shurkin18/Apple-Automated-Updates-Deferral-JIRA-Ticket.sh

## Apple-Automated-Updates-Deferral-JIRA-Ticket.sh
#!/bin/bash

############################################################################################################################
# NOTE1: You will need to supply the JIRA API credentials down below under "JIRA API credentials and Issue Category" section
# NOTE2: You will need to modify the issue type id variable "mm_jira_cloud_it_tic_issue_type" (# Issue Type can be found in
# JIRA > Administration > Issues > Issue Types > copy link of Edit button next to the issue type and there will be ID at the end)
# NOTE3: You can modify the ticket creation wording for the summary and description, however make sure you match the issue/ticket
# presence check section as well, as it uses specific wording in the issue/ticket summary ("AUTOMATED TICKET") and the Reporter,
# so that if 1 issue/ticket is already created for the user > it will not keep creating more similar tickets!
# The rest of the script you can leave intact
#
# NOTE4: The original Apple Updates script I found a while ago on JAMF Nation, then modified it a bunch of times and now
# replaced the Apple Update force part (this can't be done on newer macOS anyways) with JIRA ticket creation
############################################################################################################################

# This script is meant to be used with Jamf Pro and makes use of Jamf Helper.
# The idea behind this script is that it alerts the user that there are required OS
# updates that need to be installed. Rather than forcing updates to take place through the
# command line using "softwareupdate", the user is encouraged to use the GUI to update.

# The script will allow end users to postpone/defer updates X amount of times and then will
# submit a JIRA ticket
#
# JAMF Pro Script Parameters:
# Parameter 4: Optional. Number of postponements allowed. Default: 3
# Parameter 5: Optional. Number of seconds dialog should remain up. Default: 900 seconds
# Parameter 6: Optional. Contact email, number, or department name used in messaging.
#              Default: IT
# Parameter 7: Optional. Set your own custom icon. Default is Apple Software Update icon.

###### ACTUAL WORKING CODE  BELOW #######
setDeferral (){
	# Notes: PlistBuddy "print" will print stderr to stdout when file is not found.
	#   File Doesn't Exist, Will Create: /path/to/file.plist
	# There is some unused code here with the idea that at some point in the future I can
	# extend functionality of this script to support hard and relative dates.
	BundleID="${1}"
	DeferralType="${2}"
	DeferralValue="${3}"
	DeferralPlist="${4}"

	if [[ "$DeferralType" == "date" ]]; then
		DeferralDate="$(/usr/libexec/PlistBuddy -c "print :"$BundleID":date" "$DeferralPlist" 2>/dev/null)"
		# Set deferral date
		if [[ -n "$DeferralDate" ]] && [[ ! "$DeferralDate" == *"File Doesn't Exist"* ]]; then
			# PlistBuddy command example
			# /usr/libexec/PlistBuddy -c "set :"$BundleID":date '07/04/2019 11:21:51 +0000'" "$DeferralPlist"
			/usr/libexec/PlistBuddy -c "set :"$BundleID":date $DeferralValue" "$DeferralPlist" 2>/dev/null
		else
			# PlistBuddy command example
			# /usr/libexec/PlistBuddy -c "add :"$BundleID":date date '07/04/2019 11:21:51 +0000'" "$DeferralPlist"
			/usr/libexec/PlistBuddy -c "add :"$BundleID":date date $DeferralValue" "$DeferralPlist" 2>/dev/null
		fi
	elif [[ "$DeferralType" == "count" ]]; then
		DeferralCount="$(/usr/libexec/PlistBuddy -c "print :"$BundleID":count" "$DeferralPlist" 2>/dev/null)"
		# Set deferral count
		if [[ -n "$DeferralCount" ]] && [[ ! "$DeferralCount" == *"File Doesn't Exist"* ]]; then
			/usr/libexec/PlistBuddy -c "set :"$BundleID":count $DeferralValue" "$DeferralPlist" 2>/dev/null
		else
			/usr/libexec/PlistBuddy -c "add :"$BundleID":count integer $DeferralValue" "$DeferralPlist" 2>/dev/null
		fi
	else
		echo "Incorrect deferral type used"
		exit 14
	fi
}

