I have started trying to use ADPassMon in my environment. It would solve a lot of the issues I am having with AD password resetting and Kerberos tickets all in one go (plus, of course, KEYCHAIN!). However, I am trying to use the forked V2. I have managed to configure the app as required, with the password requirements and user notifications etc., but my script will not run, as it is returning the error "-10810.36:121: execution error:", which I believe means it needs to run as the user. However, in testing, when I ran it as an admin it worked for the user. Does anyone have an idea of how I can deploy this, or whether maybe I am just going about this the wrong way? This is what I want to configure:
Deploy preferences to the app for:
    Enable version 2 behaviour
    Enable notifications for expiry
    User notification of password requirements and acknowledgement

    defaults write org.pmbuko.ADPassMon pwPolicy "Please ensure your password is a minimum of 8 characters including at least 1 upper case, 1 lower case & 1 number or symbol"

Restart the app to apply the changes:

    osascript -e 'tell application "ADPassMon" to quit'
    open -a ADPassMon

Add the app to the user's login items (the login item needs the full bundle path, /Applications/ADPassMon.app):

    osascript -e 'tell application "System Events" to make login item at end with properties {path:"/Applications/ADPassMon.app", hidden:false}'
Best answer by bpavlov
I don't know about a script, but here are the settings I have documented (I believe these are all of the settings) as of v2.0.9:

ADPassMon Behavior: Version 2
    <key>isBehaviour2Enabled</key>
    <integer>1</integer>
    <key>selectedBehaviour</key>
    <integer>2</integer>

Method of obtaining maximum password age: Auto
    <key>selectedMethod</key>
    <integer>0</integer>

Test this key, as it may not be necessary if selectedMethod is set to Auto:
    <key>expireAge</key>
    <integer>0</integer>

Check "Use Notifications":
    <key>enableNotifications</key>
    <true/>

"Add To Login Items":
    No key exists. This can be accomplished via a LaunchAgent.

"Perform Keychain Lock check at launch?":
    <key>enableKeychainLockCheck</key>
    <true/>

How many days before your password expires do you want to be warned? 21
    <key>warningDays</key>
    <integer>21</integer>

Check "Allow password change?":
    <key>allowPasswordChange</key>
    <true/>

Password Expiration Check Interval: 12 hrs
    <key>passwordCheckInterval</key>
    <integer>12</integer>

Policy Requirement message:
    defaults write org.pmbuko.ADPassMon pwPolicy "ENTER YOUR MESSAGE HERE."

Lock preferences:
    defaults write org.pmbuko.ADPassMon prefsLocked true
And my plist (which I've converted to a config profile) looks like so "org.pmbuko.ADPassMon.plist":
#!/bin/sh
##### Deploy preferences to the app for:
##### Enable version 2 behaviour
##### Enable notifications for expiry
##### User notification of password requirements and acknowledgement
##### Lock the preferences from the user
##### (booleans are written with -bool so they are stored as booleans, not as the string "true")
defaults write org.pmbuko.ADPassMon selectedBehaviour -int 2
defaults write org.pmbuko.ADPassMon enableNotifications -bool true
defaults write org.pmbuko.ADPassMon pwPolicy "Please ensure your password is a minimum of 8 characters including at least 1 upper case, 1 lower case & 1 number or symbol"
defaults write org.pmbuko.ADPassMon pwPolicyButton "Understood"
defaults write org.pmbuko.ADPassMon prefsLocked -bool true

##### Restart the app to apply the changes
osascript -e 'tell application "ADPassMon" to quit'
open -a ADPassMon

##### Add the app to the user's login items (full bundle path, including .app)
osascript -e 'tell application "System Events" to make login item at end with properties {path:"/Applications/ADPassMon.app", hidden:false}'
How are you running the script, out of curiosity? If it's running as root, then I don't believe the settings are being copied to the user's preferences, which may be the cause of your problem...
Here is the script I came up with that writes our ADPassMon preference file and writes a LaunchAgent to handle automatically launching ADPassMon. I just run this at login for all of our staff.
Test this out, as I tweaked it a bit to remove some things specific to my environment.
#!/bin/bash
# $3 is the username of the user logging in (Jamf passes it to login policies)

# Check for ADPassMon.app and exit if not found
if [ ! -d /Applications/ADPassMon.app ]; then
    echo "ADPassMon not found"
    exit 0
fi

# Check for an existing launch agent
if [ -f "/Users/$3/Library/LaunchAgents/AD.ADPassMon.plist" ]; then
    echo "LaunchAgent for ADPassMon already exists. Removing..."
    rm "/Users/$3/Library/LaunchAgents/AD.ADPassMon.plist"
fi

# Write out a LaunchAgent to launch ADPassMon on login
# (create the LaunchAgents directory first; a fresh account may not have one)
mkdir -p "/Users/$3/Library/LaunchAgents"
defaults write "/Users/$3/Library/LaunchAgents/AD.ADPassMon.plist" Label AD.ADPassMon
defaults write "/Users/$3/Library/LaunchAgents/AD.ADPassMon.plist" ProgramArguments -array
defaults write "/Users/$3/Library/LaunchAgents/AD.ADPassMon.plist" RunAtLoad -bool YES
/usr/libexec/PlistBuddy -c "Add :ProgramArguments: string /Applications/ADPassMon.app/Contents/MacOS/ADPassMon" "/Users/$3/Library/LaunchAgents/AD.ADPassMon.plist"
chown -R "$3" "/Users/$3/Library/LaunchAgents"
chmod 644 "/Users/$3/Library/LaunchAgents/AD.ADPassMon.plist"
echo "Created LaunchAgent to launch ADPassMon on login"

# Check for org.pmbuko.ADPassMon.plist and exit if found
if [ -f "/Users/$3/Library/Preferences/org.pmbuko.ADPassMon.plist" ]; then
    echo "org.pmbuko.ADPassMon.plist exists"
    exit 0
else
    defaults write "/Users/$3/Library/Preferences/org.pmbuko.ADPassMon" enableNotifications -bool true
    defaults write "/Users/$3/Library/Preferences/org.pmbuko.ADPassMon" expireAge -int 365
    defaults write "/Users/$3/Library/Preferences/org.pmbuko.ADPassMon" selectedMethod -int 1
    defaults write "/Users/$3/Library/Preferences/org.pmbuko.ADPassMon" warningDays -int 14
    defaults write "/Users/$3/Library/Preferences/org.pmbuko.ADPassMon" pwPolicy "Your password needs to be at least 12 characters long and cannot be a password you've used previously."
    defaults write "/Users/$3/Library/Preferences/org.pmbuko.ADPassMon" selectedBehaviour -int 2
    defaults write "/Users/$3/Library/Preferences/org.pmbuko.ADPassMon" prefsLocked -bool true
    # the file was created by root, so hand it back to the user
    chown "$3" "/Users/$3/Library/Preferences/org.pmbuko.ADPassMon.plist"
    echo "Created /Users/$3/Library/Preferences/org.pmbuko.ADPassMon.plist"
fi
Thanks guys, much appreciated. What I did in the end was log in as a user, configure ADPassMon and then use the exact .plist to create the config profile; that is now working perfectly. @cbrewer, thanks very much for the script. I will use the config profile for now, but I do prefer the scripting way of doing this type of thing. And thanks to bpavlov for the Tim Sutton website, works a treat!
FWIW, once I finish with the next release of AutoCasperNBI I'm going to give ADPassMon some love.
The forks will be merged. I also want to have an option to create a PKG of the app from within the app itself, with a LaunchAgent, as well as to generate a profile for the settings.
Just wondering why, in your script, the LaunchAgent is being re-created every time the user logs in?
Can't I just put the ADPassMon LaunchAgent in /Library/LaunchAgents so it starts irrespective of who logs in?
Thanks

#!/bin/sh
# Check for an existing launch agent
if [ -f "/Users/$3/Library/LaunchAgents/AD.ADPassMon.plist" ]; then
    echo "LaunchAgent for ADPassMon already exists. Removing..."
    rm "/Users/$3/Library/LaunchAgents/AD.ADPassMon.plist"
fi
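An added example, not code from this thread or from the ADPassMon project, that does what the last question asks about: one LaunchAgent in /Library/LaunchAgents, so the app starts for whoever logs in, with no per-user login item and no AppleScript run from a root context (error -10810 from `open`/`osascript` is typically what you get when a script running as root from a management agent has no GUI session to talk to). The preferences are written as the target user with `sudo -u`, so they land in that user's domain and go through that user's cfprefsd, rather than being dropped into the plist file as root and handed back with chown. Assumptions: the Jamf convention that $3 is the username of the user logging in, the org.pmbuko.ADPassMon keys documented above, and the label AD.ADPassMon, which is our own choice.

```shell
#!/bin/sh
# Added example (not from the thread or the ADPassMon project).
# Deploys ADPassMon for the user logging in:
#   1. a system-wide LaunchAgent in /Library/LaunchAgents (root:wheel, 0644,
#      Aqua sessions only) so the app starts for whoever logs in;
#   2. the preferences written *as that user* with `sudo -u`, so they land in
#      that user's domain and go through that user's cfprefsd.
# Assumptions: Jamf's $3 = username of the user logging in; the
# org.pmbuko.ADPassMon keys from the thread; AD.ADPassMon is our own label.

APP="/Applications/ADPassMon.app"
AGENT_LABEL="AD.ADPassMon"
AGENT_PATH="/Library/LaunchAgents/$AGENT_LABEL.plist"
DOMAIN="org.pmbuko.ADPassMon"

# Emit the LaunchAgent XML on stdout. Pure text, so it can be generated and
# inspected on any host; launchd only reads it once installed on the Mac.
launchagent_xml() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$AGENT_LABEL</string>
    <key>ProgramArguments</key>
    <array>
        <string>$APP/Contents/MacOS/ADPassMon</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>LimitLoadToSessionType</key>
    <string>Aqua</string>
</dict>
</plist>
EOF
}

# Write the agent to $1 with the ownership and mode launchd requires for
# /Library/LaunchAgents: owned by root, not writable by group or others.
# Returns 1 if the file could not be written or is still loosely permitted.
install_launchagent() {
    dest="$1"
    launchagent_xml > "$dest" || return 1
    chmod 644 "$dest" || return 1
    # chown only on the Mac as root; the XML/permission logic itself is portable.
    if [ "$(uname)" = Darwin ] && [ "$(id -u)" -eq 0 ]; then
        chown root:wheel "$dest" || return 1
    fi
    if find "$dest" -perm -022 | grep -q .; then
        echo "refusing: $dest is group/world writable, launchd would ignore it" >&2
        return 1
    fi
    return 0
}

# Write the preferences into the target user's domain, as that user.
# Booleans use -bool; a bare `true` would be stored as the string "true".
write_user_prefs() {
    user="$1"
    sudo -u "$user" defaults write "$DOMAIN" selectedBehaviour -int 2
    sudo -u "$user" defaults write "$DOMAIN" selectedMethod -int 0
    sudo -u "$user" defaults write "$DOMAIN" enableNotifications -bool true
    sudo -u "$user" defaults write "$DOMAIN" warningDays -int 14
    sudo -u "$user" defaults write "$DOMAIN" allowPasswordChange -bool true
    sudo -u "$user" defaults write "$DOMAIN" pwPolicy \
        "Your password must be at least 8 characters, with upper case, lower case and a number or symbol."
    sudo -u "$user" defaults write "$DOMAIN" pwPolicyButton "Understood"
    sudo -u "$user" defaults write "$DOMAIN" prefsLocked -bool true
}

# Full deployment; only meaningful on macOS as root (e.g. a Jamf login policy).
deploy() {
    user="$1"
    [ -d "$APP" ] || { echo "$APP not installed" >&2; return 1; }
    id -u "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
    install_launchagent "$AGENT_PATH" || return 1
    write_user_prefs "$user" || return 1
    # Start it in the user's GUI session now (launchctl bootstrap, 10.11+);
    # at the next login launchd loads it from /Library/LaunchAgents itself.
    uid=$(id -u "$user")
    launchctl bootstrap "gui/$uid" "$AGENT_PATH" 2>/dev/null || true
}

if [ "$(uname)" = Darwin ] && [ "$(id -u)" -eq 0 ] && [ -n "${3:-}" ]; then
    deploy "$3"
fi
```

Because the agent lives in /Library/LaunchAgents it only has to be written once (for example from an installer or a one-time policy), not at every login, and the `LimitLoadToSessionType` key keeps launchd from trying to start a GUI app in non-Aqua sessions such as SSH logins. The ownership and mode check matters: launchd silently refuses agents in /Library/LaunchAgents that are not owned by root or that are writable by others.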