Asset recovery

jwojda
Valued Contributor II

I'm being tasked with some asset recovery for PCI compliance. I have a LDAP (SQL) database that I need to locate term'd employees every day, then take that data, locate the ones that have Macs, and then issue a machine lock to ensure the machines get turned in instead of handed to someone else.

I need to automate this.


mm2270
Legendary Contributor III

Without knowing anything about the database you referenced, assuming it's easy to get info out of, I'd say this should be possible to automate using the JSS API. However, one question that comes to mind is, do all your Macs have the primary user assigned to them so it's easy to cross-reference between your db and the API? That piece would be critical to making this work, unless you have some other way of identifying Macs that may have been used by the term'd users.

Also, I'd be really cautious with this, and do a lot of testing to be sure it's really working solidly, since you're talking about sending an MDM lock command to these Macs. Last thing you'd want is for this to screw up and lock an actively used system by someone still in the company. That would be bad.

Are there any details you can post about the LDAP database you have or have access to?

jwojda
Valued Contributor II

That was the route I was imagining in my head.

I know it's a SQL db, I can open it up in a SQL GUI (Sequel Pro.app) and see the raw data.

The primary user thing is something we discussed but probably, at best, it's about 60-70% accurate (our local admin somehow is tied to a user for instance). We thought maybe we'd try to find a way to get a list of the machine names with the user IDs (currently not in the db) and then use those with the JSS.

There has to be other companies that have something setup, I doubt we are the only company wanting to do this.

Another option we were exploring on the PC side was to make an AD group and dump the machines into that. But I'm not sure the Macs would necessarily know what to do with AD group data. We only really use AD for user authentication/password requirements.

mm2270
Legendary Contributor III

OK, so it's a SQL db. How were you planning on extracting the information out of that to use it? If you can have someone, or something, pull out the user names into a file on a scheduled basis, you could use that as the input to a script of accounts to look up via the API, and then take action on them.

As for automating this daily, what was the thought on that? Do you have a Mac that can act as the central system that runs the script once a day to locate machines to send the lock command to? Like a Mac server that can do duty for this purpose? It's not really something you could automate off your JSS of course.
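The cross-reference step described in this reply, as an added example (not code from the thread or from Jamf): a daily file of terminated usernames is matched against Jamf computer records, and only exact username matches survive, so a substring hit on a current employee's Mac never reaches the lock list. It assumes the Classic API `computers/match` endpoint in its JSON form with Basic auth (`JSS_URL` and the field names are assumptions), and the actual lock command is deliberately left to a separate, reviewed step.

```python
import json
import urllib.request
from base64 import b64encode

JSS_URL = "https://jss.example.com"  # assumption: your Jamf Pro URL


def fetch_computers(term: str, auth: tuple[str, str]) -> list[dict]:
    """Classic API: GET /JSSResource/computers/match/<term> with JSON Accept.
    Assumes each returned record carries the inventory 'username' field."""
    token = b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req = urllib.request.Request(
        f"{JSS_URL}/JSSResource/computers/match/{term}",
        headers={"Accept": "application/json",
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["computers"]


def read_terminated_list(text: str) -> set[str]:
    """One username per line; blank lines and '#' comments are ignored."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def select_lock_candidates(terminated: set[str], computers: list[dict],
                           exclusions: set[str] = frozenset()) -> list[dict]:
    """Keep only computers whose inventory username is an exact,
    case-insensitive match for a terminated account.  The match endpoint
    is a substring search, so a lookup for 'jdoe' also returns 'jdoe2';
    this filter is what keeps a current employee's Mac off the lock list.
    Shared or admin accounts (the 60-70% accuracy problem) go in exclusions."""
    wanted = {u.lower() for u in terminated} - {e.lower() for e in exclusions}
    hits = []
    for c in computers:
        user = (c.get("username") or "").strip().lower()
        if user in wanted:
            hits.append({"id": c["id"], "name": c["name"], "username": user})
    return sorted(hits, key=lambda c: c["id"])


# Constructed sample data standing in for the API response.
SAMPLE_TERMINATED = read_terminated_list("jdoe\nasmith\n# localadmin is shared\n")
SAMPLE_COMPUTERS = [
    {"id": 12, "name": "MBP-0012", "username": "jdoe"},
    {"id": 15, "name": "MBP-0015", "username": "jdoe2"},    # substring hit, still employed
    {"id": 31, "name": "MBP-0031", "username": "ASmith"},   # inventory casing differs
    {"id": 44, "name": "MBP-0044", "username": "localadmin"},
]
```

In production, `fetch_computers` would be called once per name from the list and the combined results fed to `select_lock_candidates`; the output is what a human signs off on before any lock command is queued.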

millersc
Valued Contributor

@jwojda look at the Lego video from JNUC16, go to time code 27:20 and that might give you some ideas.

jwojda
Valued Contributor II

@millersc Ohh, I was there for that one. I had forgotten about it. Maybe @LEGO or @macninja_IO could perhaps elaborate a bit on how that was done.

macninja_IO
New Contributor III

Hi.

I'll be more than happy to clarify.

We have a setPrimaryUser script that runs at each login.
It looks to see if the user has logged in 3 times.
If they have they get the prompt for my presentation.

They are asked if they are the Owner/Primary User.
If they are and say yes, the script then looks at the user.
At LEGO only a LEGO employee is allowed to be responsible for a LEGO asset.
So if the user is a LEGO employee they get added to a receipt and the Computer Record in Jamf is updated.
If they are not a LEGO employee it does an AD lookup and the manager of the user is set as owner.
And the user is set as Primary user in an Extension Attribute in Jamf.

If they say No, they get added to a Negative List and are not prompted again.
When the script runs at first it checks to see if an owner is set or the user is on the Negative List.
If they are it exits.

There are still more adjustments that needed to be done but we are at a v1.0 for this solution.

I hope this helped
Michael
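The login-time flow described in this post, as an added example (not LEGO's script): owner-already-set and Negative List checks first, a per-user login counter that prompts on the third login, a declined answer that suppresses future prompts, and the employee-or-manager rule for who becomes owner. State is kept in a local JSON file and the prompt and AD lookup are passed in as callables (all assumptions, so the flow can be exercised without a GUI or a directory).

```python
import json
from pathlib import Path
from typing import Callable

PROMPT_AFTER_LOGINS = 3   # the third login triggers the question


def new_state() -> dict:
    return {"owner": None, "primary_user": None, "negative": [], "logins": {}}


def load_state(path: Path) -> dict:
    # Assumption: local JSON file; the real script reads/writes Jamf EAs.
    return json.loads(path.read_text()) if path.exists() else new_state()


def save_state(path: Path, state: dict) -> None:
    path.write_text(json.dumps(state))


def on_login(user: str, state: dict,
             is_employee: Callable[[str], bool],
             manager_of: Callable[[str], str],
             ask_is_owner: Callable[[str], bool]) -> str:
    """One login event; returns what happened so the caller can log it."""
    # Owner already recorded, or the user declined earlier: exit quietly.
    if state["owner"] or user in state["negative"]:
        return "skip"
    # Count this login; only the third one prompts.
    state["logins"][user] = state["logins"].get(user, 0) + 1
    if state["logins"][user] < PROMPT_AFTER_LOGINS:
        return "counted"
    if not ask_is_owner(user):
        state["negative"].append(user)   # never asked again
        return "declined"
    # Only an employee may be responsible for the asset; for anyone
    # else the directory lookup's manager becomes the owner.
    state["owner"] = user if is_employee(user) else manager_of(user)
    state["primary_user"] = user
    return "owner_set"


def simulate(user: str, logins: int, employee: bool, says_yes: bool) -> tuple[list, dict]:
    """Constructed stand-ins for the GUI prompt and the AD manager lookup."""
    state = new_state()
    results = [on_login(user, state, lambda u: employee, lambda u: "mgr_of_" + u,
                        lambda u: says_yes) for _ in range(logins)]
    return results, state
```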

jwojda
Valued Contributor II

@macninja_IO so then I assume you do not use a ldap lookup for the info at login?

Would you be willing/able to share the scripts and how they are setup by chance :)?

macninja_IO
New Contributor III

I'll be happy to share.

Be mindful it's still pretty rough.
I just need to clean it up to disclose.

jwojda
Valued Contributor II

@macninja_IO thank you!

millersc
Valued Contributor

@macninja_IO Any chance you might be able to share this script still? I'm trying to find a solution for our teachers and this sounds like a very good solution.

macninja_IO
New Contributor III

Hi @millersc Sure. I got sidetracked by reality.

I'll have it up by Thursday.

It has dependencies though. But I'll put it in the description.

macninja_IO
New Contributor III

I finally got around to describing it all.
I put it in a separate post here https://www.jamf.com/jamf-nation/discussions/25549/how-we-do-asset-management-with-our-jamf-pro