delay smart group update

New Contributor II

I'm trying to get an email notification when a specific application is not running on the device.
For that purpose, I have a Smart Group for the devices where the process is not running and sends an email on each membership change. 

The annoyance is that on the user login after boot the app is not detected, generating a report because the device was added to the group, but in the minute after the application is detected and the device removed, generating a new message.

I'm trying to reduce these unnecessary reports by introducing a delay or a condition on the smart group.
My initial idea was to place a condition like "Last Inventory Update" or "Last Check-in" more than a few minutes ago, but the rule builder only works with date and days, not minutes.
How would you accomplish the objective? [receiving email notifications on apps that are not running but with a small delay]


New Contributor II

I'm more than certain that the "thing" is within the inventory update policy, which was set to update by network change and log in.
I have come to realize that this is a kind of useless question, I just needed to dig 1st. [but I'm not sure how to delete posts]


I feel your frustration, you really have to get creative and think outside the box when trying to capture things that can change so quickly. Smart groups probably aren't the best option for trying to capture real-time data like a running process, because the group will only update with every inventory update (so could take hours depending on your settings). 


What about having a script run at user login that waits for say 30 seconds to see if the process starts. If running, exit. If not running, create a file in tmp directory for an EA to look for. You can then base the Smart group on the EA instead of the app running or not. This would solve the membership notifications, but the problem here though will be also capturing if the process starts running after you've already created the file for the EA to look for. You would basically need a script running in an endless loop, which isn't ideal.

I do this for a lot of things, have a policy run a script that outputs to a text file that an EA reads.  You could look into having the script see if the app is running and if not, output the EA then do a recon.  That should get you your email sooner and you can put logic in the script that if the value is there, don't recon any more to avoid the loop.

New Contributor II

Thanks for your suggestion, I do think that it would give cleaner results, but I'm trying to stick with the jamf "vanilla" features, and not add any running code/work to the endpoint. Nevertheless one has to consider the application limitations and use its extension capabilities. 
I will look in more detail at the Script + Extension Attribute solution.
thanks all again for the support