cancel
Showing results for 
Search instead for 
Did you mean: 

Location Based Dynamic System Groups - On a Day to Day Basis

shawnsong
Rising Star II
Rising Star II

Hey folks,

Last time I posted 2 scripts in PowerShell & Python on this very topic to complement our newly released Dynamic Groups feature (1 of my personal favorites!).

Many people ask for more with the question - what if we want to move around the devices to the location based device groups on a day to day basis? 

The use case is mostly to cater to the orgnisation which has the country / location specific security policies to apply, especially when the employees are traveling. 

Yes, I wrote the script for this, read on!

 

Caveats

  • Get the API key for the manager role’s permissions are sufficient here.
  • The script will only move the devices are online at the moment when it runs.
  • There will be removal of group memberships every time this script runs. -  However, Dynamic Device Groups are not affected. More to that later.   
  • Suggested DO NOT run this script more than twice a day especially in a large organisation (~500+ employees) to minimise the amount of changes in general happening in the background. 

 

Considerations

Use the Dynamic Device Group to bind to the baseline security policies and split the location-based policies into the respective location groups only.

Like you see here: all the Windows devices will be staying in this group which applied 3 security + 1 patching policies. 

shawnsong_0-1695624429985.png

So, when an employee is based (or traveled to) Singapore, a different patch policy and more restrictions to control panel will be applied. 

shawnsong_1-1695624448520.png

 

You can setup more location based policies like this then let the script take care of moving the devices around automatically, thus your organisation is compliant with ease in the country your business is operating in when the employees are traveling often. 

Here is the code

(You can also follow the most up-to-date script here.) 

 


# -----------------------------------------------------------------------------
# Script: Add-geoSystemGroupMember.ps1
# Version: 1.0.1
# Author: Shawn Song
# Reference: 
#  -  https://community.jumpcloud.com/t5/community-scripts/powershell-add-the-systems-to-a-system-group-depends-on-where/m-p/1733#M172
# 
# Notes: Run this script regularly if you wanted to keep moving the device around the geo based groups, not more than twice a day!
# Requirements:
# - The latest JumpCloud PowerShell Module. https://jumpcloud.com/support/install-the-jumpcloud-powershell-module
# - PowerShell 7 and above versions. 
# -----------------------------------------------------------------------------

# Connect to JC online
Connect-JCOnline -JumpCloudApiKey "Your-JC-manager-api-key" #JumpCloud manager admin role is sufficient. 

# a function to query the geo info from an IP supplied
function Get-IPGeolocation {
    Param
    (
      [string]$IPAddress
    )
   
    $request = Invoke-RestMethod -Method Get -Uri "http://ip-api.com/json/$IPAddress"
   
    [PSCustomObject]@{
      IP      = $request.query
      City    = $request.city
      Country = $request.country
      Isp     = $request.isp
    }
  }


# Getting the systems are online with an public IP (excluding the mobile devices).
$jcsystemInfo = Get-JCSystem | where {($_.active -eq $true) -and ($null -ne $_.remoteIP)}
$jcsysgroups = Get-JCGroup -Type System


# Adding the systems to these geo related groups
if ($null -ne $jcsystemInfo){
    foreach ($system in $jcsystemInfo){

        # Moving the system off from the previous system groups - dynamic groups will not be affected
        $jcsysgroups | Get-JCSystemGroupMember | where {$_.systemid -eq $system.id} | Remove-JCSystemGroupMember -SystemID $system.id

        # Now after cleaning up, adding to the new groups based on the device current location
        $geolocation = Get-IPGeolocation -IPAddress $system.remoteIP
    
        $targetGroup = $geolocation.Country.Replace(' ','') + "_" + $system.osFamily
        
        # Adding the system to the target group
        $testGroup = Get-JCGroup -Type System -Name $targetGroup -ErrorAction SilentlyContinue
        $testMember = Get-JCSystemGroupMember -GroupName $targetGroup -ErrorAction SilentlyContinue | where system -eq $system.displayName
    
        if ($null -eq $testGroup){
            $newGroup = New-JCSystemGroup -GroupName $targetGroup
            Add-JCSystemGroupMember -GroupID $newGroup.id -SystemID $system._id 
            Write-Output "$($system.displayname) has been added to $($newgroup.name) system group! `n "
    
        }
        elseif ($null -ne $testGroup -and $null -eq $testMember) {
            Add-JCSystemGroupMember -GroupID $testGroup.id -SystemID $system._id
            Write-Output "$($system.displayname) has been added to $($testGroup.name) system group! `n "
        }
        else {
            Write-Output "$($system.displayname) already exists in $($testGroup.name) system group! `n "
        }
    }
}
else {
    Write-Output "Phew! No system needs to be moved, take a day off!"
}

 

That's it, hope you find it useful.

Have a great starting of the week to end the Q3!

 

0 REPLIES 0