Update system_extensions.yml (#25917)

Added example query. --------- Co-authored-by: Eric <[email protected]>
fleetdm · Feb 3, 2025 · b29e3d4 · b29e3d4
1 parent 4779fef
commit b29e3d4
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 3 deletions.
diff --git a/schema/osquery_fleet_schema.json b/schema/osquery_fleet_schema.json
@@ -25903,7 +25903,7 @@
     "evented": false,
     "cacheable": false,
     "notes": "",
-    "examples": "Identify system extensions that are not managed via MDM and see their\nsignature status.\n\n```\nSELECT se.identifier, se.bundle_path, se.category, se.state, s.signed FROM system_extensions se JOIN signature s on s.path = se.bundle_path WHERE se.mdm_managed='0';\n```",
+    "examples": "Identify the signature status of system extensions not managed via MDM:\n\n```\nSELECT se.identifier, se.bundle_path, se.category, se.state, s.signed FROM system_extensions se JOIN signature s on s.path = se.bundle_path WHERE se.mdm_managed='0';\n```\n\nPerform a health check on a Jamf Protect installation:\n\n```\nSELECT 1 \nWHERE \n  (EXISTS (SELECT 1 FROM processes WHERE name = 'JamfProtectAgent') OR ( SELECT total_seconds FROM uptime ) <= 300 )\n  AND EXISTS (SELECT 1 FROM system_extensions WHERE identifier = 'com.jamf.protect.security-extension')\n  AND EXISTS (SELECT 1 FROM apps WHERE path = '/Applications/JamfProtect.app');\n```",
     "columns": [
       {
         "name": "path",

diff --git a/schema/tables/system_extensions.yml b/schema/tables/system_extensions.yml
@@ -1,8 +1,17 @@
 name: system_extensions
 examples: |-
-  Identify system extensions that are not managed via MDM and see their
-  signature status.
+  Identify the signature status of system extensions not managed via MDM:
 
   ```
   SELECT se.identifier, se.bundle_path, se.category, se.state, s.signed FROM system_extensions se JOIN signature s on s.path = se.bundle_path WHERE se.mdm_managed='0';
   ```
+
+  Perform a health check on a Jamf Protect installation:
+  
+  ```
+  SELECT 1 
+  WHERE 
+    (EXISTS (SELECT 1 FROM processes WHERE name = 'JamfProtectAgent') OR ( SELECT total_seconds FROM uptime ) <= 300 )
+    AND EXISTS (SELECT 1 FROM system_extensions WHERE identifier = 'com.jamf.protect.security-extension')
+    AND EXISTS (SELECT 1 FROM apps WHERE path = '/Applications/JamfProtect.app');
+  ```