Smart group to show systems with a Restricted Software rule in scope

New Contributor

Is there an extension attribute available (or something else) that will allow me to build a smart computer group which pulls all systems with a specific restricted software rule in scope? Meaning, I want to create a smart computer group that shows all systems that Ive restricted


Legendary Contributor III

There isn't anything built in, I don't think, which will give you those results. Is there some reason you would need this though? Since Restricted Software is scoped just like any other items (policies, config profiles, etc), you can view the scope for the Restricted Software item directly in the JSS GUI.

Maybe I'm just not understanding the need. If you can provide a little more info on what this would solve for you, I can probably help make an Extension Attribute that would let you build a Smart Group. Its the only way I can think that might help you gather all Macs that have a specific restriction in place, other than viewing them right in the JSS that is.

New Contributor

I have the same issue. I have placed restrictive software on and would like to smart group it to see what machines the rule has applied to, or not in this case. Reason to restrict is that students are using it during class time.

Legendary Contributor III

Again, there isn't anything built in that I'm aware of to create such Smart Groups. You'd need to use an Extension Attribute and scrape info from the file that determines the restrictions.
It goes against my better instincts to post info here on what file actually sets what restrictions are in place, since these pages get picked up by Google and someone who is looking to bypass a restriction may get the ammo they need to do so.

That being said, here is a shell script which obscures the path to the file that holds the restrictions. It's mentioned on other threads, so I would look for that and replace the line that says /path/to/file with the correct path. This should get a result of the Restriction titles as well as what process each one uses to do the blocking. It does not grab things like the text that may pop up in a dialog, or if there are exclusions, or if the process is killed/deleted etc. It just gets the names and the processes. I'm thinking that may be good enough here?


## Replace /path/to/file with actual path to restrictions file on the system
scopedRestrictions=$(xmllint --format /path/to/file | awk -F'>|<' '/:name|:process/{print $3}' | paste -d"," - - | sed 's/,/& /g')

echo "<result>$scopedRestrictions</result>"

You could modify this to include additional lines from the file, like whether it kills the process, or requires exact match, etc. Just examine the file and you'll see what's in there.