Posted on 07-23-2020 04:11 PM
I'm hoping to create a simple script that will add a computer to a pre-defined static group. I've seen multiple examples here in the forum, but they all appear to do much more than what I'm looking for (for example, we don't need anything that calls on if/then statements because we would only run a specific script against a specific computer). I'm hoping to create a workflow that goes something like this:
1. Create a policy with a custom trigger that runs the script in question
2. Add that custom trigger to an existing Self Service policy that is already built to install the software that we need on that specific group of computers, as well as name it according to our standard schema. That policy is really just a collection of scripts that call on the custom triggers for all of the necessary software, and would be specific to the group that the computer would ideally be placed in.
To explain: This would be used at a University where students in certain majors receive laptops on their first day. These laptops are organized in static groups based on major and the year that they start, because the students then get to keep the laptop when they graduate. Using static groups helps us keep track of which major and which graduating class we need to un-manage at the end of their four years. So far, we've been using MUT to assign these computers to the correct static group after the student has received their laptop, but this often causes some lag time because we have to wait for the computer to enroll before using the tool.
To avoid potential hiccups in a zero-touch-deployment setup, we currently unbox the computer and make sure it enrolls successfully, then use Self Service to install everything and configure it based on how the computer will be used (faculty/staff, classroom, student, etc). Right now, this process is pretty much: Computer A is going to Prof. Blahblah, so I'll click the 'faculty setup' button in Self Service to have all of the standard faculty software, printers, networks added. We currently have similar one-click Self Service policies in place for each particular major, and would like to have that same policy add the computer to the group associated with that particular policy (haha, forgive me if that's a bit wordy...).
Any ideas on the easiest way to do this?
07-23-2020 08:05 PM - edited 03-22-2022 01:17 PM
@marlink This should be a good example of what you're looking for:
```sh
#!/bin/sh

# API login info
apiuser="USERNAME"
apipass='PASSWORD'
jamfProURL="https://jamfproserver:8443"

ComputerName=$(/usr/sbin/scutil --get ComputerName)
GroupID="1234"
GroupName="Whatever the Group Name is"

apiURL="JSSResource/computergroups/id/${GroupID}"

# XML header stuff (single-quoted so the inner double quotes survive)
xmlHeader='<?xml version="1.0" encoding="UTF-8"?>'
apiData="<computer_group><id>${GroupID}</id><name>${GroupName}</name><computer_additions><computer><name>$ComputerName</name></computer></computer_additions></computer_group>"

# PUT the change to the static group; -k skips TLS certificate verification
curl -sSkiu "${apiuser}:${apipass}" "${jamfProURL}/${apiURL}" \
    -H "Content-Type: text/xml" \
    -d "${xmlHeader}${apiData}" \
    -X PUT > /dev/null
```
The apiuser account for your JSS will require Update rights on Static Groups.
In Production you should use something like Encrypted Script Parameters so you're not passing around an account name and password in clear text.
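An added example, not part of the original post: a variant of the same PUT that XML-escapes the names, keeps the quotes in the XML declaration, reads the credentials into curl from stdin instead of the command line, and fails on a non-2xx status instead of discarding the response. The function names are hypothetical; `apiuser`, `apipass` and `jamfProURL` are assumed to be set as in the script above, and the password is assumed to contain no `"` or `\`.

```shell
#!/bin/sh
# Added example; xml_escape, group_payload and update_static_group are hypothetical names.

# Escape XML-special characters so a name like "R&D Mac" cannot break the body.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# $1=additions|deletions  $2=group ID  $3=group name  $4=computer name
group_payload() {
    case "$1" in
        additions|deletions) ;;
        *) echo "action must be additions or deletions" >&2; return 2 ;;
    esac
    case "$2" in
        ''|*[!0-9]*) echo "group ID must be numeric" >&2; return 2 ;;
    esac
    # Single quotes keep the double quotes inside the XML declaration.
    printf '%s' '<?xml version="1.0" encoding="UTF-8"?>'
    printf '<computer_group><id>%s</id><name>%s</name>' "$2" "$(xml_escape "$3")"
    printf '<computer_%s><computer><name>%s</name></computer></computer_%s>' \
        "$1" "$(xml_escape "$4")" "$1"
    printf '</computer_group>'
}

# PUT the body and succeed only on a 2xx answer. The credentials reach curl
# through a config read from stdin (-K -), so they are not visible in the
# process list the way "-u user:pass" is. Assumes no '"' or '\' in the password.
update_static_group() {
    body=$(group_payload "$1" "$2" "$3" "$4") || return 2
    status=$(printf 'user = "%s:%s"\n' "$apiuser" "$apipass" |
        curl -sS -K - -o /dev/null -w '%{http_code}' \
            -X PUT -H 'Content-Type: text/xml' -d "$body" \
            "${jamfProURL}/JSSResource/computergroups/id/$2") || return 1
    case "$status" in
        2??) return 0 ;;
        *) echo "Jamf Pro returned HTTP $status" >&2; return 1 ;;
    esac
}

# Usage: update_static_group additions "$GroupID" "$GroupName" "$ComputerName"
```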
Posted on 03-22-2022 01:07 PM
@sdagley I've been attempting to use this script, and the only change I made was using $4-7 for variables; however, when being run from Self Service I am getting the following results:
Script exit code: 127
Script result: HTTP/2 200
date: Tue, 22 Mar 2022 19:53:53 GMT
content-type: text/xml;charset=UTF-8
set-cookie: AWSALB=p6UluP8Wecra5MhhgcEcr66etWLa9gIKEvIxHhF553rknc9F7Z4xj18hddURcEDd656hGaKX1h1rOB6r3N206ho1Kctg95DQ9OsaHywoFq9MS6iIWrgN6DaP+n9I; Expires=Tue, 29 Mar 2022 19:53:53 GMT; Path=/
set-cookie: AWSALBCORS=p6UluP8Wecra5MhhgcEcr66etWLa9gIKEvIxHhF553rknc9F7Z4xj18hddURcEDd656hGaKX1h1rOB6r3N206ho1Kctg95DQ9OsaHywoFq9MS6iIWrgN6DaP+n9I; Expires=Tue, 29 Mar 2022 19:53:53 GMT; Path=/; SameSite=None; Secure
server: Jamf Cloud Node
strict-transport-security: max-age=31536000; includeSubdomains;
x-frame-options: DENY
cache-control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
accept-ranges: bytes
vary: Accept-Charset,Accept-Encoding,Accept-Language,Accept
x-xss-protection: 1; mode=block
strict-transport-security: max-age=31536000 ; includeSubDomains
set-cookie: APBALANCEID=aws.use1-std-pelican9-tc-5; path=/;HttpOnly;Secure;
<?xml version="1.0" encoding="UTF-8"?><computer_group><id>693</id><name>00Remove Princeton Schools Profile</name><is_smart>false</is_smart><site><id>-1</id><name>None</name></site><criteria><size>0</size></criteria><computers><size>0</size></computers></computer_group>/Library/Application Support/JAMF/tmp/zAddUserToStaticGroup(remove).bash: line 21: -H: command not found
/Library/Application Support/JAMF/tmp/zAddUserToStaticGroup(remove).bash: line 22: -d: command not found
/Library/Application Support/JAMF/tmp/zAddUserToStaticGroup(remove).bash: line 23: -X: command not found
03-22-2022 01:16 PM - edited 03-22-2022 01:19 PM
@GabeShack It looks like the forum software stripped the \ continuation characters for the curl command. Take a look at the post now and it _should_ have them (the new forum software leaves a lot to be desired regarding posts with code snippets)
Posted on 03-22-2022 01:20 PM
Thanks,
I'd also assume if I change the computer_additions to computer_deletions, it would then remove the computer from the static group?
Posted on 03-22-2022 01:24 PM
Yep, it will.
Posted on 03-22-2022 01:29 PM
I'm getting it completed, however it's not adding or removing to the group. Does the name of the group have to have a specific format? Also can't we do this without using the group name, and just the ID?
03-22-2022 07:37 PM - edited 03-22-2022 07:37 PM
@GabeShack I've never tried with just the group ID. The original example I worked from included both and that's what I stuck with.
As to why your script isn't working, I'm not sure, but I'll refer you to https://community.jamf.com/t5/jamf-pro/bearer-token-api-and-adding-computer-to-static-group/m-p/2614... which is @dlondon 's rework of the old Basic Auth script to use the new Bearer Token Auth mechanism. That will be required for API calls later this year so I'd suggest adopting it now.
Posted on 03-22-2022 01:56 PM
@sdagley This is what I'm seeing, which completes, but the computer in question never gets added to the group.
+ apiuser=xxx
+ apipass=xxx
+ jamfProURL=https://princetonk12.jamfcloud.com
++ /usr/sbin/scutil --get ComputerName
+ ComputerName=HS-Tech-30000
+ GroupID=693
+ GroupName='00Remove Princeton Schools Profile'
+ apiURL=JSSResource/computergroups/id/693
+ xmlHeader='<?xml version=1.0 encoding=UTF-8?>'
+ apiData='<computer_group><id>693</id><name>00Remove Princeton Schools Profile</name><computer_additions><computer><name>HS-Tech-30000</name></computer></computer_additions></computer_group>'
+ curl -sSkiu xxx:xxx https://princetonk12.jamfcloud.com/JSSResource/computergroups/id/693 -H 'Content-Type: text/xml' -d '<?xml version=1.0 encoding=UTF-8?><computer_group><id>693</id><name>00Remove Princeton Schools Profile</name><computer_additions><computer><name>HS-Tech-30000</name></computer></computer_additions></computer_group>' -X PUT
Posted on 07-24-2020 07:18 AM
@sdagley Oh wow, I didn't expect anyone to respond so quickly. Thanks so much! I'll definitely give this a shot!