Grant Secure Token (Mac)
Votes: 1

Description

This fixlet uses an existing account that already holds a secure token (the granting user) to grant a secure token to another account (the receiver).

If the granting user is not an administrator, they will be temporarily elevated for the duration of the script, and then returned to a standard user account.

Logs are written to /Library/Application Support/BigFix/BES Agent/__BESData/__Global/SWDDeployData/SWD_DeploymentResults.log


Property Details

ID: 27326
Status: QA - Ready for Production Level Testing
Title: Grant Secure Token (Mac)
Source: Internal
Source Release Date: 1/11/2024 12:00:00 AM
Keywords: macos, secure token, grant, secure
Added: 1/11/2024 10:15:07 PM
Last Modified: 1/11/2024 10:23:07 PM
Counters: 439 Views / 1 Download

Relevance

Relevance clause (results in true/false; this clause is used in 223 fixlets and 99 analyses):

mac of operating system

Actions

Action 1 (default)

Script Type: BigFix Action Script
parameter "mainSWDLogFolder" = "{parent folder of client folder of current site}/__Global/SWDDeployData"
folder create "{parameter "mainSWDLogFolder"}"
parameter "logFile" = "SWD_DeploymentResults.log"
parameter "logFolder" = "{parameter "mainSWDLogFolder"}"

wait sh -c "echo '' >> '{parameter "mainSWDLogFolder"}/{parameter "logFile"}'"
wait sh -c "echo $(date +%Y_%m_%d' '%T) >> '{parameter "mainSWDLogFolder"}/{parameter "logFile"}'"
wait sh -c "echo Action ID: {id of active action} >> '{parameter "mainSWDLogFolder"}/{parameter "logFile"}'"

delete __createfile
delete "__Download/broker.sh"
createfile until _end_
#!/bin/zsh

# Granting user (must already hold a secure token) and the user who receives one.
# The parameter values are substituted by the BigFix client when the file is created.
adminUser="{parameter "adminUser" of action}"
adminPass="{parameter "adminPass" of action}"
receiverUser="{parameter "receiverUser" of action}"
receiverPass="{parameter "receiverPass" of action}"
logPath="{parameter "logFolder"}/{parameter "logFile"}"

# Precheck: the granting user must already have a secure token, otherwise
# sysadminctl cannot grant one on their behalf.
precheck=$(sysadminctl -secureTokenStatus "$adminUser" 2>&1)
if [[ "$precheck" == *"ENABLED"* ]]; then
    echo "Granting user $adminUser has a secure token. Continuing..." >> "$logPath"
elif [[ "$precheck" == *"DISABLED"* ]]; then
    echo "Granting user $adminUser does not have a secure token" >> "$logPath"
    exit 1
else
    echo "Error: could not determine secure token status of $adminUser" >> "$logPath"
    exit 2
fi

# An empty password parameter becomes "-", which makes sysadminctl prompt for it
# instead of taking it from the command line.
if [ -z "$adminPass" ]; then
    adminPass="-"
fi

if [ -z "$receiverPass" ]; then
    receiverPass="-"
fi

# Temporarily add the granting user to the admin group if needed; remembered so
# the membership is removed again below.
resetUser=false
if id -Gn "$adminUser" | grep -q -w admin; then
    echo "Granting user $adminUser is an administrator. Continuing..." >> "$logPath"
else
    echo "Granting user $adminUser is NOT an administrator. Temporarily elevating..." >> "$logPath"
    dscl . -merge /Groups/admin GroupMembership "$adminUser" >> "$logPath" 2>&1
    resetUser=true
fi

# Grant the token; "yes" answers any interactive prompts with an empty line.
yes "" | sysadminctl -secureTokenOn "$receiverUser" -password "$receiverPass" -adminUser "$adminUser" -adminPassword "$adminPass" >> "$logPath" 2>&1

# Revert the temporary elevation regardless of the grant's outcome.
if [ "$resetUser" = true ]; then
    echo "Returning $adminUser to standard user" >> "$logPath"
    dseditgroup -o edit -d "$adminUser" -t user admin >> "$logPath" 2>&1
fi

# Verify the result on the receiving account.
check=$(sysadminctl -secureTokenStatus "$receiverUser" 2>&1)
if [[ "$check" == *"ENABLED"* ]]; then
    echo "Target user $receiverUser has a secure token" >> "$logPath"
    exit 0
elif [[ "$check" == *"DISABLED"* ]]; then
    echo "Target user $receiverUser does not have a secure token" >> "$logPath"
    exit 1
else
    echo "Error: could not determine secure token status of $receiverUser" >> "$logPath"
    exit 2
fi
_end_
copy "__createfile" "__Download/broker.sh"
wait chmod +x "__Download/broker.sh"
wait /bin/zsh "__Download/broker.sh"
parameter "error" = "{exit code of action}"
delete __createfile
delete "__Download/broker.sh"

if {parameter "error" != "0"}
exit {parameter "error"}
endif

exit {parameter "error"}
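The same procedure written as POSIX shell functions, added here as an example and not part of the fixlet above: the secure-token status check is isolated in one function, the temporary admin-group membership is removed through an EXIT trap so it is reverted even if sysadminctl fails or the script is interrupted, and each step returns a code the caller can act on. It assumes the macOS tools the fixlet uses (sysadminctl, dscl, dseditgroup, id) and must run as root; the log path and function names are this example's own choices.

```shell
#!/bin/sh
# Added example: grant a secure token from an account that already holds one,
# reverting any temporary admin elevation on every exit path.
# Assumes macOS sysadminctl/dscl/dseditgroup/id; run as root.

LOG="${LOG:-/tmp/grant_secure_token.log}"   # example log path, not the fixlet's

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %T')" "$*" >> "$LOG"; }

# Read sysadminctl's "Secure token is ENABLED|DISABLED for user X" output.
# Prints ENABLED, DISABLED or UNKNOWN and returns 0, 1 or 2 respectively.
token_status() {
    out=$(sysadminctl -secureTokenStatus "$1" 2>&1)
    case "$out" in
        *ENABLED*)  echo ENABLED;  return 0 ;;
        *DISABLED*) echo DISABLED; return 1 ;;
        *)          echo UNKNOWN;  return 2 ;;
    esac
}

# True when the user is a member of the local admin group.
is_admin() { id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx admin; }

# Remove the temporary admin membership; installed as a trap while elevated.
ELEVATED_USER=""
_demote() {
    if [ -n "$ELEVATED_USER" ]; then
        log "Returning $ELEVATED_USER to standard user"
        dseditgroup -o edit -d "$ELEVATED_USER" -t user admin >> "$LOG" 2>&1
        ELEVATED_USER=""
    fi
}

# grant_token ADMIN ADMIN_PW RECEIVER RECEIVER_PW
# Returns 0 when the receiver ends up with a token, 1 when not, 2 on error.
# An empty password becomes "-", which makes sysadminctl prompt for it rather
# than exposing it on the command line (as the fixlet does).
grant_token() {
    admin=$1; admin_pw=${2:--}; receiver=$3; receiver_pw=${4:--}

    case "$(token_status "$admin")" in
        ENABLED)  log "Granting user $admin has a secure token" ;;
        DISABLED) log "Granting user $admin has no secure token; cannot grant"; return 1 ;;
        *)        log "Could not read secure token status of $admin"; return 2 ;;
    esac

    if is_admin "$admin"; then
        log "Granting user $admin is an administrator"
    else
        log "Temporarily adding $admin to the admin group"
        dscl . -merge /Groups/admin GroupMembership "$admin" >> "$LOG" 2>&1 || return 2
        ELEVATED_USER=$admin
        trap _demote EXIT INT TERM
    fi

    # "yes" answers any interactive prompt with an empty line, as in the fixlet.
    yes "" | sysadminctl -secureTokenOn "$receiver" -password "$receiver_pw" \
        -adminUser "$admin" -adminPassword "$admin_pw" >> "$LOG" 2>&1 || true

    _demote
    trap - EXIT INT TERM

    case "$(token_status "$receiver")" in
        ENABLED)  log "Target user $receiver has a secure token"; return 0 ;;
        DISABLED) log "Target user $receiver does not have a secure token"; return 1 ;;
        *)        log "Could not read secure token status of $receiver"; return 2 ;;
    esac
}

# Stand-alone usage: grant_secure_token.sh ADMIN ADMIN_PW RECEIVER RECEIVER_PW
if [ "$#" -eq 4 ]; then
    grant_token "$@"
fi
```

The difference from the fixlet's script is the trap: the fixlet demotes the granting user only when execution reaches the `dseditgroup` line, so a script killed mid-way leaves a standard user in the admin group. With the trap, `_demote` runs on normal exit, on error and on INT/TERM, and the `ELEVATED_USER` guard makes a second call harmless.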
Success Criteria

This action will be considered successful when all lines of the action script have completed successfully.

