Jamf Trust - How to guide a user to enable JamfPrivateAccess ?

tleadley
New Contributor

I have been able to determine if the application is enabled and running, but have not been able to create a script or guidance to help the user turn it back on without generating support tickets. I have seen this type of guidance demonstrated in a Jamf lead learning presentation.

So what I want to do is create an alert that will guide a user to a Self Service help script that will either direct the user to, or allow them to click a button to, enable Jamf Private Access when it gets disabled.

Anyone have any ideas?

I have not been fruitful in my search for information as of yet to be able to run JamfPrivateAccess using the CLI or create the assistive guidance necessary.

1 ACCEPTED SOLUTION

tleadley
New Contributor

Since I have not found or heard anything, I have attempted to create this myself. Here is my multi-pronged approach; this is not a perfect method, however it does work and does a pretty good job. All done without generating embedded credentials to make this process work. I have tried to cover as much as I can.

If there are other ideas or improvements please share!

When the status is set to Not Running or Access_Disabled, the device will be added to the following:

Smart Group: Jamf Trusted Access Disabled

Status for EA's

EA Name                      Status Message
Jamf Trust - Access          Running / Not Running
Jamf Protect - Smart Groups  Access_Disabled

Jamf Protect custom analytic with smart group

The Jamf Protect agent will notify and update the smart group when the application has been disabled or closed:

( $event.type == 2 AND $event.process.name == "JamfPrivateAccess" )

Jamf EA

Purpose is to detect if the Jamf Trust Access process is running when the device checks in.

EA Name: Jamf Trust - Access

Script:

#!/bin/bash
ProcessName=JamfPrivateAccess
# Count matching process lines, excluding the grep processes themselves
number=$(ps aux | grep -v grep | grep -ci "$ProcessName")
# Any match counts as running; testing for exactly 0 or exactly 1 left the
# result empty whenever more than one matching process was listed
if [ "$number" -gt 0 ]; then
    result="Running"
else
    result="Not Running"
fi
echo "<result>$result</result>"

Jamf Helper script

Computer Management script named Jamf Access Disabled

This is the script that notifies the end user and allows the user to enable Jamf Trust Access. If for some reason the workflow is not installed, it will not show the Enable button.

#!/bin/bash
## Get the logged in username
currUser=$(/usr/bin/stat -f%Su /dev/console)

# Jamf Helper Script for Jamf Protect (Low-Level Threat)

jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
# Automator workflow that clicks the Enable menu item, installed by the PKG below
workflow="/Users/$currUser/Library/Services/access.workflow"

#Title for Pop Up
msgtitle="Digital IT Group"

#Header for Pop Up
heading="Jamf Private Access"

#Description for Pop Up
description1="Looks like Jamf Access has stopped running!

If this is something you have initiated you can disregard this message.
Otherwise, if this becomes persistent, please report to IT."

description2="Looks like Jamf Access has stopped running!

If this is something you have initiated you can disregard this message.
Otherwise, click Enable to reactivate your connection!

Please report to IT if you suspect anything wrong or if this becomes persistent."

#Button Text
button1="Ok"
button2="Enable"
#Path for Icon Displayed
icon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/ToolBarInfo.icns"

if [ ! -d "$workflow" ]; then
    # Workflow not installed: inform only, no Enable button
    userChoice=$("$jamfHelper" -windowType utility -title "$msgtitle" -heading "$heading" -description "$description1" -button1 "$button1" -icon "$icon")
else
    # jamfHelper prints 2 when the second button (Enable) is clicked
    userChoice=$("$jamfHelper" -windowType utility -title "$msgtitle" -heading "$heading" -description "$description2" -button1 "$button1" -button2 "$button2" -icon "$icon")
    if [[ "$userChoice" == "2" ]]; then
        /usr/bin/automator "$workflow"
    fi
fi

#Remove Jamf Protect Extension Attribute
rm /Library/Application\ Support/JamfProtect/groups/*

#Update Jamf Inventory
jamf recon

Created Jamf Pro "PKG" signed build that installs the workflow, with post install script borrowed from @mm2270

This community article

#!/bin/sh

## Get the logged in username
currUser=$(/usr/bin/stat -f%Su /dev/console)
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

## Check for a 'Services' folder in the user's home directory. Create one if necessary
if [ ! -d "/Users/$currUser/Library/Services" ]; then
    echo "Creating Services directory for $currUser"
    mkdir "/Users/$currUser/Library/Services"
    sudo chown -R "$currUser" "/Users/$currUser/Library/Services"
fi

## Check to see if the workflow file was installed in /tmp
## and copy it to the current user's home Library folder
if [ -d /private/tmp/access.workflow ]; then
    sudo cp -R /private/tmp/access.workflow "/Users/$currUser/Library/Services/"
    echo "Copied the workflow to $currUser's Services folder"
    sudo chown -R "$currUser" "/Users/$currUser/Library/Services/access.workflow"
    echo "Set permissions on the workflow to $currUser as owner"
    sudo chmod -R go-rwx "/Users/$currUser/Library/Services/access.workflow"
    echo "Set access on the workflow for $currUser"
else
    ## Exit the rest of the installation if the workflow wasn't there to copy
    echo "The Service workflow was not found. Exiting installation..."
    ## The helper path contains a space, so it must be quoted to run at all
    "$jamfHelper" -windowType utility -title "Installation failed" -description "We seem to have run into a problem getting the service installed for you. Try running the Self Service installation again. If you continue to see this error, contact support so we can help correct this for you." -icon "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertCautionIcon.icns" -button1 "OK" -defaultButton 1
    exit 1
fi

## Now we check to make sure everything is in place
if [ -e "/Users/$currUser/Library/Services/access.workflow" ]; then
    echo "The Service was installed"
    serviceFile="Yes"
fi

## Restart Finder so the new Service is picked up
sleep 2
killall Finder

## Final clean up stage
rm -R /private/tmp/access*

Apple Automation workflow

Record a simple workflow that captures your action of clicking the menu item to enable the feature. Note that this will also disable access if the user has already enabled it before the process kicks off, since it only clicks the menu item shown.

Application accessibility enablement payload

Since we are activating this workflow within Terminal, only Terminal needs access to activate this automation. I used PPPC Utility to allow accessibility permissions and then uploaded it.

Identifier: com.apple.Terminal

Identifier Type: Bundle ID

Code Requirement: identifier "com.apple.Terminal" and anchor apple

Accessibility: Allow

Tools Used

Composer

PPPC Utility

Jamf Admin

Keychain Access

Text editor
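As an added example (not code from the post above), the EA and helper-script checks rewritten as small functions that can be exercised offline: the EA result is derived from any match count rather than exactly 0 or 1, and the "workflow installed for this user" test takes a home directory parameter. The process listing, its paths and the `Example.app` bundle are constructed for illustration.

```shell
#!/bin/bash
# Added example, not code from the original post. Reworks the extension
# attribute logic so the EA never reports an empty <result>, and exposes the
# "is the workflow installed" check the helper script relies on as a function.
# The sample listing and its paths are constructed for illustration.

PROCESS_NAME="JamfPrivateAccess"

# Count listing lines matching the process name, ignoring grep itself.
# Reads a `ps aux` style listing on stdin; always exits 0 so a zero count
# is reported as "0" rather than as a failure.
count_matches() {
    grep -v 'grep' | grep -c -i -- "$1" || true
}

# Map a match count to the EA value. Anything other than 0 is "Running", so a
# second helper process or a second logged-in user no longer produces an empty
# result (the original script only handled exactly 0 and exactly 1).
status_from_count() {
    case "$1" in
        ''|*[!0-9]*) echo "Unknown" ;;      # non-numeric input is surfaced, not hidden
        0)           echo "Not Running" ;;
        *)           echo "Running" ;;
    esac
}

# Build the EA XML from a listing on stdin.
ea_result() {
    n=$(count_matches "$PROCESS_NAME")
    echo "<result>$(status_from_count "$n")</result>"
}

# True when the Automator workflow the helper script launches exists under the
# given home directory (parameterised so it can be tested outside /Users).
workflow_installed() {
    [ -d "$1/Library/Services/access.workflow" ]
}

# Constructed sample listing: two matching process lines plus unrelated noise.
sample_listing() {
    cat <<'EOF'
USER   PID  %CPU %MEM COMMAND
alice  412   0.1  0.5 /Applications/Example.app/Contents/MacOS/JamfPrivateAccess
alice  418   0.0  0.2 /Applications/Example.app/Contents/MacOS/JamfPrivateAccess -helper
alice  530   0.0  0.1 /bin/bash
EOF
}

# Stand-alone run: the original 0/1 test would print an empty result here.
sample_listing | ea_result
```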
