Posted on 09-20-2017 01:15 PM
We have a script which I'm attempting to run once a week via a launchd task. Launchd appears to be working normally, script launches, but at the end of the script it calls a JSS policy via a custom trigger. This portion of the script appears to be failing. If I run the script manually, it tells me "There was an error. This application must be run as root. Try the sudo command." Running with sudo produces the desired result.
What is the best practice in terms of having launchd execute the script with admin/root privileges?
My launch daemon plist is in /Library/LaunchDaemons, ownership set to root:wheel, -rw-r--r--
Script itself is located in /Library/Application Support/JAMF/Scripts, and similarly, root wheel -rwxr-xr-x
It appears that the "jamf -policy -event <trigger>" command in the script is where it is asking for sudo - what is the best way to make this run correctly when triggered by launchd?
Posted on 09-20-2017 01:29 PM
LaunchDaemons always run with root privileges. There's nothing to do to make that happen, so that isn't the reason it's failing. Plenty of us use LaunchDaemons to run root level tasks or scripts with root. In fact, the "Recurring Check-in" trigger is really just being run by one of the Jamf LaunchDaemons. It just calls /usr/local/jamf/bin/jamf policy -randomDelaySeconds <integer>
It's possible it's not working because the script itself doesn't use the full path to the jamf binary. Edit the script to either locate the path to the jamf binary, or just hardcode it in. Unload and reload the LaunchDaemon and try it again.
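The full-path approach suggested above, as an added example that is not part of the original posts or Jamf's own code. launchd starts jobs with a minimal PATH, so the script resolves the binary explicitly; the function names, the ownership/permission check and passing the trigger as the first argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: call the jamf binary by absolute path from a script that a
# LaunchDaemon runs as root. /usr/local/jamf/bin/jamf is the path given in
# the thread; resolve_binary and run_policy_event are hypothetical helpers.

# Print the first candidate that is an absolute path to a regular, executable
# file which neither group nor others can modify. Returns 1 if none qualifies.
resolve_binary() {
    for candidate in "$@"; do
        case "$candidate" in
            /*) ;;            # absolute paths only, never a PATH lookup
            *) continue ;;
        esac
        # Skip symlinks and anything that is not an executable regular file.
        if [ -L "$candidate" ] || [ ! -f "$candidate" ] || [ ! -x "$candidate" ]; then
            continue
        fi
        # A root daemon should not execute a file that non-root users can edit.
        if [ -n "$(find "$candidate" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            continue
        fi
        printf '%s\n' "$candidate"
        return 0
    done
    return 1
}

# Run a policy by custom trigger, failing loudly instead of hanging.
run_policy_event() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "error: must run as root (expected when launched by a LaunchDaemon)" >&2
        return 1
    fi
    if ! jamf_bin=$(resolve_binary /usr/local/jamf/bin/jamf); then
        echo "error: jamf binary missing or writable by non-root users" >&2
        return 1
    fi
    "$jamf_bin" policy -event "$1"
}

# Assumption: the custom trigger name is passed as the first argument,
# for example through ProgramArguments in the daemon's plist.
[ $# -eq 0 ] || run_policy_event "$1"
```
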
Posted on 09-20-2017 01:50 PM
I owe you one, again. Full path makes perfect sense, just hadn't occurred to me. I'll make the change and test.
Posted on 09-22-2017 07:11 AM
Apologies for the delay, but wanted to say "thanks again" @mm2270
"jamf policy -event <trigger>" hung the script every time, "/usr/local/jamf/bin/jamf policy -event <trigger>" works exactly as intended.