Determine if MDM capable users field is empty

mags
New Contributor II

I'd like to create a smart group of computers where the MDM capability is YES, but MDM capable users is currently empty, so that I can fire over a policy to these machines to set the MDM user.

I can see that I can use the MDM capability as the criteria for a smart group, but can't seem to use the MDM capable users field. Is there a way to check if there are no MDM users set in a script or other?

Thanks


mm2270
Legendary Contributor III

With the Jamf API:

#!/bin/bash

## Fill in a read-only API account and your JSS URL before using this
apiuser="api_readonly_user"
apipass="api_password"
jssURL="https://your.jss.address.com:8443"

serNum=$(ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformSerialNumber/{print $4}')

## -k skips certificate checking; drop it if your JSS has a valid certificate.
## On macOS 10.15 and later the query must be passed as: xpath -e '/computer/...'
mdmUser=$(curl -H "Accept: text/xml" -sfku "${apiuser}:${apipass}" "${jssURL}/JSSResource/computers/serialnumber/${serNum}/subset/general" | xpath '/computer/general/mdm_capable_users/mdm_capable_user/text()' 2>/dev/null)

if [[ -z "$mdmUser" ]]; then
    ## no MDM capable user found: do something or set variable string
    echo "<result>Not Set</result>"
else
    ## at least one MDM capable user found: set different variable string
    echo "<result>Set</result>"
fi

You could use something like the above in a script to take some kind of action, or create a new Extension Attribute that you would then use to populate your Smart Group. Maybe something like "Set" if it finds any assigned MDM user, and "Not Set" if it finds none for example. You'll need to edit it to add your actual API username and password and the correct JSS URL.

Going forward, I would really love to see all possible criteria captured by Jamf Pro be something we can use to create Smart Groups and/or Searches from. I find it silly that we still can't use everything in inventory for these purposes.

mags
New Contributor II

Sorry for the delay, but thanks @mm2270. I quite agree that we should be able to use everything in inventory to create smart groups etc. Security-wise, we aren't keen to use the API as it needs the API password, so I think I am still stumped with this one.

mm2270
Legendary Contributor III

@mags I hear you about not wanting to use an API account in an EA. There are some things you can do to help mitigate the risk though.

You could, for example, create a very limited API account that can only read a few select objects, just the stuff you need it to be able to read from records, and use that in the EA script. With READ ONLY access to just a few items, it's not likely that even if the password was compromised that anyone could do anything with it. They could read computer objects, but I'm not sure if that would be a big issue. It kinda depends on how sensitive you consider that information.

If that still isn't good enough, you could instead have an Ongoing policy run on each check-in that runs the script to grab these values out of the API. The script can use parameters to pass the credentials (for extra security, take a look at Jamf's encrypted-script-parameters), and have the script save the results into a local file on the machine each time it runs (overwriting previous values). Then your EA can simply look for and read back the data in the file, which doesn't require any usernames/passwords to be stored in the clear in the EA script.
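A worked version of the two-part approach above (policy script pulls the value via script parameters and writes a local file; the EA only reads the file), added here as an example and not code from mm2270's post or from Jamf. The parameter positions $4 to $6, the state file path and the sample XML are assumptions.

```shell
#!/bin/bash
# Policy half: Jamf passes the API user, password and JSS URL as script
# parameters $4, $5 and $6 (nothing hard-coded in the script body).
# Hypothetical example; the state file path below is an assumption.

STATE_FILE="/Library/Application Support/JAMF/.mdm_user_state"

# Constructed sample of the /subset/general response, for offline checks.
SAMPLE_XML='<computer><general><mdm_capable_users><mdm_capable_user>jdoe</mdm_capable_user></mdm_capable_users></general></computer>'

# "Set" if the XML holds at least one non-empty <mdm_capable_user>, else "Not Set".
mdm_user_state_from_xml() {
    if printf '%s' "$1" | grep -Eq '<mdm_capable_user>[^<]+</mdm_capable_user>'; then
        echo "Set"
    else
        echo "Not Set"
    fi
}

# Fetch this Mac's general subset from the Classic API (needs network and creds).
fetch_general_xml() {
    local user="$1" pass="$2" jss="$3" serial
    serial=$(ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformSerialNumber/{print $4}')
    curl -sf -H "Accept: text/xml" -u "${user}:${pass}" \
        "${jss}/JSSResource/computers/serialnumber/${serial}/subset/general"
}

# Write the state root-only (umask in a subshell) so local users cannot tamper with it.
write_state() {
    ( umask 077; printf '%s\n' "$1" > "$2" )
}

# Extension Attribute half: read the file back; no credentials are needed here.
ea_result() {
    local state="Not Set"
    [ -r "$1" ] && state=$(head -n1 "$1")
    printf '<result>%s</result>\n' "$state"
}

# Policy entry point: runs only when Jamf supplies all three parameters.
if [ -n "${4:-}" ] && [ -n "${5:-}" ] && [ -n "${6:-}" ]; then
    xml=$(fetch_general_xml "$4" "$5" "$6") || { echo "API query failed" >&2; exit 1; }
    write_state "$(mdm_user_state_from_xml "$xml")" "$STATE_FILE"
fi
```

Deploy the top part as the policy script (with the API account restricted to reading computer objects) and paste only the `ea_result` logic into the Extension Attribute, so the EA never sees the credentials.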

mags
New Contributor II

Thanks again @mm2270. Today we went back to trying to create a smart group for this purpose, and this time we could add "has MDM profile" as a selection criteria! I'm not sure when this became an option, as I'm sure that we couldn't do this before, but this has allowed us to get the list of non-MDM users that we wanted.
Might be useful for someone :)

rbean
New Contributor III

@mags What version of Jamf Pro are you running? I tried to create a smart computer group with "has MDM profile", but that is not an available option. We are running 10.1.1 here.

Thanks