Firstrun script not working - 8.64 - 10.8

CasperSally
Valued Contributor II

Having a strange issue where the first run script isn't usually running when I image 10.8 machines. Luckily, our production 10.7 images seem consistently ok.

I imaged a machine with 10.8 config several times yesterday, and I didn't see this issue. My 'at reboot' scripts were running. Today it started happening, can't imagine what's changed in the environment. Tried a 2nd machine, imaged ok 10.8 first time (at reboot scripts ran), on 2nd image this same issue started happening, so it's multiple machines now.

This is what jamf.log says, not much clue
2013-5-2 8:46:29 Formatted Macintosh HD
Thu May 2 08:46:30 NetBoot1618 jamf[417]: Installing x.dmg...
Thu May 2 08:46:33 NetBoot1618 jamf[542]: Installing y.dmg...
Thu May 2 08:46:36 NetBoot1618 jamf[671]: Installing x.dmg...
Thu May 02 08:48:01 TD-TESTAIR jamf[173]: Creating user jamfuser...
Thu May 2 08:48:26 TD-TESTAIR jamf[345]: Checking for policies triggered by "login" for user "admin"...
Thu May 02 08:48:27 TD-TESTAIR jamf[345]: The management framework will be enforced as soon as all policies are done executing.
Thu May 02 08:48:27 TD-TESTAIR jamf[345]: Adding launchd task com.jamfsoftware.task.checkForTasks...
Thu May 02 08:48:28 TD-TESTAIR jamf[401]: Enforcing management framework...
Thu May 02 08:48:29 TD-TESTAIR jamf[401]: Enforcing scheduled tasks...
Thu May 02 08:48:29 TD-TESTAIR jamf[401]: Adding launchd task com.jamfsoftware.task.1...
Thu May 02 08:48:29 TD-TESTAIR jamf[401]: Creating launch daemon...
Thu May 02 08:48:29 TD-TESTAIR jamf[401]: Downloading the agent...
Thu May 02 08:48:29 TD-TESTAIR jamf[401]: Creating launch agent...

and the log ends there? The config is the same, it shows my post image scripts listed on left under 'creating firstrun'

Any ideas? I have a ticket in with support as well.

12 REPLIES

CasperSally
Valued Contributor II

I traced my problem out to a line in my post image script trying to change the firmware password on newer macs using the setregproptool (we change our firmware password annually when we reimage, this is our first time changing passwords using setregproptool).

I have an interesting problem now.

This summer, post image all of my computers will be 10.8. They all will need to run this command once to move them from the 2012 password to the 2013
"/Library/Application Support/JAMF/bin/setregproptool" -m command -p 2013password -o 2012password

However, when we reimage those same computers, with the same image config, they'll need to run
"/Library/Application Support/JAMF/bin/setregproptool" -m command -p 2013password -o 2013password (or the script errors out expecting user response, causing first run scripts not to run)

Any ideas how can I accomplish both - set the firmware password to the 2013 password - and allow the same config be used for reimaging throughout the year for these newer machines?

rtrouton
Release Candidate Programs Tester

Do you know roughly what date you want to make the cutover?

If so, you may want to have the script check the date and express it in Epoch time. For example, you can use this command to parse the output from the date command and express it in Epoch time:

date -j -f "%a %b %d %T %Z %Y" "`date`" "+%s"

Running this now gives me a result of 1367602224. You can convert the date you want to cutover on using this website:

http://www.epochconverter.com

Assuming you were cutting over today, you could have the following if / then statements in your first boot script:

# Current time as seconds since the Epoch
TODAY=$(date -j -f "%a %b %d %T %Z %Y" "`date`" "+%s")

# Before the cutover: machines still carry the 2012 password
if [[ ${TODAY} -lt 1367602224 ]]; then
  "/Library/Application Support/JAMF/bin/setregproptool" -m command -p 2013password -o 2012password
fi

# At the cutover: machines already carry the 2013 password
if [[ ${TODAY} -eq 1367602224 ]]; then
  "/Library/Application Support/JAMF/bin/setregproptool" -m command -p 2013password -o 2013password
fi

# After the cutover: machines already carry the 2013 password
if [[ ${TODAY} -gt 1367602224 ]]; then
  "/Library/Application Support/JAMF/bin/setregproptool" -m command -p 2013password -o 2013password
fi

As always, test first. No warranty expressed or implied. :-)

CasperSally
Valued Contributor II

@rtrouton - thanks for the response, as always. I was trying to think through something time based as well. We have several techs who image several thousand computers a summer.

The reason I didn't think something time based would work is this scenario. If I said the cutoff is today, and tomorrow one tech has a batch of 20 imaging .. maybe 18 of them are going from 2012 to 2013 image (requiring the -o 2012password), but maybe 2 of them he isn't sure if he imaged for whatever reason and he images them again (those would require -o 2013password).

I think in our scenario, the if/then based on time doesn't work then, right, because at any time, we may be reimaging machines that already have the 2013 password (mistake, hardware repairs, whatever).

plawrence
Contributor II

Hi CasperSally

Try this:

echo "2013password" | "/Library/Application Support/JAMF/bin/setregproptool" -m command -p 2013password -o 2012password

When the command has the wrong password, it prompts for it. Echoing the new password to the prompt ensures that the new machines can be imaged and keep the '2013' password

CasperSally
Valued Contributor II

Patrick,

Interesting idea, thanks. I have a machine with 2013 password. I ran

echo "2013password" | "/Library/Application Support/JAMF/bin/setregproptool" -m command -p 2013password -o 2012password

Got error must be ran as root so tried

echo "2013password" | sudo "/Library/Application Support/JAMF/bin/setregproptool" -m command -p 2013password -o 2012password

& got the prompt again for "enter current password" .. guess it's not processing the echo?

plawrence
Contributor II

hrmm, I was sure this was working before. I am able to run it once on computer and then the second time I run it I get the "Enter current password:" prompt too.

Try this solution instead, create a script with the following contents:

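#!/usr/bin/expect
# Try the change with the 2012 password as the old password
spawn "/Library/Application Support/JAMF/bin/setregproptool" -m command -p 2013password -o 2012password
# If the tool prompts (old password was wrong), answer with the 2013 password
expect "Enter current password:"
send "2013password\r";
interact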

Run that and see how you go.

CasperSally
Valued Contributor II

@Patrick - this seems to be working. Thanks so much!

CasperSally
Valued Contributor II

just FYI for anyone out there, the script above works great for me in 9.32 but breaks imaging in 9.6 - just hangs sitting there.

Edit: it was my own error in 9.6, script still works with osx 10.9

CasperSally
Valued Contributor II

Modified script from @plawrence to change the firmware password with the new built-in Yosemite tool, if anyone needs it. We run it at reboot during imaging. If the same machine is reimaged with the now 'new' password, the script gracefully exits out.

#!/usr/bin/expect

spawn firmwarepasswd -setpasswd
expect "Enter password:"
send "oldpassword\r";
expect "Enter new password:"
send "newpassword\r";
expect "Re-enter new password:"
send "newpassword\r";
interact

CasperSally
Valued Contributor II

@ktappe script works better than mine (found out mine wasn't working on machines with no firmware set) so just wanted to link his here too

see this thread
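
Added example, not part of the thread or any poster's script: an unattended variant of the expect approach above that branches on whichever prompt firmwarepasswd -setpasswd shows first, so it covers machines with and without an existing firmware password and exits instead of waiting on a prompt. The prompt strings are the ones quoted in this thread; the OLD_FW_PW / NEW_FW_PW environment variable names, the exit codes and the 20-second timeout are assumptions.

```expect
#!/usr/bin/expect -f
# Added example (not from the thread). Run as root.
# OLD_FW_PW / NEW_FW_PW are hypothetical variable names; they keep the
# passwords out of the script body and out of the process argument list.
set timeout 20
log_user 0   ;# do not copy the tool's prompts and output into the imaging log

foreach name {OLD_FW_PW NEW_FW_PW} {
    if {![info exists env($name)]} {
        puts stderr "firmware-pw: $name is not set"
        exit 2
    }
}

spawn firmwarepasswd -setpasswd

# Count each prompt so a rejected password ends the run instead of looping.
array set seen {current 0 new 0}
expect {
    "Re-enter new password:" {
        send -- "$env(NEW_FW_PW)\r"
        exp_continue
    }
    "Enter new password:" {
        if {[incr seen(new)] > 1} {
            puts stderr "firmware-pw: new password rejected"
            exit 3
        }
        send -- "$env(NEW_FW_PW)\r"
        exp_continue
    }
    "Enter password:" {
        # Only shown when a firmware password is already set.
        if {[incr seen(current)] > 1} {
            puts stderr "firmware-pw: current password rejected"
            exit 4
        }
        send -- "$env(OLD_FW_PW)\r"
        exp_continue
    }
    timeout {
        # Unattended run: give up rather than block the first-run scripts.
        puts stderr "firmware-pw: no recognised prompt within ${timeout}s"
        exit 5
    }
    eof {}
}

# Pass the tool's own exit status back to the imaging workflow.
lassign [wait] pid spawnid os_error status
exit $status
```

Because there is no interact at the end, a machine that rejects the supplied current password produces a non-zero exit code instead of a prompt that stalls the remaining first-run scripts.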

crawlgsx
New Contributor

I am not having any luck getting either to work.

If I run it manually in terminal it just goes into a loop with "Enter new password:" and "Invalid Password." repeating, like it's not sending the text I am asking it to.
(just a basic script with that exact code (ktappe), run by going into terminal and typing sudo ./scriptname).

All I did was change password to a plain text password of my own. These machines currently have no firmware password.

I've been messing with it for a couple of days now and no matter what I try it seems like it doesn't send the password over.

crawlgsx
New Contributor

Ok took quotations off and it worked great.

IE send PASSWORD instead of send "Password "