Posted on 11-20-2013 12:16 PM
I might be overlooking an easy fix, but here goes... I am testing the process to update 10.8 machines to 10.9 using Self service... the caching of the package and installation work with no problems. Upon reboot and logon, the machine's inventory has not yet been updated, and as a result it still displays 10.8.x as the OS version. I have multiple policies that are triggered based on 10.9 OS, which impact the users initial experience. The question is, how can i best ensure that after these machines are updated to 10.9, the inventory updates when the user logs on for the first time after the upgrade (or soon after)? Thanks.
Solved! Go to Solution.
Posted on 12-06-2013 10:17 AM
Try this:
#!/bin/bash
/usr/sbin/jamf log
if [ $? == "0" ]; then
/usr/sbin/jamf recon
/bin/rm -f /Library/LaunchDaemons/com.company.firstrecon.plist
/bin/rm -f "$0"
else
exit 0
fi
I still think that net-catting your JSS is a better option than running the log command... but that's just me.
Posted on 11-20-2013 12:20 PM
add a recon as a first boot script.
Posted on 11-20-2013 12:25 PM
Create a simple LaunchDaemon and script that runs a jamf recon, and then deletes the daemon and itself.
The LaunchDaemon should simply have a RunAtLoad key and a ProgramArguments which runs the script.
Use Lingon or LaunchControl to create the LaunchDaemon
Lingon: https://jamfnation.jamfsoftware.com/viewProduct.html?id=148&view=info
LaunchControl: https://jamfnation.jamfsoftware.com/viewProduct.html?id=246&view=info
Wrap up the Daemon and the script into a package (pkg). Deploy that package along with your Mavericks upgrade workflow. When the Mac reboots, it should immediately run the inventory scan, even before any user logs in, then delete the LaunchDaemon and itself, so in effect, cleaning up.
Alternatively, you could simply leave them on the Mac, so they'll inventory every time they reboot.
Posted on 11-20-2013 05:15 PM
Appreciate the follow-up. I will give this a try.
Posted on 12-05-2013 08:48 AM
I have not had much luck with this. Since we leverage wifi (802.1x) as a primary connection, the start-up script is unable to reach our jamf server (I seem to be having similar issues with the logon trigger). As a workaround, I may just advertise a 'Mavericks Post Install' which includes the various 10.9 specific configuration scripts... any other ideas would be appreciated. Thanks!
Posted on 12-05-2013 09:09 AM
@josaxo][/url][/url][/url][/url][/url, that tends to be an issue with machines that don't have hardwired Ethernet connections or otherwise may boot up off the network.
What I've done to get around this is put in a simple check up front in the script that does a jamf log
Have the script check the exit status. If successful, then move on to do the recon and clean up. Otherwise, exit until the next run. To have it run again in addition to the RunAtLoad, add in a StartInterval to the daemon. Say, every 30 or 60 seconds, etc.
#!/bin/bash
status=$(/usr/sbin/jamf log; echo $?)
if [ "$status" == "0" ]; then
/usr/sbin/jamf recon
/bin/rm -f /Library/LaunchDaemons/com.company.firstrecon.plist
/bin/rm -f "$0"
else
exit 0
fi
Hope that helps.
Posted on 12-05-2013 01:29 PM
I'd do something similar to @mm2270][/url, but likely using NetCat to your JSS instead... something like:
#!/usr/bin/env bash
ServerStatus=$(nc -z $Server 8443 | grep -c "succeeded")
if [[ $ServerStatus > 0 ]]; then
jamf recon
rm -rfv $LaunchD_Plist
rm -rfv "$0"
sleep 10
launchctl remove $LaunchD_Identifier
fi
exit 0
Posted on 12-06-2013 08:15 AM
OK, so I've tested the script and although it forces the machine to check-in, it does not update the inventory. Should i include any additional commands besides recon?
Posted on 12-06-2013 09:10 AM
That's odd. The jamf recon should be enough to gather new inventory.
Just to clarify, this is running after the Mac reboots and has been upgraded?
Are you testing the script manually or via a LaunchDaemon? If you're doing it via the latter, remember that it must be run from a LaunchDaemon, not a LaunchAgent, since only a daemon can run the script as root, which is required since you're doing s jamf recon in it.
