Cut 5083 admu exe upload to jc commands option#249
Cut 5083 admu exe upload to jc commands option#249shashisinghjc wants to merge 13 commits intomasterfrom
Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
jumpcloud-ADMU-Advanced-Deployment/InvokeFromJCAgent/3_ADMU_Invoke.ps1
Outdated
Show resolved
Hide resolved
jumpcloud-ADMU-Advanced-Deployment/InvokeFromJCAgent/3_ADMU_Invoke.ps1
Outdated
Show resolved
Hide resolved
… or API failures (not just rate limiting)
jumpcloud-ADMU-Advanced-Deployment/InvokeFromJCAgent/3_ADMU_Invoke.ps1
Outdated
Show resolved
Hide resolved
…t a version match
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 21ac223. Configure here.
jumpcloud-ADMU-Advanced-Deployment/InvokeFromJCAgent/3_ADMU_Invoke.ps1
Outdated
Show resolved
Hide resolved
| $localEXEs = $false # When true, require gui_jcadmu.exe in C:\Windows\Temp and uwp_jcadmu.exe in C:\Windows | ||
|
|
||
| # If localEXEs is enabled, ensure uwp_jcadmu.exe is copied from Temp to Windows if needed | ||
| if ($localEXEs) { |
There was a problem hiding this comment.
This works great, thanks for the changes here
kmaranionjc
left a comment
kmaranionjc
left a comment
There was a problem hiding this comment.
Functionality looks good to me. Was able to migrate 2 users. This exe scenario is more for Invoke and validating GUI exe in the temp folder. There should be no need for Start-Migration changes
| systemContextBinding = $systemContextBinding | ||
| LeaveDomainAfterMigration = $LeaveDomainAfterMigration | ||
| removeMDM = $removeMDM | ||
| localEXEs = $localEXEs |
There was a problem hiding this comment.
I don't think we need to change or add local exe validation in Start-Migration
There was a problem hiding this comment.
The Start-Migration updates ensure that users running the script directly receive the same reliability, validation, and fallback logic as the GUI/Invoke flow. While the specific deployment (GUI with pre-uploaded EXEs) is less impacted, these changes maintain consistency and robustness across all methods.
Let me know if it helps, else we can remove this. Shouldn't be a big trouble.
| HelpMessage = "When set to true, the ADMU will remove any existing MDM enrollment from the system. This parameter requires the `leaveDomain` parameter to also be set to true. This parameter will remove MDM enrollment profiles if they have non-null ProviderIDs, and UPNs associated with them. This parameter will not remove JumpCloud MDM enrollments.")] | ||
| [bool] | ||
| $removeMDM = $false, | ||
| [Parameter( |
There was a problem hiding this comment.
Same here, I don't think we need to change or add local exe validation in Start-Migration.
There was a problem hiding this comment.
The Start-Migration updates ensure that users running the script directly receive the same reliability, validation, and fallback logic as the GUI/Invoke flow. While the specific deployment (GUI with pre-uploaded EXEs) is less impacted, these changes maintain consistency and robustness across all methods.
Let me know if it helps, else we can remove this. Shouldn't be a big trouble.
There was a problem hiding this comment.
I disagree, we need to inform the Start-Migration function that we will be supplying the local version of the uwp_jcadmu.exe file in order to drive the behavior in the card acceptance criteria.
| $isForm = $PSCmdlet.ParameterSetName -eq "form" | ||
| $trackAccountMerge = $false | ||
|
|
||
| function Get-UwpJcadmuReleaseInfo { |
There was a problem hiding this comment.
Same here, I don't think we need to change or add local exe validation in Start-Migration.
There was a problem hiding this comment.
The Start-Migration updates ensure that users running the script directly receive the same reliability, validation, and fallback logic as the GUI/Invoke flow. While the specific deployment (GUI with pre-uploaded EXEs) is less impacted, these changes maintain consistency and robustness across all methods.
Let me know if it helps, else we can remove this. Shouldn't be a big trouble.
There was a problem hiding this comment.
A few thoughts here to start.
It's not super well documented but in order to add a new parameter to the EXE, we need to update the Deploy/Functions/New-ADMUTemplate.ps1 file to include the localEXEs parameter. I rebuilt the exe with that change and was able to test the exe as if it were called via the invoke script. This would need to be changed in order to make the changes in the jumpcloud-ADMU-Advanced-Deployment/InvokeFromJCAgent/3_ADMU_Invoke.ps1 prevent replacement of the uwp exe.
You did hit the nail on the head though, there's no need to validate the gui exe once we are running start-migration because the exe invoking the script is the gui_jcadmu.exe.
There are three new functions added to Start-Migration.ps1. These should be private functions, each with basic tests we can call to validate the behavior.
You are right in adding this new parameter to start migration though, when we set the parameter in the invoke script & supply the gui/uwp exes, when we call the gui exe, we need to tell the tool that there's no need to download a new version of the uwp. I'm not seeing that totally work just yet but perhaps I'm missing something in the way you've tested this.
Running through the AC:
I believe you've ticked off the requirements for the invoke script. We just need to figure out how to get the last part of the Start-Migration script and functions working correctly.
