“Negative Trust” Jamf Pro Inventory Health Check

dan-snelson
Valued Contributor II
Leverage a client-side LaunchDaemon, script and .plist trio to determine computer health, based on the Mac’s ability to execute an inventory update policy


Background

In the spring of 2022, I renewed my Utah driver's license and noted it wouldn’t expire for six years. When I obtained my Ohio driver's license last Halloween, I was tickled with the option for an eight-year expiration: “Yes, please!”

When I enrolled a Mac in our Dev lane yesterday, I was also pleased that its Jamf Pro-related certificates won’t expire for more than three years. (Although, by the time you’re reading this, that box has probably already been nuked-and-paved. Thrice.)

If we base a Mac’s compliance solely on the presence of valid MDM certificates, we’re probably allowing too many computers access to sensitive data.

However, if at next week’s traffic stop the police officer simply confirmed I had a valid driver’s license and sent me on my way with a warning to “slow down” — never double-checking what I’ve actually been up to using the computer in the police cruiser — I could continue not worrying about all those unpaid parking tickets.

Similarly, just because a Mac has valid MDM certificates doesn’t guarantee its enrollment is healthy.

Overview

The Jamf Pro Health Check script takes the following approach:

  1. Creates a client-side LaunchDaemon and script pair which marks the Mac as unhealthy each morning shortly after midnight (local time) and immediately after each restart (i.e., negative trust).
  2. Adding this script to your recurring Jamf Pro inventory update policy will then mark the Mac as healthy when the policy executes successfully; end-users can also self-remediate by logging into Self Service and manually running your modified “update computer inventory” policy.
  3. You can then leverage a vendor’s ability to read client-side .plist values to determine if the Mac is healthy or unhealthy (based on the Mac’s ability to successfully execute the assigned Jamf Pro inventory update policies).
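The LaunchDaemon, script and .plist trio described in steps 1 to 3, as an added example that is not dan-snelson's Jamf Pro Health Check script. The reverse-DNS label `org.example.jphc`, the three file paths, the `HealthStatus` and `LastUpdated` keys, and the `install` / `mark-healthy` / `mark-unhealthy` / `status` verbs are all assumptions for illustration; the installed daemon script uses `defaults(1)` because it only ever runs on a Mac, while the helper functions fall back to plain XML so the file can also be exercised on a non-macOS box.

```shell
#!/bin/bash
# Added example (not dan-snelson's Jamf Pro Health Check script): a minimal
# "negative trust" trio made of a LaunchDaemon, a script and a marker .plist.
# Every label and path below is an assumption; change them to your own conventions.

JPHC_LABEL="${JPHC_LABEL:-org.example.jphc}"                              # assumed reverse-DNS label
JPHC_PLIST="${JPHC_PLIST:-/Library/Preferences/${JPHC_LABEL}.plist}"      # assumed marker .plist
JPHC_SCRIPT="${JPHC_SCRIPT:-/usr/local/bin/${JPHC_LABEL}.sh}"             # assumed daemon script
JPHC_DAEMON="${JPHC_DAEMON:-/Library/LaunchDaemons/${JPHC_LABEL}.plist}"  # assumed LaunchDaemon

# Write the marker .plist. On macOS use defaults(1); elsewhere (e.g. a Linux CI
# box exercising this file) fall back to plain XML, which macOS also reads.
write_health_plist() {
  state="$1"
  stamp="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  mkdir -p "$(dirname "$JPHC_PLIST")"
  if command -v defaults >/dev/null 2>&1; then
    defaults write "$JPHC_PLIST" HealthStatus -string "$state"
    defaults write "$JPHC_PLIST" LastUpdated -string "$stamp"
  else
    cat > "$JPHC_PLIST" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>HealthStatus</key>
    <string>${state}</string>
    <key>LastUpdated</key>
    <string>${stamp}</string>
</dict>
</plist>
EOF
  fi
}

# Read the marker back; this is what an Extension Attribute or a third-party
# agent would evaluate. A missing file is reported as "unknown", never "healthy".
read_health_status() {
  [ -f "$JPHC_PLIST" ] || { echo "unknown"; return 0; }
  if command -v defaults >/dev/null 2>&1; then
    defaults read "$JPHC_PLIST" HealthStatus 2>/dev/null || echo "unknown"
  else
    awk '/<key>HealthStatus<\/key>/ { getline; gsub(/.*<string>|<\/string>.*/, ""); print; exit }' "$JPHC_PLIST"
  fi
}

# Install the script the daemon runs and the LaunchDaemon itself:
# RunAtLoad covers "immediately after each restart", StartCalendarInterval
# covers "each morning shortly after midnight (local time)".
install_trio() {
  mkdir -p "$(dirname "$JPHC_SCRIPT")" "$(dirname "$JPHC_DAEMON")"
  cat > "$JPHC_SCRIPT" <<EOF
#!/bin/bash
# Negative trust: every run resets the marker; only a successful inventory policy sets it back.
/usr/bin/defaults write "$JPHC_PLIST" HealthStatus -string "unhealthy"
/usr/bin/defaults write "$JPHC_PLIST" LastUpdated -string "\$(/bin/date -u +%Y-%m-%dT%H:%M:%SZ)"
EOF
  chmod 755 "$JPHC_SCRIPT"
  cat > "$JPHC_DAEMON" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>${JPHC_LABEL}</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/bash</string>
        <string>${JPHC_SCRIPT}</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartCalendarInterval</key>
    <dict>
        <key>Hour</key>
        <integer>0</integer>
        <key>Minute</key>
        <integer>5</integer>
    </dict>
</dict>
</plist>
EOF
  chmod 644 "$JPHC_DAEMON"
  write_health_plist unhealthy   # start distrusted; the next successful inventory run flips it
  # Only bootstrap on a real Mac running as root; a harmless no-op elsewhere.
  if command -v launchctl >/dev/null 2>&1 && [ "$(id -u)" = "0" ]; then
    launchctl bootout system "$JPHC_DAEMON" 2>/dev/null
    launchctl bootstrap system "$JPHC_DAEMON"
  fi
}

# Dispatcher. Jamf Pro passes mount point, computer name and username as $1-$3,
# so when this file is attached to a policy, put the verb in script parameter 4.
case "${4:-${1:-}}" in
  install)        install_trio ;;
  mark-healthy)   write_health_plist healthy ;;    # last step of the inventory update policy
  mark-unhealthy) write_health_plist unhealthy ;;
  status)         read_health_status ;;
esac
```

Run it once as root with `install` to lay down the daemon, attach the same file to the recurring inventory update policy (and its Self Service copy) with parameter 4 set to `mark-healthy`, and point an Extension Attribute or your vendor's .plist reader at the `HealthStatus` key. Because the daemon resets the marker on every boot and at 00:05 local time, a Mac only reads as healthy if the inventory policy actually ran to completion since the last reset, which is the negative-trust property the post is after.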

Continue reading …
