Jamf Nation Community

jameson · ‎01-26-2022

I will just try describe the overall issue, that I have spent weeks on - overall I just don´t understand why it does not work

Overall goal is when user is finished pre-stage enrollment and seing the desktop, that right away the policies are executed. The "enrollment complete" trigger Is not reliable enough to use. so thought a launchdaemon would be easy to use - but now.

Below issue is overall to get the the launchdaemon running - as this is the main issue

I have the following code as post install script in my pre-stage packet (included in the jamf connect pkg)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.depnotify</string>
	<key>ProgramArguments</key>
	<array>
		<string>/usr/local/jamf/bin/jamf</string>
		<string>policy</string>
		<string>-event</string>
		<string>Jamfsetup</string>
	</array>
	<key>StandardErrorPath</key>
	<string>/tmp/com.depnotify.stderr</string>
	<key>StandardOutPath</key>
	<string>/tmp/com.depnotify.stdout</string>
	<key>WatchPaths</key>
	<array>
		<string>/usr/local/jamf/bin/jamf</string>
	</array>
</dict>
</plist>

So overall it should wait for the jamf binary to be there. But issue is when user is logged in and I check the launchdaemons it is not loaded for whatever reason - errorcode 78

If I install the same pkg on a running client, the launchdaemon works fine and load. So PKG is fine - but if same pkg in pre-stage it doesn´t work - and yes package is signed :)

I hope someone can explain why this does not work

DBrowning · ‎01-26-2022

Maybe check the permission, owner/group on everything.

andrew_nicholas · ‎01-26-2022

I can't say for certain, but aren't PKGs installed via the pre-stage done so with MDM commands rather than with the jamf binary? So could it be that it just isn't seeing the binary in place when it's deployed because that particular step happens after the pre-stage PKG installs?

jameson · ‎01-26-2022

Yes jamf Binary does not install pkg in pre-stage. But launchdaemon should wait for binary to appear - but something goes wrong in that

jameson · ‎01-26-2022

PKG works fine outside pre-stage. And plist is owned by Root:Wheel and 644 - also tried 755 actually

mm2270 · ‎01-26-2022

POSIX permissions on the LaunchDaemon plist should be 644, but I don't really think that's the reason it's not loading. I think it's not loading because of the use of WatchPaths in the plist. My understanding of that is that the path has to exist at the time the daemon is loaded or it will exit with an error. I have a feeling that's why when it gets installed in Pre-Stage it fails to load - the jamf agent actually isn't there yet - but if you manually install it on a Mac that already has the jamf agent in place, it loads ok.

If that's true, you might have to use a different method of kicking off your process, such as crafting a script to go along with the LaunchDaemon as its ProgramArguments and then looping every x seconds (using a StartInterval) to check if /usr/local/bin/jamf exists, then finally running the rest of your workflow.

KRIECCO · ‎01-26-2022

So something like this in the postinstall script

cat << EOF > /Library/LaunchDaemons/com.depnotify.launch.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>GroupName</key>
	<string>wheel</string>
	<key>InitGroups</key>
	<false/>
	<key>Label</key>
	<string>com.depnotify.launch</string>
	<key>Program</key>
	<string>/var/tmp/launchDEPNotify.sh</string>
	<key>RunAtLoad</key>
	<true/>
	<key>StartInterval</key>
	<integer>5</integer>
	<key>UserName</key>
	<string>root</string>
	<key>StandardErrorPath</key>
	<string>/var/tmp/depnotify.launch.err</string>
	<key>StandardOutPath</key>
	<string>/var/tmp/depnotify.launch.out</string>
</dict>
</plist>
EOF

chmod 644 /Library/LaunchDaemons/com.depnotify.launch.plist
chown root:wheel /Library/LaunchDaemons/com.depnotify.launch.plist

/bin/launchctl load -w /Library/LaunchDaemons/com.depnotify.launch.plist

And then in the

KRIECCO · ‎01-26-2022

and then in the launchDEPNotify.sh file just have

while [ ! -f /usr/local/jamf/bin/jamf]
do
	sleep 5
done

jamf policy -event xxxx

I don´t know if @mm2270 agree on this

jameson · ‎01-27-2022

So just tried like above. - but launchdaemon is loaded but with status 127 - :( It makes me crazy this issue. I don´t nearly don´t care get it working, just I can understand why it doesn´t work this

mm2270 · ‎01-27-2022

You shouldn't have double quotes around the jamf policy command in the script. That just tells the script it's a string, not a command to run.

KRIECCO · ‎01-27-2022

the following is working - I just tried to test the setup, so you are good to go now :)

cat << EOF > /Library/LaunchDaemons/com.depnotify.launch.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>GroupName</key>
	<string>wheel</string>
	<key>InitGroups</key>
	<false/>
	<key>Label</key>
	<string>com.depnotify.launch</string>
	<key>ProgramArguments</key>
	<array>
	<string>/var/tmp/launchDEPNotify.sh</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
	<key>StartInterval</key>
	<integer>5</integer>
	<key>UserName</key>
	<string>root</string>
	<key>StandardErrorPath</key>
	<string>/var/tmp/depnotify.launch.err</string>
	<key>StandardOutPath</key>
	<string>/var/tmp/depnotify.launch.out</string>
</dict>
</plist>
EOF

chmod 644 /Library/LaunchDaemons/com.depnotify.launch.plist
chown root:wheel /Library/LaunchDaemons/com.depnotify.launch.plist

/bin/launchctl load -w /Library/LaunchDaemons/com.depnotify.launch.plist

Jamf Nation Community

Launchdaemon - Any can "script guru´s" explain this