Guides – Mostly Mac

I have been doing this little trick for years so I thought I would create a blog post to share it.

Imagine you need to get your company logo onto computers so that you can brand some widget. When using tools that the user can interact with (like Nudge, IBM Notifier, Jamf Helper, SwiftDialog, or DEPNotify for instance) having a familiar logo or icon helps users to understand, verify, and trust the source of that window when it is presented. There’s the added benefit that it looks good too!

This method can be used to get any image file placed in any location, without having to build a package for distribution, all within Jamf Pro.

All you need do is upload an image to the Self Service section of a policy in Jamf, then use curl in a script to download that image from your Jamf Pro server and place it in the specified location. Here’s how I set it up:

Upload the following script to your Jamf Pro server:

	#!/bin/bash

	fetch_from="$4"
	save_to="$5"

	# Check for the image and grab it if it does not exist
	if [ ! -f "$save_to" ]; then
	curl -o "$save_to" "$fetch_from"
	fi

view raw Fetch Image from Jamf Server.sh hosted with ❤ by GitHub

Give the script parameters some useful labels. I used “Image URL” for parameter $4. This is the location of the image we will download. And “Path to Destination” for parameter $5. This is where the image will be saved on disk.

Create a new policy in Jamf Pro and save it.
IMPORTANT: When first creating the policy, leave it disabled by unchecking the “Enabled” checkbox.

General
Name: Download Company Logo
Enabled: No
Trigger: Recurring Check-in
Frequency: Once per computer

Scripts
Select script uploaded previously – do not configure any parameter values yet.

Scope
Targets: All Managed Clients or All Computers

Self Service
Check the box for “Make the policy available in Self Service”
Upload the image you would like to distribute.

After creating and saving your policy, go to the Self Service tab and find the icon that you uploaded. Right click and select “Copy Image Address” to copy the URL of the image to your clipboard. Take note of this URL.

While still on the Self Service page for your policy, click Edit in the lower right corner, then deselect the checkbox for “Make the policy available in Self Service”. Even though the policy is no longer available in Self Service, the icon remains so we can still access it in our script.

Select the Options tab, then the Scripts section. Paste the image URL copied in step 4 into the “Image URL” field under Script Parameters.

Enter the full path to where the image should be placed on disk, including the image name, into the “Path to Destination” field under Script Parameters. For example /Users/Shared/logo.png

Return to the General section and check the Enabled box to enable the policy, then Save in the lower right corner.

That’s it. The image will be downloaded to each machine in scope and placed in the location of your choice. Now you can reference that image in other scripts and configurations as needed.

Occasionally end users may end up without a secure token. This attribute is required to enable FileVault on any macOS device. Additionally, it is required for the end user to install updates on Apple silicon devices (this is a little complicated but for the purpose of this post I am ignoring volume ownership, as it is functionally equivalent to secure token in this respect).

Use the following script in a Self Service policy to grant the end user a secure token. This script will check if the currently logged in user has a secure token. If so, a notification informs them that no action is required.

If the currently logged in user does not have a secure token you will be guided through the process to grant one. In order to grant a secure token to a user without one, an account with a secure token must be used. The script will find all secure token users on the system and list them for you. Select an account that you already know the password for.

Next you will be prompted for the existing secure token user’s password. This is required to grant the token to other users

Then, you will be prompted for the end user’s password to complete the process.

Finally, the script will check if a bootstrap token is escrowed with MDM, and escrows the token if needed.

The script is available below:

	#!/bin/sh

	# Set the icons and branding
	selfServiceBrandIcon="/Users/$3/Library/Application Support/com.jamfsoftware.selfservice.mac/Documents/Images/brandingimage.png"
	fileVaultIcon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/FileVaultIcon.icns"

	if [[ -f $selfServiceBrandIcon ]]; then
	brandIcon="$selfServiceBrandIcon"
	else
	brandIcon="$fileVaultIcon"
	fi

	# Start by setting result to UNDEFINED
	result="UNDEFINED"

	MissingSecureTokenCheck() {

	# Get the currently logged-in user and go ahead if not root.
	userName=$(/bin/ls -l /dev/console \| /usr/bin/awk '{ print $3 }')

	# This function checks if the logged-in user has Secure Token attribute associated
	# with their account. If the token_status variable returns "0", then YES is set.
	# If anything else is returned, NO is set.
	if [[ -n "${userName}" && "${userName}" != "root" ]]; then

	# Get the Secure Token status.
	token_status=$(/usr/sbin/sysadminctl -secureTokenStatus "${userName}" 2>&1 \| /usr/bin/grep -ic enabled)

	# If there is no secure token associated with the logged-in account,
	# the token_status variable should return "0".
	if [[ "$token_status" -eq 0 ]]; then
	result="NO"
	fi

