Jamf Nation Community

I got this one from Zach over at Puppet.

#!/bin/bash
declare -x perl="/usr/bin/perl"
declare -x date="/bin/date"
declare -xi FIRST_BOOT_EPOCH="$($perl -e 'print ((stat($ARGV[0]))[9]);' /var/db/SystemKey)"
declare -x  FIRST_BOOT_GUESS="$($date -r $FIRST_BOOT_EPOCH "+%Y-%m-%d %H:%M:%S")"

printf "<result>%s</result>
" "$FIRST_BOOT_GUESS"

Zach's explanation: "So this is a bit of a hard one, as to my knowledge asr does not store this data in the file system itself, and if you used a OSInstall.mpkg the /var/log/install.log might be rotated by the time the script runs. So I think you would have to do this in directly. My first impulse was to look at the /System directory, but then it occurred to me that the date there comes from the image not the first boot. So the best I could come up with would be the date the key for your system keychain was generated as this should happen at first boot most days."

We have some users who have their own OS and few we image. Machine we image has a plist which has the Installed date(we query the date from plist)... but we have to determine the OS Install date of the own OS installed by the user..

@jhbush1973 Nice...

$ ./test.sh 
<result>2011-10-24 13:38:35</result>
$

@jhbush1973 Circling back a few years later...we've been using:

#!/bin/bash
echo "<result>`ls -l /var/db/SystemKey | cut -d' ' -f 9-13`</result>"

Test (different machine than previous post):

$ ls -l /var/db/SystemKey | cut -d' ' -f 9-13
Oct  5  2015

Love these EA scripting posts!

So, I never did this in my environment, but, if I had, even though about 30% of my users had full admin privileges the vast majority of them would have never messed with changing date / time stamps on files. In light of this it seems to me that a pretty good indication of when a computer was imaged would be when the top level directory

/

was created.

All files on the OS X file system (or any UNIX) have an inode number, therefore, all files have a built in chronology of creation independent of date / time. Here's a command you could run to get this information:

/usr/bin/find / -maxdepth 1 -inum 2 -exec stat -f %B {} ;

That's using find to search the top level directory for a file with an inode number of 2 (which just so happens to be the inode number of)

/

without searching into any directories below that, then, using the stat command to show the inode birth date in seconds (or epoch time.) On my computer the result is:

But we can do better...

#!/bin/bash

# determine the inode birth date for / then convert seconds to "WeekdayName MonthName DD YYYY" format

eval $(/usr/bin/stat -s /)
result=$(/bin/date -j -f "%s" "$st_birthtime" "+%a %b %d %Y")
echo "<result>$result</result>"

# /usr/bin/find / -maxdepth 1 -inum 2 -exec stat -f %B {} ;
# result=$(/bin/date -j -f "%s" "$st_birthtime" "+%Y%m%d")

This uses eval with a handy feature of stat: shell output. It sets the values stat outputs as shell variables so they can be used in a script! I wish more binaries had this feature. The value we need is $st_birthtime, i.e., the inode birth date. I'm also using the date command to convert the seconds into a human-readable date.

You could replace that line with the line I have commented at the bottom if you wanted a YYYYMMDD format instead. You may proceed with telling me why this is a bad idea but it still has some fun stuff in it. Enjoy!

Hmmm...my MBPr was imaged on Oct 5, 2015, but your script gives me:

$ /tmp/test.sh 
<result>Thu Nov 20 2014</result>

That actually makes sense to me: the OS is copied into the top level directory. :)

So, any suggestions out there? What would be the definitive directory to check inode birth date? Here are 2 other very low inode numbers.

1 last thing @donmontalvo -

If you run this instead does it match your last imaged date? Thanks!

#!/bin/bash

# determine the inode birth date for /System/ then convert seconds to "WeekdayName MonthName DD YYYY" format

eval $(/usr/bin/stat -s /System/)
result=$(/bin/date -j -f "%s" "$st_birthtime" "+%a %b %d %Y")
echo "<result>$result</result>"

So, read back carefully through this post & tested some results:

On my computer

/usr/bin/stat -s /var/db/SystemKey

outputs a converted date of Sun Aug 30 2015. All of these, however

/usr/bin/stat -s /var/db/install.log /var/db/.AppleSetupDone /System/Library/CoreServices/.disk_label.contentDetails | awk '{print $12}'

return Thu Apr 23 2015. This means that my System Keychain was generated again after my OS install. It has also been recreated several times since then, so, I don't think it's the definitive file to look at...

The install log file on my system has inode number 27 - pretty low. But, I was not thinking about this correctly when I started, e.g. my /System folder has inode number 36, but, stat -s shows it has an inode birthdate of Tue Sep 09 2014 - 8 months before the creation of the install.log & .AppleSetupDone (files that I know for certain were created at the time of the install.) inodes apparently don't change when a file or directory is copied to a new location on the same filesystem, meaning, DURING IMAGING. Unfortunately, as mentioned above the install.log file might not be definitive because of rolling over. .AppleSetupDone might not be either, say, in the case where a computer was imaged but shelved & not used for some period of time.

Still looking for the right way to do this. :)

Hi Guys,

how about we check the install.log? It logs when you install the os in the first line

#!/bin/sh
head -1 /var/log/install.log | awk -F " " '{print $1, $2}'

logs are great & sure.

This EA wasn't my idea :) , but, my understanding of what was wanted was something independent of the log entries. I think I have the best candidate file. Posting later... Thanks!