Posted on 04-02-2018 12:42 PM
In our organization, I am trying to have a pop up window show up when the user is on the desktop where it will prompt for a selection of roles the user must choose. For instance, developers must choose DEV-1. After selecting their roles, I want it to update JAMF (with recon) to update their department. In doing this, I can have role-specific apps get pulled down from other policies that have specific software scoped out to these departments. DEV-1 gets Java, IDEs, Sublime Text, and HR-1 would get Office 2016, etc.
In JAMF, I have the following script scoped out to all newly enrolled laptops to run on enrollment. It is a script that creates a Launch Agent and an Application Support/SF folder. In the script under Application Support/SF, it will check that the logged in user is not mbsetupuser, the Finder process is running, and a "done-file" is NOT created so it can run. After creating the script and running it through its process, I do get the popup asking about which role the user is, but after their input, it does not continue with jamf recon -department "$roleID". If I run that same exact script locally on a saved text edit, the script works perfectly, updating the $roleID to JAMF's department field. The problem I see is that if the script is created via a script, it doesn't work as intended, as it's not able to do a recon to Jamf, even though I hardcode the path. Please help!
```
#!/bin/bash
# Write the LaunchAgent that runs the role prompt in the user's session
cat > /Library/LaunchAgents/com.SF.roleid.plist << 'ENDSCRIPT'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>StartInterval</key>
    <integer>10</integer>
    <key>RunAtLoad</key>
    <true/>
    <key>Label</key>
    <string>com.SF.roleid.plist</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/Application Support/SF/roleid.launch.sh</string>
    </array>
</dict>
</plist>
ENDSCRIPT
chmod 755 /Library/LaunchAgents/com.SF.roleid.plist
/usr/sbin/chown -R root:wheel /Library/LaunchAgents/com.SF.roleid.plist
if [ ! -d "/Library/Application Support/SF/" ]; then
    mkdir "/Library/Application Support/SF/"
fi
touch "/Library/Application Support/SF/"
chown -R root:wheel "/Library/Application Support/SF/"
# Write the script that the LaunchAgent runs every 10 seconds
/bin/cat > "/Library/Application Support/SF/roleid.launch.sh" << 'ENDSCRIPT'
#!/bin/bash
loggedInUser=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')
doneFile="/Users/Shared/.roleid"
function finderRunning {
    /usr/bin/pgrep Finder && return 0 || return 1
}
# Prompt only when a real user is at the desktop and has not been asked yet
if finderRunning && [ "$loggedInUser" != "_mbsetupuser" ] && [ ! -f "${doneFile}" ]; then
    roleID=$(osascript -e 'tell application "SystemUIServer"
choose from list {"DEV-1","DEV-2","QA-1","QA-2","QA-3","IT-1","IT-2", "ACC-1", "SOPS-1", "FA-1", "DS-1", "MA-1","PM-1", "HR-1"}
end tell')
    touch "$doneFile"
    /usr/bin/local/jamf recon -department "$roleID"
fi
exit 0
ENDSCRIPT
chmod +x "/Library/Application Support/SF/"
chmod +x "/Library/Application Support/SF/roleid.launch.sh"
# Load the agent into the session of the user currently at the console
loggedInUser=$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')
loggedInUID=$(id -u "${loggedInUser}")
if [[ ${loggedInUID} -gt 500 ]]; then
    echo "Launching RoleID for user ${loggedInUID}…"
    sudo -u "#${loggedInUID}" launchctl enable gui/${loggedInUID}/roleid.launch.sh
    sudo -u "#${loggedInUID}" launchctl bootstrap gui/${loggedInUID}/ /Library/LaunchAgents/com.sigfig.roleid.plist
fi
sleep 30
sudo -u "#${loggedInUID}" launchctl unload /Library/LaunchAgents/com.SF.roleid.plist
exit 0
```
Posted on 04-02-2018 01:04 PM
@huysf You might want to edit your post to put the script begin/end tag, which is three consecutive backticks (```), immediately before and after your script so it'll display properly.
Posted on 04-02-2018 04:04 PM
We use casper's receipts folder. /Library/Application Support/jamf/receipts/
We just put a policy in self-service that just runs a script
```
#!/bin/sh
touch "/Library/Application Support/JAMF/Receipts/Flag-DEV1"
exit 0
```
Have that policy update inventory.
Then create a smart group with the criteria of "packaged installed by casper is Flag-DEV1"
Then scope all your DEV apps to that group.
Posted on 04-02-2018 05:45 PM
I transcribed this into a code block and changed your hardcoded path to a variable for consistency. There is inconsistent use of /full/paths/to/binaries but they're all within the EXPORT PATH variable so you should be safe. Also replaced the "loggedInUser" population method with a native BASH varietal.
Also, I fixed the following issues:
```
#!/bin/bash
# Write the LaunchAgent that runs the role prompt in the user's session
cat > /Library/LaunchAgents/com.SF.roleid.plist << 'ENDSCRIPT'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>StartInterval</key>
    <integer>10</integer>
    <key>RunAtLoad</key>
    <true/>
    <key>Label</key>
    <string>com.SF.roleid.plist</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/Application Support/SF/roleid.launch.sh</string>
    </array>
</dict>
</plist>
ENDSCRIPT
chmod 755 /Library/LaunchAgents/com.SF.roleid.plist
/usr/sbin/chown -R root:wheel /Library/LaunchAgents/com.SF.roleid.plist
SFdir="/Library/Application Support/SF"
if [ ! -d "$SFdir" ]; then
    mkdir "$SFdir"
fi
touch "$SFdir"
chown -R root:wheel "$SFdir"
# Write the script that the LaunchAgent runs every 10 seconds
/bin/cat > "$SFdir"/roleid.launch.sh << 'ENDSCRIPT'
#!/bin/bash
loggedInUser=$(ls -l /dev/console | awk '{ print $3 }')
doneFile="/Users/Shared/.roleid"
#Check if User is on desktop (Finder process exists)
function finderRunning
{
    /usr/bin/pgrep Finder && return 0 || return 1
}
#Check if User is in control (not _mbsetupuser)
# doneFile does not exist
if finderRunning && [[ "$loggedInUser" != "_mbsetupuser" ]] && [[ ! -f "${doneFile}" ]]
then
    roleID=$(osascript -e 'tell application "SystemUIServer"
choose from list {"DEV-1","DEV-2","QA-1","QA-2","QA-3","IT-1","IT-2", "ACC-1", "SOPS-1", "FA-1", "DS-1", "MA-1","PM-1", "HR-1"}
end tell')
    touch "$doneFile"
    # Set the Department field in Jamf inventory to the selected role
    /usr/local/bin/jamf recon -department "$roleID"
fi
exit 0
ENDSCRIPT
chmod +x "$SFdir"
chmod +x "$SFdir"/roleid.launch.sh
# Load the agent into the session of the user currently at the console
loggedInUser=$(ls -l /dev/console | awk '{ print $3 }')
loggedInUID=$(id -u "${loggedInUser}")
if [[ ${loggedInUID} -gt 500 ]]; then
    echo "Launching RoleID for user ${loggedInUID}…"
    sudo -u "#${loggedInUID}" launchctl enable gui/${loggedInUID}/com.SF.roleid.plist
    sudo -u "#${loggedInUID}" launchctl bootstrap gui/${loggedInUID} /Library/LaunchAgents/com.SF.roleid.plist
fi
sleep 30
sudo -u "#${loggedInUID}" launchctl unload /Library/LaunchAgents/com.SF.roleid.plist
exit 0
```
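An added example, not code from any poster in this thread: both scripts above pass whatever `osascript` printed straight to `jamf recon -department`, including the string `false` that `choose from list` returns when the dialog is cancelled. The sketch below validates the choice against the dialog's own role list and reads it from a file only if that file is a regular file, assuming the recon itself is done by a root-context job; the function names and the `JAMF` override variable are hypothetical.

```shell
#!/bin/bash
# Added example, not code from the thread. Function names and the JAMF
# override variable are hypothetical; the role IDs are the dialog's own list.
ROLES="DEV-1 DEV-2 QA-1 QA-2 QA-3 IT-1 IT-2 ACC-1 SOPS-1 FA-1 DS-1 MA-1 PM-1 HR-1"

# valid_role VALUE: succeed only on an exact match with one allowed role.
# Rejects "false" (printed by osascript when the dialog is cancelled), empty
# input, and anything else that is not a single known role.
valid_role() {
    local candidate="$1" role
    for role in $ROLES; do
        [ "$candidate" = "$role" ] && return 0
    done
    return 1
}

# role_from_file FILE: print the role stored on the first line of FILE.
# Fails for symlinks and non-regular files, because the file is written by
# the unprivileged user session and read by a privileged job.
role_from_file() {
    local file="$1" line=""
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    IFS= read -r line < "$file" || [ -n "$line" ] || return 1
    valid_role "$line" || return 1
    printf '%s\n' "$line"
}

# recon_department FILE: run recon with the validated role, or do nothing.
# Assumption: the caller runs in a root context (for example a policy script).
recon_department() {
    local role
    role=$(role_from_file "$1") || return 1
    "${JAMF:-/usr/local/bin/jamf}" recon -department "$role"
}
```

Because an invalid or cancelled choice makes `recon_department` return non-zero, the caller can leave the done-file uncreated and let the prompt appear again at the next `StartInterval`.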
Posted on 04-02-2018 06:00 PM
@huysf : Please see my post.