Skip to content

Instantly share code, notes, and snippets.

@rtrouton

rtrouton/gist:8032d209b3c810f0912f

Created June 4, 2014 14:22
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save rtrouton/8032d209b3c810f0912f to your computer and use it in GitHub Desktop.
Save rtrouton/8032d209b3c810f0912f to your computer and use it in GitHub Desktop.
Download ZIP
Script that fixes the Casper MDM certificate on a Casper 9.x-managed Mac running 10.7.x or later.
Raw
gistfile1.txt
#!/bin/bash
# Determine OS version
OSVERS=$(sw_vers -productVersion | awk -F. '{print $2}')
# Macs running 10.6.x or earlier are not able to use profiles.
# If the script detects that it is running on an OS earlier than
# 10.7.0, the script will exit at this point to avoid problems.
if [[ ${OSVERS} -lt 7 ]]; then
/usr/bin/logger "MDM profiles are not supported on this version of Mac OS X."
exit 0
fi
if [[ ${OSVERS} -ge 7 ]]; then
# If any previous instances of the fixcaspermdm LaunchDaemon and script exist,
# unload the LaunchDaemon and remove the LaunchDaemon and script files
if [[ -f "/Library/LaunchDaemons/com.company.fixcaspermdm.plist" ]]; then
/bin/launchctl unload "/Library/LaunchDaemons/com.company.fixcaspermdm.plist"
/bin/rm "/Library/LaunchDaemons/com.company.fixcaspermdm.plist"
fi
if [[ -f "/var/root/fixcaspermdm.sh" ]]; then
/bin/rm "/var/root/fixcaspermdm.sh"
fi
# Create the fixcaspermdm LaunchDaemon by using cat input redirection
# to write the XML contained below to a new file.
#
# The LaunchDaemon will run at load and every ten minutes thereafter.
/bin/cat > "/tmp/com.company.fixcaspermdm.plist" << 'CASPER_MDM_FIX_LAUNCHDAEMON'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.company.fixcaspermdm</string>
<key>ProgramArguments</key>
<array>
<string>sh</string>
<string>/var/root/fixcaspermdm.sh</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>StartInterval</key>
<integer>600</integer>
</dict>
</plist>
CASPER_MDM_FIX_LAUNCHDAEMON
# Create the fixcaspermdm script by using cat input redirection
# to write the shell script contained below to a new file.
#
# You will need to change the "jss_server_address" variable in the
# script below. Please put the complete fully qualified domain name
# address of your Casper server.
#
# You may need to change the "jss_server_port" variable in the
# script below. Please put the port number of your Casper server
# if it is different than 8443.
/bin/cat > "/tmp/fixcaspermdm.sh" << 'CASPER_MDM_FIX_SCRIPT'
#!/bin/bash
#
# User-editable variables
#
# For the jss_server_address variable, put the complete
# fully qualified domain name address of your Casper server
jss_server_address="casper.server.here"
# For the jss_server_address variable, put the port number
# of your Casper server. This is usually 8443; change as
# appropriate.
jss_server_port="8443"
CheckSiteNetwork (){
# CheckSiteNetwork function adapted from Facebook's check_corp function script.
# check_corp script available on Facebook's IT-CPE Github repo:
#
# check_corp:
# This script verifies a system is on the corporate network.
# Input: CORP_URL= set this to a hostname on your corp network
# Optional ($1) contains a parameter that is used for testing.
# Output: Returns a check_corp variable that will return "True" if on
# corp network, "False" otherwise.
# If a parameter is passed ($1), the check_corp variable will return it
# This is useful for testing scripts where you want to force check_corp
# to be either "True" or "False"
# USAGE:
# check_corp # No parameter passed
# check_corp "True" # Parameter of "True" is passed and returned
site_network="False"
