Run any Jamf Pro policy at the next user login or computer reboot
Recently, we had a need to run a particular Jamf Pro policy only the next time the computer rebooted.
Having previously created Recon at Reboot, I started on a modification for this one-off need. About a third of the way into the modifications, a Heaven-inspired question came to mind:
Why don’t you write a script to execute any Jamf Pro policy at the next reboot?
@dan-snelson Any particular reason you're triggering the policy via LaunchAgent/Self Service at login versus via LaunchDaemon/jamf binary on restart? The former is problematic if user login is required for Self Service, and the latter should work for both cases.
@dan-snelson Any particular reason you're triggering the policy via LaunchAgent/Self Service at login versus via LaunchDaemon/jamf binary on restart? The former is problematic if user login is required for Self Service, and the latter should work for both cases.
Happy Thursday, @sdagley!
I started out with the just the "reboot / LaunchDaemon / jamf binary" flavor, but in my testing, a "LaunchAgent / jamf binary" option failed (since the jamf binary requires elevated privileges).
Pull Request are always welcome.
Happy Thursday, @sdagley!
I started out with the just the "reboot / LaunchDaemon / jamf binary" flavor, but in my testing, a "LaunchAgent / jamf binary" option failed (since the jamf binary requires elevated privileges).
Pull Request are always welcome.
I know you can't call the jamf binary via a LaunchAgent, but my question was really why have the LaunchAgent/Self Service option at all? That's something colored by my environment. FileVault is required, and there is only one user per Mac, so a LaunchDaemon won't actually be triggered until a user logs in.
If you're not using FileVault, and do want to delay triggering something until the user sees a desktop, I could see the LaunchAgent working there if login isn't required, but my approach here is to use a LaunchDaemon to trigger a script that waits for the Finder process to start before performing the desired task.
I know you can't call the jamf binary via a LaunchAgent, but my question was really why have the LaunchAgent/Self Service option at all? That's something colored by my environment. FileVault is required, and there is only one user per Mac, so a LaunchDaemon won't actually be triggered until a user logs in.
If you're not using FileVault, and do want to delay triggering something until the user sees a desktop, I could see the LaunchAgent working there if login isn't required, but my approach here is to use a LaunchDaemon to trigger a script that waits for the Finder process to start before performing the desired task.
I suppose the use-case highlighted in the screencast is one possible example.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.