Posted on 12-06-2013 09:28 AM
Perhaps it is something in the script logic? If i run recon manually via terminal it updates the inventory as expected... if I run the script via terminal, the inventory does not update... I'm basically using your script, and updated it with my plist name:
#!/bin/bash
status=$(/usr/sbin/jamf log; echo $?)
if [ "$status" == "0" ]; then
/usr/sbin/jamf recon
/bin/rm -f /Library/LaunchDaemons/com.company.firstrecon.plist
/bin/rm -f "$0"
else
exit 0
fi
@c0n0r i assume i would need to customize your script to point toward my plist name?
Posted on 12-06-2013 09:36 AM
I left the variables $Server, $LaunchD_Plist and $LaunchD_Identifier for you to replace with your custom info, or to be defined by you in the script.
How are you firing off the script? The script needs run are root, so if you aren't setting it up as a LaunchDaemon, you would need to fire off the script manually with the sudo command. To completely test it, I would suggest using:
sudo sh -x <path to script>
That should dump each line of the script, exactly as it's trying to be run, to be reported to StdOut.
Posted on 12-06-2013 10:07 AM
I ran the script, and this is the result:
bash-3.2$ sudo sh -x /Users/myuser/Desktop/jamfrecon.sh
++ /usr/sbin/jamf log
++ echo 0
+ status='Logging to https://ourserver:8443/...
0'
+ '[' 'Logging to https://ourserver:8443/...
0' == 0 ']'
+ exit 0
Posted on 12-06-2013 10:17 AM
Try this:
#!/bin/bash
/usr/sbin/jamf log
if [ $? == "0" ]; then
/usr/sbin/jamf recon
/bin/rm -f /Library/LaunchDaemons/com.company.firstrecon.plist
/bin/rm -f "$0"
else
exit 0
fi
I still think that net-catting your JSS is a better option than running the log command... but that's just me.
Posted on 12-06-2013 11:07 AM
Yeah, looks like its not picking up the exit status correctly in the variable. Odd though since echo'ing it out reports as "0" as it should. Splitting it up like above seems to work better.
As for the difference between jamf log or using nc, generally speaking it probably doesn't matter, but I think the important difference is that the jamf log ensures communication between the Mac and your JSS. It won't work if the Mac isn't enrolled and the jamf binary isn't there, so you'll get a non zero exit status. Whereas I can take any Mac on my network, not enrolled in my JSS and do a successful NetCat to the JSS. In other words, being able to NetCat it doesn't imply you can do a recon, whereas a successful jamf log typically does. Just my 2¢.
Posted on 12-06-2013 11:42 AM
@c0n0r @mm270 Thanks for the help. With the updated code provided by conor, the script is now working as expected. This will help to streamline our 10.9 upgrade process. By the way, I ended up using Lingon to create the LaunchDaemon. Thanks again.
Posted on 12-08-2013 02:52 PM
do you have a hidden management account? Did the 10.9 update remove it?
We use a hidden casper management account, and our 10.9 upgrades would remove it as the uid was under 500.
I setup a launch daemon script to check for the presence of the account and to run a script to recreate it if it does not exist, this was pushed out to all 10.8 machines before they were upgraded. Something to think about also
Posted on 12-09-2013 07:19 AM
@clum_carey, it's strange that you're having the sub 500 Casper management account removed when doing upgrades to 10.9. If you check out the thread at https://jamfnation.jamfsoftware.com/discussion.html?id=8744 there are several people that haven't experienced that behavior. I wonder what the difference is between the process your using the the process that others are using. When I tested upgrading to 10.9 my sub 500 Casper admin account remained but I didn't do the upgrade by pushing it out out through Casper. It would be nice to know in what situations the account stays and what situations it gets removed.
Posted on 12-09-2013 08:26 AM
Yeah, most of us have found that installing Mavericks in an update fashion doesn't delete any sub 500 accounts. If that's happening to you, you may want to investigate further, because all accounts from the field have shown that Apple stopped this practice with the 10.9 update, so that shouldn't be happening at all. Something else may be causing that.
Posted on 12-09-2013 01:47 PM
Hmm will have to take another look. Have been using the same workarounds for so long they just become a habit and standard practice now. I'm not sure I even tested an upgrade from 10.8 to 10.9 without the script to recreate the management account. Thanks for the heads up, will test and confirm then its one less package I need to worry about in my workflow