Config profile based on Jamf backend

Captainamerica
Contributor II

I have the following script that updates the Jamf username and full name in the Jamf backend:

#!/bin/bash
# $3 is the username Jamf passes to policy scripts
sudo jamf recon -endUsername "$3"

# Discover last logged in username
lastUser=$(defaults read /Library/Preferences/com.apple.loginwindow lastUserName)

# Get the Full Name of the last logged in user
# (dscl prints the value on the RealName line when it has no spaces, on the next line otherwise)
fullName=$(dscl . read "/Users/$lastUser" RealName | tail -n 1 | sed -e 's/^RealName: //' -e 's/^ //')

# Add the user's full name to the computer record in the JSS
jamf recon -realname "$fullName"

exit 0

The issue is that a config profile must be pushed out only once this script has run. Right now the config profile runs first, before the script has made it.

Maybe I am thinking too technical instead of going for the easy way, but does anyone have some input on how this can be solved?

3 REPLIES

Chris
Valued Contributor

You could add something like

touch /var/db/.GOprofileGO

to your script (before the recon), create an extension attribute that monitors the existence of the file and create a smart group based on that.
Then scope your config profile only to devices that have the file.

Or scope the profile to a smart group that has "Full Name" - "Not like" - "empty" (if that makes sense in your situation)
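
An extension attribute for the marker-file approach in the reply above could look like this (an added example, not code from the thread). It assumes the marker path /var/db/.GOprofileGO from that reply; the function name marker_state and the values Ready, NotReady and Untrusted are made up for illustration, and the smart group would match on Ready.

```shell
#!/bin/bash
# Added example: extension attribute for the marker-file approach.
# MARKER is the path from the reply above; the result strings are constructed.
MARKER="${MARKER:-/var/db/.GOprofileGO}"

# Print Ready, NotReady or Untrusted for the path given as $1.
marker_state() {
    f="$1"
    # Nothing at that path (and not a dangling symlink): the script has not run yet.
    if [ ! -e "$f" ] && [ ! -L "$f" ]; then
        echo "NotReady"
        return 0
    fi
    # A symlink, directory or other non-regular file is not what touch creates.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "Untrusted"
        return 0
    fi
    # -O: owned by the effective user. Extension attributes run as root,
    # so this rejects a marker created by any other account.
    if [ ! -O "$f" ]; then
        echo "Untrusted"
        return 0
    fi
    echo "Ready"
}

# Jamf Pro reads the extension attribute value from between <result> tags.
echo "<result>$(marker_state "$MARKER")</result>"
```

Reporting Untrusted separately from NotReady makes it possible to build a second smart group that flags machines where something other than the policy script created the marker.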

mschroder
Valued Contributor

We do it the way @Chris describes. What I hate about that is that I have to

  • create yet another extension attribute
  • add a smart group (or even two: 'requested this' and 'got this')
  • run a full recon to signal the existence of the tagfile and make sure macs get added to the smart group.

but I have not yet found a better way.

mm2270
Legendary Contributor III

I suppose another option, if you don't want to create another Extension Attribute (I understand this, as I once had hundreds of them tracking all kinds of settings and files, etc), is to use an API script to add the computer into a static group that is scoped to the profile deployment. Once the machine is added to the group, it should (in theory) push the profile out right away.
This is undoubtedly more complex on the face of it, since adding a machine into a group on the JPS is not exactly trivial, but it would negate the need to drop breadcrumbs on the machine, run another full recon and then have another EA script run on your devices.

I feel like there should be a simpler way to schedule things like this to happen in the order that we need them to happen in though.