Cut 4293 enrollment prompt if admin user #605

Merged
merged 5 commits into from
Sep 24, 2024
@@ -1,6 +1,6 @@
#### Name

Mac - Enroll MDM System in DEP | v1.1 JCCG
Mac - Enroll MDM System in DEP | v1.0.2 JCCG

#### commandType
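Review bot: the version in the Name line moves backwards, from `v1.1` to `v1.0.2`, even though this PR adds behaviour to the script (the admin-user check and the changed exit codes); confirm the intended version, because a lower number reads as a rollback to anyone comparing gallery revisions, and keep it identical to the `name` field in commands.json, which this PR changes to the same `v1.0.2`.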

Expand All @@ -12,33 +12,66 @@ mac
#!/bin/bash

# Verify JumpCloud MDM
verify_jc_mdm (){
verify_jc_mdm(){
# Check the system for the following profileIdentifier
mdmID="com.jumpcloud.mdm"
check=$(profiles -Lv | grep "name: $4" -4 | awk -F": " '/attribute: profileIdentifier/{print $NF}')
if [[ $check == *$mdmID* ]] ; then
echo "ProfileIdentifier: ${mdmID} found on system. MDM Verified"
depApproveCheck=$(profiles status -type enrollment | grep "Enrolled via DEP:" | awk 'NF>1{print $NF}')
if [[ $depApproveCheck = "No" ]]; then
false
elif [[ $depApproveCheck = "Yes)" ]]; then
echo "MDM is DEP enrolled already"
fi
return
else
echo "JumpCloud MDM profile not found on system."
false
fi
}

# If JumpCLoud MDM is on the system check for DEP Enrollment
if verify_jc_mdm "$":; then
depApproveCheck=$(profiles status -type enrollment | grep "Enrolled via DEP:" | awk 'NF>1{print $NF}')
if [[ $depApproveCheck = "No" ]]; then
echo "MDM is not DEP enrolled, enrolling and prompted for User Approval"
# Prompt for DEP Enrollment
profiles renew -type enrollment
exit 0
elif [[ $depApproveCheck = "Yes)" ]]; then
echo "MDM is DEP enrolled already"
exit 0
isAdmin(){
local username=${1}
groupMembership=$(id -nG $username)
for group in $groupMembership
do
if [[ $group == "admin" ]]; then
return
fi
done
false
}

currentUser=$(/usr/bin/stat -f%Su /dev/console)
currentUserUID=$(id -u "$currentUser")
# If JumpCloud MDM is on the system check for DEP Enrollment
verify_jc_mdm
verifyStatus=$?
if [[ $verifyStatus -eq 1 ]]; then
echo "MDM is not DEP enrolled, enrolling and prompting for User Approval"
# check if the logged in user is admin
isAdmin $currentUser
status=$?
if [[ $status -eq 0 ]]; then
echo "The logged in user $currentUser: is an administrator"
else
echo "The logged in user $currentUser: is not an administrator"
echo "Please login as an administrator user before issuing the enrollment command to this device again"
adminUsers=$(dscl . -read /Groups/admin GroupMembership | awk '{$1=""; print $0}')
echo "The following users are administrators on this device:"
for adminUser in $adminUsers
do
echo $adminUser
done
exit 1
fi

# Prompt for DEP Enrollment
/bin/launchctl asuser "$currentUserUID" sudo profiles renew -type enrollment
exit 0
else
exit 1
exit 0
fi
```
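Review bot: the new `verify_jc_mdm` returns status 1 for two different states, "JumpCloud MDM profile not found" (the `false` in the outer `else`) and "profile found but `Enrolled via DEP: No`" (the `false` in the inner `if`), so the caller's `if [[ $verifyStatus -eq 1 ]]` now runs `profiles renew -type enrollment` on a system that has no JumpCloud MDM profile at all, where the previous code took the `else` branch and exited 1. Return a distinct code for the missing-profile case (for example `return 2` in the outer `else`) and handle it before the enrollment prompt. Two related points in the same function: the trailing bare `return` reports the status of the inner `if`, which is 0 when `depApproveCheck` matches neither `No` nor `Yes)`, so an unrecognised value makes the script exit 0 as if enrolled; and `Yes)` carries a closing parenthesis that `No` does not, so check that this is the exact token `awk 'NF>1{print $NF}'` prints, otherwise the "already enrolled" message never appears. Finally, the `"$":` argument was removed from the call site but `grep "name: $4"` inside the function still references `$4`, which is now empty, so the grep matches every profile name; either pass the profile name in or drop that grep. Minor: quote `"$username"` in `id -nG $username`, and `sudo` is redundant when the command already runs as root under `launchctl asuser`.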

Expand All @@ -60,7 +93,7 @@ If the user clicks allow the device will be DEP enrolled and the MDM profile wil

![Enrollment Type](../Files/enrollmentType.png)

#### *Import This Command*
#### _Import This Command_

To import this command into your JumpCloud tenant run the below command using the [JumpCloud PowerShell Module](https://github.com/TheJumpCloud/support/wiki/Installing-the-JumpCloud-PowerShell-Module)
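Review bot: switching the heading emphasis from `*Import This Command*` to `_Import This Command_` is cosmetic and renders identically; if a formatter produced it, note that in the commit so the change is not mistaken for a content edit.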

4 changes: 2 additions & 2 deletions PowerShell/JumpCloud Commands Gallery/commands.json
Expand Up @@ -112,9 +112,9 @@
"description": "This command will disable the local users that match the regex pattern supplied in the 'usersToMatch' list variable. If for example, a system contains the following users:\n\nSteve, Administrator, IT-Admin\n\nAnd the usersToMatch variable is set to (admin it), both the 'Administrator' and 'IT-Admin' Account would be disabled. The Regex pattern searches usernames for partial matches.\n\nRun this script with disable=false to test what accounts would be disabled before running disable=true. Set the reboot=true variable to reboot the system, upon next restart the disabled users will be unable to login."
},
{
"name": "Mac - Enroll MDM System in DEP | v1.1 JCCG",
"name": "Mac - Enroll MDM System in DEP | v1.0.2 JCCG",
"type": "mac",
"command": "#!/bin/bash\n\n# Verify JumpCloud MDM\nverify_jc_mdm (){\n # Check the system for the following profileIdentifier\n mdmID=\"com.jumpcloud.mdm\"\n check=$(profiles -Lv | grep \"name: $4\" -4 | awk -F\": \" '/attribute: profileIdentifier/{print $NF}')\n if [[ $check == *$mdmID* ]] ; then\n echo \"ProfileIdentifier: ${mdmID} found on system. MDM Verified\"\n return\n else\n echo \"JumpCloud MDM profile not found on system.\"\n false\n fi\n}\n\n# If JumpCLoud MDM is on the system check for DEP Enrollment\nif verify_jc_mdm \"$\":; then\n depApproveCheck=$(profiles status -type enrollment | grep \"Enrolled via DEP:\" | awk 'NF>1{print $NF}')\n if [[ $depApproveCheck = \"No\" ]]; then\n echo \"MDM is not DEP enrolled, enrolling and prompted for User Approval\"\n # Prompt for DEP Enrollment\n profiles renew -type enrollment\n exit 0\n elif [[ $depApproveCheck = \"Yes)\" ]]; then\n echo \"MDM is DEP enrolled already\"\n exit 0\n fi\nelse\n exit 1\nfi",
"command": "#!/bin/bash\n\n# Verify JumpCloud MDM\nverify_jc_mdm(){\n # Check the system for the following profileIdentifier\n mdmID=\"com.jumpcloud.mdm\"\n check=$(profiles -Lv | grep \"name: $4\" -4 | awk -F\": \" '/attribute: profileIdentifier/{print $NF}')\n if [[ $check == *$mdmID* ]] ; then\n echo \"ProfileIdentifier: ${mdmID} found on system. MDM Verified\"\n depApproveCheck=$(profiles status -type enrollment | grep \"Enrolled via DEP:\" | awk 'NF>1{print $NF}')\n if [[ $depApproveCheck = \"No\" ]]; then\n false\n elif [[ $depApproveCheck = \"Yes)\" ]]; then\n echo \"MDM is DEP enrolled already\"\n fi\n return\n else\n echo \"JumpCloud MDM profile not found on system.\"\n false\n fi\n}\n\nisAdmin(){\n local username=${1}\n groupMembership=$(id -nG $username)\n for group in $groupMembership\n do\n if [[ $group == \"admin\" ]]; then\n return\n fi\n done\n false\n}\n\ncurrentUser=$(/usr/bin/stat -f%Su /dev/console)\ncurrentUserUID=$(id -u \"$currentUser\")\n# If JumpCloud MDM is on the system check for DEP Enrollment\nverify_jc_mdm\nverifyStatus=$?\nif [[ $verifyStatus -eq 1 ]]; then\n echo \"MDM is not DEP enrolled, enrolling and prompting for User Approval\"\n # check if the logged in user is admin\n isAdmin $currentUser\n status=$?\n if [[ $status -eq 0 ]]; then\n echo \"The logged in user $currentUser: is an administrator\"\n else\n echo \"The logged in user $currentUser: is not an administrator\"\n echo \"Please login as an administrator user before issuing the enrollment command to this device again\"\n adminUsers=$(dscl . -read /Groups/admin GroupMembership | awk '{$1=\"\"; print $0}')\n echo \"The following users are administrators on this device:\"\n for adminUser in $adminUsers\n do\n echo $adminUser\n done\n exit 1\n fi\n\n # Prompt for DEP Enrollment\n /bin/launchctl asuser \"$currentUserUID\" sudo profiles renew -type enrollment\n exit 0\nelse\n exit 0\nfi",
"link": "https://github.com/TheJumpCloud/support/blob/master/PowerShell/JumpCloud%20Commands%20Gallery/Mac%20Commands/Mac%20-%20Enroll%20MDM%20System%20in%20DEP.md",
"description": "**Note** Before using this command, a [JumpCloud tenant must first be configured with Apple Business Manager](https://jumpcloud.com/blog/integrate-apple-business-manager) or Apple School Manager. Devices must then be added to your MDM server by serial number or Apple Order ID through Apple Business Manager or Apple School Manager. Devices with matching Serial numbers will be displayed in a JumpCloud Tenant under \"DEP Devices\"\n\n![Dep Devices](../Files/depDevices.png)\n\nThis command will enroll a system with the JumpCloud MDM, in DEP. If the system is not enrolled in DEP, the active user of the system will be prompted to approve the MDM profile.\n\n![Dep Prompt](../Files/depPrompt.png)\n\nIf the user clicks the notification window, they'll be brought to the Profiles System Preference panel and prompted to Allow Device Enrollment.\n\n![User Approval](../Files/userApprovalProfile.png)\n\nIf the user clicks allow the device will be DEP enrolled and the MDM profile will become non-removable.\n\n![Enrollment Type](../Files/enrollmentType.png)"
},
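Review bot: the `description` field is not updated to reflect the new behaviour: it still says only that "the active user of the system will be prompted to approve the MDM profile", but the new `command` exits 1 without prompting when the console user is not in the `admin` group, prints the members of `/Groups/admin`, and asks for an administrator to log in first. Add that requirement and the exit-1 outcome to the description so an admin reading the gallery knows why the command reports failure on a non-admin session. The embedded `command` string matches the script in the .md file in this diff; the same logic points raised there (identical status 1 for "no profile" and "not DEP enrolled", the bare `return` after the inner `if`, and the dangling `$4` in `grep "name: $4"`) apply to this copy as well, so fix both together.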