Fix open issues: #167, #139, #140, #148, #201 #253
Open
theneiljohnson wants to merge 4 commits into microsoft:master from
Resolves microsoft#167. The macOS/Apps/Google Drive/readme.md previously described the enableScreenSharing script. Rewritten to accurately describe installApp3.01-GoogleDrive.sh.
- Add adminaccountname variable so the protected admin account is no longer hard-coded to the literal string 'admin' (resolves microsoft#140).
- Honour downgrade=false up front and stop the ABM check from re-enabling downgrading (resolves microsoft#139).
When the Intune agent invokes pluginkit directly it isn't attached to the user's Aqua GUI launchd session, so pluginkit returns "match: connection invalid" and the extension is never enabled.
Rewrite the script to:
- run as root (Intune setting: Run as signed-in user = No)
- detect the active console user
- re-enter the user's GUI launchd session via 'launchctl asuser <uid>' for every pluginkit call
- detect both standalone and VPP/Mac App Store extension IDs
- verify post-enable status before reporting success
Updates README to reflect the new Intune setting and explain why.
Resolves microsoft#148 (also fixes the regression that re-opened microsoft#137).
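The pattern this commit message describes, as an added example that is not the PR's script: a root-run script resolves the console user, wraps each pluginkit call in `launchctl asuser <uid>`, and checks the election state afterwards. The function names are assumptions, and the two extension IDs (standalone and Mac App Store OneDrive FinderSync bundles) do not appear on this page.

```bash
#!/bin/bash
# Added example, not the PR's script. Function names are assumptions; EXT_IDS
# lists the standalone and Mac App Store OneDrive FinderSync bundle IDs.
EXT_IDS="com.microsoft.OneDrive.FinderSync com.microsoft.OneDrive-mac.FinderSync"

console_user() {   # owner of /dev/console is the GUI user; reject non-human sessions
    local u
    u=$(stat -f%Su /dev/console 2>/dev/null)
    case "$u" in
        ""|root|loginwindow|_mbsetupuser) return 1 ;;
    esac
    printf '%s\n' "$u"
}

as_gui_user() {    # as_gui_user <user> <cmd...>: run cmd in the user's GUI launchd session
    local user="$1" uid
    shift
    uid=$(id -u "$user") || return 1
    # asuser switches the launchd context; sudo -u drops root to the user
    launchctl asuser "$uid" sudo -u "$user" "$@"
}

enable_finder_sync() {
    local user ext result=1
    user=$(console_user) || { echo "no console user; retry later" >&2; return 1; }
    for ext in $EXT_IDS; do
        # pluginkit -m prints nothing for an extension that is not installed
        [ -n "$(as_gui_user "$user" pluginkit -m -i "$ext")" ] || continue
        as_gui_user "$user" pluginkit -e use -i "$ext"
        # verify: an extension elected for use is listed with a leading '+'
        case "$(as_gui_user "$user" pluginkit -m -i "$ext")" in
            +*) echo "enabled $ext for $user"; result=0 ;;
            *)  echo "failed to enable $ext" >&2 ;;
        esac
    done
    return "$result"
}
```

Call `enable_finder_sync` from a script that Intune runs as root; a non-zero return covers both "nobody is logged in" and "no extension ended up enabled".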
Jamf Pro 10.49+ introduced API Roles & Clients (OAuth2
client_credentials). The previous get_auth_token() only spoke
HTTP Basic against /api/v1/auth/token, which silently returned an
empty token for tenants using API Clients and caused every
subsequent call to fail with HTTP 401.
Changes:
- New JAMF_AUTH_METHOD switch ('basic' or 'oauth')
- New JAMF_CLIENT_ID / JAMF_CLIENT_SECRET variables for OAuth
- get_auth_token() branches on method, captures HTTP status, and
fails fast with a clear error if the token comes back empty/null
instead of letting the script send 'Bearer null' downstream
- Avoid logging the bearer token verbatim; log token length only
- README documents both methods and the minimum role permissions
required (Send Computer Unmanage Command + Read Computers)
Resolves microsoft#201.
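A sketch of the token handling this commit message lists, as an added example rather than the PR's code: branch on `JAMF_AUTH_METHOD`, capture the HTTP status, reject an empty or null token, and log only the token length. `JAMF_URL`, `JAMF_USER`, `JAMF_PASS`, `JAMF_TOKEN` and the `json_string` helper are assumed names, and `/api/oauth/token` is Jamf Pro's client-credentials endpoint, which the page itself does not spell out.

```bash
#!/bin/bash
# Added example, not the PR's code. JAMF_URL, JAMF_USER, JAMF_PASS, JAMF_TOKEN
# and json_string are assumed names; the JAMF_AUTH_METHOD, JAMF_CLIENT_ID and
# JAMF_CLIENT_SECRET variables are the ones named in the commit message.

json_string() {   # json_string <key>: print that key's string value from JSON on stdin
    sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

get_auth_token() {
    local resp status body key
    JAMF_TOKEN=""                         # never leave a stale token behind
    case "${JAMF_AUTH_METHOD:-basic}" in
        basic)
            key="token"
            resp=$(curl -s -w '%{http_code}' -X POST \
                -u "${JAMF_USER}:${JAMF_PASS}" "${JAMF_URL}/api/v1/auth/token") ;;
        oauth)
            key="access_token"
            resp=$(curl -s -w '%{http_code}' -X POST \
                --data-urlencode "client_id=${JAMF_CLIENT_ID}" \
                --data-urlencode "client_secret=${JAMF_CLIENT_SECRET}" \
                --data-urlencode "grant_type=client_credentials" \
                "${JAMF_URL}/api/oauth/token") ;;
        *)
            echo "ERROR: JAMF_AUTH_METHOD must be 'basic' or 'oauth'" >&2
            return 2 ;;
    esac
    body=${resp%???}                      # -w appends the 3-digit HTTP status
    status=${resp#"$body"}
    if [ "$status" != "200" ]; then
        echo "ERROR: token request returned HTTP ${status:-none}" >&2
        return 1
    fi
    JAMF_TOKEN=$(printf '%s' "$body" | json_string "$key")
    if [ -z "$JAMF_TOKEN" ] || [ "$JAMF_TOKEN" = "null" ]; then
        JAMF_TOKEN=""
        echo "ERROR: HTTP 200 but no usable ${key}; check JAMF_AUTH_METHOD" >&2
        return 1
    fi
    echo "Bearer token obtained (length ${#JAMF_TOKEN})"   # length only, never the value
}
```

Passing the secret as a curl argument exposes it to other local processes through the process list for the lifetime of the call; feeding it through a curl config on stdin avoids that.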
Batch fixes for several open issues:
Resolves
- `macOS/Apps/Google Drive/readme.md` — Rewrites the readme so it actually describes the Google Drive installer (was the unrelated screen-sharing readme).
- `macOS/Config/Manage Accounts/downgradeUsertoStandard.sh` — Honour `downgrade=false` up front so the ABM check can no longer re-enable downgrading against the user's wishes. `adminaccountname` variable so the protected admin account is no longer hard-coded to the literal string `admin`.
- `macOS/Config/Enable OneDrive Finder Sync/EnableOneDriveFinderSync.sh` — When the Intune agent invokes `pluginkit` directly it isn't attached to the user's Aqua GUI launchd session, so `pluginkit` returns `match: connection invalid` and the extension is never enabled. Rewrites the script to run as root, detect the active console user, and re-enter the user's GUI session via `launchctl asuser <uid>` for every `pluginkit` call. Also updates the readme (Intune setting changes from "Run as signed-in user: Yes" to "No").
- `macOS/Tools/Migration/intuneMigrationSample.sh` — Adds Jamf Pro API Client (OAuth) auth alongside the existing basic auth path. Jamf Pro 10.49+ tenants using API Roles & Clients were getting silent empty tokens followed by HTTP 401 on every call. New `JAMF_AUTH_METHOD=basic|oauth` switch with `JAMF_CLIENT_ID` / `JAMF_CLIENT_SECRET`, fail-fast token validation, and stops logging the bearer token verbatim. Readme documents both methods and the minimum Jamf role permissions required.

Testing
- `bash -n` and `zsh -n`.
- `launchctl asuser` pattern matches the working community fix from macOS - Intune - ABM/ADE - Sonoma 14.5 M3 - EnableOneDriveFinderSync.sh (logs show "match: connection invalid") #137.