Jamf Nation Community

That was actually my question as well...

Line 6 lists ..* as your JSS in the first log set, while in the second it is the default my.jss.com.

edited to remove the actual Jss.

@hkabik oh that's my bad, I modified the logs to take out my has server, missed one. But they both do go to the correct server

@iJake yes they are passing the same info/using same script... I tried to filter out the actual jss but missed that one :)

<bump>

Would you please post sanitized copies of both the script and LaunchDaemon you're using? That may help folks assess what's going on, and why it's not working when run via the LaunchDaemon.

@rtrouton Good call

in /Library/LaunchDeamons/com.company.caspercheck.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.company.caspercheck</string>
    <key>ProgramArguments</key>
    <array>
        <string>sh</string>
        <string>/Library/Scripts/CasperCheck.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>590400</integer>
</dict>
</plist>

then in /Library/Scripts/CasperCheck.sh

#!/bin/bash

#
# User-editable variables
#

# For the fileURL variable, put the complete address 
# of the zipped Casper QuickAdd installer package

fileURL="http://my.jss.com/QuickAdd.pkg.zip"

# For the jss_server_address variable, put the complete 
# fully qualified domain name address of your Casper server

jss_server_address="my.jss.com"

# For the jss_server_address variable, put the port number 
# of your Casper server. This is usually 8443; change as
# appropriate.

jss_server_port="8443"

# For the log_location variable, put the preferred 
# location of the log file for this script. If you 
# don't have a preference, using the default setting
# should be fine.

log_location="/var/log/caspercheck.log"

#
# The variables below this line should not need to be edited.
# Use caution if doing so. 
#

quickadd_dir="/var/root/quickadd"
quickadd_zip="/tmp/QuickAdd.pkg.zip"
quickadd_installer="$quickadd_dir/QuickAdd.pkg"
quickadd_timestamp="$quickadd_dir/quickadd_timestamp"

#
# Begin function section
# =======================
#

# Function to provide custom curl options
myCurl () { /usr/bin/curl -k --silent --retry 3 --show-error "$@" ; }

# Function to provide logging of the script's actions to
# the log file defined by the log_location variable

ScriptLogging(){

    DATE=`date +%Y-%m-%d %H:%M:%S`
    LOG="$log_location"

    echo "$DATE" " $1" >> $LOG
}

CheckForNetwork(){

# Determine if the network is up by looking for any non-loopback network interfaces.

    local test

    if [[ -z "${NETWORKUP:=}" ]]; then
        test=$(ifconfig -a inet 2>/dev/null | sed -n -e '/127.0.0.1/d' -e '/0.0.0.0/d' -e '/inet/p' | wc -l)
        if [[ "${test}" -gt 0 ]]; then
            NETWORKUP="-YES-"
        else
            NETWORKUP="-NO-"
        fi
    fi
}

CheckSiteNetwork (){

  #  CheckSiteNetwork function adapted from Facebook's check_corp function script.
  #  check_corp script available on Facebook's IT-CPE Github repo:
  #
  # check_corp:
  #   This script verifies a system is on the corporate network.
  #   Input: CORP_URL= set this to a hostname on your corp network
  #   Optional ($1) contains a parameter that is used for testing.
  #   Output: Returns a check_corp variable that will return "True" if on 
  #   corp network, "False" otherwise.
  #   If a parameter is passed ($1), the check_corp variable will return it
  #   This is useful for testing scripts where you want to force check_corp
  #   to be either "True" or "False"
  # USAGE: 
  #   check_corp        # No parameter passed
  #   check_corp "True"  # Parameter of "True" is passed and returned


  site_network="False"
  ping=`host -W .5 $jss_server_address`

  # If the ping fails - site_network="False"
  [[ $? -eq 0 ]] && site_network="True"

  # Check if we are using a test
  [[ -n "$1" ]] && site_network="$1"
}

#
# The update_quickadd function checks the timestamp of the fileURL variable and compares it against a locally
# cached timestamp. If the hosted file's timestamp is newer, then the Casper 
# QuickAdd installer gets downloaded and extracted into the target directory.
#
# This function uses the myCurl function defined at the top of the script.
#

update_quickadd () {

    # Get modification date of fileURL

    modDate=$(myCurl --head $fileURL 2>/dev/null | awk -F': ' '/Last-Modified/{print $2}')

    # Downloading Casper agent installer

    ScriptLogging "Downloading Casper agent installer from server."

