Skip to main content
Question

Error running script via Policy on end-user Mac

P
Forum|alt.badge.img+4

Hi all - I have a small issue.
Background - our organization pumped out the JAMF Enrol process to our existing fleet of Mac's via the old (now decommissioned) Mac Management System (not used anymore). This process was 100% successful in getting the Mac fleet enrolled in our JAMF instance.

The only issue is that we have a considerable amount of Mac computers that have not had the end-user manually Approve the JAMF MDM Profile in System Preferences.

I have created a Policy that runs a script on all Mac computers reporting to JAMF that have an Un)-approved MDM Profile.

When the Policy executes (at Recurring Check-in) the following error occues in the JAMF Policy status:

Script result: 36:476: execution error: An error of type -10822 has occurred. (-10822)
open requires some user to be logged in at the console, even when run as root.

Below is the script I am using in the Policy:

!/bin/bash

*osascript -e 'tell app "System Events" to display alert "You must Approve the Company MDM Profile for your Mac.

Click on the OK button below and do the following:

  1. Click on the Profile labeled MDM Profile in the Device Profiles Column. It is identified by a yellow alert triangle.

  2. Click on the Approve button.

  3. When prompted, click on Approve again.

The Approval of the MDM Profile is critical in keeping your Mac maintained & secure."'

open /System/Library/PreferencePanes/Profiles.prefPane/
jamf recon
*

I have also tried using the JAMF Message System but of course if the MDM Profile has not been Approved and the end-user Mac side this will not work.

Any assistance would be greatly appreciated :)

Cheers - Paul

    4 replies

    P
    Forum|alt.badge.img+4

    I have also tested using a Terminal windows and sudo jamf policy
    This obviously works fine :)

    S
    Forum|alt.badge.img+9
    • shaquir
    • Contributor
    • 154 replies
    • May 15, 2020

    Hi @P.Featherstonhaugh ,

    Since your script works in terminal, you may just have to whitelist Jamf's ability to call on Apple Events. A great starting point would be uploading @rtrouton's Privacy Settings Whitelist - Jamf Notifications to Configuration Profiles (I think later versions of Jamf may automatically do this).

    If that doesn't resolve it, you try opening the Profile Preferences as the logged in user (since Jamf runs things as root, its often helpful to run specific events as the current logged in user): 

    su - $(stat -f%Su /dev/console) -c "open /System/Library/PreferencePanes/Profiles.prefPane/"

    Or try:

    #!/bin/sh
/usr/bin/osascript <<EOF
tell application "System Preferences"
    activate
    set current pane to pane id "com.apple.preferences.configurationprofiles"
end tell
EOF
    msample
    1 person likes this
    • msample
      msample
    P
    Forum|alt.badge.img+4

    Hooroo Shaquir :)

    Thanks for the response. I may have confused you with the actual issue though I think :) lol

    The Preferences Pane for COnfiguration Profiles is working fine. The issue is that the initial part of the script that displays a nice message for the end-user is not working - will not display when the Policy initiates in JAMF on the end-user Mac computer.

    Remember - this is a Mac that has been enrolled into JAMF, BUT, the end-user has not Approved the MDM Profile. So applying the Privacy Policy Whitelist to the Mac will not work as the initial MDM Profile has not been approved :)

    Though, as I mentioned, when I activate the command "sudo jamf policy" in a Terminal instance it works a treat. Without this, and just letting the JAMF Policy run a recurring checking and it fails to display the message but will do the Prefs Pane as expected.

    I think maybe I need to have the message part of the script run as the current logged in user. Not being too good with the Apple side scripting I'd appreciate anyone advising how this can be done in the script :)

    Any further help would be greatly appreciated.

    Cheers and thanks all in advance - Paul

    S
    Forum|alt.badge.img+9
    • shaquir
    • Contributor
    • 154 replies
    • May 19, 2020

    Hi Paul:
    Try swapping that Applescript with jamfHelper which is automatically installed. It should be natively approved:

    #!/bin/sh
icon="/CompanyLogo.png"
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
answer=$( "$jamfHelper" 
-windowType hud 
-title "Company" 
-heading "MDM Approval" 
-description "1. Click on the Profile labeled MDM Profile in the Device Profiles Column. It is identified by a yellow alert triangle.  
    


      

    1. Click on the Approve button. 
      2. 

    2. When prompted, click on Approve again." 
-icon "$icon" 
-button1 "OKay"  )

    The jHelper GUI is a good tool to create Jamf designed dialogs.

    msample
    C
    2 people like this
    • msample
      msample
    • C
      ctarbox

    Reply


    Most helpful members this week

    Terms & ConditionsCookie settingsAccessibility statement

    Cookie policy

    We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

     
    Cookie settings