Use BigFix action to trigger a JAMF policy?

My team normally handles Windows deployments and we’re starting to take on Mac from another team. I know all of this can just be done through JAMF itself, but is it possible to trigger a JAMF policy via BigFix? I like BigFix’s deferral prompts much better than what’s natively available in JAMF. Has anyone had success with a scenario like below?

  • Create a software policy in JAMF.
  • Attach the necessary .pkg.
  • Set the policy scope to all machines.
  • Only apply a custom trigger to the policy. (ex. upgradeSnagit)
  • Enable the policy.
  • Use a BigFix action to initiate the custom trigger.

I tried a BigFix action with ‘wait sudo jamf policy -trigger upgradeSnagit’ but it failed. I’m assuming that it’s not liking whatever sudo credentials are being passed from BigFix?

1 Like

You’re almost there. You don’t need sudo since the BigFix client runs with admin privileges.
Try:
wait /usr/local/bin/jamf policy -trigger upgradeSnagit

2 Likes

If jamf is on the PATH then you would normally invoke it using just jamf, but that assumes that you are running the command inside a shell (bash or zsh), and the shell itself is what handles the PATH completion and finds jamf within /usr/local/bin automatically for you.

When you invoke a command using wait in bigfix actionscript, there is no shell. This is direct process invocation. This means there is not the same kind of PATH completion. You must provide absolute paths to the executable you are invoking in most cases.

Alternatively, you could use actionscript like this:

wait bash -c "jamf policy -trigger upgradeSnagit"

BigFix invokes bash, then bash runs the command provided within the shell, which then means PATH completion works!

I’m not saying this will definitely work, I haven’t tested it. I am however saying why wait jamf policy -trigger upgradeSnagit probably isn’t working.

As for the sudo part: you can include it or not, it doesn’t matter since BigFix will run it as root regardless. Best to leave it out, but if you keep it, it shouldn’t do anything one way or the other.

The real question is, why don’t you need to provide the absolute path to bash, but you do to other commands? I don’t fully know the answer, but I know this is the case on macOS and Windows and Linux… just that some things you can invoke directly using a relative path and they work, while others require the shell to help you find the relative path or to invoke something that is a command that only exists within the shell itself and does not exist as a binary / executable on the PATH.
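The PATH behaviour discussed in the replies above, as an added shell example that is not from any poster in this thread: because the action runs as root, it resolves jamf against a fixed directory list instead of the inherited PATH and checks ownership and write bits before building the absolute command line. TRUSTED_DIRS, EXPECTED_UID and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. TRUSTED_DIRS and EXPECTED_UID are assumed names, not BigFix or Jamf settings.
TRUSTED_DIRS="${TRUSTED_DIRS:-/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin}"

# Print the absolute path of command $1 found in TRUSTED_DIRS, or return 1.
resolve_trusted() {
    case $1 in
        ''|*/*) return 1 ;;              # only bare command names are looked up
    esac
    rest=$TRUSTED_DIRS:
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        case $dir in
            /*) ;;                       # absolute directory: usable
            *) continue ;;               # skip empty or relative entries
        esac
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            return 0
        fi
    done
    return 1
}

# Return 0 if file $1 (symlinks followed) is owned by uid $2 (default 0)
# and is neither group- nor world-writable. Parent directories are not checked.
is_safe_binary() {
    [ -n "$(find -L "$1" -maxdepth 0 -type f -user "${2:-0}" \
            ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# Print the absolute command line for custom trigger $1, or return 1.
build_trigger_cmd() {
    case $1 in
        ''|*[!A-Za-z0-9_-]*) return 1 ;; # trigger names: letters, digits, _ and - only
    esac
    bin=$(resolve_trusted jamf) || return 1
    is_safe_binary "$bin" "${EXPECTED_UID:-0}" || return 1
    printf '%s policy -trigger %s\n' "$bin" "$1"
}

# Usage: build_trigger_cmd upgradeSnagit
```

On a Mac where jamf is installed under /usr/local/bin, the printed line is the absolute-path form suggested earlier in the thread.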

Thank you both. 👍 I’ll give these a shot today.