Jamf binary self-heal with the Jamf API

The first iteration of Jamf binary self-heal is here 🎉

Hot off the presses is Jamf Pro version 10.36, which includes the first iteration of a feature that a lot of admins have been waiting to see for a long time. 

Jamf binary self-heal! 🎉🎊

Have you ever had an instance where a computer has lost device trust and when you attempt to run any policies or a recon you get a Device Signature Error? Or someone sends in a ticket that Self Service isn't working and can't connect to the MDM server (due to Device Signature Error)? On 10.36 you now have a way to redeploy the Jamf management framework without having to unenroll and re-enroll a computer.

Jamf Pro accomplishes this by using the InstallEnterpriseApplication command, which means a computer in this state would still need to be receiving and processing MDM commands from your Jamf Pro server. You can usually tell this is the case if you check the Management History on a computer record and see commands running successfully. If so you can use the new jamf-management-framework API endpoint to reinstall the Jamf management framework (QuickAdd package) automatically and re-establish management with the Jamf Pro server.

A quick look at how you can use this new feature in Jamf Pro 10.36:

  1. Find the Jamf Pro Computer ID of the computer in this state. You can see it in the URL of the computer record or in the attribute Jamf Pro Computer ID on a computer record in Jamf Pro.
  2. Go to the Jamf Pro API (not the Classic API) by going to yourserver.com/api. Authorize with an account that has adequate access to send the command (or go with your admin account).
  3. Find the jamf-management-framework endpoint and click on it to expand the options. You'll see it can POST.
  4. Click the Try it out button. Enter the computer ID in the field and click Execute.
  5. On the computer record in the Management tab you should see a pending command for InstallApplication (this is a UI quirk, as any application install via MDM on 10.14+ uses InstallEnterpriseApplication by default).
  6. As long as the computer is online you should see the command run and the computer will go through re-enrollment once the QuickAdd installs. (This will honor re-enrollment settings as defined by the Jamf Pro re-enrollment settings on the server.)

You can also use a curl command with POST to redeploy the Jamf management framework. It would look something like this (where 3 is the computer ID in this scenario):

curl -X POST "https://yourserver.com/api/v1/jamf-management-framework/redeploy/3" -H "accept: application/json" -H "Authorization: Bearer bigLOngTOkEnTHiNghEre"

⚠️ Passing tokens or user:password auth in plaintext is dangerous business. Be careful where and how you invoke commands like the above. If you're not confident you can pass that information securely when running this command, just use the API endpoint outlined in the steps above and avoid running the command locally on a device.
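As an added example that is not part of the original post, here is a small shell script that wraps the curl call above while keeping credentials off the command line: it reads the password from the terminal with echo off, trades it for a short-lived bearer token, sends the redeploy command, and invalidates the token right away. It assumes the Jamf Pro API's POST /api/v1/auth/token (basic auth) and POST /api/v1/auth/invalidate-token endpoints, which the post does not mention, and that JAMF_URL and JAMF_USER are exported in the environment.

```shell
#!/bin/sh
# Added example, not from the original post: redeploy the Jamf management
# framework for one computer using a short-lived bearer token obtained at run
# time, so no token or password appears on the command line or in shell history.
set -eu

# Accept only a positive integer, so a typo cannot turn into an odd URL.
validate_computer_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Build the redeploy URL from the server base URL (trailing slash tolerated).
redeploy_url() {
  printf '%s/api/v1/jamf-management-framework/redeploy/%s' "${1%/}" "$2"
}

# Pull the "token" field out of the auth JSON reply without needing jq.
extract_token() {
  printf '%s' "$1" | sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

redeploy() {
  base="$1"; id="$2"; user="$3"
  validate_computer_id "$id" || { echo "computer ID must be numeric" >&2; return 2; }
  # Read the password with echo off; it is used once for the token request and discarded.
  printf 'Password for %s: ' "$user" >&2
  stty -echo 2>/dev/null || true; IFS= read -r pass; stty echo 2>/dev/null || true; echo >&2
  # Assumed Jamf Pro API token endpoint (basic auth over TLS) returning {"token":...,"expires":...}.
  token=$(extract_token "$(curl -fsS -X POST -u "$user:$pass" "${base%/}/api/v1/auth/token")")
  unset pass
  [ -n "$token" ] || { echo "failed to obtain a token" >&2; return 3; }
  rc=0
  # -w appends the HTTP status so the outcome (e.g. 202 accepted, 404 unknown ID) is visible.
  curl -sS -X POST "$(redeploy_url "$base" "$id")" \
       -H "accept: application/json" -H "Authorization: Bearer $token" \
       -w '\nHTTP %{http_code}\n' || rc=$?
  # Invalidate the token as soon as the command has been sent (assumed endpoint).
  curl -sS -X POST "${base%/}/api/v1/auth/invalidate-token" \
       -H "Authorization: Bearer $token" -o /dev/null || true
  return "$rc"
}
# Usage: JAMF_URL=https://yourserver.com JAMF_USER=apiuser sh redeploy.sh 3
# Runs only when JAMF_URL is set, so the file can be sourced for its functions.
if [ -n "${JAMF_URL:-}" ]; then
  redeploy "$JAMF_URL" "${1:?computer ID required}" "${JAMF_USER:?}"
fi
```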

To check for the installation of the QuickAdd locally on a device, you can filter log events like so:

log show --info --debug --predicate 'subsystem == "com.apple.ManagedClient" AND category == "ManagedApps"' --last 1h

And just to clarify, there are requirements for this functionality to work for you:

  • Jamf Pro server on version 10.36 or later
  • A computer must be MDM managed and receiving/processing MDM commands issued from the Jamf Pro server you expect it to be enrolled in and managed by

🔗 Here's a link to the original Jamf Nation feature request. 

🔗 Here's a link to Jamf Pro 10.36 release notes.

🔗 Developer docs for jamf-management-framework

Don't hesitate to submit new FRs or contact your support team if you have additional questions or feedback around this new feature.
