What is your shell script calling on? Point being, are you using Dockutil?

If not, give it a whirl! - https://github.com/kcrawford/dockutil

Can absolutely recommend Dockutil! Really made a big difference for us!

I ran in to this as well through testing. I ended up canning the script and using Dockutil. Worth looking in to.

Yup! The script itself DOES call on dockutil. Having a difficult time getting it to work without user approval in Mojave. I've tried signing and whitelisting the script, turning it into an app and whitelist that... still no dice.

@bvanpeski I have no experience using the script locally, I would have to take a deep dive into your process. What I do have experience with, regarding dockutil, is running it directly from JAMF, are you at all able to trigger, run your process involving dockutil via the JAMF? Works flawlessly for my Mojave workflow.

have you tried using dockutil with outset? I run login docks under Mojave 10.4.3 at once and every frequency with no issues

@bvanpeski can you post then script?

You’ll likely have a “tell application Finder” block in their & you should be able to remove that.

Which means that you should not then be presented with the prompt.

@bentoms yup, we do have an osascript that has "tells application Finder" to set the background. I tried whitelisting using a profile to give bash/shell access to Finder, but no dice. Script is below. This is for the Guest User account as well, so it needs to be something that launches at every login since Guest settings get wiped out between reboots/logouts.

#!/bin/bash



# script to set dock icons & wallpaper based on user account



# ---------------------------------------------------------

#   Set all Variables

# ---------------------------------------------------------

#----- Get Computer Name

CompName=$(scutil --get ComputerName)



#----- Standards

script=$"Set User Account Icons "

now=$(date +"%m-%d-%Y %H:%M:%S")

Result=$?



#----- Debugging

#bash -x ./[script_name.sh] for detailed script output

#bash -n ./[script_name.sh] for syntax checking

set -u   # verbose error checking during execution



#----- Executables

mkdir=`which mkdir`

chown=`which chown`

chmod=`which chmod`

dockutil="/usr/local/bin/dockutil"



#----- User Account Variables

user=$(id -un)



#--- Set Logging

Log="/Users/$user/Library/Logs/"

if [ ! -d "${Log}" ];

then

    mkdir $Log

    chown $user:staff $Log

    chmod 777 $Log

fi

exec >> "${Log}"/Retail.SetDockIcons.log 2>&1



#----------------------------------------------------------

#  Timestamp

#----------------------------------------------------------

echo ""

echo "##### $script"

echo "##### $now"



#----------------------------------------------------------

#  Script

#----------------------------------------------------------



/usr/local/bin/dockutil --remove all --homeloc ~/Library/Preferences/com.apple.dock.plist

echo "All icons have been removed from the dock for all users" && echo ""



if [ $user = mobile ] ; then

        $dockutil --add /Applications/Tools.app  --homeloc ~/Library/Preferences/com.apple.dock.plist

        $dockutil --add /Applications --view grid --display folder  --homeloc ~/Library/Preferences/com.apple.dock.plist

        $dockutil --add /Applications/Utilities/ --view grid --display folder  --homeloc ~/Library/Preferences/com.apple.dock.plist

        $dockutil --add '~/Downloads' --view list --display folder  --homeloc ~/Library/Preferences/com.apple.dock.plist

        rm -f ~/Desktop/*

        osascript -e 'tell application "Finder" to set desktop picture to POSIX file "/Library/Desktop Pictures/iMacSyncBackground.jpg"'

    else

        $dockutil --add /Applications/Safari.app  --homeloc ~/Library/Preferences/com.apple.dock.plist

        $dockutil --add /Applications/Google Chrome.app  --homeloc ~/Library/Preferences/com.apple.dock.plist

        $dockutil --add /Applications/iTunes.app  --homeloc ~/Library/Preferences/com.apple.dock.plist

        $dockutil --add /Applications/VLC.app  --homeloc ~/Library/Preferences/com.apple.dock.plist

        $dockutil --add /Applications/Tools.app  --homeloc ~/Library/Preferences/com.apple.dock.plist

        $dockutil --add /Applications --view grid --display folder  --homeloc ~/Library/Preferences/com.apple.dock.plist

        $dockutil --add /Applications/Utilities/ --view grid --display folder  --homeloc ~/Library/Preferences/com.apple.dock.plist

        $dockutil --add '~/Downloads' --view list --display folder  --homeloc ~/Library/Preferences/com.apple.dock.plist

            #US Config for WFM and DTC Zero Alias for desktop

            if [[ "$CompName" = RTUS* ]] && [[ $user != sysadmin ]] ; then

                osascript -e 'tell application "Finder" to make new alias at (path to desktop folder) to file ((path to applications folder as text) & "WFM 8.0")'

                osascript -e 'tell application "Finder" to make new alias at (path to desktop folder) to file ((path to applications folder as text) & "Zero")'

            fi

        osascript -e 'tell application "Finder" to set desktop picture to POSIX file "/Library/Desktop Pictures/retailwallpaper.jpg"'

fi



$dockutil --add '~/Downloads' --view list --display folder  --homeloc ~/Library/Preferences/com.apple.dock.plist

echo "Changed Dock & Desktop Icons and Wallpaper for the $user User"



exit 0

Welp, this is still an utter mystery to me. I've done a shotgun whitelist approach to no avail including all variants of the script itself, sh, bash, osascript, etc. I took a look at the com.apple.TCC/tcc.db database before and after clicking the approval button manually, and by all accounts the config profile I've created in JAMF SHOULD allow this to work. Attaching a screenshot to show proof that what I have set up in the JAMF config should match the settings that are in that database when approved manually. I'll update here if I discover anything new.

Hey @bvanpeski I have a similar script that runs at first login that sets the Dock and a bunch of other fun stuff. I ended up code signing the script. I have a launch agent kick it off at login for users.

Here is a really good write up on how to codesign scripts: https://carlashley.com/2018/09/23/code-signing-scripts-for-pppc-whitelisting/

Something like this:

codesign -s "Developer ID Application: Company Name (AJU874DKSKK)" -i com.company.whatever /path/to/script/scriptname

I don't use the extension. I did this so I could drop the signed script into jamf's pppc utility and have it generate the "code requirements" for me. You can also grab the code requirements from the command line too. Hope this helps and maybe someone could clarify and provide a better workflow.

FYI: It has nothing to do with dock items. The issue lies with the following lines in the script:

osascript -e 'tell application "Finder" to set desktop picture to POSIX file "/Library/Desktop Pictures/iMacSyncBackground.jpg"'

osascript -e 'tell application "Finder" to make new alias at (path to desktop folder) to file ((path to applications folder as text) & "WFM 8.0")'

osascript -e 'tell application "Finder" to make new alias at (path to desktop folder) to file ((path to applications folder as text) & "Zero")'

osascript -e 'tell application "Finder" to set desktop picture to POSIX file "/Library/Desktop Pictures/retailwallpaper.jpg"'

If you commented those out, you would not see the warning.

As @ryan.ball and Mac Mule have both pointed out the issue is with the AppleScript. You don't need to use it for either instance.

Look into desktoppr to set the wallpaper.

I use something similar to this script to set the desktop picture

loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}' )

uid=$(id -u "$loggedInUser")



launchctl asuser "$uid" "$desktoppr" "$picturePath"

Aliases can be created with

ln -s /path/to/folder /path/to/alias

Yup! Code-signed the script, created a config profile to whitelist the newly-signed script, and all is well now. Thanks everyone!