I am trying to write a script to report back an extension attribute on SecureToken status. Background - we push out a default admin account (aka "admin") during DEP enrollment. DEP prompts for creation of a user through the GUI and our frontline techs will often create a "localadmin" account, which they're supposed to delete later on. Well, things happen, and the account doesn't get deleted every time. I'm trying to make sure that if there's a local admin, it's got SecureToken, whichever account it is. I've got a script that works on one user, but won't work for more than one user returned. I've not really played with for;do statements, so this is my first go-round. Can someone give me a pointer on where I may be going wrong?
#!/bin/sh
#
# SecureToken for Admin.sh
#
# Get the Username of the local Admin account
ADMINid=$( dscl . list /Users | grep -v ^_.* | grep dmin | grep -v JAMF )
# Get SecureToken status
status=$( dscl . -read /Users/$ADMINid AuthenticationAuthority | grep -o SecureToken )
for i in $ADMINid ; do $status
done
if [[ $status == SecureToken ]]; then
echo "<result>ENABLED for $ADMINid</result>"
else
echo "<result>DISABLED for $ADMINid</result>"
fi
Currently I get a result of
<result>ENABLED for admin
localadmin</result>
where it fails to run against the 2nd admin account "localadmin" for me. I'd hope it would return something like
<result>ENABLED for admin
ENABLED for localadmin</result>
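One way to get the per-user report the post is after, as an added example that is not the poster's script: the `dscl` read runs inside the loop for each account, the username is quoted, and admin status is checked with `dseditgroup -o checkmember` instead of a name match (that substitution and the helper names are my own choices; the sample `AuthenticationAuthority` strings in the comments are constructed).

```shell
#!/bin/sh
# Extension attribute: SecureToken state of every local admin account.
# The text-handling helpers take dscl output as a string so they can be
# exercised without a Mac; only report_local_admins talks to dscl.

# Given the text of `dscl . -read /Users/<name> AuthenticationAuthority`,
# print ENABLED when the ";SecureToken;" tag is present, else DISABLED.
token_state_from_authority() {
    case "$1" in
        *";SecureToken;"*) printf 'ENABLED' ;;
        *)                 printf 'DISABLED' ;;
    esac
}

# Read "name state" pairs from stdin and emit one line per account inside a
# single <result> element, matching the output shape the post hopes for.
format_report() {
    printf '<result>'
    first=1
    while read -r name state; do
        [ "$first" -eq 1 ] || printf '\n'
        printf '%s for %s' "$state" "$name"
        first=0
    done
    printf '</result>\n'
}

# Live path (macOS only): list non-system users, keep members of the admin
# group (dseditgroup exits 0 for a member), then look up each account's
# AuthenticationAuthority separately instead of once for the whole list.
report_local_admins() {
    dscl . list /Users | grep -v '^_' | while read -r user; do
        dseditgroup -o checkmember -m "$user" admin >/dev/null 2>&1 || continue
        auth=$(dscl . -read "/Users/$user" AuthenticationAuthority 2>/dev/null)
        printf '%s %s\n' "$user" "$(token_state_from_authority "$auth")"
    done | format_report
}

# Only query directory services when dscl exists, i.e. when run on a Mac.
if command -v dscl >/dev/null 2>&1; then
    report_local_admins
fi
```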