Tips and Tricks: Example post image script

tlarkin
Honored Contributor

So, here is my post image script in example format. Take what you want and run with it. Post any modifications that may help people here.

#!/bin/bash

########################################
# This is a post image script for student laptops
# This script will do post configurations
#
# This is for the 2011-12 school year
# Kansas City, KS Public schools
#
#       By
#
#  Thomas Larkin
#  
#
#########################################
# set all variables here, these are hardcoded for the rest of the script
# will use echo for logging and debugging
#
# WARNING!!!!!  THIS SCRIPT REQUIRES THE JAMF BINARY
#
# Local admin accounts
# only edit the variables of this script for future usage

# check for jamf binary

jamfcheck="/usr/sbin/jamf"

# now check if it exists

if [[ -e $jamfcheck ]]

    then /bin/echo "Jamf binary present, continuing as planned..."

    else /bin/echo "Jamf binary is not present, we need to halt" 

    exit 55

fi

# adding OS detection variable in case it is needed later on

OSversion=`/usr/bin/sw_vers | /usr/bin/awk '/ProductVersion:/ { print $2 }'`

# enable logging for debugging purposes.  If script complete this file will be destroyed

# now proceed with local accounts
# set all desired names and passwords with in the quotes

admin1_long="Hidden Administrator"
admin1_short="hadmin"
admin1_passwd="password1"


# info for local admin account 2 to give to users who need ARD access

admin2_long="ARD Viewer"
admin2_short="ardview"
admin2_passwd="password2"

# local student account in case no one can log in during deployment
# this is a temporary account and highly managed, users should log into their accounts

local_student="student"
local_stushort="student"
local_stupasswd="password"

# if root account will be enabled, set password here

#root_passwd="rootpw"

# set the firmware password here

FirmWarePW="fwpasswd"

# create a list of post image apps you would want deleted, maintain your list here
# just add the full path within the ( ), one per line and quoted, the script will call for this later on
# it will simulate a user logging in so any files that creates upon first log in can also
# be wiped out


badfiles=(
           "/Library/Application Support/Bsecure/Splash.app"
           )


# Now, use this to maintain a list of files/Apps you want moved from the default location this
# Will also be done when the script later logs in local_admin1 to configure some settings
# This is mainly used for folder level access control via MCX moving apps you want to restrict
# to folders you will restrict certain groups from using via MCX

app_list=(
           "/Applications/AppleScript/"
           "/Applications/Microsoft AutoUpdate.app"
           "/Applications/Automator.app"
           "/Applications/Time Machine.app"
           )

###########################################################################################
#  All variables, and user entered data should be stored above this line
#  There is NO NEED to edit anything below this line
#  This script assumes you are running DHCP on your network interfaces
#  There is one point below for custom trigger policies you will have to edit those
#  There is a section below to add custom trigger policies
##########################################################################################
#### end of variables ####  starting the script

# now create accounts

/usr/sbin/jamf createAccount -username "$admin1_short" -realname "$admin1_long" -password "$admin1_passwd" -home "/private/var/$admin1_short" -shell "/bin/bash" -hiddenUser -admin

/bin/sleep 5 #allow some time between accounts to ensure they create properly

/usr/sbin/jamf createAccount -username "$admin2_short" -realname "$admin2_long" -password "$admin2_passwd" -home "/private/var/$admin2_short" -shell "/bin/bash" -hiddenUser -admin

/bin/sleep 5 #allow some time between accounts to ensure they create properly

/usr/sbin/jamf createAccount -username "$local_stushort" -realname "$local_student" -password "$local_stupasswd" -home "/Users/$local_stushort" -shell "/bin/bash"

/bin/sleep 5

# now enable root, but only if a root password was actually set above (it is commented out by default)

if [[ -n "$root_passwd" ]]

    then /usr/sbin/dsenableroot -u "$admin1_short" -p "$admin1_passwd" -r "$root_passwd"

    else /bin/echo "no root password set, leaving root disabled"

fi

/bin/echo "done creating local accounts"

# 
# Now set some network preferences 
#

# require admin rights for ad_hoc creation

/usr/libexec/airportd en1 -ibss_admin 1

/bin/echo "adhoc networks require admin set"

# ensure that airport and ethernet are set to DHCP & set IPv6 off

/usr/sbin/networksetup -setv6off Ethernet

/usr/sbin/networksetup -setv6off Airport

/usr/sbin/networksetup -setdhcp Ethernet

/usr/sbin/networksetup -setdhcp Airport

# enable remote log in, ssh

/usr/sbin/systemsetup -setremotelogin on

# enforce clear text passwords in AFP

/usr/bin/defaults write com.apple.AppleShareClient "afp_cleartext_allow" 1

/bin/echo "network configuration complete"

#
# ensure remote desktop is enabled for our local admin accounts
#

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate

# now set access to remote desktop, refer to admin 1 and admin 2 from above

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users $admin1_short,$admin2_short -access -on -privs -all

/bin/echo "ARD client configured"

########################################
#
# below this point, put any custom trigger policies you want to be installed
#
#######################################

# add the web filter client

/usr/sbin/jamf policy -trigger addfilter

/bin/echo "Internet Filter is now installed..."

