JAMF Browsers Detection Script

manuelrangel
New Contributor

In my current tasks, I have a challenge: finding a way to detect all browsers installed on the JAMF Pro administered devices. Do you have any idea how to make this possible?

Regards,
MR

1 ACCEPTED SOLUTION

AJPinto
Honored Contributor II

Unfortunately, "all installed browsers" is far too generic to report on; you need to define what a browser is.

You can use smart groups targeting the application title and specify the browser name, e.g., safari.app, chrome.app, etc. There are other ways to do this, but I'd not reinvent the wheel unless necessary.


mm2270
Legendary Contributor III

You could, in a way, do this with an Extension Attribute. But given what was already stated by @AJPinto above, the concept of what a "browser" is is somewhat nebulous. Some applications that are not intended to be used to read HTML data can in fact do it, such as most of the Microsoft 365 apps. But no one would realistically consider Microsoft Word to be a browser.

However, it seems at first glance that all actual browsers have some flags in their Info.plist file that designate them as actual browsers. The property that seems common in most browsers I've looked at is CFBundleURLName = "Web site URL";

Using this, you can make an EA that scans all your installed applications in the main Applications folder and finds the ones that have that entry in their plist. Something like the below.

 

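#!/bin/zsh
# Jamf Extension Attribute: list apps in /Applications whose Info.plist
# contains the string "Web site URL" (the CFBundleURLName value noted above).

browsers_list=()

# Only top-level .app bundles (maxdepth 1), to keep the scan short
main_applications=$(/usr/bin/find /Applications -maxdepth 1 -name "*.app" | sort -g)

while IFS= read -r app_name; do
	# Bundle name without the leading path
	get_app_name=$(/bin/echo "$app_name" | awk -F'/' '{print $NF}')
	# Errors from bundles without a readable Info.plist are discarded
	if /usr/bin/defaults read "${app_name}/Contents/Info.plist" 2>/dev/null | /usr/bin/grep -q "Web site URL"; then
		browsers_list+=("$get_app_name")
	fi
done < <(printf '%s\n' "$main_applications")

/bin/echo "<result>$(printf '%s\n' "${browsers_list[@]}")</result>"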

 

 

TrentO
Contributor II

I love this idea for detecting browsers via an extended attribute. The only issue I see is that the CFBundleURLTypes.CFBundleURLName value where "Web site URL" is found is not standardized. Firefox for example uses "http URL" and "https URL" to refer to the http and https schemas individually.

I made some modifications to detect the schemas themselves as opposed to the CFBundleURLName value. I also added an exclusion list, so false alarms or allowed browsers can be ignored.

 

#!/bin/zsh
# Returns browser applications which are not in the approved list

approved_browsers=(
  "Google Chrome.app"
  "Safari.app"
)
false_alarms=(
  "Cyberduck.app" # File transfer utility
)
# Bundle names that are never reported
exclusion_list=($approved_browsers $false_alarms)

detections=()
# One array element per .app bundle found, at most two levels below /Applications
application_list=("${(f@)$(/usr/bin/find /Applications -type d -maxdepth 2 -name "*.app")}")
for app in $application_list; do
  # ${app:t} is the bundle name without its path; skip it if it is excluded
  if (($exclusion_list[(I)${app:t}])); then continue; fi
  # Convert Info.plist to XML, pull the CFBundleURLSchemes strings out of
  # CFBundleURLTypes, and flag the app if it registers http or https
  if /usr/bin/plutil -convert xml1 -o - "$app/Contents/Info.plist" | 
      /usr/bin/xmllint -xpath '//key[text() = "CFBundleURLTypes"]/following-sibling::*[1]//key[text() = "CFBundleURLSchemes"]/following-sibling::*[1]/string/text()' - 2>/dev/null |
      /usr/bin/grep -qiE '^https?$'; then
    detections+=(${app:t})
  fi
done

/bin/echo "<result>$(printf '%s\n' "${detections[@]}")</result>"

 

AJPinto
Honored Contributor II

Be careful with scripts like this as Extension Attributes. This will run on every device at every check-in, and depending on how many directories are being indexed it can massively slow down inventory check-ins if not break them totally. Also, with EAs there is no way to limit the blast radius.

mm2270
Legendary Contributor III

This is certainly true, and definitely sound advice.

However, in my quick and dirty tests, the script seems to complete in a reasonable amount of time. Not any longer than many other EAs I have. I suppose if you were scanning every location across the drive, this would bring a Jamf inventory collection to its knees. That's why I limited the one I whipped up to only look in the main Applications folder and only one level deep. Unless someone has thousands of applications installed, it shouldn't take very long to complete. But, YMMV as they say.

That being said, you could mitigate this concern by having a once per day policy run on the Mac that just runs the above script and outputs the results to a file, then have the EA just pick up the contents of that file instead. That would prevent any long running recons, though it could make for a daily long running policy. For something like this, I imagine that would be quite acceptable since I doubt changes in installed browsers are happening all that often.
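
The cache-file hand-off suggested in the post above, sketched as an added example (not code from any poster in this thread). The cache path, the two-day staleness limit, the function names and the status strings are all assumptions; the scan itself would be one of the scripts posted earlier, with its output piped into `write_cache`.

```shell
#!/bin/sh
# Added example: daily policy writes a cache file, the EA only reads it.
# CACHE and MAX_AGE are assumed values, not Jamf defaults. The directory is
# created by root during the policy run, so standard users cannot alter
# what the EA later reports.
CACHE="${CACHE:-/Library/Application Support/BrowserAudit/browsers.txt}"
MAX_AGE="${MAX_AGE:-172800}"  # seconds; two missed daily runs count as stale

# Policy side: scan output arrives on stdin. The first line of the cache is
# the scan time in epoch seconds; the final rename makes the update atomic,
# so the EA never reads a half-written file.
write_cache() {
  dir=$(dirname "$CACHE")
  mkdir -p "$dir" || return 1
  tmp=$(mktemp "$dir/.browsers.XXXXXX") || return 1
  { date +%s; cat; } > "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$CACHE"
}

# EA side: a single file read, so inventory collection stays fast.
# Missing, malformed or old data is reported explicitly, because an empty
# result would look the same as "no unapproved browsers found".
read_cache_ea() {
  if [ ! -r "$CACHE" ]; then
    echo "<result>No scan data</result>"; return 0
  fi
  stamp=$(head -n 1 "$CACHE")
  case "$stamp" in
    ''|*[!0-9]*) echo "<result>Invalid scan data</result>"; return 0 ;;
  esac
  if [ $(( $(date +%s) - stamp )) -gt "$MAX_AGE" ]; then
    echo "<result>Stale scan data</result>"; return 0
  fi
  # Everything after the timestamp line is the list of detected apps
  echo "<result>$(tail -n +2 "$CACHE")</result>"
}
```

The policy script would end with the scan piped into `write_cache`, and the EA script would end with a call to `read_cache_ea`. A smart group on the three status strings shows which Macs have stopped running the daily policy.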

mm2270
Legendary Contributor III

Also, not sure what you meant by "This will run on every device at every check in". Unless you have an ongoing policy in place that does an inventory collection, that really shouldn't be the case. In fact, constant inventory collections are a bad idea.

That's a good point. I generally would deploy something like this as a policy and then gather the result in an EA. Though, this one should be relatively safe as the find command has a maxdepth of 2.

easyedc
Valued Contributor II

For fun - 'cause @mm2270 threw it out there - I tested that script. It doesn't find Firefox (which is installed on the same Mac I tested). Just be sure to test.

<result>Google Chrome.app
Microsoft Edge.app
Safari.app</result>

 You might have some success hunting for people having changed their default browser..?

plutil -p ~/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist | grep 'https' -b3 |awk 'NR==3 {split($4, arr, "\""); print arr[2]}'

mm2270
Legendary Contributor III

I didn't have Firefox installed on my Mac, so that's a good catch. Seems like @TrentO has a more comprehensive version that can catch additional apps that mine was missing.

easyedc
Valued Contributor II

So instead of looking for "all the browsers installed" is there a bigger question we could ask? Maybe - why are you looking for these browsers? If there's a concern with one or two in particular, doing an add to Restricted Software may make more sense. Brave Browser got hit a few years ago as having a coin mining component installed, for example, so we just block browsers we say aren't corp approved (big 4 - Safari, FF, Chrome, Edge). 

robjschroeder
Contributor

An EA may not be the way to go; you could, however, just do an application report. Then filter for browser titles. Then you're not adding overhead to your computers' inventory updating with EAs or your Jamf server with Smart Groups.