Extension Attribute Updates?

sgiesbrecht
Contributor III

Is there a way to update the Extension Attributes without running recon?

I don't want to run recon every hour to update the extensions.


ljcacioppo
Contributor III

You can write to extension attributes using the API, but that definitely would add complexity to the workflow, but I'm unsure why it would be necessary to do that.

I'm confused on your statement about not wanting to run recon every hour to update the extensions. Do you anticipate these extensions would be rapidly changing and therefore recon would need to run very often in order to pick up the changes? If the data is rapidly changing there, it's possible that extension attributes may not be the right approach.

Tribruin
Valued Contributor II

If this is a value that changes that frequently, I would suggest looking at using a script to call the API to update the EA. You could then have a Launch Agent/Daemon that runs the script every hour. But that is more work and the usual caution of having to put credentials into a script applies.

Agreed with previous poster. What are you trying to track and accomplish? There might be an alternate solution. 

sdagley
Esteemed Contributor II

@sgiesbrecht To paraphrase @ljcacioppo, what is it you're trying to do because if you're looking to monitor something that frequently then an EA probably isn't the way to go? Nor is calling the Jamf API from all of your endpoints because it's currently discouraged by Jamf (that may change with the changes coming for API authentication later this year, but there are also other reasons to avoid API calls from all endpoints).

What may be a better approach is to install a LaunchDaemon and a companion script on your Macs which runs periodically, or is triggered by a file system change, and have that script run a Jamf policy via a custom trigger when the conditions you're looking for are met.

swapple
Contributor III

There are a number of feature requests (https://ideas.jamf.com) for just such a thing, so we can just update extension attributes without doing a full recon. At the moment there is not a way to separate the 2 without going into APIs to fetch the results.

easyedc
Valued Contributor II

Is the setting/piece of information you're wanting to track something you can enforce via a custom configuration profile? That way you can just Ron Popeil it and set it and forget it.

sgiesbrecht
Contributor III

Our policy is not to have anything attached to the workstations (iPhone, iPad, etc.).
I have a script to check if anything is attached. If there is something, it will write to the System.log and copy the SN into the Extension field.

It will only run once daily. 

I know I can have the script put it as a Policy but they want it to be reported in Jamf also.

This is the script that I am using:

```bash
#!/bin/bash

###############################################
# Created by Shawn Giesbrecht - 2022-01-11
#
# Ver 1.0 - smg - 2021.01.11 - Checks to see if an iPad has been connected to a workstation and if yes, logs it in the "/private/var/log/24-7System.log"
# Ver 1.1 - smg - 2021.01.12 - Changed the log file from "/private/var/log/24-7System.log" to the System Log "/private/var/log/System.log"
#
###############################################

# Serial number of any attached iPad, read from the USB device tree (empty if none)
iCheck=$( system_profiler SPUSBDataType | sed -n -E -e '/(iPad)/,/Serial/s/ *Serial Number: *(.+)/\1/p' )
WorkstationName=$(hostname)
logFile="/private/var/log/System.log"

if [[ -z "$iCheck" ]]; then
	echo "<result>Not Connected</result>"
else
	# Report the serial as the Extension Attribute value and append an alert to the log
	echo "<result>$iCheck</result>"
	echo "$(date "+%b %d %H:%M:%S") $WorkstationName - Alert - iPad SN:$iCheck attached to workstation" >> "$logFile"
fi
```

sdagley
Esteemed Contributor II

@sgiesbrecht You could use a LaunchDaemon that periodically launches a modified version of your detection script that just checks for a device attached, and if it finds one it uses a custom policy trigger `jamf policy -event ScanMacForAttachedDevice` which runs a policy with your full script to extract the device serial number and echo it to the policy log. That way the serial numbers will be part of the policy logs for the Mac.
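
The lightweight check described in the reply above, sketched as an added example (not code from the thread or from Jamf): it parses `system_profiler SPUSBDataType` for an attached iPad/iPhone/iPod, strips the device-supplied serial down to alphanumerics before logging it, and fires the custom trigger. The `jamf` binary path, the `LOG_TAG` value, the function names and the sample report are assumptions, and a policy scoped to the `ScanMacForAttachedDevice` trigger is assumed to exist.

```shell
#!/bin/sh
# Added example: lightweight check for a LaunchDaemon to run on a schedule.
EVENT="ScanMacForAttachedDevice"   # custom trigger named in the reply above
LOG_TAG="attached-device-check"    # hypothetical syslog tag

# Read `system_profiler SPUSBDataType` text on stdin and print one serial
# per attached iPad/iPhone/iPod. The serial is a USB descriptor string set
# by the device, so it is reduced to [A-Za-z0-9] and capped at 64 characters
# before it can reach a log line or an inventory field.
attached_serials() {
    awk '
        /^ *(iPad|iPhone|iPod):$/ { in_dev = 1; next }
        in_dev && /^ *Serial Number:/ {
            sub(/.*Serial Number: */, "")
            gsub(/[^A-Za-z0-9]/, "")
            print (length($0) ? substr($0, 1, 64) : "unknown")
            in_dev = 0; next
        }
        /:$/ { in_dev = 0 }   # any other section header ends the device block
    '
}

# Constructed sample of system_profiler output (not captured from a real Mac).
sample_usb_report() {
    cat <<'EOF'
USB:
    USB 3.1 Bus:
        iPad:
          Product ID: 0x12ab
          Serial Number: 00008027000A1B2C3D4E5F6A
        Keyboard:
          Serial Number: KB123456
        iPhone:
          Serial Number: F9FXT0AB<x>CD12
EOF
}

main() {
    serials=$(system_profiler SPUSBDataType 2>/dev/null | attached_serials)
    [ -n "$serials" ] || return 0          # nothing attached: stay quiet
    logger -t "$LOG_TAG" "Apple mobile device attached: $(echo "$serials" | tr '\n' ' ')"
    /usr/local/bin/jamf policy -event "$EVENT"
}

# Only act on a Mac; elsewhere the functions can still be exercised.
if command -v system_profiler >/dev/null 2>&1; then main; fi
```

Running `sample_usb_report | attached_serials` shows the parser skipping the keyboard's serial and dropping the `<` and `>` from the second device's serial.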