Updating Policy Scope using the API

adhuston
Contributor

Hi Everyone,

I've been working on a script, in Powershell, to create what we call a support area using the API. I know you're probably wondering why I'm using powershell so I will get that out of the way. Long story short, we are working on a Powershell script to automate the creation of various resources across several different systems. This includes Active Directory OUs, AD security groups, SCCM resources, etc. Jamf is just one part. The thought is to be able to specify what we want these resources named then let Powershell do the rest. We're using a web interface into our Powershell server so this could potentially do this from a webpage. We also use sites very heavily for organization of our Jamf resources. I've got most everything working properly except for one thing. We have a number of default policies that run on all our computers. A good example is enabling the Firewall. We have a subset of machines that have different firewall requirements and cannot use the built-in Apple firewall, so one of the things that I do is create an exclusion group in each site so that our desktop support staff can exclude the machines that need to have the built-in firewall turned off so they can use a different firewall. That's just one example, but it's about the best one that I could use to illustrate what I'm trying to accomplish. So after I create the group in the site, I am attempting to add this group to the exclusion section of the policy scope. I'm running into an issue where I am getting a conflict (To rule out any Powershell strangeness, I used curl. The result is the same):
[screenshot]

If I take a look at the Policy Scope on the JSS, the group is not in scope:
[screenshot]

However, if I take a look at the API it is listed:
[screenshot]

I think I'm missing something in my XML, but am not sure what. I think it has something to do with the fact that the policy I'm modifying is in what I call the central site, or no site, and the group is under the new site I just created earlier in the script. Wanted to see if anyone else is using the API to do this kind of work and see if they have any sage advice. Thanks in advance!

Andy


tthurman
Contributor III

I'm not sure if this will help. However, I roughed out a change of scope, just modifying the "all_computers" field. I haven't tried changing the exclusions yet.

```bash
apiUsername="username"
apiPassword="password"
jssURL="jss.url.here"
policyID=1234

# -k skips TLS certificate verification; drop it once the JSS certificate is trusted.
curl -sS -k -u $apiUsername:$apiPassword https://$jssURL:8443/JSSResource/policies/id/$policyID -H "Content-Type: application/xml" -d "<policy><scope><all_computers>true</all_computers></scope></policy>" -X PUT
```

Regards,
TJ

tthurman
Contributor III

Okay. I tested the exclusions in two ways.

The first one will add the computer id to the exclusion. The second will add the computer group. You can mix them together, if needed.
Note: if you run the first, then the second, the exclusions are NOT replaced, just added to (the computer was added, then the computer group).

```bash
#!/bin/sh
apiUsername="username"
apiPassword="password"
jssURL="jss.url.here"

policyID=2018

# Every opened element (computer, computers, exclusions) must be closed,
# otherwise the body is not well-formed XML.
# -k skips TLS certificate verification; drop it once the JSS certificate is trusted.
curl -sS -k -u $apiUsername:$apiPassword https://$jssURL:8443/JSSResource/policies/id/$policyID -H "Content-Type: application/xml" -d "<policy><scope><exclusions><computers><computer><id>4272</id><name>MAC-TT030970</name><udid>65D62B26-CC57-5727-93A0-258651D2D54C</udid></computer></computers></exclusions></scope></policy>" -X PUT
```

```bash
#!/bin/sh
apiUsername="username"
apiPassword="password"
jssURL="jss.url.here"

policyID=2018

# Sending only <computer_groups> leaves the existing <computers> exclusions in place.
curl -sS -k -u $apiUsername:$apiPassword https://$jssURL:8443/JSSResource/policies/id/$policyID -H "Content-Type: application/xml" -d "<policy><scope><exclusions><computer_groups><computer_group><id>1</id><name>All Managed Clients</name></computer_group></computer_groups></exclusions></scope></policy>" -X PUT
```
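The two curl commands above splice ids and names straight into the `-d` string, which is where the unclosed tags in this thread came from and which also breaks on a group name containing `&` or `<`. The following is an added example (mine, not code posted in this thread or shipped by Jamf) that builds the same exclusion body with Python's `xml.etree.ElementTree`, parses it back for a sanity check, and sends it over a verified TLS connection with the credentials read from environment variables. `JSS_URL`, `JSS_USER` and `JSS_PASSWORD` are names chosen for this example; the computer and group ids are the ones posted above.

```python
import base64
import os
import ssl
import urllib.request
import xml.etree.ElementTree as ET


def build_exclusion_body(computers=(), computer_groups=()):
    """Return <policy> XML that adds computers [(id, name), ...] and computer groups
    [(id, name), ...] to the policy's scope exclusions.

    ElementTree closes every tag and escapes characters such as '&' or '<' in
    names, which a hand-spliced curl -d string does not.
    """
    policy = ET.Element("policy")
    exclusions = ET.SubElement(ET.SubElement(policy, "scope"), "exclusions")
    for list_tag, item_tag, items in (
        ("computers", "computer", computers),
        ("computer_groups", "computer_group", computer_groups),
    ):
        if not items:
            # Leave the list out entirely: the thread observed that a PUT carrying
            # only <computer_groups> left the existing <computers> exclusions alone.
            continue
        parent = ET.SubElement(exclusions, list_tag)
        for item_id, name in items:
            item = ET.SubElement(parent, item_tag)
            ET.SubElement(item, "id").text = str(item_id)
            if name:
                ET.SubElement(item, "name").text = name
    return ET.tostring(policy, encoding="unicode")


def exclusion_ids(body):
    """Parse a body (or a policy GET response) back into the excluded ids, for checking."""
    root = ET.fromstring(body)
    return {
        "computers": [c.findtext("id") for c in root.iterfind("scope/exclusions/computers/computer")],
        "computer_groups": [g.findtext("id") for g in root.iterfind("scope/exclusions/computer_groups/computer_group")],
    }


def put_policy_scope(policy_id, body):
    """PUT the body to /JSSResource/policies/id/{policy_id}.

    Reads JSS_URL (for example https://jss.example.com:8443), JSS_USER and
    JSS_PASSWORD from the environment (names chosen for this example) so the
    password never appears on a command line, and keeps TLS verification on
    instead of using curl's -k. Returns the HTTP status code.
    """
    url = f"{os.environ['JSS_URL']}/JSSResource/policies/id/{policy_id}"
    creds = base64.b64encode(f"{os.environ['JSS_USER']}:{os.environ['JSS_PASSWORD']}".encode()).decode()
    request = urllib.request.Request(url, data=body.encode(), method="PUT")
    request.add_header("Authorization", f"Basic {creds}")
    request.add_header("Content-Type", "application/xml")
    with urllib.request.urlopen(request, context=ssl.create_default_context()) as response:
        return response.status


if __name__ == "__main__":
    # Ids and names below are the ones posted in the thread; the policy id is a placeholder.
    body = build_exclusion_body(
        computers=[(4272, "MAC-TT030970")],
        computer_groups=[(1, "All Managed Clients")],
    )
    print(body)
    print(exclusion_ids(body))
    # put_policy_scope(2018, body)  # uncomment to send against your own JSS
```

Because `build_exclusion_body` omits any list you leave empty, it has the same additive behaviour the post above describes: a groups-only body does not disturb the computers already excluded.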

adhuston
Contributor

Hi TJ,

Thanks for the suggestion! That indeed works, however, only on computer groups that are not in a Site. So any of the computer groups that are under the Full JSS will work, but when you attempt to do the same operation on a computer that is in site the command doesn't work. The trouble seems to be when a JSS resource is in a site. Thanks again for the suggestion!

Andy

tthurman
Contributor III

Wait, if a group is in a site, it's in the full JSS as well, right?
We don't use sites, so:

I did this:

  • Created Test Site
  • Added My Machine to the Site. -- My machine shows up in both site and full.
  • Created Static Group in Site. -- The Group shows up in the Site and the Full JSS.
  • I added the group and my machine to the exclusion list.

I then took a look at the API and it seems to output very similarly.

```xml
<exclusions>
  <computers>
    <computer>
      <id>4272</id>
      <name>MAC-TT030970</name>
      <udid>65D62B26-CC57-5727-93A0-258651D2D54C</udid>
    </computer>
  </computers>
  <computer_groups>
    <computer_group>
      <id>342</id>
      <name>Test Static Site Group</name>
    </computer_group>
  </computer_groups>
  <buildings/>
  <departments/>
  <users/>
  <user_groups/>
  <network_segments/>
  <ibeacons/>
</exclusions>
```

tthurman
Contributor III

I honestly think there is something wonky with your curl PUT command.

There isn't anything in the API scope XML that has <site></site>.
Plus, you're missing the <name></name> portion of the XML. I'm not sure if that makes a difference or not.

Adding Computer Groups that are in Site "X" to the exclusions of a policy in Site "X" seems to work just fine via my API commands.

Unless I'm completely off base on what you're trying to do.

Regards,
TJ

adhuston
Contributor

Hi TJ,

Did you add the exclusion via the JSS or the API? I did the same operation using the JSS and the XML came out the same as what I was using with the API. It just seems when I run it through the API it doesn't like something I'm doing. Another thought I had was to create the group in the Full JSS, add it to the scope of the policy, then move the group into the site. That's a lot of extra coding though.

Andy

tthurman
Contributor III

I used the API.

Is your curl command the same as above? Can you post it with three ticks around it? ```

Regards,
TJ

adhuston
Contributor

Hi TJ,

I thought that too, initially. I tried it both with and without the <name></name> tags and it didn't seem to care either way. It still adds it to the policy in the exclusion section in the API if you just specify the group ID. But if you look at the policy scope the computer group does not appear.

The fact that I'm running into the same error in both the Curl command and the Invoke-RestMethod in Powershell leads me to believe it's something in the XML. They do essentially the same thing, just in a different language.

The <site></site> XML information came from the only post I could find while Googling the issue. I found a post where supposedly they fixed the issue by specifying the site that the group belongs to. Doesn't appear to be the case.

You're off by a little bit, but close. The policies that I have applied to all computers are under the Full JSS:
[screenshot]

The group that I am trying to add is under a Site:
[screenshot]

If I use the same command on a policy that is located in a Site it appears to work. It just appears to be when you cross the line between the Site and the Full JSS.

The reason I'm doing this is so that the Site Admins have the ability to add computers to the groups themselves. We do not allow our Site Admins to have access to the Full JSS. They only have site access.

Hope that clarifies things a little bit.

Andy

adhuston
Contributor

Sure! Here's a screenshot:
[screenshot]

tthurman
Contributor III

```bash
curl -k -Ss -u username:password https://jss.url.here:8443/JSSResource/policies/id/2052 -H "Content-Type: application/xml" -d "<policy><scope><exclusions><computer_groups><computer_group><id>344</id><name>Test Static Site Group</name></computer_group></computer_groups></exclusions></scope></policy>" -X PUT
```

Did not work. I must have mixed it up before.

It doesn't seem like it's possible. I'm getting the same conflict error as you do. My only bet is to talk with your TAM and see what they can come up with.

--
TJ

adhuston
Contributor

Hi TJ,

Thanks for trying! I'm glad to see that it isn't only me. I was planning on reaching out to my TAM, but wanted to see if anyone else could shed some light on it before I went that route. I know that there are some places in the API that require the use of particular XML tags to work, I just wasn't sure if that was one of them. Thanks again!

Andy

gabester
Contributor III

@adhuston Ever get resolution on this? I am trying to use the API to add computers to a policy scope... and also getting "Computer (ID:#, Name:COMPUTERNAME) is enabled for a site" as an error...

Ultimately going to move this from a bash to a powershell script too which is how I stumbled here before encountering the issue!

For more context - I'm using the <computer_additions> tag to attempt to add a computer to the scope of a policy. A little more experimentation revealed that if I removed the computer from a site or set the policy to match the site of the computer it works, but if the computer doesn't match the site it fails with a similar error, either "Computer (ID:#ID, Name:$ComputerName) is not site-enabled for this site." or in the case where the policy is not assigned to a site "Computer (ID:#ID, Name:$ComputerName) is enabled for a site."

adhuston
Contributor

@Sterritt Unfortunately, I wasn't able to resolve this issue. After some investigation with Jamf Support it was determined to be a product defect, and was escalated to the development team. It's filed under product issue PI-002498.

ammonsc
Contributor II

Trying something similar building on this. I want to exclude a machine from a Wireless profile. This is where I am at right now.

I am getting an error "Script result: -:1: parser error : Document is empty"

```bash
#!/bin/sh
apiUsername="$4"
apiPassword="$5"
jssURL="6"

configurationID="$7"

## get Mac info
# Split ioreg output on double quotes so the UUID is the second-to-last field
macUDID=$( ioreg -d2 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformUUID/{print $(NF-1)}' )
computerName=$( /usr/sbin/scutil --get ComputerName )
MACaddy=$( networksetup -getmacaddress en0 | awk '{print $3}' | sed 's/:/./g' )
# Look up the computer's JSS id by MAC address; -f makes curl return nothing on an HTTP error
jssID=$(curl -H "Accept: application/xml" -sfku "$4:$5" "https://$jssURL:8443/JSSResource/computers/macaddress/$MACaddy/subset/General" | xmllint --format - | awk -F'>|<' '/<id>/{print $3; exit}')

echo $jssID


# The root element for this endpoint is <os_x_configuration_profile>, and every
# opened element (computer, computers, exclusions) must be closed.
curl -sfku "$4:$5" https://$jssURL:8443/JSSResource/osxconfigurationprofiles/id/$configurationID -H "Content-Type: application/xml" -d "<os_x_configuration_profile><scope><exclusions><computers><computer><id>$jssID</id><name>$computerName</name><udid>$macUDID</udid></computer></computers></exclusions></scope></os_x_configuration_profile>" -X PUT
```

leslie
Contributor II

How about changing jssURL="6" to jssURL="$6".

rblaas
Contributor II

Sorry for responding to an old thread. I found this thread because I was looking for a way to add computers to an exclusion list. The given solution here works fine.

But now I want to be able to remove a specific computer from the exclusion list. Is this possible? How to?
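Two things this thread leaves as open questions are how to tell, before sending anything, whether a scope change will hit the cross-site error described by @gabester above (`... is enabled for a site` / `... is not site-enabled for this site`), and how to take a single computer back out of an exclusion list. The following is an added example (mine, not code from this thread or from Jamf) covering both. It reads the site from `<general><site>` in the policy XML and from `<site>` in the computer-group XML as they come back from GET; confirm those paths against your own output. It also assumes that a PUT carrying a `<computers>` list replaces that list, so re-sending the excluded computers minus one removes it while leaving `<computer_groups>` untouched. The sample XML is constructed for the example, modelled on the exclusions posted above; ids 4301 and 3 are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a GET /JSSResource/policies/id/{id} response, cut down to
# the parts this example reads; the exclusions mirror the ones posted in the thread.
SAMPLE_POLICY_XML = """<policy>
  <general>
    <id>2052</id>
    <name>Enable Firewall</name>
    <site><id>-1</id><name>None</name></site>
  </general>
  <scope>
    <all_computers>true</all_computers>
    <exclusions>
      <computers>
        <computer><id>4272</id><name>MAC-TT030970</name><udid>65D62B26-CC57-5727-93A0-258651D2D54C</udid></computer>
        <computer><id>4301</id><name>MAC-EXAMPLE02</name><udid>00000000-0000-0000-0000-000000000002</udid></computer>
      </computers>
      <computer_groups>
        <computer_group><id>342</id><name>Test Static Site Group</name></computer_group>
      </computer_groups>
    </exclusions>
  </scope>
</policy>"""

# Constructed samples of GET /JSSResource/computergroups/id/{id} responses (site id 3 is made up).
SAMPLE_SITE_GROUP_XML = """<computer_group>
  <id>344</id><name>Test Static Site Group</name><is_smart>false</is_smart>
  <site><id>3</id><name>Test Site</name></site>
</computer_group>"""
SAMPLE_FULL_JSS_GROUP_XML = """<computer_group>
  <id>1</id><name>All Managed Clients</name><is_smart>true</is_smart>
  <site><id>-1</id><name>None</name></site>
</computer_group>"""


def site_conflict(policy_xml, group_xml):
    """Return a message describing the cross-site mismatch reported in this thread,
    or None when the policy and the group are in the same site (or both in none).
    Site elements are read from <general><site> and <computer_group><site>;
    these paths are assumed, so check them against your own GET output."""
    policy_site = ET.fromstring(policy_xml).find("general/site")
    group_site = ET.fromstring(group_xml).find("site")
    if policy_site is None or group_site is None:
        return None  # cannot tell from the XML; let the server answer
    if policy_site.findtext("id") != group_site.findtext("id"):
        return (f"policy is in site {policy_site.findtext('name')!r} but the group is in "
                f"site {group_site.findtext('name')!r}; the API rejects this scope change")
    return None


def excluded_computer_ids(policy_xml):
    """Ids currently listed under scope/exclusions/computers."""
    root = ET.fromstring(policy_xml)
    return [c.findtext("id") for c in root.iterfind("scope/exclusions/computers/computer")]


def body_without_computer(policy_xml, computer_id):
    """Build the PUT body that re-sends the excluded computers minus `computer_id`.

    Only <computers> is included so the group exclusions are not touched.
    Raises LookupError when the id is not excluded, so a typo cannot rewrite the list.
    """
    current = ET.fromstring(policy_xml).find("scope/exclusions/computers")
    kept = [] if current is None else [c for c in current if c.findtext("id") != str(computer_id)]
    if current is None or len(kept) == len(current):
        raise LookupError(f"computer {computer_id} is not excluded from this policy")
    policy = ET.Element("policy")
    computers = ET.SubElement(ET.SubElement(ET.SubElement(policy, "scope"), "exclusions"), "computers")
    for c in kept:
        item = ET.SubElement(computers, "computer")
        ET.SubElement(item, "id").text = c.findtext("id")
        ET.SubElement(item, "name").text = c.findtext("name")
    return ET.tostring(policy, encoding="unicode")


if __name__ == "__main__":
    print(site_conflict(SAMPLE_POLICY_XML, SAMPLE_SITE_GROUP_XML))   # mismatch: Full JSS policy, sited group
    print(site_conflict(SAMPLE_POLICY_XML, SAMPLE_FULL_JSS_GROUP_XML))  # None
    print(excluded_computer_ids(SAMPLE_POLICY_XML))
    print(body_without_computer(SAMPLE_POLICY_XML, 4272))
```

The body returned by `body_without_computer` is sent with the same PUT request and headers as the curl commands earlier in the thread. Removing the last excluded computer yields an empty `<computers />`, which under the replacement assumption clears the computer exclusions; run `excluded_computer_ids` on a fresh GET afterwards to confirm the server did what you expected.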