Posted on 03-03-2022 02:05 PM
I'm going to mass deploy Duo for our Macs. Duo has documentation on how to deploy to a single machine:
For mass deployment I need to make a policy and have some scripting in the policy. Duo provides this script:
#!/bin/bash
# Usage: configure_maclogon.sh /path/to/maclogon-x.x.pkg
# NOTE: The path to the MacLogon package is optional.
# This script will look for a package to configure
# in the current working directory if not provided.

version="1.1.0"

echo "Duo Security Mac Logon configuration tool v${version}."
echo "See https://duo.com/docs/macos for documentation"

read_bool() {
    local bool_val
    read -r bool_val
    while ! [[ "$bool_val" == "true" || "$bool_val" == "false" ]]; do
        read -rp "Invalid value. Enter true or false: " bool_val
    done
    echo "$bool_val"
}

# if a package was passed in, always use it
if [[ $# -ge 1 ]]; then
    pkg_path=$1
else
    # otherwise try to find the default package in this dir
    pkgs=( $(find . -name 'MacLogon-NotConfigured-*.pkg') )
    num_pkgs=${#pkgs[@]}
    if [[ "$num_pkgs" -eq "1" ]]; then
        pkg_path=${pkgs[0]}
    elif [[ "$num_pkgs" -eq "0" ]]; then
        echo "No packages found. Please provide a package."
        exit 1
    else
        echo "Multiple packages found. Please specify one."
        echo "Usage: configure_maclogon.sh /path/to/MacLogon-NotConfigured-x.x.pkg"
        exit 1
    fi
fi

if [ ! -f "${pkg_path}" ]; then
    echo "No package found at $pkg_path. Exiting."
    exit 1
fi

echo -n "Enter ikey: "
read -r ikey
echo -n "Enter skey: "
read -r skey
echo -n "Enter API Hostname: "
read -r host
echo -n "Should fail open (true or false): "
fail_open=$(read_bool)
echo -n "Should bypass 2FA when using smartcard (true or false): "
smartcard_bypass=$(read_bool)
echo -n "Should auto push if possible (true or false): "
auto_push=$(read_bool)

pkg_dir=$(dirname "${pkg_path}")
pkg_name=$(basename "${pkg_path}" | awk -F\. '{print $1 "." $2}')
tmp_path="/tmp/${pkg_name}"

echo -e "\nModifying ${pkg_path}...\n"
pkgutil --expand "${pkg_path}" "${tmp_path}"

echo -e "Updating config.plist ikey, skey, host, fail_open, smartcard_bypass, and auto_push config...\n"
defaults write "${tmp_path}"/Scripts/config.plist ikey -string "${ikey}"
defaults write "${tmp_path}"/Scripts/config.plist skey -string "${skey}"
defaults write "${tmp_path}"/Scripts/config.plist host -string "${host}"
defaults write "${tmp_path}"/Scripts/config.plist fail_open -bool "${fail_open}"
defaults write "${tmp_path}"/Scripts/config.plist smartcard_bypass -bool "${smartcard_bypass}"
defaults write "${tmp_path}"/Scripts/config.plist auto_push -bool "${auto_push}"
plutil -convert xml1 "${tmp_path}/Scripts/config.plist"

out_pkg="${pkg_dir}/MacLogon-${version}.pkg"
echo -e "Finalizing package, saving as ${out_pkg}\n"
pkgutil --flatten "${tmp_path}" "${out_pkg}"

echo -e "Cleaning up temp files...\n"
rm -rf "${tmp_path}"

echo -e "Done! The package ${out_pkg} has been configured for your use."
exit 0
I know some changes need to be made to answer the prompts, but I'm not sure how. How can I add a line at the end to open the newly formed PKG?
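One way to answer the six prompts without a terminal and then install the result, as an added example that is not part of this thread or of Duo's documentation; the /path/to/duo directory and the IKEY/SKEY/HOST values are placeholders:

```shell
#!/bin/bash
# Added example (not Duo's or Jamf's code): drive Duo's configure_maclogon.sh
# non-interactively by feeding its prompts on stdin, then install the
# resulting package with the macOS installer CLI.
# Assumption: configure_maclogon.sh and the MacLogon-NotConfigured-*.pkg
# both sit in the directory passed as the first argument.
set -euo pipefail

# Emit the answers in the exact order the Duo script reads them:
# ikey, skey, host, fail_open, smartcard_bypass, auto_push.
duo_answers() {
    local ikey=$1 skey=$2 host=$3 fail_open=$4 smartcard_bypass=$5 auto_push=$6
    local b
    for b in "$fail_open" "$smartcard_bypass" "$auto_push"; do
        # read_bool in Duo's script re-prompts until it sees true/false; with
        # no terminal that would hang the policy, so reject bad values up front.
        [[ "$b" == "true" || "$b" == "false" ]] || { echo "bad boolean: $b" >&2; return 1; }
    done
    printf '%s\n' "$ikey" "$skey" "$host" "$fail_open" "$smartcard_bypass" "$auto_push"
}

configure_and_install() {
    local workdir=$1; shift
    local unconfigured configured
    unconfigured=$(find "$workdir" -maxdepth 1 -name 'MacLogon-NotConfigured-*.pkg' | head -n1)
    [[ -f "$unconfigured" ]] || { echo "no NotConfigured package in $workdir" >&2; return 1; }

    # Duo's script writes MacLogon-<version>.pkg next to the input package.
    duo_answers "$@" | bash "$workdir/configure_maclogon.sh" "$unconfigured"
    configured=$(find "$workdir" -maxdepth 1 -name 'MacLogon-[0-9]*.pkg' | head -n1)
    [[ -f "$configured" ]] || { echo "configured package was not produced" >&2; return 1; }

    # The configured package carries ikey/skey in Scripts/config.plist in clear
    # text, so install it and remove it instead of leaving it on disk.
    installer -pkg "$configured" -target /
    rm -f "$configured"
}

# Example invocation (placeholders; the policy runs this as root):
# configure_and_install /path/to/duo \
#     IKEY_PLACEHOLDER SKEY_PLACEHOLDER api-XXXXXXXX.duosecurity.com true false true
```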
Posted on 03-04-2022 05:05 AM
Unless you need something in this installer to be client specific, it appears you can just run this script locally on your machine and then deploy the PKG out to your end users using a policy. Just be aware that if your Gatekeeper settings don't allow unsigned packages, it will fail to install.
Posted on 03-04-2022 06:01 AM
Thank you. I appreciate the insight.