Posted on 10-17-2022 12:19 PM
My question is very simple, is it possible to search for files in my clients' recycle bin? With EA or politics?
Posted on 10-17-2022 01:10 PM
Sure, the Trash is just a hidden folder in your users home folder. Just follow the path /Users/<user_shortname>/.Trash to get to the files trashed by the user.
Posted on 10-17-2022 03:00 PM
I wouldn't do it via an EA - but rather a targeted policy that runs a simple script - this should output everything in the trash. for you to test it I had to give terminal full disk access, so test it first. and then see what it returns in the logs of the policy when run from jamf.
#get logged in user
LastLoggedInUser=$(defaults read /Library/Preferences/com.apple.loginwindow lastUserName)
#list all trash items
ls -al /Users/$LastLoggedInUser/.Trash
Posted on 10-18-2022 07:08 AM
Actually with some scripting you could create a script that runs under a policy that will dump a listing of all the contents of the Trash folder and uploaded via API as an attachment to computer inventory in Jamf Pro.
You could install a launchdaemon that will watch the .trash folder for changes so every time a new file is added, it will trigger a script that logs the file information to a .log file. Then a policy will collect that .log file daily, zip it and upload it via API to the computer inventory in Jamf Pro.
Posted on 10-18-2022 07:20 AM
Good call @falabella_cst - I would recommend what you outlined here vs just adding the results to the inventory record(like an EA does) as it spits it out, it would be a lot less overhead on the server. I'm curious as to the use case behind this as it seems like it would be tons of info.... 🤔
Posted on 10-18-2022 07:32 AM
@Anonymous not only less overhead. An EA collects inventory information, meaning that to collect data you need to run a scheduled inventory policy. If your inventory policies run, say every 12 hours, and in between the user deletes a bunch of files and empties the trash, you will never get that information. Using a launchdaemon/script/policy combo will allow you to list the contents of the trash folder to a log file every time the folder is modified in real time, and at the end of the day, upload the contents of the log file to the Jamf inventory. I'm sure it won't take more than a couple KBs per file.