One of the security tools we use in our environment is Tenable’s Nessus agent, and with that we’ve got to install it on every single MacBook we deploy.
Along with installation, we also have to make sure the agent on the machine is scoped to the proper group, which is based on the end-user’s department.
My original install script looked something like this:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
|
#!/bin/sh
# Installs the Nessus Agent from Jamf
/usr/local/jamf/bin/jamf policy -event <INSERT_JAMF_POLICY>
# Loads the agent
launchctl load -w /Library/LaunchDaemons/com.tenablesecurity.nessusagent.plist
# Prompts for department selection
getDepartment() {
theDepartment=$(/usr/bin/osascript <<AppleScript
set myDepartments to {"Admin", "Creative", "Developers", "Finance", "IT", "Operations"}
set selectedDepartment to {choose from list myDepartments with prompt "Select the Department:"}
AppleScript
echo "${theDepartment}"
)
}
getDepartment
echo "${theDepartment}"
# Selected department will kick off the link
case ${theDepartment} in
${theDepartment})
sudo /Library/NessusAgent/run/sbin/nessuscli agent link \
--key=<INSERT_NESSUS_KEY> \
--host=<INSERT_NESSUS_HOST> \
--port=<INSERT_NESSUS_PORT> \
--groups=${theDepartment};;
esac
exit 0
|
What this does is prompts the user to select their department; however, there would be times that new users didn’t know their department. At that point one of two things would happen:
- They would select the wrong department, and later we would need to run another script to fix it.
- They wouldn’t proceed with the enrollment and be stuck; therefore, unable to work until they get a hold of HR or the Help Desk.
Both aren’t great end-user experiences, especially on the user’s first day.
I put this script together using the Jamf API for a more automated approach:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
#!/bin/sh
# Installs the Nessus Agent from Jamf
/usr/local/jamf/bin/jamf policy -event <INSERT_JAMF_POLICY>
# Loads the agent
launchctl load -w /Library/LaunchDaemons/com.tenablesecurity.nessusagent.plist
# Jamf Pro Server URL
jss_url=$(defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url \
| sed s'/.$//')
# API User and Password are stored and defined in the jamf pro server
# in the script parameters $4 and $5
api_user="$4"
api_pass="$5"
# Get the serial number of the mac running this script.
serial_number=$(system_profiler SPHardwareDataType \
| awk '/Serial Number/{print $4}')
# Use the API to get the assigned Department
department=$(curl -su "$api_user":"$api_pass" -H "Accept: application/xml" "$jss_url"/JSSResource/computers/serialnumber/"$serial_number" \
| xmllint --xpath 'computer/location/department/text()' -)
# Links the Nessus Agent to the proper department in the Tenable instance
/Library/NessusAgent/run/sbin/nessuscli agent link \
--key=<INSERT_NESSUS_KEY> \
--host=<INSERT_NESSUS_HOST> \
--port=<INSERT_NESSUS_PORT> \
--groups=$department
exit 0
|
Two keys to this automation are:
- Utilizing an LDAP/SSO login at the beginning of enrollment.
- Making sure the end-user’s department is populated in the directory.
The workflow goes something like this:
- During an initial step of the PreStage enrollment the user will be prompted to log in with their credentials. This will “assign” the machine to them in Jamf.
- The Nessus agent is install and launched.
- A command is then run to grab the serial number of the MacBook, which will allow us to locate it in Jamf.
- Using the Jamf API we are able to locate the machine’s record via the serial number. This gathers the assigned user’s department from the record and places it into a variable.
- Finally, that department varible is placed into the Nessus link command, and the device will now be successfully linked to the proper group in Tenable.
Something like this could run silently on a user’s machine, or via Self-Service.
For what we want to achieve here, it would be done during enrollment using a tool such as DEPNotify
or swiftDialog
.
Take it easy y’all.