Last active
June 27, 2024 19:06
Use a Jamf Pro policy to re-enroll a computer to install a LAPS management account, and then create a launch daemon and script to update inventory immediately.
#!/bin/zsh

:<<ABOUT_THIS_SCRIPT
-------------------------------------------------------------------------------
    Written by: William Smith
    Technical Enablement Manager
    Jamf
    bill@talkingmoose.net
    https://gist.github.com/talkingmoose/9f4638932df28c4bebde5dd47be1812a

    Originally posted: May 22, 2024

    Purpose: Use a Jamf Pro policy to re-enroll a computer to install a LAPS
    management account, and then create a launch daemon and script to update
    inventory immediately.

    The launch daemon and script are necessary because re-enrollment destroys
    the original device signature and prevents reporting to the policy when
    complete.

    Note: This script works only for using the jamf binary to re-enroll
    computers. It cannot remotely invoke an MDM re-enrollment using:

        /usr/bin/profiles renew -type enrollment

    because this command requires user interaction.

    Although this script re-enrolls a computer using the jamf binary, any
    computers initially enrolled using Automated Device Enrollment will
    continue reporting "Enrollment Method: PreStage enrollment".

    Instructions:

    1. Create a new script in Jamf Pro named something like "Re-enroll computers for LAPS".
       Paste the entire contents of this script as-is into the Script field.
       Under the Options tab, set the following parameter labels.

       Parameter 4: Organization Name (e.g., "My Example Company")
       Parameter 5: Organization Reverse Domain (e.g., "com.example")
       Parameter 6: Enrollment Invitation (e.g., "124632841331503686010851388828066332132")

    2. Use Jamf Pro Computers > Enrollment Invitations to generate a new multiple
       use Invitation ID and set the expiration for as long as you think you'll
       need to re-enroll computers to create the account.

       Copy the Invitation ID for use in the policy later.

    3. Create a smart computer group named something like:
       "All computers with LAPS management account"

       Set its criteria to:
       "Managed By is LAPSusername".

       Replace "LAPSusername" with the username of your managed local
       administrator account from User-Initiated Enrollment.

    4. Add the script to a new policy named something like "Re-enroll computers
       for LAPS".

       Set the three script parameters:
       Organization Name (e.g., "My Example Company")
       Organization Reverse Domain (e.g., "com.example")
       Enrollment Invitation (e.g., "124632841331503686010851388828066332132")

       Enable the policy to trigger at Recurring Check-In with a frequency of
       Once Per Computer.

       Scope the policy:
       Set Target to "All Computers"
       Set Exclusions to your new smart computer group from step 3.

    After a computer checks in and completes the policy, the computer record
    should show a jamf binary account for "Managed Local Administrator Accounts"
    and fall out of scope for the policy.

    (Note: The policy logs will never report the policy has completed unless it
    generates an error.)

    Except where otherwise noted, this work is licensed under
    http://creativecommons.org/licenses/by/4.0/.

    "Someone will solve a problem, if he finds the problem interesting."
    — Tim O'Reilly
-------------------------------------------------------------------------------
ABOUT_THIS_SCRIPT

# script parameters from the Jamf Pro policy
organizationName="$4"
organizationReverseDomain="$5"
enrollmentInvitation="$6"

# re-enroll the computer
/usr/local/bin/jamf enroll -invitation "$enrollmentInvitation" -noRecon -noManage -noPolicy
exitStatus="$?"

# if re-enrollment failed, report this to the policy log and exit the script
if [[ "$exitStatus" != 0 ]]; then
    exit "$exitStatus"
fi

# create organization folder if necessary to house the jamf-recon.zsh script
/bin/mkdir -p "/Library/$organizationName"

# create jamf-recon.zsh script (the heredoc is unquoted on purpose: the
# organization variables are expanded now, so the generated script carries
# literal paths and does not depend on the policy parameters at run time)
tee "/Library/$organizationName/jamf-recon.zsh" << EOF
#!/bin/zsh

# update Jamf Pro inventory
/usr/local/bin/jamf recon

# delete this script
/bin/rm "/Library/$organizationName/jamf-recon.zsh"

# attempt to delete enclosing directory
/bin/rmdir "/Library/$organizationName"

# delete the launch daemon plist
/bin/rm "/Library/LaunchDaemons/$organizationReverseDomain.jamf-recon.plist"

# kill the launch daemon process (this also terminates the running script, so it must come last)
/bin/launchctl remove "$organizationReverseDomain.jamf-recon"

exit 0
EOF

# set correct ownership and permissions on jamf-recon.zsh script
/usr/sbin/chown root:wheel "/Library/$organizationName/jamf-recon.zsh" && /bin/chmod +x "/Library/$organizationName/jamf-recon.zsh"

# create $organizationReverseDomain.jamf-recon.plist launch daemon
tee "/Library/LaunchDaemons/$organizationReverseDomain.jamf-recon.plist" << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnvironmentVariables</key>
    <dict>
        <key>PATH</key>
        <string>/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
    </dict>
    <key>Label</key>
    <string>$organizationReverseDomain.jamf-recon</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/zsh</string>
        <string>-c</string>
        <string>"/Library/$organizationName/jamf-recon.zsh"</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>1</integer>
</dict>
</plist>
EOF

# set correct ownership and permissions on launch daemon
/usr/sbin/chown root:wheel "/Library/LaunchDaemons/$organizationReverseDomain.jamf-recon.plist" && /bin/chmod 644 "/Library/LaunchDaemons/$organizationReverseDomain.jamf-recon.plist"

# load the launch daemon after installation; RunAtLoad starts the job immediately,
# and launchctl start takes the job label rather than the plist path
/bin/launchctl bootstrap system "/Library/LaunchDaemons/$organizationReverseDomain.jamf-recon.plist" && /bin/launchctl start "$organizationReverseDomain.jamf-recon"

exit
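The generated jamf-recon.zsh above removes itself and its launch daemon whether or not `jamf recon` succeeded, and the heredoc writes the organization name into the plist without XML escaping, so a name containing `&` or `<` produces a plist launchd cannot load. In both cases the computer never reports its new management account and stays in scope. The following is an added example, not the gist's code and not Jamf's: a POSIX sh rendering of the same two pieces with those failure modes handled. The recon body only tears down after a successful recon or after a fixed number of failures, leaving launchd's StartInterval to retry in between, and the plist renderer escapes every interpolated value. The defaults for JAMF_BIN, LAUNCHCTL_BIN, MAX_ATTEMPTS and the 60-second StartInterval are assumptions; both binaries are variables so the logic can be exercised with stand-ins away from a managed Mac.

```shell
#!/bin/sh
# Added example, not the gist's code: a retry-aware replacement for the body
# of the generated jamf-recon.zsh, plus a plist renderer that XML-escapes the
# values it interpolates. Binaries and paths are parameters (assumed defaults
# below) so the logic can be exercised with stand-ins off a Mac.

: "${JAMF_BIN:=/usr/local/bin/jamf}"   # assumed default, same path as the gist
: "${LAUNCHCTL_BIN:=/bin/launchctl}"   # assumed default
: "${MAX_ATTEMPTS:=5}"                 # assumption: give up after 5 failed recons

# Escape the five XML special characters. An organization name such as
# "Smith & Sons" written raw into the heredoc yields a plist launchd rejects,
# which leaves the computer without an inventory update and still in scope.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
        -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Render the launch daemon plist to stdout. $1 = job label, $2 = absolute path
# of the recon script. Same keys as the gist's daemon; the script path is passed
# as a direct argument to zsh (no -c, so no shell quoting of the path is needed)
# and the 60-second StartInterval is an assumption.
render_recon_plist() {
    label=$(xml_escape "$1")
    script=$(xml_escape "$2")
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$label</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/zsh</string>
        <string>$script</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>60</integer>
</dict>
</plist>
EOF
}

# Remove the script, plist and attempt counter, then unload the job.
# $1 = label, $2 = script path, $3 = plist path, $4 = attempt-counter file.
# launchctl remove terminates the job (that is, this script when run under
# launchd), so it must be the last command.
teardown() {
    rm -f "$2" "$3" "$4"
    rmdir "$(dirname "$2")" 2>/dev/null || true
    "$LAUNCHCTL_BIN" remove "$1"
}

# One launchd-triggered attempt. Same arguments as teardown. Tear down only
# after jamf recon succeeds or after MAX_ATTEMPTS failures, so StartInterval
# retries a transient error instead of the script deleting itself on the first.
# Returns 0 on success, 1 when a retry is pending, 2 when giving up.
recon_once() {
    attempts=$(cat "$4" 2>/dev/null || echo 0)
    attempts=$((attempts + 1))
    printf '%s\n' "$attempts" > "$4"
    if "$JAMF_BIN" recon; then
        teardown "$1" "$2" "$3" "$4"
        return 0
    fi
    if [ "$attempts" -ge "$MAX_ATTEMPTS" ]; then
        teardown "$1" "$2" "$3" "$4"
        return 2
    fi
    return 1
}
```

To use it on a Mac, the enrolling policy would write `render_recon_plist` output to the plist path and install a script whose last line is `recon_once "<label>" "<script>" "<plist>" "<script>.attempts"`; the attempt counter lives beside the script so teardown removes it too. Because the counter is bounded, a persistently failing recon still cleans up after MAX_ATTEMPTS runs rather than leaving a root launch daemon on the machine indefinitely.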
@zomburss The script is intended to be run from a Jamf Pro policy. Are you doing that? If so, verify you're not trying to create a LAPS account with a username that already exists.
Running into "Permission Error - The user specified does not have permission to perform the action." Any idea where to start tracking this down?