My team normally handles Windows deployments and we’re starting to take on Mac from another team. I know all of this can just be done through JAMF itself, but is it possible to trigger a JAMF policy via BigFix? I like BigFix’s deferral prompts much better than what’s natively available in JAMF. Has anyone had success with a scenario like below?
Create a software policy in JAMF.
Attach the necessary .pkg.
Set the policy scope to all machines.
Only apply a custom trigger to the policy. (ex. upgradeSnagit)
Enable the policy.
Use a BigFix action to initiate the custom trigger.
I tried a BigFix action with ‘wait sudo jamf policy -trigger upgradeSnagit’ but it failed. I’m assuming that it’s not liking whatever sudo credentials are being passed from BigFix?
You’re almost there. You don’t need sudo since the BigFix client runs with admin privileges.
try: wait /usr/local/bin/jamf policy -trigger upgradeSnagit
if jamf is on the PATH then you would normally invoke it jusing just jamf but that assumes that you are running the command inside a shell (bash or zsh) and the shell itself is what handles the PATH completion and finds jamf within /usr/local/bin automatically for you.
When you invoke a command using wait in bigfix actionscript, there is no shell. This is direct process invocation. This means there is not the same kind of PATH completion. You must provide absolute paths to the executable you are invoking in most cases.
Alternatively, you could use actionscript like this:
wait bash -c "jamf policy -trigger upgradeSnagit"
BigFix invokes bash, then bash runs the command provided within the shell, which then means PATH completion works!
I’m not saying this will definitely work, I haven’t tested it. I am however saying why wait jamf policy -trigger upgradeSnagit probably isn’t working.
As for the sudo part. You can include it or not, it doesn’t matter since BigFix will run it is root regardless. Best to leave it out, but if you keep it, it shouldn’t do anything one way or the other.
The real question is, why don’t you need to provide the absolute path to bash, but you do to other commands? I don’t fully know the answer, but I know this is the case on MacOS and Windows and Linux… just that some things you can invoke directly using a relative path and they work, while others require the shell to help you find the relative path or to invoke something that is a command that only exists within the shell itself and does not exist as a binary / executable on the PATH.
I believe this should work, but only someone with Mac expertise can confirm. However, I looked into the Jamf log file, and “executing policy” is a line that occurs frequently.
Q: preceding text of last (computer name) of preceding text of first "jamf" of locked lines (maximum of line numbers of locked lines containing "Executing Policy" of it) of file "/var/log/jamf.log"
A: Tue Apr 15 01:22:27
T: 1435129
This is really interesting. I’m not sure if this is the most efficient way to get the newest log line containing a particular string with BigFix Relevance, but it seems like it might be. That is very useful.
I personally would pluralize it a bit more like this:
locked lines (maxima of line numbers of locked lines containing "Executing Policy" of it) of files "/var/log/jamf.log"
This would prevent it from throwing an error if the log file didn’t exist or if a line containing that did not exist.
preceding text of last (computer name) of preceding text of first "jamf" of locked lines (maximum of line numbers of locked lines containing "Executing Policy" of it) of file "/var/log/jamf.log"
I’ll give these a shot today.