  #  myCurl -L --output "$quickadd_zip" $fileURL
    curl -k --retry 3 -L -o /tmp/QuickAdd.pkg.zip http://my.jss.com/QuickAdd.pkg.zip

    # Check to make sure download occurred

    if [[ ! -f "$quickadd_zip" ]]; then
        ScriptLogging "$quickadd_zip not found. Exiting CasperCheck."
        ScriptLogging "======== CasperCheck Finished ========"
        exit 0
    fi

    # Verify that the downloaded zip file is a valid zip archive.

    zipfile_chk=`/usr/bin/unzip -tq $quickadd_zip > /dev/null; echo $?`

    if [ "$zipfile_chk" -eq 0 ]; then
       ScriptLogging "Downloaded zip file appears to be a valid zip archive. Proceeding."
    else
       ScriptLogging "Downloaded zip file appears to be corrupted. Exiting CasperCheck."
       ScriptLogging "======== CasperCheck Finished ========"
       rm "$quickadd_zip"
       exit 0
    fi

    # Create the destination directory if needed

    if [[ ! -d "$quickadd_dir" ]]; then
        mkdir "$quickadd_dir"
    fi

    # If needed, remove existing files from the destination directory

    if [[ -d "$quickadd_dir" ]]; then
        /bin/rm -rf "$quickadd_dir"/*
    fi

    # Unzip the Casper agent install into the destination directory
    # and remove the __MACOSX directory, which is created as part of
    # the uncompression process from the destination directory.

    /usr/bin/unzip "$quickadd_zip" -d "$quickadd_dir";/bin/rm -rf "$quickadd_dir"/__MACOSX

    # Rename newly-downloaded installer to be casper.pkg

    mv "$(/usr/bin/find $quickadd_dir -maxdepth 1 ( -iname *.pkg -o -iname *.mpkg ))" "$quickadd_installer"

    # Remove downloaded zip file
    if [[ -f "$quickadd_zip" ]]; then
        /bin/rm -rf "$quickadd_zip"
    fi

    # Add the quickadd_timestamp file to the destination directory. 
    # This file is used to help verify if the current Casper agent 
    # installer is already cached on the machine.

    if [[ ! -f "$quickadd_timestamp" ]]; then
        echo $modDate > "$quickadd_timestamp"
    fi   


}

CheckTomcat (){

# Verifies that the JSS's Tomcat service is responding via its assigned port.


tomcat_chk=`nc -z -w 5 $jss_server_address $jss_server_port > /dev/null; echo $?`

if [ "$tomcat_chk" -eq 0 ]; then
       ScriptLogging "Machine can connect to $jss_server_address over port $jss_server_port. Proceeding."
else
       ScriptLogging "Machine cannot connect to $jss_server_address over port $jss_server_port. Exiting CasperCheck."
       ScriptLogging "======== CasperCheck Finished ========"
       exit 0
fi

}

CheckInstaller (){

# Compare timestamps and update the Casper agent
# installer if needed.

    modDate=$(myCurl --head $fileURL 2>/dev/null | awk -F': ' '/Last-Modified/{print $2}')

if [[ -f "$quickadd_timestamp" ]]; then
    cachedDate=$(cat "$quickadd_timestamp")


    if [[ "$cachedDate" == "$modDate" ]]; then
        ScriptLogging "Current Casper installer already cached."
    else
        update_quickadd
    fi
else
    update_quickadd
fi

}

CheckBinary (){

# Identify location of jamf binary.
#
# If the jamf binary is not found, this check will return a
# null value. This null value is used by the CheckCasper
# function, in the "Checking for the jamf binary" section
# of the function.

