Device-Specific Parameters for Jamf Pro Script Policies

In Jamf Pro you can add a script under Settings and label the parameters. For a shell script these would be $1..$11. Then when adding the script to a policy, we could tell Jamf to send a value to use when running the script and it would show up in “$4”. ($1..$3 are automatically populated with some commonly used values — mount point, computer name, and username.) But what if we need to run the script with a different parameter value for each computer?

You’re probably familiar with the many variables we can use when constructing profiles. These variables are listed in https://docs.jamf.com/jamf-pro/administrator-guide/Computer_Configuration_Profiles.html

Variable                 Inventory Information
$COMPUTERNAME            Computer Name
$SITENAME                Site Name
$SITEID                  Site ID
$UDID                    UDID
$SERIALNUMBER            Serial Number
$USERNAME                Username associated with the computer in Jamf Pro (computer-level profiles only);
                         username of the user logging in to the computer (user-level profiles only)
$FULLNAME or $REALNAME   Full Name
$EMAIL                   Email Address
$PHONE                   Phone Number
$POSITION                Position
$DEPARTMENTNAME          Department Name
$DEPARTMENTID            Department ID
$BUILDINGNAME            Building Name
$BUILDINGID              Building ID
$ROOM                    Room
$MACADDRESS              MAC Address
$JSSID                   Jamf Pro ID
$PROFILEJSSID            Jamf Pro ID of the Configuration Profile
$EXTENSIONATTRIBUTE_#    Extension Attribute ID Number

Note: The ID number is found in the extension attribute URL. In the example URL below, “id=2” indicates the extension attribute ID number:
https://instancename.jamfcloud.com/computerExtensionAttributes.html?id=2&o=r
For more information, see Computer Extension Attributes.

If you’re like me, you’d look in the Admin Guide under Policy Scripts and find no mention of any kind of variable parameters there, and then try entering $USERNAME into a parameter value and running the policy just to see if it works. It does not. The script runs and the value of $4 is literally “$USERNAME”. Jamf doesn’t replace that with the actual username assigned to the computer the way it does when distributing profiles.

There’s some talk on Jamf Nation about pulling the values down to the running script via the API. But that requires us to provide API credentials to the clients. That is a potentially dangerous practice, since the user, or anyone who has pwned their device, could get at those credentials.

Solution:

Write the values you need in your script to the device using a Jamf Pro external application settings profile, then read them into your script with “defaults read”.

Example:

I want a file on every desktop named “Read me, <name of user assigned to the computer>!.txt”.

1. Create a computer profile. I called mine “Script Preference” and set it to install at the computer level. I scoped it to a test computer.

2. Go down to “Application & Custom Settings” in the payloads list and add an “External Application”. Source will be “Custom Schema”. You can enter whatever you want in Preference Domain, but usually these follow the same scheme Apple uses for their preference files, like “com.apple.keyboard”. I called mine “com.my.script”.

3. Then you’re going to upload a schema to explain what parameters you want to use in your script. I just want my script to have access to the username to which the Mac has been assigned in Jamf Pro inventory. So my schema is pretty simple…

{
  "title": "My Script Settings",
  "description": "Settings for my script",
  "properties": {
    "jamf_mac_username": {
      "title": "Username",
      "description": "The Jamf device owner",
      "property_order": 10,
      "type": "string"
    }
  }
}

You could have lots of settings in there but I just need that one.

4. Once you save the schema you’ll be asked to enter a value for the config profile payload’s “Username” field because that’s what we have in the “title” attribute in our schema. The value for that setting will be the Jamf Pro replacement variable “$USERNAME”.

5. Click “Save” and then look at your profiles in macOS System Settings. The prefs profile has been installed and because Jamf Pro understands $variables in configuration profiles, the username from my computer “janedoe” is in there…

6. Create a script in Jamf Pro Settings. Instead of using things like the ${4} we use when we specify a static parameter in policy settings, we use “defaults read” to pull the value out of the Script preference configuration profile…

7. Create a policy with that script, scope it to a test computer and run it. (Wait for scheduled check-in, call it with “sudo jamf policy” in terminal, or set the policy up in Self Service and run it from there…). There will now be a file called “READ ME janedoe!.txt” on the admin user’s desktop.
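As an added example that is not the original post’s script, here is the kind of shell script steps 6 and 7 describe: it reads jamf_mac_username from the plist that the computer-level “Script Preference” profile installs under /Library/Managed Preferences and creates the “READ ME <owner>!.txt” file on the logged-in user’s Desktop. The plist path, the validation rule and the dscl lookup are my assumptions, and the check that rejects odd owner values goes a step beyond the post: a value delivered by a profile is still data, so it is validated before it becomes part of a path.

```shell
#!/bin/sh
# Added example: read the device owner delivered by the "Script Preference"
# profile ($USERNAME) and create the Desktop file from step 7.
export LC_ALL=C

PREFS_PLIST="/Library/Managed Preferences/com.my.script.plist"  # assumed location of the computer-level payload
PREFS_KEY="jamf_mac_username"

# Accept only characters a Jamf username or email realistically contains. Anything
# else (slashes, spaces, quotes, newlines, a leading . or -) is rejected, so the
# value can safely become part of a file name. Prints nothing on rejection.
sanitize_username() {
  case "$1" in
    "" | .* | -*) return 1 ;;
    *[!A-Za-z0-9._@-]*) return 1 ;;
  esac
  printf '%s' "$1"
}

# Build the Desktop path for "READ ME <owner>!.txt": $1 = home dir, $2 = owner.
readme_path() {
  owner=$(sanitize_username "$2") || return 1
  printf '%s/Desktop/READ ME %s!.txt' "$1" "$owner"
}

main() {
  # Jamf fills $1..$3 (mount point, computer name, username) itself; the owner
  # comes from the profile instead of a static $4 policy parameter. Reading the
  # root-owned managed preferences file, not the user's own preference domain,
  # ensures the value came from the MDM profile and not from a user-writable plist.
  owner=$(defaults read "$PREFS_PLIST" "$PREFS_KEY") || {
    echo "Could not read $PREFS_KEY from $PREFS_PLIST; is the profile installed?" >&2
    return 1
  }
  console_user=$(stat -f %Su /dev/console)
  home_dir=$(dscl . -read "/Users/$console_user" NFSHomeDirectory | awk '{print $2}')
  target=$(readme_path "$home_dir" "$owner") || {
    echo "Refusing to use unexpected owner value: $owner" >&2
    return 1
  }
  printf 'This Mac is assigned to %s in Jamf Pro.\n' "$owner" > "$target"
  chown "$console_user" "$target"
}

# Run only where the managed preference file exists (a Mac with the profile
# installed); Jamf reports the policy as failed when main returns non-zero.
if [ -f "$PREFS_PLIST" ]; then
  main "$@"
fi
```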

That’s not an example of anything you’d actually want to do… it’s just to illustrate the technique. You can send many settings and use any of the available profile variables. If you need the script to use a custom value that’s not in one of the built-in variables, create an extension attribute in Settings and upload the values for each computer using MUT or your own API script.


2 thoughts on “Device-Specific Parameters for Jamf Pro Script Policies”

  1. Thank you for this write up. This is great and immediately useful for my context. I do have one question though. Once these values are written, let’s say the user’s name changes or the computer is reassigned to another user without being re-provisioned. Is there a way to automate redeploying this profile so that the values get updated?


    1. Jamf Pro has no automation that would detect the need to re-deploy a profile based on a change in the value of a lookup variable. You can redeploy a profile (with updated data) to all devices by pretending to make an edit to the profile record in Jamf and then choosing to redeploy to all devices when saving. Plus, tell them you need a safe way for a device to read and write its own data.

