Hello Everyone,

I know I have seen this discussion in the past but I haven't seen an answer that works for us.

We have our Jamf Helper configured and it works while a user is logged in. Is there a way or command to get the Jamf Helper window to appear over the login window?

If someone has a tried and true method you wouldn't mind sharing, I would love to see it. I know some have used a launch agent, but I am not well versed in launch agents. If you wouldn't mind sharing with me your steps, I can work to reproduce.

Thank you so much!!

Page 1 / 2

Using a script to write a launch agent that launches jamfHelper works pretty well. Here's an example.

#!/bin/bash

rm /private/tmp/splash_screen.sh
rm /Library/LaunchAgents/ORG.computer_setup.plist

#Write jamfHelper splash screen script
echo "#!/bin/bash" >> /private/tmp/splash_screen.sh
echo ""/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType fs -heading "My Organization" -description "Finishing Setup..." -icon "/private/tmp/ORG_Logo.png"" >> /private/tmp/splash_screen.sh
chmod +x /private/tmp/splash_screen.sh

#Write LaunchAgent to load jamfHelper script
defaults write /Library/LaunchAgents/ORG.computer_setup.plist Label "ORG.computer_setup"
defaults write /Library/LaunchAgents/ORG.computer_setup.plist LimitLoadToSessionType "LoginWindow"
defaults write /Library/LaunchAgents/ORG.computer_setup.plist ProgramArguments -array
defaults write /Library/LaunchAgents/ORG.computer_setup.plist KeepAlive -bool true
defaults write /Library/LaunchAgents/ORG.computer_setup.plist RunAtLoad -bool true
/usr/libexec/PlistBuddy -c "Add ProgramArguments: string /private/tmp/splash_screen.sh" /Library/LaunchAgents/ORG.computer_setup.plist

chown root:wheel  /Library/LaunchAgents/ORG.computer_setup.plist
chmod 644 /Library/LaunchAgents/ORG.computer_setup.plist
echo "Created Launch Agent to run jamfHelper"

#launchctl load /Library/LaunchAgents/ORG.computer_setup.plist

#Kill/restart the loginwindow process to load the LaunchAgent
echo "Ready to lock screen. Restarting loginwindow process..."
kill -9 $(ps axc | awk '/loginwindow/{print $1}')

@cbrewer thank you. When I attempt to use this. The login window will flash but re appear right away without displaying the jamf helper window. Am I missing something or is there something more I have to do?

This is a interesting idea.
Did you add any extra scripted items to your /private/tmp/splash_screen.sh ?

May give this a try, we are global, and trying to find ways to make the system inaccessible for X amount of minutes to assure a good image, and trickle down of scripts (date/time/set, cached files, etc.).

This can probably do the trick. Add my extra script commands into a .sh to run in the back ground.

@mconners were you successful in using this? or did the helper app continue not starting over the login window?

I've added some more complexity to the script above. I found that I needed to determine if a user is logged in. I also need to know if that user is _mbsetupuser. Here's what I'm currently using.

Edit: old script removed. See here for current version.

Wow! this is exactly what i'm looking for. Thanks @cbrewer

Glad it helped you out. I've pretty much entirely replaced my imaging process with this workflow and it's been pretty smooth.

@cbrewer Curious how you're deploying the ORG_Logo.png. That's a nice little touch. But not sure how to deploy it. As a package with the policy that calls the script?

@denmoff I run a Once per computer policy on Enrollment trigger that deploys a DMG package with the image and then runs this script. Just make sure the script is set to run after.

@cbrewer What part of this script actually tells the jamfhelper window to go away? I'm not seeing a kill command or unload of the launch agent in that code. How are you handling this?

@jon.mann

For my very last enrollment policy, I run a script that removes the splash_screen.sh script and the LaunchAgent. Then I reboot the machine.

#!/bin/bash

if [ -f /private/tmp/splash_screen.sh ];then
  echo "Removing /private/tmp/splash_screen.sh"
  rm /private/tmp/splash_screen.sh
fi
if [ -f /Library/LaunchAgents/ORG.computer_setup.plist ];then
  echo "Removing /Library/LaunchAgents/ORG.computer_setup.plist"
  rm /Library/LaunchAgents/ORG.computer_setup.plist
fi

Thanks @cbrewer Seeing some success doing the same but using this to kill instead of restart:

#!/bin/sh

if [ -f /private/tmp/splash_screen.sh ];then
  echo "Removing /private/tmp/splash_screen.sh"
  rm /private/tmp/splash_screen.sh
fi
if [ -f /Library/LaunchAgents/ORG.computer_setup.plist ];then
  echo "Removing /Library/LaunchAgents/ORG.computer_setup.plist"
  rm /Library/LaunchAgents/ORG.computer_setup.plist
fi

ps axco pid,command | grep jamfHelper | awk '{ print $1; }' | xargs kill -9

Any idea why the policy execution isn't showing in the logs? I put your script as a policy payload with a startup trigger. It works great but the log still says "pending", and so it runs again the next time I restart the computer. Or should I be running it a different way?

Thanks

@ktaylor25 I use this script with an enrollment trigger set to once per computer. You won't see results in the policy log until all of the enrollment policies at the bottom of script are finished. Maybe one of your other enrollment policies isn't finishing?

I've made quite a few changes to this script since I posted it in here. Notable changes are that I now wait for the _mbsetupuser account to be logged out before proceeding. I also disable the local admin account while enrollment policies are running and then re-enable it afterward. I'm also checking the OS version so I can do things different between 10.11 and 10.12+.

Edit: old script removed. See here for current version.

@cbrewer Are you running the following for your clean up script. I've tried it with a restart but the splash screen loads on the first boot

!/bin/bash

if [ -f /private/tmp/splash_screen.sh ];then echo "Removing /private/tmp/splash_screen.sh" rm /private/tmp/splash_screen.sh
fi
if [ -f /Library/LaunchAgents/ORG.computer_setup.plist ];then echo "Removing /Library/LaunchAgents/ORG.computer_setup.plist" rm /Library/LaunchAgents/ORG.computer_setup.plist
fi

@a.simmons Yes - I'm running that script as the last part of my enrollment process (jamf policy -event enrollment_20). The enrollment_20 policy runs that cleanup script and then reboots. As long as the launchagent is removed, there shouldn't be any way that the splash screen will load again.

@cbrewer what jamf version are you on? Your clean up script worked correctly once I removed the reboot script. I was using your process last week with out any issues, upgraded to 10.6 now it seems the policy with the reboot script in to keeps looping. Not sure if its linked to the upgrade

@a.simmons I'm on 10.6 as well. Are you running these policies One per Computer? It sounds like either the launchagent isnt being removed or the policy to create the launchagent is running again.

Hi @cbrewer what a you using for your reboot command? I tested 'shutdown -r now' and that makes it restart, but thats causing the policy to loop. 'jamf reboot' didn't seem like it did anything.

Hello @a.simmons you could swap out the -r for -h for halt which shuts the system down.

Hi @mconners I want it to restart and be at the login screen.

@a.simmons I'm using the restart function that Jamf makes available for policies. Just set it to Current Startup Disk, Restart Immediately, Restart Immediately.

@cbrewer That worked. Thanks a lot for your assistance.

@cbrewer Have you tried or had any luck putting the LaunchAgent piece into a package then kicking it off in the Enrollment script versus hardcoding it in?

@captam3rica I prefer creating LaunchAgents with scripts. It's easy to manage. Plus, the way I'm using it, if there is a user logged in I'm able to exit the process without creating the LaunchAgent. You could package it up if you want - personal preference.

!/bin/bash

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded