Skip to main content
Question

Reporting on Remote Access

  • February 8, 2022
  • 5 replies
  • 37 views
FutureFacinLuke
Forum|alt.badge.img+8

Hi,

I have been asked to report on how many users logged into our Mac Labs. I use RealVNC and they cannot provide the information.

So naturally I thought a JAMF report may be the answer. The data I need is in Computer Usage (Login event between one date and another) but cannot be accessed through a report. So next step would be using the API to pull the information.

What I need is:

Username

Date/Time of Login

If that login was over VNC (remote)

Anyone know how I could do this (ideally as an extension attribute) with a script?

    5 replies

    FutureFacinLuke
    Forum|alt.badge.img+8
    • FutureFacinLuke
    • Author
    • Valued Contributor
    • February 8, 2022

    The data also lives in /Library/Logs/vncserver.log and I'd need to pull lines that start with <13>

    <13> 2022-02-08T11:06:13.005Z [$COMPUTERNAME] vncserver[306]: Connections: authenticated: [$EMAIL} (from [IPAddress]::[PORT}), as [$USERNAME] (f permissions)

    Any tips on building this as an extension attribute.

     

    Scratch that , won't work because a new file is created each time the service starts and only the previous version is backed up.

    R
    Forum|alt.badge.img+5

    Here is a script that I have used to look for usage. In this example, it looks for all computers in an advanced search to see logins in November between 1 and 2 pm and puts them into a CSV on your desktop. Remember that Jamf may report times in UTC and adjust for that. It isn't exactly what you are looking for, but might help you get there. I am also using ........ to return all student usernames since ours are eight characters each. You would have to modify that part for your environment.

     

    #!/bin/bash #Add your credentials and Jamf Pro URL here if you don't want to be prompted for them. This is also necessary if you are running the script as root (jamf or LaunchDaemon) jssUser= jssPassword= jssURL= #You can also uncomment this line if you want the script to read which jamf server the computer it is running on connects to. #jssURL=$(/usr/bin/defaults read ~/Library/Preferences/com.jamfsoftware.jss.plist url) if [ -z $jssURL ]; then echo "Please enter the JSS URL:" read -r jssURL fi if [ -z $jssUser ]; then echo "Please enter your JSS username:" read -r jssUser fi if [ -z $jssPassword ]; then echo "Please enter JSS password for account: $jssUser:" read -r -s jssPassword fi xpath() { # the xpath tool changes in Big Sur if [[ $(sw_vers -buildVersion) > "20A" ]]; then /usr/bin/xpath -e "$@" else /usr/bin/xpath "$@" fi } echo "Logging in to $jssURL as $jssUser" #gets logged in user to put the csv on their desktop loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}' ) echo "The currently logged in user is $loggedInUser. Creating CSV file on the desktop..." #creates the two necessary files touch /tmp/output.txt touch /Users/"$loggedInUser"/Desktop/Usage.csv #adds header fields to the CSV echo "Computer Name","Logins During Target Time" >> /Users/"$loggedInUser"/Desktop/Usage.csv #loops through all computer IDs in the advanced computer search indicated computerIDs=($(/usr/bin/curl -X GET -H "Accept: application/xml" -s -u "${jssUser}":"${jssPassword}" ${jssURL}/JSSResource/advancedcomputersearches/id/[ID Number of Advanced Search] | xpath "/advanced_computer_search/computers/computer/id" 2> /dev/null | awk -F'</?id>' '{for(i=2;i<=NF;i++) print $i}')) for id in "${computerIDs[@]}"; do #prints the ID number it is working on echo "Checking computer with ID $id" #gets the name of the device associated with the ID number computerName=$(curl -X GET -H "Accept: application/xml" -s -u ${jssUser}:${jssPassword} "${jssURL%/}"/JSSResource/computers/id/$id/subset/general | awk -F '<name>|</name>' '{print $2}') #loops through all of the events in the computer's history and puts them in the txt file (so they can be parsed as text) computerHistory=$(/usr/bin/curl -X GET -H "Accept: application/xml" -s -u ${jssUser}:${jssPassword} "${jssURL%/}"/JSSResource/computerhistory/id/$id/subset/ComputerUsageLogs | xpath "/computer_history/computer_usage_logs/usage_log" 2> /dev/null | awk -F'</?usage_log>' '{for(i=2;i<=NF;i++) print $i}' > /tmp/output.txt) for command in "${computerHistory[@]}"; do #looks through the command text for logins in November between 1 and 2 pm CST loginNumber=$(grep -c '<event>login</event><username>........</username><date_time>2020/11/[0-1][0-9] at [7-8]:.. PM' /tmp/output.txt) echo "$computerName: $loginNumber login(s)" echo "$computerName","$loginNumber" >> /Users/"$loggedInUser"/Desktop/Usage.csv done done #cleans up temporary text file rm /tmp/output.txt echo "Complete. A CSV has been created on the desktop with computer usage."

