jamf/Setup-Manager
1
0
Fork 0
mirror of https://github.com/jamf/Setup-Manager.git synced 2026-02-03 14:13:24 +00:00
Code Issues 37 Actions Packages Projects Releases Wiki Activity

Compare commits

base: jamf:v1.1.1
Branches Tags
jamf:main jamf:beta
jamf:v1.4.2 jamf:v1.4.1 jamf:v1.4 jamf:v1.4beta2 jamf:v1.4beta jamf:v1.3.1 jamf:v1.3 jamf:v1.3beta jamf:v1.2.2 jamf:v1.2.1 jamf:v1.2 jamf:v1.2beta3 jamf:v1.2beta2 jamf:v1.2beta jamf:v1.1.1 jamf:v1.1 jamf:v1.1beta jamf:v1.0 jamf:v1.0rc jamf:v0.9.1-306
...
compare: jamf:v1.3.1
Branches Tags
jamf:main jamf:beta
jamf:v1.4.2 jamf:v1.4.1 jamf:v1.4 jamf:v1.4beta2 jamf:v1.4beta jamf:v1.3.1 jamf:v1.3 jamf:v1.3beta jamf:v1.2.2 jamf:v1.2.1 jamf:v1.2 jamf:v1.2beta3 jamf:v1.2beta2 jamf:v1.2beta jamf:v1.1.1 jamf:v1.1 jamf:v1.1beta jamf:v1.0 jamf:v1.0rc jamf:v0.9.1-306

18 Commits
v1.1.1 ... v1.3.1

Author SHA1 Message Date
Armin Briegel
fb4d6c84e0 v1.3.1 2025-07-18 08:23:58 +02:00
Armin Briegel
d647234e37 fixed links 2025-07-08 10:13:44 +02:00
Armin Briegel
dd25148186 Merge branch 'beta' 2025-07-08 10:06:42 +02:00
Armin Briegel
552f8e7fc1 updated for v1.3 2025-07-08 10:03:20 +02:00
Armin Briegel
290c68cfe2 documentation updates 2025-05-28 13:32:15 +02:00
Armin Briegel
44f4c4513c minor fixes for 1.3beta 2025-05-27 16:03:22 +02:00
Armin Briegel
29489d9b6f updated for v1.3beta 2025-05-27 16:00:06 +02:00
Armin Briegel
9368026e74 updated for v1.2.2 2025-04-17 09:00:40 +02:00
Armin Briegel
3f6198a30f v1.2.1 2025-04-02 16:34:19 +02:00
Armin Briegel
9ea8e84f6b updated changelog for 1.2 2025-03-17 15:58:07 +01:00
Armin Briegel
407d7f32dc updated for v1.2beta3 2025-03-05 14:12:35 +01:00
Armin Briegel
89d9033c15 Merge branch 'main' into beta 2025-02-27 09:06:00 +01:00
Armin Briegel
996058a776 updated license 2025-02-27 09:05:40 +01:00
Armin Briegel
2f3bdaa93d added important notice to WebHook.md 2025-02-26 17:31:57 +01:00
Armin Briegel
d9ec69df04 v1.2beta2 2025-02-26 16:21:39 +01:00
Armin Briegel
0eb0916a2f updated for v1.2beta 2025-02-13 16:43:46 +01:00
Armin Briegel
c5d5798f4e Merge branch 'main' of github.com:Jamf-Concepts/Setup-Manager 2025-02-03 09:13:35 +01:00
Daniel MacLaughlin
97f11bab6b Fixed Custom Schema Links (#82) 
* fixed links for custom schema and some minor typos

* fixed links for custom schema and some minor typos
 2025-02-03 13:22:30 +11:00
11 changed files with 947 additions and 86 deletions
Expand all files Collapse all files