jamf_binary=`/usr/bin/which jamf`

 if [[ "$jamf_binary" == "" ]] && [[ -e "/usr/sbin/jamf" ]] && [[ ! -e "/usr/local/bin/jamf" ]]; then
    jamf_binary="/usr/sbin/jamf"
 elif [[ "$jamf_binary" == "" ]] && [[ ! -e "/usr/sbin/jamf" ]] && [[ -e "/usr/local/bin/jamf" ]]; then
    jamf_binary="/usr/local/bin/jamf"
 elif [[ "$jamf_binary" == "" ]] && [[ -e "/usr/sbin/jamf" ]] && [[ -e "/usr/local/bin/jamf" ]]; then
    jamf_binary="/usr/local/bin/jamf"
 fi

}

InstallCasper () {

 # Check for the cached Casper QuickAdd installer and run it
 # to fix problems with Casper being able to communicate with
 # the Casper server

 if [[ ! -e "$quickadd_installer" ]] ; then
    ScriptLogging "Casper installer is missing. Downloading."
    /bin/rm -rf "$quickadd_timestamp"
    update_quickadd
 fi

  if [[ -e "$quickadd_installer" ]] ; then
    ScriptLogging "Casper installer is present. Installing."
    /usr/sbin/installer -dumplog -verbose -pkg "$quickadd_installer" -target /
    ScriptLogging "Casper agent has been installed."
 fi


}

CheckCasper () {

  #  CheckCasper function adapted from Facebook's jamf_verify.sh script.
  #  jamf_verify script available on Facebook's IT-CPE Github repo:
  #  Link: https://github.com/facebook/IT-CPE



  # Checking for the jamf binary
  CheckBinary
  if [[ "$jamf_binary" == "" ]]; then
    ScriptLogging "Casper's jamf binary is missing. It needs to be reinstalled."
    InstallCasper
    CheckBinary
  fi

  # Verifying Permissions
  /usr/bin/chflags noschg $jamf_binary
  /usr/bin/chflags nouchg $jamf_binary
  /usr/sbin/chown root:wheel $jamf_binary
  /bin/chmod 755 $jamf_binary

  # Verifies that the JSS is responding to a communication query 
  # by the Casper agent. If the communication check returns a result
  # of anything greater than zero, the communication check has failed.
  # If the communication check fails, reinstall the Casper agent using
  # the cached installer.


  jss_comm_chk=`$jamf_binary checkJSSConnection > /dev/null; echo $?`

  if [[ "$jss_comm_chk" -eq 0 ]]; then
       ScriptLogging "Machine can connect to the JSS on $jss_server_address."
  elif [[ "$jss_comm_chk" -gt 0 ]]; then
       ScriptLogging "Machine cannot connect to the JSS on $jss_server_address."
       ScriptLogging "Reinstalling Casper agent to fix problem of Casper not being able to communicate with the JSS."
       InstallCasper
       CheckBinary
  fi

  # Checking if machine can run a manual trigger
  # This section will need to be edited if the policy
  # being triggered has different options than the policy
  # described below:
  #
  # Trigger: iscasperup
  # Plan: Run Script iscasperonline.sh
  # 
  # The iscasperonline.sh script contains the following:
  #
  # | #!/bin/sh
  # |
  # | echo "up"
  # |
  # | exit 0
  #


  jamf_policy_chk=`$jamf_binary policy -trigger iscasperup | grep "Script result: up"`

  # If the machine can run the specified policy, exit the script.

  if [[ -n "$jamf_policy_chk" ]]; then
    ScriptLogging "Casper enabled and able to run policies"

  # If the machine cannot run the specified policy, 
  # reinstall the Casper agent using the cached installer.

  elif [[ ! -n "$jamf_policy_chk" ]]; then
    ScriptLogging "Reinstalling Casper agent to fix problem of Casper not being able to run policies"
    InstallCasper
    CheckBinary
  fi


}

#
# End function section
# ====================
#

# The functions and variables defined above are used
# by the section below to check if the network connection
# is live, if the machine is on a network where
# the Casper JSS is accessible, and if the Casper agent on the
# machine can contact the JSS and run a policy.
#
# If the Casper agent on the machine cannot run a policy, the appropriate
# functions run and repair the Casper agent on the machine.
#

ScriptLogging "======== Starting CasperCheck ========"

# Wait up to 60 minutes for a network connection to become 
# available which doesn't use a loopback address. This 
# condition which may occur if this script is run by a 
# LaunchDaemon at boot time.
#
# The network connection check will occur every 5 seconds
# until the 60 minute limit is reached.


