usnistgov/macos_security
1
0
Fork 0
mirror of https://github.com/usnistgov/macos_security.git synced 2026-02-03 05:53:24 +00:00
Code Issues 21 Actions Packages Projects Releases Wiki Activity

Modify the arg checking to suit Jamf Pro policies #247

New Issue
Closed
opened 2026-01-19 18:29:48 +00:00 by michael · 9 comments
michael commented 2026-01-19 18:29:48 +00:00
Owner
Copy Link

Originally created by @Honestpuck on GitHub.

Problem to solve

As written the compliance script cannot be run from a Jamf Pro policy as Jamf Pro inserts three arguments before the policy arguments

Intended users

Jamf Pro admins

Further details

Fixing this will be a minor change.

Proposal

At the top of the compliance script (around line 18) I will insert

# set the number of args expected
# if running from a Jamf Pro policy set this to 4
number_of_args=1

Then close to the bottom

# check for command line arguments, if --check or --fix, then just do them.
if (( # >= 2));then
    echo "Too many arguments. Usage: $0 [--check| --fix]"
    exit 1
fi

could have # >= 2 replaced with > $number_of_args

Documentation

Perhaps a note in the Wiki

Testing

I have made the changes and tested from both the command line and a Jamf policy and it all works.

What does success look like, and how can we measure that?

It is easier for Jamf Pro admins to use the compliance script. I will only do it if the team thinks it's acceptable.

Links / references

I couldn't find the spot in the Jamf doco that tells you about the script parameters.

If this is a good idea I can quickly put together a PR. Comments?

Originally created by @Honestpuck on GitHub. ### Problem to solve As written the compliance script cannot be run from a Jamf Pro policy as Jamf Pro inserts three arguments before the policy arguments ### Intended users Jamf Pro admins ### Further details Fixing this will be a minor change. ### Proposal At the top of the compliance script (around line 18) I will insert ``` # set the number of args expected # if running from a Jamf Pro policy set this to 4 number_of_args=1 ``` Then close to the bottom ``` # check for command line arguments, if --check or --fix, then just do them. if (( # >= 2));then echo "Too many arguments. Usage: $0 [--check| --fix]" exit 1 fi ``` could have `# >= 2` replaced with ` > $number_of_args` ### Documentation Perhaps a note in the Wiki ### Testing I have made the changes and tested from both the command line and a Jamf policy and it all works. ### What does success look like, and how can we measure that? It is easier for Jamf Pro admins to use the compliance script. I will only do it if the team thinks it's acceptable. ### Links / references I couldn't find the spot in the Jamf doco that tells you about the script parameters. ### If this is a good idea I can quickly put together a PR. Comments?
michael commented 2026-01-19 18:29:48 +00:00
Author
Owner
Copy Link

@robertgendler commented on GitHub:

Yup. Just needs testing to make sure we haven't broke anything too badly with changes in the script.

@robertgendler commented on GitHub: Yup. Just needs testing to make sure we haven't broke anything too badly with changes in the script.
michael commented 2026-01-19 18:29:48 +00:00
Author
Owner
Copy Link

@robertgendler commented on GitHub:

Check out the dev_monterey_compliance_script branch and see if that works better with Jamf. Changes have been made to make it work more universal.

@robertgendler commented on GitHub: Check out the [dev_monterey_compliance_script](https://github.com/usnistgov/macos_security/tree/dev_monterey_compliance_script) branch and see if that works better with Jamf. Changes have been made to make it work more universal.
michael commented 2026-01-19 18:29:48 +00:00
Author
Owner
Copy Link

@Honestpuck commented on GitHub:

I will do some testing early next week.

Next thing I want to do is write a script that generates the EAs and computer groups for Jamf and then uploads them. generate_jamf.py maybe.

@Honestpuck commented on GitHub: I will do some testing early next week. Next thing I want to do is write a script that generates the EAs and computer groups for Jamf and then uploads them. `generate_jamf.py` maybe.
michael commented 2026-01-19 18:29:48 +00:00
Author
Owner
Copy Link

@smithjw commented on GitHub:

@Honestpuck / @robertgendler I've made a small tweak to the generate_guidance.py script to take this a step further and run multiple functions if an admin passes multiple arguments into the script.

https://github.com/usnistgov/macos_security/pull/141

@smithjw commented on GitHub: @Honestpuck / @robertgendler I've made a small tweak to the `generate_guidance.py` script to take this a step further and run multiple functions if an admin passes multiple arguments into the script. https://github.com/usnistgov/macos_security/pull/141
michael commented 2026-01-19 18:29:48 +00:00
Author
Owner
Copy Link

@Honestpuck commented on GitHub:

That removes the check on the number of arguments entirely so that works better than the original. I guess you can argue either way, remove the arg checking entirely or maker the number of args a constant. I went for minimal change.

Is that branch likely to get merged any time soon?

@Honestpuck commented on GitHub: That removes the check on the number of arguments entirely so that works better than the original. I guess you can argue either way, remove the arg checking entirely or maker the number of args a constant. I went for minimal change. Is that branch likely to get merged any time soon?
michael commented 2026-01-19 18:29:48 +00:00
Author
Owner
Copy Link

@Honestpuck commented on GitHub:

Brilliant @smithjw. Good change. Is this now in main? When it is I'll edit my HOWTO

@Honestpuck commented on GitHub: Brilliant @smithjw. Good change. Is this now in main? When it is I'll edit my HOWTO
michael commented 2026-01-19 18:29:48 +00:00
Author
Owner
Copy Link

@Honestpuck commented on GitHub:

I might leave the HOWTO the way it is now until the merge. Branches might be a task too far for some. Thanks for letting me know.

@Honestpuck commented on GitHub: I might leave the HOWTO the way it is now until the merge. Branches might be a task too far for some. Thanks for letting me know.
michael commented 2026-01-19 18:29:48 +00:00
Author
Owner
Copy Link

@golbiga commented on GitHub:

This is merged into the OS branches, will be merged into main at ventura release

@golbiga commented on GitHub: This is merged into the OS branches, will be merged into main at ventura release
michael commented 2026-01-19 18:29:48 +00:00
Author
Owner
Copy Link

@robertgendler commented on GitHub:

@Honestpuck this is now in the OS branches. We probably won't merge to main until the fall is my guess with the release of the new version of the OS.

@robertgendler commented on GitHub: @Honestpuck this is now in the OS branches. We probably won't merge to main until the fall is my guess with the release of the new version of the OS.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
michael
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: usnistgov/macos_security#247
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?