Menu Close

How to tell Jamf Pro what Vendor “P” knows about Vendor ”S”

Or, Jamf Pro Extension Attributes for Sophos Endpoint’s “Real Time Scanning > Files” as referenced by Palo Alto GlobalProtect’s “HIP Objects > Real Time Protection”

Background

While adding a new Network Access Controls section to William Smith’s excellent Computer Information script, I was deflated to learn that my current Jamf Pro Extension Attribute for Sophos Endpoint wasn’t looking at the same data point as Palo Alto GlobalProtect’s “HIP Objects > Real Time Protection.”

Computer Information > Network Access Controls

Jamf Pro Extension Attributes

com.sophos.scan

My first attempt was to determine the status of com.sophos.scan:

#!/usr/bin/env bash
##########################################################################
# A script to collect the process state of Sophos Endpoint.              #
# If Sophos Endpoint is not installed, "Not Installed" will be returned. #
##########################################################################

RESULT="Not Installed"

if [[ -d /Applications/Sophos/Sophos\ Endpoint.app ]]; then
	sophosScanAgentName=$( /bin/launchctl list | /usr/bin/awk '/com.sophos.scan/{ print $3}' )
    if [[ -z "${sophosScanAgentName}" ]]; then
        RESULT="Not Found"
    else
	    RESULT=$( /bin/launchctl print system/${sophosScanAgentName} | /usr/bin/awk '/state/{ print $3}' )
    fi
fi

/bin/echo "<result>${RESULT}</result>"

This worked well, until I discovered older versions of macOS didn’t include com.sophos.scan.

com.sophos.common.servicemanager

After confirming with Sophos Support that com.sophos.common.servicemanager is common among all OSes we’re running, I re-wrote the EA:

#!/usr/bin/env bash
##########################################################################
# A script to collect the process state of Sophos Endpoint.              #
# If Sophos Endpoint is not installed, "Not Installed" will be returned. #
##########################################################################

RESULT="Not Installed"

if [[ -d /Applications/Sophos/Sophos\ Endpoint.app ]]; then
    sophosProcessName=$( /bin/launchctl list | /usr/bin/awk '/com.sophos.common.servicemanager/{ print $3}' )
    if [[ -z "${sophosProcessName}" ]]; then
        RESULT="Not Found"
    else
        RESULT=$( /bin/launchctl print system/${sophosProcessName} | /usr/bin/awk '/state/{ print $3}' )
    fi
fi

/bin/echo "<result>${RESULT}</result>"

OnAccessRunning

After contacting Sophos Support again to inform them that GlobalProtect was looking somewhere else, they pointed me in the direction of their various .PLISTs.

#!/usr/bin/env bash
####################################################################################
# A script to collect the state of Sophos Endpoint's "Real Time Scanning > Files". #
# If Sophos Endpoint is not installed, "Not Installed" will be returned.           #
# If "Real Time Scanning > Files" is disabled, "Disabled" will be returned.        #
####################################################################################

RESULT="Not Installed"

if [[ -d /Applications/Sophos/Sophos\ Endpoint.app ]]; then
    if [[ -f /Library/Preferences/com.sophos.sav.plist ]]; then
        sophosOnAccessRunning=$( /usr/bin/defaults read /Library/Preferences/com.sophos.sav.plist OnAccessRunning )
        case ${sophosOnAccessRunning} in
            "0" ) RESULT="Disabled" ;;
            "1" ) RESULT="Enabled" ;;
             *  ) RESULT="Unknown" ;;
        esac
    else
        RESULT="Not Found"
    fi
fi

/bin/echo "<result>${RESULT}</result>"

Computer Information Snippets

Here are a few of the related snippets we’re using in our Computer Information script:

Variables

####################################################################################################
#
# Variables
#
####################################################################################################

loggedInUser=$( /bin/echo "show State:/Users/ConsoleUser" | /usr/sbin/scutil | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }' )

GlobalProtect Status

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Determine the status of GlobalProtect
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

function GlobalProtectStatusCheck (){

    appResult="Not Installed"
    userResult="${loggedInUser} not logged-in"
    globalProtectDisabled="Disabled"

    if [[ -d /Applications/GlobalProtect.app ]]; then # GlobalProtect.app found in /Applications

        # Read GlobalProtect's version number 
        appResult=$( /usr/bin/defaults read /Applications/GlobalProtect.app/Contents/Info.plist CFBundleShortVersionString )
        appResult="GlobalProtect ${appResult} installed"

        # Read `disable-globalprotect` value
        globalProtectDisabledStatus=$( /usr/libexec/PlistBuddy -c "print :Palo\ Alto\ Networks:GlobalProtect:PanGPS:disable-globalprotect" /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist )
        case "${globalProtectDisabledStatus}" in
            0 ) globalProtectDisabled="GlobalProtect enabled" ;;
            1 ) globalProtectDisabled="GlobalProtect disabled" ;;
            * ) globalProtectDisabled="GlobalProtect status unknown" ;;
        esac

