JAMF deployment

A complete JAMF rollout requires three pieces:

  1. A Bootstrap script that writes /etc/preamp/bootstrap.env before the .pkg installs. This carries the org enrollment token and the assigned user’s email so each device attributes to a real person on the Workforce tab.
  2. The managed .pkg, deployed via a JAMF policy.
  3. A PPPC Profile granting Full Disk Access to the agent’s binary.

An optional Configuration Profile with preference domain ai.preamp tunes runtime settings (schedule, full-backup interval, allow-uninstall, custom apiUrl for air-gapped installs). Not required for enrollment.

Prerequisites

  • Preamp admin console access (to generate an enrollment token).
  • JAMF Pro tenant with permission to upload scripts, configuration profiles, and packages.
  • The signed preamp-managed-<version>.pkg. See Package downloads for the URL and SHA-256 verification steps.
  • At least one verified domain for your org under app.preamp.ai → Settings → Domains. Without it, devices still back up but land in the per-org unattributed bucket on the Workforce tab instead of attributing to a real person.

Steps

  1. Generate an enrollment token in the Preamp admin console (https://app.preamp.ai/org/fleet/devices?tab=enrollment). Copy it immediately; the plaintext is shown only once.

  2. Add the bootstrap script to JAMF. In Settings → Computer Management → Scripts create a new script named Preamp bootstrap with these parameter labels:

    Parameter   | Label        | Value at policy time
    Parameter 4 | Org token    | The token from step 1.
    Parameter 5 | User email   | JAMF substitution for the assigned user’s email (typically the EMAIL field from User and Location). Must be a verified-domain address for per-person attribution.
    Parameter 6 | Display name | Optional. JAMF substitution for the assigned user’s real name (often $REALNAME).

    Paste this body:

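    #!/bin/bash
    # Writes /etc/preamp/bootstrap.env for the Preamp postinstall to read.
    set -euo pipefail
    
    # JAMF reserves parameters 1-3 (mount point, computer name, username);
    # parameters 4-6 are the ones labelled in the table above.
    TOK="${4:-}"   # org enrollment token (required)
    EM="${5:-}"    # assigned user's email
    NM="${6:-}"    # assigned user's display name (optional)
    
    if [[ -z "$TOK" ]]; then
      echo "preamp bootstrap: parameter 4 (org token) is required" >&2
      exit 1
    fi
    
    # Directory is accessible to root only.
    mkdir -p /etc/preamp
    chmod 0700 /etc/preamp
    
    # umask 077 means the file is never created with group/other access,
    # even before the explicit chmod below.
    umask 077
    {
      printf 'PREAMP_ORG_TOKEN=%s\n' "$TOK"
      printf 'PREAMP_USER_EMAIL=%s\n' "$EM"
      printf 'PREAMP_USER_NAME=%s\n'  "$NM"
    } > /etc/preamp/bootstrap.env
    chmod 0600 /etc/preamp/bootstrap.env

  3. Upload the managed .pkg (preamp-managed-<version>.pkg) to JAMF’s package repository.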

  4. Create the deployment policy. Computers → Policies → New:

    • Scripts payload: add the Preamp bootstrap script. Set Priority to Before. Fill in the parameters per the table above.
    • Packages payload: add preamp-managed-<version>.pkg.
    • General → Trigger: Check-in.
    • General → Frequency: Once per computer.
    • Scope: the target Macs.

    The script writes the bootstrap file, then the .pkg installs, then the postinstall reads the file, runs preamp enroll as the console user, and deletes the bootstrap file on success.

  5. Import the PPPC template (installers/macos/pppc-template.xml from the agent repo) into JAMF’s PPPC Utility, fill in $TEAM_ID and $CODE_REQUIREMENT from your signed binary, and upload the resulting profile. See the PPPC profile guide for the exact codesign invocations.

  6. Scope the PPPC profile to the same target set as the deployment policy.

  7. (Optional) Tune runtime settings via Configuration Profile. If you need to override the default schedule, set a custom apiUrl for air-gapped installs, or enable user-initiated uninstall, create a Configuration Profile in JAMF Pro using the Application & Custom Settings payload with preference domain ai.preamp. See the managed preferences reference for available keys. The Configuration Profile is independent of enrollment.

Verification

On a target Mac after the policy runs:

  • /etc/preamp/bootstrap.env is absent (the postinstall deletes it on successful enroll; presence means enroll failed, check the policy run log).
  • The agent appears in System Settings → Privacy & Security → Full Disk Access with a grey toggle (meaning an MDM granted it).
  • The device shows up under the assigned user on app.preamp.ai/org/inventory/workforce. If it lands under Unattributed devices, the assigned user’s email domain isn’t in the org’s verified-domains list. Add it under app.preamp.ai → Settings → Domains and retry; the next policy run re-attributes the device.

Failure modes

  • Console user is root at install time (login window, fresh image before first login). The postinstall logs “no console user; deferring enroll until next policy run” and leaves the bootstrap file in place. The next JAMF policy run picks it up.
  • Bootstrap env file is malformed (typo in a key, missing =). The agent’s parser rejects malformed lines and preamp enroll exits non-zero, visible in the JAMF policy log. The bootstrap file stays in place for diagnosis.
  • Email is outside the org’s verified domains. Enroll succeeds but the device lands in the unattributed bucket. Verify your org domains and retry; the bootstrap file is removed on first successful enroll regardless of attribution outcome.
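
The bootstrap-file check from Verification and the malformed-file case from Failure modes can be scripted for a fleet audit. The following is an added example, not Preamp’s code and not the agent’s parser: the path and key names come from the bootstrap script above, while the exit codes and the rule that only those three keys are valid are assumptions of this example. It never prints a value, so the token stays out of audit output.

```sh
#!/bin/sh
# Added example: audit a leftover Preamp bootstrap file without printing values.
# Exit codes are this script's own convention (assumption, not the agent's):
#   0 = file absent (postinstall removed it after a successful enroll)
#   1 = present and well-formed (enroll deferred or failed; read the policy log)
#   2 = present but malformed, missing the token, or readable by group/other
check_bootstrap_env() {
  local f rc n seen_token line perms
  f="${1:-/etc/preamp/bootstrap.env}"
  [ -e "$f" ] || { echo "ok: $f absent"; return 0; }
  rc=1 n=0 seen_token=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in
      PREAMP_ORG_TOKEN=?*) seen_token=1 ;;
      PREAMP_ORG_TOKEN=|PREAMP_USER_EMAIL=*|PREAMP_USER_NAME=*) ;;
      *=*) echo "bad: line $n: unexpected key '${line%%=*}'"; rc=2 ;;
      *) echo "bad: line $n: missing '='"; rc=2 ;;
    esac
  done < "$f"
  [ "$seen_token" -eq 1 ] || { echo "bad: no non-empty PREAMP_ORG_TOKEN"; rc=2; }
  # Characters 5-10 of the ls mode string are the group and other bits;
  # the bootstrap script's chmod 0600 leaves them all as '-'.
  perms=$(ls -ld "$f" | cut -c5-10)
  [ "$perms" = "------" ] || { echo "bad: mode grants group/other access"; rc=2; }
  [ "$rc" -eq 1 ] && echo "pending: $f well-formed; enroll has not completed"
  return "$rc"
}

# Constructed sample (placeholder token, mistyped key) to show a code-2 result.
demo=$(mktemp)
printf 'PREAMP_ORG_TOKEN=EXAMPLE-NOT-A-REAL-TOKEN\nPREAMP_USER_EMIAL=a@example.com\n' > "$demo"
check_bootstrap_env "$demo" || echo "exit code: $?"
rm -f "$demo"
```

On a managed Mac, call `check_bootstrap_env` with no argument as root to audit the real path.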

Uninstall

Deploy preamp-uninstaller-<version>.pkg via the same JAMF policy mechanism. The uninstaller pkgutil --forgets itself so repeated runs are safe. If you set allowUninstall: true in a Configuration Profile, the uninstaller also removes per-user data trees.

Trust note

The org token is sensitive. It appears in JAMF policy logs unless logging is suppressed for the bootstrap script step. Treat it like any other secret in your MDM tenant, and rotate via app.preamp.ai → Settings → Enrollment tokens → Revoke if exposed. The postinstall removes the on-disk bootstrap file as soon as enroll succeeds; if you see the file lingering on a managed Mac, that’s a signal enroll didn’t complete.