
I am trying to write a script to report back an extension attribute on SecureToken status. Background - we push out a default admin account (aka "admin") during DEP enrollment. DEP prompts for creation of a user through the GUI and our frontline techs will often create a "localadmin" account, which they're supposed to delete later on. Well, things happen, and the account doesn't get deleted every time. I'm trying to make sure that if there's a local admin, it's got SecureToken, whichever account it has. I've got a script that works on one user, but won't work for more than one user returned. I've not really played with for;do statements, so this is my first go round. Can someone give me a pointer on where I may be going wrong?

#!/bin/sh
#
# SecureToken for Admin.sh
#
# Get the Username of the local Admin account

ADMINid=$( dscl . list /Users | grep -v ^_.* | grep dmin | grep -v JAMF )

# Get SecureTokenStaus
status=$( dscl . -read /Users/$ADMINid AuthenticationAuthority | grep -o SecureToken )

for i in $ADMINid ; do $status
done

if [[ $status == SecureToken ]]; then
echo "<result>ENABLED for $ADMINid</result>"
else
echo "<result>DISABLED for $ADMINid</result>"
fi


currently I get a result of

<result>ENABLED for admin
localadmin</result>

where it fails to run against the 2nd admin account "localadmin" for me. I'd hope it would return something like

<result>ENABLED for admin
ENABLED for localadmin</result>

Your for i in $ADMINid part isn't working, so "admin" and "localadmin" are being treated as one item, most likely. I usually use a while read loop for these kinds of things myself as it tends to handle each item individually a little better.
Also consider using an array to populate, and then printing the array in the end.

#!/bin/bash

# Candidate admin accounts, one per line
ADMINid=$(dscl . list /Users | grep -v ^_.* | grep dmin | grep -v JAMF)

# One result line per account, collected in an array
RESULT=()
while read ACCT; do
if [[ $(dscl . -read /Users/$ACCT AuthenticationAuthority | grep -o SecureToken) == "SecureToken" ]]; then
RESULT+=("ENABLED for $ACCT")
else
RESULT+=("DISABLED for $ACCT")
fi
done <<< "$ADMINid"

# printf repeats the format once per array element, giving one line each
echo "<result>$(printf '%s\n' "${RESULT[@]}")</result>"
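As an added example, not code from the question or the answer above: the same per-account check written so the dscl read sits behind a stand-in function (auth_authority, a hypothetical name) fed with constructed AuthenticationAuthority strings, so it runs off a Mac; it also reports UNKNOWN when the read fails and copes with an empty account list.

```bash
#!/bin/bash
# Added example (not the thread's code): SecureToken status for every local
# admin account, one line each, with the dscl call isolated so it can be
# swapped for constructed data and run off a Mac.

# Stand-in for `dscl . -read /Users/$1 AuthenticationAuthority`; the two
# AuthenticationAuthority strings below are constructed sample data.
auth_authority() {
  case "$1" in
    admin)      echo 'AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;SecureToken; ;Kerberosv5;;admin@LKDC:SHA1' ;;
    localadmin) echo 'AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;localadmin@LKDC:SHA1' ;;
    *)          return 1 ;;   # dscl exits non-zero for a user that does not exist
  esac
}

# Prints ENABLED, DISABLED or UNKNOWN for one account. grep -q on the exact
# ";SecureToken;" tag replaces comparing grep's text output with a string.
token_status() {
  out=$(auth_authority "$1" 2>/dev/null) || { echo UNKNOWN; return 0; }
  if printf '%s\n' "$out" | grep -q ';SecureToken;'; then
    echo ENABLED
  else
    echo DISABLED
  fi
}

# Builds the <result> body from a newline-separated account list ($1).
# The here-document keeps the loop in the current shell so $body survives
# (a pipe into `while read` would lose it in a subshell); blank lines skipped.
report() {
  body=
  while IFS= read -r acct; do
    [ -n "$acct" ] || continue
    line="$(token_status "$acct") for $acct"
    if [ -z "$body" ]; then body=$line; else body=$(printf '%s\n%s' "$body" "$line"); fi
  done <<EOF
$1
EOF
  if [ -z "$body" ]; then
    echo "<result>NO LOCAL ADMIN ACCOUNT FOUND</result>"
  else
    printf '<result>%s</result>\n' "$body"
  fi
}

# On a Mac the list would come from:
#   dscl . list /Users | grep -v '^_' | grep dmin | grep -v JAMF
report "$(printf 'admin\nlocaladmin\n')"
```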