#!/bin/bash
## First run script following DEP enrolment
## Neil Martin, University of East London
# $4 = JSS URL including port number - e.g. https://yourjss.com:8443
# $5 = JSS account username for API access
# $6 = JSS account password for API access (it arrives as a process argument, so it is visible to other local processes via ps while the script runs - use a dedicated, least-privileged API account)
# Set basic variables
# macOS version/build strings as reported by sw_vers (used later in the DEPNotify text)
osversion="$(/usr/bin/sw_vers -productVersion)"
osbuild="$(/usr/bin/sw_vers -buildVersion)"
# Hardware serial number, pulled from the IOPlatformExpertDevice registry entry;
# this is the key every JSS lookup/update below is made against
serial="$(/usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice | /usr/bin/awk -F'"' '/IOPlatformSerialNumber/{print $4}')"
# Jamf Pro connection details come in as script parameters 4-6 (see header)
jamfUrl="${4}"
apiUserName="${5}"
apiPassword="${6}"
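# Function to add date to log entries
# Usage: log "message"
# Writes "*YYYY-MM-DD HH:MM:SS: message" to stdout (which is redirected to the
# log file further down). The leading '*' is part of the original format and
# is kept unchanged.
log(){
  # local rather than the global NOW of the original - nothing else reads it
  local now
  now="$(date +"*%Y-%m-%d %H:%M:%S")"
  # printf with a fixed format: the message is data, never an echo option
  /usr/bin/printf '%s: %s\n' "$now" "$1"
}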
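# Logging for troubleshooting - view the log at /private/tmp/firstrun.log
# NOTE(review): this is a fixed, predictable path in a world-writable directory
# and the script runs as root, so a symlink pre-placed at that name would make
# us write to its target. A root-owned location (e.g. /var/log or /Library/Logs)
# is safer; the path is kept here because the comment above is where operators
# are told to look.
/usr/bin/touch /private/tmp/firstrun.log
# Send stdout AND stderr to the log. Order matters: redirect stdout to the file
# first, then point stderr at the already-redirected stdout. The original
# 'exec 2>&1>file' did it the other way round, which left stderr on the
# caller's stdout and captured only stdout in the file.
exec >/private/tmp/firstrun.log 2>&1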
# Let's not go to sleep
log "Disabling sleep..."
# Hold the sleep assertions (see caffeinate(8) for the flags) in the background;
# the PID is kept so the process can be killed at the end of the run
/usr/bin/caffeinate -d -i -m -s -u &
caffeinatepid="$!"
# Disable Automatic Software Updates during provisioning
log "Disabling automatic software updates..."
/usr/sbin/softwareupdate --schedule off
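# Get API Bearer Token
# The credentials are handed to curl as a config file on stdin (-K -) instead of
# with -u, so they never appear in curl's argv (they still arrive in this script's
# own argv as $5/$6 - see header). curl's config parser treats '\' and '"'
# specially inside a quoted value, so double every backslash and escape every
# quote before writing: user = "name:password"
escUser=${apiUserName//\\/\\\\}; escUser=${escUser//\"/\\\"}
escPass=${apiPassword//\\/\\\\}; escPass=${escPass//\"/\\\"}
response=$(/usr/bin/printf 'user = "%s:%s"\n' "$escUser" "$escPass" | /usr/bin/curl -s -K - "$jamfUrl"/api/v1/auth/token -X POST)
bearerToken=$(/bin/echo "$response" | /usr/bin/plutil -extract token raw -)
if [[ -z "$bearerToken" ]]; then
  # Without a token the EA lookup below returns nothing and the script falls
  # through to the User Input path - say so in the log instead of silently
  log "WARNING: no bearer token returned by ${jamfUrl} - check the API credentials/connectivity"
fi
# Check for existing Hostname extension attribute in JSS - if it's not there, we'll set up NoMAD Login with User Input mech, otherwise, we will proceed with Notify mech only!
log "Checking for existing Hostname and Role in JSS..."
eaxml=$(/usr/bin/curl -s "$jamfUrl"/JSSResource/computers/serialnumber/"$serial"/subset/extension_attributes -H "Authorization: Bearer ${bearerToken}" -H "Accept: text/xml")
# Both predicates were missing their closing ']' - an unparseable XPath yields an
# empty value, which would send every Mac down the User Input path.
# NOTE(review): recent macOS xpath builds expect '-e <expr>'; confirm the
# invocation form on the target OS version.
computerName=$(/bin/echo "$eaxml" | /usr/bin/xpath '//extension_attribute[name="Hostname"]' | /usr/bin/awk -F'<value>|</value>' '{print $2}')
computerRole=$(/bin/echo "$eaxml" | /usr/bin/xpath '//extension_attribute[name="Mac User Role"]' | /usr/bin/awk -F'<value>|</value>' '{print $2}')
# Destroy API Bearer Token as it may be some time before we need another
/usr/bin/curl "$jamfUrl"/api/v1/auth/invalidate-token -H "Authorization: Bearer ${bearerToken}" -X POST -s -o /dev/null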
# Wait for the setup assistant to complete before continuing
log "Waiting for Setup Assistant to complete..."
# Name of the current console user as reported by configd; prints nothing while
# the loginwindow owns the console
consoleUser() {
  /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }} '
}
loggedInUser="$(consoleUser)"
# Setup Assistant runs as _mbsetupuser - poll every 5s until someone else owns the console
until [[ "$loggedInUser" != "_mbsetupuser" ]]; do
  /bin/sleep 5
  loggedInUser="$(consoleUser)"
done
# Let's continue
log "Setup Assistant complete, continuing..."
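# Escape the characters that would break (or inject into) the XML element bodies
# built below. '&' goes first so the other replacements are not double-escaped.
xmlEscape() {
  local s="$1"
  s="${s//&/&amp;}"
  s="${s//</&lt;}"
  s="${s//>/&gt;}"
  /usr/bin/printf '%s' "$s"
}
# Upload one extension attribute ($1 = EA name, $2 = value) for this serial number.
# The XML goes to a mktemp'd file rather than the fixed /var/tmp/name.xml and
# /var/tmp/role.xml of the original: we run as root and /var/tmp is world-writable,
# so a predictable name is an easy symlink target. Reads $bearerToken, $jamfUrl
# and $serial from the enclosing script.
setExtensionAttribute() {
  local xmlFile
  xmlFile="$(/usr/bin/mktemp /var/tmp/ea.XXXXXX)" || { log "mktemp failed, cannot update EA '$1'"; return 1; }
  /bin/cat > "$xmlFile" <<EOF
<computer>
<extension_attributes>
<extension_attribute>
<name>$(xmlEscape "$1")</name>
<value>$(xmlEscape "$2")</value>
</extension_attribute>
</extension_attributes>
</computer>
EOF
  ## Upload the xml file
  /usr/bin/curl -s "$jamfUrl"/JSSResource/computers/serialnumber/"$serial" -H "Authorization: Bearer ${bearerToken}" -H "Content-type: text/xml" -T "$xmlFile" -X PUT
  /bin/rm -f -- "$xmlFile"
}
if [[ -z "$computerName" || -z "$computerRole" ]]; then
  log "Hostname or Role not set in JSS, proceeding to User Input..."
  # Quit Notify and proceed to UserInput mech
  /bin/echo "Command: Quit" >> /var/tmp/depnotify.log
  /bin/sleep 5
  # One properly quoted argument; the original's quoting split the path at the
  # space and relied on echo re-joining the pieces, so the written line is unchanged
  /bin/echo "Command: Image: /Library/Application Support/UEL/branding/logo-prov.png" > /var/tmp/depnotify.log
  /bin/echo "Command: MainTitle: Please wait a moment..." >> /var/tmp/depnotify.log
  /bin/echo "Command: MainText: " >> /var/tmp/depnotify.log
  /bin/echo "Status: Please wait..." >> /var/tmp/depnotify.log
  # Wait for the user data to be submitted...
  while [[ ! -f /var/tmp/userinputoutput.txt ]]; do
    log "Waiting for user data..."
    /bin/sleep 5
  done
  log "User data submitted, continuing setup..."
  # Let's read the user data into some variables...
  # The binary is /usr/libexec/PlistBuddy; the lower-case spelling presumably only
  # resolved because the boot volume is case-insensitive.
  computerName=$(/usr/libexec/PlistBuddy /var/tmp/userinputoutput.txt -c "print 'Computer Name'")
  computerRole=$(/usr/libexec/PlistBuddy /var/tmp/userinputoutput.txt -c "print 'Computer Role'")
  # NOTE(review): these values come from whoever is at the keyboard. They are
  # XML-escaped for the upload below but are otherwise trusted - they become the
  # hostname and the asset/room inventory fields later in this script.
  # Update Hostname and Computer Role in JSS
  # Get API Bearer Token - credentials via a curl config on stdin (-K -) so they
  # stay out of curl's argv; escape '\' and '"', the characters curl's config
  # parser treats specially inside a quoted value
  escUser=${apiUserName//\\/\\\\}; escUser=${escUser//\"/\\\"}
  escPass=${apiPassword//\\/\\\\}; escPass=${escPass//\"/\\\"}
  response=$(/usr/bin/printf 'user = "%s:%s"\n' "$escUser" "$escPass" | /usr/bin/curl -s -K - "$jamfUrl"/api/v1/auth/token -X POST)
  bearerToken=$(/bin/echo "$response" | /usr/bin/plutil -extract token raw -)
  [[ -n "$bearerToken" ]] || log "WARNING: no bearer token returned by ${jamfUrl} - EA updates will fail"
  setExtensionAttribute "Hostname" "$computerName"
  setExtensionAttribute "Mac User Role" "$computerRole"
fi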
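# Destroy API Bearer Token
/usr/bin/curl "$jamfUrl"/api/v1/auth/invalidate-token -H "Authorization: Bearer ${bearerToken}" -X POST -s -o /dev/null
# Carry on with the setup...
# Change DEPNotify title and text...
# printf '%s\n' writes the text as-is, including the literal '\n' sequences
# DEPNotify uses for line breaks - exactly what /bin/echo did.
/usr/bin/printf '%s\n' "Command: MainTitle: Setting things up..." >> /var/tmp/depnotify.log
# Students get the long time estimate, every other role the short one
if [[ "$computerRole" == "Student" ]]; then
  eta="This may take a few hours."
else
  eta="This may take up to 20 minutes."
fi
# The variables are now inside the quoted string. The original closed the string
# around each one, so a role or name containing whitespace would have been
# word-split (and any glob characters expanded) before reaching echo.
/usr/bin/printf '%s\n' "Command: MainText: Please wait while we set this Mac up with the software and settings it needs. ${eta} We'll restart automatically when we're finished. \n \n Role: ${computerRole} Mac \n Computer Name: ${computerName} \n macOS Version: ${osversion} \n macOS Build: ${osbuild}" >> /var/tmp/depnotify.log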
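log "Initiating Configuration..."
# Time to set the hostname...
/bin/echo "Status: Setting computer name" >> /var/tmp/depnotify.log
# Variable kept inside the quotes so log() receives a single argument even if
# the name contains whitespace (the original closed the string around it)
log "Setting hostname to ${computerName}..."
/usr/local/bin/jamf setComputerName -name "$computerName"
# Bind to AD
log "Binding to Active Directory..."
/bin/echo "Status: Binding to Active Directory..." >> /var/tmp/depnotify.log
# A failed bind is not fatal for the rest of provisioning, but record it so the
# firstrun log shows why a Mac came out unbound
if ! /usr/local/bin/jamf policy -event BindAD; then
  log "WARNING: BindAD policy trigger returned non-zero"
fi
# Deploy policies for all Macs
log "Running software deployment policies..."
/bin/echo "Status: Installing software, please wait..." >> /var/tmp/depnotify.log
if ! /usr/local/bin/jamf policy -event Deploy; then
  log "WARNING: Deploy policy trigger returned non-zero"
fi
log "Software deployment policies done running"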
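# Run a recon, set asset tag and room number - this takes the hostname e.g. ABCD123-12345 and splits it at the '-' character to extract the room (first field) and asset number (second field)
/bin/echo "Status: Updating inventory..." >> /var/tmp/depnotify.log
log "Setting variables for asset tag and room..."
# Room is everything before the first '-'. Asset number is the text between the
# first and second '-'. Unlike 'cut -d - -f 2', a name with no '-' yields an
# EMPTY asset number instead of the whole name, so a hostname that does not
# follow the ROOM-ASSET convention is no longer written into the asset tag field.
roomFromName() {
  /usr/bin/printf '%s' "${1%%-*}"
}
assetFromName() {
  local rest
  if [[ "$1" == *-* ]]; then
    rest="${1#*-}"
    /usr/bin/printf '%s' "${rest%%-*}"
  fi
}
assetno="$(assetFromName "$computerName")"
room="$(roomFromName "$computerName")"
log "Running recon..."
if [[ -n "$assetno" ]]; then
  /usr/local/bin/jamf recon -assetTag "$assetno" -room "$room"
else
  # Keep inventory fresh but leave the asset/room fields alone rather than filling them with junk
  log "Hostname '${computerName}' does not look like ROOM-ASSET; running recon without asset tag/room"
  /usr/local/bin/jamf recon
fi
# Run a Software Update - this calls a custom policy trigger that has a Software Update payload configured
log "Running Apple Software Update..."
/usr/local/bin/jamf policy -event DeploySUS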
# Finishing up - tell the provisioner what's happening
# All three DEPNotify lines appended in one go (same text, same order as before)
{
  /bin/echo "Command: MainTitle: All done!"
  /bin/echo "Command: MainText: This Mac will restart shortly and you'll be able to log in. \n \n If you need any assistance, please contact the UEL IT Service Desk. \n \n Telephone: 020 8223 2468 \n Email: [email protected]"
  /bin/echo "Status: Restarting, please wait..."
} >> /var/tmp/depnotify.log
# Reset login window authentication mech to Apple
log "Resetting Login Window..."
/usr/local/bin/authchanger -reset
# Kill caffeinate and restart with a 2 minute delay
log "Decaffeinating..."
log "Restarting in 2 minutes..."
# Release the sleep assertions held since the start of the run, then schedule the reboot
kill "${caffeinatepid}"
/sbin/shutdown -r +2 &
log "Done!"