Login Hook not working

I'm guessing its already enabled in the Check-in settings?

If it is, could you try adding something else to a login policy. That will tell you if it is login triggers in general, or just the filevault policy.

So I've tried that, and even edited loginhook.sh to just touch a file.
It is not running at all on my devices...
Any ideas?

Does it work at logout? We were having some issues with 10.10 and using the login trigger but it would work on logout.

Also, can you try any other payload in a login policy, does it kick off?

OK, so logouthook is working fine.
Startup script is working fine.
Just not loginhook.sh!

I can use a launchdaemon and manually launch things.
I've only been testing on Yosemite since I don't have a Mavericks machine handy.
Did you hear from anyone else or JAMF that loginhook is having issues on 10.10.x?

This might be totally random but it just popped in my head, are the permissions the same for loginhook.sh as the logouthook.sh?

Hi @guidotti
Have you tried pulling the trigger from terminal and see if it finds and runs the policy?
On the client open terminal and run the command "sudo jamf policy -trigger login". Enter the admin password and the machine will poll the JSS for any outstanding policies set to run on Login and execute.

Also can run "sudo jamf policy -trigger any" to check for any policies due to run on any trigger.

@BenDenham to answer your question:

When I run the trigger manually, it works fine.
When I run loginhook.sh as root, it works fine.
It's just that the loginhook.sh is not running on it's own.
Very mysterious...

Silly question, but is the network active and the JSS reachable when the computer is at the login screen? I know some folks use network profiles where wifi is only enabled at login time, and I wonder if a timing issue could cause the login hook to think the JSS is not available since the network is not yet up.

@alexjdale I am using USB to ethernet adapters.
In the future, I may use wi-fi that connects at login with AD credentials, but right now, USB to ethernet.
I still haven't figured this out. I might resort to explicitly calling loginhook.sh in a launchd that stays there permanently... Not sure if that is a terrible idea! :D

Hi.

I am also having this issue with JSS 9.63 and a Mavericks client doing the same payload for file vault. Manual trigger does not fire off the policy. It will run if I delete the policy and then re-create it, but then is stops working after a short period.

I never did get this to work.
I ended up using a self-service policy that technicians kick off to enable FileVault when we deploy the devices... Let me know if you find anything out.

On a related note, I've been hearing people say recently that enabling FileVault with a config profile is the preferred method. Tried it a few weeks ago and it did work well.

A workaround to get back to a more automated system could be to deploy a LaunchAgent into /Library/LaunchAgents that triggers a policy.

Yeah. I may use the Config Profiles. Thing is this workflow was working in 9.61, stopped when I updated to 9.93

@guidotti, custom login/logout hooks can conflict with the JSS deployed one's,https://jamfnation.jamfsoftware.com/article.html?id=131 so that may be what you've been seeing.

Also, for the policy working than failing... What's the scope & execution frequency?

Ben, thanks for the information.
I will try to revisit it again and see if the behavior is still happening the same way.
@davidacland I tried to use config profiles but they were flaky for me; that's why I went with self-service for the technicians. @sgorney can answer his scope & execution frequency.

Hey,
Glad I brought this back to life. I have no custom login/logout hooks set, just the ones as set in the Check-In settings in the JSS. @bentoms The scope is set to all managed clients, login, once per user, limited to jss-assigned user on computer.

Not sure if I'm dragging this off-topic, but I'm seeing a similar issue on a machine here. I have a login policy that will not run on first login, only subsequent logins. It is set up as ongoing, run on login and I can see the scope is good for the machine in question. Creating a new policy (not cloned), scoped and triggered the same also does not run the first time I login, only the second time. Startup and enrolment policies do run as expected and the login policies always run on any login after the first.

Logs (below) show that the JAMF binary is informing the JSS of the login, but that there is no subsequent check for login policies in response.