218
ChangeLog.md
View File

@@ -1,5 +1,223 @@
# Setup Manager - Change Log
## 1.3.1
(2025-07-17)
- updates to Polish localization
- improvements to launch process at login window
- logs macOS version at launch
- email addresses and urls in markdown text are not active links any more
- documentation updates and clarifications
## 1.3
(2025-07-08)
Notes added since 1.3beta are marked with '(release)'
### New Features
- Logging
- log output format has been cleaned up
- Install log and Jamf Pro log (when available) can now be viewed in the Log window (#78, #130)
- now also logs to macOS unified logging
- new top-level default key to control action output logging
- Network Monitoring
- changes to network interfaces are now logged, see the Notes section for details (#15)
- network status can be shown in the top-right corner of the Setup Manager window
- new flag file `/private/var/db/.JamfSetupStarted`, which is created when Setup Manager starts. You can use this to scope Mac App Store apps and Jamf App Installers, which prevents these apps from installing early in the enrollment, slowing down the Jamf Pro configuration
- added [a specific webhook to send a message to Slack](Docs/Webhooks.md#slack) (#104)
- two new defaults keys `finishedScript` and `finishedTrigger` allow to run custom behavior when Setup Manager has finished
- new option `none` for `finalAction` (#115)
- (release) Polish localization (Thanks to @bsojka)
### Fixes and Improvements
- Jamf Pro: improved monitoring for Jamf Pro to complete its setup after enrollment
- webhook log entries correctly show status
- added `-skipAppUpdates` option to list of options for Jamf Pro policy actions, this should avoid some false "error 57" reports
- Jamf Pro policy will trigger 'Recurring Check-in' policies on empty string value
- (release) added name for macOS Tahoe 26
- (release) minor localization and UI fixes
- (release) disabled some undesirable keyboard shortcuts (#125)
- (release) arguments in `installomator` actions are now processed correctly
- (release) output to log is flushed immediately to avoid truncation on restart/shutdown (#129)
- (release) MDM Server address shown in extended "About this Mac" (#127)
### Deprecations and Removals
- (1.3) the minimum macOS requirement for Setup Manager is now macOS 13.5
- (1.2) `showBothButtons` option removed and non-functional, there will always be just one final action button displayed
- the method for providing localized texts in the configuration profile changed in version 1.1. The previous method (by appending the two letter language code to the key) is considered deprecated. It will continue to work for the time being but will be removed in a future release. It is _strongly_ recommended to change to the [new dictionary-based solution](ConfigurationProfile.md#localization)
### Notes
#### Logging
The format of the Setup Manager log file (in `/Library/Logs/Setup Manager.log`) has changed. The new format should be easier to read and parse with other tools. There are four columns:
- timestamp (in ISO8601)
- log level (default, error or fault)
- category (general, install, network, jamfpro)
- message
Setup Manager 1.3 also logs to the macOS unified system log. The subsystem is `com.jamf.setupmanager`. You can use the `log` command line tool to read the log.
For example:
```
sudo log show --last 30m --predicate 'subsystem="com.jamf.setupmanager"'
```
To clean up the log a little, Setup Manager 1.3 will only write the output of actions to the Setup Manager log file when an error occurred. You can control this behavior with a new top-level preference key `actionOutputLogging`.
#### Installation and Jamf Pro logs and summaries
The Log window (open with command-L) gained a new "Install" tab, which shows the system's installation log file (`/var/log/install.log`). When enrolling with Jamf Pro, there is another new "Jamf" tab, which shows the Jamf log (`/var/log/jamf.log`). By default, the Log window will be summarized to events relevant to the enrollment workflow. You can see the full log content by unchecking the 'Summarize' option.
Note that both logs will show events that were not initiated by Setup Manager. Nevertheless, these events may be relevant to your enrollment workflow.
These summarized events will also appear in the Setup Manager log tab and file, as well as the universal log entries. Having these events in context at the time they occur in the Setup Manager log is very helpful when trouble-shooting enrollment workflows.
#### Network change logging
Setup Manager 1.3 adds logging for changes to network interfaces. It is possible that there will multiple entries in the log with regards to the same network change. Most changes logged will be neutral and should not affect your deployment negatively.
However, it is possible that changes to the network configuration of a device can influence the deployment workflow. For example, when a configuration profile with the access information for a secure corporate Wifi is installed on the device, then the download access to required resources might change. Another example are security tools that might lead to restricted access for downloads (Installomator uses `curl` to download data, which might trigger security tools.)
Checking the log for network changes or outages during enrollment can be useful for troubleshooting.
#### Network Status icon/menu
Network status can also show with a new icon in the top-right corner of the Setup Manager window.
Note that Network Relay will only protect traffic to certain configured servers and services, not all traffic.
By default, the network icon will _not_ be shown. You can activate it manually with the command-N keystroke.
When you click on the Network status icon, a popup will show:
- the current active network interface
- IPv4 and IPv6 addresses
- download and upload bandwidth (will take a while to appear)
- Network Relay hosts (when network relay profile is present)
- list of additional custom hosts, configured in the profile
Note that the connectivity check is quite basic and might not catch all functionality that is required for a service to work. It should provide an indication whether a service is reachable, but deeper trouble-shooting and monitoring might be required for reliable diagnostics.
Seen["Network Connectivity"](Docs/Network.md) for more detail.
#### Finished Script and Trigger
Setup Manager now includes functionality to launch a script or Jamf Pro custom policy trigger in a separate process when the main Setup Manager process is finished. This is useful for installations that might unexpectedly restart the computer or the context that Setup Manager is running in (most commonly, Setup Manager is running at login window, which the Jamf Connect installer will kill).
There are two keys relevant for this: `finishedScript` and `finishedTrigger`.
See ["Running Scripts and Policies when Setup Manager finishes"](Docs/Extras.md#running-scripts-and-policies-when-setup-manager-finishes) for detail.
## v1.3beta
(2025-05-27)
### New Features
- Logging
- log output format has been cleaned up
- Install log and Jamf Pro log (when available) can now be viewed in the Log window (#78)
- now also logs to macOS unified logging
- new top-level default key to control action output logging
- Network Monitoring
- changes to network interfaces are now logged, see the Notes section for details (#15)
- network status can be shown in the top-right corner of the Setup Manager window
- new flag file `/private/var/db/.JamfSetupStarted`, which is created when Setup Manager starts
- added [a specific webhook to send a message to Slack](Docs/WebHooks.md#Slack) (#104)
- two new defaults keys `finishedScript` and `finishedTrigger` allow to run custom behavior when Setup Manager has finished
- new option `none` for `finalAction` (#115)
### Fixes and Improvements
- Jamf Pro: improved monitoring for Jamf Pro to complete its setup after enrollment
- webhook log entries correctly show status
- added `-skipAppUpdates` option to list of options for Jamf Pro policy actions
- Jamf Pro policy will trigger 'Recurring Check-in' policies on empty string value
### Deprecations and Removals
- (1.3) the minimum macOS requirement for Setup Manager is now macOS 13.5
- (1.2) `showBothButtons` option removed and non-functional, there will always be just one final action button displayed
- the method for providing localized texts in the configuration profile changed in version 1.1. The previous method (by appending the two letter language code to the key) is considered deprecated. It will continue to work for the time being but will be removed in a future release. It is _strongly_ recommended to change to the [new dictionary-based solution](ConfigurationProfile.md#localization)
## v1.2.2
(2025-04-17)
- signed a helper script that could lead to unexpected background item prompts
- disabled command-W keystroke
- fixed a stall in `waitForUserEntry` with Jamf School
- fixed link to computer record in Teams message (#110)
- minor documentation fixes
## v1.2.1
(2025-04-02)
- updated included Installomator script to [v10.8](https://github.com/Installomator/Installomator/releases/tag/v10.8)
- now tries for 15 seconds to reload local `background` image file (#105), this should help in situations where the image file is installed after Setup Manager
- improved monitoring of Jamf Pro enrollment process and completion during the "Getting Ready" phase
- minor documentation fixes (#106)
## v1.2.2
(2025-04-17)
- signed a helper script that could lead to unexpected background item prompts
- disabled command-W keystroke
- fixed a stall in `waitForUserEntry` with Jamf School
- fixed link to computer record in Teams message (#110)
- minor documentation fixes
## v1.2.1
(2025-04-02)
- updated included Installomator script to [v10.8](https://github.com/Installomator/Installomator/releases/tag/v10.8)
- now tries for 15 seconds to reload local `background` image file (#105), this should help in situations where the image file is installed after Setup Manager
- improved monitoring of Jamf Pro enrollment process and completion during the "Getting Ready" phase
- minor documentation fixes (#106)
v1.2
(2025-03-17)
### New Features
- Setup Manager can send [webhooks](Docs/Webhooks.md) on start and finish, (#70)
- (beta2) added [a specific webhook to send a message to Microsoft Teams](Docs/WebHooks.md#Microsoft-Teams)
- User Entry:
- `email`, `endUsername`, `realname`, `position` and `phone` fields added. These will be submitted to Jamf Pro when Setup Manager finishes and during a `waitForUserEntry` action
- you can set custom and localized labels for user entry fields in the profile with a `label` key
- [User Data file](Docs/Extras.md#user-data-file) now contains a list of enrollmentActions
- added 'restart' option to ['finalAction'](ConfigurationProfile.md#finalAction) (#38, #58)
- [icon sources](ConfigurationProfile.md#icon-source) and [`accentColor`](ConfigurationProfile.md#accentColor) can now have [a dark mode alternative defined in the profile](ConfigurationProfile.md#dark-mode) (#61)
- hitting the space bar while Setup Manager is the Active window will open a window with a scannable barcode of the serial number
- `message` and help:`message` now interpret [markdown formatting](ConfigurationProfile.md#markdown) (#46)
### Fixes and Improvements
- (beta3 and release) return key connected to final action and save buttons (#93)
- (beta3) added an `event` field to standard webhook data, (#94)
- (beta3) "facts" in Teams message are no longer in random order
- (beta3) improved reliablity of running at login window (#77)
- (beta2) an empty `userEntry` dictionary in the profile no longer chokes the UI (#85)
- (beta2) MDM check more resilient to certain profile configs (#87)
- (beta2) the `name` field in WebHook data was shortened from `SetupManagerFinished` and `SetupManagerStarted` to `Finished` and `Started`
- (beta2) early log entry when debug mode is enabled
- icon for `waitForUserEntry` can be changed from the profile
- shell actions correctly show success or failure, depending on their exit code#39)
- Jamf Pro policy actions show success or failure in most situations. Note that there are many things a policy can potentially do. Not all failures are caught. This registers failed pkg installations and policy scripts that return a non-zero exit code, which should cover most situations. Note also, these checks will only work on macOS 13 and higher. On macOS 12, Jamf policies will always be reported as success.
- read enrollment actions data from profile after user-initiated enrollments more reliably
- now tries for 15 seconds to reload images with local file paths, this should help in situations were the resources file are installed after Setup Manager
- many other fixes and improvements
- updated included Installomator to 10.7
- user data file will contain the enrollment user when the `userID` key is set
- battery warning threshold is now different for Intel (%50) and Apple silicon (%20) Macs. This matches Apple's warnings before applying software updates
### Deprecations and Removals
- the minimum macOS requirement for Setup Manager will be raised to macOS 13 soon
- `showBothButtons` option removed and non-functional, there will always be just one final action button displayed
- the method for providing localized texts in the configuration profile changed in version 1.1. The previous method (by appending the two letter language code to the key) is considered deprecated. It will continue to work for the time being but will be removed in a future release. It is _strongly_ recommended to change to the [new dictionary-based solution](ConfigurationProfile.md#localization).
### Beta Features
Even though we are confident that the release is overall stable and ready to be used in production, we believe this feature may require more testing. When, after thorough testing in your environment, you conclude this works for your workflow, please let us know about success or any issues you might encounter.
- Setup Manager can now run over Login Window, instead of immediately after installation. This also allows Setup Manager to work with AutoAdvance. Use [the new `runAt` key](ConfigurationProfile.md#runAt) in the profile to determine when Setup Manager runs
## v1.1.1
(2025-01-28)

