Skip to main content
Solved

Call Policy from a separate Policy from a Computer without that Policy in Scope

I
Forum|alt.badge.img+5

Here's the scenario:

We have a classroom of computers. Between class sessions, we run a restart on those computers. This happens at varying times.

To run this restart we used to use Apple Remote Desktop. Since that is becoming/is unsupported, we want to move away from it.

To run the command to restart/shutdown, etc., we have a staff computer that is separate from the other classroom computers.

So... from what I've read it is possible to call a policy from a separate policy. Say:

  • (Policy 1) has a custom trigger, and
  • (Policy 2) uses Files and Processes to call the custom trigger 'sudo policy -trigger [triggername]'

I created (Policy 1) to deliver a restart command. I scoped it to all of the computers that I want to have restarted. I created a custom trigger 'restartComputers10'

I created (Policy 2), have it call the 'restartComputers10' trigger, scoped it only to the staff computer, made the command available in Self Service.

Now that policy is only visible in Self Service from the staff computer, but I find that it does not trigger the first policy. Is this because that "staff" computer does not have Policy 1 in scope?

Is it possible to trigger a policy for separate computers from a computer that doesn't have the policy scoped to it?

Thanks for any thoughts on this.

Best answer by mm2270

iamYaje wrote:

@mm2270 Yes! That's what I'm attempting to do.

I suppose I don't know the problem well enough to describe it simply.

Do you have any suggestions?


Ok, well, unfortunately that isn't possible to do with any of the built in functionality in Jamf Pro. As I mentioned, when you execute anything from Self Service, it's running on that Mac only. It doesn't touch any other devices.

Back when Jamf Remote was around, it would have been possible to do thru that application, and as you already know, programs like Apple Remote Desktop can do this.

That said, I'm sure with enough tinkering, it might be possible to do this. I would have to sit down and think through how something like this would work. It's not an easy ask.

View original
    Did this topic help you find an answer to your question?

    12 replies

    jamf-42
    Forum|alt.badge.img+17
    • jamf-42
    • Esteemed Contributor
    • 744 replies
    • March 9, 2023

    if you are calling policy 1 from policy 2 then you can scope policy 1 to all devices .. as only 2 can trigger it. policy 2 you can then define the scope you only want for policy 2 

    I
    Forum|alt.badge.img+5
    • iamYaje
    • Author
    • Contributor
    • 33 replies
    • March 9, 2023

    If I scope Policy 1 to the "staff" computer, and trigger Policy 2 from Self Service (from the "staff" computer), wouldn't that initiate a restart (for example) on the staff computer in addition to the other computers. We wouldn't want the staff computer to restart as well.

    I
    Forum|alt.badge.img+5
    • iamYaje
    • Author
    • Contributor
    • 33 replies
    • March 9, 2023

    I guess the thing I'm running into that's causing the most problem is calling a custom trigger and having the effects of the trigger affect multiple scoped computers at the same time.

    If policy 1 is scoped to two computers, it will only trigger on the computer that I call it from.

    If I call policy 1 from policy 2, it will do nothing unless the computer that is calling policy 1 from policy 2 also has policy 1 in its scope, and in that case policy 1 will only be triggered for that same computer, not the other ones.

    jamf-42
    Forum|alt.badge.img+17
    • jamf-42
    • Esteemed Contributor
    • 744 replies
    • March 9, 2023

    exclude staff from policy 1 or scope policy 1 to students via smart group

    I
    Forum|alt.badge.img+5
    • iamYaje
    • Author
    • Contributor
    • 33 replies
    • March 9, 2023

    Right, I've got it scoped to the students via a smart group.

    It's just that, I am being unsuccessful at calling a custom trigger and having it deliver the policy to multiple computers at once. The smart group contains all of the computers I want it delivered to. I can call it from any one of those computers individually, but it won't trigger for the whole smart group at once.

    jamf-42
    Forum|alt.badge.img+17
    • jamf-42
    • Esteemed Contributor
    • 744 replies
    • March 9, 2023
    iamYaje wrote:

    Right, I've got it scoped to the students via a smart group.

    It's just that, I am being unsuccessful at calling a custom trigger and having it deliver the policy to multiple computers at once. The smart group contains all of the computers I want it delivered to. I can call it from any one of those computers individually, but it won't trigger for the whole smart group at once.


    let me wrap my brain round this. ðŸ¤” 🤔🙃

    policy 1 - reboot - scoped to students - custom trigger  'reboot'

    policy 2 - self service - scoped to staff - (you don't need sudo) jamf policy -event reboot 

    trigger? thats old.. sure its event, maybe trigger works? 

    if I understand it.. that should work? ðŸ˜Ž

     

    I
    Forum|alt.badge.img+5
    • iamYaje
    • Author
    • Contributor
    • 33 replies
    • March 9, 2023
    I'll try to clarify:

    The idea is:
    • (Policy 1: Restart)
      • Scoped to the classroom computers via a smart group
      • Delivers a simple restart command
      • Custom trigger: "restartRoom10"
    • (Policy 2: Trigger Restart via Self Service)
      • Scoped to the instructor computer
      • Files and Processes: execute:

     

    jamf policy -trigger "restartRoom10"

     

    What I've learned in trying to do this is that a policy will be delivered to the same computer from which it was triggered (when using a custom trigger). For example, I cannot get Policy 2 to trigger Policy 1 at all, unless policy 1 is scoped also to the computer that called Policy 2.
     
