Skip to main content
Question

Script to remove or change scope in config profiles?

  • April 6, 2022
  • 7 replies
  • 34 views
J
Forum|alt.badge.img+3

Hello, i've been working with jamf support with no luck of deleting a config profile running the following command in terminal:

 

curl -sku $apiUsername:$apiPassword -X DELETE "https://URL.jamfcloud.com/JSSResource/osxconfigurationprofiles/id/{4}”

 

When I click on the configuration profile we're getting a spinning wheel that never loads so i'd like to just blow it out and kill the pending tasks. 

 

Another option is i'd like to take the scope off the config by potentially using a script to change the scope away from all computers so that it doesn't apply to any at all. Anyone have any ideas? Thanks in advance. 

    7 replies

    mm2270
    Forum|alt.badge.img+24
    • mm2270
    • Legendary Contributor
    • April 6, 2022

    Hi, not sure if you're actually putting the curly brackets around the profile ID number, as in /id/{4} but if so, remove those so it's just the number. I know the Classic API shows it with those brackets around the number, but that's just styling to show that the 'value goes here' type of thing.

    I would also recommend putting some kind of quotes around the entire $apiUsername:$apiPassword section to prevent the shell from interpreting any special character(s) in the password. Sometimes it works with single quote marks and other times it needs to be double quotes. See which one works for you better.

    As for removing the scope from the profile, you would of course need to do this change before deleting it from Jamf Pro, so I would be careful with that since I've seen weird cases of profiles that for reasons I can't really explain, end up being non-removable short of a wipe or special direct intervention if they don't have a corresponding entry in Jamf to tell it to remove it from the machine.

    But to change the scope from the API, you have to use POST and edit the xml for the profile to include the changes to the scope section. Here's an example of a profile scope section that includes "All computers" but nothing else.

    <scope> <all_computers>true</all_computers> <all_jss_users>false</all_jss_users> <computers/> <buildings/> <departments/> <computer_groups/> <jss_users/> <jss_user_groups/> <limitations> <users/> <user_groups/> <network_segments/> <ibeacons/> </limitations> <exclusions> <computers/> <buildings/> <departments/> <computer_groups/> <users/> <user_groups/> <network_segments/> <ibeacons/> <jss_users/> <jss_user_groups/> </exclusions> </scope>

    If yours is set up similar to this, you'd change the <all_computers>true</all_computers> to <all_computers>false</all_computers>

      J
      Forum|alt.badge.img+3
      • jamserver
      • Author
      • New Contributor
      • April 7, 2022

      Hi, not sure if you're actually putting the curly brackets around the profile ID number, as in /id/{4} but if so, remove those so it's just the number. I know the Classic API shows it with those brackets around the number, but that's just styling to show that the 'value goes here' type of thing.

      I would also recommend putting some kind of quotes around the entire $apiUsername:$apiPassword section to prevent the shell from interpreting any special character(s) in the password. Sometimes it works with single quote marks and other times it needs to be double quotes. See which one works for you better.

      As for removing the scope from the profile, you would of course need to do this change before deleting it from Jamf Pro, so I would be careful with that since I've seen weird cases of profiles that for reasons I can't really explain, end up being non-removable short of a wipe or special direct intervention if they don't have a corresponding entry in Jamf to tell it to remove it from the machine.

      But to change the scope from the API, you have to use POST and edit the xml for the profile to include the changes to the scope section. Here's an example of a profile scope section that includes "All computers" but nothing else.

      <scope> <all_computers>true</all_computers> <all_jss_users>false</all_jss_users> <computers/> <buildings/> <departments/> <computer_groups/> <jss_users/> <jss_user_groups/> <limitations> <users/> <user_groups/> <network_segments/> <ibeacons/> </limitations> <exclusions> <computers/> <buildings/> <departments/> <computer_groups/> <users/> <user_groups/> <network_segments/> <ibeacons/> <jss_users/> <jss_user_groups/> </exclusions> </scope>

      If yours is set up similar to this, you'd change the <all_computers>true</all_computers> to <all_computers>false</all_computers>


      Many thanks, i'm using terminal to run these commands. Any suggestion on how to change scope using terminal if that's at all possible? The line completes to remove the profile but obviously when I log in it's still there. 

      J
      Forum|alt.badge.img+3
      • jamserver
      • Author
      • New Contributor
      • April 7, 2022

      Hi, not sure if you're actually putting the curly brackets around the profile ID number, as in /id/{4} but if so, remove those so it's just the number. I know the Classic API shows it with those brackets around the number, but that's just styling to show that the 'value goes here' type of thing.

      I would also recommend putting some kind of quotes around the entire $apiUsername:$apiPassword section to prevent the shell from interpreting any special character(s) in the password. Sometimes it works with single quote marks and other times it needs to be double quotes. See which one works for you better.

      As for removing the scope from the profile, you would of course need to do this change before deleting it from Jamf Pro, so I would be careful with that since I've seen weird cases of profiles that for reasons I can't really explain, end up being non-removable short of a wipe or special direct intervention if they don't have a corresponding entry in Jamf to tell it to remove it from the machine.

      But to change the scope from the API, you have to use POST and edit the xml for the profile to include the changes to the scope section. Here's an example of a profile scope section that includes "All computers" but nothing else.

