Question

Run policies after rebuild

  • 1 September 2022

We have several policies that are based on a weekly staggered layout by location and 4am deployment (and next check in).  However, when we re-image a workstation and Automox gets automatically installed, we would have to wait until the next morning or next update cycle to get software and patches.  I don't know if we can do anything like this now, but it would be nice when a new device checks in, is in the default group, or have a command switch to run, that it would automatically force run any associated policies before we deploy back to staff.


4 replies


Hello,

 

The only way to have patch policies run before their normally scheduled times would be to run them manually on the device after the imaging is complete.

You can do this from the Device Details page for a given machine when you know the machine is ready to start patching. As long as there are associated patch policies, you can click “Run on this device” for a given policy to execute it immediately.

If you are imaging multiple devices in a batch on a regular basis, then you might consider creating a new patch policy specifically for the newly imaged devices that you can associate, run once, and then unassociate before returning the device to end users. With this method, you could select the policy itself and choose “Run Policy” so it affects the specific devices without kicking off the patch policies for all the other devices already deployed.

Device Targeting would be useful in this case, as you could Tag a device for the new policy to target (for example, “Imaging”), thus protecting you from accidentally associating the policy to the wrong devices.

Hope that helps!
Cheers


Thanks.  Will probably just focus on manually pushing but appreciate the feedback.  With this, it would be nice to have an option to repeat throughout the day instead of just one set time.  So like every 4 hours, every time it syncs/scans, or apply if it's been less than 24 hours since last checked in to assigned policy, etc.


I too would like a more automated feature for this.  I was hoping I could just create a policy that uses device targeting on all systems tagged with “Recently Added” but apparently that is not a tag you can target off of.  It would seem to be a very simple feature to implement, since Automox can already automatically tag devices as “Recently Added” when they first check in.  That way I could just set up a policy that runs every day at a certain time, and if the device misses that window it’ll start the next time it checks in.  This would allow us to image a new computer for 1 or more new users and if we leave them on overnight it would just install, and reboot on its own so by the next morning the computers would be up to date and ready to join the normal patch cycle as all the other computers.


@tyler.adams @jhamman While you wait, there is a way with the Automox API to achieve the desired outcome. You would need to customize it to your needs of course.

Check my post out here for how to drop secrets into PowerShell. Not fully secure, but better than nothing.

# Prepare Authorization
$apiKey = Read-Host "Enter API Key"
$headers = @{ "Authorization" = "Bearer $apiKey" }
$orgID = Read-Host "Enter Org ID"

# Get all agents from Automox (need this for the IDs)
# Pages through the device list 100 at a time until an empty page comes back
$i = 0
$agents = do {
    $url = "https://console.automox.com/api/servers?o=$orgID&page=$i&limit=100"
    try {
        $response = (Invoke-WebRequest -Method Get -Uri $url -Headers $headers -UseBasicParsing).Content | ConvertFrom-Json
    }
    catch {
        # Stop paging on error; otherwise the previous page would be emitted again forever
        Write-Warning "$($_.Exception.Message)"
        $response = $null
    }
    $response
    $i++
}
while ($response)

# Get Policy (handy to get friendly name)
$url = "https://console.automox.com/api/policies?o=$orgID"
$policies = (Invoke-WebRequest -Method Get -Uri $url -Headers $headers -UseBasicParsing).Content | ConvertFrom-Json

# Grab the policies you want to run (need the ID)
$RunPolicies = $policies | Where-Object name -in ('policy name 1','policy name 2')

# Get a list of newly imaged computers
<#
Could key off the create_time property in the $agents variable. Just know that date stays from the first time that hardware was observed by Automox and won't know you put a fresh image on the device...

You could, if you use a worklet, include some date/time logic around this WMI query:
$InstallDate = (Get-CimInstance Win32_OperatingSystem).InstallDate
#>

# Get only the PCs you want to run policy on
$PCs = Get-Content C:\temp\ImagedComputers.txt
$systems = $agents | Where-Object name -in $PCs

# Run the desired policy on each selected device
ForEach ($policy in $RunPolicies) {
    $p = $policy.id
    ForEach ($agent in $systems) {
        $serverId = $agent.id
        $url = "https://console.automox.com/api/policies/$p/action?o=$orgID&action=remediateServer&serverId=$serverId"
        Invoke-WebRequest -Method POST -Uri $url -Headers $headers -UseBasicParsing
    }
}

# Run policies on the device
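
The date/time logic around the `Win32_OperatingSystem` query that the script's comment block suggests for a worklet could look like the following. This is an added example, not part of the original post or of Automox's own code; the function name `Test-RecentlyImaged`, the 24-hour window, and the exit-code convention (0 = nothing to do, non-zero = run remediation) are assumptions to adapt to your environment.

```powershell
# Added example (not from the original post).
# Returns $true when the OS install date falls inside the last $WindowHours hours.
function Test-RecentlyImaged {
    param(
        [Parameter(Mandatory)] [datetime] $InstallDate,
        [datetime] $Now = (Get-Date),
        [ValidateRange(1, 720)] [int] $WindowHours = 24   # assumed window
    )

    $age = $Now - $InstallDate

    # An install date in the future means the clock was wrong at imaging time
    # or has since been set back. The age is unknowable, so report it and
    # do not classify the device as freshly imaged.
    if ($age -lt [timespan]::Zero) {
        Write-Warning "InstallDate $InstallDate is later than current time $Now"
        return $false
    }

    return ($age.TotalHours -le $WindowHours)
}

# Evaluation step: query the local OS and translate the result to an exit code.
try {
    # Get-CimInstance returns InstallDate already converted to [datetime]
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ErrorAction Stop
}
catch {
    # If WMI/CIM is unavailable, do not trigger anything on a guess
    Write-Warning "Could not read OS install date: $($_.Exception.Message)"
    exit 0
}

if (Test-RecentlyImaged -InstallDate $os.InstallDate) {
    # Assumed convention: non-zero flags the device for remediation
    exit 1
}
exit 0
```

An in-place Windows feature update also resets `InstallDate`, so a device that has just taken one will match this check as well as a freshly imaged one.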

 