# Set path where deferral plist will be placed
DeferralPlistPath="/Library/Application Support/JAMF"
[[ ! -d "$DeferralPlistPath" ]] && /bin/mkdir -p "$DeferralPlistPath"

OSMajorVersion="$(/usr/bin/sw_vers -productVersion | /usr/bin/cut -d '.' -f 1)"
OSMinorVersion="$(/usr/bin/sw_vers -productVersion | /usr/bin/cut -d '.' -f 2)"
OSPatchVersion="$(/usr/bin/sw_vers -productVersion | /usr/bin/cut -d '.' -f 3)"
DeferralPlist="$DeferralPlistPath/com.custom.deferrals.plist"
BundleID="com.apple.SoftwareUpdate"
DeferralType="count"
DeferralValue="${4}"
TimeOutinSec="${5}"
ITContact="${6}"
AppleSUIcon="${7}"

# Set default values
[[ -z "$DeferralValue" ]] && DeferralValue=3
[[ -z "$TimeOutinSec" ]] && TimeOutinSec="900"
[[ -z "$ITContact" ]] && ITContact="IT"

CurrentDeferralValue="$(/usr/libexec/PlistBuddy -c "print :"$BundleID":count" "$DeferralPlist" 2>/dev/null)"

# Set up the deferral value if it does not exist already
if [[ -z "$CurrentDeferralValue" ]] || [[ "$CurrentDeferralValue" == *"File Doesn't Exist"* ]]; then
	setDeferral "$BundleID" "$DeferralType" "$DeferralValue" "$DeferralPlist"
	CurrentDeferralValue="$(/usr/libexec/PlistBuddy -c "print :"$BundleID":count" "$DeferralPlist" 2>/dev/null)"
fi

jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
jamf="/usr/local/bin/jamf"

# Path to temporarily store list of software updates. Avoids having to re-run the softwareupdate command multiple times.
ListOfSoftwareUpdates="/tmp/ListOfSoftwareUpdates"

# If non-existent path has been supplied, set appropriate Software Update icon depending on OS version
if [[ ! -e "$AppleSUIcon" ]]; then
	if [[ "$OSMajorVersion" -ge 11 ]] || [[ "$OSMajorVersion" -eq 10 && "$OSMinorVersion" -gt 13 ]]; then
		AppleSUIcon="/System/Library/PreferencePanes/SoftwareUpdate.prefPane/Contents/Resources/SoftwareUpdate.icns"
	elif [[ "$OSMajorVersion" -eq 10 && "$OSMinorVersion" -eq 13 ]]; then
		AppleSUIcon="/System/Library/CoreServices/Install Command Line Developer Tools.app/Contents/Resources/SoftwareUpdate.icns"
	elif [[ "$OSMajorVersion" -eq 10 && "$OSMinorVersion" -ge 8 && "$OSMinorVersion" -le 12 ]]; then
		AppleSUIcon="/System/Library/CoreServices/Software Update.app/Contents/Resources/SoftwareUpdate.icns"
	elif [[ "$OSMajorVersion" -eq 10 && "$OSMinorVersion" -lt 8 ]]; then
		AppleSUIcon="/System/Library/CoreServices/Software Update.app/Contents/Resources/Software Update.icns"
	fi
fi

# Path to the alert caution icon
AlertIcon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns"

## Verbiage For Messages ##
# Message to guide user to Software Update process
if [[ "$OSMajorVersion" -ge 11 ]] || [[ "$OSMajorVersion" -eq 10 && "$OSMinorVersion" -ge 14 ]]; then
	#SUGuide="by clicking on the Apple menu, clicking System Preferences and clicking Software Update to install any available updates."
	SUGuide="by navigating to:

 > System Preferences > Software Update"
else
	#SUGuide="by opening up the App Store located in the Applications folder and clicking on the Updates tab to install any available updates."
	SUGuide="by navigating to:

 > App Store > Updates tab"
fi

# Message to let user to contact IT
ContactMsg="There seems to have been an error installing the updates. You can try again $SUGuide

If the error persists, please contact $ITContact."

# Message to display when computer is running off battery
NoACPower="The computer is currently running off battery and is not plugged into a power source."

