Jamf Pro EA: Member of AD Group

jamfProThis is an extension attribute script to determine if the user assigned to the computer is a member of a given AD group or groups.

In the example below, the script will return a “Yes” result if the user to which the computer is assigned in Jamf Pro is a member of the groups “ADGroupX” or “ADGroupY”.

The script will…

  • Get the computer’s serial number
  • Pull the computer record via the Jamf Pro API
  • Harvest the contents of the “username” field
  • Get the domain via dscl (computer must be bound to AD)
  • Determine if “username” is a member of “ADGroupX” or “ADGroupY”

This script can certainly be cleaned up a bit but does the job effectively.

#!/bin/sh

# Is the user assigned to this computer a member of a given AD group or groups.
# In this example, the target groups are "ADGroupX" and "ADGroupY"

serialNumber=$(ioreg -l | awk -F'"' '/IOPlatformSerialNumber/ { print $4;}')
response=$(curl -v -k -u apiComputerReadUsername:apiComputerReadPassword -H "Accept: application/xml" -H "Content-Type: application/xml" https://JamfProUrl/JSSResource/computers/serialnumber/$serialNumber)

assignedUser=$(echo $response | xpath '/computer/location/username/text()' 2>/dev/null)

domain=$(dscl /Active\ Directory/ -read . | grep SubNodes | sed 's|SubNodes: ||g')

membership=$(dscl /Active\ Directory/"$domain"/All\ Domains read /Users/$assignedUser dsAttrTypeNative:memberOf | egrep 'ADGroupX|ADGroupY')

if [[ "$membership" == "" ]]; then
 echo "<result>No</result>"
 else
 echo "<result>Yes</result>"
 fi

exit 0

The script can also be found on GitHub below.

https://github.com/themacadmin/extensionAttributes/blob/master/EAMemberOfADGroup

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s