Well, yes in fact. Have a similar SMART group for different purposes. Here's what I do.
•) My administrative account for the JSS is "admin", this is important.
•) My students machines are all in easily identifiable 'departments' In my case they are called:
student
student-loaner
Now, I use the following extension attribute found somewhere here on JAMFNation (Sorry for lacking attribution), to determine which accounts on any given unit are administrative users:
#!/bin/bash
# Script to detect if a computer has a local admin account on it with an UID of above 500
# Initialize array
list=()
# generate user list of users with UID greater than 500
for username in $(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'); do
# Checks to see which usernames are reported as being admins. The
# check is running dsmemberutil's check membership and listing the
# accounts that are being reported as admin users. Actual check is
# for accounts that are NOT not an admin (i.e. not standard users.)
if [[ $(dsmemberutil checkmembership -U "${username}" -G admin) != *not* ]]; then
# Any reported accounts are added to the array list
list+=("${username}")
fi
done
# Prints the array's list contents
echo "<result>${list[@]}</result>"
I've called this Extension Attribute "Admin Users"... Cryptic I know.
So my SMART criteria are as follows:
• Extension Attribute: "Admin Users" IS NOT "admin"
-This will show any unit who has an account additional to my admin user. Afterall, if the only adminsitrative account was "admin" then that would be the only output. Anything else trips the policy and qualifies.
---AND---
(
Department IS "Student"
---OR---
Department IS "Student-Loaner"
)
