sdagley
Esteemed Contributor II

There will probably come a point in a Jamf Pro admin’s duties when they find themselves needing to provide a mechanism for users to add or exclude their Mac from the scope of a Configuration Profile or Policy via Self Service. An example would be letting users add themselves to a group testing macOS Beta releases. Using the Jamf Pro API to add a Mac to a Static Computer Group might seem like the obvious way to do this, but per recommendations made in the Jamf Pro certification courses calling the API from arbitrary endpoints is not recommended: doing so means API credentials have to live on the managed Mac, where a local admin or malware could recover them and use them against your whole Jamf Pro instance. This article describes an alternative mechanism to allow user initiated scope changes without using the Jamf Pro API.

 

The core part of this approach is what’s known as a flag file: its existence on a Mac is used to add the Mac to a Smart Computer Group, which can then be used as a Scope Target or Exclusion. To create the flag file we’ll use a script called via a Script payload in a Self Service initiated Policy. To detect the presence of the flag file we’ll create an Extension Attribute (EA) which will be used as the Criteria for a Computer Smart Group listing all Macs with the flag file present.

 

The Script 

In order to make it reusable the flag file creation script takes two parameters: a Directory Path where the flag file will be created, and the File Name to use for the flag file. Add the script below to your Jamf Pro instance, and use those names for the parameter labels. Because a Policy script runs as root, the directory and flag file it creates are root-owned (with the default 755/644 modes), so a standard user can’t forge or delete a flag file by hand. Keep the Directory Path under /Library rather than a user-writable location such as /Users/Shared or /tmp; otherwise anyone on the Mac could change its scope without going through Self Service.

 

#!/bin/sh

# Create Flag File
#
# Given a directory path and a file name this script will create
# the directory if it doesn't exist, then attempt to create a
# file with the given file name in that directory
#
# Inputs:
# (As a script called by Jamf Pro the first parameter is $4)
# $4 - Directory Path - Do not include a trailing / (Required)
# $5 - File Name (Required)

DirectoryPath="$4"
FileName="$5"

if [ -n "$DirectoryPath" ] && [ -n "$FileName" ]; then
    # If Directory Path isn't an existing directory then create it
    # using the -p option to create any intermediate directories
    if [ ! -d "$DirectoryPath" ]; then
        /bin/mkdir -p "$DirectoryPath"
        # Normally one would check to see if the mkdir reported
        # an error but we'll find out if it failed when we try
        # to create the flag file
    fi

    /usr/bin/touch "$DirectoryPath/$FileName"
    # Check the result of the touch command
    result=$?
    if [ $result -ne 0 ]; then
        # The touch command failed to create the flag file,
        # report an error and exit
        echo "Error: Failed to create Flag File"
        exit 1
    fi
else
    # Missing either the Directory Path or File Name parameters,
    # report an error and exit
    echo "Error: Missing Directory Path or File Name parameters"
    exit 1
fi

# If we got here the script was successful
exit 0

 

The Extension Attribute 

Here’s an example of an Extension Attribute (EA) that will check for the existence of a flag file named “FlagFile” in the directory path “/Library/Application Support/MyOrg”. Since EAs using the Script input data type don’t take parameters you will need a separate EA for each flag file you use, but for clarity we’ll use the same variable names in the EA as in the script that creates flag files. The EA uses the Integer data type, and returns “1” if the flag file is found and “0” if not (Note: when creating an EA that returns a boolean result, i.e. True/False, an Integer result requires less overhead than a String result):

 

#!/bin/sh

# Flag File Exists - <Flag File Name>
#
# Given a directory path and a file name this script will check
# for the existence of a file with that name
#
# Returns:
# 0 - Flag file does not exist
# 1 - Flag file exists

# Set these variables as appropriate for the flag file you're
# checking for
DirectoryPath="/Library/Application Support/MyOrg"
FileName="FlagFile"

# Default result is flag file does not exist
result="0"

if [ -f "$DirectoryPath/$FileName" ]; then
    result="1"
fi

echo "<result>$result</result>"

 

The other parts of the puzzle 

To use the information collected by a Flag File Exists EA for scoping Macs as either Targets or Exclusions for a Policy or Configuration Profile you’ll need to create a Computer Smart Group with the Flag File Exists EA as the Criteria, using the “is” operator with a Value of 1.

Create a Self Service policy with the Create Flag File script as its Script payload, setting the Directory Path and File Name parameters to match the EA, to allow users to add themselves to that Smart Group. Smart Group membership is recalculated from inventory, so also add a Maintenance payload with Update Inventory to the policy; otherwise the Mac won’t join the group until its next scheduled inventory submission.
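The pieces above (the Create Flag File script, the Flag File Exists EA, and the Self Service policy) as one runnable shell example. This is added code, not from the original article or from Jamf, and it adds two things the article does not cover: a Remove Flag File action so a user can leave the Smart Group again, and a hardened EA body that only trusts a flag file the root-run policy could have created. The function names, the EXPECTED_UID argument (0 on a Jamf-managed Mac) and the temp directory used for the demo are assumptions of this example; on a real Mac you would use the full command paths and the “/Library/Application Support/MyOrg” path from the article.

```shell
#!/bin/sh
# Added example, not the article's own scripts. The flag file workflow as
# functions, plus a remove action and an EA check that ignores flag files
# a standard user could have planted. EXPECTED_UID is 0 on a real Mac.

# create_flag_file DIR NAME
# Same logic as the article's policy script, with explicit modes so that,
# run as root, the directory ends up root-owned 755 and the file 644.
create_flag_file() {
    dir=$1; name=$2
    [ -n "$dir" ] && [ -n "$name" ] || { echo "Error: Missing Directory Path or File Name" >&2; return 1; }
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    chmod 755 "$dir"
    touch "$dir/$name" && chmod 644 "$dir/$name"
}

# remove_flag_file DIR NAME
# The inverse Self Service action: delete the flag file so the Mac drops
# out of the Smart Group at its next inventory update. A missing file is
# not an error, so the policy can safely be run twice.
remove_flag_file() {
    dir=$1; name=$2
    [ -n "$dir" ] && [ -n "$name" ] || return 1
    if [ -e "$dir/$name" ]; then rm -f "$dir/$name"; fi
}

# Owner uid and others-write bit of PATH, read from POSIX "ls -ldn" so the
# same code works with BSD (macOS) and GNU ls. Field 3 is the numeric owner;
# column 9 of the mode string is the others-write bit.
path_owner_uid()      { ls -ldn "$1" | awk '{print $3}'; }
path_world_writable() { [ "$(ls -ldn "$1" | cut -c9)" = "w" ]; }

# flag_file_status DIR NAME EXPECTED_UID
# Hardened EA body. Prints 1 only when the flag file is a regular file owned
# by EXPECTED_UID and its directory is not world-writable; otherwise 0.
# A file a standard user could have dropped there is treated as absent.
flag_file_status() {
    dir=$1; name=$2; want_uid=$3
    path="$dir/$name"
    if [ -f "$path" ] && [ "$(path_owner_uid "$path")" = "$want_uid" ] && ! path_world_writable "$dir"; then
        echo 1
    else
        echo 0
    fi
}

# Stand-alone demo on a constructed temp path (not a real Mac), so it can
# run as a non-root user: we trust our own uid instead of 0.
demo_root=$(mktemp -d)
demo_dir="$demo_root/Application Support/MyOrg"
create_flag_file "$demo_dir" FlagFile
echo "<result>$(flag_file_status "$demo_dir" FlagFile "$(id -u)")</result>"   # <result>1</result>
remove_flag_file "$demo_dir" FlagFile
echo "<result>$(flag_file_status "$demo_dir" FlagFile "$(id -u)")</result>"   # <result>0</result>
rm -rf "$demo_root"
```

In Jamf Pro the create and remove functions would be two separate Script payloads (two Self Service items, “Join” and “Leave”), and the EA would call flag_file_status with the directory, file name and 0 for the uid. The ownership and directory-permission checks are what stop a user from flagging or unflagging a Mac by hand when the flag directory is misconfigured.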

 

Applying the above  

Using the Flag File/EA technique described above you now have a mechanism which allows your users to flag their Macs as Targets or Exclusions for the scope of a Policy or a Configuration Profile via Self Service, without requiring the use of the Jamf Pro API or placing API credentials on any endpoint.

 

About the Author
Did Mac software development for Lockheed Martin and Netscape/Mozilla, founded FreePPP Group, spent a while managing computers (mostly Macs) in K12 EDU, now into enabling Mac users at the Enterprise level for a Fortune 25 company.