Posted on 08-14-2013 10:32 AM
I am not sure if this has been asked as a feature request or not but is there a way to create a baseline (OS, app versions, policies etc other than smart computer groups) and then run a compliance report against it? Being able to do compliance reporting at the click of a button would be awesome!
Posted on 08-14-2013 11:00 AM
Lets take one example of what you are trying to do. Best thing about Casper their is more than one way to skin a cat. I am a big user of Extension Attributes, Smart Groups, and Custom Triggers.
Posted on 08-14-2013 11:23 AM
Ok, so if I wanted to take my current image (OS, Apps, etc) and set that as the baseline and then find out which Macs did not meet that standard in one report without creating a smart computer group with all of these listed as criteria how would you do it?
Posted on 08-14-2013 11:28 AM
Im just a little confused when you say baseline.
So lets say your current image has: OSX 10.8, Java 7, iWork, and Qucktime Pro
are you trying to find computers that are missing these particular titles in order to remediate via script/policy or is it just for compliance reporting in the sense that you want to know whos out of compliance period regardless of Applications. If you are doing it on an application by application basis I might have something but I'd have to play around with it. You can create an answer file and do a look up against.
Posted on 08-14-2013 11:35 AM
I am just talking about compliance reporting. I could always use policies to update machines but If i wanted to evaluate a machine against a "baseline" currently I would have to look at the groups that it is a part of or package receipts instead of just some way of looking to see if it is "Compliant".
Posted on 08-14-2013 11:46 AM
You'd have to do a Directory compare to an Answer File. Thats the best way I can think. The only other way would be use ARD fields to give the Image a name, but if you are worried about people deleting things that won't help ;)
Posted on 08-14-2013 11:46 AM
You'd have to do a Directory compare to an Answer File. Thats the best way I can think. The only other way would be use ARD fields to give the Image a name, but if you are worried about people deleting things that won't help ;)
ls "/Applications" > "/Applications/list.txt"
This will copy anything LS'd from the Apps folder to a text file, from there you compare to an answer file.
Posted on 08-14-2013 12:12 PM
#!/bin/bash
ls "/Applications/" > "/Library/Application Support/JAMF/Reports/currentsoftware.txt"
diff -a --suppress-common-lines "/Library/Application Support/JAMF/Reports/currentsoftware.txt" "/Library/Application Support/JAMF/Reports/image.txt" | grep '<' > "/Library/Application Support/JAMF/Reports/difference.txt"
Something I whipped up super quick. The output is very messy but it does output anything missing from either folder into a TXT file. Of course I did this super quick so I am sure you can use this as a template to get going.
Posted on 08-14-2013 12:39 PM
This sounds very much like the core functionality of Radmind: detecting changes from a known good state.
http://rsug.itd.umich.edu/software/radmind/download.html
I don't hear too much about that project anymore, perhaps mothballed, nevertheless you might be able to get some ideas by looking at what they were doing.
Posted on 08-14-2013 12:42 PM
The script I posted will work great I just suck at using AWK and SED. If you can strip out the > < and line bits from the diff you are in good shape. It will report the exact missing pieces of software.
Posted on 08-14-2013 12:52 PM
@Matt, your script could fall down if someone deletes or adds something into a sub-folder If I go into Microsoft Office 2011 and delete all the apps there, or I add a bunch of stuff into that folder, the script would not catch it since its only doing an ls on the /Applications/ folder.
Might be better to use mdfind (Spotlight) for this. I posted something similar to this on a FR that just showed up today
mdfind -onlyin /Applications/ 'kMDItemKind == "Application"' | sort -f
This will pull a list of all applications in the /Applications/ and /Applications/Utilities directories with full paths to each, including any in sub-folders like Office 2011. That can be exported and compared against a baseline like you mentioned.
All in all though, this is a bit of hackery, since its not true compliance checking. There's a lot more that goes into a real compliance check as I'm certain you know than just what apps live on the Mac. its a start though.
Posted on 08-14-2013 12:53 PM
FYI here is the output. I added a file to Applications and removed the App Store.
