NetworkStateChange Trigger Casper 9.21

tijones
New Contributor II

Hey Guys,

I'm having a few issues getting this working.

What I want to do is trigger a script to log users into our proxy server automatically when they plug into the LAN.

e.g. a user goes to a meeting with a laptop on wifi, comes back to the office and plugs into the network, and when they do the script is triggered,
e.g. a user turns up at work in the morning and the PC is locked (sleep); they plug it in and unlock the machine, and the script is triggered.

I have created a policy and limited it only to the Subnet I want it to run on and only on MacBook devices with the trigger network state change, but it doesn't ever seem to trigger,

Even making it available offline it still doesn't trigger,

Any ideas what I am doing wrong or is this even possible?

15 REPLIES

bentoms
Release Candidate Programs Tester

@tijones, why not use a PAC file to define your proxy?

If the URL you give for your PAC is only internally resolvable, when out of the office the clients will attempt to use the PAC but quickly give up & then go direct.

We do that & use the below to set it: http://macmule.com/2011/09/09/how-to-change-the-automatic-proxy-configuration-url-in-system-preferen...

nkalister
Valued Contributor

Like Ben said, if you can, use a PAC file to accomplish this. If a PAC file isn't a possibility, consider using a launchd with a watch path of /Library/Preferences/SystemConfiguration. That's what we do: the launchd's script is triggered when SystemConfiguration changes, which will happen whenever the network state changes. The script looks at what SSID the Mac is connected to on wifi, and changes locations to either turn the proxy on or off as needed. It's been working very well for us, and might be simpler to set up and test than trying to use the network state change trigger, since everything needed to turn the proxy on or off is local to the machine... no JSS communication necessary.

tijones
New Contributor II

Yea can't use a PAC file not really what I'm trying to accomplish,

I just need to echo out

echo "IP="$IPADDR",""PERSON="$TheUser,"ACTION=ONLINE"

If you plug in the LAN cable

Would a launchd under systemconfiguration do this on 10.9?

I have an every 15 min trigger to do echo "IP="$IPADDR",""PERSON="$TheUser,"ACTION=PING"

and a login trigger to do echo "IP="$IPADDR",""PERSON="$TheUser,"ACTION=ONLINE"

But I need to also trigger ONLINE on wake from sleep / unlock and plug in network cable

nkalister
Valued Contributor

It should, but test, test, test. Our requirements were for proxy settings, so a little different emphasis than your situation. But afaik, using the system configuration watch path should get you what you need. We are using this under 10.9 with no changes from 10.8.

mm2270
Legendary Contributor III

@tijones wrote:

Would a launchd under systemconfiguration do this on 10.9?

Yes, and in fact more reliably under Mavericks than in 10.8. Mountain Lion had some odd issues where processes would trigger the preference.plist file inside /Library/Preferences/SystemConfiguration/ to get modified nearly constantly. This in turn would cause any LaunchDaemon/Agents that used that folder as a WatchPath to get re-triggered all the time. We have a launchd that uses that WatchPath and had to modify our script to force a 10 second sleep to prevent the Console System log from being filled up with launchd throttle errors. (Launchd jobs can only run at max once every 10 seconds or the OS throttles them and writes that into the log file.)

Fortunately from what I can see, 10.9 fixes this issue. So only on a network change, like plugging in a cable or connecting to a Wi-Fi SSID, connecting to VPN, etc. does anything in that folder get modified, which in turn will trigger any launchd job watching that directory.

nkalister
Valued Contributor

Yep, we did see occasional throttling messages in 10.8 from that launchd. Haven't seen them in my 10.9 testing, but I don't have a large enough sample size on that to say for sure it's fixed. Good to hear it has been!!

tijones
New Contributor II

Ok so I have got this far,

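# Collect the IPv4 addresses of active interfaces that contain "156".
IPADDR=$(/sbin/ifconfig -u | /usr/bin/grep -i "inet " | /usr/bin/grep "156" | /usr/bin/cut -d" " -f2)
# Fire the policy only when an address contains 156.62. (-F matches the dots literally).
if /usr/bin/grep -qF "156.62." <<<"$IPADDR"; then
    sudo jamf policy -event internetautologin
fi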

How do I create a launchd to run on change of network state? I see how the casper one start interval 900,

All this because I can't get the casper network state changes to work.

nkalister
Valued Contributor

Well, you'll need a standard launchd plist. The keys you'll need to include are ProgramArguments (that'll be the path to your script) and WatchPaths, which is the path that launchctl will watch for changes and use as the trigger. That'll be the /Library/Preferences/SystemConfiguration path we talked about earlier.
Launchd documentation from Apple is here:
https://developer.apple.com/library/mac/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/Cre...

If anyone else has better tutorials, post links!

mm2270
Legendary Contributor III

I recommend using an app like LaunchControl to create the launchd. Although it's certainly possible to craft them manually, and some people do, I've run into too many issues with making them that way. OS X is very picky about launchd plists. If they aren't exactly the way it expects them to be it will skip over them.

LaunchControl - https://jamfnation.jamfsoftware.com/viewProduct.html?id=246&view=info

Also keep in mind that LaunchDaemons, from /Library/LaunchDaemons/ run as root, but any LaunchAgents, like in /Library/LaunchAgents/ or ~/Library/LaunchAgents/ run as the user, so they won't run commands as root. Since your script calls a policy with the jamf binary, you'll need to have it designed as a Daemon, not an Agent.
Lastly, I would drop the sudo from the final script since it won't be needed in that instance.
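
The LaunchDaemon described in the two replies above, sketched as an added example that is not from any poster in this thread. The label and script path are hypothetical; only the WatchPaths directory comes from the thread. Because the daemon runs as root, the install step also makes the plist and script root-owned and not writable by other users.

```shell
#!/bin/bash
# Added example, not code from the thread. LABEL and SCRIPT are hypothetical.
LABEL="com.example.netchange"
SCRIPT="/Library/Scripts/netchange.sh"
WATCH="/Library/Preferences/SystemConfiguration"   # path named in the thread

# Print a LaunchDaemon plist: run script $2 whenever anything under $3 changes.
make_plist() {
cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$1</string>
    <key>ProgramArguments</key>
    <array>
        <string>$2</string>
    </array>
    <key>WatchPaths</key>
    <array>
        <string>$3</string>
    </array>
</dict>
</plist>
EOF
}

# What the triggered script can test: does any IPv4 address start with the office
# prefix? Reads ifconfig output on stdin; $1 is a dotted prefix such as "156.62.".
# Anchoring on the "inet" field avoids matching the digits elsewhere in a line.
has_office_ip() {
    awk -v p="$1" '$1 == "inet" && index($2, p) == 1 { found = 1 } END { exit !found }'
}

# Run as root on the Mac. launchd executes the script as root, so neither file may
# be writable by another user, or that user controls what root runs.
install_daemon() {
    local plist="/Library/LaunchDaemons/$LABEL.plist"
    make_plist "$LABEL" "$SCRIPT" "$WATCH" > "$plist"
    chown root:wheel "$plist" "$SCRIPT"
    chmod 644 "$plist"
    chmod 755 "$SCRIPT"
    plutil -lint "$plist" && launchctl load "$plist"
}
```

The script at SCRIPT would pipe `/sbin/ifconfig -u` into `has_office_ip "156.62."` and call the jamf policy only when it succeeds.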

tijones
New Contributor II

One of the smart cookies here also discovered that the "Checking for policies triggered by "networkStateChange"..." is only triggered by WiFi connections, not by LAN, which I need

Bauer
New Contributor

What we use is based on the WiFi Location Changer project https://github.com/rimar/wifi-location-changer, which was based on Mac OS X LocationChanger http://tech.inhelsinki.nl/locationchanger/. Both pages have the script and example launchdaemons for download.

Like Nick said, our LocationChanger launchdaemon watches for changes in /Library/Preferences/SystemConfiguration. There were some initial issues with looping since the LocationChanger script was triggered by changes to preferences in the SystemConfiguration folder, and was itself writing changes back to that folder, persistently triggering the launchd, and that was resolved with a simple "sleep 10" at the beginning of the script. After that, all looping of the script and throttling of the launchdaemons was stopped, and our logs have been quiet for about a year now.

Edit: If you have different IP's for WiFi vs wired, you could pick that up with the script, and the tech.inhelsinki version as an example of that process.

A version of our LocationChanger is below, and hopefully it still makes sense after all the sanitation of network location names and names of cities where our offices are located. We have the standard "Automatic" location and four different network locations in OS X to point our Macs to different proxies, depending on their geo, or "Automatic" for no proxy, if they're off our network.

#!/bin/bash

## This script automatically changes the network location based on the current SSID.
## Matt Bauer, Nick Kalister - 2012, 2013 - Source script from github.com/rimar/wifi-location-changer.

# Uncomment below to redirect all output to /dev/null for troubleshooting or testing.
# exec 1>/dev/null 2>/dev/null

# Waiting 10 seconds to let the network connections sort themselves out before executing script. 
# This also keeps the launchdaemon from being throttled as a result of infinitely looping.
sleep 10

AirPortPower=`/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -I | grep -e AirPort: | cut -d ':' -f 2 | tr -d ' '`
AirPortOff=Off
SSID=`/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -I | grep ' SSID:' | cut -d ':' -f 2 | tr -d ' '`
WorkSSID=CorporateWifiSSID
LocationCheck=`networksetup -getcurrentlocation`
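# grep -o prints only the matched prefix, so the equality tests further down can succeed.
CityCheck1=`ifconfig | grep -o '10\.1\.2' | head -n 1`
CityCheck2=`ifconfig | grep -o '10\.1\.3' | head -n 1`
CityCheck3=`ifconfig | grep -o '10\.1\.4' | head -n 1`
CityCheck4=`ifconfig | grep -o '10\.1\.5' | head -n 1`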

# Determine current location and whether it's a corporate location or not.
if [ "$LocationCheck" == "Corp Location 1" ] || [ "$LocationCheck" == "Corp Location 2" ] || [ "$LocationCheck" == "Corp Location 3" ] || [ "$LocationCheck" == "Corp Location 4" ]; then
    Location=WorkLocation
else
    Location=OtherLocation
fi

# Check current IP and determine whether it's one of those city's IP addresses or not.
if [ "$CityCheck1" == "10.1.2" ] || [ "$CityCheck2" == "10.1.3" ] || [ "$CityCheck3" == "10.1.4" ] || [ "$CityCheck4" == "10.1.5" ]; then
    CurrentIP=CityIP
else
    CurrentIP=OtherIP
fi

# Check AirPort power and connection status.
if [ "$AirPortPower" == "$AirPortOff" ]; then
    exit 0
elif [ "$SSID" == "" ]; then
    exit 0
fi

# Check to see if the SSID and network location settings are already accurate.
if [[ "$SSID" == "$WorkSSID" && "$Location" == "WorkLocation" ]]; then
    sleep 5
    /usr/sbin/jamf log
    exit 0
elif [[ "$SSID" != "$WorkSSID" && "$Location" != "WorkLocation" ]]; then
    exit 0
fi

# Change network location and set to an APAC location if the IP address matches one of the Chinese HDS IP addresses.
# CurrentIP holds the literal string CityIP or OtherIP set above; there is no $CityIP variable.
if [[ "$SSID" == "$WorkSSID" && "$CurrentIP" != "CityIP" ]]; then
    scselect "Work Location 1"
    sleep 5
    /usr/sbin/jamf log
elif [[ "$SSID" == "$WorkSSID" && "$CurrentIP" == "CityIP" ]]; then
    scselect "Work Location 2"
    sleep 5
    /usr/sbin/jamf log
else
    scselect Automatic
fi

exit

tijones
New Contributor II

Hey, thanks for the help guys, but I really just wanted to trigger on the change, so I did this. It seems to work OK for me:

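# Follow the system log; -F keeps following after the log is rotated.
tail -F /private/var/log/system.log | while read -r LINE
do
  # A line containing "+:156.62" triggers the login policy.
  if echo "$LINE" | grep -qF "+:156.62"
  then
    jamf -policy -trigger internetautologin
  fi
  # A line containing "-:156.62" triggers the logout policy.
  if echo "$LINE" | grep -qF -- "-:156.62"
  then
    jamf -policy -trigger internetautologout
  fi
done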

Cheers

mostlikelee
Contributor

Based on some initial testing here, the networkstatechange trigger seems very inconsistent. I'm trying to script a network location change and proxy setup when new interfaces are connected. launchd might be the better way to go for now...

mostlikelee
Contributor

Is anyone having issues with the launchdaemon watching /Library/Preferences/SystemConfiguration triggering whenever the jamfagent is checking in for policies?