Jamf Nation Community

Thanks Steve,

I've done some testing with unload and loading as well, however since my launchd script has some other variables, that doesn't work real well either. In fact I had to do a "killall loginwindow" and then a "launchctl start /System/Library/LaunchDaemons/com.apple.loginwindow.plist" in my launchd scrtipt just to keep then window fro appearing during the script. But the delay from re-starting doesn't seem to keep the loginwindow from starting to soon. Which is why I'm looking for alternatives.

unload the loginwindow instead of killall, launchd restarts it for you if you use killall

launchctl unload /System/Library/LaunchDaemons/com.apple.loginwindow.plist
then load when ready for it

space is getting eaten and just like @stevewood said, unload it then load when done.

Well what I found using that method was the loginwindow wasn't reloading in my "else" statement if my network wasn't found. I have computers getting imaged off site I need these computers joined to AD when they get brought back to our district. So the script looks to see if it's on the network before attempting to join AD.

Here's the script.

#!/bin/bash

computerid=/usr/sbin/scutil --get LocalHostName

# Standard parameters
domain="xxx.xxxxxxx.xxx" # fully qualified DNS name of Active Directory Domain
udn="xxxxxx" # username of a privileged network user
password="xxxxxx" # password of a privileged network user
ou="OU=MacOS,DC=xxx,DC=xxxxxxx,DC=xxx" # Distinguished name of container for the computer

# Advanced options
alldomains="enable" # 'enable' or 'disable' automatic multi-domain authentication
localhome="enable" # 'enable' or 'disable' force home directory to local drive
protocol="smb" # 'afp' or 'smb' change how home is mounted from server
mobile="enable" # 'enable' or 'disable' mobile account support for offline logon
mobileconfirm="disable" # 'enable' or 'disable' warn the user that a mobile acct will be created
useuncpath="enable" # 'enable' or 'disable' use AD SMBHome attribute to determine the home dir
user_shell="/bin/bash" # e.g., /bin/bash or "none"
preferred="-preferred xxx.xxxxxx.xxx" # Use the specified server for all Directory lookups and authentication
# (e.g. "-nopreferred" or "-preferred ad.server.edu")
admingroups="xxxdomain admins,xxxenterprise admins,xxx eacher98,xxxADManagement - Computers,xxxadmin employees" # These comma-separated AD groups may administer the machine (e.g. "" or "APPLEmac admins")

### End of configuration

# Delay the login window by unloading the com.apple.loginwindow
# LaunchDaemon in /System/Library/LaunchDaemons/

launchctl unload -w /System/Library/LaunchDaemons/com.apple.loginwindow.plist

## Wait until all network services are up.
sleep 10

# Check to see if we're in the district
if ping -c 1 xxx.xxx.x.x > /dev/null; then

#make sure time is set correctly ntpdate -u time.xxxxxxx.xxx

# Activate the AD plugin defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active" plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist sleep 5

# Remove computer from OU dsconfigad -f -r -u xxxxxx -p xxxxxx sleep 5

# Bind to AD dsconfigad -f -a $computerid -domain $domain -u $udn -p "$password" -ou "$ou"

# Configure advanced AD plugin options if [ "$admingroups" = "" ]; then dsconfigad -nogroups else dsconfigad -groups "$admingroups" fi

dsconfigad -alldomains $alldomains -localhome $localhome -protocol $protocol -mobile $mobile -mobileconfirm $mobileconfirm -useuncpath $useuncpath -shell $user_shell $preferred

# Restart DirectoryService (necessary to reload AD plugin activation settings) killall DirectoryService

# Add the AD node to the search path if [ "$alldomains" = "enable" ]; then csp="/Active Directory/All Domains" else csp="/Active Directory/$domain" fi

# This works in a pinch if the above code does not defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains" defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 4 defaults write /Library/Preferences/DirectoryService/ContactsNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains" defaults write /Library/Preferences/DirectoryService/ContactsNodeConfig "Search Policy" -int 4

plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist

## Remove the script and launchd job. Be sure to delete the script. rm /Library/LaunchDaemons/com.xxxx.adbind.plist rm /usr/local/bin/adbind.bash launchctl unload -w /Library/LaunchDaemons/com.xxxx.adbind.plist

# Remove the loginwindow delay by loading the com.apple.loginwindow # LaunchDaemon in /System/Library/LaunchDaemons/

launchctl load -wF /System/Library/LaunchDaemons/com.apple.loginwindow.plist

exit 0

else

echo "District not Available Quitting"

# Remove the loginwindow delay by loading the com.apple.loginwindow # LaunchDaemon in /System/Library/LaunchDaemons/

launchctl load -wF /System/Library/LaunchDaemons/com.apple.loginwindow.plist

fi

exit 1
Thanks for any suggestions!

Just a thought but why not have a Smart group for unbound machines that are also in a certain building or on a certain network segment that then runs "jamf policy -trigger adbind" or similar and then recons.

*shrug*

I am a huge fan of bash scripting but an even bigger fan of Smart groups :)

@rmanly That would be nice if I could get the networking team to punch a hole in the firewall for the JSS. So far their last two attempts have failed and time is running out. So unfortunately these computers won't be getting Casper installed either. Therefore a Smart Group won't work. :-(

The quickadd.pkg will be installed by the same script once computers are returned to our district.

FYI Our district typically images everything in house so normally we don't have to deal with this. Because of a large volume purchase, someone thought it would be a great idea to have Apple do the imaging for us by a 3rd party contractor UGH