smaddock/mdm-reenroll.sh

## mdm-reenroll.sh
#!/bin/bash
### IMPORTANT NOTICE ###
### BEFORE USING THE SCRIPT MAKE SURE THAT YOU HAVE YOUR OWN APPLE PUSH CERTIFICATE AND MDM PROFILE SET UP IN YOUR ADDIGY ENVIRONMENT ###
# Best practice is to use this Script for devices that are in a Policy with the MDM Profile configured correctly
# This script is made with the intention of streamlining the migration from an expired APN/Apple Push Certificate to a new one

MDMProfileIdentifier="com.github.addigy.mdm.mdm"
majorVersion=$(sw_vers -productVersion | awk -F. '{print $2}')
minorVersion=$(sw_vers -productVersion | awk -F. '{print $3}')

# Gets realm, policyID, and orgID and makes them into variables
realm=$(cat /Library/Addigy/config/.adg_agent_config | grep -i "realm" | sed '/realm /s///')
orgID=$(cat /Library/Addigy/config/.adg_agent_config | grep -i "orgid" | sed '/orgid /s///')
policyID=$(cat /Library/Addigy/config/.adg_agent_config | grep -i "policy_id" | sed '/policy_id /s///')

# Modify these strings to change the verbiage in the badge notification.
title="MDM Profile Installed!"
acceptText="Open"

# Download Addigy MDM Profile
rm -f "/Library/Addigy/mdm-profile-$orgID.mobileconfig"
if [[ $policyID != "" ]]; then
    echo "Downloading MDM with Policy"
    MDMInstallLink="https://mdm-$realm.addigy.com/mdm/enroll/$orgID/$policyID"
else
    echo "Downloading MDM without Policy"
    MDMInstallLink="https://mdm-$realm.addigy.com/mdm/enroll/$orgID"
fi
/Library/Addigy/go-agent download "$MDMInstallLink" "/Library/Addigy/mdm-profile-$orgID.mobileconfig"

# Check whether downloaded Addigy MDM Profile matches installed MDM profile, if one exists
echo "Checking for installed MDM profile..."
if sudo profiles -P | grep $MDMProfileIdentifier >& /dev/null; then
    echo "An MDM profile is already installed."
    if (( majorVersion < 15 )); then
        appPort="com.apple.mdmclient.daemon.push.production"
    else
        appPort="com.apple.aps.mdmclient.daemon.push.production"
    fi
    installedAPNTopic=$(/System/Library/PrivateFrameworks/ApplePushService.framework/apsctl status | grep -A 25 $appPort | grep topic: | tr -s ' ' | cut -d ' ' -f 3 | head -n 1)
    downloadedAPNTopic=$(security cms -D -i "/Library/Addigy/mdm-profile-$orgID.mobileconfig" | xmllint --pretty 1 - | grep -A1 "Topic" | grep "string" | cut -d '>' -f2 | cut -d '<' -f1)
    if [[ $installedAPNTopic == $downloadedAPNTopic ]]; then
        echo "Installed profile matches what is configured in Addigy. No action taken."
        exit 0
    else
        echo "Installed profile does not match Addigy. Removing old MDM profile..."
        profiles -R -p $MDMProfileIdentifier
    fi
else
    echo "No MDM profiles currently installed."
fi

# Install Addigy MDM Profile
echo "Installing Addigy MDM Profile..."
profiles -IF "/Library/Addigy/mdm-profile-$orgID.mobileconfig"

# Request user approval of Addigy MDM Profile if needed
echo "Checking macOS version compatibility."
if (( majorVersion < 13 || (majorVersion == 13 && minorVersion < 4) )); then
    echo "This device is on 10.${majorVersion}.${minorVersion}. Installing the Addigy MDM Profile, user approval is not needed."
else
    echo "This device is on 10.${majorVersion}.${minorVersion}, installing the Addigy MDM Profile. Please approve the profile after install."
    MDMProfileName=$(system_profiler SPConfigurationProfileDataType | grep -B 5 $MDMProfileIdentifier | sed 's/^          Description: .*$//g' | sed 's/^          Organization: .*$//g' | sed 's/^          Description: .*$//g' | sed 's/^          Organization: .*$//g' | sed 's/^          Installation Date: .*$//g' | sed 's/^          Identifier: .*$//g' | sed 's/://g' | sed 's/        //g')
    description="Please approve profile: \"$MDMProfileName\" to gain full MDM functionality!"
    if /Library/Addigy/macmanage/MacManage.app/Contents/MacOS/MacManage action=notify title="${title}" description="${description}" closeLabel="${acceptText}"; then
        # This first condition body needs to stay empty because of the single user prompt
        echo ""
    else
        open "/Applications/System Preferences.app" >& /dev/null
        sleep 0.5
        open /System/Library/PreferencePanes/Profiles.prefPane >& /dev/null
    fi
fi
	#!/bin/bash
	### IMPORTANT NOTICE ###
	### BEFORE USING THE SCRIPT MAKE SURE THAT YOU HAVE YOUR OWN APPLE PUSH CERTIFICATE AND MDM PROFILE SET UP IN YOUR ADDIGY ENVIRONMENT ###
	# Best practice is to use this Script for devices that are in a Policy with the MDM Profile configured correctly
	# This script is made with the intention of streamlining the migration from an expired APN/Apple Push Certificate to a new one

