Is it still the case that there is no way of allowing Location Services for a specific app, for non admin users? I don’t see a PPPC option for it, and it’s been stated that this is impossible in the past.
Zoom soft-phone client wants location services enabled for 911 call routing. Users don’t have admin rights.
I've seen someone say the below works for Big Sur, but even then I believe that just enables the general Apple location services, and not specifically for an app in particular.
#!/bin/sh
sudo /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -int 1
sudo /usr/bin/defaults write /Library/Preferences/com.apple.timezone.auto Active -bool true
I need Location Services checked for Zoom specifically.
I recently got this working for Zoom. Many thanks to @williamaddis and @bmcintire for doing the heavy lifting. It saved me a ton of time.
I'll confirm that this only works if Zoom is installed via the IT Admin installer: https://amherstcollege.zoom.us/client/5.16.10.25689/ZoomInstallerIT.pkg
If Zoom was installed using the standard Zoom client, I saw the same behavior that @bmcintire was reporting. I only tested up to macOS 14.1.2 though, so I suppose there could be an additional issue with 14.2+.
Simply writing over the original Zoom client with the ZoomInstallerIT.pkg seems to solve the problem, no need to uninstall first.
- Chris
Awesome, thanks for the update. Glad it was helpful!
Actually yes, Sonoma brought about some interesting changes to the format of the plist, including adding an "i" to the beginning, lol. So it's icom.microsoft.teams2, for example. I've updated the script since it was originally posted to now recursively handle all Teams instances ("classic" teams and "new" teams). The extension attribute has been updated as well to simply show the true/false values for any Teams instance on the machine so you can basically just create a smart group based on if the extension attribute contains "false" and then have the location enable script automated to run on those.
#!/bin/bash
####################################################################################################
# DESC: When the script runs, it will make a copy of the existing location services
# /var/db/locationd/clients.plist to be used in case a revert is needed. Following, we swap 0's
# to 1's within the clients.plist for Teams and Teams helper to enable them.
# REFS: N/A
#
# HISTORY
# - v.1.5 Bill Addis, Sep 15, 2023: Added for loop to update all Teams location entries (old Teams and new)
# - v.1.6 Bill Addis, Oct 23, 2023: Added support for Sonoma. Updated script to loop for all Teams versions
####################################################################################################
# Set line debugging
PS4='Line ${LINENO}: '
# Echo mount point in Jamf
echo "$1"
# Is location services enabled?
location_enabled=$(sudo -u "_locationd" defaults -currentHost read "/var/db/locationd/Library/Preferences/ByHost/com.apple.locationd" LocationServicesEnabled)
if [[ "$location_enabled" = "1" ]]; then
    echo ""
    echo "Location Services are enabled, moving on..."
    echo ""
else
    echo ""
    echo "Location Services disabled. Enabling them..."
    jamf policy -event location
    sleep 3
    location_enabled=$(sudo -u "_locationd" defaults -currentHost read "/var/db/locationd/Library/Preferences/ByHost/com.apple.locationd" LocationServicesEnabled)
    # Anything other than 1 (including an empty read) means the service is still off
    if [[ "$location_enabled" != "1" ]]; then
        echo "Unable to enable location services...exiting"
        exit 1
    fi
fi
# Does the clients.plist exist?
echo "Current contents of /var/db/locationd directory:"
echo "$(ls /var/db/locationd)"
osVers=$(sw_vers -productVersion)
echo "macOS $osVers currently installed."
if [[ "$osVers" == *12* ]] ; then
    echo "Executing for macOS 12 Monterey..."
    clients="/var/db/locationd/clients.plist"
    if [[ -f "$clients" ]]; then
        echo "$clients already exists! Moving on..."
        echo ""
        echo "Current key values for teams app and teams helper:"
        echo $(/usr/libexec/PlistBuddy -c "Print :com.microsoft.teams" "$clients")
        echo ""
        echo $(/usr/libexec/PlistBuddy -c "Print :com.microsoft.teams.helper" "$clients")
        echo ""
        echo "================================="
        # Create a backup of the existing client location services file
        cp "$clients" /var/db/locationd/clients.BAK
        # Create an extra working backup
        cp "$clients" /private/var/tmp/
        # Convert our working backup client plist to xml for editing
        plutil -convert xml1 /private/var/tmp/clients.plist
        # Use Plist Buddy to mark-up client plist, enabling Teams' location services
        /usr/libexec/PlistBuddy -c "Set :com.microsoft.teams:Authorized true" /private/var/tmp/clients.plist
        # Keep the return code of the last command so it can be reported below
        result=$?
        if [[ "$result" = "1" ]]; then
            echo "Authorized key seems to be missing...re-adding the key"
            /usr/libexec/PlistBuddy -c "Add :com.microsoft.teams:Authorized bool true" /private/var/tmp/clients.plist
            result=$?
            echo "Adding 'authorized' key for Teams app location services returned: $result"
            #/usr/libexec/PlistBuddy -c "Set :com.microsoft.teams:Authorized true" /private/var/tmp/clients.plist
        fi
        echo "Setting Teams app location services returned: $result"
        /usr/libexec/PlistBuddy -c "Set :com.microsoft.teams.helper:Authorized true" /private/var/tmp/clients.plist
        # Keep the return code of the last command so it can be reported below
        result=$?
        if [[ "$result" = "1" ]]; then
            echo "Authorized key seems to be missing...re-adding the key"
            /usr/libexec/PlistBuddy -c "Add :com.microsoft.teams.helper:Authorized bool true" /private/var/tmp/clients.plist
            result=$?
            echo "Adding 'authorized' key for Teams helper location services returned: $result"
            #/usr/libexec/PlistBuddy -c "Set :com.microsoft.teams.helper:Authorized true" /private/var/tmp/clients.plist
        fi
        echo "Enabling Teams helper location services returned: $result"
        # Convert back to binary
        plutil -convert binary1 /private/var/tmp/clients.plist
        # Put the updated client plist into appropriate dir
        cp /private/var/tmp/clients.plist "$clients"
        # Kill and restart the location services daemon and remove our temp file
        killall locationd
        rm /private/var/tmp/clients.plist
    else
        echo "$clients does not exist...exiting"
        exit 1
    fi
elif [[ "$osVers" == *13* ]] ; then
    echo "Executing for macOS 13 Ventura..."
    clients="/var/db/locationd/clients.plist"
    if [[ -f "$clients" ]]; then
        echo "$clients already exists! Moving on..."
        echo ""
        # Create a backup of the existing client location services file
        cp "$clients" /var/db/locationd/clients.BAK
        # Create an extra working backup
        cp "$clients" /private/var/tmp/
        # Convert our working backup client plist to xml for editing
        plutil -convert xml1 /private/var/tmp/clients.plist
        count=1
        for i in $(/usr/libexec/PlistBuddy -c "Print" /private/var/tmp/clients.plist | grep :com.microsoft.teams | awk -F '=Dict{' '{gsub(/ /,"");gsub(":","\\\\:");print $1}');
        do
            echo "Current key value for key$count:"
            echo $(/usr/libexec/PlistBuddy -c "Print $i" "$clients")
            # Use Plist Buddy to mark-up client plist, enabling Teams location services
            /usr/libexec/PlistBuddy -c "Set :$i:Authorized true" /private/var/tmp/clients.plist
            # Keep the return code of the last command so it can be reported below
            result=$?
            if [[ "$result" = "1" ]]; then
                echo "Authorized key seems to be missing...re-adding the key"
                /usr/libexec/PlistBuddy -c "Add :$i:Authorized bool true" /private/var/tmp/clients.plist
                result=$?
                echo "Adding 'authorized' key for $i location services returned: $result"
            fi
            echo "Setting $i location services returned: $result"
            echo ""
            ((count=count+1))
        done
        # Convert back to binary
        plutil -convert binary1 /private/var/tmp/clients.plist
        # Put the updated client plist into appropriate dir
        cp /private/var/tmp/clients.plist "$clients"
        # Kill and restart the location services daemon and remove our temp file
        killall locationd
        rm /private/var/tmp/clients.plist
    else
        echo "$clients does not exist...exiting"
        exit 1
    fi
elif [[ "$osVers" == *14* ]] ; then
    echo "Executing for macOS 14 Sonoma..."
    clients="/var/db/locationd/clients.plist"
    if [[ -f "$clients" ]]; then
        echo "$clients already exists! Moving on..."
        echo ""
        # Create a backup of the existing client location services file
        cp "$clients" /var/db/locationd/clients.BAK
        # Create an extra working backup
        cp "$clients" /private/var/tmp/
        # Convert our working backup client plist to xml for editing
        plutil -convert xml1 /private/var/tmp/clients.plist
        count=1
        for i in $(/usr/libexec/PlistBuddy -c "Print" /private/var/tmp/clients.plist | grep -a :icom.microsoft.teams | awk -F '=Dict{' '{gsub(/ /,"");gsub(":","\\\\:");print $1}' | sed "s/..$//");
        do
            echo "Current key value for key$count:"
            echo $(/usr/libexec/PlistBuddy -c "Print $i" "$clients")
            # Use Plist Buddy to mark-up client plist, enabling Teams location services
            /usr/libexec/PlistBuddy -c "Set :$i\\::Authorized true" /private/var/tmp/clients.plist
            # Keep the return code of the last command so it can be reported below
            result=$?
            if [[ "$result" = "1" ]]; then
                echo "Authorized key seems to be missing...re-adding the key"
                /usr/libexec/PlistBuddy -c "Add :$i\\::Authorized bool true" /private/var/tmp/clients.plist
                result=$?
                echo "Adding 'authorized' key for $i location services returned: $result"
            fi
            echo "Setting $i location services returned: $result"
            echo ""
            ((count=count+1))
        done
        # Convert back to binary
        plutil -convert binary1 /private/var/tmp/clients.plist
        # Put the updated client plist into appropriate dir
        cp /private/var/tmp/clients.plist "$clients"
        # Kill and restart the location services daemon and remove our temp file
        killall locationd
        #rm /private/var/tmp/clients.plist
    else
        echo "$clients does not exist...exiting"
        exit 1
    fi
fi
# Display the final return code
exit $?
And here is the updated extension attribute:
#!/bin/bash
# Force the script to quit if any error encountered
set -e
osVers=$(sw_vers -productVersion)
# Initialize array variable to hold the authorization value of each matching key
list=()
NL=$'\n'
if [[ "$osVers" == *13* ]] ; then
    echo "Executing for macOS 13 Ventura..."
    for i in $(/usr/libexec/PlistBuddy -c "Print" /var/db/locationd/clients.plist | grep :com.microsoft.teams | awk -F '=Dict{' '{gsub(/ /,"");gsub(":","\\\\:");print $1}'); do
        keyName=$(echo "$i" | awk -v FS=: '{print $2}')
        authValue=$(/usr/libexec/PlistBuddy -c "Print :$i:Authorized" /var/db/locationd/clients.plist)
        list+=("$keyName: $authValue${NL}")
    done
elif [[ "$osVers" == *14* ]] ; then
    echo "Executing for macOS 14 Sonoma..."
    for i in $(/usr/libexec/PlistBuddy -c "Print" /private/var/tmp/clients.plist | grep -a :icom.microsoft.teams | awk -F '=Dict{' '{gsub(/ /,"");gsub(":","\\\\:");print $1}' | sed "s/..$//"); do
        keyName=$(echo "$i" | awk -v FS=: '{print $2}')
        authValue=$(/usr/libexec/PlistBuddy -c "Print :$i\\::Authorized" /var/db/locationd/clients.plist)
        list+=("$keyName: $authValue${NL}")
    done
fi
# Print all items in the list array
/bin/echo "<result>${list[@]}</result>"
I made some quick edits to your fantastic approach just to make it more generic (in case anyone is interested in that).
Thank you very much for the effort!
#!/bin/bash
####################################################################################################
# DESC: When the script runs, it will make a copy of the existing location services
# /var/db/locationd/clients.plist to be used in case a revert is needed. Following, we swap 0's
# to 1's within the clients.plist for the chosen app to enable it.
# REFS: N/A
#
# Author: Bill Addis
#
# HISTORY
# - v.0.0: discovery of appropriate directories and files for manipulation
# - v.1.0: initial script upload
# - v.1.1: added additional logging, as well as error checking to ensure the plist exists before manipulation
# - v.1.1: discovered+fixed a bug where if an end-user manually DISABLES Teams from using location services, the "authorized key" disappears and cannot be set
# - v.1.2: Adding an initial check at the top to see if location services for MacOS are enabled
# - v.1.3: Updated to account for changes in macOS Ventura
# - v.1.5 Bill Addis, Sep 15, 2023: Added for loop to update all Teams location entries (old Teams and new)
# - v.1.6 Bill Addis, Oct 23, 2023: Added support for Sonoma. Updated script to loop for all Teams versions
# - v.1.7: Julian Ortega, Dec 20, 2023: Updated to work for generic apps instead of MS Teams
####################################################################################################
scriptVersion="2023.12.2"
scriptLog="${4:-"/var/log/com.jamf.appLocationServices.log"}"
appName="${5:-"Google Chrome"}"
appIdentifier="${6:-"com.google.Chrome"}"
function updateScriptLog() {
    echo -e "$( date +%Y-%m-%d\ %H:%M:%S ) - ${1}" | tee -a "${scriptLog}"
}
# Make sure the log file exists before the first entry is written
if [[ ! -f "${scriptLog}" ]]; then
    touch "${scriptLog}"
fi
updateScriptLog "SCRIPT VERSION: $scriptVersion"
# Set line debugging
PS4='Line ${LINENO}: '
# updateScriptLog mount point in Jamf
updateScriptLog "$1"
# Is location services enabled?
location_enabled=$(sudo -u "_locationd" defaults -currentHost read "/var/db/locationd/Library/Preferences/ByHost/com.apple.locationd" LocationServicesEnabled)
if [[ "$location_enabled" = "1" ]]; then
    updateScriptLog "Location Services are enabled, moving on..."
else
    updateScriptLog "Location Services disabled. Enabling them..."
    # UPDATE THIS LINE TO ACTUALLY ENABLE LOCATION SERVICES
    jamf policy -event location
    sleep 3
    location_enabled=$(sudo -u "_locationd" defaults -currentHost read "/var/db/locationd/Library/Preferences/ByHost/com.apple.locationd" LocationServicesEnabled)
    # Anything other than 1 (including an empty read) means the service is still off
    if [[ "$location_enabled" != "1" ]]; then
        updateScriptLog "Unable to enable location services...exiting"
        exit 1
    fi
fi
# Does the clients.plist exist?
updateScriptLog "Current contents of /var/db/locationd directory:"
updateScriptLog "$(ls /var/db/locationd)"
osVers=$(sw_vers -productVersion)
updateScriptLog "macOS $osVers currently installed."
if [[ "$osVers" == *13* ]] ; then
    updateScriptLog "Executing for macOS Ventura..."
    clients="/var/db/locationd/clients.plist"
    if [[ -f "$clients" ]]; then
        key1=$(/usr/libexec/PlistBuddy -c "Print" /var/db/locationd/clients.plist | grep ":$appIdentifier" | awk -F '=Dict{' '{gsub(/ /,"");gsub(":","\\\\:");print $1}' | head -1)
        updateScriptLog "$clients already exists! Moving on..."
        updateScriptLog "Current key values for $appName app"
        updateScriptLog "$(/usr/libexec/PlistBuddy -c "Print $key1" "$clients")"
        updateScriptLog "================================="
        # Create a backup of the existing client location services file
        cp "$clients" /var/db/locationd/clients.BAK
        # Create an extra working backup
        cp "$clients" /private/var/tmp/
        # Convert our working backup client plist to xml for editing
        plutil -convert xml1 /private/var/tmp/clients.plist
        count=1
        for i in $(/usr/libexec/PlistBuddy -c "Print" /private/var/tmp/clients.plist | grep ":$appIdentifier" | awk -F '=Dict{' '{gsub(/ /,"");gsub(":","\\\\:");print $1}');
        do
            updateScriptLog "Current key value for key$count:"
            updateScriptLog "$(/usr/libexec/PlistBuddy -c "Print $i" "$clients")"
            # Use Plist Buddy to mark-up client plist, enabling app's location services
            /usr/libexec/PlistBuddy -c "Set :$i:Authorized true" /private/var/tmp/clients.plist
            # Keep the return code of the last command so it can be reported below
            result=$?
            if [[ "$result" = "1" ]]; then
                updateScriptLog "Authorized key seems to be missing...re-adding the key"
                /usr/libexec/PlistBuddy -c "Add :$i:Authorized bool true" /private/var/tmp/clients.plist
                result=$?
                updateScriptLog "Adding 'authorized' key for $i location services returned: $result"
            fi
            updateScriptLog "Setting $i location services returned: $result"
            ((count=count+1))
        done
        # Convert back to binary
        plutil -convert binary1 /private/var/tmp/clients.plist
        # Put the updated client plist into appropriate dir
        cp /private/var/tmp/clients.plist "$clients"
        # Kill and restart the location services daemon and remove our temp file
        killall locationd
        rm /private/var/tmp/clients.plist
    else
        updateScriptLog "$clients does not exist...exiting"
        exit 1
    fi
elif [[ "$osVers" == *12* ]] ; then
    updateScriptLog "Executing for macOS 12 or less..."
    clients="/var/db/locationd/clients.plist"
    if [[ -f "$clients" ]]; then
        updateScriptLog "$clients already exists! Moving on..."
        updateScriptLog "Current key values for $appName app:"
        updateScriptLog "$(/usr/libexec/PlistBuddy -c "Print :$appIdentifier" "$clients")"
        updateScriptLog "================================="
        # Create a backup of the existing client location services file
        cp "$clients" /var/db/locationd/clients.BAK
        # Create an extra working backup
        cp "$clients" /private/var/tmp/
        # Convert our working backup client plist to xml for editing
        plutil -convert xml1 /private/var/tmp/clients.plist
        # Use Plist Buddy to mark-up client plist, enabling app's location services
        # ($appIdentifier already carries its full prefix, e.g. com.google.Chrome)
        /usr/libexec/PlistBuddy -c "Set :$appIdentifier:Authorized true" /private/var/tmp/clients.plist
        # Keep the return code of the last command so it can be reported below
        result=$?
        if [[ "$result" = "1" ]]; then
            updateScriptLog "Authorized key seems to be missing...re-adding the key"
            /usr/libexec/PlistBuddy -c "Add :$appIdentifier:Authorized bool true" /private/var/tmp/clients.plist
            result=$?
            updateScriptLog "Adding 'authorized' key for $appName app location services returned: $result"
            #/usr/libexec/PlistBuddy -c "Set :$appIdentifier:Authorized true" /private/var/tmp/clients.plist
        fi
        updateScriptLog "Setting $appName app location services returned: $result"
        # Convert back to binary
        plutil -convert binary1 /private/var/tmp/clients.plist
        # Put the updated client plist into appropriate dir
        cp /private/var/tmp/clients.plist "$clients"
        # Kill and restart the location services daemon and remove our temp file
        killall locationd
        rm /private/var/tmp/clients.plist
    else
        updateScriptLog "$clients does not exist...exiting"
        exit 1
    fi
elif [[ "$osVers" == *14* ]] ; then
    updateScriptLog "Executing for macOS 14 Sonoma..."
    clients="/var/db/locationd/clients.plist"
    if [[ -f "$clients" ]]; then
        updateScriptLog "$clients already exists! Moving on..."
        # Create a backup of the existing client location services file
        cp "$clients" /var/db/locationd/clients.BAK
        # Create an extra working backup
        cp "$clients" /private/var/tmp/
        # Convert our working backup client plist to xml for editing
        plutil -convert xml1 /private/var/tmp/clients.plist
        count=1
        for i in $(/usr/libexec/PlistBuddy -c "Print" /private/var/tmp/clients.plist | grep -a ":i$appIdentifier" | awk -F '=Dict{' '{gsub(/ /,"");gsub(":","\\\\:");print $1}' | sed "s/..$//");
        do
            updateScriptLog "Current key value for key$count:"
            updateScriptLog "$(/usr/libexec/PlistBuddy -c "Print $i" "$clients")"
            # Use Plist Buddy to mark-up client plist, enabling app's location services
            /usr/libexec/PlistBuddy -c "Set :$i\\::Authorized true" /private/var/tmp/clients.plist
            # Keep the return code of the last command so it can be reported below
            result=$?
            if [[ "$result" = "1" ]]; then
                updateScriptLog "Authorized key seems to be missing...re-adding the key"
                /usr/libexec/PlistBuddy -c "Add :$i\\::Authorized bool true" /private/var/tmp/clients.plist
                result=$?
                updateScriptLog "Adding 'authorized' key for $i location services returned: $result"
            fi
            updateScriptLog "Setting $i location services returned: $result"
            ((count=count+1))
        done
        # Convert back to binary
        plutil -convert binary1 /private/var/tmp/clients.plist
        # Put the updated client plist into appropriate dir
        cp /private/var/tmp/clients.plist "$clients"
        # Kill and restart the location services daemon and remove our temp file
        killall locationd
        #rm /private/var/tmp/clients.plist
    else
        updateScriptLog "$clients does not exist...exiting"
        exit 1
    fi
fi
# Display the final return code
exit $?
I've managed to get a script going: should work to allow user to hit the Toggle for Zoom specifically to allow location services. I am stuck trying to piece it all together if there are any ideas?
#!/bin/bash
## Unload locationd
launchctl unload /System/Library/LaunchDaemons/com.apple.locationd.plist
## Write enabled value to locationd plist
sudo /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -int 1
## Fix Permissions for the locationd folder
chown -R _locationd:_locationd /var/db/locationd
## Reload locationd
launchctl load /System/Library/LaunchDaemons/com.apple.locationd.plist
exit 0
On a Sonoma 14.2.1 Mac I am getting the following error, I see some others have seen this error too, anyone have a solution?
cp: /var/db/locationd/clients.plist: Operation not permitted
Just noticed a typo in my Extension Attribute above. Here is the correct version:
#!/bin/bash
# Force the script to quit if any error encountered
set -e
osVers=$(sw_vers -productVersion)
# Initialize array variable to hold the authorization value of each matching key
list=()
NL=$'\n'
if [[ "$osVers" == *13* ]] ; then
    echo "Executing for macOS 13 Ventura..."
    for i in $(/usr/libexec/PlistBuddy -c "Print" /var/db/locationd/clients.plist | grep :com.microsoft.teams | awk -F '=Dict{' '{gsub(/ /,"");gsub(":","\\\\:");print $1}'); do
        keyName=$(echo "$i" | awk -v FS=: '{print $2}')
        authValue=$(/usr/libexec/PlistBuddy -c "Print :$i:Authorized" /var/db/locationd/clients.plist)
        list+=("$keyName: $authValue${NL}")
    done
elif [[ "$osVers" == *14* ]] ; then
    echo "Executing for macOS 14 Sonoma..."
    for i in $(/usr/libexec/PlistBuddy -c "Print" /var/db/locationd/clients.plist | grep -a :icom.microsoft.teams | awk -F '=Dict{' '{gsub(/ /,"");gsub(":","\\\\:");print $1}' | sed "s/..$//"); do
        keyName=$(echo "$i" | awk -v FS=: '{print $2}')
        authValue=$(/usr/libexec/PlistBuddy -c "Print :$i\\::Authorized" /var/db/locationd/clients.plist)
        list+=("$keyName: $authValue${NL}")
    done
fi
# Print all items in the list array
/bin/echo "<result>${list[@]}</result>"
Hi @williamaddis
Thank you for your great script and EA. A few questions:
- Do you post these on Github or anywhere else (for future updates)?
- Do you know if macOS 12 is different from macOS 13 for the EA? Currently the EA is only for macOS 13 and macOS 14.
- Just to make sure I understand correctly, version 1.6 is the latest and works for both MS Teams classic and MS Teams work or school? Will the script fail if one version (i.e. classic) is not installed?
Thank you again for your work!
On a Sonoma 14.2.1 Mac I am getting the following error, I see some others have seen this error too, anyone have a solution?
cp: /var/db/locationd/clients.plist: Operation not permitted
Just to be sure, are you running the script via Jamf and getting this error or are you running it locally with sudo?
I believe you have to run it through Jamf which runs as root, or give full disk access permission to Terminal as a workaround for running it locally.
I ran @williamaddis original script for Teams via Jamf and no issues. Same with the EA he has for it, when run through Jamf the data populates properly.
I am on macOS 14.3, M3 Max.
I've created a feature request to ask for this kind of auditing to be added
https://ideas.jamf.com/ideas/JPRO-I-196
This script can be repurposed for Zoom as well to force auto-enable location for the app, and the Extension attribute can also be tweaked to provide you inventory data on whether it's enabled or not. You would just have to update the proper value from /var/db/locationd/clients.plist related to Zoom.
I've been trying to use it, tweaked for Zoom and I've found the code for Sonoma doesn't work at all, it seems to only work for some clients on Ventura, and I have older versions of macOS I have to support as well. So while I'm working on tweaking this to see if I can get it working in my environment (and if I can I'm happy to post it here) asking for Jamf to add support for this seems like a reasonable thing to do.
@GeorgeCasper what issues are you seeing with Sonoma?
It never returns anything; if I run the script manually it detects the OS correctly but never generates any other output other than empty <result> tags.
How are you trying to call the script manually? If you're using Terminal you'd need to grant it FDA.
Yes, via a script I'm invoking in terminal. Terminal has the access needed. I get "Entry blahblahblah:ius.zoom.us", Does Not Exist when it does exist (as evidenced by running /$path/PListBuddy "Print" /$otherpath/clients.plist)
I've decided to view this as an opportunity to learn some python (rather than play games with grep/awk/sed), so don't worry about it.
I'm a total python novice, so there may be better ways to do what I do here, but this seems to work properly:
#!/Library/ManagedFrameworks/Python/Python3.framework/Versions/Current/bin/python3
# using MacAdmins Recommended Python package
import plistlib
# Load the plist file into a Python data structure
with open("/var/db/locationd/clients.plist", "rb") as plist_file:
    plist_data = plistlib.load(plist_file)
# Specify the key to search for
search_key = "us.zoom.xos"
# Iterate through the array and look for the key in each element
for element in plist_data:
    try:
        if search_key in plist_data[element]['BundleId']:
            # Key found, access the value
            value = plist_data[element]['Authorized']
            print("<result>{}</result>".format(value))
            quit()
    except KeyError:
        # It's possible to not have a BundleId, in which case we just carry on
        pass
print("<result>Zoom not found!</result>")
Note that it relies on python3, which means you'll need to have it deployed somehow; I used the MacAdmins python3 install. Also note that it'll almost certainly require Terminal to have Full Disk Access, in order to access the plist file. It also is showing you the permissions granted by the user logged in when recon was run, which may be misleading in multi-user per machine environments.
This code should be easily modifiable to check for Teams, Skype or whatever else you'd like - just look at the plist and figure out the BundleId of the application you're checking on.
Finally, this just checks to see if the app has Location Services permission - it does nothing to ensure Location Services itself is turned on! But that's easy to check on its own.
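Added example, not part of the post above or of the thread's scripts: the same plistlib check extended to report every clients.plist entry whose BundleId starts with a given prefix, and to tell a missing Authorized key (the case the v1.1 note in the script history describes, where a user switches the app off) apart from an explicit false. The function names, the default prefix and the sample entries are assumptions; the sample plist is constructed, not captured from a real Mac.

```python
#!/usr/bin/env python3
"""Audit Location Services authorization per app from clients.plist (added example)."""
import plistlib

CLIENTS_PLIST = "/var/db/locationd/clients.plist"  # path used throughout this thread
DEFAULT_PREFIX = "com.microsoft.teams"             # assumption: change per app


def audit_clients(plist_bytes, bundle_prefix):
    """Return sorted (bundle_id, state) pairs; state is 'true', 'false' or 'missing'."""
    data = plistlib.loads(plist_bytes)  # accepts binary and XML plists
    findings = []
    if not isinstance(data, dict):
        return findings
    for entry in data.values():
        if not isinstance(entry, dict):
            continue
        # Match on the BundleId value rather than the dictionary key, so the
        # key-name differences between macOS releases do not matter.
        bundle_id = entry.get("BundleId")
        if not isinstance(bundle_id, str) or not bundle_id.startswith(bundle_prefix):
            continue
        if "Authorized" not in entry:
            state = "missing"  # key absent: needs an Add, not a Set
        else:
            state = "true" if entry["Authorized"] else "false"
        findings.append((bundle_id, state))
    return sorted(findings)


def format_ea_result(findings):
    """Render findings in the <result> wrapper a Jamf extension attribute prints."""
    if not findings:
        return "<result>not found</result>"
    body = "\n".join(f"{bundle_id}: {state}" for bundle_id, state in findings)
    return f"<result>{body}</result>"


def sample_plist():
    """Constructed sample data: key names and values are illustrative only."""
    constructed = {
        "icom.microsoft.teams2:": {"BundleId": "com.microsoft.teams2", "Authorized": True},
        "icom.microsoft.teams:": {"BundleId": "com.microsoft.teams", "Authorized": False},
        # Entry with no Authorized key at all
        "icom.microsoft.teams.helper:": {"BundleId": "com.microsoft.teams.helper"},
        "ius.zoom.xos:": {"BundleId": "us.zoom.xos", "Authorized": True},
        # Entry with no BundleId: skipped instead of raising KeyError
        "example.no.bundle.id": {"Executable": "/usr/local/bin/example"},
    }
    return plistlib.dumps(constructed, fmt=plistlib.FMT_BINARY)


def main():
    try:
        with open(CLIENTS_PLIST, "rb") as handle:
            raw = handle.read()
    except OSError as exc:
        # Typical causes: not running as root, or the calling app lacks Full Disk Access
        print(f"<result>unreadable: {exc.strerror}</result>")
        return
    print(format_ea_result(audit_clients(raw, DEFAULT_PREFIX)))


if __name__ == "__main__":
    main()
```

A smart group can then match on "false" or "missing" instead of relying on an empty result.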
@williamaddis and @GeorgeCasper
I am looking to use a version of your approach to approve location services for a different app. (It would actually be to use Location Services for a python script being run via the MacAdmins Python3.)
Without having actually tried it, I feel this should work. However I have encountered a different but related issue which I was wondering if you or anyone else could answer.
By manually enabling location services currently, my python script via the MacAdmin Python3 is able to utilise Location Services when run as a user. If however my python script is run via root aka sudo then it fails saying Location Services has not been authorised.
This suggests either this permission is a per-user setting or perhaps more likely root is treated differently.
So anyone seen this and has anyone been able to allow root to use Location Services? (This would make life easier since as mentioned in this discussion JAMF uses root to run scripts.)
I would start by looking in /var/db/locationd/clients.plist to see how that script is listed in there. It'll probably have some com.whatever entry in there that you would want to look at changing in all the com.microsoft.teams entries in the original script. Just remember that if you are testing the script manually through Terminal or Coderunner, etc that those apps will need to have Full Disk Access granted in the Privacy & Security settings.
Hey Bill,
Is this and the accompanying script to enable Location Services for teams still the latest versions of your script?
I can't seem to get it to work on macOS 13.
Thank you.