Script check to see if configuration profile is installed

Bko
New Contributor II

Hello,

I want to check to see if a configuration profile has come down and been installed before I proceed with a script in self service. I know I can list the configuration profiles using the "profiles" command but I'm not sure how to check if a profile has come down and proceed if it has and wait x amount of time if it hasn't.

Any help would be appreciated.

Thank you!

1 ACCEPTED SOLUTION

maiksanftenberg
Contributor II

This is what we do via $4 in Jamf Pro to check for the profile.

#!/bin/sh profiles=`profiles -C -v | awk -F: '/attribute: name/{print $NF}' | grep "$4" if [ "$profiles" == " $4" ]; then echo "Profile exists" else echo "Profile does not exists" fi exit 0

If you need this to pause, well then I would create a loop to check this.

View solution in original post

8 REPLIES 8

maiksanftenberg
Contributor II

This is what we do via $4 in Jamf Pro to check for the profile.

#!/bin/sh profiles=`profiles -C -v | awk -F: '/attribute: name/{print $NF}' | grep "$4" if [ "$profiles" == " $4" ]; then echo "Profile exists" else echo "Profile does not exists" fi exit 0

If you need this to pause, well then I would create a loop to check this.

Quan_nong
Contributor

You could use "Smart Groups" to determine if the machine has the configuration profile installed

Bko
New Contributor II

Oh thanks! I was trying something similar but trying to check if the value returned as successful or not. FYI, you might want to edit the line to include the closing back tick =)

@Quan.nong Smart groups take time to populate and cause overhead. For our purposes, this is a script that gets run very soon after enrollment so we needed a check in the policy itself.

Thanks!

Bko
New Contributor II

To expand further, I'm looping the check a few times so it's not indefinite but I want it to quit if it hits the the number of times I set. How would I do this. Right now I have:

profiles=profiles -C -v | awk -F: '/attribute: name/{print $NF}' | grep "$4" n=0 while [ "$profiles" != "$4" ] && [[ $n -lt 3 ]]; do echo "Profile does not exist" && sleep 3; n=$((n+1)) done echo "Profile exists" exit 0

What I want to do is if the counter hits 3 (in this example) to exit out rather than continuing on.

ebioit
New Contributor II

@Bko I think I'm going to copy and modify your script a bit. You can accomplish what you want with a different exit code. The block above will always exit 0 if you add another if statement in your loop you can set a condition of failure.

I need to test this but some of my software isn't installing correctly due to the kernel extension profile installing after the installation policy executes.

#!/bin/sh
profiles=`profiles -C -v | awk -F: '/attribute: name/{print $NF}' | grep "$4"`
timelimit=600
time=0
while [ "$profiles" != "$4" ] && [[ $time -lt $timelimit ]]; do
    echo "Profile does not exist, waiting one minute..." && sleep 60; time=$((time+60))
    if [ $time == $timelimit ]; then
        echo "The profile was not installed within the time limit"
        exit 1
    fi
done
    echo "Profile exists"
    jamf policy -event some-dep-policy
exit 0

eradah
New Contributor

I want to check if configuration profile of ATP defender has installed on devices which I scope. As I have scope around 40+ Mac devices but in that some of the devices showing inactive or no sensor data status in ATP defender portal.
Pls can someone help me here?

mschroder
Valued Contributor

I am a bit puzzled about the need to check this with scripts. If the profile comes from the MDM, the MDM knows about it. For the policies where I need a profile before I can install a PKG via Self-Service (usually apps that require a kernel extension), I use the following logic to make sure the profile is installed before going further :

  • Policy in Self-Service creates a file that acts as a flag and runs a recon to inform MDM about existence
  • Policy is Self-Service that informs user that his request is being handled (to avoid user confusion)
  • Config Profile that installs the needed profile to devices that have this flag
  • Policy that installs package to the nodes that have the profile installed

I never manually check for the profile.

If you need to pause in the middle of an uninstall script until certain profiles are gone (like say... while removing a security agent with multiple system extensions - which led me here, lol), it can be useful.