324
ConfigurationProfile.md
View File

@@ -2,9 +2,10 @@
The project some sample files to get you started:
- [sample plist](Examples/sample-com.jamf.setupmanager.plist) for Jamf Pro
- [sample plist](Examples/sample-waitForUserEntry) for Jamf Pro with [two phase workflow](Docs/JamfPro-TwoPhase.md)
- [configuration profile](Example/sample-jamfschool.mobileconfig) for Jamf School
- [sample plist](Examples/sample-waitForUserEntry.plist) for Jamf Pro with [two phase workflow](Docs/JamfPro-TwoPhase.md)
- [configuration profile](Examples/sample-jamfschool.mobileconfig) for Jamf School
**Important:** all keys and values are **case-senstive**.
## Top-level keys
@@ -12,11 +13,11 @@ The project some sample files to get you started:
(Boolean, default: `false`)
When this is set to `true` any steps that actually change software on the disk will not be performed. This will also allow you to launch Setup Manager by double-clicking as the user. This can be useful to test a profile, or to take screen shots for documentation.
When this is set to `true` any steps that actually change software on the disk will not be performed. This will also allow you to launch Setup Manager by double-clicking as the user. This can be useful to test a profile, or to take screenshots for documentation.
These behaviors change in debug mode:
- checks for the existence of the Jamf binary and keychain are skipped
- Jamf Setup manager will accept enrollmentActions from a non-managed preference file
- Jamf Setup Manager will accept enrollmentActions from a non-managed preference file
- `policy`, `recon`, and `shell` actions that require root are replaced with a delay (and will always complete successfully)
- `watchPath` and `wait` actions timeout and fail after 10 seconds
@@ -37,13 +38,13 @@ Example:
#### `icon`
(String, default: `name:AppIcon`, localized)
(String, default: `name:AppIcon`, localized, dark mode)
The icon shown at the top center of the window. There are many options to define icons, described in the [Icon Sources](#icon-sources) section later.
The icon shown at the top center of the window. There are many options to define icons, described in the [Icon Sources](#icon-sources) section later. Images will be scaled to fit a size of 700x128 pixels (or 1400x256 @2x).
#### `message`
(String, default: `Setup Manager is configuring your Mac…`, localized, substitutions)
(String, default: `Setup Manager is configuring your Mac…`, localized, substitutions, markdown)
The message shown below the title.
@@ -54,7 +55,7 @@ Example:
<string>Please wait a few moments while we install essential software…</string>
```
The message can use [substitutions](#substitution):
The message can use [substitutions](#substitution).
Example:
@@ -63,9 +64,34 @@ Example:
<string>Preparing your new %model%. Please be patient.</string>
```
Markdown formatting options in the message field will be translated into rich text:
Example:
```xml
<key>message</key>
<string>Preparing your new %model%. **Please be patient.**</string>
```
`Please be patient.` will be bold. More detail on [Markdown here](#markdown).
During the "Getting Ready" phase up to three lines of text will be shown. When the action icon progress list is shown, text will be truncated to a single line.
Use actual line breaks in the XML for line breaks in this text. (`\n` escape sequence will _not_ work in XML)
Example:
```xml
<key>message</key>
<string>Please be patient…
This line of text will be truncated when the action icon list is shown.</string>
```
#### `background`
(String, optional, localized)
(String, optional, localized, dark mode)
When this key is set, Setup Manager treats it as an image/[icon source](#icon-sources) and displays the image in a screen covering background.
@@ -73,11 +99,9 @@ When this key is set, Setup Manager treats it as an image/[icon source](#icon-so
(String, optional, default: `enrollment`)
**Beta:** We believe the run at login window feature may require more testing, especially in some edge cases. When, after thorough testing, you believe this works in your workflow, feel free to deploy it, and please let us know about success or any issues you might encounter.
This value determines when Setup Manager should launch. There are two values: `enrollment` (default) and `loginwindow`. When set to `enrollment` Setup Manager will launch immediately when its installation package is installed. This is the setting to use for automated device enrollment (without Auto Advance) and user-initiated enrollment.
This value determines when Setup Manager should launch. There are two values: `enrollment` (default) and `loginwindow`. When set to `enrollment` Setup Manager will launch immediately when the pkg is installed. This is the setting to use for automated device enrollment (without AutoAdvance) and user-initiated enrollment.
When the `runAt` value is set to `loginwindow` Setup Manager will launch only when the login window is shown. This is useful for fully automated enrollments using AutoAdvance.
When the `runAt` value is set to `loginwindow` Setup Manager will launch only when the login window is shown. This is useful for fully automated enrollments using Auto Advance and some workflows involving Jamf Connect or similar tools.
A setting of `loginwindow` will only work with enrollment setups that eventually end on the login window (i.e. a user has to be created automatically, the device is bound to a directory, etc).
@@ -104,11 +128,11 @@ When this key exists, Setup Manager will prompt for user data while the enrollme
(Dict of Strings, optional)
When this key exists, Setup Manager will show a "Help" button (a circled question mark) in the lower right corner while it is running. You can add sub-keys with content for the help, which are described in [Help](#help). When Setup Manager has completed, the "Help" button will be replaced with the "Continue" and/or "Shutdown" button.
When this key exists, Setup Manager will show a "Help" button (a circled question mark) in the lower right corner while it is running. You can add sub-keys with content for the help, which are described in [Help](#help-1). When Setup Manager has completed, the "Help" button will be replaced with the "Continue" and/or "Shutdown" button.
#### `accentColor`
(String, optional, default: system blue)
(String or Dict, optional, default: system blue, dark mode)
Sets the accent color for buttons, progress bar, SF Symbol icons, and other UI elements. You can use this to match branding. Color is encoded as a six digit hex code, e.g. `#FF0088`.
@@ -116,23 +140,37 @@ Example:
```xml
<key>accentColor</key>
<string>#FF0088</string>
<string>#FF00AA</string>
```
If you want different accent colors depending on whether the system is in light or dark mode, provide a `dict` with two keys, for `light` and `dark` mode:
Example:
```xml
<key>accentColor</key>
<dict>
<key>dark</key>
<string>#FF00AA</string>
<key>light</key>
<string>#AA0055</string>
</dict>
```
#### `finalCountdown`
(Number/integer, optional, default: `60`)
This key changes the duration (in seconds) of the "final countdown" before the app automatically performs the `finalAction` (continue or shut down). Set to `-1` (or any negative number) to disable automated execution.
This key changes the duration (in seconds) of the "final countdown" before the app automatically performs the `finalAction`. Set to `-1` to disable automated execution.
Examples:
Example:
```xml
<key>finalCountdown</key>
<integer>30</integer>
```
Disable the
Disable the countdown:
```xml
<key>finalCountdown</key>
@@ -143,9 +181,21 @@ Disable the
(String, optional, default: `continue`)
This key sets the action and label for the button shown when Setup Manger has completed. When this key is set to `shutdown` (no space!) it will shut down the computer, other wise it will just quit Setup Manager ("continue"). This is also the action that is performed when the `finalCountdown` timer runs out.
This key sets the action and label for the button shown when Setup Manger has completed.
When the `DEBUG` preference is set, shutdown will merely quit/continue.
There are four options:
- `continue`: (default) merely quits Setup Manager and allows the user to continue (probably Setup Assistant or login window)
- `restart`: restarts the Mac
- `shutdown`: (no space!) shuts down the Mac
- `none`: no button shown. (see note below)
**Warning:** `restart` and `shutdown` options will force their action immediately. If a user is logged in (after user-initiated enrollment), they may lose data from open, unsaved documents.
**Note on `none`:** the `none` option exists for workflows where the restart or continue is controlled by a process other than Setup Manager. For example, when installing additional software with a `finishedScript` or `finishedTrigger` which forces a restart. Having a `continue` or `restart` button would be confusing and might interrupt the installation in the finished process. However, having no button to end Setup Manager at all, might leave the user 'stuck' there, so be sure to always restart or kill Setup Manager. You can always use the keyboard shortcut `shift-control-command-E` to quit Setup Manager.
This is also the action that is performed when the `finalCountdown` timer runs out.
When the `DEBUG` preference is set, `shutdown` or `restart` will merely quit/continue.
Example:
@@ -154,26 +204,48 @@ Example:
<string>shutdown</string>
```
#### `showBothButtons`
#### `finishedScript`
(Bool, optional default: `false`)
(String, optional)
This key determines whether both the 'Shutdown' and 'Continue' are shown or just the button set in the `finalAction` key.
A full path to a script file which will be executed _after_ Setup Manager has finished its workflow. This process runs independently of Setup Manager, so it can run installers or scripts that affect Setup Manager.
**Warning:** this key is deprecated and will be removed in a future version of Setup Manager
The script has to fulfill these criteria to be executed:
- owner: `root`, group: `wheel`
- executable bit set
- not writable for group or other (file mode `755` or `555`)
- no quarantine flag attached
The output of the finished script and trigger will be logged to `/private/var/log/setupManagerFinished.log`.
Example:
```xml
<key>showBothButtons</key>
<true/>
<key>finishedScript</key>
<string>/Library/Management/finishedScript.sh</string>
```
#### `finishedTrigger`
(String, optional, Jamf Pro only)
A custom policy trigger which will be executed _after_ Setup Manager has finished its workflow. This process runs independently of Setup Manager, so it can run installers or scripts that affect Setup Manager.
The output of the finished script and trigger will be logged to `/private/var/log/setupManagerFinished.log`.
Example:
```xml
<key>finishedTrigger</key>
<string>setup_manager_finished</string>
```
#### `totalDownloadBytes`
(Integer, opitonal, default: 1000000000 or 1GB, v0.8)
(Integer, optional, default: 1000000000 or 1GB, v0.8)
Use this value to provide an estimate for the total size of all items that will be downloaded. Setup Manager will display and estimated download time for this sum in the "About this Mac..." popup window.
Use this value to provide an estimate for the total size of all items that will be downloaded. Setup Manager will display an estimated download time for this sum in the "About this Mac..." popup window.
Example:
@@ -186,7 +258,7 @@ Example:
(String, Jamf Pro only)
Set this to `$JSSID` in the configuration profile and Setup Manager will be aware of its computer's id in Jamf Pro. It will be displayed in the 'About this Mac…' popup.
Set this to `$JSSID` in the configuration profile and Setup Manager will be aware of its computer's id in Jamf Pro. It will be displayed in the 'About this Mac…' popup, when clicked with the option key.
Example:
@@ -199,7 +271,7 @@ Example:
(String, Jamf Pro only)
