Intune Proactive Remediation – Generate Jira Tasks when Non-Compliant

TLDR: Scripts on GitHub: Detection | Remediation with Jira Connection

Situation: I’ve been learning Intune on my own time in my lab, and one annoyance I have is the proactive remediation scripts. It’s a nice feature, like a beta version of Baselines in Configuration Manager, and in my opinion (feel free to correct me or argue your point on Twitter), Proactive Remediations are lacking in reporting. I’ll get machines that failed to resolve issues (according to the console), and then I have to go and check out the machine, which can be cumbersome.

Goal: increased visibility into problem machines. (something like this)

Idea: Leverage the FREE Atlassian Jira Cloud tier to have the Proactive Remediation (Remediation Script) create a Jira Task and upload logs if the Remediation Script doesn’t bring the machine back into compliance.

Proof of Concept: Monitor low disk space. If free space is under the threshold, run remediation; if it is still under the threshold when remediation completes, create a Jira Task with logs and info.

The Detection Script checks free space to see whether it is above the threshold. [GitHub]
The Remediation Script consists of a few things. [GitHub]

  • User defined Variables (Thresholds & Log locations)
  • Functions
  • Jira Connection Info

Jira Connection

Since this is my lab, I created a FREE Jira instance on their cloud and was able to get my own custom name. https://garytown.atlassian.net/

Once set up, I created a project that I wanted all of these remediations to be associated with. I went with “Intune – Proactive Remediation”, which then gets the short code of ‘IPR’.

Once you have this set up, you’ll need an API Token so that your scripts have permission to upload items to Jira. Instructions for Token creation.

Now, I’m using the Token in clear text in my script. I wouldn’t recommend this, but this is a POC, and just in my lab. If you want a much better way to handle passwords / secrets with Intune for Proactive Remediation, I’d recommend you look at Damien’s post “Store BIOS passwords on Azure Key Vault and set devices password with Intune” for insights on using Azure’s Key Vault.

In the Script, I’m leveraging the PowerShell Module JiraPS. I’ve had good luck using this at work with their on-prem JIRA, so I went with it for my lab. The script will install the module when required.

Things I’m not accounting for: proxy servers. I’m ASSUMING that if you’re running this on Intune Managed devices, they don’t have proxies. If you require proxies, update the script accordingly.

To make the Jira Connection, you’ll need the username (email address of the account you used to make the token), the token, and the server address.

  • Example of Requirements:
    • $JiraName = "jira@garytown.com"
    • $JiraToken = 'lkjasdlfha928239hedhs' | ConvertTo-SecureString -Force -AsPlainText
    • $Credential = New-Object System.Management.Automation.PsCredential($JiraName, $JiraToken)
    • $JiraConfigServer = "https://garytown.atlassian.net"
    • $JiraProjectID = 'IPR'

Once you have that, you can create the connection

Set-JiraConfigServer -Server $JiraConfigServer
New-JiraSession -Credential $Credential
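As an alternative to the clear-text token, the following added example (not part of the original script or of the post it links to) builds the same `$Credential` from a secret stored in Azure Key Vault. It assumes the Az.Accounts and Az.KeyVault modules, an app registration that signs in with a certificate already installed on the device, and placeholder IDs and names that you would replace.

```powershell
# Added example: every value in angle brackets is a placeholder, and the secret name is hypothetical.
$TenantId         = '<tenant-id>'
$AppId            = '<app-registration-client-id>'
$CertThumbprint   = '<client-certificate-thumbprint>'
$VaultName        = '<key-vault-name>'
$SecretName       = 'JiraApiToken'
$JiraName         = 'jira@garytown.com'
$JiraConfigServer = 'https://garytown.atlassian.net'

function Get-JiraCredentialFromVault {
    param([string]$UserName)
    foreach ($Module in 'Az.Accounts', 'Az.KeyVault') {
        if (-not (Get-Module -ListAvailable -Name $Module)) {
            Install-Module -Name $Module -Scope AllUsers -Force -AllowClobber
        }
        Import-Module $Module -ErrorAction Stop
    }
    # Certificate-based service principal sign-in. -Scope Process keeps the
    # Azure context in memory only, so nothing is written to a saved profile.
    Connect-AzAccount -ServicePrincipal -Tenant $TenantId -ApplicationId $AppId `
        -CertificateThumbprint $CertThumbprint -Scope Process -ErrorAction Stop | Out-Null
    try {
        $Secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -ErrorAction Stop
        if (-not $Secret) { throw "Secret '$SecretName' was not returned by the vault." }
        # SecretValue is already a SecureString, so the token never appears as plain text here.
        New-Object System.Management.Automation.PSCredential($UserName, $Secret.SecretValue)
    }
    finally {
        Disconnect-AzAccount -Scope Process -ErrorAction SilentlyContinue | Out-Null
    }
}

try {
    $Credential = Get-JiraCredentialFromVault -UserName $JiraName
    Set-JiraConfigServer -Server $JiraConfigServer
    New-JiraSession -Credential $Credential | Out-Null
}
catch {
    # Log only the error text, never the credential, and report the remediation as failed.
    Write-Output "Jira connection skipped: $($_.Exception.Message)"
    exit 1
}
```

The certificate and its private key still live on the device, so grant the service principal read access to this one secret only, and give the Jira account behind the token no more rights than it needs in the IPR project.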

Once you’ve created the connection, you can then issue the commands to create Tasks (Or other items)

#Create Information for JIRA Task
$Description = "Low Disk Space
Required: $MinFreeSpace
Machine has attempted Proactive Remediation and still has low disk space, see attached logs for additional details
"
$Summary = "Low Disk Space: Machine $env:COMPUTERNAME"

#Create the Jira Task
$JiraIssue = New-JiraIssue -Project $JiraProjectID -IssueType "Task" -Summary $Summary -Description $Description

#Create Comment & Add to Task
$Comment = $Results | Out-String
Add-JiraIssueComment -Comment $Comment -Issue $JiraIssue.Key

#Attach Logs
$Logs = Get-ChildItem -Path (Split-Path -Path $ScriptLogPath)
foreach ($log in $logs)
    {
    Add-JiraIssueAttachment -Issue $JiraIssue.Key -FilePath $log.FullName
    }

That’s the basics of creating a Task.
I’ve had issues trying to add a reporter, pretty sure it’s a BUG in Jira Cloud, so I disabled the requirement of having a Reporter. More details below.
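Because a remediation runs again on every scheduled cycle, the code above would open a new Task each time a machine stays non-compliant, and it attaches every file in the log folder. This added example (not from the original script) goes one step further: it reuses an open Task for the same machine and attaches only `.log` files under a size cap. It assumes a JiraPS session is already open; the function names, the 5 MB cap and the sample values are constructed for illustration.

```powershell
# Added example. In the real script these three values come from earlier code;
# the values here are constructed samples so the block stands alone.
$MinFreeSpace   = '25 GB'
$Results        = [pscustomobject]@{ Drive = 'C:'; FreeGB = 12; Remediated = $false }
$ScriptLogPath  = "$env:ProgramData\IntuneRemediation\LowDisk\Remediation.log"   # hypothetical path
$JiraProjectID  = 'IPR'
$MaxAttachBytes = 5MB            # hypothetical cap per attachment
$Summary        = "Low Disk Space: Machine $env:COMPUTERNAME"

function Get-OpenTaskForMachine {
    param([string]$Project, [string]$Summary)
    # JQL phrase match on the summary, limited to Tasks that are not in a Done status.
    $Jql = 'project = "{0}" AND summary ~ "\"{1}\"" AND statusCategory != Done' -f $Project, $Summary
    Get-JiraIssue -Query $Jql -ErrorAction Stop | Select-Object -First 1
}

function Get-LogsToAttach {
    param([string]$LogFolder, [long]$MaxBytes)
    # Only non-empty *.log files below the cap leave the machine.
    Get-ChildItem -Path $LogFolder -File -Filter '*.log' |
        Where-Object { $_.Length -gt 0 -and $_.Length -le $MaxBytes }
}

$Comment  = "Checked $(Get-Date -Format s)`n" + ($Results | Out-String)
$Existing = Get-OpenTaskForMachine -Project $JiraProjectID -Summary $Summary
if ($Existing) {
    # Task already open for this machine: add a comment instead of a duplicate.
    Add-JiraIssueComment -Issue $Existing.Key -Comment $Comment | Out-Null
    $IssueKey = $Existing.Key
}
else {
    $Description = "Low Disk Space`nRequired: $MinFreeSpace`nRemediation ran and the machine is still under threshold; see attached logs."
    $JiraIssue = New-JiraIssue -Project $JiraProjectID -IssueType 'Task' -Summary $Summary -Description $Description
    $IssueKey  = $JiraIssue.Key
    Add-JiraIssueComment -Issue $IssueKey -Comment $Comment | Out-Null
    $LogFolder = Split-Path -Path $ScriptLogPath
    foreach ($Log in Get-LogsToAttach -LogFolder $LogFolder -MaxBytes $MaxAttachBytes) {
        Add-JiraIssueAttachment -Issue $IssueKey -FilePath $Log.FullName | Out-Null
    }
}
Write-Output "Jira task: $IssueKey"
```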

I recommend testing the script on a machine you have local admin rights on and can open ISE on, and start by testing your JIRA connection to ensure that’s all in place. Then run through parts of the script to see the logs created, and see how you want to customize for your environment before testing in Intune. Testing in Intune drives me crazy, waiting for the scripts to run when they feel like it.

More Jira Info for those less familiar, here are some items I found helpful.
Creating a new Project for Kanban Tasks (Project Menu -> Create Project)

I go with Kanban
Then Team Managed… but this is completely up to you. I’m keeping it simple.


Now I pick a name, in the future I’m planning to integrate Jira Tasks into a TS, so I’ll set that up now:

Once you’ve created the project, if you’re planning to use JiraPS, you’ll need to edit the Project Settings and remove the Reporter field.

I’ve had issues creating Tasks when the reporter was required, so I removed that requirement. See the Bug in GitHub. I get similar issues when trying to assign a user, so I just don’t do that.

Note, I did not have the issue with our on-prem version, I can assign items and reporters and watchers without issue, but on the cloud version, I have problems.

In Action

When machines run the script and they are still non-compliant after running remediation, a Jira Task is created for someone to work.

The Remediation Script has the Jira info to create a task and add it to the Jira Kanban board for someone to pick up.

When you drill in to the task, there is additional info, including attached logs.

The Task includes a Summary (Title), Description, Comment and Attachments that will hopefully give some helpful information to the Tech that picks up the task to work on instead of going in clueless.

Please let me know if you have any questions, hit me up on Twitter (@gwblok), hopefully the script itself might answer anything I might have glossed over.

Posted originally on GARYTOWN.COM
