Last edit: March 23, 2019 09:28:40 PM CDT
The Reported IP Address is the IP address that the computer has on its local network
IP Address is the IP address that the JSS sees the computer connecting from
JAMF Tomcat: /usr/local/jss. Standard Tomcat: /usr/share (RHEL) and /var/lib (Ubuntu)
See also MySQL & Tomcat for additional information, including memcached, keytool and MySQL and Tomcat configuration recommendations
Is Jamf Pro running/listening on proper port?
netstat -ntlap | awk '/:(8080|8443|443) / && /LISTEN/'
Break apart the Jamf Pro Linux Installer
/path/to/jamfproinstaller.run --noexec --target /tmp/jamf_installer_expanded/
Make a profile from the JSS human-readable
openssl smime -inform DER -verify -in /path/to/downloaded.mobileconfig -noverify -out /path/to/de-signed.mobileconfig
plutil -convert xml1 /path/to/de-signed.mobileconfig
Find the Jamf device cert in the System Keychain
security dump-keychain /Library/Keychains/System.keychain | awk '/alis/' | grep -E "[A-F0-9]{8}-[A-F0-9]{4}-4[A-F0-9]{3}-[89AB][A-F0-9]{3}-[A-F0-9]{12}" | cut -c 19-54
Binaries
Does the machine see the JSS?
jamf checkJSSConnection
See hidden verbs and flags
jamf help -hidden
jamf help [verb] -hidden
Install a package
jamf install -package -path -target [-fut] [-feu] [-showProgress]
Run SoftwareUpdate and bypass an internal SUS server
jamf runSoftwareUpdate -fromApple
Save Inventory Details to a Local File
sudo jamf recon -verbose -saveFormTo ~/Desktop/
Get JSS ID for a machine
jamf recon 2>&1 | grep computer_id | grep -o '[0-9]\+'
Reinstall the JSS CA Cert
jamf trustJSS
Reinstall MDM Profile
jamf mdm manage
jamf Binary Detailed Listings
jamf [PDF]
jamfHelper Basic Example
sudo /Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -title "Title TK" -timeout 15 -description "Copy Goes Here" -button1 "Tk"
jamfHelper Flags
Window
-windowType [hud | utility | fs]
hud: creates an Apple "Heads Up Display" style window
utility: creates an Apple "Utility" style window
fs: creates a full screen window that restricts all user input (WARNING: Remote access must be used to unlock machines in this mode)
-windowPosition [ul | ll | ur | lr] If no input is given, the window defaults to the center of the screen
-icon path Sets the window's image field to the image located at the specified path
-title "string" Sets the window's title to the specified string
-heading "string" Sets the heading of the window to the specified string
-description "string" Sets the main contents of the window to the specified string
-alignDescription [right | left | center | justified | natural]
-alignHeading [right | left | center | justified | natural]
-alignCountdown [right | left | center | justified | natural]
Buttons
-button1 "string" Creates a button with the specified label
-button2 "string" Creates a second button with the specified label
-defaultButton [1 | 2] Sets the default button of the window to the specified button. The Default Button will respond to “return”
-cancelButton [1 | 2] Sets the cancel button of the window to the specified button. The Cancel Button will respond to “escape”
Window Timeouts & Exit Options
-kill Kills the JAMF Helper when it has been started with launchd
-countdown Displays a string notifying the user when the window will time out
-lockHUD Removes the ability to exit the HUD by selecting the close button
-showDelayOptions "int, int, int,..." Enables the “Delay Options Mode”. The window will display a dropdown with the values passed through the string
-timeout int Causes the window to time out after the specified number of seconds. Note: The timeout will cause the default button, button 1 or button 2, to be selected (in that order)
jamfHelper Error Codes
jamfHelper will print the following return values to stdout:
0: Button 1 was clicked
1: The Jamf Helper was unable to launch
2: Button 2 was clicked
3: Process was started as a launchd task
XX1: Button 1 was clicked with a value of XX seconds selected in the drop-down
XX2: Button 2 was clicked with a value of XX seconds selected in the drop-down
239: The exit button was clicked
240: The "ProductVersion" in sw_vers did not return 10.5.X, 10.6.X or 10.7.X
243: The window timed-out with no buttons on the screen
250: Bad "-windowType"
254: Cancel button was selected with delay option present
255: No "-windowType"
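The return values above, turned into a decoder that a policy script can branch on. This is an added example, not part of the original cheatsheet; the function names and event labels are made up here, and treating button 1 as "confirm" and button 2 as "cancel" is an assumption.

```sh
#!/bin/sh
# Classify the value jamfHelper prints, using the return-value table above.
# Prints "<event> <delay>"; delay is "-" when no drop-down value applies.
decode_jamfhelper_result() {
    rv=$1
    case $rv in
        ''|*[!0-9]*) echo "invalid -"; return 1 ;;  # empty or non-numeric
    esac
    case $rv in
        # Fixed codes are matched first so bare 1 and 2 keep their listed
        # meanings and are not read as XX1/XX2 with an empty XX.
        0)   echo "button1 -" ;;
        1)   echo "launch_failed -" ;;
        2)   echo "button2 -" ;;
        3)   echo "launchd_task -" ;;
        239) echo "exit_button -" ;;
        240) echo "unsupported_os -" ;;
        243) echo "timeout_no_buttons -" ;;
        250) echo "bad_window_type -" ;;
        254) echo "cancel_with_delay -" ;;
        255) echo "no_window_type -" ;;
        *1)  echo "button1 ${rv%1}" ;;  # XX1: drop the button digit, rest is seconds
        *2)  echo "button2 ${rv%2}" ;;  # XX2
        *)   echo "unknown -"; return 1 ;;
    esac
}

# Decide what a prompting script should do next.
# Assumption: button 1 = confirm, button 2 = cancel.
# Launch failures and bad flags are errors, never treated as user consent.
jamfhelper_action() {
    set -- $(decode_jamfhelper_result "$1")   # $1 = event, $2 = delay
    case "$1:$2" in
        button1:-)            echo "proceed" ;;
        button1:*)            echo "defer $2" ;;
        button2:*|exit_button:*|cancel_with_delay:*) echo "cancelled" ;;
        timeout_no_buttons:*) echo "timed_out" ;;
        launchd_task:*)       echo "started" ;;
        *)                    echo "error"; return 1 ;;
    esac
}
```

A script that only checks "not 2" before continuing would treat return value 1 (unable to launch) as a click on button 1; branching on the decoded event avoids that.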
Database
Get version of Database Utility
sudo java -jar /usr/local/jss/bin/JSSDatabaseUtil.jar version
Turn off Limited Access
update limited_access_mode_settings set access_mode=[0] where address='[ip of server]';
How many pending policy pushes are in queue
select apns_result_status, count(*) from mobile_device_management_commands group by apns_result_status;
How many policy pushes are in queue per device
select computer_id, count(*) from mobile_device_management_commands where apns_result_status="" group by computer_id order by count(*) ASC;
Delete pending pushes for all devices
delete from mobile_device_management_commands where apns_result_status != 'Acknowledged';
Delete pending pushes for a particular device
delete from mobile_device_management_commands where apns_result_status != 'Acknowledged' and device_id=[device ID];
Equivalent of Computers > [computer] > History > Mac App Store Apps for all computers
select application_name, count(*) as count from applications where mac_app_store=1 and report_id in (select last_report_id from computers_denormalized) group by application_name order by count desc into outfile '/path/to/output';
See registered APNS tokens for a machine
use jamfsoftware; select computer_name, computer_id, apn_token from computers;
Dump a list of all the applications installed on enrolled clients
mysql -u root -p -e "use jamfsoftware; select application_name,application_path from applications;" > /tmp/appslist.txt
Get size of the database
SELECT table_name AS "Tables",
round(((data_length + index_length) / 1024 / 1024), 2) "Size in MB"
FROM information_schema.TABLES
WHERE table_schema = "jamfsoftware"
ORDER BY (data_length + index_length) DESC;
View the criteria for a Smart Group
Find the ID number for the Smart Group:
select * from computer_groups where computer_group_name like '%[search criteria]%' and is_smart_group='1';
With the ID number, pull up the Smart Group's criteria:
select search_field,search_type,criteria,and_or,opening_paren,closing_paren,criteria_display from smart_computer_group_criteria where computer_group_id='[computer group ID from previous]';
Find all the smart groups that have a particular term in the criteria
select * from smart_computer_group_criteria where criteria like '%[term]%';
Policies in the database
Policy details are stored in the policies table. Policy scoping is stored in policy_deployment. These two are linked by policy_id. policy_deployment's target_id is the same as computer_id from computers.
Keys in the computers table as of 10.10 (describe computers;)
alt_mac_address
apn_token
asset_tag
auto_login_user
awaiting_quick_add
bar_code_1
bar_code_2
ble_capable
computer_id
computer_name
default_distribution_point_id
default_distribution_server_id
default_netboot_server_id
default_software_update_server_id
delay_user_mdm
device_certificate
device_push_token
file_vault_2_eligibility_message
gatekeeper_status
initial_entry_date_epoch
itunes_store_account_hash
itunes_store_account_is_active
jamf_version
last_ip
last_reported_ip
logged_in_user
mac_address
management_password_encrypted
management_username
mdm_access_rights
mdm_certificate
mdm_cert_dirty
platform
push_magic
requires_token_update
sip_status
udid
user_removed_mdm_profile
xprotect_version
API
You can do the GET/PUT/DELETE off of any unique identifier in the JSS. It varies per object
e.g. JSS ID, Serial Number, Name, Mac Address, UDID, etc
You can POST to /id/0 or /id/XXX to have it automatically select the next available ID in the JSS
Flags:
-u, --user
Specifies the user name and password to use for server authentication. If no password is provided, you will be prompted for one.
-X, --request
Specifies the request type: GET, PUT, POST, DELETE. GET is the default, so it doesn't have to be called out.
-o, --output
Writes output to a file instead of stdout.
-k, --insecure
Skips certificate verification, allowing an invalid certificate if you don't have a trusted 3rd-party SSL cert in your JSS.
-T, --upload-file
Transfers (uploads) a file, e.g. "-T /path/to/file.xml"
-d, --data
Data to send in the PUT or POST request; you can use this to pass values in-line without having to read them from a file.
-v, --verbose
Be more verbose/talkative during the operation.
-H, --header
Header to add to the request; sets the type of data sent or the type of data received, e.g.
-H "Content-Type: application/xml" adds the XML header when uploading
-H "Accept: application/xml" requests the download in XML (or JSON, depending on what's specified)
GET/Read
curl -k -u username:password https://jssaddress.com:8443/JSSResource/computers/serialnumber/actualSerialNumber -o ~/Desktop/computer.xml
GET/Read force download in XML
curl -k -H "Accept: application/xml" -u username:password https://jssaddress.com:8443/JSSResource/computers/serialnumber/actualSerialNumber -o ~/Desktop/computer.xml
PUT/Update from XML File
curl -k -u username:password https://jssaddress.com:8443/JSSResource/computers/serialnumber/actualSerialNumber -T ~/Desktop/Computer.xml -X PUT
PUT/Update from XML in Line
curl -k -H "Content-Type: application/xml" -u username:password https://jssaddress.com:8443/JSSResource/computers/serialnumber/actualSerialNumber -d "mike" -X PUT
POST/Create from XML in File
curl -k -u username:password https://jssaddress.com:8443/JSSResource/buildings/id/0 -T ~/Desktop/newbuilding.xml -X POST
POST/Create from XML in line
curl -k -H "Content-Type: application/xml" -u username:password https://jssaddress.com:8443/JSSResource/buildings/id/0 -d "NewBuilding" -X POST
DELETE/Delete
curl -k -u username:password https://jssaddress.com:8443/JSSResource/buildings/id/actualIDNumber -X DELETE
Get a machine record
curl -u user:password https://jssaddress/JSSResource/computers/serialnumber/[serialnumber] 2>/dev/null
Export a machine record to a file
curl -u user:password -H "Accept: application/json" https://jssaddress/JSSResource/computers/serialnumber/[serial number] 2>/dev/null >> /path/to/file.json
Get a list of MDM capable users
curl -H "Accept: text/xml" --silent -u ${apiUser}:${apiPass} https://$jssAddress/JSSResource/computers/serialnumber/$serialNumber | xpath 2>&1 /computer/general/mdm_capable_users/mdm_capable_user | sed -e 's/<mdm_capable_user>//;s/<\/mdm_capable_user>//' -e 's/-- NODE --//g'
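The curl calls above pass -u username:password on the command line, where it shows up in shell history and process listings, and use -k, which skips certificate verification. The following is an added example (not from the original cheatsheet) of the same GET with the credentials in an owner-only curl config file and the server certificate checked against a CA file. The function names, the CA path and jss.example.com are placeholders.

```sh
#!/bin/sh
# Write user:password into a curl config file readable only by its owner.
# Inside a double-quoted curl config value, \ and " must be backslash-escaped.
write_jss_curl_config() {
    cfg=$1 user=$2 pass=$3
    esc=$(printf '%s' "$user:$pass" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
    rm -f "$cfg"                                   # drop any copy with looser modes
    ( umask 077 && printf 'user = "%s"\n' "$esc" > "$cfg" )
    chmod 600 "$cfg"
}

# GET a computer record by serial number as XML.
# --config supplies the credentials, --cacert replaces -k, and --fail makes
# HTTP errors (401, 404, ...) produce a non-zero exit status.
jss_get_computer() {
    cfg=$1 cacert=$2 base=$3 serial=$4
    case $serial in
        ''|*[!A-Za-z0-9]*) echo "bad serial number" >&2; return 2 ;;  # keep it out of the URL path
    esac
    curl --silent --show-error --fail \
         --config "$cfg" --cacert "$cacert" \
         -H "Accept: application/xml" \
         "$base/JSSResource/computers/serialnumber/$serial"
}

# Typical use (placeholders):
#   write_jss_curl_config "$HOME/.jss-api.cfg" apiuser 'the password'
#   jss_get_computer "$HOME/.jss-api.cfg" /path/to/jss-ca.pem \
#       https://jss.example.com:8443 actualSerialNumber > computer.xml
```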