Lab 11: Sensors and Scripts for Mac Endpoints

Introduction

Omnissa Workspace ONE Intelligent Hub is an application that provides a secure digital workspace to employees on any device, anywhere. It serves as a central hub where employees can access all the necessary tools and resources to be productive, regardless of whether they are using a desktop, mobile device, or web browser.

Objectives and Tasks

Create multiple Sensors and a Script for macOS devices in UEM:

Module 1: Sensors

  1. Create a sensor reporting the free disk space available on a macOS device.
  2. Create a sensor reporting the build version of the operating system.
  3. Create a sensor reporting the CPU architecture of a macOS device.

Module 2: Scripts

  1. Create a script for macOS in the Workspace ONE console
  2. Validate successful script execution (optional)

Module 1: Sensors

Sensors monitor specific device attributes, such as battery charge cycles, virus definition file updates, or security agent build versions. They can execute periodically or in response to system events like Login, Logout, and Startup.

Sensors use Bash, Python 3, or Z shell scripts to retrieve attribute values. If a script returns multiple values, Workspace ONE UEM interprets the output as a single value. If a script returns a null value, Workspace ONE UEM doesn’t report the sensor.

If this is the first time you have accessed the Sensors interface, you might be prompted with an information screen with helpful links to get you started with the Sensors feature in Workspace ONE. If you get that screen, just click Get Started to proceed with the lab.

For privacy reasons, sensors are not supported on employee-owned devices.

In this module, you will create three sensors to collect device attributes from macOS devices.

If you don’t have an enrolled macOS device in your lab environment, you won’t see the sensor results in the Workspace ONE console. Nevertheless, you should still perform the tasks to learn how to deploy sensors.

Task 1: Create a sensor reporting the free disk space available on a macOS device

In this exercise, you will create a sensor that will report the available free disk space on macOS devices.

To create the sensor:

  1. In the Workspace ONE console, click on Resources.
  2. Select Sensors.
  3. Click Add and select macOS from the dropdown menu.
  4. Enter system_disk_free_space{labid} as the sensor name. Click Next.
  5. From the Language dropdown, select Bash.
  6. Set the Execution Context to System.
  7. Select String from the Response Data Type.
  8. Paste the following code into the Code window.
#!/bin/bash

free_space=$(/usr/sbin/diskutil info /| grep 'Available Space:\|Free Space' | awk '{print $4, $5}')
echo $free_space

# Description: Returns free disk space of root volume '/'
# Execution Context: SYSTEM
# Execution Architecture: UNKNOWN
# Return Type: STRING
  9. Click Next.
  10. Click Save & Assign.
  11. Click New Assignment.
  12. Name the assignment All Corporate macOS Devices.
  13. Click in the Select Smart Group field and select Corporate-owned macOS Devices. Click Next.
  14. For Triggers, select Login and Log Out. This will trigger the sensor to report its value to Workspace ONE whenever an end user logs in or out of their device.
  15. Click Save.
  16. Click Close.
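
Because Workspace ONE UEM reads multi-line output as a single value and does not report a sensor that returns nothing, it helps to reduce the disk-space sensor's output to exactly one non-empty line. The following is an added example, not part of the original lab or of Omnissa's samples; the function name free_space_from, the "unknown" fallback and the sample diskutil text are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example: parse `diskutil info /` output into ONE non-empty value,
# so the sensor never reports several lines and never returns nothing.

# free_space_from TEXT -> prints e.g. "212.4 GB", or "unknown" (assumed fallback).
free_space_from() {
  local value
  # Take only the first matching line and keep "<number> <unit>".
  value=$(printf '%s\n' "$1" |
    awk -F': *' '/(Available|Free) Space:/ { split($2, f, " "); print f[1], f[2]; exit }')
  # Accept only "<number> <unit>"; anything else becomes the fallback.
  if printf '%s' "$value" | grep -Eq '^[0-9]+(\.[0-9]+)? [KMGT]?B$'; then
    printf '%s\n' "$value"
  else
    printf 'unknown\n'
  fi
}

# Constructed sample resembling `diskutil info /`, with two matching lines.
SAMPLE_APFS='   Volume Name:               Macintosh HD
   Container Total Space:     494.4 GB (494384795648 Bytes)
   Container Free Space:      212.4 GB (212400000000 Bytes)
   Volume Free Space:         212.4 GB (212400000000 Bytes)'

# On a managed Mac, report the real value; elsewhere this step is skipped.
if [ -x /usr/sbin/diskutil ]; then
  free_space_from "$(/usr/sbin/diskutil info /)"
fi
```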

Task 2: Create a sensor reporting the build version of the operating system

In this exercise, you will create a sensor that will report the build version of the operating system on macOS devices.

To create the sensor:

  1. In the Workspace ONE console, click on Resources.
  2. Select Sensors.
  3. Click Add and select macOS from the dropdown menu.
  4. Enter os_build_version{labid} as the sensor name. Click Next.
  5. From the Language dropdown, select Bash.
  6. Set the Execution Context to System.
  7. Select String from the Response Data Type.
  8. Paste the following code into the Code window.
#!/bin/bash

buildv=$(/usr/bin/sw_vers -buildVersion)
echo $buildv

# Description: Returns the OS build version
# Execution Context: SYSTEM
# Execution Architecture: UNKNOWN
# Return Type: STRING
  9. Click Next.
  10. Click Save & Assign.
  11. Click New Assignment.
  12. Name the assignment All Corporate macOS Devices.
  13. Click in the Select Smart Group field and select Corporate-owned macOS Devices. Click Next.
  14. For Triggers, select Login. This will trigger the sensor to report its value to Workspace ONE whenever an end user logs in to their device.
  15. Click Save.
  16. Click Close.

Task 3: Create a sensor reporting the CPU architecture of a macOS device

In this exercise, you will create a sensor that will report the CPU architecture of managed macOS devices.

To create the sensor:

  1. In the Workspace ONE console, click on Resources.
  2. Select Sensors.
  3. Click Add and select macOS from the dropdown menu.
  4. Enter system_cpu_arch{labid} as the sensor name. Click Next.
  5. From the Language dropdown, select Zsh.
  6. Set the Execution Context to System.
  7. Select String from the Response Data Type.
  8. Paste the following code into the Code window.
#!/bin/zsh

PROC=$(/usr/sbin/sysctl -n machdep.cpu.brand_string)

if grep -q "Apple" <<< "$PROC"; then
    echo "arm64"
else
    if grep -q "Intel" <<< "$PROC"; then
        echo "x86_64"
    else
        echo "unknown_cpu"
    fi
fi

# Description: Returns CPU processor architecture. Either arm64, x86_64 or unknown_cpu.
# Execution Context: SYSTEM
# Execution Architecture: UNKNOWN
# Return Type: STRING
  9. Click Next.
  10. Click Save & Assign.
  11. Click New Assignment.
  12. Name the assignment All Corporate macOS Devices.
  13. Click in the Select Smart Group field and select Corporate-owned macOS Devices. Click Next.
  14. For Triggers, select Startup. This will trigger the sensor to report its value to Workspace ONE during device startup.
  15. Click Save.
  16. Click Close.

Once the sensors are triggered on the devices, you will see values populated in the Sensors tab under Device Details.

Module 2: Scripts

Task 1: Create a macOS script in Workspace ONE UEM

Use scripts to run Bash, Python 3, or Z shell commands for endpoint configuration management on macOS devices with Omnissa Workspace ONE UEM. You can set the execution context for the script to either user or system. You can also specify a timeout in case the script gets stuck in a loop or becomes unresponsive for any reason.

If this is the first time you have accessed the Scripts interface, you might be prompted with an information screen with helpful links to get you started with the Scripts feature in Workspace ONE. Just click Get Started to proceed with the lab.

For this exercise, you will use a simple script that creates a text file on the desktop of the device’s logged-in end user.

To create a script:

  1. In the Workspace ONE console, select Resources. Then, click Scripts.
  2. Click Add, and select macOS from the dropdown menu.
  3. Name the script Create-File-On-Desktop(labid). Leave the App Catalog Configuration disabled. Click Next.
  4. Set the Language to Bash, the Execution Context to System, and Timeout to 30.
  5. Paste the following script into the Code window.
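#!/bin/bash
# Wait until a user other than root owns the console, i.e. someone is logged in.
loggedInUser="root"
while [[ "$loggedInUser" == "root" ]]; do
    sleep 10
    # The owner of /dev/console is the user of the current login session.
    loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
done
# Create the file on that user's desktop (quoted so the path stays one argument).
touch "/Users/$loggedInUser/Desktop/textfile.txt"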
  6. Click Next, and then click Save.
  7. Click Save.
  8. In the Scripts list, check the new script you just created, and click Assign.
  9. Click New Assignment. Name the assignment All macOS Devices.
  10. For Select Smart Group, click in the search box. From the list of Assignment Groups that appear, select Corporate-owned macOS Devices.
  11. Click Next.
  12. Check Run Once Immediately.
  13. Click Add.
  14. Click Save & Publish, and then click Publish.
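
Because the lab script runs in the System execution context, the file it creates is owned by root and root writes into a directory that the user controls. The following is an added example, not part of the original lab, that validates the console user and creates the file with that user's privileges instead; the helper names, the list of rejected accounts and the three-try wait are assumptions.

```shell
#!/bin/bash
# Added example: validate the console user, then create the file with that
# user's privileges instead of root's.

# is_real_user NAME -> status 0 only for a plausible interactive account.
is_real_user() {
  case "$1" in
    ''|.|..|root|loginwindow|_*) return 1 ;;  # no session or system account
    *[!A-Za-z0-9._-]*)           return 1 ;;  # rejects "/", spaces, etc.
  esac
  return 0
}

# desktop_file NAME -> path of the file to create for that user.
desktop_file() {
  printf '/Users/%s/Desktop/textfile.txt\n' "$1"
}

# console_user -> owner of /dev/console (the GUI session user on macOS).
console_user() {
  /usr/bin/stat -f '%Su' /dev/console 2>/dev/null
}

main() {
  local user tries=0
  # Bounded wait (assumed: 3 tries, 5 s apart) so the script exits by itself.
  until user=$(console_user) && is_real_user "$user"; do
    tries=$((tries + 1))
    if [ "$tries" -ge 3 ]; then
      echo "no console user found" >&2
      return 1
    fi
    sleep 5
  done
  # The write happens as the user, so the file is user-owned and root never
  # writes inside a directory the user controls.
  /usr/bin/sudo -u "$user" /usr/bin/touch "$(desktop_file "$user")"
}

# Only act on macOS; on other systems the functions are merely defined.
if [ "$(uname -s)" = "Darwin" ]; then
  main
fi
```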

Task 2: Validate successful script execution (optional)

This exercise is optional. If you do not have a macOS device enrolled in your lab environment, feel free to skip to module 3 of this lab.

To validate that the script has successfully executed:

  1. Log into a macOS device that is included in the assignment you configured earlier. Look on the desktop for a file called textfile.txt

If you have just logged into your macOS device, it may take a few minutes for the script to execute.

  2. You can also check the execution status in the Workspace ONE UEM console by selecting Devices, and then Devices.
  3. Click a macOS device in the list, and then select Scripts.
  4. Look for the script you created earlier. Check the Status of the script. If it was successful, the status will be Executed.

If the script does not appear on the list, try refreshing the screen. It might take a moment for Intelligent Hub to update Workspace ONE UEM on the status of the script’s execution.
