Smart Group by 'Enrolled' Casper Management account?

buckychappell
New Contributor II

I am trying to untangle an array of differing management accounts we've used over time on our client machines.

How do I create a smart group based on the Enrolled management account?

I presume I'm missing something obvious.

Eric 'Bucky' Chappell

mm2270
Legendary Contributor III

No, you're not. You can build a Smart Group based on Macs enrolled through the new self enrollment page, but not just based on what account is managing the Mac. Sadly this option is missing and has been for as long as I can remember. I'm not clear why this hasn't been added as a criteria option since obviously the Casper db is aware of what is managing the Mac. It's right there under the details section, so why can't we search on it?

I have not found a good way to do this other than to build an Extension Attribute that queries the JSS through the Casper API and pulls the information on the management account into a field for that Mac. It's a wacky way of getting the information, but it can be done.
Let me know if you're interested in seeing the general process for an EA to capture this.

buckychappell
New Contributor II

I would definitely be interested - thank you!

Eric 'Bucky' Chappell

mm2270
Legendary Contributor III

OK, so not sure how much you know about the Casper API, but the first thing you have to do is set up at least one account with a password you know in the Accounts tab of your JSS with API privileges. You can give it only read API privileges and also no access to the JSS itself. In other words, uncheck everything under the "Privileges" tab, and click the "Grant All API Read Privileges" link under the API Privileges tab. The reason this would be a good idea is because the password will be in the script for the EA, so you'll want to make sure it's not something with full access to your JSS, just in case.

So, here's what I have for pulling this from the API in a shell script. Special thanks to John Miller @ JAMF for pointing out the use of xpath in another thread, which makes this a bit cleaner.

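#!/bin/sh

# JSS API endpoint that looks up a computer record by MAC address
apiURL="https://your.casper.server.com:8443/JSSResource/computers/macaddress/"
apiUser="api_username"
apiPass="api_password"
# MAC address of en0, with the colons replaced by dots for use in the API URL
MacAdd=$(networksetup -getmacaddress en0 | awk '{ print $3 }' | sed 's/:/./g')

# Fetch the record, select the management_username element and strip its tags
ManAccount=$(curl -s -u "$apiUser:$apiPass" "$apiURL$MacAdd" | xpath '/computer/general/remote_management/management_username[1]' | sed 's/<management_username>//;s/<\/management_username>//')

echo "<result>$ManAccount</result>"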

In the above, change the JSS address to match your own, and also make sure you put in the actual api_username and api_password in the correct variables as above.

What this does is pull the MAC Address for en0 for the Mac, which it uses as the criteria to locate the correct system using the API (I've found this to be more reliable than the computer name). Then it uses that to get just the management_account using xpath and some sed commands, then drops that into the results to echo back.

Let me know if you have any issues with it, but it should work for you. The only possible issue might be with Macs that somehow don't have an en0, but I can't think of cases where that would be true.
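
A hardened variant of the Extension Attribute above, added here as an example and not the original poster's script: it passes the read-only API credentials to curl on stdin with `-K -` instead of as `-u` arguments, which can be visible in the process list, and it reports an error when en0 returns no MAC address rather than querying the API with a bad value. The function names are hypothetical, the server and account are the same placeholders as above, and the tag is extracted with `tr` and `sed` in place of `xpath`.

```shell
#!/bin/sh
# Added example. Server address and account are placeholders.
apiURL="https://your.casper.server.com:8443/JSSResource/computers/macaddress/"
apiUser="api_username"   # read-only API account, as the post recommends
apiPass="api_password"

# Turn aa:bb:cc:dd:ee:ff into aa.bb.cc.dd.ee.ff; fail on anything else,
# such as the error text networksetup prints when en0 does not exist.
normalize_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$1" | sed 's/:/./g'
}

# Read a computer record (XML) on stdin and print the text of the first
# management_username element. Splitting on '<' puts every tag on its own line.
extract_management_username() {
    tr '<' '\n' | sed -n 's:^management_username>::p' | head -n 1
}

# Fetch the record for a dotted MAC address. The credentials are written
# to curl's config on stdin by the printf builtin, so they are not in argv.
# Assumes the password contains no double quote or backslash.
fetch_record() {
    printf 'user = "%s:%s"\n' "$apiUser" "$apiPass" |
        curl -s -f --max-time 15 -K - "$apiURL$1"
}

ea_main() {
    raw=$(networksetup -getmacaddress en0 2>/dev/null | awk '{ print $3 }')
    if mac=$(normalize_mac "$raw"); then
        account=$(fetch_record "$mac" | extract_management_username)
    else
        account="ERROR: no en0 MAC address"
    fi
    echo "<result>$account</result>"
}

# Run only on a Mac, where networksetup exists.
if command -v networksetup >/dev/null 2>&1; then
    ea_main
fi
```

The password is still stored in the script, so the read-only API account described above remains the main safeguard.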