Is there a way to track active group changes? When a device moves from one smart group to another?

@timmeedski There is a "Send email notification on membership change" option on the 1st page of the Smart Group configuration screen which will produce the tracking you're asking for. It does require your JSS be configured with an SNMP server though.

Yes, I'd prefer not to get 300+ emails, plus its configured to send an email to a dist group, so it would spam the whole team. It would work but not really practical.

We also like to track or log historical data of machines. We would normally write a script to touch a hidden file to that machine and name it appropriately so that the file name describes what we're trying to track. The script would be delivered by a policy scoped to the smart group that contains the >0 machines or whatever smart group you designate.

We create a repository that holds all of these hidden files that we can search later if necessary. Extension Attributes can also be created that search for those hidden files, but we try to limit the use of EA's to reduce overhead.

#!/bin/bash
if [[ -e /Library/CompanyName/.Vulnerability15 ]]; then
echo "<result>V15</result>"
else
echo "<result>NotV15</result>"
fi

Over time, the machine will have a history of work in that file repository!

Hope this helps.

@timmeedski You can control what notifications a user receives so create a new JSS user who only receives email notification of Smart Group changes (you don't need to assign them any permissions) and set their email address to the one you want to be notified when a group changes and disable that for any other users receiving email notifications.

If that's not viable, and you're Jamf Cloud hosted, then you may want to look at the Premium Cloud option which allows sending all Jamf Pro logging data to Splunk (you'd want to verify Smart Group changes are in that data)

I had a little difficulty in understanding what you were saying at first, but now I get it.

So the steps I'm taking are:

Create a script that checks for my vuln file. If that file is greater than 0, it creates an output of "activevulns.txt", if the file is =0 bytes it will create a remediatedvulns.txt

Then deploy this script via a policy to a smart group of machines that have active vulns.

Then create an EA that looks at the file created by the script("activevulns.txt" or "remediatedvulns.txt"), and if the remediatedvulns.txt exists, then report back that it is remediated. Once the device is remediated, it will be removed from the smart group and stop the policy from running. If the initial vulns file exists but neither of the activevulns.txt or remediatedvulns.txt exist, report that it never existed.

Now that I have an EA that can tell me the status if it is active, remediated, or never needed.

THANK YOU!

Great! You can also create advanced searches or new smart groups based on the EA which really helps for reporting status up the flag pole or if you'd like to perform any further actions on those machines. EA's will show up under Show Advanced Criteria. 

I think the biggest issue is that the email tracking is not the way I wanted to go in this case. I do have an instance where we do use it for smart group tracking and AWOL computers, but in this I was hoping to get numbers to track remediated vulns without having to do it manually.