Posted on 01-25-2014 02:30 PM
Does anyone know how I can create a smart group based on the account the JSS is using for management? We are in the process of changing the management account and it would be great to scope it and track the progress.
I see the name of the account in the General tab of the computer. It is called "Managed: Managed by jssuser".
Can I create a smart group based on which computers are not managed by this account?
Posted on 01-25-2014 02:51 PM
If you're using version 9 of Casper Suite, this is already a built in criteria item you can use in searches or when creating Smart Groups.
If on version 8.x, take a look at this thread for information on how to create an Extension Attribute to capture that information, since it's not something built into that series.
Posted on 01-26-2014 02:06 PM
I am running 9.22. I don't see this in the criteria. Which item is it? I see it listed under the general tab of a computer, but not in the criteria I can choose while creating a smart group. I see "Verify MDM Enrollment", nothing else even related.
Posted on 01-26-2014 02:18 PM
It's just called "Management Account". I see it listed under either the Advanced Search criteria or when creating a Smart Group. Click the "All Criteria" button when you first go into the criteria tab, then scroll down until you see "Management Account" and select that. It should give you a field where you can type in whatever value you want, i.e. the name of the account managing the Mac that you want to build a group off of.
Posted on 01-27-2014 01:00 PM
I am running 9.22. It is not listed under All Criteria. It goes from "Make" to "Mapped Printers". No Management Account. What version are you running? Do you have an extension attribute that is doing that?
Posted on 01-27-2014 01:15 PM
Erh, well, we do have an Extension Attribute, as I outline in the post I linked to. I thought that the criteria was something built in now in version 9, but I apparently made a mistake. Looks like I was seeing our EA and not something built in. It's kind of an issue with version now that it's harder to know if something you're choosing from criteria is built in or part of something you created because they are no longer separated into categories.
Sorry. I guess you'll need to make that EA the way I outlined in my post then. Could have sworn this was now a built in item in version 9.
Posted on 01-27-2014 02:34 PM
Thanks. I am glad I am not crazy. I opened up a ticket to figure out how to create an EA for 9.x. I'll post it when complete.
Posted on 02-18-2014 06:19 PM
@pblake Did you happen to figure out how to create an EA for 9.x? I'd love the share if you did.
Thanks in advance.
Update: Used @mm2270 way of creating the EA... Worked great. Thanks!
Posted on 10-30-2015 07:30 AM
Not sure if you are still looking for a way to do this, but I created a new Extension Attribute that reports the "Managed by" user name for each computer.
You can then use this EA to create a Smart Group.
You can create a new EA and set to "Input Type = Script" and then copy and paste the below text into the Script box.
P.S. I'm working on uploading the .xml file to the JAMF Nation Extension Attribute page. Then you can download it from there and just upload to your JSS.
user="UserName"
pass="Password"
jssaddress="Server Address"
serverPort="8443"
computerName=$(hostname -f)
response=$(curl https://$jssaddress/JSSResource:$serverPort/computers/name/$computerName/subset/General --user "$user:$pass")
ManagedBy=$(echo $response | /usr/bin/awk -F'<management_username>|</management_username>' '{print $2}')
echo "<result>$ManagedBy</result>"
Posted on 12-23-2015 05:44 PM
Does anyone have a clue how to pull this from the database without the EA?
jleomcdo and mm2270 - I greatly appreciate the EA, but our ITSec guys freak out with any script that has a password stored. (even if it is just the service account).
Considering that the info is already IN the database somewhere, it seems inefficient to query the workstations for the data through the EA - there ought to be a method to simply expose that record in the database to use in your smart groups.
I may go with the "read-only" API account, but I know that if it is discovered in an audit it will get flagged.
Posted on 12-23-2015 09:35 PM
@Taylor.Armstrong I wish this was a built in item we could display in a report or use as criteria for a Smart Group without having to resort to the EA. This is one of those areas where I get very frustrated with JAMF. I agree with you 100%, no, actually 1000%! The information is right there in the computer record, both in the JSS UI and in the API info, so why in the heck isn't this just something we can choose as a search or Smart Group criteria item? I've said this like a hundred times by now on different threads, but, if a piece of data exists in the computer record that I can see in the JSS, I should also be able to use that as criteria for an advanced search or Smart Group. There are simply no excuses for these omissions, and I continue to be baffled why there are still items we can't use for this purpose, even though they are easy to see when browsing a computer record.
For the moment, you can, I suppose, consider creating a special API read only account that just has access to computer objects only and nothing else and use that in the EA script.
Another approach you could take is to look at JAMF's script here: Encrypted-Script-Parameters that would let you use an encrypted username and password sent down to a script at run time. Have this script run from a policy once per day on each Mac and write the resulting management account name into a local file. Then have the EA script simply look for, and pull out the results from the file. In that way, you can use a more secure script method of pulling data with the API, but have the EA scoop up the information later. I'm guessing the security issue would be in using a plain text username/password in a script, and not so much if the management account name is exposed in a plain text file, right?
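The cached-file split described in the post above, sketched as an added example that is not part of the original thread or of JAMF's own scripts: a policy script (which receives its credentials at run time) stores only the management account name, and the EA reads that file with no credentials or network call. The cache path, function names and sample XML are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. CACHE_FILE and all function names are hypothetical.
CACHE_FILE="${CACHE_FILE:-/Library/Application Support/ExampleOrg/management_account.txt}"

# Pull the text of <management_username> out of an API XML response.
parse_management_username() {
    printf '%s' "$1" | tr -d '\n' |
        sed -n 's:.*<management_username>\([^<]*\)</management_username>.*:\1:p'
}

# Policy side: given the XML the policy script fetched, store only the name.
# The password never touches disk; only the account name is written.
write_cache() {
    target="${2:-$CACHE_FILE}"
    name=$(parse_management_username "$1")
    [ -n "$name" ] || return 1      # nothing parsed: keep the previous cache
    tmp="$target.tmp.$$"
    # Write to a temp file and rename so the EA never reads a partial file.
    ( umask 022; printf '%s\n' "$name" > "$tmp" ) && mv -f "$tmp" "$target"
}

# EA side: a plain file read, so the EA script holds no username or password.
ea_result() {
    source_file="${1:-$CACHE_FILE}"
    if [ -r "$source_file" ] && [ -s "$source_file" ]; then
        # Strip angle brackets so the value cannot break the <result> tag.
        name=$(head -n 1 "$source_file" | tr -d '<>')
    else
        name="Not recorded"
    fi
    printf '<result>%s</result>\n' "$name"
}

# Constructed sample of a General-subset response (not captured from a server).
SAMPLE_XML='<computer><general><name>EXAMPLE-001</name><remote_management><managed>true</managed><management_username>jssuser</management_username></remote_management></general></computer>'

# Stand-alone demo against a temporary file instead of the real cache path.
demo=$(mktemp) && write_cache "$SAMPLE_XML" "$demo" && ea_result "$demo"
rm -f "$demo"
```

A Smart Group can then match on the EA value, with "Not recorded" identifying Macs where the policy has not yet run.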
Posted on 01-22-2016 05:19 AM
Hi, thanks for the ext.Attribute. It's what I searched for.
@jleomcdo There is a little mistake in your Extension Attribute.
It has to be:
response=$(curl https://$jssaddress:$serverPort/JSSResource/computers/name/$computerName/subset/General --user "$user:$pass")
Posted on 02-02-2016 05:54 PM
@t.bissinger @jleomcdo Just starting out here and I'm having trouble getting your EAs to work. Any tips? Here's what I'm working with.
user="myusername"
pass="mypassword"
jssaddress="jss.myurl.com"
serverPort="8443"
computerName=$(hostname -f)
response=$(curl https://$jssaddress:$serverPort/JSSResource/computers/name/$computerName/subset/General --user "$user:$pass")
ManagedBy=$(echo $response | /usr/bin/awk -F'<management_username>|</management_username>' '{print $2}')
echo "<result>$ManagedBy</result>"
Posted on 02-02-2016 09:43 PM
@true[robby] Does your EA script have a shebang line at the top, like #!/bin/sh for example? Your post above doesn't contain it so it's unclear.
Posted on 02-02-2016 10:21 PM
Yes it does.
Posted on 02-02-2016 10:40 PM
@true[robby] OK, I just took a closer look and I think I see the issue. The hostname -f command for getting the ComputerName is most likely messing things up. On my system, which is AD joined, it returns a full hostname in the format of computername.domain.company.com. That's not going to work in an API script since that's not actually the computer name.
You can get the correct computer name several different ways. Here's just one way: scutil --get ComputerName
But in actuality, it may be safer to use the Serial number in the API call, since some computer names can have odd characters or spaces in them that, if not properly escaped, will throw an error when used in a curl API call.
Getting the serial number in the script:
serialNumber=$(ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformSerialNumber/{print $4}')
You would still need to change the resource url for the API call though, from
JSSResource/computers/name/$computerName/subset/General
to
JSSResource/computers/serialnumber/$serialNumber/subset/General
See if that works after making those changes.
Posted on 02-02-2016 11:38 PM
@mm2270 Both suggestions worked! Our computer names are our asset tag numbers so I shouldn't have a problem but SN is just as good. Thanks!
Posted on 02-10-2016 06:53 AM
I would also like to see this, especially without an API call. I generally agree with @Taylor.Armstrong and @mm2270 — and for similar reasons.