#!/bin/bash
#Watch the ~/Library/Preferences/com.apple.security.ctkd-db.plist for changes
#If a card is inserted, run the script.
#Auto-creates identity preferences for specified services on card insertion
# Console (GUI) user as reported by SystemConfiguration; empty when the login
# window is showing, because the awk filter drops the "loginwindow" pseudo-user.
console_user_state=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser")
loggedInUser="$(awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }} ' <<< "$console_user_state")"
# Hardware UUID, stderr folded into the parsed stream as before; a single awk
# replaces the grep | cut | sed chain (field 2 after "Hardware UUID:").
# NOTE(review): System_UUID is not referenced anywhere else in this file as shown.
System_UUID=$(system_profiler SPHardwareDataType 2>&1 | awk -F': *' '/Hardware UUID/ { print $2 }')
########################
###CREATE LAUNCHAGENT###
########################
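# Local accounts that can log in: `dscl . list /users shell` prints "name shell"
# per line; drop service accounts (/usr/bin/false), the Setup Assistant user,
# root and Guest, then keep the account name.
USERS=$(dscl . list /users shell 2>&1 | grep -v /usr/bin/false | grep -v "_mbsetupuser" | grep -v "^root" | grep -v 'Guest' | awk '{print $1}')
# Install the per-user LaunchAgent. The list is read line by line instead of
# word-splitting $USERS, and the loop variable is not called USER because that
# name is also the login shell's own environment variable.
while IFS= read -r user; do
  [[ -n "$user" ]] || continue
  agent_dir="/Users/$user/Library/LaunchAgents"
  # The original plain `mkdir` fails when the home or its Library folder is
  # missing (account never logged in, or home elsewhere); skip those accounts
  # rather than create a root-owned Library under the user's home.
  if [[ ! -d "/Users/$user/Library" ]]; then
    printf 'skipping %s: no /Users/%s/Library\n' "$user" "$user" >&2
    continue
  fi
  if [[ ! -d "$agent_dir" ]]; then
    mkdir -- "$agent_dir"
    chmod 755 -- "$agent_dir"
    chown "$user" -- "$agent_dir"
  fi
  agent_plist="$agent_dir/com.YourOrg.prefident.plist"
  # Unquoted heredoc on purpose: $user is expanded into the WatchPaths entry.
  # The agent runs in the user's own session, so a user-owned 0644 plist is the
  # usual layout; what it executes (/var/tools/identpref.bash) is installed
  # root-owned further down, so the user cannot change the command itself.
  cat << EOF > "$agent_plist"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.YourOrg.prefident</string>
<key>ProgramArguments</key>
<array>
<string>bash</string>
<string>/var/tools/identpref.bash</string>
</array>
<key>WatchPaths</key>
<array>
<string>/Users/$user/Library/Preferences/com.apple.security.ctkd-db.plist</string>
</array>
</dict>
</plist>
EOF
  chown "$user" -- "$agent_plist"
  chmod 644 -- "$agent_plist"
done <<< "$USERS"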
##################
##CREATE SCRIPT###
##################
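# Install the card-insertion handler that the LaunchAgent runs. The agent's
# ProgramArguments point at the absolute path /var/tools/identpref.bash, so the
# script must be written there: the original wrote to the relative
# `var/tools/identpref.bash`, which only matched when the cwd happened to be `/`.
script_path="/var/tools/identpref.bash"
mkdir -p -- "${script_path%/*}"
# Unquoted heredoc: the \$ escapes defer the inner expansions to run time, so
# the handler resolves the console user and card hash when a card is inserted.
cat << EOF > "$script_path"
#!/bin/bash
cardPresent=\$(sc_auth identities)
if [ "\$cardPresent" != "" ]; then
loggedInUser="\$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( \$2 != "loginwindow" ) { print \$2 }} ' )"
sha1=\$(/usr/bin/security export-smartcard -t certs | grep "Certificate For PIV Authentication" -A 5 | grep sha1 | head -n1 | cut -d'<' -f2 | sed "s/[ >]//g")
/usr/bin/security set-identity-preference -c "\$loggedInUser" -s 'identprefadded whatever.com' -Z "\$sha1"
fi
EOF
# Root-owned, not group/world-writable: the user-level agent executes this
# file, so the user must not be able to edit what it runs.
chown root:wheel -- "$script_path"
chmod 755 -- "$script_path"
# Load the agent into the console user's session now. With nobody logged in
# loggedInUser is empty and `sudo -u ""` would fail; skip in that case (the
# agent in ~/Library/LaunchAgents should be picked up at that user's next login).
# NOTE(review): on current macOS the per-session form is
# `launchctl bootstrap gui/<uid> <plist>`; `load -w` is kept as the original used it.
if [[ -n "$loggedInUser" ]]; then
  sudo -u "$loggedInUser" launchctl load -w "/Users/$loggedInUser/Library/LaunchAgents/com.YourOrg.prefident.plist"
else
  printf 'no console user logged in; LaunchAgent not loaded now\n' >&2
fi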