Call Policy from a separate Policy from a Computer without that Policy in Scope

iamYaje
New Contributor III

Here's the scenario:

We have a classroom of computers. Between class sessions, we run a restart on those computers. This happens at varying times.

To run this restart we used to use Apple Remote Desktop. Since that is becoming/is unsupported, we want to move away from it.

To run the command to restart/shutdown, etc., we have a staff computer that is separate from the other classroom computers.

So... from what I've read it is possible to call a policy from a separate policy. Say:

  • (Policy 1) has a custom trigger, and
  • (Policy 2) uses Files and Processes to call the custom trigger: 'sudo jamf policy -trigger [triggername]'

I created (Policy 1) to deliver a restart command. I scoped it to all of the computers that I want to have restarted. I created a custom trigger 'restartComputers10'

I created (Policy 2), have it call the 'restartComputers10' trigger, scoped it only to the staff computer, made the command available in Self Service.

Now that policy is only visible in Self Service from the staff computer, but I find that it does not trigger the first policy. Is this because that "staff" computer does not have Policy 1 in scope?

Is it possible to trigger a policy for separate computers from a computer that doesn't have the policy scoped to it?

Thanks for any thoughts on this.

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

Ok, well, unfortunately that isn't possible to do with any of the built in functionality in Jamf Pro. As I mentioned, when you execute anything from Self Service, it's running on that Mac only. It doesn't touch any other devices.

Back when Jamf Remote was around, it would have been possible to do thru that application, and as you already know, programs like Apple Remote Desktop can do this.

That said, I'm sure with enough tinkering, it might be possible to do this. I would have to sit down and think through how something like this would work. It's not an easy ask.



jamf-42
Valued Contributor

If you are calling policy 1 from policy 2, then you can scope policy 1 to all devices, as only policy 2 can trigger it. For policy 2 you can then define only the scope you want for policy 2.

iamYaje
New Contributor III

If I scope Policy 1 to the "staff" computer, and trigger Policy 2 from Self Service (from the "staff" computer), wouldn't that initiate a restart (for example) on the staff computer in addition to the other computers? We wouldn't want the staff computer to restart as well.

iamYaje
New Contributor III

I guess the thing I'm running into that's causing the most problem is calling a custom trigger and having the effects of the trigger affect multiple scoped computers at the same time.

If policy 1 is scoped to two computers, it will only trigger on the computer that I call it from.

If I call policy 1 from policy 2, it will do nothing unless the computer that is calling policy 1 from policy 2 also has policy 1 in its scope, and in that case policy 1 will only be triggered for that same computer, not the other ones.

jamf-42
Valued Contributor

Exclude staff from policy 1, or scope policy 1 to students via a smart group.

iamYaje
New Contributor III

Right, I've got it scoped to the students via a smart group.

It's just that, I am being unsuccessful at calling a custom trigger and having it deliver the policy to multiple computers at once. The smart group contains all of the computers I want it delivered to. I can call it from any one of those computers individually, but it won't trigger for the whole smart group at once.

jamf-42
Valued Contributor

Let me wrap my brain round this. 🤔🙃

policy 1 - reboot - scoped to students - custom trigger 'reboot'

policy 2 - self service - scoped to staff - (you don't need sudo) jamf policy -event reboot

trigger? That's old. I'm sure it's event; maybe trigger works?

If I understand it, that should work? 😎

iamYaje
New Contributor III
I'll try to clarify:

The idea is:
  • (Policy 1: Restart)
    • Scoped to the classroom computers via a smart group
    • Delivers a simple restart command
    • Custom trigger: "restartRoom10"
  • (Policy 2: Trigger Restart via Self Service)
    • Scoped to the instructor computer
    • Files and Processes: execute:

jamf policy -trigger "restartRoom10"

What I've learned in trying to do this is that a policy will be delivered to the same computer from which it was triggered (when using a custom trigger). For example, I cannot get Policy 2 to trigger Policy 1 at all, unless Policy 1 is also scoped to the computer that called Policy 2.

I also cannot get Policy 1 to trigger on multiple computers at once (the smart group) when just using Terminal to call the custom trigger for Policy 1 from any one of the computers within its scope. It always only checks for the policy on that local computer, ignoring any other computer in the scope.

I've tried adding the '-group' flag in these two configurations to Policy 2:

jamf policy -trigger "restartRoom10" -group
jamf policy -trigger "restartRoom10" -group "[name of smart group]"

This has also been unsuccessful and has the same result.

I think the essential question is: how do you configure a policy to trigger on multiple computers in a smart group simultaneously from a custom trigger?

jamf policy -event "restartRoom10" -group
jamf policy -event "restartRoom10" -group "[name of smart group]"

-event is the trigger for the custom triggers
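The behaviour described above (a custom trigger only resolves against the scope of the Mac that runs `jamf policy -event`) is easy to miss from a Self Service policy, because the jamf binary exits 0 whether or not anything ran. The following wrapper is an added example, not code from anyone in this thread: it runs the trigger locally, validates the trigger name before it is handed to the binary (the string usually comes from a Files and Processes field), and turns "nothing in scope on this Mac" into a distinct exit code so the caller can see the scope miss. It assumes the jamf binary is at /usr/local/bin/jamf (override with JAMF_BIN) and that a scope miss is reported with a line containing "No policies were found"; both are assumptions about the binary, not something the thread confirms.

```bash
#!/bin/bash
# Added example: run a Jamf custom trigger on the local Mac and report
# whether any policy in THIS Mac's scope actually matched it.
#
# Assumptions (not confirmed by the thread):
#   - the jamf binary is at /usr/local/bin/jamf (override with JAMF_BIN)
#   - when nothing is in scope it prints a line containing
#     "No policies were found" and still exits 0, so the exit status
#     alone is not a useful signal.

JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"

# Custom trigger names are plain identifiers. Reject anything else so a
# value pasted into a policy's Files and Processes field cannot smuggle
# extra shell arguments into the jamf invocation.
valid_trigger() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# run_trigger NAME
#   prints the jamf output and returns:
#     0  a policy in this Mac's scope matched the trigger
#     2  jamf ran, but found no policy for this Mac (local scope miss)
#     3  invalid trigger name, or jamf missing/failed
run_trigger() {
    local name="$1" out rc
    valid_trigger "$name" || { echo "invalid trigger name: $name" >&2; return 3; }
    [ -x "$JAMF_BIN" ] || { echo "jamf binary not found at $JAMF_BIN" >&2; return 3; }
    out="$("$JAMF_BIN" policy -event "$name" 2>&1)"; rc=$?
    printf '%s\n' "$out"
    [ "$rc" -eq 0 ] || return 3
    case "$out" in
        *"No policies were found"*) return 2 ;;
        *) return 0 ;;
    esac
}

# Command-line use: ./run_trigger.sh restartRoom10
if [ -n "${1:-}" ]; then
    run_trigger "$1"
    rc=$?
    case $rc in
        0) echo "policy executed on $(hostname)" ;;
        2) echo "this Mac ($(hostname)) is not in scope for trigger '$1'" ;;
        *) echo "run_trigger failed (rc=$rc)" ;;
    esac
    exit $rc
fi
```

Running this from the staff Mac with the trigger from the thread returns 2 on the staff Mac, which is exactly the symptom reported above: the trigger is evaluated against the caller's own scope, and no other machine is contacted. The wrapper does not make a cross-device trigger possible; it only makes the local-scope limitation visible instead of silent.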

mm2270
Legendary Contributor III

I'm not certain I completely understand what you're trying to do here.

A custom event trigger will execute (if in scope) on the machine calling the trigger from the Self Service policy, or from a Terminal command. Are you trying to use one computer to call policies on other computers? IOW, you want one Mac to use Self Service to make other Macs restart? Is that what you're attempting?

iamYaje
New Contributor III

@mm2270 Yes! That's what I'm attempting to do.

I suppose I don't know the problem well enough to describe it simply.

Do you have any suggestions?


iamYaje
New Contributor III

Thanks, mm2270.

I had a feeling prior to trying this out that it was going to require quite a bit more backend lifting. It's helpful to have learned that it isn't possible to use Self Service to call a policy on multiple computers.

We can look into alternatives like Team Viewer if ARD goes down. It's still functional for now. I had been hoping to use Jamf for as much as possible.

I appreciate everyone thinking about this with me!