Under the UserNotification event, the loggedInUser variable is not populated to execute IBM Notifier and fails to execute the notification. Copying over the section from the Revert script and putting the variable in brackets resolves the issue.

loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }')

/usr/bin/sudo -u ${loggedInUser} "$notificationApp" -type "$window" -bar_title "$barTitle" -title "$title" -subtitle "$subTitle" -always_on_top -main_button_label "$mainButtonLabel" -tertiary_button_label "$tertiaryButtonLabel" -tertiary_button_cta_type "$tertiaryButtonType" -tertiary_button_cta_payload "$tertiaryButtonPayload" -help_button_cta_type "$helpButtonType" -help_button_cta_payload "$helpButtonPayload" -icon_path "$iconPath" &

When using this EA "as is" in our environments (on prem and cloud) no results are returned

Updating line 1 to
#!/bin/bash
from
#!/usr/bin/bash

results return as expected

Hello,

some of the extension attribute scripts are not working correctly with the latest Jamf Protect Version 4.0.0.
Especially there are the following issues with the "jamf_protect_last_check_in_compliance.sh" script I was using.

The Output of the following command for example is empty because there are no colons after Status anymore and the column in the awk command does not match anymore.

jamf_protect_status=$(echo "$jamf_protect_info" | /usr/bin/grep 'Status:' | /usr/bin/awk '{print $2}')

It is working with the following though:

jamf_protect_status=$(echo "$jamf_protect_info" | /usr/bin/grep 'Status' | /usr/bin/awk '{print $4}')

There is a similar problem with the following command, where the columns $3 and $4 do not match anymore:

jamf_protect_lastcheckin=$(echo "$jamf_protect_info" | /usr/bin/grep "Last Check-in" | /usr/bin/awk '{ print $3, $4 }' | /usr/bin/sed -e 's/ /-/g' -e 's/:/-/g' -e 's/\./-/g')

It's working with $5, $6:

jamf_protect_lastcheckin=$(echo "$jamf_protect_info" | /usr/bin/grep "Last Check-in" | /usr/bin/awk '{ print $5, $6 }' | /usr/bin/sed -e 's/ /-/g' -e 's/:/-/g' -e 's/\./-/g')

Users might get empty Extensions Attributes as a result or parsing issues while running the script.

Cheers,
Dominik

I noticed the policy trigger in the readme for Google Cloud Aftermath Credentials is currently gcs_creds but in the aftermath collection script it currently calls /usr/local/bin/jamf policy -event gc_creds as the trigger.

In most JAMF predicates there are double-quotes that are quoting a string within a string. For example, try the unified_log_filters/login_through_login_window_with_password_failure.yaml file:

predicate: "processImagePath BEGINSWITH "/System/" AND process == "SecurityAgent" AND subsystem == "com.apple.loginwindow" AND eventMessage CONTAINS "Authentication failure""

This closes and opens the YAML string at "/System/" and at the other double-quoted strings. In order to fix this, please use either of the two YAML Block Scalar indicators: https://yaml-multiline.info/ or please escape these bash-style "" or with a backslash \" - thank you!

Hey all,

There's an issue with the following predicate in it's usage with Jamf Protect (though this applies to other predicates in this repo as well):

https://github.com/jamf/jamfprotect/blob/32096d0c425882ad558721162d41aabf357214ce/unified_log_filters/jamf_connect/cloud_idp_authentication_bypass_and_local_user_authentication.yaml#L4C4-L4C4

The output from the mentioned predicate is something like:

2024-01-03 13:29:13.068455-0500 0x3018d    Debug       0x60010              44503  0    SecurityAgentHelper-arm64: (JamfConnectLogin) [com.jamf.connect.login:LoginUI] Local auth success, allowing login for user: testuser

This will not make it to the SIEM, since only messages with the default level are flagged and forwarded and not messages with info and debug.

Hi Team, hopefully this is right place to ask, if not, I'd appreciate if you can direct me.

I'm the founder of cloudquery.io, a high performance open source ELT framework.

Our users are interested in a Jamf plugin, but as we cannot maintain all the plugins ourselves, I was curious if this would be an interesting collaboration, where we would help implement an initial source plugin, and you will help maintain it.

This will give your users the ability to sync Jamf APIs to any of their datalakes/data-warehouses/databases easily using any of the growing list of CQ destination plugins.

Best,
Yevgeny