Add a System to a Smartgroup Using Self Service

vuho
New Contributor II

Hello,

I'm looking for a way to add a mark or label to a system so that it can be eligible for a smart group to pick up. When the system is part of that smart group, a configuration profile is then pushed down.

Ideally, I would need to do this in Self Service without changing the computer name.

Any help is appreciated.

8 REPLIES 8

mm2270
Legendary Contributor III

The most common way this is handled is with a combination of an Extension Attribute and policy that would be run from Self Service (and the Smart Group of course)
The Self Service policy once run, can execute a script that would do one of the following things - a) drop some file into a location with a specific name, or b) add an entry to or create a plist file in some location on the machine. There are some additional ways to handle this too of course. But in the end, you either have a file with a name in a specific spot, or a plist that has some entry in it. The Extension Attribute script would look for this file or plist and if found, report on its contents or maybe just the existence of it. A simple Yes/No or True/False type response gets returned.
From there, you would have a Smart Computer Group set up that uses that Extension Attribute as its main criteria and some value, like the Yes or No previously mentioned.

So what you have is, script gets run from the Self Service policy. The script creates some entry that can then be picked up by the Extension Attribute. The policy will collect inventory when completed, which in turns lands the machine into or out of the said Smart Group.

Does that make sense?

junjishimazaki
Valued Contributor

Can you please expand what you mean by adding a "label or mark" to a system? What exactly are you trying to accomplish?

vuho
New Contributor II

@mm2270 That makes total sense. Thank you!

@junjishimazaki When setting up a specific system for the first time, we need to push down a certificate using a configuration profile. Only select users would be able to run the policy in Self Service to be eligible for the certificate.

junjishimazaki
Valued Contributor

When you set up those computers for them, is there any specific that's different from the standard deployment? Special application, do you assign that computer to a different building/department? Anything unique?

sdagley
Esteemed Contributor II

@vuho Here's a pair of scripts that should help. The first is used to create a "flag file" on a system, and the 2nd is the EA template for checking to see if that file is present on a system (you can't pass parameters to an EA like a script, so you have to hard code the path and flag file name.

#!/bin/sh

# Utility - Create Flag File.sh
#
# This script is intended to be used as a script in a Jamf Pro Policy. It will create a
# flag file on a Mac that can be read by an Extended Attribute script which in turn can
# be used as a Smart Group Criteria. This was created to allow Self Service initiated
# scoping of Configuration Profile deployments.
#
# $4 - Path of directory to save Flag File in (will be created if needed)
# $5 - Name of Flag File to create

FlagFilePath="$4"
FlagFileName="$5"

if [ -z "${FlagFilePath}" ] || [ -z "${FlagFileName}" ]; then
    echo "Both the path to the flag file and the flag file name must be provided"
    exit 1
fi

if [ ! -d "${FlagFilePath}" ]; then
    /bin/mkdir "${FlagFilePath}"
fi

/usr/bin/touch "${FlagFilePath}${FlagFileName}"

/usr/local/bin/jamf recon

exit 0
#!/bin/sh

# EA - Template Check For Flag File.sh
#
# One strategy for enabling a Jamf Pro Policy or Configuration Profile is using a Smart Group
# to identify Macs that the Policy or Profile should be deployed to. Some criteria is
# needed to identify a Mac as a member of the target Smart Group. This EA template is a
# mechanism for doing that. If a file exists with the specified name at the specified path
# it will return True, otherwise it returns False. 

FlagFilePath="/Library/SomeOrg/"
FlagFileName="flagfile"
result="False"

if [ -e "${FlagFilePath}${FlagFileName}" ]; then
    result="True"
fi

echo "<result>$result</result>"

juliej
New Contributor II

@sdagley nice! 

A Jamf Integrator showed me a simlar, but simplified script + EA.

Found this very helpful for applying Config Profiles post enrollement i.e. Wifi Connection and User Certificate from SCEP.

 

#!/bin/bash

touch /var/db/.buildComplete

vuho
New Contributor II

@junjishimazaki Unfortunately, we are not that organize yet and still use a standard base set of applications throughout.

@sdagley I just ran everything and it works perfectly. Thank you so much!

sdagley
Esteemed Contributor II

@vuho Glad to hear it. Those were written to replace my original method of scoping computers for policies and profiles via Self Service by using the Jamf API to add/remove them to/from static groups (API access to our Jamf Pro instance is now blocked except for devices on the corporate network).