Posted on 11-05-2018 01:36 PM
I wrote a quick and dirty script to detect if SIP is disabled, and then notify the user.
#!/bin/bash

# Paths to binaries
JAMFHELPER="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

# Prompt GUI Config
GUI_WINDOW_TITLE="Jamf - System Integrity Protection Disabled"
GUI_ICON="/Library/Application Support/Iterable/logo.png"
GUI_MESSAGE="We have detected your macOS System Integrity Protection (SIP) is disabled. Please re-enable it as soon as possible."
GUI_BUTTON1="OK"
GUI_BUTTON2="Enable SIP"

# Get the System Integrity Protection status
sip_status=$(csrutil status)

if [[ ${sip_status} == *"disabled"* ]]; then
    userSelection=$("$JAMFHELPER" -windowType utility -title "$GUI_WINDOW_TITLE" -icon "$GUI_ICON" -description "$GUI_MESSAGE" -button1 "$GUI_BUTTON1" -button2 "$GUI_BUTTON2")
    if [ "$userSelection" == "2" ]; then
        open https://developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html
    else
        exit 0
    fi
fi
exit $?;
The script works fine when I run it locally, but it doesn't work so well when it executes through policy:
Script result: 2018-11-05 11:39:42.290 jamfHelper[33228:2536785] GetInputSourceEnabledPrefs user file path = /Users/ankur.mathur/Library/Preferences/com.apple.HIToolbox.plist
2018-11-05 11:39:42.291 jamfHelper[33228:2536785] GetInputSourceEnabledPrefs effective user id path = 0
LSOpenURLsWithRole() failed with error -600 for the URL https://developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html.
Any suggestions?
Posted on 11-05-2018 02:22 PM
Not sure about the error. However, if you are running 10.12.2 or better you can re-enable SIP with
/usr/bin/csrutil clear
and at the next restart SIP is enabled. No need to have the user do it. Here is a blog post that Eric Gomez did about it.
Posted on 11-05-2018 03:18 PM
Outstanding, thank you @m.donovan - I'll rewrite the script to do this to reduce complexity.
Posted on 11-06-2018 01:15 AM
I am also having these kinds of errors with JAMF Helper and some of our operations rely on this. Does anyone here know what's going on with it?
Thanks.
Posted on 11-06-2018 06:02 AM
I finally got some time to test your script. It worked both locally and as a policy on 10.11 - 10.14. I am currently running JamfPro 10.6.1 on self hosted Linux servers. What version of JamfPro are you running?
Posted on 11-06-2018 09:57 AM
10.7.1-t1536934276
That said, I ended up refactoring the script to use /usr/bin/csrutil clear when SIP is disabled. Much cleaner, and no more errors :)
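As an added example (not code from the thread or from Jamf), here is one way the refactor described above could look: it classifies `csrutil status` by its status line only, so per-feature "disabled" lines in a custom configuration do not match the way the original substring test would, and it runs `csrutil clear` only on 10.12.2 or later. The function names, the action labels and the sample outputs are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not from the thread. SAMPLE_* values are constructed.
SAMPLE_ENABLED='System Integrity Protection status: enabled.'
SAMPLE_DISABLED='System Integrity Protection status: disabled.'
SAMPLE_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).
Configuration:
	Kext Signing: disabled'

# Classify by the status line only, so per-feature "disabled" lines
# in a custom configuration are not mistaken for SIP being off.
sip_state() {
    case "$1" in
        *"Protection status: enabled (Custom Configuration)"*) echo custom ;;
        *"Protection status: enabled."*)  echo enabled ;;
        *"Protection status: disabled."*) echo disabled ;;
        *) echo unknown ;;
    esac
}

# True when the macOS version ($1) is 10.12.2 or later, where the thread
# says `csrutil clear` re-enables SIP at the next restart.
supports_csrutil_clear() {
    local major minor patch
    IFS=. read -r major minor patch <<EOF
$1
EOF
    minor=${minor:-0}; patch=${patch:-0}
    [ "$major" -gt 10 ] && return 0
    [ "$major" -eq 10 ] && [ "$minor" -gt 12 ] && return 0
    [ "$major" -eq 10 ] && [ "$minor" -eq 12 ] && [ "$patch" -ge 2 ] && return 0
    return 1
}

# Decide the action: $1 = `csrutil status` output, $2 = macOS version.
remediate() {
    case "$(sip_state "$1")" in
        enabled)  echo compliant ;;
        disabled) if supports_csrutil_clear "$2"; then echo clear; else echo notify; fi ;;
        *)        echo review ;;   # custom or unparsed output: leave to an admin
    esac
}

# Act only on a Mac and only as root (Jamf policies run scripts as root).
if [ -x /usr/bin/csrutil ] && [ "$(id -u)" -eq 0 ]; then
    action=$(remediate "$(/usr/bin/csrutil status)" "$(/usr/bin/sw_vers -productVersion)")
    echo "SIP action: $action"
    if [ "$action" = clear ]; then /usr/bin/csrutil clear; fi
fi
```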