	# If there is a secure token associated with the logged-in account,
	# the token_status variable should return "1".
	if [[ "$token_status" -eq 1 ]]; then
	result="YES"
	fi
	fi

	# If unable to determine the logged-in user
	# or if the logged-in user is root, then UNDEFINED is returned
	}

	MissingSecureTokenCheck

	if [[ $result = "NO" ]]; then
	# Current user does not have a secure token. Need to generate one.
	# Granting user needs to be an admin. Get all the admin users on the computer.
	adminUsers=$(dscl . read /Groups/admin GroupMembership \| cut -d " " -f 2-)

	# For each user, check if they have a secure token
	for EachUser in $adminUsers; do

	TokenValue=$(sysadminctl -secureTokenStatus $EachUser 2>&1)

	if [[ $TokenValue = "ENABLED" ]]; then
	SecureTokenUsers+=($EachUser)
	fi

	done

	# List out the users with a secure token
	if [[ -z "${SecureTokenUsers[@]}" ]]; then
	# If no secure token admin users, show dialog stating such
	/usr/bin/osascript -e "display dialog \"\" & return & \"There are no secure token admin users on this device.\" with title \"Grant Secure Token\" buttons {\"OK\"} default button 1 with icon POSIX file \"$brandIcon\""
	exit 0
	else
	# Have user select a secure token user they know the password for
	adminUser=$( osascript -e "set ASlist to the paragraphs of \"$(printf '%s\n' "${SecureTokenUsers[@]}")\"" -e 'return choose from list ASlist with prompt "Select a user you know the password for:"' )

	# Get a secure token users password
	adminPassword=$( /usr/bin/osascript -e "display dialog \"To grant a secure token\" & return & \"Enter login password for '$adminUser'\" default answer \"\" with title \"Grant Secure Token\" buttons {\"Cancel\", \"Ok\"} default button 2 with icon POSIX file \"$brandIcon\" with text and hidden answer
	set adminPassword to text returned of the result
	return adminPassword")

	# Exit if user cancels
	if [ "$?" != "0" ] ; then
	echo "User aborted. Exiting…"
	exit 0
	fi
	fi

	# Try the entered password
	passCheck=`dscl /Local/Default -authonly "${adminUser}" "${adminPassword}"`

	# If the credentials pass, continue, if not, tell user password is incorrect and exit.
	if [ "$passCheck" == "" ]; then
	echo "Password Verified"
	else
	echo "Password Verification Failed. Please try again."
	/usr/bin/osascript -e "display dialog \"\" & return & \"Password Verification Failed. Please try again.\" with title \"Grant Secure Token\" buttons {\"OK\"} default button 1 with icon POSIX file \"$brandIcon\""
	exit 1
	fi

	# Get the logged in user's password via a prompt
	echo "Prompting ${userName} for their login password."

	userPassword=$( /usr/bin/osascript -e "display dialog \"To grant a secure token\" & return & \"Enter login password for '$userName'\" default answer \"\" with title \"Grant Secure Token\" buttons {\"Cancel\", \"Ok\"} default button 2 with icon POSIX file \"$brandIcon\" with text and hidden answer
	set userPassword to text returned of the result
	return userPassword")

	# Exit if user cancels
	if [ "$?" != "0" ] ; then
	echo "User aborted. Exiting…"
	exit 0
	fi

	echo "Granting secure token."

	# Grant the token
	sysadminctl -secureTokenOn ${userName} -password ${userPassword} -adminUser ${adminUser} -adminPassword ${adminPassword}

	# Check for bootstrap token escrowed with Jamf Pro
	bootstrap=$(profiles status -type bootstraptoken)

	if [[ $bootstrap == "escrowed to server: YES" ]]; then
	echo "Bootstrap token already escrowed with Jamf Pro!"
	else
	# Escrow bootstrap token with Jamf Pro
	echo "No Bootstrap token present. Escrowing with Jamf Pro now…"
	sudo profiles install -type bootstraptoken -user "${adminUser}" -pass "${adminPassword}"
	fi

	elif [[ $result = "YES" ]]; then
	echo "Current user already has a secure token. No action necessary."
	/usr/bin/osascript -e "display dialog \"\" & return & \"$userName already has a secure token. No action necessary.\" with title \"Grant Secure Token\" buttons {\"OK\"} default button 1 with icon POSIX file \"$brandIcon\""
	else
	echo "Undefined secure token status"
	/usr/bin/osascript -e "display dialog \"\" & return & \"Could not determine secure token status.\" with title \"Grant Secure Token\" buttons {\"OK\"} default button 1 with icon POSIX file \"$brandIcon\""
	exit 1
	fi

view raw Grant Current User Secure Token.sh hosted with ❤ by GitHub

Tag: Guides

Install a Company Logo Without a Pkg using Jamf Pro

Using a Self Service Policy to Grant End Users a Secure Token