Open jelockwood opened 6 years ago
FYI - here is the script I use to populate an extension attribute to list whether the jamfmanagement account has or does not have a secure token. I then use this as part of a smart group to determine which machines need to run this script.
```sh
#!/bin/sh
# Extension attribute: report whether the jamfmanagement account holds a secure token.
# sysadminctl writes its status line to stderr, e.g.
#   ... sysadminctl[123:456] Secure token is ENABLED for user jamfmanagement
# so stderr is merged into stdout and the 7th field (ENABLED/DISABLED) is taken.
accountToken=$(sysadminctl -secureTokenStatus jamfmanagement 2>&1 | awk '{print $7}')
echo "<result>$accountToken</result>"
exit 0
```
First of all, many thanks to the author Joshua Roskos @kc9wwh for this script.
This script was brought to my attention by JAMF support when I hit a problem trying to automate rotating FileVault recovery keys. As Joshua will be aware, the problem is that the jamfmanagement account initially has no secure token and hence, when it tries to rotate and re-escrow the FileVault key, it goes wrong.
With this script and some smart groups to ensure things run at the right stages I can now -
Now, getting back to my proposed enhancement. This script in its current form puts up a dialog asking the logged-in user to provide their password, and the presumption is that the currently logged-in user is an admin user and has a secure token.
In my case all my JAMF-enrolled Macs also have a local admin account for which the password is randomised per Mac and stored as an extension attribute in the JSS. It should therefore be possible to pass the local admin username and password as additional parameters to a modified version of this script, so that the
`sysadminctl -secureTokenOn -password (interactive || -adminUser -adminPassword )`
command can be run automatically and invisibly to the logged-in user, without needing to ask the user for their password.
Yes, this involves sending the local admin password over the wire, but I have a policy which regularly changes it to a new random one for each Mac, just like I have one re-randomising the jamfmanagement password.
Could the author therefore consider adding the ability for this script to accept two additional parameters which, if provided, mean it can run automatically and invisibly as described, and, if not provided, it runs in the current manner?
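One way the proposed two-parameter variant could look, as an added example written for this thread rather than the script under discussion or any code from the project. The Jamf parameter positions ($4 to $7), the default account name, the dialog text and the function names are all assumptions; the sysadminctl output format it parses is the one the extension attribute above relies on.

```sh
#!/bin/sh
# Added example (not the project's script): grant a secure token to the Jamf
# management account silently when local admin credentials are supplied as
# policy parameters, otherwise fall back to asking the logged-in user.
# Assumed parameter layout (hypothetical, pick your own in the policy):
#   $4 = management account name      (defaults to "jamfmanagement")
#   $5 = management account password
#   $6 = local admin account name     (optional; enables silent mode)
#   $7 = local admin account password (optional; enables silent mode)

# Reduce a captured sysadminctl status line to ENABLED / DISABLED / UNKNOWN.
# Matching the phrase instead of printing field 7 blindly means a missing user
# or a changed message yields UNKNOWN rather than a random word.
parse_token_status() {
    # $1 = captured sysadminctl output (stdout and stderr merged)
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

token_status() {
    # $1 = account name
    parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# "silent" when both admin parameters are present, else "interactive".
choose_mode() {
    # $1 = admin user, $2 = admin password
    if [ -n "$1" ] && [ -n "$2" ]; then
        echo silent
    else
        echo interactive
    fi
}

# Interactive fallback: hidden-answer dialog shown to the console user.
ask_password() {
    # $1 = prompt text; the typed password is written to stdout
    osascript -e "display dialog \"$1\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1" \
              -e 'text returned of result'
}

main() {
    mgmt_user="${4:-jamfmanagement}"
    mgmt_pass="$5"
    admin_user="$6"
    admin_pass="$7"

    if [ "$(token_status "$mgmt_user")" = ENABLED ]; then
        echo "$mgmt_user already has a secure token; nothing to do"
        return 0
    fi
    if [ -z "$mgmt_pass" ]; then
        echo "management account password (parameter 5) is required" >&2
        return 1
    fi

    if [ "$(choose_mode "$admin_user" "$admin_pass")" = silent ]; then
        # Credentials came from the policy; no user interaction needed.
        grant_user="$admin_user"
        grant_pass="$admin_pass"
    else
        # Assume the console user is a token-holding admin and ask them.
        grant_user="$(stat -f%Su /dev/console)"
        grant_pass="$(ask_password "Enter the password for $grant_user to enable FileVault for $mgmt_user")"
    fi

    sysadminctl -secureTokenOn "$mgmt_user" -password "$mgmt_pass" \
        -adminUser "$grant_user" -adminPassword "$grant_pass" 2>&1

    # Verify the resulting state rather than trusting the exit status, so the
    # Jamf policy log shows the real outcome.
    if [ "$(token_status "$mgmt_user")" = ENABLED ]; then
        echo "secure token enabled for $mgmt_user"
        return 0
    fi
    echo "secure token still not enabled for $mgmt_user" >&2
    return 1
}

# Only run the real workflow where sysadminctl exists (macOS); elsewhere the
# functions are just defined so they can be exercised on their own.
if command -v sysadminctl >/dev/null 2>&1; then
    main "$@"
fi
```

Two points worth keeping in mind with the silent path: every password handed to sysadminctl on its command line is visible in the process list to other local processes for the duration of the call, and the management account's own password (parameter 5) is required for `-secureTokenOn` in either mode, so the rotation policy for that account has to stay in step with what this script is given.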