Creating a plist with a script, having problems calling Jamf

huysf
New Contributor

In our organization, I am trying to have a pop-up window show up when the user is on the desktop, prompting them to choose from a list of roles. For instance, developers must choose DEV-1. After they select their role, I want it to update Jamf (with recon) to set their department. That way, I can have role-specific apps get pulled down from other policies that have specific software scoped to these departments: DEV-1 gets Java, IDEs, Sublime Text, HR-1 would get Office 2016, etc.

In Jamf, I have the following script scoped to all newly enrolled laptops to run at enrollment. It is a script that creates a Launch Agent and an Application Support/SF folder. The script under Application Support/SF checks that the logged-in user is not _mbsetupuser, that the Finder process is running, and that a "done file" has NOT been created, so it can run. After creating the script and running it through its process, I do get the pop-up asking which role the user is, but after their input it does not continue with jamf recon -department "$roleID". If I run that same exact script locally from a file saved in TextEdit, the script works perfectly, updating Jamf's department field to $roleID. The problem I see is that if the script is created via a script, it doesn't work as intended, as it's not able to do a recon to Jamf, even though I hardcode the path. Please help!

```bash
#!/bin/bash

# Launch Agent that runs the role prompt in the user's session.
cat > /Library/LaunchAgents/com.SF.roleid.plist << 'ENDSCRIPT'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>StartInterval</key>
    <integer>10</integer>
    <key>RunAtLoad</key>
    <true/>
    <key>Label</key>
    <string>com.SF.roleid.plist</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/Application Support/SF/roleid.launch.sh</string>
    </array>
</dict>
</plist>
ENDSCRIPT

chmod 755 /Library/LaunchAgents/com.SF.roleid.plist
/usr/sbin/chown -R root:wheel /Library/LaunchAgents/com.SF.roleid.plist

if [ ! -d "/Library/Application Support/SF/" ]; then
    mkdir "/Library/Application Support/SF/"
fi

touch "/Library/Application Support/SF/"

chown -R root:wheel "/Library/Application Support/SF/"

# The script the Launch Agent runs as the logged-in user.
/bin/cat > "/Library/Application Support/SF/roleid.launch.sh" << 'ENDSCRIPT'
#!/bin/bash

loggedInUser=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')

doneFile="/Users/Shared/.roleid"

# Check if User is on desktop (Finder process exists)
function finderRunning {
    /usr/bin/pgrep Finder && return 0 || return 1
}

# Check if User is in control (not _mbsetupuser)
# doneFile does not exist
if finderRunning && [ "$loggedInUser" != "_mbsetupuser" ] && [ ! -f "${doneFile}" ]; then
    roleID=$(osascript -e 'tell application "SystemUIServer" to choose from list {"DEV-1","DEV-2","QA-1","QA-2","QA-3","IT-1","IT-2","ACC-1","SOPS-1","FA-1","DS-1","MA-1","PM-1","HR-1"}')
    touch "$doneFile"
    /usr/bin/local/jamf recon -department "$roleID"
fi

exit 0
ENDSCRIPT

chmod +x "/Library/Application Support/SF/"
chmod +x "/Library/Application Support/SF/roleid.launch.sh"

loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`
loggedInUID=`id -u ${loggedInUser}`

if [[ ${loggedInUID} -gt 500 ]]; then
    echo "Launching RoleID for user ${loggedInUID}…"
    sudo -u #${loggedInUID} launchctl enable gui/${loggedInUID}/roleid.launch.sh
    sudo -u #${loggedInUID} launchctl bootstrap gui/${loggedInUID}/ /Library/LaunchAgents/com.SF.roleid.plist
fi

sleep 30
sudo -u #${loggedInUID} launchctl unload /Library/LaunchAgents/com.SF.roleid.plist

exit 0
```
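An added example (an editor's illustration, not the poster's script and not Jamf's own tooling) of the same workflow with the privilege boundary drawn where macOS puts it. Two things in the post's design work against it: a LaunchAgent runs as the logged-in user, but the jamf binary refuses to run `recon` unless it is root, which is why the same script succeeds when run by hand with sudo; and the binary lives at /usr/local/bin/jamf (a symlink into /usr/local/jamf/bin), not /usr/bin/local/jamf. So the agent below only asks the question and writes the answer to a drop file, and a root LaunchDaemon that launchd starts whenever that file changes validates the answer against an allow-list and runs the recon. Everything root reads from a world-writable location is untrusted, hence the exact-match check before the value reaches the jamf command line. The labels, the install path, the drop-file location and the role list are assumptions chosen for the example.

```bash
#!/bin/bash
# Added example, not the poster's script. The prompt runs as the console user
# (LaunchAgent, "--prompt") and only writes the answer to a drop file; the
# inventory update, which needs root, runs from a LaunchDaemon ("--apply") that
# launchd starts whenever the drop file changes. Labels, paths and the role list
# are assumptions chosen for illustration.
set -u

ROLE_FILE="/Users/Shared/.roleid"                        # user-writable drop file
SELF="/Library/Application Support/RoleID/roleid.sh"     # assumed install path
AGENT_LABEL="com.example.roleid.prompt"                  # assumed label
DAEMON_LABEL="com.example.roleid.apply"                  # assumed label
JAMF_BIN="/usr/local/bin/jamf"                           # Jamf's binary (symlink)
ALLOWED_ROLES="DEV-1 DEV-2 QA-1 QA-2 QA-3 IT-1 IT-2 ACC-1 SOPS-1 FA-1 DS-1 MA-1 PM-1 HR-1"

# valid_role ROLE: succeed only on an exact allow-list match. Root reads the
# role from a file any local user can write, so it is untrusted input.
valid_role() {
    local r
    for r in $ALLOWED_ROLES; do
        [ "$1" = "$r" ] && return 0
    done
    return 1
}

# applescript_list WORD...: render the roles as an AppleScript list literal.
applescript_list() {
    local out="" w
    for w in "$@"; do out="$out,\"$w\""; done
    printf '{%s}\n' "${out#,}"
}

# choice_to_role CHOICE: `choose from list` prints "false" on Cancel and the
# item otherwise. Prints a validated role, or nothing with non-zero status.
choice_to_role() {
    case "$1" in ""|false) return 1 ;; esac
    valid_role "$1" && printf '%s\n' "$1"
}

# apply_role FILE CMD: root-side step. Reads the first line of FILE (CR/LF
# stripped), validates it, then runs `CMD recon -department ROLE`. A file that
# fails validation is deleted so it cannot re-trigger the daemon. CMD is a
# parameter so the logic can be exercised with `echo` instead of jamf.
apply_role() {
    local file="$1" cmd="$2" role
    [ -f "$file" ] || return 1
    role=$(head -n 1 "$file" | tr -d '\r\n')
    if ! valid_role "$role"; then rm -f "$file"; return 1; fi
    "$cmd" recon -department "$role"
}

# launchd_plist LABEL PROGRAM ARG [WATCHPATH]: with WATCHPATH, a job launchd
# starts whenever that path changes; without it, a job that runs at load in
# the Aqua (GUI) session, i.e. once per login.
launchd_plist() {
    local trigger
    if [ -n "${4:-}" ]; then
        trigger="<key>WatchPaths</key><array><string>$4</string></array>"
    else
        trigger="<key>RunAtLoad</key><true/><key>LimitLoadToSessionType</key><string>Aqua</string>"
    fi
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>$1</string>
  <key>ProgramArguments</key><array><string>$2</string><string>$3</string></array>
  $trigger
</dict>
</plist>
EOF
}

case "${1:-}" in
    --prompt)   # agent side, as the logged-in user
        [ -f "$ROLE_FILE" ] && exit 0                    # already answered
        choice=$(osascript -e "tell application \"System Events\" to choose from list $(applescript_list $ALLOWED_ROLES) with prompt \"Select your role\"")
        role=$(choice_to_role "$choice") || exit 0       # cancelled or tampered
        printf '%s\n' "$role" > "$ROLE_FILE" ;;          # daemon takes it from here
    --apply)    # daemon side, as root
        apply_role "$ROLE_FILE" "$JAMF_BIN" ;;
    --install)  # run once as root, e.g. from the enrollment policy
        mkdir -p "$(dirname "$SELF")" && cp "$0" "$SELF" && chmod 755 "$SELF"
        launchd_plist "$AGENT_LABEL" "$SELF" --prompt > "/Library/LaunchAgents/$AGENT_LABEL.plist"
        launchd_plist "$DAEMON_LABEL" "$SELF" --apply "$ROLE_FILE" > "/Library/LaunchDaemons/$DAEMON_LABEL.plist"
        chown root:wheel "/Library/LaunchAgents/$AGENT_LABEL.plist" "/Library/LaunchDaemons/$DAEMON_LABEL.plist"
        chmod 644 "/Library/LaunchAgents/$AGENT_LABEL.plist" "/Library/LaunchDaemons/$DAEMON_LABEL.plist"
        launchctl bootstrap system "/Library/LaunchDaemons/$DAEMON_LABEL.plist" ;;  # agent loads at next login
esac
```

Run it once as root with `--install`; the daemon is bootstrapped immediately and the agent picks up at the user's next login (or bootstrap it into `gui/<uid>` by hand, as the thread does, if you need it in the current session). The drop file doubles as the "done" marker, so the prompt shows once. Because /Users/Shared is world-writable, the allow-list check bounds what root will ever pass to jamf to one of the listed values, but it does not prove who wrote the file; that is acceptable here only because the user is choosing their own role anyway.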
4 replies

sdagley
Esteemed Contributor II

@huysf You might want to edit your post to put the script begin/end tag, which is three consecutive backticks (```), immediately before and after your script so it'll display properly.

jchurch
Contributor II

We use Casper's receipts folder: /Library/Application Support/JAMF/Receipts/

We just put a policy in Self Service that runs a script:

```bash
#!/bin/sh
touch "/Library/Application Support/JAMF/Receipts/Flag-DEV1"
exit 0
```

Have that policy update inventory.

Then create a smart group with the criterion "Packages Installed By Casper" is "Flag-DEV1".

Then scope all your DEV apps to that group.
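An added example (an editor's illustration, not jchurch's script) that generalizes the receipt-flag approach to one script for all roles. One policy per role works, but a user who changes role ends up with two Flag-* receipts and lands in both smart groups, so this version takes the role from Jamf's script parameter 4, checks it against an allow-list before it becomes part of a filename under the root-owned receipts folder, and replaces any earlier flag. Inventory update is left to the policy, as in the post. The flag prefix, the role list and the parameter-4 convention on the policy are assumptions for the example.

```bash
#!/bin/sh
# Added example, not jchurch's script. One flag per role works, but a role
# change then leaves two Flag-* receipts and the Mac lands in both smart
# groups. This script takes the role from Jamf script parameter $4 (set on the
# policy), validates it, replaces any earlier flag and leaves the inventory
# update to the policy's Maintenance payload. Prefix and role list are assumed.
set -u

RECEIPTS="/Library/Application Support/JAMF/Receipts"   # Jamf's receipts folder
PREFIX="Flag-"                                           # assumed naming convention
ALLOWED="DEV1 DEV2 QA1 QA2 QA3 IT1 IT2 ACC1 SOPS1 FA1 DS1 MA1 PM1 HR1"   # assumed

# known_role ROLE: exact allow-list match. The role becomes part of a filename
# under a root-owned directory, so anything outside [A-Za-z0-9-] (spaces,
# "../", an empty string) is rejected before the list is even consulted.
known_role() {
    case "$1" in ""|*[!A-Za-z0-9-]*) return 1 ;; esac
    case " $ALLOWED " in *" $1 "*) return 0 ;; esac
    return 1
}

# set_role_flag DIR ROLE: remove every other PREFIX* receipt in DIR, create
# PREFIX<ROLE>, and print its path. Fails without touching DIR on a bad role.
set_role_flag() {
    local dir="$1" role="$2" f
    known_role "$role" || return 1
    for f in "$dir/$PREFIX"*; do
        [ -e "$f" ] || continue                 # pattern matched nothing
        [ "$f" = "$dir/$PREFIX$role" ] || rm -f "$f"
    done
    touch "$dir/$PREFIX$role" && printf '%s\n' "$dir/$PREFIX$role"
}

# current_role DIR: print the role of the one flag present; status 1 if none,
# 2 if more than one (the stale-flag condition this script exists to avoid).
current_role() {
    local dir="$1" found="" f
    for f in "$dir/$PREFIX"*; do
        [ -e "$f" ] || continue
        [ -z "$found" ] || return 2
        found="${f##*/$PREFIX}"
    done
    [ -n "$found" ] && printf '%s\n' "$found"
}

# Jamf hands policy script parameters to the script starting at $4.
if [ -n "${4:-}" ]; then
    set_role_flag "$RECEIPTS" "$4" || { echo "unknown role: $4" >&2; exit 1; }
fi
```

The flag names must match the smart-group criteria exactly, which is the other reason to keep the allow-list in one place: a typo in a policy parameter then fails loudly in the policy log instead of silently creating a receipt no smart group will ever match.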

bradtchapman
Valued Contributor II

I transcribed this into a code block and changed your hardcoded path to a variable for consistency. There is inconsistent use of /full/paths/to/binaries, but they're all within the exported PATH variable, so you should be safe. I also replaced the "loggedInUser" population method with a native Bash varietal.

Also, I fixed the following issues:

  • loggedInUID needed to be wrapped in $(dollar parentheses)
  • when running sudo -u UID, the # needs to be escaped with a backslash. This is explained in the man page for sudo.

```bash
#!/bin/bash

# Launch Agent that runs the role prompt in the user's session.
# launchd requires the plist to be root-owned and not world-writable.
cat > /Library/LaunchAgents/com.SF.roleid.plist << 'ENDSCRIPT'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>StartInterval</key>
    <integer>10</integer>
    <key>RunAtLoad</key>
    <true/>
    <key>Label</key>
    <string>com.SF.roleid.plist</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/Application Support/SF/roleid.launch.sh</string>
    </array>
</dict>
</plist>
ENDSCRIPT

chmod 644 /Library/LaunchAgents/com.SF.roleid.plist
/usr/sbin/chown root:wheel /Library/LaunchAgents/com.SF.roleid.plist

SFdir="/Library/Application Support/SF"

if [ ! -d "$SFdir" ]; then
    mkdir "$SFdir"
fi

touch "$SFdir"

chown -R root:wheel "$SFdir"

# The script the Launch Agent runs as the logged-in user.
/bin/cat > "$SFdir"/roleid.launch.sh << 'ENDSCRIPT'
#!/bin/bash
loggedInUser=$(ls -l /dev/console | awk '{ print $3 }')
doneFile="/Users/Shared/.roleid"

# Check if User is on desktop (Finder process exists)
function finderRunning
{
    /usr/bin/pgrep Finder && return 0 || return 1
}

# Check if User is in control (not _mbsetupuser)
# doneFile does not exist
if finderRunning && [[ "$loggedInUser" != "_mbsetupuser" ]] && [[ ! -f "${doneFile}" ]]
then
    roleID=$(osascript -e 'tell application "SystemUIServer" to choose from list {"DEV-1","DEV-2","QA-1","QA-2","QA-3","IT-1","IT-2","ACC-1","SOPS-1","FA-1","DS-1","MA-1","PM-1","HR-1"}')
    touch "$doneFile"
    # The jamf binary is /usr/local/bin/jamf (a symlink into /usr/local/jamf/bin).
    /usr/local/bin/jamf recon -department "$roleID"
fi

exit 0
ENDSCRIPT

chmod +x "$SFdir"
chmod +x "$SFdir"/roleid.launch.sh

loggedInUser=$(ls -l /dev/console | awk '{ print $3 }')
loggedInUID=$(id -u "${loggedInUser}")

if [[ ${loggedInUID} -gt 500 ]]; then
    echo "Launching RoleID for user ${loggedInUID}…"
    # sudo -u \#UID runs as that numeric UID; launchctl service targets use the Label.
    sudo -u \#${loggedInUID} launchctl enable gui/${loggedInUID}/com.SF.roleid.plist
    sudo -u \#${loggedInUID} launchctl bootstrap gui/${loggedInUID}/ /Library/LaunchAgents/com.SF.roleid.plist
fi

sleep 30
sudo -u \#${loggedInUID} launchctl unload /Library/LaunchAgents/com.SF.roleid.plist

exit 0
```

bradtchapman
Valued Contributor II

@huysf: Please see my post.