Last edit: March 23, 2019 09:28:40 PM CDT

The Reported IP Address is the IP address that the computer has on its local network.
IP Address is the IP address that the JSS sees the computer connecting from.

JAMF Tomcat: /usr/local/jss. Standard Tomcat: /usr/share (RHEL) and /var/lib (Ubuntu).

See also MySQL & Tomcat for additional information, including memcached, keytool, and MySQL and Tomcat configuration recommendations.

Is Jamf Pro running/listening on the proper port?
    netstat -ntlap | awk '/:(8080|8443|443) / && /LISTEN/'

Break apart the Jamf Pro Linux Installer
    /path/to/ --noexec --target /tmp/jamf_installer_expanded/

Make a profile from the JSS human-readable
    openssl smime -inform DER -verify -in /path/to/downloaded.mobileconfig -noverify -out /path/to/de-signed.mobileconfig
    plutil -convert xml1 /path/to/de-signed.mobileconfig

Find the Jamf device cert in the System Keychain
    security dump-keychain /Library/Keychains/System.keychain | awk '/alis/' | grep -E "[A-F0-9]{8}-[A-F0-9]{4}-4[A-F0-9]{3}-[89AB][A-F0-9]{3}-[A-F0-9]{12}" | cut -c 19-54

Binaries

Does the machine see the JSS?
    jamf checkJSSConnection

See hidden verbs
    jamf help -hidden
    jamf help [verb] -hidden

Install a package
    jamf install -package -path -target [-fut] [-feu] [-showProgress]

Run SoftwareUpdate and bypass internal SUS servers
    jamf runSoftwareUpdate -fromApple

Save Inventory Details to a Local File
    sudo jamf recon -verbose -saveFormTo ~/Desktop/

Get JSS ID for a machine
    jamf recon 2>&1 | grep computer_id | grep -o '[0-9]\+'

Reinstall the JSS CA Cert
    jamf trustJSS

Reinstall MDM Profile
    jamf mdm manage

jamf Binary Detailed Listings
    jamf [PDF]

jamfHelper

Basic Example
    sudo /Library/Application\ Support/JAMF/bin/ -windowType utility -title "Title TK" -timeout 15 -description "Copy Goes Here" -button1 "Tk"

jamfHelper Flags

Window

-windowType [hud | utility | fs]
    hud: creates an Apple "Heads Up Display" style window
    utility: creates an Apple "Utility" style window
    fs: creates a full screen window that restricts all user input (WARNING: Remote access must be used to unlock machines in this mode)
-windowPosition [ul | ll | ur | lr]
    If no input is given, the window defaults to the center of the screen
-icon path
    Sets the window's image field to the image located at the specified path
-title "string"
    Sets the window's title to the specified string
-heading "string"
    Sets the heading of the window to the specified string
-description "string"
    Sets the main contents of the window to the specified string
-alignDescription [right | left | center | justified | natural]
-alignHeading [right | left | center | justified | natural]
-alignCountdown [right | left | center | justified | natural]

Buttons

-button1 "string"
    Creates a button with the specified label
-button2 "string"
    Creates a second button with the specified label
-defaultButton [1 | 2]
    Sets the default button of the window to the specified button.
    The Default Button will respond to "return"
-cancelButton [1 | 2]
    Sets the cancel button of the window to the specified button.
    The Cancel Button will respond to "escape"

Window Timeouts & Exit Options

-kill
    Kills the JAMF Helper when it has been started with launchd
-countdown
    Displays a string notifying the user when the window will time out
-lockHUD
    Removes the ability to exit the HUD by selecting the close button
-showDelayOptions "int, int, int,..."
    Enables the "Delay Options Mode". The window will display a dropdown with the values passed through the string
-timeout int
    Causes the window to time out after the specified number of seconds.
    Note: The timeout will cause the default button, button 1 or button 2, to be selected (in that order)

jamfHelper Error Codes

jamfHelper will print the following return values to stdout:
    0: Button 1 was clicked
    1: The Jamf Helper was unable to launch
    2: Button 2 was clicked
    3: Process was started as a launchd task
    XX1: Button 1 was clicked with a value of XX seconds selected in the drop-down
    XX2: Button 2 was clicked with a value of XX seconds selected in the drop-down
    239: The exit button was clicked
    240: The "ProductVersion" in sw_vers did not return 10.5.X, 10.6.X or 10.7.X
    243: The window timed out with no buttons on the screen
    250: Bad "-windowType"
    254: Cancel button was selected with delay option present
    255: No "-windowType"

Database

Get version of Database Utility
    sudo java -jar /usr/local/jss/bin/JSSDatabaseUtil.jar version

Turn off Limited Access
    update limited_access_mode_settings set access_mode=[0] where address='[ip of server]';

How many pending policy pushes are in queue
    select apns_result_status, count(*) from mobile_device_management_commands group by apns_result_status;

How many policy pushes are in queue per device
    select computer_id, count(*) from mobile_device_management_commands where apns_result_status="" group by computer_id order by count(*) ASC;

Delete pending pushes for all devices
    delete from mobile_device_management_commands where apns_result_status != 'Acknowledged';

Delete pending pushes for a particular device
    delete from
    mobile_device_management_commands where apns_result_status != 'Acknowledged' and device_id=[device ID];

Equivalent of Computers > [computer] > History > Mac App Store Apps for all computers
    select application_name, count(*) as count from applications where mac_app_store=1 and report_id in (select last_report_id from computers_denormalized) group by application_name order by count desc into outfile '/path/to/output';

See registered APNS tokens for a machine
    use jamfsoftware;
    select computer_name, computer_id, apn_token from computers;

Dump a list of all the applications installed on enrolled clients
    mysql -u root -p -e "use jamfsoftware; select application_name,application_path from applications;" > /tmp/appslist.txt

Get size of the database
    SELECT table_name AS "Tables", round(((data_length + index_length) / 1024 / 1024), 2) "Size in MB" FROM information_schema.TABLES WHERE table_schema = "jamfsoftware" ORDER BY (data_length + index_length) DESC;

View the criteria for a Smart Group

Find the ID number for the Smart Group:
    select * from computer_groups where computer_group_name like '%[search criteria]%' and is_smart_group='1';

With the ID number, pull up the Smart Group's criteria:
    select search_field,search_type,criteria,and_or,opening_paren, closing_paren,criteria_display from smart_computer_group_criteria where computer_group_id='[computer group ID from previous]';

Find all the smart groups that have a particular term in the criteria
    select * from smart_computer_group_criteria where criteria like '%[term]%';

Policies in the database

Policy details are stored in the policies table. Policy scoping is stored in policy_deployment. These two are linked by policy_id. policy_deployment's target_id is the same as computer_id from computers.
Keys in the computers table as of 10.10 (describe computers;)
    alt_mac_address, apn_token, asset_tag, auto_login_user, awaiting_quick_add,
    bar_code_1, bar_code_2, ble_capable, computer_id, computer_name,
    default_distribution_point_id, default_distribution_server_id,
    default_netboot_server_id, default_software_update_server_id,
    delay_user_mdm, device_certificate, device_push_token,
    file_vault_2_eligibility_message, gatekeeper_status,
    initial_entry_date_epoch, itunes_store_account_hash,
    itunes_store_account_is_active, jamf_version, last_ip, last_reported_ip,
    logged_in_user, mac_address, management_password_encrypted,
    management_username, mdm_access_rights, mdm_certificate, mdm_cert_dirty,
    platform, push_magic, requires_token_update, sip_status, udid,
    user_removed_mdm_profile, xprotect_version

API

You can GET/PUT/DELETE against any unique identifier in the JSS. Which identifiers are available varies per object, e.g. JSS ID, Serial Number, Name, MAC Address, UDID, etc.

You can POST to /id/0 or /id/XXX to have it automatically select the next available ID in the JSS.

Flags:

-u, --user
    Specifies the user name and password to use for server authentication. With no password provided you will be prompted.
-X, --request
    Specifies the request type: GET, PUT, POST, DELETE. GET is the default value, so it doesn't have to be called out.
-o, --output
    Writes output to a file instead of stdout.
-k, --insecure
    Allows an invalid certificate if you don't have a trusted third-party SSL cert in your JSS.
-T, --upload-file
    Transfers a file, e.g. "-T /path/to/file.xml"
-d, --data
    Data to send in the requested PUT or POST; you can use this to pass values in-line without having to read them from a file.
-v, --verbose
    Be more verbose/talkative during the operation.
-H, --header
    Header to append to the data sent, or the type of data to receive. For example, -H "Content-Type: application/xml" appends the XML header when uploading, and -H "Accept: application/xml" means to download in XML or JSON depending on what is specified.
GET/Read
    curl -k -u username:password -o ~/Desktop/computer.xml

GET/Read force download in XML
    curl -k -H "Accept: application/xml" -u username:password -o ~/Desktop/computer.xml

PUT/Update from XML File
    curl -k -u username:password -T ~/Desktop/Computer.xml -X PUT

PUT/Update from XML in Line
    curl -k -H "Content-Type: application/xml" -u username:password -d "mike" -X PUT

POST/Create from XML in File
    curl -k -u username:password -T ~/Desktop/newbuilding.xml -X POST

POST/Create from XML in line
    curl -k -H "Content-Type: application/xml" -u username:password -d "NewBuilding" -X POST

DELETE/Delete
    curl -k -u username:password -X DELETE

Get a machine record
    curl -u user:password https://jssaddress/JSSResource/computers/serialnumber/[serialnumber] 2>/dev/null

Export a machine record to a file
    curl -u user:password -H "Accept: application/json" https://jssaddress/JSSResource/computers/serialnumber/[serial number] 2>/dev/null >> /path/to/file.json

Get a list of MDM capable users
    curl -H "Accept: text/xml" --silent -u "${apiUser}:${apiPass}" "https://$jssAddress/JSSResource/computers/serialnumber/$serialNumber" | xpath /computer/general/mdm_capable_users/mdm_capable_user 2>&1 | sed -e 's/<mdm_capable_user>//;s/<\/mdm_capable_user>//' -e 's/-- NODE --//g'
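
The machine-record lookup from the API examples above, written so the password never appears in the process list and the server certificate is still verified (no -k). This is an added example, not part of the original cheatsheet; the function names and the JSS_URL, JSS_USER and JSS_PASS variables are assumptions.

```sh
#!/bin/sh
# Added example: names and environment variables here are hypothetical.

# Build the record URL; refuse serials that could alter the path or query.
jss_computer_url() {
    base=$1 serial=$2
    case $serial in
        ''|*[!A-Za-z0-9]*) return 1 ;;
    esac
    printf '%s/JSSResource/computers/serialnumber/%s\n' "${base%/}" "$serial"
}

# Emit a curl config line so the credentials travel over stdin, not argv.
# Backslashes and double quotes are escaped as curl's config syntax requires.
jss_curl_config() {
    esc=$(printf '%s' "$1:$2" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
    printf 'user = "%s"\n' "$esc"
}

# Fetch one computer record as XML. --fail turns HTTP errors such as
# 401 or 404 into a non-zero exit instead of saving an error page.
jss_get_computer() {
    url=$(jss_computer_url "$JSS_URL" "$1") || {
        echo "refusing serial number: $1" >&2
        return 2
    }
    jss_curl_config "$JSS_USER" "$JSS_PASS" |
        curl --silent --show-error --fail --config - \
             -H "Accept: application/xml" "$url"
}

# Usage (assumed values):
#   JSS_URL=https://jssaddress JSS_USER=apiuser JSS_PASS=... \
#       jss_get_computer SERIALNUMBER > computer.xml
```
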
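
A decoder for the values listed under jamfHelper Error Codes earlier on this page, including the XX1/XX2 form where the selected delay is prefixed to the button digit. This is an added example, not part of the original cheatsheet; the function name and the output labels are assumptions, and the sample values in the loop are constructed.

```sh
#!/bin/sh
# Added example: decode the value jamfHelper prints to stdout.
# Pass it the captured output, e.g. result=$(... jamfHelper call ...).
decode_jamfhelper() {
    rc=$1
    # Anything that is not a plain non-negative integer is rejected.
    case $rc in
        ''|*[!0-9]*) echo "invalid"; return 1 ;;
    esac
    case $rc in
        0)   echo "button1" ;;
        1)   echo "launch_failed" ;;
        2)   echo "button2" ;;
        3)   echo "launchd_task" ;;
        239) echo "exit_clicked" ;;
        240) echo "unsupported_os" ;;
        243) echo "timeout_no_buttons" ;;
        250) echo "bad_window_type" ;;
        254) echo "cancel_with_delay" ;;
        255) echo "missing_window_type" ;;
        # XX1 / XX2: strip the trailing button digit to recover the delay.
        *1)  echo "button1 delay=${rc%1}" ;;
        *2)  echo "button2 delay=${rc%2}" ;;
        *)   echo "unknown"; return 1 ;;
    esac
}

# Constructed sample values: plain click, 300 s delay on button 1,
# 3600 s delay on button 2, and a timeout with no buttons.
for value in 0 3001 36002 243; do
    printf '%s -> %s\n' "$value" "$(decode_jamfhelper "$value")"
done
```

The fixed codes are matched before the XX1/XX2 patterns, so a bare 1 or 2 is never read as a delay.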