We have a handful of applications that are required to be on our laptops at all times. Currently, we have smart groups set with criteria for the app not being installed and a policy scoped to that group. The downside is it only updates when an automatic inventory update is done every day. Has anyone done something similar that runs more frequently?

Hello!


Currently, mandatory application compliance in Jamf Pro relies on daily inventory updates, causing delays. To run checks more frequently, you can reduce the Jamf Pro recurring check-in frequency (e.g., hourly), but this increases server load. A better approach is to scope a specific policy to the "Recurring Check-in" trigger, setting its execution frequency to "Every Check-in" and ensuring it includes an "Update Inventory" step; this policy would target devices missing the app. 


You can reduce the detection and remediation window to around 15–45 minutes.



  1. You would need to change your device check-in frequency from daily to every 15 minutes.

  2. Write an Extension Attribute for each Application you want to ensure is installed.

  3. Create a Smart Group checking for the Application being missing using the Extension Attribute.

  4. Create a Policy that runs on recurring check-in to Deploy the Policy containing the desired Application to devices missing the Application.


Alternatively you could configure this to deploy to all Devices Excluding devices with the Application if you prefer that approach. 


Jamf will only check installed software daily, but Extension Attributes are run on each check-in and are the way to go for core compliance tools like Security Applications. If absolute compliance is a must, remove users' admin access and they can't uninstall applications to begin with.


The most efficient way is to deploy a script to check if the app is installed, something like this:


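```bash
#!/bin/bash
# Name of the app bundle to look for in /Applications
appName="my.app"
# You can also put an array of more than 1 app
if [[ -d "/Applications/$appName" ]]
then
    echo "Directory exists. No need to install"
else
    echo "Installing $appName"
    # Full path: launchd jobs do not get /usr/local/bin on PATH
    /usr/local/bin/jamf policy -trigger triggerName
fi
```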

Then upload it to the client machines in a folder like /private/var/myscripts, create a LaunchDaemon and set the interval value to 300 so it runs every 5 minutes with no load on the server.
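The LaunchDaemon setup described in the post above, as an added example that is not part of the original thread: it renders a plist with a 300-second `StartInterval` and refuses to load it if the script or its folder is a symlink or writable by group or others, because the daemon runs the script as root. The label `com.example.appcheck`, the file name `appcheck.sh` and the function names are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread. Label, script file name and function
# names are assumptions. Run by hand as: sudo bash install-appcheck.sh install
LABEL="com.example.appcheck"                  # hypothetical label
SCRIPT="/private/var/myscripts/appcheck.sh"   # folder from the post, file name assumed
PLIST="/Library/LaunchDaemons/${LABEL}.plist"

# Print a LaunchDaemon plist: label $1, script $2, run every $3 seconds.
render_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>$1</string>
  <key>ProgramArguments</key>
  <array><string>/bin/bash</string><string>$2</string></array>
  <key>StartInterval</key><integer>$3</integer>
</dict>
</plist>
EOF
}

# Succeed only if $1 exists, is not a symlink, and has no group/other write bit.
# A root-run script that a standard user can modify is a privilege escalation path.
not_writable_by_others() {
  [ -e "$1" ] && [ ! -L "$1" ] || return 1
  [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

install_daemon() {
  dir="$(dirname "$SCRIPT")"
  chown root:wheel "$dir" "$SCRIPT" && chmod 755 "$dir" "$SCRIPT" || return 1
  for p in "$dir" "$SCRIPT"; do
    not_writable_by_others "$p" || { echo "refusing: $p is a symlink or writable by non-root" >&2; return 1; }
  done
  render_plist "$LABEL" "$SCRIPT" 300 > "$PLIST" || return 1
  chown root:wheel "$PLIST" && chmod 644 "$PLIST" || return 1
  launchctl bootstrap system "$PLIST"
}

# Only touch the system when explicitly asked to, and only as root.
if [ "${1:-}" = "install" ] && [ "$(id -u)" -eq 0 ]; then
  install_daemon
fi
```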



@AJPinto What is your source for Extension Attributes running on every checkin? Everything I've read, and seen in operation for my Jamf Pro instances, is that EAs only run during a recon.



Looks like I had assumed, it does not appear to run EAs on each checkin. Thanks for pointing that out, and now I feel like an idiot lol.

