Faster re-install of Jamf Protect?

dm8v
New Contributor

We'll soon be deploying Jamf Protect to our endpoints and are using the built-in integration between Jamf Protect and Jamf Pro to do the initial PKG and config profile installs. 

In our environment, most users are admins on their machines and one thing we discovered during testing was that someone could easily throw away the Jamf Protect app and be unprotected. To remedy this, we've created an EA that tracks the installed version of the Jamf Protect binary (or returns "Protect binary not found") and populates a smart group if the binary isn't present. A policy then re-installs Jamf Protect on any computer in that smart group.

The one downside we've noted to this approach is that the EA only gets updated once daily on inventory collection, so it's possible for a computer to go up to 24 hours without Jamf Protect. Any ideas on how to accelerate the re-install in this situation?

 

1 ACCEPTED SOLUTION

Hugonaut
Valued Contributor II

@dm8v 

Create a Smart Computer Group targeting computers that do not have Jamf Protect installed. Scope your re-install policy to that. This is predicated upon last inventory update results.

Screen Shot 2022-07-01 at 3.34.32 PM.png

Home Grown Solution (If Jamf Inventory Update isn't consistent or if you have an issue with what above smart group is reporting)

Step 1. Create an Extension Attribute Exactly as it is Depicted Below.

Display Name "Protect", Data Type "String", Inventory Display (Wherever you Want), Input Type "Pop-up Menu", Recon Display (Whatever you want), Pop-up Menu Choices "True" & "False".

Screen Shot 2022-06-29 at 4.56.00 PM.png

 

Step 2. Create two Smart Computer Groups Exactly as Depicted Below. 

Smart Computer Group 1: Criteria: "Protect" (The Extension Attribute you just made), Operator "is", Value "False" 

Screen Shot 2022-06-29 at 5.19.37 PM.png

 

Smart Computer Group 2: Criteria: "Protect" (The Extension Attribute you just made), Operator "is", Value "        " (EMPTY)

Screen Shot 2022-06-29 at 5.19.56 PM.png

 

Step 3. Add the Following Script to your Jamf Pro Scripts Library & Modify the Parameter Values as Depicted Below.

This Script Runs a Check to see if the JamfProtect.app file exists, if it does, it writes True to the Extension attribute & is not included in the Smart Computer Group. If the JamfProtect.app file does not exist, it writes False to the Extension attribute & places the computer without Jamf Protect into the Smart Computer Group.

Script:

 

#!/bin/bash

# ██████╗  ██████╗  ██████╗██╗  ██╗███████╗████████╗███╗   ███╗ █████╗ ███╗   ██╗
# ██╔══██╗██╔═══██╗██╔════╝██║ ██╔╝██╔════╝╚══██╔══╝████╗ ████║██╔══██╗████╗  ██║
# ██████╔╝██║   ██║██║     █████╔╝ █████╗     ██║   ██╔████╔██║███████║██╔██╗ ██║
# ██╔══██╗██║   ██║██║     ██╔═██╗ ██╔══╝     ██║   ██║╚██╔╝██║██╔══██║██║╚██╗██║
# ██║  ██║╚██████╔╝╚██████╗██║  ██╗███████╗   ██║   ██║ ╚═╝ ██║██║  ██║██║ ╚████║
# ╚═╝  ╚═╝ ╚═════╝  ╚═════╝╚═╝  ╚═╝╚══════╝   ╚═╝   ╚═╝     ╚═╝╚═╝  ╚═╝╚═╝  ╚═══╝

# Created by Hugonaut


# Script Parameters are set within the Policy this Script is Assigned to & are to be configured as follows
# Parameter 4: jss.example.org:8443·································(apiURL)
# Parameter 5: API Administrator Account····························(apiUsername)
# Parameter 6: API Administrator Password···························(apiPassword)
# Parameter 7: Display Name of Extension Attribute ·················(eaName)

########################## Jamf Policy -> Script Parameters ############################

apiURL=$4
apiUsername=$5
apiPassword=$6
eaName=$7

###################################### Get UDID ########################################
computerUDID=$(/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/awk '/Hardware UUID:/ { print $3 }')

