Getting AD description and OU into Jamf Pro extension attribute (or other ideas)

New Contributor

It looks like we can get the AD description field and a computer's OU into extension attributes by running a script on a Mac, but the problem with this is that it only works when someone is on campus or using the VPN.

Has anyone had any success getting this information some other way?

It appears that Jamf Pro can talk directly to AD to grab user information, but it doesn't look like there is built-in functionality to grab computer information even though it is just a simple LDAP call.

All I can think of is having a script that loops through my AD once a day and uses the REST API to push these values into Jamf Pro, but that seems horribly inefficient.

Any ideas?


Valued Contributor

Why would you need to do this once per day? At least in our environment, this is pretty static data - I'd think once x week or per month would be sufficient.

Any chance of sharing that script? Sounds like something useful, but I've not even thought about trying to do it until now.

Contributor II

This is what I do, based on an EA named AD_OU, pieced from some other scripts I'm sure.
I'd run this at most 1x/month.


#!/bin/bash

# Function to decrypt
function DecryptString() {
    # Usage: ~$ DecryptString "Encrypted String" "Salt" "Passphrase"
    echo "${1}" | /usr/bin/openssl enc -aes256 -d -a -A -S "${2}" -k "${3}"
}

# Decrypt password (fill in the encrypted string, salt and passphrase)
apiUser=$(DecryptString '' '')
apiPass=$(DecryptString '' '')

# Jamf Pro server URL (set for your environment)
apiURL=""

# Read the bound computer account name, then the OU directly above it
ad_computer_name=$(dsconfigad -show | grep "Computer Account" | awk '{print $4}')
ad_computer_ou=$(dscl /Search read "/Computers/$ad_computer_name" |
    grep dsAttrTypeNative:distinguishedName |
    cut -d, -f2- |
    awk -F, '{print $1}' |
    awk -F= '{print $2}')

echo "Computer $ad_computer_name is in OU $ad_computer_ou"
udid=$(/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/awk '/Hardware UUID:/ { print $3 }')
# Inner double quotes are escaped so the XML declaration keeps them
xmlString="<?xml version=\"1.0\" encoding=\"UTF-8\"?><computer><extension_attributes><extension_attribute><name>AD_OU</name><value>$ad_computer_ou</value></extension_attribute></extension_attributes></computer>"

# Identify the location of the jamf binary for the jamf_binary variable.
CheckBinary (){
    # Identify location of jamf binary.
    jamf_binary=$(/usr/bin/which jamf)

    if [[ "$jamf_binary" == "" ]] && [[ -e "/usr/sbin/jamf" ]] && [[ ! -e "/usr/local/bin/jamf" ]]; then
        jamf_binary="/usr/sbin/jamf"
    elif [[ "$jamf_binary" == "" ]] && [[ ! -e "/usr/sbin/jamf" ]] && [[ -e "/usr/local/bin/jamf" ]]; then
        jamf_binary="/usr/local/bin/jamf"
    elif [[ "$jamf_binary" == "" ]] && [[ -e "/usr/sbin/jamf" ]] && [[ -e "/usr/local/bin/jamf" ]]; then
        jamf_binary="/usr/local/bin/jamf"
    fi
}

# Update the Extension Attribute
UpdateAPI (){
    /usr/bin/curl \
        -u "${apiUser}:${apiPass}" \
        -X PUT \
        -H "Content-Type: text/xml" \
        -d "${xmlString}" "${apiURL}/JSSResource/computers/udid/$udid"
}

CheckBinary
UpdateAPI

exit 0
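The script above stores only the OU nearest the computer object and places it in the XML body unescaped, so an OU name containing `&` or `<` produces a malformed request. As an added example (not part of the original post), these helpers take a full distinguishedName, build the whole OU path and XML-escape it before filling the same AD_OU payload; the function names and sample DNs are constructed for illustration.

```shell
#!/bin/sh
# Added example: helper names and sample DNs are constructed, not from the post.

# Escape XML special characters so directory-controlled text stays inside
# the <value> element instead of being parsed as markup.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
        -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Print every OU component of a distinguishedName, root first, joined by "/".
# A comma escaped as "\," inside a component is not treated as a separator.
# A computer that sits in a CN= container (no OU) yields an empty string.
ou_path_from_dn() {
    printf '%s' "$1" | awk '{
        gsub(/\\,/, "\001")                 # protect escaped commas
        n = split($0, part, ",")
        out = ""
        for (i = 1; i <= n; i++) {
            sub(/^ +/, "", part[i])         # tolerate "OU=a, OU=b"
            if (toupper(substr(part[i], 1, 3)) == "OU=") {
                v = substr(part[i], 4)
                gsub("\001", ",", v)        # restore the literal comma
                out = (out == "" ? v : v "/" out)
            }
        }
        printf "%s", out
    }'
}

# Build the PUT body for one extension attribute (name, value), both escaped.
ea_payload() {
    printf '<?xml version="1.0" encoding="UTF-8"?><computer><extension_attributes><extension_attribute><name>%s</name><value>%s</value></extension_attribute></extension_attributes></computer>' \
        "$(xml_escape "$1")" "$(xml_escape "$2")"
}

# Constructed sample DNs; the second has an escaped comma and XML metacharacters.
for dn in 'CN=MAC-0142,OU=Laptops,OU=Staff,DC=example,DC=edu' \
          'CN=MAC-0143,OU=R\,D & <Lab>,OU=Staff,DC=example,DC=edu'; do
    ea_payload "AD_OU" "$(ou_path_from_dn "$dn")"
    echo
done
```

The output of `ea_payload` can replace `xmlString` in the script above; the PUT request itself is unchanged.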

Valued Contributor

Very cool, thanks! We're using Centrify for binding, but I'll start digging to see what the equivalent to the dsconfigad command would be. Much appreciated!