Extension attribute for computer name

Gonzalo
New Contributor III

Hi,
I'm looking for an extension attribute that displays whether the computer name is set to the $serialnumber of the computer. The purpose is to run a rename policy on machines that do not have $serialnumber as the computer name.

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

Something like this as an EA would help you build a Smart Group

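```sh
#!/bin/sh

# Current computer name as set in System Settings > Sharing
computer_name=$(scutil --get ComputerName)
# Hardware serial number read from the I/O Registry
serial_number=$(ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformSerialNumber/{print $4}')

# Use "=" for string comparison; "==" is not portable under /bin/sh
if [ "$computer_name" = "$serial_number" ]; then
    result="Yes"
else
    result="No"
fi

# Jamf reads the EA value from the <result> tags
echo "<result>$result</result>"
```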

FWIW, I have a similar issue here where a machine certificate takes on the machine name as part of the CN when it gets pushed to the device, and I had to work around issues where the profile would come down too early in our provisioning process and name the cert incorrectly, meaning before my provisioning workflow had a chance to correctly name the device. I have a script that renames the computer to our naming convention as early on as possible, and then collects inventory, so the Mac lands in a Smart Group scoped to the profile that deploys the machine certificate. I have this Smart Group set up looking for computers that have the proper naming convention, but I'm not using an EA for that. We have a prefix for our names that I can pick up in the Smart Group using a regex pattern match instead.
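A variant of the EA above that reports a third state when either lookup comes back empty, so a failed lookup is never reported as a match. This is an added example, not code posted in the thread; the function name `name_matches_serial` and the sample serial in the comment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): three-state version of the EA.

# name_matches_serial NAME SERIAL  (hypothetical helper name)
# Prints Yes, No or Unknown.
#   Yes     - both values are present and identical
#   No      - both present but different (e.g. DEP-Macbook-xxx vs C02XK1ABCDEF)
#   Unknown - either lookup returned nothing; without this branch two empty
#             strings would compare equal and the Mac would report "Yes"
name_matches_serial() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "Unknown"
    elif [ "$1" = "$2" ]; then
        echo "Yes"
    else
        echo "No"
    fi
}

# Only query the system where the macOS tools exist, so the function can
# also be exercised on a non-Mac workstation.
if command -v scutil >/dev/null 2>&1 && command -v ioreg >/dev/null 2>&1; then
    computer_name=$(scutil --get ComputerName 2>/dev/null)
    serial_number=$(ioreg -rd1 -c IOPlatformExpertDevice |
        awk -F'"' '/IOPlatformSerialNumber/{print $4}')
    echo "<result>$(name_matches_serial "$computer_name" "$serial_number")</result>"
fi
```

A Smart Group with the criterion "is Yes" then excludes both misnamed Macs and Macs whose lookup failed, which matters when that group scopes the machine certificate profile.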


7 REPLIES

sdagley
Esteemed Contributor II

@Gonzalo I'd suggest a simpler approach unless you're planning to watch the log for your rename policy to see what Macs required renaming. Our rename script runs as part of the daily computer inventory policy, and the script itself decides if the computer requires renaming.

easyedc
Valued Contributor II

When are you usually running your rename? Is it during initial provisioning? Are you experiencing an issue where users are changing the name of the computer? If that is happening, I highly suggest some user education. If you're using Active Directory and have not changed your names to serial number, once you change the name, you'll need to rebind to your AD.

Gonzalo
New Contributor III

@easyedc We are already using a rename script that runs after enrollment (and once a day I think) and sets the computer name to $serialnumber, however I would still prefer to scope this policy to a smart group with criteria "computer name not $serialnumber" i.e.

The issue now is that we are still binding to AD and have recently switched to ADCS Connector instead of the old AD Certificate payload. The AD bind is configured with a configuration profile and deploys under enrollment (DEP). As a result of that, all the new computers that we enroll receive a machine certificate with the wrong name (DEP-Macbook-xxx).

Therefore, we would rather have a smart group with above criteria that we could scope the ADCS connector profile to, so we can ensure that the certificate gets the correct name.

easyedc
Valued Contributor II

Because the computer name is an item captured by the Jamf inventory, I don't know of anyone who's written an EA to grab that uniquely. You'll probably end up writing something to read the computer name and just report that back as your EA value. Create a smart group that maybe has criteria of "Ext Att name > is like > DEP-Macbook" and see what hits you get.

```sh
#!/bin/bash

# Report the current computer name as the EA value
CompName=$( /usr/sbin/scutil --get ComputerName )
echo "<result>$CompName</result>"
```

My vote is KISS. Also - I didn't test that, double check my work. ;)

mojo21221
Contributor II

Just adding my $.02 we ran into a similar issue when switching to ADCS. Our fix was to not use the computer name in the field that pushes out the cert, but to use the $SerialNumber. That way the cert always would have the name we preferred. Then all we had to do was make sure we added the machine name to AD when new inventory was purchased prior to provisioning. Working out pretty well for the past year+

mm2270
Legendary Contributor III

@mojo21221 I totally agree with you on that, and we've actually asked for an exception with security on this to allow a more generic CN name or using the serial number in the profile like you described. We just have to get the approval and test and then switch everything up. The "computer name" thing for the cert is a holdover from when it was just Windows machines in the environment, and they were attempting to keep everything similar on the Macs, as much as possible.