ScriptLogging "Checking for active network connection."
CheckForNetwork
i=1
while [[ "${NETWORKUP}" != "-YES-" ]] && [[ $i -ne 720 ]]
do
    sleep 5
    NETWORKUP=
    CheckForNetwork
    echo $i
    i=$(( $i + 1 ))
done

# If no network connection is found within 60 minutes,
# the script will exit.

if [[ "${NETWORKUP}" != "-YES-" ]]; then
   ScriptLogging "Network connection appears to be offline. Exiting CasperCheck."
fi


if [[ "${NETWORKUP}" == "-YES-" ]]; then
   ScriptLogging "Network connection appears to be live."

  # Sleeping for 120 seconds to give WiFi time to come online.
  ScriptLogging "Pausing for two minutes to give WiFi and DNS time to come online."
  sleep 120
  CheckSiteNetwork

  if [[ "$site_network" == "False" ]]; then
    ScriptLogging "Unable to verify access to site network. Exiting CasperCheck."
  fi 


  if [[ "$site_network" == "True" ]]; then
    ScriptLogging "Access to site network verified"
    CheckTomcat
    CheckInstaller
    CheckCasper
  fi

fi

ScriptLogging "======== CasperCheck Finished ========"

exit 0

OK, after diffing your script against a stock copy of CasperCheck, I can point out a few places where you may be having issues:

The variables in this section have been edited and that's likely where your problems began.:

From:

#
# The variables below this line should not need to be edited.
# Use caution if doing so. 
#

quickadd_dir="/var/root/quickadd"
quickadd_zip="/tmp/quickadd.zip"
quickadd_installer="$quickadd_dir/casper.pkg"
quickadd_timestamp="$quickadd_dir/quickadd_timestamp"

To:

#
# The variables below this line should not need to be edited.
# Use caution if doing so. 
#

quickadd_dir="/var/root/quickadd"
quickadd_zip="/tmp/QuickAdd.pkg.zip"
quickadd_installer="$quickadd_dir/QuickAdd.pkg"
quickadd_timestamp="$quickadd_dir/quickadd_timestamp"

It also appears the myCurl function in the script has also been edited. CasperCheck uses this function to download the QuickAdd package from the address referenced in the fileURL variable.

It also looks like the myCurl function in the script has also stopped being used to download the QuickAdd (possibly because the edits to the myCurl function made it no longer work properly.) Instead the update_quickadd function has been edited to call curl without using the myCurl function.

However, because the directory path to curl is not being provided as part of the edits, the script is now implicitly relying on a PATH environment variable being available in order to find curl. That PATH environment variable is available when run manually using a logged-in user's account, so curl can be located when the script is run that way, but it isn't there when the script is run via the LaunchDaemon, so curl can't be found.

It may be worth starting over with a fresh copy of CasperCheck and not edit anything in the section marked below, or in any of the functions:

#
# The variables below this line should not need to be edited.
# Use caution if doing so. 
#

quickadd_dir="/var/root/quickadd"
quickadd_zip="/tmp/quickadd.zip"
quickadd_installer="$quickadd_dir/casper.pkg"
quickadd_timestamp="$quickadd_dir/quickadd_timestamp"

okay, so I reset all back to original script. I generated a new quickadd package. uploaded it to the server verified the file names are right. Ran the kaleidoscope app to confirm the only changes are the fileURL and the jss server address from the original script.

