DEPNotify not installing Apps on Catalina

seraphina
Contributor II

I have seen some similar threads and some posts in the MacAdmins slack channel about DEPNotify not starting on Catalina, however I am unlucky enough to have it start, but not install any packages.

My workflow is as follows:
Install package (Contains DEPNotify.app, a postinstall script, launch daemon and depNotify.sh)

DEPNotify gets placed in /Applications/Utilities.
LaunchDaemon is placed in /Library/LaunchDaemons
depNotify.sh is placed in /var/tmp
postinstall sets permissions and initiates the LaunchDaemon.

The script is below, and the majority of the processes seem to work: the computer name gets updated and the DEPNotify UI is configured properly; it is just that applications will not install.
I watched the output of console errors while attempting this on Catalina and noticed the following (and most relevant) error:
"Sandbox: cp(2783) System Policy: deny(1) file-read-data /Volumes/jamf-1/Packages/VLC 3.0.8.pkg"

I do have a PPPC profile installed that gives access to systemuiserver, systemevents and finder to jamf and its components, so I am not sure what the issue is. Does something need a disk access permission?
Additionally, my GitHub repo is here, should you need to look at the rest of the process.
Thanks in advance.

#!/bin/bash
setupDone="/Library/Application Support/Jamf/setupDone" #Legacy Extension Attribute to check if DEPNotify ran
dLOG=/var/tmp/depnotify.log
dLIST=/var/tmp/DEPNotify.plist
JAMF_BINARY=/usr/local/bin/jamf
CURRENTUSER=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')
inputList="/Users/$CURRENTUSER/Library/Preferences/menu.nomad.DEPNotifyUserInput.plist"
configList="/Users/$CURRENTUSER/Library/Preferences/menu.nomad.DEPNotify.plist"
BANNER_IMG="/var/tmp/banner.png"
REGISTRATION_DONE="/var/tmp/com.depnotify.registration.done"

BUILDING_ARRAY=(
    "Chapman Center"
    "Coates University Center"
    "Center for Science & Innovation"
    "Dicke Smith Building"
    "Elizabeth Huth Coates Library"
    "Halsell Administrative Studies"
    "Holt Conference Center"
    "King's Court"
    "Laurie Auditorium"
    "Marrs McLean Hall"
    "Margarite B. Parker Chapel"
    "Northrup Hall"
    "Richardson Communication Center"
    "Ruth Taylor Theatre"
    "Storch Memorial Building"
    "William Bell Center"
    )

DEPARTMENT_ARRAY=(
    "Academic Affairs"
    "Academic Support"
    "Admissions"
    "Alumni Relations & Development"
    "Art & Art History"
    "Athletics"
    "Biology"
    "Business Office"
    "Chemistry"
    "Classical Studies"
    "Collaborative for Learning & Teaching"
    "Communication"
    "Computer Science"
    "Counseling Services"
    "Dean of Students"
    "Economics"
    "Education"
    "Endowments"
    "Engineering"
    "English"
    "Environmental Health & Safety"
    "Facilities Services"
    "Finance & Administration"
    "Geosciences"
    "Health Care Administration"
    "Health Services"
    "History"
    "Human Communication & Theatre"
    "Human Resources"
    "Information Technology Services"
    "Library"
    "Mathematics"
    "Modern Languages & Literatures"
    "Music"
    "Philosophy"
    "Physics & Astronomy"
    "Political Science"
    "President's Office"
    "Psychology"
    "Purchasing"
    "Registrar"
    "Religion"
    "Residential Life"
    "Risk Management & Insurance"
    "School of Business"
    "Sociology & Anthropology"
    "Strategic Communications & Marketing"
    "Student Financial Services"
    "Tiger Card Office"
    "Trinitonian"
    "Trinity University Press"
    "TUPD"
    "Other"
    )

POLICY_ARRAY=(
    "Installing Google Chrome,CHROME"
    "Installing Mozilla Firefox,FIREFOX"
    "Installing VLC Media Player,VLC"
    "Installing Java Runtime Environment,JRE"
    "Installing Adobe Flash Player,FLASH"
    "Installing Microsoft Office 2019,O2019"
    "Installing BitDefender,BDFS"
    "Installing KACE Agent,KACE"
    "Enabling Remote Management,SCRIPTS"
    "Adding to Faculty/Staff Group,FACSTAFF"
    )

if [ -f "${setupDone}" ]; then exit 0; fi

if pgrep -x "Finder" \
    && pgrep -x "Dock" \
    && [ "$CURRENTUSER" != "_mbsetupuser" ] \
    && [ ! -f "${setupDone}" ]; then

        /usr/bin/caffeinate -d -i -m -u -s &
        caffeinatepid=$!

        killall Installer
        pkill "Self Service"

        # Register input plist 
        sudo -u "$CURRENTUSER" defaults write "$configList" pathToPlistFile "$inputList"

        # Global app preferences
        sudo -u "$CURRENTUSER" defaults write "$configList" statusTextAlignment center

        echo "Status: Performing black magic..." >> $dLOG

        # Main Window Look'n'Feel
        echo "Command: Determinate: 16" >> $dLOG
        echo "Command: Image: /var/tmp/banner.png" >> $dLOG
        echo "Command: MainTitle: New Mac Deployment" >> $dLOG
        echo "Command: MainText: Make sure the device is using a wired connection before proceeding. This process should take approximately 25 minutes and the machine will reboot when completed.\n Additional software can be found in the Self Service app" >> $dLOG
        echo "Command: ContinueButtonRegister: Begin Registration" >> $dLOG

        # Registration Window Look'n'Feel
        sudo -u "$CURRENTUSER" defaults write "$configList" registrationTitleMain "Enter Device Details"
        sudo -u "$CURRENTUSER" defaults write "$configList" registrationPicturePath "$BANNER_IMG"
        sudo -u "$CURRENTUSER" defaults write "$configList" registrationButtonLabel "Register & Image Device"

        sudo -u "$CURRENTUSER" defaults write "$configList" textField1Label "Device Name"
        sudo -u "$CURRENTUSER" defaults write "$configList" textField1Placeholder "DEPT-USER"
        sudo -u "$CURRENTUSER" defaults write "$configList" textField1IsOptional -bool false

        sudo -u "$CURRENTUSER" defaults write "$configList" textField2Label "Assigned User"
        sudo -u "$CURRENTUSER" defaults write "$configList" textField2Placeholder "mkotara"
        sudo -u "$CURRENTUSER" defaults write "$configList" textField2Bubble -array "Criteria" "Please enter the user's AD username"
        sudo -u "$CURRENTUSER" defaults write "$configList" textField2IsOptional -bool false

        sudo -u "$CURRENTUSER" defaults write "$configList" popupButton1Label "Building"
        for BUILDING in "${BUILDING_ARRAY[@]}"; do
            sudo -u "$CURRENTUSER" defaults write "$configList" popupButton1Content -array-add "$BUILDING"
        done

        sudo -u "$CURRENTUSER" defaults write "$configList" popupButton2Label "Department"
        for DEPARTMENT in "${DEPARTMENT_ARRAY[@]}"; do
            sudo -u "$CURRENTUSER" defaults write "$configList" popupButton2Content -array-add "$DEPARTMENT"
        done


        # Open DepNotify
        sudo -u "$CURRENTUSER" /Applications/Utilities/DEPNotify.app/Contents/MacOS/DEPNotify &

        while [ ! -f "$REGISTRATION_DONE" ]; do
            echo "$(date "+%a %h %d %H:%M:%S"): Waiting on completion of registration" >> $dLOG
            sleep 2
        done

        #Computer Name Logic
        REG_FIELD_1_VALUE=$(defaults read "$inputList" "Device Name") #This field is mandatory
        if [ ! "$REG_FIELD_1_VALUE" = "" ]; then
            echo "Status: Setting computer name to $REG_FIELD_1_VALUE" >> $dLOG
            scutil --set HostName "$REG_FIELD_1_VALUE"
            scutil --set LocalHostName "$REG_FIELD_1_VALUE"
            scutil --set ComputerName "$REG_FIELD_1_VALUE"
            $JAMF_BINARY setComputerName -name "$REG_FIELD_1_VALUE"
        else
            echo "Status: Something went wrong because DEVICE_NAME can't be empty." >> $dLOG
            exit 1
        fi

        # Asset Tag Logic
        REG_FIELD_2_VALUE=$(defaults read "$inputList" "Assigned User")
        REG_FIELD_2_OPTIONAL=$(defaults read "$configList" "textField2IsOptional")
        if [ "$REG_FIELD_2_OPTIONAL" = 1 ] && [ "$REG_FIELD_2_VALUE" = "" ]; then
            echo "Status: Assignee was left empty... Skipping" >> $dLOG
            sleep 2
        else #set the assignee
            echo "Status: Setting assignee to $REG_FIELD_2_VALUE." >> $dLOG
            $JAMF_BINARY recon -endUsername "$REG_FIELD_2_VALUE"
        fi

        #Device Building Logic
        REG_FIELD_3_VALUE=$(defaults read "$inputList" "Building")
        if [ ! "$REG_FIELD_3_VALUE" = "" ]; then
            echo "Status: Setting building to $REG_FIELD_3_VALUE" >> $dLOG
            $JAMF_BINARY recon -building "$REG_FIELD_3_VALUE"
        else
            echo "Something went wrong when setting BUILDING" >> $dLOG
            exit 1
        fi


        #Device Department Logic
        REG_FIELD_4_VALUE=$(defaults read "$inputList" "Department")
        if [ ! "$REG_FIELD_4_VALUE" = "" ]; then
            echo "Status: Setting department to $REG_FIELD_4_VALUE" >> $dLOG
            "$JAMF_BINARY" recon -department "$REG_FIELD_4_VALUE"
        else
            echo "Something went wrong when setting DEPARTMENT" >> $dLOG
            exit 1
        fi


        #Begin device imaging
        for POLICY in "${POLICY_ARRAY[@]}"; do
            echo "Status: $(echo "$POLICY" | cut -d ',' -f1)" >> "$dLOG"
            "$JAMF_BINARY" policy -event "$(echo "$POLICY" | cut -d ',' -f2)"
        done

        touch /var/db/receipts/edu.trinity.imaging.bom
        echo "Status: Updating device inventory" >> $dLOG
        $JAMF_BINARY recon
        echo "Status: Cleaning up files and restarting the system" >> $dLOG
        sleep 2
        kill $caffeinatepid
        rm -fr /Library/LaunchDaemons/edu.trinity.launch.plist
        rm -fr "$inputList"
        rm -fr "$configList"
        rm -fr /var/tmp/banner.png
        pwpolicy -u "$CURRENTUSER" -setpolicy "newPasswordRequired=1"
        echo "Command: RestartNow:" >> $dLOG

        rm -fr /Applications/Utilities/DEPNotify.app
        rm -- "$0"
fi
exit 0
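The one line of evidence in the post is the Sandbox denial. An added example (not part of the original post or of DEPNotify) that pulls the process, operation and path out of such lines and maps the path to the PPPC service keys that could have granted it. The sample log is constructed: the first line is the one quoted above, the others are made up to exercise the parser. The prefix-to-service mapping is this example's own assumption; in particular, which process TCC holds responsible for the read (cp, its parent jamf, or the bash launched by the LaunchDaemon) cannot be recovered from the line itself, so the report keys on the process name the log shows.

```python
"""Classify Sandbox "System Policy: deny" lines like the one quoted in the post."""
import re
from typing import Dict, List, Optional

# Constructed sample: line 1 is the denial quoted in the post, the rest are
# made-up variants (a second package, a write under a home folder, a non-Sandbox line).
SAMPLE_LOG = """\
Sandbox: cp(2783) System Policy: deny(1) file-read-data /Volumes/jamf-1/Packages/VLC 3.0.8.pkg
Sandbox: cp(2790) System Policy: deny(1) file-read-data /Volumes/jamf-1/Packages/Firefox.pkg
Sandbox: bash(2801) System Policy: deny(1) file-write-data /Users/admin/Desktop/notes.txt
jamf[2770]: Executing Policy Install VLC
"""

# Sandbox: <proc>(<pid>) System Policy: deny(<code>) <operation> <path>
# The path may contain spaces ("VLC 3.0.8.pkg"), so it runs to end of line.
DENY_RE = re.compile(
    r"Sandbox:\s+(?P<proc>[^\s(]+)\((?P<pid>\d+)\)\s+"
    r"System Policy:\s+deny\((?P<code>\d+)\)\s+"
    r"(?P<op>[A-Za-z-]+)\s+(?P<path>\S.*?)\s*$"
)


def parse_denial(line: str) -> Optional[Dict[str, str]]:
    """Return proc/pid/code/op/path for a System Policy denial, or None for other lines."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None


def candidate_services(path: str) -> List[str]:
    """PPPC 'Services' keys that could grant access to `path` (assumed mapping).

    /Volumes/ is where macOS mounts both network shares (this thread's SMB DP)
    and removable media, so both volume services are candidates. Full disk
    access (SystemPolicyAllFiles) covers any path; narrower per-folder services
    are not modelled here.
    """
    if path.startswith("/Volumes/"):
        return ["SystemPolicyNetworkVolumes", "SystemPolicyRemovableVolumes", "SystemPolicyAllFiles"]
    return ["SystemPolicyAllFiles"]


def summarize(log_text: str) -> Dict[str, Dict[str, object]]:
    """Group denials by process name: operations seen, paths hit, candidate grants."""
    report: Dict[str, Dict[str, object]] = {}
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        entry = report.setdefault(d["proc"], {"ops": set(), "paths": [], "services": set()})
        entry["ops"].add(d["op"])          # type: ignore[union-attr]
        entry["paths"].append(d["path"])   # type: ignore[union-attr]
        entry["services"].update(candidate_services(d["path"]))  # type: ignore[union-attr]
    return report


if __name__ == "__main__":
    for proc, info in summarize(SAMPLE_LOG).items():
        print(f"{proc}: ops={sorted(info['ops'])} paths={len(info['paths'])} "
              f"grant one of {sorted(info['services'])}")
```

Feed it the Console output filtered on "System Policy: deny" while a DEPNotify policy runs; if every denied path sits under /Volumes/, the SMB mount is the only thing in play, which matches the later finding in this thread that an HTTP/HTTPS distribution point sidesteps the problem.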
21 REPLIES

Hugonaut
Valued Contributor II

Is your server on-prem & are your distribution points samba? @mlizbeth


seraphina
Contributor II

@Hugonaut Our Jamf is cloud hosted and we are using an on-prem SMB share for package distribution.

m_donovan
Contributor III

We are on-prem JamfPro and using SMB distribution points. I am running into the same issue. I get the operation not permitted for the cp from /Volumes... The same policies run fine on Mojave and below or when manually fired.

seraphina
Contributor II

@m.donovan This makes sense! My DEPNotify policies are all on a custom trigger. So when installing Flash Player with sudo jamf policy -event FLASH in Terminal, I was given a TCC prompt to allow Terminal (or perhaps bash) access to a network volume. I think there are some missing entitlements, I just don't know where.

Digging deeper, I remember when we upgraded to Mojave for the first time and the kernel was spitting errors about file-data-read and file-data-write for Bitdefender, and it didn't work, until I granted full disk access.

m_donovan
Contributor III

@mlizbeth I have been playing around with PPPC's for a couple of days now. Still not sure what is going to allow these to run correctly. There is also this thread. https://www.jamf.com/jamf-nation/discussions/34030/policies-failing-operation-not-permitted

seraphina
Contributor II

@m.donovan If I am understanding correctly, the only 2 workarounds are to use HTTP/HTTPS or to allow bash/Terminal/jamf access to all files?

m_donovan
Contributor III

HTTP/HTTPS is not really an option for us. I have 6 SMB DPs and don't relish the idea of having to convert those. I have a PPPC scoped to the DEP computers that allows SystemPolicyNetworkVolumes, SystemPolicySysAdminFiles, as well as SystemPolicyAllFiles for good measure. The PPPCs are for Terminal as well as JamfAgent and the Jamf binary.

m_donovan
Contributor III

@mlizbeth Our externally facing DP is HTTP/HTTPS so I can do a test with it and see. I won't be able to until tomorrow but I will post what I find out.

seraphina
Contributor II

I understand that. We only have 1 SMB DP, but our network administrators highly prefer we use SMB if the machines are on the campus network segment. So with all those PPPC profiles in place, have you had success?

m_donovan
Contributor III

No luck thus far. I am really starting to dislike Catalina A LOT!!!

sshort
Valued Contributor

@mlizbeth @m.donovan I was adjusting my instance of DEPNotify today on 10.15.2 without issue. Jamf Cloud is the primary distribution point with a local SMB fileshare, and all the pkgs came from SMB. I haven’t updated to DEPNotify 1.1.5 yet, still on 1.1.4.

Jamf is given full disk access, here’s an example of my profile to compare against what you have.

kerouak
Valued Contributor

I have no issues whatsoever with the Prestage and DepNotify scripts that I previously used in Mojave.
On-prem totally, with SMB shares, using v1.1.3.
I take it that you are creating an additional admin account in the Prestage, then logging in as that to start the DepNotify script??

seraphina
Contributor II

Yes, we create the user's account in prestage so it logs in automatically and kicks off DEPNotify. Every aspect of the script is working except for package installation.

Plist creation is fine, properly relays the computer's name and other asset information to the server, etc.

seraphina
Contributor II

@sshort I tried your profile with no success :(

m_donovan
Contributor III

If I point the network segment I am testing on to the HTTP/HTTPS DP everything works fine.

seraphina
Contributor II

I have also moved to the HTTP/HTTPS cloud DP.
Having a functioning workflow is more important at the moment. However, I will continue to debug this. Just needed a working solution in the meantime.

seraphina
Contributor II

@m.donovan

I switched from SMB to cloud and was unable to replicate the contents of cloud to SMB. I granted bash access to network volumes and this fixed the problem. I need to check if it fixes the cp error when installing packages from SMB.

Can you test out a profile like this?

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDescription</key>
            <string>Bash Tester</string>
            <key>PayloadDisplayName</key>
            <string>Bash Tester</string>
            <key>PayloadIdentifier</key>
            <string>3CE7323C-527B-4E61-A382-6CA1910871E3</string>
            <key>PayloadOrganization</key>
            <string>Trinity</string>
            <key>PayloadType</key>
            <string>com.apple.TCC.configuration-profile-policy</string>
            <key>PayloadUUID</key>
            <string>147B368C-0894-424C-8FB8-E3DD38B1B03E</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Services</key>
            <dict>
                <key>AppleEvents</key>
                <array>
                    <dict>
                        <key>AEReceiverCodeRequirement</key>
                        <string>identifier "com.apple.finder" and anchor apple</string>
                        <key>AEReceiverIdentifier</key>
                        <string>com.apple.finder</string>
                        <key>AEReceiverIdentifierType</key>
                        <string>bundleID</string>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>identifier "com.apple.bash" and anchor apple</string>
                        <key>Comment</key>
                        <string></string>
                        <key>Identifier</key>
                        <string>/bin/bash</string>
                        <key>IdentifierType</key>
                        <string>path</string>
                    </dict>
                    <dict>
                        <key>AEReceiverCodeRequirement</key>
                        <string>identifier "com.apple.systemuiserver" and anchor apple</string>
                        <key>AEReceiverIdentifier</key>
                        <string>com.apple.systemuiserver</string>
                        <key>AEReceiverIdentifierType</key>
                        <string>bundleID</string>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>identifier "com.apple.bash" and anchor apple</string>
                        <key>Comment</key>
                        <string></string>
                        <key>Identifier</key>
                        <string>/bin/bash</string>
                        <key>IdentifierType</key>
                        <string>path</string>
                    </dict>
                    <dict>
                        <key>AEReceiverCodeRequirement</key>
                        <string>identifier "com.apple.systemevents" and anchor apple</string>
                        <key>AEReceiverIdentifier</key>
                        <string>com.apple.systemevents</string>
                        <key>AEReceiverIdentifierType</key>
                        <string>bundleID</string>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>identifier "com.apple.bash" and anchor apple</string>
                        <key>Comment</key>
                        <string></string>
                        <key>Identifier</key>
                        <string>/bin/bash</string>
                        <key>IdentifierType</key>
                        <string>path</string>
                    </dict>
                </array>
                <key>SystemPolicyNetworkVolumes</key>
                <array>
                    <dict>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>identifier "com.apple.bash" and anchor apple</string>
                        <key>Comment</key>
                        <string></string>
                        <key>Identifier</key>
                        <string>/bin/bash</string>
                        <key>IdentifierType</key>
                        <string>path</string>
                    </dict>
                </array>
            </dict>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Bash Tester</string>
    <key>PayloadDisplayName</key>
    <string>Bash Tester</string>
    <key>PayloadIdentifier</key>
    <string>3CE7323C-527B-4E61-A382-6CA1910871E3</string>
    <key>PayloadOrganization</key>
    <string>Trinity</string>
    <key>PayloadType</key>
    <string>com.apple.TCC.configuration-profile-policy</string>
    <key>PayloadUUID</key>
    <string>4A664E5A-4355-4136-9C4F-2255852C7D2C</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>payloadScope</key>
    <string>system</string>
</dict>
</plist>
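Two profiles are being compared in this thread: m_donovan's, which grants SystemPolicyNetworkVolumes, SystemPolicySysAdminFiles and SystemPolicyAllFiles to Terminal, JamfAgent and the jamf binary, and the "Bash Tester" profile above, which grants only /bin/bash. An added example (not from the original post or from Jamf) that flattens a PPPC profile into its grants and diffs them against a want-list, so the two can be compared mechanically rather than by eye. SAMPLE_PROFILE is a constructed, trimmed copy of the profile above (AppleEvents entries left out); the want-list is this example's own choice, taken from the two working data points in the thread, and the jamf path comes from the script at the top of the page. The jamf CodeRequirement is deliberately not written here.

```python
"""Flatten a PPPC (TCC) configuration profile into its grants and check a want-list."""
import plistlib
from typing import List, Optional, Tuple

TCC_PAYLOAD = "com.apple.TCC.configuration-profile-policy"
JAMF_BINARY = "/usr/local/bin/jamf"  # JAMF_BINARY in the DEPNotify script earlier in this thread

# Constructed: the "Bash Tester" profile above reduced to its one
# SystemPolicyNetworkVolumes entry for /bin/bash.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
      <key>Services</key>
      <dict>
        <key>SystemPolicyNetworkVolumes</key>
        <array>
          <dict>
            <key>Allowed</key><true/>
            <key>CodeRequirement</key><string>identifier "com.apple.bash" and anchor apple</string>
            <key>Identifier</key><string>/bin/bash</string>
            <key>IdentifierType</key><string>path</string>
          </dict>
        </array>
      </dict>
    </dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadScope</key><string>System</string>
</dict>
</plist>
"""

# (service, identifier, identifier_type, allowed, AppleEvents receiver or None)
Grant = Tuple[str, str, str, bool, Optional[str]]


def tcc_grants(profile: bytes) -> List[Grant]:
    """Every entry under every TCC payload's Services dict, one tuple per entry."""
    plist = plistlib.loads(profile)
    grants: List[Grant] = []
    for payload in plist.get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_PAYLOAD:
            continue
        for service, entries in payload.get("Services", {}).items():
            for e in entries:
                grants.append((
                    service,
                    e["Identifier"],
                    e.get("IdentifierType", "bundleID"),
                    bool(e.get("Allowed", False)),
                    e.get("AEReceiverIdentifier"),  # only present for AppleEvents
                ))
    return grants


def missing_grants(profile: bytes, required: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """(service, identifier) pairs from `required` that the profile does not allow."""
    allowed = {(svc, ident) for svc, ident, _t, ok, _rx in tcc_grants(profile) if ok}
    return [r for r in required if r not in allowed]


# Want-list assumed for this example: bash on network volumes (the profile
# above) plus the jamf binary on network volumes and with full disk access
# (what sshort reports giving Jamf). Read jamf's designated requirement on a
# managed Mac with `codesign -dr - /usr/local/bin/jamf` before adding it to a profile.
REQUIRED = [
    ("SystemPolicyNetworkVolumes", "/bin/bash"),
    ("SystemPolicyNetworkVolumes", JAMF_BINARY),
    ("SystemPolicyAllFiles", JAMF_BINARY),
]

if __name__ == "__main__":
    for g in tcc_grants(SAMPLE_PROFILE):
        print("grant:", g)
    for svc, ident in missing_grants(SAMPLE_PROFILE, REQUIRED):
        print("missing:", svc, ident)
```

Run against the exported .mobileconfig of each profile in the thread (profiles signed by Jamf are CMS-wrapped and need unwrapping first) and compare the "missing" lines; the profile above reports both jamf entries as missing, which is the concrete difference between it and the profiles that were reported to work.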

m_donovan
Contributor III

@mlizbeth Still not working for me. So far the only thing that has resolved the issue for me is pointing it at a HTTP/HTTPS DP. I'm going to look into converting my SMB DPs over.

dng2000
Contributor II

I encountered this same situation in my on-prem environment (and still on 10.15.1) and working with Jamf support on this. Haven't figured out a working resolution yet though.

tlarkin
Honored Contributor

FWIW, I have had much better success using launchctl asuser or launchctl bootstrap versus sudo -u user_name as far as getting DEPNotify to reliably launch and work in the user context.

dstranathan
Valued Contributor II

I haven't seen any issues with DEPNotify installing on Catalina, but I have noticed that the DEPNotify Registration UI sheet is blank when deploying on Catalina (10.15.1). I'm referring to the optional interface that prompts for site-specific values such as Hostname, Department, Building, etc. The sheet doesn't render any info at all, other than the button to advance to the next step.

Edit: I'm running DEPNotify 1.1.4 (1.1.5 is out). Need to update and test again.