- Jamf Nation Community
- Products
- Jamf Pro
- Extension Attribute - Identity Cert
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-18-2024 08:20 AM
Good morning!
Relatively new and inexperienced MAC admin, so please be gentle and feel free to talk to me like you're talking to a 5th grader!
In troubleshooting MDM communication with a large number of our Macs, the support tech I was working with suggested adding some EA's to assist in seeing what was going on. It definitely helped to identify and point us to a resolution, but one of them doesn't appear to be working the way I think it should? Note, that my background is mostly Windows enterprise, not any Bash, so I'm not sure exactly how to troubleshoot and resolve to get this particular EA to display what I want.
Here's what was provided:
#!/bin/bash
theIDs=$(security find-identity -v | awk '{print $3}' | tr -d '"' | grep -E '^[A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{12}$')
echo "$theIDs"
if [ -z "$theIDs" ]; then
echo <result>"ERROR - No keychain identities matching a UUID found on this system.</result>"
exit 1
else
echo "At least one keychain identity found on this system, proceeding..."
fi
for i in $theIDs; do
info=$(security find-certificate -c "$i" | grep issu | awk '{print $4, $5, $6, $7}' | tr -d '"')
echo "$info"
if [[ "$info" == 'JSS BUILT-IN CERTIFICATE AUTHORITY' ]]; then
expiry=$(security find-certificate -c "$i" -p | openssl x509 -noout -enddate | cut -f2 -d"=")
echo "<result>$i;$expiry</result>"
exit 0
fi
done
echo "<result>ERROR - No keychain certificates matching an MDM profile were detected.</result>"
exit 1
So when I am parsing this out in my simple brain, I think it's:
1) Setting the environment to the Bash shell
2) Querying the security environment to get certificates, then it takes the 3rd value, which is a string, trims the quotes, and searches for values with the regular expression values (looking for a string with 8char-4char-4char-4char-12char. Displays that value.
3) If it doesn't find this certificate, then it displays an error.
4) Otherwise, it says it found at least one and proceeds.
5) Loops through as many certs as it found, pulls certain attributes, trims them, searches for the specific one related to MDM communication/identity and outputs the deets to the EA.
Problem: Even when pulled from machines that communicate correctly, this returns that there are no certificates found. I've tried running it (as is) in terminal on my test Mac, and it returns values for #1 and #2 above, but does NOT give me anything after that.
In searching through the forum, I found this, which looks similar, but has slight differences:
theIDs=$(security find-identity -v | awk '{print $3}' | tr -d '"' | grep -E '^[A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{12}$')
if [[ -z "$theIDs" ]]
then
echo "<result>ERROR - No Keychain identities matching a UUID found on this system.</result>"
else
for i in $theIDs
do
info=$(security find-certificate -c "$i" | grep issu | awk '{print $6, $7, $8, $9}' | tr -d '"')
if [[ $info == *"BUILT-IN CERTIFICATE AUTHORITY"* ]]
then
expiry=$(security find-certificate -c "$i" -p | openssl x509 -noout -enddate | cut -f2 -d"=")
echo "<result>$theIDs + $expiry</result>"
fi
done
fi
Can anyone tell me what I'm doing wrong?
Thanks, and sorry for the long post!
Solved! Go to Solution.
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-18-2024 11:39 AM
I was given the same EA when I asked for help to be able to auto-detect Macs that are having issues with MDM. I made some modifications to make it easier to create a smart group. I wanted to have either "success" or "fail" to be the result. This might make this easier for you.
#!/bin/bash
theIDs=$(security find-identity -v | awk '{print $3}' | tr -d '"' | grep -E '^[A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{12}$')
echo $theIDs
if [ -z "$theIDs" ]; then
echo "<result>"Failed"</result>"
exit 1
else
echo "At least one keychain identity found on this system, proceeding..."
fi
for i in $theIDs; do
info=$(security find-certificate -c "$i" | grep issu | awk '{print $3, $4, $5, $6, $7}' | tr -d '"')
echo $info
if [[ $info == *"BUILT-IN CERTIFICATE AUTHORITY"* ]]; then
echo "found you!"
expiry=$(security find-certificate -c "$i" -p | openssl x509 -noout -enddate | cut -f2 -d"=")
echo "<result>"Success"</result>"
fi
done
exit 1
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-18-2024 11:39 AM
I was given the same EA when I asked for help to be able to auto-detect Macs that are having issues with MDM. I made some modifications to make it easier to create a smart group. I wanted to have either "success" or "fail" to be the result. This might make this easier for you.
#!/bin/bash
theIDs=$(security find-identity -v | awk '{print $3}' | tr -d '"' | grep -E '^[A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{12}$')
echo $theIDs
if [ -z "$theIDs" ]; then
echo "<result>"Failed"</result>"
exit 1
else
echo "At least one keychain identity found on this system, proceeding..."
fi
for i in $theIDs; do
info=$(security find-certificate -c "$i" | grep issu | awk '{print $3, $4, $5, $6, $7}' | tr -d '"')
echo $info
if [[ $info == *"BUILT-IN CERTIFICATE AUTHORITY"* ]]; then
echo "found you!"
expiry=$(security find-certificate -c "$i" -p | openssl x509 -noout -enddate | cut -f2 -d"=")
echo "<result>"Success"</result>"
fi
done
exit 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-18-2024 12:36 PM
Awesome, thanks Howie. This did the trick!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-18-2024 12:45 PM
I'm glad it helped. Here are two more.
This one checks for a valid APNS certificate:
#!/bin/bash
APNS_certificate=`/usr/sbin/system_profiler SPConfigurationProfileDataType | awk '/Topic/{ print $NF }' | sed 's/[";]//g'`
if [[ "$APNS_certificate" = "" ]]; then
echo "<result>"Bad"</result>"
else
echo "<result>"Good"</result>"
fiThis one checks for MDM communication failures:
#!/bin/bash
result=$(log show --style compact --predicate '(process CONTAINS "mdmclient")' --last 1h | grep "Unable to create MDM identity")
if [[ $result == '' ]]
then
echo "<result>"Good"</result>"
else
echo "<result>"Bad"</result>"
fiI used these two plus the one from my earlier post to create two smart groups. One group is for bad MDM and other is for good MDM. A failure of any of the criteria is MDM bad. To be "good", the computers must pass all of the checks. Extension Attributes are available in the "advanced" criteria when creating a smart group.
