List MDM Capable Users in Extension Attribute

May
Contributor III

Hi all,

I've had a few issues where VPP applications would not install, and after a fair while of investigation I found that the username listed under MDM Capable Users is not the same as the login username. In most instances the AD account had initially been set up with an incorrect spelling, and the JSS picked that up and kept it as the MDM Capable username.

If I remove the jamf framework and re-enroll, it gets the correct username and the VPP applications install OK.

I'd like to create an Extension Attribute and Smart Group to compare the login username with the MDM Capable username, and if there's a discrepancy I'll get notified.

I can see the MDM Capable username listed in the JSS but can't find a way to pull it into an Extension Attribute to be compared with the login username. Does anyone know how to list MDM capable users from the command line?

1 ACCEPTED SOLUTION

franton
Valued Contributor III

Coincidentally, I've been working on this exact problem. The issue is that finding the MDM users requires some API work, as that information isn't available anywhere else. I run the below as an EA.

#!/bin/bash

# EA to find the names of the MDM capable users on this device

# Set variables here
# Hardware UUID, which the JSS API uses as the computer's UDID
udid=$( ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s\n", line[4]); }' )
jssurl=$( /usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url )
# API account only needs read access to computer records. Anything hardcoded here is readable by every admin who can view the EA script.
apiuser=""
apipass=""

# Retrieve the computer record data from the JSS API.
# Use xpath to scope for the particular xml section we want. Dump all errors to /dev/null because xpath doesn't output cleanly.
# On macOS 10.15 and later the query has to be written as: xpath -e //general/mdm_capable_users
# sed to remove the xml tags leaving either the data we want, or nothing.
# -k disables TLS certificate verification; drop it if the JSS certificate is trusted by the Mac.
user=$( curl -k -H "Accept: application/xml" -s -u "${apiuser}:${apipass}" "${jssurl}JSSResource/computers/udid/${udid}" | xpath //general/mdm_capable_users 2> /dev/null | sed -e 's/<mdm_capable_users>//;s/<\/mdm_capable_users>//;s/<mdm_capable_users \/>//' )

# Report back as either a name or as unlisted
if [ "$user" = "" ];
then
        echo "<result>Missing</result>"
else
        echo "<result>$user</result>"
fi

# Finished!
exit 0


4 REPLIES

May
Contributor III

Hi @franton,
what a fortunate coincidence for me, and thank you so much for sharing your hard work!

This works perfectly. I've changed it to run in a policy so I can keep the API user details out of the script and in a parameter on the JSS, and added the beginning of the script from @mm2270 to confirm the parameters had been included.

If anyone that's logged in within 14 days isn't listed as an MDM capable user on the JSS, it'll write to a text file which I can monitor with an Extension Attribute and Smart Group. Please excuse my sed mess! When I get time I'll find a way to make it cleaner!

#!/bin/bash

#From mm2270
## You can choose to hardcode the API credentials below, or pass them as parameters $4 (username) and $5 (password)
## Policy parameters are visible in the process list while the script runs, so give the API account read-only rights.
APIUSER=""
APIPASS=""

## Use the hardcoded value if set, otherwise fall back to the policy parameter
APIUSER="${APIUSER:-$4}"
APIPASS="${APIPASS:-$5}"

## Check to make sure both values are not blank
if [[ -z "$APIUSER" ]] || [[ -z "$APIPASS" ]]; then
    echo "API credentials were not passed to this script. Pass the required values to the script and try again."
    exit 1
fi

#flag file that the Extension Attribute looks for; quoted everywhere because the path contains a space
flagfile="/Library/Application Support/JAMF/bin/non_mdmuser.txt"

#delete old file if exists
if [ -f "$flagfile" ]; then
    rm "$flagfile"
fi

#modified from franton
# Set variables here
udid=$( ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s\n", line[4]); }' )
jssurl=$( /usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url )

#MDM USERS - strip every tag from the <mdm_capable_users> block, leaving one username per line
# (on macOS 10.15 and later the query has to be written as: xpath -e //general/mdm_capable_users)
MDMUsers=$( curl -k -H "Accept: application/xml" -s -u "${APIUSER}:${APIPASS}" "${jssurl}JSSResource/computers/udid/${udid}" | xpath //general/mdm_capable_users 2> /dev/null | sed 's/<[^>]*>/ /g' | tr -s '[:space:]' '\n' | sed '/^$/d' )

#RECENT USERS - home folders accessed in the last 14 days, minus the shared and local admin accounts
RecentLoggedInUsers=$( find /Users -mindepth 1 -maxdepth 1 -type d -atime -14 | sed 's#.*/##;/^Shared$/d;/^localadmin1$/d;/^localadmin2$/d;/^root$/d' )

echo "MDM = $MDMUsers"
echo "$RecentLoggedInUsers"

#compare each recent user by exact name rather than substring, so a misspelt MDM username is caught
NonMDMUsers=""
for u in $RecentLoggedInUsers; do
    if ! printf '%s\n' "$MDMUsers" | grep -qxF -- "$u"; then
        NonMDMUsers="${NonMDMUsers}${u}"$'\n'
    fi
done

if [ -z "$NonMDMUsers" ]; then
    echo "ok"
else
    echo "user not MDM capable"
    printf '%s' "$NonMDMUsers" > "$flagfile"
fi
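Both scripts above do the same two things: pull the `<mdm_capable_users>` element out of the computer record and compare the names in it against the users on the Mac. The following is an added example, not code from franton, May, mm2270 or Jamf, that performs that parse and comparison offline against a constructed computer record, so it can be run without a JSS. The record, its hostname, UDID and usernames are made up, the function names are my own, and the candidate user list is hardcoded; on a real Mac you would feed it the curl output from franton's EA and the local accounts from `dscl . -list /Users UniqueID`.

```shell
#!/bin/bash
# Added example, not code from the thread. Parses the <mdm_capable_users>
# element of a JSS computer record and reports which local users are missing
# from it. The record below is constructed to look like the
# /JSSResource/computers/udid/<udid> response; hostname, UDID and names are fake.

SAMPLE_XML='<?xml version="1.0" encoding="UTF-8"?>
<computer>
  <general>
    <name>LAB-MAC-01</name>
    <udid>00000000-0000-0000-0000-000000000000</udid>
    <mdm_capable>true</mdm_capable>
    <mdm_capable_users>
      <user>jsmith</user>
      <user>jdoe</user>
    </mdm_capable_users>
  </general>
</computer>'

# Print the MDM capable usernames, one per line. Flattens the record first so
# the element may span lines, then strips every tag inside it. A self-closing
# <mdm_capable_users /> (nobody enrolled) prints nothing. No xpath or xmllint
# dependency, so the macOS 10.15 "xpath -e" syntax change does not matter.
mdm_capable_users() {
    printf '%s\n' "$1" \
      | tr -d '\n' \
      | sed -n 's/.*<mdm_capable_users>\(.*\)<\/mdm_capable_users>.*/\1/p' \
      | sed 's/<[^>]*>/ /g' \
      | tr -s '[:space:]' '\n' \
      | sed '/^$/d'
}

# Print every candidate username (second argument, one per line) that is not in
# the MDM capable list. Whole-line, fixed-string comparison: a misspelt AD
# account such as "jsmtih" is not accepted as a match for "jsmith", and a
# substring of a longer name cannot pass by accident.
users_missing_mdm() {
    mdm=$(mdm_capable_users "$1")
    printf '%s\n' "$2" | while IFS= read -r u; do
        [ -z "$u" ] && continue
        if ! printf '%s\n' "$mdm" | grep -qxF -- "$u"; then
            printf '%s\n' "$u"
        fi
    done
}

# Constructed candidate list standing in for the local accounts. On a Mac use:
#   dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }'
# "jsmtih" is the kind of misspelt account the original question describes.
candidate_users() {
    printf '%s\n' jsmith jsmtih localadmin
}

# Stand-alone run, reporting in Extension Attribute <result> form.
missing=$(users_missing_mdm "$SAMPLE_XML" "$(candidate_users)")
if [ -n "$missing" ]; then
    printf '<result>Not MDM capable: %s</result>\n' "$(printf '%s' "$missing" | tr '\n' ' ')"
else
    printf '<result>OK</result>\n'
fi
```

Run as an EA it returns `<result>Not MDM capable: jsmtih localadmin </result>` for the constructed data; a Smart Group on "is not OK" then catches the machines that need re-enrolling, without a flag file on disk.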

jesusvillarreal
New Contributor

Good afternoon. I want to begin by apologizing for not being very good at writing or reading scripts. I was hoping that the script originally posted by franton would help me determine which of my client machines are missing their MDM capable user. I too am having VPP application distribution issues. Can one of you fine folks please tell me exactly in which part of the script I must enter my own information, like apiuser, apipass and URL?
Thank you very much in advance!

bizops
New Contributor II

Hi, this helps with an issue that I'm also having. But how are you creating an Extension Attribute based on the text file?

I was working along the path of using the API to update an Extension Attribute in Jamf, but I'm not sure how to script this!