Run jamf policy command when configuration profile pushed

shrisivakumaran
Contributor

Is there any way to run a particular script when a particular configuration profile is pushed to a system?

Use case: on some Macs the jamf policy check-in stalled due to an unknown issue, and we have to run the killall command and then run the jamf policy command. So we are planning to run these commands via a script with the help of a configuration profile. When a particular configuration profile is pushed, the command should run.

Shri Sivakumaran

Ashok_A
Contributor

While the use case appears unclear, the solution would be creating a smart computer group with the Profile name/identifier. This group automatically calculates when the profile is installed on Mac computers and is then used for policy scoping.


AJPinto
Honored Contributor III

Policies are check in based, unless triggered locally on the device. You can trigger a policy to run based on a certain configuration profile being installed or not installed, but Jamf won't know to do the thing until the device's next check in.

cwaldrip
Valued Contributor

As @Ashok_A mentions, this is exactly how I do it. Membership in a Smart Group based on the presence of a Configuration Profile then triggers an 'On Next Check-in' trigger to run a script or install a package.

You can do it the other way as well. If an application has been installed and appears in an Inventory collection, the machine will then fall into a Smart Group and membership in the Smart Group will scope the machine to receive a Configuration Profile.

This solves the problem of needing a configuration profile in place before an app can be installed, or vice versa.

sdagley
Esteemed Contributor II

@shrisivakumaran To restate your request, you're asking how you can have a script launched on the Mac as soon as a Configuration Profile is pushed when the Mac is not properly doing the periodic check in which would normally trigger policies that are in scope? And that script would do a killall on the jamf process then do a "jamf policy" to force an immediate check in?

If so, what you could do is use a LaunchDaemon with a WatchPaths key for a file to be created in "/Library/Managed Preferences" that matches the preference domain used by an Application & Custom Settings payload in your Configuration Profile. Here's a previous post describing a technique for doing that: https://community.jamf.com/t5/jamf-pro/quot-push-quot-trigger-for-jamf-binary/m-p/175199
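The LaunchDaemon described in the reply above, as an added example that is not taken from the thread or from the linked post: a shell function that emits a plist whose WatchPaths entry is the managed preference file for a given domain. The label, preference domain and script path are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: emit a LaunchDaemon plist that fires when the managed
# preference file for a preference domain is created or changed.
# The label, domain and script path passed in are hypothetical placeholders.

make_watch_daemon() {
    label=$1 domain=$2 script=$3
    # Accept only reverse-DNS style names so the values cannot break
    # out of the XML they are written into.
    for v in "$label" "$domain"; do
        case $v in
            ''|*[!A-Za-z0-9._-]*) echo "invalid name: $v" >&2; return 1 ;;
        esac
    done
    # The job runs as root: require an absolute path free of XML metacharacters.
    case $script in
        ''|[!/]*|*'<'*|*'>'*|*'&'*) echo "invalid script path" >&2; return 1 ;;
    esac
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$label</string>
    <key>ProgramArguments</key>
    <array>
        <string>$script</string>
    </array>
    <key>WatchPaths</key>
    <array>
        <string>/Library/Managed Preferences/$domain.plist</string>
    </array>
</dict>
</plist>
EOF
}

# On the Mac the output belongs in /Library/LaunchDaemons/<label>.plist,
# owned by root:wheel with mode 644; launchd rejects a plist with loose
# ownership or permissions. The script it runs executes as root, so it
# should also be root-owned and not writable by other users.
```

The domain passed in must match the preference domain of the Application & Custom Settings payload exactly, since that determines the file name launchd watches.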

shrisivakumaran
Contributor

@sdagley You are right, of course. I tried following @B_Hanson's instructions, but it didn't work. The Launch Daemon has loaded and started, but the command was not running when I pushed the configuration profiles mentioned. I have no idea what I'm lacking.

Shri Sivakumaran