# Standard Update Message
StandardUpdatePrompt="There is an OS update available for your Mac. Please click Continue to proceed to Software Update to run this update. If you are unable to start the process at this time, you may choose to postpone by one day.

Attempts left to postpone: $CurrentDeferralValue

You may install macOS software updates at any time $SUGuide"

# Forced Update Message
ForcedUpdatePrompt="There are software updates available for your Mac that require you to restart. You have already postponed updates the maximum number of times.

Please save your work and click 'Update' otherwise this message will disappear and the computer will restart automatically."

# Message shown when running CLI updates
HUDMessage="Please save your work and quit all other applications. macOS software updates are being installed in the background. Do not turn off this computer during this time.

This message will go away when updates are complete and closing it will not stop the update process.

If you feel too much time has passed, please contact $ITContact.

"
#Out of Space Message
NoSpacePrompt="Please clear up some space by deleting files and then attempt to do the update $SUGuide.

If this error persists, please contact $ITContact."

UserDidNotUpdateActionRequired="There is a critical software update(s) available for your Mac that need to be installed (which will require a restart). You have already postponed updates the maximum number of times.

Since the updates were not installed - a ticket will be submitted to MediaMath IT and someone will reach out to assist."

## Functions ##
powerCheck (){
	# This is meant to be used when doing CLI update installs.
	# Updates through the GUI can already determine its own requirements to proceed with
	# the update process.
	# Let's wait 5 minutes to see if computer gets plugged into power.
	for (( i = 1; i <= 5; ++i )); do
		if [[ "$(/usr/bin/pmset -g ps | /usr/bin/grep "Battery Power")" = "Now drawing from 'Battery Power'" ]] && [[ $i = 5 ]]; then
			echo "$NoACPower"
		elif [[ "$(/usr/bin/pmset -g ps | /usr/bin/grep "Battery Power")" = "Now drawing from 'Battery Power'" ]]; then
			/bin/sleep 60
		else
			return 0
		fi
	done
	exit 11
}


updateCLI (){
	# Install all software updates
	/usr/sbin/softwareupdate -ia --verbose 1>> "$ListOfSoftwareUpdates" 2>> "$ListOfSoftwareUpdates" &

	## Get the Process ID of the last command run in the background ($!) and wait for it to complete (wait)
	# If you don't wait, the computer may take a restart action before updates are finished
	SUPID=$(echo "$!")

	wait $SUPID

	SU_EC=$?

	echo $SU_EC

	return $SU_EC
}


updateRestartAction (){
	# On T2 hardware, we need to shutdown on certain updates
	# Verbiage found when installing updates that require a shutdown:
	#   To install these updates, your computer must shut down. Your computer will automatically start up to finish installation.
	#   Installation will not complete successfully if you choose to restart your computer instead of shutting down.
	#   Please call halt(8) or select Shut Down from the Apple menu. To automate the shutdown process with softwareupdate(8), use --restart.
	if [[ "$(/bin/cat "$ListOfSoftwareUpdates" | /usr/bin/grep -E "Please call halt")" || "$(/bin/cat "$ListOfSoftwareUpdates" | /usr/bin/grep -E "your computer must shut down")" ]] && [[ "$SEPType" ]]; then
		if [[ "$OSMajorVersion" -eq 10 && "$OSMinorVersion" -eq 13 && "$OSPatchVersion" -ge 4 ]] || [[ "$OSMajorVersion" -eq 10 && "$OSMinorVersion" -ge 14 ]] || [[ "$OSMajorVersion" -ge 11 ]]; then
			# Resetting the deferral count
			setDeferral "$BundleID" "$DeferralType" "$DeferralValue" "$DeferralPlist"

			echo "Restart Action: Shutdown/Halt"

			/sbin/shutdown -h now
			exit 0
		fi
	fi
	# Resetting the deferral count
	setDeferral "$BundleID" "$DeferralType" "$DeferralValue" "$DeferralPlist"

