Or, Jamf Pro Extension Attributes for Sophos Endpoint’s “Real Time Scanning > Files” as referenced by Palo Alto GlobalProtect’s “HIP Objects > Real Time Protection”
Background
While adding a new Network Access Controls section to William Smith’s excellent Computer Information script, I was deflated to learn that my current Jamf Pro Extension Attribute for Sophos Endpoint wasn’t looking at the same data point as Palo Alto GlobalProtect’s “HIP Objects > Real Time Protection.”
Jamf Pro Extension Attributes
com.sophos.scan
My first attempt was to determine the status of com.sophos.scan
:
#!/usr/bin/env bash ########################################################################## # A script to collect the process state of Sophos Endpoint. # # If Sophos Endpoint is not installed, "Not Installed" will be returned. # ########################################################################## RESULT="Not Installed" if [[ -d /Applications/Sophos/Sophos\ Endpoint.app ]]; then sophosScanAgentName=$( /bin/launchctl list | /usr/bin/awk '/com.sophos.scan/{ print $3}' ) if [[ -z "${sophosScanAgentName}" ]]; then RESULT="Not Found" else RESULT=$( /bin/launchctl print system/${sophosScanAgentName} | /usr/bin/awk '/state/{ print $3}' ) fi fi /bin/echo "<result>${RESULT}</result>"
This worked well, until I discovered older versions of macOS didn’t include com.sophos.scan
.
com.sophos.common.servicemanager
After confirming with Sophos Support that com.sophos.common.servicemanager
is common among all OSes we’re running, I re-wrote the EA:
#!/usr/bin/env bash ########################################################################## # A script to collect the process state of Sophos Endpoint. # # If Sophos Endpoint is not installed, "Not Installed" will be returned. # ########################################################################## RESULT="Not Installed" if [[ -d /Applications/Sophos/Sophos\ Endpoint.app ]]; then sophosProcessName=$( /bin/launchctl list | /usr/bin/awk '/com.sophos.common.servicemanager/{ print $3}' ) if [[ -z "${sophosProcessName}" ]]; then RESULT="Not Found" else RESULT=$( /bin/launchctl print system/${sophosProcessName} | /usr/bin/awk '/state/{ print $3}' ) fi fi /bin/echo "<result>${RESULT}</result>"
OnAccessRunning
After contacting Sophos Support again to inform them that GlobalProtect was looking somewhere else, they pointed me in the direction of their various .PLIST
s.
#!/usr/bin/env bash #################################################################################### # A script to collect the state of Sophos Endpoint's "Real Time Scanning > Files". # # If Sophos Endpoint is not installed, "Not Installed" will be returned. # # If "Real Time Scanning > Files" is disabled, "Disabled" will be returned. # #################################################################################### RESULT="Not Installed" if [[ -d /Applications/Sophos/Sophos\ Endpoint.app ]]; then if [[ -f /Library/Preferences/com.sophos.sav.plist ]]; then sophosOnAccessRunning=$( /usr/bin/defaults read /Library/Preferences/com.sophos.sav.plist OnAccessRunning ) case ${sophosOnAccessRunning} in "0" ) RESULT="Disabled" ;; "1" ) RESULT="Enabled" ;; * ) RESULT="Unknown" ;; esac else RESULT="Not Found" fi fi /bin/echo "<result>${RESULT}</result>"
Computer Information Snippets
Here are a few of the related snippets we’re using in our Computer Information script:
Variables
#################################################################################################### # # Variables # #################################################################################################### loggedInUser=$( /bin/echo "show State:/Users/ConsoleUser" | /usr/sbin/scutil | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }' )
GlobalProtect Status
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # Determine the status of GlobalProtect # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # function GlobalProtectStatusCheck (){ appResult="Not Installed" userResult="${loggedInUser} not logged-in" globalProtectDisabled="Disabled" if [[ -d /Applications/GlobalProtect.app ]]; then # GlobalProtect.app found in /Applications # Read GlobalProtect's version number appResult=$( /usr/bin/defaults read /Applications/GlobalProtect.app/Contents/Info.plist CFBundleShortVersionString ) appResult="GlobalProtect ${appResult} installed" # Read `disable-globalprotect` value globalProtectDisabledStatus=$( /usr/libexec/PlistBuddy -c "print :Palo\ Alto\ Networks:GlobalProtect:PanGPS:disable-globalprotect" /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist ) case "${globalProtectDisabledStatus}" in 0 ) globalProtectDisabled="GlobalProtect enabled" ;; 1 ) globalProtectDisabled="GlobalProtect disabled" ;; * ) globalProtectDisabled="GlobalProtect status unknown" ;; esac # Read the logged-in user's `User` userResult=$( /usr/bin/defaults read /Users/${loggedInUser}/Library/Preferences/com.paloaltonetworks.GlobalProtect.client User 2>&1 ) if [[ "${userResult}" == *"Does Not Exist" || -z "${userResult}" ]]; then userResult="${loggedInUser} NOT logged-in to GlobalProtect" elif [[ ! -z "${userResult}" ]]; then userResult="${loggedInUser} logged-in to GlobalProtect" fi # Read `Portal` companyPortal=$( /usr/libexec/PlistBuddy -c "print :Palo\ Alto\ Networks:GlobalProtect:PanSetup:Portal" /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist ) # Read `default-gateway-name` gatewayResult=$( /usr/libexec/PlistBuddy -c "print :${companyPortal}:default-gateway-name" /Users/${loggedInUser}/Library/Preferences/com.paloaltonetworks.GlobalProtect.client.plist 2>&1 ) if [[ "${gatewayResult}" == *"Does Not Exist" ]]; then gatewayResult="No default gateway specified" elif [[ ! -z "${gatewayResult}" ]]; then gatewayResult="${loggedInUser} selected ${gatewayResult} as default gateway" fi else # GlobalProtect.app NOT found in /Applications; clear other variables userResult="" globalProtectDisabled="" gatewayResult="" fi }
Sophos Endpoint Status
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # Determine the status of Sophos Endpoint # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # function SophosEndpointStatusCheck (){ sophosEndpointStatus="Not Installed" if [[ -d /Applications/Sophos/Sophos\ Endpoint.app ]]; then if [[ -f /Library/Preferences/com.sophos.sav.plist ]]; then sophosOnAccessRunning=$( /usr/bin/defaults read /Library/Preferences/com.sophos.sav.plist OnAccessRunning ) case ${sophosOnAccessRunning} in "0" ) sophosEndpointStatus="Disabled" ;; "1" ) sophosEndpointStatus="Enabled" ;; * ) sophosEndpointStatus="Unknown" ;; esac else sophosEndpointStatus="Not Found" fi fi }
Cisco AnyConnect / Palo Alto Global Protect VPN IPs
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # Test for VPN Clients and IP addresses # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # function vpnIP(){ anyConnectTest="/opt/cisco/anyconnect/bin/vpn" # Cisco binary globalProtectTest="/Applications/GlobalProtect.app" # GlobalProtect app ### # Cisco AnyConnect ### if [ -f "${anyConnectTest}" ] ; then # Cisco AnyConnect installed; read current IP Address anyConnectIP=$( /opt/cisco/anyconnect/bin/vpn stats | grep "Client Address (IPv4):" | awk '{print $4}' ) if [ "${anyConnectIP}" = "Not" ]; then # IP address is blank, report no connection anyConnectStatus="AnyConnect IP: Inactive" else # IP address is *not* blank, report the IP address anyConnectStatus="AnyConnect IP: ${anyConnectIP}" fi else # Cisco AnyConnect is not installed anyConnectStatus="AnyConnect is NOT installed" fi ### # Palo Alto Networks GlobalProtect # Thanks, @franton! ### if [ -d "${globalProtectTest}" ] ; then # Palo Alto Networks GlobalProtect installed; read current IP Address interface=$( ifconfig | grep -B1 "10." | awk '{ print $1 }' | head -1 ) if [ -z "$interface" ]; then globalProtectStatus="GlobalProtect: Inactive" else globalProtectIP=$( ifconfig | grep -A2 -E "${interface}" | grep inet | awk '{ print $2 }' ) globalProtectStatus="GlobalProtect: ${globalProtectIP}" fi else # Palo Alto Networks GlobalProtect is not installed globalProtectStatus="GlobalProtect is NOT installed" fi ScriptLog "$anyConnectStatus" ScriptLog "$globalProtectStatus" }
Time Machine
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # Time Machine # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # tmDestinationInfo=$( /usr/bin/tmutil destinationinfo ) if [[ "${tmDestinationInfo}" == *"No destinations configured"* ]]; then tmStatus="No destination configured" else runCommand=$( /usr/bin/tmutil destinationinfo | /usr/bin/grep "Name" | /usr/bin/awk -F ':' '{print $NF}' ) tmStatus="Destination: $runCommand" fi if [[ "${tmDestinationInfo}" == *"No destinations configured"* ]]; then tmLastBackup="Latest Backup: N/A" else runCommand=$( /usr/bin/tmutil latestbackup | /usr/bin/awk -F "/" '{print $NF}' ) if [[ -z $runCommand ]]; then tmLastBackup="Latest Backup: Unknown; connect destination" else tmLastBackup="Latest Backup: $runCommand" fi fi