Update Department & Building by Policy?

New Contributor

Does anyone know of a way to update the department and building via an ongoing Policy?

I have static groups that I'd like to make sure always have this information populated so I can build some other smart-grouped policies off of.


Honored Contributor

Are you using LDAP?

If the user is assigned to a computer when it does a full inventory or a "jamf recon" then it will pull the user's ldap department and building information (assuming you've got those values set in your ldap config in the JSS).

Esteemed Contributor

@peterj04 This post expands more upon what @bpavlov mentioned.

It's what we use & we build smart groups off the information.

New Contributor

We use LDAP, but what I'm doing is different than what the department field is to be used for. Since I work for a school district with 60+ schools we have lots of computers in labs that aren't assigned to anyone and I have those in a static group.

Since there isn't a proper field for me to specify "Lab" computer, I was going to use the Department field and enter "Lab" for those specific machines. Then when I want to scope stuff to all the labs, I can just use a smart group that looks for all the "Lab" machines.

So I was looking for a policy that would run once a day for each site's labs, to make sure that field is always filled in with "Lab".

Valued Contributor

@peterj04 Your comment here got me started down my own rabbit hole. While we use LDAP as well, we have more important things to do than manage everyone's department and title in our Active Directory just to get this info in our JSS. That being said, there is definitely value in this information and it would be great to get it into the JSS automatically. Don't know if you came up with a solution, but thought I'd share mine.

I have two approaches. If they don't work for you, or you tweak them, please share!

Approach 1 - Script to write data to PLIST during imaging

We're still an imaging institution, so if you're not this won't work for you. We use different imaging configurations for each department, as the majority of our departments have one or more pieces of software unique to them, and it makes our imaging process go more smoothly. This breakdown allows us to assign the below script such that it writes the applicable Department, Building, and/or Room to a PLIST on the local machine. Once written, this can be pulled using recon.

The jamf recon command includes flags for including username info (as @bentoms posts), but it also includes flags for the department, building, and room. So long as the Department and Building are entered in your JSS already, the script below can be added to your imaging workflow:


#!/bin/bash
# Values below are placeholders; set them per imaging configuration.
# DEPARTMENT name must match name in JSS
# BUILDING name must match name in JSS
PLIST="/path/to/JSSData.plist"   # same file the recon command below reads
IMG_CFG="ENTER IMAGING CONFIG HERE"
DEPT="ENTER DEPT HERE"
BUILDING="BUILDING HERE"
ROOM="ROOM HERE"
DATE=$(date "+%Y-%m-%d %H:%M:%S")

# Write imagingconfig to LOG

# Write imagingconfig to PLIST
/usr/bin/defaults write "$PLIST" imagingconfig "$IMG_CFG"

# Write imagingdate to PLIST
/usr/bin/defaults write "$PLIST" imagingdate "$DATE"

# Write department to PLIST
/usr/bin/defaults write "$PLIST" department "$DEPT"

# Write building to PLIST
/usr/bin/defaults write "$PLIST" building "$BUILDING"

# Write room to PLIST
/usr/bin/defaults write "$PLIST" room "$ROOM"


Rather than having an inventory update policy do the default inventory collection, you can have it run as a single command that references the PLIST:

sudo jamf recon -endUsername "$(defaults read /Library/Preferences/com.apple.loginwindow.plist lastUserName)" -building "$(defaults read /path/to/JSSData.plist building)" -department "$(defaults read /path/to/JSSData.plist department)" -room "$(defaults read /path/to/JSSData.plist room)"

Approach 2 - Policy & Script to Collect LDAP membership

There are actually two different versions of this approach, one which you could have run in a policy once on every computer or one which you have run with your regular inventory collection. We collect inventory every day, so if you're thinking about this option you might think about whether you want your machines to be running LDAP queries every day to determine group membership.

Let me say upfront that this solution (at least in our environment) only can reliably determine department and building. This may not work for you if you have departments across multiple buildings. Add additional LDAP groups to the secgroup array below and elif [ ]; then statements at the bottom.


#!/bin/bash
# Last logged in user
user=$(/usr/bin/defaults read /Library/Preferences/com.apple.loginwindow lastUserName)

# Array of LDAP groups to determine department
# (group names are placeholders; use your real LDAP group names)
secgroup=("ldapgroup1" "ldapgroup2")

# Find the first group in the array that the user is a member of.
# dseditgroup prints "yes ..." or "no ..."; awk keeps just that first word.
GROUP=""
for ((i = 0; i < "${#secgroup[@]}"; i++)); do
    TEST=$(/usr/sbin/dseditgroup -o checkmember -m "$user" "${secgroup[$i]}" | /usr/bin/awk '{print $1}')
    if [ "$TEST" = "yes" ]; then
        GROUP="${secgroup[$i]}"
        break
    fi
done

# Map the matched group to a department and building (names must match the JSS)
if [ "$GROUP" = "ldapgroup1" ]; then
    dept="ENTER DEPT HERE"
    building="BUILDING HERE"
elif [ "$GROUP" = "ldapgroup2" ]; then
    dept="ENTER DEPT HERE"
    building="BUILDING HERE"
# Add additional elif statements for additional ldap groups below
else
    # No mapped group matched: stop rather than send empty values to recon
    echo "$user is not a member of any mapped LDAP group" >&2
    exit 1
fi

sudo jamf recon -endUsername "$user" -department "$dept" -building "$building"
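As an added example (not code from this thread, nor from Jamf), here is a table-driven variant of Approach 2 that replaces the growing elif chain with one "group|Department|Building" line per LDAP group, and that refuses to send empty -department/-building values when the user is in none of the mapped groups. The group names, departments and buildings are constructed placeholders; the real names must match the LDAP groups and the Department and Building lists in the JSS. The paths /usr/sbin/dseditgroup and /usr/local/bin/jamf are the standard locations and are assumed here.

```shell
#!/bin/bash
# Added example, not from the thread: table-driven version of Approach 2.
# Group names, departments and buildings below are constructed placeholders;
# real values must match the LDAP groups and the JSS Department/Building lists.
# Assumed paths: /usr/sbin/dseditgroup and /usr/local/bin/jamf.

# One entry per line: "ldap_group|Department|Building" (constructed placeholders)
SITE_MAP='ldapgroup1|Placeholder Dept A|Placeholder Building A
ldapgroup2|Placeholder Dept B|Placeholder Building B'

# Membership check: "yes"/"no" is the first word dseditgroup prints.
# Kept in its own function so it can be swapped for a stub when testing off a Mac.
is_member() {
    /usr/sbin/dseditgroup -o checkmember -m "$1" "$2" 2>/dev/null </dev/null \
        | /usr/bin/awk '{print $1}' | grep -q '^yes$'
}

# Prints "Department|Building" for the first mapped group the user belongs to.
# Returns 1 and prints nothing when the user is in none of them, so the caller
# never passes empty -department/-building values to recon.
resolve_site() {
    local user="$1" group dept building
    while IFS='|' read -r group dept building; do
        [ -n "$group" ] || continue
        if is_member "$user" "$group"; then
            printf '%s|%s\n' "$dept" "$building"
            return 0
        fi
    done <<EOF
$SITE_MAP
EOF
    return 1
}

main() {
    local user site dept building
    user=$(/usr/bin/defaults read /Library/Preferences/com.apple.loginwindow lastUserName)
    if site=$(resolve_site "$user"); then
        dept=${site%%|*}
        building=${site#*|}
        /usr/local/bin/jamf recon -endUsername "$user" -department "$dept" -building "$building"
    else
        echo "$user is in none of the mapped groups; submitting inventory without Department/Building" >&2
        /usr/local/bin/jamf recon -endUsername "$user"
    fi
}

# Only run the real inventory update where the jamf binary exists (a managed Mac).
if [ -x /usr/local/bin/jamf ]; then
    main
fi
```

Adding a department is one new line in SITE_MAP instead of a new elif branch, and because resolve_site fails closed, a machine whose last user matches nothing still submits inventory but leaves Department and Building as they were in the JSS rather than overwriting them with blanks.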

Esteemed Contributor

@aporlebeke Post before the one I think you read has those extra flags in it too. Link