Modify the arg checking to suit Jamf Pro policies

Open Honestpuck opened this issue 2 years ago • 8 comments

Problem to solve

As written, the compliance script cannot be run from a Jamf Pro policy, as Jamf Pro inserts three arguments before the policy arguments.

Intended users

Jamf Pro admins

Further details

Fixing this will be a minor change.

Proposal

At the top of the compliance script (around line 18) I will insert

# set the number of args expected
# if running from a Jamf Pro policy set this to 4
number_of_args=1

Then close to the bottom

# check for command line arguments, if --check or --fix, then just do them.
if (( # >= 2));then
    echo "Too many arguments. Usage: $0 [--check| --fix]"
    exit 1
fi

could have # >= 2 replaced with > $number_of_args

Documentation

Perhaps a note in the Wiki

Testing

I have made the changes and tested from both the command line and a Jamf policy and it all works.

What does success look like, and how can we measure that?

It is easier for Jamf Pro admins to use the compliance script. I will only do it if the team thinks it's acceptable.

Links / references

I couldn't find the spot in the Jamf doco that tells you about the script parameters.

If this is a good idea I can quickly put together a PR. Comments?

Honestpuck, Apr 22 '22 05:04
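The argument handling discussed in the issue above, as an added example that is not part of the original post or the project's compliance script: a POSIX shell function that discards a configurable number of leading arguments and then accepts at most one of `--check` or `--fix`. The function name, the `skip` parameter, the `none` result and the treatment of empty parameters are assumptions made for illustration.

```sh
#!/bin/sh
# Added example; select_mode and its "skip" parameter are hypothetical names.
# skip = leading arguments to discard: 0 on the command line, 3 under a
# Jamf Pro policy (the three arguments Jamf Pro inserts, per the issue).
select_mode() {
    sm_skip=${1-}
    case $sm_skip in
        ''|*[!0-9]*) echo "select_mode: skip must be a number" >&2; return 2 ;;
    esac
    shift
    if [ "$#" -lt "$sm_skip" ]; then
        echo "select_mode: expected $sm_skip leading arguments, got $#" >&2
        return 2
    fi
    shift "$sm_skip"

    sm_mode=""
    for sm_arg in "$@"; do
        case $sm_arg in
            "")  # assumption: unset policy parameters arrive as empty strings
                continue ;;
            --check|--fix)
                if [ -n "$sm_mode" ]; then
                    echo "Too many arguments. Usage: [--check| --fix]" >&2
                    return 2
                fi
                sm_mode=$sm_arg ;;
            *)
                echo "Unknown argument: $sm_arg" >&2
                return 2 ;;
        esac
    done
    # "none" means no mode was requested; the caller decides what that implies.
    printf '%s\n' "${sm_mode:-none}"
}

# Constructed invocations (sample values, not taken from a real policy run).
select_mode 0 --check
select_mode 3 / mac01 alice --fix "" ""
```

A caller would capture the result with `mode=$(select_mode 3 "$@") || exit 1`. Because the script runs as root under a policy, anything other than the two known flags is rejected rather than ignored.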

Check out the dev_monterey_compliance_script branch and see if that works better with Jamf. Changes have been made to make it work more universally.

robertgendler, Apr 22 '22 13:04

That removes the check on the number of arguments entirely, so that works better than the original. I guess you can argue either way: remove the arg checking entirely or make the number of args a constant. I went for minimal change.

Is that branch likely to get merged any time soon?

Honestpuck, Apr 22 '22 22:04

Yup. Just needs testing to make sure we haven't broken anything too badly with changes in the script.

robertgendler, Apr 22 '22 23:04

I will do some testing early next week.

Next thing I want to do is write a script that generates the EAs and computer groups for Jamf and then uploads them. generate_jamf.py maybe.

Honestpuck, Apr 23 '22 00:04

@Honestpuck / @robertgendler I've made a small tweak to the generate_guidance.py script to take this a step further and run multiple functions if an admin passes multiple arguments into the script.

https://github.com/usnistgov/macos_security/pull/141

smithjw, May 28 '22 10:05

Brilliant @smithjw. Good change. Is this now in main? When it is, I'll edit my HOWTO.

Honestpuck, May 28 '22 22:05

@Honestpuck this is now in the OS branches. We probably won't merge to main until the fall is my guess with the release of the new version of the OS.

robertgendler, Jun 03 '22 20:06

I might leave the HOWTO the way it is now until the merge. Branches might be a task too far for some. Thanks for letting me know.

Honestpuck, Jun 06 '22 10:06

This is merged into the OS branches, will be merged into main at Ventura release.

golbiga, Sep 08 '22 15:09