Reporting on Remote Access

FutureFacinLuke
Contributor II

Hi,

I have been asked to report on how many users logged into our Mac Labs. I use RealVNC and they cannot provide the information.

So naturally I thought a JAMF report may be the answer. The data I need is in Computer Usage (Login event between one date and another) but cannot be accessed through a report. So next step would be using the API to pull the information.

What I need is:

Username

Date/Time of Login

If that login was over VNC (remote)

Anyone know how I could do this (ideally as an extension attribute) with a script?

5 REPLIES 5

FutureFacinLuke
Contributor II

The data also lives in /Library/Logs/vncserver.log and I'd need to pull lines that start with <13>

<13> 2022-02-08T11:06:13.005Z [$COMPUTERNAME] vncserver[306]: Connections: authenticated: [$EMAIL} (from [IPAddress]::[PORT}), as [$USERNAME] (f permissions)

Any tips on building this as an extension attribute?

Scratch that, won't work because a new file is created each time the service starts and only the previous version is backed up.

rebecca_latimer
New Contributor III

Here is a script that I have used to look for usage. In this example, it looks for all computers in an advanced search to see logins in November between 1 and 2 pm and puts them into a CSV on your desktop. Remember that Jamf may report times in UTC and adjust for that. It isn't exactly what you are looking for, but might help you get there. I am also using ........ to return all student usernames since ours are eight characters each. You would have to modify that part for your environment.

 

#!/bin/bash

#Add your credentials and Jamf Pro URL here if you don't want to be prompted for them. This is also necessary if you are running the script as root (jamf or LaunchDaemon)
jssUser=
jssPassword=
jssURL=

#You can also uncomment this line if you want the script to read which jamf server the computer it is running on connects to.
#jssURL=$(/usr/bin/defaults read ~/Library/Preferences/com.jamfsoftware.jss.plist url)


if [ -z "$jssURL" ]; then
	echo "Please enter the JSS URL:"
	read -r jssURL
fi

if [ -z "$jssUser" ]; then
	echo "Please enter your JSS username:"
	read -r jssUser
fi

if [ -z "$jssPassword" ]; then
	echo "Please enter JSS password for account: $jssUser:"
	read -r -s jssPassword
fi

xpath() {
    # the xpath tool changes in Big Sur
    if [[ $(sw_vers -buildVersion) > "20A" ]]; then
        /usr/bin/xpath -e "$@"
    else
        /usr/bin/xpath "$@"
    fi
}


echo "Logging in to $jssURL as $jssUser"

#gets logged in user to put the csv on their desktop
loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}' )
echo "The currently logged in user is $loggedInUser. Creating CSV file on the desktop..."

#creates the two necessary files (mktemp gives a private, unpredictable temp file; a fixed name in /tmp is unsafe when the script runs as root)
outputFile=$(mktemp /tmp/usage_output.XXXXXX)
touch /Users/"$loggedInUser"/Desktop/Usage.csv

#adds header fields to the CSV
echo "Computer Name","Logins During Target Time" >> /Users/"$loggedInUser"/Desktop/Usage.csv

#loops through all computer IDs in the advanced computer search indicated
computerIDs=($(/usr/bin/curl -X GET -H "Accept: application/xml" -s -u "${jssUser}:${jssPassword}" "${jssURL%/}"/JSSResource/advancedcomputersearches/id/[ID Number of Advanced Search] | xpath "/advanced_computer_search/computers/computer/id" 2> /dev/null | awk -F'</?id>' '{for(i=2;i<=NF;i++) print $i}'))
for id in "${computerIDs[@]}"; do
	#prints the ID number it is working on
	echo "Checking computer with ID $id"
	#gets the name of the device associated with the ID number
	computerName=$(curl -X GET -H "Accept: application/xml" -s -u "${jssUser}:${jssPassword}" "${jssURL%/}/JSSResource/computers/id/$id/subset/general" | awk -F '<name>|</name>' '{print $2}')
	#writes every usage_log event in the computer's history to the temp file, one per line (so they can be parsed as text)
	/usr/bin/curl -X GET -H "Accept: application/xml" -s -u "${jssUser}:${jssPassword}" "${jssURL%/}/JSSResource/computerhistory/id/$id/subset/ComputerUsageLogs" | xpath "/computer_history/computer_usage_logs/usage_log" 2> /dev/null | awk -F'</?usage_log>' '{for(i=2;i<=NF;i++) print $i}' > "$outputFile"
	#counts the lines that are logins in November between 1 and 2 pm CST
	loginNumber=$(grep -c '<event>login</event><username>........</username><date_time>2020/11/[0-1][0-9] at [7-8]:.. PM' "$outputFile")
	echo "$computerName: $loginNumber login(s)"
	echo "$computerName","$loginNumber" >> /Users/"$loggedInUser"/Desktop/Usage.csv
done

#cleans up temporary text file
rm -f "$outputFile"

echo "Complete. A CSV has been created on the desktop with computer usage."

  

So if I wanted to look at all logins from 17 Dec - 4th Jan

	loginNumber=$(grep -c '<event>login</event><username>........</username><date_time>2021/12/[1-2][7-9] at [0-23]:.. PM' /tmp/output.txt)

 How does that time formatting work?
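
An added example, not code from any poster in this thread: it filters the usage-log lines by an inclusive date range instead of a single regex, so a span such as 17 Dec to 4 Jan that crosses a year boundary is handled. The function names, the sample lines, and the one-usage_log-per-line layout (taken from the grep patterns above) are assumptions of this example.

```shell
#!/bin/bash
# Added example. Assumes one usage_log per line, laid out as the grep
# patterns in this thread expect:
#   <event>login</event><username>..</username><date_time>YYYY/MM/DD at H:MM AM|PM</date_time>
# In a bracket expression, [0-23] is ONE character (0, 1, 2 or 3) and
# [1-2][7-9] matches only days 17-19 and 27-29, so a range that crosses a
# month or year boundary is easier to filter by comparing the date itself.

# logins_between FROM TO   (YYYY/MM/DD, inclusive); usage_log lines on stdin.
# Prints "username,YYYY/MM/DD HH:MM" (24-hour clock) for each login event.
logins_between() {
    awk -v lo="$1" -v hi="$2" '
        # text between <tag> and </tag>, or "" when the element is missing
        function field(line, tag,    o, s, e) {
            o = "<" tag ">"; s = index(line, o)
            if (s == 0) return ""
            s += length(o); e = index(substr(line, s), "</" tag ">")
            return (e == 0) ? "" : substr(line, s, e - 1)
        }
        field($0, "event") == "login" {
            dt = field($0, "date_time"); day = substr(dt, 1, 10)
            if (day !~ /^[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]$/) next
            # zero-padded YYYY/MM/DD compares correctly as a plain string
            if (day < lo || day > hi) next
            split(substr(dt, 15), t, /[: ]/)      # "9:05 AM" -> 9, 05, AM
            h = t[1] % 12; if (t[3] == "PM") h += 12
            printf "%s,%s %02d:%s\n", field($0, "username"), day, h, t[2]
        }'
}

# Constructed sample data (not real Jamf output)
sample_usage_logs() {
    cat <<'EOF'
<event>login</event><username>stud0001</username><date_time>2021/12/16 at 11:59 PM</date_time>
<event>login</event><username>stud0002</username><date_time>2021/12/17 at 9:05 AM</date_time>
<event>logout</event><username>stud0002</username><date_time>2021/12/17 at 10:00 AM</date_time>
<event>login</event><username>stud0003</username><date_time>2021/12/30 at 12:10 AM</date_time>
<event>login</event><username>stud0004</username><date_time>2022/01/04 at 8:30 PM</date_time>
<event>login</event><username>stud0005</username><date_time>2022/01/05 at 7:00 AM</date_time>
EOF
}

sample_usage_logs | logins_between 2021/12/17 2022/01/04
```

To use it with the script above, redirect the per-computer temporary file the script writes into `logins_between` in place of the `grep -c` line. The times come out as stored, so any UTC offset still has to be applied afterwards.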

 

FutureFacinLuke
Contributor II

Thanks, that looks really useful, I'm going to test it over the Winter Closure period and see what I get.

Is there any way in the logs etc... to see if a login was through VNC vs local?

FutureFacinLuke
Contributor II