Posted on 11-15-2016 12:54 PM
Hello everyone,
I am trying to implement an extension attribute to pull the version of SafeGuard. Below is my script:
The extension attribute will populate the correct information if I'm physically on the machine running "sudo jamf recon". I enrolled a new machine and it did not pull this extension attribute until I ran "sudo jamf recon".
Also worth mentioning, we do not have SSH open, so Casper Remote's inventory functionality isn't feasible in our environment.
#!/bin/bash
#determines whether or not SGN is installed on the machine
if [[ -e /usr/bin/sgdeadmin ]] || [[ -e /usr/local/bin/sgdeadmin ]];
then
    echo "<result>`sgdeadmin --version | grep Version | awk '{print $NF}'`</result>"
else
    echo "<result>SafeGuard Not Installed</result>"
fi
Posted on 11-16-2016 07:35 AM
Hi @alliehodge You may want to consider putting in the full path to the sgdeadmin binary in the command in the script that pulls the version. It's possible you're running into a case where the PATH variables in the context of the script being run in the EA (usually run as root) doesn't know what sgdeadmin resolves to, such as in this case, it should resolve to the full /usr/bin/sgdeadmin or /usr/local/bin/sgdeadmin. When you run a manual recon, the Mac is using a different PATH setting, so it may be able to resolve it correctly in that case.
So for example, you could modify your script to look like this:
#!/bin/bash
#determines whether or not SGN is installed on the machine and sets a path variable
if [[ -e /usr/bin/sgdeadmin ]]; then
    SGDEADMIN="/usr/bin/sgdeadmin"
elif [[ -e /usr/local/bin/sgdeadmin ]]; then
    SGDEADMIN="/usr/local/bin/sgdeadmin"
fi
if [ "$SGDEADMIN" ]; then
    echo "<result>$(${SGDEADMIN} --version | grep Version | awk '{print $NF}')</result>"
else
    echo "<result>SafeGuard Not Installed</result>"
fi
The above first looks for the binary in one of two possible locations. Whichever one it finds it in, it sets a variable to use for the command later. Then, if the variable is populated, it runs the command, using that variable. If $SGDEADMIN is not populated, it means the script couldn't find the binary, so it's not installed and reports "SafeGuard Not Installed".
Give this a try and see if it works.
Oh, one last thing, I can't test this since I don't have SafeGuard, but I assume you can remove the grep and use awk's regex matching to pull the version info and the correct column in one line, like this:
${SGDEADMIN} --version | awk '/Version/{print $NF}'
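The full-path approach from the reply above, as an added example that is not part of the original post or of Jamf's own code: it resolves the binary only from the two locations named in this thread, parses the output with shell builtins so nothing is looked up through PATH, and reports a marker instead of a blank value when no version can be parsed. The function name sgn_version, the "Installed, version unknown" marker, and the assumption that the version is the last space-separated field of the "Version" line are illustrative.

```sh
#!/bin/sh
# Added example: extension attribute that does not depend on PATH.
# Assumption: "sgdeadmin --version" prints a line containing "Version"
# whose last space-separated field is the version number, as the awk
# commands in this thread imply.

# sgn_version CANDIDATE...  -> prints the text to place inside <result>
sgn_version() {
    bin=""
    for candidate in "$@"; do
        # Require a regular, executable file, not just an existing path
        if [ -f "$candidate" ] && [ -x "$candidate" ]; then
            bin="$candidate"
            break
        fi
    done

    if [ -z "$bin" ]; then
        echo "SafeGuard Not Installed"
        return 0
    fi

    # Parse with builtins only (read, case, parameter expansion), so no
    # helper such as grep or awk has to be resolved in the agent's context.
    version=""
    while IFS= read -r line; do
        case "$line" in
            *Version*) version=${line##* }; break ;;
        esac
    done <<EOF
$("$bin" --version 2>/dev/null)
EOF

    # Never hand inventory an empty value: it would overwrite a good one
    if [ -z "$version" ]; then
        echo "Installed, version unknown"
    else
        echo "$version"
    fi
}

# The two install locations mentioned in this thread
echo "<result>$(sgn_version /usr/bin/sgdeadmin /usr/local/bin/sgdeadmin)</result>"
```

Because extension attributes usually run as root, calling the binary by absolute path also means a bare command name is never resolved through whatever PATH the agent supplies.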
Posted on 11-15-2016 02:01 PM
I have also tried switching to a variable, just in case it couldn't process everything in one line. Still no luck.
#!/bin/bash
#determines whether or not SGN is installed on the machine
sgnversion=`sgdeadmin --version | grep Version | awk '{print $NF}'`
if [[ -e /usr/bin/sgdeadmin ]] || [[ -e /usr/local/bin/sgdeadmin ]];
then
    echo "<result>$sgnversion</result>"
else
    echo "<result>SafeGuard Not Installed</result>"
fi
Posted on 11-15-2016 02:02 PM
Have you tried checking the Enrollment Complete option in your Update Inventory policy? I don't think the initial enrollment recon checks for extension attributes, so having it run a normal recon after enrolling may be your best option.
Posted on 11-15-2016 02:18 PM
@alliehodge Here's what we're using:
#!/bin/sh
# Extension Attribute to read the SafeGuard Version
if [ -f "/usr/local/bin/sgdeadmin" ] ; then
    result=`/usr/local/bin/sgdeadmin --version | grep "Version" | awk {'print $9'}`
else
    result="Not installed"
fi
echo "<result>$result</result>"
Posted on 11-16-2016 06:15 AM
Hi @dan.snelson
It seems that sgdeadmin is located in /usr/bin/ if it's 10.10 or earlier, and in /usr/local/bin if it's 10.11+. Does your attribute automatically populate without having to force a recon on the machine?
Mine appears to work if I force a recon on the machine locally; it'll store a version number in the extension attribute in the JSS. But if I force it to pull an inventory update from the JSS (post manual recon) it seems to fail and overwrite the extension attribute with a blank value.
Thanks for your help! I'm going to implement yours as well, and see if it works at least for the newer OS.
Posted on 11-16-2016 08:07 AM
I like Mike's approach better than mine.
Posted on 11-16-2016 10:03 AM
@mm2270 YES! Funny you mentioned that, this was exactly my logic this morning. I essentially did what you did and broke it into an elif, and that seems to have fixed it. I'm waiting on a few more machines to check in during the recurring check-in to do an inventory update. But I believe it's working as it should be.
Thanks for your help everyone!