This is an extension attribute script to determine if the user assigned to the computer is a member of a given AD group or groups.
In the example below, the script will return a “Yes” result if the user to which the computer is assigned in Jamf Pro is a member of the groups “ADGroupX” or “ADGroupY”.
The script will…
- Get the computer’s serial number
- Pull the computer record via the Jamf Pro API
- Harvest the contents of the “username” field
- Get the domain via dscl (computer must be bound to AD)
- Determine if “username” is a member of “ADGroupX” or “ADGroupY”
This script can certainly be cleaned up a bit but does the job effectively.
```sh
#!/bin/sh
# Is the user assigned to this computer a member of a given AD group or groups?
# In this example, the target groups are "ADGroupX" and "ADGroupY".

# Get the computer's serial number
serialNumber=$(ioreg -l | awk -F'"' '/IOPlatformSerialNumber/ { print $4; }')

# Pull the computer record via the Jamf Pro API. TLS certificate verification
# stays enabled (no -k) because the request carries the API credentials.
response=$(curl -s -u apiComputerReadUsername:apiComputerReadPassword -H "Accept: application/xml" -H "Content-Type: application/xml" "https://JamfProUrl/JSSResource/computers/serialnumber/$serialNumber")

# Harvest the contents of the "username" field
assignedUser=$(echo "$response" | xpath '/computer/location/username/text()' 2>/dev/null)

# Get the domain via dscl (computer must be bound to AD)
domain=$(dscl /Active\ Directory/ -read . | grep SubNodes | sed 's|SubNodes: ||g')

# Look for the target groups in the user's memberOf attribute
membership=$(dscl /Active\ Directory/"$domain"/All\ Domains -read "/Users/$assignedUser" dsAttrTypeNative:memberOf | grep -E 'ADGroupX|ADGroupY')

if [ -z "$membership" ]; then
    echo "<result>No</result>"
else
    echo "<result>Yes</result>"
fi
exit 0
```
The script can also be found on GitHub below.
https://github.com/themacadmin/extensionAttributes/blob/master/EAMemberOfADGroup
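The membership check in the script matches the group names anywhere in the memberOf output, so a group such as "ADGroupXY-Admins" would also produce "Yes". The following added example (not part of the original script) compares the leading CN of each distinguished name exactly and case-insensitively. The sample dscl output, the example.com domain and the function names are constructed for illustration, and it assumes group CNs contain no escaped commas.

```shell
#!/bin/sh
# Added example: exact, case-insensitive matching of AD group CNs.
# Sample dscl output below is constructed; example.com is a placeholder domain.

# Print the leading CN of each DN in dscl memberOf output (stdin), lowercased.
extract_group_cns() {
    tr '[:upper:]' '[:lower:]' |
        sed -n -e 's/^dsattrtypenative:memberof://' \
               -e 's/^[[:space:]]*cn=\([^,]*\),.*$/\1/p'
}

# user_in_groups "<dscl memberOf output>" group...
# Prints Yes if any named group is the leading CN of a listed DN, else No.
user_in_groups() {
    cns=$(printf '%s\n' "$1" | extract_group_cns)
    shift
    for group in "$@"; do
        want=$(printf '%s' "$group" | tr '[:upper:]' '[:lower:]')
        [ -n "$want" ] || continue
        if printf '%s\n' "$cns" | grep -Fxq -- "$want"; then
            echo "Yes"
            return 0
        fi
    done
    echo "No"
}

# Constructed: only look-alike groups, which a substring match would accept.
SAMPLE_LOOKALIKE='dsAttrTypeNative:memberOf:
 CN=ADGroupXY-Admins,CN=Users,DC=example,DC=com
 CN=Not-ADGroupY,OU=Groups,DC=example,DC=com'

# Constructed: a real member, with different letter case in the directory.
SAMPLE_MEMBER='dsAttrTypeNative:memberOf:
 CN=Staff,OU=Groups,DC=example,DC=com
 CN=adgroupy,OU=Groups,DC=example,DC=com'

echo "<result>$(user_in_groups "$SAMPLE_LOOKALIKE" ADGroupX ADGroupY)</result>"
echo "<result>$(user_in_groups "$SAMPLE_MEMBER" ADGroupX ADGroupY)</result>"
```

In the extension attribute, the first argument would be the output of the `dscl ... dsAttrTypeNative:memberOf` command instead of a sample string.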