This repository has been archived by the owner on Nov 14, 2017. It is now read-only.

Deployment

bp88 edited this page Apr 15, 2016 · 5 revisions

Deploying ADPassMon

There are a few things to think about when deploying ADPassMon. Below are some pointers.

Application

ADPassMon itself is an application, so it can be deployed with your existing tools like any other.

The recommended location is in /Applications/, but it's up to you where you put it. This guide will presume that ADPassMon is in /Applications/.

GateKeeper

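Before you deploy ADPassMon, you may wish to remove the quarantine extended attribute so GateKeeper doesn't prompt on first launch. That attribute is what triggers the GateKeeper prompt, so only strip it from a copy whose source you trust.

This can be accomplished with the command below, which should be run before packaging/deployment.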

xattr -d com.apple.quarantine /Applications/ADPassMon.app

AutoPKG

There are a number of recipes available via AutoPKG, with some found at: https://github.com/autopkg/homebysix-recipes/tree/master/ADPassMon

These will remove the extended attributes given above & create a PKG for you to deploy.

Launching ADPassMon

ADPassMon is an application that needs to run as the user, so a LaunchAgent is the recommended method to launch it.

Below are two example LaunchAgents. Deploy them either to /Library/LaunchAgents/ to launch the application for every user, or to ~/Library/LaunchAgents/ in the home folders of specific users.

Amend the application path & Label as wanted, & as always with LaunchAgents, be mindful of the permissions on the files.

The owner should be root & the mode 644.

Standard LaunchAgent

The below will run ADPassMon at login, but the user can quit the application.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>org.pmbuko.ADPassMon</string>
	<key>LimitLoadToSessionType</key>
	<string>Aqua</string>
	<key>Program</key>
	<string>/Applications/ADPassMon.app/Contents/MacOS/ADPassMon</string>
	<key>RunAtLoad</key>
	<true/>
</dict>
</plist>

Persistent LaunchAgent

The below will again run ADPassMon at login, and because KeepAlive is set, launchd relaunches it whenever it exits, which stops the user from being able to quit the application.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>org.pmbuko.ADPassMon</string>
	<key>LimitLoadToSessionType</key>
	<string>Aqua</string>
	<key>Program</key>
	<string>/Applications/ADPassMon.app/Contents/MacOS/ADPassMon</string>
	<key>RunAtLoad</key>
	<true/>
	<key>KeepAlive</key>
	<true/>
</dict>
</plist>
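
One way to check a deployed LaunchAgent against the owner and mode guidance above, as an added example that is not part of the original page or the ADPassMon project. The function names, the `expected_uid` parameter and the extra Label and Program checks are assumptions of this example; the sample plist is constructed from the Standard LaunchAgent.

```python
import os
import plistlib
import stat
import tempfile

# Constructed sample, modelled on the Standard LaunchAgent shown above.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>org.pmbuko.ADPassMon</string>
    <key>Program</key><string>/Applications/ADPassMon.app/Contents/MacOS/ADPassMon</string>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def audit_launch_agent(path, expected_uid=0):
    """Return a list of findings; an empty list means the file passed."""
    findings = []
    st = os.stat(path)
    if st.st_uid != expected_uid:
        findings.append("owner uid is %d, expected %d" % (st.st_uid, expected_uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o644:
        findings.append("mode is %o, expected 644" % mode)
    try:
        with open(path, "rb") as fh:
            job = plistlib.load(fh)
    except Exception as exc:  # malformed XML or binary plist
        return findings + ["not a valid plist: %s" % exc]
    if not isinstance(job, dict) or not job.get("Label"):
        return findings + ["Label is missing"]
    program = job.get("Program") or (job.get("ProgramArguments") or [""])[0]
    if not os.path.isabs(program):
        findings.append("Program is not an absolute path")
    elif os.path.exists(program) and stat.S_IMODE(os.stat(program).st_mode) & 0o022:
        findings.append("Program is writable by group or other")
    return findings


def demo():
    """Write the sample with mode 644 and audit it as the current user."""
    path = os.path.join(tempfile.mkdtemp(), "org.pmbuko.ADPassMon.plist")
    with open(path, "wb") as fh:
        fh.write(SAMPLE_PLIST)
    os.chmod(path, 0o644)
    return audit_launch_agent(path, expected_uid=os.getuid())
```

On a client, call `audit_launch_agent` on the deployed file with the default `expected_uid=0`; `demo()` passes the current uid only so the sample can be checked without root.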

Preinstall/Postinstall script

If you are deploying ADPassMon through a standard Apple package installer and want to make sure the app is unloaded and reloaded through your launch agent, the following preinstall and postinstall scripts will let you do just that. Note, you should edit the LAUNCH_AGENT_PATH variable with the exact file name used for your Launch Agent.

preinstall

#!/bin/bash

#Path to Launch Agent
#Edit the Launch Agent file name
LAUNCH_AGENT_PATH="$3/Library/LaunchAgents/com.company.adpassmon.plist"

#Determine current user, user's Process ID, user's User ID, and OS version
#osvers is the minor version number, so the tests below assume a 10.x release
currentUser=$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')
#pgrep has no -m option; take the first matching PID with head instead
currentUserPID=$(/usr/bin/pgrep -x WindowServer | /usr/bin/head -n 1)
#Only look up the UID when a user is actually logged in
currentUserUID=""
[ -n "$currentUser" ] && currentUserUID=$(id -u "$currentUser")
osvers=$(/usr/bin/sw_vers -productVersion | /usr/bin/cut -d . -f 2)

if [ ! -e "$LAUNCH_AGENT_PATH" ]; then
    /bin/echo "Launch agent not found at path: $LAUNCH_AGENT_PATH"
    exit 0
fi

#Unload the agent from the logged-in user's session
if [ -z "$currentUser" ]; then
    /bin/echo "No user logged in, nothing to unload"
elif [[ $osvers -lt 10 ]]; then
    /bin/launchctl bsexec "$currentUserPID" /bin/launchctl unload "$LAUNCH_AGENT_PATH" > /dev/null 2>&1 &
elif [[ $osvers -eq 10 ]]; then
    /bin/launchctl asuser "$currentUserUID" /bin/launchctl unload "$LAUNCH_AGENT_PATH" > /dev/null 2>&1 &
elif [[ $osvers -ge 11 ]]; then
    /bin/launchctl bootout "gui/$currentUserUID" "$LAUNCH_AGENT_PATH" > /dev/null 2>&1 &
else
    /bin/echo "Not a supported operating system: $osvers"
    exit 1
fi

#Path to app
#Edit to match where ADPassMon is installed on your clients
AppPath="$3/Applications/Utilities/ADPassMon.app"

#Remove the old copy so the package installs a clean one
if [ -d "$AppPath" ]; then
	/bin/rm -rf "$AppPath"
fi

postinstall

#!/bin/bash

#Path to Launch Agent
#Edit the Launch Agent file name
LAUNCH_AGENT_PATH="$3/Library/LaunchAgents/com.company.adpassmon.plist"

#Determine current user, user's Process ID, user's User ID, and OS version
#osvers is the minor version number, so the tests below assume a 10.x release
currentUser=$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')
#pgrep has no -m option; take the first matching PID with head instead
currentUserPID=$(/usr/bin/pgrep -x WindowServer | /usr/bin/head -n 1)
#Only look up the UID when a user is actually logged in
currentUserUID=""
[ -n "$currentUser" ] && currentUserUID=$(id -u "$currentUser")
osvers=$(/usr/bin/sw_vers -productVersion | /usr/bin/cut -d . -f 2)

if [ ! -e "$LAUNCH_AGENT_PATH" ]; then
    /bin/echo "Launch agent not found at path: $LAUNCH_AGENT_PATH"
    exit 0
fi

#Load the agent into the logged-in user's session
if [ -z "$currentUser" ]; then
    /bin/echo "No user logged in, the agent will load at next login"
elif [[ $osvers -lt 10 ]]; then
    /bin/launchctl bsexec "$currentUserPID" /bin/launchctl load "$LAUNCH_AGENT_PATH" > /dev/null 2>&1 &
elif [[ $osvers -eq 10 ]]; then
    /bin/launchctl asuser "$currentUserUID" /bin/launchctl load "$LAUNCH_AGENT_PATH" > /dev/null 2>&1 &
elif [[ $osvers -ge 11 ]]; then
    /bin/launchctl bootstrap "gui/$currentUserUID" "$LAUNCH_AGENT_PATH" > /dev/null 2>&1 &
else
    /bin/echo "Not a supported operating system: $osvers"
    exit 1
fi

Preferences

When you first run ADPassMon, you'll get a few prompts, including the below. This also appears when no settings are set.

[Screenshot: prefs window]

It's recommended to configure ADPassMon with the settings you wish to deploy to the client, then take the plist & remove the below keys, as they are user specific.

<key>menu_title</key>
<string></string>
<key>pwdSetDate</key>
<string></string>
<key>tooltip</key>
<string></string>
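
The key removal described above can be scripted, which helps because preference files on disk are often binary plists that a text editor cannot safely change. This is an added example, not code from the original page or the ADPassMon project; the function names and the `exampleSetting` key are hypothetical, and the sample preferences are constructed.

```python
import plistlib

# Keys the page lists as user specific.
USER_KEYS = ("menu_title", "pwdSetDate", "tooltip")


def strip_user_keys(data):
    """Take plist bytes (XML or binary); return (cleaned bytes, removed keys).

    The output keeps the format of the input, so a binary preferences file
    stays binary and an XML one stays XML.
    """
    fmt = plistlib.FMT_BINARY if data.startswith(b"bplist00") else plistlib.FMT_XML
    prefs = plistlib.loads(data)
    removed = [key for key in USER_KEYS if prefs.pop(key, None) is not None]
    return plistlib.dumps(prefs, fmt=fmt), removed


def demo():
    """Run the cleaner over constructed preferences in binary form."""
    sample = plistlib.dumps(
        {
            "exampleSetting": True,      # hypothetical setting to keep
            "menu_title": "[12d]",       # constructed user-specific values
            "pwdSetDate": "16900.5",
            "tooltip": "",
        },
        fmt=plistlib.FMT_BINARY,
    )
    cleaned, removed = strip_user_keys(sample)
    return plistlib.loads(cleaned), removed


if __name__ == "__main__":
    print(demo())
```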

You can then deploy the application's preferences in a couple of ways.

The Plist

The plist itself can be deployed to clients to either /Library/ or ~/Library/.

Config Profile

The plist can be put through something like MCXToProfile, & then deployed at either a Computer or User level.