Posted on 03-29-2018 09:44 AM
I have a 3-part policy.
(Script set as Before) Part 1 renames the Mac to username-last4serial#
Part 2 binds to AD with the built-in Directory Binding JAMF policy
(Script set as After) Part 3 creates a mobile account.
The issue I have is it binds the Mac with the old name instead of the name I set in step 1.
I even added sudo jamf recon to the end of script 1 to see if that would do it.
Ideas?
Posted on 03-29-2018 09:57 AM
Not sure, but you might need to unload and load some services to get the new name to register correctly.
Also, are you setting all the computer names? Meaning ComputerName, LocalHostName and HostName, or just some of them? What process are you using to do the rename? A jamf binary command or something like scutil?
Posted on 03-29-2018 09:58 AM
This is what I have set as Script Part 1, before the AD bind
#!/bin/sh
username=$(/usr/bin/osascript -e 'Tell application "System Events" to display dialog "Please enter the domain username for the end-user of this Mac or select Cancel." default answer "johdoe"' -e 'text returned of result' 2>/dev/null)
#rename mac
serial_no=$(ioreg -c IOPlatformExpertDevice -d 2 | awk -F'"' '/IOPlatformSerialNumber/{print $(NF-1)}' | tail -c 5)
computer_name="${username}-${serial_no}"
/usr/sbin/scutil --set LocalHostName "${computer_name}"
/usr/sbin/scutil --set ComputerName "${computer_name}"
/usr/sbin/scutil --set HostName "${computer_name}"
dscacheutil -flushcache
sudo jamf recon
Posted on 03-29-2018 10:04 AM
Ok, interesting. The dscacheutil -flushcache should help things I would think.
Can you add an echo command at the end to see what it prints back for the computer name? Maybe add a scutil --get ComputerName to it. I'd be curious to see if it's sending back the updated name or the old one. If it's printing back the new name, then it's something with the jamf binding that is, for whatever reason, picking up the old name. Though I can't imagine why that would be.
Posted on 03-29-2018 10:14 AM
This is my log
[STEP 1 of 7]
Executing Policy AD Bind DEP
[STEP 2 of 7]
Running script DEP (Domain) Part 1 of 2...
Script exit code: 0
Script result: johdoe-J1WV
Retrieving inventory preferences from https://truemfg.jamfcloud.com/...
Finding extension attributes...
Locating accounts...
Locating applications...
Locating hard drive information...
Searching path: /Applications
Locating package receipts...
Locating software updates...
Locating plugins...
Searching path: /Library/Internet Plug-Ins
Locating fonts...
Searching path: /Users/Administrator/Library/Fonts
Searching path: /Library/Fonts
Locating printers...
Searching path: /System/Library/Fonts
Searching path: /Library/Application Support/Adobe/Fonts
Locating hardware information (Mac OS X 10.13.3)...
Gathering application usage information...
Submitting data to https://truemfg.jamfcloud.com/...
<computer_id>133</computer_id>
MacBook Air
[STEP 3 of 7]
Binding MacBook Air to mydomain.com...
Bound to Active Directory (mydomain.com)
[STEP 4 of 7]
Running script DEP (Domain) Part 2 of 2...
Script exit code: 0
Script result: createmobileaccount built Oct 24 2017 18:43:04
[STEP 5 of 7]
[STEP 6 of 7]
Inventory will be updated when all queued actions in Self Service are complete.
[STEP 7 of 7]
Posted on 03-29-2018 10:15 AM
Updated script
#!/bin/sh
username=$(/usr/bin/osascript -e 'Tell application "System Events" to display dialog "Please enter the domain username for the enduser of this Mac or select Cancel." default answer "johdoe"' -e 'text returned of result' 2>/dev/null)
#rename mac
serial_no=$(ioreg -c IOPlatformExpertDevice -d 2 | awk -F'"' '/IOPlatformSerialNumber/{print $(NF-1)}' | tail -c 5)
computer_name="${username}-${serial_no}"
/usr/sbin/scutil --set LocalHostName "${computer_name}"
/usr/sbin/scutil --set ComputerName "${computer_name}"
/usr/sbin/scutil --set HostName "${computer_name}"
dscacheutil -flushcache
/usr/sbin/scutil --get ComputerName
sudo jamf recon
echo $2
Posted on 03-29-2018 10:52 AM
Ok, so.. weird. It's echoing back "MacBook Air" but earlier up it's showing that the name it generates is "johdoe-J1WV" ? Strange.
I have another question. Can you explain what the policy itself looks like? Is it the above script set up in the same policy as the AD bind payload?
If so, that might be the problem. I have a feeling the script is running after the AD bind portion, even though you would not expect that to happen.
If I'm correct that the AD bind is included in the same policy, I have a suggestion. This is how we have things set up.
Create a standalone AD bind policy that has that AD bind setting section added in. Scope to all computers, and Ongoing, but don't set any specific triggers other than a manual trigger. Something like "BindToAD" or whatever makes sense to you.
In your script that renames the Mac, call that policy using
/usr/local/bin/jamf policy -event BindToAD
See if that addresses the issue.
If I'm not correct in my assumption and you are already calling the bind policy separately from the script policy, well then... I got nothing.
Posted on 03-29-2018 10:53 AM
@kerickson This is what we used to rename and rebind 700 machines based on serial numbers.
#!/bin/sh
# HARDCODED VALUES ARE SET HERE
Pass=""
# CHECK TO SEE IF VALUES WERE PASSED FOR $4, AND IF SO, ASSIGN THEM
if [ "$4" != "" ] && [ "$Pass" == "" ]; then
Pass=$4
fi
# Check to make sure Pass variable was passed down from Casper
if [ "$Pass" == "" ]; then
echo "Error: The parameter 'Pass' is blank. Please specify a value."
exit 1
fi
# Set Variables
# strip the trailing $ from the computer account name (e.g. MACNAME$)
CompName=$(dsconfigad -show | awk '/Computer Account/{print $NF}' | sed 's/\$$//')
# Get current OU of Computer Object
OU="OU=General Business Computers,OU=Domain,DC=Corp,DC=domain,DC=us"
echo "$OU"
# get machine serial number
MAC_SERIAL_NUMBER=`ioreg -l | grep IOPlatformSerialNumber | awk '{print $4}' | cut -d '"' -f 2`
echo MAC_SERIAL_NUMBER $MAC_SERIAL_NUMBER
serial=$MAC_SERIAL_NUMBER
# set name to machine serial number
scutil --set ComputerName $serial
scutil --set HostName $serial
scutil --set LocalHostName $serial
sleep 2
## Begin rebinding process
#Basic variables
computerid=`scutil --get LocalHostName`
domain=yourdomainhere
udn=yourbindingaccount
#Advanced variables
alldomains="disable"
localhome="enable"
protocol="smb"
mobile="enable"
mobileconfirm="disable"
user_shell="/bin/bash"
admingroups="Corpdomain group"
namespace="domain"
packetsign="allow"
packetencrypt="allow"
useuncpath="disable"
passinterval="90"
# Bind to AD
dsconfigad -add $domain -alldomains $alldomains -username $udn -password $Pass -computer $computerid -ou "$OU" -force -packetencrypt $packetencrypt
sleep 1
echo "Rebinding to AD and setting advanced options"
#set advanced options
dsconfigad -localhome $localhome
sleep 1
dsconfigad -groups "$admingroups"
sleep 1
dsconfigad -mobile $mobile
sleep 1
dsconfigad -mobileconfirm $mobileconfirm
sleep 1
dsconfigad -alldomains $alldomains
sleep 1
dsconfigad -useuncpath "$useuncpath"
sleep 1
dsconfigad -protocol $protocol
sleep 1
dsconfigad -shell $user_shell
sleep 1
dsconfigad -passinterval $passinterval
sleep 1
#dsconfigad adds "All Domains"
# Set the search paths to "custom"
dscl /Search -create / SearchPolicy CSPSearchPath
dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
sleep 1
# Add the "domain.us" search paths
dscl /Search -append / CSPSearchPath "/Active Directory/yourdomainhere"
dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/yourdomainhere"
sleep 1
# Delete the "All Domains" search paths
dscl /Search -delete / CSPSearchPath "/Active Directory/CORP/All Domains"
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/CORP/All Domains"
sleep 1
# Restart opendirectoryd
killall opendirectoryd
sleep 5
exit 0
Posted on 03-29-2018 11:42 AM
Ok, got it to work by doing what @mm2270 said to do. One last question: I have to prompt the admin twice for the same info. Is there a way to get rid of that? Example:
I prompt them in the first part for the domain user who will use this Mac. Then it names the Mac johdoe-last4serial#. Then, after the Mac is bound to AD, I create the mobile account and enable that user for FileVault2, which prompts for the domain username again and the password. Can I pull the username from the Mac name from step one somehow?
Posted on 03-29-2018 11:55 AM
@kericson I would think you could do one of a few things.
If the username they entered in step #1 is being used in full to rename the Mac, like, they put in "johndoe" and that is used to name it to johndoe-las4serial# as in your example, you should be able to extract it back out from the computer name when it needs it again, like
userN=$(scutil --get ComputerName | cut -d- -f1)
which uses cut and the - delimiter, which is what it looks like you're using in the computer name.
Another option would be to write out that name after it receives it from the admin and uses it to rename the computer, into a local file or plist, and then pick it up on the second round with cat or defaults.
Lastly, if this is all happening in one script, none of this should be necessary since the variable captured from the first user input should still be accessible in the script. Meaning you can use $username again. It should still be valid as long as it hasn't been purged.
Whichever method you use, just prompt for the password for that account in the Applescript dialog.
Posted on 03-29-2018 12:06 PM
@mm2270 Ok, last question, I promise. I want this script to only run if the FileVault2 policy has been completed.
I tried this but it doesn't seem to work on 10.13.
I tried changing the "On" to "Off" as well.
#!/bin/sh
## Check to see if the encryption process is complete
encryptCheck=fdesetup status
statusCheck=$(echo "${encryptCheck}" | grep "FileVault is On.")
expectedStatus="FileVault is On."
if [ "${statusCheck}" != "${expectedStatus}" ]; then
    echo "The encryption process has not completed, restart and try again."
    echo "${encryptCheck}"
    exit 4
fi
Posted on 03-29-2018 12:10 PM
encryptCheck=fdesetup status
is not a command, it's just a string. You either need to do it like
encryptCheck=$(fdesetup status)
or just do
statusCheck=$(fdesetup status | grep "FileVault is On.")
And then do the rest of the if/then block.
Posted on 03-29-2018 12:19 PM
@mm2270 Sorry for the dumb question how would I write that?
I want it to stop the script if the system is not encrypted.
Posted on 03-29-2018 01:43 PM
@kericson Try something like the below. I reworked it. As you had it, it wasn't capturing if the Cancel button was clicked. The revision should recognize that and exit if needed.
This should also not run if FileVault is not enabled and the machine is not encrypted.
You just need to change "<customeventtrigger>" to your actual trigger for the AD bind policy.
#!/bin/sh
function renameComputer ()
{
    # heredoc terminator on its own line so every shell closes the $( ) correctly
    username=$(/usr/bin/osascript <<EOF
tell application "System Events"
    try
        set answer to text returned of (display dialog "Please enter the domain username for the enduser of this Mac or select Cancel." default answer "johdoe")
    on error
        set answer to "null"
    end try
end tell
EOF
)
    if [ "$username" == "null" ]; then
        exit 0
    else
        #rename mac
        serial_no=$(ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformSerialNumber/{print $4}' | tail -c 5)
        computer_name="${username}-${serial_no}"
        /usr/sbin/scutil --set LocalHostName "${computer_name}"
        /usr/sbin/scutil --set ComputerName "${computer_name}"
        /usr/sbin/scutil --set HostName "${computer_name}"
        dscacheutil -flushcache
        /usr/local/bin/jamf policy -event "<customeventtrigger>"
    fi
}
statusCheck=$(fdesetup status | grep "On")
if [ ! -z "$statusCheck" ]; then
    renameComputer
else
    echo "FileVault encryption not complete"
    exit 0
fi
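An added example, not code from this thread or any of its posters, that tightens two points raised above: the dialog answer goes straight into scutil and the AD computer account as typed, and the FileVault gate greps loosely for "On". The function names (sanitize_username, last4_serial, build_computer_name, fv_is_on, apply_computer_name) are my own; the "Encryption in progress" line it rejects is assumed from fdesetup's usual status output.

```shell
#!/bin/sh
# Added example (not from the thread): validate the dialog answer before it becomes
# a host name, build <username>-<last4serial>, and read the fdesetup status strictly.
# Every function takes its input as an argument so it can be run with constructed values.

# Keep only characters legal in a LocalHostName (letters, digits, hyphen), lower-cased,
# and at most 10 of them. An answer like "Jane.Doe@corp" must not reach scutil as typed.
sanitize_username() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -cd 'a-z0-9-' | cut -c1-10
}

# Last four characters of the serial, the same piece the thread's scripts keep.
last4_serial() {
    printf '%s' "$1" | tail -c 4
}

# 10-char user + "-" + 4-char serial stays within the 15-character limit of the AD
# computer account (pre-Windows 2000 name), so the name AD stores matches the Mac's.
# Returns 1 when the answer is empty or was stripped to nothing (e.g. Cancel, "..").
build_computer_name() {
    user=$(sanitize_username "$1")
    [ -n "$user" ] || return 1
    printf '%s-%s' "$user" "$(last4_serial "$2")"
}

# Return 0 only when fdesetup reports the volume fully encrypted. The status text is
# passed in as $1. fdesetup adds an "Encryption in progress: ..." line while it is
# still encrypting (assumed from its usual output); a plain grep for "On" accepts that.
fv_is_on() {
    case "$1" in
        *"Encryption in progress"*) return 1 ;;
        "FileVault is On."*)        return 0 ;;
        *)                          return 1 ;;
    esac
}

# Set all three name records, then read ComputerName back so the policy log shows
# the value the bind step will actually see (the check mm2270 asked for above).
apply_computer_name() {
    name=$(build_computer_name "$1" "$2") || return 1
    /usr/sbin/scutil --set LocalHostName "$name"
    /usr/sbin/scutil --set ComputerName "$name"
    /usr/sbin/scutil --set HostName "$name"
    /usr/sbin/scutil --get ComputerName
}
```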