#
# add computrace to all HS laptops
# commenting this out for the middle school script

/usr/sbin/jamf policy -trigger addcomputrace

/bin/echo "Comp-U-Trace installed!"

# install mcx for local student

/usr/sbin/jamf policy -trigger studentmcx

#
# now to set up system settings like time zone, time server, etc
# firmware passwords
#

# set the time zone to US/Central

/usr/sbin/systemsetup -settimezone America/Chicago

# set the time server to our internal time server

/usr/sbin/systemsetup -setusingnetworktime on

/usr/sbin/systemsetup -setnetworktimeserver 10.156.3.1

# set the firmware password

/usr/sbin/setregproptool -m command -p "$FirmWarePW" -o "$FirmWarePW"

/bin/echo "System settings now configured"

# Now that system settings have been set we will log in as local admin, and customize 
# our pristine install.  Move certain apps to restrict by file path for later MCX management
# For this part of the script we will use Apple Script
# commenting this out for now, no longer needed.
#/usr/bin/osascript <<AppleScript
#   tell application "System Events" 
#      keystroke "$local_stushort" 
#      keystroke return 
#      delay 3.0 
#      keystroke "$local_stupasswd" 
#      delay 3.0 
#      keystroke tab 
#      keystroke return 
#  end tell
#AppleScript

# give it a few seconds to fully log in

/bin/sleep 25

# we also need to purge any unwanted files, the filter client splash screen for example
# this should be done after all packages have been installed
# add any full path of a file you wish to get rid of inside the ( ) at the top of the script

/bin/echo "Now proceeding to remove unwanted apps"

for file in "${badfiles[@]}" ; do

# quote $file everywhere: paths like "/Library/Application Support/..." contain spaces and would
# otherwise be split into several arguments for rm
if [[ -e "$file" ]]

     then /bin/rm -rf "$file"

     else /bin/echo "$file is already destroyed"

fi

done


#
# Now we will move any applications we don't want users to have access to from
# the applications folder to /Applications/Utilities and have MCX disallow apps to
# run from /Applications/Utilities on managed user accounts
#
# put full app paths in here, spaces are allowed if you stay inside the quotes
# see beginning of script to set these file paths
#

# now move those apps 

for file in "${app_list[@]}" ; do

if [[ -e "$file" ]]

    then /bin/mv "$file" /Applications/Utilities/

    else /bin/echo "$file already moved"
fi

done

/bin/echo "done moving apps"

#########################################
#
#  Put any custom trigger policies that require a user to be logged in here:
#
#######################################

# test to see if system is running 10.6, if it is execute from command line, if not execute the add wifi pkg in Casper

case $OSversion in

     10.5*) /usr/sbin/jamf policy -trigger addwireless ;;
     10.6*) /usr/sbin/networksetup -addpreferredwirelessnetworkatindex Airport usd500_wpa 0 WPA2 mypasskey ;;

esac


#
# Now we must purge the system log to get rid of any passwords that may be in plain text
#

#
# now apply MCX settings to our local account
#

/bin/rm -rf /var/log/*

/bin/echo "purged logs"

# reset policies that need to run again

/usr/sbin/jamf FlushPolicyHistory

# rebooting system one more time so all mcx and updates and first run boot polices run through

/sbin/shutdown -h +1 &

exit 0

Now things are commented out because at some point I used them, but I left them there in case I ever needed them again.


tlarkin
Honored Contributor

This is an older version I copied/pasted together and changed passwords and stuff in, so use it for example purposes.

jhalvorson
Valued Contributor

Thanks for posting this script. It's been a big help to me.
Jason

Jak
New Contributor III

Looks good. Quick question: the admin / root password is in clear text in the script, and the script lives on the Casper share that is 'read only' to the world.

Doesn't this worry you?

tlarkin
Honored Contributor
Looks good. Quick question: the admin / root password is in clear text in the script, and the script lives on the Casper share that is 'read only' to the world. Doesn't this worry you?

No, not really. Casper spins random passwords and the only two accounts that have read/write access to the Casper share are pretty secure. No one knows them but me. They aren't written down anywhere, and I have never had anyone get a hold of the script. All local logs are flushed at the end of the script so it is like it never ran.

If you are really concerned you can create the user accounts in Casper in the JSS and have them deploy post image.