Enrollment policy without logs?

ganidran
New Contributor III

Is it normal for a policy that only has a script as the payload to never get logs? I have our "master enrollment" script that calls on other policies after enrollment and it shows "pending" on end for any computer. What's strange is that the policies that it calls within the script work/are triggered.

Trigger: Enrollment Complete

Frequency: Once per computer

Scope: All computers - Specific Users

1 ACCEPTED SOLUTION

talkingmoose
Moderator

Policies themselves have no idea what’s running in the scripts attached to them. The best they can report is “Successful” or “Failed”.

If you want detail from the script, add echo statements that report the status of the lines doing something. Echo statements will be fed back into the policy’s log.

I talked about this briefly during my JNUC 2022 Presentation. Here’s the relevant part:

https://youtu.be/kRW4CtlCyWw?t=1404

But like @Stev and @TrentO, it really does sound like one of your policies getting called by the main policy is rebooting the computer and preventing it from reporting a success or failure. I think you may be able to add something like this to spin off the reboot process and allow the policy to quit. (Untested.)

/sbin/shutdown -r +1 & # restart in 1 minute


5 REPLIES

stevewood
Honored Contributor II

If you are rebooting the device from the script, then the script never completes and never signals to Jamf Pro that it is complete. So it would remain in a Pending state with no logs.

If you want to reboot the device, I would suggest using the restart functionality in the Policy.

I agree with @stevewood. This is most likely the case, or at least something causing the script to not return. If you are rebooting, make sure you use the Policy payload for that rather than calling it in the script. 

ganidran
New Contributor III

@stevewood 
Really good feedback - I appreciate it! We do have echo statements as it goes line by line - It's definitely the fact that we reboot prior to the script ending because we give the user the choice to reboot or not (so as to kick in the prompt to turn on FileVault upon reboot).

I'll try out the 'shutdown' command with a '&' and see what happens @talkingmoose 

ganidran
New Contributor III

Confirmed adding an "&" helps the policy continue to exit while a reboot is timed! Thanks moose! :D
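
Editor's added example, not code from the thread or from any poster: an enrollment script that echoes the result of each called policy into the policy log and spins the restart off in the background so the script can exit and the policy can report. It assumes the jamf binary is at /usr/local/bin/jamf, that policies are called with `jamf policy -event`, and that trigger names arrive as script parameters 4 and up; the function names are hypothetical.

```shell
#!/bin/bash
# Added example (not from the thread). Assumed: jamf binary path, and that
# custom trigger names are supplied as Jamf script parameters 4 and up.
JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"
SHUTDOWN_BIN="${SHUTDOWN_BIN:-/sbin/shutdown}"

# Everything echoed to stdout is fed back into the policy log.
log() { echo "$(date '+%H:%M:%S') enrollment: $*"; }

# Run one policy by custom trigger and record its result in the log.
run_policy() {
    log "calling policy trigger '$1'"
    if "$JAMF_BIN" policy -event "$1"; then
        log "trigger '$1' finished OK"
    else
        rc=$?
        log "trigger '$1' FAILED (exit $rc)"
        return 1
    fi
}

# Spin the restart off in the background so this script can still exit
# and the policy can report Successful or Failed before the reboot.
schedule_reboot() {
    log "scheduling restart in 1 minute"
    "$SHUTDOWN_BIN" -r +1 >/dev/null 2>&1 &
}

# Run every trigger, count failures, schedule the restart, return the verdict.
enroll() {
    failures=0
    for trigger in "$@"; do
        [ -n "$trigger" ] || continue      # skip unset Jamf parameters
        run_policy "$trigger" || failures=$((failures + 1))
    done
    schedule_reboot
    log "finished, $failures trigger(s) failed"
    [ "$failures" -eq 0 ]
}

# Jamf passes mount point, computer name and username as $1-$3.
if [ -n "${4:-}" ]; then
    shift 3
    enroll "$@"
    exit $?
fi
```

A non-zero exit from the script marks the policy as Failed, so a called policy that breaks shows up in the log instead of leaving the enrollment policy in Pending.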