Update Department & Building by Policy?
Posted on 08-07-2015 09:12 AM
Does anyone know of a way to update the department and building via an ongoing Policy?
I have static groups that I'd like to make sure always have this information populated so I can build some other smart grouped policies off of.
Posted on 08-07-2015 09:22 AM
Are you using LDAP?
If the user is assigned to a computer when it does a full inventory or a "jamf recon" then it will pull the user's ldap department and building information (assuming you've got those values set in your ldap config in the JSS).
Posted on 08-09-2015 03:12 AM
Posted on 08-10-2015 05:46 AM
We use LDAP, but what I'm doing is different than what the department field is to be used for. Since I work for a school district with 60+ schools we have lots of computers in labs that aren't assigned to anyone and I have those in a static group.
Since there isn't a proper field for me to specify "Lab" computer, I was going to use the Department field and enter "Lab" for those specific machines. Then when I want to scope stuff to all the labs, I can just use a smart group that looks for all the "Lab" machines.
So I was looking for a policy that would run once a day for each site's labs, to make sure that field is always filled in with "Lab".
Posted on 02-01-2017 03:34 PM
@peterj04 Your comment here got me started down my own rabbit hole. While we use LDAP as well, we have more important things to do than manage everyone's department and title in our Active Directory just to get this info in our JSS. That being said, there is definitely value in this information and it would be great to get it into the JSS automatically. Don't know if you came up with a solution, but thought I'd share mine.
I have two approaches. If they don't work for you, or you tweak them, please share!
Approach 1 - Script to write data to PLIST during imaging
We're still an imaging institution, so if you're not this won't work for you. We use different imaging configurations for each department, as the majority of our departments have one or more pieces of software unique to them, and it makes our imaging process go more smoothly. This breakdown allows us to assign the below script such that it writes the applicable Department, Building, and/or Room to a PLIST on the local machine. Once written, this can be pulled using recon.
The jamf recon command includes flags for including username info (as @bentoms posts), but it also includes flags for the department, building, and room. So long as the Department and Building are entered in your JSS already, the script below can be added to your imaging workflow:
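#!/bin/bash
# Placeholder values: set these for each imaging configuration
PLIST="/path/to/JSSData.plist"
LOG="/path/to/imaging.log"
IMG_CFG="IMAGING CONFIG HERE"
# DEPARTMENT name must match name in JSS
DEPT="DEPARTMENT HERE"
# BUILDING name must match name in JSS
BUILDING="BUILDING HERE"
ROOM="ROOM HERE"
DATE=$(date "+%Y-%m-%d %H:%M:%S")
# Write imagingconfig to LOG
echo "$DATE imagingconfig: $IMG_CFG" >> "$LOG"
# Write imagingconfig to PLIST
/usr/bin/defaults write "$PLIST" imagingconfig "$IMG_CFG"
# Write imagingdate to PLIST
/usr/bin/defaults write "$PLIST" imagingdate "$DATE"
# Write department to PLIST
/usr/bin/defaults write "$PLIST" department "$DEPT"
# Write building to PLIST
/usr/bin/defaults write "$PLIST" building "$BUILDING"
# Write room to PLIST
/usr/bin/defaults write "$PLIST" room "$ROOM"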
Rather than having an inventory update policy do the default inventory collection, you can have it run as a single command that references the PLIST:
sudo jamf recon -endUsername "$(defaults read /Library/Preferences/com.apple.loginwindow.plist lastUserName)" -building "$(defaults read /path/to/JSSData.plist building)" -department "$(defaults read /path/to/JSSData.plist department)" -room "$(defaults read /path/to/JSSData.plist room)"
Approach 2 - Policy & Script to Collect LDAP membership
There are actually two different versions of this approach, one which you could have run in a policy once on every computer or one which you have run with your regular inventory collection. We collect inventory every day, so if you're thinking about this option you might think about whether you want your machines to be running LDAP queries every day to determine group membership.
Let me say upfront that this solution (at least in our environment) only can reliably determine department and building. This may not work for you if you have departments across multiple buildings. Add additional LDAP groups to the secgroup array below and elif [ ]; then statements at the bottom.
#!/bin/bash
# Last logged in user
user=$(/usr/bin/defaults read /Library/Preferences/com.apple.loginwindow lastUserName)
# Array of LDAP groups to determine department
secgroup=("ldapgroup1" "ldapgroup2")
for ((i = 0; i < ${#secgroup[@]}; i++)); do
    GROUP="${secgroup[$i]}"
    # dseditgroup prints "yes ..." when the user is a member of the group
    TEST=$(/usr/sbin/dseditgroup -o checkmember -m "$user" "$GROUP" | /usr/bin/awk '{print $1}')
    if [ "$TEST" = "yes" ]; then
        if [ "$GROUP" = "ldapgroup1" ]; then
            dept="DEPARTMENT HERE"
            building="BUILDING HERE"
        elif [ "$GROUP" = "ldapgroup2" ]; then
            dept="DEPARTMENT HERE"
            building="BUILDING HERE"
        # Add additional elif statements for additional ldap groups below
        fi
    fi
done
sudo jamf recon -endUsername "$user" -department "$dept" -building "$building"
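Added example, not part of the posts above: the recon one-liner in Approach 1 passes whatever `defaults read` returns, including an empty string when a key is missing. This script skips missing keys and rejects values that are not on an allow-list before building the `jamf recon` arguments; the department and building names, the room character set, and all function names are assumptions.

```shell
#!/bin/sh
# Added example: validate plist-sourced values before they reach `jamf recon`.
# Constructed names; mirror the departments and buildings defined in your JSS.
known_department() { in_list "$1" "Lab" "Art" "Science"; }
known_building()   { in_list "$1" "North Campus" "South Campus"; }

# in_list VALUE ALLOWED... -> 0 only on an exact, whole-string match.
in_list() {
    value=$1; shift
    for allowed in "$@"; do
        [ "$value" = "$allowed" ] && return 0
    done
    return 1
}

# recon_args DEPT BUILDING ROOM: print recon arguments one per line.
# Empty values (missing plist key) are skipped; invalid ones return 1.
recon_args() {
    if [ -n "$1" ]; then
        known_department "$1" || { echo "unknown department: $1" >&2; return 1; }
        printf '%s\n' -department "$1"
    fi
    if [ -n "$2" ]; then
        known_building "$2" || { echo "unknown building: $2" >&2; return 1; }
        printf '%s\n' -building "$2"
    fi
    if [ -n "$3" ]; then
        # Room is free text, so limit it to a conservative character set.
        case $3 in
            *[!A-Za-z0-9\ ._-]*) echo "rejected room: $3" >&2; return 1 ;;
        esac
        printf '%s\n' -room "$3"
    fi
}

# submit_inventory PLIST: read the three keys, validate, then run recon.
submit_inventory() {
    args=$(recon_args "$(/usr/bin/defaults read "$1" department 2>/dev/null)" \
                      "$(/usr/bin/defaults read "$1" building 2>/dev/null)" \
                      "$(/usr/bin/defaults read "$1" room 2>/dev/null)") || return 1
    old_ifs=$IFS; IFS='
'
    set -f; set -- $args; set +f; IFS=$old_ifs   # split on newlines only
    jamf recon "$@"
}

# Constructed demo: building key missing, so only two flag pairs are printed.
recon_args "Lab" "" "Room 101"
```

In a policy script, call `submit_inventory /path/to/JSSData.plist`; a non-zero exit means a value was rejected and recon was not run.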
Posted on 02-01-2017 04:10 PM
@aporlebeke Post before the one I think you read has those extra flags in it too. Link