Mountain Lion InPlace Upgrade - Post Issue w/ CasperSSH

craig_george
New Contributor

I am having users upgrade to Mountain Lion in place; we don't do imaging on our Macs or dual-partition upgrades. The issue is that after the upgrade CasperSSH gets removed, as it's a hidden account. I found a workaround by unhiding the CasperSSH account prior to the upgrade (changing its UID to above 500); then the account is still there after the upgrade. However, when I go to re-hide the account, the Self Service application breaks, and every time you go to run a policy or application install in Self Service it prompts with "Self Service wants to make changes, type your password to allow this".

any thoughts?


eyemyth
New Contributor III

How are you hiding the account post-upgrade?

craig_george
New Contributor

Script was provided to me by the JAMF Support team:

#!/bin/sh
####################################################################################################
#
# Copyright (c) 2013, JAMF Software, LLC. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# * Neither the name of the JAMF Software, LLC nor the
# names of its contributors may be used to endorse or promote products
# derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
####################################################################################################
#
# ABOUT THIS PROGRAM
#
# NAME
# changeUserID.sh -- Change the UniqueID for the specified user
#
# SYNOPSIS
# sudo changeUserID.sh
# sudo changeUserID.sh <mountPoint> <computerName> <loginUsername> <username> <newUID>
#
# DESCRIPTION
# This script changes the UniqueID for the specified user. If the specified UID is already assigned
# to another user it will be incremented and checked to find the next available UID.
#
####################################################################################################
#
# version 1.0
# Created by Jason Van Zanten, JAMF Software, LLC, on February 21, 2013
#
# version 1.1
# Updated by Jason Van Zanten, JAMF Software, LLC, on February 22, 2013
# - Added functions for setting UID and hiding 500 users
# - Improved handling of edge case where UID = 1000
# - Improved error checking
#
####################################################################################################

# HARDCODED VARIABLES
username="CasperSSH" # Username to change UID
newuid="504" # New UID

# CHECK FOR SCRIPT PARAMETERS (Casper passes mount point, computer name and login user as $1-$3;
# the parameters are only used when the hardcoded values above are blank)
if [ "$3" != "" ] && [ "$username" == "" ]; then
    username="$3"
fi

if [ "$4" != "" ] && [ "$newuid" == "" ]; then
    newuid="$4"
fi

####################################################################################################
#
# SCRIPT CONTENTS - DO NOT MODIFY BELOW THIS LINE
#
####################################################################################################
# FUNCTIONS

# Returns 0 if $1 is an integer (printf fails on anything else)
function is_integer() {
    printf "%d" "$1" > /dev/null 2>&1
    return $?
}

# Change the UniqueID attribute of a user from $2 to $3
function setUserID() {
    username="$1"
    olduid="$2"
    testuid="$3"

    /usr/bin/dscl . change "/Users/$username" UniqueID "$olduid" "$testuid"
    error=$?
    if [ "$error" == "0" ]; then
        echo "UID for $username set to $testuid."
    else
        echo "ERROR: $error."
    fi
}

# Hide sub-500 UIDs from the login window if the user ended up below 501
function hide500Users() {
    username="$1"
    newuid="$2"
    testuid="$3"

    if [ "$newuid" -lt "501" ] && [ "$testuid" -gt "500" ]; then
        echo "Next available UID above 500. User $username will not be hidden."
    elif [ "$testuid" -le "500" ]; then
        echo "Hiding 500 users from login window..."
        /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE
    fi
}

# ERROR CHECKING
if [ "$username" == "" ]; then
    echo "ERROR: Username cannot be blank. Exiting."
    exit 1
fi

if [ "$newuid" == "" ]; then
    echo "WARN: No new UID specified. Setting to 100."
    newuid="100"
elif is_integer "$newuid"; then
    if [ "$newuid" -gt "1000" ]; then
        echo "ERROR: Script unable to set UID above 1000. Exiting."
        exit 2
    elif [ "$newuid" -gt "500" ]; then
        echo "WARN: New UID above 500. User $username will not be hidden."
    elif [ "$newuid" -lt "0" ]; then
        echo "ERROR: Script unable to set UID below 0. Exiting."
        exit 3
    fi
else
    echo "ERROR: New UID must be an integer value between 0 and 1000. Exiting."
    exit 4
fi

# FIND EXISTING UID FOR SPECIFIED USERNAME
olduid=$(/usr/bin/dscl . read "/Users/$username" UniqueID 2> /dev/null | /usr/bin/awk '{ print $2 }')

if [ "$olduid" == "" ]; then
    echo "ERROR: Existing UID not found. Exiting."
    exit 5
fi

# CHANGE UID FOR SPECIFIED USERNAME
if [ "$olduid" == "$newuid" ]; then
    # No change required
    echo "Nothing to change for $username: UID $olduid."
else
    # Change required
    echo "Attempting to change UID for $username from $olduid to $newuid..."

    # Check for availability of specified new UID (any other user already holding it)
    result=$(/usr/bin/dscl . list /Users UniqueID | /usr/bin/grep -w "$newuid" | /usr/bin/grep -v "$username")
    testuid="$newuid"

    # If new UID is unavailable, check for next available UID
    while [ "$result" != "" ] && [ "$testuid" -le "1000" ]; do
        testuid=$((testuid + 1))
        result=$(/usr/bin/dscl . list /Users UniqueID | /usr/bin/grep -w "$testuid" | /usr/bin/grep -v "$username")
    done

    # If available UID found, change UID for specified user
    if [ "$testuid" -le "1000" ]; then
        # Change UID for specified user
        setUserID "$username" "$olduid" "$testuid"

        # If necessary, hide 500 users from login window
        hide500Users "$username" "$newuid" "$testuid"
    else
        echo "No available UID between $newuid and 1000."
        echo "UID for $username left at $olduid."
    fi
fi

echo "DONE"

exit 0

eyemyth
New Contributor III

Oh lordy, look at that.

What we did was add the users to the loginwindow hidden user list instead of messing with the UIDs post upgrade.

defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add user1 user2 user3

craig_george
New Contributor

What I was originally going to do was just a quick 1-line script that changes the UID to a number I define on the command line, then do the upgrade, then run the same script but manually set the UID back to 80.

What do you recommend?

eyemyth
New Contributor III

There's no guarantee that any given UID won't be taken.

I wouldn't change the UID at all. I'd add the user to the hidden user list and be done with it.

themacdweeb
Contributor

we use installOSX.pkg developed by greg neagle:
http://managingosx.wordpress.com/2012/07/25/son-of-installlion-pkg/

but yes: starting with lion, any HIDDEN admin user will be broken and you'd need to recreate it. jamf's script renumbers the user account but we developed another approach - resetting the original, hidden user account.

the script we developed also enables java web plug-ins for older versions of java, DISables the iCloud start-up wizard, installs any available software updates that we've approved on our internal server and calls a custom trigger that fixed a few other things that the new OS install breaks: namely, installing new versions of java and flash.

our script runs as a launchd process on firstboot AFTER the new OS install has completed.

enjoy, customize, comment, lemme know.

#!/bin/sh

# copyright ©, david koff for the j. paul getty trust
# permission to use if these two lines are included

# this script runs via launchd at start-up immediately following
# the installation of a new OS utilizing OSX Lion or higher
# it deletes itself after completion but fixes several issues left by Apple:

# recreates a hidden admin account called "ard" (although you can substitute any you prefer)
# resets ard access settings
# installs any available SuS patches
# re-creates the Java prefs to auto-enable web-plug-ins (older versions of java)

#----------------------------------------------------------
#   Variables
#----------------------------------------------------------

#-----Assignments
SCRIPTNAME=$0
user405=ard

#-----Directories & Files
LOG="/Library/Logs/Your Company Installations.log" ## enter the path to whatever log file you'd prefer (keep "$LOG" quoted below, the path contains spaces)
kickstart="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"
systemsetup="/usr/sbin/systemsetup"
PlistBuddy="/usr/libexec/PlistBuddy"
login="/Library/Preferences/com.apple.loginwindow"

#-----Computations
over500=$(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }')   # every "real" (UID > 500) user
LASTUSER=$(defaults read "$login" lastUserName)                        # last user to log in
hwVers=$(system_profiler SPHardwareDataType | grep "Model Name" | awk '{ print $3 }')
MSpid=$(pgrep -f Microsoft)                                            # running Office processes, if any

#-----Dynamically Set
# ByHost preference files are named after the hardware UUID; some older Macs report a
# UUID starting 00000000-0000-1000-8000-, and for those only the lower-cased last 12 characters are used
rawUUID=$(ioreg -rd1 -c IOPlatformExpertDevice | grep -i "UUID" | cut -c27-62)
if [ "$(echo "$rawUUID" | cut -c1-24)" = "00000000-0000-1000-8000-" ]; then
    MAC_UUID=$(echo "$rawUUID" | cut -c25-36 | awk '{ print tolower($0) }')
else
    MAC_UUID="$rawUUID"
fi

#----------------------------------------------------------
#  Timestamp
#----------------------------------------------------------
echo "                                   " >> "$LOG"
echo "###################################" >> "$LOG"
echo "########## Beginning Log ##########" >> "$LOG"
echo "##### $SCRIPTNAME ######" >> "$LOG"
echo "#### $(date "+%A %m/%d/%Y %H:%M") #####" >> "$LOG"
echo "###################################" >> "$LOG"
echo "                                   " >> "$LOG"

#----------------------------------------------------------
# Admin Account Recreation
#----------------------------------------------------------

echo "---Recreate ARD account" >> "$LOG"
if [ -d "/private/var/$user405" ]; then
    echo "the ard directory is already present, no need to recreate..." >> "$LOG"
else
    mkdir "/private/var/$user405" >> "$LOG"
fi
dscl . -create "/Users/$user405" >> "$LOG"
dscl . -create "/Users/$user405" RealName "${user405}" >> "$LOG"
dscl . -create "/Users/$user405" NFSHomeDirectory "/private/var/$user405" >> "$LOG"
dscl . -create "/Users/$user405" PrimaryGroupID 405 >> "$LOG"
dscl . -create "/Users/$user405" UniqueID 405 >> "$LOG"
dscl . -create "/Users/$user405" UserShell /bin/bash >> "$LOG"
dscl . -passwd "/Users/$user405" yourpasswordhere >> "$LOG" # we cleartext the password as it changes via policy later
dscl . -append /Groups/admin GroupMembership "$user405" >> "$LOG"
chown -R "$user405" "/private/var/$user405" >> "$LOG"   # after UniqueID exists, so the name resolves
defaults write "$login" Hide500Users -bool TRUE          ### hides this user from user list and user switching
defaults write "$login" HiddenUsersList -array-add "$user405" ### hides this user from login screen

#----------------------------------------------------------
#  Disable iCloud Wizard from current & future users
#----------------------------------------------------------

for USER_TEMPLATE in "/System/Library/User Template"/*
do
    # create blank loginwindow plists if none exist
    [ -f "${USER_TEMPLATE}/Library/Preferences/com.apple.loginwindow.plist" ] || defaults write "${USER_TEMPLATE}/Library/Preferences/com.apple.loginwindow" '{}'
    [ -f "${USER_TEMPLATE}/Library/Preferences/loginwindow.plist" ] || defaults write "${USER_TEMPLATE}/Library/Preferences/loginwindow" '{}'
    defaults write "${USER_TEMPLATE}/Library/Preferences/com.apple.SetupAssistant" DidSeeCloudSetup -bool TRUE
    defaults write "${USER_TEMPLATE}/Library/Preferences/com.apple.SetupAssistant" LastSeenCloudProductVersion -string '10.8'
    echo "com.apple.SetupAssistant for the $USER_TEMPLATE now won't prompt for iCloud..." >> "$LOG"
done

for i in $over500
do
    defaults write "/Users/$i/Library/Preferences/com.apple.SetupAssistant" DidSeeCloudSetup -bool TRUE
    defaults write "/Users/$i/Library/Preferences/com.apple.SetupAssistant" LastSeenCloudProductVersion -string '10.8'
    chown "${i}":staff "/Users/$i/Library/Preferences/com.apple.SetupAssistant.plist" >> "$LOG"
    echo "com.apple.SetupAssistant for the $i account now won't prompt for iCloud..." >> "$LOG"
done

#----------------------------------------------------------
#  Modifications: ARD, SSH, Time
#----------------------------------------------------------

echo "                                   " >> "$LOG"
echo "---ARD PREFS" >> "$LOG"
"$kickstart" -activate >> "$LOG"
"$kickstart" -configure -users "$user405" -access -on -privs -DeleteFiles -TextMessages -OpenQuitApps -GenerateReports -RestartShutdown -SendFiles -ChangeSettings -clientopts -setmenuextra -menuextra no -setreqperm -reqperm yes >> "$LOG"

echo "---SSH PREFS" >> "$LOG"
"$systemsetup" -setremotelogin on >> "$LOG"

echo "---TIME PREFS" >> "$LOG"
"$systemsetup" -setusingnetworktime on >> "$LOG"
"$systemsetup" -settimezone America/Los_Angeles >> "$LOG"
"$systemsetup" -setnetworktimeserver yourdomain.timeserver.edu >> "$LOG" ## feel free to use whatever time server you like here

#----------------------------------------------------------
#  Quit apps & download updates
#----------------------------------------------------------

echo "                                   " >> "$LOG"
echo "---QUIT APPS" >> "$LOG"
killall Safari >> "$LOG" 2>&1
killall firefox-bin >> "$LOG" 2>&1
killall "Google Chrome" >> "$LOG" 2>&1
killall JavaApplicationStub >> "$LOG" 2>&1 # groupwise
killall groupwise >> "$LOG" 2>&1
[ -n "$MSpid" ] && kill $MSpid >> "$LOG" 2>&1

echo "---SUS INSTALLS" >> "$LOG"
defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL "http://xserve-timcook.getty.edu:8088/content/catalogs/others/index-mountainlion-lion-snowleopard-leopard.merged-1_pilottesters.sucatalog"
echo "Software Update Server has been set for this Mac to use reposado at: http://xserve-timcook.getty.edu:8088" >> "$LOG"
sleep 2
softwareupdate -ia >> "$LOG"

echo "Apple updates complete. Now calling a custom policy to:" >> "$LOG"
echo "install printer drivers, Java and enable Java web-plug-ins." >> "$LOG"

jamf policy -trigger UpgradeMountainLion >> "$LOG" ## this calls a custom trigger that, for us, installs a new version of java and flash

# ---------------------------------------------------------
# Enable Java Web Plug-ins
# ---------------------------------------------------------
echo "                                   " >> "$LOG"

for i in $over500
do
    echo "-----------------------------------" >> "$LOG"
    echo "For the user account: $i" >> "$LOG"
    echo "-----------------------------------" >> "$LOG"
    rm -f /Users/$i/Library/Preferences/ByHost/com.apple.java.JavaPreferences.*
    echo "JavaPrefs plist has been deleted from: $i account" >> "$LOG"
    echo "The Mac UUID has been set to: $MAC_UUID" >> "$LOG"

    # Set the "Enable applet plug-in" setting in the Java Preferences for this user
    # (written to the user in the loop, not only the last logged-in user).
    javaPrefs="/Users/$i/Library/Preferences/ByHost/com.apple.java.JavaPreferences.${MAC_UUID}.plist"

    # make sure the parent dictionaries exist; PlistBuddy does not create them for a nested Add
    "$PlistBuddy" -c "Add :GeneralByTask dict" "$javaPrefs" >> "$LOG" 2>&1
    "$PlistBuddy" -c "Add :GeneralByTask:Any dict" "$javaPrefs" >> "$LOG" 2>&1

    "$PlistBuddy" -c "Delete :GeneralByTask:Any:WebComponentsEnabled" "$javaPrefs" >> "$LOG" 2>&1
    "$PlistBuddy" -c "Add :GeneralByTask:Any:WebComponentsEnabled bool true" "$javaPrefs" >> "$LOG"
    "$PlistBuddy" -c "Delete :GeneralByTask:Any:WebComponentsLastUsed" "$javaPrefs" >> "$LOG" 2>&1
    "$PlistBuddy" -c "Add :GeneralByTask:Any:WebComponentsLastUsed real $(( $(date "+%s") - 978307200 ))" "$javaPrefs" >> "$LOG"
    chown "${i}":staff "$javaPrefs" >> "$LOG"
    echo "                                   " >> "$LOG"

done
echo "Java Web-Apps have been enabled for ALL 500+ users on this Mac." >> "$LOG"

#----------------------------------------------------------
#  Wrap-Up
#----------------------------------------------------------

# Removes the launchd item and script
echo "Pausing 2 seconds before deleting script..." >> "$LOG"
sleep 2
rm -f "$0"
echo "$0 has now been deleted." >> "$LOG"
rm -f /Library/LaunchDaemons/com.getty.NewOS1stBoot.plist
echo "The LaunchDaemon has now been deleted." >> "$LOG"


echo "                                   " >> "$LOG"
echo "###################################" >> "$LOG"
echo "############# END LOG #############" >> "$LOG"
echo "#### $(date "+%A %m/%d/%Y %H:%M") ####" >> "$LOG"
echo "###################################" >> "$LOG"
echo "                                   " >> "$LOG"

exit 0

craig_george
New Contributor

@themacdweeb - thanks for this, I'll take a look, but what do you do about the Casper SSH account? That is what is breaking for me... that account completely goes away, then I cannot use Casper Remote to screen share or push scripts, applications, etc.

rtrouton
Release Candidate Programs Tester

One thing you could do is, as part of the upgrade, copy a zip file containing a QuickAdd installer, launchdaemon and script to the Mac being upgraded.

The script would do the following:

  1. Unzip the QuickAdd
  2. Run the QuickAdd installer (putting back your user account along with any other missing bits.)
  3. Delete the zip and QuickAdd installer.
  4. Delete the launchdaemon
  5. Delete itself.

The launchdaemon would trigger the script to run at first boot.
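Putting the five steps above together as working code: this is an added example, not rtrouton's or Jamf's own, of the LaunchDaemon plist and the first-boot script it runs. The label com.example.firstboot-quickadd, the staging directory under /Library/Application Support/Example, the QuickAdd.zip and QuickAdd.pkg names and the log path are assumptions to adjust for your site. The script removes the LaunchDaemon and itself so it can only run once, and if the installer fails it stops before the cleanup steps so the staged files are still there to inspect.

```shell
#!/bin/sh
# Added example (not rtrouton's code): a first-boot LaunchDaemon plus the script
# it runs. Label, staging directory, zip/pkg names and log path are assumptions.
LABEL="com.example.firstboot-quickadd"
STAGE_DIR="/Library/Application Support/Example/firstboot"
QUICKADD_ZIP="QuickAdd.zip"
QUICKADD_PKG="QuickAdd.pkg"
SCRIPT_PATH="$STAGE_DIR/firstboot.sh"

# Print the LaunchDaemon plist. RunAtLoad starts the script at every boot;
# the script deletes this plist on success, so in practice it runs once.
write_launchdaemon_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$LABEL</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>$SCRIPT_PATH</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# Print the first-boot script. Site values are baked in now; anything written
# as \$... below is evaluated when the script runs at boot.
write_firstboot_script() {
    cat <<EOF
#!/bin/sh
LOG="/var/log/firstboot-quickadd.log"
STAGE_DIR="$STAGE_DIR"
PLIST="/Library/LaunchDaemons/$LABEL.plist"
log() { echo "\$(date '+%Y-%m-%d %H:%M:%S') \$*" >> "\$LOG"; }

# 1. Unzip the QuickAdd
cd "\$STAGE_DIR" || { log "staging dir missing"; exit 1; }
/usr/bin/unzip -o "$QUICKADD_ZIP" -d "\$STAGE_DIR" >> "\$LOG" 2>&1 || { log "unzip failed"; exit 1; }

# 2. Run the QuickAdd installer (puts back the management account and the jamf binary)
if /usr/sbin/installer -pkg "\$STAGE_DIR/$QUICKADD_PKG" -target / >> "\$LOG" 2>&1; then
    log "QuickAdd installed"
else
    log "QuickAdd install failed; leaving staged files in place for inspection"
    exit 1
fi

# 3. Delete the zip and the QuickAdd installer
rm -rf "\$STAGE_DIR/$QUICKADD_ZIP" "\$STAGE_DIR/$QUICKADD_PKG"

# 4. Delete the LaunchDaemon so this never runs again
rm -f "\$PLIST"

# 5. Delete this script
rm -f "\$0"
log "first-boot QuickAdd job finished"
EOF
}

# Install both pieces; run as root on the Mac before the upgrade reboots it.
install_firstboot() {
    mkdir -p "$STAGE_DIR"
    write_firstboot_script > "$SCRIPT_PATH"
    chmod 755 "$SCRIPT_PATH"
    write_launchdaemon_plist > "/Library/LaunchDaemons/$LABEL.plist"
    chown root:wheel "/Library/LaunchDaemons/$LABEL.plist"
    chmod 644 "/Library/LaunchDaemons/$LABEL.plist"
}

# Only install when explicitly asked (sh firstboot-setup.sh --install).
if [ "${1-}" = "--install" ]; then
    install_firstboot
fi
```

Copy QuickAdd.zip into the staging directory alongside the generated script before the upgrade; launchd picks the plist up at the first boot of the new OS because it lives in /Library/LaunchDaemons and has RunAtLoad set. Ordering matters in the generated script: the cleanup steps only run after the installer has returned success, so a failed reinstall leaves the evidence on disk rather than silently deleting it.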

themacdweeb
Contributor

craig,

just re-read my post and my script. this isn't about your casperSSH account. it's about ANY hidden admin account as ALL hidden admin accounts will disappear after deploying lion or above. our solution: re-create that account. my script does that for our admin account. you can customize it to recreate your account.

d

msardes
New Contributor III

What's the process to make it "our script runs as a launchd process on firstboot AFTER the new OS install has completed"?