this is launching from the launchd

2015-08-04 10:23:22  ======== Starting CasperCheck ========
2015-08-04 10:23:22  Checking for active network connection.
2015-08-04 10:23:22  Network connection appears to be live.
2015-08-04 10:23:22  Pausing for two minutes to give WiFi and DNS time to come online.
2015-08-04 10:25:22  Access to site network verified
2015-08-04 10:25:22  Machine can connect to my.jss.com over port 8443. Proceeding.
2015-08-04 10:25:22  Downloading Casper agent installer from server.
2015-08-04 10:25:22  /tmp/quickadd.zip not found. Exiting CasperCheck.
2015-08-04 10:25:22  ======== CasperCheck Finished ========

this is from the bash -x

$ sudo bash -x /Library/Scripts/CasperCheck.sh 
+ fileURL=http://my.jss.com/QuickAdd.pkg.zip
+ jss_server_address=my.jss.com
+ jss_server_port=8443
+ log_location=/var/log/caspercheck.log
+ quickadd_dir=/var/root/quickadd
+ quickadd_zip=/tmp/quickadd.zip
+ quickadd_installer=/var/root/quickadd/casper.pkg
+ quickadd_timestamp=/var/root/quickadd/quickadd_timestamp
+ ScriptLogging '======== Starting CasperCheck ========'
++ date '+%Y-%m-%d %H:%M:%S'
+ DATE='2015-08-04 10:25:33'
+ LOG=/var/log/caspercheck.log
+ echo '2015-08-04 10:25:33' ' ======== Starting CasperCheck ========'
+ ScriptLogging 'Checking for active network connection.'
++ date '+%Y-%m-%d %H:%M:%S'
+ DATE='2015-08-04 10:25:33'
+ LOG=/var/log/caspercheck.log
+ echo '2015-08-04 10:25:33' ' Checking for active network connection.'
+ CheckForNetwork
+ local test
+ [[ -z '' ]]
++ ifconfig -a inet
++ sed -n -e /127.0.0.1/d -e /0.0.0.0/d -e /inet/p
++ wc -l
+ test='       1'
+ [[        1 -gt 0 ]]
+ NETWORKUP=-YES-
+ i=1
+ [[ -YES- != -YES- ]]
+ [[ -YES- != -YES- ]]
+ [[ -YES- == -YES- ]]
+ ScriptLogging 'Network connection appears to be live.'
++ date '+%Y-%m-%d %H:%M:%S'
+ DATE='2015-08-04 10:25:33'
+ LOG=/var/log/caspercheck.log
+ echo '2015-08-04 10:25:33' ' Network connection appears to be live.'
+ ScriptLogging 'Pausing for two minutes to give WiFi and DNS time to come online.'
++ date '+%Y-%m-%d %H:%M:%S'
+ DATE='2015-08-04 10:25:33'
+ LOG=/var/log/caspercheck.log
+ echo '2015-08-04 10:25:33' ' Pausing for two minutes to give WiFi and DNS time to come online.'
+ sleep 120
+ CheckSiteNetwork
+ site_network=False
++ host -W .5 my.jss.com
+ ping='my.jss.com has address 10.3.25.13'
+ [[ 0 -eq 0 ]]
+ site_network=True
+ [[ -n '' ]]
+ [[ True == False ]]
+ [[ True == T
ue ]]
+ ScriptLogging 'Access to site network verified'
++ date '+%Y-%m-%d %H:%M:%S'
+ DATE='2015-08-04 10:27:33'
+ LOG=/var/log/caspercheck.log
+ echo '2015-08-04 10:27:33' ' Access to site network verified'
+ CheckTomcat
++ nc -z -w 5 my.jss.com 8443
++ echo 0
+ tomcat_chk=0
+ '[' 0 -eq 0 ']'
+ ScriptLogging 'Machine can connect to my.jss.com over port 8443. Proceeding.'
++ date '+%Y-%m-%d %H:%M:%S'
+ DATE='2015-08-04 10:27:33'
+ LOG=/var/log/caspercheck.log
+ echo '2015-08-04 10:27:33' ' Machine can connect to my.jss.com over port 8443. Proceeding.'
+ CheckInstaller
++ myCurl --head http://my.jss.com/QuickAdd.pkg.zip
++ awk '-F: ' '/Last-Modified/{print $2}'
+ modDate=
+ [[ -f /var/root/quickadd/quickadd_timestamp ]]
+ update_quickadd
++ myCurl --head http://my.jss.com/QuickAdd.pkg.zip
++ awk '-F: ' '/Last-Modified/{print $2}'
+ modDate=
+ ScriptLogging 'Downloading Casper agent installer from server.'
++ date '+%Y-%m-%d %H:%M:%S'
+ DATE='2015-08-04 10:27:33'
+ LOG=/var/log/caspercheck.log
+ echo '2015-08-04 10:27:33' ' Downloading Casper agent installer from server.'
+ myCurl --output /tmp/quickadd.zip http://my.jss.com/QuickAdd.pkg.zip
+ /usr/bin/curl -k --retry 3 --silent --show-error --output /tmp/quickadd.zip http://my.jss.com/QuickAdd.pkg.zip
+ [[ ! -f /tmp/quickadd.zip ]]
++ /usr/bin/unzip -tq /tmp/quickadd.zip
[/tmp/quickadd.zip]
  End-of-central-directory signature not found.  Either this file is not
  a zipfile, or it constitutes one disk of a multi-part archive.  In the
  latter case the central directory and zipfile comment will be found on
  the last disk(s) of this archive.
unzip:  cannot find zipfile directory in one of /tmp/quickadd.zip or
        /tmp/quickadd.zip.zip, and cannot find /tmp/quickadd.zip.ZIP, period.
++ echo 9
+ zipfile_chk=9
+ '[' 9 -eq 0 ']'
+ ScriptLogging 'Downloaded zip file appears to be corrupted. Exiting CasperCheck.'
++ date '+%Y-%m-%d %H:%M:%S'
+ DATE='2015-08-04 10:27:33'
+ LOG=/var/log/caspercheck.log
+ echo '2015-08-04 10:27:33' ' Downloaded zip file appears to be corrupted. Exiting CasperCheck.'
+ ScriptLogging '======== CasperCheck Finished ========'
++ date '+%Y-%m-%d %H:%M:%S'
+ DATE='2015-08-04 10:27:33'
+ LOG=/var/log/caspercheck.log
+ echo '2015-08-04 10:27:33' ' ======== CasperCheck Finished ========'
+ rm /tmp/quickadd.zip
+ exit 0

