Solved

Extension attribute script works locally but not via Jamf

7 years ago
May 14, 2018
4 replies
15 views

+6

michaelherrick
Contributor
27 replies

Hi Everyone,

I'm working on an EA to check for the presence of a particular cert in the user's Login keychain.:

1#!/bin/bash
2currentUser=`stat -f '%Su' /dev/console`
3echo "Current username is $currentUser"
4
5fullName=$(dscl . read /Users/`whoami` RealName | grep -v RealName | cut -c 2-)
6echo "Full Name is: $fullName"
7
8firstName=$(echo $fullName | awk '{print $1;}')
9echo "First Name is: $firstName"
10
11CERTNAME=$firstName
12echo "Cert Name is $CERTNAME"
13
14if [[ `security find-certificate -c $CERTNAME /Users/$currentUser/Library/Keychains/login.keychain` ]]; then
15   echo "<result>Installed</result>"
16else
17  echo "<result>Not Installed</result>"
18fi
19exit 0

Basically, the certificate we're looking for always has the user's first name. The script returns the proper result (Installed) when I run the script locally on my Mac, but always returns "Not Installed" when deployed as an EA. Has anyone else ran in to this behavior before? At first I thought it was the "currentUser" variable not setting correctly, but even when I plug in a defined user folder in the if statement , the EA returns "Not Installed"

-Mike

Best answer by thoule

Well, you've got 'whoami' in there, so that's going to return 'root' when run via jamf. Perhaps you meant to put currentUser in there?

I'd also recommend you use a full path when calling applications such as security ('/usr/bin/security')

View original

Did this topic help you find an answer to your question?

T

+15

thoule
Contributor
589 replies
Answer
7 years ago
May 14, 2018

Well, you've got 'whoami' in there, so that's going to return 'root' when run via jamf. Perhaps you meant to put currentUser in there?

I'd also recommend you use a full path when calling applications such as security ('/usr/bin/security')

M

N

+11

NowAllTheTime
Valued Contributor
120 replies
7 years ago
May 14, 2018

Does the script work if you run the script locally while logged in as a different user than the user who you are trying to inventory the certificate for? My thought is it will also fail in that scenario. I think the only reason it is succeeding in your local test is that your login keychain is already unlocked so you can read from it without any issues. To be able to search within another user's login keychain you need to unlock that keychain with their login keychain password. I'm assuming you don't (and should not) know the login keychain passwords of your users, so you cannot unlock their login keychains and search within them. It is my understanding that this is by design even with root privileges.

M

+12

mjhersh
Contributor
37 replies
7 years ago
May 14, 2018

There are dark forces at work with keychains. It's not enough to run it as a given user, and it's not enough to run it in the user's context. It takes multiple steps of contortions to go from the headless root environment of the Jamf client into proper userland where the security command will actually work.

This is how I solved a very similar problem, and I suspect it will work for you as well:

1currentUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
2");'`
3
4uid=`id -u $currentUser`
5
6launchctl asuser $uid su $currentUser -c "/usr/bin/security find-certificate -c $CERTNAME /Users/$currentUser/Library/Keychains/login.keychain"

Tested in Sierra and High Sierra.

B

+15

bwiessner
Valued Contributor
135 replies
7 years ago
May 14, 2018

@michaelherrick I got this to work - hope it helps.

1#!/bin/bash
2
3consoleuser=$(ls -l /dev/console | cut -d " " -f4)
4
5firstName=$(dscl . read /Users/$consoleuser RealName | grep -v RealName | cut -c 2- | awk '{ print $1 }')
6echo $firstName
7
8if [[ `security find-certificate -c $firstName /Users/$consoleuser/Library/Keychains/login.keychain` ]]; then
9   echo "<result>Installed</result>"
10else
11  echo "<result>Not Installed</result>"
12fi
13exit 0

Hi Everyone,

I'm working on an EA to check for the presence of a particular cert in the user's Login keychain.:

1#!/bin/bash
2currentUser=`stat -f '%Su' /dev/console`
3echo "Current username is $currentUser"
4
5fullName=$(dscl . read /Users/`whoami` RealName | grep -v RealName | cut -c 2-)
6echo "Full Name is: $fullName"
7
8firstName=$(echo $fullName | awk '{print $1;}')
9echo "First Name is: $firstName"
10
11CERTNAME=$firstName
12echo "Cert Name is $CERTNAME"
13
14if [[ `security find-certificate -c $CERTNAME /Users/$currentUser/Library/Keychains/login.keychain` ]]; then
15   echo "<result>Installed</result>"
16else
17  echo "<result>Not Installed</result>"
18fi
19exit 0

Basically, the certificate we're looking for always has the user's first name. The script returns the proper result (Installed) when I run the script locally on my Mac, but always returns "Not Installed" when deployed as an EA. Has anyone else ran in to this behavior before? At first I thought it was the "currentUser" variable not setting correctly, but even when I plug in a defined user folder in the if statement , the EA returns "Not Installed"

-Mike

Page 1 / 1

Well, you've got 'whoami' in there, so that's going to return 'root' when run via jamf. Perhaps you meant to put currentUser in there?

I'd also recommend you use a full path when calling applications such as security ('/usr/bin/security')

Does the script work if you run the script locally while logged in as a different user than the user who you are trying to inventory the certificate for? My thought is it will also fail in that scenario. I think the only reason it is succeeding in your local test is that your login keychain is already unlocked so you can read from it without any issues. To be able to search within another user's login keychain you need to unlock that keychain with their login keychain password. I'm assuming you don't (and should not) know the login keychain passwords of your users, so you cannot unlock their login keychains and search within them. It is my understanding that this is by design even with root privileges.

There are dark forces at work with keychains. It's not enough to run it as a given user, and it's not enough to run it in the user's context. It takes multiple steps of contortions to go from the headless root environment of the Jamf client into proper userland where the security command will actually work.

This is how I solved a very similar problem, and I suspect it will work for you as well:

1currentUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
2");'`
3
4uid=`id -u $currentUser`
5
6launchctl asuser $uid su $currentUser -c "/usr/bin/security find-certificate -c $CERTNAME /Users/$currentUser/Library/Keychains/login.keychain"

Tested in Sierra and High Sierra.

@michaelherrick I got this to work - hope it helps.

1#!/bin/bash
2
3consoleuser=$(ls -l /dev/console | cut -d " " -f4)
4
5firstName=$(dscl . read /Users/$consoleuser RealName | grep -v RealName | cut -c 2- | awk '{ print $1 }')
6echo $firstName
7
8if [[ `security find-certificate -c $firstName /Users/$consoleuser/Library/Keychains/login.keychain` ]]; then
9   echo "<result>Installed</result>"
10else
11  echo "<result>Not Installed</result>"
12fi
13exit 0

Extension attribute script works locally but not via Jamf

4 replies

Reply

Most helpful members this week

Cookie policy

Cookie settings

Reply

Related topics

Loop through 2 arrays with bashicon

Loop through files bash helpicon

CURL JAMF API URL Erroricon

Extension Attribute for Document Folder Sizeicon

Little scripting help (checking variables against array in bash)icon

Most helpful members this week

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded

Cookie policy

Cookie settings