Extension Attribute to check AD User Group Membership

I thought there was a default variable of "$3" that is passed on every script that sends the user who is logged in. I believe it is being generated by grepping for the console process and finding who owns that process. Thus:

ps -jax | grep [c]onsole | awk '{print $1}'

$3 only works for either login policies or Self Service though. If you have inventory and thus Extension Attributes running only at those points its fine to use that. But its much safer to get the logged in user using another method, such as:

/usr/bin/who | /usr/bin/awk '/console/{ print $1 }'

or

ls -l /dev/console | awk '{ print $3 }'

You can store that in the Extension Attribute script as a variable so it can use it when it runs.

Something else to consider here though. Are you only going to be using a single AD group for this kind of request or will there be different ones for different software? If its the latter, you might want to either:
a) set up your EA to grab all groups the user is part of. Something like:

dscl /Active Directory/DOMAIN/All Domains read /Users/$username dsAttrTypeNative:memberOf

Or b) use something like the "Scope to User Group" method in a policy. I'm assuming your users have AD based accounts they log into their Macs with or else none of the above will work very well. If that's the case, scoping to AD groups in the policy might be the way to go rather than an Extension Attribute.

Justin and mm2270, thanks for the feedback.

mm2270, I would be using different AD Groups for different policies/packages. I was hoping to script the EA in a way that if an end user is a member of the Group in question, that the echoed result could either serve as a manual policy trigger or that the result could simply match the scope of a smart group or policy.

I originally had authentication enabled for Self Service based policies so scoping to AD Groups worked fine, but my management is trying to get even more automated.

-Dan

@daniel.behan, I see what you're getting at. Truthfully, I've never used an EA to actually kick off another process or policy based on its results. What I mean is, I'm not sure if EA scripts are actually treated the same as a script run from a policy. Will the standard if/then, do jamf policy -trigger <manual_trigger> actually work? Just not sure, but its worth a try I guess. Keep in mind while recon is running, the jamf binary is already in use, so you'd be asking it to start another process instance to kick off a policy while its still running a recon. I don't know if that works.

If it doesn't work, then dropping those Macs into a Smart Group based on the results would be the thing to do. It won't be immediate, but if the policy that installs the software is set to the everyX minutes trigger, it should get installed at the next check in cycle.

All that said, I still think you should consider not just grepping for a single group if you plan on using multiple ones. Gathering all group info into the results should still allow you to set up the Smart Group to use the EA with a "Like" operand.

@mm2270,

I have the EA working if I'm checking for a specific AD Group. The command you provided does successfully list all group memberships, but I'm unsure how to list them all in an EA. You and @justinrummel have been a great help. If it will help anyone, the script for my EA is listed below. If anyone else knows how to simply use one EA to list all memberships, that would be great too.

-Dan

#!/bin/sh

userName=last -1 | awk '{print $1}'
ADGroup=dscl '/Active Directory/DOMAIN/All Domains' -read /Users/$userName | grep group
result='group'

if [ "$result" == "" ]; then
echo "<result>No (End user is not a member)</result>"
else
echo "<result>Yes (End user is a member)</result>"
fi

@mm2270, I'd much rather just one EA like you're suggesting, I'll play around with your script. What I've done so far works as a proof of concept for the project my team is involved in, but I prefer to do what you're doing.

BTW, I'm running Casper 8.62

@mm2270, That worked perfectly! Now I only have one EA and can scope smart groups to any AD Group I'm looking for. Thanks for your help.

-Dan

daniel.behan, we do something similar to what you are trying to do. We have security groups in AD for each piece of software that we want to deploy. We just map the group into JAMF using the AD connection that is built in. The shopping cart software we use automates a user being added to the AD groups and by doing that allows the software to be installed either via Self Service or a policy.

@jhbush1973 So your users go to a website to choose the software they want in a shopping cart interface? Awesome! Are you using a CMS for the shopping cart page like Wordpress or Joomla? Plugins?
I don't know anything about your environment, why use the website and not just purely Self Service?

@jhbush1973 that's what we're looking at doing. @ssrussell We're using Service Now as our Ticketing System that includes a Service Catalog for User Access Requests as well as Hardware/Software orders. We're reviewing an application called RunBook that can help place users in AD Groups/OUs if they order software through the Service Catalog and a Manager approves the request. The theory is that as long as they're in the Group, then SCCM can push the software to the Windows users and Casper will push to the Mac folks. My management wants to avoid Self Service because they only want the initial service request to be the end user interaction.

Thanks to everyone's help, I now have one EA that lists all group memberships of a currently logged in end user. Now I just have to make smart groups matching group memberships with computers that don't have the intended software.

Of course the real fun will be the laborious task of defining and updating the software inventory available in the service catalog.

@daniel.behan, please post back with results once you get this all up and running. I'll be curious to hear how it all goes. This type of request and software deployment model is something I think many Casper admins would be interested in hearing about. Self Service is great, but certain environments like yours also require official requests for software to be handled differently, not just dropped into Self Service.

Also curious to hear how this RunBook application works out for you. It sounds like something we might be able to use in the future.

@mm2270 I'll let you know how it goes. We just had a POC meeting on Friday which initially triggered this discussion. I used myself as a test subject and so far it worked. I think I'll also have a Smart Group for Help Desk staff so they can get Casper Remote on their Macs instead of the Static Group I have now.

@daniel.behan we use software called App Portal http://www.flexerasoftware.com/products/app-portal.htm @ssrussell we use the App Portal software to track purchasing and manager approval for software. It also handles adding the users to the AD security groups. That saves us time if the user has their machine re-imaged. They just go back to SS and reinstall their applications. We are also exploring more integration with out ticketing system Service Now http://www.servicenow.com

Hi all,

I'm currently looking at doing something similar to the script posted by mm2270. Being new to Macs I am clawing and scratching my way through most things. Our machines will not be bound to our domain and our users will all have local accounts that they log in with. The login accounts match the user's ID in our AD. My question is do Macs need to be bound to a domain for this script to work? Is it enough for the machines to just be connected to the corporate network? If this is the case is there another option for grabbing the memberOf attribute for users, so that I can scope Smart Groups to AD groups?

@daniel.behan @mm2270 Hope you are well. I am actually trying to implement exactly what you implemented. Software deployment by Ad group membership. I saw the script that said resolve. I am not sure how to use the script. If you could assist me with a step by step guide on what to do to deploy a script via AD security group as well as creating the smart group etc. V9.92

Thanks for reading