Grant Secure Token (Mac) - superseded

Versioning - This is an older version.

1. Grant Secure Token (Mac) - 1/11/2024 10:15:07 PM
2. Grant Secure Token (Mac) - 5/6/2024 9:34:45 AM

Description

This fixlet uses an existing account with a secure token to grant a secure token to another account.

If the granting user is not an administrator, they will be temporarily elevated for the duration of the script, and then returned to a standard user account.

Logs are written to /Library/Application Support/BigFix/BES Agent/__BESData/__Global/SWDDeployData/SWD_DeploymentResults.log
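An added example, not part of the fixlet: a read-only audit that classifies accounts the same way the broker script does (ENABLED / DISABLED / anything else) and reports which accounts could serve as the granting user, i.e. are in the admin group and already hold a secure token. The sample records are constructed; on a Mac they would come from `id -Gn <user>` and `sysadminctl -secureTokenStatus <user> 2>&1`.

```shell
#!/bin/sh
# Added example (not part of the fixlet): audit secure-token status and granting eligibility.
# The constructed sample records below stand in for real `id -Gn` and `sysadminctl` output.

# Map one sysadminctl -secureTokenStatus line to enabled/disabled/unknown, matching ENABLED
# and DISABLED the same way the fixlet's broker script does.
token_status() {
    case "$1" in
        *ENABLED*)  echo enabled ;;
        *DISABLED*) echo disabled ;;
        *)          echo unknown ;;
    esac
}

# The granting user must be in the admin group AND hold a secure token.
# $1 = group list as printed by `id -Gn`, $2 = the sysadminctl status line.
can_grant() {
    [ "$(token_status "$2")" = enabled ] || return 1
    for g in $1; do
        [ "$g" = admin ] && return 0
    done
    return 1
}

# Constructed sample records: user|id -Gn output|sysadminctl output line
RECORDS='ituser|staff admin everyone|sysadminctl[512:1040] Secure token is ENABLED for user ituser
jdoe|staff everyone|sysadminctl[513:1041] Secure token is DISABLED for user jdoe
helpdesk|staff admin everyone|sysadminctl[514:1042] Secure token is DISABLED for user helpdesk
svc|staff everyone|sysadminctl[515:1043] Error: user not found'

# Accounts that could be passed as the fixlet's adminUser parameter
granters() {
    printf '%s\n' "$RECORDS" | while IFS='|' read -r user groups line; do
        if can_grant "$groups" "$line"; then echo "$user"; fi
    done
}

# Accounts not confirmed ENABLED: candidates for -secureTokenOn, or for a closer look if unknown
untokened() {
    printf '%s\n' "$RECORDS" | while IFS='|' read -r user groups line; do
        s=$(token_status "$line")
        if [ "$s" != enabled ]; then echo "$user $s"; fi
    done
}

echo "eligible granting users:"; granters
echo "accounts without a confirmed token:"; untokened
```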


Property Details

ID: 27326
Status: QA - Ready for Production Level Testing
Title: Grant Secure Token (Mac)
Source: Internal
Source Release Date: 1/11/2024 12:00:00 AM
Keywords: macos, secure token, grant, secure
Added: 1/11/2024 10:15:07 PM
Last Modified: 1/11/2024 10:23:07 PM

Relevance

Used in 227 fixlets and 100 analyses.

mac of operating system

Actions

Action 1 (default)

Script Type: BigFix Action Script
parameter "mainSWDLogFolder" = "{parent folder of client folder of current site}/__Global/SWDDeployData"
folder create "{parameter "mainSWDLogFolder"}"
parameter "logFile" = "SWD_DeploymentResults.log"
parameter "logFolder" = "{parameter "mainSWDLogFolder"}"

// Stamp the shared deployment log with a separator, a timestamp and the action ID
wait sh -c "echo '' >> '{parameter "mainSWDLogFolder"}/{parameter "logFile"}'"
wait sh -c "echo $(date +%Y_%m_%d' '%T) >> '{parameter "mainSWDLogFolder"}/{parameter "logFile"}'"
wait sh -c "echo Action ID: {id of active action} >> '{parameter "mainSWDLogFolder"}/{parameter "logFile"}'"

// Write the zsh broker script; action parameters are substituted into it before it is written
delete __createfile
delete "__Download/broker.sh"
createfile until _end_
#!/bin/zsh
# Credentials arrive as action parameters. They are embedded in this script file (deleted
# after the run) and handed to sysadminctl as arguments, so they are briefly visible in
# the process list while sysadminctl runs.
adminUser="{parameter "adminUser" of action}"
adminPass="{parameter "adminPass" of action}"
receiverUser="{parameter "receiverUser" of action}"
receiverPass="{parameter "receiverPass" of action}"
logPath="{parameter "logFolder"}/{parameter "logFile"}"

# The granting user must already hold a secure token; sysadminctl reports status on stderr
precheck=$(sysadminctl -secureTokenStatus "$adminUser" 2>&1)
if [[ "$precheck" == *"ENABLED"* ]]; then
    echo "Granting user $adminUser has a secure token. Continuing..." >> "$logPath"
elif [[ "$precheck" == *"DISABLED"* ]]; then
    echo "Granting user $adminUser does not have a secure token" >> "$logPath"
    exit 1
else
    echo "Error: could not determine secure token status for $adminUser: $precheck" >> "$logPath"
    exit 2
fi

# A dash makes sysadminctl prompt for the password; the yes pipe below answers that prompt
if [ -z "$adminPass" ]; then
    adminPass="-"
fi
if [ -z "$receiverPass" ]; then
    receiverPass="-"
fi

# sysadminctl requires an administrator as the granting user; elevate a standard user temporarily
resetUser=false
if id -Gn "$adminUser" | grep -q -w admin; then
    echo "Granting user $adminUser is an administrator. Continuing..." >> "$logPath"
else
    echo "Granting user $adminUser is NOT an administrator. Temporarily elevating..." >> "$logPath"
    dscl . -merge /Groups/admin GroupMembership "$adminUser" >> "$logPath" 2>&1
    resetUser=true
fi

# Grant the token; yes "" feeds empty lines to any interactive prompt
yes "" | sysadminctl -secureTokenOn "$receiverUser" -password "$receiverPass" -adminUser "$adminUser" -adminPassword "$adminPass" >> "$logPath" 2>&1

# Always undo the temporary elevation, whether or not the grant succeeded
if [ "$resetUser" = true ]; then
    echo "Returning $adminUser to standard user" >> "$logPath"
    dseditgroup -o edit -d "$adminUser" -t user admin >> "$logPath" 2>&1
fi

# Confirm the result by re-reading the receiver's token status
check=$(sysadminctl -secureTokenStatus "$receiverUser" 2>&1)
if [[ "$check" == *"ENABLED"* ]]; then
    echo "Target user $receiverUser has a secure token" >> "$logPath"
    exit 0
elif [[ "$check" == *"DISABLED"* ]]; then
    echo "Target user $receiverUser does not have a secure token" >> "$logPath"
    exit 1
else
    echo "Error: could not determine secure token status for $receiverUser: $check" >> "$logPath"
    exit 2
fi
_end_
copy "__createfile" "__Download/broker.sh"
wait chmod +x "__Download/broker.sh"
wait /bin/zsh "__Download/broker.sh"
parameter "error" = "{exit code of action}"
delete __createfile
delete "__Download/broker.sh"

// Report the broker script's exit code as the action result
exit {parameter "error"}

Success Criteria

This action will be considered successful when all lines of the action script have completed successfully.


Comments

Mitin77 -
https://scholarshipup.org/
Mitin77 -
Grant Secure Token (Mac) refers to a process in macOS that enables a user account to access FileVault encryption keys, allowing for secure login and access to encrypted data. [url=https://scholarshipup.org/]uttar pradesh scholarship[/url] This feature is particularly important for managing user authentication and access control in enterprise environments or shared Mac systems. Granting Secure Tokens ensures that users can securely access their encrypted data while maintaining system security and integrity.