El Capitan: Manually installing the current (9.73) JAMF Framework. Success!

That would be kinda cool if Apple allowed the binaries to be there and then block their removal, just like everything else in /usr/sbin.

: )

C

@calumhunter This might explain why JAMF hasn't commented on this post. They've either had internal dialogue with Apple (under NDA) to exempt their software, or some engineer slipped it in to see if anyone noticed.

Hello, Cupertino. We heard you.

All very good to read. I was wondering what was keeping the current version from installing.

Very nice effort!

Thank you.

@dvasquez, You're welcome! This was a particularly exciting result and a happy accident at that, because I didn't even expect it to work in the first place.

Running El Capitan Public Beta 5 now (15A262e), and the jamf binary still had permission to update itself at /usr/sbin. I speculate that Apple might let this get into the Golden Master.

Checking for policies triggered by "recurring check-in"...
Upgrading jamf binary...
The management framework will be enforced as soon as all policies are done executing.
Executing Policy Update Inventory...
    Running Recon...
.
.
.
Locating hardware information (Mac OS X 10.11.0)...
Gathering application usage information...
Submitting data to https://myjss.jamfcloud.com/...
<computer_id>17</computer_id>
2015-08-31 22:27:14.455 jamf[11519:174986] -[NSError init] called; this results in an invalid NSError instance. It will raise an exception in a future release. Please call errorWithDomain:code:userInfo: or initWithDomain:code:userInfo:. This message shown only once.
Submitting log to https://myjss.jamfcloud.com/
mbp15beta:sbin macuser$ ls -la /usr/sbin/jamf*
-r-xr-x--x  1 root  wheel  4194560 Aug 31 22:26 /usr/sbin/jamf
-rwxr-xr-x  1 root  wheel   415392 Aug 11 13:11 /usr/sbin/jamfAgent
mbp15beta:sbin macuser$ /usr/sbin/jamf version
version=9.73.1438183906.c

@calumhunter , @rtrouton

I've discovered that the exception isn't exactly undocumented. If you look at this file:

/System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths

It is a rather extensive list of binaries and libraries that appear to be exempted for compatibility's sake.

The file was last modified on August 10th, 2015.

The following is an excerpt:

/usr/lib/libwkextmac.dylib
/usr/lib/pkgconfig/gutenprint.pc
/usr/libexec/aksusbd
/usr/libexec/com.matrox.vpg.Agent
/usr/libexec/com.matrox.vpg.MaxAgent
/usr/libexec/cups/backend/cifs
/usr/libexec/hasplmd
/usr/netvault
/usr/sbin/AELWriter
/usr/sbin/cups-genppd.5.2
/usr/sbin/cups-genppdupdate
/usr/sbin/fsctl_ufsd
/usr/sbin/jamf
/usr/sbin/jamfAgent
/usr/sbin/nipalsm
/usr/sbin/nmnetmgrd
/usr/sbin/nmnetmgrd_launchd
/usr/sbin/nmnetmgrd_launchd_MT
/usr/sbin/palModuleMgr.sh
/usr/sbin/proxyhelper
/usr/sbin/qmasterca
/usr/sbin/qmasterd
/usr/sbin/qmasterprefs
/usr/sbin/qmasterqd
/usr/sbin/rpc.net

@bradtchapman , good catch on that! I hadn't seen that one yet; thanks for pointing it out.

Some interesting items in /System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths. The full list as of 10.11 Developer Beta 8 is available from here:

https://forums.developer.apple.com/message/7098#47433

We have many packages and scripts here. Does anyone have any thoughts on a way to script a search look through them all for references to usr/sbin/jamf ?

@patelhn

JAMF might not have to change the binary location after all, if Apple is making an exception with rootless.

The jamf binary is moving. That's already been announced and finding that Apple's made an exception for it in its current location doesn't change that. After all, that exception could disappear at any time at Apple's discretion; JAMF doesn't have any control over that.

@bradtchapman awesome stuff man.

@patelhn Haven't yet used this myself, but here's a script that will download all of your scripts locally to make them easily searchable.

This one's for Extension Attributes.

Those are my scripts. While it should work to download them all, I would hold on doing anything on this just yet. From the above, it sounds like JAMF may not even need to update the jamf binary location, if the exceptions Apple has in the latest beta builds holds true for the final version.
Even if they do need to move them, @john.miller specifically mentioned that JAMF is looking at a way to have the JSS scan your scripts after being upgraded, and build a list for you on ones that are using the explicit binary path (/usr/sbin/jamf) so you can update them.

I don't mind if you want to use my scripts, but I just hope no-one is doing any unnecessary work this early in the game.