	MDMProfileIdentifier="com.github.addigy.mdm.mdm"
	majorVersion=$(sw_vers -productVersion \| awk -F. '{print $2}')
	minorVersion=$(sw_vers -productVersion \| awk -F. '{print $3}')

	# Gets realm, policyID, and orgID and makes them into variables
	realm=$(cat /Library/Addigy/config/.adg_agent_config \| grep -i "realm" \| sed '/realm /s///')
	orgID=$(cat /Library/Addigy/config/.adg_agent_config \| grep -i "orgid" \| sed '/orgid /s///')
	policyID=$(cat /Library/Addigy/config/.adg_agent_config \| grep -i "policy_id" \| sed '/policy_id /s///')

	# Modify these strings to change the verbiage in the badge notification.
	title="MDM Profile Installed!"
	acceptText="Open"

	# Download Addigy MDM Profile
	rm -f "/Library/Addigy/mdm-profile-$orgID.mobileconfig"
	if [[ $policyID != "" ]]; then
	echo "Downloading MDM with Policy"
	MDMInstallLink="https://mdm-$realm.addigy.com/mdm/enroll/$orgID/$policyID"
	else
	echo "Downloading MDM without Policy"
	MDMInstallLink="https://mdm-$realm.addigy.com/mdm/enroll/$orgID"
	fi
	/Library/Addigy/go-agent download "$MDMInstallLink" "/Library/Addigy/mdm-profile-$orgID.mobileconfig"

	# Check whether downloaded Addigy MDM Profile matches installed MDM profile, if one exists
	echo "Checking for installed MDM profile..."
	if sudo profiles -P \| grep $MDMProfileIdentifier >& /dev/null; then
	echo "An MDM profile is already installed."
	if (( majorVersion < 15 )); then
	appPort="com.apple.mdmclient.daemon.push.production"
	else
	appPort="com.apple.aps.mdmclient.daemon.push.production"
	fi
	installedAPNTopic=$(/System/Library/PrivateFrameworks/ApplePushService.framework/apsctl status \| grep -A 25 $appPort \| grep topic: \| tr -s ' ' \| cut -d ' ' -f 3 \| head -n 1)
	downloadedAPNTopic=$(security cms -D -i "/Library/Addigy/mdm-profile-$orgID.mobileconfig" \| xmllint --pretty 1 - \| grep -A1 "Topic" \| grep "string" \| cut -d '>' -f2 \| cut -d '<' -f1)
	if [[ $installedAPNTopic == $downloadedAPNTopic ]]; then
	echo "Installed profile matches what is configured in Addigy. No action taken."
	exit 0
	else
	echo "Installed profile does not match Addigy. Removing old MDM profile..."
	profiles -R -p $MDMProfileIdentifier
	fi
	else
	echo "No MDM profiles currently installed."
	fi

	# Install Addigy MDM Profile
	echo "Installing Addigy MDM Profile..."
	profiles -IF "/Library/Addigy/mdm-profile-$orgID.mobileconfig"

	# Request user approval of Addigy MDM Profile if needed
	echo "Checking macOS version compatibility."
	if (( majorVersion < 13 \|\| (majorVersion == 13 && minorVersion < 4) )); then
	echo "This device is on 10.${majorVersion}.${minorVersion}. Installing the Addigy MDM Profile, user approval is not needed."
	else
	echo "This device is on 10.${majorVersion}.${minorVersion}, installing the Addigy MDM Profile. Please approve the profile after install."
	MDMProfileName=$(system_profiler SPConfigurationProfileDataType \| grep -B 5 $MDMProfileIdentifier \| sed 's/^ Description: .$//g' \| sed 's/^ Organization: .$//g' \| sed 's/^ Description: .$//g' \| sed 's/^ Organization: .$//g' \| sed 's/^ Installation Date: .$//g' \| sed 's/^ Identifier: .$//g' \| sed 's/://g' \| sed 's/ //g')
	description="Please approve profile: \"$MDMProfileName\" to gain full MDM functionality!"
	if /Library/Addigy/macmanage/MacManage.app/Contents/MacOS/MacManage action=notify title="${title}" description="${description}" closeLabel="${acceptText}"; then
	# This first condition body needs to stay empty because of the single user prompt
	echo ""
	else
	open "/Applications/System Preferences.app" >& /dev/null
	sleep 0.5
	open /System/Library/PreferencePanes/Profiles.prefPane >& /dev/null
	fi
	fi