Jamf Pro to run shell script to use osascript to control Finder via Apple events

jelockwood
Contributor

Sadly Apple continue to make life harder for us Mac admins. 😒

I currently need to uninstall Sophos Anti-Virus from every Mac so I can then replace it with an alternative. (This is because Sophos still have not released a fully native Apple Silicon version.)

It would be easy to use a script to run the Sophos uninstall command, and bypassing the anti-tamper measures of Sophos is also easy. The problem is an Apple one.

Sophos correctly uses System Extensions. For macOS Big Sur there seem to be only two working approaches that let you uninstall System Extensions. Either you can turn off SIP and do whatever you want, or you use the only other method, and clearly the one Apple want you to use, which is to drag the application that contains the System Extensions to the Bin. This then triggers an OS dialog asking for user approval to remove the contained system extensions. If you otherwise uninstall Sophos, or drag the wrong thing, or use a script to delete items, the System Extensions do not get uninstalled and will remain forever more.

As mentioned this is not Sophos' fault and affects any other software using System Extensions. As one example article on this topic see - https://grahamrpugh.com/2021/04/06/delete-system-extension-command-line.html

In theory the systemextensionsctl tool has an uninstall option and this indeed did work in Catalina but it does not if SIP is enabled on macOS Big Sur.

So, what I am trying to do is write a shell script that uses osascript to 'tell' the Finder to move the required applications to the Bin. In fact before I get that far I wisely decided to do a much simpler and safer test which was to have a shell script which uses osascript and tells the Finder to open a new Finder window.

#!/bin/sh

osascript <<EOF
tell application "Finder"
activate
make new Finder window
end tell
EOF

This script itself seems fine, but I am hitting a problem with it resulting in:

Running script Test osascript...

Script exit code: 1

Script result: 37:59: execution error: Not authorised to send Apple events to Finder. (-1743)

I have created a PPPC profile in Jamf Pro to allow Jamf itself (as per https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles), /usr/bin/osascript and Terminal.app to send Apple Events to the Finder. Attached is an example of this PPPC.

[Attachment: Screenshot 2021-11-18 at 18.29.41.png]

So why is this still failing?

Note: The intent is that the final script tells the Finder to move the offending files to the Bin, which will trigger the Apple dialogs asking the user to approve this; that uninstalls the System Extensions, and I will then, in the same script, complete the rest of uninstalling Sophos and trigger a reboot. After the reboot the replacement Anti-Virus tool will be installed.


sdagley
Honored Contributor II

@jelockwood Scripts running from the Jamf binary run as root, and you need to run an AppleScript as the user. A good article on how to do that is Running a Command as another User 

As an alternative to your AppleScript, it turns out it _is_ possible to remove a System Extension on Mac without prompting the user. @rtrouton documented it in this blog post: https://derflounder.wordpress.com/2021/10/26/silently-uninstalling-system-extensions-on-macos-monter... 

jelockwood
Contributor

Hi, your information all makes sense. I am first trying the simple Finder control script, this time running 'as user'. Unfortunately I am still getting the same error:

35:57: execution error: Not authorised to send Apple events to Finder. (-1743)

Here is the current code in the script

 

export PATH=/usr/bin:/bin:/usr/sbin:/sbin

# get the currently logged in user
currentUser=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ { print $3 }' )

# global check if there is a user logged in
if [ -z "$currentUser" -o "$currentUser" = "loginwindow" ]; then
  echo "no user logged in, cannot proceed"
  exit 1
fi
# now we know a user is logged in

# get the current user's UID
uid=$(id -u "$currentUser")

# main code starts here

# run script as user
if [ "$currentUser" != "loginwindow" ]; then
  	launchctl asuser "$uid" sudo -u "$currentUser" /usr/bin/osascript <<-EOF
tell application "Finder"
	activate
	make new Finder window
end tell
EOF
else
    echo "no user logged in"
    # uncomment the exit command
    # to make the function exit with an error when no user is logged in
    # exit 1
fi

 

I tried the same script on a Mac running a much older version of macOS and it works. It is failing under macOS 11.6.1 Big Sur.

I do have the following two profiles deployed to the test Big Sur Mac; in theory these should allow Jamf, Terminal and osascript to send Apple Events.

https://drive.google.com/file/d/1Kb2r7ZQyYEHJqdzredHD-isrsozrvfBy/view?usp=sharing

https://drive.google.com/file/d/15h4E9BN1n_lJpUYFsxUIH4h7-hxc0Jxo/view?usp=sharing 

sdagley
Honored Contributor II

@jelockwood The sudo -u is redundant if you're using launchctl asuser

jelockwood
Contributor

@sdagley True, but the article you pointed me to suggested using both as a way to bullet-proof the command. (For the benefit of others: sudo -u runs the command as the specified user.)

This also does not answer the issue of not being able to get it permission to send an Apple event. 😥
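The two replies above (run the AppleScript in the user's session; whether sudo -u is redundant next to launchctl asuser) pull together into the following script. It is an added example, not code from the thread or from the "Running a Command as another User" article: launchctl asuser only moves the process into the console user's Mach bootstrap (GUI) session and leaves the uid as root, so sudo -u is what actually drops to the user, and the two are complementary. The script also guards against the login window and Setup Assistant's _mbsetupuser account, and it tells the TCC refusal seen in the thread, "(-1743)", apart from an ordinary script failure. It cannot make that refusal go away: TCC decides that from the PPPC profile, which has to cover the process sending the event (osascript) and the responsible process that launched it (the jamf binary), which is why the OP's profiles cover both. The user name "jane", the temp-file handling and the log messages are mine.

```shell
#!/bin/sh
# Added example (not from the thread): run an AppleScript from a Jamf policy,
# which executes as root, inside the console user's GUI session, and report a
# TCC Apple events denial (-1743) distinctly from other failures.
export PATH=/usr/bin:/bin:/usr/sbin:/sbin

# Extract the console user's short name from scutil output read on stdin
# ("show State:/Users/ConsoleUser" prints a dictionary containing a
# "Name : <user>" line). Reading stdin keeps the parser testable offline.
console_user_from_scutil() {
    awk '/Name : / { print $3 }'
}

# A session we can send Apple events in: not empty, not the login window and
# not Setup Assistant's temporary _mbsetupuser account.
usable_console_user() {
    case "$1" in
        ""|loginwindow|_mbsetupuser) return 1 ;;
        *) return 0 ;;
    esac
}

# Map osascript's exit status and stderr to a reason: ok, tcc-denied (the
# "(-1743)" errAEEventNotPermitted error quoted in the thread) or failed.
classify_osascript_result() {
    status=$1
    errtext=$2
    if [ "$status" -eq 0 ]; then
        echo ok
        return 0
    fi
    case "$errtext" in
        *"(-1743)"*) echo tcc-denied ;;
        *) echo failed ;;
    esac
}

# Run the AppleScript supplied on stdin as user $1. launchctl asuser moves the
# process into that user's Mach bootstrap session so it can reach Finder, but
# it does NOT change the uid (still root); sudo -u does that part.
run_applescript_as_console_user() {
    user=$1
    uid=$(id -u "$user") || return 2
    errfile=$(mktemp) || return 2
    if launchctl asuser "$uid" sudo -u "$user" /usr/bin/osascript 2>"$errfile"; then
        status=0
    else
        status=$?
    fi
    errtext=$(cat "$errfile")
    rm -f "$errfile"
    case "$(classify_osascript_result "$status" "$errtext")" in
        ok) echo "osascript ran in $user's session" ;;
        tcc-denied)
            echo "TCC refused the Apple event (-1743) in $user's session."
            echo "Check that the PPPC profile covers osascript and the responsible"
            echo "(launching) process for Apple events to Finder: $errtext" ;;
        *) echo "osascript failed (status $status): $errtext" ;;
    esac
    return "$status"
}

main() {
    user=$(echo "show State:/Users/ConsoleUser" | scutil | console_user_from_scutil)
    if ! usable_console_user "$user"; then
        echo "no usable console user (got '${user:-none}'), cannot proceed"
        return 1
    fi
    # The same harmless test the thread uses; the real Finder actions go here later.
    run_applescript_as_console_user "$user" <<'EOF'
tell application "Finder"
    activate
    make new Finder window
end tell
EOF
}

# Only talk to scutil/launchctl on macOS; the functions above work anywhere.
if [ "$(uname -s)" = Darwin ]; then
    main
fi
```

Once this reports ok for the test window, the body of the heredoc can be replaced with the action the OP describes, for example tell application "Finder" to delete (POSIX file "/Applications/Example.app" as alias) with the real application path in place of the hypothetical one; whether that reproduces the drag-to-Bin approval dialog is what the OP still has to test.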

Hugonaut
Valued Contributor

@jelockwood This did it for me.

#!/bin/bash

rm -R "/Library/Sophos Anti-Virus/product-info.plist"

"/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer" --force_remove


jelockwood
Contributor

@sdagley Thank you for the pointer to Richard's article. I had seen and read an earlier article by him on this topic but I had not seen this much newer one. I will look into it further and do more testing.

@Hugonaut Yes, I had found this command here in the Jamf Community and already tried it. My admittedly brief testing suggests it does uninstall Sophos but leaves the System Extensions installed and running. This would be consistent with the article by Graham Pugh I linked to in my original message. Again I shall be doing more testing.

Based on the miserable failure still of Sophos to provide a native Apple Silicon version, I don't hold out a lot of hope that Sophos have added the official mechanism for removing System Extensions as per the newer Richard Trouton article linked to by @sdagley. It is however good news that Microsoft apparently have. I am actually moving to Microsoft Defender and we are going to try it for a month or so, which their licensing terms make possible as it is a monthly subscription linked to our existing Office 365 subscription.
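The OP's opening post and the reply above both turn on the same fact: a vendor uninstaller can remove its files and still leave its System Extensions listed and running, and only systemextensionsctl tells you which. As an added example (not code from the thread, the Sophos uninstaller or the linked articles), here is the check a practitioner would run before the reboot step the OP plans: parse systemextensionsctl list and refuse to treat the vendor as gone while any of its extensions is still listed and not already pending removal on reboot. The vendor prefix com.example.av., the team ID, bundle IDs, names and the whole sample listing are constructed for the example; the column layout assumed by the parser (enabled, active, teamID, bundleID (version), name, [state], tab-separated, with one header line per extension category) is what the tool printed on Big Sur, so re-check it against a real listing on other releases.

```shell
#!/bin/sh
# Added example (not from the thread): confirm from systemextensionsctl whether
# a vendor's System Extensions are really gone after an uninstall.
export PATH=/usr/bin:/bin:/usr/sbin:/sbin

# Reduce `systemextensionsctl list` output (read from stdin) to one
# "bundleID<TAB>state" line per extension. The tool prints a count line,
# a "--- <category>" line and a tab-separated column header per category
# (enabled, active, teamID, bundleID (version), name, [state]) and then one
# tab-separated row per extension; only the rows are kept.
sysext_rows() {
    awk -F'\t' 'NF >= 6 && $1 != "enabled" { split($4, id, " "); print id[1] "\t" $NF }'
}

# Print the state of one bundle ID (empty output if it is not listed at all).
sysext_state() {
    sysext_rows | awk -F'\t' -v id="$1" '$1 == id { print $2 }'
}

# Print the bundle IDs of extensions whose ID starts with the given prefix
# (a vendor's reverse-DNS prefix) and whose state does not already say they
# are waiting to be uninstalled on reboot. Exit 0 if any remain, 1 if none.
sysexts_still_active() {
    sysext_rows | awk -F'\t' -v p="$1" \
        'index($1, p) == 1 && $2 !~ /uninstall/ { print $1; n++ } END { exit (n ? 0 : 1) }'
}

# Constructed sample listing (hypothetical team ID, bundle IDs and names) in
# the column layout described above: one extension still active, one already
# scheduled for removal at the next reboot.
sample_sysext_list() {
    printf '2 extension(s)\n'
    printf '%s\n' '--- com.apple.system_extension.endpoint_security'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    printf '*\t*\tABCDE12345\tcom.example.av.scanextension (1.2.3/1.2.3)\tExampleAV Scan\t[activated enabled]\n'
    printf '%s\n' '--- com.apple.system_extension.network_extension'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    printf '\t\tABCDE12345\tcom.example.av.networkextension (1.2.3/1.2.3)\tExampleAV Network\t[terminated waiting to uninstall on reboot]\n'
}

# On macOS: succeed only when no extension with the prefix is still active,
# so the calling policy can decide whether a reboot will finish the job.
check_vendor_removed() {
    remaining=$(systemextensionsctl list | sysexts_still_active "$1") || {
        echo "no active System Extensions with prefix $1; safe to continue"
        return 0
    }
    echo "System Extensions with prefix $1 are still active; the uninstall did not remove them:"
    echo "$remaining"
    return 1
}

# Jamf passes script parameters starting at $4; default to the hypothetical
# prefix. The parsing functions above run anywhere, the check only on macOS.
if [ "$(uname -s)" = Darwin ]; then
    check_vendor_removed "${4:-com.example.av.}"
fi
```

Run as a Jamf policy script with the vendor prefix as the first script parameter, it exits non-zero while anything of the vendor's is still active, which is exactly the situation the reply above describes after running the Sophos uninstaller.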