JSON Schemas in jamf

From around jamf 10.19 a new feature was added that is slowly gaining more traction: the ability to use JSON (JavaScript Object Notation) schemas in the Applications and Custom Settings payload. Over time jamf have updated and improved its functionality and ease of use. This article assumes you are on at least jamf 10.26.

So what does all that mean?
It means an app vendor, developer or anyone can create a schema that in turn can be used to create the Profile configuration directly in jamf rather than having to write XML or use other tools like ProfileCreator. This simplifies Profile creation and is a huge time saver.

So let’s give it a go….

Create a new Profile.
Name it and select a category just like creating any other Profile:

Once done scroll down and select the Applications and Custom Settings payload.

It will open up and show a few options:
Jamf Applications
External Applications
Upload

If you use other jamf applications such as the jamf connect suite (Login, Sync, Verify) you can set up the Profiles from here directly in jamf. For this article though we are going to use the External Applications option.

Select External Applications then click the +Add button on the right. The page will show as below with a Source dropdown:

Click the dropdown and you will see Repository and Custom Schema options. If you select Repository you will see an Application Domain dropdown and within this schemas for Chrome, MAU, Office, Outlook.

For this article let’s choose Custom Schema from the Source dropdown:

You will see a Preference Domain box and the Custom Schema box.

If we want to set up a Profile for NoMAD we would first enter the plist file name. The plist contains the configuration and will be created on the devices we scope the Profile to.

In the Preference Domain box enter com.trusourcelabs.NoMAD.json

Note the name is case sensitive so enter exactly as shown.

In the Custom Schema box we can now enter the JSON schema. Lucky for us, one has been created and you can find it here:
https://github.com/Jamf-Custom-Profile-Schemas/mscottblake-schemas/blob/master/com.trusourcelabs.NoMAD.json

Carefully copy and paste the JSON from github into the Custom Schema field. I usually select the Raw view on github, then select all and copy.

It should now look like this:

Now scroll down past the Custom Schema field and you will see the JSON transformed into configurable items right inside jamf.

Here you can see the keys you would set in XML as configurable items:

You may find all the configuration items are shown, but you can customise the list from +Add/Remove Keys. Simply check or uncheck the items you require and click OK:

Go ahead and create your Profile by selecting the options you want and adding in the configuration required. The schema creator has helpfully added links to the NoMAD pages for each item so you can quickly see what the config item refers to. Remember to click Save regularly.

When you are ready to test the Profile, scope it to your test Mac and save again to push it to that device.
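
As an added example (not part of the original article and not Jamf's own code), this Python script mirrors the steps above: it checks that pasted schema text is usable, validates chosen values against it, and renders the plist a profile would carry. The com.example.demo schema, its keys and the function names are constructed for illustration.

```python
import json
import plistlib

# Constructed sample schema for a hypothetical preference domain (com.example.demo).
SCHEMA_TEXT = """{
  "title": "Example Demo (com.example.demo)",
  "properties": {
    "ADDomain": {"title": "AD Domain", "type": "string"},
    "SecondsToRenew": {"title": "Renew interval", "type": "integer"},
    "HideQuit": {"title": "Hide Quit", "type": "boolean"},
    "LogLevel": {"title": "Log level", "type": "string", "enum": ["info", "debug"]}
  }
}"""

TYPES = {"string": str, "integer": int, "number": (int, float), "boolean": bool}

def load_schema(text):
    """Parse pasted text; fails on a bad copy (e.g. the HTML page, not the Raw view)."""
    schema = json.loads(text)  # JSONDecodeError is a ValueError
    props = schema.get("properties") if isinstance(schema, dict) else None
    if not isinstance(props, dict) or not props:
        raise ValueError("schema has no 'properties' object")
    for key, spec in props.items():
        if not isinstance(spec, dict) or str(spec.get("type")) not in TYPES:
            raise ValueError(f"{key}: missing or unsupported 'type'")
    return schema

def check_settings(schema, settings):
    """Return a list of problems; an empty list means the values fit the schema."""
    problems = []
    for key, value in settings.items():
        spec = schema["properties"].get(key)
        if spec is None:
            problems.append(f"{key}: not defined in schema (keys are case sensitive)")
            continue
        # bool is a subclass of int in Python, so reject True/False for numeric keys
        wrong_bool = isinstance(value, bool) and spec["type"] != "boolean"
        if wrong_bool or not isinstance(value, TYPES[spec["type"]]):
            problems.append(f"{key}: expected {spec['type']}")
        elif "enum" in spec and value not in spec["enum"]:
            problems.append(f"{key}: {value!r} not in {spec['enum']}")
    return problems

def build_plist(schema, settings):
    """Render the plist a profile would carry; refuse values that fail the check."""
    problems = check_settings(schema, settings)
    if problems:
        raise ValueError("; ".join(problems))
    return plistlib.dumps(settings, sort_keys=True)
```

Running load_schema on a schema copied from a third-party repository before pasting it into jamf catches a truncated or HTML-wrapped copy early.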

And that’s it. No more creating XML by hand, uploading, testing, editing and repeat. It can all be done in jamf.
This is just one example of a schema. There are many other JSON schemas on github and Jamf Nation; here are a few I’ve found:

Talkingmoose’s substantial list:
https://github.com/talkingmoose/jamf-manifests

AgileBits 1Password
Apple Safari
Google Chrome and Keystone – although this is already built in as described above
Jamf Products

Microsoft Defender, Edge, OneDrive, Outlook
SAP
https://github.com/Jamf-Custom-Profile-Schemas/JSON-Schema-for-Jamf-Pro-Applications-and-Settings-MDM-Payload

Safari
NoMAD
Zoom
macOS Notifications
https://github.com/bpstuder/jamf_custom_schema

BBedit
Transmit
https://github.com/chrisgrande/jamf-profile-schemas

Managed Installs
https://github.com/joshua-d-miller/JAMF-JSON-Schema

MS Edge
https://blogs.windows.com/msedgedev/2020/02/20/edge-profiles-jamf-applications-custom-settings/

Can’t find the schema you want?
I’ve not tried this but there is an app to help create the JSON schema. Give it a go and, if it works out, publish it for others on github.
Schema Builder
https://github.com/BIG-RAT/Managed-App-Schema-Builder

AppleScript Force Software Updates

I needed a simple way to force Macs to run all updates from the Apple App Store and then restart, but give users a notification and an option to defer for a set time.

This is what I came up with.

The AppleScript runs softwareupdate -l and, if anything is found, it then runs softwareupdate -i -a, which will install all available updates. After completion it kicks off a dialogue box informing the user that the Mac needs a restart. They have two options: defer for 5 minutes or restart straight away.

The script will be added to /Library/Scripts/ along with the linked company logo via a JAMF install on check-in.

It can be run via ssh into the Mac and osascript /Library/Scripts/update_restart_script.scpt or via a JAMF policy with a Process payload.

Hopefully this will be more reliable than JAMF policies, which either stay as pending or fail to restart the Mac even though set to Restart Immediately.


-- Check for available updates; softwareupdate -l marks each one with "*"
if (do shell script "softwareupdate -l") contains "*" then
    -- Install all available updates
    do shell script "softwareupdate -i -a"
    tell application "Finder"
        activate
        repeat -- forever, until the user clicks RESTART
            set answer to button returned of (display dialog "Mandatory updates have been applied." & return & "Your Mac is ready to restart." & return & return & "Please close all applications and click RESTART." & return & return & "For further information email: support@yourcompany.com" with title "Mandatory Security Update - Restart Required" with icon {"/Library/Scripts/logo.png"} buttons {"Wait 5 minutes", "RESTART"} default button "RESTART")

            if answer is equal to "RESTART" then
                tell application "Finder" to restart
                exit repeat
            else
                delay 300 -- time in seconds; 300 is 5 minutes
            end if
        end repeat
    end tell
end if

Stop High Sierra Installs and Updates

With High Sierra causing so many issues for Enterprise environments at the moment you may want to block the install. This can be achieved in various ways.

If you are using Jamf MDM then a simple Restricted Software policy can stop the install:

However, this won’t stop macOS downloading the updater in the background and prompting the user to install, but there are two other commands we can issue to try to stop auto updates and notifications:

To stop Auto Updates:
defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool FALSE

To turn Auto Updates back on:
defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool TRUE

To turn off High Sierra notifications:
sudo softwareupdate --ignore macOS High

And when you do want to allow notifications you can switch them back on with:
sudo softwareupdate --reset-ignored