Any thoughts?
Dan

2015-3-3 9:31:8 Formatted Macintosh HD
Tue Mar 03 01:34:01 ukm032159 jamf[559]: Creating user ca...
Tue Mar 03 01:35:00 ukm032159 jamf[559]: Enforcing management framework...
Tue Mar 03 01:35:00 ukm032159 jamf[559]: Enforcing scheduled tasks...
Tue Mar 03 01:35:00 ukm032159 jamf[559]: Adding launchd task com.jamfsoftware.task.1...
Tue Mar 03 01:35:00 ukm032159 jamf[559]: Creating launch daemon...
Tue Mar 03 01:35:00 ukm032159 jamf[559]: Downloading the agent...
Tue Mar 03 01:35:01 ukm032159 jamf[559]: Creating launch agent...
Tue Mar 03 01:35:03 ukm032159 jamf[990]: Checking for policies triggered by "enrollmentComplete"...
Tue Mar 03 01:35:03 ukm032159 jamf[990]: Upgrading JAMF notification service...
Tue Mar 03 01:35:04 ukm032159 jamf[990]: Upgrading Self Service.app...
Tue Mar 03 01:35:05 ukm032159 jamf[990]: Executing Policy IMAGING WKFLOW - Enrolment Complete...
Tue Mar 03 01:35:07 ukm032159 jamf[990]:    Installing CocoaDialog-v3.0.0b7.pkg...
Tue Mar 03 01:35:12 ukm032159 jamf[990]:    Successfully installed CocoaDialog-v3.0.0b7.pkg.
Tue Mar 03 01:35:56 ukm032159 jamf[8794]: Checking for policies triggered by "startup"...
**Tue Mar 03 01:42:38 ukm032159 jamf[972]: Informing the JSS about login for user macadmin** <-- *First Login*
Tue Mar 03 01:51:35 ukm032159 jamf[9110]: Checking for policies triggered by "logout" for user "macadmin"...
Tue Mar 03 01:51:36 ukm032159 jamf[9110]: Executing Policy Hide UID below 500...
Tue Mar 03 01:53:35 ukm032159 jamf[9090]: Checking for policies triggered by "recurring check-in"...
Tue Mar 03 01:53:37 ukm032159 jamf[9090]: Executing Policy Auto Populate Location and Update inventory...
Tue Mar 03 01:54:08 ukm032159 jamf[9090]: Executing Policy Reset macadmin password...
Tue Mar 03 01:54:08 ukm032159 jamf[9090]:   Installing PasswordReset201212.pkg...
Tue Mar 03 01:54:11 ukm032159 jamf[9090]:   Successfully installed PasswordReset201212.pkg.
Tue Mar 03 01:54:12 ukm032159 jamf[9090]:   Reset password for macadmin
**Tue Mar 03 01:57:53 ukm032159 jamf[9615]: Informing the JSS about login for user macadmin** <-- *Second Login*
**Tue Mar 03 01:57:53 ukm032159 jamf[9615]: Checking for policies triggered by "login" for user "macadmin"...** <-- *Login policies now running*
Tue Mar 03 01:57:54 ukm032159 jamf[9615]: The management framework will be enforced as soon as all policies are done executing.
Tue Mar 03 01:57:54 ukm032159 jamf[9615]: Executing Policy IMAGING WKFLOW - TEST_TEST...
Tue Mar 03 01:57:54 ukm032159 jamf[9615]: Adding launchd task com.jamfsoftware.task.checkForTasks...
Tue Mar 03 01:57:56 ukm032159 jamf[9713]: Enforcing management framework...
... etc etc

Had a similar issue last month. Gave up and started using outset:
https://github.com/chilcote/outset

Good Write up By Graham Gilbert:
http://grahamgilbert.com/blog/2015/01/04/migrating-scriptrunner-to-outset/

Thanks, but I'm not sure that's going to resolve our issue here.

Does anyone know when the Login/Logout Hooks are actually created on the local machine by the binary/framework?

@danf_burberry What version of the JSS are you running?

I'm beginning to suspect that this may be a Yosemite problem.

Being that Hooks are now deprecated (and have been for a while), do JAMF have any plans to re-implement Launchd-stylee?

Hi @sgorney

We're running 9.63

I'm also experiencing problems with login hook and 10.10.3. My build hang around 50% as long as my login hook is active.

I have a very special setup and I'm not really sure if a LaunchDaemon would be able to fully replace this feature. Working on it now.

Anyone got login hook working under 10.10.3?

@haggan when running polices at login, the JSS is calling them via a Login Hook.

Maybe yours & JAMFs are conflicting?