############################### Get Jamf Protect Value #################################

JamfProtectValue=$(if [ -e "/Applications/JamfProtect.app" ]
then 
	echo "True"
else
	echo "False"
fi)

########################### Construct & Post Jamf Group EA #############################
	apiData="<computer><extension_attributes><extension_attribute><name>${eaName}</name><value>${JamfProtectValue}</value></extension_attribute></extension_attributes></computer>"

	apiPost=`curl -H "Content-Type: text/xml" -sfu ${apiUsername}:${apiPassword} ${apiURL}/JSSResource/computers/udid/${computerUDID} -d "${apiData}" -X PUT` 

 

 

 

 

 Parameter Values:

Screen Shot 2022-06-29 at 5.02.54 PM.png

Step 4:
- Create a Policy with a Trigger of Recurring Check-in, an Execution Frequency of Ongoing.
- Add the script from Step 3 to the script payload of the policy, add your Jamf Pro Console URL, an administrator account or api account with access to your jamf pro console, the accounts password, and the name of the Extension Attribute created earlier.
- Scope to Smart Computer Group 2 (Empty Value) created in Step 2.

- Configure the "Maintenance" payload & Check Update Inventory.

Screen Shot 2022-06-29 at 5.06.17 PM.png

For parameter "apiURL" - include https:// so it reads just "https://yourorg.jamfcloud.com"

Screen Shot 2022-06-29 at 5.10.25 PM.png

Screen Shot 2022-06-29 at 5.06.30 PM.png

Screen Shot 2022-06-29 at 5.08.38 PM.png

What this will do is run that script on all computers with the empty field & determine if it is Installed or Not. Flagging it either True or False & removing it from scope for the policy. You'll end up with the Smart Computer Group 1 (false value group) - consisting of all the computers in your environment without Jamf Protect (in 15 Minutes, a lot less time than 24 hours.) You can also run this against computers that have reported Jamf Protect is installed as depicted below to doubly verify that its still installed / constant 15 minute monitoring.

Screen Shot 2022-07-01 at 3.40.36 PM.png

 

Step 5: Add smart Computer Group 1 (False Value Group) to the scope of the policy you created that installs Jamf Protect & it will target those computers every recurring check-in instead of daily inventory record update.

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________


Virtual MacAdmins Monthly Meetup - First Friday, Every Month

View solution in original post

4 REPLIES 4

Hugonaut
Valued Contributor II

@dm8v 

Create a Smart Computer Group targeting computers that do not have Jamf Protect installed. Scope your re-install policy to that. This is predicated upon last inventory update results.

Screen Shot 2022-07-01 at 3.34.32 PM.png

Home Grown Solution (If Jamf Inventory Update isn't consistent or if you have an issue with what above smart group is reporting)

Step 1. Create an Extension Attribute Exactly as it is Depicted Below.

Display Name "Protect", Data Type "String", Inventory Display (Wherever you Want), Input Type "Pop-up Menu", Recon Display (Whatever you want), Pop-up Menu Choices "True" & "False".

Screen Shot 2022-06-29 at 4.56.00 PM.png

 

Step 2. Create two Smart Computer Groups Exactly as Depicted Below. 

Smart Computer Group 1: Criteria: "Protect" (The Extension Attribute you just made), Operator "is", Value "False" 

Screen Shot 2022-06-29 at 5.19.37 PM.png

 

Smart Computer Group 2: Criteria: "Protect" (The Extension Attribute you just made), Operator "is", Value "        " (EMPTY)

Screen Shot 2022-06-29 at 5.19.56 PM.png

 

Step 3. Add the Following Script to your Jamf Pro Scripts Library & Modify the Parameter Values as Depicted Below.

This Script Runs a Check to see if the JamfProtect.app file exists, if it does, it writes True to the Extension attribute & is not included in the Smart Computer Group. If the JamfProtect.app file does not exist, it writes False to the Extension attribute & places the computer without Jamf Protect into the Smart Computer Group.

