enroll-ec2-mac is an AppleScript made to automatically enroll Amazon Web Services Elastic Compute Cloud (EC2) Mac instances into a mobile device management (MDM) solution. enroll-ec2-mac is made to ensure the MDM “pairing“ relationship isn't broken for MDM enrollment. Without that pairing, an EC2 Mac instance isn’t able to ”listen“ for new or updated profiles from the MDM server. enroll-ec2-mac performs all of this without any user interaction after AMI configuration (as per the instructions below). Included is a subroutine to automate the issuance and retrieval of Jamf enrollment profiles.
Included are AWS CloudFormation and HashiCorp Terraform templates to get these set up. Either of these will automate creating the AWS Secrets Manager secret, Identity and Access Management policy, role, and instance profile needed for enroll-ec2-mac to retrieve credentials. Alternatively, if using AWS Systems Manager Parameter Store instead, templates are also included, and a setting must be changed to match. Manual instructions to set up the secret are also included at the bottom of this page.
jamfSecret
, and requires 5 values for the following keys (with sample values below):
jamfServerDomain
("jamfurl.jamfcloud.com")
jamfEnrollmentUser
("enrollmentUserExampleName")
jamfEnrollmentPassword
("enrollment3x4mplep455w0rd")
jamfEnrollmentUser
field with the Client ID and jamfEnrollmentPassword
with the Client Secret.localAdmin
("ec2-user")
ec2-user
unless a change is made outside of these instructions. Must be an administrator account.localAdminPassword
("l0c4l3x4mplep455w0rd")
localAdmin
administrator account.sudo /usr/bin/dscl . -passwd /Users/ec2-user 'l0c4l3x4mplep455w0rd' ; sudo launchctl enable system/com.apple.screensharing ; sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.screensharing.plist
enroll-ec2-mac.scpt
in /Users/Shared
.
MMSecret
in the script, or writing the ID to a plist with the below command.
defaults write /Library/Preferences/com.amazon.dsx.ec2.enrollment.automation MMSecret "jamfSecret-YOUR-SECRET-ID"
, replacing what's in quotes with the ID or ARN of your secret.osascript /Users/Shared/enroll-ec2-mac.scpt --setup
--with-screen
flag to activate.
osascript /Users/Shared/enroll-ec2-mac.scpt --setup --with-screen
osascript
process and may be reverted programmatically, included in the cleanup routines if prodFlag
is set to 1
.
useDEPNotify
is set to true
, or the --with-screen
flag is used, prompts for App Management will appear and the screen will flash. DEPNotify is used to keep users from interfering in the enrollment process, but is optional if automatic login is set, since enrollment can transparently occur before a user logs in.launchctl unload -w /Library/LaunchAgents/com.amazon.dsx.ec2.enrollment.automation.startup.plist ; launchctl load -w /Library/LaunchAgents/com.amazon.dsx.ec2.enrollment.automation.startup.plist
sudo launchctl disable system/com.apple.screensharing ; sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.screensharing.plist
prodFlag
) is available to revoke permissions and remove files.“{{ }},{{ }}")
, it may not have access to the secrets it needs, or isn’t parsing them correctly.
jamfSecret
to the name or ARN of your secret):
aws secretsmanager get-secret-value --secret-id jamfSecret --query SecretString
enroll-ec2-mac has some options to customize to suit your deployment. To set any of these preferences, type defaults write com.amazon.dsx.ec2.enrollment.automation
, the key, and the value. For example, to set your secret ID (the only required setting), the full command would be:
defaults write com.amazon.dsx.ec2.enrollment.automation MMSecret "jamfSecretID-GoesHere"
(replacing "jamfSecretID-GoesHere"
with your secret ID or ARN)
MMSecret
is the ID of the secret for enroll-ec2-mac to read from. (default jamfSecret
)invitationID
is a value for the Jamf invitation ID (numeric string). By default this is read/generated via Jamf API, but can be manually set.retrievalType
changes how the secret is read. By default, this is set to SecretsManager
(AWS Secrets Manager), but may be set to ParameterStore
(AWS Systems Manager Parameter Store). (default SecretsManager
)useDEPNotify
activates (if set to true
) the DEPNotify UI that enroll-ec2-mac uses to shield the display from a user during enrollment. This is set to true
when the --with-screen
flag is used, and explicitly false
with the --no-screen
flag. (default false
, Note: changed from true
in earlier versions)autoLogin
enables/disables automatic login of the stored user. Note: it is recommended to use a User Data script during setup to automate this setting, as some versions of macOS require additional commands. (default true
)invPreload
enables inventory preload via Jamf API. Default setting in code is to set Vendor to AWS when enabled. (default false
)prodFlag
enables cleanup routines to reset the TCC databases, delete the script, and remove associated files. Some optional commands are included and commented out, including to remove the active instance profile. Set to 1
to enable. (default 0
, Note: changed from testFlag
in earlier versions, which was only available to set inline.)enroll-ec2-mac uses a single secret that contains 5 key/value pair entries: the Jamf URL (jamfServerDomain
), API credentials (jamfEnrollmentUser
& jamfEnrollmentPassword
), and local admin credentials (localAdmin
& localAdminPassword
). The first three are required to generate the profile, and the final two to apply them to the Mac. Example values are in Credential Setup at the top of the page. The EC2 instance needs an appropriate ㊙️🪪 IAM instance profile applied to itself to read these secrets, as well.
The Jamf API client or user account for enroll-ec2-mac only requires the Create permission for Computer Invitations, and none else. See below for an example of an ㊙️🪪 IAM instance profile including the appropriate access.
Please ensure that you have replaced the ARN next to "Resource" with the full ARN of your secret. If editing manually:
⚠️⇢region-name
with the appropriate AWS region (e.g. us-east-1
).1111222233333
with the appropriate AWS account ID.jamfSecret
with your applicable Secret ID.{
"Version": "2012-10-17"
"Statement": [
{
"Action": [
"secretsmanager:ListSecrets",
"secretsmanager:ListSecretVersionIds",
"secretsmanager:GetSecretValue",
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetRandomPassword",
"secretsmanager:DescribeSecret"
],
"Effect": "Allow",
"Resource": "arn:aws:secretsmanager:⚠️⇢region-name:111122223333:secret:jamfSecret",
"Sid": ""
}
]
}
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
"There's no step 13!"