Getting AD description and OU into Jamf Pro extension attribute (or other ideas)

johnarends
New Contributor

It looks like we can get the AD description field and a computer's OU into extension attributes by running a script on a Mac, but the problem with this is that it only works when someone is on campus or using the VPN.

Has anyone had any success getting this information some other way?

It appears that Jamf Pro can talk directly to AD to grab user information, but it doesn't look like there is built-in functionality to grab computer information even though it is just a simple LDAP call.

All I can think of is having a script that loops through my AD once a day and uses the REST API to push these values into Jamf Pro, but that seems horribly inefficient.

Any ideas?

3 REPLIES

Taylor_Armstron
Valued Contributor

Why would you need to do this once per day? At least in our environment, this is pretty static data - I'd think once x week or per month would be sufficient.

Any chance of sharing that script? Sounds like something useful, but I've not even thought about trying to do it until now.

koalatee
Contributor II

This is what I do, based on an EA named AD_OU, pieced from some other scripts I'm sure.
I'd run this at most 1x/month.

#!/bin/bash

# Function to decrypt
function DecryptString() {
    # Usage: ~$ DecryptString "Encrypted String" "Salt" "Passphrase"
    echo "${1}" | /usr/bin/openssl enc -aes256 -d -a -A -S "${2}" -k "${3}"
}

# Decrypt the API username and password (arguments as in the usage line above)
apiUser=$(DecryptString '' '')
apiPass=$(DecryptString '' '')

# API URL (include the scheme; without it curl falls back to plain HTTP)
apiURL="https://your.jss.here:8443"

# AD computer account name as reported by dsconfigad
ad_computer_name=$(dsconfigad -show | grep "Computer Account" | awk '{print $4}')
# Name of the first container after the computer's CN in its distinguishedName
ad_computer_ou=$(dscl /Search read "/Computers/$ad_computer_name" |
    grep dsAttrTypeNative:distinguishedName |
    cut -d, -f2- |
    awk -F, '{print $1}' |
    awk -F= '{print $2}')

echo "Computer $ad_computer_name is in OU $ad_computer_ou"
udid=$(/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/awk '/Hardware UUID:/ { print $3 }')
# Inner double quotes are escaped so they survive into the XML
xmlString="<?xml version=\"1.0\" encoding=\"UTF-8\"?><computer><extension_attributes><extension_attribute><name>AD_OU</name><value>$ad_computer_ou</value></extension_attribute></extension_attributes></computer>"

# Identify the location of the jamf binary for the jamf_binary variable.
CheckBinary (){
    # Identify location of jamf binary.
    jamf_binary=$(/usr/bin/which jamf)

    if [[ "$jamf_binary" == "" ]] && [[ -e "/usr/sbin/jamf" ]] && [[ ! -e "/usr/local/bin/jamf" ]]; then
        jamf_binary="/usr/sbin/jamf"
    elif [[ "$jamf_binary" == "" ]] && [[ ! -e "/usr/sbin/jamf" ]] && [[ -e "/usr/local/bin/jamf" ]]; then
        jamf_binary="/usr/local/bin/jamf"
    elif [[ "$jamf_binary" == "" ]] && [[ -e "/usr/sbin/jamf" ]] && [[ -e "/usr/local/bin/jamf" ]]; then
        jamf_binary="/usr/local/bin/jamf"
    fi
}

# Update the Extension Attribute
UpdateAPI (){
    /usr/bin/curl \
        -s \
        -u "${apiUser}:${apiPass}" \
        -X PUT \
        -H "Content-Type: text/xml" \
        -d "${xmlString}" "${apiURL}/JSSResource/computers/udid/$udid"
}

CheckBinary
UpdateAPI

exit 0
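
An added example, not part of the post above and not Jamf's own code: it goes beyond the script by returning the full nested OU path from a distinguishedName, XML-escaping the value before it is placed in the payload, and handing the API credentials to curl on stdin instead of on the command line. The function names, the `JAMF_USER`/`JAMF_PASS` variables and the sample DN are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names, JAMF_USER/JAMF_PASS and the sample DN are assumptions.

# Print every OU in a distinguishedName, top level first, joined by "/".
# Escaped commas ("\,") inside an OU name are preserved.
dn_to_ou_path() {
    printf '%s\n' "$1" | awk '{
        sep = "\001"                       # placeholder for escaped commas
        gsub(/\\,/, sep)
        n = split($0, rdn, ",")
        path = ""
        for (i = 2; i <= n; i++) {         # rdn[1] is the computer CN
            if (toupper(substr(rdn[i], 1, 3)) != "OU=") continue
            name = substr(rdn[i], 4)
            gsub(sep, ",", name)
            path = (path == "") ? name : (name "/" path)
        }
        print path
    }'
}

# Escape the characters that would break or alter the XML body.
xml_escape() {
    printf '%s\n' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Build the extension attribute payload: $1 = EA name, $2 = value.
build_ea_payload() {
    printf '<?xml version="1.0" encoding="UTF-8"?><computer><extension_attributes>'
    printf '<extension_attribute><name>%s</name><value>%s</value></extension_attribute>' \
        "$(xml_escape "$1")" "$(xml_escape "$2")"
    printf '</extension_attributes></computer>\n'
}

# PUT the payload: $1 = base URL, $2 = UDID, $3 = payload. Credentials reach
# curl through a config read from stdin, so they stay out of its argument list.
# (A password containing a double quote or backslash needs escaping first.)
push_ea() {
    printf 'user = "%s:%s"\n' "$JAMF_USER" "$JAMF_PASS" |
        /usr/bin/curl -sS --fail -K - -X PUT -H 'Content-Type: text/xml' \
            -d "$3" "$1/JSSResource/computers/udid/$2"
}

# Constructed sample DN: nested OUs, an escaped comma and an ampersand.
sample_dn='CN=MAC-0042,OU=R&D Lab,OU=Research\, Dev,DC=example,DC=edu'
build_ea_payload "AD_OU" "$(dn_to_ou_path "$sample_dn")"
```

`push_ea` is defined but not called, so the block runs offline and only prints the payload for the sample DN.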

Taylor_Armstron
Valued Contributor

Very cool, thanks! We're using Centrify for binding, but I'll start digging to see what the equivalent to the dsconfigad command would be. Much appreciated!