Scripts can be fun but they can also be a never-ending nightmare. A friend recently asked me to share my BYOD setup script that I use in my environment. It may be a little rough and in some spots quite specific however I thought I would share it. I utilise Jamf’s Casper suite (can’t recommend them enough!) so some parts of the script do reference their tools.

I use this script on BYOD devices. It sets up some basic things: NTP servers, Gatekeeper, and it installs some additional packages. The script also creates some hidden management accounts on the device — note that their passwords are embedded in the script itself, so anyone who can read the script (or the USB it ships on) has the admin credentials for every device it was run on; keep it out of student reach and change the placeholders. This is not a copy/paste script, you will need to change it to suit your environment.

If there is enough interest I’m happy to write a generic setup script. If you have any suggestions or request you can reach me @jacobcurulli

#!/bin/bash
# BYOD Setup script - now with popups!
# J.Curulli - 20th November 2015
# Updated 03 December 2015 - Fixed computer naming section, updated to standalone for BYOD USB deployment
# Also now logs to the /var/log/jamf_imaging.log file

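invitationid="yourInvitationIdHere"

##################################
# Everything below writes to /var/log, /etc and the local directory service,
# so refuse to continue unless we are root instead of failing piecemeal
# further down.
if [[ "$(id -u)" -ne 0 ]]; then
  echo "This script must be run as root" >&2
  exit 1
fi

# Make sure the jamf_imaging.log file exists and is writable by us.
# The log is created root-owned and world-readable only: the original 0777
# let any local user append to, truncate or fill the imaging log.
log="/var/log/jamf_imaging.log"
if [[ ! -f "$log" ]]; then
  touch "$log"
  chmod 644 "$log"
  echo "$(date +"%a %b %d %H:%M:%S") - Created jamf_imaging.log file just now" >> "$log"
fi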

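# Turn off Gatekeeper.
# WARNING: this is a global, persistent change -- the device will run
# unsigned apps from any source until `spctl --master-enable` is run again.
# On a student-owned BYOD device that is a real loss of protection; if it is
# only needed for the install step below, re-enable it once that is done.
spctl --master-disable

# Install the staged packages, logging the result of each so a failed install
# (wrong path, damaged package) shows up in jamf_imaging.log instead of
# silently passing. These run as root, so the staging directory must only
# ever be populated from the trusted USB/deployment media.
pkgdir="/private/var/.temp"
for pkg in "$pkgdir/agent-setup-2.47.23-unmanaged" "$pkgdir/Certificates.pkg"; do
  if [[ ! -e "$pkg" ]]; then
    echo "$(date +"%a %b %d %H:%M:%S") - Package not found, skipping: $pkg" >> "$log"
    continue
  fi
  installer -pkg "$pkg" -target /
  rc=$?
  if [[ "$rc" -eq 0 ]]; then
    echo "$(date +"%a %b %d %H:%M:%S") - Installed $pkg" >> "$log"
  else
    echo "$(date +"%a %b %d %H:%M:%S") - FAILED to install $pkg (installer exit $rc)" >> "$log"
  fi
done

# Remove the staged packages.
# NOTE(review): the install step references the agent package without an
# extension while the cleanup removed it as ".mpkg" -- confirm which name the
# staged file really has. Both names are removed so nothing is left behind.
rm -rf -- "$pkgdir/agent-setup-2.47.23-unmanaged" "$pkgdir/agent-setup-2.47.23-unmanaged.mpkg"
rm -rf -- "$pkgdir/Certificates.pkg"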

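# Setup the login window to display some additional information
# (clicking on the time cycles through: computer name, OS X version, IP address)
defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo HostName

# Configure time settings
# Set the time zone
/usr/sbin/systemsetup -settimezone Australia/Perth

# Time servers. The primary is set through systemsetup, which rewrites
# /etc/ntp.conf and clears any existing servers; the fallbacks are appended
# afterwards. A single variable holds the primary so the immediate sync at
# the end uses the same host that is configured for ongoing NTP (the original
# synced against a different placeholder than it configured).
ntpserver="ntp.yourtimeserver"
ntpfallbacks=("ntp.yourdomain.local" "time.apple.com")

/usr/sbin/systemsetup -setnetworktimeserver "$ntpserver"

# Append each fallback only if it is not already present, so re-running the
# script does not keep stacking duplicate "server" lines in ntp.conf.
for srv in "${ntpfallbacks[@]}"; do
  if ! grep -qxF "server $srv" /etc/ntp.conf 2>/dev/null; then
    echo "server $srv" >> /etc/ntp.conf
  fi
done

# Sets the Mac to get the time from the network
/usr/sbin/systemsetup -setusingnetworktime on

# Do a sync now. A badly wrong clock breaks certificate validation for
# everything that follows (enrolment included), so a failure is logged.
if ! ntpdate -u "$ntpserver"; then
  echo "$(date +"%a %b %d %H:%M:%S") - WARNING: initial time sync against $ntpserver failed" >> "$log"
fi

# Disable Time Machine's pop-up message whenever an external drive is plugged in
defaults write /Library/Preferences/com.apple.TimeMachine DoNotOfferNewDisksForBackup -bool true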

# This part of the script can be removed if not needed. It gets the students details in order to correctly name their laptop.
# This part could be edited to enable account creation for the BYOD student

# Get some details to correctly name the laptop
# prompt and get firstname
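# Prompt the person running the setup for one line of text via a
# System Events dialog.
#   $1 - prompt text, $2 - default answer
# Prints the entered text to stdout. If the dialog is cancelled, osascript
# exits non-zero and nothing is printed, so callers must treat an empty
# result as "no answer".
# Both arguments are interpolated straight into AppleScript source: only ever
# pass fixed prompt strings, never untrusted text containing double quotes.
function _prompt_text() {
  local prompt="$1" answer="$2"
  osascript <<EOT
    tell app "System Events"
      text returned of (display dialog "$prompt" default answer "$answer" default button 2 with title "$(basename "$0")")
    end tell
EOT
}

# Abort the run when a required answer is missing (dialog cancelled or left
# blank). Continuing would produce a computer name like " 's Macbook" and a
# recon with no end user assigned.
function _require_answer() {
  local label="$1" value="$2"
  if [[ -z "$value" ]]; then
    echo "$(date +"%a %b %d %H:%M:%S") - No $label entered, aborting setup" >> "$log"
    echo "No $label entered, aborting." >&2
    exit 1
  fi
}

# The four original prompt functions were copies of one another; they are
# kept as named wrappers so nothing else that calls them changes.
function getfirstname() { _prompt_text "$1" "$2"; }
function getlastname()  { _prompt_text "$1" "$2"; }
function getusername()  { _prompt_text "$1" "$2"; }
function getcohort()    { _prompt_text "$1" "$2"; }

# Get some details to correctly name the laptop
firstname="$(getfirstname 'Please enter the students first name:' '')"
_require_answer "first name" "$firstname"

lastname="$(getlastname 'Please enter the students last name:' '')"
_require_answer "last name" "$lastname"

# The school username is so we can enroll them in Casper and have the device assigned to them
username="$(getusername 'Please enter the students school username:' '')"
_require_answer "school username" "$username"

# The students graduating year; picked up by Casper to use with smart groups
cohort="$(getcohort 'Please enter the students cohort:' '')"
_require_answer "cohort" "$cohort"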

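# Create Computer Name and Local Host name.
# The display name may contain spaces and an apostrophe (the original built it
# with a stray empty backtick pair, which ran an empty command). HostName and
# the Bonjour LocalHostName only accept letters, digits and hyphens, so those
# are built from a sanitised form of the student's name.
computername="${firstname} ${lastname}'s Macbook"
localhostname="$(printf '%s' "${firstname}-${lastname}-Macbook" | LC_ALL=C tr -cd 'A-Za-z0-9-')"

# Log the current name before changing it, for the records. The original
# logged $CurrentName, which was never set, so both log lines were blank.
currentname="$(/usr/sbin/scutil --get ComputerName 2>/dev/null)"
echo "$(date +"%a %b %d %H:%M:%S") - Getting ready to update computer name, current name is $currentname" >> "$log"

# This line can be used if you utilise the Casper suite from Jamf
jamf setComputerName -target / -name "$computername"

# Set the computer name. HostName gets the hyphenated form: the original set
# it to the display name, which contains spaces and an apostrophe and is not
# a valid host name.
/usr/sbin/scutil --set ComputerName "$computername"
/usr/sbin/scutil --set HostName "$localhostname"
/usr/sbin/scutil --set LocalHostName "$localhostname"

currentname="$(/usr/sbin/scutil --get ComputerName 2>/dev/null)"
echo "$(date +"%a %b %d %H:%M:%S") - Name has now been updated to: $currentname" >> "$log"

# Set BYOD to yes (written out below and picked up by a Casper extension attribute)
byod="Yes"

# Scratch directory read by the recon extension attributes; create it if missing
dir="/var/.temp"
if [[ ! -d "$dir" ]]; then
  mkdir -- "$dir"
fi

# Write to the text files to be picked up by the recon.
# These values feed the extension attributes in Casper used for smart groups.
printf '%s\n' "$computername" > "$dir/computerName.txt"
printf '%s\n' "$cohort" > "$dir/department.txt"
printf '%s\n' "$byod" > "$dir/BYOD.txt"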

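# Create the hidden management accounts.
# Home folders live under /var so students don't get curious, and the UIDs are
# below 500 so the loginwindow Hide500Users setting keeps them off the login
# screen.
#
# SECURITY NOTE: the passwords are hard-coded here and handed to dscl on the
# command line. Anyone who can read this script (or watch `ps` while it runs)
# gets them, and because the same script runs on every BYOD device, one leaked
# copy is an admin credential for all of them. Keep the script out of student
# reach and consider a per-device or escrowed credential instead.
admin_password="yourpasswordhere"
tech_password="yourpasswordhere"

# create_hidden_admin NAME UID REALNAME HOME PASSWORD
#   Creates a local admin user with a hidden home directory and logs the
#   result. Refuses to proceed if UID is already taken, since dscl -create
#   would otherwise silently give two accounts the same identity.
function create_hidden_admin() {
  local name="$1" uid="$2" realname="$3" home="$4" password="$5"

  # dscl -search prints nothing when no record matches
  if [[ -n "$(dscl . -search /Users UniqueID "$uid" 2>/dev/null)" ]]; then
    echo "$(date +"%a %b %d %H:%M:%S") - UID $uid already in use, not creating $name" >> "$log"
    return 1
  fi

  mkdir -p -- "$home"
  dscl . -create "/Users/$name"
  dscl . -create "/Users/$name" UserShell /bin/bash
  dscl . -create "/Users/$name" RealName "$realname"
  dscl . -create "/Users/$name" UniqueID "$uid"
  dscl . -create "/Users/$name" Picture "/Library/User Pictures/Sports/Hockey.tif"
  dscl . -create "/Users/$name" PrimaryGroupID 20
  dscl . -create "/Users/$name" NFSHomeDirectory "$home"
  dscl . -passwd "/Users/$name" "$password"
  # Copy the *contents* of the user template into the home folder. The
  # original copied the English.lproj directory itself into the already-made
  # home, leaving the skeleton under $home/English.lproj instead of $home.
  cp -R "/System/Library/User Template/English.lproj/." "$home"
  chown -R "$name:staff" "$home"
  dscl . -append /Groups/admin GroupMembership "$name"
  echo "$(date +"%a %b %d %H:%M:%S") - Created hidden admin account $name (uid $uid)" >> "$log"
}

# The management account. The original set RealName on /Users/teacher by
# mistake, which left "admin" unnamed and created a stray half-configured
# "teacher" record.
create_hidden_admin admin 404 "Administrator" /var/.admin "$admin_password"

# Also create the tech admin account for repairs
create_hidden_admin tech 407 "Tech User" /var/.tech "$tech_password"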

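# Hide service accounts (UID < 500) from the login window and from
# Users & Groups
defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE

# Display a popup. The AppleScript is passed in single quotes: the original
# wrapped it in backticks, so the shell tried to execute "display" instead of
# passing the text to osascript (and the line above it was missing its "#").
osascript -e 'display notification "Created service accounts" with title "Attention"'

# Recon with the student's username and enroll if needed.
# The variable is $invitationid (set at the top of the script); the original
# referenced a misspelled $ivitationid and so enrolled with an empty invitation.
# The invitation ID lets any machine that has it enrol into your JSS, so treat
# this script as containing a credential.
jamf recon -endUsername "$username"
jamf enroll -invitation "$invitationid"
rc=$?
if [[ "$rc" -ne 0 ]]; then
  echo "$(date +"%a %b %d %H:%M:%S") - WARNING: jamf enroll failed (exit $rc)" >> "$log"
fi

exit 0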