Enrollment Script

desktopengineer
New Contributor

Hi -- We're new to the JSS and are looking to create a script that will prompt the user on enrollment to choose if the device is Personal or Enterprise Owned, and then have it populate an Extension Attribute. Then we could create a smart group to exclude those personal devices from certain policies. Has anyone ever done something like this before or is there a better way?? Any help is GREATLY appreciated!

10 REPLIES

mm2270
Legendary Contributor III

Hi and welcome.
Generally speaking, something like that should be possible. Since you're talking about doing it directly after enrollment, you might need to use an Applescript call inside a script for the dialog for the end user to make a choice from a drop down menu (Personal or Enterprise) **. What they choose could simply create a hidden identifier somewhere on the Mac that would get picked up by an inventory collection Extension Attribute script. From that Extension Attribute info you can create your Smart Groups for any inclusion or exclusion stuff. Generally, a simple file or folder created somewhere works fine for the identifier, but you could also do something like create a property list file with data in it. (probably overkill for this, but still an option)

As for how to trigger the above script, you would want to make a JSS policy scoped to all Macs with a trigger of "Enrollment Complete" to run the script. So in theory at least, as soon as they're done enrolling the Mac, it will run the policy, the script will run, prompt them for the info and then collect inventory, placing their Mac into the appropriate group(s).

Keep in mind this is only one of many possible ways to do it. I'm sure other folks will chime in with other solutions to this. the above was just off the top of my head and not thoroughly thought through, so I could be overlooking something.

[s]** EDIT: you could also use jamfHelper for this. It has a drop down menu window style that might work for you as well. It gets installed upon enrollment.[/s]
EDIT 2: never mind. I forgot, the drop down stuff in jamfHelper is only used for delay options so can't really be used for selections.

desktopengineer
New Contributor

@mm2270 - Right, I've found other scripts on here like: https://jamfnation.jamfsoftware.com/discussion.html?id=5890 that used a PERL script to prompt a user to say Yes or No to installing software updates, I'm just not savvy enough to edit it to populate some other information. And this one (https://jamfnation.jamfsoftware.com/discussion.html?id=12546) populates an extension attribute with the remaining disk space. So it all looks doable, just was looking to see if anyone already invented this wheel.

mm2270
Legendary Contributor III

Well, someone may have already done this. In fact, I'm almost certain someone has. Whether they'll post what they've done I don't know.

For now, here's a very simple example to get you started on a path. Below is a bash script that calls an Applescript dialog. Here I'm just using buttons instead of choose from list. This actually helps prevent someone from just clicking the Cancel button and exiting without choosing 'something'. A button must be clicked to dismiss it in other words. As you'll see, it should create a file called "systemtype" in /private/var/ with a string of text in it. That text can later be picked up in a simple Extension Attribute script, which can populate your Smart Groups. The script runs a full inventory collection after, so it would hopefully pick up the user selection.

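#!/bin/sh

# Ask the user via an AppleScript dialog; osascript prints the label of the clicked button
selection=$(/usr/bin/osascript -e 'set userChoice to button returned of (display dialog "Choose the type of Mac you are enrolling from the list below" buttons {"Enterprise owned", "Personally owned"})')

# Record the choice in the marker file that the Extension Attribute reads
# ("=" is the portable string comparison for [ under /bin/sh)
if [ "$selection" = "Personally owned" ]; then
    echo "Mac is personally owned"
    echo "personal" > "/private/var/systemtype"
elif [ "$selection" = "Enterprise owned" ]; then
    echo "Mac is enterprise owned"
    echo "enterprise" > "/private/var/systemtype"
fi

# Submit inventory now so the JSS picks up the new value
jamf recon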

The only thing about Applescript for this kind of stuff is that, starting around 10.8 and increasingly with each new OS X release, Apple has made it pretty hard to display dialogs to the end user unless they are run as the user. Since Casper Suite runs scripts as root by default, not the user, you may need to work around that to get the dialog to even display. It's very inconsistent in my experience when you'll get stopped in your tracks by sandboxing and when it just works. So try it as is, and see what happens.

thoule
Valued Contributor II

Just to expand on @mm2270's script, here's a version of the same thing that uses the JAMFHelper instead of AppleScript. That avoids the ugly 'run as end user' stuff.

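#!/bin/sh

# The path contains a space ("Application Support"), so it must be quoted when run
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

# The checks below expect 0 for button1 ("Personal") and 2 for button2 ("Company")
button=$("$jamfHelper" -windowType hud -title "Computer Ownership" -description "Please define if this computer is a personal device or company owned." -button1 "Personal" -button2 "Company")

# String comparison avoids a test error if jamfHelper returns nothing
if [ "$button" = "2" ]; then
    echo "Enterprise" > "/private/var/systemtype"
    echo "This is a company owned mac"
elif [ "$button" = "0" ]; then
    echo "private" > "/private/var/systemtype"
    echo "this is a private Mac"
fi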

desktopengineer
New Contributor

@thoule and @mm2270 thank you both very much. And please excuse my ignorance, but how would I turn this into an extension attribute now?

thoule
Valued Contributor II

To implement this process, do the following (note, this isn't every click, but pretty close. Hopefully you can follow along)

Add the script:

  1. Click the gear on the top right of the screen
  2. Click Computer Management, then choose Scripts
  3. Create a new script, using the code in my example with whatever modifications you'd like

(note, add the jamf recon line like the other example - that updates the server with new info instead of waiting 24 hours)

Create the Extension Attribute - that will read in the setting defined by the script

  • Click the gear on the top right of the screen
  • Click Computer Management
  • Click Extension Attribute
  • Set the input type to Script
  • Enter the script below
#!/bin/sh
cat /private/var/systemtype

Now that you've got the extension attribute, you can create a smart group off of that.

Obviously, learning some good BASH scripting is critical to being able to effectively manage a group of Macs.

mm2270
Legendary Contributor III

Just one minor correction. Extension Attributes need to echo the result back within specific tags in order to be added into the Casper database for that client.
So for example, taking what @thoule wrote above, it would actually need to look something like this:

#!/bin/sh

result=$(cat /private/var/systemtype)

echo "<result>$result</result>"

But in general, what is explained above is the exact process you'd want to use.
1- Add the script into your Casper db
2- Add the Extension Attribute as explained
3- Then you'll need to create your policy, as I mentioned in my first post. Make sure it's scoped to all Managed clients with only "Enrollment Complete" as the sole trigger. Add the script using jamfHelper to the policy to run. When a client enrolls, as soon as it's done, the jamf agent will check against the JSS to see what must be run, and run the policy, popping up the message.

Hope that all makes sense, and thanks to @thoule for adding in some useful input to the thread.
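
Added example, not part of any poster's reply: the marker file decides which Macs a Smart Group excludes from policies, and the two prompt scripts in this thread write different strings ("enterprise"/"personal" versus "Enterprise"/"private"), so this Extension Attribute variant reports a value only when the file is a regular file owned by the expected uid, is not group- or world-writable, and holds an allow-listed value. The function name `ea_result`, its arguments, the `unknown` fallback and the mapping of "private" to "personal" are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): Extension Attribute that only reports
# the ownership marker when the file is trustworthy and holds a known value.
# ea_result, its arguments and the "unknown" fallback are assumptions.

MARKER="/private/var/systemtype"    # path used by the scripts in the thread

# ea_result FILE [OWNER_UID] -> prints <result>VALUE</result>
ea_result() {
    file=$1
    want_uid=${2:-0}    # assumes the enrollment policy wrote the file as root
    value="unknown"     # reported when the marker is missing or not trusted

    # Regular file only: a symlink could point the EA at another file
    if [ -f "$file" ] && [ ! -L "$file" ]; then
        # ls -ln: field 1 is the mode string, field 3 the numeric owner
        read -r mode _ uid _ <<EOF
$(ls -ln "$file")
EOF
        case $mode in
            -????w*|-???????w*) trusted=no ;;   # group- or world-writable
            *)                  trusted=yes ;;
        esac

        if [ "$trusted" = yes ] && [ "$uid" = "$want_uid" ]; then
            # First line only, lower-cased, whitespace stripped
            raw=$(head -n 1 "$file" | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]')
            # Allow-list: anything else stays "unknown"
            case $raw in
                enterprise)       value="enterprise" ;;
                personal|private) value="personal" ;;   # both scripts' spellings
            esac
        fi
    fi
    printf '<result>%s</result>\n' "$value"
}

ea_result "$MARKER"
```

A Smart Group built on this attribute can then treat `unknown` as its own case rather than silently matching neither group.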

thoule
Valued Contributor II

oops- you're right. Thanks, mm. Glad you're watching :)

desktopengineer
New Contributor

@thoule and @mm2270 I wish I could give you both credit! This works great!! Thank you so much!!

calumhunter
Valued Contributor

and if you wanted to go a bit further down the rabbit hole, you could perhaps look at writing the result directly into the JSS via the API