    I also cannot get policy 1 to trigger on multiple computers at once (the smart group) when just using Terminal to call the custom trigger for policy 1 from any one of the computers within it's scope. It always only checks for the policy on that local computer, ignoring any other computer in the scope.
     
    I've tried adding the '-group' flag in these two configurations to Policy 2:

     

    jamf policy -trigger "restartRoom10" -groupjamf policy -trigger "restartRoom10" -group "[name of smart group]"

     

     
    This has also been unsuccessful and has the same result.
     
    I think the essential question is: how do you configure a policy to trigger on multiple computers in a smart group simultaneously from a custom trigger?
    mm2270
    Forum|alt.badge.img+16
    • mm2270
    • Legendary Contributor
    • 7880 replies
    • March 9, 2023

    I'm not certain I completely understand what you're trying to do here.

    A custom event trigger will execute (if in scope) on the machine calling the trigger from the Self Service policy, or from a Terminal command. Are you trying to use one computer to call policies on other computers? IOW, you want one Mac to use Self Service to make other Macs restart? Is that what you're attempting?

    I
    Forum|alt.badge.img+5
    • iamYaje
    • Author
    • Contributor
    • 33 replies
    • March 9, 2023
    mm2270 wrote:

    I'm not certain I completely understand what you're trying to do here.

    A custom event trigger will execute (if in scope) on the machine calling the trigger from the Self Service policy, or from a Terminal command. Are you trying to use one computer to call policies on other computers? IOW, you want one Mac to use Self Service to make other Macs restart? Is that what you're attempting?


    @mm2270 Yes! That's what I'm attempting to do.

    I suppose I don't know the problem well enough to describe it simply.

    Do you have any suggestions?

    mm2270
    Forum|alt.badge.img+16
    • mm2270
    • Legendary Contributor
    • 7880 replies
    • Answer
    • March 10, 2023
    iamYaje wrote:

    @mm2270 Yes! That's what I'm attempting to do.

    I suppose I don't know the problem well enough to describe it simply.

    Do you have any suggestions?


    Ok, well, unfortunately that isn't possible to do with any of the built in functionality in Jamf Pro. As I mentioned, when you execute anything from Self Service, it's running on that Mac only. It doesn't touch any other devices.

    Back when Jamf Remote was around, it would have been possible to do thru that application, and as you already know, programs like Apple Remote Desktop can do this.

    That said, I'm sure with enough tinkering, it might be possible to do this. I would have to sit down and think through how something like this would work. It's not an easy ask.

    I
    Forum|alt.badge.img+5
    • iamYaje
    • Author
    • Contributor
    • 33 replies
    • March 10, 2023

    Thanks, mm2270.

    I had a feeling prior to trying this out that it was going to require quite a bit more backend lifting. It's helpful to have learned that this isn't possible to use Self Service to call a policy on multiple computers.

    We can look into alternatives like Team Viewer if ARD goes down. It's still functional for now. I had been hoping to use Jamf for as much as possible.

    I appreciate everyone thinking about this with me! 

    T
    Forum|alt.badge.img+4
    iamYaje wrote:
    I'll try to clarify:

    The idea is:
    • (Policy 1: Restart)
      • Scoped to the classroom computers via a smart group
      • Delivers a simple restart command
      • Custom trigger: "restartRoom10"
    • (Policy 2: Trigger Restart via Self Service)
      • Scoped to the instructor computer
      • Files and Processes: execute:

     

    jamf policy -trigger "restartRoom10"

     

    What I've learned in trying to do this is that a policy will be delivered to the same computer from which it was triggered (when using a custom trigger). For example, I cannot get Policy 2 to trigger Policy 1 at all, unless policy 1 is scoped also to the computer that called Policy 2.
     
    I also cannot get policy 1 to trigger on multiple computers at once (the smart group) when just using Terminal to call the custom trigger for policy 1 from any one of the computers within it's scope. It always only checks for the policy on that local computer, ignoring any other computer in the scope.
     
    I've tried adding the '-group' flag in these two configurations to Policy 2:

     

    jamf policy -trigger "restartRoom10" -groupjamf policy -trigger "restartRoom10" -group "[name of smart group]"

     

     
    This has also been unsuccessful and has the same result.
     
    I think the essential question is: how do you configure a policy to trigger on multiple computers in a smart group simultaneously from a custom trigger?

    jamf policy -event "restartRoom10" -groupjamf policy -event "restartRoom10" -group "[name of smart group]"

    -event is the trigger for the custom triggers

    Reply


    Most helpful members this week

    Terms & ConditionsCookie settingsAccessibility statement

    Cookie policy

    We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

     
    Cookie settings