Scope a computer via Jamf Terminal Command

nick_casio
New Contributor II

Hi All,

Is there a jamf command that will automatically scope a machine to a certain policy?

Thanks in advance.

2 ACCEPTED SOLUTIONS

seraphina
Contributor II

So what you will want to do is something like the following.
The keys you want to change are:

<computer_group_memberships>
      <group>All Managed Clients</group>
      <group>On Campus</group>
      <group>Faculty+Staff Machines</group> <!-- static group -->
      <group>Faculty/Staff Machines</group> <!-- smart group based on DEP or membership of the static -->
      <group>Laptops</group>
      <group>Machines on Mojave or above</group>
</computer_group_memberships>

Step 1: Pull Computer Record
Step 2: Edit the XML response, adding the group you want the computer to be a part of.
Step 3: POST the Computer Record to the appropriate ID

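#!/bin/bash
# Jamf script parameters 4 and 5 carry the API account's username and password.
jssUser="$4"
jssPass="$5"
# Read the Jamf Pro URL from the client preferences and strip the trailing slash.
jssURL=$(/usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url | /usr/bin/sed 's/.$//')
# Use UUID over serial number, that way each computer has a UNIQUE UUID. If a motherboard gets replaced, the UUID changes, but the SN is the same.
udid=$(/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/awk '/UUID/ { print $3; }')
# Fetch the record and pretty-print it; write with > so the file holds exactly one XML document.
/usr/bin/curl -X GET --user "$jssUser:$jssPass" "$jssURL/JSSResource/computers/udid/$udid" | /usr/bin/xmllint --format - > /var/tmp/record.xml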

Programmatically make the changes to your user group, then PUT the updated record (POST will overwrite the record entirely, PUT will change a desired part. You may need to play with this on a non-production machine). You need to do xmllint because the cURL response will be 1 giant line and will mess with things like sed. Alternatively, however, you should look into --xpath with xmllint.

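# curl --data defaults to form encoding, so declare the body as XML explicitly.
curl -X PUT --user "$jssUser:$jssPass" -H "Content-Type: text/xml" --data "@/path/to/file" "$jssURL/JSSResource/computers/udid/$udid"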

Of course you can probably do this without a GET command at all, and just PUT what you need in the computer record, but again you should play around first before trying to get the API calls working in production.


brunerd
Contributor

Hmmm, I think it's a bit dubious to change your group membership in your computer record only...
And it's problematic to attempt to change static group membership on the client since you must download the membership, add your Mac by JSS ID and upload the new list. If there are other clients running at the same time there is a possibility that those changes will get overwritten.

One alternative would be to:
• Create an Extension Attribute of the Pop-up kind, only choice is YES (the other being blank)
Name it something that relates to this policy you want to run "Run <POLICY NAME>" or something similar
• Create a Smart Group: "EA - <EA Name> (YES)"
• Scope the policy to this Smart Group

Create a triggered policy, scoped to all, that sets the EA for a client machine (Google around for the code on that)
The script will have the logic to determine the computer's UUID and serial in order to write to the extension attribute for that Mac
Triggername: setEA-<EA_Name>-YES

So then on the client computer: jamf policy -trigger setEA-<EA_NAME>-YES

Then that EA is set, which places it in the Smart Group, which is scoped to the policy you want.
The nice thing is you can now run reports with that EA as a column and track it better than if it was based on a static group or even a Smart Group
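
One way the EA-setting script described above could look, as an added example that is not part of the original post or Jamf's own code. It assumes the basic-auth Classic API used elsewhere in this thread and Jamf script parameters $4 (API user), $5 (API password) and $6 (EA name); the function names are hypothetical.

```bash
#!/bin/bash
# Added example: set one Extension Attribute on this Mac's computer record.
# Function names and the $4/$5/$6 parameter layout are assumptions.

# Escape XML special characters so a value cannot break out of its element.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                         -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Minimal PUT body: only the extension attribute, not the whole record.
build_ea_payload() {
  printf '<computer><extension_attributes><extension_attribute><name>%s</name><value>%s</value></extension_attribute></extension_attributes></computer>' \
    "$(xml_escape "$1")" "$(xml_escape "$2")"
}

# Emit a curl config line holding the credentials. Feeding it to curl on
# stdin keeps the password out of the process list. Backslashes and double
# quotes are escaped as curl's quoted config values require.
curl_user_config() {
  printf 'user = "%s"\n' \
    "$(printf '%s:%s' "$1" "$2" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
}

set_ea() {  # usage: set_ea <jssURL> <apiUser> <apiPass> <EA name> <value>
  udid=$(/usr/sbin/system_profiler SPHardwareDataType |
         /usr/bin/awk '/Hardware UUID/ { print $3 }')
  curl_user_config "$2" "$3" |
    /usr/bin/curl --silent --fail --config - -X PUT \
      -H "Content-Type: text/xml" \
      --data "$(build_ea_payload "$4" "$5")" \
      "$1/JSSResource/computers/udid/$udid"
}

# Contact the server only when Jamf passed an EA name in parameter 6.
if [ -n "${6:-}" ]; then
  jssURL=$(/usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url)
  set_ea "${jssURL%/}" "$4" "$5" "$6" "YES"
fi
```

The API account behind $4/$5 only needs rights to update computer records, which limits what a leaked credential can change.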


6 REPLIES

Hugonaut
Valued Contributor II

I don't think a one-liner exists to add a computer directly to a policy like there is to trigger a policy, for example: sudo jamf policy -event PolicyTriggerHere. Would love to be proven wrong because that's a great line to know! Other methods would be nice to see as well.

I do know you can create a shell script with api calls to add computers to certain policies.

https://your.jps.org:8443/api/#!/policies



sdagley
Esteemed Contributor II

@brunerd It's no longer necessary to upload an entire Static Group list to add a machine to the membership. See the thread "Script to add a device to a computer group?" for an example of using the computer_additions tag for that.
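
A sketch of the computer_additions approach mentioned above, as an added example that is not taken from the linked thread or from Jamf's own code. It assumes the Classic API computergroups endpoint, a static group ID passed as Jamf script parameter $4, and a root-only curl config file whose path is in the hypothetical variable JAMF_CURL_CONFIG; the function names are also hypothetical.

```bash
#!/bin/bash
# Added example: add this Mac to a static group by sending only a delta.
# JAMF_CURL_CONFIG, the $4 layout and the function names are assumptions.

# The serial number lands in XML and the group ID in a URL, so allow-list
# both instead of trusting whatever the caller passed in.
valid_serial()   { case "$1" in ''|*[!A-Za-z0-9]*) return 1 ;; *) return 0 ;; esac; }
valid_group_id() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# PUT body naming only the machine to add. The existing membership is not
# downloaded or re-uploaded, so concurrent clients cannot overwrite each other.
build_addition_payload() {
  valid_serial "$1" || { echo "rejecting serial: $1" >&2; return 1; }
  printf '<computer_group><computer_additions><computer><serial_number>%s</serial_number></computer></computer_additions></computer_group>' "$1"
}

add_to_static_group() {  # usage: add_to_static_group <jssURL> <groupID> <serial>
  valid_group_id "$2" || { echo "rejecting group id: $2" >&2; return 1; }
  body=$(build_addition_payload "$3") || return 1
  # Credentials are read from the config file, not placed on the command line.
  /usr/bin/curl --silent --fail --config "$JAMF_CURL_CONFIG" -X PUT \
    -H "Content-Type: text/xml" --data "$body" \
    "$1/JSSResource/computergroups/id/$2"
}

# Contact the server only when Jamf passed a group ID in parameter 4.
if [ -n "${4:-}" ]; then
  jssURL=$(/usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url)
  serial=$(/usr/sbin/system_profiler SPHardwareDataType |
           /usr/bin/awk '/Serial Number/ { print $NF }')
  add_to_static_group "${jssURL%/}" "$4" "$serial"
fi
```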

seann
Contributor

Use a dummy package and a smart group that relies on its presence... then create the file and run jamf recon

sdagley
Esteemed Contributor II

@duwayne If you're just trying to install a package on an arbitrary Mac you can do that using Jamf Remote. Just find the computer you're looking for in the Jamf Remote GUI, tick the checkbox next to the computer name, select the Packages tab, then enable the package(s) you want installed. It essentially builds a one off Policy to install the package(s).