1 Off Override of "Once Per Day"

HNTIT
Contributor II

I have a bunch of policies that I don't want to run more than once per day, so curiously enough they are set to "Check In" and "Once Per Day" and are each scoped to a specific building.

However, I have 1 particular set of circumstances that should only realistically happen once per machine, where a policy is triggered that intentionally changes a setting to a default value, I then need to trigger my "Once Per day" policy to immediately change them back to the site based one.

Any thoughts?

1 ACCEPTED SOLUTION

HNTIT
Contributor II

Sweet Buggery I have got it !!!!!!!!

Here is what I am going to do.

1 : Create a script called "Apply Site Settings" that only has the following in it.

sleep 10s && sudo /usr/local/bin/jamf policy -trigger "Apply Site Settings"

2 : Take my 50+ Site Policies and change them from "Once Per Day" and "Recurring Check In" to instead be "Ongoing" and "Custom" with the Custom Event Trigger set to "Apply Site Settings". This should actually mean none of the Policies will ever run.

3 : Create a single "Site Settings" Policy and set it to "Once Per Day" and "Recurring Check In", and make it run the "Apply Site Settings" Script.

4 : My Policy that recreated the local admin account, have it also run the "Apply Site Settings" script "After"

Sound Like a Plan ????
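
An added example, not part of the original post or of Jamf's own tooling: the "Apply Site Settings" wrapper from step 1 written so that a failed trigger is logged and returned as the script's exit status, which matters here because a failed run leaves the recreated admin account on the shared settings. The function name `fire_site_trigger`, the `JAMF_BIN`, `SETTLE_SECONDS` and `LOG_FILE` variables and the log path are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: the "Apply Site Settings" wrapper with status reporting.
# Assumed names (not from the thread): fire_site_trigger, JAMF_BIN,
# SETTLE_SECONDS, LOG_FILE and the log path below.

JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"
TRIGGER="Apply Site Settings"
SETTLE_SECONDS="${SETTLE_SECONDS:-10}"      # same pause as the original script
LOG_FILE="${LOG_FILE:-/var/log/apply_site_settings.log}"

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG_FILE"
}

# Fire the custom trigger that the per-site "Ongoing" policies listen for.
# Returns 0 on success, 2 if the jamf binary is missing, otherwise the
# exit status of the jamf binary.
fire_site_trigger() {
    if [ ! -x "$JAMF_BIN" ]; then
        log "jamf binary not found at $JAMF_BIN"
        return 2
    fi
    sleep "$SETTLE_SECONDS"
    rc=0
    # Policy scripts already run as root, so sudo is not needed here.
    "$JAMF_BIN" policy -trigger "$TRIGGER" >> "$LOG_FILE" 2>&1 || rc=$?
    if [ "$rc" -ne 0 ]; then
        # A failure here leaves the machine on the shared default settings
        # until the next successful run, so make it visible.
        log "trigger '$TRIGGER' failed with exit $rc"
    else
        log "trigger '$TRIGGER' completed"
    fi
    return "$rc"
}

# Only act on a machine where the Jamf binary is installed.
if [ -x "$JAMF_BIN" ]; then
    fire_site_trigger
    exit $?
fi
```
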


5 REPLIES 5

mm2270
Legendary Contributor III

Not sure I completely understand what you need here. Can you provide more detail maybe? It sounds like you want to run a "Once per day" policy more than once per day under a particular circumstance. Is that right?
If so, have you considered cloning the policy and changing the frequency of it to Ongoing and just changing it to a manual trigger (unchecking the recurring check-in trigger) and calling it with the custom trigger under that circumstance?

HNTIT
Contributor II

We have a massive array of buildings globally, most of which have a local person who is trusted with the Local Administrator Password, every Building needs a unique Administrator password, so each site has a "Local Building Preferences" policy that only applies to that 1 building, this policy also sets a large array of other Building Specific Settings, these run once per day.

50+ Buildings = 50+ Policies.

However we are now in a situation where we need to add that Administrator account to FileVault, so we have a policy that when triggered deletes the non FileVault enabled account.
This then triggers another Policy that recreates it with FileVault enabled. I don't want to create 50 policies to do this as it's just messy, so we have it done with 1 policy, but that then means the password is set to the same for all machines, and we have to wait possibly up to 24 hours for the settings to change the password again.

What we need is a way to override the Once Per Day thing in a 1 off scenario.

Does that make more sense?

mm2270
Legendary Contributor III

It makes sense, but unfortunately I don't have an answer for you. There's no way to override a policy's frequency, nor its scope. If I set a policy to run once per day and it executes on my Mac at 9:00 am, there's no amount of commands, forcing or cajoling I can do to make it run again on my Mac until at least 9 am the following day, UNLESS I flush the policy log (in its entirety or just the one that ran on my system). This tells the Jamf console that the policy should run again, as if it never ran in the first place.

So, short of flushing policy logs, or changing the frequency from Once per day to Ongoing, there isn't really any other proper way I can think of to do this. At least not ones that aren't akin to reinventing the wheel.

HNTIT
Contributor II

That's what I found.

If only the Flushing Policy logs was capable of being just a teeny bit more granular, then perhaps we could find a way to look at the most recent Log for the Policy and just flush that.

Obviously I could manually do this, but having to flush the log by hand is a bit of a pain.

Anyone Else have any ideas ?
