@talkingmoose
Last active June 27, 2024 19:06
Use a Jamf Pro policy to re-enroll a computer to install a LAPS management account, and then create a launch daemon and script to update inventory immediately.
#!/bin/zsh
:<<ABOUT_THIS_SCRIPT
-------------------------------------------------------------------------------
Written by: William Smith
Technical Enablement Manager
Jamf
bill@talkingmoose.net
https://gist.github.com/talkingmoose/9f4638932df28c4bebde5dd47be1812a
Originally posted: May 22, 2024
Purpose: Use a Jamf Pro policy to re-enroll a computer to install a LAPS
management account, and then create a launch daemon and script to update
inventory immediately.
The launch daemon and script are necessary because re-enrollment destroys
the original device signature and prevents reporting to the policy when
complete.
Note: This script works only when using the jamf binary to re-enroll
computers. It cannot remotely invoke an MDM re-enrollment using:
/usr/bin/profiles renew -type enrollment
because that command requires user interaction.
Although this script re-enrolls a computer using the jamf binary, any
computers initially enrolled using Automated Device Enrollment will
continue reporting "Enrollment Method: PreStage enrollment".
Instructions:
1. Create a new script in Jamf Pro named something like "Re-enroll computers for LAPS".
Paste the entire contents of this script as-is into the Script field.
Under the Options tab, set the following parameter labels.
Parameter 4: Organization Name (e.g., "My Example Company")
Parameter 5: Organization Reverse Domain (e.g., "com.example")
Parameter 6: Enrollment Invitation (e.g., "124632841331503686010851388828066332132")
2. Use Jamf Pro Computers > Enrollment Invitations to generate a new multiple
use Invitation ID and set the expiration for as long as you think you'll
need to re-enroll computers to create the account.
Copy the Invitation ID for use in the policy later.
3. Create a smart computer group named something like:
"All computers with LAPS management account"
Set its criteria to:
"Managed By is LAPSusername".
Replace "LAPSusername" with the username of your managed local
administrator account from User-Initiated Enrollment.
4. Add the script to a new policy named something like "Re-enroll computers
for LAPS".
Set the three script parameters:
Organization Name (e.g., "My Example Company")
Organization Reverse Domain (e.g., "com.example")
Enrollment Invitation (e.g., "124632841331503686010851388828066332132")
Enable the policy to trigger at Recurring Check-In with a frequency of
Once Per Computer.
Scope the policy:
Set Target to "All Computers"
Set Exclusions to your new smart computer group from step 3.
After a computer checks in and completes the policy, the computer record
should show a jamf binary account for "Managed Local Administrator Accounts"
and fall out of scope for the policy.
(Note: The policy logs will never report the policy has completed unless it
generates an error.)
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by/4.0/.
"Someone will solve a problem, if he finds the problem interesting."
— Tim O'Reilly
-------------------------------------------------------------------------------
ABOUT_THIS_SCRIPT
# script parameters from the Jamf Pro policy
organizationName="$4"
organizationReverseDomain="$5"
enrollmentInvitation="$6"
# re-enroll the computer using the invitation ID passed in from the policy
/usr/local/bin/jamf enroll -invitation "$enrollmentInvitation" -noRecon -noManage -noPolicy
exitStatus="$?"
# if re-enrollment failed, report this to the policy log and exit the script
if [[ "$exitStatus" != 0 ]]; then
exit "$exitStatus"
fi
# create organization folder if necessary to house the jamf-recon.zsh script
/bin/mkdir -p "/Library/$organizationName"
# create jamf-recon.zsh script
tee "/Library/$organizationName/jamf-recon.zsh" << EOF
#!/bin/zsh
# update Jamf Pro inventory
/usr/local/bin/jamf recon
# delete this script
/bin/rm "/Library/$organizationName/jamf-recon.zsh"
# attempt to delete enclosing directory
/bin/rmdir "/Library/$organizationName"
# delete the launch daemon plist
/bin/rm "/Library/LaunchDaemons/$organizationReverseDomain.jamf-recon.plist"
# kill the launch daemon process
/bin/launchctl remove "$organizationReverseDomain.jamf-recon"
exit 0
EOF
# set correct ownership and permissions on jamf-recon.zsh script
/usr/sbin/chown root:wheel "/Library/$organizationName/jamf-recon.zsh" && /bin/chmod +x "/Library/$organizationName/jamf-recon.zsh"
# create $organizationReverseDomain.jamf-recon.plist launch daemon
tee "/Library/LaunchDaemons/$organizationReverseDomain.jamf-recon.plist" << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>EnvironmentVariables</key>
<dict>
<key>PATH</key>
<string>/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
</dict>
<key>Label</key>
<string>$organizationReverseDomain.jamf-recon</string>
<key>ProgramArguments</key>
<array>
<string>/bin/zsh</string>
<string>-c</string>
<string>"/Library/$organizationName/jamf-recon.zsh"</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>StartInterval</key>
<integer>1</integer>
</dict>
</plist>
EOF
# set correct ownership and permissions on launch daemon
/usr/sbin/chown root:wheel "/Library/LaunchDaemons/$organizationReverseDomain.jamf-recon.plist" && /bin/chmod 644 "/Library/LaunchDaemons/$organizationReverseDomain.jamf-recon.plist"
# load the launch daemon (RunAtLoad runs it immediately) and start it by its label
/bin/launchctl bootstrap system "/Library/LaunchDaemons/$organizationReverseDomain.jamf-recon.plist" && /bin/launchctl start "$organizationReverseDomain.jamf-recon"
exit
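An added example, not part of the gist: the script above expands the organization name and reverse domain straight into a heredoc that becomes XML and a `zsh -c` argument, so a name containing `&` or a shell metacharacter would yield an invalid plist or a broken command. These helpers validate the three policy parameters ($4, $5, $6) and render the same launch daemon plist with XML-escaped values; the character rules are constructed for this example, not Jamf or launchd requirements.

```shell
# Added example (not from the gist): validate the policy parameters and render
# the jamf-recon launch daemon plist with XML-safe values.

# Organization name limited to characters safe inside a quoted zsh -c argument:
# letters, digits, space, ampersand, comma, dot, underscore, hyphen (constructed rule).
valid_org_name() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9 &,._-]+$'
}

# Reverse domain: letters, digits, dots and hyphens only (stricter than launchd needs).
valid_reverse_domain() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9.-]*[A-Za-z0-9]$'
}

# The gist's example invitation ID is all digits; adjust if yours differ.
valid_invitation() {
    printf '%s' "$1" | grep -Eq '^[0-9]+$'
}

# Escape the three characters that matter in XML element content.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Print the launch daemon plist for an org name and reverse domain, using the
# same label and script path layout as the gist.
render_daemon_plist() {
    org=$(xml_escape "$1")
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$2.jamf-recon</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/zsh</string>
        <string>-c</string>
        <string>"/Library/$org/jamf-recon.zsh"</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}
```

Run the three validators on the policy parameters before writing anything under /Library, and feed the rendered plist to `plutil -lint` on a Mac to confirm it parses.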
@zomburss
zomburss commented Jun 6, 2024

Running into "Permission Error - The user specified does not have permission to perform the action." Any idea where to start tracking this down?

@talkingmoose
Author

@zomburss The script is intended to be run from a Jamf Pro policy. Are you doing that? If so, verify you're not trying to create a LAPS account with a username that already exists.
