macos-authdb-mechs
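#!/bin/sh
# This Jamf extension attribute returns the mechanism entry index number
# (starting with zero) if Escrow Buddy is present in the authorization database
# login mechanisms, or "-1" otherwise.
MECHANISM="Escrow Buddy:Invoke,privileged"
# Use an unpredictable, self-cleaning temporary file rather than a fixed path in
# world-writable /tmp: this attribute runs as root, and a fixed name could be
# pre-created (e.g. as a symlink) by any local user before the read below.
AUTH_DB=$(mktemp /tmp/auth.db.XXXXXX) || exit 1
trap 'rm -f -- "$AUTH_DB"' EXIT
security authorizationdb read system.login.console 2>/dev/null > "$AUTH_DB"
# Line number of the first matching entry in the PlistBuddy array listing.
# Fixed-string match (-F) and a single line (head) keep INDEX a plain integer
# even if the name ever contains regex characters or appears more than once.
# NOTE(review): this matches the listing with XML <string> tags while the
# companion script matches the same listing without them — confirm the pattern
# actually matches on the target macOS version.
INDEX=$(/usr/libexec/PlistBuddy -c "Print :mechanisms:" "$AUTH_DB" 2>/dev/null | grep -nF -- "<string>$MECHANISM</string>" | head -n 1 | cut -d: -f1)
if [ -z "$INDEX" ]; then
  # Return -1 if mechanism is not in array
  INDEX="-1"
else
  # Adjust for extra lines of output at beginning of array
  INDEX=$((INDEX-2))
fi
echo "<result>$INDEX</result>"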
#!/bin/sh
# This Jamf extension attribute returns "Configured" if Escrow Buddy is present
# in the authorization database login mechanisms, or "Not Configured" otherwise.
MECHANISM="Escrow Buddy:Invoke,privileged"
# Default to the negative answer; only a successful match flips it.
RESULT="Not Configured"
if security authorizationdb read system.login.console 2>/dev/null | grep -q "<string>$MECHANISM</string>"; then
  RESULT="Configured"
fi
echo "<result>$RESULT</result>"
#!/bin/bash
###
#
# Name: ModifyAuthDBLoginMechs.sh
# Description: This script provides functions that can help Mac IT
# administrators modify and maintain the list of
# login mechanisms in the macOS authorization database.
# For details see:
# https://www.elliotjordan.com/posts/macos-authdb-mechs
# Author: Elliot Jordan <elliot@elliotjordan.com>
# Created: 2023-06-17
# Last Modified: 2023-06-17
# Version: 1.0.0
#
###
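# Check execution context (root required). Done before creating any files so
# that a non-root run leaves nothing behind.
if [[ $EUID -ne 0 ]]; then
  echo "ERROR: Please run this script as root."
  exit 1
fi
# Private temporary directory (mktemp -d creates it mode 0700) holding the
# working copy of the authorization database and its backup. A fixed path in
# world-writable /tmp could be pre-created or swapped by any local user between
# the read and the write-back, letting them influence what this root-run script
# installs into the authorization database.
AUTH_DB_DIR=$(mktemp -d /tmp/authdb.XXXXXX) || {
  echo "ERROR: Unable to create temporary directory."
  exit 1
}
# Working copy of the system.login.console right; BackupAuthDB saves a copy
# alongside it as "$AUTH_DB.backup".
AUTH_DB="$AUTH_DB_DIR/system.login.console.plist"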
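############################ FUNCTION: CheckAuthDB ############################
# Checks current loginwindow auth database for entry specified by parameter 1.
# Globals:   AUTH_DB (written: refreshed from the live database)
# Arguments: $1 - mechanism entry, e.g. "Escrow Buddy:Invoke,privileged"
# Outputs:   one status line on stdout
# Returns:   0 if present, 1 if absent, 2 if the database could not be read
CheckAuthDB() {
  local entry=$1
  # A failed read would leave an empty working copy and a misleading
  # "not configured" answer, so report it distinctly instead.
  if ! /usr/bin/security authorizationdb read system.login.console 2>/dev/null > "$AUTH_DB"; then
    echo "ERROR: Unable to read the authorization database."
    return 2
  fi
  # Fixed-string match: the entry name is data, not a regex.
  if grep -qF -- "<string>$entry</string>" "$AUTH_DB"; then
    echo "$entry is configured in the authorization database."
    return 0
  fi
  echo "$entry is not configured in the authorization database."
  return 1
}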
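############################ FUNCTION: BackupAuthDB ###########################
# Create a backup copy of the auth database at the path specified by $AUTH_DB
# Globals:   AUTH_DB (written: refreshed from the live database)
# Outputs:   backup location or error on stdout
# Returns:   0 on success, 1 if the database could not be read or copied
BackupAuthDB() {
  # Always snapshot the live database first so the backup reflects what is
  # actually installed (and so the copy below never fails on a missing file).
  if ! /usr/bin/security authorizationdb read system.login.console 2>/dev/null > "$AUTH_DB"; then
    echo "ERROR: Unable to read the authorization database."
    return 1
  fi
  if ! cp -- "$AUTH_DB" "$AUTH_DB.backup"; then
    echo "ERROR: Unable to create backup at $AUTH_DB.backup."
    return 1
  fi
  echo "Authorization database backed up to $AUTH_DB.backup."
  return 0
}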
######################## FUNCTION: ValidateAuthDBEntry ########################
# Validates the format of entry prior to modifying the authorization database
ValidateAuthDBEntry() {
if ! grep -qE '^[^,:]+:[^,:]+(,privileged)?$' <<< "$1"; then
echo "ERROR: Specified right is not formatted correctly: $1"
exit 1
fi
}
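############################ FUNCTION: AddToAuthDB ############################
# Add an entry before/after another entry
# The entry to add is specified by parameter 1
# "before" or "after" is specified by parameter 2
# The existing entry to use for placement is specified by parameter 3
# Globals:   AUTH_DB (read and modified, then written back to the live database)
# Outputs:   progress and error messages on stdout
# Returns:   0 on success; exits 1 on validation, lookup or write failure
AddToAuthDB() {
  local entry=$1 position=$2 anchor=$3
  local matches index
  ValidateAuthDBEntry "$entry"
  # Line numbers of listing lines containing the anchor (fixed-string match, so
  # a name such as "loginwindow:done" is never interpreted as a regex).
  matches=$(/usr/libexec/PlistBuddy -c "Print :mechanisms:" "$AUTH_DB" 2>/dev/null | grep -nF -- "$anchor" | cut -d: -f1)
  if [[ -z $matches ]]; then
    echo "ERROR: Unable to find $anchor in authorization database."
    exit 1
  fi
  # Several matching lines would make the arithmetic below fail or pick an
  # arbitrary position; refuse rather than guess.
  if [[ $matches == *$'\n'* ]]; then
    echo "ERROR: $anchor matches more than one entry in the authorization database; refusing to add."
    exit 1
  fi
  # Adjust index to account for PlistBuddy output format
  case "$position" in
    before) index=$((matches - 2)) ;;
    after) index=$((matches - 1)) ;;
    *)
      echo "ERROR: AddToAuthDB requires parameter 2 to be 'before' or 'after'."
      exit 1
      ;;
  esac
  # Insert mechanism relative to parameter 3
  echo "Adding $entry to authorization database $position $anchor..."
  if ! /usr/libexec/PlistBuddy -c "Add :mechanisms:$index string '$entry'" "$AUTH_DB"; then
    echo "ERROR: Unable to add $entry to the working copy of the authorization database."
    exit 1
  fi
  # Save authorization database changes
  if ! /usr/bin/security authorizationdb write system.login.console 2>/dev/null < "$AUTH_DB"; then
    echo "ERROR: Unable to save changes to authorization database."
    exit 1
  fi
  echo "$entry successfully configured in macOS authorization database."
}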
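########################## FUNCTION: RemoveFromAuthDB #########################
# Remove mechanism specified by parameter 1 from authorization database
# Globals:   AUTH_DB (read and modified, then written back to the live database)
# Outputs:   progress and error messages on stdout
# Returns:   0 on success or when the entry is absent; exits 1 on failure
RemoveFromAuthDB() {
  local entry=$1
  local matches index
  # Line numbers of listing lines containing the entry (fixed-string match).
  matches=$(/usr/libexec/PlistBuddy -c "Print :mechanisms:" "$AUTH_DB" 2>/dev/null | grep -nF -- "$entry" | cut -d: -f1)
  if [[ -z $matches ]]; then
    echo "$entry is not configured in the authorization database."
    return 0
  fi
  # Several matching lines would make the arithmetic below fail or delete the
  # wrong index; refuse rather than guess.
  if [[ $matches == *$'\n'* ]]; then
    echo "ERROR: $entry matches more than one entry in the authorization database; refusing to remove."
    exit 1
  fi
  # Adjust index to account for PlistBuddy output format
  index=$((matches - 2))
  # Remove mechanism from the working copy
  echo "Removing $entry from authorization database..."
  if ! /usr/libexec/PlistBuddy -c "Delete :mechanisms:$index" "$AUTH_DB"; then
    echo "ERROR: Unable to remove $entry from the working copy of the authorization database."
    exit 1
  fi
  # Save authorization database changes
  if ! /usr/bin/security authorizationdb write system.login.console 2>/dev/null < "$AUTH_DB"; then
    echo "ERROR: Unable to save changes to authorization database."
    exit 1
  fi
}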
################################ USAGE EXAMPLES ###############################
# The commented examples below demonstrate how to use the functions above.
# Example 1: Check authorization database for Escrow Buddy entry.
# If present, remove it.
#
# MECHANISM="Escrow Buddy:Invoke,privileged"
# if CheckAuthDB "$MECHANISM"; then
# BackupAuthDB
# RemoveFromAuthDB "$MECHANISM"
# fi
# Example 2: Check authorization database for Escrow Buddy entry.
# If absent, add it before loginwindow:done.
#
# MECHANISM="Escrow Buddy:Invoke,privileged"
# if ! CheckAuthDB "$MECHANISM"; then
# BackupAuthDB
# AddToAuthDB "$MECHANISM" "before" "loginwindow:done"
# fi
# Example 3: Check authorization database for Crypt entries.
# If any are absent, re-add them before loginwindow:done.
#
# MECHANISM1="Crypt:Check,privileged"
# MECHANISM2="Crypt:CryptGUI"
# MECHANISM3="Crypt:Enablement,privileged"
# if ! CheckAuthDB "$MECHANISM1" || ! CheckAuthDB "$MECHANISM2" || ! CheckAuthDB "$MECHANISM3"; then
# BackupAuthDB
# CheckAuthDB "$MECHANISM1" && RemoveFromAuthDB "$MECHANISM1"
# CheckAuthDB "$MECHANISM2" && RemoveFromAuthDB "$MECHANISM2"
# CheckAuthDB "$MECHANISM3" && RemoveFromAuthDB "$MECHANISM3"
# AddToAuthDB "$MECHANISM1" "before" "loginwindow:done"
# AddToAuthDB "$MECHANISM2" "before" "loginwindow:done"
# AddToAuthDB "$MECHANISM3" "before" "loginwindow:done"
# fi
# Example 4: Remove all Crypt entries from authorization database.
#
# MECHANISM1="Crypt:Check,privileged"
# MECHANISM2="Crypt:CryptGUI"
# MECHANISM3="Crypt:Enablement,privileged"
# BackupAuthDB
# CheckAuthDB "$MECHANISM1" && RemoveFromAuthDB "$MECHANISM1"
# CheckAuthDB "$MECHANISM2" && RemoveFromAuthDB "$MECHANISM2"
# CheckAuthDB "$MECHANISM3" && RemoveFromAuthDB "$MECHANISM3"