-
Notifications
You must be signed in to change notification settings - Fork 115
Expand file tree
/
Copy pathEscrow Buddy.munki.recipe
More file actions
168 lines (150 loc) · 5.19 KB
/
Escrow Buddy.munki.recipe
File metadata and controls
168 lines (150 loc) · 5.19 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Description</key>
<string>Downloads the latest Escrow Buddy and imports into Munki.</string>
<key>Identifier</key>
<string>com.github.homebysix.munki.EscrowBuddy</string>
<key>Input</key>
<dict>
<key>MUNKI_REPO_SUBDIR</key>
<string>apps/Escrow Buddy</string>
<key>NAME</key>
<string>Escrow Buddy</string>
<key>pathname</key>
<string>%pathname%</string>
<key>pkginfo</key>
<dict>
<key>blocking_applications</key>
<array/>
<key>catalogs</key>
<array>
<string>testing</string>
</array>
<key>category</key>
<string>Utilities</string>
<key>description</key>
<string>Escrow Buddy is a tool used by MDM administrators to ensure a valid FileVault recovery key is escrowed for your Mac.</string>
<key>developer</key>
<string>Netflix</string>
<key>display_name</key>
<string>Escrow Buddy</string>
<key>minimum_os_version</key>
<string>10.14.4</string>
<key>name</key>
<string>%NAME%</string>
<key>unattended_install</key>
<true/>
<key>unattended_uninstall</key>
<true/>
<key>uninstall_method</key>
<string>uninstall_script</string>
<key>uninstall_script</key>
<string>#!/bin/bash
AuthDBTeardown() {
# Create temporary directory for storage of authorization database files
# Using hyphen to prevent escape issues in PlistBuddy commands
EB_DIR="${TMPDIR:=/private/tmp}/com.netflix.Escrow-Buddy"
mkdir -pv "$EB_DIR"
AUTH_DB="$EB_DIR/auth.db"
# Output current loginwindow auth database
echo "Reading system.login.console section of authorization database..."
/usr/bin/security authorizationdb read system.login.console > "$AUTH_DB"
if [[ ! -f "$AUTH_DB" ]]; then
echo "ERROR: Unable to save the current authorization database."
exit 1
fi
# Check current loginwindow auth database for desired entry
if ! grep -q '<string>Escrow Buddy:Invoke,privileged</string>' "$AUTH_DB"; then
echo "Escrow Buddy is not configured in the loginwindow authorization database."
return
fi
# Create a backup copy
cp "$AUTH_DB" "$AUTH_DB.backup"
echo "Removing Escrow Buddy from authorization database..."
INDEX=$(/usr/libexec/PlistBuddy -c "Print :mechanisms:" "$AUTH_DB" 2>/dev/null | grep -n "Escrow Buddy:Invoke,privileged" | awk -F ":" '{print $1}')
if [[ -z $INDEX ]]; then
echo "ERROR: Unable to index current loginwindow authorization database."
exit 1
fi
# Subtract 2 from the index to account for PlistBuddy output format
INDEX=$((INDEX-2))
# Remove Escrow Buddy mechanism
/usr/libexec/PlistBuddy -c "Delete :mechanisms:$INDEX" "$AUTH_DB"
# Save authorization database changes
if ! security authorizationdb write system.login.console < "$AUTH_DB"; then
echo "ERROR: Unable to save changes to authorization database."
exit 1
fi
}
# If in-bundle AuthDB teardown script exists on disk, prefer using that
echo "Removing Escrow Buddy from authorization database..."
"/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle/Contents/Resources/AuthDBTeardown.sh" || AuthDBTeardown
echo "Deleting Escrow Buddy bundle..."
rm -rf "/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle"
echo "Forgetting receipt..."
pkgutil --forget "com.netflix.Escrow-Buddy" 2>/dev/null
echo "Escrow Buddy successfully uninstalled."
</string>
<key>uninstallable</key>
<true/>
</dict>
</dict>
<key>MinimumVersion</key>
<string>1.0.0</string>
<key>ParentRecipe</key>
<string>com.github.homebysix.download.EscrowBuddy</string>
<key>Process</key>
<array>
<dict>
<key>Arguments</key>
<dict>
<key>additional_pkginfo</key>
<dict>
<key>installcheck_script</key>
<string>#!/bin/zsh
# Exit codes
PROCEED_WITH_INSTALL=0
INSTALL_NOT_NEEDED=1
# Check whether mechanism is present in the authorization database
DBENTRY="<string>Escrow Buddy:Invoke,privileged</string>"
if ! /usr/bin/security authorizationdb read system.login.console 2>/dev/null | grep -q "$DBENTRY"; then
exit $PROCEED_WITH_INSTALL
fi
# Check whether receipt is present
if [[ ! -f "/var/db/receipts/com.netflix.Escrow-Buddy.plist" ]]; then
exit $PROCEED_WITH_INSTALL
fi
# Check whether bundle is present
if [[ ! -d "/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle" ]]; then
exit $PROCEED_WITH_INSTALL
fi
# Check whether bundle is up to date
autoload is-at-least
INSTALLED_VERSION=$(defaults read "/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle/Contents/Info.plist" CFBundleShortVersionString)
OFFERED_VERSION="%version%"
if ! is-at-least "$OFFERED_VERSION" "$INSTALLED_VERSION"; then
exit $PROCEED_WITH_INSTALL
fi
exit $INSTALL_NOT_NEEDED
</string>
</dict>
</dict>
<key>Processor</key>
<string>MunkiPkginfoMerger</string>
</dict>
<dict>
<key>Arguments</key>
<dict>
<key>pkg_path</key>
<string>%pathname%</string>
<key>repo_subdirectory</key>
<string>%MUNKI_REPO_SUBDIR%</string>
</dict>
<key>Processor</key>
<string>MunkiImporter</string>
</dict>
</array>
</dict>
</plist>