diff --git a/Jamf Pro/Scripts/Remove-LocalAdminRights.sh b/Jamf Pro/Scripts/Remove-LocalAdminRights.sh index 3c0bec6..4820f2c 100644 --- a/Jamf Pro/Scripts/Remove-LocalAdminRights.sh +++ b/Jamf Pro/Scripts/Remove-LocalAdminRights.sh @@ -3,7 +3,7 @@ ################################################################################################### # Script Name: Remove-LocalAdminRights.sh # By: Zack Thompson / Created: 2/14/2020 -# Version: 1.0.0 / Updated: 2/14/2020 / By: ZT +# Version: 1.1.0 / Updated: 7/20/2020 / By: ZT # # Description: This script removes local accounts from the local admin group; accounts that are # desired to be in the group are be specified from the Jamf Pro script parameter 4 @@ -28,28 +28,28 @@ protected_admins+=("root") # If parameters were provided, loop through them. if [[ -n $4 ]]; then - IFS=", " read accounts <<< $4 + IFS="," read -a accounts <<< "${4}" - for account in $accounts; do - protected_admins+=("${account}") + for account in "${accounts[@]}"; do + protected_admins+=("${account## }") done fi # Check the local environment and remove the proper account if [[ -e "/Library/Preferences/com.jamfsoftware.jamf.plist" ]]; then - jss_url=$( /usr/bin/defaults read "/Library/Preferences/com.jamfsoftware.jamf" jss_url ) + jss_url=$( /usr/bin/defaults read "/Library/Preferences/com.jamfsoftware.jamf" jss_url ) - if [[ "${jss_url}" == "${prod}" ]]; then - protected_admins+=("${prod_jma}") - elif [[ "${jss_url}" == "${dev}" ]]; then - protected_admins+=("${dev_jma}") - else - echo "ERROR: Unknown Jamf Pro environment!" - exit 2 - fi + if [[ "${jss_url}" == "${prod}" ]]; then + protected_admins+=("${prod_jma}") + elif [[ "${jss_url}" == "${dev}" ]]; then + protected_admins+=("${dev_jma}") + else + echo "ERROR: Unknown Jamf Pro environment!" + exit 2 + fi else - echo "ERROR: Issue with the Jamf Framework!" - exit 1 + echo "ERROR: Issue with the Jamf Framework!" + exit 1 fi ################################################## @@ -58,7 +58,8 @@ fi exit_code=0 # Get a list of the current admin group -admin_users=$( /usr/bin/dscl . -read Groups/admin GroupMembership | /usr/bin/awk -F "GroupMembership: " '{print $2}' ) +admin_users=$( /usr/bin/dscl . -read Groups/admin GroupMembership | \ + /usr/bin/awk -F "GroupMembership: " '{print $2}' ) # For verbosity in the policy log echo "The following accounts are in the local admin group:" @@ -67,37 +68,42 @@ for user in $admin_users; do done # Loop through the admin users -for user in $admin_users; do +for local_user in $admin_users; do - echo -e "${user} - " + echo -e "${local_user} - " # Check if the admin user is a protected_admin - if [[ "${protected_admins[*]}" == *"${user}"* ]]; then + for protected_admin in "${protected_admins[@]}"; do - # Remove user from the admin group - /usr/sbin/dseditgroup -o edit -d "${user}" -t user admin - exit_code_check=$? + if [ "${protected_admin}" == "${local_user}" ] ; then + + # Remove user from the admin group + /usr/sbin/dseditgroup -o edit -d "${local_user}" -t user admin + exit_code_check=$? + + # Check if the removal was successful + if [ $exit_code_check == "0" ]; then + echo "removed from admin group" + else + echo "FAILED to remove from admin group" + exit_code=1 + fi - # Check if the removal was successful - if [ $exit_code_check == "0" ]; then - echo "removed from admin group" else - echo "FAILED to remove from admin group" - exit_code=1 + echo "protected admin" fi - else - echo "protected admin" - fi + done done # Get an updated list of the local admin group -updatedLocalAdminGroup=$( /usr/bin/dscl . -read Groups/admin GroupMembership | /usr/bin/awk -F "GroupMembership: " '{print $2}' ) +updated_local_admin_group=$( /usr/bin/dscl . -read Groups/admin GroupMembership | \ + /usr/bin/awk -F "GroupMembership: " '{print $2}' ) # For verbosity in the policy log echo "Updated local admin group:" -for user in $updatedLocalAdminGroup; do +for user in $updated_local_admin_group; do echo " - ${user}" done