AD bind script does not run via Jamf, just locally

New Contributor III

Hello all.

I struggle so hard for hours now to determine what could be wrong with the following AD script:



# decrypt API user auth string
function DecryptString() {
echo "${1}" | /usr/bin/openssl enc -aes256 -d -a -A -S "${2}" -k "${3}"
apistring=$(DecryptString "somestring" "$8" "$9")
echo "$apistring"

# decrypt AD user auth string
function DecryptString() {
echo "${1}" | /usr/bin/openssl enc -aes256 -d -a -A -S "${2}" -k "${3}"
adstring=$(DecryptString "somestring" "$10" "$11")
echo "$adstring"

# get Mac's serial number
serial=$(system_profiler SPHardwareDataType | awk '/Serial/ {print $4}')
echo "$serial"

# download some xml stuff from Jamf Pro and extract site name out of it
siteName=$( curl -sku "$apistring" $apiurl/JSSResource/computers/serialnumber/$serial/subset/general -X GET -H "Accept: application/xml"  | xpath '/computer/general/site/name/text()' )
echo "$siteName"

echo "This Mac is assigned to Site $siteName"

# check AD status
adstatus=$( dsconfigad -show | awk '/Active Directory Domain/{print $NF}' )
echo $adstatus

# check if already bound to AD, then unbind
if [ "$adstatus" = "" ]
then dsconfigad -remove $adstring
echo "This Mac has been previously bound to AD and got unbound now."

# add to AD container matching to site
if [ "$siteName" = "Site1" ]
then dsconfigad -add "" $adstring -computer "$ComputerName" -mobile enable -mobileconfirm disable -localhome enable -shell /bin/bash -ou "OU=Macintosh,OU=Computer,OU=CITY1,OU=COUNTRY1,OU=CONTINENT1,DC=company,DC=com" -groups "" -passinterval 0
    echo "Mac added to AD Container"
elif [ "$siteName" = "Site2" ]
then dsconfigad -add "" $adstring -computer "$ComputerName" -mobile enable -mobileconfirm disable -localhome enable -shell /bin/bash -ou "OU=Macintosh,OU=Computer,OU=CITY2,OU=COUNTRY2,OU=CONTINENT2,DC=company,DC=com" -groups "" -passinterval 0
    echo "Mac added to AD Container"
# ...much more sites to follow, same pattern
else echo "Mac could not be added for some obscure reason to AD. Please check and do manually."


This script runs totally fine when running locally in CodeRunner and does exactly what it should. However, when running via Jamf (assumingly as root?), it just brings up:

Running script:
Script exit code: 0
Script result: (null)

Surprisingly, if I add "sudo su -" on top of local CodeRunner scripts, it also keeps on running with any progress at all, after entering password.

Does anyone might have an idea where's the flaw in my script?


Esteemed Contributor II

Try putting your salt values in parameters $4 and higher in the policy under the script payload?


New Contributor III

@donmontalvo , I just tried again by putting in the auth strings in plain text, for testing purposes... even that does not do any change. So I think we can discard Salt variables to be the cause...

New Contributor II


New Contributor III

Sorry, @timelost , would you mind telling me where I mistyped?

New Contributor II

I looked through it and can't find anything that catches my eye. Apologies it was just a misplaced response (mistype) on my part, nothing regarding your script. I thought I was typing into a different window.

New Contributor III

Sorry for pushing this up, but this drives me nuts. Anyone has any idea how to solve this?
Jamf support had the approach "Just add it as elf service policy", but that is obviously not the approach I am following, as I want to automate things in a workflow and make things easier, not more complicated.
Thanks a million...

Contributor III

I second @donmontalvo and think the issue is probably due to the fact that jamf will automatically send $1, $2, $3 parameters into your script.

I would add this to the top of your script (just below #!/bin/bash), then compare the values when running it locally vs. as a policy:

echo "param1 is $1"
echo "param2 is $2"
echo "param3 is $3"
echo "param4 is $4"
echo "param5 is $5"
echo "param6 is $6"
echo "param7 is $7"
echo "param8 is $8"
echo "param9 is $9"
echo "param10 is $10"
echo "param11 is $11"

Also, this shouldn't matter, but you don't need to define the DecryptString function twice.