It's possible that I may have created a bunch of install packages (with Composer) that set bad permissions recursively on /Applications. When I re-image a Mac running 10.10, I get lots of "Unapproved caller" errors, requiring multiple safe-mode reboots and manual permissions repair.
Is it possible for a script to fix permissions in the payload of a compiled package, or do I really have to open every single one in Composer and check it by hand?
There are well over 100 packages in my JSS ... not sure how many of them have the bad permissions. If there's a way to correct all of them, that will take less time than finding the specific bad ones.
I'm guessing that I'm waxed here, but I'm hoping for a miracle …
Until you get your packages fixed, you could add a script to the end of your imaging workflow that fixes permissions on /Applications.
chown -R root:wheel /Applications/
Also, in the past I've seen that unapproved caller messages are usually tied to a software update getting installed that requires a reboot yet the computer hasn't rebooted yet.