Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

JAMF integrations using Serial number instead of MAC addresses

  • 1.  JAMF integrations using Serial number instead of MAC addresses

    Posted Feb 23, 2021 02:54 PM
    I was able to successfully get ClearPass and JAMF to integrate and sync to the endpoint database. Unfortunately, I am seeing twice as many endpoints as I do JAMF devices. This is most likely because in my extension attributes I am saying to list all the MAC addresses as unique endpoint entries. All of my Mac devices have a VPN adapter associated with them, so it would be better not to use MAC addresses as the identifier. Here is the extension attribute I am using now:

    #!/bin/sh
    # Collect the "Ethernet Address" of every hardware port and join them with "|"
    result=$(/usr/sbin/networksetup -listallhardwareports | /usr/bin/awk '/Ethernet Address/ {printf "%s%s",sep,$3; sep="|"} END {print ""}')
    # Extension attributes must wrap their value in <result> tags
    echo "<result>$result</result>"

    Do you have a sample script that will allow me to use serial number instead of MAC address? I was trying to edit the above script with this, but it's not working:

    #!/bin/sh
    # Split on the <serial_number> and <name> tags and print the name and serial fields.
    # awk is given no input file here, so it reads the XML from standard input.
    result=$(/usr/bin/awk -F "<serial_number>|</serial_number>|<name>|</name>" '{ print $4,$2 }')
    echo "<result>$result</result>"

    Thanks for any help you can provide.

    ------------------------------
    abraham
    ------------------------------


  • 2.  RE: JAMF integrations using Serial number instead of MAC addresses

    Posted Feb 23, 2021 03:34 PM
    Hey Abraham,

    The feature to capture via leveraging the JAMF extensions multi-MACs / endpoint was driven in itself by JAMF's shortcoming to report all MAC addresses for an endpoint, i.e. wired and wireless NICs. The script can be pushed directly from the CPPM extension into JAMF {if authority is set correctly}, but the CPPM extension is hardcoded to then read the array created in the JAMF endpoint extension {cppm-all-mac-addresses} and then specifically create {as you see} a unique endpoint in CPPM based upon the list of MAC addresses in the cppm-all-mac-addresses array... if you were to modify the script we push, this then wouldn't work as there is linkage into the CPPM endpoint DB based upon a primary key of MAC address.

    HTH.


    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------
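    As an added example (not the poster's script and not code from the ClearPass extension), here is a variant of the extension attribute that keeps the same pipe-separated `<result>` list but reports only hardware ports whose name is on an allow-list, so virtual and Bluetooth ports do not each become a CPPM endpoint. The port names, the sample `networksetup` output, and the assumption that the extension only needs the same list format are mine.

```shell
#!/bin/sh
# Added example, not the thread's script: keep the poster's "<result>a|b|c</result>"
# format but report only hardware ports whose name matches KEEP_PORTS.
# The port names are assumptions; adjust them to what your fleet reports.
KEEP_PORTS='^(Wi-Fi|AirPort|Ethernet|USB 10/100/1000 LAN)$'

# Read `networksetup -listallhardwareports` output on stdin; print the lowercased,
# de-duplicated Ethernet Address of every matching Hardware Port, joined by "|".
filter_macs() {
    awk -v keep="$KEEP_PORTS" '
        /^Hardware Port:/ { sub(/^Hardware Port: /, ""); port = $0; next }
        /^Ethernet Address:/ && port ~ keep {
            mac = tolower($3)
            if (!(mac in seen)) { seen[mac] = 1; out = out sep mac; sep = "|" }
        }
        END { print out }'
}

# Wrap the list in the <result> tags a JAMF extension attribute must emit.
ea_result() {
    printf '<result>%s</result>\n' "$(filter_macs)"
}

# Constructed sample of networksetup output (not captured from a real Mac):
# one Wi-Fi port to keep, a Bluetooth PAN and a Thunderbolt Bridge to drop.
SAMPLE='Hardware Port: Wi-Fi
Device: en0
Ethernet Address: A4:83:E7:11:22:33

Hardware Port: Bluetooth PAN
Device: en5
Ethernet Address: a4:83:e7:11:22:34

Hardware Port: Thunderbolt Bridge
Device: bridge0
Ethernet Address: 82:1d:52:aa:bb:cc
'

# On a Mac use the live command; elsewhere fall back to the constructed sample.
if command -v networksetup >/dev/null 2>&1; then
    networksetup -listallhardwareports | ea_result
else
    printf '%s' "$SAMPLE" | ea_result   # prints <result>a4:83:e7:11:22:33</result>
fi
```

    Because the output format is unchanged, the CPPM side still reads one MAC per array entry; only the set of entries shrinks.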



  • 3.  RE: JAMF integrations using Serial number instead of MAC addresses

    Posted Feb 24, 2021 10:40 AM

    Thanks for the response. So if I understand you correctly, the JAMF-ClearPass integration was designed to retrieve all the MAC addresses from the JAMF database. After thinking this over last night, I guess I understand the logic, considering you need to know all the interfaces on a device. I suppose if a user changes from a wireless to a wired network or connects from home using VPN, ClearPass would need to know all of the interfaces a device might use to authenticate to the network. I just thought that there was a way to associate all the device interface MAC addresses with one device. Thanks for the information.

    ------------------------------
    Ajamu Abraham
    Senior Network Engineer
    Dotdash.com
    28 Liberty, 7th Floor
    New York, NY 10005
    Cell #: 646.257.0453
    "cash rules everything around me"
    ------------------------------


  • 4.  RE: JAMF integrations using Serial number instead of MAC addresses

    Posted Feb 24, 2021 11:51 AM
    JAMF can hold 2 MACs per endpoint, but it's not defined that it will capture, say, wired & wireless; it could grab wireless and Bluetooth, or as in your case wireless and VPN etc.

    And when that device authN's, CPPM needs to be able to tether the MAC to the endpoint record in CPPM to check on endpoint attributes etc.

    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------



  • 5.  RE: JAMF integrations using Serial number instead of MAC addresses

    Posted Feb 24, 2021 11:53 AM
    This is awful. JAMF went from tracking machines by something potentially impermanent and not machine-specific (MAC address) and changed it to something else impermanent and not machine-specific (UDID).

    Anecdotally, we have thousands of "Mid-2013" Airs deployed and are now averaging one logic board replacement per day from that model. Each laptop becomes a new machine in the JSS upon imaging, listed with an identical serial number.

    Apple already has a system for unique, ubiquitous, actually machine-specific identifiers: the Serial Number. Fluke cases of Apple techs neglecting correct SN flashing procedure are not something to account for in core Jamf functionality, especially not at the cost of breaking device management, tracking, and history after Apple service.

    ------------------------------
    Ferguson Michel
    ------------------------------