Prevent Mac App From Launching During Onboarding

JVan
New Contributor II

Hello, I'm trying to include the Cloudflare WARP client install during the onboarding setup on our Macs. The issue is that once it installs, it auto-launches the menu bar app and a browser sign-in page. I would prefer if these two actions didn't launch automatically, and we would instruct the user to log in after the onboarding setup. Currently, we are just instructing users to install the app in Self Service after the onboarding process has finished. Any way to prevent Cloudflare from auto-launching after installing, or maybe a script to minimize the windows after it installs?

Thanks

11 REPLIES

sdagley
Esteemed Contributor III

@JVan Have you consulted the Cloudflare docs for managed deployment of WARP: https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-dep...

JVan
New Contributor II

Yes, and it's all configured correctly and installs fine for us. They just don't include a specific deployment method: "The Cloudflare WARP macOS client allows for an automated install via tools like Jamf, Intune, Kandji, or JumpCloud or any script or management tool that can place a com.cloudflare.warp.plist file in /Library/Managed Preferences on a supported macOS device. Additionally this plist can be wrapped in a .mobileconfig"

GadgetVirtuoso
New Contributor III

Looked it up and there is an option to disable auto launch.

<key>DisableAutoLaunch</key>
<true/>
<key>HideMenuBarIcon</key>
<true/>


You can set that for your initial deployment, then later change it when you expect the machine enrollment to be completed.

JVan
New Contributor II

This would be perfect. Was this in the Cloudflare documentation? I am assuming I would add this to the plist I already have?

sdagley
Esteemed Contributor III

@JVan See https://learn.jamf.com/en-US/bundle/technical-articles/page/Deploying_Custom_Computer_Configuration_... for an article that explains how to deploy a vendor provided .plist

GadgetVirtuoso
New Contributor III

Have you considered moving the installation to later? You could set up a smart group for machines that don't have Cloudflare WARP and are less than 12 hours (or whatever you like) since added to the system to be excluded from Cloudflare WARP deployment. That way, you're giving the machines time to complete their setup without requiring the users to do anything. After your deployment window, you can then install WARP normally, and it can auto-connect without interfering with the enrollment.

JVan
New Contributor II

This could work as well but I'm not sure how to accomplish this with a smart group. What criteria would I use?

GadgetVirtuoso
New Contributor III

Smart group

WARP not installed
AND

Criteria: Extension Attribute → OnboardingComplete
Operator: is
Value: Yes

Sample extension attribute: (not tested)

#!/bin/bash
# EA: OnboardingComplete
if [ -f "/Library/Management/.onboarding_complete" ]; then
  echo "<result>Yes</result>"
else
  echo "<result>No</result>"
fi

Then you can trigger the installation as you've been doing.

In my opinion, there’s no need to modify or create any extension attributes.

Here’s the approach I recommend:

1. Create a Smart Computer Group
Criteria: Cloudflare WARP client is NOT present on the device.

2. Set up a Policy to Install the Cloudflare WARP Client
Configuration:

• Trigger: Recurring Check-in (Runs based on the check-in frequency set in Jamf Pro — typically every 15 minutes by default)

• Execution Frequency: Once per computer

• Maintenance Payload: Enable Update Inventory (Forces the Mac to submit updated inventory data to Jamf Pro after installation)

Result:
The client will automatically be installed within ~15 minutes of any new Mac checking in.

Why this works:
Once the client is installed and inventory is updated, the device will automatically fall out of the smart group, preventing reinstallation.

easyedc
Valued Contributor II

After seeing all I wrote, I want to say buckle up. It might be a long ride. 

 

A few thoughts on this. First, you can control the flow of policies during your enrollment by giving them numerical titles (see my screenshot). Effectively, you'd make the installation be the highest number (ex. 999) so that it becomes the last policy run during your enrollment.

Also - 

I have a similar issue with Zscaler as our VPN client - as soon as it's installed it auto-launches and attempts a sign in.  My fix (which was suggested to me long ago and I found very useful) is to use step 000 (the first thing enrollment does) to create a .plist and write out an enrollment status with this configured setting. It creates a directory, defaults write a .plist, and then marks it as enrollmentBegun is true using the Files and Processes option:

Run Unix command '/bin/mkdir -p /private/var/EnterpriseManagement/; /usr/bin/defaults write "/private/var/EnterpriseManagement/com.apple.enterprisedeployment" enrollmentBegun -bool true; /usr/local/bin/jamf recon'

From here, I just read the values via an EA querying for Enrollment status:

sudo defaults read /private/var/EnterpriseManagement/com.apple.enterprisedeployment.plist
{
    enrollmentBegun = 1;
}

And the associated EA:

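#!/bin/sh
# EA: Enrollment Begun. Reports "true" once step 000 has written the key.
# 2>/dev/null keeps a missing plist or key from printing an error.
EnrollmentBegun=$(/usr/bin/defaults read "/private/var/EnterpriseManagement/com.apple.enterprisedeployment" enrollmentBegun 2>/dev/null)
# String comparison, so an empty value (key absent) does not break the test.
if [ "$EnrollmentBegun" = "1" ]; then
    echo "<result>true</result>"
fi
exit 0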

From there it's simply creating smart groups to read the values. Certain policies get applied to a variety of conditions, whether I want to include or exclude based on its enrollment status. The very last step in my enrollment workflow (step 999) is to add another key:

Run Unix command '/bin/mkdir -p /private/var/EnterpriseManagement/; /usr/bin/defaults write "/private/var/EnterpriseManagement/com.apple.enterprisedeployment" enrollmentComplete -bool true; /usr/local/bin/jamf policy -event dock; /usr/local/bin/jamf recon'

 so that I have 2 entries:

{
    enrollmentBegun = 1;
    enrollmentComplete = 1;
}

 and now 2 EAs - "Enrollment Begun" and "Enrollment Complete" and smart groups that read each setting. Certain necessary policies are applied to all computers, but exclude members of a smart group "enrollmentComplete = Not True" because the last policy hasn't run to give it a true value. I use these Smart Groups for a number of policies that I want to happen to all, but to not happen during my enrollment workflow. 

 

A little long winded, but hopefully it helps.
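
The two enrollment markers from the post above, folded into a single extension attribute; this is an added example, not part of the thread or any poster's code. The state names, the `Stalled` state with its `STALL_HOURS` threshold, and the `DEFAULTS` override are assumptions made here, so that a Mac whose enrollment never reaches step 999 shows up in inventory instead of staying excluded from the VPN client policy unnoticed.

```shell
#!/bin/bash
# Added example: one Jamf extension attribute for both enrollment markers.
# The plist domain and key names come from the post; STALL_HOURS, the state
# names and the DEFAULTS override are assumptions made for this example.
PLIST="${PLIST:-/private/var/EnterpriseManagement/com.apple.enterprisedeployment}"
DEFAULTS="${DEFAULTS:-/usr/bin/defaults}"
STALL_HOURS="${STALL_HOURS:-12}"

# Print 1 if the boolean key is true, else 0 (missing plist or key included).
read_flag() {
  local value
  value=$("$DEFAULTS" read "$PLIST" "$1" 2>/dev/null) || value=""
  if [ "$value" = "1" ]; then echo 1; else echo 0; fi
}

# Map the two flags plus the marker's age in hours to a single state.
classify() {
  local begun="$1" complete="$2" age_hours="$3"
  if [ "$complete" = "1" ]; then
    echo "Complete"
  elif [ "$begun" = "1" ] && [ "$age_hours" -ge "$STALL_HOURS" ]; then
    echo "Stalled"      # step 000 ran long ago, step 999 never did
  elif [ "$begun" = "1" ]; then
    echo "InProgress"
  else
    echo "NotStarted"
  fi
}

# Age of the marker plist in whole hours; 0 if it is missing or stat fails.
marker_age_hours() {
  local mtime now
  mtime=$(/usr/bin/stat -f %m "${PLIST}.plist" 2>/dev/null) || mtime=""
  case "$mtime" in ''|*[!0-9]*) echo 0; return ;; esac
  now=$(date +%s)
  echo $(( (now - mtime) / 3600 ))
}

enrollment_state() {
  classify "$(read_flag enrollmentBegun)" "$(read_flag enrollmentComplete)" \
           "$(marker_age_hours)"
}

echo "<result>$(enrollment_state)</result>"
```

A smart group on this attribute with the value `Stalled` lists the machines that began enrollment but never finished, which are the ones a "not complete" exclusion would otherwise leave without the client.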

JVan
New Contributor II

Thank you for this! I will have to review. For now I ended up finding a pretty simple solution to my problem by accident. Once Cloudflare installs and opens up the Safari window to sign in, I have a command to kill Safari right after the Cloudflare install is completed. This closes this sign-in window and minimizes the Cloudflare menu bar app shortly after the install.