Jamf Helper at Login window

mconners
Valued Contributor

Hello Everyone,

I know I have seen this discussion in the past but I haven't seen an answer that works for us.

We have our Jamf Helper configured and it works while a user is logged in. Is there a way or command to get the Jamf Helper window to appear over the login window?

If someone has a tried and true method you wouldn't mind sharing, I would love to see it. I know some have used a launch agent, but I am not well versed in launch agents. If you wouldn't mind sharing with me your steps, I can work to reproduce.

Thank you so much!!

32 REPLIES

cbrewer
Valued Contributor II

Using a script to write a launch agent that launches jamfHelper works pretty well. Here's an example.

#!/bin/bash

# Remove any previous copies; -f avoids an error when they do not exist yet
rm -f /private/tmp/splash_screen.sh
rm -f /Library/LaunchAgents/ORG.computer_setup.plist

#Write jamfHelper splash screen script
echo '#!/bin/bash' > /private/tmp/splash_screen.sh
# Inner quotes are escaped so they reach the generated script (the jamfHelper path contains a space)
echo "\"/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper\" -windowType fs -heading \"My Organization\" -description \"Finishing Setup...\" -icon \"/private/tmp/ORG_Logo.png\"" >> /private/tmp/splash_screen.sh
chmod +x /private/tmp/splash_screen.sh

#Write LaunchAgent to load jamfHelper script
defaults write /Library/LaunchAgents/ORG.computer_setup.plist Label "ORG.computer_setup"
defaults write /Library/LaunchAgents/ORG.computer_setup.plist LimitLoadToSessionType "LoginWindow"
defaults write /Library/LaunchAgents/ORG.computer_setup.plist ProgramArguments -array
defaults write /Library/LaunchAgents/ORG.computer_setup.plist KeepAlive -bool true
defaults write /Library/LaunchAgents/ORG.computer_setup.plist RunAtLoad -bool true
/usr/libexec/PlistBuddy -c "Add ProgramArguments: string /private/tmp/splash_screen.sh" /Library/LaunchAgents/ORG.computer_setup.plist

chown root:wheel /Library/LaunchAgents/ORG.computer_setup.plist
chmod 644 /Library/LaunchAgents/ORG.computer_setup.plist
echo "Created Launch Agent to run jamfHelper"

#launchctl load /Library/LaunchAgents/ORG.computer_setup.plist

#Kill/restart the loginwindow process to load the LaunchAgent
echo "Ready to lock screen. Restarting loginwindow process..."
kill -9 $(ps axc | awk '/loginwindow/{print $1}')
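
An added check for the agent written above (not part of cbrewer's post or of Jamf's tooling): pre-login LaunchAgents run as root, so the plist and the script named in `ProgramArguments` should be root-owned, not writable by group or others, and not sit in a world-writable directory such as `/private/tmp`. The function names and the expected-uid parameter are assumptions of this example.

```shell
#!/bin/bash
# Added example: audit what a LoginWindow LaunchAgent will execute.
# Function names and the expected-uid parameter are assumptions of this example.

# check_owned_path <path> [expected_uid]  (expected_uid defaults to 0, root)
# Prints one line per finding; returns 0 only when nothing was found.
check_owned_path() {
  local target="$1" want="${2:-0}" dir rc=0
  if [ -L "$target" ] || [ ! -f "$target" ]; then
    echo "FAIL: $target is a symlink or not a regular file"
    return 1
  fi
  dir=$(dirname "$target")
  # Numeric owner is field 3 of ls -ln on both BSD and GNU userlands.
  if [ "$(ls -ln "$target" | awk '{print $3}')" != "$want" ]; then
    echo "FAIL: $target is not owned by uid $want"; rc=1
  fi
  if [ "$(ls -lnd "$dir" | awk '{print $3}')" != "$want" ]; then
    echo "FAIL: directory $dir is not owned by uid $want"; rc=1
  fi
  # Group- or world-writable file: someone other than the owner can edit it.
  if [ -n "$(find "$target" -maxdepth 0 \( -perm -020 -o -perm -002 \))" ]; then
    echo "FAIL: $target is group- or world-writable"; rc=1
  fi
  # World-writable parent (for example /private/tmp): only the immediate
  # parent is checked here; a stricter audit would walk every ancestor.
  if [ -n "$(find "$dir" -maxdepth 0 -perm -002)" ]; then
    echo "FAIL: directory $dir is world-writable"; rc=1
  fi
  return "$rc"
}

# audit_login_agent <plist>: macOS only, reads ProgramArguments:0 with PlistBuddy.
audit_login_agent() {
  local plist="$1" prog r1 r2
  prog=$(/usr/libexec/PlistBuddy -c "Print :ProgramArguments:0" "$plist" 2>/dev/null) || {
    echo "FAIL: cannot read ProgramArguments from $plist"; return 1; }
  check_owned_path "$plist"; r1=$?
  check_owned_path "$prog";  r2=$?
  [ "$r1" -eq 0 ] && [ "$r2" -eq 0 ]
}

# Run the audit when a plist path is given on the command line.
if [ $# -gt 0 ]; then audit_login_agent "$1"; fi
```
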

mconners
Valued Contributor

@cbrewer Thank you. When I attempt to use this, the login window will flash but reappear right away without displaying the Jamf Helper window. Am I missing something or is there something more I have to do?

Kallendal
New Contributor III

This is an interesting idea.
Did you add any extra scripted items to your /private/tmp/splash_screen.sh ?

May give this a try, we are global, and trying to find ways to make the system inaccessible for X amount of minutes to assure a good image, and trickle down of scripts (date/time/set, cached files, etc.).

This can probably do the trick. Add my extra script commands into a .sh to run in the background.

@mconners were you successful in using this? or did the helper app continue not starting over the login window?

cbrewer
Valued Contributor II

I've added some more complexity to the script above. I found that I needed to determine if a user is logged in. I also need to know if that user is _mbsetupuser. Here's what I'm currently using.

Edit: old script removed. See here for current version.

denmoff
Contributor III

Wow! This is exactly what I'm looking for. Thanks @cbrewer

cbrewer
Valued Contributor II

Glad it helped you out. I've pretty much entirely replaced my imaging process with this workflow and it's been pretty smooth.

denmoff
Contributor III

@cbrewer Curious how you're deploying the ORG_Logo.png. That's a nice little touch. But not sure how to deploy it. As a package with the policy that calls the script?

cbrewer
Valued Contributor II

@denmoff I run a Once per computer policy on Enrollment trigger that deploys a DMG package with the image and then runs this script. Just make sure the script is set to run after.

jon_mann
New Contributor III

@cbrewer What part of this script actually tells the jamfhelper window to go away? I'm not seeing a kill command or unload of the launch agent in that code. How are you handling this?

cbrewer
Valued Contributor II

@jon.mann

For my very last enrollment policy, I run a script that removes the splash_screen.sh script and the LaunchAgent. Then I reboot the machine.

#!/bin/bash

if [ -f /private/tmp/splash_screen.sh ];then
  echo "Removing /private/tmp/splash_screen.sh"
  rm /private/tmp/splash_screen.sh
fi
if [ -f /Library/LaunchAgents/ORG.computer_setup.plist ];then
  echo "Removing /Library/LaunchAgents/ORG.computer_setup.plist"
  rm /Library/LaunchAgents/ORG.computer_setup.plist
fi

jon_mann
New Contributor III

Thanks @cbrewer Seeing some success doing the same but using this to kill instead of restart:

#!/bin/sh

if [ -f /private/tmp/splash_screen.sh ];then
  echo "Removing /private/tmp/splash_screen.sh"
  rm /private/tmp/splash_screen.sh
fi
if [ -f /Library/LaunchAgents/ORG.computer_setup.plist ];then
  echo "Removing /Library/LaunchAgents/ORG.computer_setup.plist"
  rm /Library/LaunchAgents/ORG.computer_setup.plist
fi

ps axco pid,command | grep jamfHelper | awk '{ print $1; }' | xargs kill -9

ktaylor25
New Contributor II

Any idea why the policy execution isn't showing in the logs? I put your script as a policy payload with a startup trigger. It works great but the log still says "pending", and so it runs again the next time I restart the computer. Or should I be running it a different way?

Thanks

cbrewer
Valued Contributor II

@ktaylor25 I use this script with an enrollment trigger set to once per computer. You won't see results in the policy log until all of the enrollment policies at the bottom of the script are finished. Maybe one of your other enrollment policies isn't finishing?

cbrewer
Valued Contributor II

I've made quite a few changes to this script since I posted it in here. Notable changes are that I now wait for the _mbsetupuser account to be logged out before proceeding. I also disable the local admin account while enrollment policies are running and then re-enable it afterward. I'm also checking the OS version so I can do things different between 10.11 and 10.12+.

Edit: old script removed. See here for current version.
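
The gating described in this post and in cbrewer's earlier one (proceed only at the login window, wait while `_mbsetupuser` holds the console, leave a logged-in user alone) can be written as below; this is an added example, not cbrewer's removed script. The function names, return codes and timeout are assumptions, and it assumes `stat -f%Su /dev/console` reports `root` when no one is logged in.

```shell
#!/bin/bash
# Added example: wait until the Mac is sitting at the login window.
# Names, return codes and the timeout are assumptions of this example.

# Owner of /dev/console (macOS stat syntax); assumed "root" at the login window.
console_user() { stat -f%Su /dev/console 2>/dev/null; }

# wait_for_login_window <timeout_s> [interval_s] [user_cmd]
# Returns 0 at the login window, 1 on timeout, 2 if a real user is logged in.
wait_for_login_window() {
  local timeout="$1" interval="${2:-5}" get_user="${3:-console_user}"
  local waited=0 user
  while :; do
    user=$("$get_user")
    case "$user" in
      root|loginwindow)
        return 0 ;;                      # nobody owns the console
      _mbsetupuser|"")
        ;;                               # Setup Assistant running or owner unknown: wait
      *)
        echo "User $user is logged in; leaving the session alone"
        return 2 ;;
    esac
    if [ "$waited" -ge "$timeout" ]; then
      echo "Timed out waiting for _mbsetupuser to log out"
      return 1
    fi
    sleep "$interval"
    waited=$((waited + interval))
  done
}

# Stand-alone use on a Mac: wait up to 10 minutes, then report the result.
if [ "${1:-}" = "--wait" ]; then
  wait_for_login_window 600 5
  echo "wait_for_login_window returned $?"
fi
```
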

a_simmons
Contributor II

@cbrewer Are you running the following for your clean up script? I've tried it with a restart but the splash screen loads on the first boot.

#!/bin/bash

if [ -f /private/tmp/splash_screen.sh ];then
  echo "Removing /private/tmp/splash_screen.sh"
  rm /private/tmp/splash_screen.sh
fi
if [ -f /Library/LaunchAgents/ORG.computer_setup.plist ];then
  echo "Removing /Library/LaunchAgents/ORG.computer_setup.plist"
  rm /Library/LaunchAgents/ORG.computer_setup.plist
fi

cbrewer
Valued Contributor II

@a.simmons Yes - I'm running that script as the last part of my enrollment process (jamf policy -event enrollment_20). The enrollment_20 policy runs that cleanup script and then reboots. As long as the launchagent is removed, there shouldn't be any way that the splash screen will load again.

a_simmons
Contributor II

@cbrewer What Jamf version are you on? Your clean up script worked correctly once I removed the reboot script. I was using your process last week without any issues, upgraded to 10.6, and now it seems the policy with the reboot script in it keeps looping. Not sure if it's linked to the upgrade.

cbrewer
Valued Contributor II

@a.simmons I'm on 10.6 as well. Are you running these policies Once per Computer? It sounds like either the LaunchAgent isn't being removed or the policy to create the LaunchAgent is running again.

a_simmons
Contributor II

Hi @cbrewer, what are you using for your reboot command? I tested 'shutdown -r now' and that makes it restart, but that's causing the policy to loop. 'jamf reboot' didn't seem like it did anything.

mconners
Valued Contributor

Hello @a.simmons you could swap out the -r for -h for halt which shuts the system down.

a_simmons
Contributor II

Hi @mconners I want it to restart and be at the login screen.

cbrewer
Valued Contributor II

@a.simmons I'm using the restart function that Jamf makes available for policies. Just set it to Current Startup Disk, Restart Immediately, Restart Immediately.

a_simmons
Contributor II

@cbrewer That worked. Thanks a lot for your assistance.

captam3rica
New Contributor III

@cbrewer Have you tried or had any luck putting the LaunchAgent piece into a package then kicking it off in the Enrollment script versus hardcoding it in?

cbrewer
Valued Contributor II

@captam3rica I prefer creating LaunchAgents with scripts. It's easy to manage. Plus, the way I'm using it, if there is a user logged in I'm able to exit the process without creating the LaunchAgent. You could package it up if you want - personal preference.

nwagner
Contributor

NVM. I am dumb. I had it as a launch daemon.

cbrewer
Valued Contributor II

If you want to use this process with macOS 10.15 (10.15.0 specifically), I've found that you need to kill the loginwindow process twice back to back in order for jamfHelper to stay present. Killing loginwindow once quickly flashes a jamfHelper screen and then it goes away.

Also, I've updated the script I'm using for this to be more versatile. I've put the LaunchAgent creation and loginwindow restarts into a function, making it easy to change the jamfHelper message if you want to.

Computer_Enrollment_LaunchAgent.sh

dkwon
New Contributor III

Thank you for your contribution. I am trying to use your script on Monterey and having an issue.

When I apply it to a Mac which no one has logged on to previously, the login screen flashes and goes back to the login screen. When I apply it to a Mac after any account has logged on and out, it works perfectly. Any suggestions I can try? Thanks!

cbrewer
Valued Contributor II

I am no longer using this method. Running jamfHelper at the login window got too unreliable for us. We are now creating a dedicated setup user account, logging into that account and then using DEPNotify for progress status. I then use a jamf startup policy and script to remove the setup account. It's much more reliable and DEPNotify is a very common workflow at this point.

dkwon
New Contributor III

Thanks. I will check out the workflow using the DEPNotify.

atrystan
New Contributor III

@cbrewer Thanks for that, I came in just to see if someone had a Catalina update available. We're going to start testing your script. Cheers!

cbrewer
Valued Contributor II

Delete