Error running script via Policy on end-user Mac

P_Featherstonha
New Contributor III

Hi all - I have a small issue.
Background - our organization pumped out the JAMF Enrol process to our existing fleet of Macs via the old (now decommissioned) Mac Management System (not used anymore). This process was 100% successful in getting the Mac fleet enrolled in our JAMF instance.

The only issue is that we have a considerable amount of Mac computers that have not had the end-user manually Approve the JAMF MDM Profile in System Preferences.

I have created a Policy that runs a script on all Mac computers reporting to JAMF that have an Un-approved MDM Profile.

When the Policy executes (at Recurring Check-in) the following error occurs in the JAMF Policy status:

Script result: 36:476: execution error: An error of type -10822 has occurred. (-10822)
open requires some user to be logged in at the console, even when run as root.

Below is the script I am using in the Policy:

#!/bin/bash

osascript -e 'tell app "System Events" to display alert "You must Approve the Company MDM Profile for your Mac.

Click on the OK button below and do the following:

  1. Click on the Profile labeled MDM Profile in the Device Profiles Column. It is identified by a yellow alert triangle.

  2. Click on the Approve button.

  3. When prompted, click on Approve again.

The Approval of the MDM Profile is critical in keeping your Mac maintained & secure."'

open /System/Library/PreferencePanes/Profiles.prefPane/
jamf recon

I have also tried using the JAMF Message System but of course if the MDM Profile has not been Approved on the end-user Mac side this will not work.

Any assistance would be greatly appreciated :)

Cheers - Paul

4 REPLIES

P_Featherstonha
New Contributor III

I have also tested using a Terminal window and sudo jamf policy
This obviously works fine :)

shaquir
Contributor III

Hi @P.Featherstonhaugh ,

Since your script works in terminal, you may just have to whitelist Jamf's ability to call on Apple Events. A great starting point would be uploading @rtrouton's Privacy Settings Whitelist - Jamf Notifications to Configuration Profiles (I think later versions of Jamf may automatically do this).

If that doesn't resolve it, you can try opening the Profile Preferences as the logged in user (since Jamf runs things as root, it's often helpful to run specific events as the current logged in user):

su - $(stat -f%Su /dev/console) -c "open /System/Library/PreferencePanes/Profiles.prefPane/"

Or try:

#!/bin/sh
/usr/bin/osascript <<EOF
tell application "System Preferences"
    activate
    set current pane to pane id "com.apple.preferences.configurationprofiles"
end tell
EOF

P_Featherstonha
New Contributor III

Hooroo Shaquir :)

Thanks for the response. I may have confused you with the actual issue though I think :) lol

The Preferences Pane for Configuration Profiles is working fine. The issue is that the initial part of the script that displays a nice message for the end-user is not working - will not display when the Policy initiates in JAMF on the end-user Mac computer.

Remember - this is a Mac that has been enrolled into JAMF, BUT, the end-user has not Approved the MDM Profile. So applying the Privacy Policy Whitelist to the Mac will not work as the initial MDM Profile has not been approved :)

Though, as I mentioned, when I activate the command "sudo jamf policy" in a Terminal instance it works a treat. Without this, just letting the JAMF Policy run at a recurring check-in, it fails to display the message but will do the Prefs Pane as expected.

I think maybe I need to have the message part of the script run as the current logged in user. Not being too good with the Apple side scripting I'd appreciate anyone advising how this can be done in the script :)

Any further help would be greatly appreciated.

Cheers and thanks all in advance - Paul

shaquir
Contributor III

Hi Paul:
Try swapping that AppleScript with jamfHelper, which is automatically installed. It should be natively approved:

#!/bin/sh
# Icon shown in the dialog
icon="/CompanyLogo.png"
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
# Show the HUD window; the trailing backslashes keep this one command
answer=$( "$jamfHelper" \
    -windowType hud \
    -title "Company" \
    -heading "MDM Approval" \
    -description "1. Click on the Profile labeled MDM Profile in the Device Profiles Column. It is identified by a yellow alert triangle.

2. Click on the Approve button.

3. When prompted, click on Approve again." \
    -icon "$icon" \
    -button1 "OKay" )

The jHelper GUI is a good tool to create Jamf designed dialogs.
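
One way to run the message part as the current logged-in user, which is what the second reply from Paul asks about. This is an added example and not code from either poster; the function names, the LAUNCHCTL/SUDO variables and the shortened alert wording are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: run the GUI steps in the console user's session, not as root.
# Absolute paths avoid PATH lookups in a root context; the two variables are
# overridable so the logic can be exercised on a machine that is not a Mac.
LAUNCHCTL="${LAUNCHCTL:-/bin/launchctl}"
SUDO="${SUDO:-/usr/bin/sudo}"
# Alert wording shortened from the original post.
ALERT='display alert "You must Approve the Company MDM Profile for your Mac." message "Click OK, select the MDM Profile in the Device Profiles column, then click Approve."'

# Accounts that own /dev/console when nobody is really logged in.
is_real_user() {
    case "$1" in
        ""|root|loginwindow|_mbsetupuser) return 1 ;;
        *) return 0 ;;
    esac
}

# Owner of the console device (same stat call as earlier in the thread).
console_user() {
    stat -f%Su /dev/console 2>/dev/null
}

# Run "$@" in the user's GUI session: launchctl asuser selects that user's
# bootstrap context, sudo -u drops root. Quoted arguments are passed as-is.
run_as_user() {
    ru_name="$1"; ru_uid="$2"; shift 2
    "$LAUNCHCTL" asuser "$ru_uid" "$SUDO" -u "$ru_name" "$@"
}

# Show the alert, then open the Profiles pane, only if someone is logged in.
notify_console_user() {
    user="${1:-$(console_user)}"
    if ! is_real_user "$user"; then
        echo "no console user; alert skipped"
        return 0
    fi
    uid=$(id -u "$user") || return 1
    run_as_user "$user" "$uid" /usr/bin/osascript -e "$ALERT"
    run_as_user "$user" "$uid" /usr/bin/open /System/Library/PreferencePanes/Profiles.prefPane/
}

# Act only on macOS; elsewhere the file just defines the functions.
if [ "$(uname -s)" = "Darwin" ]; then
    notify_console_user
fi
```

The `jamf recon` call from the original script can follow `notify_console_user` unchanged, since it is meant to run as root.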