16 Feb Introducing SCL Jamf Tools
You don’t need a bigger boat, you need custom tools. But a bigger boat wouldn’t hurt.
Here at the Marriott Library we’re in the middle of our transition from Radmind to Jamf Pro as our macOS management system. We’ve supplemented our Radmind deployment with a rich set of utilities and scripts called Xhooks. Continuing the tradition of building custom tools to enhance our existing environment, we’ve begun building a set of applications that allow us to quickly find and make changes to specific machines in the Jamf Pro database. We’re calling the collection SCL Jamf Tools. The repository will include the frameworks of custom applications we have written, Extension Attributes (EAs) we’ve built to add functionality to Jamf Pro, and other scripts designed to automate tedious or time-consuming tasks.
The first of these tools, Cargo Ship and Tugboat, use the Jamf Pro (referred to as Jamf for the rest of this article) API to drill into its depths and help our staff quickly perform tasks that would ordinarily require them to use the Jamf web interface. This can be quite daunting for new users, due to the enormous amount of information available there. Tugboat has been designed to quickly on- and off-board machines, change ownership, and update location and other inventory information. Cargo Ship is used to show how Jamf describes a specific machine: its printers, profiles, groups, etc. We feel it’s a useful debugging tool that can show what should be present on a specific computer if something seems to be missing.
We’re making these tools (Python source included) available here on GitHub. We’ve trimmed out the sections that are specific to the Marriott and provided them as a framework for others to add in functionality unique to their needs. Included on the project page are additional code snippets for interacting with various databases. Both tools share a large percentage of code, so feel free to mix and match with your code. We’re excited to see what other teams are able to build!
The idea behind Cargo Ship was an offhand remark about how cool it would be if we could quickly see what policies and groups a computer belonged to. In a nutshell, it gathers policy and profile information from the Jamf database and then pulls down individual computer records and presents that information in a condensed, easy to digest format.
Note: Cargo Ship does a lot of communicating with Jamf after you successfully log in. There isn’t any graphical indication that the script is still running, so please be patient while it completes. The more policies and profiles your installation has, the longer this situation will last.
This is a screen shot of an early demo from the end of 2015. It could parse LDAP and update a handful of fields in the Jamf database. Its most important feature, though, was that it showed us that we could leverage the power of the Jamf API to build desktop tools to quickly and easily modify computer records in the Jamf database.
Tugboat has had a number of names during its genesis: Todd’s Python demo, the inventory app, iPop, the Onboarder, Boarding Pass, All Aboard and State Room, to name but a few, which shows how we ended up with the nautical theme. Its purpose continuously expanded as features were added and suggestions offered. At the beginning, it was only meant to fill in the User & Location field for each computer in the Jamf database. At present it can search the JSS, manage a number of Extension Attributes, open specific pages in the Jamf web interface and speak to various databases, like our staff directory and centralized campus LDAP.
Here’s a breakdown of the features of our version of Tugboat:
| # | Feature |
|---|---------|
| 1 | Machine record discovery methods: JSS string and ID searches |
| 2 | User selection methods: Top percentage user, hostname name database |
| 3 | User information methods: Staff database, chain of command traversal, LDAP |
| 4 | Computer information: Computer name, assigned IP, University asset tag and bar codes |
| 5 | PC-specific information: Manufacture dates, model info and serial number |
| 6 | User information: Fields represent the contents of the User and Location tab |
| 7 | Inventory information: Custom fields specific to our deployment, management status |
| 8 | Advanced: Open specific Jamf web interface pages, initiate off-boarding process |
| 9 | Status and submit: Status text from the app, reset data, quit the app and submit record to Jamf |
The driving force behind Tugboat is a project meant to make our Jamf server the center of our inventory efforts in the Marriott Library, keeping track of the desktops, laptops and mobile devices. We’ve added many EAs to extend the description of a computer, like what the primary purpose of the machine is, how it was paid for, how old it is and where it is physically located. Our goal is to be able to ask questions like “Which department has the oldest desktops” or “Why does this person have so many machines” or “How many machines of a certain specification do we have in storage” and get useful information in return.
Another benefit of knowing where machines are located is that it allowed us to design a policy system that provides the appropriate printers to machines. The library is organized by divisions and departments. We co-opt the department category for divisions and the position field for departments within those divisions. All of this information is retrieved from a staff database, greatly reducing the possibility of a hard-to-find typo preventing someone from accessing the correct printer.
Since Jamf has minimal support for Windows-based computers, we’ve added a number of fields specific to them. An example of this is the date of manufacture sticker on the back of our PCs. Entering this information allows us to make the age calculations we would have derived from a Macintosh’s serial number.
Since none of our Extension Attributes or inventory fields will make sense in any other environment, we’ve removed them from the version included in the GitHub repository. Most of the basic functionality remains and can be easily customized to suit your environment. Code snippets and a more in-depth discussion on adding features are available at the GitHub page. Again, we’re looking forward to seeing what other developers are able to add to Tugboat!
Here is a quick demonstration of Tugboat in action, please see the GitHub page for more information:
Note: Tugboat does not enroll clients into the Jamf database. In order to edit computer records, the device must already have been enrolled with the usual tools.
Both of these tools are written in Python for cross-platform usage and keep external module use to a minimum. The GitHub pages for each project feature a more in-depth discussion of usage and suggestions for integration into your specific environment. We’ve included pre-built versions of both tools for environments with no need to customize them. Py2app was used to build the macOS applications and cx_Freeze for the Windows version.
In order to read and change data in Jamf, the user attempting such an action will require certain privileges in Jamf. Here is a list of the minimum required rights to use Tugboat and Cargo Ship.
|Accounts and Groups||☑||Needed for login functionality|
|Computer Extension Attributes||☑||☑||Tugboat needs to be able to change values.|
|Computers||☑||☑||Tugboat needs to be able to change values.|
|OS X Configuration Profiles||☑|
|Users||☑||☑||Tugboat needs to be able to change values.|
Jamf LDAP Groups Bug
We attempted to utilize Jamf LDAP Groups to give the proper rights to individuals belonging to certain Active Directory groups. Unfortunately, a bug in Jamf Pro (Product Issue PI-003395) is currently preventing this method. We hope that Jamf is able to correct this issue soon. Having this functionality intact would allow us to manage users at the AD layer, instead of using Jamf. Limiting the number of places where changes need to be made when a staff member’s status changes limits the possibility of omissions or errors being made. We encourage others to raise this issue with their Jamf technical representatives as one that vitally needs to be addressed.
Jamf Duplicate UUID Handling Feature Request
Another issue we discovered during development of these tools is with Windows machines and Jamf. We had the misfortune of discovering that a large number of motherboards shared an identical UUID. Researching this issue showed it was not as rare an event as one would hope. Jamf expects (requires, actually) every machine to have a unique UUID. Since the affected machines have identical values, each one that is enrolled overwrites the previous machine’s values, over and over again. We’re faced with some unfortunate choices: the time-consuming task of visiting each machine and manually changing each offending value, or writing a custom script to add the machine to Jamf, essentially re-writing recon. It’s quite possible that this issue could occur with Macintosh machines as well, if replacement hardware is not serialized properly. We suggest Jamf provide the option of enrolling a machine with a user-defined UUID. You can find our feature request here and we hope others will see the utility and offer additional upvotes.
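A pre-enrollment check for the duplicate-UUID problem described above, as an added example that is not part of Tugboat or Cargo Ship: it groups an inventory export by normalized UUID and models the overwrite where the last machine enrolled wins. The CSV columns, host names and UUID values are constructed for illustration.

```python
import csv
import io
import uuid
from collections import defaultdict

# Constructed sample export (not real machines): hostname, serial, hardware UUID.
# The same UUID appears in three spellings to show why normalization matters.
SAMPLE_INVENTORY = """hostname,serial,uuid
lib-pc-001,SN0001,AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
lib-pc-002,SN0002,{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
lib-pc-003,SN0003,12345678-9ABC-DEF0-1234-56789ABCDEF0
lib-pc-004,SN0004,aaaaaaaabbbbccccddddeeeeeeeeeeee
lib-pc-005,SN0005,not-a-uuid
"""

def normalize_uuid(raw):
    """Return the canonical lowercase form, or None if raw is not a UUID."""
    try:
        return str(uuid.UUID((raw or "").strip()))
    except ValueError:
        return None

def find_uuid_collisions(csv_text):
    """Return ({uuid: [hostnames]} for shared UUIDs, [hostnames with bad UUIDs])."""
    by_uuid = defaultdict(list)
    invalid = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        canon = normalize_uuid(row["uuid"])
        if canon is None:
            invalid.append(row["hostname"])
        else:
            by_uuid[canon].append(row["hostname"])
    collisions = {u: h for u, h in by_uuid.items() if len(h) > 1}
    return collisions, invalid

def surviving_records(csv_text):
    """Model a store keyed on UUID: each enrollment replaces the earlier record."""
    records = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        canon = normalize_uuid(row["uuid"])
        if canon is not None:
            records[canon] = row["hostname"]
    return records

if __name__ == "__main__":
    collisions, invalid = find_uuid_collisions(SAMPLE_INVENTORY)
    for shared, hosts in collisions.items():
        print(f"{shared} shared by {', '.join(hosts)}")
    print("unparseable UUID:", invalid)
    print("records left after enrollment:", surviving_records(SAMPLE_INVENTORY))
```

Running a check like this against an asset list before enrollment shows which machines need a corrected UUID, and how many records would otherwise be silently replaced.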
I’d like to thank the Marriott Library administration and the other members of the Marriott Library Mac Support group for all of the support, feature requests, bug reports, name suggestions and all around awesomeness that they bring to work every day.