Hiding launch agents

Chuey
Contributor III

I have a launch agent that points to a bash script that gets executed on login.

I have some users who like to "investigate" and I don't want them to see the script contents that the launch agent is calling to execute.

I think the user has to have read access to the script to execute it since it's a launch agent...

I've heard about SHC which can convert bash scripts into executables but never used it. I know there are ways around SHC but I just want something quick that hides the contents of the script to the end user. They won't be doing any lengthy investigation.

Any advice on how I could hide the contents of the script or compile it so the end user cannot see its contents would be greatly appreciated.

8 REPLIES

EduMac89
New Contributor II

You could use an app called Platypus - this allows you to wrap shell scripts into an app that can then be run at login via MCX, Profile etc. I've used it in the past for this exact reason and it's never failed me.

Chuey
Contributor III

@EduMac89 Thanks, you know I've heard of Platypus but didn't even come to mind for this.

mm2270
Legendary Contributor III

You could look at Platypus for this as suggested. It does a pretty good job of hiding the script contents in a way that only someone who really understands what they are doing could possibly obtain the script contents.
Platypus apps can be made more or less invisible if you choose not to give them any GUI elements and also make sure the app doesn't show up in the Dock when it's launched. It might be a good option for this.

A couple other suggestions you may want to consider to help curb users exploring your LaunchAgents:

  • Name them as generically as you can, while still having some meaning to you. Try not to make the naming of the plist so obvious as to what it does or what it's for.
  • Make the actual plist files invisible when deployed by running the following command on them: /usr/bin/chflags hidden /Library/LaunchAgents/com.org.name.plist

The last command will make it invisible when they open the /Library/LaunchAgents/ directory in Finder, though they'd still be able to see it if they do something like ls -al /Library/LaunchAgents/

Chuey
Contributor III

@mm2270 Wow, Thanks for the info! This is exactly what I was looking for. We restrict terminal access so users won't have the chance to do an ls -al on the directory.

cbrewer
Valued Contributor II

Another option is to use a login policy in Casper that runs a script. The script that runs can use echo commands to build a launch agent as well as the script that you want the launch agent to trigger. This script that gets created can include a line to remove the launch agent. Basically what you end up with here is a launch agent and related script that's controlled by your JSS. It's invisible to the end user because after it runs it no longer exists.

If you want a sample of what I'm talking about let me know.

Nix4Life
Valued Contributor

@cbrewer that is brilliant! Please post a sanitized sample if you can.

cbrewer
Valued Contributor II

@LSinNY Just wrote a long reply and it failed to post so here we go again...

Below is a sample from a script I use to launch ADPassMon on a user's login. For this to work I think you need ManagementFramework Check-In set to NOT "Perform login hook actions in background".

The script will build a temp script in /private/var/tmp. The temp script in my case just has a line to open the ADPassMon app. It also has lines to remove the temp script itself as well as the launch agent.

#!/bin/bash
# Script to launch ADPassMon and remove the LaunchAgent afterwards
# $3 is the short name of the user logging in (passed in by the Casper login policy)
USER_NAME="$3"
TMP_SCRIPT="/private/var/tmp/Activate_ADPassMon.sh"
AGENT_PLIST="/Users/$USER_NAME/Library/LaunchAgents/ORG.ADPassMon.plist"

# Build the temp script from scratch (remove any old copy first so repeated logins don't append duplicate lines)
rm -f "$TMP_SCRIPT"
echo "open /Applications/ADPassMon.app/" >> "$TMP_SCRIPT"
echo "rm \"$AGENT_PLIST\"" >> "$TMP_SCRIPT"
echo "rm \"$TMP_SCRIPT\"" >> "$TMP_SCRIPT"
chown "$USER_NAME" "$TMP_SCRIPT"
chmod 755 "$TMP_SCRIPT"

# Check for an existing launch agent
if [ -f "$AGENT_PLIST" ]; then
    echo "LaunchAgent for ADPassMon already exists. Removing..."
    rm "$AGENT_PLIST"
fi

# Write LaunchAgent to launch ADPassMon on login
mkdir -p "/Users/$USER_NAME/Library/LaunchAgents"
defaults write "$AGENT_PLIST" Label ORG.ADPassMon
defaults write "$AGENT_PLIST" ProgramArguments -array
defaults write "$AGENT_PLIST" RunAtLoad -bool YES
/usr/libexec/PlistBuddy -c "Add :ProgramArguments: string $TMP_SCRIPT" "$AGENT_PLIST"
chown -R "$USER_NAME" "/Users/$USER_NAME/Library/LaunchAgents"
chmod 644 "$AGENT_PLIST"
echo "Created LaunchAgent to launch ADPassMon on login"
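Seen from the auditing side, the two tricks in this thread (a plist hidden with chflags, and an agent whose program lives in /private/var/tmp and deletes itself) are exactly what a defender reviewing a Mac's LaunchAgents would want to surface. The Python below is an added example, not code from this thread or from Casper/JSS: it parses a LaunchAgent plist with the standard plistlib, flags a program path in a world-writable temp directory or one that no longer exists, and reports the BSD hidden flag (meaningful only on macOS). The plist it builds is constructed sample data shaped like the one the script above writes.

```python
"""Audit a LaunchAgent plist for the patterns discussed in this thread (added example)."""
import os
import plistlib
import stat
import tempfile

# Per-login agents should not execute from world-writable temp directories.
TEMP_PREFIXES = ("/private/var/tmp/", "/private/tmp/", "/var/tmp/", "/tmp/")


def is_hidden(path):
    """True if the file carries the BSD 'hidden' flag set by `chflags hidden`.
    st_flags and UF_HIDDEN exist only on macOS/BSD; elsewhere this returns False."""
    st = os.stat(path)
    return bool(getattr(st, "st_flags", 0) & getattr(stat, "UF_HIDDEN", 0))


def audit_launch_agent(plist_path):
    """Return a dict of findings for one LaunchAgent plist."""
    with open(plist_path, "rb") as f:
        plist = plistlib.load(f)
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    program = args[0] if args else ""
    findings = {
        "label": plist.get("Label", "<missing>"),
        "program": program,
        "runs_at_load": bool(plist.get("RunAtLoad", False)),
        "program_in_temp_dir": program.startswith(TEMP_PREFIXES),
        # A self-deleting script leaves a dangling agent behind; worth a look either way.
        "program_missing": not os.path.exists(program),
        "plist_hidden": is_hidden(plist_path),
    }
    findings["suspicious"] = findings["program_in_temp_dir"] or findings["program_missing"]
    return findings


def build_sample(tmpdir):
    """Construct a plist like the one the thread's script writes (sample data, constructed here)."""
    plist = {"Label": "ORG.ADPassMon",
             "ProgramArguments": ["/private/var/tmp/Activate_ADPassMon.sh"],
             "RunAtLoad": True}
    path = os.path.join(tmpdir, "ORG.ADPassMon.plist")
    with open(path, "wb") as f:
        plistlib.dump(plist, f)
    return path


def audit_sample():
    """Build the constructed sample in a temp dir and audit it; returns the findings dict."""
    with tempfile.TemporaryDirectory() as d:
        return audit_launch_agent(build_sample(d))


if __name__ == "__main__":
    print(audit_sample())
```

Pointing audit_launch_agent at every plist under ~/Library/LaunchAgents and /Library/LaunchAgents gives a quick inventory of agents that run from temp paths or whose program has already vanished.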

jcompton
Contributor

Another option is to adopt an open and transparent relationship with your users, and abandon the "us vs. them" IT philosophy.

Just sayin