I already posted a somehow working, but solving it only in a quick and dirty way, script for this.
But over the course of the last few weeks i finally had some time to create something that worked a bit better and allows some troubleshooting.
Before using this keep in mind that it needs some Prerequisites fulfilled to work (all of them are also listed in the script) and you need to change line 34 to have your JamfServeradress in it. Beside this if you already switched to Bearertoken Authentication you need to do some changes to the setextensionattribute function to get a BearerToken and constructing the API-Call including it.
Prerequisites are:
1. Known Adminaccount from PreStage
2. API-Account with enough Privileges to write Extension Attributes
3. 2 Policies, first one to delete the Adminaccount (Customtrigger: accountdeletion) and a Second one to recreate it (Customtrigger accountcreation).
4. EA named autobootstrap (if you use a different name you need to change it in Line 36)
This script then is run in a Policy set to run with the Triggers "Enrollment Complete" and Check-In (for retry)
Excluding Computers that already have a BootstrapToken or the EA autobootstrap not being emtpy/retry
The script:
#!/bin/bash
# Author: Mengert, Florian (Ismere), Free University of Berlin
# Co-Author: TKu, Free University of Berlin
#
# This Scripts does a background Terminallogin to get a secureToken and escrowing bootstrap
# Intended Usage for ZeroTouch Enrollments with central Backupadmins, securing the secureToken on them
#
# Prerequisits:
# 1. Known Adminaccount
# 2. Known API-Account (EA write permissions)
# 3. Policy to delete and create account (customtrigger: accountdeletion ; accountcreation )
# 4. Extension Attribute to save status (StringValues Dropdown: success retry failed error
# Suggestion for Scope: SmartGroup with empty EA-Value or retry
# Suggested Trigger: Enrollment Complete and Recurring Check-in
# Retrying may repeat indefinetly if there is a generall problem with the connection to JAMF-Server
#
# ERROR CODES
# 0 everything worked
# 1 non defined error
# 11 wrong admin user or password - accound maybe corrupt -> JAMF policy called by trigger accountdeletion & accountcreation
# 12 adminaccount without secureToken
# 13 could not save Bootstrap to Server (retry recommended)
# global variables from JAMF
admin="${4}"
pass="${5}"
apiUsername="${6}"
apiPassword="${7}"
# function to set extensionAttributes in JAMF (User/Pass Auth)
setextensionattribute() {
# Variables
apiURL="yourJAMFServerURL" # JSS URL without trailing forward slash
eaName=autobootstrap # Name of Extension Attribute
eaValue="$1" # Value for Extension Attribute
computerUDID=$(/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/awk '/Hardware UUID:/ { print $3 }')
# Construct the API data
apiData="<computer><extension_attributes><extension_attribute><name>${eaName}</name><value>${eaValue}</value></extension_attribute></extension_attributes></computer>"
apiPut=`curl -H "Content-Type: text/xml" -sfu ${apiUsername}:${apiPassword} ${apiURL}/JSSResource/computers/udid/${computerUDID} -d "${apiData}" -X PUT`
# Execute API Call
/bin/echo ${apiPut}
}
# function wrap expect script
securebootstrap() {
expect <<EOD
#using globaly defined arguments
#starting login process
spawn login $admin
#waiting for password question and entering password
expect {
"Password:" {send "$pass\\r"}
"Login incorrect" {exit 11}
}
#checking for secureToken
send "sysadminctl -secureTokenStatus $admin\\r"
expect {
-re "ENABLED" {send "sudo profiles install -type bootstraptoken\\r"}
-re "DISABLED" {exit 12}
}
#interaction for creating Bootstraptoken
expect "Password:"
send -- "$pass\\r"
expect "Enter the admin user name:"
send -- "$admin\\r"
expect "Enter the password for user 'admin':"
send -- "$pass\\r"
#check for success or retry
expect {
-re "Bootstrap Token escrowed" {send "logout\\r"}
-re "Unable to save" {exit 13}
}
exit 0
EOD
}
# trying to create bootstrap 1st attempt
securebootstrap
# get last error code to check result
check1=$?
echo $check1
if [ $check1 -eq 11 ]
then
# defined account not found or not working recreating account for 2nd attempt
sudo jamf policy -event accountdeletion
sudo jamf policy -event accountcreation
# 2nd attempt
securebootstrap
#getting new errorcode, retaining old one for sanity
check2=$?
echo $check2
if [ $check2 -eq 13 ]
then
# could not save
setextensionattribute retry
exit 13
elif [ $check2 -eq 12 ]
then
# secureToken missing
setextensionattribute failed
exit 12
elif [ $check2 -ne 0 ]
then
# undefined error
setextensionattribute error
exit 1
else
# created
setextensionattribute success
exit 0
fi
elif [ $check1 -eq 12 ]
then
# secureToken missing
setextensionattribute failed
exit 12
elif [ $check1 -eq 13 ]
then
# could not save
setextensionattribute retry
exit 13
elif [ $check1 -ne 0 ]
then
# undefined error
setextensionattribute error
exit 1
else
# success
setextensionattribute success
exit 0
fi
Hopefully this will help some more Admins out there.
Greetings Ismere