I'm being tasked with some asset recovery for PCI compliance. I have an LDAP (SQL) database that I need to locate term'd employees in every day, then take that data, locate the ones that have Macs, and then issue a machine lock to ensure the machines get turned in instead of handed to someone else.
I need to automate this.
Without knowing anything about the database you referenced, assuming it's easy to get info out of, I'd say this should be possible to automate using the JSS API. However, one question that comes to mind is, do all your Macs have the primary user assigned to them so it's easy to cross-reference between your DB and the API? That piece would be critical to making this work, unless you have some other way of identifying Macs that may have been used by the term'd users.
Also, I'd be really cautious with this, and do a lot of testing to be sure it's really working solidly, since you're talking about sending an MDM lock command to these Macs. The last thing you'd want is for this to screw up and lock an actively used system by someone still in the company. That would be bad.
Are there any details you can post about the LDAP database you have or have access to?
That was the route I was imagining in my head.
I know it's a SQL DB; I can open it up in a SQL GUI (Sequel Pro.app) and see the raw data.
The primary user thing is something we discussed, but probably, at best, it's about 60-70% accurate (our local admin somehow is tied to a user, for instance). We thought maybe we'd try to find a way to get a list of the machine names with the user IDs (currently not in the DB) and then use those with the JSS.
There has to be other companies that have something setup, I doubt we are the only company wanting to do this.
Another option we were exploring on the PC side was to make an AD group and dump the machines into that. But I'm not sure the Macs would necessarily know what to do with AD group data. We only really use AD for user authentication/password requirements.
OK, so it's a SQL DB. How were you planning on extracting the information out of that to use it? If you can have someone, or something, pull out the user names into a file on a scheduled basis, you could use that as the input to a script of accounts to look up via the API, and then take action on them.
As for automating this daily, what was the thought on that? Do you have a Mac that can act as the central system that runs the script once a day to locate machines to send the lock command to? Like a Mac server that can do duty for this purpose? It's not really something you could automate off your JSS, of course.
I'll be more than happy to clarify.
We have a setPrimaryUser script that runs at each login.
It looks to see if the user has logged in 3 times.
If they have they get the prompt for my presentation.
They are asked if they are the Owner/Primary User.
If they are and say yes, the script then looks at the user.
At LEGO only a LEGO employee is allowed to be responsible for a LEGO asset.
So if the user is a LEGO employee they get added to a receipt and the Computer Record in Jamf is updated.
If they are not a LEGO employee it does an AD lookup and the manager of the user is set as owner.
And the user is set as Primary user in an Extension Attribute in Jamf.
If they say No, they get added to a Negative List and are not prompted again.
When the script runs, it first checks to see if an owner is set or the user is on the Negative List.
If they are it exits.
There are still more adjustments that need to be done, but we are at a v1.0 for this solution.
I hope this helped.