Posted on 10-17-2017 03:08 PM
Hey guys, I hope you can enlighten me:
We have a bunch of policies that we want to be applied in order to consider a machine ready for the user, some are configured to run after enrollment, but some others are set for check-in.
I am being asked to find a way (if possible) to lock the screen while all these policies apply and, when I can ensure that all are in place, unlock the screen and notify the user that the machine is ready.
My approach, but I feel that it's not the best, is to call sudo jamf policy a bunch of times (5 or 6) until I get the "No policies were found", and then send a notification.
Do you know of a better way to pull all the policies in a less caveman-ish way?
Thanks!
Solved! Go to Solution.
Posted on 10-18-2017 08:25 AM
Set up a custom trigger for all the policies you want to have run upon the enrollment, in addition to the other triggers you already have them on.
Then have a single policy run a script that calls each policy in the order you want, like
/usr/local/bin/jamf policy -trigger "trigger1"
/usr/local/bin/jamf policy -trigger "trigger2"
/usr/local/bin/jamf policy -trigger "trigger3"
etc, etc. This will run all the policies you require one after the other, but from the standpoint of a single policy that is scoped to the machine and gets called on it.
Posted on 10-17-2017 06:35 PM
I would seriously look at how your policies are scoping and how they relate to each other, really
sudo jamf recon
sudo jamf policy
Should get you there.
I don't think there is a nice way to lock the screen when it is on the login window but what I have been doing is deploying a custom login window background that makes it pretty clear imaging is in progress, I then replace it with the correct one once imaging is complete, you can still technically log in but it does kind of let you know it's a bad idea.
Posted on 10-18-2017 07:35 AM
Well, locking the machine is not that hard using jamfHelper:
#!/bin/sh
/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType fs -icon /private/enrollment/lockBG.png -heading "Welcome, please wait…" -description "Some policies are being applied." &
This locks the screen, leaving the process in the background, until I kill it. The problem is that a single call to jamf policy doesn't pull all the policies, just about a third.
Maybe there's a way to make if go through all of the policies instead of just a subset… is there?
Posted on 10-18-2017 08:25 AM
Set up a custom trigger for all the policies you want to have run upon the enrollment, in addition to the other triggers you already have them on.
Then have a single policy run a script that calls each policy in the order you want, like
/usr/local/bin/jamf policy -trigger "trigger1"
/usr/local/bin/jamf policy -trigger "trigger2"
/usr/local/bin/jamf policy -trigger "trigger3"
etc, etc. This will run all the policies you require one after the other, but from the standpoint of a single policy that is scoped to the machine and gets called on it.
Posted on 10-18-2017 09:29 AM
Second @mm2270... custom triggers are the way to go . With a custom trigger you can script something to run in the order in which you want it to run. Those policies only get called when you run “sudo jamf policy -event <your custom trigger here>“ in your script.
“sudo jamf policy” without an argument only runs the recurring check in trigger. It does not even around the startup, login, logout or shutdown triggers Without those events either occurring or you telling it to run them in a script
Posted on 10-23-2017 08:25 AM
Thank you @mm2270 and @blackholemac… It was right in front of my nose and I never thought of it.
Posted on 11-15-2017 08:52 AM
@bearzooka Based on your original post, I'd also suggest looking into SplashBuddy. I'm thirding @mm2270 's recommendation for custom triggers, that should be the way to go, but you can use SplashBuddy to lock out the screen and also show progress in a really nice, pretty way.
Posted on 11-15-2017 09:03 AM
That's an interesting approach @znilsson! I haven't looked into SplashBuddy because I was under the impression that it was specific for DEP scenarios and we are not able to use DEP.
I will test it out ASAP.