Scripting help - get SecureToken status

easyedc
Valued Contributor II

I am trying to write a script to report back an extension attribute on SecureToken status. Background - we push out a default admin account (aka "admin") during DEP enrollment. DEP prompts for creation of a user through the GUI and our frontline techs will often create a "localadmin" account, which they're supposed to delete later on. Well, things happen, and the account doesn't get deleted every time. I'm trying to make sure that if there's a local admin, it's got SecureToken, whichever account it is. I've got a script that works on one user, but won't work for more than one user returned. I've not really played with

for;do

statements, so this is my first go round. Can someone give me a pointer on where I may be going wrong?

#!/bin/sh
#
#  SecureToken for Admin.sh
#
# Get the Username of the local Admin account

ADMINid=$( dscl . list /Users | grep -v ^_.* | grep dmin | grep -v JAMF )

# Get SecureToken status
status=$( dscl . -read /Users/$ADMINid AuthenticationAuthority | grep -o SecureToken )

for i in $ADMINid ; do $status
done

if [[ $status == SecureToken ]]; then
echo "<result>ENABLED for $ADMINid</result>"
else
echo "<result>DISABLED for $ADMINid</result>"
fi

currently I get a result of

<result>ENABLED for admin
localadmin</result>

where it fails to run against the 2nd admin account "localadmin" for me. I'd hope it would return something like

<result>ENABLED for admin
ENABLED for localadmin</result>
1 ACCEPTED SOLUTION

mm2270
Legendary Contributor II

Your for i in $ADMINid part isn't working, so "admin" and "localadmin" are being treated as one item, most likely. I usually use a while read loop for these kinds of things myself as it tends to handle each item individually a little better.
Also consider using an array to populate, and then printing the array in the end.

#!/bin/bash

# Candidate admin accounts, one per line
ADMINid=$(dscl . list /Users | grep -v ^_.* | grep dmin | grep -v JAMF)

RESULT=()
# Handle one account per iteration; -r keeps read from eating backslashes
while read -r ACCT; do
    if [[ $(dscl . -read "/Users/$ACCT" AuthenticationAuthority | grep -o SecureToken) == "SecureToken" ]]; then
        RESULT+=("ENABLED for $ACCT")
    else
        RESULT+=("DISABLED for $ACCT")
    fi
done <<< "$ADMINid"

# One line per account inside the result tags
echo "<result>$(printf '%s\n' "${RESULT[@]}")</result>"

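As an added example (not the original poster's or mm2270's code), here is a variant of the same extension attribute that reads accounts one per line with read -r, takes the candidate list from the admin group's membership instead of grepping user names for "dmin", and reports UNKNOWN for a record that has no AuthenticationAuthority at all. The dscl calls, the "GroupMembership: a b c" output shape and the ";SecureToken;" marker are assumptions about what the directory returns.

```shell
#!/bin/bash
# Added example, not from the original post: a Jamf extension attribute that
# reports SecureToken status per local admin. The directory lookups sit in
# small functions so the parsing can be exercised with constructed output.

# Members of the local admin group (assumes the usual "GroupMembership: a b c"
# line from dscl); one account per line, with the built-in root dropped.
admin_accounts() {
    dscl . -read /Groups/admin GroupMembership 2>/dev/null |
        sed 's/^GroupMembership: *//' | tr ' ' '\n' | grep -v -e '^$' -e '^root$'
}

# AuthenticationAuthority for one account; empty when the attribute is absent.
auth_authority() {
    dscl . -read "/Users/$1" AuthenticationAuthority 2>/dev/null
}

# Classify the attribute text given on stdin: ENABLED, DISABLED, or UNKNOWN
# when the record carries no AuthenticationAuthority at all.
classify_token() {
    authority=$(cat)
    if [ -z "$authority" ]; then
        echo UNKNOWN
    elif printf '%s' "$authority" | grep -q ';SecureToken;'; then
        echo ENABLED
    else
        echo DISABLED
    fi
}

# Build the <result> body from a newline-separated account list. $2 names the
# function that fetches the attribute (defaults to dscl); accounts are read
# line by line with read -r so each one is handled on its own.
build_result() {
    accounts=$1
    fetch=${2:-auth_authority}
    printf '%s\n' "$accounts" | while IFS= read -r acct; do
        [ -n "$acct" ] || continue
        printf '%s for %s\n' "$("$fetch" "$acct" | classify_token)" "$acct"
    done
}

# Entry point when run as the extension attribute on a Mac.
main() {
    printf '<result>%s</result>\n' "$(build_result "$(admin_accounts)")"
}

# Only run the report where dscl exists, so the functions can be sourced
# elsewhere and fed constructed output.
command -v dscl >/dev/null 2>&1 && main
```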