< App Store.app
< libpeerconnection.log
Posted on 08-14-2013 12:59 PM
@mm2270 you are correct. It won't do anything even if I do it recursively. The whole idea behind this is looking for specific software against an answer file. Its just a really dirty way to do things. Maybe a starting point Im not the best coder but hopefully this may turn a light bulb on to someone who can script :D
Answer File
Adobe
Adobe Bridge CS6
Adobe Extension Manager CS6
Adobe Photoshop CS6
Automator.app
Calculator.app
Calendar.app
Casper Suite
Chess.app
Citrix
Citrix Receiver.app
Contacts.app
Cyberduck.app
DVD Player.app
Dashboard.app
Dictionary.app
FaceTime.app
Firefox.app
Flip Player.app
Font Book.app
Game Center.app
GarageBand.app
Google Chrome.app
Hightail Desktop App.app
Image Capture.app
Launchpad.app
Mail.app
Maps.app
Messages.app
Microsoft Office 2011
Mission Control.app
Notes.app
Photo Booth.app
Preview.app
QuickTime Player.app
Reminders.app
Remote Desktop.app
Safari.app
Self Service.app
Stickies.app
System Preferences.app
TextEdit.app
TextWrangler.app
Time Machine.app
Utilities
VLC.app
YouSendIt.app
iMovie.app
iPhoto.app
iTunes.app
iWork '09
Output of Applications:
Adobe
Adobe Bridge CS6
Adobe Extension Manager CS6
Adobe Photoshop CS6
App Store.app
Automator.app
Calculator.app
Calendar.app
Casper Suite
Chess.app
Citrix
Citrix Receiver.app
Contacts.app
Cyberduck.app
DVD Player.app
Dashboard.app
Dictionary.app
FaceTime.app
Firefox.app
Flip Player.app
Font Book.app
Game Center.app
GarageBand.app
Google Chrome.app
Hightail Desktop App.app
Image Capture.app
Launchpad.app
Mail.app
Maps.app
Messages.app
Microsoft Office 2011
Mission Control.app
Notes.app
Photo Booth.app
Preview.app
QuickTime Player.app
Reminders.app
Remote Desktop.app
Safari.app
Self Service.app
Stickies.app
System Preferences.app
TextEdit.app
TextWrangler.app
Time Machine.app
Utilities
VLC.app
YouSendIt.app
iMovie.app
iPhoto.app
iTunes.app
iWork '09
libpeerconnection.log
Difference Report
< App Store.app
< libpeerconnection.log
Its ugly ugly ugly!!!!!! :D
Posted on 08-15-2013 05:38 AM
Out of curiosity. Why don't you want to use smart groups? Would a smartgroup based on extension attributes not work for this?
Posted on 08-15-2013 10:37 AM
What sort of information would you be looking to get? Just that the computer isn't compliant against the baseline? That it's missing X, Y, and Z?
I think EAs would be the way to go here, because then you could at least output the result of each EA in the single report that a Mac would fall into if "it wasn't compliant." Otherwise I don't think a singular report would help very much without a HUGE amount of coding, but then we're back to the EA portion of it...
You might want to think about creating an EA for each area of the baseline you want to compare a mac to. Say one is java version has to be 1.7.0_11 for the Mac to be considered compliant (yes, I know 1.7.0_11 is super ancient, gimme a break it's just an example ;) ). You would make that into an EA, populated by script. Rinse and repeat for each baseline item you want to check. Once you have all the EAs you want, you can create a single smart group (or inventory report, your choice) with the criteria of Extension Attribute 'a' IS NOT <whatever it is supposed to be> OR Extension Attribute 'b' IS NOT, etc.
The report will then show all macs that are non-compliant for one reason or another, and in this report you can specify to display all of the EA fields that you are checking, so you can then see what area(s) of the Mac do not meet the baseline. You could also create a smart group for this and then be able to run policies against it to get the members of that group back into compliance - but in order to see the EA values you'd have to specify that the EA(s) are displayed by default in every inventory result.
I think it was @don montalvo that said in another thread "Casper is a framework." Sometimes it takes some finessing to get it to do what you want. I find that to be gratifying since I love to code, and management thinks I'm a hero when I can hand them a single, shiny report, regardless of how much they just spent on said report ;)
Posted on 08-15-2013 12:07 PM
At least we figured out how to compare the Apps folder :D Run as an EA with <results>whatever</results> and bam.
Personally though, I love the Smart Groups. I have one for each title we offer in Self Service.
Posted on 08-15-2013 12:16 PM
yeah smart groups are your friend :) And kudos on the mdfind command @mm2270. Yet again I will be incorporating that into my master migration script :) I've been looking for a way to compare lists of Apps easily to pick out which ones need an install so during upgrade/reimaging/migration I can compare against a file of App names, populate an array of associated packages and use the jamf binary to do all the work.