Set this to `$EMAIL` in the configuration profile. This communicates the user who logged in to customized enrollment to Setup Manager. This can be used together with the `userEntry.showForUserIDs` key to control which users see the user entry UI.
Set this to `$EMAIL` in the configuration profile. This communicates the user who logged in to customized enrollment to Setup Manager. This can be used together with the [`userEntry.showForUserIDs`](#conditionally-show-the-user-entry-for-certain-users) key to control which users see the user entry UI.
Example:
@@ -229,7 +301,7 @@ This will set the computer name to `Mac-DEF456` where `DEF456` are the center si
(String, optional)
When set, the "About this Mac" info window will show this value instead of the real serial number. This is useful when making screen shots or recordings for documentation or presentations where you do not want to expose real serial numbers.
When set, the "About this Mac" info window will show this value instead of the real serial number. This is useful when making screenshots or recordings for documentation or presentations where you do not want to expose real serial numbers.
Note: This is for display only. [Substitutions](#substitution) will still use the real serial number.
@@ -272,6 +344,26 @@ Example:
When debug mode is enabled, you can set the `simulateMDM` preference key to `Jamf Pro` or `Jamf School`. This allows you to do test runs on un-enrolled Macs.
#### `actionOutputLogging`
(string, optional, default: `error`)
This key controls whether the output of actions is written to the Setup Manager log file.
There are three options:
- `always`: output and exit code are always written to the log file
- `error`: (default) output and exit code are only written on errors
- `never`: output and exit are never written to the log file
Setup Manager's log window will always show the output, regardless of this setting.
Example:
```xml
<key>actionOutputLogging</key>
<string>always</string>
```
## Actions
All actions should have these keys:
@@ -284,9 +376,9 @@ The label is used as the name of the action in display.
#### `icon`
(String, optional, localized)
(String, optional, localized, dark mode)
The icon source string used for the display of the label. Different types of actions will have different default icons, which is used when no `icon` key is present.
The [icon source](#icon-sources) used for the display of the label. Different types of actions will have different default icons, which are used when no `icon` key is present. The icons will be scaled to fit 64x64 pixels (or 128x128 @2x).
There are several different types of actions, and these are defined by additional keys. These keys will be on the same level as the keys above.
@@ -308,7 +400,7 @@ When the command given in `shell` requires arguments they are listed here, one i
(Bool, default: `false`, optional)
When this key is set to `true` Setup Manager will only run this when itself is running as root. Otherwise it will fail the action. When `DEBUG` is enabled, it will replace the action with a delay instead.
When this key is set to `true`, Setup Manager will only run this when itself is running as root. Otherwise, it will fail the action. When `DEBUG` is enabled, it will replace the action with a delay instead.
Example:
@@ -330,13 +422,33 @@ Example:
</dict>
```
This example is the equivalent of this command line:
```
sudo systemsetup -setTimeZone Europe/Amsterdam
```
Notes: to break the command in to its components
- full path to the command
- arguments are split into the `arguments` array, one string entry per argument, no quoting or backslash escaping
- if the command contains a `&` it needs to be escaped with `&amp;`
- shell constructs such as substitution (e.g `$SHELL`), redirection (e.g `&2>1`)
- `sudo` won't work in this context, instead set `requiresRoot` to true
### Jamf Policy Trigger
#### `policy`
(String, Jamf Pro only)
This will run the jamf policy or polices with the given trigger name. This is the equivalent of running `jamf policy -event <triggername>`
This will run the Jamf Pro policy or polices with the given trigger name. This is the equivalent of running
```
jamf policy -event <triggername> -verbose -forceNoRecon -doNotRestart -noInteraction -skipAppUpdates
```
Note: Jamf Pro policies can do a lot of different things and fail in many different ways. Setup Manager does _not_ check for all possible failure modes. It only checks for failed installer pkgs and policy scripts that return non-zero exit codes, which should cover most uses of policies for initial deployment.
Example:
@@ -351,6 +463,20 @@ Example:
</dict>
```
Note: You can trigger policies attached to "Recurring Check-in" by leaving the string value empty:
```xml
<dict>
<key>icon</key>
<string>symbol:arrow.trianglehead.2.clockwise.rotate.90</string>
<key>label</key>
<string>Check-in</string>
<key>policy</key>
<string/>
</dict>
```
### Watch Path
#### `watchPath`
@@ -386,7 +512,7 @@ Example:
</dict>
```
Note: This is intended to check if app are installed from the Mac App Store or Jamf App Installers. In my experience, these installation methods are quite unreliable, hence the timeout. Since you cannot anticipate the order in which these apps may be installed, it is best to put the `watchPath` actions at the end. For large installations (Xcode) you want to set a large timeout.
Note: This is intended to check if an app is installed from the Mac App Store or by Jamf App Installers. In my experience, these installation methods are quite unreliable during enrollment, hence the timeout. Since you cannot anticipate the order in which these apps may be installed, it is best to put the `watchPath` actions at the end. For large installations, such as Xcode, or Adobe apps, you want to set a large timeout.
### Wait
@@ -415,7 +541,7 @@ Example:
If Setup Manager reaches this action before the user entry has been completed, it will wait until the user entry is completed and the user has clicked 'Save.'
When the user entry is saved and this action is reached, it will set the computer name, according to the `computerNameTemplate` or what was entered by the user and run a recon/Update Inventory which submits the user data. It will also save the data from the user entry to the [user data file](Docs/Extras.md#user-data-file)
When the user entry is saved and this action is reached, it will set the computer name, according to the `computerNameTemplate` or what was entered by the user and run a recon/Update Inventory which submits the user data. It will also save the data from the user entry to the [user data file](Docs/Extras.md#user-data-file).
This action allows for "two phase" installation workflows where the policies in the second phase are scoped to data from the user entry. After this action, smart groups in Jamf Pro should reflect the data entered and you can use scoping in subsequent policies to choose which policies should or should not run on this device.
@@ -438,7 +564,7 @@ Regardless of whether there is a `waitForUserEntry` action or not, Setup Manager
This will run a Jamf Inventory update.
You should usually not need to add a recon step. By default Setup Manager will automatically run an inventory update before and after running the enrollment actions.
This action exists mainly for troubleshooting. You should generally not need to add a recon step. By default, Setup Manager will automatically run an inventory update before and after running the enrollment actions. If you have a `waitForUserEntry` action configured, this will also run a recon/inventory update.
Example:
@@ -451,9 +577,9 @@ Example:
### Installomator
This will run [Installomator](https://github.com/Installomator/Installomator) to install a given label.
Setup Manager includes the [Installomator](https://github.com/Installomator/Installomator) script to simplify installations. This action will run [Installomator](https://github.com/Installomator/Installomator) to install a given label.
Note: by default, Setup manager will add `NOTIFY=silent` to the arguments to suppress notfications. You can override this in the `arguments`.
Note: by default, Setup manager will add `NOTIFY=silent` to the arguments to suppress notifications. You can override these variables and add more with the `arguments` key.
#### `installomator`
@@ -480,6 +606,21 @@ Example:
</dict>
```
with arguments:
```xml
<dict>
<key>label</key>
<string>Example App</string>
<key>installomator</key>
<string>example</string>
<key>arguments</key>
<array>
<string>downloadURL=https://example.com/alternativeURL</string>
</array>
</dict>
```
## Icon Sources
@@ -527,7 +668,7 @@ When the icon source starts with `name:`, Setup Manager will get the icon with t
### SF Symbols:
When the icon source starts with `symbol:`, Setup Manager will create the icon using that symbols name. You can look up symbol names using the [SF Symbols](https://developer.apple.com/sf-symbols/) app.
When the icon source starts with `symbol:`, Setup Manager will create the icon using that symbol's name. You can look up symbol names using the [SF Symbols](https://developer.apple.com/sf-symbols/) app.
Note that the availability and appearance of SF Symbols may vary with the OS version and language/region.
@@ -536,11 +677,37 @@ Note that the availability and appearance of SF Symbols may vary with the OS ver
<string>symbol:clock</string>
```
### Dark Mode
Note: after enrollment, over Setup Assistant, the system is always in light mode. This is only relevant when you use Setup Manager after user-initiated enrollment
To provide alternative images for dark or light mode, change the `string` defining the image to a dictionary with a `dark` and a `light` key. This works with the `background`, `icon`, and each action's `icon`. This also works with the `accentColor` key.
Note that Setup Manager does _not_ monitor the appearance mode, so if it changes _while_ Setup Manager is running, things will not update consistently.
Example:
```xml
<key>icon</key>
<dict>
<key>dark</key>
<string>name:Jamf_white</string>
<key>light</key>
<string>name:Jamf_blue</string>
</dict>
```
## User Entry
You can enable user entry for the following keys:
- `userID`
- `email`
- `endUsername` (shown as 'Account Name')
- `realname` (shown as 'Full Name')
- `position`
- `phone`
- `department`
- `building`
- `room`
@@ -549,6 +716,9 @@ You can enable user entry for the following keys:
Any of the fields will only be shown when its key exists. If you were to create an empty `userEntry` dict, you get an empty user input screen with a 'Save' button - not a good user experience.
`userID` and `email` can be somewhat confusing and depending on which Cloud directory you have configured in Jamf Pro, you may need one or the other or both. Because of this Setup Manager 1.1 and older would only prompt for 'User email' and set both `userID` and `email` from that value. To maintain compatibility with this behavior, Setup Manager will continue to set _both_ `userID` and `email` when only one of the two values is requested and entered. If you request both fields, both will be set individually in the recon.
### User Data file
Data from user entry is written, together with some other data to a file when Setup Manager reaches a `waitForUserEntry` action and again when it finishes. The file is stored at `/private/var/db/SetupManagerUserData.txt`. [More details.](Docs/Extras.md#user-data-file)
@@ -557,7 +727,7 @@ Data from user entry is written, together with some other data to a file when Se
(String, localized)
Provide a default value in two ways:
Provide a default value in one of two ways:
Example:
@@ -675,11 +845,37 @@ The default validation message will show the regular expression the value is not
</dict>
```
#### `label`
(String, localized, optional)
Many Jamf Pro admins use the standard fields in ways that don't match their built-in label. For this purpose you can override the default label shown for a field in the user entry.