	# If no shutdown is required then let's go ahead and restart
	echo "Restart Action: Restart"

	/sbin/shutdown -r now
	exit 0
}


updateGUI (){
	# Update through the GUI
	if [[ "$OSMajorVersion" -ge 11 ]] || [[ "$OSMajorVersion" -eq 10 && "$OSMinorVersion" -ge 14 ]]; then
		/bin/launchctl $LMethod $LID /usr/bin/open "/System/Library/CoreServices/Software Update.app"
	elif [[ "$OSMajorVersion" -eq 10 && "$OSMinorVersion" -ge 8 && "$OSMinorVersion" -le 13 ]]; then
		/bin/launchctl $LMethod $LID /usr/bin/open macappstore://showUpdatesPage
	fi
}


fvStatusCheck (){
	# Check to see if the encryption process is complete
	FVStatus="$(/usr/bin/fdesetup status)"
	if [[ $(/usr/bin/grep -q "Encryption in progress" <<< "$FVStatus") ]]; then
		echo "The encryption process is still in progress."
		echo "$FVStatus"
		exit 13
	fi
}


runUpdates (){
	"$jamfHelper" -windowType hud -lockhud -title "Apple Software Update" -description "$HUDMessage""START TIME: $(/bin/date +"%b %d %Y %T")" -icon "$AppleSUIcon" &>/dev/null &

	## We'll need the pid of jamfHelper to kill it once the updates are complete
	JHPID=$(echo "$!")

	## Run the jamf policy to insall software updates
	SU_EC="$(updateCLI)"

	## Kill the jamfHelper. If a restart is needed, the user will be prompted. If not the hud will just go away
	/bin/kill -s KILL "$JHPID" &>/dev/null

	# softwareupdate does not exit with error when insufficient space is detected
	# which is why we need to get ahead of that error
	if [[ "$(/bin/cat "$ListOfSoftwareUpdates" | /usr/bin/grep -E "Not enough free disk space")" ]]; then
		SpaceError=$(echo "$(/bin/cat "$ListOfSoftwareUpdates" | /usr/bin/grep -E "Not enough free disk space" | /usr/bin/tail -n 1)")
		AvailableFreeSpace=$(/bin/df -g / | /usr/bin/awk '(NR == 2){print $4}')

		echo "$SpaceError"
		echo "Disk has $AvailableFreeSpace GB of free space."

		"$jamfHelper" -windowType utility -icon "$AlertIcon" -title "Apple Software Update Error" -description "$SpaceError Your disk has $AvailableFreeSpace GB of free space. $NoSpacePrompt" -button1 "OK" &
		return 15
	fi

	if [[ "$SU_EC" -eq 0 ]]; then
		updateRestartAction
	else
		echo "/usr/bin/softwareupdate failed. Exit Code: $SU_EC"

		"$jamfHelper" -windowType utility -icon "$AppleSUIcon" -title "Apple Software Update" -description "$ContactMsg" -button1 "OK" &
		return 12
	fi

	exit 0
}


# Function to do best effort check if using presentation or web conferencing is active
checkForDisplaySleepAssertions() {
	Assertions="$(/usr/bin/pmset -g assertions | /usr/bin/awk '/NoDisplaySleepAssertion | PreventUserIdleDisplaySleep/ && match($0,/\(.+\)/) && ! /coreaudiod/ {gsub(/^\ +/,"",$0); print};')"

	# There are multiple types of power assertions an app can assert.
	# These specifically tend to be used when an app wants to try and prevent the OS from going to display sleep.
	# Scenarios where an app may not want to have the display going to sleep include, but are not limited to:
	#   Presentation (KeyNote, PowerPoint)
	#   Web conference software (Zoom, Webex)
	#   Screen sharing session
	# Apps have to make the assertion and therefore it's possible some apps may not get captured.
	# Some assertions can be found here: https://developer.apple.com/documentation/iokit/iopmlib_h/iopmassertiontypes
	if [[ "$Assertions" ]]; then
		echo "The following display-related power assertions have been detected:"
		echo "$Assertions"
		echo "Exiting script to avoid disrupting user while these power assertions are active."

		exit 0
	fi
}

# Store list of software updates in /tmp which gets cleared periodically by the OS and on restarts
/usr/sbin/softwareupdate -l 2>&1 > "$ListOfSoftwareUpdates"

