Solved

Script fails from every15 trigger but works from Self Service?

  • September 27, 2013

We have a script we've been testing that removes a bad wi-fi entry from the keychain of the local user. When this runs on the every15 trigger set in the JSS policy, the logs state the keychain entry doesn't exist.

However, if we go to the computer and run the script from Self Service (separate policy, set to just run from SS), it works perfectly! It removes the entry, shows this in the logs and fixes their issues.

I feel like I'm missing something really simple but I could sure use advice!

- Brandon

Best answer by mm2270, September 27, 2013

Self Service, I believe, will run the script as the user, but with elevated privileges. Normal policies don't, so in your every15 policy, it would be trying to affect the root account's keychain entry, which probably doesn't exist, hence the error.

In your script, get the logged in user account (and if needed, the path to their home directory) and use that in the script as to what keychain to affect.

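```sh
#!/bin/sh

## Owner of /dev/console is the user logged in at the GUI
loggedInUser=$( ls -l /dev/console | awk '{print $3}' )
userHome=$( dscl . read "/Users/$loggedInUser" NFSHomeDirectory | awk '{print $NF}' )

## Now your command here ([options] is a placeholder; the keychain is a
## trailing argument to delete-generic-password, not a -keychain flag)
security delete-generic-password [options] "$userHome/Library/Keychains/login.keychain"
```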

Or whatever it is you need to do. Above is just an example.
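
An added example, not part of mm2270's answer or the original thread: the same approach with a guard that skips the run when the console owner is empty or root (as at the login window), so a root-run policy never falls back to root's own keychain. The function names are hypothetical, and the keychain path is the one used in the answer.

```sh
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Owner of the console device, i.e. the user at the GUI session.
# $1 overrides the device path (assumption: useful for testing off a Mac).
console_user() {
    ls -ld "${1:-/dev/console}" | awk '{print $3}'
}

# Read `dscl . read /Users/<user> NFSHomeDirectory` output on stdin and
# print the path. sed keeps the whole remainder, so spaces in it survive.
parse_home() {
    sed -n 's/^NFSHomeDirectory: *//p'
}

# Print the login keychain for user $1 with home $2, or return 1 when the
# script should skip: no console user, root at the console (login window),
# or no keychain file where the answer's path says it should be.
target_keychain() {
    case "$1" in
        ""|root) return 1 ;;
    esac
    kc="$2/Library/Keychains/login.keychain"
    [ -n "$2" ] && [ -f "$kc" ] || return 1
    printf '%s\n' "$kc"
}

# Runs only where dscl exists (a Mac); it reports the target and deletes nothing.
if command -v dscl >/dev/null 2>&1; then
    user=$(console_user)
    home=$(dscl . read "/Users/$user" NFSHomeDirectory 2>/dev/null | parse_home)
    if kc=$(target_keychain "$user" "$home"); then
        echo "keychain to pass to the security command: $kc"
    else
        echo "no console user keychain found, skipping" >&2
    fi
fi
```
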
