Help

Scripting help - get SecureToken status

Go to solution
easyedc
Valued Contributor II

Posted on β€Ž09-20-2018 10:43 AM

I am trying to write a script to report back an extension attribute on SecureToken status. Background - we push out a default admin account (aka "admin") during DEP enrollment. DEP prompts for creation of a user through the GUI and our frontline techs will often create a "localadmin" account, which they're supposed to delete later on. Well, things happen, and the account doesnt get deleted every time. I'm trying to make sure that if there's a local admin, it's got SecureToken, which ever account it has. I've got a script that works on one user, but won't work for more than one user returned. I've not really played with 

for;do

statements, so this is my first go round. Can someone give me a pointer on where I may be going wrong?

#!/bin/sh
#
#  SecureToken for Admin.sh
#
# Get the Username of the local Admin account

ADMINid=$( dscl . list /Users | grep -v ^_.* | grep dmin | grep -v JAMF )

# Get SecureTokenStaus
status=$( dscl . -read /Users/$ADMINid AuthenticationAuthority | grep -o SecureToken )

for i in $ADMINid ; do $status
done

if [[ $status == SecureToken ]]; then
echo "<result>ENABLED for $ADMINid</result>"
else
echo "<result>DISABLED for $ADMINid</result>"
fi

currently I get a result of 

<result>ENABLED for admin
localadmin</result>

where it fails to run against the 2nd admin account "localadmin" for me. I'd hope it would return something like 

<result>ENABLED for admin
ENABLED for localadmin</result>
Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
mm2270
Legendary Contributor II

Posted on β€Ž09-20-2018 11:23 AM

Your for i in $ADMINid part isn't working, so "admin" and "localadmin" are being treated as one item, most likely. I usually use a while read loop for these kinds of things myself as it tends to handle each item individually a little better.
Also consider using an array to populate, and then printing the array in the end.

#!/bin/bash

ADMINid=$(dscl . list /Users | grep -v ^_.* | grep dmin | grep -v JAMF)

while read ACCT; do
    if [[ $(dscl . -read /Users/$ACCT AuthenticationAuthority | grep -o SecureToken) == "SecureToken" ]]; then
        RESULT+=("ENABLED for $ACCT")
    else
        RESULT+=("DISABLED for $ACCT")
    fi
done <<< "$ADMINid"

echo "<result>$(printf '%s
' "${RESULT[@]}")</result>"

View solution in original post

1 REPLY 1

Go to solution
mm2270
Legendary Contributor II

Posted on β€Ž09-20-2018 11:23 AM

Your for i in $ADMINid part isn't working, so "admin" and "localadmin" are being treated as one item, most likely. I usually use a while read loop for these kinds of things myself as it tends to handle each item individually a little better.
Also consider using an array to populate, and then printing the array in the end.

#!/bin/bash

ADMINid=$(dscl . list /Users | grep -v ^_.* | grep dmin | grep -v JAMF)

while read ACCT; do
    if [[ $(dscl . -read /Users/$ACCT AuthenticationAuthority | grep -o SecureToken) == "SecureToken" ]]; then
        RESULT+=("ENABLED for $ACCT")
    else
        RESULT+=("DISABLED for $ACCT")
    fi
done <<< "$ADMINid"

echo "<result>$(printf '%s
' "${RESULT[@]}")</result>"

View solution in original post

Jamf helps organizations succeed with Apple. By enabling IT to empower end users, we bring the legendary Apple experience to businesses, education and government organizations. Learn about Jamf.