Note that the text label in the [User Data file](Docs/Extras.md#user-data-file) will _not_ be changed.
Example:
```xml
<key>room</key>
<dict>
<key>label</key>
<string>Site</string>
<key>options</key>
<array>
<string>London</string>
<string>Paris</string>
<string>Amsterdam</string>
</array>
</dict>
```
In this example, the 'Room' field will be shown in Setup Manager with the label 'Site.' The choice will be submitted to the 'room' field in Jamf Pro inventory and written with the 'room' label to the [User data file](Docs/Extras.md#user-data-file). You can then pick up the data in policy scripts after Setup Manager is finished or the `waitForUserEntry` action and process it accordingly.
### Conditionally show the user entry for certain users
You can configure Setup Manager to only show the user entry section when specified users have authentication in enrollment customization. This enables workflows, where certain users (techs and admins) gets the option to re-assign the device to another user, but other users don't see the option.
You can configure Setup Manager to only show the user entry section when specified users have authenticated in enrollment customization. This enables workflows, where certain users (techs and admins) get the option to re-assign the device to another user, but other users don't see the option.
For this, you need to setup the top-level `userID` to receive the `$EMAIL` variable. This will communicate the user who logged in with customized enrollment back into Setup Manager. Then you add key `showForUserIDs` with an array of user emails to the `userEntry` dict. When both `userID` and `userEntry.showForUserIDs` are set, the user entry UI will only show for the listed users.
For this, you need to setup the top-level `userID` to receive the `$EMAIL` variable. This will communicate to SetupManager the user who logged in with customized enrollment. Then you add key `showForUserIDs` with an array of user emails to the `userEntry` dict. When both `userID` and `userEntry.showForUserIDs` are set, the user entry UI will only show for the listed users.
#### `showForUserIDs`
@@ -718,7 +914,7 @@ When you provide a top-level `help` key with a dictionary a help button (with a
#### `message`
(String, optional, localized)
(String, optional, localized, markdown)
#### `url`:
@@ -740,9 +936,17 @@ Example:
</dict>
```
## Webhooks
Setup Manager can send web hooks to servers and services to trigger workflows there. You can read [details on how to configure and use WebHooks here](Docs/Webhooks.md).
## Network Connectivity
Setup Manager can check and display the network status and connectivity to a list of hosts. You can read [the details on how to configure this here](Docs/Network.md).
## Localization
The app will pick up the user choice of the UI language for the interface elements. (Table of currently available languages below) The app will fall back to English for other language choices.
The app will pick up the user choice of the UI language for the interface elements. (Table of currently available languages below.) The app will fall back to English for other language choices.
You can provide localizations for the custom texts given in the configuration profile.
@@ -794,6 +998,7 @@ The following keys can be localized:
- `default`
- `placeholder`
- `validationMessage`
- `label`
### Help
@@ -801,6 +1006,10 @@ The following keys can be localized:
- `message`
- `url`
### Network Check
- `label`
Use these two-letter codes for these languages:
| Language | two-letter code |
@@ -809,9 +1018,10 @@ Use these two-letter codes for these languages:
| Dutch (Nederlands) | nl |
| French | fr |
| German | de |
| Italian | it |
| Hebrew | he |
| Italian | it |
| Norwegian | nb |
| Polish | pl |
| Spanish | es |
| Swedish | sv |
@@ -848,3 +1058,21 @@ These keys can use substitutions:
- `message`
- `computerNameTemplate`
- actions: `label`
## Markdown
In some fields, markdown formatting can be used to generate rich, formatted text. For example:
```xml
<key>message</key>
<string>Preparing your new Mac. **Please be patient.**</string>
```
The `Please be patient.` text will be shown bolded. You can find details on markdown formatting in the [Markdown Cheat Sheet](https://www.markdownguide.org/cheat-sheet/).
Note that while you _can_ embed links to websites in the markdown using the `[…](…)` syntax they will not work while running over Setup Assistant or Login Window.
These keys can use markdown:
- `message`
- Help: `message`

97
Docs/Extras.md
View File

@@ -1,5 +1,19 @@
# Extras and Notes
## Keyboard Shortcuts
Note that the Setup Manager window does not activate to receive keystrokes automatically when running over Setup Manager. You have to click in the Setup Manager window first.
| shift-control-command E | ["exit"/quit Setup Manager](#Quit), use only in emergencies as it will leave installations in an indeterminate state |
| command-L | open [Log window](#Logging) |
| command-B | toggle Battery status icon in Setup Manager window |
| command-N | toggle [Network status icon](Network.md) in Setup Manager window |
| space | show [serial number bar code window](#scannable-serial-number-barcode) |
| i | show "About this Mac" popup |
| h | show "Help" popup, when present |
| hold option key when clicking "About this Mac" | shows more info |
## Custom JSON Schema for Jamf Pro
- create a new profile
@@ -19,11 +33,34 @@ Note that the custom schema can become confused when you switch between enrollme
## Quit
The command-Q keyboard short cut to quit the app is disabled. Use `shift-control-command-E` instead. This should only be used when debugging and trouble-shooting, as it will leave the client in an undetermined state when installations are aborted.
The command-Q keyboard shortcut to quit the app is disabled. Use `shift-control-command-E` instead. This should only be used when debugging and troubleshooting, as it will leave the client in an undetermined state when installations are aborted.
## Logging
Setup Manager logs to `/Library/Logs/Setup Manager.log`. While Setup Manager is running you can open a log window with command-L.
While Setup Manager is running you can open a log window with command-L.
There are two or three tabs, one for the main Setup Manager log, one showing output from `/var/log/install.log` and (Jamf Pro only) one tab showing output from `/var/log/jamf.log`. By default, these log tabs will be summarized to events relevant to the enrollment workflow. You can see the full log content by unchecking the 'Summarize' option.
Note that both logs will show events that were not initiated by Setup Manager. Nevertheless, these events may be relevant to your enrollment workflow.
These summarized events will also appear in the Setup Manager log tab and log file, as well as the universal log entries. Having these events in context at the time they occur in the Setup Manager log is very helpful when trouble-shooting enrollment workflows.
Setup Manager logs to `/Library/Logs/Setup Manager.log`. There are four columns:
- timestamp (in ISO8601)
- log level (default, error or fault)
- category (general, install, network, jamfpro)
- message
To clean up the main log a little, Setup Manager will only write the output of actions to the Setup Manager log file when an error occurred. You can control this behavior with a new top-level preference key `actionOutputLogging`.
Setup Manager also logs to the macOS unified system log. The subsystem is `com.jamf.setupmanager`. You can use the `log` command line tool to read the log.
For example:
```
sudo log show --last 30m --predicate 'subsystem="com.jamf.setupmanager"'
```
## Debug mode
@@ -73,7 +110,6 @@ computerName: MacBook-M7WGMK
submit: 2024-08-14T13:54:37Z
duration: 101
```
Start time (`start`) and finish/submission time (`submit`) are given in ISO8601 format, universal time (UTC). Duration is given in seconds.
Fields that were not set in user entry will not be shown at all. You can use this file in scripts or extension attributes. One possible way is to parse it with `awk`, e.g.
@@ -82,13 +118,68 @@ Fields that were not set in user entry will not be shown at all. You can use thi
duration=$(awk -F ': ' '/duration: / {print $2}' /private/var/db/SetupManagerUserData.txt)
```
Starting with Setup Manager 1.2, the User Data file contains a list of actions with their status:
```
enrollmentActions:
-action 0: finished - Microsoft 365
-action 1: finished - Google Chrome
-action 2: finished - Jamf Connect
```
The status can be `finished` or `failed`.
## "About This Mac…" window
When you hold the option key when clicking on "About This Mac…" you will see more information.
## Scannable Serial Number Barcode
Hitting the space bar while Setup Manager is the Active window will open a window with a scannable barcode of the serial number. Hitting the space bar again will dismiss the window.
Note that Setup Manager does not automatically get Key Window when it launches, while running over Setup Assistant, so you may have to click in the Setup Manager window, before hitting the space bar.
## Uninstall Setup Manager
Setup Manager will unload and remove its LaunchAgent and LauchDaemon files upon successful completion. That together with the [flag file](#flag-file) should prevent Setup Manager from launching on future reboots.
If you still want to remove Setup Manager after successful enrollment, there is [a sample uninstaller script in the Examples folder](../Examples/uninstall.sh).
## (Jamf Pro): Useful Smart Groups
You can create smart groups to coordinate installations of Configuration profiles. Some useful examples are:
### Setup Manager Installed
Criteria: 'Application Bundle ID' is `com.jamf.setupmanager`
You can use this smart group to scope or limit configuration profiles, Mac App Store/VPP apps, and Jamf App Installer apps. This way their installation will not occur immediately after enrollment, potentially slowing down the installation of essential Jamf Pro components and extending the "Getting Ready" phase.
### Setup Manager Done
Create an Extension attribute named "Setup Manager Done" with the script code:
```sh
if [ -f "/private/var/db/.JamfSetupEnrollmentDone" ]; then
echo "<result>done</result>"
else
echo "<result>incomplete</result>"
fi
```
Then create a Smart Group named "Setup Manager Done" with the criteria `"Setup Manager Done" is "done"`.
You can use this to scope configuration profiles and policies so that they are installed or run _after_ Setup Manager is complete.
## Running Scripts and Policies when Setup Manager finishes
Generally, you want to coordinate tasks, configurations, and installations with Setup Manager actions. However, in some situations the installations might interfere with the Setup Manager workflow itself. This is most relevant with software that needs to reload the login window process, which will also kill Setup Manager. (e.g Jamf Connect Login)
Setup Manager provides a LaunchDaemon which monitors the `.JamfEnrollmentSetupDone` flag file. It then launches a script or a custom Jamf Pro policy trigger. Since this LaunchDaemon runs independently from Setup Manager, so it can run installers or scripts that might quit login window or Setup Manager.
However, if you have set Setup Manager to automatically shut down or restart at the end, this will interrupt the finished script or policy, unless the automated delay is long enough. Use the [`finalAction`](../ConfigurationProfile.md#finalAction) value of `none` to remove the button and countdown from the Setup Manager UI. However, now it the responsibility of the finishing process to restart the Mac or quit the Setup Manager process, otherwise Setup Manager will keep blocking the UI.
The finished script or custom trigger are configured in the Setup Manager configuration profile, with the [`finishedScript`](../ConfigurationProfile.md#finishedScript) and [`finishedTrigger`](../ConfigurationProfile.md#finishedTrigger) keys.
