1stBoot-OverTheWireInstallation.sh

#!/bin/sh
#
# 1st boot script runs as a Launchd startup script,
# then deletes itself after completion. Fixes problems left by Apple.
# Copyright, David Koff 2013© for the J. Paul Getty Trust
#
# Created: 3.15.13
# Last Updated: 5.7.13

#----------------------------------------------------------
#   Variables
#----------------------------------------------------------

#-----Assignments
SCRIPTNAME=$0
user405=ard

#--- Set Logging
exec >> "/Library/Logs/Getty Installations.log" 2>&1

#-----Directories & Files
kickstart="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"
systemsetup="/usr/sbin/systemsetup"
PlistBuddy="/usr/libexec/PlistBuddy"
login="/Library/Preferences/com.apple.loginwindow"
xProtect_MetaPlist="$3/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist"
xProtect_Plist="$3/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist"
LaunchDaemons="/System/Library/LaunchDaemons"
LaunchDaemonsDisabled="/System/Library/LaunchDaemonsDisabled"
RepoURL="http://xserve-timcook.getty.edu:8088/content/catalogs/others"

#-----Computationals
xProtect=`launchctl list | grep com.apple.xprotectupdater`
over500=`dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'`
USER=`defaults read $login lastUserName`
MSpid=`ps -ax | grep Microsoft | cut -c 1-5`
macname=`systemsetup -getcomputername | awk '{ print $3 }'`
hwVers=`system_profiler | grep "Model Name" | awk '{ print $3, $4, $5 }'`
OS=`sw_vers | grep ProductVersion | awk '{ print $2 }'`
ip=`ifconfig | grep "inet 153" | cut -d ' ' -f 2`

#-----Array
Apps2Quit=( Safari firefox-bin firefox JavaApplicationStub groupwise ) ### use of array allows us to add/subtract titles


#-----Dynamically Set
if [[ `ioreg -rd1 -c IOPlatformExpertDevice | grep -i "UUID" | cut -c27-50` == "00000000-0000-1000-8000-" ]]; then
    MAC_UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep -i "UUID" | cut -c51-62 | awk {'print tolower()'}`
elif [[ `ioreg -rd1 -c IOPlatformExpertDevice | grep -i "UUID" | cut -c27-50` != "00000000-0000-1000-8000-" ]]; then
    MAC_UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep -i "UUID" | cut -c27-62`
fi

#----------------------------------------------------------
#  Timestamp
#----------------------------------------------------------
echo "                                   "
echo "###################################"
echo "##### $SCRIPTNAME"
echo "##### `date "+%A %m/%d/%Y %H:%M"`"
echo "###################################"
echo "                                   "

echo "
# ---------------------------------------------------------
#  ---------------------- FIXES --------------------------
# ---------------------------------------------------------"

echo ">>>>>>>>  RECREATE ARD ACCOUNT IF BROKEN"
if [ -d /private/var/$user405 ]; then
    echo "the ard directory is already present, no need to recreate..."
else
    mkdir /private/var/$user405
fi
dscl . -create /Users/$user405
dscl . -create /Users/$user405 realname "${user405}"
dscl . -create /Users/$user405 NFSHomeDirectory /private/var/$user405
chown -R $user405 /private/var/$user405
dscl . -passwd /Users/$user405 ma5ter
dscl . -create /Users/$user405 PrimaryGroupID 405
dscl . -create /Users/$user405 UniqueID 405
dscl . -create /Users/$user405 shell /bin/bash
dscl . -append /Groups/admin GroupMembership $user405
defaults write $login Hide500Users -bool TRUE  ### hides this user from user list and user switching
defaults write $login HiddenUsersList -array add $user405 ### hides this user from login screen

echo ""
echo ">>>>>>>>  PREVENT iCLOUD WIZARD FROM RUNNING"
# in any user account
for i in $over500
do
    defaults write /Users/$i/Library/Preferences/com.apple.SetupAssistant DidSeeCloudSetup -bool TRUE
    defaults write /Users/$i/Library/Preferences/com.apple.SetupAssistant LastSeenCloudProductVersion -string '10.8'
    chown "${i}":staff /Users/$i/Library/Preferences/com.apple.SetupAssistant.plist
    echo "iCloud wizard removed from the $i account..."
done

