Is there a way to track active group changes? When a device moves from one smart group to another?

timmeedski
New Contributor

Hello!

I'm looking for a way to check when a device has moved from one smart group to another. In this case I am using an integer Extension Attribute to track a devices vulnerability compliance. If a device reports that a specific file is >0 it is put in a group that says there is a vulnerability. Once that EA drops to 0, that device is good. Is there a way to check which devices HAD an EA >0 but are now at 0 so I can track that the vulns are being remediated?

Thank you!

1 ACCEPTED SOLUTION

Danolman
New Contributor III

We also like to track or log historical data of machines. We would normally write a script to touch a hidden file to that machine and name it appropriately so that the file name describes what we're trying to track. The script would be delivered by a policy scoped to the smart group that contains the >0 machines or whatever smart group you designate.

We create a repository that holds all of these hidden files that we can search later if necessary. Extension Attributes can also be created that search for those hidden files, but we try to limit the use of EA's to reduce overhead.

#!/bin/bash
if [[ -e /Library/CompanyName/.Vulnerability15 ]]; then
echo "<result>V15</result>"
else
echo "<result>NotV15</result>"
fi

Over time, the machine will have a history of work in that file repository!

 

Hope this helps.

View solution in original post

9 REPLIES 9

Danolman
New Contributor III

We also like to track or log historical data of machines. We would normally write a script to touch a hidden file to that machine and name it appropriately so that the file name describes what we're trying to track. The script would be delivered by a policy scoped to the smart group that contains the >0 machines or whatever smart group you designate.

We create a repository that holds all of these hidden files that we can search later if necessary. Extension Attributes can also be created that search for those hidden files, but we try to limit the use of EA's to reduce overhead.

#!/bin/bash
if [[ -e /Library/CompanyName/.Vulnerability15 ]]; then
echo "<result>V15</result>"
else
echo "<result>NotV15</result>"
fi

Over time, the machine will have a history of work in that file repository!

 

Hope this helps.

I had a little difficulty in understanding what you were saying at first, but now I get it.

So the steps I'm taking are:

Create a script that checks for my vuln file. If that file is greater than 0, it creates an output of "activevulns.txt", if the file is =0 bytes it will create a remediatedvulns.txt

Then deploy this script via a policy to a smart group of machines that have active vulns.

Then create an EA that looks at the file created by the script("activevulns.txt" or "remediatedvulns.txt"), and if the remediatedvulns.txt exists, then report back that it is remediated. Once the device is remediated, it will be removed from the smart group and stop the policy from running. If the initial vulns file exists but neither of the activevulns.txt or remediatedvulns.txt exist, report that it never existed.

Now that I have an EA that can tell me the status if it is active, remediated, or never needed.

THANK YOU!

Danolman
New Contributor III

Great! You can also create advanced searches or new smart groups based on the EA which really helps for reporting status up the flag pole or if you'd like to perform any further actions on those machines. EA's will show up under Show Advanced Criteria. 

Really this is a way to get around the issue that our current Vuln Management system isn't reporting a specific vuln on the Mac side, but it is on windows. Instead of waiting for a solution from the vendor, I figure I'll just take it into my own hands and create reports for this one specific thing.

sdagley
Esteemed Contributor II

@timmeedski There is a "Send email notification on membership change" option on the 1st page of the Smart Group configuration screen which will produce the tracking you're asking for. It does require your JSS be configured with an SNMP server though.

Yes, I'd prefer not to get 300+ emails, plus its configured to send an email to a dist group, so it would spam the whole team. It would work but not really practical.

sdagley
Esteemed Contributor II

@timmeedski You can control what notifications a user receives so create a new JSS user who only receives email notification of Smart Group changes (you don't need to assign them any permissions) and set their email address to the one you want to be notified when a group changes and disable that for any other users receiving email notifications.

If that's not viable, and you're Jamf Cloud hosted, then you may want to look at the Premium Cloud option which allows sending all Jamf Pro logging data to Splunk (you'd want to verify Smart Group changes are in that data)

I think the biggest issue is that the email tracking is not the way I wanted to go in this case. I do have an instance where we do use it for smart group tracking and AWOL computers, but in this I was hoping to get numbers to track remediated vulns without having to do it manually.

sdagley
Esteemed Contributor II

In the there's more than one way to cook a Turducken category, Jamf does make the Smart Group membership change event available via the Jamf Pre Webhook interface. For more info see:

https://developer.jamf.com/developer-guide/docs/webhooks#smartgroupcomputermembershipchange

https://docs.jamf.com/10.35.0/jamf-pro/documentation/Webhooks.html?hl=webhook