Create a Smart Group based on the JSS Management User

pblake
Contributor III

Does anyone know how I can create a smart group based on the account the JSS is using for management? We are in the process of changing the management account and it would be great to scope it and track the progress.

I see the name of the account in the General tab of the computer. It is called "Managed: Managed by jssuser".

Can I create a smart group based on which computers are not managed by this account?

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

If you're using version 9 of Casper Suite, this is already a built-in criteria item you can use in searches or when creating Smart Groups.
If on version 8.x, take a look at this thread for information on how to create an Extension Attribute to capture that information, since it's not something built into that series.

https://jamfnation.jamfsoftware.com/discussion.html?id=7575

pblake
Contributor III

I am running 9.22. I don't see this in the criteria. Which item is it? I see it listed under the general tab of a computer, but not in the criteria I can choose while creating a smart group. I see "Verify MDM Enrollment", nothing else even related.

mm2270
Legendary Contributor III

It's just called "Management Account". I see it listed under either the Advanced Search criteria or when creating a Smart Group. Click the "All Criteria" button when you first go into the criteria tab, then scroll down until you see "Management Account" and select that. It should give you a field where you can type in whatever value you want, i.e. the name of the account managing the Mac that you want to build a group off of.

pblake
Contributor III

I am running 9.22; it is not listed under All Criteria. It goes from "Make" to "Mapped Printers". No Management Account. What version are you running? Do you have an extension attribute that is doing that?

mm2270
Legendary Contributor III

Erh, well, we do have an Extension Attribute, as I outline in the post I linked to. I thought that the criteria was something built in now in version 9, but I apparently made a mistake. Looks like I was seeing our EA and not something built in. It's kind of an issue with version 9 now that it's harder to know if something you're choosing from criteria is built in or part of something you created, because they are no longer separated into categories.

Sorry. I guess you'll need to make that EA the way I outlined in my post then. Could have sworn this was now a built-in item in version 9.

pblake
Contributor III

Thanks. I am glad I am not crazy. I opened up a ticket to figure out how to create an EA for 9.x. I'll post it when complete.

rrouleau
Contributor

@pblake Did you happen to figure out how to create an EA for 9.x? I'd love it if you shared it, if you did.
Thanks in advance.

Update: Used @mm2270's way of creating the EA... Worked great. Thanks!

jleomcdo
Contributor

Not sure if you are still looking for a way to do this, but I created a new Extension Attribute that reports the "Managed by" user name for each computer.
You can then use this EA to create a Smart Group.

You can create a new EA, set it to "Input Type = Script" and then copy and paste the text below into the Script box.
P.S. I'm working on uploading the .xml file to the JAMF Nation Extension Attribute page. Then you can download it from there and just upload it to your JSS.

#!/bin/bash

####################################################################################################################
#
# This Extension Attribute will return the "Managed by" account name that the JSS is using to manage the computer
#
# You can then create Smart Groups or Advanced Search based on this Attribute.
#
# You need to fill in your UserName, Password to access your JSS. You also need to fill in the JSS address and port number.
#
####################################################################################################################

# Update these variables

user="UserName"
pass="Password"
jssaddress="Server Address"
serverPort="8443"
computerName=$(hostname -f)

# Do not modify below this line #

response=$(curl https://$jssaddress/JSSResource:$serverPort/computers/name/$computerName/subset/General --user "$user:$pass")
ManagedBy=$(echo $response | /usr/bin/awk -F'<management_username>|</management_username>' '{print $2}')

echo "<result>$ManagedBy</result>"

Taylor_Armstron
Valued Contributor

Does anyone have a clue how to pull this from the database without the EA?

jleomcdo and mm2270 - I greatly appreciate the EA, but our ITSec guys freak out with any script that has a password stored. (even if it is just the service account).

Considering that the info is already IN the database somewhere, it seems inefficient to query the workstations for the data through the EA - there ought to be a method to simply expose that record in the database to use in your smart groups.

I may go with the "read-only" API account, but I know that if it is discovered in an audit it will get flagged.

mm2270
Legendary Contributor III

@Taylor.Armstrong I wish this was a built in item we could display in a report or use as criteria for a Smart Group without having to resort to the EA. This is one of those areas where I get very frustrated with JAMF. I agree with you 100%, no, actually 1000%! The information is right there in the computer record, both in the JSS UI and in the API info, so why in the heck isn't this just something we can choose as a search or Smart Group criteria item? I've said this like a hundred times by now on different threads, but, if a piece of data exists in the computer record that I can see in the JSS, I should also be able to use that as criteria for an advanced search or Smart Group. There are simply no excuses for these omissions, and I continue to be baffled why there are still items we can't use for this purpose, even though they are easy to see when browsing a computer record.

For the moment, you can, I suppose, consider creating a special API read-only account that just has access to computer objects only and nothing else, and use that in the EA script.

Another approach you could take is to look at JAMF's script here: Encrypted-Script-Parameters that would let you use an encrypted username and password sent down to a script at run time. Have this script run from a policy once per day on each Mac and write the resulting management account name into a local file. Then have the EA script simply look for, and pull out the results from the file. In that way, you can use a more secure script method of pulling data with the API, but have the EA scoop up the information later. I'm guessing the security issue would be in using a plain text username/password in a script, and not so much if the management account name is exposed in a plain text file, right?

t_bissinger
New Contributor II

Hi, thanks for the ext. Attribute. It's what I searched for.

@jleomcdo There is a little mistake in your Extension Attribute.

It has to be:
response=$(curl https://$jssaddress:$serverPort/JSSResource/computers/name/$computerName/subset/General --user "$user:$pass")

robby_c137
New Contributor III

@t.bissinger @jleomcdo Just starting out here and I'm having trouble getting your EAs to work. Any tips? Here's what I'm working with.

user="myusername"
pass="mypassword"
jssaddress="jss.myurl.com"
serverPort="8443"
computerName=$(hostname -f)

response=$(curl https://$jssaddress:$serverPort/JSSResource/computers/name/$computerName/subset/General --user "$user:$pass")
ManagedBy=$(echo $response | /usr/bin/awk -F'<management_username>|</management_username>' '{print $2}')

echo "<result>$ManagedBy</result>"

mm2270
Legendary Contributor III

@robby_c137 Does your EA script have a shebang line at the top, like #!/bin/sh for example? Your post above doesn't contain it, so it's unclear.

robby_c137
New Contributor III

Yes it does.

mm2270
Legendary Contributor III

@robby_c137 OK, I just took a closer look and I think I see the issue. The hostname -f command for getting the ComputerName is most likely messing things up. On my system, which is AD joined, it returns a full hostname in the format of computername.domain.company.com, which is not going to work in an API script since that's not actually the computer name.

You can get the correct computer name several different ways. Here's just one way:
scutil --get ComputerName

But in actuality, it may be safer to use the Serial number in the API call, since some computer names can have odd characters or spaces in them that, if not properly escaped, will throw an error when used in a curl API call.

Getting the serial number in the script:

serialNumber=$(ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformSerialNumber/{print $4}')

You would still need to change the resource url for the API call though, from

JSSResource/computers/name/$computerName/subset/General

to

JSSResource/computers/serialnumber/$serialNumber/subset/General

See if that works after making those changes.
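One way to put the pieces of this thread together: mm2270's split (a policy does the API call with credentials passed as script parameters and caches the result locally, while the EA only reads the cache), the serial-number lookup above, and the host:port URL form t_bissinger corrected. This is an added example, not code from the thread or from JAMF; the cache path, the function names and the $4..$7 parameter layout are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread. A policy runs this with the JSS host, port
# and API credentials as jamf script parameters ($4..$7, an assumed layout), looks the
# Mac up by serial number and caches the "Managed by" name locally. The Extension
# Attribute runs the same file with no parameters and only reads the cache, so no
# username/password is stored in the EA script itself.

CACHE="/Library/Application Support/JAMF/managed_by.txt"   # assumed cache location

# Serial number from the IORegistry, as in the thread (avoids the hostname -f problem).
get_serial() {
    ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformSerialNumber/{print $4}'
}

# Pull <management_username> out of the subset/General XML; prints nothing if absent.
parse_management_username() {
    printf '%s' "$1" | awk -F'<management_username>|</management_username>' 'NF>2{print $2}'
}

# Classic API lookup by serial number (host:port before /JSSResource, as t_bissinger noted).
# --fail makes curl exit non-zero on HTTP errors, so a 401 is never parsed as if it were XML.
jss_fetch_general() {
    host="$1"; port="$2"; user="$3"; pass="$4"; serial="$5"
    curl --silent --fail --header "Accept: application/xml" --user "$user:$pass" \
         "https://$host:$port/JSSResource/computers/serialnumber/$serial/subset/General"
}

# Policy side: write the name to the cache so the EA can read it later.
write_cache() {   # $1 = managed-by name, $2 = cache path
    umask 022
    printf '%s\n' "$1" > "$2"
}

# EA side: print the cached name as the EA <result>, or a fixed marker if missing.
read_cache() {    # $1 = cache path
    name=""
    [ -r "$1" ] && name=$(head -n 1 "$1")
    printf '<result>%s</result>\n' "${name:-Not Reported}"
}

if [ "$#" -ge 7 ]; then   # policy run: jamf passes custom parameters starting at $4
    xml=$(jss_fetch_general "$4" "$5" "$6" "$7" "$(get_serial)") || exit 1
    write_cache "$(parse_management_username "$xml")" "$CACHE"
else                       # EA run: no parameters, just report what the policy cached
    read_cache "$CACHE"
fi
```

Scope the policy to run once a day, and the EA picks the value up on the next inventory; the Smart Group then uses the EA with "is not" the new management account name.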

robby_c137
New Contributor III

@mm2270 Both suggestions worked! Our computer names are our asset tag numbers so I shouldn't have a problem but SN is just as good. Thanks!


jaharmi
Contributor

I would also like to see this, especially without an API call. I generally agree with @Taylor.Armstrong and @mm2270 — and for similar reasons.