UpdatesNoRestart=$(/bin/cat "$ListOfSoftwareUpdates" | /usr/bin/grep -i recommended | /usr/bin/grep -v -i restart | /usr/bin/cut -d , -f 1 | /usr/bin/sed -e 's/^[[:space:]]*//' | /usr/bin/sed -e 's/^Title:\ *//')
RestartRequired=$(/bin/cat "$ListOfSoftwareUpdates" | /usr/bin/grep -i restart | /usr/bin/grep -v '\*' | /usr/bin/cut -d , -f 1 | /usr/bin/sed -e 's/^[[:space:]]*//' | /usr/bin/sed -e 's/^Title:\ *//')

# Determine Secure Enclave version
SEPType="$(/usr/sbin/system_profiler SPiBridgeDataType | /usr/bin/awk -F: '/Model Name/ { gsub(/.*: /,""); print $0}')"

# Determine currently logged in user
LoggedInUser="$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }')"

# Determine logged in user's UID
LoggedInUserID=$(/usr/bin/id -u "$LoggedInUser")

# Determine launchctl method we will need to use to launch osascript under user context
if [[ "$OSMajorVersion" -eq 10 && "$OSMinorVersion" -le 9 ]]; then
	LID=$(/usr/bin/pgrep -x -u "$LoggedInUserID" loginwindow)
	LMethod="bsexec"
else
	LID=$LoggedInUserID
	LMethod="asuser"
fi

# Let's make sure FileVault isn't encrypting before proceeding any further
fvStatusCheck

# If there are no system updates, reset timer and exit script
if [[ "$UpdatesNoRestart" == "" ]] && [[ "$RestartRequired" == "" ]]; then
	echo "No updates at this time."

	## CAN TEST OUT HERE IF NO UPDATES ARE AVAILABLE ##
	########################TESTING########################
	########################TESTING########################

	setDeferral "$BundleID" "$DeferralType" "$DeferralValue" "$DeferralPlist"
	exit 0
fi

# If we get to this point, there are updates available.
# If there is no one logged in, let's try to run the updates.
if [[ "$LoggedInUser" == "" ]]; then
	powerCheck
	updateCLI &>/dev/null
	updateRestartAction
else
	checkForDisplaySleepAssertions

	# Someone is logged in. Prompt if any updates require a restart ONLY IF the update timer has not reached zero
	if [[ "$RestartRequired" != "" ]]; then
		if [[ "$CurrentDeferralValue" -gt 0 ]]; then
			# Reduce the timer by 1. The script will run again the next day
			let CurrTimer=$CurrentDeferralValue-1
			setDeferral "$BundleID" "$DeferralType" "$CurrTimer" "$DeferralPlist"

			# If someone is logged in and they have not canceled $DeferralValue times already, prompt them to install updates that require a restart and state how many more times they can press 'cancel' before updates run automatically.
			HELPER=$("$jamfHelper" -windowType utility -icon "$AppleSUIcon" -title "Apple Software Update" -description "$StandardUpdatePrompt" -button1 "Continue" -button2 "Postpone" -cancelButton "2" -defaultButton 2 -timeout "$TimeOutinSec")
			echo "Jamf Helper Exit Code: $HELPER"

			# If they click "Update" then take them to the software update preference pane
			if [ "$HELPER" -eq 0 ]; then
				updateGUI
			fi

			exit 0
		else
			########################################################################################################################
			# shurkin18 ADDITIONS: If someone is logged in and they run out of deferrals, inform that an IT ticket will be submitted.
			HELPER=$("$jamfHelper" -windowType utility -icon "$AppleSUIcon" -title "Apple Software Update" -description "$UserDidNotUpdateActionRequired" -button1 "Acknowledge" -defaultButton 1 -timeout "$TimeOutinSecForForcedGUI" -countdown -alignCountdown "right")
			echo "Jamf Helper Exit Code: $HELPER"

			# Obtain currently logged in user account so that it can be passed to JIRA as the Reporter of the ticket
			currentLoggedInUser=`stat -f '%u %Su' /dev/console | awk '{ print $2 }'`
			echo "Currently logged in user is: $currentLoggedInUser"
			currentMachineName=$(hostname)
			todaysDate=$(date)

