Script to check a Jamf Pro server for a computer's membership of a smart group. This is useful if you need to confirm that a Mac is in a particular group, e.g. a smart group of Macs whose FileVault 2 individual recovery key is valid. If the Mac is not a member, a remediation URL can be offered to the user as an option.
The API credentials are not passed to the script in clear text: they are stored in the policy as encrypted (salted) parameter strings and decrypted inside the script. See the following for how to generate them and for the decryption function used:
https://github.com/jamf/Encrypted-Script-Parameters
Note that the salt and passphrase needed to decrypt them live in the script itself, so this hides the credentials from the policy view in Jamf Pro but does not protect them from anyone who can read the script. Use an API account with the minimum rights needed (read access to computer groups is enough for this check).
Usage: sh CheckMembershipToGroup.sh 1 2 3 4 5 6 7 8 9 10 11
The eleven positional parameters are:
- P1 MountPoint (set by Jamf)
- P2 ComputerName (set by Jamf)
- P3 UserName (set by Jamf)
- P4 Encrypted (salted) apiUserName
- P5 Encrypted (salted) apiPassword
- P6 Message subject shown when the Mac is in the group
- P7 Message body shown when the Mac is in the group
- P8 Message subject shown when the Mac is NOT in the group
- P9 Message body shown when the Mac is NOT in the group
- P10 RemediationURL (offered to the user when the Mac is NOT in the group)
- P11 Group ID number of the smart group to check
The corresponding variables inside the script, with example values:
- theTitleGood="Success. Mac is in Group"
- theMessageGood="This mac is in the group"
- theTitleBad="Failed. Mac is NOT in Group"
- theMessageBad="This mac is NOT in the group, open remediation page?"
- theURL="jamfselfservice://content?entity=policy&id=xx&action=view"
- groupID="2000"
Do not forget to set theURL to your Self Service remediation policy or to a remediation web page. Mine was jamfselfservice://content?entity=policy&id=62&action=view; you may instead have a separate web page with remediation instructions that you want to direct users to.
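The following is an added example of the three pieces such a script needs, written here to illustrate the mechanism; it is not the repository's own CheckMembershipToGroup.sh. The parameter decryption follows the jamf/Encrypted-Script-Parameters approach (AES-256 via openssl with a salt and passphrase embedded in the script), the membership check parses the Classic API response for /JSSResource/computergroups/id/{id}, and the dialog uses osascript. Assumptions made in this example and not taken from the page: the explicit "-md sha256" digest (so encrypt and decrypt agree on any OpenSSL version; use whatever digest your encryptor used), the helper names, the SAMPLE_GROUP_XML response (constructed), and reading jss_url from the Jamf plist. The network and dialog functions need a Jamf Pro server and macOS; the decrypt and parse functions run anywhere.

```sh
#!/bin/sh
# Added example, not the repository's script. Assumptions are marked below.

# --- 1. Encrypted script parameters (jamf/Encrypted-Script-Parameters style) --
# The value stored in the policy is base64 AES-256-CBC ciphertext; the salt
# and passphrase live in the script. "-md sha256" is an assumption made here
# so that encrypt and decrypt agree on every OpenSSL version.
SALT=''        # fill in with the salt printed by your encryptor
PASSPHRASE=''  # fill in with the passphrase printed by your encryptor
encrypt_param() {   # encrypt_param "plaintext" "salt-hex" "passphrase"
    printf '%s' "$1" | openssl enc -aes256 -a -A -md sha256 -S "$2" -k "$3"
}
decrypt_param() {   # decrypt_param "ciphertext" "salt-hex" "passphrase"
    printf '%s' "$1" | openssl enc -aes256 -d -a -A -md sha256 -S "$2" -k "$3"
}

# --- 2. Group membership from a Classic API response -------------------------
# GET /JSSResource/computergroups/id/<id> returns XML whose <computers> block
# lists every member. Only that block is searched, so the group's own <name>
# cannot be mistaken for a computer, and the match is on the whole name
# (grep -x) so "MacBook-1" does not match "MacBook-10".
group_members() {   # group_members "<xml>"  -> one member name per line
    printf '%s' "$1" | tr -d '\n' \
        | sed -n 's/.*<computers>\(.*\)<\/computers>.*/\1/p' \
        | grep -o '<name>[^<]*</name>' \
        | sed 's/<name>//; s/<\/name>//'
}
is_member() {       # is_member "ComputerName" "<xml>"  -> exit 0 if a member
    group_members "$2" | grep -qxF -- "$1"
}

# Constructed sample response, shaped like the Classic API output (assumption).
SAMPLE_GROUP_XML='<?xml version="1.0" encoding="UTF-8"?>
<computer_group><id>62</id><name>FV2 Valid Individual Key</name><is_smart>true</is_smart>
<computers><size>2</size>
<computer><id>101</id><name>MacBook-1</name></computer>
<computer><id>102</id><name>MacBook-10</name></computer>
</computers></computer_group>'

# --- 3. Glue that runs on the Mac (needs a Jamf Pro server and macOS) --------
# Basic auth against the Classic API is used as the page does; newer Jamf Pro
# releases require a bearer token instead, so adjust fetch_group_xml if needed.
fetch_group_xml() { # fetch_group_xml "jss_url" "user" "pass" "group_id"
    curl -sf -u "$2:$3" -H 'Accept: application/xml' \
        "$1/JSSResource/computergroups/id/$4"
}
# notify_user "title" "message" "console_user" ["remediation-url"]
# With a URL the dialog gets an Open button; the URL is opened as the logged-in
# user (the policy itself runs as root) so a jamfselfservice:// link works.
notify_user() {
    if [ -n "$4" ]; then
        choice=$(/usr/bin/osascript -e "button returned of (display dialog \"$2\" with title \"$1\" buttons {\"Cancel\", \"Open\"} default button \"Open\")" 2>/dev/null)
        [ "$choice" = "Open" ] && /usr/bin/sudo -u "$3" /usr/bin/open "$4"
    else
        /usr/bin/osascript -e "display dialog \"$2\" with title \"$1\" buttons {\"OK\"} default button \"OK\"" >/dev/null
    fi
}
# Policy entry point; call it as:  run_check "$@"   (Jamf passes $1..$11)
run_check() {
    jss_url=$(/usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf jss_url | sed 's:/*$::')
    api_user=$(decrypt_param "$4" "$SALT" "$PASSPHRASE")
    api_pass=$(decrypt_param "$5" "$SALT" "$PASSPHRASE")
    xml=$(fetch_group_xml "$jss_url" "$api_user" "$api_pass" "${11}") || return 2
    if is_member "$2" "$xml"; then
        notify_user "$6" "$7" "$3"; return 0
    else
        notify_user "$8" "$9" "$3" "${10}"; return 1
    fi
}
```

The exit codes of run_check (0 member, 1 not a member, 2 API failure) are what the policy log will show, which makes it easy to tell an API or credential problem apart from a genuine "not in group" result.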
As mentioned, I wrote this with FileVault 2 recovery keys in mind, so I wanted users who enrolled an existing, already configured Mac to have it tested for whether FileVault 2 was enabled. If not, two items handle that:
- Configuration profile with escrow of the recovery key to Jamf Pro configured, scoped to "All Computers"
- Policy set up to enable FileVault 2 at next login, set to run on the "Enrollment Complete" trigger and targeted at Macs without FileVault 2 enabled
But what if the device already has FileVault enabled? Its recovery key is then unknown to Jamf, and we need to get it escrowed. So after enrolment the user can open Self Service and check, via a policy that runs this script, whether their Mac has a valid recovery key in Jamf. Jamf also provides a useful script that challenges the user for their FileVault 2 password and then reissues the key so that it can be escrowed to Jamf.
Configuration profile: Security and Privacy payload configured to escrow the recovery key to Jamf Pro, scoped to All Computers.
Policy to reissue the key:
- Policy set to run Jamf's script to reissue the FileVault key
- In the Self Service pane of this policy copy the View URL; this is the parameter "theURL"
- Scope: All Computers
- Frequency: Once Per Day
- Trigger: Self Service
- Payload: Script reissueKey.sh
- Files and Processes: Execute Command "jamf policy" (this sends the key to Jamf)
- https://github.com/jamf/FileVault2_Scripts/blob/master/reissueKey.sh
Smart group to check whether a FileVault 2 individual recovery key is valid; the ID of this smart group is the parameter "groupID".
Policy to run the CheckMembershipToGroup.sh script:
- Scope: All Computers
- Frequency: Ongoing, but your choice
- Trigger: Self Service
- Payload: Script CheckMembershipToGroup.sh
- Parameters:
- P1...3 Managed by Jamf
- P4. QWERTYUIOP1234567890sdfghjkl (encrypted apiUserName, example value)
- P5. QWERTYUIOP1234567890ZXCVBNMASDFGHJKL (encrypted apiPassword, example value)
- P6. Success. Mac is in Group
- P7. This mac is in the group
- P8. Failed. Mac is NOT in Group
- P9. This mac is NOT in the group, open remediation page?
- P10. jamfselfservice://content?entity=policy&id=62&action=view
- P11. 62