Posted on 07-21-2014 02:27 AM
Hello Jamfnation,
Can anybody please help me with the following issue:
I need a policy to run once per computer, but it should trigger at a custom event, which would be, that 2 configuration profiles have already been applied before.
Thanks for any input!
Posted on 07-23-2014 06:46 AM
Thanks for all your input!
Our solution:
#!/bin/bash
# Identifiers of the two configuration profiles that must be installed
ID1="34B4BD85-3422-4B3E-A48E-09A987113718"
ID2="93350992-13C1-42AE-916A-4F3543E7E29C"
# Count matching lines in the installed-profile listing (0 = not installed)
CHECK1=$(/usr/bin/profiles -L -P | grep -c "$ID1")
CHECK2=$(/usr/bin/profiles -L -P | grep -c "$ID2")
## CHECK OFFICE Tunnel ALL
if [ "$CHECK1" -eq 0 ]
then
    echo "No Certificate installed for Office Access Tunnel All"
    EXIT1="1"
else
    echo "Certificate for Office Access Tunnel All are installed"
    EXIT1="0"
fi
if [ "$CHECK2" -eq 0 ]
then
    echo "No Certificate installed for Office Access"
    EXIT2="1"
else
    echo "Certificate for Access are installed"
    EXIT2="0"
fi
# Fire the custom trigger only when both profiles are present
if [ "$EXIT1" -eq 0 ]
then
    if [ "$EXIT2" -eq 0 ]
    then
        jamf policy -event CNSO
    fi
else
    exit 0
fi
This (jamf policy -event CNSO) triggers the policy, that sets our Network Service order, the way we want it:
https://jamfnation.jamfsoftware.com/discussion.html?id=11189
Best regards,
Kevin
Posted on 07-21-2014 07:11 AM
Well, you can do one of two things: populate those config profiles into EAs, then scope that policy to run once on only computers that meet the criteria of those two EAs (create a smart group of computers that has both those config profiles).
This will get you all installed profiles:
#!/bin/sh
profiles=`profiles -C -v | awk -F: '/attribute: name/{print $NF}' | sort`
echo "<result>$profiles</result>"
exit 0
You'll want to pull out each one into a separate EA though.
The other method is to have an ongoing policy that runs a "before" script to check the installed profiles and then upon it finding those two profiles, triggers a policy that runs once only.
Posted on 07-21-2014 07:12 AM
Profiles are installed almost immediately. So just targeting those computers with a policy and you'll be safe. However, if you are risk averse, then you'd need something to look for those policies. I'd write a little shell script to list profiles installed. You should be able to do something with 'profiles -P' to list profiles installed. If they are, then execute the command 'jamf policy -event RunImportantPolicy'
Posted on 07-21-2014 07:14 AM
Hey Kevin,
I could be completely off base here - and there is probably a way better way to do this but - have you tried using extension attribute for your config profiles? (i.e. if you had an EA for whether or not the config profile set the correct settings)
You could then create a smart group to automatically run a policy (once per computer) for that group that had the two settings correct.
Again, just a thought.
Posted on 07-22-2014 07:47 AM
First of all, thanks for all the answers. Tackling the issue with Smart groups would be my most favourite approach, however, I think there is no possibility to create a Smart Group based on Configuration Profiles, as far as I know. Please correct me if I am wrong.
How can you populate into an Extension Attribute for a Configuration Profile?
Thanks and best regards,
Kevin
Posted on 07-22-2014 08:08 AM
@Kevin.mueller
You can create a smart group. You need to create an extension attribute which looks for the policy on the machine, then a smart group based on that extension attribute. @acdesigntech created a nice script which returns the installed policies for you. You can create an extension attribute with a simple copy/paste of his script.
Posted on 07-22-2014 08:11 AM
@Kevin.mueller - @acdesigntech already posted an example above of how to write an Extension Attribute to capture all installed Config profiles.
The only thing I'll add is that, if each Config Profile uses a unique enough name, it should be fine to pull all of them into one EA and then use the "Like" operator when building your Smart Group. You could run into trouble if parts of the names of the profiles are repeated. For example, if I have a profile called "CompanyX_WIFI" and another one called "CompanyX_WIFI_Guest" I might have trouble if I build an EA using criteria such as-
Installed Config Profiles | Like | "CompanyX_WIFI"
If I was just trying to gather Macs that had that profile installed, since it would also grab any that had the additional "Guest" profile as well, but the ones with Guest installed may not have the first one installed as well, making my SG inaccurate.
But as long as the names are unique enough, just use the EA acdesigntech posted above to gather them all into one Extension Attribute, then build your Smart Group using the Like operator.
BTW, your post title is slightly confusing. Are you actually looking for a trigger against a custom "event", or more a custom "condition"? The former would, IMO, be something that triggers as soon as something else occurs. The latter would be more suitable to a Smart Group as already discussed.
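The false match described in the post above, reproduced as an added example (not code from the thread). The profile list is a constructed sample with one name per line, "CompanyX_VPN" is a made-up name, and the function names are hypothetical; a substring test behaves like the "Like" operator, while a whole-line test does not confuse "CompanyX_WIFI" with "CompanyX_WIFI_Guest".

```shell
#!/bin/sh
# Constructed sample: installed profile names, one per line, for a Mac
# that has the Guest Wi-Fi profile but NOT the plain "CompanyX_WIFI" one.
INSTALLED_GUEST_ONLY='CompanyX_VPN
CompanyX_WIFI_Guest'

# Substring test, equivalent to a "Like" criterion on the name list.
has_profile_like() {    # $1 = name list, $2 = name fragment
    printf '%s\n' "$1" | grep -Fq -- "$2"
}

# Whole-line test: the name must equal an entire line of the list.
has_profile_exact() {   # $1 = name list, $2 = full profile name
    printf '%s\n' "$1" | grep -Fxq -- "$2"
}

# Succeeds only if every required name is present as an exact line.
all_profiles_installed() {  # $1 = name list, remaining args = required names
    list=$1
    shift
    for name in "$@"; do
        has_profile_exact "$list" "$name" || {
            echo "missing: $name" >&2
            return 1
        }
    done
    return 0
}

if has_profile_like "$INSTALLED_GUEST_ONLY" "CompanyX_WIFI"; then
    echo "Like match: true (false positive, only the Guest profile is installed)"
fi
if ! has_profile_exact "$INSTALLED_GUEST_ONLY" "CompanyX_WIFI"; then
    echo "Exact match: false"
fi
```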
Posted on 07-22-2014 08:18 AM
I built this to find out what VPNs a user has. You can easily adapt it for your use. It's just searching for the string value.
#!/bin/sh
########################################################################
# Created By: Ross Derewianko
# For: Ping Identity Corporation
# Creation Date: Dec 2013
# Last modified: Dec 4, 2013
# Brief Description: Find out what VPN's our Users have
########################################################################
#checks for vpn...
if [[ `grep "vpn1" /Library/Preferences/SystemConfiguration/preferences.plist -o -m 1` ]]; then
    resultvpn1="vpn1"
else
    resultvpn1="vpn1 not found"
fi
#Checks for other vpn's, if there report and end script
if [[ `grep "vpn2" /Library/Preferences/SystemConfiguration/preferences.plist -o -m 1` ]]; then
    result="vpn2"
##the statement above can be expanded with
#Check for vpn3 if there report and end script
elif [[ `grep "vpn3" /Library/Preferences/SystemConfiguration/preferences.plist -o -m 1` ]]; then
    result="vpn3"
else
    result="No Other VPN"
fi
echo "<result>$resultvpn1 & $result</result>"
exit 0
It's searching for a term in the file... so if your config profiles have unique names, it can search for that and scope based on that.
Posted on 07-22-2014 11:00 AM
+1 for creating an extension attribute that is a list of all installed Profiles, then creating Smart Groups with "like" criteria to scope to them. That's what I do.