Removing computer assignment from Static group using API

Jay_007
Contributor

Hi, I'm new to Jamf Pro and the Apple world and I'm utilising this fantastic API script here. I am wanting to see if a Computer object is a member of a Static group, if so, remove that object from that group. Is this possible? 

 

I'm assuming that I can use this to GET the object (variables are defined at the top of my script):

apiURL="JSSResource/computergroups/id/${StaticGroupID}"

apiData="<computer_group><id>${StaticGroupID}</id><name>${StaticGroupName}</name><computer_additions><computer><name>$ComputerName</name></computer></computer_additions></computer_group>"

group_check=$(curl -s \
	--header "Authorization: Bearer ${api_token}" --header "Content-Type: text/xml" \
	--url "${jamfpro_url}/${apiURL}" \
	--data "${apiData}" \
    --request GET > /dev/null)
if [[ ${group_check} -ne 200 ]]; then    
	echo "Device is no longer assigned to static group. Will not proceed." 
fi
exit 0

Next, if that Computer is assigned to that Group, I want to unassign it, but I only see API functions to DELETE a group or computer object and nothing to remove a computer from a group.

https://developer.jamf.com/jamf-pro/reference/computergroups 

 

Basically the goal here is, assign computers to a Static group to make "Erase and Install macOS" available to that computer in Self Service. When the policy is triggered, remove the computer from that group, then run Erase and Install - This is just a failsafe in case admins forget to remove the computer assignment from the Static group after the erase has been triggered, as we don't want Erase and Install available to devices all the time. Only on a case by case basis.

 

I appreciate any help you can give here. 

2 ACCEPTED SOLUTIONS

dlondon
Valued Contributor

I'm not sure that it's necessary to check if the machine is in a group or not.  Adding to a group won't cause an error if it's already in the group and similarly removing from group when it's not in the group also has no error.

Strangely I was thinking about removing from group last week and updated the script here https://community.jamf.com/t5/jamf-pro/bearer-token-api-and-adding-computer-to-static-group/td-p/261...

Maybe that will help

View solution in original post

Thanks, nice idea having the Add/Remove input parameters. Yeah, I decided to remove that section that checks the group first, as it's assumed that the computer will always be a member if it's running the script anyway. 

My example using <computer_deletions> has done the trick, but I might adapt to yours, as that will be handy in future :) 

View solution in original post

5 REPLIES 5

Jay_007
Contributor

Ok, so I think I've found what I need, but I'm just not sure how to put it together...

GET computer in group:

 

# Remove apiData as it's not required?

apiURL="JSSResource/computergroups/id/${StaticGroupID}/$ComputerName"

group_check=$(curl -s \
	--header "Authorization: Bearer ${api_token}" --header "Content-Type: text/xml" \
	--url "${jamfpro_url}/${apiURL}" \
    --request GET > /dev/null)
if [[ ${group_check} -ne 200 ]]; then    
	echo "Device is no longer assigned to static group. Will not proceed." 
fi
exit 0

 

Remove computer from group:

 

#Change to "computer_deletions"

apiData="<computer_group><id>${StaticGroupID}</id><name>${StaticGroupName}</name><computer_deletions><computer><name>$ComputerName</name></computer></computer_deletions></computer_group>"

# Use PUT instead of DELETE

curl -s \
	--header "Authorization: Bearer ${api_token}" --header "Content-Type: text/xml" \
	--url "${jamfpro_url}/${apiURL}" \
	--data "${apiData}" \
    --request PUT > /dev/null

 

Am I on the right track? 

sdagley
Esteemed Contributor II

@Jay_007 Yes, that is the right request type and apiData format to delete a computer from a Static Group

Thanks. I'm still not doing something right with the GET portion though. I have made a change to the header, but still no luck yet.

 

--header 'Accept: application/xml' \

 

dlondon
Valued Contributor

I'm not sure that it's necessary to check if the machine is in a group or not.  Adding to a group won't cause an error if it's already in the group and similarly removing from group when it's not in the group also has no error.

Strangely I was thinking about removing from group last week and updated the script here https://community.jamf.com/t5/jamf-pro/bearer-token-api-and-adding-computer-to-static-group/td-p/261...

Maybe that will help

Thanks, nice idea having the Add/Remove input parameters. Yeah, I decided to remove that section that checks the group first, as it's assumed that the computer will always be a member if it's running the script anyway. 

My example using <computer_deletions> has done the trick, but I might adapt to yours, as that will be handy in future :)