Script to allow non-admins to use Xcode with Bash and AppleScript. May have other uses.

MacTool
New Contributor II

Greetings from the cornfields!

I recently came across a security concern where our tech support folks were adding interns to the local admin group on developer machines in order to use Xcode and interact with the system. Not exactly appropriate on multi-user Macs.

Apple has a method of allowing non-admins to use Xcode with the Developer Tools group (aka _developer) on the local DS. In the spirit of Self Service, I wrote the following to help users help themselves in this particular situation. I have it scoped to Macs with Xcode installed, but there could be other ways (static groups by request, etc.) that will display the policy. You could also use the Script Options and JSS variable to re-use the script for other local groups, but be careful as it could be used to add someone to the local admin group.

Uses bash to perform the actions and AppleScript to interact with the user at the Desktop.

#!/bin/sh

#################################
#
# Add users to local _developer group for Xcode
#
# This group is displayed as Developer Tools
# in the Directory Utility
# 
# 2017 - Frank Wolf
#
#################################

################
#
# Variable Index
#
#
################

# $doWhat - add delete or cancel
# $addDev - accountname to add
# $delDev - accountname to delete
# $areWeDone - do it again or done 
areWeDone=0

################
#
# Functions
#
################

ask_User() {

# The heredoc terminator must match its opening word and sit alone on its line
doWhat=$(osascript <<'EOF'

tell application "Finder"

    activate

    display dialog "Do you want to add or remove users for the local Developer Group" buttons {"Add", "Remove", "Cancel"}

    set doWhat to (button returned of the result)

end tell

return doWhat
EOF
)

}


add_User() {

# Returns the typed account name; empty if the dialog is cancelled
addDev=$(osascript <<'EOF'

tell application "Finder" 

    activate

    set devUser to display dialog "Please enter the developers username." default answer ""

    set addDev to (text returned of devUser)

end tell

return addDev
EOF
)

}


delete_User() {

# Returns the selected members ("a, b" for several, "false" if the list is cancelled)
delDev=$(osascript <<'EOF'

tell application "Finder"

        set Sources to the words 2 thru -1 of (do shell script "dscl . -read /Groups/_developer GroupMembership")
            if Sources = {} then
                display dialog "No users in local Developer group"
                set delDev to ""

            else
                set delDev to choose from list Sources with title "Remove Developer Users." with prompt "Select the Users to remove." & return & return & "Use the Command key for multiple Selections" OK button name "Next" cancel button name "Cancel" with multiple selections allowed
            end if
end tell

return delDev
EOF
)

}


ask_Continue() {

# Returns "Yep" or "Nope"
areWeDone=$(osascript <<'EOF'

tell application "Finder"

    activate

    display dialog "User added or removed from local Developer group." & return & return & "Would you like to add or delete another user? " buttons {"Yep", "Nope"}

    set areWeDone to (button returned of the result)

end tell

return areWeDone
EOF
)

}

#########
#
# Main Script
#
#########

echo "Welcome fellow Program"
echo "Starting add developer script"

# Keep prompting until user is finished
while [ "$areWeDone" != "Nope" ] ;
do

#   Call ask function to  get operation

    ask_User

    echo $doWhat

    case $doWhat in

        #Add
        "Add") 
            echo "Adding user"
            add_User
            echo $addDev
            # Skip the change when the dialog was cancelled or left empty
            if [ -n "$addDev" ]; then
                dscl . -append /Groups/_developer GroupMembership "$addDev"
            fi
            ask_Continue
            ;;

        #delete
        "Remove") 
            echo "Deleting User"
            delete_User
            echo $delDev
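                # osascript prints a multiple selection as "a, b" and a cancelled list as "false"
                if [ "$delDev" != "false" ]; then
                    for devName in $(printf '%s' "$delDev" | tr ',' ' ')
                        do
                            dscl . -delete /Groups/_developer GroupMembership "$devName"
                        done
                fi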
            ask_Continue
            ;;

        *) 
            echo "User canceled"
            exit 0
            ;;
    esac
done

echo "We are done here."

exit 0
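
The caution above about reusing the script for other local groups, as an added example that is not part of the original post: a guard that refuses any group outside an allowlist and any malformed account name before dscl is called. It assumes the group name arrives as a Jamf script parameter such as $4; the allowlist contents, the function names and the DSCL override variable are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: the group name arrives
# as a Jamf script parameter such as $4. All names below are hypothetical.

# Constructed allowlist of groups this policy may manage. Keeping admin and
# wheel out of it is the whole point of the guard.
ALLOWED_GROUPS="_developer _lpoperator"

# Succeed only when $1 is an exact match for an allowlisted group.
group_allowed() {
    for g in $ALLOWED_GROUPS; do
        [ "$1" = "$g" ] && return 0
    done
    return 1
}

# Succeed only for a non-empty short name made of letters, digits, dot,
# underscore or hyphen that does not start with a hyphen, so the value cannot
# be read as a dscl option or split into several words.
valid_shortname() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# usage: change_membership append|delete GROUP USER
# Returns 4 for an unknown action, 2 for a refused group, 3 for a bad name,
# otherwise the exit status of dscl. DSCL can be overridden for dry runs.
change_membership() {
    case "$1" in
        append|delete) ;;
        *) return 4 ;;
    esac
    group_allowed "$2" || { echo "refused: group '$2' is not allowlisted" >&2; return 2; }
    valid_shortname "$3" || { echo "refused: invalid account name" >&2; return 3; }
    "${DSCL:-dscl}" . "-$1" "/Groups/$2" GroupMembership "$3"
}

# In a Jamf policy the call would look like:
#   change_membership append "$4" "$addDev"
```

Setting DSCL=echo prints the dscl arguments instead of changing the group, which is a quick way to check a policy's parameters before it goes into Self Service.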