Jamf Nation Community

Hi @May Just to be sure I wasn't pointing you in the wrong direction with this, I actually put together a working script for this. In the below, you would only need to do the following:
Either hardocode in your API account that has both read and write privileges for policies, or use $4 and $5 passed to the script for the account name and password, respectively. Of course, the latter option is more secure than having those credentials hardcoded into the script, but that all depends on who in your organization has access to look at script and policy details. If it needs to be more secure than that, you'd need to use Jamf's encrypted script parameters workflow, which you can find here.
Secondly, you can either hardcode in or pass the policy ID in question that you want to flip the state on to $6. This one should be fine to hardcode in as it's just the policy ID, not credentials.

In the script, I tried to add as many comments to things where the stuff is happening. I tested this on a junk policy by having my own machine act as the gatekeeper to it. If my machine showed available Software Updates, it would disable the policy (verified in the JSS). If I commented out the section on grabbing updates and hardcoded in a 0 for available updates, it would enable the policy (also verified in the JSS). If the policy is already in the state you want it to be in (enabled/disabled) it would do nothing since no action is needed.

Let me know if you have any questions on this, or have trouble getting it to work. It was tested against Jamf Pro 9.99.0.

#!/bin/bash

## change-policy-state

## You can choose to hardcode the API credentials below, or pass them as parameters $4 (username) and $5 (password)
APIUSER=""
APIPASS=""

## Hardcode the policy JSS ID here, or pass it to the script at runtime as $6
POLICYID=""

if [[ -z "$APIUSER" ]] && [[ ! -z "$4" ]]; then
    APIUSER="$4"
elif [ ! -z "$APIUSER" ]; then
    APIUSER="$APIUSER"
fi


if [[ -z "$APIPASS" ]] && [[ ! -z "$5" ]]; then
    APIPASS="$5"
elif [ ! -z "$APIPASS" ]; then
    APIPASS="$APIPASS"
fi


if [[ -z "$POLICYID" ]] && [[ ! -z "$6" ]]; then
    POLICYID="$6"
elif [ ! -z "$POLICYID" ]; then
    POLICYID="$POLICYID"
fi

## Check to make sure all 3 required values are not blank
if [[ -z "$APIUSER" ]] || [[ -z "$APIPASS" ]] || [[ -z "$POLICYID" ]]; then
    echo "API credentials or the JSS policy ID were not passed to this script. Pass the required values to the script and try again."
    exit 1
fi

## Get the JSS URL from plist
JSSURL=$(defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url)

function flipState ()
{

## Adjust the policy xml file by changing the state (enabled/disabled) to the desired state
sed -i "" "s|<enabled>$CURRENT_STATE</enabled>|<enabled>$DESIRED_STATE</enabled>|" /tmp/${POLICYID}.xml

## Check to see if the sed operation was successful, before continuing
if [ "$?" == 0 ]; then
    echo "State changed in local xml file. Attempting to upload"
    ## Upload the modified policy xml to flip the state of the policy
    curl -sfku "${APIUSER}:${APIPASS}" "${JSSURL}JSSResource/policies/id/${POLICYID}" -X PUT -T /tmp/${POLICYID}.xml 2>&1 > /dev/null
    ## Check the exit code for the upload step
    status=$?
    if [ "$status" == 0 ]; then
        echo "Policy state successfully changed to $DESIRED_STATE"
        rm /tmp/${POLICYID}.xml
        exit 0
    else
        echo "Error: Policy state could not be changed"
        rm /tmp/${POLICYID}.xml
        exit 1
    fi
fi

}


function getPolicyData ()
{

## Pull down entire policy xml into /tmp
curl -H "Accept: text/xml" -sfku "${APIUSER}:${APIPASS}" "${JSSURL}JSSResource/policies/id/${POLICYID}" | xmllint --format - > /tmp/${POLICYID}.xml

## Get the current enabled/disabled state of the policy
CURRENT_STATE=$(xpath '/policy/general/enabled/text()' < /tmp/${POLICYID}.xml)

echo "Current policy state: $CURRENT_STATE"

## See if the current policy state is the same as the desired state we received from the SWU check stage
if [ "$CURRENT_STATE" == "$DESIRED_STATE" ]; then
    ## If they match, there is nothing to change, so no need to modify the policy. Just exit
    echo "Policy already in desired state. Nothing to do"
    exit 0
else
    ## If they do not match, we need to modify the xml and re-upload it
    echo "Current policy state and desired state do not match. Changing state for policy"
    ## Run the flipState function
    flipState
fi

}

function checkForSWUs ()
{

echo "Getting available software updates for this system"

## Get a count of available updates on the target/base system
SWU_AVAIL_COUNT=$(/usr/sbin/softwareupdate -l | grep "*" | awk 'END{print NR}')

## The below sets SWU_AVAIL_COUNT to 0 for testing purposes only.
## Should remain commented out when used in production
#SWU_AVAIL_COUNT=0

## If the count we get is above zero, there are available updates. We need to set the policy to off, if needed
if [ "$SWU_AVAIL_COUNT" -gt 0 ]; then
    echo "Current available software updates: $SWU_AVAIL_COUNT"
    echo "Setting desired policy state to: false"
    DESIRED_STATE="false"
    ## Run the function to get the policy details
    getPolicyData
else
    ## If the count we get is not above 0, there are no available updates. We want to set the policy state to on, if needed
    echo "Current available software updates: 0"
    echo "Setting desired policy state to: true"
    DESIRED_STATE="true"
    ## Run the function to get the policy details
    getPolicyData
fi

}

## Run the function above to check for software updates
checkForSWUs