Mac Compliance reporting

antoinekinch
New Contributor III

I am not sure if this has been asked as a feature request or not, but is there a way to create a baseline (OS, app versions, policies, etc., other than smart computer groups) and then run a compliance report against it? Being able to do compliance reporting at the click of a button would be awesome!

16 REPLIES

Matt
Valued Contributor

Let's take one example of what you are trying to do. The best thing about Casper is that there is more than one way to skin a cat. I am a big user of Extension Attributes, Smart Groups, and Custom Triggers.

antoinekinch
New Contributor III

OK, so if I wanted to take my current image (OS, apps, etc.) and set that as the baseline, and then find out which Macs did not meet that standard in one report without creating a smart computer group with all of these listed as criteria, how would you do it?

Matt
Valued Contributor

I'm just a little confused when you say baseline.

So let's say your current image has: OS X 10.8, Java 7, iWork, and QuickTime Pro.

Are you trying to find computers that are missing these particular titles in order to remediate via script/policy, or is it just for compliance reporting in the sense that you want to know who's out of compliance, period, regardless of applications? If you are doing it on an application-by-application basis I might have something, but I'd have to play around with it. You can create an answer file and do a lookup against it.

antoinekinch
New Contributor III

I am just talking about compliance reporting. I could always use policies to update machines, but if I wanted to evaluate a machine against a "baseline", currently I would have to look at the groups that it is a part of or package receipts instead of just some way of looking to see if it is "Compliant".

Matt
Valued Contributor

You'd have to do a directory compare to an answer file. That's the best way I can think of. The only other way would be to use ARD fields to give the image a name, but if you are worried about people deleting things that won't help ;)

Matt
Valued Contributor

ls "/Applications" > "/Applications/list.txt"

This will write whatever ls finds in the Apps folder to a text file; from there you compare it to an answer file.

Matt
Valued Contributor

#!/bin/bash

REPORTS="/Library/Application Support/JAMF/Reports"
mkdir -p "$REPORTS"

# Top-level listing of /Applications, compared against the answer file image.txt.
# '<' lines are on this Mac but not in image.txt; '>' lines (dropped here) would be the reverse.
ls "/Applications/" > "$REPORTS/currentsoftware.txt"

diff -a --suppress-common-lines "$REPORTS/currentsoftware.txt" "$REPORTS/image.txt" | grep '<' > "$REPORTS/difference.txt"

Something I whipped up super quick. The output is very messy, but it does output anything missing from either folder into a TXT file. Of course I did this super quick, so I am sure you can use this as a template to get going.

dpertschi
Valued Contributor

This sounds very much like the core functionality of Radmind: detecting changes from a known good state.
http://rsug.itd.umich.edu/software/radmind/download.html

I don't hear too much about that project anymore, perhaps it's mothballed; nevertheless you might be able to get some ideas by looking at what they were doing.

Matt
Valued Contributor

The script I posted will work great; I just suck at using awk and sed. If you can strip out the > < and line bits from the diff, you are in good shape. It will report the exact missing pieces of software.

mm2270
Legendary Contributor III

@Matt, your script could fall down if someone deletes or adds something in a sub-folder. If I go into Microsoft Office 2011 and delete all the apps there, or I add a bunch of stuff into that folder, the script would not catch it, since it's only doing an ls on the /Applications/ folder.

Might be better to use mdfind (Spotlight) for this. I posted something similar to this on an FR that just showed up today:

mdfind -onlyin /Applications/ 'kMDItemKind == "Application"' | sort -f

This will pull a list of all applications in the /Applications/ and /Applications/Utilities directories, with full paths to each, including any in sub-folders like Office 2011. That can be exported and compared against a baseline like you mentioned.
All in all though, this is a bit of hackery, since it's not true compliance checking. There's a lot more that goes into a real compliance check, as I'm certain you know, than just what apps live on the Mac. It's a start though.

Matt
Valued Contributor

FYI here is the output. I added a file to Applications and removed the App Store.

< App Store.app
< libpeerconnection.log

Matt
Valued Contributor

@mm2270 you are correct. It won't do anything even if I do it recursively. The whole idea behind this is looking for specific software against an answer file. It's just a really dirty way to do things. Maybe a starting point; I'm not the best coder, but hopefully this may turn a light bulb on for someone who can script :D

Answer File

Adobe
Adobe Bridge CS6
Adobe Extension Manager CS6
Adobe Photoshop CS6
Automator.app
Calculator.app
Calendar.app
Casper Suite
Chess.app
Citrix
Citrix Receiver.app
Contacts.app
Cyberduck.app
DVD Player.app
Dashboard.app
Dictionary.app
FaceTime.app
Firefox.app
Flip Player.app
Font Book.app
Game Center.app
GarageBand.app
Google Chrome.app
Hightail Desktop App.app
Image Capture.app
Launchpad.app
Mail.app
Maps.app
Messages.app
Microsoft Office 2011
Mission Control.app
Notes.app
Photo Booth.app
Preview.app
QuickTime Player.app
Reminders.app
Remote Desktop.app
Safari.app
Self Service.app
Stickies.app
System Preferences.app
TextEdit.app
TextWrangler.app
Time Machine.app
Utilities
VLC.app
YouSendIt.app
iMovie.app
iPhoto.app
iTunes.app
iWork '09

Output of Applications:

Adobe
Adobe Bridge CS6
Adobe Extension Manager CS6
Adobe Photoshop CS6
App Store.app
Automator.app
Calculator.app
Calendar.app
Casper Suite
Chess.app
Citrix
Citrix Receiver.app
Contacts.app
Cyberduck.app
DVD Player.app
Dashboard.app
Dictionary.app
FaceTime.app
Firefox.app
Flip Player.app
Font Book.app
Game Center.app
GarageBand.app
Google Chrome.app
Hightail Desktop App.app
Image Capture.app
Launchpad.app
Mail.app
Maps.app
Messages.app
Microsoft Office 2011
Mission Control.app
Notes.app
Photo Booth.app
Preview.app
QuickTime Player.app
Reminders.app
Remote Desktop.app
Safari.app
Self Service.app
Stickies.app
System Preferences.app
TextEdit.app
TextWrangler.app
Time Machine.app
Utilities
VLC.app
YouSendIt.app
iMovie.app
iPhoto.app
iTunes.app
iWork '09
libpeerconnection.log

Difference Report

< App Store.app
< libpeerconnection.log

It's ugly ugly ugly!!!!!! :D

Chris_Hafner
Valued Contributor II

Out of curiosity, why don't you want to use smart groups? Would a smart group based on extension attributes not work for this?

acdesigntech
Contributor II

What sort of information would you be looking to get? Just that the computer isn't compliant against the baseline? That it's missing X, Y, and Z?

I think EAs would be the way to go here, because then you could at least output the result of each EA in the single report that a Mac would fall into if it wasn't compliant. Otherwise I don't think a singular report would help very much without a HUGE amount of coding, but then we're back to the EA portion of it...

You might want to think about creating an EA for each area of the baseline you want to compare a Mac to. Say one is that the Java version has to be 1.7.0_11 for the Mac to be considered compliant (yes, I know 1.7.0_11 is super ancient, gimme a break, it's just an example ;) ). You would make that into an EA, populated by script. Rinse and repeat for each baseline item you want to check. Once you have all the EAs you want, you can create a single smart group (or inventory report, your choice) with the criteria of Extension Attribute 'a' IS NOT <whatever it is supposed to be> OR Extension Attribute 'b' IS NOT <whatever it is supposed to be>, etc.

The report will then show all Macs that are non-compliant for one reason or another, and in this report you can specify to display all of the EA fields that you are checking, so you can then see what area(s) of the Mac do not meet the baseline. You could also create a smart group for this and then be able to run policies against it to get the members of that group back into compliance, but in order to see the EA values you'd have to specify that the EA(s) are displayed by default in every inventory result.

I think it was @don montalvo who said in another thread "Casper is a framework." Sometimes it takes some finessing to get it to do what you want. I find that to be gratifying, since I love to code, and management thinks I'm a hero when I can hand them a single, shiny report, regardless of how much they just spent on said report ;)

Matt
Valued Contributor

At least we figured out how to compare the Apps folder :D Run it as an EA with <result>whatever</result> and bam.

Personally though, I love the Smart Groups. I have one for each title we offer in Self Service.
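
The pieces of this thread (Matt's diff against an answer file, mm2270's recursive mdfind listing, and the suggestion from acdesigntech and Matt to run the check as an extension attribute) put together into one script. This is an added example, not code from any of the posts above or from Jamf; the baseline path, the wording of the result, the find fallback for running the script off a Mac, and the demo inventory are all assumptions. Unlike the grep '<' version, it reports both directions of drift (baseline entries missing from the Mac, and apps on the Mac the baseline does not list) and prints the <result> tag a Jamf EA script reads, so a smart group or inventory report can key on it.

```shell
#!/bin/sh
# Added example for the thread above; not code from the original posts or from Jamf.
# Compares a Mac's application inventory against a baseline "answer file" and
# prints the result in the <result> format a Jamf extension attribute expects.
# BASELINE is an assumed location; the demo data at the bottom is constructed.

BASELINE="${BASELINE:-/Library/Application Support/JAMF/Reports/baseline.txt}"

# Recursive list of application bundles under a root. Spotlight (mdfind) on a
# Mac, find elsewhere so the script can also be exercised off a Mac. -prune
# stops find from descending into a bundle and listing helper apps nested in it.
collect_apps() {
    root="${1:-/Applications}"
    if command -v mdfind >/dev/null 2>&1; then
        mdfind -onlyin "$root" 'kMDItemKind == "Application"'
    else
        find "$root" -type d -name '*.app' -prune 2>/dev/null
    fi | LC_ALL=C sort -u
}

# compare_inventory BASELINE_FILE CURRENT_FILE
# One line per difference: "missing:<path>" for baseline entries the Mac lacks,
# "extra:<path>" for installed apps the baseline does not list. Both files are
# re-sorted in the C locale so comm sees them in the order it requires.
compare_inventory() {
    sb=$(mktemp) || exit 1
    sc=$(mktemp) || exit 1
    LC_ALL=C sort -u "$1" > "$sb"
    LC_ALL=C sort -u "$2" > "$sc"
    LC_ALL=C comm -23 "$sb" "$sc" | sed 's/^/missing:/'
    LC_ALL=C comm -13 "$sb" "$sc" | sed 's/^/extra:/'
    rm -f "$sb" "$sc"
}

# ea_result BASELINE_FILE CURRENT_FILE
# Wraps the comparison in the <result> tag Jamf reads from an EA script.
ea_result() {
    diffs=$(compare_inventory "$1" "$2")
    if [ -z "$diffs" ]; then
        printf '<result>Compliant</result>\n'
    else
        printf '<result>Non-compliant: %s</result>\n' \
            "$(printf '%s\n' "$diffs" | paste -s -d ';' -)"
    fi
}

# Constructed demo inventory (not from any real Mac): App Store is in the
# baseline but not on the Mac; VLC is on the Mac but not in the baseline.
demo_baseline() {
    printf '%s\n' "/Applications/App Store.app" "/Applications/Safari.app" \
        "/Applications/Utilities/Terminal.app"
}
demo_current() {
    printf '%s\n' "/Applications/Safari.app" "/Applications/Utilities/Terminal.app" \
        "/Applications/VLC.app"
}
run_demo() {
    db=$(mktemp) || exit 1
    dc=$(mktemp) || exit 1
    demo_baseline > "$db"
    demo_current > "$dc"
    ea_result "$db" "$dc"
    rm -f "$db" "$dc"
}

# Real use on a managed Mac when a baseline exists; otherwise run the demo.
if [ -f "$BASELINE" ]; then
    current=$(mktemp) || exit 1
    collect_apps /Applications > "$current"
    ea_result "$BASELINE" "$current"
    rm -f "$current"
else
    run_demo
fi
```

To use it for real, capture the baseline once from a known-good image with collect_apps /Applications > "$BASELINE", distribute that file, and paste the script into a script-type extension attribute; the EA value is the whole <result> string, so a smart group criterion of IS NOT "Compliant" picks out drifted Macs and the EA column in the report shows what drifted. It compares bundle paths only, so, as mm2270 says, it is a start rather than a real compliance check: a renamed or tampered app with the expected name still passes.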

acdesigntech
Contributor II

Yeah, smart groups are your friend :) And kudos on the mdfind command, @mm2270. Yet again I will be incorporating that into my master migration script :) I've been looking for a way to compare lists of apps easily to pick out which ones need an install, so during upgrade/reimaging/migration I can compare against a file of app names, populate an array of associated packages and use the jamf binary to do all the work.