Currently, app licenses get assigned when a user is scoped to a self service policy. I want to script an option that a user can “request” to have access to an application through self service and then automatically get added to a smart group that the application license and installation policy is scoped to. Has anyone done anything like this before? Thanks in advance!
Solved
Self Service app licenses
+4Best answer by talkingmoose
@talkingmoose thanks for the reply! I have an org of about 400 devices and lets say I have 50 licenses, when I scope all users to the self service policy doesn't that automatically eat up the 50 licenses? Rather with the method I mentioned, a license wont be used up only until a user uses that self service.
Ah, so these would be paid licenses. And since you say this is a Self Service policy, I’m assuming you mean you have a policy that pushes out some sort of license file you can track.
🤔 🤔
You can create a smart computer group to track the computers with the license file or any simple file you place on them. The question then would be “Can Jamf Pro determine how many computers are in a smart computer group and then trigger an event that disables deployment when you reach 50?” I don’t think that’s possible without using the Classic or Jamf Pro API.
The Jamf Pro API has a preview node called “smart-computer-groups-preview” that looks ideal. You’d use the endpoint “/v1/smart-computer-groups/{id}/recalculate” (replacing “{id}” with the smart group’s Jamf Pro ID found in its URL). The result is the count of computers in that group.
Next question would be “Can you automate getting that computer count with a script?” Definitely with a Jamf Pro API script.
Final question would be “Where does that script run?” Jamf’s stance is that no endpoint should ever be provided Jamf Pro credentials to run a Jamf Pro API script. It’s possible, but that would be a bad security practice.
If you’re up for an adventure, I’d highly recommend looking at the Jamf Automation and Webhook Assistant (JAWA). It requires you have some scripting knowledge and an external Linux server to host the software. It just so happens Chris Ball, who does most of the work on this project, presented on JAWA at JNUC 2022. And once JAWA is up and running, you’ll find it’s a great tool in your tool chest for doing a lot of really cool things.
Final workflow would look something like:
- When deploying the software, deploy a license file or text file.
- Create an extension attribute to report whether the license or text file is present.
- Create a smart computer group to find all computers with the license or text file.
- Use a Jamf Pro webhook to report to JAWA that the smart computer group has changed.
- That triggers a script on the JAWA server to use the Jamf Pro API to determine how many computers are in the smart computer group.
- If the number reaches 50 (or maybe 45?), the script can alert you in some way to buy more licenses and/or disable the policy.
If you’d need help putting the setup and workflow together, Jamf Professional Services or a Jamf consultant could help you.
+36Can you explain your goal for this method?
Automatically assigning an end user to a group to receive a licensed app would be the same as just scoping the end user directly to the policy or app.
Are you building in some sort of approval process? If so, automatically adding the end user to a group may not be what you want.
+4Can you explain your goal for this method?
Automatically assigning an end user to a group to receive a licensed app would be the same as just scoping the end user directly to the policy or app.
Are you building in some sort of approval process? If so, automatically adding the end user to a group may not be what you want.
@talkingmoose thanks for the reply! I have an org of about 400 devices and lets say I have 50 licenses, when I scope all users to the self service policy doesn't that automatically eat up the 50 licenses? Rather with the method I mentioned, a license wont be used up only until a user uses that self service.
I will assume that the app is not a free app, otherwise you'd just get more licenses for the app via Apps & Books.
I can't think of a way to manage this that doesn't have drawbacks. It should be a relatively simple matter to set up a web form that would collect the device serial number and add it to a list. A script could then add that device to a smart group via the Jamf Pro API, which would scope the app, but the problem would be how to handle the fifty first request. Do you boot the oldest serial in the list? Do you deny the request? Do you boot out any serial that has been in the group for a certain period of time?
+36@talkingmoose thanks for the reply! I have an org of about 400 devices and lets say I have 50 licenses, when I scope all users to the self service policy doesn't that automatically eat up the 50 licenses? Rather with the method I mentioned, a license wont be used up only until a user uses that self service.
Ah, so these would be paid licenses. And since you say this is a Self Service policy, I’m assuming you mean you have a policy that pushes out some sort of license file you can track.
🤔 🤔
You can create a smart computer group to track the computers with the license file or any simple file you place on them. The question then would be “Can Jamf Pro determine how many computers are in a smart computer group and then trigger an event that disables deployment when you reach 50?” I don’t think that’s possible without using the Classic or Jamf Pro API.
The Jamf Pro API has a preview node called “smart-computer-groups-preview” that looks ideal. You’d use the endpoint “/v1/smart-computer-groups/{id}/recalculate” (replacing “{id}” with the smart group’s Jamf Pro ID found in its URL). The result is the count of computers in that group.
Next question would be “Can you automate getting that computer count with a script?” Definitely with a Jamf Pro API script.
Final question would be “Where does that script run?” Jamf’s stance is that no endpoint should ever be provided Jamf Pro credentials to run a Jamf Pro API script. It’s possible, but that would be a bad security practice.
If you’re up for an adventure, I’d highly recommend looking at the Jamf Automation and Webhook Assistant (JAWA). It requires you have some scripting knowledge and an external Linux server to host the software. It just so happens Chris Ball, who does most of the work on this project, presented on JAWA at JNUC 2022. And once JAWA is up and running, you’ll find it’s a great tool in your tool chest for doing a lot of really cool things.
Final workflow would look something like:
- When deploying the software, deploy a license file or text file.
- Create an extension attribute to report whether the license or text file is present.
- Create a smart computer group to find all computers with the license or text file.
- Use a Jamf Pro webhook to report to JAWA that the smart computer group has changed.
- That triggers a script on the JAWA server to use the Jamf Pro API to determine how many computers are in the smart computer group.
- If the number reaches 50 (or maybe 45?), the script can alert you in some way to buy more licenses and/or disable the policy.
If you’d need help putting the setup and workflow together, Jamf Professional Services or a Jamf consultant could help you.
+26Just get enough licenses to cover your entire user base and scope the app to all devices with a selfservice trigger and be done with it. If you want to automate app approval, then just don't make a process for app approval and let everyone have it.
Scripts will only work on macOS, but it is possible to do this with API. However again, if you want a user to just be able to request an app without any form of approval just open it up and be done with it. Automate where it makes sense, making extra policies for the sake of extra policies does not make sense.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.