and the log output from bash -x

2015-08-04 10:25:33  ======== Starting CasperCheck ========
2015-08-04 10:25:33  Checking for active network connection.
2015-08-04 10:25:33  Network connection appears to be live.
2015-08-04 10:25:33  Pausing for two minutes to give WiFi and DNS time to come online.
2015-08-04 10:27:33  Access to site network verified
2015-08-04 10:27:33  Machine can connect to my.jss.com over port 8443. Proceeding.
2015-08-04 10:27:33  Downloading Casper agent installer from server.
2015-08-04 10:27:33  Downloaded zip file appears to be corrupted. Exiting CasperCheck.
2015-08-04 10:27:33  ======== CasperCheck Finished ========

OK, when reset back to the original script's parameters, it looks like you have an issue curl'ing down the zipped QuickAdd to your machine. When run via the LaunchDaemon, it looks like curl is not downloading the file and not leaving anything in /tmp. That's triggering this warning and script exit:

https://github.com/rtrouton/CasperCheck/blob/master/script/caspercheck.sh#L124-L130

When run while logged in, it appears that curl is downloading something to /tmp but it's not a valid zip file. That's triggering this warning and script exit:

https://github.com/rtrouton/CasperCheck/blob/master/script/caspercheck.sh#L132-L143

Long story short, you've got a curl issue downloading from the webserver the QuickAdd is hosted on.

@rtrouton right, that's why I changed that originally, which solved the curl issue, but only when running bash -x, not from the launchD.

@jwojda did you figure this out? If not, does your casper packages share allow downloads without authentication?

I ask because we modified the myCurl to use a .curlrc file (stored in /var/root) that contains credentials so the script can authenticate before downloading the quickadd package.

myCurl () { /usr/bin/curl -K /var/root/curlqa/.curlrc -k --retry 3 --silent --show-error "$@"; }

and the .curlrc looks like this

# --- Example file ---
# this is a comment
# url = "curl.haxx.se"
# output = "curlhere.html"
user = readonlyusernam:readonlyusernamepassword

# and fetch another URL too
# url = "curl.haxx.se/docs/manpage.html"
# -O
# referer = "http://nowhereatall.com/"
# --- End of example file ---

IIRC every other piece of the script aside from the variables at the top remained stock in our implementation.

Maybe this will help?