Read marker path from managed prefs + record forensic version/timestamp#4

Merged
george-elphick-talieisin merged 1 commit into main from fix/exit-condition-read-from-managed-prefs on May 14, 2026

Conversation

@george-elphick-talieisin
Contributor

Why

Three issues with the previous exit-condition script (#3):

  1. Marker path was hardcoded — duplicated in three places (Terraform var default, bootstrap.sh fallback, this script). Changing any one silently broke the run-once contract.
  2. No forensic content — IT couldn't tell what version of Baseline provisioned a given device, or when, by inspecting the marker.
  3. The script was a writer with no awareness of upstream configuration.

What changed

  • Marker path read from managed prefs. The script now reads SECONDSON_BASELINE_VERSION and SECONDSON_BASELINE_EXIT_CONDITION from /Library/Managed Preferences/com.talieisin.baseline.plist. The Terraform-rendered mobileconfig is the single source of truth for both.

    If SECONDSON_BASELINE_EXIT_CONDITION is missing (shouldn't happen in normal operation), the script exits 1 — refuses to write a marker without a configured path.

  • Marker contents are now forensic:

    version=v3.0
    completed=2026-05-14T08:30:00Z
    hostname=AWEN-001

    bootstrap.sh treats the marker as a binary signal — presence means "device provisioned, skip Phase 3". The contents exist for IT support: cat /var/db/.talieisin-baseline-complete shows what version provisioned and when. Not parsed for control flow.

  • Marker is overwritten unconditionally on each successful run so a force-rerun (sudo rm marker && re-run bootstrap.sh) correctly captures the latest version/timestamp.

Operator contract (documented in the script header)

Bumping var.secondson_baseline_version does NOT auto-upgrade existing devices. Existing devices stay on whatever Baseline version they got at ADE enrolment. To roll out a new Baseline version across an existing fleet:

  1. Deploy a one-off Intune script that removes /var/db/.talieisin-baseline-complete
  2. Redeploy bootstrap.sh (e.g. bump MODULE_VERSION so Intune re-dispatches)
  3. Existing devices re-run Phase 3 → install + run new Baseline version

Coupling with Talieisin/intune

This file must stay byte-identical to scripts/lib/exit-condition.sh in the intune working tree. The intune Terraform pins this file's MD5 via filemd5() into the rendered SecondSon mobileconfig — Baseline downloads the script at run-time and rejects it if MD5s differ.

The intune side now has a data "http" + terraform_data preflight that fetches the published content from the rendered raw-URL and blocks terraform plan if MD5s drift. So a missed push here will fail loud rather than silent.

Local MD5 after this PR merges: f7314068dd2f79a651c0d747786ec5e8.

Test plan

Previously the script hardcoded the marker file path and wrote a
plain-text "Baseline script completed on <date>" content. That meant:

  1. The marker path was duplicated in three places (Terraform variable
     default, bootstrap.sh fallback, this script). Changing one without
     the others silently broke the run-once contract.
  2. The marker carried no forensic information — IT couldn't tell what
     version of Baseline provisioned a given device, or when.

Changes:

  - Marker path is now read from the SECONDSON_BASELINE_EXIT_CONDITION
    managed-pref key (rendered by Terraform from var.baseline_exit_condition).
    The Terraform-rendered mobileconfig is the single source of truth.
    If the pref is unset (shouldn't happen in normal operation), the
    script exits 1 — refuses to write a marker without a configured path.

  - Marker contents now include:
      version=<SECONDSON_BASELINE_VERSION>
      completed=<ISO 8601 UTC timestamp>
      hostname=<device shortname>
    bootstrap.sh treats the marker as a binary signal (presence = skip);
    contents are forensic only. `cat /var/db/.talieisin-baseline-complete`
    on a device shows what version provisioned it and when.

  - Marker is unconditionally overwritten on each successful Baseline
    run, so a force-rerun (`sudo rm marker && re-run bootstrap.sh`)
    correctly captures the latest version/timestamp.

Operator contract documented in the script header: bumping
`var.secondson_baseline_version` does NOT auto-upgrade existing devices.
To force re-run across the fleet, deploy a one-off Intune script that
removes the marker, then redeploy bootstrap.sh.

Must stay byte-identical to scripts/lib/exit-condition.sh in
Talieisin/intune. The intune Terraform now has a preflight that fetches
this file from the rendered URL and blocks `terraform plan` if MD5s
drift, so a missed push here will fail loud rather than silent.
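The writer this PR describes, as an added example and not the project's exit-condition.sh: it reads the two SECONDSON_* keys from the managed-prefs domain named above with `defaults read`, refuses to run when the path pref is missing, writes the three forensic lines (version, completed, hostname) and overwrites the marker on every run. Two things are assumptions of this example rather than anything the PR states: the marker path is validated as an absolute path with no `..` component before root writes to it, and the write goes through a temp file and `mv` so bootstrap.sh never observes a half-written marker. The function names and the `run` argument that triggers the real write are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not the project's exit-condition.sh. Writes the run-once
# marker for Phase 3 from values carried in the managed-prefs plist.
set -euo pipefail

PREF_DOMAIN="com.talieisin.baseline"                      # from the PR
MANAGED_PREFS="/Library/Managed Preferences/$PREF_DOMAIN"  # defaults appends .plist

# Read one key from the managed-prefs plist; print nothing if it is absent.
read_managed_pref() {
  local key="$1"
  /usr/bin/defaults read "$MANAGED_PREFS" "$key" 2>/dev/null || true
}

# The script runs as root and writes wherever the pref points, so accept only
# an absolute file path with no '..' component and no embedded newline.
# (Assumed hardening; the PR only checks for an empty value.)
validate_marker_path() {
  local p="$1"
  case "$p" in
    "") return 1 ;;          # unset pref: refuse, never fall back to a literal
    /*) ;;                   # must be absolute
    *)  return 1 ;;
  esac
  case "$p" in
    */../*|*/..|*$'\n'*|*/) return 1 ;;
  esac
  return 0
}

# Device shortname: scutil on macOS, hostname/uname elsewhere.
device_shortname() {
  if [[ -x /usr/sbin/scutil ]]; then
    /usr/sbin/scutil --get LocalHostName 2>/dev/null || hostname -s
  else
    hostname -s 2>/dev/null || uname -n
  fi
}

# Write the forensic marker, overwriting unconditionally so a force-rerun
# records the latest version/timestamp. Presence is the signal bootstrap.sh
# acts on; the contents are for `cat` by IT support only.
write_marker() {
  local path="$1" version="$2" host="${3:-$(device_shortname)}"
  local stamp tmp
  stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)               # ISO 8601 UTC
  tmp=$(mktemp "${path}.XXXXXX")                     # same directory as the marker
  printf 'version=%s\ncompleted=%s\nhostname=%s\n' "$version" "$stamp" "$host" > "$tmp"
  chmod 0644 "$tmp"
  mv -f "$tmp" "$path"                               # atomic rename (assumed hardening)
}

# Pull one field back out of a marker, e.g. for a support tool.
read_marker_field() {
  local path="$1" key="$2"
  sed -n "s/^${key}=//p" "$path" | head -n1
}

main() {
  local marker version
  marker=$(read_managed_pref SECONDSON_BASELINE_EXIT_CONDITION)
  version=$(read_managed_pref SECONDSON_BASELINE_VERSION)
  if ! validate_marker_path "$marker"; then
    echo "$(date) | ERROR: SECONDSON_BASELINE_EXIT_CONDITION missing or invalid in $MANAGED_PREFS" >&2
    exit 1
  fi
  write_marker "$marker" "${version:-unknown}"
  echo "$(date) | wrote marker $marker (version=${version:-unknown})"
}

# Only perform the real write when invoked as `sudo bash exit-condition-example.sh run`.
if [[ "${1:-}" == "run" ]]; then main; fi
```

Refusing a non-absolute path costs one `case` statement and removes the one way a mistyped Terraform variable could make a root process write a marker relative to its working directory. The force-rerun procedure from the operator contract needs nothing more than removing the marker: `write_marker` ignores any existing file, so the next bootstrap captures the new version and timestamp.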
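The run-time MD5 pin described under "Coupling with Talieisin/intune", as an added example and not Baseline's or the intune module's code. The PR says Baseline downloads the script and rejects it if the MD5 differs from the value Terraform pins via filemd5(); this is what that check looks like in shell, with the download kept apart from the verification so the latter can be exercised on a constructed file. The pref key names SECONDSON_EXIT_CONDITION_URL and SECONDSON_EXIT_CONDITION_MD5, the destination path, the function names and the use of curl are assumptions of this example; the page does not say how Baseline receives the URL or the digest.

```shell
#!/usr/bin/env bash
# Added example, not Baseline's or Talieisin/intune's code: download the
# exit-condition script and refuse to install it unless its MD5 matches the
# digest pinned next to it. Key names and the install path are assumptions.
set -euo pipefail

PREF_DOMAIN="com.talieisin.baseline"                      # from the PR
MANAGED_PREFS="/Library/Managed Preferences/$PREF_DOMAIN"  # defaults appends .plist
URL_KEY="SECONDSON_EXIT_CONDITION_URL"   # hypothetical key: rendered raw-URL
MD5_KEY="SECONDSON_EXIT_CONDITION_MD5"   # hypothetical key: what filemd5() produced
DEST="/usr/local/talieisin/exit-condition.sh"             # hypothetical install path

# Portable MD5 of a file: md5sum on Linux, /sbin/md5 on macOS.
md5_of_file() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | cut -d' ' -f1
  else
    /sbin/md5 -q "$1"
  fi
}

# 0 when the file's digest equals the pinned value (case-insensitive), else 1.
# An empty pin never matches: a missing pref must not turn the check off.
verify_pinned_md5() {
  local file="$1" expected="$2" actual
  actual=$(md5_of_file "$file" | tr 'A-F' 'a-f')
  expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
  [[ -n "$expected" && "$actual" == "$expected" ]]
}

# Download to a temp file, verify, then install atomically. A mismatch leaves
# nothing at $dest and returns 1 so the caller fails loud rather than silent.
fetch_and_verify() {
  local url="$1" expected="$2" dest="$3" tmp
  tmp=$(mktemp)
  if ! /usr/bin/curl -fsSL --proto '=https' --max-time 60 -o "$tmp" "$url"; then
    rm -f "$tmp"
    echo "ERROR: download failed: $url" >&2
    return 1
  fi
  if ! verify_pinned_md5 "$tmp" "$expected"; then
    echo "ERROR: MD5 mismatch for $url: expected $expected, got $(md5_of_file "$tmp")" >&2
    rm -f "$tmp"
    return 1
  fi
  install -m 0755 "$tmp" "$dest"   # root-owned, executable, never a partial file at $dest
  rm -f "$tmp"
}

main() {
  local url expected
  url=$(/usr/bin/defaults read "$MANAGED_PREFS" "$URL_KEY" 2>/dev/null || true)
  expected=$(/usr/bin/defaults read "$MANAGED_PREFS" "$MD5_KEY" 2>/dev/null || true)
  if [[ -z "$url" || -z "$expected" ]]; then
    echo "ERROR: $URL_KEY / $MD5_KEY not set in $MANAGED_PREFS" >&2
    exit 1
  fi
  fetch_and_verify "$url" "$expected" "$DEST"
}

# Only fetch when invoked as `sudo bash verify-exit-condition.sh run`.
if [[ "${1:-}" == "run" ]]; then main; fi
```

The digest here detects drift between the two working trees; it is not a signature. Anyone who can change the pinned value in the profile, or the content behind the raw-URL before the preflight runs, can change what gets executed as root. Swapping to SHA-256 is a one-line change on each side (`shasum -a 256` exists on both macOS and Linux; Terraform has filesha256()); MD5 is kept in this example only because filemd5() is what the page says the intune side pins.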
Copilot AI review requested due to automatic review settings May 14, 2026 06:07
@george-elphick-talieisin george-elphick-talieisin merged commit a2a076c into main May 14, 2026
3 checks passed
@george-elphick-talieisin george-elphick-talieisin deleted the fix/exit-condition-read-from-managed-prefs branch May 14, 2026 06:09

Copilot AI left a comment


Pull request overview

Updates the SecondSon Baseline “exit condition” lifecycle script so the marker path comes from managed preferences (Terraform-rendered mobileconfig as source of truth) and the marker file includes forensic metadata (version/timestamp/hostname) for support visibility.

Changes:

  • Read SECONDSON_BASELINE_EXIT_CONDITION and SECONDSON_BASELINE_VERSION from /Library/Managed Preferences/com.talieisin.baseline(.plist) instead of hardcoding the marker path.
  • Write a forensic marker payload (version=…, completed=…, hostname=…) and overwrite it on each successful run.
  • Expand the script header documentation to describe the operator contract and coupling expectations.


log="$logdir/createBaselineExitCondition.log"
exit_condition_file="/var/db/.talieisin-baseline-complete"
pref_domain="com.talieisin.baseline"
managed_prefs="/Library/Managed Preferences/$pref_domain"
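Review bot: `exit_condition_file="/var/db/.talieisin-baseline-complete"` at the top of this hunk keeps the hard-coded marker path the PR sets out to remove; the same variable is reassigned from `defaults read` further down and the script exits when the pref is missing, so this literal is dead configuration that will drift from the Terraform default the moment either changes. Drop the assignment, or initialise it to an empty string, so the managed pref is the only source of the path.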
Comment on lines +18 to +19
## shouldn't happen in normal operation), the script logs a warning and
## exits without writing — Phase 3 will then re-run on the next bootstrap.
## absence = run. The contents exist for IT support: `cat /var/db/...`
## shows what version provisioned the device and when.
##
## Operator contract (see baseline/README.md):
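Review bot: the header at lines +18 to +19 says a missing pref makes the script log a warning and exit without writing, while the code path for the same condition below logs `ERROR:` and the PR description says it exits 1; make the header match the code. Worth stating in the same sentence that a missing pref means Phase 3 re-runs on every bootstrap until the profile lands, since that is the consequence an operator reading the header needs. The header also points at `baseline/README.md` for the operator contract while the PR says it is documented in the script header itself; one of the two references is stale.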
Comment on lines +62 to +66
exit_condition_file=$(/usr/bin/defaults read "$managed_prefs" SECONDSON_BASELINE_EXIT_CONDITION 2>/dev/null || echo "")
baseline_version=$(/usr/bin/defaults read "$managed_prefs" SECONDSON_BASELINE_VERSION 2>/dev/null || echo "unknown")

if [[ -z "$exit_condition_file" ]]; then
echo "$(date) | ERROR: SECONDSON_BASELINE_EXIT_CONDITION not set in $managed_prefs"
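Review bot: the `defaults read` at line +62 takes a filesystem path from a managed pref and the script goes on to write there as root, so the single `[[ -z "$exit_condition_file" ]]` check should also require an absolute path, e.g. `[[ "$exit_condition_file" == /* ]]`, before anything is written; managed prefs are MDM-controlled, but a mistyped Terraform variable would otherwise produce a marker relative to the script's working directory and bootstrap.sh would never find it. Also, this ERROR line goes to stdout while `$log` is defined at the top of the file; send it (and the success message) to `$log` or stderr so the failure is visible where support looks.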