Install HomeBrew Cask application from Jamf Pro - error

AdamRea
New Contributor

Good evening all. I'm really new to Jamf, coding and forum posting, so I apologise if this is blindingly obvious or I've posted something I shouldn't.

My company has a policy to not allow staff to have admin rights. Some of our more technical users, data scientists & developers really want to be able to install, uninstall & upgrade applications via HomeBrew. We also have to balance this with applications that are within HomeBrew that our info sec team don't want installed.
In order to facilitate this we have been using the fantastic code from GitHub by HonestPunk called homebrew.sh.
We've had no issue installing Brew and command-line applications using brew-install-program.sh.
We've blocked the end user from using the Brew commands directly in the terminal by adding a custom .zshrc file to the user directory and making it immutable.

When we tried to use the brew-install-cask.sh

#!/bin/zsh


item="$4"
#######################
# check something set #
if [[ "$item" == "" ]]; then
echo "****  No item set! exiting ****"
exit 1
fi

UNAME_MACHINE="$(uname -m)"

ConsoleUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

# Check if the item is already installed. If not, install it

if [[ "$UNAME_MACHINE" == "arm64" ]]; then
    # M1/arm64 machines
    cd /tmp/ # This is required to use sudo as another user or you get a getcwd error
        if [[ $(sudo -H -iu ${ConsoleUser} /opt/homebrew/bin/brew list --casks | grep -c ${item}) == "1"  ]]; then
        echo "${item} is installed already. Skipping installation"
        else
        echo "${item} is either not installed or not available. Attempting installation..."
        sudo -H -iu ${ConsoleUser} /opt/homebrew/bin/brew install --cask ${item}
        fi
else
    # Intel machines
    cd /tmp/ # This is required to use sudo as another user or you get a getcwd error
        if [[ $(sudo -H -iu ${ConsoleUser} /usr/local/bin/brew list --casks | grep -c ${item}) == "1" ]]; then
        echo "${item} is installed already. Skipping installation"
        else
        echo "${item} is either not installed or not available. Attempting installation..."
        sudo -H -iu ${ConsoleUser} /usr/local/bin/brew install --cask ${item}
        fi
fi

we started getting an error:

a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper

I have tried removing our .zshrc file before running, but we still get the same error.

With this in mind I've tried to piece together my own code with an askpass helper as per below:

#!/bin/zsh

#Give user admin rights
U=`who |grep console| awk '{print $1}'`

# give current logged user admin rights
/usr/sbin/dseditgroup -o edit -a $U -t user admin

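# Sets up an askpass helper on the device
BIN="/usr/local/bin/askpass"; touch $BIN; chmod 755 $BIN
# -w as the last option, with no value after it, makes `security` prompt for the password
security add-generic-password -a $USER -s login -T "" -w 
# The helper prints the stored password when sudo calls it
echo "#!/bin/sh\\nsecurity find-generic-password -a $USER -s login -w" > $BIN
# Point sudo at the helper from the shell rc file
echo "\\n# Set sudo helper.\\nexport SUDO_ASKPASS=$BIN" >> ~/.${SHELL##/*/}rc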

item="$4"
#######################
# check something set #
if [[ "$item" == "" ]]; then
echo "****  No item set! exiting ****"
exit 1
fi

UNAME_MACHINE="$(uname -m)"

ConsoleUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

# Check if the item is already installed. If not, install it

if [[ "$UNAME_MACHINE" == "arm64" ]]; then
    # M1/arm64 machines
    cd /tmp/ # This is required to use sudo as another user or you get a getcwd error
        if [[ $(sudo -H -iu ${ConsoleUser} /opt/homebrew/bin/brew list --casks | grep -c ${item}) == "1"  ]]; then
        echo "${item} is installed already. Skipping installation"
        else
        echo "${item} is either not installed or not available. Attempting installation..."
        sudo -H -iu ${ConsoleUser} /opt/homebrew/bin/brew install --cask ${item}
        fi
else
    # Intel machines
    cd /tmp/ # This is required to use sudo as another user or you get a getcwd error
        if [[ $(sudo -H -iu ${ConsoleUser} /usr/local/bin/brew list --casks | grep -c ${item}) == "1" ]]; then
        echo "${item} is installed already. Skipping installation"
        else
        echo "${item} is either not installed or not available. Attempting installation..."
        sudo -H -iu ${ConsoleUser} /usr/local/bin/brew install --cask ${item}
        fi
fi

#Removes the askpass
rm -rf /usr/local/bin/askpass

# This script removes admin rights
loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {print $3}')

/usr/sbin/dseditgroup -o edit -d "$loggedInUser" -t user admin

When I run it, even with a very small application like iterm2, it just sits there spinning in Jamf Self Service for ages.

The strange thing is, if I cancel Self Service and run a different script with just the brew-install-cask.sh part, it installs iterm2. I'm afraid I can't figure out why, unless it's caching the askpass password.

I'm sure I'm missing something really simple to make this work as intended. 

Ultimately, as most of the cask applications seem to have dmg/pkg files that are downloadable from the developers, I might have to keep packaging updates for them myself, but the teams would prefer it if they can rely on HomeBrew as they'll package the updates faster than I'll be able to.

Any help or guidance from what has already proven to be a great forum would be greatly appreciated.

Thanks Ad
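
An added example, not part of the original post or of homebrew.sh: the posted script hands Jamf parameter `$4` to brew unquoted and tests for an installed cask with a substring `grep -c`, so this shows a token check, an info sec allowlist check and an exact-match installed check that could run before any brew call. The function names, the accepted token pattern and both sample lists are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of homebrew.sh. Function names and sample data are hypothetical.
LC_ALL=C; export LC_ALL   # byte-wise character ranges in the pattern below

# Constructed sample: casks approved by info sec, one token per line.
ALLOWLIST='iterm2
visual-studio-code'

# Constructed sample of `brew list --casks` output for the console user.
INSTALLED='iterm2@beta
visual-studio-code'

# Assumed token shape: lowercase letters, digits and . _ @ + - only.
# Rejects empty values, a leading "-" (would be read as a brew option),
# whitespace, slashes and shell metacharacters.
is_valid_token() {
    case "$1" in
        '' | -* | *[!a-z0-9._@+-]*) return 1 ;;
    esac
    return 0
}

# Whole-line, fixed-string match: "iterm2" does not match "iterm2@beta".
in_list() {
    printf '%s\n' "$2" | grep -Fxq -- "$1"
}

# Substring count as used in the posted script, kept for comparison.
substring_count() {
    printf '%s\n' "$2" | grep -c -- "$1"
}

# Prints the action a policy script should take for the token in $1.
decide() {
    is_valid_token "$1" || { echo "reject-invalid"; return 1; }
    in_list "$1" "$ALLOWLIST" || { echo "reject-not-approved"; return 1; }
    if in_list "$1" "$INSTALLED"; then
        echo "skip-installed"
    else
        echo "install"
    fi
}
```

With the sample data, the substring count for `iterm2` is 1 because `iterm2@beta` matches, so the posted check would report it as already installed, while the exact match correctly returns `install`.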

3 REPLIES

junjishimazaki
Valued Contributor

Hi AdamRea,

I can understand your company wants to remove admin rights from the standard users. But how do you expect the developers/engineers to do their work if you lock it down? Anyways, it's your company and they can operate it however they like. But, in regards to your question about Homebrew, look into using Installomator for deploying software from Self Service. https://github.com/Installomator/Installomator

sdagley
Esteemed Contributor II

@AdamRea Driving Brew via Jamf Pro to install software is not an extremely common approach. As @junjishimazaki recommends, you can use Installomator if your org is OK with a scripted install approach that will install software directly on an endpoint. If you require review of the packages being installed first, then you should take a look at the toolset of AutoPkg and AutoPkgr along with Suspicious Package and Apparency.

AdamRea
New Contributor

@junjishimazaki @sdagley Thank you for the input :)
Believe me, my life would be much easier if I was allowed to just give out admin rights. :(
I've had a look at Installomator and I think it will fulfil our needs for installing applications :)

Thanks again

Ad