The SetupManagerFinished daemon logs its output (and the output of the policy and scripts to `/private/var/log/setupManagerFinished.log`.

71
Docs/FAQ.md
View File

@@ -1,6 +1,6 @@
# Frequently Asked Questions
## Is there are custom JSON Schema for Jamf Pro?
## Is there a custom JSON Schema for Jamf Pro?
[Yes.](Extras.md#custom-json-schema-for-jamf-pro)
@@ -12,37 +12,60 @@ Yes, use the top-level `background` key and point it to a local image file or a
There can be many causes for this. A few common causes are:
- Jamf Pro: check that Setup Manager is added to your prestage and the package does not have the label "Availability pending" in Settings> Packages
- Jamf Pro: do not install JamfConnect.pkg in prestage when you want to use Setup Manager. Install JamfConnect with Setup Manager instead
- you need at least one of the 'Setup Assistant Options' in the prestage to be set to _not_ skip. Location Services or 'Choose your Look' are common choices, that you generally want to leave up the user anyway. Otherwise Setup Assistant may quit before Setup Manager can launch and do its actions.
- you need at least one of the 'Setup Assistant Options' in the prestage to be set to _not_ skip. Location Services is a good choice that you generally want to leave up the user anyway. Otherwise, Setup Assistant may quit before Setup Manager can launch and do its actions.
- Jamf Pro:
- check that Setup Manager is added to your prestage and the package does not have the label "Availability pending" in Settings> Packages
- in Prestage > Enrollment Packages verify that the Distribution Point is set correctly (it resets to "none" when you remove the last enrollment package)
## Does Setup Manager require Jamf Connect
No.
Setup Manager will run fine without Jamf Connect. You can even build 'single-touch' style workflows with Setup Manager without Jamf Connect. Some features, such as pre-assigning a device to a specific user require Jamf Connect, though.
Setup Manager will run fine without Jamf Connect. You can even build 'single-touch' style workflows with Setup Manager without Jamf Connect. Some workflows, such as pre-assigning a device to a specific user require Jamf Connect, though.
## How can I use the icon for an app before the app is installed?
- preinstall icon files with a custom package installer in prestage. Set the priority of the media/branding package lower than that for Setup Manager, or give the branding/media package a name that is alphabetically earlier than Setup Manager, so it installs before Setup Manager
- use http(s) urls to the image files
- you can host them on a web server/service that you have control over
- you can add the icon as an icon for a self service policy in Jamf and then copy the url to the icon once uploaded
- you can add the icon to a Self Service policy in Jamf and then copy the url to the icon once uploaded
## What is happening during "Getting Ready" and "Finishing"?
During the "Getting Ready" phase, Setup Manager is waiting for the enrollment configuration to be complete. The steps taken during these phases depend on the version of Setup Manager and the management system.
When enrolled into Jamf Pro, Setup Manager runs (among other things) a recon/Update Inventory during "Getting Ready" and "Finshing." This will make up most of the time in these phases.
When enrolled into Jamf Pro, Setup Manager runs (among other things) a recon/Update Inventory during "Getting Ready" and "Finishing." This will make up most of the time in these phases.
You can open the log window (command-L) or review the [log file](Extras.md#logging) for detail for each step. Should Setup Manager stall during one of these steps, you can [quit](Extras.md#quit) out of Setup Manager and review the [log file](Extras.md#logging) after completing the setup.
## (Jamf Pro) Getting Ready is taking very long (several minutes). What is happening and can I do something to make it faster?
The "Getting Ready" phase prepares some steps and waits for all essential Jamf Pro components (the jamf binary, certificates, Jamf.app, etc.) to be installed and configured before starting with the actual enrollment workflow. Depending on the network connection this might take a while.
Note that you can see the individual steps and the timing for each step in the [Setup Manager log file](Extras.md#logging)].
Once Jamf Pro's enrollment workflow is complete, Setup Manager runs a full update inventory/recon. In general, if the recon takes a long time, you should review the inventory collection settings. Calculating home directory sizes and gathering fonts can take a lot of time and CPU power, and speed up things significantly when turned off, not just during enrollment with Setup Manager. You should also review extension attributes, for how long each one runs.
Mac App Store/VPP and Jamf App Installer apps that are scoped to the computer will also begin installing _immediately_ after enrollment. Since macOS will only perform one installation at a time, these might delay the installation of essential Jamf Pro components. You can create smart groups to defer these installations.
With Setup Manager 1.3 and higher, you can check whether apps are getting installed before Setup Manager starts the actions in the Setup Manager log.
You can open the log window (command-L) or review the [log file](Extras.md#logging) for detail for each step. Should Setup Manager stall during one of these steps, you can [quit](#quit) out of Setup Manager and review the [log file](Extras.md#logging) after completing the setup.
## Can I set the wallpaper/desktop picture or dock with Setup Manager?
The settings for the dock and wallpaper/desktop picture are _user_ settings. Since the user account usually does not yet exist when Setup Manager runs, you cannot affect those settings.
What you can do is run a script at login which sets the desktop (using [desktoppr](https://github.com/scriptingosx/desktoppr) ) or the dock (using [dockutil](https://github.com/kcrawford/dockutil) or a similar tool). You can use the Jamf Pro login trigger for this, or create a custom LaunchAgent or use [outset](https://github.com/macadmins/outset/)
What you can do is run a script at login which sets the desktop (using [desktoppr](https://github.com/scriptingosx/desktoppr) ) or the dock (using [dockutil](https://github.com/kcrawford/dockutil) or a similar tool).
## If Setup Manager cannot do it, how can I run scripts at first login
There are several options:
- custom launch agent
- [outset](https://github.com/macadmins/outset/)
- Jamf Pro: [Self Service macOS Onboarding](https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/macOS_Onboarding.html)
- Jamf Pro: [policy with a login trigger](https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Login_Events.html)
## Can Setup Manager run at first login, rather than right after enrollment?
@@ -52,3 +75,33 @@ With Jamf Pro, you can set the Setup Manager pkg to install at the `login` trigg
This is not, however, the primary workflow for Setup Manager and not something that we will test or verify. We believe running right after enrollment over Setup Assistant is the preferable deployment.
With Jamf Pro, you should consider [macOS Onboarding in Self Service](https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/macOS_Onboarding.html) or a [login trigger](https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Login_Events.html) instead.
## Installer or Policy Script is failing with access errors
For some policy scripts or installers it may be necessary to give the Setup Manager app Full Disk Access or some other exemptions with a PPPC Profile.
## Installomator actions are all failing
The log shows exit code 4, which means the download was rejected.
Installomator uses Gatekeeper to verify the downloads. When Gatekeeper is set to allow Mac App Store apps only it will reject all third party apps and installers and the verification will fail.
## Can I set Installomator variables?
Yes. The `installomator` action has an `arguments` key, which takes an array strings, one for each argument. With this, you can override variables in Installomator.
Example:
```xml
<dict>
<key>label</key>
<string>Example App</string>
<key>installomator</key>
<string>example</string>
<key>arguments</key>
<array>
<string>downloadURL=https://example.com/alternativeURL</string>
</array>
</dict>
```

12
Docs/JamfPro-QuickStart.md
View File

@@ -47,12 +47,12 @@ You can add more actions here. There are more types of actions available, you ca
## Scoping and Prestage
- Scope the configuration profile to the computers you want to run Setup Manager on
- scope the configuration profile to the computers you want to run Setup Manager on
- create a new Prestage or duplicate an existing one
- Add the Setup Manager pkg and the configuration profile to the Prestage
- if you have JamfConnect.pkg in the Prestage, remove it. You can later add an action to install JamfConnect using Setup Manager.
- add the Setup Manager pkg and the configuration profile to the Prestage
- when installing and using Jamf Connect Login, ensure you have the latest version
- ensure that 'Automatically advance through Setup Assitant' is _disabled_
- Have at least one Setup Assistant option _disabled_ (so that _is_ displayed)
- have at least one Setup Assistant option which shows before user creation _disabled_ (so that _is_ displayed), we recommend the Location Services or Terms and Conditions pane
- ensure your test Mac(s) is (are) assigned to the Prestage
## Wipe the Test Mac
@@ -66,5 +66,5 @@ You can add more actions here. There are more types of actions available, you ca
- add more [actions](../ConfigurationProfile.md#actions) to Setup Manager, you can use more Jamf Pro policies, Installomator labels, or shell actions
- automate computer naming with a [computer name template key](../ConfigurationProfile.md#computerNameTemplate)
- add [a `help` section](../ConfigurationProfile.md#help) to let the user know what is going on
- ideally automated deployments shouldn't require manual entry, but if necessary, you can configure a [user entry](../ConfigurationProfile.md#user-entry) section in the profile
- optionally, add [a `help` section](../ConfigurationProfile.md#help) to let the user know what is going on
- ideally automated deployments shouldn't require manual data entry, but if necessary, you can configure a [user entry](../ConfigurationProfile.md#user-entry) section in the profile

6
Docs/JamfProConnect-SingleTouch.md
View File

@@ -16,7 +16,9 @@ You can use a combination of Jamf Pro, Setup Manager and Jamf Connector, to get
Customized Enrollment with SSO is not _required_ for this workflow. The assignment to the final user is set from the email entered in Setup Manager. Nevertheless, customized enrollment with SSO is useful in this context since restricts Mac enrollment to a group of authorized accounts.
You should have Jamf Pro and Jamf Connect configured with the required SSO integrations and thoroughly tested before configuring this workflow.
You should have Jamf Pro and Jamf Connect configured with the required SSO integrations and thoroughly tested before configuring this workflow.
Verify that "Collect User and Location information from Directory Service" is **enabled** in Settings > Computer management > Inventory collection.
## Configure Setup Manager
@@ -86,6 +88,8 @@ Then create a Smart Group named "Setup Manager Done" with the criteria `"Setup M
## Pre-set user for Jamf Connect
Note: this step only works with Entra ID as the Identity Provider.
Jamf Connect Login allows pre-configuring the user. Create a configuration profile named "Jamf Connect Enrollment User" to the preference domain `com.jamf.connect.login` with the following property list:
```xml

