Extension Attribute Inventory Update

Sobchak
Contributor

I have an extension attribute telling me if a configuration profile is installed and I have a smart group listing all the computers with this extension attribute. The problem is extension attributes populate with an inventory update (which we have set at 24 hours). Is there a way to trigger an inventory update when a computer gets the configuration profile so we do not have to wait?

1 ACCEPTED SOLUTION

sdagley
Esteemed Contributor II

@Sobchak There is a Smart Group criteria named "Profile Name" that you can use to see if a profile is installed on a Mac (it updates independently of a recon), so you shouldn't need an EA.

View solution in original post

6 REPLIES 6

sdagley
Esteemed Contributor II

@Sobchak There is a Smart Group criteria named "Profile Name" that you can use to see if a profile is installed on a Mac (it updates independently of a recon), so you shouldn't need an EA.

tlarkin
Honored Contributor

@Sobchak

What are you attempting to accomplish? Depending on what you are doing there could be other ways

rocketman
New Contributor III

@sdagley In my experience, "Profile Name" only updates when an inventory update happens (if this has changed recently, awesom!). I have a client with a policy to remove McAfee, which has an uninstall agent, so I need to ensure the configuration profile approving the kernel extension is gone before I remove it. In the past, I had to have users do an inventory update before they would see the policy in Self Service, because I had the policy scoped to a smart group using the "Profile Name" criteria, but I was able to get around that by adding this code to my script:

#!/bin/bash
kextex=$(profiles -C -v | grep "McAfee Web Proxy Kernel Extension")
TIMEOUT=60

counter=0
while [[ $kextex != "" ]]
do
  sleep 1
  counter=$((counter+1))
  if [[ $counter -gt $TIMEOUT ]]; then
    jamf displayMessage -message "McAfee Kernel Extension is installed. Try again later."
    echo "Error: McAfee Kernel Extension is installed"
    exit 1
  fi
  kextex=$(profiles -C -v | grep "McAfee Web Proxy Kernel Extension")
done

echo "McAfee Kernel Extension Installed. Proceeding..."

After that, you could proceed with the script you're running, or call another policy by using jamf policy -event customtriggername. This example is seeing if a specific config profile doesn't exist, but you can easily change that to see if it exists.

@Sobchak I wouldn't recommend doing an inventory update every time a configuration profile is installed, that could create some major issues. As @tlarkin mentioned, there may be other ways. Let us know what you're trying to accomplish and we can point you in the right direction. The solution above may work for you too.

Looking for a Jamf Managed Service Provider? Look no further than Rocketman

sdagley
Esteemed Contributor II

@rocketman If you look at the Management History for a computer you will see that any Install or Remove of a profile will also trigger ProfileList and CertificateList commands. These will immediately update the computer record's inventory of installed Profiles and Certificates. It does not reflect immediately in a Smart Group using the Profile Name criteria, but the Smart Group does update prior to the Mac doing a recon, apparently on its next check-in.

I'm not sure I follow your logic of removing the Configuration Profile to approve the McAfee kext before you run the script to uninstall the McAfee agent. I'd want to do exactly the opposite, and remove the kext first so that removing the kext approval profile doesn't cause macOS to prompt the user for approval. That's the user experience I've seen when removing the MDM Profile from a machine, and that in turn removed the kext approval Profile.

tlarkin
Honored Contributor

You can just query the sqlite database on what kext profiles are installed with a simple command:

sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy <<< "select * from kext_policy_mdm;"

You will have to probably hard code team IDs in to match, playing around in the shell for a minute you might want to strip out the pipes and separate the output by space so you can easily awk it

sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy <<< "select * from kext_policy_mdm;" | sed 's/|/ /g' | awk '{ print $1 }'

From there you can loop through every kext MDM policy you have deployed via MDM and check against each team ID. If you want to look at what the user has approved you can drop the _mdm on the sqlite query to see what was approved locally.

liftengine
New Contributor

I’d still like to know if you can update the EAs atomically since I’d like to do it myself on network changes. And I don’t want to have to trigger a full inventory each time - total overkill, no?