Compliance check for macOS.
This was written to help with some compliance. (wow, so descriptive)
If a Mac is a member of any of the smart groups (not on the $company approved macOS version, has macOS software updates, is not encrypted, does not have antivirus installed), it will see this policy. This script double-checks which of those smart groups the computer is in, verifies locally whether it actually belongs there (to guard against stale inventory), and acts accordingly.
e.g. If a machine is encrypted but is on an old version of macOS and has software updates available, the user will be prompted to upgrade macOS. If a machine is on a current (major) version of macOS but is not encrypted and requires software updates, encryption will be triggered and software updates will be run.
¯\_(ツ)_/¯
The API account used by this script needs READ access to Smart Groups. See https://github.com/jamfit/Encrypted-Script-Parameters for more information on encrypted string parameters.
Note: this is used for error-checking, in case a user's machine is compliant but is still in the smart groups that tell them they are not compliant. This can happen if you have infrequent inventory, or other policies running on a schedule that you want to bypass.
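As an added illustration (not the README's script), here is the local re-check and decision logic described above, written as plain shell functions so it can be run without Jamf. The trigger names and the default 10.14.6 version are placeholders, and treating any version below the required one as "not on the approved macOS" is an assumption of this example.

```bash
#!/bin/bash
# Added example, not the README's script: the local re-check and decision logic
# it describes, written as plain functions so it can be tested without Jamf.
# Assumption: a version below the required one counts as "not on the approved
# macOS"; the trigger names are placeholders for the policy triggers set in
# parameters 07-11.

# Compare two dotted versions numerically; print -1, 0 or 1.
# A string comparison would rank 10.9.5 above 10.14.6, so compare field by field.
vercmp() {
  local a=$1 b=$2 x y
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "${x:-0}" -lt "${y:-0}" ] && { printf '%s\n' -1; return; }
    [ "${x:-0}" -gt "${y:-0}" ] && { printf '%s\n' 1; return; }
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  printf '%s\n' 0
}

# Decide which policy triggers to call from the locally verified facts:
#   below required version            -> macos_upgrade (the upgrade carries the updates)
#   on required version, updates due  -> software_updates
#   not encrypted                     -> encryption
#   no antivirus                      -> antivirus
# Args: local_version required_version updates_pending encrypted av_installed (yes/no)
decide_actions() {
  local actions=""
  if [ "$(vercmp "$1" "$2")" -lt 0 ]; then
    actions="macos_upgrade"
  elif [ "$3" = yes ]; then
    actions="software_updates"
  fi
  [ "$4" = no ] && actions="$actions encryption"
  [ "$5" = no ] && actions="$actions antivirus"
  printf '%s\n' "${actions# }"
}

# On a Mac, gather the same facts with the built-in tools (Darwin only) and print the decision;
# the antivirus check depends on your product, so 'yes' is passed as a placeholder here.
if [ "$(uname)" = Darwin ]; then
  required=${1:-10.14.6}            # constructed default; use your $company version
  local_ver=$(sw_vers -productVersion)
  if fdesetup status | grep -q 'FileVault is On'; then enc=yes; else enc=no; fi
  if softwareupdate -l 2>&1 | grep -q '^[[:space:]]*\*'; then upd=yes; else upd=no; fi
  echo "actions: $(decide_actions "$local_ver" "$required" "$upd" "$enc" yes)"
fi
```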
- Operating System {like} $full_os_version - set the macOS version you consider 'compliant' (e.g. 10.14.6); this should equal the version in your macOS upgrade policy.
- Has Software Updates available - use either an EA or the Jamf built-in criterion.
- Machine not encrypted - use your discretion on the best way to check this. I use https://github.com/koalatee/scripts/blob/master/jamf/EAs/EA-AccurateFilevaultReporting.zsh to set an EA that is used for Smart Groups.
- Machine does not have antivirus installed.
- A fifth smart group to scope this script to: Computer Group {member of} $above_group1 [or] Computer Group {member of} $above_group2 [or] Computer Group {member of} $above_group3 [or] Computer Group {member of} $above_group4.
Note the IDs of the first four, as the script needs them. You can find them in the URL, e.g. https://your.jamf.here:8443/smartComputerGroups.html?id=64&o=r&nav=null (id=64 here).
- Rotate / re-key FileVault key - personally using https://github.com/koalatee/newFileVaultKey
- macOS upgrade - personally using https://github.com/bp88/JSS-Scripts/blob/master/OS_Upgrade.sh
- Run software updates - personally using the command "softwareupdate -iaR"
- Start encryption - recommend a policy that enforces encryption at next login
- Install antivirus
- Load script into jamf.
- Update the following values (required):
  - jamfURL
  - it_contact
  - smart group IDs, one for each of the four smart groups above (sg_Full_OS, sg_encryption, sg_antivirus and the software-updates group variable)
  - apiUser salt and passphrase
  - apiPass salt and passphrase
- Update the following values/variables (optional):
  - Messages to users - by default, macos_upgrade_message recommends backing up to Dropbox. Change this if you use a different service/method.
  - Display names for the arrays (array_macOS, array_encryption, array_software, array_antivirus). These names are also shown to the user: "your machine is/is not compliant with $array_macOS, $array_encryption, $array_software, $array_antivirus".
- Under the script options, change the display names for the parameters:
  - Parameter 04 = apiUser encrypted string
  - Parameter 05 = apiPass encrypted string
  - Parameter 06 = macOS version to check (e.g. 10.12.6) - as required by $company
  - Parameter 07 = antivirus install trigger
  - Parameter 08 = FileVault re-key trigger
  - Parameter 09 = macOS upgrade trigger
  - Parameter 10 = software update installer trigger
  - Parameter 11 = encryption trigger
- Create a new policy with the script.
- Fill in the script parameters as noted above.
- Scope the policy to Smart Group 5.