Jamf Nation Community

@bentoms We're at the latest, 9.22.

@freddie.cox, cool. Just wanted to make sure.

I guess you could use dummy receipts to right a file that is picked up by an extension attribute & then runs the binding?

Hang on, why do you need to un/re-bind? The AD Binding should work across the update.

I would test using a Smart Group and a policy targeted at that group. In the workflow you listed above, the Self Service policy, just add something like this to the "Execute Command" box on the Files And Processes "tab":

touch /Library/Application Support/JAMF/Receipts/OS-Upgrade.tx | jamf recon

Have a Smart Group set to look for that "receipt", or an EA that looks for that file and a Smart Group that looks for it, or however you want to get the computer into the Smart Group.

Then have a policy that is set for "startup" that runs the scripts you want.

I would test this, obviously, because I'm not certain how the policy will react to the restart that the OS installer does. It should not trigger the policy, but you can never be too safe.

@freddie.cox][/url][/url I don't know if this will work with the OS upgrade workflow, but you could try building a one time LaunchDaemon + script that you could package up and include as part of the OS upgrade policy. Something that would be installed maybe after the OS upgrade, or maybe before, I'm not sure which would make more sense.

What the LD and script could do is check for connectivity to the JSS, and when successful, have it move on to run your specific policy by ID or trigger, and finally when complete, unload and delete the LaunchDaemon as well as deleting itself, so self destructing, or self cleaning, however you want to look at it. As long as the LaunchDaemon has the RunAtLoad key and maybe a start interval of 10 seconds, it should load at startup and keep rerunning until it can connect with the JSS and run the policy, then remove itself.

Actually for that matter you could potentially script the entire bind process or whatever it is that you need to happen after the upgrade, without relying on connection to the JSS.

Does that help?

@bentoms If I do not unbind I get some awesome PAM errors that throw directory services into a meltdown (E.g 300% CPU utilization) following the upgrade.

Also, since they are stored in /etc and /opt I sometimes get some permissions problems following the upgrade that I have just found it easier to unbind, remove, upgrade, re-install and rejoin.

@stevewood I was toying around with that as an option, but was also concerned about how it would handle the restarts the Installer has baked in.

@mm2270 JSS Connection wouldn't be as crucial as the ability to hit our LDAP server, but I do understand the logic.

@Chris I just found the DerFlounder page. I'll take a look at the other link you posted.

Thanks all for the quick replies!

Looking like going with @Chris suggestion is going to be the ticket.

Still working out some of the kinks in the process, but thanks all!

You could also refer to this thread:

https://jamfnation.jamfsoftware.com/discussion.html?id=7397

We used a LaunchD item for our 10.8 upgrade and it worked very consistently. I had hit and miss results when testing doing it via smart groups.