Skip to main content
Solved

Extension Attribute Not Running Automatically

A
Forum|alt.badge.img+3

Hello everyone,

I am trying to implement an extension attribute to pull the version of SafeGuard. Below is my script:

The extension attribute will populate the correct information if I'm physically on the machine running "sudo jamf recon". I enrolled a new machine and it did not pull this extension attribute until I ran "sudo jamf recon"

Also worth mentioning, we do not have SSH open, so Casper Remote's inventory functionality isn't feasible in our environment. 

#!/bin/bash
#determines whether or not SGN is installed on the machine

if [[ -e /usr/bin/sgdeadmin ]] || [[ -e /usr/local/bin/sgdeadmin ]]; 
then
    echo "<result>`sgdeadmin --version | grep Version | awk '{print $NF}'`</result>"
else
    echo "<result>SafeGuard Not Installed</result>"
fi

Best answer by mm2270

Hi @alliehodge You may want to consider putting in the full path to the sgdeadmin binary in the command in the script that pulls the version. Its possible you're running into a case where the PATH variables in the context of the script being run in the EA (usually run as root) doesn't know what sgdeadmin resolves to, such as in this case, it should resolve to the full /usr/bin/sgdeadmin or /usr/local/bin/sgdeadmin. When you run a manual recon, the Mac is using a different PATH setting, so it may be able to resolve it correctly in that case.
So for example, you could modify you're script to look like this:

#!/bin/bash

#determines whether or not SGN is installed on the machine and sets a path variable
if [[ -e /usr/bin/sgdeadmin ]]; then
    SGDEADMIN="/usr/bin/sgdeadmin"
elif [[ -e /usr/local/bin/sgdeadmin ]]; then
    SGDEADMIN="/usr/local/bin/sgdeadmin"
fi

if [ "$SGDEADMIN" ]; then
    echo "<result>$(${SGDEADMIN} --version | grep Version | awk '{print $NF}')</result>"
else
    echo "<result>SafeGuard Not Installed</result>"
fi

The above first looks for the binary in one of two possible locations. Whichever one it finds it in, it sets a variable to use for the command later. Then, if the variable is populated, it runs the command, using that variable. If $SGDEADMIN is not populated, it means the script couldn't find the binary, so its not installed and reports "SafeGuard Not Installed"

Give this a try and see if it works.

Oh, one last thing, I can't test this since I don't have SafeGuard, but I assume you can remove the grep and use awk's regex matching to pull the version info and the correct column in one line, like this:

${SGDEADMIN} --version | awk '/Version/{print $NF}'
View original
Did this topic help you find an answer to your question?

7 replies

A
Forum|alt.badge.img+3
  • alliehodge
  • Author
  • New Contributor
  • 4 replies
  • November 15, 2016

I have also tried switching to a variable, just in case it couldn't process everything in one line. Still no luck.

#!/bin/bash
#determines whether or not SGN is installed on the machine

sgnversion=`sgdeadmin --version | grep Version | awk '{print $NF}'`

if [[ -e /usr/bin/sgdeadmin ]] || [[ -e /usr/local/bin/sgdeadmin ]]; 
then
    echo "<result>$sgnversion</result>"
else
    echo "<result>SafeGuard Not Installed</result>"
fi
bburdeaux
Forum|alt.badge.img+11
  • bburdeaux
  • Contributor
  • 107 replies
  • November 15, 2016

Have you tried checking the Enrollment Complete option in your Update Inventory policy? I don't think the initial enrollment recon checks for extension attributes, so having it run a normal recon after enrolling may be your best option.

dan-snelson
Forum|alt.badge.img+28
  • dan-snelson
  • Honored Contributor
  • 627 replies
  • November 15, 2016

@alliehodge Here's what we're using:

#!/bin/sh
# Extension Attribute to read the SafeGuard Version

if [ -f "/usr/local/bin/sgdeadmin" ] ; then
    result=`/usr/local/bin/sgdeadmin --version | grep "Version" | awk {'print $9'}`
else
    result="Not installed"
fi


echo "<result>$result</result>"
A
Forum|alt.badge.img+3
  • alliehodge
  • Author
  • New Contributor
  • 4 replies
  • November 16, 2016

Hi @dan.snelson

It seems that the sgdeamin is located in /usr/bin/ if it's 10.10 or earlier, and in /usr/local/bin if it's 10.11+. Does your attribute automatically populate without having to force a recon on the machine?

Mine appears to work if I force a recon on the machine locally; it'll store a version number in the extension attribute in the JSS. But if I force it to pull and inventory update from the JSS (post manual recon) it seems to fail and overwrite the extension attribute with a blank value.

Thanks for your help! I'm going to implement yours as well, and see if it works at least for the newer OS.

mm2270
Forum|alt.badge.img+16
  • mm2270
  • Legendary Contributor
  • 7880 replies
  • Answer
  • November 16, 2016

Hi @alliehodge You may want to consider putting in the full path to the sgdeadmin binary in the command in the script that pulls the version. Its possible you're running into a case where the PATH variables in the context of the script being run in the EA (usually run as root) doesn't know what sgdeadmin resolves to, such as in this case, it should resolve to the full /usr/bin/sgdeadmin or /usr/local/bin/sgdeadmin. When you run a manual recon, the Mac is using a different PATH setting, so it may be able to resolve it correctly in that case.
So for example, you could modify you're script to look like this:

#!/bin/bash

#determines whether or not SGN is installed on the machine and sets a path variable
if [[ -e /usr/bin/sgdeadmin ]]; then
    SGDEADMIN="/usr/bin/sgdeadmin"
elif [[ -e /usr/local/bin/sgdeadmin ]]; then
    SGDEADMIN="/usr/local/bin/sgdeadmin"
fi

if [ "$SGDEADMIN" ]; then
    echo "<result>$(${SGDEADMIN} --version | grep Version | awk '{print $NF}')</result>"
else
    echo "<result>SafeGuard Not Installed</result>"
fi

The above first looks for the binary in one of two possible locations. Whichever one it finds it in, it sets a variable to use for the command later. Then, if the variable is populated, it runs the command, using that variable. If $SGDEADMIN is not populated, it means the script couldn't find the binary, so its not installed and reports "SafeGuard Not Installed"

Give this a try and see if it works.

Oh, one last thing, I can't test this since I don't have SafeGuard, but I assume you can remove the grep and use awk's regex matching to pull the version info and the correct column in one line, like this:

${SGDEADMIN} --version | awk '/Version/{print $NF}'
dan-snelson
Forum|alt.badge.img+28
  • dan-snelson
  • Honored Contributor
  • 627 replies
  • November 16, 2016

I like Mike's approach better than mine.

A
Forum|alt.badge.img+3
  • alliehodge
  • Author
  • New Contributor
  • 4 replies
  • November 16, 2016

@mm2270 YES! Funny you mentioned that, this was exactly my logic this morning. I essentially did what you did and broke it into an elif, and that seems to have fixed it. I'm waiting on a few more machines to check in during the re-occuring check in to do an inventory update. But I believe it's working as it should be.

Thanks for your help everyone!

Reply


Most helpful members this week

Terms & ConditionsCookie settingsAccessibility statement

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings