Script to enroll Devices. Need help with adding credentials

sudoErase
New Contributor III

I have a bit of a dilemma where I need to remove Jamf Framework and enroll many devices at once.

 

I was thinking we can do something with a script:
#!/bin/bash

sudo jamf removeFramework

sudo jamf enroll -prompt -nopolicy

 

# After this is run, it would ask for the JSS and password.

 

 

This is where I am stuck. I understand this is a bad security practice. But I still want to do this. I was thinking of creating a one-time account to do this push and removing the account.

With that said, my question is:

Is there a way to add the username and password inside the script so that when "sudo jamf enroll" runs, it uses the credential to bypass it?

I don't want the users to enter the credentials; instead, I want to use a one-time script to run everything and complete it.

1 ACCEPTED SOLUTION

jamf-42
Valued Contributor II

While it's a 'very bad idea', it can be done via 'expect'; see

https://daniel-ellis.medium.com/shell-script-submitting-a-password-after-a-prompt-690bcf144c0e

More the question is: why are you removing the framework then re-enrolling? What are you trying to achieve?

If you have ABM and PreStage, you could run 'profiles renew -type enrollment'... maybe?


6 REPLIES 6

dvasquez
Valued Contributor

To be honest you should test, test, and test again. 

But to try and accomplish this, you can do the following:

#!/bin/bash

# Name of the user currently logged in at the console
active_user=$(stat -f "%Su" /dev/console)

sudo -u "$active_user" /usr/local/bin/jamf removeFramework

sudo -u "$active_user" /usr/local/bin/jamf enroll -prompt -nopolicy

I used a variable in combination with the first command to capture the current shell user and run the commands as that user.

Could you test it and see how it goes?

Best of luck. If I reply slowly it is due to being super busy at work. 

 

dvasquez
Valued Contributor

@jamf-42 I agree.

easyedc
Valued Contributor II

Not sure where you landed with this, but there is one obvious flaw with running this:

sudo jamf removeFramework
sudo jamf enroll -prompt -nopolicy

Step 1 - remove Jamf

Step 2 - there is no Jamf to call to perform the enrollment (because you removed it in step 1).

sudoErase
New Contributor III

Haha, yep, I wasn't thinking... 😂

easyedc
Valued Contributor II

I thought I'd drop this here in case anyone ever stumbles across this, but did you ever think about Jamf's ReEnroller? You could remove/re-add the same server theoretically. https://github.com/jamf/ReEnroller
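
The credential-free route jamf-42 suggests ('profiles renew -type enrollment'), ordered so the flaw easyedc points out cannot occur, as an added example that is not part of the original thread. It assumes that "Enrolled via DEP: Yes" in the `profiles status -type enrollment` output means the Mac is assigned to a PreStage in ABM; `status_field` and `reenroll_plan` are hypothetical helper names.

```shell
#!/bin/bash
# Added example, not from the thread. Re-enrolls without any stored password.
# Assumption: "Enrolled via DEP: Yes" is taken as evidence that the Mac is
# assigned to a PreStage enrollment in ABM.

JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"

# Read one field ("Enrolled via DEP" or "MDM enrollment") from the text
# printed by `profiles status -type enrollment`, passed in as $2.
status_field() {
    printf '%s\n' "$2" | sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

# Print the commands to run, in order; fail if re-enrolling would be unsafe.
# $1 = status text, $2 = "yes" if the jamf binary is present.
reenroll_plan() {
    case "$(status_field 'Enrolled via DEP' "$1")" in
        Yes*) ;;
        *) return 1 ;;   # no credential-free way back: do not unenroll
    esac
    # removeFramework deletes the jamf binary, so it must be the last jamf call.
    [ "$2" = "yes" ] && echo "$JAMF_BIN removeFramework"
    # profiles ships with macOS and needs no Jamf account or password.
    echo "/usr/bin/profiles renew -type enrollment"
}

# Only act when explicitly asked to, and only as root on the Mac itself.
if [ "${1:-}" = "--run" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    status=$(/usr/bin/profiles status -type enrollment)
    present=no; [ -x "$JAMF_BIN" ] && present=yes
    plan=$(reenroll_plan "$status" "$present") || {
        echo "not enrolled via DEP; leaving enrollment untouched" >&2; exit 1; }
    while IFS= read -r cmd; do
        echo "running: $cmd"
        $cmd </dev/null || exit 1
    done <<EOF
$plan
EOF
    status_field 'MDM enrollment' "$(/usr/bin/profiles status -type enrollment)"
fi
```

Run it with `--run` as root; without that argument it only defines the functions and changes nothing.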