Script:

 

#!/bin/bash

# ██████╗  ██████╗  ██████╗██╗  ██╗███████╗████████╗███╗   ███╗ █████╗ ███╗   ██╗
# ██╔══██╗██╔═══██╗██╔════╝██║ ██╔╝██╔════╝╚══██╔══╝████╗ ████║██╔══██╗████╗  ██║
# ██████╔╝██║   ██║██║     █████╔╝ █████╗     ██║   ██╔████╔██║███████║██╔██╗ ██║
# ██╔══██╗██║   ██║██║     ██╔═██╗ ██╔══╝     ██║   ██║╚██╔╝██║██╔══██║██║╚██╗██║
# ██║  ██║╚██████╔╝╚██████╗██║  ██╗███████╗   ██║   ██║ ╚═╝ ██║██║  ██║██║ ╚████║
# ╚═╝  ╚═╝ ╚═════╝  ╚═════╝╚═╝  ╚═╝╚══════╝   ╚═╝   ╚═╝     ╚═╝╚═╝  ╚═╝╚═╝  ╚═══╝

# Created by Hugonaut


# Script Parameters are set within the Policy this Script is Assigned to & are to be configured as follows
# Parameter 4: jss.example.org:8443·································(apiURL)
# Parameter 5: API Administrator Account····························(apiUsername)
# Parameter 6: API Administrator Password···························(apiPassword)
# Parameter 7: Display Name of Extension Attribute ·················(eaName)

########################## Jamf Policy -> Script Parameters ############################

apiURL=$4
apiUsername=$5
apiPassword=$6
eaName=$7

###################################### Get UDID ########################################
computerUDID=$(/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/awk '/Hardware UUID:/ { print $3 }')

############################### Get Jamf Protect Value #################################

JamfProtectValue=$(if [ -e "/Applications/JamfProtect.app" ]
then 
	echo "True"
else
	echo "False"
fi)

########################### Construct & Post Jamf Group EA #############################
	apiData="<computer><extension_attributes><extension_attribute><name>${eaName}</name><value>${JamfProtectValue}</value></extension_attribute></extension_attributes></computer>"

	apiPost=`curl -H "Content-Type: text/xml" -sfu ${apiUsername}:${apiPassword} ${apiURL}/JSSResource/computers/udid/${computerUDID} -d "${apiData}" -X PUT` 

 

 

 

 

 Parameter Values:

Screen Shot 2022-06-29 at 5.02.54 PM.png

Step 4:
- Create a Policy with a Trigger of Recurring Check-in, an Execution Frequency of Ongoing.
- Add the script from Step 3 to the script payload of the policy, add your Jamf Pro Console URL, an administrator account or api account with access to your jamf pro console, the accounts password, and the name of the Extension Attribute created earlier.
- Scope to Smart Computer Group 2 (Empty Value) created in Step 2.

- Configure the "Maintenance" payload & Check Update Inventory.

Screen Shot 2022-06-29 at 5.06.17 PM.png

For parameter "apiURL" - include https:// so it reads just "https://yourorg.jamfcloud.com"

Screen Shot 2022-06-29 at 5.10.25 PM.png

Screen Shot 2022-06-29 at 5.06.30 PM.png

Screen Shot 2022-06-29 at 5.08.38 PM.png

What this will do is run that script on all computers with the empty field & determine if it is Installed or Not. Flagging it either True or False & removing it from scope for the policy. You'll end up with the Smart Computer Group 1 (false value group) - consisting of all the computers in your environment without Jamf Protect (in 15 Minutes, a lot less time than 24 hours.) You can also run this against computers that have reported Jamf Protect is installed as depicted below to doubly verify that its still installed / constant 15 minute monitoring.

Screen Shot 2022-07-01 at 3.40.36 PM.png

 

Step 5: Add smart Computer Group 1 (False Value Group) to the scope of the policy you created that installs Jamf Protect & it will target those computers every recurring check-in instead of daily inventory record update.

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________


Virtual MacAdmins Monthly Meetup - First Friday, Every Month

dm8v
New Contributor

Thanks @Hugonaut! This will work nicely.

Hugonaut
Valued Contributor II

You're very welcome @dm8v - Happy to help!

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________


Virtual MacAdmins Monthly Meetup - First Friday, Every Month

DownUndaAdmin
New Contributor

 wow this is incredibly helpful, thanks mate