@mm2270 It may still be advisable to put some logic into scripts due to this from @john.miller above:

Most important, the binary is moving. We're moving away from /usr/sbin to /usr/local. This change will apply to all OS X versions OS X 10.7 and later. 10.5 and 10.6 will still stay in /usr/sbin, untouched as with most upgrades.

So if people still have 10.5 or 10.6 the migration that @john.miller mentioned may be detrimental.

If you still have 10.5 and 10.6 machines in your environment, maybe it's time to think about replacing them.

Hey everyone,

Sorry I didn't respond sooner. To your post, @bentoms ,10.5 and 10.6 machines will be unaffected. And while I'd agree with @bradtchapman about trying to upgrade machines, but I know that there is still a huge demand fro 10.6.8. This is mostly because software required for those organizations hasn't been updated, especially in education settings. So to ensure functionality for folks who can't upgrade, we're leaving the 10.5 and 10.6 stuff in place, no changes to location there. We're continuing on with that and will leave the 10.5 and 10.6 binary in place.

And yeah, as @mm2270 mentioned, the JSS will scan Extension Attributes, Policies "Files and Processes," and migrated scripts for any references to /usr/sbin/jamf. If it's found, the admin gets notified and can then change it. We won't change anything automatically.

I hope that clears it up. Thanks for keeping the discussion going.

@john.miller Thanks John.

All I was trying to say was that for those with 10.6 & newer they may not want to change via the JSS as it could break their older Macs whilst fixing the newer.

For folks who need to support both 10.6.x and lower, as well as 10.7.x and higher, I've written a way to check for the current location of the jamf binary in a script using the function shown below.

# Identify location of jamf binary.

jamf_binary=`/usr/bin/which jamf`

 if [[ "$jamf_binary" == "" ]] && [[ -e "/usr/sbin/jamf" ]] && [[ ! -e "/usr/local/bin/jamf" ]]; then
    jamf_binary="/usr/sbin/jamf"
 elif [[ "$jamf_binary" == "" ]] && [[ ! -e "/usr/sbin/jamf" ]] && [[ -e "/usr/local/bin/jamf" ]]; then
    jamf_binary="/usr/local/bin/jamf"
 elif [[ "$jamf_binary" == "" ]] && [[ -e "/usr/sbin/jamf" ]] && [[ -e "/usr/local/bin/jamf" ]]; then
    jamf_binary="/usr/local/bin/jamf"
 fi

In this case, when you wanted to reference the jamf binary in a script that uses this check, you would use $jamf_binary anywhere that you would otherwise reference /usr/sbin/jamf or /usr/local/bin/jamf

To see in context how I'm using this, please see the link below:

https://github.com/rtrouton/CasperCheck/blob/master/script/caspercheck.sh#L222-L241

@bradtchapman wrote:

If you still have 10.5 and 10.6 machines in your environment, maybe it's time to think about replacing them.

There are valid reasons some workstations in some environments need to be at the OS level they are on. One high profile fashion company that shall remain nameless requires 10.5.x to run an application that hasn't been updated in many years, but is still (best effort) supported by third party consultants. When a company makes 7 figures on something that requires an old OS, it may be time to re-think the notion that being on an old OS requires thinking about replacing them. ;) Just my dos centavos.

Dammit @john.miller if you keep this up we're going to run out of beer at JNUC2015! :)

Don

@rtrouton I'm stating the obvious perhaps, but if one simply refers to just 'jamf' instead of '/usr/sbin/jamf' then this isn't a problem at all in scripts? Not best practice, but....

Interesting, did Apple just add /Applications/Utilities to the SIP protected list?

See page 5.

"Important: This is a preliminary document for an API or technology in development."

Security configuration is stored in NVRAM, and applies to the entire machine Persists across OS install.

Also, it actually bothers me (on principle) that they've limited the use of dtrace to user processes and applications only; system processes can no longer be monitored this way. So I would have to disable SIP in order to accomplish this. That's going to mess up a few developers who turn off SIP on their machines and forget it's not enabled when testing their code.

I am in the process of planning the upgrade of our JSS from 9.72 to latest 9.8.x

I have manually reviewed all scripts referencing /usr/sbin/jamf
if I substitute the full file path and only have the script contain jamf <verb> will that negate the issue of the "new" Jamf binary locations?

@myronjoffe : It should, and that's what JAMF has recommended for a long time. When upgrading to 9.8, they gave admins a warning about scripts that contained a hardcoded path of /usr/sbin/jamf , and advised them to fix it as those would no longer work.

As long as the PATH environment variable has not been modified from its default, just typing "jamf" is good enough.