Solved

Scripting help - get SecureToken status

  • September 20, 2018
  • 1 reply
  • 0 views

easyedc
  • Esteemed Contributor
  • 623 replies

I am trying to write a script to report back an extension attribute on SecureToken status. Background - we push out a default admin account (aka "admin") during DEP enrollment. DEP prompts for creation of a user through the GUI and our frontline techs will often create a "localadmin" account, which they're supposed to delete later on. Well, things happen, and the account doesn't get deleted every time. I'm trying to make sure that if there's a local admin, it's got SecureToken, whichever account it has. I've got a script that works on one user, but won't work for more than one user returned. I've not really played with for;do statements, so this is my first go-round. Can someone give me a pointer on where I may be going wrong?

#!/bin/sh
#
#  SecureToken for Admin.sh
#
# Get the Username of the local Admin account

ADMINid=$( dscl . list /Users | grep -v ^_.* | grep dmin | grep -v JAMF )

# Get SecureTokenStaus
status=$( dscl . -read /Users/$ADMINid AuthenticationAuthority | grep -o SecureToken )

for i in $ADMINid ; do $status
done

if [[ $status == SecureToken ]]; then
echo "<result>ENABLED for $ADMINid</result>"
else
echo "<result>DISABLED for $ADMINid</result>"
fi

currently I get a result of

<result>ENABLED for admin
localadmin</result>

where it fails to run against the 2nd admin account "localadmin" for me. I'd hope it would return something like

<result>ENABLED for admin
ENABLED for localadmin</result>

Best answer by mm2270

1 reply

mm2270
  • Legendary Contributor
  • 7880 replies
  • Answer
  • September 20, 2018

Your for i in $ADMINid part isn't working, so "admin" and "localadmin" are being treated as one item, most likely. I usually use a while read loop for these kinds of things myself as it tends to handle each item individually a little better.
Also consider using an array to populate, and then printing the array in the end.

#!/bin/bash

ADMINid=$(dscl . list /Users | grep -v ^_.* | grep dmin | grep -v JAMF)

while read ACCT; do
    if [[ $(dscl . -read /Users/$ACCT AuthenticationAuthority | grep -o SecureToken) == "SecureToken" ]]; then
        RESULT+=("ENABLED for $ACCT")
    else
        RESULT+=("DISABLED for $ACCT")
    fi
done <<< "$ADMINid"

echo "<result>$(printf '%s\n' "${RESULT[@]}")</result>"
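A more robust version of the same extension attribute, added here as an example rather than code from the thread: it enumerates the members of the local admin group instead of matching any account name that contains "dmin", matches the ";SecureToken;" tag in AuthenticationAuthority exactly rather than the bare word, and keeps the loop POSIX so it behaves the same under /bin/sh and /bin/bash. The admin-group query and the auth_authority/token_status helper names are my assumptions, not part of the original post.

```shell
#!/bin/sh
# Added example (not the original poster's or mm2270's script).
# Assumes macOS dscl output of the form
#   AuthenticationAuthority: ;ShadowHash;... ;SecureToken;
# for accounts that hold a SecureToken.

# Accounts to audit: every member of the local admin group except root,
# hidden "_" service accounts and the Jamf management account.
admin_accounts() {
    dscl . -read /Groups/admin GroupMembership 2>/dev/null \
        | sed 's/^GroupMembership: *//' | tr ' ' '\n' \
        | grep -Ev '^(root|_.*|)$' | grep -v JAMF
}

# Raw AuthenticationAuthority record for one account (empty if it has none).
auth_authority() {
    dscl . -read "/Users/$1" AuthenticationAuthority 2>/dev/null
}

# Map an AuthenticationAuthority value to ENABLED/DISABLED. Matching the
# delimited ";SecureToken;" tag avoids false hits on other text.
token_status() {
    case "$1" in
        *';SecureToken;'*) echo ENABLED ;;
        *)                 echo DISABLED ;;
    esac
}

# Read one account per line (newline-separated, so "admin" and "localadmin"
# are never collapsed into one item) and emit one status line per account.
report() {
    while IFS= read -r acct; do
        [ -n "$acct" ] || continue
        printf '%s for %s\n' "$(token_status "$(auth_authority "$acct")")" "$acct"
    done
}

# Only run the live query on a Mac; the helpers above are usable on their own.
if command -v dscl >/dev/null 2>&1; then
    echo "<result>$(admin_accounts | report)</result>"
fi
```

An account listed as DISABLED here is an admin that could not unlock FileVault or grant tokens to others, which is the condition the extension attribute is meant to surface.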
