Generating Manual Manifests for Jamf PreStage Enrollment Packages
Posted on 11th June 2020
It has been a long time coming, but in Jamf and Apple land we can now pre-install packages on the Mac during the enrollment process (DEP, now called Apple Device Enrollment). In our environment, we are switching from the old era of binding to the AD domain, where password syncs would break even while using Nomad, to the new (re-branded Nomad) Jamf Connect (see: https://www.jamf.com/products/jamf-connect/). Naturally, we would like to deploy Jamf Connect Login before anything else and use its Notify script to streamline the install progress and give the user information as the installs complete.
The specific error that you see under the Management Commands for the specific computer you are trying to enroll is “No manifest could be created for the package.”
Jamf Pro 10.19-10.21 have an issue that seems related to PI-007954, where Jamf Admin does not automatically calculate the size of the package and create a correct manifest for it. The manifest is required in order for macOS to install the packages defined in PreStage Enrollments. Since it is not generated correctly automatically, we must build one manually and upload it for each package we are going to use during the PreStage Enrollment.
There was not much information about this in the community forums on Jamf Nation, nor from Jamf themselves. After talking to support, here is what you need to do:
- Download the source for appmanifest from here: https://github.com/micromdm/tools/archive/v1.zip
- Extract the zipped folder and navigate to appmanifest in the terminal.
- Make sure you have Go installed using Homebrew (brew install go)
- Run go build appmanifest.go
- You should now have a binary called appmanifest that you can move to a more suitable place. I moved mine to the Desktop where the packages generated from Composer are. Run chmod +x appmanifest to make it executable.
cd tools-1/appmanifest/
brew install go
go build appmanifest.go
mv appmanifest ~/Desktop/
Generate the Package Manifest
- Upload the package using Jamf Admin or some other manual process. Reminder that all packages that you want to use in PreStage Enrollment must be stored on a publicly accessible https distribution point that is not using any authentication. I may do a writeup of how I set that up later since I did not want all of my packages on the public server.
- Run the command: ./appmanifest -url <urlofpackage> <pathoflocalpackage> > <pathandfilenametosavemanifest>
- Upload the manifest plist to the package in Jamf Pro’s Settings -> Computer Management -> Packages.
./appmanifest -url https://jamfdist.server.com/Packages/JamfConnectLogin-1.11.4.pkg ~/Desktop/JamfConnectLogin-1.11.4.pkg > ~/Desktop/JamfConnectLogin-1.11.4.plist
Example Package Manifest Upload
That is it! Now you should be able to test once you add the package to your PreStage enrollment profile. We were up and running in no time. Hopefully this issue will be resolved soon, but at least we can work around it for now.
“appmanifest.go:11:2: cannot find package “github.com/groob/plist” in any of”
There seem to be some dependencies here which are difficult to sort out.
I downloaded https://github.com/groob/plist and placed it in ~/go/github.com/groob/plist/ and then it compiled correctly. Not sure if this is the recommended way, but it worked.
I had some extra commands for others to help:
$ go get github.com/groob/plist
$ go build ./appmanifest.go
$ ./appmanifest -url https://yourmanageserver/unprotected/Rosetta2.pkg /Users/yourusername/Desktop/Rosetta2.pkg > /Users/yourusername/Desktop/Rosetta2.plist
If you get an error like this one:
appmanifest.go:11:2: no required module provides package github.com/groob/plist: go.mod file not found in current directory or any parent directory; see ‘go help modules’
Run in Terminal:
$ go env -w GO111MODULE=off
$ go get github.com/groob/plist
Next you can run: $ go build ./appmanifest.go
Are you still planning on doing a writeup on what you’re doing for hosting these enrollment packages? The Jamf Admin guide says you can secure the public distribution point with a JSON web token, but there’s not a lot of info on how you get that distribution point set up correctly for JAMF.
Didn’t work for it said invalid manifests in the logs on the Mac (expected different md5sums),
so made my own script based on the example Manifest of Apple: https://support.apple.com/en-eg/guide/deployment/dep873c25ac4/web
It uses a chunk size of 10 MiB like in the Apple document.
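Because the package is served from an unauthenticated HTTPS distribution point, the per-chunk MD5 list in the manifest is what the Mac compares the download against, and a mismatch produces the "invalid manifest" failure described in the last comment. The sketch below is an added example, not code from the post, the commenters or the appmanifest project: it builds a manifest and checks an existing one against the local package before upload. The key names (items, assets, kind, md5-size, md5s, url) follow Apple's manifest layout and the function names are hypothetical.

```python
import hashlib
import plistlib

CHUNK = 10 * 1024 * 1024  # 10 MiB, the chunk size mentioned in the last comment


def chunk_md5s(pkg_path, chunk_size=CHUNK):
    """Return the MD5 hex digest of each chunk_size-byte slice of the package."""
    digests = []
    with open(pkg_path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            digests.append(hashlib.md5(chunk).hexdigest())
    return digests


def build_manifest(pkg_path, url, chunk_size=CHUNK):
    """Build the manifest plist (bytes) for a package served at `url`."""
    if not url.startswith("https://"):
        raise ValueError("package URL must be https")
    asset = {"kind": "software-package", "md5-size": chunk_size,
             "md5s": chunk_md5s(pkg_path, chunk_size), "url": url}
    return plistlib.dumps({"items": [{"assets": [asset]}]})


def verify_manifest(manifest_bytes, pkg_path):
    """Return a list of problems; an empty list means manifest and package agree."""
    problems, checked = [], 0
    manifest = plistlib.loads(manifest_bytes)
    for item in manifest.get("items", []):
        for asset in item.get("assets", []):
            if asset.get("kind") != "software-package":
                continue
            checked += 1
            size = asset.get("md5-size")
            if not isinstance(size, int) or size <= 0:
                problems.append("missing or invalid md5-size")
                continue
            actual = chunk_md5s(pkg_path, size)
            expected = [d.lower() for d in asset.get("md5s", [])]
            if len(actual) != len(expected):
                problems.append(f"chunk count {len(expected)} != {len(actual)}")
            for i, (a, e) in enumerate(zip(actual, expected)):
                if a != e:
                    problems.append(f"chunk {i}: md5 mismatch")
    if not checked:
        problems.append("no software-package asset in manifest")
    return problems
```

Running verify_manifest on the generated plist and the exact file uploaded to the distribution point catches a stale or re-built package before the enrollment fails on the Mac.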