Posted on 12-16-2019 12:58 PM
I have seen some similar threads and some posts in the MacAdmins slack channel about DEPNotify not starting on Catalina, however I am unlucky enough to have it start, but not install any packages.
My workflow is as follows:
Install package (Contains DEPNotify.app, a postinstall script, launch daemon and depNotify.sh)
DEPNotify gets placed in /Applications/Utilities.
LaunchDaemon is placed in /Library/LaunchDaemons
depNotify.sh is placed in /var/tmp
postinstall sets permissions and initiates the LaunchDaemon.
The script is as follows, and the majority of the processes seem to work. The computer name gets updated and the DEPNotify UI is configured properly; it is just that applications will not install.
I watched the output of console errors while attempting this on Catalina and noticed the following (and most relevant) error: "Sandbox: cp(2783) System Policy: deny(1) file-read-data /Volumes/jamf-1/Packages/VLC 3.0.8.pkg"
I do have a PPPC profile installed that gives access to systemuiserver, systemevents and finder to jamf and its components, so I am not sure what the issue is. Does something need a disk access permission?
Additionally, my GitHub repo is here, should you need to look at the rest of the process.
Thanks in advance.
#!/bin/bash
setupDone="/Library/Application Support/Jamf/setupDone" #Legacy Extension Attribute to check if DEPNotify ran
dLOG=/var/tmp/depnotify.log
dLIST=/var/tmp/DEPNotify.plist
JAMF_BINARY=/usr/local/bin/jamf
CURRENTUSER=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')
inputList="/Users/$CURRENTUSER/Library/Preferences/menu.nomad.DEPNotifyUserInput.plist"
configList="/Users/$CURRENTUSER/Library/Preferences/menu.nomad.DEPNotify.plist"
BANNER_IMG="/var/tmp/banner.png"
REGISTRATION_DONE="/var/tmp/com.depnotify.registration.done"
BUILDING_ARRAY=(
"Chapman Center"
"Coates University Center"
"Center for Science & Innovation"
"Dicke Smith Building"
"Elizabeth Huth Coates Library"
"Halsell Administrative Studies"
"Holt Conference Center"
"King's Court"
"Laurie Auditorium"
"Marrs McLean Hall"
"Margarite B. Parker Chapel"
"Northrup Hall"
"Richardson Communication Center"
"Ruth Taylor Theatre"
"Storch Memorial Building"
"William Bell Center"
)
DEPARTMENT_ARRAY=(
"Academic Affairs"
"Academic Support"
"Admissions"
"Alumni Relations & Development"
"Art & Art History"
"Athletics"
"Biology"
"Business Office"
"Chemistry"
"Classical Studies"
"Collaborative for Learning & Teaching"
"Communication"
"Computer Science"
"Counseling Services"
"Dean of Students"
"Economics"
"Education"
"Endowments"
"Engineering"
"English"
"Environmental Health & Safety"
"Facilities Services"
"Finance & Administration"
"Geosciences"
"Health Care Administration"
"Health Services"
"History"
"Human Communication & Theatre"
"Human Resources"
"Information Technology Services"
"Library"
"Mathematics"
"Modern Languages & Literatures"
"Music"
"Philosophy"
"Physics & Astronomy"
"Political Science"
"President's Office"
"Psychology"
"Purchasing"
"Registrar"
"Religion"
"Residential Life"
"Risk Management & Insurance"
"School of Business"
"Sociology & Anthropology"
"Strategic Communications & Marketing"
"Student Financial Services"
"Tiger Card Office"
"Trinitonian"
"Trinity University Press"
"TUPD"
"Other"
)
POLICY_ARRAY=(
"Installing Google Chrome,CHROME"
"Installing Mozilla Firefox,FIREFOX"
"Installing VLC Media Player,VLC"
"Installing Java Runtime Environment,JRE"
"Installing Adobe Flash Player,FLASH"
"Installing Microsoft Office 2019,O2019"
"Installing BitDefender,BDFS"
"Installing KACE Agent,KACE"
"Enabling Remote Management,SCRIPTS"
"Adding to Faculty/Staff Group,FACSTAFF"
)
if [ -f "${setupDone}" ]; then exit 0; fi
if pgrep -x "Finder" \
&& pgrep -x "Dock" \
&& [ "$CURRENTUSER" != "_mbsetupuser" ] \
&& [ ! -f "${setupDone}" ]; then
/usr/bin/caffeinate -d -i -m -u -s &
caffeinatepid=$!
killall Installer
pkill "Self Service"
# Register input plist
sudo -u "$CURRENTUSER" defaults write "$configList" pathToPlistFile "$inputList"
# Global app preferences
sudo -u "$CURRENTUSER" defaults write "$configList" statusTextAlignment center
echo "Status: Performing black magic..." >> $dLOG
# Main Window Look'n'Feel
echo "Command: Determinate: 16" >> $dLOG
echo "Command: Image: /var/tmp/banner.png" >> $dLOG
echo "Command: MainTitle: New Mac Deployment" >> $dLOG
echo "Command: MainText: Make sure the device is using a wired connection before proceeding. This process should take approximately 25 minutes and the machine will reboot when completed.\nAdditional software can be found in the Self Service app" >> $dLOG
echo "Command: ContinueButtonRegister: Begin Registration" >> $dLOG
# Registration Window Look'n'Feel
sudo -u "$CURRENTUSER" defaults write "$configList" registrationTitleMain "Enter Device Details"
sudo -u "$CURRENTUSER" defaults write "$configList" registrationPicturePath "$BANNER_IMG"
sudo -u "$CURRENTUSER" defaults write "$configList" registrationButtonLabel "Register & Image Device"
sudo -u "$CURRENTUSER" defaults write "$configList" textField1Label "Device Name"
sudo -u "$CURRENTUSER" defaults write "$configList" textField1Placeholder "DEPT-USER"
sudo -u "$CURRENTUSER" defaults write "$configList" textField1IsOptional -bool false
sudo -u "$CURRENTUSER" defaults write "$configList" textField2Label "Assigned User"
sudo -u "$CURRENTUSER" defaults write "$configList" textField2Placeholder "mkotara"
sudo -u "$CURRENTUSER" defaults write "$configList" textField2Bubble -array "Criteria" "Please enter the user's AD username"
sudo -u "$CURRENTUSER" defaults write "$configList" textField2IsOptional -bool false
sudo -u "$CURRENTUSER" defaults write "$configList" popupButton1Label "Building"
for BUILDING in "${BUILDING_ARRAY[@]}"; do
sudo -u "$CURRENTUSER" defaults write "$configList" popupButton1Content -array-add "$BUILDING"
done
sudo -u "$CURRENTUSER" defaults write "$configList" popupButton2Label "Department"
for DEPARTMENT in "${DEPARTMENT_ARRAY[@]}"; do
sudo -u "$CURRENTUSER" defaults write "$configList" popupButton2Content -array-add "$DEPARTMENT"
done
# Open DepNotify
sudo -u "$CURRENTUSER" /Applications/Utilities/DEPNotify.app/Contents/MacOS/DEPNotify &
while [ ! -f "$REGISTRATION_DONE" ]; do
echo "$(date "+%a %h %d %H:%M:%S"): Waiting on completion of registration" >> $dLOG
sleep 2
done
#Computer Name Logic
REG_FIELD_1_VALUE=$(defaults read "$inputList" "Device Name") #This field is mandatory
if [ ! "$REG_FIELD_1_VALUE" = "" ]; then
echo "Status: Setting computer name to $REG_FIELD_1_VALUE" >> $dLOG
scutil --set HostName "$REG_FIELD_1_VALUE"
scutil --set LocalHostName "$REG_FIELD_1_VALUE"
scutil --set ComputerName "$REG_FIELD_1_VALUE"
$JAMF_BINARY setComputerName -name "$REG_FIELD_1_VALUE"
else
echo "Status: Something went wrong because DEVICE_NAME can't be empty." >> $dLOG
exit 1
fi
# Assigned User Logic
REG_FIELD_2_VALUE=$(defaults read "$inputList" "Assigned User")
REG_FIELD_2_OPTIONAL=$(defaults read "$configList" "textField2IsOptional")
if [ "$REG_FIELD_2_OPTIONAL" = 1 ] && [ "$REG_FIELD_2_VALUE" = "" ]; then
echo "Status: Assignee was left empty... Skipping" >> $dLOG
sleep 2
else #set the assigned user
echo "Status: Setting assignee to $REG_FIELD_2_VALUE." >> $dLOG
$JAMF_BINARY recon -endUsername "$REG_FIELD_2_VALUE"
fi
#Device Building Logic
REG_FIELD_3_VALUE=$(defaults read "$inputList" "Building")
if [ ! "$REG_FIELD_3_VALUE" = "" ]; then
echo "Status: Setting building to $REG_FIELD_3_VALUE" >> $dLOG
$JAMF_BINARY recon -building "$REG_FIELD_3_VALUE"
else
echo "Status: Something went wrong when setting BUILDING" >> $dLOG
exit 1
fi
#Device Department Logic
REG_FIELD_4_VALUE=$(defaults read "$inputList" "Department")
if [ ! "$REG_FIELD_4_VALUE" = "" ]; then
echo "Status: Setting department to $REG_FIELD_4_VALUE" >> $dLOG
"$JAMF_BINARY" recon -department "$REG_FIELD_4_VALUE"
else
echo "Status: Something went wrong when setting DEPARTMENT" >> $dLOG
exit 1
fi
#Begin device imaging
for POLICY in "${POLICY_ARRAY[@]}"; do
echo "Status: $(echo "$POLICY" | cut -d ',' -f1)" >> "$dLOG"
"$JAMF_BINARY" policy -event "$(echo "$POLICY" | cut -d ',' -f2)"
done
touch /var/db/receipts/edu.trinity.imaging.bom
echo "Status: Updating device inventory" >> $dLOG
$JAMF_BINARY recon
echo "Status: Cleaning up files and restarting the system" >> $dLOG
sleep 2
kill $caffeinatepid
rm -fr /Library/LaunchDaemons/edu.trinity.launch.plist
rm -fr $inputList
rm -fr $configList
rm -fr /var/tmp/banner.png
pwpolicy -u "$CURRENTUSER" -setpolicy "newPasswordRequired=1"
echo "Command: RestartNow:" >> $dLOG
rm -fr /Applications/Utilities/DEPNotify.app
rm -- "$0"
fi
exit 0
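The policy loop in the script above runs each trigger but never checks whether jamf succeeded, so a denied package leaves the UI looking normal. An added example (not the poster's script) that surfaces failed policies through DEPNotify's own log commands; the jamf path, the log path and the fake_jamf stub are assumptions so it runs offline:

```shell
#!/bin/bash
# Added example, not the original poster's script: run the "Status text,TRIGGER"
# list from the post and make a failed policy visible in DEPNotify instead of
# moving on silently. JAMF_BIN and DEP_LOG are assumed paths; override as needed.
JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"
DEP_LOG="${DEP_LOG:-/var/tmp/depnotify.log}"

# Stand-in for the jamf binary so the example runs offline: every trigger
# succeeds except VLC, mirroring the package whose cp was denied in the thread.
fake_jamf() {
  if [ "$1" = "policy" ] && [ "$3" = "VLC" ]; then return 1; fi
  return 0
}

# run_policies LOG_FILE "Label,TRIGGER"...
# Writes DEPNotify commands to LOG_FILE; returns the number of failed policies.
run_policies() {
  local log="$1"; shift
  local failed=0 policy label trigger
  for policy in "$@"; do
    label="${policy%%,*}"
    trigger="${policy##*,}"
    echo "Status: $label" >> "$log"
    if "$JAMF_BIN" policy -event "$trigger"; then
      continue
    fi
    failed=$((failed + 1))
    echo "Status: $label failed (trigger $trigger); see /var/log/jamf.log" >> "$log"
  done
  if [ "$failed" -gt 0 ]; then
    # DEPNotify renders an Alert command as a modal, so the failure is not missed.
    echo "Command: Alert: $failed policy run(s) failed; packages are missing" >> "$log"
  fi
  return "$failed"
}

# Offline demo against the stub; a real run uses the jamf binary and $DEP_LOG.
JAMF_BIN=fake_jamf
DEMO_LOG="$(mktemp)"
if run_policies "$DEMO_LOG" "Installing Google Chrome,CHROME" "Installing VLC Media Player,VLC"; then
  echo "all policies succeeded"
else
  echo "failed policies: $?"
fi
cat "$DEMO_LOG"
```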
Posted on 12-16-2019 01:02 PM
Is your server on-prem & are your distribution points samba? @mlizbeth
Posted on 12-16-2019 01:04 PM
@Hugonaut Our Jamf is cloud hosted and we are using an on-prem SMB share for package distribution.
Posted on 12-16-2019 01:29 PM
We are on-prem JamfPro and using SMB distribution points. I am running into the same issue. I get the operation not permitted for the cp from /Volumes... The same policies run fine on Mojave and below or when manually fired.
Posted on 12-16-2019 01:41 PM
@m.donovan
This makes sense! My DEPNotify policies are all on a custom trigger. So when installing Flash Player with sudo jamf policy -event FLASH in Terminal, I was given a TCC prompt to allow Terminal (or perhaps bash) access to a network volume. I think there's some missing entitlements, I just don't know where.
Digging deeper, I remember when we upgraded to Mojave for the first time and the kernel was spitting errors about file-data-read and file-data-write for Bitdefender, and it didn't work, until I granted full disk access.
Posted on 12-16-2019 01:56 PM
@mlizbeth I have been playing around with PPPC's for a couple of days now. Still not sure what is going to allow these to run correctly. There is also this thread. https://www.jamf.com/jamf-nation/discussions/34030/policies-failing-operation-not-permitted
Posted on 12-16-2019 02:26 PM
@m.donovan If I am understanding correctly, the only 2 workarounds are to use HTTP/HTTPS or to allow bash/Terminal/jamf access to all files?
Posted on 12-16-2019 02:35 PM
The HTTP/HTTPS is not really an option for us. I have 6 SMB DP's and don't relish the idea of having to convert those. I have a PPPC scoped to the DEP computers that allows SystemPolicyNetworkVolumes, SystemPolicySysAdminfiles, as well as SystemPolicyAllFiles for good measure. The PPPC's are for terminal as well as JamfAgent and Jamf binary.
Posted on 12-16-2019 02:53 PM
@mlizbeth Our externally facing DP is HTTP/HTTPS so I can do a test with it and see. I won't be able to until tomorrow but I will post what I find out.
Posted on 12-16-2019 02:54 PM
I understand that. We only have 1 SMB DP, but our network administrators highly prefer we use SMB if the machines are on the campus network segment. So with all those PPPC profiles in place, have you had success?
Posted on 12-16-2019 02:56 PM
No luck thus far. I am really starting to dislike Catalina A LOT!!!
Posted on 12-16-2019 08:50 PM
@mlizbeth @m.donovan I was adjusting my instance of DEPNotify today on 10.15.2 without issue. Jamf Cloud is the primary distribution point with a local SMB fileshare, and all the pkgs came from SMB. I haven’t updated to DEPNotify 1.1.5 yet, still on 1.1.4.
Jamf is given full disk access, here’s an example of my profile to compare against what you have.
Posted on 12-17-2019 03:55 AM
I have no issues whatsoever with the Prestage and DepNotify scripts that I previously used in Mojave.
On-prem totally and SMB shares, using v1.1.3.
I take it that you are creating an additional admin account in the Prestage, then logging in as that to start the DepNotify script??
Posted on 12-17-2019 06:04 AM
Yes, we create the user's account in prestage so it logs in automatically and kicks off DEPNotify. Every aspect of the script is working except for package installation.
Plist creation is fine, properly relays the computer's name and other asset information to the server, etc.
Posted on 12-17-2019 06:30 AM
@sshort I tried your profile with no success :(
Posted on 12-17-2019 06:41 AM
If I point the network segment I am testing on to the HTTP/HTTPS DP everything works fine.
Posted on 12-17-2019 07:06 AM
I have also moved to the HTTP/HTTPS cloud DP.
Having a functioning workflow is more important at the moment. However, I will continue to debug this. Just needed a working solution in the meantime.
Posted on 12-17-2019 07:30 AM
I switched from SMB to cloud and was unable to replicate the contents of cloud to SMB. I granted bash access to network volumes and this fixed the problem. I need to check if it fixes the cp error when installing packages from SMB.
Can you test out a profile like this?
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Bash Tester</string>
<key>PayloadDisplayName</key>
<string>Bash Tester</string>
<key>PayloadIdentifier</key>
<string>3CE7323C-527B-4E61-A382-6CA1910871E3</string>
<key>PayloadOrganization</key>
<string>Trinity</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadUUID</key>
<string>147B368C-0894-424C-8FB8-E3DD38B1B03E</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Services</key>
<dict>
<key>AppleEvents</key>
<array>
<dict>
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.finder" and anchor apple</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.finder</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.apple.bash" and anchor apple</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>/bin/bash</string>
<key>IdentifierType</key>
<string>path</string>
</dict>
<dict>
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.systemuiserver" and anchor apple</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.systemuiserver</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.apple.bash" and anchor apple</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>/bin/bash</string>
<key>IdentifierType</key>
<string>path</string>
</dict>
<dict>
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.systemevents" and anchor apple</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.systemevents</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.apple.bash" and anchor apple</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>/bin/bash</string>
<key>IdentifierType</key>
<string>path</string>
</dict>
</array>
<key>SystemPolicyNetworkVolumes</key>
<array>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.apple.bash" and anchor apple</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>/bin/bash</string>
<key>IdentifierType</key>
<string>path</string>
</dict>
</array>
</dict>
</dict>
</array>
<key>PayloadDescription</key>
<string>Bash Tester</string>
<key>PayloadDisplayName</key>
<string>Bash Tester</string>
<key>PayloadIdentifier</key>
<string>3CE7323C-527B-4E61-A382-6CA1910871E3</string>
<key>PayloadOrganization</key>
<string>Trinity</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadUUID</key>
<string>4A664E5A-4355-4136-9C4F-2255852C7D2C</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>payloadScope</key>
<string>system</string>
</dict>
</plist>
Posted on 12-17-2019 12:34 PM
@mlizbeth Still not working for me. So far the only thing that has resolved the issue for me is pointing it at a HTTP/HTTPS DP. I'm going to look into converting my SMB DPs over.
Posted on 12-17-2019 04:16 PM
I encountered this same situation in my on-prem environment (and still on 10.15.1) and working with Jamf support on this. Haven't figured out a working resolution yet though.
Posted on 12-20-2019 11:11 AM
FWIW I have had much better success using launchctl asuser or launchctl bootstrap versus sudo -u user_name as far as getting DEP Notify to reliably launch and work in the user context.
Posted on 01-06-2020 11:59 AM
I haven't seen any issues with DEPNotify installing on Catalina, but I have noticed that the DEPNotify Registration UI sheet is blank when deploying on Catalina (10.15.1). I'm referring to the optional interface that prompts for site-specific values such as Hostname, Department, Building, etc. The sheet doesn't render any info at all, other than the button to advance to the next step.
Edit: I'm running DEPNotify 1.1.4 (1.1.5 is out). Need to update and test again.