Full Disk Access / Network Volume access for script

jamfac
New Contributor

Dear all,

I have a rather specific issue with the aggressive PPPC since macOS Catalina. Currently I'm testing on 11.3 (Beta). Since network homes are not possible anymore, I have a more local approach running in our lab. However, to allow at least a little user configuration I was planning on creating a LaunchAgent that copies e.g. Safari Bookmarks and application plists to the network home mounted via SMB and syncs them back on relogging. I'm pretty sure this will work fine; however, I'm fighting with the aggressive PPPC now. If executing the script manually, the system asks if "Terminal" may access network volumes. Fine! But if executing the script via the LaunchAgent I always get a permission denied. I read only that a workaround would be to create an App, put the script in there and then whitelist the app with a PPPC profile via Jamf. I already tried this with several solutions: Script Editor, Platypus, manually created and so on. I codesigned the App but I still get a permission denied. Does somebody maybe have a tip on how to allow a script called via LaunchAgent to access network volumes? I despair about this.

Kind regards,
L B


ianatkinson
Contributor

Hi, did you ever fix this? I'm having the same issue :(

ianatkinson
Contributor

OK, I've just managed to fix this. I'll type it up for anyone else searching.

The LaunchAgent that runs the script needed setting to explicitly call the shell, rather than relying on the shebang in the script, so it's called as follows:

    <key>ProgramArguments</key>
    <array>
        <string>/bin/bash</string>
        <string>/Users/Shared/LAU/login.sh</string>
    </array>

I then made a PPPC config profile specifically for the shell in question (bash in this case); I already had one for Terminal, but that does not work. Adding the rights needed (i.e. access files on a network volume) to the new PPPC has sorted it.

Ian

jamfac
New Contributor

Hello,

I'm sorry that I never answered my own thread. I fixed it a similar way. I have a configuration profile with PPPC:

    Identifier: /bin/bash
    Identifier Type: Path
    Code Requirement: identifier "com.apple.bash" and anchor apple

    AppleEvents: Allow
        com.apple.systemevents
        BundleID
        identifier "com.apple.systemevents" and anchor apple

    SystemPolicyAllFiles: Allow
    SystemPolicyNetworkVolume: Allow


In the LaunchAgent I don't have to specifically call bash; instead I call my own script as "Program", and in there is the bash shebang line. This way, in the meantime, I'm rsyncing entire Library folders to mounted SMB shares! Hope this helps!