Scripts can be fun, but they can also be a never-ending nightmare. A friend recently asked me to share the BYOD setup script that I use in my environment. It may be a little rough and in some spots quite specific; however, I thought I would share it. I utilise Jamf’s Casper suite (can’t recommend them enough!), so some parts of the script do reference their tools.
I use this script on BYOD devices. It sets up some basic things: NTP servers, Gatekeeper, and it also installs some additional packages. The script also creates some hidden management accounts on the device. This is not a copy/paste script; you will need to change it to suit your environment.
If there is enough interest I’m happy to write a generic setup script. If you have any suggestions or requests you can reach me @jacobcurulli
```bash
#!/bin/bash
# BYOD Setup script - now with popups!
# J.Curulli - 20th November 2015
# Updated 03 December 2015 - Fixed computer naming section, updated to standalone for BYOD USB deployment
# Also now logs to the /var/log/jamf_imaging.log file

invitationid="yourInvitationIdHere"

##################################
# Check if the jamf_imaging.log file exists, if not then create it and let us write to it
log="/var/log/jamf_imaging.log"
if [ ! -f "$log" ]; then
    touch "$log"
    chmod 777 "$log"   # note: 777 leaves the log writable by every local user
    echo "$(date +"%a %b %d %H:%M:%S") - Created jamf_imaging.log file just now" >> "$log"
fi

# Turn off Gatekeeper because it's icky
spctl --master-disable

# Install some important packages
installer -pkg /private/var/.temp/agent-setup-2.47.23-unmanaged.mpkg -target /
installer -pkg /private/var/.temp/Certificates.pkg -target /

# Remove the packages
rm -rf /private/var/.temp/agent-setup-2.47.23-unmanaged.mpkg
rm -rf /private/var/.temp/Certificates.pkg

# Setup the login window to display some additional information
#
# Computer name
# Version of OS X installed
# IP address
# clicking on the time will show the next item
defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo HostName

# Configure time settings
# Set the time zone
/usr/sbin/systemsetup -settimezone Australia/Perth

# Set the primary network time server using systemsetup -setnetworktimeserver
# This will clear any current ntp settings and
# add the first time server as the first line.
/usr/sbin/systemsetup -setnetworktimeserver ntp.yourtimeserver

# Add the second time server as the second line in /etc/ntp.conf
echo "server ntp.yourdomain.local" >> /etc/ntp.conf

# Add the third time server as the third line in /etc/ntp.conf
# I use time.apple.com just in case all else fails
echo "server time.apple.com" >> /etc/ntp.conf

# Sets the Mac to get the time from the network
/usr/sbin/systemsetup -setusingnetworktime on

# Do a sync now
ntpdate -u ntp.yourserver

# Disable Time Machine's pop-up message whenever an external drive is plugged in because it's annoying
defaults write /Library/Preferences/com.apple.TimeMachine DoNotOfferNewDisksForBackup -bool true

# This part of the script can be removed if not needed. It gets the student's details in order to correctly name their laptop.
# This part could be edited to enable account creation for the BYOD student

# Get some details to correctly name the laptop
# One prompt function serves all four questions ($1 = prompt text, $2 = default answer)
function prompt() {
osascript <<EOT
tell app "System Events"
text returned of (display dialog "$1" default answer "$2" default button 2 with title "$(basename $0)")
end tell
EOT
}

# prompt and get firstname
firstname="$(prompt 'Please enter the students first name:' '')"

# prompt and get lastname
lastname="$(prompt 'Please enter the students last name:' '')"

# prompt and get username
# The school username is so we can enroll them in Casper and have the device assigned to them
username="$(prompt 'Please enter the students school username:' '')"

# prompt and get cohort
# This is the student's graduating year and is picked up by Casper to use with smart groups
cohort="$(prompt 'Please enter the students cohort:' '')"

# Create Computer Name and Local Host name
computername="$firstname $lastname's Macbook"
localhostname="$firstname-$lastname-Macbook"

# Set computer name but first log the current name for records
CurrentName="$(/usr/sbin/scutil --get ComputerName)"
echo "$(date +"%a %b %d %H:%M:%S") - Getting ready to update computer name, current name is $CurrentName" >> "$log"

# This line can be used if you utilise the Casper suite from Jamf
jamf setComputerName -target / -name "$computername"

# Set the computer name
/usr/sbin/scutil --set ComputerName "$computername"
/usr/sbin/scutil --set HostName "$computername"
/usr/sbin/scutil --set LocalHostName "$localhostname"
CurrentName="$(/usr/sbin/scutil --get ComputerName)"
echo "$(date +"%a %b %d %H:%M:%S") - Name has now been updated to: $CurrentName" >> "$log"

# Set BYOD to yes
byod="Yes"

# Check if /var/.temp exists, if it doesn't then create it
dir="/var/.temp"
if [ ! -d "$dir" ]; then
    mkdir "$dir"
fi

# Write to the text files to be picked up by the recon
# These values are picked up by the extension attributes in Casper for smart groups
echo "$computername" > /var/.temp/computerName.txt
echo "$cohort" > /var/.temp/department.txt
echo "$byod" > /var/.temp/BYOD.txt

# Create the management account
# I like to hide the user home folders so students don't get curious
mkdir /var/.admin
dscl . -create /Users/admin
dscl . -create /Users/admin UserShell /bin/bash
dscl . -create /Users/admin RealName "Administrator"
dscl . -create /Users/admin UniqueID 404
dscl . -create /Users/admin Picture /Library/User\ Pictures/Sports/Hockey.tif
dscl . -create /Users/admin PrimaryGroupID 20
dscl . -create /Users/admin NFSHomeDirectory /var/.admin
dscl . -passwd /Users/admin yourpasswordhere
cp -R /System/Library/User\ Template/English.lproj /var/.admin
chown -R admin:staff /var/.admin
dscl . -append /Groups/admin GroupMembership admin

# Also create the tech admin account for repairs
mkdir /var/.tech
dscl . -create /Users/tech
dscl . -create /Users/tech UserShell /bin/bash
dscl . -create /Users/tech RealName "Tech User"
dscl . -create /Users/tech UniqueID 407
dscl . -create /Users/tech Picture /Library/User\ Pictures/Sports/Hockey.tif
dscl . -create /Users/tech PrimaryGroupID 20
dscl . -create /Users/tech NFSHomeDirectory /var/.tech
dscl . -passwd /Users/tech yourpasswordhere
cp -R /System/Library/User\ Template/English.lproj /var/.tech
chown -R tech:staff /var/.tech
dscl . -append /Groups/admin GroupMembership tech

# Hide service accounts (UIDs below 500) from the login window and Users & Groups
defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE

# Display a popup
osascript -e 'display notification "Created service accounts" with title "Attention"'

# recon with username and enroll if needed
jamf recon -endUsername "$username"
jamf enroll -invitation "$invitationid"

exit 0
```
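An audit check to go with the account section, as an added example that is not part of the original script: it flags accounts with a UID below 500 that are members of the admin group, which is exactly what the dscl block above creates and what Hide500Users then keeps out of Users & Groups. It works on the text that `dscl . -list /Users UniqueID` and `dscl . -read /Groups/admin GroupMembership` print on a Mac; the sample input embedded below is constructed so the check runs anywhere.

```bash
#!/bin/bash
# find_hidden_admins: list admin-group members whose UID is between 1 and 499.
# Such accounts are hidden by Hide500Users, so they are worth surfacing in an
# inventory or a pre-handover check of a BYOD machine.
#   $1 = output of "dscl . -list /Users UniqueID"            ("name  uid" per line)
#   $2 = output of "dscl . -read /Groups/admin GroupMembership"
#        ("GroupMembership: root admin tech ...")
# Prints one "name:uid" line per hit; prints nothing when there are none.
find_hidden_admins() {
    local users="$1" members="$2"
    # drop the "GroupMembership:" prefix, leaving space separated names
    members="${members#GroupMembership:}"
    # pad the member list with spaces so " name " matches whole names only;
    # skip Apple's underscore service accounts and uid 0 (root is always admin)
    printf '%s\n' "$users" | awk -v admins=" $members " '
        $1 !~ /^_/ && $2 > 0 && $2 < 500 && index(admins, " " $1 " ") {
            print $1 ":" $2
        }'
}

# Constructed sample mirroring a machine the setup script has run on:
# admin (404) and tech (407) are the hidden management accounts,
# student (501) is the visible everyday account.
SAMPLE_USERS='_mbsetupuser  248
admin  404
tech  407
daemon  1
nobody  -2
root  0
student  501'
SAMPLE_ADMINS='GroupMembership: root admin tech student'

# On a real Mac: find_hidden_admins "$(dscl . -list /Users UniqueID)" \
#                                   "$(dscl . -read /Groups/admin GroupMembership)"
find_hidden_admins "$SAMPLE_USERS" "$SAMPLE_ADMINS"
```

Run against the sample it reports admin:404 and tech:407 and nothing else; an empty result means no sub-500 account holds admin rights.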