Question

Flaky policy behavior - JSS 9.32

Forum|Forum|11 years ago
August 27, 2014
6 replies
63 views

kjicha
New Contributor

We've been experiencing an issue where some policies fail to execute on about half of the client machines within the scope. The JSS interface shows that the policy is "pending", but it never runs. We've noticed this "flaky" behavior with several policies, each with different triggers. The most consistently problematic policies are those which trigger at login. Testing has revealed that logging in to one of these clients does not execute the policy, and running a "sudo jamf policy -event login" returns: "No policies were found for the "login" trigger."

The most baffling thing is that some of the machines in the scope will execute the policy without issue, while others do not. All of the machines in the group have had the same imaging workflow run on them, show as managed in the JSS, and have been pulling down other polices without issue. So I'm not sure what could be causing the problem. Since the policy never executes, the policy logs are unhelpful.

During my testing, I cloned a policy (leaving all the settings the same as the original), and logged in on one of the problem machines. Lo and behold, the new, cloned policy ran without issue on the problem machine. However, other clients within the group still fail to run the policy, and still only show as "pending" in the logs. There doesn't seem to be any rhyme or reason to which clients fail to execute the policies. All in all, some clients just never seem to execute some of the policies that are scoped to them, but they will execute others. We've been able to replicate this behavior with several different policies and clients.

Any thoughts or ideas? I've made sure that I have login/logout hooks enabled, and I've tried unchecking "Perform login hook actions in background". See screen shot of our settings. external image link

We're running 9.32 for our JSS with a SMB file share as our distribution point (no http).

+15

thoule
Contributor
Forum|Forum|11 years ago
August 27, 2014

So for the "-event login" thing to work, you need a Custom trigger called 'login' for it to work. Instead make a custom trigger called something a little more specific to the policy title and invoke it with the -event. Right now, it's looking at the 'Custom' trigger for one called 'login' and not finding one, which is of course accurate.

However, to get to the point of your question, can you try watching the jamf log? I would either look at /var/log/jamf.log on the client after a login, or ssh into the machine, "tail -F /var/log/jamf.log" and watch that while logging into the machine. Hopefully somewhere shows up that it's at least looking.

Also, do you have the one-time-only on the policy set? I've often had polices not run because of that. I needed to flush the 'failed' policy to make it try again (I think there's a feature request in for that annoyance).

kjicha
Author
New Contributor
Forum|Forum|11 years ago
August 27, 2014

Todd,

I thought that “login” was the trigger, I’ll try creating a custom trigger if none of this information proves useful.

I double-checked all of the problematic policies several times prior to submitting this post to make sure that it wasn't just a case of having to flush the logs. This one in particular is set to run once per user, and I made sure I was logging in to a client I had not logged into yet. Below is a snapshot of the policy settings. There are no server or client-side limitations specified below the fold.

external image link

Here is the output from the jamf.log, after logging in, waiting, then logging out (a few times).

Wed Aug 27 13:53:02 ncat003-02 jamf[1558]: Checking for policies triggered by "recurring check-in"...
Wed Aug 27 14:10:12 ncat003-02 jamf[2407]: Checking for policies triggered by "recurring check-in"...
Wed Aug 27 14:22:16 ncat003-02 jamf[3236]: Checking for policies triggered by "recurring check-in"...
Wed Aug 27 14:35:14 ncat003-02 jamf[4071]: Checking for policies triggered by "recurring check-in"...
Wed Aug 27 14:52:22 ncat003-02 jamf[4903]: Checking for policies triggered by "recurring check-in"...
Wed Aug 27 15:08:27 ncat003-02 jamf[5731]: Checking for policies triggered by "recurring check-in"...
Wed Aug 27 15:20:31 ncat003-02 jamf[6561]: Checking for policies triggered by "recurring check-in"...
Wed Aug 27 15:35:53 ncat003-02 jamf[7387]: Checking for policies triggered by "recurring check-in"...
Wed Aug 27 15:51:02 ncat003-02 jamf[8217]: Checking for policies triggered by "recurring check-in"...
Wed Aug 27 16:07:18 ncat003-02 jamf[9047]: Checking for policies triggered by "recurring check-in"...
Wed Aug 27 16:13:25 ncat003-02 jamf[9653]: Checking for policies triggered by "login" for user "kjicha"...
Wed Aug 27 16:20:21 ncat003-02 jamf[10235]: Checking for policies triggered by "logout" for user "kjicha"...
Wed Aug 27 16:20:46 ncat003-02 jamf[10413]: Checking for policies triggered by "login" for user "kjicha"...
Wed Aug 27 16:22:35 ncat003-02 jamf[10675]: Checking for policies triggered by "logout" for user "kjicha"...
Wed Aug 27 16:22:45 ncat003-02 jamf[10837]: Checking for policies triggered by "login" for user "slu"...
Wed Aug 27 16:23:21 ncat003-02 jamf[11035]: Checking for policies triggered by "logout" for user "slu"...

There are several policies that should be executing here, but the one in particular was “Set NCAT Dock copy”.

Thanks for the help.

+10

calumhunter
New Contributor
Forum|Forum|11 years ago
August 27, 2014

also note that it is literally once per user. not once per user per computer.
So if you login with that one user on any machine thats your one time. login with that user on another machine, policy wont run as that "user" has already run that policy.

+15

thoule
Contributor
Forum|Forum|11 years ago
August 28, 2014

So if you login with that one user on any machine thats your one time. login with that user on another machine, policy wont run as that "user" has already run that policy

Seriously!?!?! Wow. That's a killer. Another reason to just use a LaunchAgent. @kjicha is this something you can use a LaunchAgent for? I usually make a launch agent that touches a file in the user's library to say it's been done. If not file exists, do the task, then create the done touch file- that makes it a once- only agent.

As for your log, it says its looking for login policies for you and not finding anything. That suggests it's run for you already and needs to be flushed. Perhaps as @calumhunter said, you've run it on a different machine already.