Skip to main content
Solved

Scripting help - get SecureToken status

  • September 20, 2018
  • 1 reply
  • 0 views
easyedc
Forum|alt.badge.img+16
  • easyedc
  • Esteemed Contributor
  • 623 replies

I am trying to write a script to report back an extension attribute on SecureToken status. Background - we push out a default admin account (aka "admin") during DEP enrollment. DEP prompts for creation of a user through the GUI and our frontline techs will often create a "localadmin" account, which they're supposed to delete later on. Well, things happen, and the account doesnt get deleted every time. I'm trying to make sure that if there's a local admin, it's got SecureToken, which ever account it has. I've got a script that works on one user, but won't work for more than one user returned. I've not really played with 

for;do

statements, so this is my first go round. Can someone give me a pointer on where I may be going wrong?

#!/bin/sh
#
#  SecureToken for Admin.sh
#
# Get the Username of the local Admin account

ADMINid=$( dscl . list /Users | grep -v ^_.* | grep dmin | grep -v JAMF )

# Get SecureTokenStaus
status=$( dscl . -read /Users/$ADMINid AuthenticationAuthority | grep -o SecureToken )

for i in $ADMINid ; do $status
done

if [[ $status == SecureToken ]]; then
echo "<result>ENABLED for $ADMINid</result>"
else
echo "<result>DISABLED for $ADMINid</result>"
fi

currently I get a result of 

<result>ENABLED for admin
localadmin</result>

where it fails to run against the 2nd admin account "localadmin" for me. I'd hope it would return something like 

<result>ENABLED for admin
ENABLED for localadmin</result>

Best answer by mm2270

Your for i in $ADMINid part isn't working, so "admin" and "localadmin" are being treated as one item, most likely. I usually use a while read loop for these kinds of things myself as it tends to handle each item individually a little better.
Also consider using an array to populate, and then printing the array in the end.

#!/bin/bash

ADMINid=$(dscl . list /Users | grep -v ^_.* | grep dmin | grep -v JAMF)

while read ACCT; do
    if [[ $(dscl . -read /Users/$ACCT AuthenticationAuthority | grep -o SecureToken) == "SecureToken" ]]; then
        RESULT+=("ENABLED for $ACCT")
    else
        RESULT+=("DISABLED for $ACCT")
    fi
done <<< "$ADMINid"

echo "<result>$(printf '%s
' "${RESULT[@]}")</result>"
View original
Did this topic help you find an answer to your question?

1 reply

mm2270
Forum|alt.badge.img+16
  • mm2270
  • Legendary Contributor
  • 7880 replies
  • Answer
  • September 20, 2018

Your for i in $ADMINid part isn't working, so "admin" and "localadmin" are being treated as one item, most likely. I usually use a while read loop for these kinds of things myself as it tends to handle each item individually a little better.
Also consider using an array to populate, and then printing the array in the end.

#!/bin/bash

ADMINid=$(dscl . list /Users | grep -v ^_.* | grep dmin | grep -v JAMF)

while read ACCT; do
    if [[ $(dscl . -read /Users/$ACCT AuthenticationAuthority | grep -o SecureToken) == "SecureToken" ]]; then
        RESULT+=("ENABLED for $ACCT")
    else
        RESULT+=("DISABLED for $ACCT")
    fi
done <<< "$ADMINid"

echo "<result>$(printf '%s
' "${RESULT[@]}")</result>"
easyedc
1 person likes this
  • easyedc
    easyedc

Reply


Most helpful members this week

Terms & ConditionsCookie settingsAccessibility statement

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings