Solved

Scope a computer via Jamf Terminal Command



Hi All,

Is there a jamf command that will automatically scope a machine to a certain policy?

Thanks in advance.

Best answer by seraphina


6 replies

Hugonaut
  • Esteemed Contributor
  • 574 replies
  • July 29, 2019

I don't think a one-liner exists to add a computer directly to a policy, like there is to trigger a policy (for example: sudo jamf policy -event PolicyTriggerHere). I would love to be proven wrong, because that's a great line to know! Other methods would be nice to see as well.

I do know you can create a shell script with api calls to add computers to certain policies.

https://your.jps.org:8443/api/#!/policies


  • Valued Contributor
  • 97 replies
  • Answer
  • July 29, 2019

So what you will want to do is something like the following.
The keys you want to change are:

<computer_group_memberships>
      <group>All Managed Clients</group>
      <group>On Campus</group>
      <group>Faculty+Staff Machines</group> <!-- static group -->
      <group>Faculty/Staff Machines</group> <!-- smart group based on DEP or membership of the static -->
      <group>Laptops</group>
      <group>Machines on Mojave or above</group>
</computer_group_memberships>

Step 1: Pull Computer Record
Step 2: Edit the XML response, adding the group you want the computer to be a part of.
Step 3: POST the Computer Record to the appropriate ID

#!/bin/bash
# $4 and $5 are the API username and password, passed in as Jamf policy script parameters
jssUser="$4"
jssPass="$5"
# Read the server URL from the Jamf plist and strip the trailing slash
jssURL=$(/usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url | /usr/bin/sed 's|/$||')
# Use UUID over serial number, that way each computer has a UNIQUE UUID. If a motherboard gets replaced, the UUID changes, but the SN is the same
udid=$(/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/awk '/UUID/ { print $3; }')
# Pull the computer record, pretty-print it, and overwrite any copy left by an earlier run
/usr/bin/curl -s -X GET --user "$jssUser:$jssPass" "$jssURL/JSSResource/computers/udid/$udid" | /usr/bin/xmllint --format - > /var/tmp/record.xml

Programmatically make the changes to your user group, then PUT the updated record (POST will overwrite the record entirely, PUT will change a desired part. You may need to play with this on a non-production machine). You need to do xmllint because the cURL response will be 1 giant line and will mess up with things like sed. Alternatively, however, you should look into --xpath with xmllint.

curl -X PUT --user "$jssUser:$jssPass" -H "Content-Type: application/xml" --data "@/path/to/file" "$jssURL/JSSResource/computers/udid/$udid"

Of course you can probably do this without a GET command at all, and just PUT what you need in the computer record, but again you should play around first before trying to get the API calls working in production.


  • New Contributor
  • 70 replies
  • July 29, 2019

Hmmm, I think it's a bit dubious to change your group membership in your computer record only...
And it's problematic to attempt to change static group membership on the client since you must download the membership, add your Mac by JSS ID and upload the new list. If there are other clients running at the same time there is a possibility that those changes will get overwritten.

One alternative would be to:
• Create an Extension Attribute of the Pop-up kind, only choice is YES (the other being blank)
Name it something that relates to this policy you want to run "Run <POLICY NAME>" or something similar
• Create a Smart Group: "EA - <EA Name> (YES)"
• Scope the policy to this Smart Group

Create a triggered policy, scoped to all, that sets the EA for a client machine (Google around for the code on that)
The script will have the logic to determine the computer's UUID and serial in order to write to the extension attribute for that Mac
Triggername: setEA-<EA_Name>-YES

So then on the client computer: jamf policy -trigger setEA-<EA_NAME>-YES

Then that EA is set, which places it in the Smart Group, which is scoped to the policy you want.
The nice thing is you can now run reports with that EA as a column and track it better than if it was based on a static group or even a Smart Group


sdagley
  • Jamf Heroes
  • 3533 replies
  • July 29, 2019

@brunerd It's no longer necessary to upload an entire Static Group list to add a machine to the membership. See the thread "Script to add a device to a computer group?" for an example of using the computer_additions tag for that.
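
An added example (not written by any poster in this thread, and not Jamf's own code) covering the two approaches raised above: setting an extension attribute on the computer record, and adding one Mac to a static group with the computer_additions tag. It builds each XML payload with escaping and input validation, and sends it with the API credentials passed to curl on stdin rather than in the process arguments. The group id, EA name and serial number in the usage comment are constructed placeholders, and the computergroups path and extension_attributes element layout are assumptions about the Classic API that are not shown on this page.

```shell
#!/bin/bash
# Added example: payload builders for the EA and computer_additions approaches.
# Group id, EA name and serial in the usage comment are constructed placeholders.

# Escape the five XML special characters so a value cannot break the payload.
# '&' is handled first so the later replacements are not double-escaped.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
    -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Payload that sets one extension attribute on a computer record.
ea_payload() {  # $1 = EA name, $2 = value
  printf '<computer><extension_attributes><extension_attribute><name>%s</name><value>%s</value></extension_attribute></extension_attributes></computer>' \
    "$(xml_escape "$1")" "$(xml_escape "$2")"
}

# Payload that adds one Mac to a static group without uploading the whole list.
# Rejects anything that is not a plain alphanumeric serial number.
group_addition_payload() {  # $1 = serial number
  case "$1" in
    ''|*[!A-Za-z0-9]*) echo "invalid serial: $1" >&2; return 1 ;;
  esac
  printf '<computer_group><computer_additions><computer><serial_number>%s</serial_number></computer></computer_additions></computer_group>' "$1"
}

# PUT a payload. Credentials reach curl on stdin (--config -), so they do not
# show up in the process list. A password containing " or \ must be escaped
# for curl's config syntax before it is used here.
jamf_put() {  # $1 = full resource URL, $2 = XML payload; reads jssUser/jssPass
  printf 'user = "%s:%s"\n' "$jssUser" "$jssPass" |
    /usr/bin/curl --silent --fail --config - -X PUT \
      -H "Content-Type: application/xml" --data-binary "$2" "$1"
}

# Usage (not run here; values are placeholders):
#   jamf_put "$jssURL/JSSResource/computergroups/id/42" "$(group_addition_payload C02EXAMPLE123)"
#   jamf_put "$jssURL/JSSResource/computers/udid/$udid" "$(ea_payload 'Run Policy X' YES)"
```

The API account behind jssUser only needs update rights on the objects being written, which limits the damage if the credentials leak from a client-side script.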


  • Contributor
  • 88 replies
  • July 29, 2019

Use a dummy package and a smart group that relies on its presence... then create the file and run jamf recon


sdagley
  • Jamf Heroes
  • 3533 replies
  • July 29, 2019

@duwayne If you're just trying to install a package on an arbitrary Mac you can do that using Jamf Remote. Just find the computer you're looking for in the Jamf Remote GUI, tick the checkbox next to the computer name, select the Packages tab, then enable the package(s) you want installed. It essentially builds a one-off Policy to install the package(s).