      <scope> <all_computers>true</all_computers> <all_jss_users>false</all_jss_users> <computers/> <buildings/> <departments/> <computer_groups/> <jss_users/> <jss_user_groups/> <limitations> <users/> <user_groups/> <network_segments/> <ibeacons/> </limitations> <exclusions> <computers/> <buildings/> <departments/> <computer_groups/> <users/> <user_groups/> <network_segments/> <ibeacons/> <jss_users/> <jss_user_groups/> </exclusions> </scope>

      If yours is set up similar to this, you'd change the <all_computers>true</all_computers> to <all_computers>false</all_computers>


      Also by change do you have direction on accessing the API to make the changes in post? 

      mm2270
      Forum|alt.badge.img+24
      • mm2270
      • Legendary Contributor
      • April 7, 2022

      Also by change do you have direction on accessing the API to make the changes in post? 


      Yes, so, IF the only thing you need to change for the scope is to flip from the current setting to "Specific Computers" with No Targets as the target (meaning no computers), then something like this should, I think, work.

      #!/bin/zsh /bin/echo "<os_x_configuration_profile><scope><all_computers>false</all_computers></scope></os_x_configuration_profile>" > /tmp/update.xml /usr/bin/curl -sku $apiUsername:$apiPassword "https://URL.jamfcloud.com/JSSResource/osxconfigurationprofiles/id/4" -X PUT -T /tmp/update.xml

      So basically, first line outputs a simple xml file that looks like this when structured

      <?xml version="1.0"?> <os_x_configuration_profile> <scope> <all_computers>false</all_computers> </scope> </os_x_configuration_profile>

      And then uses the API with a PUT command to update the target resource (Configuration Profile ID #4 in your case) by using that previously output file as the source. It leaves all other options alone in the profile and just updates the Scope section with your changes, since that's all the XML contains.

      Give that a try and see if it works. Though I guess I don't know how you'll confirm the change in the GUI since it's not loading. I supposed you could add one more API call to pull down the new profile XML and see if the all_computers section of the scope is now set to false.
      Also, at the completion of a successful API command like above, you should get something like this back in Terminal

      <?xml version="1.0" encoding="UTF-8"?><os_x_configuration_profile><id>4</id></os_x_configuration_profile>%

       

        J
        Forum|alt.badge.img+3
        • jamserver
        • Author
        • New Contributor
        • April 8, 2022

        Yes, so, IF the only thing you need to change for the scope is to flip from the current setting to "Specific Computers" with No Targets as the target (meaning no computers), then something like this should, I think, work.

        #!/bin/zsh /bin/echo "<os_x_configuration_profile><scope><all_computers>false</all_computers></scope></os_x_configuration_profile>" > /tmp/update.xml /usr/bin/curl -sku $apiUsername:$apiPassword "https://URL.jamfcloud.com/JSSResource/osxconfigurationprofiles/id/4" -X PUT -T /tmp/update.xml

        So basically, first line outputs a simple xml file that looks like this when structured

        <?xml version="1.0"?> <os_x_configuration_profile> <scope> <all_computers>false</all_computers> </scope> </os_x_configuration_profile>

        And then uses the API with a PUT command to update the target resource (Configuration Profile ID #4 in your case) by using that previously output file as the source. It leaves all other options alone in the profile and just updates the Scope section with your changes, since that's all the XML contains.

        Give that a try and see if it works. Though I guess I don't know how you'll confirm the change in the GUI since it's not loading. I supposed you could add one more API call to pull down the new profile XML and see if the all_computers section of the scope is now set to false.
        Also, at the completion of a successful API command like above, you should get something like this back in Terminal

        <?xml version="1.0" encoding="UTF-8"?><os_x_configuration_profile><id>4</id></os_x_configuration_profile>%

         


        Thank you, that definitely did something when I ran it but no effect on the policy. I'm afraid it's hung in a partially deleted loop. 

        mm2270
        Forum|alt.badge.img+24
        • mm2270
        • Legendary Contributor
        • April 8, 2022

        Thank you, that definitely did something when I ran it but no effect on the policy. I'm afraid it's hung in a partially deleted loop. 


        And Jamf has no advice on how to remove this with a direct MySQL command? Assuming this is an on prem instance that is. It sounds like that might be your only option to truly rid yourself of this.
        I also think that this got messed up because you did a delete before trying to unscope it. You should always remove scope first and then delete, at least with profiles anyway. Otherwise the profile may get "stuck" deployed to a machine or machines with no easy way to remove it.

        J
        Forum|alt.badge.img+3
        • jamserver
        • Author
        • New Contributor
        • April 8, 2022

        And Jamf has no advice on how to remove this with a direct MySQL command? Assuming this is an on prem instance that is. It sounds like that might be your only option to truly rid yourself of this.
        I also think that this got messed up because you did a delete before trying to unscope it. You should always remove scope first and then delete, at least with profiles anyway. Otherwise the profile may get "stuck" deployed to a machine or machines with no easy way to remove it.


        It's been about two weeks of them trying to figure it out..figured i'd get on here to see if anyone else has run into this. You've been more helpful than support :) we've only got about 12 systems in the console (new to it) at this time so our database should be relatively small. 

        Terms & ConditionsCookie settingsAccessibility statement