Using JAMF Helper for policies

Jamf Pro has a couple of triggers: events that cause a computer to check in with the Jamf Pro server to run policies. These include Startup, Login, Logout, Network State Change, Enrollment Complete, Recurring Check-in, and Custom. You can read the description of each trigger by creating a new policy (you don’t have to save it) and looking in the General policy payload.

Recently, I had a situation where we wanted to run an update that’s pretty big on logout. This has the benefit of ensuring the software isn’t running. There are pros and cons to this trigger which I won’t get into here. However, one thing that I’ve always found unacceptable is the JAMF Helper HUD dialog in the bottom right corner that shows up.

[Screenshot: the default JAMF Helper HUD dialog]

I’ve submitted a feature request on JAMF Nation to improve this functionality: https://www.jamf.com/jamf-nation/feature-requests/5980/login-and-logout-policies-should-have-a-more-descriptive-message

The Jamf Pro administrator will know what the dialog means, but end users will be clueless. It’s not descriptive and quite confusing. You can try to educate your end users on what this means, but you shouldn’t have to, and naturally many of them may not remember.

The Script

With this in mind, I started working on a script where I could open a JAMF Helper dialog that would be good to run on logout that would let the end user know when . For this particular instance, I had to keep the script somewhat simple, but I still wanted to make it somewhat generic and flexible enough to be re-used in different policies using JSS Parameters (another area where Jamf Pro could be improved on). The goal here was to be able to 1) call either a full screen or HUD (Apple Heads Up Dialog) or a utility dialog, 2) insert a title, header and message, and optionally 3) allow an icon to be specified and button text (note: the button will not actually have any effect other than closing the dialog).

The current version of this script uses 6 JSS parameters. Some are required while others are optional.

  • Required: $4 is the window type used by JamfHelper. There are only three possible values: fs, hud, and utility. Note: all of these window types can be exited using CMD + Q.
      • hud: creates an Apple “Heads Up Display” style window
      • utility: creates an Apple “Utility” style window
      • fs: creates a full screen window that restricts all user input
  • Required: $5 is the title text used by JamfHelper for the dialog window. It does not appear in the fullscreen dialog, but you still need to fill it out.
  • Required: $6 is the header text used by JamfHelper.
  • Required: $7 is the description message used by JamfHelper.
  • Optional: $8 is the icon path used by JamfHelper. Do not escape characters. If not using one, leave it empty. Using one is heavily recommended; otherwise dialogs look weird.
      • e.g. /My Directory.app/icon.icns is a valid path. /My\ Directory.app/icon.icns is not a valid path.
      • A helpful path to know in case you want something built into macOS: /System/Library/CoreServices/Software Update.app/Contents/Resources/SoftwareUpdate.icns
  • Optional: $9 is the text in the first button. Requires that $4 be set to “utility” or “hud”; otherwise the value in this parameter will be ignored.
      • Pressing the button will not have any effect other than to cause the dialog window to close.
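
An added sketch, not the author's script from the repo, of how a script could check these parameters before handing them to jamfHelper and record the dialog's PID. The return codes and the overridable JAMF_HELPER and PID_FILE variables are assumptions; the PID file path is the one the kill command later in this post reads.

```bash
#!/bin/bash
# Added sketch, not the author's script. JAMF_HELPER and PID_FILE can be
# overridden from the environment (an assumption made for testing).
JAMF_HELPER="${JAMF_HELPER:-/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper}"
PID_FILE="${PID_FILE:-/tmp/jamfHelper_PID.txt}"

# Returns 0 if usable, 2 bad window type, 3 missing text, 4 icon not found.
validate_params() {
    case "$1" in fs|hud|utility) ;; *) return 2 ;; esac
    [ -n "$2" ] && [ -n "$3" ] && [ -n "$4" ] || return 3
    # The icon is optional; when given it must exist exactly as typed,
    # which also rejects a backslash-escaped path.
    [ -z "$5" ] || [ -f "$5" ] || return 4
    return 0
}

show_dialog() {
    wtype=$1 title=$2 heading=$3 desc=$4 icon=$5 button=$6
    validate_params "$wtype" "$title" "$heading" "$desc" "$icon" || return $?
    set -- -windowType "$wtype" -title "$title" -heading "$heading" \
           -description "$desc"
    [ -z "$icon" ] || set -- "$@" -icon "$icon"
    # Button text only applies to hud and utility windows.
    if [ -n "$button" ] && [ "$wtype" != fs ]; then
        set -- "$@" -button1 "$button"
    fi
    "$JAMF_HELPER" "$@" &
    pid=$!
    # /tmp is shared by all users: remove any stale file, then create it
    # with noclobber so the write fails instead of going through a file
    # or symlink that appeared in the meantime.
    rm -f "$PID_FILE"
    ( set -C; printf '%s\n' "$pid" > "$PID_FILE" )
}

# Jamf fills $1-$3 itself; the policy's own parameters start at $4.
if [ -n "${4:-}" ]; then
    show_dialog "$4" "$5" "$6" "$7" "$8" "$9"
fi
```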

Using the script in a policy

First, upload the script to your JSS. After it has been uploaded, set the script’s Priority to Before and enter parameter labels as seen in the screenshot below. You’re free to use your own labels.

[Screenshot: script parameter labels in the JSS]

The next thing you’ll want to do is create a new policy. You will use the following policy payloads:

General:

  • Trigger: Logout
  • Frequency: Ongoing (This depends on your policy scope. My targeted smart group focuses on computers not running the latest version which means they’d fall out of scope once the policy runs.)

Packages:

  • Add the packages you want.

Scripts:

Add the script you’ve uploaded to the Jamf Pro server. Set the script to run Before.

Maintenance:

Check “Update Inventory” so that the computer’s inventory is updated when the policy finishes running.

Files and Processes:

In the Execute Command field, enter the following code which will close the JAMF Helper dialog:

kill "$(cat "/tmp/jamfHelper_PID.txt")"

This is useful if you are using the script for one policy only and just want the JAMF Helper dialog to go away at the end of the policy run. If you did this, you could have the JAMF Helper dialog come up for each policy that needs to run at logout and disappear once the policy runs. If you have multiple policies running, this would at least give the end user an idea of what software package is installing. Of course, sometimes that’s not really necessary because certain software just installs really quickly. But for bigger installers like Microsoft Office or Adobe CC applications, which take a longer time to install, this might make more sense.
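
The kill command above trusts whatever is in a file under /tmp, which any local user can write to, while the policy itself runs as root. A more defensive close step, as an added example rather than the author's command: the function names and return codes are assumptions, and it is meant to run from a script set to After instead of the Execute Command field.

```bash
#!/bin/bash
# Added sketch, not the author's command: close the dialog only when the
# PID file can be trusted and the PID still belongs to jamfHelper.
PID_FILE="${PID_FILE:-/tmp/jamfHelper_PID.txt}"

# Print the command name for a PID (on macOS, ps reports the full path).
proc_name() { ps -p "$1" -o comm= 2>/dev/null; }

# Returns 0 closed, 1 no usable PID file, 2 bad contents, 3 not jamfHelper.
close_dialog() {
    # Refuse symlinks and files not owned by the user running the script
    # (root, when run from a policy).
    [ ! -L "$PID_FILE" ] && [ -f "$PID_FILE" ] && [ -O "$PID_FILE" ] || return 1
    pid=$(cat "$PID_FILE")
    rm -f "$PID_FILE"
    # Digits only; reject 0 and 1 (process group and launchd/init).
    case "$pid" in ''|*[!0-9]*|0*|1) return 2 ;; esac
    # PIDs get reused, so confirm the process really is jamfHelper.
    case "$(proc_name "$pid")" in
        jamfHelper|*/jamfHelper) kill "$pid" ;;
        *) return 3 ;;
    esac
}

# Jamf always passes $1 (the mount point) to policy scripts.
if [ -n "${1:-}" ]; then
    close_dialog
fi
```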

Note about logout triggers: If you have a configuration profile using the Login Window payload, make sure to check “Logout Script: Also execute the client computer’s LogoutHook script” which is under the Script tab for that payload. Otherwise, logout hooks will NOT run. Screenshot below:

[Screenshot: the Logout Script option in the Login Window payload]

You can download the script from my GitHub repo. Feedback is always welcome.
