Update Department & Building by Policy?

peterj04
New Contributor

Does anyone know of a way to update the department and building via an ongoing Policy?

I have static groups that I'd like to make sure always have this information populated so I can build some other smart grouped policies off of.


bpavlov
Honored Contributor

Are you using LDAP?

If the user is assigned to a computer when it does a full inventory or a "jamf recon" then it will pull the user's ldap department and building information (assuming you've got those values set in your ldap config in the JSS).

bentoms
Esteemed Contributor

@peterj04 This post expands more upon what @bpavlov mentioned.

It's what we use & we build smart groups off the information.

peterj04
New Contributor

We use LDAP, but what I'm doing is different than what the department field is to be used for. Since I work for a school district with 60+ schools we have lots of computers in labs that aren't assigned to anyone and I have those in a static group.

Since there isn't a proper field for me to specify "Lab" computer, I was going to use the Department field and enter "Lab" for those specific machines. Then when I want to scope stuff to all the labs, I can just use a smart group that looks for all the "Lab" machines.

So I was looking for a policy that would run once a day for each site's labs, to make sure that field is always filled in with "Lab".

apizz
Valued Contributor

@peterj04 Your comment here got me started down my own rabbit hole. While we use LDAP as well, we have more important things to do than manage everyone's department and title in our Active Directory just to get this info in our JSS. That being said, there is definitely value in this information and it would be great to get it into the JSS automatically. Don't know if you came up with a solution, but thought I'd share mine.

I have two approaches. If they don't work for you, or you tweak them, please share!

Approach 1 - Script to write data to PLIST during imaging

We're still an imaging institution, so if you're not this won't work for you. We use different imaging configurations for each department, as the majority of our departments have one or more pieces of software unique to them, and it makes our imaging process go more smoothly. This breakdown allows us to assign the below script such that it writes the applicable Department, Building, and/or Room to a PLIST on the local machine. Once written, this can be pulled using recon.

The jamf recon command includes flags for including username info (as @bentoms posts), but it also includes flags for the department, building, and room. So long as the Department and Building are entered in your JSS already, the script below can be added to your imaging workflow:

#!/bin/bash

IMG_CFG=""
# DEPARTMENT name must match name in JSS
DEPT=""
# BUILDING name must match name in JSS
BUILDING=""
ROOM=""
DATE=$(date "+%Y-%m-%d %H:%M:%S")
LOG="$1/var/log/jamf.log"
PLIST="$1/Library/Receipts/JSSData.plist"

# Write imagingconfig to LOG
/bin/echo "$DATE IMAGINGCONFIG $IMG_CFG" >> "$LOG"

# Write imagingconfig to PLIST
/usr/bin/defaults write "$PLIST" imagingconfig "$IMG_CFG"

# Write imagingdate to PLIST
/usr/bin/defaults write "$PLIST" imagingdate "$DATE"

# Write department to PLIST
/usr/bin/defaults write "$PLIST" department "$DEPT"

# Write building to PLIST
/usr/bin/defaults write "$PLIST" building "$BUILDING"

# Write room to PLIST
/usr/bin/defaults write "$PLIST" room "$ROOM"

exit

Rather than having an inventory update policy do the default inventory collection, you can have it run as a single command that references the PLIST:

sudo jamf recon -endUsername "$(defaults read /Library/Preferences/com.apple.loginwindow.plist lastUserName)" -building "$(defaults read /path/to/JSSData.plist building)" -department "$(defaults read /path/to/JSSData.plist department)" -room "$(defaults read /path/to/JSSData.plist room)"

Approach 2 - Policy & Script to Collect LDAP membership

There are actually two different versions of this approach, one which you could have run in a policy once on every computer or one which you have run with your regular inventory collection. We collect inventory every day, so if you're thinking about this option you might think about whether you want your machines to be running LDAP queries every day to determine group membership.

Let me say upfront that this solution (at least in our environment) only can reliably determine department and building. This may not work for you if you have departments across multiple buildings. Add additional LDAP groups to the secgroup array below and elif [ ]; then statements at the bottom.

#!/bin/bash

# Last logged in user
user=$(/usr/bin/defaults read /Library/Preferences/com.apple.loginwindow lastUserName)

# Array of LDAP groups to determine department
secgroup=('ldapgroup1'
'ldapgroup2')

##############################

for ((i = 0; i < "${#secgroup[@]}"; i++)); do
    TEST=$(/usr/sbin/dseditgroup -o checkmember -m "$user" "${secgroup[$i]}" | /usr/bin/awk '{print $1}')
    if [ "$TEST" = "yes" ]; then
        GROUP="${secgroup[$i]}"
        break
    fi
done

if [ "$GROUP" = "ldapgroup1" ]; then
    dept="ENTER DEPT HERE"
    building="BUILDING HERE"
elif [ "$GROUP" = "ldapgroup2" ]; then
    dept="ENTER DEPT HERE"
    building="BUILDING HERE"
# Add additional elif statements for additional ldap groups below
fi

sudo jamf recon -endUsername "$user" -department "$dept" -building "$building"
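
One way to guard the recon calls in the two approaches above, as an added example that is not from the thread or from Jamf: because smart groups and policy scope are built off these fields, it checks that the plist is owned by the expected account and is not group- or world-writable, and it passes only department and building values that appear on a list of names defined in the JSS. The allowed names, the room pattern and all function names are assumptions.

```shell
#!/bin/bash
# Added example, not code from the thread. The names below are constructed
# samples; replace them with the Department/Building names defined in your JSS.
ALLOWED_DEPTS=("Lab" "Science" "Art")
ALLOWED_BUILDINGS=("North Campus" "South Campus")

# in_list VALUE ITEM... : succeeds if VALUE exactly equals one ITEM.
in_list() {
    local needle="$1" item
    shift
    for item in "$@"; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}

# plist_is_trusted FILE OWNER : succeeds only if FILE is a regular file (not a
# symlink), owned by OWNER (name or numeric uid), and not group/world-writable.
plist_is_trusted() {
    local file="$1" owner="$2"
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    [ -n "$(find "$file" -prune -user "$owner")" ] || return 1
    [ -z "$(find "$file" -prune \( -perm -020 -o -perm -002 \))" ]
}

# build_recon_args DEPT BUILDING ROOM : fills the RECON_ARGS array with only
# the flags whose values validate, so empty or unknown values are never sent.
build_recon_args() {
    # Assumed rule for the free-text room field: short alphanumeric label.
    local room_re='^[A-Za-z0-9 -]{1,32}$'
    RECON_ARGS=()
    in_list "$1" "${ALLOWED_DEPTS[@]}" && RECON_ARGS+=(-department "$1")
    in_list "$2" "${ALLOWED_BUILDINGS[@]}" && RECON_ARGS+=(-building "$2")
    [[ "$3" =~ $room_re ]] && RECON_ARGS+=(-room "$3")
    return 0
}

# update_inventory PLIST : macOS-only wrapper; run as root from a policy.
update_inventory() {
    local plist="$1"
    plist_is_trusted "$plist" root || { echo "untrusted: $plist" >&2; return 1; }
    build_recon_args "$(/usr/bin/defaults read "$plist" department 2>/dev/null)" \
                     "$(/usr/bin/defaults read "$plist" building 2>/dev/null)" \
                     "$(/usr/bin/defaults read "$plist" room 2>/dev/null)"
    jamf recon "${RECON_ARGS[@]}"
}
```

Call `update_inventory` with the path the imaging script wrote to; when a value fails validation the flag is omitted and recon still runs.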

bentoms
Esteemed Contributor

@aporlebeke Post before the one I think you read has those extra flags in it too. Link