Running JAMF Policy via Self Service

nnewport
New Contributor III

I'm trying to set up a self service policy where users can run it and it will force a policy command check-in. We previously had it set up to do an inventory update and then run the commands "jamf manage;jamf policy". It seems like this was working but now it is not. I've tried a whole new policy that just runs a script with "sudo jamf policy" in it but it doesn't seem to work. We are running OSX 10.9.2.

Any help would be appreciated. The main reason we want this to work is if we push out a cached package if one class needs it they can just run the policy update manually from SS so that it will cache.


krichterjr
Contributor

What's the trigger of the policy you are trying to call via Self Service? I believe the exact command may differ between Casper 8 and 9 (I'm still on Casper 8). I typically use something like this to trigger a policy through Terminal when I'm testing.

```
sudo jamf policy -trigger every15
```

You can omit the sudo if it's run through Casper as it will already be run as root. The every15 is the trigger we typically use. If you just run jamf policy I believe it defaults to the any trigger. So I would start with looking at the trigger of policy you are trying to call.

There are a lot of ways to accomplish what you are trying to do. Take a look at the help page by running `jamf help policy`:

```
Usage: jamf policy [-event <event>] [-username <username>] [-id <policy_id>]

-event The event or trigger that the policy is associated with in the JSS. Historical synonyms include -trigger and -action. Note: Running policy without an event will default to the scheduled event. Other events include: login, logout, startup, networkStateChange, enrollmentComplete, along with custom events.

-username The username to check for policies for.

-id The ID of the policy to be executed. Used by Casper Remote and Self Service.
```

Another option is to have your Self Service policy call the other policy by ID or the Manual Trigger. I'm happy to go into that more but it sounds like you already had this working and are trying to figure out why it's now not working.

obi-k
Valued Contributor III

Had the same issue. What worked for my environment was to create an AppleScript with your code, save it as an app, change the icon (JAMF one), then let techs or whoever run it. You can post the app in Self Service to download.

Here it is:

```
do shell script "sudo jamf manage" with administrator privileges
do shell script "sudo jamf policy" with administrator privileges
beep
display alert "Script Finished!"
```

dpratl
Contributor II

Hi all,

I know this thread is already quite old, but it is not closed and is the only thing I found about this.

I want to start

```
sudo jamf policy -v
```

from the self service.
But this is not working because jamf is already running (I think because self service is open).

Does anyone have a clue how to do this?

Thank you
BR
Daniel

brunerd
Contributor

@nnewport Hey there, I've always meant to get around to doing this... then I learned to live without... and here we are 5 years later (and I've wanted this longer than that!).

Anyway, launchd is perfect, since any processes you attempt to run in a policy script in the background or as a subprocess seem to get killed when the policy completes. Launchd can spawn an independent process that can launch then wait for all processes with "jamf policy" to quit, then it runs, then it uninstalls/erases itself.

Perfect if you have a policy that sets an EA, changes departments, or affects some criteria that puts them in scope for check-in triggered policies; just set this script to run After in your policy.

```
#!/bin/bash
#brunerd - Joel Bruner

#your domain name reversed
reverseDomainName="com.brunerd"

#unload if it exists for some reason
[ -e "/Library/LaunchDaemons/${reverseDomainName}.runJamfPolicy.plist" ] && launchctl unload "/Library/LaunchDaemons/${reverseDomainName}.runJamfPolicy.plist" 2>/dev/null

cat <<-EOF > "/Library/LaunchDaemons/${reverseDomainName}.runJamfPolicy.plist"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>${reverseDomainName}.runJamfPolicy</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/runJamfPolicy.command</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF

#this heredoc is unquoted so ${reverseDomainName} is filled in now;
#every other "$" is escaped so the generated script evaluates it at run time
cat <<-EOF > /usr/local/bin/runJamfPolicy.command
#!/bin/bash

#time to wait between checks ensuring "jamf policy" has ended
sleepIntervalSeconds=10

#send to a log file and echo out
function logEcho {
#echo out to stdout and /var/log/jamf.log
echo "\$(date +'%a %b %d %H:%M:%S') \$(hostname | cut -d . -f1) \${myName:="\$(basename "\${0%%.*}")"}[\${myPID:=\$\$}]: \$@" | tee -a /var/log/jamf.log
}

#until "jamf policy" is not found in the output of "ps auxww", sleep and keep checking
until [ -z "\$(ps auxww | grep "[j]amf policy")" ]; do
    logEcho "jamf policy is still running, waiting \${sleepIntervalSeconds} seconds..."
    sleep \${sleepIntervalSeconds}
done

logEcho "All clear, running '/usr/local/bin/jamf policy'"
/usr/local/bin/jamf policy

logEcho "Finished. Exiting and Uninstalling."

#delete this script
rm "\$0"

#erase the launchd file
rm "/Library/LaunchDaemons/${reverseDomainName}.runJamfPolicy.plist"

#remove the launchd by label name
launchctl remove "${reverseDomainName}.runJamfPolicy"
EOF

#ensure correct ownership and mode
chown root:wheel "/Library/LaunchDaemons/${reverseDomainName}.runJamfPolicy.plist" "/usr/local/bin/runJamfPolicy.command"
chmod ugo+rx,go-w "/usr/local/bin/runJamfPolicy.command"
chmod ugo+r,go-w "/Library/LaunchDaemons/${reverseDomainName}.runJamfPolicy.plist"

#load the launchd
launchctl load "/Library/LaunchDaemons/${reverseDomainName}.runJamfPolicy.plist"
```

Also if you run jamf manage it reloads jamf's launch agents and daemons and Self Service will then only pretend to run policies (you'll see nothing actually runs via jamf.log despite the button animations that might fool you).

This will quickly shut down Self Service and relaunch it as the console user:

```
#the app name and path contain a space, so both must be quoted
killall "Self Service"
su "$(stat -f%Su /dev/console)" -c "open '/Applications/Self Service.app'"
```
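The approach above hinges on one detail that is easy to get wrong: the helper script is written from an unquoted heredoc, so anything with a `$` in it is expanded by the policy script at write time unless it is escaped, and `$0`, `$$` and the timestamp would then refer to the generating script rather than the helper. The block below is an added, portable example (not code from the thread or from Jamf) that shows the pattern in isolation: a deployment-time value (the reverse-domain label) is substituted when the file is written, while run-time expansions are escaped and survive into the file, and a check confirms the deferral worked. The `com.example` domain, the temp-directory path and the helper's log format are constructed for the demo; `launchctl` and `jamf` are deliberately left out so it runs anywhere.

```shell
#!/bin/sh
# Added example, not from the thread: generate a helper script from an
# unquoted heredoc. ${domain} is expanded now; every other "$" is written
# as "\$" so the generated helper, not this script, performs the expansion.
# The "com.example" domain and all paths are constructed for the demo.

# generate_runner OUTFILE DOMAIN
generate_runner() {
    outfile="$1"
    domain="$2"
    cat <<EOF > "$outfile"
#!/bin/sh
# Generated helper; the label is fixed when this file is written.
label="${domain}.runJamfPolicy"

# Everything below expands only when this helper runs.
logEcho() {
    echo "\$(date +'%a %b %d %H:%M:%S') \$(basename "\$0")[\$\$]: \$*"
}

logEcho "label is \$label"
EOF
    chmod 755 "$outfile"
}

# deferred_ok FILE: succeeds only if the run-time expansions were deferred,
# i.e. the generated file still contains the literal text '$(date' and '"$0"'
# rather than a timestamp and the generator's own script name.
deferred_ok() {
    grep -qF '$(date' "$1" && grep -qF '"$0"' "$1"
}

# run_runner FILE: executes the generated helper and prints its log line.
run_runner() {
    "$1"
}

# Stand-alone usage: generate into a temp dir, verify the escaping, run it.
demo_dir=$(mktemp -d)
generate_runner "$demo_dir/runner.sh" "com.example"
deferred_ok "$demo_dir/runner.sh" && echo "escaping preserved in $demo_dir/runner.sh"
run_runner "$demo_dir/runner.sh"
rm -r "$demo_dir"
```

Running it prints a line such as `Tue Jan 02 09:15:00 runner.sh[4242]: label is com.example.runJamfPolicy`: the process name and PID belong to the helper, not the generator, which is exactly what the unescaped version would get wrong. The same `\$` escaping is what the posted `runJamfPolicy.command` heredoc needs for its `$(date ...)`, `${myName...}`, `$@` and `rm "$0"` lines.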