Jamf Policy Logs - No History of Policy

joethedsa
Contributor II

I'm SMH about an issue with policies that are staying in the "pending" state even though they have successfully completed. This is troublesome because the policy in question is one that the execution frequency is set to "Once per Computer". I've flushed the policies for the machine. I've even run recon on the computer and still the same issue. I have a cloud instance of JSS with version 10.12.0. Anyone else having this issue?

Here is some context - The policy being run on 10.14 is using the "Execute a Command" field in the "Files and Processes" payload. The command being run is for running updates, then doing a restart:

softwareupdate -i -a; jamf policy -trigger restartComputer

The trigger "restartComputer" is also just a command payload running the following command:

shutdown -r now

Doing a recon shows the computer was successfully updated by comparing the before and after inventory of the computer.

hjcao
Contributor

Explanation below is way better than what I said!

mm2270
Legendary Contributor III

This problem has been discussed a number of times before. The main issue is the reboot is taking place before a policy log can be uploaded back to the Jamf server. In order for any policy to show as completed, a log must be uploaded to the server at the completion of that policy. That's really the only way the server will ever know if the policy ran on the device or not. If a log doesn't get uploaded, the policy will stay in a "pending" state forever.
When you have a shutdown -r now at the end of your policy, that command is still part of that policy, and as soon as it runs, the Mac restarts, which interrupts the running of the policy, and thus, a policy log never gets uploaded.

Hopefully the above explanation makes some sense now.

The way around this is not so clear. There are a variety of ways to address it, none of which are great, but Jamf unfortunately doesn't offer a good built-in solution to the problem, so we've had to craft our own solutions.

One way would be to have a script run at the end of the policy that creates a LaunchDaemon that kicks off the restart in a delayed fashion. In other words, the restart must be offloaded from the main part of the policy so the policy itself can "complete" and upload a log, so you can see that it ran.

I don't have a current example of how the above looks, but if you need some help or an example, I can probably put something together. Someone else may already have a ready-made example they can post before I do though.

Edit: In taking another look at what you have, you may have luck simply changing your command in the second policy from

shutdown -r now

to

shutdown -r +2 &

The latter just tells the command to spin off into its own process, which I believe will let Policy B complete, upload its log, then Policy A (the one running the softwareupdate command) to finish, and upload its log, and then finally within 2 minutes the Mac will restart.
If the above works ok, you could play with it and see if 1 minute is enough time. It might be, but 2 should for sure be plenty of time to allow everything to complete.
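
An added example, not part of the post above and not Jamf's own tooling: one way to write the script that hands the restart to a LaunchDaemon so the policy can finish and upload its log. The label `com.example.delayedrestart` and the 120-second delay are assumptions chosen for illustration.

```shell
#!/bin/sh
# One-shot LaunchDaemon that restarts the Mac after a delay (added example).
# LABEL is a hypothetical name; the delay follows the ~2 minutes suggested above.
LABEL="com.example.delayedrestart"

# write_restart_daemon DIR DELAY_SECONDS -> writes DIR/$LABEL.plist, prints its path
write_restart_daemon() {
    dir=$1
    delay=$2
    plist="$dir/$LABEL.plist"
    # The delay ends up inside a root-run "sh -c" string, so accept digits only.
    case $delay in
        ''|*[!0-9]*) echo "delay must be whole seconds" >&2; return 1 ;;
    esac
    # The job deletes its own plist first, so RunAtLoad cannot fire again
    # on the next boot and put the machine into a restart loop.
    cat > "$plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$LABEL</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>-c</string>
        <string>/bin/rm -f '$plist'; /bin/sleep $delay; /sbin/shutdown -r now</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
    # World-readable but not writable: launchd runs this job as root.
    chmod 644 "$plist"
    echo "$plist"
}

# Install only on macOS as root, which is how a Jamf policy script runs.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    p=$(write_restart_daemon /Library/LaunchDaemons 120) || exit 1
    chown root:wheel "$p"
    launchctl bootstrap system "$p"   # returns at once; the sleep runs under launchd
fi
```

Because `launchctl bootstrap` returns immediately, the script exits, the policy completes and its log is uploaded while the daemon is still sleeping.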

joethedsa
Contributor II

@mm2270 and @hjcao thanks for responding. @mm2270, your workaround seems interesting. I'm going to try that out and let you know how I venture. In the meantime, I've removed the restart from the policy and confirmed that it is working as it should be.

mm2270
Legendary Contributor III

@joethedsa Sure. Give that option a try.

BTW, I need to take back one thing I said above, which is that Jamf doesn't offer a way to do this natively. That isn't true. While they don't offer a way to do this using things like a script or command being run, you can add the Restart Options payload into a policy and configure it for a reboot, and it in fact does something along the lines of what I mentioned above with a LaunchDaemon that calls the reboot in the background. This does allow the main policy items to complete and shows as complete in the policy log, since the restart gets offloaded from the main process. To get similar behavior to the above, you would want to configure it to restart immediately in the options. That, I believe, will just restart the Mac at the end without a user needing to acknowledge any dialog, but you should test that out to be sure.

joethedsa
Contributor II

@mm2270, I should have mentioned that the policies I'm running are when the computer is idle and at the username and password screens so there is no user interaction needed. The hope is that I will be able to get these policies to work and completed "off hours" since these are lab computers that aren't used all the time. With that mentioned, is it possible that because the computer is at the login screen as opposed to not being logged in by a user, that it's having an issue?

joethedsa
Contributor II

@mm2270, just wanted to let you know that I ended up using the "Restart Options" payload in the policy and it worked as hoped. I set the reboot for a 2-minute delay. The policy now shows completed. Thanks as always for the guidance.

Cheers!