Find Macs NOT assigned to a site

AVmcclint
Honored Contributor

We have a couple dozen Sites defined with Macs assigned accordingly. The problem is we have a bunch of Macs that are NOT assigned to any Sites. I'm trying to figure out how to craft a search or smart group to show me all Macs that are assigned to "None" for the site. There doesn't appear to be any way to define Sites as search criteria. Is there a method I'm missing that will tell me what I need to know?

2 ACCEPTED SOLUTIONS

swapple
Contributor III

One kludgy way to do this is to make smart groups scoped to each site, so

smart groups (criteria can be computer name is not blank) named
site= acme1,
site= acme2,
site= acme3 and so on.  

Now we have defined the sites as a criteria, as smart groups.

Then make a smart group not scoped to any site named "site = none" and in the criteria, pick 

computer group not member of site = acme1, AND

computer group not member of site = acme2, AND

computer group not member of site = acme3, AND

and so on.  Make a new site, make a new smart group for it and also add it to the none smart group.

Kludgy I know.

Option 2 would be to make a policy scoped to each site that does a simple echo sitename > /var/log/theJamfSite.txt then make one EA that <results>cat /var/log/theJamfSite.txt </results> and now you have the site defined.

again, kludgy.

I agree with mm2270 that site should already be a criteria.

View solution in original post

MLBZ521
Contributor III

As mm2270 mentioned, this isn't a feature of Jamf Pro -- even though there's numerous Feature Requests asking for it for years....

You can do this several different ways:

  1. Create an Extension Attribute that you assign the devices' current Sites to that EA and then you can utilize that EA in an Advanced Search like you normally would any other criteria item.  You could do this one of three ways:

    1. Create a Config Profile with a custom payload domain (e.g. org.my.AboutMac) and include the Site variable in a dictionary <dict><key>Site</key><string>$Site</string></dict>) which you can then simply use defaults read /Library/Managed\ Preferences/org.my.AboutMac.plist Site in an EA Script to collect the EA

      1. However, this isn't dynamic if you have devices that switch between Sites; i.e. it will never change or if you devices that aren't actively checking in, it won't work -- and this only works for Macs

    2.  Create a Policy, as swapple mentioned, that writes the Site to a file and collect the info via the method above
    3. Run a script that sets this value on every device using the API. This is what I do and have shared before and others utilize. Here's my script: jamf_assignSiteEA.ps1; some notes:
      1. This is a PowerShell script as I run it on a Windows box that runs other automated tasks that my team has setup

        1. It runs nightly and dumps to a log file for review

        2. It checks if the current Site is the same as the Site EA; if it is, it does nothing, if it isn't, it updates the Site EA

          1. Duplicate records will cause an issue here -- the API cannot handle this

          2. Every time the API is used to change a device record, Jamf Pro acts like that is a "Inventory Update" even though it isn't -- this is a known issue with Jamf Pro that Jamf has yet to fix even though there are numerous Feature Requests asking for it

  2. Create a Smart Group in each Site with zero criteria items. This will give you a managed device count for that Site.

    1. I don't like to suggest creating Smart Groups that will be used for reporting....and remember you'll need two Smart Groups per Site (one for computers and one for mobile devices) for nothing more than this need will cause unnecessary overhead in your Jamf Pro Server.

View solution in original post

6 REPLIES 6

mm2270
Legendary Contributor III

Unfortunately there is no criteria for "Assigned to Site" or something like that, so you won't be able to make a Smart Group or search for that, even if you are a global/full Jamf admin. *

This is something you can get from an API query though, so you might have to go that route.

* FWIW, I've always felt that a global Jamf admin should have access to such a criteria when searching. I understand why something like that wouldn't be valid for a Site admin, since by design, they can only see or pull up devices in their own site anyway, but if I'm a global admin then when shouldn't I be able to search by site? It's one reason the Site feature has left me wanting since its introduction. It feels half baked to me.

swapple
Contributor III

One kludgy way to do this is to make smart groups scoped to each site, so

smart groups (criteria can be computer name is not blank) named
site= acme1,
site= acme2,
site= acme3 and so on.  

Now we have defined the sites as a criteria, as smart groups.

Then make a smart group not scoped to any site named "site = none" and in the criteria, pick 

computer group not member of site = acme1, AND

computer group not member of site = acme2, AND

computer group not member of site = acme3, AND

and so on.  Make a new site, make a new smart group for it and also add it to the none smart group.

Kludgy I know.

Option 2 would be to make a policy scoped to each site that does a simple echo sitename > /var/log/theJamfSite.txt then make one EA that <results>cat /var/log/theJamfSite.txt </results> and now you have the site defined.

again, kludgy.

I agree with mm2270 that site should already be a criteria.

scottlep
Contributor II

At my previous company, we just used a smart group where we left site as blank for the criteria and this showed us all computers not assigned to a site. We don't use sites where I current work, so I can't create a screen shot to show the search or test that this still works as expected.

scottb
Honored Contributor

When I used Sites on a previous client, I made enrollment accounts based on Sites so as to have a way to segregate them...it worked well, but it's kinda moot if you've already been enrolled. 

We did this for companies with lots of smaller groups that we needed to deliver different configs to. 

dennisnardi
Contributor

I had a similar issue. I made a post about a workournd I created here: https://community.jamf.com/t5/jamf-pro/custom-extension-attribute-based-on-site/m-p/228424#M216665

 

Basically I created a custom extension attribute named "Site". Then I used an API script to read the site of each computer, and write the data to that EA. Then you can use that EA in searches or groups. There's not a great other way to do it. 

MLBZ521
Contributor III

As mm2270 mentioned, this isn't a feature of Jamf Pro -- even though there's numerous Feature Requests asking for it for years....

You can do this several different ways:

  1. Create an Extension Attribute that you assign the devices' current Sites to that EA and then you can utilize that EA in an Advanced Search like you normally would any other criteria item.  You could do this one of three ways:

    1. Create a Config Profile with a custom payload domain (e.g. org.my.AboutMac) and include the Site variable in a dictionary <dict><key>Site</key><string>$Site</string></dict>) which you can then simply use defaults read /Library/Managed\ Preferences/org.my.AboutMac.plist Site in an EA Script to collect the EA

      1. However, this isn't dynamic if you have devices that switch between Sites; i.e. it will never change or if you devices that aren't actively checking in, it won't work -- and this only works for Macs

    2.  Create a Policy, as swapple mentioned, that writes the Site to a file and collect the info via the method above
    3. Run a script that sets this value on every device using the API. This is what I do and have shared before and others utilize. Here's my script: jamf_assignSiteEA.ps1; some notes:
      1. This is a PowerShell script as I run it on a Windows box that runs other automated tasks that my team has setup

        1. It runs nightly and dumps to a log file for review

        2. It checks if the current Site is the same as the Site EA; if it is, it does nothing, if it isn't, it updates the Site EA

          1. Duplicate records will cause an issue here -- the API cannot handle this

          2. Every time the API is used to change a device record, Jamf Pro acts like that is a "Inventory Update" even though it isn't -- this is a known issue with Jamf Pro that Jamf has yet to fix even though there are numerous Feature Requests asking for it

  2. Create a Smart Group in each Site with zero criteria items. This will give you a managed device count for that Site.

    1. I don't like to suggest creating Smart Groups that will be used for reporting....and remember you'll need two Smart Groups per Site (one for computers and one for mobile devices) for nothing more than this need will cause unnecessary overhead in your Jamf Pro Server.