What are Extension Attributes? Why were they added to Jamf Pro and why do they matter? These questions, and others, will be answered in this short post. Extension Attributes can be a powerful tool in the tool belt of the Jamf Pro admin, and we will dive into them a little deeper in this post. At the end, you should have a working knowledge of Extension Attributes, a few workflow ideas, and some further resources to continue on in your journey to become an Extension Attribute guru. So buckle up and let’s go on a journey!
What Are Extension Attributes?
Introduced in the Casper Suite days, Extension Attributes are a method for extending the data stored in Jamf Pro for an object (computer, mobile device, or user). From our developer documentation:
Extension attributes allow Jamf Pro to store additional inventory information about a device beyond what is collected by default. Their values can be set via API call, or through the Jamf Pro console itself. While Jamf Pro is designed to collect data via its client and MDM components, there are external systems that typically exist in an environment, and those systems may have data that could provide value within Jamf Pro.
Extension attributes serve as the way to get that data into Jamf Pro. They can be used for reporting, grouping, or to initiate tasks on managed devices. They can also be referenced in Managed App Configuration to pass data to managed apps.
Extension Attributes can capture different types of data depending on whether they are for computers, mobile devices, or users. User objects can collect values via a text field or pop-up item, mobile devices can collect those same items along with LDAP values, and computer objects can collect the same values as mobile devices, with the addition of values from scripts run on the computers.
Why Were Extension Attributes Added to Jamf Pro?
In the days of the Casper Suite, admins wanted ways to build more advanced automation workflows that utilized data that wasn’t always stored in Casper. The information they wanted was oftentimes stored on the device itself or stored in a third-party system. The admins wanted a way to store this data in Casper to enable these advanced workflows.
How Can Extension Attributes Be Useful?
Once Extension Attributes were added to Jamf Pro, the Jamf admin community let their imagination go wild with use cases. Admins have used Extension Attributes for everything from asset management workflows (keeping track of a “born on” date or perhaps a “retirement” date) to triggering software deployments from third-party software.
Storing this data inside Jamf Pro allows Jamf admins to utilize the full power of Jamf Pro for automation tasks, like triggering software deployments based on membership in a Smart Group. Having the data stored inside of Jamf Pro alleviates the need for a middleware layer to make calls to third-party systems, among other things.
Adding Extension Attributes
Extension Attributes are easy to utilize in Jamf Pro. Within Jamf Pro we simply navigate to Settings and then select Extension Attributes under either the Computer Management, Device Management, or User Management categories. Computer Extension Attributes are going to give us our most powerful options when using Extension Attributes, which is what we’ll focus on in our examples. Within Extension Attributes settings, we can then select New, New From Template, or Upload.
Some Workflow Examples
To give a better idea of how Extension Attributes can be used in real-world workflows, we’ll quickly cover four different workflows:
- Reporting on the Last User to log in to a computer
- Creating software testing groups
- Device refresh date
- SecureToken users on a computer
Last User Report
Jamf Pro has several templates that are available for use. There are templates for some third-party software titles (Code42 CrashPlan, for example), for some Jamf software, and for data that is readily stored in macOS. The “Last User” template contains a script that will gather the username for the last person to log in to a Mac.
Once this Extension Attribute has been added to Jamf Pro, after a computer submits inventory information, the last user to sign into the Mac will be stored in Jamf Pro. This data could then be used in an Advanced Search to produce a report showing the Last User information for all computers. This information could be helpful for auditing which devices are assigned to the wrong person in Jamf Pro.
Software Testing Groups
Traditionally software testing is done with three groups: a Test group, a Pilot group, and then everyone else, oftentimes called Prod (or Production). To gather devices into these different groups a pop-up Extension Attribute can be utilized to identify which group a device falls into.
Coupled with a Smart Group that looks for a specific value, these groups can be used for scoping of Configuration Profiles, App Store apps, or Policies in the case of computer objects.
The values for a pop-up Extension Attribute can be manipulated manually in Jamf Pro, or they can be changed via the API. This allows for the use of Self Service workflows to add machines to these test groups, or for third-party software like service desk software to organize devices into these testing groups.
Device Refresh Date
As mentioned above, the use of a Refresh Date (or even a Born On Date) could be useful for procurement departments to determine when a device needs to be replaced, or refreshed. By utilizing a date Extension Attribute a Smart Group or Advanced Search could use date operators for criteria, like “before a date” or “after a date”.
This type of Extension Attribute could also be manipulated via the API, allowing third-party asset management systems to populate the Refresh Date information. This could then be utilized for reporting or by a Smart Group to alert the user of an upcoming device refresh.
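The API updates described for the testing-group and refresh-date attributes both come down to writing one value onto a computer record, and because that value drives Smart Group scoping it is worth validating before it is sent. The following is an added example, not code from the original post or from Jamf: it assumes the Classic API endpoint `/JSSResource/computers/id/<id>`, a bearer token already held in `API_TOKEN`, a server address in `JAMF_URL`, ring names of Test, Pilot and Prod, and a `YYYY-MM-DD` date format; all ids are placeholders.

```shell
#!/bin/bash
# Added example (not from the original post). JAMF_URL, API_TOKEN and every
# id passed in are placeholders supplied by the caller.

# Return 0 only for values this workflow is allowed to write.
valid_value() {  # usage: valid_value <ring|date> <value>
    case "$1:$2" in
        ring:Test|ring:Pilot|ring:Prod) return 0 ;;
        # Shape check only; YYYY-MM-DD is an assumed format.
        date:[0-9][0-9][0-9][0-9]-[01][0-9]-[0-3][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the Classic API XML body that sets one Extension Attribute by id.
# Nothing is emitted unless the id is numeric and the value passed validation,
# so caller-supplied text can never inject extra XML elements.
ea_payload() {   # usage: ea_payload <ea_id> <ring|date> <value>
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    valid_value "$2" "$3" || return 1
    printf '<computer><extension_attributes><extension_attribute>'
    printf '<id>%s</id><value>%s</value>' "$1" "$3"
    printf '</extension_attribute></extension_attributes></computer>\n'
}

# Validate first, then PUT the value to a single computer record.
set_ea() {       # usage: set_ea <computer_id> <ea_id> <ring|date> <value>
    case "$1" in ''|*[!0-9]*) echo "bad computer id" >&2; return 1 ;; esac
    body=$(ea_payload "$2" "$3" "$4") || { echo "rejected: $4" >&2; return 1; }
    curl --silent --show-error --fail --request PUT \
        --header "Authorization: Bearer ${API_TOKEN}" \
        --header "Content-Type: text/xml" \
        --data "$body" \
        "${JAMF_URL}/JSSResource/computers/id/$1"
}
```

Give the API account that runs this only the privileges needed to update computer records, since any value it writes can move a device into a different scope.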
SecureToken Users
When Apple released macOS 10.13 and changed the storage format to APFS (Apple File System) they introduced a new SecureToken methodology for securing the storage on a computer. A user is granted a SecureToken by the operating system when their account is created via Setup Assistant or via the Users & Groups preference pane. Without a SecureToken a user is unable to unlock a FileVault encrypted volume.
Since we would not want to encrypt a device with FileVault that did not have at least one SecureToken user, it would be useful to gather those users in an Extension Attribute. Utilizing a script-based Extension Attribute an admin is able to gather those users and then utilize that Extension Attribute for scoping of a FileVault encryption policy.
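One way to write the script-based Extension Attribute described above, as an added example that is not from the original post or a Jamf template: it assumes regular local accounts have a UID of 501 or higher, reads each account's status with `sysadminctl -secureTokenStatus` (which writes to stderr), and reports `None` when no account holds a token.

```shell
#!/bin/bash
# Added example (not from the original post): script-based Extension Attribute
# that reports which local accounts hold a SecureToken.

# List local accounts with UID >= 501 (assumed cut-off for regular users).
list_local_users() {
    dscl . list /Users UniqueID | awk '$2 >= 501 {print $1}'
}

# Print the raw status line for one account; sysadminctl writes it to stderr.
token_status() {
    sysadminctl -secureTokenStatus "$1" 2>&1
}

# Build a comma-separated list of SecureToken holders, or "None".
secure_token_users() {
    holders=""
    for user in $(list_local_users); do
        case "$(token_status "$user")" in
            *"Secure token is ENABLED"*) holders="${holders:+$holders, }$user" ;;
        esac
    done
    echo "${holders:-None}"
}

# Jamf Pro stores whatever appears between the <result> tags at inventory time.
# Only report on hosts where the macOS tool is present.
if command -v sysadminctl >/dev/null 2>&1; then
    echo "<result>$(secure_token_users)</result>"
fi
```

A Smart Group whose criterion is that this attribute is not `None` can then serve as the scope for the FileVault encryption policy.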
This post has been a very high-level, very rudimentary discussion about Extension Attributes and how they might be used. Hopefully the discussion of these workflows triggers an idea of your own.
In the Resources section below you will find links to Jamf Pro documentation, some blog posts on Extension Attributes, and some links to JNUC presentations.
Jamf Pro Documentation