#in the user template
for USER_TEMPLATE in "/System/Library/User Template"/*
do
    defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.loginwindow -dict ” #creates a blank file if none exists
    defaults write "${USER_TEMPLATE}"/Library/Preferences/loginwindow -dict ” #creates a blank file if none exists
    defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant DidSeeCloudSetup -bool TRUE
    defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant LastSeenCloudProductVersion -string '10.8'
    echo "com.apple.SetupAssistant for the $USER_TEMPLATE now won't propmpt for iCloud..."
done

echo ""
echo ">>>>>>>>  DISABLE XPROTECT"
if [ -f $LaunchDaemons/com.apple.xprotectupdater.plist ]; then
    echo "x-Protect has been found in $LaunchDaemons and will now be edited and unloaded:"
    $PlistBuddy -c "Delete :JavaWebComponentVersionMinimum" "$xProtect_MetaPlist"
    echo "     Minimum Java Component removed from x-Protect."
    $launchctl unload -w "$xProtect_Plist"
    echo "     x-Protect has been unloaded via launchctl."
    if [ ! -d $LaunchDaemonsDisabled ]; then
        echo ""
        echo "Now creating: $LaunchDaemonsDisabled to store xProtect plist:"
        mkdir -v $LaunchDaemonsDisabled
    else
        echo ""
        echo "$LaunchDaemonsDisabled:"
        echo "     Directory found & emptied."
        echo "     x-Protect moved into that directory:"
        rm -fv $LaunchDaemonsDisabled/*
        mv -v $LaunchDaemons/com.apple.xprotectupdater.plist $LaunchDaemonsDisabled
    fi
else
    echo "x-Protect hasn't been found in: $LaunchDaemons"
    if [ -f $LaunchDaemonsDisabled/com.apple.xprotectupdater.plist ]; then
        echo "It has already been moved to: $LaunchDaemonsDisabled"
    fi
fi

echo "
# ---------------------------------------------------------
#  ------------ PREFERENCE MODIFICATIONS -----------------
# ---------------------------------------------------------"

echo ""
echo ">>>>>>>>  SET PROPER ARD PREFS"
$kickstart -activate
$kickstart -configure -users ard -access -on -privs -DeleteFiles -TextMessages -OpenQuitApps -GenerateReports -RestartShutdown -SendFiles -ChangeSettings -clientopts -setmenuextra -menuextra no -setreqperm -reqperm yes

echo ""
echo ">>>>>>>>  SET PROPER SSH PREFS"
$systemsetup -setremotelogin on

echo ""
echo ">>>>>>>>  SET PROPER TIME PREFS"
$systemsetup -setusingnetworktime on
$systemsetup -settimezone America/Los_Angeles
$systemsetup -setnetworktimeserver time.getty.edu

echo "
#----------------------------------------------------------
# ------------------- INSTALLATIONS ----------------------
#----------------------------------------------------------"

echo ""
echo ">>>>>>>>  QUIT COMPETING APPS" #Mar2013
killall "${Apps2Quit[@]}"
kill $MSpid

echo ""
echo ">>>>>>>>  QUIT EPO"
sudo launchctl unload /Library/LaunchDaemons/com.mcafee.ssm.ScanManager.plist
sudo /usr/local/McAfee/Antimalware/VSControl stop

echo ""
echo ">>>>>>>>  SET TO REPOSADO & RUN INSTALLS"
case `sw_vers -productVersion | awk -F . '{print $2}'` in
  4) URL="${RepoURL}/index-1_production.sucatalog" ;;
  5) URL="${RepoURL}/index-leopard.merged-1_LabTesters.sucatalog" ;;
  6) URL="${RepoURL}/index-leopard-snowleopard.merged-1_LabTesters.sucatalog" ;;
  7) URL="${RepoURL}/index-lion-snowleopard-leopard.merged-1_LabTesters.sucatalog" ;;
  8) URL="${RepoURL}/index-mountainlion-lion-snowleopard-leopard.merged-1_LabTesters.sucatalog" ;;
  *) echo "Unsupported client OS"; exit 1 ;;
esac
defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL "${URL}"
echo "Software Update Server set to PRODUCTION branch at: $URL"
echo "Now installing Apple updates:"
softwareupdate -ia

