How to use an exit code to show a policy failure?

howie_isaacks
Valued Contributor II

I am frequently tasked with updating the many agents we run on our Macs. Often, the update process does not involve simply running a package that would register a failure if the policy failed to run the install for some reason. If the update process is driven entirely by a script, and the update is not a success, Jamf Pro will show that the policy completed. It did actually complete but the update was a failure. When I noticed that this was happening with one of my recent updates, I added a conditional statement to check if the version of the app was the newer version. 

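# Compare the installed version with the expected one; a non-zero exit marks the script as failed
if [ "$Version" = "7.13" ]; then
	echo "Upgrade to version 7.13 was successful"
	exit 0
else
	echo "Upgrade to version 7.13 failed"
	exit 1
fi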

Since I have noticed that some Macs did not get the latest version of the app and the policy shows as completed, I'm obviously not doing this right. What else do I need to do to get Jamf Pro to show the policy as failed instead of completed?


sdagley
Esteemed Contributor II

@howie_isaacks Do the policy logs for the Macs that didn't actually update show that the script went through the code path which ended with an exit 1?

howie_isaacks
Valued Contributor II

Yes. It does, which is why I think I may be doing something wrong. Here's a sample of what I see in the policy log for a Mac that failed to get the update package downloaded. Since the package did not download, the specified path to the install package was invalid. For the 7.13 version rollout, I have included a step to check if the install package is there. Since the new version of CrowdStrike was not present at the end of the process, the exit code was 1.

installer: Error - the package path specified was invalid: '/private/tmp/CrowdStrike/FalconSensorMacOS.MaverickGyr 7.12.pkg'.
Removing the staged installer package
Checking if the upgrade was successful
CrowdStrike upgrade to version 7.12 failed

Error running script: return code was 1.
Running Recon...

sdagley
Esteemed Contributor II

So the package and the script both failed. I would definitely expect the policy to report as failed in that case. Time to open a support case with Jamf asking why that's not happening.

howie_isaacks
Valued Contributor II

I will do that since I will likely want to do something like this again. I should add that we will be doing auto-updates for CrowdStrike soon so I won't need to do anything but manage the new install policy. Until then, I have to use a script to stop the CrowdStrike agent, and install the staged install package for the new version. And while I was writing this response, it occurred to me that I should include a check for the staged installer before the script tries to run the installer. Just being able to talk about this stuff helps me improve my processes!
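The flow discussed in this thread (check for the staged installer, run it, confirm the version, return non-zero on any failure), written out as an added example that is not code from any poster. The package path, the plist path and the `installed_version` helper are hypothetical placeholders to replace with your own.

```shell
#!/bin/bash
# Added example. Paths and the version lookup below are placeholders (assumptions).

TARGET_VERSION="7.13"                                         # version the policy should deliver
PKG_PATH="/private/tmp/EXAMPLE/agent.pkg"                     # placeholder staged package path
APP_PLIST="/Applications/EXAMPLE_AGENT.app/Contents/Info.plist"  # placeholder plist path

# Assumption: the agent's version is readable from its Info.plist.
# Replace with whatever reports the real installed version at your site.
installed_version() {
    defaults read "$APP_PLIST" CFBundleShortVersionString 2>/dev/null
}

# Wrapped in a function so the install step can be swapped out or stubbed.
run_installer() {
    /usr/sbin/installer -pkg "$1" -target /
}

# Returns 0 on success. Each failure has its own non-zero code so the
# "return code was N" line in the policy log says which step failed.
upgrade_agent() {
    pkg="$1"
    want="$2"

    # Pre-check: stop before touching the running agent if nothing is staged.
    if [ ! -f "$pkg" ]; then
        echo "Staged installer not found: $pkg"
        return 2
    fi

    # Do not ignore the installer's own exit status.
    if ! run_installer "$pkg"; then
        echo "installer reported an error for: $pkg"
        return 3
    fi

    # Post-check: the only real proof is the version now on disk.
    have="$(installed_version)"
    if [ "$have" = "$want" ]; then
        echo "Upgrade to version $want was successful"
        return 0
    fi
    echo "Upgrade to version $want failed (found: ${have:-none})"
    return 1
}

# Last lines of the policy script would be:
#   upgrade_agent "$PKG_PATH" "$TARGET_VERSION"
#   exit $?
```

Keeping the final `exit $?` as the very last command matters: any cleanup command placed after the check would replace the status the script hands back.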

sdagley
Esteemed Contributor II

I would definitely recommend having CrowdStrike auto update rather than trying to push updates via Jamf Pro.

And speaking of improving process, if you're not already using @franton's scripted install approach for your initial CrowdStrike install, do yourself a favor and take a look at https://richard-purves.com/2022/05/03/downloading-crowdstrike-via-api-for-fun-and-profit/

howie_isaacks
Valued Contributor II

The plan is to move to auto-updates. Thanks for the link. I will look at it.