For the Start-Migration behavior
When you run
. "C:\Users\jworkman\Desktop\gui_jcadmu.exe" -SelectedUserName "S-1-12-1-1616384916-1297768490-51239584-3993624739" -JumpCloudUserName "george.costanza" -TempPassword "TempPass!123!123" -adminDebug:$true -autoBindJCUser:$false -localExes:$trueThe migration should continue and not download the latest uwp, it should instead log if the UWP is present, the version and not throw if it's missing. Right now I'm getting that error with Get-FileHash and I'm not seeing the private functions continue.
When you run
. "C:\Users\jworkman\Desktop\gui_jcadmu.exe" -SelectedUserName "S-1-12-1-1616384916-1297768490-51239584-3993624739" -JumpCloudUserName "george.costanza" -TempPassword "TempPass!123!123" -adminDebug:$true -autoBindJCUser:$false -localExes:$falseThe migration should continue and download the latest uwp (default behavior). This appears to be working.
In Summary, we need to:
- Update the
New-ADMUTemplate.ps1file to actually allow for the exe to make use of your new localExes param - The functions added to
Start-Migration, I'd like to see these moved to the private functions locations and get tests generated for those files. - I'm not sure
Test-UwpJcadmuExefunction is working as intended. When I test,Get-FileHashis throwing an error.
|
|
||
| if ($localEXEs) { | ||
| if (-not (Test-Path -Path $destinationPath -PathType Leaf)) { | ||
| throw "localEXEs is enabled, but required file 'uwp_jcadmu.exe' was not found at '$destinationPath'." |
There was a problem hiding this comment.
Right now the failure to download the UWP is not a breaking error. I'm hesitant to make it one here which would be a change from how we perform migrations currently.
The ADMU will write the items to the storage device, specifically the user's directory who's being migrated, the UWP can always be run again post-migraiton so I don't want this to throw or otherwise halt a migration that's been successful up to this point.
| } | ||
| } | ||
|
|
||
| throw "Failed to validate UWP executable: $errorMessage" |
There was a problem hiding this comment.
Potentially an issue here if we throw, this could be a terminating error and we don't want migration to halt in that case.
| HelpMessage = "When set to true, the ADMU will remove any existing MDM enrollment from the system. This parameter requires the `leaveDomain` parameter to also be set to true. This parameter will remove MDM enrollment profiles if they have non-null ProviderIDs, and UPNs associated with them. This parameter will not remove JumpCloud MDM enrollments.")] | ||
| [bool] | ||
| $removeMDM = $false, | ||
| [Parameter( |
There was a problem hiding this comment.
I disagree, we need to inform the Start-Migration function that we will be supplying the local version of the uwp_jcadmu.exe file in order to drive the behavior in the card acceptance criteria.
|
|
||
| $localFile = Get-Item -Path $FilePath -ErrorAction Stop | ||
| $localVersion = $localFile.VersionInfo.FileVersion | ||
| $localFileHash = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash.ToLower() |
There was a problem hiding this comment.
Getting some error here:
Although I am able to run this outside the ADMU which is odd.
3 participants
Issues
What does this solve?
This change introduces support for using locally available executables to mitigate failures caused by GitHub API rate limiting during JC Command execution.
Adds validation logic to check for gui_jcadmu.exe in C:\Windows\Temp (and uwp_jcadmu in C:\Windows) when localEXEs=true
Verifies SHA and ensures the binary is the latest version before use
Skips GitHub download if local validation succeeds
Falls back to GitHub download (with retry + backoff) if local files are missing
Handles API rate limit scenarios gracefully by issuing a warning and using local copies when validation is not possible
Ensures strict failure (exit 1) when required conditions are not met
Is there anything particularly tricky?
NA
How should this be tested?
Screenshots
Note
Medium Risk
Touches migration execution paths and executable download/validation logic (GUI + UWP), which can block or skip parts of migration if misconfigured. Changes are gated behind
localEXEsbut still alter retry/validation behavior and error handling.Overview
Adds an opt-in
localEXEsmode for remote/command-driven ADMU runs to prefer locally providedgui_jcadmu.exe/uwp_jcadmu.exe, validating SHA256 (and version metadata when available) against the latest GitHub release and gracefully handling GitHub API rate limits.Updates the JC Agent invoke script to pre-check required local binaries (and copy
uwp_jcadmu.exeintoC:\Windowswhen present), passlocalEXEsthrough to migrations, and refactors GUI exe retrieval to return a resolved path (download or validated local). InStart-Migration, UWP app restoration now uses a helper that either enforces/validates a localuwp_jcadmu.exeor downloads via thereleases/latest/downloadURL with retry/backoff, skipping UWP restore with a warning if it cannot be prepared.Bumps module version to
2.12.3and updates documentation/help text (docs + help XML) to include the new parameter and minor formatting fixes; UI window titles are updated to the new version, and a placeholder acceptance test file is added.Reviewed by Cursor Bugbot for commit b95883c. Bugbot is set up for automated code reviews on this repo. Configure here.