Skip to main content

I recently wrote an extension attribute to check for the existence of a certificate in a user's keychain. I can run it without issue locally, and via policy, but when running it as an EA, no response is written to the computer record:

#!/bin/bash

CERTNAME="Okta MTLS"
currentUser=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
");')
query=$(security find-certificate -a /Users/$currentUser/Library/Keychains/okta.keychain | awk -F'"' '/alis/{print $4}')

if [ "$query" == "$CERTNAME" ]; then
  result="Yes"
else
  result="No"
fi

echo "$result"

I've also tried to grab the current user's name another way:

currentUser=$(ls -l /dev/console | cut -d " " -f4)

Lastly, I tried writing the output to a txt file and simply cat'ing it via an extension attribute, all to no avail.

No matter what, my extension attribute shows no result in the computer record.

Any tips or suggestions greatly appreciated.

First thing is, Extension Attributes require that the result be surrounded by proper tags for it to populate in the computer record. Try changing echo "$result" to echo "<result>$result</result>"

Second, if that doesn't work for some reason, you may have to run the security command as the user, not as root, which is what it would typically be running as when an inventory collection happens.

But try making that first necessary change and see if it fixes it.

The tags were the problem, thanks for the quick response!

Terms & ConditionsCookie settings