- Jamf Nation Community
- Products
- Jamf Pro
- Call Policy from a separate Policy from a Computer...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-09-2023 09:11 AM - edited 03-09-2023 09:13 AM
Here's the scenario:
We have a classroom of computers. Between class sessions, we run a restart on those computers. This happens at varying times.
To run this restart we used to use Apple Remote Desktop. Since that is becoming/is unsupported, we want to move away from it.
To run the command to restart/shutdown, etc., we have a staff computer that is separate from the other classroom computers.
So... from what I've read it is possible to call a policy from a separate policy. Say:
- (Policy 1) has a custom trigger, and
- (Policy 2) uses Files and Processes to call the custom trigger 'sudo policy -trigger [triggername]'
I created (Policy 1) to deliver a restart command. I scoped it to all of the computers that I want to have restarted. I created a custom trigger 'restartComputers10'
I created (Policy 2), have it call the 'restartComputers10' trigger, scoped it only to the staff computer, made the command available in Self Service.
Now that policy is only visible in Self Service from the staff computer, but I find that it does not trigger the first policy. Is this because that "staff" computer does not have Policy 1 in scope?
Is it possible to trigger a policy for separate computers from a computer that doesn't have the policy scoped to it?
Thanks for any thoughts on this.
Solved! Go to Solution.
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-10-2023 05:45 AM
Ok, well, unfortunately that isn't possible to do with any of the built in functionality in Jamf Pro. As I mentioned, when you execute anything from Self Service, it's running on that Mac only. It doesn't touch any other devices.
Back when Jamf Remote was around, it would have been possible to do thru that application, and as you already know, programs like Apple Remote Desktop can do this.
That said, I'm sure with enough tinkering, it might be possible to do this. I would have to sit down and think through how something like this would work. It's not an easy ask.
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-09-2023 09:18 AM
if you are calling policy 1 from policy 2 then you can scope policy 1 to all devices .. as only 2 can trigger it. policy 2 you can then define the scope you only want for policy 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-09-2023 09:27 AM
If I scope Policy 1 to the "staff" computer, and trigger Policy 2 from Self Service (from the "staff" computer), wouldn't that initiate a restart (for example) on the staff computer in addition to the other computers. We wouldn't want the staff computer to restart as well.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-09-2023 09:50 AM
I guess the thing I'm running into that's causing the most problem is calling a custom trigger and having the effects of the trigger affect multiple scoped computers at the same time.
If policy 1 is scoped to two computers, it will only trigger on the computer that I call it from.
If I call policy 1 from policy 2, it will do nothing unless the computer that is calling policy 1 from policy 2 also has policy 1 in its scope, and in that case policy 1 will only be triggered for that same computer, not the other ones.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-09-2023 09:53 AM
exclude staff from policy 1 or scope policy 1 to students via smart group
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-09-2023 10:10 AM
Right, I've got it scoped to the students via a smart group.
It's just that, I am being unsuccessful at calling a custom trigger and having it deliver the policy to multiple computers at once. The smart group contains all of the computers I want it delivered to. I can call it from any one of those computers individually, but it won't trigger for the whole smart group at once.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-09-2023 10:19 AM - edited 03-09-2023 10:22 AM
let me wrap my brain round this. 🤔🙃
policy 1 - reboot - scoped to students - custom trigger 'reboot'
policy 2 - self service - scoped to staff - (you don't need sudo) jamf policy -event reboot
trigger? thats old.. sure its event, maybe trigger works?
if I understand it.. that should work? 😎
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-09-2023 10:58 AM - edited 03-09-2023 11:01 AM
I'll try to clarify:
The idea is:
The idea is:
- (Policy 1: Restart)
- Scoped to the classroom computers via a smart group
- Delivers a simple restart command
- Custom trigger: "restartRoom10"
- (Policy 2: Trigger Restart via Self Service)
- Scoped to the instructor computer
- Files and Processes: execute:
jamf policy -trigger "restartRoom10"
What I've learned in trying to do this is that a policy will be delivered to the same computer from which it was triggered (when using a custom trigger). For example, I cannot get Policy 2 to trigger Policy 1 at all, unless policy 1 is scoped also to the computer that called Policy 2.
I also cannot get policy 1 to trigger on multiple computers at once (the smart group) when just using Terminal to call the custom trigger for policy 1 from any one of the computers within it's scope. It always only checks for the policy on that local computer, ignoring any other computer in the scope.
I've tried adding the '-group' flag in these two configurations to Policy 2:
jamf policy -trigger "restartRoom10" -groupjamf policy -trigger "restartRoom10" -group "[name of smart group]"
This has also been unsuccessful and has the same result.
I think the essential question is: how do you configure a policy to trigger on multiple computers in a smart group simultaneously from a custom trigger?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-14-2023 04:35 AM
jamf policy -event "restartRoom10" -groupjamf policy -event "restartRoom10" -group "[name of smart group]"-event is the trigger for the custom triggers
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-09-2023 11:10 AM
I'm not certain I completely understand what you're trying to do here.
A custom event trigger will execute (if in scope) on the machine calling the trigger from the Self Service policy, or from a Terminal command. Are you trying to use one computer to call policies on other computers? IOW, you want one Mac to use Self Service to make other Macs restart? Is that what you're attempting?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-09-2023 11:11 AM - edited 03-09-2023 12:48 PM
@mm2270 Yes! That's what I'm attempting to do.
I suppose I don't know the problem well enough to describe it simply.
Do you have any suggestions?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-10-2023 05:45 AM
Ok, well, unfortunately that isn't possible to do with any of the built in functionality in Jamf Pro. As I mentioned, when you execute anything from Self Service, it's running on that Mac only. It doesn't touch any other devices.
Back when Jamf Remote was around, it would have been possible to do thru that application, and as you already know, programs like Apple Remote Desktop can do this.
That said, I'm sure with enough tinkering, it might be possible to do this. I would have to sit down and think through how something like this would work. It's not an easy ask.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-10-2023 08:25 AM - edited 03-10-2023 08:27 AM
Thanks, mm2270.
I had a feeling prior to trying this out that it was going to require quite a bit more backend lifting. It's helpful to have learned that this isn't possible to use Self Service to call a policy on multiple computers.
We can look into alternatives like Team Viewer if ARD goes down. It's still functional for now. I had been hoping to use Jamf for as much as possible.
I appreciate everyone thinking about this with me!
