#!/bin/bash
#Context: This should be a script in Jamf Pro assigned to/run via a Policy
#Purpose: Create and load the files needed to monitor and self heal Jamf Pro enrolment if framework is removed
#Policy Scope: All Computers & All Users (or just user/device groups where users have admin rights)
#Policy Site: None/All or inline with above
#Policy Frequency: Once Per Computer
#Policy Trigger: Check-In or Enrolment or Start-Up
#How to get Invitation ID?#
#On any macOS device, use the Jamf Recon.app to generate a quick add package with the
#correct settings for enrolment including management account, SSH settings, etc
#Then, use composer or similar tool to extract the post-install script
#Near the end of the script will be a multi-use enrolment ID like the one seen below
#Replace the one below with your invitation ID from the QuickAdd package
#IMPORTANT: do not generate your QuickAdd package from the User Initiated Enrolment Page
#This will give you a one time enrolment ID which will not work for this use case
#Only use an ID found in a recon generated QuickAdd package
#Define Variables#
#Note: make sure to edit between the "" quotes. Leave all other formatting intact
#Include port number in URL and do not use ending slash as per example below
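JamfProURLinsert='JamfProURL="https://jamfpro.mycompany.com:8443"'
InvitationIDinsert='InvitationID="56186073070322895268787070779579085172"'
#############################################################################
####### NO EDITING BEYOND THIS POINT ########################################
#############################################################################
# Everything JamfWATCH installs lives under one root-owned directory so the
# daemons, the worker script and its log can be found (and removed) together.
readonly watch_root="/private/var/db/JamfWATCH"
readonly daemon_dir="${watch_root}/LaunchDaemons"
readonly script_dir="${watch_root}/Scripts"
readonly watch_plist="${daemon_dir}/com.github.aarondavidpolley.JamfWATCH.WatchPaths.plist"
readonly daily_plist="${daemon_dir}/com.github.aarondavidpolley.JamfWATCH.Daily.plist"
readonly watch_script="${script_dir}/JamfWATCH.sh"

# NOTE(review): launchd re-registers jobs at boot only from the standard
# LaunchDaemons directories. Jobs loaded from this custom path with
# `launchctl load` are believed to last only until the next restart unless
# the policy (Trigger: Start-Up, per the header) re-runs this installer —
# confirm this matches the intended deployment.

#######################################
# Abort unless running as root: every step below writes root-owned files and
# loads LaunchDaemons, none of which works for an ordinary user.
#######################################
require_root() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "JamfWATCH: this installer must run as root" >&2
    exit 1
  fi
}

#######################################
# Create a directory, failing loudly if it cannot be made.
# Arguments: $1 - directory path
#######################################
ensure_dir() {
  local dir=$1
  mkdir -p "$dir" || { echo "JamfWATCH: cannot create $dir" >&2; exit 1; }
}

#######################################
# Write the LaunchDaemon that runs the worker whenever the Jamf binary or the
# JAMF keychain is changed or removed (WatchPaths).
# Arguments: $1 - destination plist path
#######################################
write_watchpaths_plist() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.github.aarondavidpolley.JamfWATCH.WatchPath</string>
<key>ProgramArguments</key>
<array>
<string>/private/var/db/JamfWATCH/Scripts/JamfWATCH.sh</string>
</array>
<key>WatchPaths</key>
<array>
<string>/Library/Application Support/JAMF/JAMF.keychain</string>
<string>/usr/local/jamf/bin/jamf</string>
</array>
</dict>
</plist>
EOF
}

#######################################
# Write the LaunchDaemon that runs the worker once a day at 12:00 as a
# safety net in case the WatchPaths trigger is missed.
# Arguments: $1 - destination plist path
#######################################
write_daily_plist() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.github.aarondavidpolley.JamfWATCH.Daily</string>
<key>ProgramArguments</key>
<array>
<string>/private/var/db/JamfWATCH/Scripts/JamfWATCH.sh</string>
</array>
<key>StartCalendarInterval</key>
<dict>
<key>Hour</key>
<integer>12</integer>
<key>Minute</key>
<integer>0</integer>
</dict>
</dict>
</plist>
EOF
}

#######################################
# Set ownership/permissions on a LaunchDaemon plist and (re)load it.
# A first install has nothing to unload, so that failure is ignored; a
# failed load is fatal because the monitor would never run.
# Arguments: $1 - plist path
#######################################
load_daemon() {
  local plist=$1
  chown root:wheel "$plist"
  chmod 644 "$plist"
  /bin/launchctl unload "$plist" 2>/dev/null || true
  /bin/launchctl load "$plist" || { echo "JamfWATCH: failed to load $plist" >&2; exit 1; }
}

#######################################
# Assemble the worker script from three pieces: the shebang/header, the two
# admin-supplied variables (expanded here, at install time), and a literal
# body (quoted heredoc, so nothing in it is expanded by the installer).
# Arguments: $1 - destination script path
#######################################
write_watch_script() {
  {
    printf '%s\n' '#!/bin/bash' '#Define Variables' "$JamfProURLinsert" "$InvitationIDinsert"
    cat <<'EOF'
log_file="/private/var/log/JamfWATCH.log"
jamf_bin="/usr/local/jamf/bin/jamf"
#---Redirect output to log---#
exec >> "$log_file" 2>&1

#######################################
# Ask the JSS whether it is reachable via the custom trigger JamfWATCHCheck.
# Outputs: "Binary Missing" when the jamf binary is gone; otherwise the third
#          word of the policy's "Script result" line (expected to be "up").
# NOTE: relies on a Jamf Pro policy with custom trigger JamfWATCHCheck whose
#       script result reports "up" — confirm that policy exists on the server.
#######################################
check_jss() {
  if [ ! -e "$jamf_bin" ]; then
    echo "Binary Missing"
    return
  fi
  "$jamf_bin" policy -event JamfWATCHCheck | grep "Script result" | awk '{print $3}'
}

#######################################
# Write the closing log banner and exit 0 (launchd treats this run as done).
#######################################
finish() {
  echo "Script Complete"
  date
  echo "****************************************"
  exit 0
}

echo "****************************************"
date
echo "Script started, sleeping for 20 seconds"
sleep 20

#Check in with JSS#
status=$(check_jss)
echo "JSS check: $status"
if [ "$status" = "up" ]; then
  echo "Jamf binary was able to communicate with the JSS"
  finish
fi

#Run re-manage if JSS NOT responding as expected#
if [ -e "$jamf_bin" ]; then
  "$jamf_bin" manage
else
  echo "Binary Missing"
fi
sleep 3

#Check again with JSS#
status=$(check_jss)
echo "JSS check after re-manage: $status"
if [ "$status" = "up" ]; then
  echo "Jamf binary was able to communicate with the JSS"
  finish
fi

#Run re-install if JSS NOT responding as expected#
# Download into a fresh, unpredictable temp file rather than a fixed
# /tmp/jamf, so a local user cannot pre-stage a file at the path root is
# about to chmod +x and execute. TLS verification is deliberately left on:
# the downloaded binary runs as root, so disabling it would let anyone on
# the network substitute their own. If the Jamf Pro server uses a private
# CA, trust that CA in the System keychain instead of using -k here.
tmp_bin=$(mktemp /tmp/jamf.XXXXXX) || { echo "mktemp failed, cannot re-install"; finish; }
if curl -sf "$JamfProURL/bin/jamf" -o "$tmp_bin"; then
  #Creating the required directories
  mkdir -p /usr/local/jamf/bin /usr/local/bin
  #Moving the jamf binary to the correct location and making it executable
  mv "$tmp_bin" "$jamf_bin"
  chmod 755 "$jamf_bin"
  #Creating a symbolic link (-f so a stale link from an earlier install is replaced)
  ln -sf "$jamf_bin" /usr/local/bin/jamf
  #Creating the configuration file
  "$jamf_bin" createConf -k -url "$JamfProURL"
  #Enrolling the computer
  "$jamf_bin" enroll -invitation "$InvitationID" -noPolicy
  enrolled=$?
  if [ "$enrolled" -eq 0 ]; then
    "$jamf_bin" update
    "$jamf_bin" policy -event enrollmentComplete
    enrolled=$?
  fi
  echo "Enrolled: $enrolled"
else
  # -f makes curl fail on HTTP errors, so an error page is never installed as the binary
  echo "Failed to download the jamf binary from $JamfProURL"
  rm -f "$tmp_bin"
fi
sleep 3

#Check again with JSS#
status=$(check_jss)
echo "JSS check after re-install: $status"
if [ "$status" = "up" ]; then
  echo "Jamf binary was able to communicate with the JSS"
fi
finish
EOF
  } > "$1" || { echo "JamfWATCH: cannot write $1" >&2; exit 1; }
}

require_root

# The worker script must exist before the daemons are loaded: the WatchPaths
# job can fire as soon as it is registered, and would otherwise exec a path
# that does not exist yet.
ensure_dir "$script_dir"
write_watch_script "$watch_script"
# The embedded invitation ID is a multi-use enrolment credential, so the
# script is readable by root only. The daemons run as root, so 700 suffices.
chown root:wheel "$watch_script"
chmod 700 "$watch_script"

ensure_dir "$daemon_dir"
write_watchpaths_plist "$watch_plist" || { echo "JamfWATCH: cannot write $watch_plist" >&2; exit 1; }
write_daily_plist "$daily_plist" || { echo "JamfWATCH: cannot write $daily_plist" >&2; exit 1; }
load_daemon "$watch_plist"
load_daemon "$daily_plist"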