@charliwest
Created January 10, 2024 09:22
Runs the first time a user logs in after enrollment macOS
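#!/bin/zsh
# Installs a "first boot" LaunchDaemon on a Jamf-managed Mac.
#
# What it writes:
#   1. an installer script that waits for a real console user and then fires
#      a series of Jamf policy triggers,
#   2. a LaunchDaemon plist that runs that installer script as root,
#   3. a cleanup script (meant to be called by a Jamf policy) that removes
#      all of the above.
#
# Must be run as root: it writes to /Library/LaunchDaemons and chowns files
# to root:wheel.
#
# Security notes:
#   - The installer script and its logs live in /var/tmp, which is
#     world-writable, yet the script is executed by launchd as root. Every
#     file is therefore (re)created from scratch by root with a restrictive
#     umask, and NO_CLOBBER makes '>' fail instead of writing into a file
#     that already exists at a predictable path.
#   - NOTE(review): a root-only directory would be a safer home than
#     /var/tmp. The paths are kept because Jamf policies may already call
#     the cleanup script by its current path - confirm before moving.

umask 077           # new files are root-only until permissions are set explicitly
setopt NO_CLOBBER   # '>' must create the file, never truncate an existing one

fail() {
  echo "$*" >&2
  exit 1
}

[[ ${EUID} -eq 0 ]] || fail "This script must be run as root."

organizationIdentifier=XXXX   # placeholder: replace with your organisation identifier
installerBaseString=${organizationIdentifier}.firstBoot
tempUtilitiesPath=/var/tmp
installerScriptName=${installerBaseString}-installer.zsh
uninstallerScriptName=${installerBaseString}-cleanup.zsh
launchDaemonName=${installerBaseString}.plist
launchDaemonPath="/Library/LaunchDaemons"/${launchDaemonName}
installerScriptPath=${tempUtilitiesPath}/${installerScriptName}
uninstallerScriptPath=${tempUtilitiesPath}/${uninstallerScriptName}
installerErrPath=${tempUtilitiesPath}/${installerScriptName}.err
installerOutPath=${tempUtilitiesPath}/${installerScriptName}.out

echo "Creating ${installerScriptPath}."
# Drop anything already sitting at the predictable path before creating it.
rm -f -- "${installerScriptPath}"
# Quoted delimiter: the body is written out literally, so every variable in
# it is evaluated when the installer runs, not while this file is generated.
# (The original left "$loggedInUser" unescaped on the Self Service line, so
# it expanded to an empty string here and the generated script ran "sudo -u"
# without a user name.)
(
cat <<'ENDOFINSTALLERSCRIPT'
#!/bin/zsh
while true; do
# Check if current user is root, admin, or otheradmin (change these as needed or remove). Also make sure it is not _mbsetupuser
loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
if [[ ${loggedInUser} == "root" || ${loggedInUser} == "admin" || ${loggedInUser} == "otheradmin" || ${loggedInUser} == "_mbsetupuser" || ${loggedInUser} == "" || ${loggedInUser} == "." ]]; then
echo "Cannot run script as ${loggedInUser}. Waiting for 10 seconds."
sleep 10
else
sleep 5
echo "Running script as ${loggedInUser}"
# Set up Dock
/usr/local/bin/jamf policy -event "setUpDock" &&
# Set VPN URL
/usr/local/bin/jamf policy -event "setVPNURL" &&
# Set Wallpaper
/usr/local/bin/jamf policy -event "setWallpaper" &&
# Set User Permissions for Printer, Network and Date & Time
/usr/local/bin/jamf policy -event "SetUserPermissions" &&
# Set Correct Username
/usr/local/bin/jamf policy -event "updateUsername" &&
# Set FV2 Keyboard Correctly
/usr/local/bin/jamf policy -event "fixKeyboardLayout" &&
# Sets the device enrollment complete
/usr/local/bin/jamf policy -event "SetDeviceEnrollmentCompleted" &&
# Open Self Service as the console user (this script itself runs as root)
sudo -u "${loggedInUser}" open "jamfselfservice://" &&
# Run a Recon
/usr/local/bin/jamf recon
# Open OneDrive, this makes it autostart each login.
# Launched as the console user so the app does not run with root privileges.
sudo -u "${loggedInUser}" open -a OneDrive
# Clean up set up
#rm /var/tmp/notifyJamf.sh
# Exit the loop and the script
break
fi
done
ENDOFINSTALLERSCRIPT
) > "${installerScriptPath}" || fail "Could not create ${installerScriptPath}."
echo "Setting permissions for ${installerScriptPath}."
chmod 700 "${installerScriptPath}"
chown root:wheel "${installerScriptPath}"

# launchd opens the log files as root. Create them here, root-owned, so it
# does not write through a file or link that someone else placed in /var/tmp.
for logPath in "${installerErrPath}" "${installerOutPath}"; do
  rm -f -- "${logPath}"
  : > "${logPath}" || fail "Could not create ${logPath}."
  chown root:wheel "${logPath}"
  chmod 600 "${logPath}"
done

echo "Creating ${launchDaemonPath}."
rm -f -- "${launchDaemonPath}"
# Unquoted delimiter: the paths are filled in now, at generation time.
(
cat <<ENDOFLAUNCHDAEMON
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>${launchDaemonName}</string>
<key>RunAtLoad</key>
<true/>
<key>UserName</key>
<string>root</string>
<key>ProgramArguments</key>
<array>
<string>/bin/zsh</string>
<string>${installerScriptPath}</string>
</array>
<key>StandardErrorPath</key>
<string>${installerErrPath}</string>
<key>StandardOutPath</key>
<string>${installerOutPath}</string>
</dict>
</plist>
ENDOFLAUNCHDAEMON
) > "${launchDaemonPath}" || fail "Could not create ${launchDaemonPath}."
echo "Setting permissions for ${launchDaemonPath}."
chmod 644 "${launchDaemonPath}"
chown root:wheel "${launchDaemonPath}"
echo "Loading ${launchDaemonName}."
launchctl load "${launchDaemonPath}"

echo "Creating ${uninstallerScriptPath}."
rm -f -- "${uninstallerScriptPath}"
# Unquoted delimiter: the paths are expanded now and written out as quoted
# literals. The last-but-two line removes the cleanup script by its full
# path; the original used the bare file name, which only resolved when the
# working directory happened to be /var/tmp.
(
cat <<ENDOFUNINSTALLERSCRIPT
#!/bin/zsh
# This is meant to be called by a Jamf Pro policy via trigger
# near the end of your "set up your Mac" script.
rm -f -- "${installerScriptPath}"
# Note that unloading the LaunchDaemon would immediately kill the running setup script.
# Just remove the underlying plist file, and the LaunchDaemon will not run after next reboot/login.
rm -f -- "${launchDaemonPath}"
rm -f -- "${uninstallerScriptPath}"
rm -f -- "${installerErrPath}"
rm -f -- "${installerOutPath}"
ENDOFUNINSTALLERSCRIPT
) > "${uninstallerScriptPath}" || fail "Could not create ${uninstallerScriptPath}."
echo "Setting permissions for ${uninstallerScriptPath}."
chmod 700 "${uninstallerScriptPath}"
chown root:wheel "${uninstallerScriptPath}"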