Grant Secure Token (Mac)

Versioning - This is the latest version.

Version 1: Grant Secure Token (Mac), 1/11/2024 10:15:07 PM
Version 2: Grant Secure Token (Mac), 5/6/2024 9:34:45 AM

Description

This fixlet uses an existing account that already holds a secure token to grant a secure token to another account. The passwords are supplied as BigFix "secure parameters", so they are encrypted for transfer to the endpoint.

If the granting user is not an administrator, the script temporarily adds it to the admin group for the duration of the grant and then returns it to a standard user account.

Logs are written to /Library/Application Support/BigFix/BES Agent/__BESData/__Global/SWDDeployData/SWD_DeploymentResults.log


Property Details

ID: 27341
Status: Production - Fully Tested and Ready for Production
Title: Grant Secure Token (Mac)
Domain: BESC
Source: Internal
Source Release Date: 1/11/2024 12:00:00 AM
Keywords: macos, secure token, grant, secure, token, volume owner, mac
Added on 5/6/2024 9:34:45 AM
Last Modified on 5/6/2024 9:34:45 AM

Relevance

mac of operating system

Actions

Action 1 (default)

Script Type: BigFix Action Script

parameter "mainSWDLogFolder" = "{parent folder of client folder of current site}/__Global/SWDDeployData"
folder create "{parameter "mainSWDLogFolder"}"
parameter "logFile" = "SWD_DeploymentResults.log"
parameter "logFolder" = "{parameter "mainSWDLogFolder"}"

wait sh -c "echo '' >> '{parameter "mainSWDLogFolder"}/{parameter "logFile"}'"
wait sh -c "echo $(date +%Y_%m_%d' '%T) >> '{parameter "mainSWDLogFolder"}/{parameter "logFile"}'"
wait sh -c "echo Action ID: {id of active action} >> '{parameter "mainSWDLogFolder"}/{parameter "logFile"}'"

delete __createfile
delete "__Download/broker.sh"
createfile until _end_
#!/bin/zsh

# Credentials arrive as BigFix secure parameters and are substituted into this
# file when the action runs; the action script deletes the file afterwards.
adminUser="{parameter "adminUser" of action}"
adminPass="{parameter "adminPass" of action}"
receiverUser="{parameter "receiverUser" of action}"
receiverPass="{parameter "receiverPass" of action}"
logPath="{parameter "logFolder"}/{parameter "logFile"}"

# The granting account must already hold a secure token.
precheck=$(sysadminctl -secureTokenStatus "$adminUser" 2>&1)
if [[ "$precheck" == *"ENABLED"* ]]; then
    echo "Granting user $adminUser has a secure token. Continuing..." >> "$logPath"
elif [[ "$precheck" == *"DISABLED"* ]]; then
    echo "Granting user $adminUser does not have a secure token" >> "$logPath"
    exit 1
else
    echo "Error checking $adminUser secure token status" >> "$logPath"
    exit 2
fi

# An empty password becomes "-", sysadminctl's "prompt for it" value; the
# piped yes "" below answers that prompt.
if [ -z "$adminPass" ]; then
    adminPass="-"
fi

if [ -z "$receiverPass" ]; then
    receiverPass="-"
fi

# sysadminctl requires an administrator as the granting account: elevate a
# standard user for the duration of the grant and remember to demote it.
resetUser=false
if id -Gn "$adminUser" | grep -q -w admin; then
    echo "Granting user $adminUser is an administrator. Continuing..." >> "$logPath"
else
    echo "Granting user $adminUser is NOT an administrator. Temporarily elevating..." >> "$logPath"
    dscl . -merge /Groups/admin GroupMembership "$adminUser" >> "$logPath" 2>&1
    resetUser=true
fi

yes "" | sysadminctl -secureTokenOn "$receiverUser" -password "$receiverPass" -adminUser "$adminUser" -adminPassword "$adminPass" >> "$logPath" 2>&1

if [ "$resetUser" = true ]; then
    echo "Returning $adminUser to standard user" >> "$logPath"
    dseditgroup -o edit -d "$adminUser" -t user admin >> "$logPath" 2>&1
fi

# Verify the grant by re-reading the receiver's token status.
check=$(sysadminctl -secureTokenStatus "$receiverUser" 2>&1)
if [[ "$check" == *"ENABLED"* ]]; then
    echo "Target user $receiverUser has a secure token" >> "$logPath"
    exit 0
elif [[ "$check" == *"DISABLED"* ]]; then
    echo "Target user $receiverUser does not have a secure token" >> "$logPath"
    exit 1
else
    echo "Error checking $receiverUser secure token status" >> "$logPath"
    exit 2
fi
_end_
copy "__createfile" "__Download/broker.sh"
wait chmod +x "__Download/broker.sh"
wait /bin/zsh "__Download/broker.sh"
parameter "error" = "{exit code of action}"
delete __createfile
delete "__Download/broker.sh"

if {parameter "error" != "0"}
exit {parameter "error"}
endif

exit {parameter "error"}

Success Criteria

This action will be considered successful when all lines of the action script have completed successfully.
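The check, elevate, grant and demote sequence of broker.sh, reworked as an added example that is not the fixlet's own code: the demotion runs from an EXIT trap so a temporarily elevated granting user is returned to standard even if the grant step fails or the script is interrupted, and the status parsing is a separate function. It assumes the same macOS tools the fixlet calls (sysadminctl, dscl, dseditgroup, id) and adds a DRY_RUN switch of its own that prints the commands instead of running them.

```shell
#!/bin/bash
# Added example, not the fixlet's own broker.sh. Same flow (check grantor,
# elevate if needed, grant, demote, verify) with the demotion guaranteed by
# an EXIT trap. DRY_RUN=1 prints the macOS commands instead of running them.

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Classify `sysadminctl -secureTokenStatus` output (which goes to stderr):
# enabled | disabled | unknown. The fixlet exits 0/1/2 on the same split.
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo enabled ;;
    *"Secure token is DISABLED"*) echo disabled ;;
    *)                            echo unknown ;;
  esac
}

user_is_admin() { id -Gn "$1" 2>/dev/null | grep -q -w admin; }

ELEVATED=""
# Demote whichever account we elevated; idempotent, so it is safe to call
# from both the normal path and the EXIT trap.
rollback() {
  if [ -n "$ELEVATED" ]; then
    run dseditgroup -o edit -d "$ELEVATED" -t user admin
    ELEVATED=""
  fi
}

# with_temp_admin USER CMD...: run CMD with USER in the admin group, then
# return USER to standard only if this script was the one that elevated it.
with_temp_admin() {
  local user="$1" rc=0; shift
  if ! user_is_admin "$user"; then
    run dscl . -merge /Groups/admin GroupMembership "$user" || return 1
    ELEVATED="$user"
    trap rollback EXIT
  fi
  if "$@"; then rc=0; else rc=$?; fi
  rollback
  return "$rc"
}

# Typical use, with "-" so sysadminctl prompts for the secrets rather than
# receiving them as arguments (the fixlet's fallback for an empty password):
#   with_temp_admin grantor run sysadminctl -secureTokenOn target \
#       -password - -adminUser grantor -adminPassword -
#   token_state "$(sysadminctl -secureTokenStatus target 2>&1)"
```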


Comments

Mitin77 -
Grant Secure Token (Mac) refers to a process in macOS that enables a user account to access FileVault encryption keys, allowing for secure login and access to encrypted data. This feature is particularly important for managing user authentication and access control in enterprise environments or shared Mac systems. Granting Secure Tokens ensures that users can securely access their encrypted data while maintaining system security and integrity.