Posted on 06-23-2021 08:24 AM
I understand the spirit of Homebrew being secure and permissions set to the owner of the device.
I've developed a workflow around scripts that pull the latest apps via brew to newly deployed machines. I have run across a newish issue where when I try and install google-drive, it prompts for a password. If I'm running the script during DEP Notify, there's no chance to enter this password.
Logs show that a password is needed to allow it to be installed, but it knows that a script is in use and just silently ends the script and moves on to the next part of the DEP Notify workflow.
tl;dr - How do I skip password prompts in brew scripts?
Here's the code that I have:
#!/bin/sh
#
# Installs a Homebrew app. Homebrew dependent for this to work.
# Use brew search <app name> to get the exact app name to use
#
# Call the Jamf value $4 here
appName="$4"
# Get the current logged in user
loggedInUser=$(stat -f%Su /dev/console)
loggedInUID=$(id -u "$loggedInUser")
# Homebrew path needed
homebrewPath=$(/bin/launchctl asuser "$loggedInUID" sudo -iu "$loggedInUser" which brew)
# Expansions are quoted so the user name, path and app name are each passed as a single argument
if [ -f "$homebrewPath" ]
then
    /bin/launchctl asuser "$loggedInUID" sudo -iu "$loggedInUser" "$homebrewPath" install "$appName"
    exit 0
else
    echo "Homebrew not installed"
    exit 1
fi
The part in particular where I'm thinking I need to add some extra hooks is this line:
/bin/launchctl asuser "$loggedInUID" sudo -iu "$loggedInUser" "$homebrewPath" install "$appName"
Anyone have any suggestions?
Posted on 07-16-2021 01:12 AM
Hi,
I'm encountering similar issues to yours.
At the moment I run the brew installations after the enrolment, when the user logs in the first time, to have a clean Aqua session.
Some casks need to create their folders, which will be created by the script called by the installation through brew. I monitor which folders will be created with Jamf Composer so I can adapt it in my scripts. Most of the time I can use variables like you with $4, but at some points creating those folders before the installation can result in success.
So if you know which formulae and casks you need, you could create a virtual machine, give it a DEP-enabled SN and hardware ID like in the links below, snapshot it after the basic installation of macOS right before you run into the configuration assistant, and test your deployment with brew over and over again.
https://jerbecause.wordpress.com/2018/02/09/creating-a-dep-vm-using-parallels-desktop/
https://travellingtechguy.blog/vmware-dep/
Also, I install my brew packages with the following:
#!/bin/bash
# Get the user who owns the console (the logged-in user)
currentUser=$(ls -l /dev/console | awk '{print $3}')
sudo -iu "$currentUser" /usr/local/bin/brew install "$4"
or
sudo -iu "$currentUser" /usr/local/bin/brew install --cask "$4"
In the enrolment installation process nearly any task would be run by _mbsetupuser, which doesn't work with brew. Getting the real user session, running my brew install policies within the first login, and notifying the user about it works like a charm for me.
Also I created a policy with a custom trigger to install brew if it is not installed, so if the check for brew in the install brew packages policy doesn't find brew, it will install it silently and then continue with the installation of the package.
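
Added example, not code from either post: a pre-flight wrapper around the install line from the first post that refuses to run while the console belongs to _mbsetupuser (the case the reply describes), validates the Jamf parameter before it reaches sudo, and returns brew's exit status instead of always exiting 0. The function names, the exit codes and the allow-list of characters are assumptions made for this sketch; it does not suppress a cask's password prompt.

```sh
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# A real login user is required: root, loginwindow and the Setup Assistant
# account (_mbsetupuser) cannot run brew.
is_real_console_user() {
    case "$1" in
        ""|root|loginwindow|_mbsetupuser) return 1 ;;
        *) return 0 ;;
    esac
}

# Assumption: a conservative allow-list for formula/cask names, so a Jamf
# parameter cannot smuggle in options or shell metacharacters.
is_valid_brew_token() {
    case "$1" in
        ""|-*) return 1 ;;
        *[!A-Za-z0-9@._+-]*) return 1 ;;
        *) return 0 ;;
    esac
}

install_as_console_user() {
    appName="$1"
    loggedInUser=$(stat -f%Su /dev/console 2>/dev/null)
    if ! is_real_console_user "$loggedInUser"; then
        echo "No usable console user ('$loggedInUser'); not installing" >&2
        return 2
    fi
    if ! is_valid_brew_token "$appName"; then
        echo "Rejected package name: '$appName'" >&2
        return 3
    fi
    loggedInUID=$(id -u "$loggedInUser") || return 2
    homebrewPath=$(/bin/launchctl asuser "$loggedInUID" sudo -iu "$loggedInUser" which brew)
    if [ ! -f "$homebrewPath" ]; then
        echo "Homebrew not installed" >&2
        return 1
    fi
    # Return brew's own exit status so a failed install fails the policy.
    /bin/launchctl asuser "$loggedInUID" sudo -iu "$loggedInUser" "$homebrewPath" install "$appName"
}

# Jamf passes custom parameters from $4 onward; run only when one is present.
if [ "$#" -ge 4 ]; then
    install_as_console_user "$4"
    exit $?
fi
```

Tap-qualified names containing a slash are rejected by this allow-list; extend the pattern if the policy needs them.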