04-20-2023 09:37 AM - edited 04-20-2023 09:37 AM
We are working on a Secure Token policy and have traced the issue to the Parameter Labels not resolving.
Here is the script we made to test it:
#!/bin/sh
## Pass the credentials for an admin account that is authorized with FileVault 2
adminName=$4
adminPass=$5
userName=$3
## Prompt for Password
userPass=$(/usr/bin/osascript<<END
application "System Events"
activate
set the answer to text returned of (display dialog "IT needs to Activate Encryption, Please Enter your Password:" default answer "" with hidden answer buttons {"Continue"} default button 1)
END
)
# create the plist file:
echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>'$adminName'</string>
<key>Password</key>
<string>'$adminPass'</string>
<key>AdditionalUsers</key>
<array>
<dict>
<key>Username</key>
<string>'$userName'</string>
<key>Password</key>
<string>'$userPass'</string>
</dict>
</array>
</dict>
</plist>' > /Library/ITS/credstest.txt
exit 0
Here is the result:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string></string>
<key>Password</key>
<string></string>
<key>AdditionalUsers</key>
<array>
<dict>
<key>Username</key>
<string>myusernamecorrect</string>
<key>Password</key>
<string>typedpassword</string>
</dict>
</array>
</dict>
</plist>
Am I just too tired that I am missing something here?
TIA
JB
04-20-2023 10:53 AM - edited 04-20-2023 10:55 AM
@justin_beek Just on a quick glance you shouldn't be using '$variable' as single quotes don't evaluate the expression - if you want the contents of the variable to replace $variable it needs to be double quoted (e.g. "$variable")
You'd also want to use double quotes when reading parameters since adminName=$4 won't work well for you if parameter 4 has spaces, but adminName="$4" will
Posted on 04-20-2023 11:07 AM
I added double quotes to the read even though I don't have spaces.
Not sure what your other comment means.
If I change the script to
<key>Username</key>
<string>"$adminName"</string>
It literally writes it:
<key>Username</key>
<string>"$adminName"</string>
Posted on 04-20-2023 11:13 AM
I simplified the task:
#!/bin/sh
## Pass the credentials for an admin account that is authorized with FileVault 2
adminName="$4"
echo $adminName
# create the plist file:
echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>'$adminName'</string>
</dict>
</plist>' > /Library/ITS/credstest.txt
exit 0
The result:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string></string>
</dict>
</plist>
Posted on 04-20-2023 11:23 AM
FYI: Parameter 4: Parameter_4
Posted on 04-20-2023 01:42 PM
Try using this format for creating the file.
/bin/cat << EOF > /Library/ITS/credstest.txt
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>$adminName</string>
<key>Password</key>
<string>$adminPass</string>
<key>AdditionalUsers</key>
<array>
<dict>
<key>Username</key>
<string>$userName</string>
<key>Password</key>
<string>$userPass</string>
</dict>
</array>
</dict>
</plist>
EOF
i.e., use the HEREDOC method to create the file and drop any of the quotes around the variables within the XML/Plist section. That seems to work ok for me.
04-20-2023 02:00 PM - edited 04-20-2023 02:02 PM
I did a copy&paste = same result:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string></string>
<key>Password</key>
<string></string>
<key>AdditionalUsers</key>
<array>
<dict>
<key>Username</key>
<string>correctname</string>
<key>Password</key>
<string>correctpassword</string>
</dict>
</array>
</dict>
</plist>
Posted on 04-20-2023 02:41 PM
What I recommend you do is modify your script to just echo back the variables to start with. Let’s make sure you’re capturing the input as you’re expecting. Once you confirm those variables are being populated as expected, then add in the output to a file part of the script again.
Are the adminName and adminPass script parameters double quoted when the variables are being established, like this?
adminUser="$4"
adminPass="$5"
Posted on 04-21-2023 08:14 AM
Here is the most simplified I could think of:
#!/bin/sh
currentUser="$3"
adminName="$4"
/bin/echo "Parameter 3 is $currentUser and Parameter 4 is $adminName"
exit 0
The result is #3 is good. #4 isn't.
[STEP 1 of 4]
Executing Policy Enable FileVault2
[STEP 2 of 4]
Running script PassSecureToken.sh...
Script exit code: 0
Script result: Parameter 3 is <CorrectName> and Parameter 4 is
[STEP 3 of 4]
[STEP 4 of 4]
I think I need to open a support ticket...?
JB
Posted on 04-21-2023 10:57 AM
Uhm, what's populating $4 in your script above? Have you checked to make sure the policy calling that script has something in the parameter 4 field at execution time?
Posted on 04-21-2023 10:59 AM
How would I log what $4 is populating?
Posted on 04-21-2023 11:03 AM
When you add the script into a policy in Jamf Pro, there are fields that can be populated with some data, called Parameter Values. See the image below.
Are you entering anything where it shows "Parameter 4"? If not, that's why it comes back blank. It either has to be populated within the script payload in your policy, or something in your script needs to populate that. Usually with the Jamf script parameters, it would be the former though.
Posted on 04-21-2023 11:08 AM
Ahh. What are my parameter values?
See attached.
Posted on 04-21-2023 11:17 AM
Ok, what you posted is when viewing the script itself. If you click Edit, you can change those parameter labels, which are just names you give to each parameter. It's just something to remind you what those parameters will apply to within your script when it gets run.
For example, you can change the Parameter 4 label to "Local admin account name", so you'll know that when back in your policy and you add the script to it, that you have to type in the local admin account name into that field.
Does that make sense? The labels are just the human readable names. But in the Jamf Pro policy itself is where you define what each of those parameters will actually pass down to the script when it gets executed.
04-21-2023 11:23 AM - edited 04-21-2023 11:24 AM
I literally entered that in place of what I had = no difference.
Result is:
"Script result: Parameter 3 is <correct> and Parameter 4 is"
See attached:
04-21-2023 11:29 AM - edited 04-21-2023 11:30 AM
Ok, I'm not sure you're understanding me. The labels are just names for those parameters. Those never get sent to the script when it gets run by Jamf. Only the text you enter into the script fields (Parameter Values) when you ADD a script or EDIT an existing script in a policy is what gets sent down to the machine.
Look back at my image a few posts above. You'll see the difference. Your image above is in the path of Settings : Computer Management > Scripts. Mine is from within a policy that RUNS that script. That's where you have to enter the admin name.
Here's a clearer image showing what I mean
You see where my path is Computers : Policies ?
Posted on 04-21-2023 11:31 AM
OMG. I need some sleep.
Thank you for being patient with me.
I will re-test.
Posted on 04-21-2023 11:34 AM
That was it. I guess I need a refresher in sweating the details.
Posted on 04-21-2023 12:56 PM
It happens, no worries. Glad that was the fix and it wasn't something that needed further attention.
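An added example, not part of the thread or any poster's script: a variant of the plist-writing step that stops when a policy Parameter Value arrives blank (the cause found above), escapes the values for XML, and creates the credentials file readable by its owner only. The helper names `require_param`, `xml_escape` and `write_creds_plist` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names are hypothetical.

# Stop when a Jamf Parameter Value was left blank in the policy payload.
require_param() {    # $1 = parameter number, $2 = value received
    [ -n "$2" ] && return 0
    echo "Parameter $1 is empty; set its Parameter Value in the policy" >&2
    return 1
}

# Escape &, < and > so a value cannot break or alter the plist markup.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# $1 = output path, $2/$3 = admin name/password, $4/$5 = user name/password
write_creds_plist() {
    require_param 4 "$2" || return 1
    require_param 5 "$3" || return 1
    require_param 3 "$4" || return 1
    (
        umask 077       # the file is created owner-only (0600)
        rm -f "$1"      # do not inherit looser permissions from an old file
        cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>$(xml_escape "$2")</string>
<key>Password</key>
<string>$(xml_escape "$3")</string>
<key>AdditionalUsers</key>
<array>
<dict>
<key>Username</key>
<string>$(xml_escape "$4")</string>
<key>Password</key>
<string>$(xml_escape "$5")</string>
</dict>
</array>
</dict>
</plist>
EOF
    )
}

# In a policy script: write_creds_plist "$outFile" "$4" "$5" "$3" "$userPass"
```

A non-zero return from `write_creds_plist` can be passed to `exit`, so the policy log shows a failed script instead of exit code 0 with an empty field.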