        # Read the logged-in user's `User`
        userResult=$( /usr/bin/defaults read /Users/${loggedInUser}/Library/Preferences/com.paloaltonetworks.GlobalProtect.client User 2>&1 )
        if [[ "${userResult}"  == *"Does Not Exist" || -z "${userResult}" ]]; then
            userResult="${loggedInUser} NOT logged-in to GlobalProtect"
        elif [[ ! -z "${userResult}" ]]; then
            userResult="${loggedInUser} logged-in to GlobalProtect"
        fi

        # Read `Portal`
        companyPortal=$( /usr/libexec/PlistBuddy -c "print :Palo\ Alto\ Networks:GlobalProtect:PanSetup:Portal" /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist )

        # Read `default-gateway-name`
        gatewayResult=$( /usr/libexec/PlistBuddy -c "print :${companyPortal}:default-gateway-name" /Users/${loggedInUser}/Library/Preferences/com.paloaltonetworks.GlobalProtect.client.plist 2>&1 )
        if [[ "${gatewayResult}" == *"Does Not Exist" ]]; then
            gatewayResult="No default gateway specified"
        elif [[ ! -z "${gatewayResult}" ]]; then
            gatewayResult="${loggedInUser} selected ${gatewayResult} as default gateway"
        fi

    else # GlobalProtect.app NOT found in /Applications; clear other variables
        userResult=""
        globalProtectDisabled=""
        gatewayResult=""

    fi

}

Sophos Endpoint Status

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Determine the status of Sophos Endpoint
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

function SophosEndpointStatusCheck (){

    sophosEndpointStatus="Not Installed"

    if [[ -d /Applications/Sophos/Sophos\ Endpoint.app ]]; then
        if [[ -f /Library/Preferences/com.sophos.sav.plist ]]; then
            sophosOnAccessRunning=$( /usr/bin/defaults read /Library/Preferences/com.sophos.sav.plist OnAccessRunning )
            case ${sophosOnAccessRunning} in
                "0" ) sophosEndpointStatus="Disabled" ;;
                "1" ) sophosEndpointStatus="Enabled" ;;
                *  ) sophosEndpointStatus="Unknown" ;;
            esac
        else
            sophosEndpointStatus="Not Found"
        fi
    fi

}

Cisco AnyConnect / Palo Alto Global Protect VPN IPs

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Test for VPN Clients and IP addresses
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

function vpnIP(){

    anyConnectTest="/opt/cisco/anyconnect/bin/vpn" # Cisco binary
    globalProtectTest="/Applications/GlobalProtect.app" # GlobalProtect app



    ###
    # Cisco AnyConnect
    ###

    if [ -f "${anyConnectTest}" ] ; then

        # Cisco AnyConnect installed; read current IP Address
        anyConnectIP=$( /opt/cisco/anyconnect/bin/vpn stats | grep "Client Address (IPv4):" | awk '{print $4}' )

        if [ "${anyConnectIP}" = "Not" ]; then
            # IP address is blank, report no connection
            anyConnectStatus="AnyConnect IP: Inactive"
        else
            # IP address is *not* blank, report the IP address
            anyConnectStatus="AnyConnect IP: ${anyConnectIP}"
        fi

    else

        # Cisco AnyConnect is not installed
        anyConnectStatus="AnyConnect is NOT installed"

    fi



    ###
    # Palo Alto Networks GlobalProtect
    # Thanks, @franton!
    ###

    if [ -d "${globalProtectTest}" ] ; then

        # Palo Alto Networks GlobalProtect installed; read current IP Address

        interface=$( ifconfig | grep -B1 "10." | awk '{ print $1 }' | head -1 )

        if [ -z "$interface" ]; then
            globalProtectStatus="GlobalProtect: Inactive"
        else
            globalProtectIP=$( ifconfig | grep -A2 -E "${interface}" | grep inet | awk '{ print $2 }' )
            globalProtectStatus="GlobalProtect: ${globalProtectIP}"
        fi

    else

        # Palo Alto Networks GlobalProtect is not installed
        globalProtectStatus="GlobalProtect is NOT installed"

    fi

    ScriptLog "$anyConnectStatus"
    ScriptLog "$globalProtectStatus"

}

Time Machine

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Time Machine
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

tmDestinationInfo=$( /usr/bin/tmutil destinationinfo )

if [[ "${tmDestinationInfo}" == *"No destinations configured"* ]]; then

    tmStatus="No destination configured"

else

    runCommand=$( /usr/bin/tmutil destinationinfo | /usr/bin/grep "Name" | /usr/bin/awk -F ':' '{print $NF}' )
    tmStatus="Destination: $runCommand"

fi



if [[ "${tmDestinationInfo}" == *"No destinations configured"* ]]; then

    tmLastBackup="Latest Backup: N/A"

else

    runCommand=$( /usr/bin/tmutil latestbackup | /usr/bin/awk -F "/" '{print $NF}' )

    if [[ -z $runCommand ]]; then

        tmLastBackup="Latest Backup: Unknown; connect destination"

    else

        tmLastBackup="Latest Backup: $runCommand"

    fi

fi
Posted in Palo Alto GlobalProtect, Sophos Endpoint, Tips & Tricks

Related Posts