Jamf Script running locally but via Jamf

user-1011
New Contributor

I am running the below script to autoupdate MS Defender. The script will run fine when I run it locally but will not run via Jamf

 

#!/bin/sh
cd /Library/Application\ Support/Microsoft/MAU2.0/Microsoft\ AutoUpdate.app/Contents/MacOS
./msupdate --install --apps wdav00

 

On most macs it looks like the script has run fine and Script error code is 0 but MS Defender does not update.

A few macs give below error

 

Script exit code: 139
Script result: /Library/Application Support/JAMF/tmp/ie.tudublin.script.UpdateMSDefender.sh: line 3: 11274 Segmentation fault: 11 ./msupdate --install --apps wdav00
Error running script: return code was 139.

 


chrisB
Contributor II
  • Identifiers are not case-sensitive when run interactively from the command-line, but use the character casing in the table when running from a management tool such as Jamf Pro.

Source: https://docs.microsoft.com/en-us/DeployOffice/mac/update-office-for-mac-using-msupdate

 

So you may better use "WDAV00" (than "wdav00").

sdagley
Esteemed Contributor II

@user-1011 I never tried it with MSDefender, but when using msupdate to update the standard Office apps it had to be called from the user context, not the root context scripts from Jamf Pro normally run. The following post shows a mechanism to run something as the logged in user: https://scriptingosx.com/2020/08/running-a-command-as-another-user/
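
The two replies above (identifier casing, and user context instead of root) combined into one Jamf policy script. This is an added example, not code from the thread, Microsoft or Jamf; the function names and the choice to fail when nobody is logged in are assumptions, and the `launchctl asuser ... sudo -u` pattern follows the linked scriptingosx article.

```shell
#!/bin/sh
# Added example: run msupdate for Defender in the console user's session
# from a Jamf policy script, which itself runs as root.

MSUPDATE="/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/msupdate"
APP_ID="WDAV00"                      # casing as quoted in the reply above
LAUNCHCTL="${LAUNCHCTL:-/bin/launchctl}"
SUDO="${SUDO:-/usr/bin/sudo}"

# Read the output of scutil's "show State:/Users/ConsoleUser" on stdin and print
# the console user's short name; prints nothing at the login window.
parse_console_user() {
    awk '/Name :/ && ! /loginwindow/ { print $3 }'
}

# run_as_user USER UID CMD [ARGS...]
# launchctl asuser selects the user's launchd session; sudo -u switches the
# effective user, so CMD runs in the user context the reply describes.
run_as_user() {
    user=$1; uid=$2; shift 2
    "$LAUNCHCTL" asuser "$uid" "$SUDO" -u "$user" "$@"
}

update_defender() {
    if [ ! -x "$MSUPDATE" ]; then
        echo "msupdate not found; is Microsoft AutoUpdate installed?" >&2
        return 1
    fi
    console=$(printf 'show State:/Users/ConsoleUser\n' | /usr/sbin/scutil | parse_console_user)
    if [ -z "$console" ]; then
        # Fail rather than report 0, so the policy log shows nothing was updated.
        echo "No user logged in at the console; not running msupdate" >&2
        return 1
    fi
    console_uid=$(/usr/bin/id -u "$console") || return 1
    echo "Running msupdate as $console ($console_uid)"
    run_as_user "$console" "$console_uid" "$MSUPDATE" --install --apps "$APP_ID" --wait 600
}

# Only act on macOS; elsewhere the functions are just defined.
if [ "$(uname -s)" = "Darwin" ]; then
    update_defender
    exit $?
fi
```
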

 

user-1011
New Contributor

Does a user have to log in in order for the script to run? Should it run once it checks in with Jamf?

I have also tried the below script - I'm new to scripting 

#!/bin/sh
#
# Microsoft AutoUpdate Trigger for Jamf Pro
# Script Version 1.7
#
## Copyright (c) 2020 Microsoft Corp. All rights reserved.
## Scripts are not supported under any Microsoft standard support program or service. The scripts are provided AS IS without warranty of any kind.
## Microsoft disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a
## particular purpose. The entire risk arising out of the use or performance of the scripts and documentation remains with you. In no event shall
## Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever
## (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary
## loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility
## of such damages.
## Feedback: pbowden@microsoft.com

# IT Admin constants for application path
PATH_DEFENDER="/Applications/Microsoft Defender ATP.app"

APPID_DEFENDER="WDAV00"

# Function to check whether MAU 3.18 or later command-line updates are available
function CheckMAUInstall() {
    if [ ! -e "/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/msupdate" ]; then
        echo "ERROR: MAU 3.18 or later is required!"
        exit 1
    fi
}

# Function to check whether we are allowed to send Apple Events to MAU
function CheckAppleEvents() {
    MAURESULT=$(${CMD_PREFIX}/Library/Application\ Support/Microsoft/MAU2.0/Microsoft\ AutoUpdate.app/Contents/MacOS/msupdate --config | /usr/bin/grep 'No result returned from Update Assistant')
    if [[ "$MAURESULT" = *"No result returned from Update Assistant"* ]]; then
        echo "ERROR: Cannot send Apple Events to MAU. Check privacy settings"
        exit 1
    fi
}

# Function to check whether MAU is up-to-date
function CheckMAUUpdate() {
    MAUUPDATE=$(${CMD_PREFIX}/Library/Application\ Support/Microsoft/MAU2.0/Microsoft\ AutoUpdate.app/Contents/MacOS/msupdate --list | /usr/bin/grep 'MSau04')
    if [[ "$MAUUPDATE" = *"MSau04"* ]]; then
        echo "Updating MAU to latest version... $MAUUPDATE"
        echo "$(/bin/date)"
        RESULT=$(${CMD_PREFIX}/Library/Application\ Support/Microsoft/MAU2.0/Microsoft\ AutoUpdate.app/Contents/MacOS/msupdate --install --apps MSau04)
        sleep 120
    fi
}

# Function to determine the logged-in state of the Mac
function DetermineLoginState() {
    # The following line is taken from: https://erikberglund.github.io/2018/Get-the-currently-logged-in-user,-in-Bash/
    CONSOLE="$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }')"
    if [ "$CONSOLE" == "" ]; then
        echo "No user currently logged in to console - using fall-back account"
        CONSOLE=$(/usr/bin/last -1 -t ttys000 | /usr/bin/awk '{print $1}')
        echo "Using account $CONSOLE for update"
        userID=$(/usr/bin/id -u "$CONSOLE")
        CMD_PREFIX="/bin/launchctl asuser $userID "
    else
        echo "User $CONSOLE is logged in"
        userID=$(/usr/bin/id -u "$CONSOLE")
        CMD_PREFIX="/bin/launchctl asuser $userID "
    fi
}

# Function to register an application with MAU
function RegisterApp() {
    $(${CMD_PREFIX}/usr/bin/defaults write com.microsoft.autoupdate2 Applications -dict-add "$1" "{ 'Application ID' = '$2'; LCID = 1033 ; }")
}

# Function to flush any existing MAU sessions
function FlushDaemon() {
    $(${CMD_PREFIX}/usr/bin/defaults write com.microsoft.autoupdate.fba ForceDisableMerp -bool TRUE)
    $(${CMD_PREFIX}/usr/bin/pkill -HUP "Microsoft Update Assistant")
}

# Function to call 'msupdate' and update the target applications
function PerformUpdate() {
    echo "$(/bin/date)"
    ${CMD_PREFIX}/Library/Application\ Support/Microsoft/MAU2.0/Microsoft\ AutoUpdate.app/Contents/MacOS/msupdate --install --apps $1 --wait 600 2>/dev/null
}

## MAIN
echo "Started - $(/bin/date)"
DetermineLoginState
CheckMAUInstall
FlushDaemon
CheckAppleEvents
CheckMAUUpdate
FlushDaemon
RegisterApp "$PATH_DEFENDER" "$APPID_DEFENDER"

# Only the Defender identifier is defined in this copy of the script, so update just that app.
# The OppCloseExcel call was dropped because no such function is defined here.
PerformUpdate "$APPID_DEFENDER"

echo "Finished - $(/bin/date)"

exit 0

iGuessRo
New Contributor II

Your script is calling on the CD command, which is Change Directory. So it's going to come back as a successful run because it's not actually initiating the arguments you're trying to pass to msupdate.

The easiest thing to do in this case is create a policy and add 

Files and Processes 
Execute Command
/Library/Application\ Support/Microsoft/MAU2.0/Microsoft\ AutoUpdate.app/Contents/MacOS
./msupdate --install --apps wdav00
 
Conversely, you can manage Defender with a JSON schema they provide at https://github.com/microsoft/mdatp-xplat/tree/master/macos/schema 

Thank you iGuessRo. I'm not sure what you mean by Files and processes? Sorry I'm very new to scripting so very little knowledge on it

 

iGuessRo
New Contributor II

Files and Processes is a module you can add when creating or modifying a Policy. At the bottom of that module is an option to execute a command as root. Since your script is only one command, it may be easier to get the desired result using that. With the command to run being set as -

/Library/Application\ Support/Microsoft/MAU2.0/Microsoft\ AutoUpdate.app/Contents/MacOS/msupdate -i -a wdav00

 

At first I thought your script was one line but now I see it's two. My apologies for confusing things.