This one has me stumped. In the past when I've needed to run a bash script as the logged in end user I've simply used something along the lines of:userName=$(stat -f %Su /dev/console) sudo -u $userName -H bash -c "jamf recon"This method seems to still work just fine IF I manually call the policy (jamf -policy) or manually initiate an inventory update (jamf recon) but when it's called with the recurring policy action or daily recurring inventory action it fails, and seems to run as root. So:Logged in as sjobs, run 'jamf -policy' = Success, policy executes, relevant lines will successfully run as sjobsLogged in as sjobs, run 'jamf recon' = Success, EA executes, relevant lines will successfully run as sjobsLogged in as sjobs, Mac is not asleep or unattended, recurring policy trigger occurs in background = Failure, policy executes, relevant lines run as rootLogged in as sjobs, Mac is not asleep or unattended, recurring inventory trigger occurs in background = Failure, EA executes, relevant lines run as rootWhere is the difference in how the script interprets when called via triggers instead of manually via terminal? At first I thought it was a Ventura issue but Big Sur and Monterey behave the same way.

Question

Execute extension attribute and policy scripts as logged in user

2 years ago
January 4, 2023
3 replies
2 views

Lapin
New Contributor
2 replies

This one has me stumped. In the past when I've needed to run a bash script as the logged in end user I've simply used something along the lines of:

userName=$(stat -f %Su /dev/console)

sudo -u $userName -H bash -c "jamf recon"

This method seems to still work just fine IF I manually call the policy (jamf -policy) or manually initiate an inventory update (jamf recon) but when it's called with the recurring policy action or daily recurring inventory action it fails, and seems to run as root. So:

Logged in as sjobs, run 'jamf -policy' = Success, policy executes, relevant lines will successfully run as sjobs
Logged in as sjobs, run 'jamf recon' = Success, EA executes, relevant lines will successfully run as sjobs
Logged in as sjobs, Mac is not asleep or unattended, recurring policy trigger occurs in background = Failure, policy executes, relevant lines run as root
Logged in as sjobs, Mac is not asleep or unattended, recurring inventory trigger occurs in background = Failure, EA executes, relevant lines run as root

Where is the difference in how the script interprets when called via triggers instead of manually via terminal? At first I thought it was a Ventura issue but Big Sur and Monterey behave the same way.

+25

sdagley
Jamf Heroes
3536 replies
2 years ago
January 4, 2023

@Lapin Using stat to determine the logged in user from the console is not a reliable mechanism. Take a look at https://scriptingosx.com/2020/08/running-a-command-as-another-user/ for an example of a more reliable mechanism for running a command as the logged in user.

Lapin
Author
New Contributor
2 replies
2 years ago
January 4, 2023

sdagley wrote:

Thanks @sdagley, I tried switching up the method to determine the logged in user but it hasn't had any effect. Manually running the policy and extension attribute works without issue but when either action runs on their own in the background it executes as root. I included a simple 'echo $user' line in the policy script, when it runs in the background that line still prints out 'sjobs' even though the rest of the user centric commands run as root. So it seems like it's pulling the logged in user without issue, but the sudo (I've also tried using su) commands to run in the user context aren't working properly.

Lapin
Author
New Contributor
2 replies
2 years ago
January 5, 2023

Example output from manually executing the policy (running sudo jamf -policy from the Mac):

Executing Policy Weekly Mac App Store Updates
Running script Weekly MAS...
Script exit code: 0
Script result: sjobs
-----------------

Mac App Store Applications:
1295203466 Microsoft Remote Desktop (10.8.0) 1333542190 1Password 7 (7.9.6) 682658836 GarageBand (10.4.7) 408981434 iMovie (10.3.5) 409201541 Pages (12.2.1) 409183694 Keynote (12.2.1) 409203825 Numbers (12.2.1) 

----------------
----------------

No available Mac App Store updates 

----------------

And an example of the same output when the policy ran on it's own via the recurring policy trigger 15 minutes later:

Executing Policy Weekly Mac App Store Updates
Running script Weekly MAS...
Script exit code: 0
Script result: sjobs
-----------------

Mac App Store Applications:
No installed apps found 

----------------
----------------

No available Mac App Store updates 

----------------

You can see that in both instances it correctly identified the logged in user (sjobs), but only when run via sudo jamf -policy did it successfully run the subsequent commands as the logged in user.

Reply

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

Cookie settings

We use 3 different kinds of cookies. You can choose which cookies you want to accept. We need basic cookies to make this site work, therefore these are the minimum you can select. Learn more about our cookies.

Basic
Functional

Normal
Functional + analytics

Complete
Functional + analytics + social media + embedded videos + marketing

Reply

Related topics

homebrew and js deloyment using only scriptsicon

macOS Conditional Access Best Practices

Extension Attribute - Give a device an EA in GUI dialogue box, dropdown, etc.icon

Run Extension Attribute as logged in user and script adviceicon

Enforcing Apple software updates in the year 2021.icon

Most helpful members this week

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded

Cookie policy

Cookie settings