Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save rickgmac/532f3bdd030595b7631b9fe7ef4cb4cb to your computer and use it in GitHub Desktop.
Save rickgmac/532f3bdd030595b7631b9fe7ef4cb4cb to your computer and use it in GitHub Desktop.
Postinstall script for Jamf Composer to install DEPNotify with supporting scripts and a LaunchDaemon
#!/bin/zsh
## postinstall
pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3
# This postinstall script for Composer creates the following
# A LaunchDaemon that starts a separate script to run a Jamf Pro policy command
# A script to wait for Jamf Pro enrollment to complete
# - then triggers a Jamf Pro policy that triggers DEPNotify
# A script that is designed to be called by a Jamf Pro policy
# - to unload the LaunchDaemon then remove the LaunchDaemon and script
#
# Q: Why not just call the `jamf policy -event` command
# from the PreStage Enrollment package postinstall script?
# A: Because the PreStage Enrollment package is installed
# before the jamf binary is installed.
#
# Q: Why not just have the postinstall script wait until jamf enrollment is complete?
# A: Because the postinstall script won't exit while it waits, which prevents enrollment
#
# Q: Why not just include the DEPNotify.sh script in the PreStage Enrollment package?
# A: Because every time you update it, for instance POLICY_ARRAY,
# you'd need to re-build and re-upload the package
#
# Q: Why not distribute the extra scripts and LaunchDaemons somewhere else,
# instead of embedding them in this funky postinstall script?
# A: This way you only have to download and maintain one extra thing.
#
# One approach is to use the following locations and files:
# LaunchDaemon:
# /Library/LaunchDaemons/com.arekdreyer.DEPNotify-prestarter.plist
#
# Temporary folder for the installer and scripts:
# /usr/local/depnotify-with-installers/
#
# Scripts:
# /usr/local/depnotify-with-installers/com.arekdreyer.DEPNotify-prestarter-installer.zsh
# /usr/local/depnotify-with-installers/com.arekdreyer.DEPNotify-prestarter-uninstaller.zsh
# This script must be run as root or via Jamf Pro.
# The resulting Script and LaunchDaemon will be run as root.
# Update this when the DEPNotify installer package is updated; earlier name was DEPNotifyInstallerName=DEPNotify-1.1.4.pkg
DEPNotifyInstallerName=DEPNotify.pkg
#
# You can change this if you have a better location to use.
# I haven't tested this with any path that has a space in the name.
TempUtilitiesPath=/usr/local/depnotify-with-installers
#
# You can change any of these:
InstallerBaseString=com.arekdreyer.DEPNotify-prestarter
InstallerScriptName=${InstallerBaseString}-installer.zsh
InstallerScriptPath=${TempUtilitiesPath}/${InstallerScriptName}
UnInstallerScriptName=${InstallerBaseString}-uninstaller.zsh
UnInstallerScriptPath=${TempUtilitiesPath}/${UnInstallerScriptName}
# Best to use /Library/LaunchDaemons for the LaunchDaemon
LaunchDaemonName=${InstallerBaseString}.plist
LaunchDaemonPath="/Library/LaunchDaemons"/${LaunchDaemonName}
DEPNOTIFYSTARTER_TRIGGER=start-depnotify
# Install the package
/usr/sbin/installer -pkg ${TempUtilitiesPath}/${DEPNotifyInstallerName} -target $3
# The following will create a script that triggers the DEPNotify script to start. Be sure the contents are between the two "ENDOFINSTALLERSCRIPT" lines.
# NOTE: Make sure to leave a full return at the end of the Script content before the last "ENDOFINSTALLERSCRIPT" line.
echo "Creating ${InstallerScriptPath}."
(
cat <<ENDOFINSTALLERSCRIPT
#!/bin/zsh
until [ -f /var/log/jamf.log ]
do
echo "Waiting for jamf log to appear"
sleep 1
done
until ( /usr/bin/grep -q enrollmentComplete /var/log/jamf.log )
do
echo "Waiting for jamf enrollment to be complete."
sleep 1
done
/usr/local/jamf/bin/jamf policy -event ${DEPNOTIFYSTARTER_TRIGGER}
exit 0
ENDOFINSTALLERSCRIPT
) > "${InstallerScriptPath}"
echo "Setting permissions for ${InstallerScriptPath}."
chmod 755 "${InstallerScriptPath}"
chown root:wheel "${InstallerScriptPath}"
#-----------
# The following will create the LaunchDaemon file that starts the script that waits for Jamf Pro enrollment
# then runs the jamf policy -event command to run your DEPNotify.sh script.
echo "Creating ${LaunchDaemonPath}."
(
cat <<ENDOFLAUNCHDAEMON
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>${InstallerBaseString}</string>
<key>RunAtLoad</key>
<true/>
<key>UserName</key>
<string>root</string>
<key>ProgramArguments</key>
<array>
<string>/bin/zsh</string>
<string>${InstallerScriptPath}</string>
</array>
<key>StandardErrorPath</key>
<string>/var/tmp/${InstallerScriptName}.err</string>
<key>StandardOutPath</key>
<string>/var/tmp/${InstallerScriptName}.out</string>
</dict>
</plist>
ENDOFLAUNCHDAEMON
) > "${LaunchDaemonPath}"
echo "Setting permissions for ${LaunchDaemonPath}."
chmod 644 "${LaunchDaemonPath}"
chown root:wheel "${LaunchDaemonPath}"
echo "Loading ${LaunchDaemonName}."
launchctl load "${LaunchDaemonPath}"
#-----------
# The following will create the script file to uninstall the LaunchDaemon and installer script.
# You can create a Jamf Pro policy with the following characteristics:
# General settings:
# --Name: Cleanup DEPNotify Installers
# --Trigger: Custom Trigger: cleanup-depnotify-preinstaller
# --Scope: All Computers
# --Frequency: Once per Computer
# Files and Processes settings:
# --Execute Command: Whatever your $UnInstallerScriptPath is set to.
#
# In your DEPNotify.sh script, include the policy near the end of your POLICY_ARRAY.
#
# Paste your script's contents between the two "ENDOFUNINSTALLERSCRIPT" lines.
# NOTE: Make sure to leave a full return at the end of the Script content before the last "ENDOFUNINSTALLERSCRIPT" line.
echo "Creating ${UnInstallerScriptPath}."
(
cat <<ENDOFUNINSTALLERSCRIPT
#!/bin/zsh
# This is meant to be called by a Jamf Pro policy via trigger
# Near the end of your POLICY_ARRAY in your DEPNotify.sh script
rm ${TempUtilitiesPath}/${DEPNotifyInstallerName}
rm ${InstallerScriptPath}
#Note that if you unload the LaunchDaemon this will immediately kill the depNotify.sh script
#Just remove the underlying plist file, and the LaunchDaemon will not run after next reboot/login.
rm ${LaunchDaemonPath}
rm ${UnInstallerScriptPath}
rmdir ${TempUtilitiesPath}
exit 0
exit 1
ENDOFUNINSTALLERSCRIPT
) > "${UnInstallerScriptPath}"
echo "Setting permissions for ${UnInstallerScriptPath}."
chmod 644 "${UnInstallerScriptPath}"
chown root:wheel "${UnInstallerScriptPath}"
exit 0 ## Success
exit 1 ## Failure
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment