Using a Policy to force a full policy refresh

HNTIT
Contributor II

The major point of what I am trying to achieve here is to force a full policy refresh at boot.

There is nothing in a policy that allows for this.

I have a Startup policy that runs a script that SHOULD achieve this, but it does not work in this instance; in other areas, though, the script does work.

The heart of the script is basically the command below (plus the echo above it to make the logs easier to read), which chains the 10s pause and the policy refresh into a separate window that it does not wait on for completion.

Echo Pausing for 10 Seconds to let this script finish, then Re-Check for Policies

sleep 10s && /usr/local/bin/jamf policy &

Any thoughts?

1 ACCEPTED SOLUTION

HNTIT
Contributor II

Oddly, if I took my original

sleep 10s && /usr/local/bin/jamf policy &

and changed it to

sleep 10s && /usr/local/bin/jamf policy

it seems to work. No idea of the difference; I only did that so I could see the error in the log.
Happy accident, but all working now.


7 REPLIES

blackholemac
Valued Contributor III

I’ll be honest, I don’t totally understand your goals with this, but part might be that I’m having a “slow” morning...sometimes answering others’ posts helps me to center my own tech workflow.

If you are wanting a policy that runs all other relevant policies at startup, consider a script that calls jamf policy with all policy triggers you are trying to call...something like this:

jamf policy -event startup
jamf policy -event login
jamf policy
jamf policy -event logout
jamf policy -event shutdown
jamf policy -event <anycustomtriggerhere>

You don’t have to use each line unless you need to for whatever reason you want, but you get the idea...running jamf policy without an event assumes the recurring check-in trigger, hence my third line. Hope this helps, and if this is not what you need, please explain what kind of existing policies need to be run.

HNTIT
Contributor II

If you run any JAMF POLICY command from a script called by a policy, then it will fail.

A policy refresh is already running, but only to run the startup policies, so until the Startup policy check completes, you cannot start another.

Asnyder
Contributor III

Couldn't you run

& sleep 60 && pkill jamf && jamf recon

or something. This will pass the processes off to run in the background and allow the current to close...I think.

mike_paul
Contributor III

Yes, there are intentional blocks to not have you running multiple Jamf processes at the same time that are there for reasons.

I'd be hesitant to kill off the Jamf process while it's running the script that is calling the Jamf process; it might work but seems like trouble.

You have policies set to the "Recurring Check-in" trigger and some set to the "Startup" trigger. Is the goal to have all your "Recurring Check-in" policies also run while booting? Why not just check the "Startup" trigger in addition to the "Recurring Check-in" trigger on all those policies and then they will run at startup as well? You can have multiple triggers set per policy if you want it run at different times.

Now mind you, unless your computers have wired internet, they likely won't be able to reach the JSS until it hits the login window or possibly after authentication, depending on your network infrastructure security requirements.

blackholemac
Valued Contributor III

I'm glad @mike.paul chimed in there...I had forgotten that about multiple Jamf processes running. I remember now as sometimes I'll try to manually invoke a jamf policy command from the Terminal window and it won't be able to get through if it's already going.

Disregard my post above...Another way you could do it simply, if you like, is to have a given policy trigger at both startup and recurring check-in in the policy itself if you want it to run continuously on both triggers.

HNTIT
Contributor II

Oddly, if I took my original

sleep 10s && /usr/local/bin/jamf policy &

and changed it to

sleep 10s && /usr/local/bin/jamf policy

it seems to work. No idea of the difference; I only did that so I could see the error in the log.
Happy accident, but all working now.

mike_paul
Contributor III

Ok, glad you got your two types of policies running. I still think it's valid to discuss your needs of what you're actually trying to accomplish, as you will likely run into issues. Why do you need to run your Recurring Check-in policies at startup? Layering like this can cause confusion and potential problems in the future and might make unneeded load, as there might be better methods.