87
Docs/Network.md Normal file
View File

@@ -0,0 +1,87 @@
# Network Connectivity
Setup Manager can display the current network status in the top right corner of the main window.
By default, the icon will only appear when
- there is no network connection or the connection is lost
- Network Relay is configured
- the `networkCheck` array is present in the profile, even when it is empty
You can always manually toggle the visibility of the network status icon with command-N.
The icon will show the network "globe" icon when the network is connected, the icon with a slash when it is disconnected, and the icon with a small shield when it is connected and Network Relay is configured.
You can click on the icon for more detailed information:
- network connection name
- IP addresses (IPv4 and IPv6, when present)
- Network Bandwidth information (these take a while to appear, be patient)
- When Network Relay is configured, it will show the connectivity to the HTTP3/QUIC and HTTP2 hosts
- Connectivity to certain hosts
- by default, the Jamf Server will be shown
- You can add a list of custom hosts in the configuration profile
### `networkCheck`
(array of dict, optional)
Provides a list of hosts to check connectivity to. These will be shown in the 'Connectivity' section in the network info pane.
Each dict in this array represents a check for a connection to a host. The dict can contain the following keys:
#### `host`
(string)
The host name, e.g. `host.example.com` (no url scheme) to test a connection to.
#### `port`
(integer, optional, default: `443`)
The port to test a connection to.
#### `protocol`
(string, optional, default: `tcp`)
The connection protocol to test: `tcp` or `udp`.
#### `label`
(string, localizable, optional)
A display label for the connection test.
Example:
```xml
<key>networkCheck</key>
<array>
<dict>
<key>host</key>
<string>map.wandera.com</string>
<key>label</key>
<string>Intranet Maps</string>
<key>port</key>
<integer>443</integer>
<key>protocol</key>
<string>tcp</string>
</dict>
</array>
```
Example: empty `networkCheck` array to force Network icon to always show
```xml
<key>networkCheck</key>
<array/>
```
## Network Change logging
Setup Manager 1.3 adds logging for changes to network interfaces. It is possible that there will multiple entries in the log with regards to the same network change. Most changes logged will be neutral and should not affect your deployment negatively.
However, it is possible that changes to the network configuration of a device can influence the deployment workflow. Changes to network or Wi-Fi configurations and other network or security tools might disrupt the network connectivity during enrollment. This might interrupt or cancel downloads.
For example, when a configuration profile with the access information for a secure corporate Wifi is installed on the device, then the download access to required resources might change. Another example are security tools that might lead to restricted access for downloads (Installomator uses `curl` to download data, which might trigger security tools.)
Checking the log for network changes or outages during enrollment can be useful for troubleshooting.

164
Docs/Webhooks.md Normal file
View File

@@ -0,0 +1,164 @@
# Webhooks
#### `webhooks`
(Dict, optional)
Setup Manager can send webhooks to inform other services of its status. The configuration for the webhooks in all stored under the top-level `webhooks` key.
The webhooks dict can contain two keys, both of which are again dicts. `started` defines the webhook or webhooks that are called when Setup Manager starts its workflow, and the other `finished` defines the webhook or webhooks when it finishes the workflow.
When the either the `started` or `finished` key is missing, no webhook will be sent for that event.
Example:
```xml
<key>webhooks</key>
<dict>
<key>finished</key>
<string>https://example.com/webhook-finish</string>
<key>started</key>
<string>https://example.com/webhook-start</string>
</dict>
```
### Multiple webhooks
You can send multiple services per event:
```xml
<key>webhooks</key>
<dict>
<key>finished</key>
<array>
<string>https://example.com/webhook-finish</string>
<string>https://otherservice.com/abc123456</string>
</array>
<key>started</key>
<array>
<string>https://example.com/webhook-start</string>
<string>https://otherservice.com/abc123456</string>
</array>
</dict>
```
### WebHook Data
For the `started` webhook, Setup Manager attaches this data:
```json
{
"name": "Started", // string
"event": "com.jamf.setupmanager.started" // string
"timestamp": "2025-01-14T15:11:28Z", // time setup manager started, date as string, iso8601
"started": "2025-01-14T15:11:27Z", // time webhook was sent, date as string, iso8601
"modelName": "MacBook Air", // string
"modelIdentifier": "Mac14,2", // string
"macOSBuild": "24C101", // string
"macOSVersion": "15.2.0", // string
"serialNumber": "ABCD1234DE", // string
"setupManagerVersion": "1.2" // string
"jamfProVersion": "11.13.0" // optional, only for Jamf Pro, string
"jssID": 1234 // optional, only when `jssID` is set in profile, string
}
```
The data for the `finished` webhook includes the same as above, with some additional fields:
```json
{
"name": "Finished", // string
"event": "com.jamf.setupmanager.finished" // string
"duration": 53, // integer
"finished": "2025-01-14T15:12:20Z", // time Setup Manager finished, date as string, iso8601
"computerName": "Mac-123456" // computer name, only when set through Setup Manager
"userEntry": { // data entered by the user
"department": "IT",
"computerName": "IT-ABC123",
"userID": "a.b@example.,com",
"assetTag": "abc54321"
},
"enrollmentActions": [ // array of enrollmentActions with status
{
"label": "Microsoft 365",
"status": "finished" // status: "finished" or "failed"
},
{
"label": "Google Chrome",
"status": "finished"
},
{
"label": "Jamf Connect",
"status": "finished"
},
],
}
```
### Microsoft Teams
When you set up [an incoming webhook workflow with Microsoft Teams](https://support.microsoft.com/en-us/office/create-incoming-webhooks-with-workflows-for-microsoft-teams-8ae491c7-0394-4861-ba59-055e33f75498) the json payload is expected in a certain format.
**Important Note:** _The Teams Workflow Webhook URL will contain ampersands `&`. Since configuration profiles are XML files, you need to escape/replace all ampersands in the URL with the XML escape sequence `&amp;`._
Use this webhook format in the Setup Manager profile:
```xml
<dict>
<key>kind</key>
<string>teams</string>
<key>url</key>
<string>--insert url from Teams Workflows here--</string>
</dict>
```
This `dict` replaces the simple `string` syntax.
### Slack
You can also [configure Slack to receive messages on webhook url](https://api.slack.com/messaging/webhooks).
Use this webhook format in the Setup Manager profile:
```xml
<dict>
<key>kind</key>
<string>slack</string>
<key>url</key>
<string>--insert url from Slack here--</string>
</dict>
```
### Multiple webhooks
You can send multiple services per event:
```xml
<key>webhooks</key>
<dict>
<key>finished</key>
<array>
<string>https://example.com/webhook-finish</string>
<dict>
<key>kind</key>
<string>teams</string>
<key>url</key>
<string>--insert url from Teams Workflows here--</string>
</dict>
</array>
<key>started</key>
<array>
<string>https://example.com/webhook-start</string>
<dict>
<key>kind</key>
<string>teams</string>
<key>url</key>
<string>--insert url from Teams Workflows here--</string>
</dict>
</array>
</dict>
```
### Webhooks in Debug mode
Webhooks are generally _not_ sent when DEBUG is set to true. However, if you set a `DEBUG` key to `true` _inside_ the webhooks dictionary to true, webhooks will be sent, even when global DEBUG is enabled.