			#Echo log
			echo "Updates were not installed for: $currentLoggedInUser, machine name: $currentMachineName. Last deferral on: $todaysDate"
			echo "Submitting a JIRA ticket with Reporter being currently logged in user"


			########################################################################################################################
			########################################################################################################################
			# JIRA API credentials and Issue Category
			########################################################################################################################
			# You will need to generate a token (https://id.atlassian.com/manage-profile/security/api-tokens and click "Create API token")
			# Make sure that account has necessary access (JIRA groups) on the JIRA's end, especially if you will be creating tickets via API
			# NOTE: this is for mac only
			########################################################################################################################
			########################################################################################################################
			mm_jira_api_auth="APIACCOUNT@COMPANY.COM:TOKEN"
			mm_jira_api_url="https://COMPANY.atlassian.net/rest/api/2"

			mm_jira_cloud_it_tic_issue_type="10103"
			# Issue Type can be found in JIRA > Administration > Issues > Issue Types > copy link of Edit button next to the issue type and there will be ID at the end
			########################################################################################################################
			########################################################################################################################
			# NOTE: If you will be modifying JIRA ticket creation summary, make sure you match JIRA ticket search/check for ticket presence!!!
			########################################################################################################################
			########################################################################################################################

			# Obtain currently logged in user JIRA ID
			curlLoggedInUserID=`curl --request GET \
			--url "$mm_jira_api_url/user/search?query=$currentLoggedInUser" \
			--user "$mm_jira_api_auth" \
			--header 'Accept: application/json' | cut -d '"' -f4 | cut -d "=" -f2`
			echo "Currently logged in user is: $currentLoggedInUser, userID: $curlLoggedInUserID"

			########################################################################################################################
			# Search JIRA for Tickets with title "AUTOMATED TICKET", with Reporter - currently logged in user(by user JIRA ID)
			curlInputData=`curl \
			-D- \
			-u $mm_jira_api_auth \
			-X GET \
			-H "Content-Type: application/json" \
			$mm_jira_api_url/search?jql=summary%20~%20%22AUTOMATED%20TICKET%22%20AND%20reporter%20in%20%28$curlLoggedInUserID%29`
			########################################################################################################################

			#Obtain the total number of found tickets, ie 0/1/2/3/etc.
			totalResults=$(echo $curlInputData | sed -e 's/[{}]/''/g' | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}' | grep 'total' | awk -F \" '{ print $3 }' | sed 's/://' | sed '2,100d')

			# Check if no tickets are found | totalResults = 0 > no tickets found > create a ticket then
			if [[ $totalResults -eq "0" ]]; then
				echo "No Tickets found, ticket found results variable totalResults is: $totalResults"
				echo "Creating a JIRA ticket for $currentLoggedInUser"

				#Create JIRA API ticket - JIRA CLOUD / USING accountId (not name, name can't be used in Jira Cloud)
				curl \
				-D- \
				-u $mm_jira_api_auth \
				-X POST \
				-H "Content-Type: application/json" \
				$mm_jira_api_url/issue/ \
				--data '
				{
					"fields":
					{
						"project":
						{
						"key": "IT"
						},
						"issuetype":
						{
						"id": "'$mm_jira_api_issue_type'"
						},
						"summary": "AUTOMATED TICKET - Apple Critical Updates NOT installed - Action Required",
						"description": "Apple Critical Updates deferred maximum amount of times, action required, employee affected: '$currentLoggedInUser'@mediamath.com. Computer name: '$currentMachineName'.",
						"reporter":
						{
						"accountId": "'$curlLoggedInUserID'"
						}
					}
				}
				'
			else
				echo "Ticket(s) are present, NOT OPENING ANOTHER ONE!"
			fi


		fi
	fi
fi

# Install updates that do not require a restart
# Future Fix: Might want to see if Safari and iTunes are running as sometimes these apps sometimes do not require a restart but do require that the apps be closed
# A simple stop gap to see if either process is running.
if [[ "$UpdatesNoRestart" != "" ]] && [[ ! "$(/bin/ps -axc | /usr/bin/grep -e Safari$)" ]] && [[ ! "$(/bin/ps -axc | /usr/bin/grep -e iTunes$)" ]]; then
	powerCheck
	updateCLI &>/dev/null
fi

exit 0