Scoping A Policy To All, But Via Custom Event Only

derek_ritchison
Contributor

Help me out here, because maybe there is a better way to do this. I am setting up DEP Notify (awesome tool) for my remote team to better manage my MacBooks and their first-time set up flow. I have a number of "First Time Setup" policies that I am triggering with a custom event only - a simple label that I trigger in my DEP Notify script yadda yadda. To make this easy, I want to scope to All Computers but my concern is that a policy that is triggered by a custom event only will still run during the daily inventory update. Is this correct? I do not want unnecessary policies running on every machine once a day, or worse, have an end user get upset because I reconfigured their Dock.

If this is correct, maybe someone has a better way to scope these tasks?


mm2270
Legendary Contributor III

I may not be fully understanding your question here, but, a policy that only has a custom event trigger assigned, and no other triggers will only ever run if it's called by that event trigger, like if it's called in a script or by adding a jamf policy -event <trigger> in a Run Command field of a policy as two possible examples. It should never run under any other circumstances since that event is its sole trigger.
Is this what your concern was, or am I misunderstanding?

derek_ritchison
Contributor

This is my concern, yes. If I scope "Reconfigure Dock" to all computers and trigger it via "dock" I definitely don't want 300 laptops to have their Dock messed with during a daily inventory update or a "sudo jamf recon" since the policy is technically scoped to them.

mm2270
Legendary Contributor III

Even if it's scoped to all, the policy won't run unless you call it specifically by that trigger. The only way it could run on all your Macs repeatedly and unnecessarily would be if you included another trigger, like Check-In or Login or something like that. And also if the policy was set to a frequency other than Once per Computer.

T_Armstrong
Contributor

Daily inventory is daily inventory, not "Daily run all the policies". Something set with a custom trigger will only run when that trigger is pulled. sudo jamf recon only runs recon (inventory); it does not activate ANY policies.

derek_ritchison
Contributor

So, just to be safe, even if I run a "jamf policy all" (or whatever similar command runs all scoped) I would be... okay?

mm2270
Legendary Contributor III

sudo jamf policy is equivalent to "run all policies scoped to this Mac with the Check-in trigger", and no, it would not run a policy that only has a Custom Event trigger, unless, again, you also had the Check-In trigger enabled for said policy.

The only way that policy will run (assuming the Mac is in scope and it hasn't already run in a Once per computer configuration) would be to do something like sudo jamf policy -event "eventname".

In short, yes, you are safe scoping those policies to all Macs as long as you don't add other triggers to them that could cause them to run under another circumstance.

I will say that one thing to be careful of is your main policy, the one tied to DEPNotify that likely calls all the other custom event ones. I have found that, to be safe, it's best to scope that policy to a Smart Group of Macs that have been enrolled via the Prestage Enrollment, not just to all computers. If you use the Enrollment Complete trigger to have that policy run, then if you scoped it to all computers, even Macs that enrolled via User Initiated Enrollment would end up running it, which likely isn't desirable. So that's why I say you should consider narrowing the scope for that to only run on Macs enrolled via your DEP Prestage.
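The checks in the reply above (a custom-event-only policy is safe on All Computers; an extra Check-in/Login trigger or an Enrollment Complete trigger on All Computers is not) can be audited against policy records instead of eyeballed in the console. This is an added example, not code from the thread or from Jamf; it assumes the policy record shape returned by the Jamf Classic API (GET /JSSResource/policies/id/N, fields such as trigger_checkin, trigger_other, frequency and scope/all_computers) and works on constructed records rather than a live server.

```python
import xml.etree.ElementTree as ET

# Built-in triggers that make a policy recur on its own, without anyone calling it.
BUILTIN = ("trigger_checkin", "trigger_login", "trigger_logout",
           "trigger_network_state_changed", "trigger_startup")

def policy_xml(name, custom_event="", all_computers=True, **flags):
    """Build a constructed policy record in the shape of the Classic API
    (assumed field names); only the elements the audit reads are emitted."""
    trig = {t: "false" for t in BUILTIN + ("trigger_enrollment_complete",)}
    trig.update({k: "true" for k, v in flags.items() if v})
    body = "".join(f"<{k}>{v}</{k}>" for k, v in trig.items())
    return (f"<policy><general><name>{name}</name>{body}"
            f"<trigger_other>{custom_event}</trigger_other>"
            f"<frequency>Once per computer</frequency></general>"
            f"<scope><all_computers>{str(all_computers).lower()}</all_computers>"
            f"</scope></policy>")

def audit_policy(xml_text):
    """Return findings for one policy; an empty list means the policy can only
    run when its custom event is called, so scoping it to All is harmless."""
    root = ET.fromstring(xml_text)
    g = root.find("general")
    name = g.findtext("name", "?")
    scoped_all = root.findtext("scope/all_computers") == "true"
    custom = (g.findtext("trigger_other") or "").strip()
    recurring = [t for t in BUILTIN if g.findtext(t) == "true"]
    enrollment = g.findtext("trigger_enrollment_complete") == "true"
    findings = []
    if scoped_all and recurring:
        findings.append(f"{name}: scoped to All Computers but also fires on {recurring}")
    if scoped_all and enrollment:
        findings.append(f"{name}: Enrollment Complete on All Computers also runs on "
                        "user-initiated enrollments; scope to a PreStage smart group")
    if not (custom or recurring or enrollment):
        findings.append(f"{name}: no trigger configured at all")
    return findings

def audit_all(records):
    """Flatten the findings for a list of policy records."""
    return [f for rec in records for f in audit_policy(rec)]

# Constructed records mirroring the thread: one safe, two that would misfire.
SAMPLES = [
    policy_xml("Reconfigure Dock", custom_event="dock"),
    policy_xml("Reconfigure Dock (bad)", custom_event="dock", trigger_checkin=True),
    policy_xml("DEPNotify main", trigger_enrollment_complete=True),
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLES):
        print(finding)
```

Against a real server you would feed each policy's XML from the Classic API into audit_policy instead of the constructed SAMPLES.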

derek_ritchison
Contributor

Ironically, I have a small fleet of non-DEP devices still roaming my floors, and I do want my team to run my DEP Notify script upon completion of manual enrollment. I wish I didn't have non-DEP devices out there (impossibly difficult for people to remember the process for some reason) but such is the life of an org that didn't have IT from the get go! The number is slowly but surely dwindling, at least.