Trigger Policy at Custom Event

Kevin_mueller
New Contributor III

Hello Jamfnation,

Can anybody please help me with the following issue:

I need a policy to run once per computer, but it should trigger at a custom event, which would be, that 2 configuration profiles have already been applied before.

Thanks for any input!

1 ACCEPTED SOLUTION

Kevin_mueller
New Contributor III

Thanks for all your input!

Our solution:

#!/bin/bash

ID1="34B4BD85-3422-4B3E-A48E-09A987113718"
ID2="93350992-13C1-42AE-916A-4F3543E7E29C"

CHECK1=/usr/bin/profiles -L -P | grep $ID1 | wc -l
CHECK2=/usr/bin/profiles -L -P | grep $ID2 | wc -l

## CHECK OFFICE Tunnel ALL

if [ $CHECK1 -eq 0 ]
then echo "No Certificate installed for Office Access Tunnel All" EXIT1="1"
else echo "Certificate for Office Access Tunnel All are installed" EXIT1="0"
fi

if [ $CHECK2 -eq 0 ]
then echo "No Certificate installed for Office Access" EXIT2="1"
else echo "Certificate for Access are installed" EXIT2="0"
fi

if [ $EXIT1 -eq 0 ]
then if [ $EXIT2 -eq 0 ] then jamf policy -event CNSO

fi
else exit 0
fi

This (jamf policy -event CNSO) triggers the policy, that sets our Network Service order, the way we want it:

https://jamfnation.jamfsoftware.com/discussion.html?id=11189

Best regards,
Kevin

View solution in original post

9 REPLIES 9

acdesigntech
Contributor II

well, you can do one of two things: populate those config profiles into EAs, then scope that policy to run once on only computers that meet the criteria of those two EAs (create a smart group of computers that has both those config profiles).

This will get you all installed profiles:

#!/bin/sh

profiles=`profiles -C -v | awk -F: '/attribute: name/{print $NF}' | sort`
echo "<result>$profiles</result>"

exit 0

You'll want to pull out each on into a separate EA though.

The other method is to have an ongoing policy that runs a "before" script to check the installed profiles and then upon it finding those two profiles, triggers a policy that runs once only.

thoule
Valued Contributor II

Profiles are installed almost immediately. So just targeting those computers with a policy and you'll be safe. However, if you are risk averse, then you'd need something to look for those policies. I'd write a little shell script to list profiles installed. You should be able to do something with 'profiles -P' to list profiles installed. If they are, then execute the command 'jamf policy -event RunImportantPolicy'

tthurman
Contributor III

Hey Kevin,

I could be completely off base here - and there is probably a way better way to do this but - have you tried using extension attribute for your config profiles? (i.e. if you had an EA for whether or not the config profile set the correct settings)

You could then create a smart group to automatically run a policy (once per computer) for that group that had the two settings correct.

Again, just a thought.

Kevin_mueller
New Contributor III

First of all, thanks for all the answers. Tackling the issue with Smart groups would be my most favourite approach, however, I think there is no possibility to create a Smart Group based on Configuration Profiles, as far as I know. Please correct me if I am wrong.

How can you populate into an Extension Attribute for an Configuration Profile?

Thanks and best regards,
Kevin

thoule
Valued Contributor II

@Kevin.mueller
You can create a smart group. You need to create an extension attribute which looks for the policy on the machine, then a smart group based on that extension attribute. @acdesigntech created a nice script which returns the installed policies for you. You can create an extension attribute with a simple copy/paste of his script.

mm2270
Legendary Contributor II

@Kevin.mueller - @acdesigntech already posted an example above of how to write an Extension Attribute to capture all installed Config profiles.

The only thing I'll add is that, if each Config Profile uses a unique enough name, it should be fine to pull all of them into one EA and then use the "Like" operator when building your Smart Group. You could run into trouble if parts of the names of the profiles are repeated. For example, if I have a profile called "CompanyX_WIFI" and another one called "CompanyX_WIFI_Guest" I might have trouble if I build an EA using criteria such as-

Installed Config Profiles | Like | "CompanyX_WIFI"

If I was just trying to gather Macs that had that profile installed, since it would also grab any that had the additional "Guest" profile as well, but the ones with Guest installed may not have the first one installed as well, making my SG inaccurate.
But as long as the names are unique enough, just use the EA acdesigntech posted above to gather them all into one Extension Attribute, then build your Smart Group using the Like operator.

BTW, your post title is slightly confusing. Are you actually looking for a trigger against a custom "event", or more a custom "condition"? The former would, IMO, be something that triggers as soon as something else occurs. The latter would be more suitable to a Smart Group as already discussed.

rderewianko
Valued Contributor II

I built this to find out what vpn's a user has.. You can easily adapt it for your use. It's just searching for the string value

#!/bin/sh
########################################################################
# Created By: Ross Derewianko
# For: Ping Identity Corporation
# Creation Date: Dec 2013
# Last modified: Dec 4, 2013
# Brief Description: Find out what VPN's our Users have
########################################################################

#checks for vpn... 

if [[ `grep  "vpn1" /Library/Preferences/SystemConfiguration/preferences.plist -o -m 1` ]]; then 
    resultvpn1="vpn1"
else
    resultvpn1="vpn1 not found"
fi

#Checks for other vpn's, if there report and end script
if [[ `grep "vpn2" /Library/Preferences/SystemConfiguration/preferences.plist -o -m 1` ]]; then 
    result="vpn2"
        ##the statement above can be expanded with
#Check for vpn3 if there report and end script
elif [[ `grep "vpn3" /Library/Preferences/SystemConfiguration/preferences.plist -o -m 1` ]]; then 
    result="vpn3"
else 
result="No Other VPN"
fi

echo "<result>$resultvpn1 & $result</result>"
exit 0

It's searching for a term, in the file... so if your config profiles have unique names It can search for that and scope based on that.

alexjdale
Valued Contributor III

+1 for creating an extension attribute that is a list of all installed Profiles, then creating Smart Groups with "like" criteria to scope to them. That's what I do.

Kevin_mueller
New Contributor III

Thanks for all your input!

Our solution:

#!/bin/bash

ID1="34B4BD85-3422-4B3E-A48E-09A987113718"
ID2="93350992-13C1-42AE-916A-4F3543E7E29C"

CHECK1=/usr/bin/profiles -L -P | grep $ID1 | wc -l
CHECK2=/usr/bin/profiles -L -P | grep $ID2 | wc -l

## CHECK OFFICE Tunnel ALL

if [ $CHECK1 -eq 0 ]
then echo "No Certificate installed for Office Access Tunnel All" EXIT1="1"
else echo "Certificate for Office Access Tunnel All are installed" EXIT1="0"
fi

if [ $CHECK2 -eq 0 ]
then echo "No Certificate installed for Office Access" EXIT2="1"
else echo "Certificate for Access are installed" EXIT2="0"
fi

if [ $EXIT1 -eq 0 ]
then if [ $EXIT2 -eq 0 ] then jamf policy -event CNSO

fi
else exit 0
fi

This (jamf policy -event CNSO) triggers the policy, that sets our Network Service order, the way we want it:

https://jamfnation.jamfsoftware.com/discussion.html?id=11189

Best regards,
Kevin