ping=`host -W .5 $jss_server_address`
# If the ping fails - site_network="False"
[[ $? -eq 0 ]] && site_network="True"
# Check if we are using a test
[[ -n "$1" ]] && site_network="$1"
}
CheckTomcat (){
# Verifies that the JSS's Tomcat service is responding via its assigned port.
tomcat_chk=`nc -z -w 5 $jss_server_address $jss_server_port > /dev/null; echo $?`
if [ "$tomcat_chk" -eq 0 ]; then
/usr/bin/logger "Machine can connect to $jss_server_address over port $jss_server_port. Proceeding."
else
/usr/bin/logger "Machine cannot connect to $jss_server_address over port $jss_server_port. Exiting."
exit 0
fi
}
CheckLogAge (){
# Verifies that the /var/log/jamf.log hasn't been written to for at least five minutes.
# This should help ensure that jamf manage can run and not have to wait for a policy to
# finish running.
jamf_log="/var/log/jamf.log"
current_time=`date +%s`
last_modified=`stat -f %m "$jamf_log"`
if [[ $(($current_time-$last_modified)) -gt 300 ]]; then
/usr/bin/logger "Log has not been modified in the past five minutes. Proceeding."
else
/usr/bin/logger "Log has been modified in the past five minutes. Exiting."
exit 0
fi
}
FixMDM (){
# Verifies that the Mac can communicate with the Casper server.
# Once communication is verified, it takes the following actions:
#
# 1. Removes the existing MDM certificate if one exists
# 2. Runs jamf manage to fix the certificate
# 3. Runs a recon to send an updated inventory to the JSS to report
# that the MDM certificate is fixed.
#
jss_comm_chk=`/usr/sbin/jamf checkJSSConnection > /dev/null; echo $?`
if [[ "$jss_comm_chk" -gt 0 ]]; then
/usr/bin/logger "Machine cannot connect to the JSS. Exiting."
exit 0
elif [[ "$jss_comm_chk" -eq 0 ]]; then
/usr/bin/logger "Machine can connect to the JSS. Fixing MDM"
/usr/sbin/jamf removeMdmProfile -verbose
/usr/sbin/jamf manage -verbose
/usr/sbin/jamf recon
fi
}
SelfDestruct (){
# Removes script and associated LaunchDaemon
if [[ -f "/Library/LaunchDaemons/com.company.fixcaspermdm.plist" ]]; then
/bin/rm "/Library/LaunchDaemons/com.company.fixcaspermdm.plist"
fi
srm $0
}
CheckSiteNetwork
if [[ "$site_network" == "False" ]]; then
/usr/bin/logger "Unable to verify access to site network. Exiting."
fi
if [[ "$site_network" == "True" ]]; then
/usr/bin/logger "Access to site network verified"
CheckTomcat
CheckLogAge
FixMDM
SelfDestruct
fi
exit 0
CASPER_MDM_FIX_SCRIPT
# Once the LaunchDaemon file has been created, fix the permissions
# so that the file is owned by root:wheel and set to not be executable
# After the permissions have been updated, move the LaunchDaemon into
# place in /Library/LaunchDaemons.
/usr/sbin/chown root:wheel "/tmp/com.company.fixcaspermdm.plist"
/bin/chmod 755 "/tmp/com.company.fixcaspermdm.plist"
/bin/chmod a-x "/tmp/com.company.fixcaspermdm.plist"
/bin/mv "/tmp/com.company.fixcaspermdm.plist" "/Library/LaunchDaemons/com.company.fixcaspermdm.plist"
# Once the script file has been created, fix the permissions
# so that the file is owned by root:wheel and set to be executable
# After the permissions have been updated, move the script into the
# place that it will be executed from.
/usr/sbin/chown root:wheel "/tmp/fixcaspermdm.sh"
/bin/chmod 755 "/tmp/fixcaspermdm.sh"
/bin/chmod a+x "/tmp/fixcaspermdm.sh"
/bin/mv "/tmp/fixcaspermdm.sh" "/var/root/fixcaspermdm.sh"
# After the LaunchDaemon and script are in place with proper permissions,
# load the LaunchDaemon to begin the script's execution.
/bin/launchctl load -w "/Library/LaunchDaemons/com.company.fixcaspermdm.plist"
fi
exit 0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment