Posted on 03-31-2016 05:37 AM
Hi Everyone,
I've been working on a script, in PowerShell, to create what we call a support area using the API. I know you're probably wondering why I'm using PowerShell so I will get that out of the way. Long story short, we are working on a PowerShell script to automate the creation of various resources across several different systems. This includes Active Directory OUs, AD security groups, SCCM resources, etc. Jamf is just one part. The thought is to be able to specify what we want these resources named then let PowerShell do the rest. We're using a web interface into our PowerShell server so this could potentially do this from a webpage.
We also use sites very heavily for organization of our Jamf resources. I've got most everything working properly except for one thing. We have a number of default policies that run on all our computers. A good example is enabling the Firewall. We have a subset of machines that have different firewall requirements and cannot use the built-in Apple firewall, so one of the things that I do is create an exclusion group in each site so that our desktop support staff can exclude the machines that need to have the built-in firewall turned off so they can use a different firewall. That's just one example, but it's about the best one that I could use to illustrate what I'm trying to accomplish.
So after I create the group in the site, I am attempting to add this group to the exclusion section of the policy scope. I'm running into an issue where I am getting a conflict (To rule out any PowerShell strangeness, I used curl. The result is the same):
If I take a look at the Policy Scope on the JSS the group is not in scope:
However, if I take a look at the API it is listed:
I think I'm missing something in my XML, but am not sure what. I think it has something to do with the fact that the policy I'm modifying is in what I call the central site, or no site, and the group is under the new site I just created earlier in the script. Wanted to see if anyone else is using the API to do this kind of work and see if they have any sage advice. Thanks in advance!
Andy
Posted on 03-31-2016 06:55 AM
I'm not sure if this will help. However, I roughed out a change of scope, just modifying the "all_computers" field. I haven't tried changing the exclusions yet.
```
apiUsername="username"
apiPassword="password"
jssURL="jss.url.here"
policyID=1234
# Set the policy scope to all computers.
# -k skips TLS certificate verification; drop it when the JSS certificate is trusted.
curl -sS -k -u "$apiUsername:$apiPassword" "https://$jssURL:8443/JSSResource/policies/id/$policyID" -H "Content-Type: application/xml" -d "<policy><scope><all_computers>true</all_computers></scope></policy>" -X PUT
```
Regards,
TJ
Posted on 03-31-2016 07:05 AM
Okay. I tested the exclusions in two ways.
The first one will add the computer id to the exclusion. The second will add the computer group. You can mix them together, if needed.
Note: If you run the first, then the second, the exclusions are NOT replaced, just added to. (The computer was added, then the computer group.)
```
#!/bin/sh
apiUsername="username"
apiPassword="password"
jssURL="jss.url.here"
policyID=2018
# Exclude a single computer by ID
curl -sS -k -u "$apiUsername:$apiPassword" "https://$jssURL:8443/JSSResource/policies/id/$policyID" -H "Content-Type: application/xml" -d "<policy><scope><exclusions><computers><computer><id>4272</id><name>MAC-TT030970</name><udid>65D62B26-CC57-5727-93A0-258651D2D54C</udid></computer></computers></exclusions></scope></policy>" -X PUT
```
```
#!/bin/sh
apiUsername="username"
apiPassword="password"
jssURL="jss.url.here"
policyID=2018
# Exclude a computer group by ID
curl -sS -k -u "$apiUsername:$apiPassword" "https://$jssURL:8443/JSSResource/policies/id/$policyID" -H "Content-Type: application/xml" -d "<policy><scope><exclusions><computer_groups><computer_group><id>1</id><name>All Managed Clients</name></computer_group></computer_groups></exclusions></scope></policy>" -X PUT
```
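A hardened variant of the group-exclusion PUT from the post above, as an added example that is not code from any poster in this thread: it XML-escapes the group name, rejects non-numeric IDs, keeps TLS verification on (no `-k`) and hands the credentials to curl through `--config -` so they stay out of the process list. The function names and the `JSS_USER`/`JSS_PASS` environment variables are assumptions.

```shell
#!/bin/sh
# Added example: hardened form of the group-exclusion PUT from this thread.
# JSS_USER / JSS_PASS and all function names are assumptions of this sketch.

# Escape XML special characters so a group name cannot alter the payload.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
        -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Build the scope payload for one computer group; the ID must be numeric.
build_group_exclusion() {
    case "$1" in
        ''|*[!0-9]*) echo "group id must be numeric" >&2; return 1 ;;
    esac
    printf '<policy><scope><exclusions><computer_groups><computer_group><id>%s</id><name>%s</name></computer_group></computer_groups></exclusions></scope></policy>' \
        "$1" "$(xml_escape "$2")"
}

# Escape backslashes and double quotes for a quoted curl config value.
cfg_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Emit a curl config line carrying the credentials (for `curl --config -`).
curl_auth_config() {
    printf 'user = "%s:%s"\n' "$(cfg_escape "$1")" "$(cfg_escape "$2")"
}

# Usage: put_group_exclusion <jssHost> <policyID> <groupID> <groupName>
put_group_exclusion() {
    payload=$(build_group_exclusion "$3" "$4") || return 1
    # No -k: the server certificate is verified. --fail turns an HTTP error
    # response (such as the conflict seen in this thread) into a non-zero exit.
    curl_auth_config "$JSS_USER" "$JSS_PASS" |
        curl -sS --fail --config - -X PUT \
            -H "Content-Type: application/xml" -d "$payload" \
            "https://$1:8443/JSSResource/policies/id/$2"
}
```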
Posted on 03-31-2016 07:22 AM
Hi TJ,
Thanks for the suggestion! That indeed works, however, only on computer groups that are not in a Site. So any of the computer groups that are under the Full JSS will work, but when you attempt to do the same operation on a computer that is in a site the command doesn't work. The trouble seems to be when a JSS resource is in a site. Thanks again for the suggestion!
Andy
Posted on 03-31-2016 08:22 AM
Wait, if a group is in a site, it's in the full JSS as well, right?
We don't use sites, so:
I did this:
I then took a look at the API and it seems to output very similarly.
```
<exclusions>
  <computers>
    <computer>
      <id>4272</id>
      <name>MAC-TT030970</name>
      <udid>65D62B26-CC57-5727-93A0-258651D2D54C</udid>
    </computer>
  </computers>
  <computer_groups>
    <computer_group>
      <id>342</id>
      <name>Test Static Site Group</name>
    </computer_group>
  </computer_groups>
  <buildings/>
  <departments/>
  <users/>
  <user_groups/>
  <network_segments/>
  <ibeacons/>
</exclusions>
```
Posted on 03-31-2016 08:39 AM
I honestly think there is something wonky with your curl PUT command.
There isn't anything in the API scope XML that has <site></site>.
Plus, you're missing the <name></name> portion of the XML. I'm not sure if that makes a difference or not.
Adding Computer Groups that are in Site "X" to the exclusions of a policy in Site "X" seems to work just fine via my API commands.
Unless I'm completely off base on what you're trying to do.
Regards,
TJ
Posted on 03-31-2016 08:39 AM
Hi TJ,
Did you add the exclusion via the JSS or the API? I did the same operation using the JSS and the XML came out the same as what I was using with the API. It just seems when I run it through the API it doesn't like something I'm doing. Another thought I had was to create the group in the Full JSS, add it to the scope of the policy, then move the group into the site. That's a lot of extra coding though.
Andy
Posted on 03-31-2016 08:52 AM
I used the API.
Is your curl command the same as above? Can you post it with three ticks around it? ```
Regards,
TJ
Posted on 03-31-2016 08:57 AM
Hi TJ,
I thought that too, initially. I tried it both with and without the <name></name> tags and it didn't seem to care either way. It still adds it to the policy in the exclusion section in the API if you just specify the group ID. But if you look at the policy scope the computer group does not appear.
The fact that I'm running into the same error in both the curl command and the Invoke-RestMethod in PowerShell leads me to believe it's something in the XML. They do essentially the same thing, just in a different language.
The <site></site> XML information came from the only post I could find while Googling the issue. I found a post where supposedly they fixed the issue by specifying the site that the group belongs to. Doesn't appear to be the case.
You're off by a little bit, but close. The policies that I have applied to all computers are under the Full JSS:
the group that I am trying to add is under a Site:
If I use the same command on a policy that is located in a Site it appears to work. It just appears to be when you cross the line between the Site and the Full JSS.
The reason I'm doing this is so that the Site Admins have the ability to add computers to the groups themselves. We do not allow our Site Admins to have access to the Full JSS. They only have site access.
Hope that clarifies things a little bit.
Andy
Posted on 03-31-2016 09:03 AM
Sure! Here's a screenshot:
Posted on 03-31-2016 09:25 AM
```
curl -k -Ss -u username:password https://jss.url.here:8443/JSSResource/policies/id/2052 -H "Content-Type: application/xml" -d "<policy><scope><exclusions><computer_groups><computer_group><id>344</id><name>Test Static Site Group</name></computer_group></computer_groups></exclusions></scope></policy>" -X PUT
```
Did not work. I must have mixed it up before.
It doesn't seem like it's possible. I'm getting the same conflict error as you do. My only bet is to talk with your TAM and see what they can come up with.
--
TJ
Posted on 03-31-2016 09:54 AM
Hi TJ,
Thanks for trying! I'm glad to see that it isn't only me. I was planning on reaching out to my TAM, but wanted to see if anyone else could shed some light on it before I went that route. I know that there are some places in the API that require the use of particular XML tags to work, I just wasn't sure if that was one of them. Thanks again!
Andy
Posted on 08-07-2017 03:45 PM
@adhuston Ever get resolution on this? I am trying to use the API to add computers to a policy scope... and also getting "Computer (ID:#, Name:COMPUTERNAME) is enabled for a site" as an error...
Ultimately going to move this from a bash to a powershell script too which is how I stumbled here before encountering the issue!
For more context - I'm using the <computer_additions> tag to attempt to add a computer to the scope of a policy. A little more experimentation revealed that if I removed the computer from a site or set the policy to match the site of the computer it works, but if the computer doesn't match the site it fails with a similar error, either "Computer (ID:#ID, Name:$ComputerName) is not site-enabled for this site." or in the case where the policy is not assigned to a site "Computer (ID:#ID, Name:$ComputerName) is enabled for a site."
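A pre-flight check for the cross-site case reported in this thread, as an added example that is not code from any poster: it compares the site of the policy with the site of the group or computer before the PUT is attempted and names the error the thread reports for each mismatch. The `<site><id>` layout, `-1` meaning "no site", the sample documents and the function names are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for the cross-site scope conflict in this thread.
# Assumption: each object's XML carries <site><id>N</id>...</site>, -1 = no site.

# Constructed sample documents (not real API output).
POLICY_NO_SITE='<policy><general><id>2052</id><site><id>-1</id><name>None</name></site></general></policy>'
POLICY_SITE_3='<policy><general><id>2060</id><site><id>3</id><name>Site X</name></site></general></policy>'
GROUP_SITE_3='<computer_group><id>344</id><name>Test Static Site Group</name>
  <site>
    <id>3</id><name>Site X</name>
  </site></computer_group>'
GROUP_NO_SITE='<computer_group><id>1</id><site><id>-1</id><name>None</name></site></computer_group>'

# Print the site id of the XML document passed as $1 (empty if none found).
site_id_of() {
    printf '%s' "$1" | tr -d '\n\r' |
        sed -n 's/.*<site>[[:space:]]*<id>\(-\{0,1\}[0-9][0-9]*\)<\/id>.*/\1/p'
}

# Print the outcome the thread reports for scoping a member to a policy.
# Returns 0 when the PUT should be accepted, 1 on a predicted conflict, 2 on bad input.
scope_check() {
    policy_site=$(site_id_of "$1")
    member_site=$(site_id_of "$2")
    if [ -z "$policy_site" ] || [ -z "$member_site" ]; then
        echo "unknown: site id not found"; return 2
    fi
    # A member with no site, or in the policy's own site, is accepted.
    if [ "$member_site" = "-1" ] || [ "$member_site" = "$policy_site" ]; then
        echo "ok"; return 0
    fi
    if [ "$policy_site" = "-1" ]; then
        echo "conflict: member is enabled for a site"
    else
        echo "conflict: member is not site-enabled for this site"
    fi
    return 1
}
```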
Posted on 08-08-2017 01:54 AM
@Sterritt Unfortunately, I wasn't able to resolve this issue. After some investigation with Jamf Support it was determined to be a product defect, and was escalated to the development team. It's filed under product issue PI-002498.
Posted on 11-08-2019 02:21 PM
Trying something similar building on this. I want to exclude a machine from a Wireless profile. This is where I am at right now.
I am getting an error "Script result: -:1: parser error : Document is empty"
```
#!/bin/sh
apiUsername="$4"
apiPassword="$5"
jssURL="6"
configurationID="$7"
## Get Mac info
macUDID=$( ioreg -d2 -c IOPlatformExpertDevice | awk -F\" '/IOPlatformUUID/{print $(NF-1)}' )
computerName=$( /usr/sbin/scutil --get ComputerName )
MACaddy=$( networksetup -getmacaddress en0 | awk '{print $3}' | sed 's/:/./g' )
# Look up this Mac's JSS computer ID by MAC address
jssID=$(curl -H "Accept: application/xml" -sfku "$4:$5" "https://$jssURL:8443/JSSResource/computers/macaddress/$MACaddy/subset/General" | xmllint --format - | awk -F'>|<' '/<id>/{print $3; exit}')
echo "$jssID"
# Add this Mac to the profile's exclusions
curl -sfku "$4:$5" "https://$jssURL:8443/JSSResource/osxconfigurationprofiles/id/$configurationID" -H "Content-Type: application/xml" -d "<osxconfigurationprofiles><scope><exclusions><computers><computer><id>$jssID</id><name>$computerName</name><udid>$macUDID</udid></computer></computers></exclusions></scope></osxconfigurationprofiles>" -X PUT
```
Posted on 11-09-2019 08:10 PM
How about changing jssURL="6" to jssURL="$6".
Posted on 09-24-2020 05:20 AM
Sorry for responding to an old thread. I found this thread because I was looking for a way to add computers to an exclusion list. The given solution here works fine.
But now I want to be able to remove a specific computer from the exclusion list. Is this possible? How to?