Is there a way to retrieve a file remotely and receive a notification when policy executes?

rorlando
New Contributor

I created the MakeMeAnAdmin Policy and made it available in Self Service and it is working well and creating the log file at the end.

Is there a way to retrieve that file without having to engage / bother end user?

The following options would have to engage end user, no?

1. https://github.com/kc9wwh/logCollection/wiki

2. JamfRemoteAssist

AND

Is there a way I can receive a notification when an end user executes that policy (when they click on "run" on the MakeMeAnAdmin button in self service)?


nelsoni
Contributor III

There is an API call you can use to grab files from the Mac and upload them to the record of the Mac in Jamf. The path is "/fileuploads/{resource}/{idType}/{id}" in the Classic API. They are found on the Attachments tab of the computer record.

To get a notification of when the policy runs, you could lay down a receipt file and use a smart group that is looking for the file and use a webhook to get notified in something like Teams or Slack. Really, anything would work.

mm2270
Legendary Contributor III

It's possible to do via the Jamf API, but it involves passing credentials down to the Mac during script execution for a Jamf account that has write privileges to the computer object, so whether this is considered a "good" method depends on you and your organization's comfort level with such a thing.

But the gist is, each computer record can have attachments added to it. This can be done, and often IS done, through the Jamf Pro UI. But it can also be done using the API with the right syntax. This would add the log file to the computer under the Attachments section where you can then retrieve it by downloading it to your machine.

Probably the better long term solution would be to look at some kind of external logging solution, like a SIEM or something similar that can collect logs from clients. That would probably be more secure, though maybe not as easy to implement, unless you already have something like this in your org that you can tap into.


As for receiving a notification when an end user executes a Self Service policy, that's a little trickier. But maybe something like this could work.

Have the policy write some entry into a local plist or log file, or update one of the same. Create an Extension Attribute that captures some details from this log/plist file. Based on how you set it up, you could have a Smart Computer Group that devices get added to when that file is updated with some value or the date in it changes to within a threshold you choose. If you have an SMTP server set up to send emails, you can be notified of group changes to this Smart Computer Group, so you'll know a Mac landed in that group, which would mean the user ran the policy. This is dependent on making sure an inventory collection is taken immediately after the policy runs of course.

mm2270
Legendary Contributor III

BTW, I should mention that the logCollection.sh script from Joshua Roskos that you listed above uses the API method I mentioned, in case you were ok with using that. Most of the heavy lifting is already done with that script. But note that it hasn't been updated to account for the API token requirement that will soon be needed when using the API. While it may work right now, eventually it will stop working until it's updated.

rorlando
New Contributor

Ok, this is all really great info. Thanks so much everyone.

I will have to set up and test with API.

Thanks again!

AJPinto
Honored Contributor II

If you want to be lazy, you can create a file and an extension attribute looking for said file.

  1. Add a line to the script that creates a file like touch /tmp/log/admin.log (or use something that already exists in the script)
  2. Have an inventory update payload on the policy.
  3. Create an extension attribute looking for that file.
  4. Create a smart group for devices with that file and enable email notifications when someone is added.

This will cause Jamf to email you after the MakeMeAnAdmin policy finishes, as the devices are added to the smart group because /tmp/log/admin.log exists on the device. You can have your demotion workflow remove that file, which would remove the device from the smart group on the next inventory update.
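An Extension Attribute script that ties together the two suggestions above (mm2270's date-based threshold and AJPinto's receipt file), written as an added example rather than code from any poster or from Jamf. It assumes the policy touches /tmp/log/admin.log at the end of its run and that the EA is created in Jamf Pro with the data type "Date (YYYY-MM-DD hh:mm:ss)", so a smart group can use "less than X days ago" as its criterion instead of mere file presence.

```shell
#!/bin/sh
# Hypothetical Jamf Pro Extension Attribute: reports when the MakeMeAnAdmin
# receipt file was last written, or "Not run" when the receipt is absent.
# RECEIPT defaults to the path used in AJPinto's post; override it for testing.
RECEIPT="${RECEIPT:-/tmp/log/admin.log}"

# Modification time of a file in epoch seconds. macOS ships BSD stat
# (-f %m); the GNU form (-c %Y) is kept so the script also runs on Linux.
file_mtime() {
    case "$(uname)" in
        Darwin) stat -f %m "$1" ;;
        *)      stat -c %Y "$1" ;;
    esac
}

# Epoch seconds -> "YYYY-MM-DD hh:mm:ss" in the Mac's local time, which is
# the format Jamf expects for a Date-typed Extension Attribute.
fmt_epoch() {
    case "$(uname)" in
        Darwin) date -r "$1" "+%Y-%m-%d %H:%M:%S" ;;
        *)      date -d "@$1" "+%Y-%m-%d %H:%M:%S" ;;
    esac
}

# Build the <result> element Jamf parses from EA script output.
# A missing receipt means the policy has not run (or the demotion
# workflow already cleaned up), so the Mac falls out of the smart group.
ea_result() {
    if [ ! -f "$1" ]; then
        echo "<result>Not run</result>"
        return 0
    fi
    echo "<result>$(fmt_epoch "$(file_mtime "$1")")</result>"
}

ea_result "$RECEIPT"
```

Because the value is a date rather than a yes/no, the same EA also lets you spot Macs whose receipt is stale, which is useful if the demotion step ever fails to remove it.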

Thank you so much for your idea!!!!