A Policy to Install software but don't install if the software is already there...?

monaronyc
Contributor

Make any sense? I made the mistake of pushing software to our Mac workstations via ARD because we were in a pinch. It was a .pkg with a small Launch Daemon script right after the push to activate the software. Now that it's already been pushed out, it appears a gang of machines got missed for whatever reason. Not online at time of vlan scan. Laptops. Yada yada...

So is there a way I can add this package to Casper, with script, to push out to folks who first log in, or whatever option, that did not receive the install? This way I know everyone has it?

14 REPLIES

amit_vasani
New Contributor II

@monaronyc Take a look at Smart Groups. I think that is what you are looking for. Have a policy to install any package you want but scope it out to a smart group. Smart group criteria would be something like "Application Title does not have [SoftwareTitle]"

monaronyc
Contributor

@avasani Okay great! This is a start! One thing though... this .pkg isn't really software. It's more of a service for security management and identity. Tanium. Maybe you've heard of it. I had to create a custom .pkg via Composer for this. All it really installs is a small Tanium folder in the root of the main Library folder. I'm not seeing anything in the main Criteria tab for something like this? What or how would you set/use this?

mm2270
Legendary Contributor III

You can use the Package Receipt as the basis for the Smart Group. You'll need to figure out what actual package receipt is added to the Mac though. If you built it in Composer, you can find this pretty easily by opening Composer, clicking on the source item and then turning down the arrow to reveal additional items. Then turn down the arrow for the Settings folder inside that and click on Info.plist. The "Bundle Identifier" string should be the same as the package receipt. It's what you'd look for using the Packages Installed By Casper criteria item.

amit_vasani
New Contributor II

@mm2270 is absolutely right. That would be the best way in my opinion as well. Make sure you take a look at your JSS Settings > Computer Management > Computer Inventory Collection and make sure "Collect package receipts" is enabled.

monaronyc
Contributor

@mm2270 @avasani This is great! And nice tip because "Collect package receipts" was UNCHECKED! Maybe that's why it was stuck at 0. Let's see what this returns.

monaronyc
Contributor

Guys, NO GOOD! I let this thing run all night. Still says zero count. And I know they're on the machines because for one, I installed it, and for 2 when I remote controlled a machine I know to have it, it's definitely there. I did find the location of where these Composer package receipts get installed:

/private/var/db/receipts

Think this buried path might have something to do with it?

JAMF_Kev
New Contributor

@monaronyc I came across this which may help - An extension attribute that searches for a file. Then create a smart group with your new extension attribute as the criteria as 'true or false'

https://www.jamf.com/jamf-nation/discussions/17127/smart-group-based-on-existence-of-a-file

mm2270
Legendary Contributor III

@monaronyc - Jamf Pro/Casper installed package receipts go into /Library/Application Support/JAMF/Receipts/. You should see the receipt in there.

As far as the count saying zero, have you confirmed that new inventory has been submitted from these Macs that it's installed on? You can force new inventory if needed to make sure the record is updated. Just because you flipped on the switch to collect package receipts doesn't mean the computer records in the JSS have already updated. Once they submit another inventory collection, it should show up. But you should also go into your Smart Group, click on the Packages Installed By Casper criteria and click the small ellipses button (…) and choose the package name from the list that appears, to be sure it's matching up correctly. You may have to delete and re-add the criteria to do the above, not sure.

monaronyc
Contributor

Thanks guys! We're getting closer! @mm2270 So I checked the path you referenced and there's nothing in this JAMF folder. I also checked to see when in Casper the machines' last update was and it was this morning. So not sure why it still didn't pick anything up.

@JAMF_Kev So I have the script created. Tried it against my machine and it looks promising. How do I now add this to Casper? To a Smart Group? I don't see an option for scripts?

mm2270
Legendary Contributor III

@monaronyc I'm not sure what the issue is, but it sounds like something isn't configured correctly on your Jamf Pro server. By "last update" do you mean the last inventory update? Not the last check-in, right? Because those aren't the same thing. Inventory only gets collected when it updates, not when it checks in.

While you can certainly use a script for this as outlined above, you're kind of recreating the wheel, since Jamf Pro already should capture when packages are installed as discussed above. I can't explain why the receipt isn't there, but that does explain why inventory isn't picking that up. And you say you created the package being installed in Composer, right? And it's being installed on those Macs by a Jamf Pro policy?

stevewood
Honored Contributor II

@monaronyc how did you originally install this PKG? Was it done via a Policy or did you use ARD to push it out to all machines or sneaker net to walk around and install by hand? If you did not install via Policy, the Packages Installed By Casper will not have the receipt, nor will that receipt show up in the folder that @mm2270 pointed you to.

Make sure that you are looking for the package name you used when you created the .pkg file from Composer and not the name of the software. So if you saved the package as "My Cool AV PlugIn.pkg" that is the name you would look for in Casper and NOT the name of the software.

You may also be able to use the Smart Group criteria "Packages Installed By Installer.app/SWU". That should pick up anything that was installed via ARD or by hand.

monaronyc
Contributor

@mm2270 Yes, sorry, I meant Update. Not Check In. Still trying to fully grasp all of this. I created the .pkg using Composer. But as I mentioned in my original post, we were short on time, and didn't know how to fully leverage Casper with all of this, because each site gets their own custom .pkg (custom meaning each .pkg has a .txt file with site tags added to it and Composer makes it so easy to create) so I pushed the Composer created .pkg using Apple's Remote Desktop application.

@stevewood Yes, via ARD. Too lazy to do by sneaker hand! ; ) I'll try that "Packages Installed By Installer.app/SWU" option. Overlooked that one somehow.

mm2270
Legendary Contributor III

OK, then as @stevewood mentioned, you'll need to use the other package receipt criteria. I was under the impression the pkg was installed via Casper, so that explains why it's not showing up when using that criteria option. Casper retains its own installs in that /Library/Application Support/ location and ARD/Apple Installer maintains its own database for receipts.

That should get you the results you're looking for. Hopefully that does it for you.

normanchan
New Contributor II

You can create an extension attribute with a script that checks if the specific LaunchDaemon script is found on that machine.

For example, something like in your Extension Attribute section:

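#!/bin/sh
# Example path; point this at the file your package installs
file="/Library/LaunchDaemon/script.sh"

# -e tests that the path exists (-z only tests for an empty string)
if [ ! -e "$file" ]; then
    result="Not Installed"
    echo "The launchdaemon script is missing"
else
    result="Installed Already"
    echo "The launchdaemon script is found"
fi

# Jamf reads the extension attribute value from the <result> tags
echo "<result>$result</result>"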

Then you can create a "Not Installed" smart group based on this extension attribute -- create a policy scoped to only the "Not Installed" smart group.
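
The two receipt locations discussed in this thread, checked together in one extension attribute. This is an added example, not code from any poster. The bundle identifier and package name are placeholders, and the Jamf receipt is assumed to be a file named after the package file.

```shell
#!/bin/sh
# Extension attribute: report which receipt store knows about a package.
# PKG_ID and PKG_NAME are placeholders (assumptions); substitute the
# Bundle Identifier and the file name of your own Composer package.
PKG_ID="${PKG_ID:-com.example.sitepkg}"
PKG_NAME="${PKG_NAME:-Example Site Package.pkg}"
APPLE_DB="${APPLE_DB:-/private/var/db/receipts}"
JAMF_DB="${JAMF_DB:-/Library/Application Support/JAMF/Receipts}"

# receipt_source ID NAME APPLE_DIR JAMF_DIR
# Prints: "Both receipts", "Apple receipt only", "Jamf receipt only"
# or "Not Installed".
receipt_source() {
    id=$1; name=$2; apple_dir=$3; jamf_dir=$4
    in_apple=no; in_jamf=no
    # Installer.app/ARD installs record <bundle id>.plist in Apple's database
    [ -f "$apple_dir/$id.plist" ] && in_apple=yes
    # Policy installs leave a receipt in the JAMF folder
    # (assumed here to be named after the package file)
    [ -e "$jamf_dir/$name" ] && in_jamf=yes
    case "$in_apple$in_jamf" in
        yesyes) echo "Both receipts" ;;
        yesno)  echo "Apple receipt only" ;;
        noyes)  echo "Jamf receipt only" ;;
        *)      echo "Not Installed" ;;
    esac
}

# Jamf reads the attribute value from the <result> tags
echo "<result>$(receipt_source "$PKG_ID" "$PKG_NAME" "$APPLE_DB" "$JAMF_DB")</result>"
```

Scoping the install policy to a smart group where this attribute is "Not Installed" covers machines that were missed, whichever way the others were installed.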