echo ""
echo ">>>>>>>>  CUSTOM TRIGGER INSTALLATIONS"
echo "Apple updates have installed. Now calling a custom policy to:"
echo "Install Java & Flash"
jamf policy -trigger UpgradeMountainLion

echo ""
echo ">>>>>>>>  RESTART EPO"
sudo launchctl load /Library/LaunchDaemons/com.mcafee.ssm.ScanManager.plist
sudo /usr/local/McAfee/Antimalware/VSControl mastart

echo "
#----------------------------------------------------------
# ----------------------- JAVA ---------------------------
#----------------------------------------------------------"

echo ""
echo ">>>>>>>>  FIX JAVA: CONFIRM PLUG-IN REVERTED TO JSE 6"
echo "Now checking Java SE 6 Status...."
if [ ! -d /Library/Internet\ Plug-Ins/disabled ]; then
    mkdir -pv /Library/Internet\ Plug-Ins/disabled
    mv -v /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin /Library/Internet\ Plug-Ins/disabled
    ln -sf /System/Library/Java/Support/Deploy.bundle/Contents/Resources/JavaPlugin2_NPAPI.plugin /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin
    ln -sf /System/Library/Frameworks/JavaVM.framework/Commands/javaws /usr/bin/javaws
    echo "Java reverted to JSE 6 on this Mac..."
else
    echo "The java applet has already been reverted to SE 6 and the newer plug-ins moved."
fi

echo ""
echo ">>>>>>>>  ENABLE JAVA PLUG-INS"
for i in $over500
do
    echo "-------------------------------------------------"
    rm -fv /Users/$i/Library/Preferences/ByHost/com.apple.java.JavaPreferences.*
    echo "JavaPrefs plist has been deleted from: $i account"
    echo "The Mac UUID has been set to: $MAC_UUID"
    # Set the "Enable applet plug-in" setting in the Java Preferences for the current user.
    $PlistBuddy -c "Delete :GeneralByTask:Any:WebComponentsEnabled" /Users/$USER/Library/Preferences/ByHost/com.apple.java.JavaPreferences.${MAC_UUID}.plist
    $PlistBuddy -c "Add :GeneralByTask:Any:WebComponentsEnabled bool true" /Users/$USER/Library/Preferences/ByHost/com.apple.java.JavaPreferences.${MAC_UUID}.plist
    $PlistBuddy -c "Delete :GeneralByTask:Any:WebComponentsLastUsed" /Users/$USER/Library/Preferences/ByHost/com.apple.java.JavaPreferences.${MAC_UUID}.plist
    $PlistBuddy -c "Add :GeneralByTask:Any:WebComponentsLastUsed real $(( $(date "+%s") - 978307200 ))" /Users/$USER/Library/Preferences/ByHost/com.apple.java.JavaPreferences.${MAC_UUID}.plist
    echo "                                   "
done
echo "Java Web-Apps have been enabled for ALL 500+ users on this Mac."

echo "
#----------------------------------------------------------
# --------------------- SEND EMAIL -----------------------
#----------------------------------------------------------"
if [ ! -d /Library/Server/Mail/Data/spool ]; then
    echo "Creating Unix mail folder hierarchy to enable sendmail..."
    mkdir -p /Library/Server/Mail/Data/spool
    $mail set-permissions
    $mail reload
    sleep 2
fi

$mail start
echo "An OTW upgrade has been performed on this Mac. Computer information follows:

Date: `date "+%m/%d/%Y"`
Time: `date "+%H:%M"`
Name: $macname
Type: $hwVers
OS: $OS
IP: $ip" | mail -s "OTW Install Notification: $macname" dkoff@getty.edu, cnorris@getty.edu
$mail stop

echo ""
echo "e-mail has been sent to ITS Lab SysAdmins."

#----------------------------------------------------------
#  Wrap-Up
#----------------------------------------------------------

# Removes the launchd items & scripts
sleep 2
rm -f $0
echo "$0 has now been deleted."
rm -f /Library/LaunchDaemons/com.getty.NewOS1stBoot.plist
echo "The 1stBoot LaunchDaemon have been deleted."

echo "                                   "
echo "###################################"
echo "##### End Log"
echo "##### `date "+%A %m/%d/%Y %H:%M"`"
echo "###################################"
echo "                                   "

/sbin/reboot #force reboot to bake it in

exit 0