Big Sur - Policy banner and Screensaver

walt
Contributor III

Is there any documentation or anyone find a way to deploy a Policy Banner and Screensaver in Big Sur?

• Prior to macOS 11 Big Sur, we used the following Policy Banner from Apple:
https://support.apple.com/en-us/HT202277

• We also have a company screensaver that is not working in our Big Sur testing, and I'm not sure whether something in the script (the image location or the script itself) needs adjusting for changes in macOS 11?

#!/bin/zsh
# Get the user logged into the console (stat is more robust than parsing ls output)
user=$(stat -f%Su /dev/console)

# Split the full product version. Big Sur reports 11.x, so the major number can
# no longer be assumed to be 10 and the second component alone is not enough
osVersion=$(sw_vers -productVersion)
osMajor=$(echo "$osVersion" | awk -F. '{print $1+0}')
osMinor=$(echo "$osVersion" | awk -F. '{print $2+0}')
osPatch=$(echo "$osVersion" | awk -F. '{print $3+0}')

sudo -u "$user" defaults -currentHost write com.apple.screensaver CleanExit -string "YES"
sudo -u "$user" defaults -currentHost write com.apple.screensaver PrefsVersion -int 100
sudo -u "$user" defaults -currentHost write com.apple.screensaver showClock -string "NO"
sudo -u "$user" defaults -currentHost write com.apple.screensaver idleTime -int 600

# The slideshow module moved to an .appex bundle in 10.14.2; 10.15 and macOS 11+ use the new path too
if [[ $osMajor -ge 11 ]] || [[ $osMajor -eq 10 && $osMinor -ge 15 ]] || [[ $osMajor -eq 10 && $osMinor -eq 14 && $osPatch -ge 2 ]]; then
        sudo -u "$user" defaults -currentHost write com.apple.screensaver moduleDict -dict moduleName -string "iLifeSlideshows" path -string "/System/Library/Frameworks/ScreenSaver.framework/PlugIns/iLifeSlideshows.appex" type -int 0
else
        sudo -u "$user" defaults -currentHost write com.apple.screensaver moduleDict -dict moduleName -string "iLifeSlideshows" path -string "/System/Library/Frameworks/ScreenSaver.framework/Resources/iLifeSlideshows.saver" type -int 0
fi

sudo -u "$user" defaults -currentHost write com.apple.screensaver tokenRemovalAction -int 0

sudo -u "$user" defaults -currentHost write com.apple.ScreenSaverPhotoChooser LastViewedPhotoPath -string ""
sudo -u "$user" defaults -currentHost write com.apple.ScreenSaverPhotoChooser SelectedFolderPath -string "/usr/local/CorporateScreenSaver/"
sudo -u "$user" defaults -currentHost write com.apple.ScreenSaverPhotoChooser SelectedSource -int 3

sudo -u "$user" defaults -currentHost write com.apple.ScreenSaver.iLifeSlideShows styleKey -string "Classic"

# Make cfprefsd drop its cache so the new values are picked up
killall -hup cfprefsd

mm2270
Legendary Contributor III

It could be that the sudo -u $user commands aren't working anymore. Those have been a little spotty in my experience, even going back a few major OS releases. I've been using the launchctl asuser method to run script commands as the user for some time now, but I haven't had a chance to test those with Big Sur yet, so I can't say if it fares any better than the sudo ones. I sure hope those still work OK, or a lot of stuff that I used to do will stop working in Big Sur (not that it would be any real surprise).

The other option is to write out a script to disk, and then have a LaunchAgent run the script instead of trying to run the script itself through Jamf.

This would be a good time to bring up that it would be super cool and awesome if Jamf came up with some way to flag a script to run as the local logged in user instead of root, for times when we need that to happen. I trust that they can find a good and secure way to do that. I hope they consider it for a future release.

bradtchapman
Valued Contributor II

Prior to 10.14 you could modify the User Template folder and every new user would get this setting automatically.

Is there no configuration profile payload for this? Why not a user level profile with custom plists?

sdagley
Esteemed Contributor II

@mm2270 You don't have a FR link for "Run script as logged in user" do you? I'd definitely Up Vote it if so.

mm2270
Legendary Contributor III

@sdagley Sadly, I don't believe there is an existing FR for that. Though there probably should be. The closest one I can locate is this one from @mvdbent - https://www.jamf.com/jamf-nation/feature-requests/5865/select-with-script-is-send-out-with-the-sudo-.... It's not exactly the same thing, but gets at the same idea, i.e., not always running a script as root.

Outside of this, I feel like @rtrouton mentioned this idea of Jamf using a LaunchAgent of their own to allow policy items to run as the current user in a thread, but I'm having trouble locating that now. Maybe he can chime in if he remembers where he mentioned it. Or if I manage to find it, I'll post it here. But I think it should be a formal FR so we can all vote on it.

Edit: Found it! It IS in fact a Feature Request, by Rich Trouton. You can find it here. Please upvote if you haven't already. Jamf needs to make this happen.
https://www.jamf.com/jamf-nation/feature-requests/3721/add-run-as-logged-in-user-options-in-casper-p...

walt
Contributor III

Interestingly enough, on a new Beta 7 to Beta 8 upgrade, the Policy Banner and Screensavers appear to be working. I don't know if it will continue to work or what changes there were, but I will certainly look into the above FR.

Would policies such as the policy banner and screensaver running as the user make a difference since these are loaded into /Library/Security/ and /usr/local folders respectively?

Appreciate the input and insight.

sdagley
Esteemed Contributor II

@mm2270 Thanks, vote added

MischaB
New Contributor II

@sdagley @mm2270 have a look at Argus' blog post. This will help you understand how you can run a script as the logged-in user. https://scriptingosx.com/2020/08/running-a-command-as-another-user/

sdagley
Esteemed Contributor II

@mvdbent I think the spirit of this request is that a Jamf provided option to run a script as the logged in user would be beneficial in at least a couple of ways:

1) It'd eliminate the confusion for new users about what context a script is going to be run in (I can't make an estimate on the number, but it seems to be a frequent topic of discussion on Jamf Nation).
2) By handing off the responsibility of running a script in user space to Jamf, if Apple did make a change to how that was done (as the OP suggested may be the case with Big Sur), it's one fix from Jamf to correct rather than every admin having to change every script in their environment which needed that.

mm2270
Legendary Contributor III

Seconding what @sdagley is stating. A lot of us know the intricate tricks out there to run scripts or specific commands as the currently logged in user. But as stated, given how much this comes up, it would really be a boon to the Jamf toolset if they provided a supported and standardized method for doing this, instead of each of us hacking together our own processes.
The blog post from Argus and the lengths they went to to build in a repeatable process for this is further evidence of how much something like this is needed in my opinion.

theilgaard
New Contributor

@Walt, I think you should look at the macOS version checking. Big Sur is 11.0.0, and not 10.15.x, so your Major and Minor will not work for too long (I know that Big Sur is also 10.16.x, so maybe that is why it suddenly works for you).

(Sorry I can't get a link to the profile—don't know how to do that).
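As an added example (not the thread's script and not code from the scriptingosx post), here are POSIX sh helpers that combine the two points raised above: theilgaard's note that the version check must treat 11.x as newer than 10.14.2, and the launchctl asuser approach mm2270 and MischaB mention for running the defaults writes as the console user. It assumes it runs as root (as a Jamf policy script does); the helper names and the 10.14.2 cutover are taken from the OP's script.

```shell
#!/bin/sh
# Added example, not the thread's script. Compares macOS versions numerically so
# Big Sur's "11.x" sorts after "10.14.2", and runs the defaults writes inside the
# console user's launchd session (launchctl asuser + sudo -u). Assumes root context.

# version_ge A B: exit 0 if dotted version A >= B, comparing component-wise.
version_ge() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; b=${v2%%.*}
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
        [ "${a:-0}" -gt "${b:-0}" ] && return 0
        [ "${a:-0}" -lt "${b:-0}" ] && return 1
    done
    return 0
}

# slideshow_module VERSION: path of the iLifeSlideshows module, which moved from
# a .saver bundle to an .appex in 10.14.2 (later releases keep the .appex path).
slideshow_module() {
    if version_ge "$1" 10.14.2; then
        echo "/System/Library/Frameworks/ScreenSaver.framework/PlugIns/iLifeSlideshows.appex"
    else
        echo "/System/Library/Frameworks/ScreenSaver.framework/Resources/iLifeSlideshows.saver"
    fi
}

# run_as_user CMD...: run CMD in the console user's launchd session with that
# user's privileges, so -currentHost defaults land in the user's ByHost domain.
run_as_user() {
    console_user=$(stat -f%Su /dev/console)
    case $console_user in ""|root|loginwindow) return 1 ;; esac
    launchctl asuser "$(id -u "$console_user")" sudo -u "$console_user" "$@"
}

main() {
    module=$(slideshow_module "$(sw_vers -productVersion)")
    run_as_user defaults -currentHost write com.apple.screensaver idleTime -int 600
    run_as_user defaults -currentHost write com.apple.screensaver moduleDict -dict \
        moduleName -string iLifeSlideshows path -string "$module" type -int 0
    run_as_user defaults -currentHost write com.apple.ScreenSaverPhotoChooser \
        SelectedFolderPath -string /usr/local/CorporateScreenSaver/
    run_as_user defaults -currentHost write com.apple.ScreenSaverPhotoChooser SelectedSource -int 3
    killall -hup cfprefsd
}

# Only apply settings on macOS as root; elsewhere the file just defines the helpers.
if [ "$(uname)" = Darwin ] && [ "$(id -u)" -eq 0 ]; then main; fi
```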