      

      FutureFacinLuke
      Forum|alt.badge.img+8
      • FutureFacinLuke
      • Author
      • Valued Contributor
      • February 9, 2022

      Thanks, that looks really useful, I'me going to test it over the Winter Closure period and see what I get.

      Is there any way in the logs etc... to see if a login was through VNC vs local?

      FutureFacinLuke
      Forum|alt.badge.img+8
      • FutureFacinLuke
      • Author
      • Valued Contributor
      • February 9, 2022

      Here is a script that I have used to look for usage. In this example, it looks for all computers in an advanced search to see logins in November between 1 and 2 pm and puts them into a CSV on your desktop. Remember that Jamf may report times in UTC and adjust for that. It isn't exactly what you are looking for, but might help you get there. I am also using ........ to return all student usernames since ours are eight characters each. You would have to modify that part for your environment.

       

      #!/bin/bash #Add your credentials and Jamf Pro URL here if you don't want to be prompted for them. This is also necessary if you are running the script as root (jamf or LaunchDaemon) jssUser= jssPassword= jssURL= #You can also uncomment this line if you want the script to read which jamf server the computer it is running on connects to. #jssURL=$(/usr/bin/defaults read ~/Library/Preferences/com.jamfsoftware.jss.plist url) if [ -z $jssURL ]; then echo "Please enter the JSS URL:" read -r jssURL fi if [ -z $jssUser ]; then echo "Please enter your JSS username:" read -r jssUser fi if [ -z $jssPassword ]; then echo "Please enter JSS password for account: $jssUser:" read -r -s jssPassword fi xpath() { # the xpath tool changes in Big Sur if [[ $(sw_vers -buildVersion) > "20A" ]]; then /usr/bin/xpath -e "$@" else /usr/bin/xpath "$@" fi } echo "Logging in to $jssURL as $jssUser" #gets logged in user to put the csv on their desktop loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}' ) echo "The currently logged in user is $loggedInUser. Creating CSV file on the desktop..." #creates the two necessary files touch /tmp/output.txt touch /Users/"$loggedInUser"/Desktop/Usage.csv #adds header fields to the CSV echo "Computer Name","Logins During Target Time" >> /Users/"$loggedInUser"/Desktop/Usage.csv #loops through all computer IDs in the advanced computer search indicated computerIDs=($(/usr/bin/curl -X GET -H "Accept: application/xml" -s -u "${jssUser}":"${jssPassword}" ${jssURL}/JSSResource/advancedcomputersearches/id/[ID Number of Advanced Search] | xpath "/advanced_computer_search/computers/computer/id" 2> /dev/null | awk -F'</?id>' '{for(i=2;i<=NF;i++) print $i}')) for id in "${computerIDs[@]}"; do #prints the ID number it is working on echo "Checking computer with ID $id" #gets the name of the device associated with the ID number computerName=$(curl -X GET -H "Accept: application/xml" -s -u ${jssUser}:${jssPassword} "${jssURL%/}"/JSSResource/computers/id/$id/subset/general | awk -F '<name>|</name>' '{print $2}') #loops through all of the events in the computer's history and puts them in the txt file (so they can be parsed as text) computerHistory=$(/usr/bin/curl -X GET -H "Accept: application/xml" -s -u ${jssUser}:${jssPassword} "${jssURL%/}"/JSSResource/computerhistory/id/$id/subset/ComputerUsageLogs | xpath "/computer_history/computer_usage_logs/usage_log" 2> /dev/null | awk -F'</?usage_log>' '{for(i=2;i<=NF;i++) print $i}' > /tmp/output.txt) for command in "${computerHistory[@]}"; do #looks through the command text for logins in November between 1 and 2 pm CST loginNumber=$(grep -c '<event>login</event><username>........</username><date_time>2020/11/[0-1][0-9] at [7-8]:.. PM' /tmp/output.txt) echo "$computerName: $loginNumber login(s)" echo "$computerName","$loginNumber" >> /Users/"$loggedInUser"/Desktop/Usage.csv done done #cleans up temporary text file rm /tmp/output.txt echo "Complete. A CSV has been created on the desktop with computer usage."

        


      So if I wanted to look at all logins from 17 Dec - 4th Jan

       

       

       

      loginNumber=$(grep -c '<event>login</event><username>........</username><date_time>2021/12/[1-2][7-9] at [0-23]:.. PM' /tmp/output.txt)

       

       

       How does that time formatting work?

       

      FutureFacinLuke
      Forum|alt.badge.img+8
      • FutureFacinLuke
      • Author
      • Valued Contributor
      • February 10, 2022

      https://apple.stackexchange.com/questions/283385/where-to-find-vnc-access-logs-with-ip-addresses-on-sierra looks useful.

       

      Now how to translate this into @rebecca_latimer script or an EA...?

      Terms & ConditionsCookie settingsAccessibility statement