Jamf Nation Community

Taylor_Armstron · ‎02-01-2016

Creating several EA's to check if auto-update is being turned on for 3rd party software. Got some, but MS Office is giving me a bit of trouble.

Setting itself is user-specific - "defaults read /Users/username/Library/Preferences/com.microsoft.autoupdate2 HowToCheck" will return the expected value. However, I need to iterate through the users to make sure it is turned off on all. I was about to just try a "while" look to loop through, but... my problem is: if i iterate through the users, how do I keep values distinct for purposes of reporting in the EA output?

IE - if user "A" has auto updates off, and user "B" has them on... but user "C" has them off - will the EA simply report the last value of "Off"? I was intending to use this as part of a smart group to disable auto updates, but realize that going down the path of an EA may not be the most logical approach, so I'm open to suggestions on either how to script the EA or how to handle it better via another method. For apps that store the settings in the root library (Flash, etc.) it is a fairly simple task, but the user-specific settings are giving me a problem.

Being able to track which machines require correcting would be nice, but not essential. End-result is just being able to pass a quick audit verifying that auto updates are off (we push the updates after a test/validation cycle).

jason_bracy · ‎02-01-2016

Use a loop to read the users. Set the loop to end when it finds a value set to have updates On.

This will give you a quick audit and then you can enforce a policy to turn it off for all users.

View solution in original post

jason_bracy · ‎02-01-2016

Use a loop to read the users. Set the loop to end when it finds a value set to have updates On.

This will give you a quick audit and then you can enforce a policy to turn it off for all users.

Nix4Life · ‎02-01-2016

@Taylor.Armstrong

The for-loop would do it for sure,or make profile out of the .plist and install it at user-level to set it to the correct setting. You might also want to look at outset

LSinNY

Taylor_Armstron · ‎02-01-2016

Awesome... thanks guys. (and one response from a former co-worker no less! ;)

I'll probably ultimately enforce via a profile, but unfortunately, need to be able to show that we're checking for it at the same time - combination of the two should work perfectly.

mm2270 · ‎02-01-2016

Depending on how many users are on each system, you could also look at dynamically populating an array during the loop.
Example:

#!/bin/bash

plist_path="/Library/Preferences/com.microsoft.autoupdate2.plist"

all_users=$(ls /Users/ | grep -v Shared)

while read user_account; do
    if [[ $(defaults read "/Users/${user_account}${plist_path}" HowToCheck 2>/dev/null) == "Automatic" ]]; then
        enabled_accounts+=("$user_account")
    fi
done < <(printf '%s
' "$all_users")

if [ "${#enabled_accounts[@]}" -gt 0 ]; then
    echo "<result>$(printf '%s
' "${enabled_accounts[@]}")</result>"
else
    echo "<result>None</result>"
fi

This would print out a full list of any accounts that had the Auto Update setting to Automatic, rather than just stopping once it finds one account and printing something like "Yes" Either way could work for you. Just wanted to present an alternative in case you need to actually show all accounts that had the setting the way you're auditing for.

Taylor_Armstron · ‎02-02-2016

Thanks mm2270...

For our purposes, I think the 1st approach is sufficient, but I may look at the 2nd anyway. I tend to like overkill :)

We have a baseline that essentially says we're disabling auto-updates, so bottom line is that I just need some sort of "artifact" to prove that it isn't just a one-time setting. As long as I can run a simulated test and show that enabling it will be detected and disabled (via the EA and then a policy scoped to a smart group) I think I'm good.

mm2270 · ‎02-02-2016

@Taylor.Armstrong Sure, no worries. Its usually best to do what's actually needed and not go over board, so the first approach is probably the way you should go if it makes it easier to report on.

Good thing is, the script I posted above can be used as a template for checking on other things if you needed to do that for something else later, by looping over all local accounts in /Users/ and checking a preference setting.

Taylor_Armstron · ‎02-02-2016

^^ Exactly. Definitely saving it as a base to work from on some other stuff - appreciate it!!!

jason_bracy · ‎02-02-2016

@Taylor.Armstrong I have a Configuration Profile set that sets Updates to Manual and disables the new "Office Insider" Program. The XML is:

Create a Configuration Profile scoped to User Level, set the Custom settings to:
1. Preference Domain = com.microsoft.autoupdate2
2. xml =

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>DisableInsiderCheckbox</key>
    <true/>
    <key>HowToCheck</key>
        <string>Manual</string>
</dict>
</plist>

Taylor_Armstron · ‎02-02-2016

Awesome again, thanks! (and you thought you were done supporting this office long ago! ;)

jason_bracy · ‎02-02-2016

10 years! Kinda miss it, but don't miss the commute! We should try and meet up for a drink sometime. Do you ever go to the MacDMV meetings?

Jamf Nation Community

Scripting help for EA (or show me a better solution)