24
Examples/sample-com.jamf.setupmanager.plist
View File

@@ -15,7 +15,7 @@
<key>label</key>
<dict>
<key>de</key>
<string>Zeitzone setzen</string>
<string>Zeitzone einstellen</string>
<key>en</key>
<string>Set Time Zone</string>
<key>es</key>
@@ -28,6 +28,12 @@
<string>Imposta il fuso orario</string>
<key>nl</key>
<string>Tijdzone instellen</string>
<key>sv</key>
<string>Ställ in tidszon</string>
<key>nb</key>
<string>Angi tidssone</string>
<key>pl</key>
<string>Ustal strefę czasową</string>
</dict>
<key>requiresRoot</key>
<true/>
@@ -91,6 +97,12 @@
<string>Sii paziente mentre Setup Manager configura il tuo nuovo Mac.</string>
<key>nl</key>
<string>Even geduld terwijl Setup Manager je nieuwe Mac configureert.</string>
<key>pl</key>
<string>Prosimy o cierpliwość, podczas gdy Setup Manager konfiguruje Twojego nowego Maca.</string>
<key>sv</key>
<string>Ha tålamod medan Setup Manager konfigurerar din nya Mac.</string>
<key>nb</key>
<string>Vær tålmodig mens Setup Manager konfigurerer den nye Mac-en din.</string>
</dict>
<key>title</key>
<dict>
@@ -99,15 +111,21 @@
<key>en</key>
<string>Welcome!</string>
<key>es</key>
<string>¡Bienvenido!</string>
<string>¡^[^[Bienvenido](inflect: true)](inflectionAlternative: &apos;Te damos la bienvenida&apos;)!</string>
<key>fr</key>
<string>Bienvenu!</string>
<key>he</key>
<string>ברוכים הבאים!</string>
<key>it</key>
<string>Benvenuto!</string>
<string>^[Benvenuto](inflect: true, inflectionAlternative: &quot;Ciao&quot;)!</string>
<key>nl</key>
<string>Welcom!</string>
<key>pl</key>
<string>Witamy!</string>
<key>sv</key>
<string>Välkommen</string>
<key>nb</key>
<string>Velkommen</string>
</dict>
<key>userEntry</key>
<dict>

3
LICENSE.md
View File

@@ -1,2 +1 @@
Offered under the terms of the [Jamf Concepts Use Agreement](https://resources.jamf.com/documents/jamf-concept-projects-use-agreement.pdf).
Offered under the terms of the [Jamf Software License and Service Agreement](https://resources.jamf.com/documents/jamf-SLASA.pdf).

27
README.md
View File

@@ -4,8 +4,8 @@
_"Every Assistant has a Manager"_
![Setup Manager Logo](https://img.shields.io/badge/macOS-12%2B-success)
![Setup Manager Logo](https://img.shields.io/badge/macOS-13.5%2B-success)
Updates are published in the '[Releases](https://github.com/jamf-concepts/setup-manager/releases)' section of the repo. There you can also [download the latest pkg installer](https://github.com/jamf-concepts/setup-manager/releases/latest). You can subscribe to notifications for the repo using the 'Watch' button above.
Please report issues, feature requests [as an issue.](https://github.com/jamf-concepts/setup-manager/issues)
@@ -20,7 +20,7 @@ There is also a [`#jamf-setup-manager`](https://macadmins.slack.com/archives/C07
There are many enrollment progress tools available for Mac admins, each with their own strengths. Jamf Setup Manager approaches the problem from the perspective of an IT service provider.
Setup Manager offers many of the same features of these utilities but is especially useful for the case where an IT department or provisioning depot wants to ensure that a new Mac is properly configured and assigned before sending the device to its new user. It runs over Setup Assistant before a user is created so it won't interfere with MDM-capable user or the secure token flow for FileVault. You can control which policies and installations Setup Manager runs with a configuration profile.
Setup Manager offers many of the same features of these utilities but is especially useful for the case where an IT department or provisioning depot wants to ensure that a new Mac is properly configured and assigned before sending the device to its new user. It runs over Setup Assistant before a user is created, so it won't interfere with MDM-capable user or the secure token flow for FileVault. You can control which policies and installations Setup Manager runs with a configuration profile.
Setup Manager provides:
@@ -30,10 +30,10 @@ Setup Manager provides:
- zero-touch (user-driven)
- single-touch (tech-driven)
- user initiated enrollment
- handsfree deployment with auto advance (beta)
- handsfree deployment with AutoAdvance (beta)
- customized branding
- localized interface and custom text
- support for Jamf Pro and Jamf School
- localized interface and localizable custom text
- works with Jamf Pro and Jamf School
## Installation and Configuration
@@ -42,29 +42,28 @@ Setup Manager provides:
- zero-touch and user-initiated deployments (forthcoming)
- [extra installations based on user data entry](Docs/JamfPro-TwoPhase.md)
- [Single-touch workflow with user re-assignment using Jamf Connect](Docs/JamfProConnect-SingleTouch.md)
- [handsfree deployment with auto advance and Setup Manager at login window (beta)](Docs/JamfPro-LoginWindow.md)
- [handsfree deployment with AutoAdvance and Setup Manager at login window (beta)](Docs/JamfPro-LoginWindow.md)
- [Jamf School](Docs/JamfSchool-Setup.md)
- [Extras and Notes](Docs/Extras.md)
- [Frequently Asked Questions](Docs/FAQ.md)
- [Webhooks](Docs/Webhooks.md)
- [Network Connectivity Checks](Docs/Network.md)
## Configuration Profile
The structure of the configuration profile [is documented here](ConfigurationProfile.md).
There is also a [custom schema for Jamf Pro](Docs/Extras#custom-json-schema-for-jamf-pro).
There is also a [custom schema for Jamf Pro](Docs/Extras.md#custom-json-schema-for-jamf-pro).
## Requirements
Setup Manager requires macOS 12.0.0 or higher. It will work only with Jamf Pro or Jamf School.
Setup Manager requires macOS 13.5 or higher. It will work only with Jamf Pro or Jamf School.
## Known Issues
- Setup Manager will **_not_** launch at enrollment with Auto-Advance enabled, use the option to run at login window
- Setup Manager may **_not_** launch or launch and quit quickly when you disable _all_ Setup Assistant screens, leave at least one Setup Assistant option enabled, or use the option to run at login window
- When you install **_Jamf Connect_** during the Prestage together with Setup Manager, you may see Setup Assistant for some time before Setup Manager launches or Setup Manager may not launch at all. Remove Jamf Connect from the Prestage and install it with Setup Manager policy or installomator action.
- Policies that are triggered by `enrollmentComplete` may disrupt Setup Manager running from Prestage/Automated Device Enrollment. Disable or unscope policies triggered by `enrollmentComplete` on devices using Setup Manager.
- In some deployments, Setup Manager attempts to start while Jamf Pro is still installing. Try adding a 30-60 second `wait` action as the first action.
- With Jamf School, there will a few seconds after the remote management dialog where Setup Assistant shows before Setup Manager launches. With the Jamf School enrollment architecture, this is unavoidable.
- Setup Manager may **_not_** launch or launch and quit quickly when you disable _all_ Setup Assistant screens and skip user creation, leave at least one Setup Assistant option that shows _before_ the user creation enabled, or use the option to run at login window
- Policies that are triggered by `enrollmentComplete` may delay or even disrupt Setup Manager running from Prestage/Automated Device Enrollment. Disable or un-scope policies triggered by `enrollmentComplete` on devices using Setup Manager.
---