
Trigger Jamf Remote Management Commands from ServiceNow with ITS Jamf Integration

Tony Alberty
November 23, 2020

Build powerful ServiceNow workflows to remotely update, lock, and even erase Mac computers.

Now, more than ever before, users are working remotely across a wide range of locations. Our latest update to the ITS Jamf Integration adds new features to remotely manage Mac computers more efficiently from ServiceNow contexts (like Workflows/Flow Designer, scheduled jobs, and UI Actions). Whether working remotely or in-office, ITS Jamf Integration is better than ever for managing the Mac population from ServiceNow.


Beginning with version 1.2.2, you can trigger Jamf Remote Management Commands directly from ServiceNow using the ITS Jamf Integration. We have added a simple UI modal for triggering commands from a Computer CI form and a public script include (ITSJamfRemoteManagementUtil), which can trigger the Jamf commands from other ServiceNow contexts like workflows, Flow Designer actions, and scheduled jobs. In this article, we will walk you through an overview of the commands and some how-to examples.

Supported Jamf Remote Management Commands

At this time, the integration supports all Jamf Remote Management Commands available in the Jamf Classic API. Some commands, like Schedule OS Update or Unmanaged Device, are only available for computers that were enrolled via DEP. Each command records its parameters, target computer, and success/fail status in the Jamf Remote Management Command History table. We'll go over prerequisites in the next section, Getting Started.

  • Blank Push: Trigger an Apple push notification, primarily used for testing/validation.
  • Enable/Disable Bluetooth: Enable/Disable Bluetooth on target devices.
  • Enable/Disable Remote Desktop: Enable/Disable Remote Desktop on the target device.
  • Sync Computer from Jamf: Update a CI on demand with the latest data available in Jamf.
  • Initiate Remote Assist Session: Instructions for initiating a Remote Assist Session over SSH.
  • Lock Device: Lock the device (passcode required).
  • Erase Device*: Erases the device's hard drive once the passcode has been entered on the target device. (The OS will need to be reinstalled after the command completes.)
  • Unmanaged Device: Remove the management profile on target devices.
  • Delete User: Delete a specified local account from the target device.
  • Unlock User Account: Unlock a local account that was locked due to incorrect password attempts.
  • Schedule OS Update: Download updates for the operating system and built-in applications on target devices. The user can then install the updates manually once they are downloaded.
  • Schedule OS Update and Install: Download and install updates for the operating system and built-in applications on target devices.

*Note: The Erase Device command will first lock a computer and prompt for a passcode. Entering the passcode will trigger the process to erase the computer’s hard drive and the process cannot be stopped.

Getting Started

Prerequisites for Remote Management Commands
  1. ITS Jamf Integration 1.2.2 installed and configured with at least one completed hardware import.
  2. ITS Jamf Admin role [x_itsp_its_jamf.jamf_admin]
  3. The API user will need “CREATE” permissions on the Computers endpoint to create Computer Management commands.
  4. The API user also needs the following permissions under Jamf Pro Server Actions:
    • Send Blank Pushes to Mobile Devices
    • Send Computer Bluetooth Command
    • Send Computer Remote Desktop Command
    • Send Computer Remote Lock Command
    • Send Computer Remote Wipe Command

Example: Triggering Remote Management Commands via Computer CI

CIs discovered by the ITS Jamf Integration will have a new related link called “ITS Jamf Remote Management Suite”, visible only to users that have been granted the ITS Jamf Admin role in ServiceNow. Clicking that link will open a UI modal where you can execute commands on the selected computer.

  1. Navigate to a computer CI discovered by the ITS Jamf Integration. You can find these by typing “Jamf Discovered” and selecting the “Computers: Jamf Discovered” module.
  2. In the Related Links section, click ITS Jamf Remote Management Suite.
  3. Select a command from the dropdown.
  4. If performing a “Lock Device” or “Erase Device” command, a 6-digit numeric passcode is required. This code will be stored in the ITS Jamf Remote Management History table, along with any other parameters and a status indicating if the command was successfully sent to the JSS or not.
  5. Click Execute.


Example: Triggering Remote Management commands programmatically

These commands can be incorporated into workflows for a variety of business processes, including onboarding/offboarding, vulnerability management, and asset recovery. Let’s look at an example of a workflow using the ITSJamfRemoteManagementUtil script include to lock a computer that was reported as stolen.

Instructions:

  1. The Lock Computer command requires a 6-digit numeric passcode. In this example, we have the passcode stored in a system property called “ComputerStolenPasscode”. You could store this anywhere, as long as you pass the value to the script include’s deviceLock function as the second parameter.

  2. Create a workflow that triggers when a computer CI’s Status changes to Stolen.

  3. Add a condition that the Computer CI’s Discovery Source contains “ITS Jamf”.

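  4. Connect the “Jamf Discovered” condition to a Run Script action and add the following code:

    // Instantiate the script include shipped with the ITS Jamf Integration
    var RemoteManagementUtil = new x_itsp_its_jamf.ITSJamfRemoteManagementUtil();
    // Read the 6-digit lock passcode from the system property
    var passcode = gs.getProperty("ComputerStolenPasscode");
    // Send the Lock Device command for the CI that triggered the workflow
    RemoteManagementUtil.deviceLock(current, passcode);
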
  5. If the condition is not met, end the workflow by connecting the else to the End step.
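
A more defensive form of the Run Script step above, as an added example that is not part of the ITS Jamf Integration or the original post. It re-checks the discovery source and the 6-digit passcode format before calling deviceLock and keeps the passcode out of the system log; the discovery_source and name field names, the returned object, and the fake* stand-ins are assumptions made for illustration.

```javascript
// Added example: guard logic for the workflow's Run Script step.
// In ServiceNow, `current` and `gs` come from the platform and `util` is
// new x_itsp_its_jamf.ITSJamfRemoteManagementUtil(); they are passed in as
// arguments here so the function can also be exercised outside an instance.
function lockStolenComputer(current, gs, util) {
  // Assumed field name: the page only says "Discovery Source".
  var source = String(current.getValue('discovery_source') || '');
  if (source.indexOf('ITS Jamf') === -1) {
    return { sent: false, reason: 'not-jamf-discovered' };
  }
  var passcode = String(gs.getProperty('ComputerStolenPasscode') || '');
  // The Lock Device command requires a 6-digit numeric passcode.
  if (!/^[0-9]{6}$/.test(passcode)) {
    gs.error('ComputerStolenPasscode is missing or not 6 digits; lock not sent');
    return { sent: false, reason: 'invalid-passcode' };
  }
  try {
    util.deviceLock(current, passcode);
  } catch (e) {
    gs.error('deviceLock failed for ' + current.getValue('name'));
    return { sent: false, reason: 'deviceLock-error' };
  }
  // Log the target only; the passcode stays out of the system log.
  gs.info('Lock Device sent for ' + current.getValue('name'));
  return { sent: true, reason: 'ok' };
}

// Constructed stand-ins for the platform objects, for offline runs only.
function fakeRecord(fields) {
  return { getValue: function (f) { return fields[f] || null; } };
}
function fakeGs(props, log) {
  return {
    getProperty: function (k) { return props[k]; },
    info: function (m) { log.push('INFO ' + m); },
    error: function (m) { log.push('ERROR ' + m); }
  };
}
function fakeUtil(calls) {
  return { deviceLock: function (rec, code) { calls.push(rec.getValue('name')); } };
}
```

In the workflow itself, call it as lockStolenComputer(current, gs, new x_itsp_its_jamf.ITSJamfRemoteManagementUtil()) and leave the fake* helpers out.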


Further Notes About the ITSJamfRemoteManagementUtil Script Include:

  • Each function has instructions encapsulated in comments.
  • There is a function called multiComputerActions that allows you to run low impact Remote Management commands (ex: enabling/disabling Bluetooth) on multiple computers with a single API
  • The UI and the script include both log any parameters, target computer, and success/fail status in the Jamf Remote Management History table.
  • There are convenient helper functions, including a function to log a command in the Remote Management History table.

We hope these features make it easier to support your remote Mac users!

This year we’ve been adding a lot of functionality to help you safely and remotely support your Mac users. Feeling inspired? Let us know what kind of workflows you’ve been building or want to build for your Mac use cases!
