JSS distribution point share folder permissions and accounts repair
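#!/bin/bash
#################################################################################################################
# JSS distribution point share folder permissions and accounts repair.
#
# This script assumes JSS is using the default read and write usernames: jamf, jamfadmin
# This script also assumes that the local administrator account used on the Mac is named: administrator
#
# Every step below writes to /Library/Preferences, loads system LaunchDaemons and reconfigures
# SSH / Remote Management, so the whole script must run as root (e.g. `sudo ./repair.sh`) from a
# logged-in GUI session so the folder chooser can be shown.
#################################################################################################################

readonly JAMF_READ_USER="jamf"
readonly JAMF_WRITE_USER="jamfadmin"
readonly LOCAL_ADMIN_USER="administrator"
readonly KICKSTART="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: $* - message
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print a warning to stderr and keep going (used for best-effort steps).
# Arguments: $* - message
#######################################
warn() {
  printf 'WARNING: %s\n' "$*" >&2
}

#######################################
# Ask the user to point to the share folder with a GUI folder chooser.
# Outputs:  the chosen folder's POSIX path, without a trailing slash, on stdout
# Returns:  0 on success, 1 if the dialog was cancelled or failed
#######################################
pick_share_folder() {
  local chosen
  chosen=$(/usr/bin/osascript <<'EOD'
tell application "System Events"
activate
try
set FolderName to POSIX path of (choose folder with prompt "Browse to the JSS Distribution Point Share folder:")
on error
set FolderName to "!ERROR!"
end try
end tell
EOD
  )
  [[ -n "$chosen" && "$chosen" != "!ERROR!" ]] || return 1
  # AppleScript's POSIX path of a folder typically ends in "/"; strip it so the
  # parent/name split below yields a non-empty folder name.
  printf '%s\n' "${chosen%/}"
}

#######################################
# Set the distribution point ACLs on the share folder (run from its parent directory).
# Arguments: $1 - share folder name, relative to the current directory
#######################################
set_share_acls() {
  local share_name=$1
  printf 'Setting permissions for the share folder: %s\n' "$share_name"
  # Allow jamf account to Read only; the inherit flags make new files/subfolders pick it up too
  chmod -R +ai "user:${JAMF_READ_USER} allow list,search,readattr,readextattr,readsecurity,file_inherit,directory_inherit" -- "$share_name" \
    || warn "could not set read-only ACL for ${JAMF_READ_USER} on ${share_name}"
  # Allow jamfadmin account Read & Write access
  # NOTE(review): unlike the jamf ACE these two carry no file_inherit/directory_inherit, so files
  # created after this run will not receive them — confirm that is intended.
  chmod -R +a "${JAMF_WRITE_USER} allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity" -- "$share_name" \
    || warn "could not set read/write ACL for ${JAMF_WRITE_USER} on ${share_name}"
  # Allow administrator account Read & Write access
  chmod -R +a "${LOCAL_ADMIN_USER} allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity" -- "$share_name" \
    || warn "could not set read/write ACL for ${LOCAL_ADMIN_USER} on ${share_name}"
}

#######################################
# Hide the JAMF service accounts from the login screen.
#######################################
hide_jamf_accounts() {
  # -array-add appends on every run, so repeated runs accumulate duplicate entries (harmless).
  defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add "$JAMF_READ_USER" "$JAMF_WRITE_USER" \
    || warn "could not update HiddenUsersList"
}

#######################################
# Turn on SSH and limit it to members of com.apple.access_ssh (only the administrator account is added).
#######################################
enable_ssh_for_admin() {
  # Make sure the group exists; create fails when it already does, which is fine here.
  /usr/sbin/dseditgroup -o create -q com.apple.access_ssh || true
  # Add the administrator account to the group
  /usr/sbin/dseditgroup -o edit -a "$LOCAL_ADMIN_USER" -t user com.apple.access_ssh \
    || warn "could not add ${LOCAL_ADMIN_USER} to com.apple.access_ssh"
  # Turn remote login on
  /usr/sbin/systemsetup -setremotelogin on || warn "could not enable remote login"
}

#######################################
# Turn on Remote Management and limit it to the administrator account.
#######################################
enable_remote_management() {
  # Kept as an array so each privilege flag is passed as its own argument.
  local -a privs=(-DeleteFiles -ControlObserve -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings)
  printf 'Enabling Apple Remote Desktop Agent...\n'
  "$KICKSTART" -activate -configure -allowAccessFor -specifiedUsers \
    || warn "kickstart -activate failed"
  printf 'Setting Remote Management Privileges for User: %s ...\n' "$LOCAL_ADMIN_USER"
  "$KICKSTART" -configure -access -on -privs "${privs[@]}" -users "$LOCAL_ADMIN_USER" \
    || warn "kickstart -configure failed for ${LOCAL_ADMIN_USER}"
}

#######################################
# Turn on File Sharing (SMB and AFP) and add the share folder.
# Arguments: $1 - absolute path of the share folder
#######################################
enable_file_sharing() {
  local share_path=$1
  # launchctl load -w returns non-zero when the daemon is already loaded; that is not an error here.
  launchctl load -w /System/Library/LaunchDaemons/com.apple.smbd.plist || true
  defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist EnabledServices -array disk \
    || warn "could not enable SMB disk sharing"
  launchctl load -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist || true
  defaults write /Library/Preferences/SystemConfiguration/com.apple.AppleFileServer.plist EnabledServices -array disk \
    || warn "could not enable AFP disk sharing"
  # Share the folder the user actually picked rather than a hard-coded /Users/shared/<name> path,
  # which only matched when the distribution point lived there.
  sharing -a "$share_path" || warn "could not add share for ${share_path}"
}

#######################################
# Entry point: pick the share folder, cd to its parent, then run all repairs.
#######################################
main() {
  (( EUID == 0 )) || die "this script must be run as root (use sudo)"

  local share_path share_parent share_name
  share_path=$(pick_share_folder) || die "No share folder selected; nothing was changed."
  printf 'Share Folder location is: %s\n' "$share_path"

  share_parent=${share_path%/*}
  share_parent=${share_parent:-/}   # a top-level folder like /JSS has parent "/"
  share_name=${share_path##*/}
  [[ -n "$share_name" && -d "$share_path" ]] || die "'${share_path}' is not a folder"

  printf 'Browsing to the outside of the Shared folder, to path: %s\n' "$share_parent"
  # Abort if cd fails: the ACL steps below use a relative name and must not run elsewhere.
  cd -- "$share_parent" || die "cannot cd to ${share_parent}"
  printf 'Share Folder name is: %s, which will be used to run the repairs.\n' "$share_name"

  #RUN THE REPAIRS
  set_share_acls "$share_name"
  hide_jamf_accounts
  enable_ssh_for_admin
  enable_remote_management
  enable_file_sharing "$share_path"
}

main "$@"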