Login Hook not working

guidotti
Contributor II

Good Morning, all.

I am attempting to deploy a Filevault policy with a login hook.
It does not seem to be kicking off on any of my machines, and it is driving me crazy.
I enabled status windows so I could see if it is attempting to run, and it is not, although logouthook is running!
Has anyone had issues with this?

loginhook.sh is present on the clients, and the com.apple.loginwindow.plist file that it alters looks fine.
When I run the loginhook.sh script manually, the policy kicks off and all is well.

Thanks for your assistance!
I am running Yosemite 10.10.1 on the clients and Casper 9.62 on the JSS.

31 REPLIES

davidacland
Honored Contributor II

I'm guessing it's already enabled in the Check-in settings?

If it is, could you try adding something else to a login policy? That will tell you if it is login triggers in general, or just the FileVault policy.

guidotti
Contributor II

So I've tried that, and even edited loginhook.sh to just touch a file.
It is not running at all on my devices...
Any ideas?

brad
Contributor

Does it work at logout? We were having some issues with 10.10 and using the login trigger but it would work on logout.

brad
Contributor

Also, can you try any other payload in a login policy, does it kick off?

guidotti
Contributor II

OK, so logouthook is working fine.
Startup script is working fine.
Just not loginhook.sh!

I can use a launchdaemon and manually launch things.
I've only been testing on Yosemite since I don't have a Mavericks machine handy.
Did you hear from anyone else or JAMF that loginhook is having issues on 10.10.x?

brad
Contributor

This might be totally random but it just popped in my head, are the permissions the same for loginhook.sh as the logouthook.sh?
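The permissions comparison asked about above can be scripted. This is an added example, not part of the original thread; the function names are hypothetical and the two hook paths are passed as arguments because the thread does not give their location. Since login hooks run as root, it also flags a hook that is writable by group or others.

```shell
#!/bin/sh
# Added example: compare owner/mode of two hook scripts and sanity-check each.

# Print "mode uid gid" using portable ls output (drops any trailing @ or + flag).
hook_meta() {
    ls -ldn -- "$1" 2>/dev/null | awk '{print substr($1, 1, 10), $3, $4}'
}

# Return 0 if the hook is a regular file, owner-executable, and not
# writable by group or others.
hook_is_sane() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    mode=$(hook_meta "$1" | awk '{print $1}')
    case "$mode" in
        ???[xs]*) ;;    # owner execute bit is set
        *) echo "not executable by owner: $1 ($mode)"; return 1 ;;
    esac
    case "$mode" in
        ?????w*|????????w*)
            echo "writable by group/others: $1 ($mode)"; return 1 ;;
    esac
    return 0
}

# Return 0 if both hooks have the same mode, uid and gid; 1 otherwise.
compare_hooks() {
    a=$(hook_meta "$1")
    b=$(hook_meta "$2")
    if [ "$a" != "$b" ]; then
        echo "differs: $1 [$a] vs $2 [$b]"
        return 1
    fi
    echo "same: [$a]"
}

# Usage: sh check_hooks.sh /path/to/loginhook.sh /path/to/logouthook.sh
if [ "$#" -eq 2 ]; then
    hook_is_sane "$1"
    hook_is_sane "$2"
    compare_hooks "$1" "$2"
fi
```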

BenDenham
New Contributor

Hi @guidotti
Have you tried pulling the trigger from Terminal and seeing if it finds and runs the policy?
On the client open terminal and run the command "sudo jamf policy -trigger login". Enter the admin password and the machine will poll the JSS for any outstanding policies set to run on Login and execute.

Also can run "sudo jamf policy -trigger any" to check for any policies due to run on any trigger.

guidotti
Contributor II

@BenDenham to answer your question:

When I run the trigger manually, it works fine.
When I run loginhook.sh as root, it works fine.
It's just that the loginhook.sh is not running on its own.
Very mysterious...

alexjdale
Valued Contributor III

Silly question, but is the network active and the JSS reachable when the computer is at the login screen? I know some folks use network profiles where wifi is only enabled at login time, and I wonder if a timing issue could cause the login hook to think the JSS is not available since the network is not yet up.

guidotti
Contributor II

@alexjdale I am using USB to ethernet adapters.
In the future, I may use wi-fi that connects at login with AD credentials, but right now, USB to ethernet.
I still haven't figured this out. I might resort to explicitly calling loginhook.sh in a launchd that stays there permanently... Not sure if that is a terrible idea! :D

sgorney
New Contributor III

Hi.

I am also having this issue with JSS 9.63 and a Mavericks client doing the same payload for FileVault. Manual trigger does not fire off the policy. It will run if I delete the policy and then re-create it, but then it stops working after a short period.

guidotti
Contributor II

I never did get this to work.
I ended up using a self-service policy that technicians kick off to enable FileVault when we deploy the devices... Let me know if you find anything out.

davidacland
Honored Contributor II

On a related note, I've been hearing people say recently that enabling FileVault with a config profile is the preferred method. Tried it a few weeks ago and it did work well.

A workaround to get back to a more automated system could be to deploy a LaunchAgent into /Library/LaunchAgents that triggers a policy.

sgorney
New Contributor III

Yeah. I may use the Config Profiles. Thing is, this workflow was working in 9.61, stopped when I updated to 9.93.

bentoms
Release Candidate Programs Tester

@guidotti, custom login/logout hooks can conflict with the JSS deployed ones, https://jamfnation.jamfsoftware.com/article.html?id=131 so that may be what you've been seeing.

Also, for the policy working then failing... What's the scope & execution frequency?

guidotti
Contributor II

Ben, thanks for the information.
I will try to revisit it again and see if the behavior is still happening the same way.
@davidacland I tried to use config profiles but they were flaky for me; that's why I went with self-service for the technicians. @sgorney can answer his scope & execution frequency.

sgorney
New Contributor III

Hey,
Glad I brought this back to life. I have no custom login/logout hooks set, just the ones as set in the Check-In settings in the JSS. @bentoms The scope is set to all managed clients, login, once per user, limited to jss-assigned user on computer.

dfarnworth
New Contributor III

Not sure if I'm dragging this off-topic, but I'm seeing a similar issue on a machine here. I have a login policy that will not run on first login, only subsequent logins. It is set up as ongoing, run on login and I can see the scope is good for the machine in question. Creating a new policy (not cloned), scoped and triggered the same also does not run the first time I login, only the second time. Startup and enrolment policies do run as expected and the login policies always run on any login after the first.

Logs (below) show that the JAMF binary is informing the JSS of the login, but that there is no subsequent check for login policies in response.

Any thoughts?
Dan

2015-3-3 9:31:8 Formatted Macintosh HD
Tue Mar 03 01:34:01 ukm032159 jamf[559]: Creating user ca...
Tue Mar 03 01:35:00 ukm032159 jamf[559]: Enforcing management framework...
Tue Mar 03 01:35:00 ukm032159 jamf[559]: Enforcing scheduled tasks...
Tue Mar 03 01:35:00 ukm032159 jamf[559]: Adding launchd task com.jamfsoftware.task.1...
Tue Mar 03 01:35:00 ukm032159 jamf[559]: Creating launch daemon...
Tue Mar 03 01:35:00 ukm032159 jamf[559]: Downloading the agent...
Tue Mar 03 01:35:01 ukm032159 jamf[559]: Creating launch agent...
Tue Mar 03 01:35:03 ukm032159 jamf[990]: Checking for policies triggered by "enrollmentComplete"...
Tue Mar 03 01:35:03 ukm032159 jamf[990]: Upgrading JAMF notification service...
Tue Mar 03 01:35:04 ukm032159 jamf[990]: Upgrading Self Service.app...
Tue Mar 03 01:35:05 ukm032159 jamf[990]: Executing Policy IMAGING WKFLOW - Enrolment Complete...
Tue Mar 03 01:35:07 ukm032159 jamf[990]:    Installing CocoaDialog-v3.0.0b7.pkg...
Tue Mar 03 01:35:12 ukm032159 jamf[990]:    Successfully installed CocoaDialog-v3.0.0b7.pkg.
Tue Mar 03 01:35:56 ukm032159 jamf[8794]: Checking for policies triggered by "startup"...
**Tue Mar 03 01:42:38 ukm032159 jamf[972]: Informing the JSS about login for user macadmin** <-- *First Login*
Tue Mar 03 01:51:35 ukm032159 jamf[9110]: Checking for policies triggered by "logout" for user "macadmin"...
Tue Mar 03 01:51:36 ukm032159 jamf[9110]: Executing Policy Hide UID below 500...
Tue Mar 03 01:53:35 ukm032159 jamf[9090]: Checking for policies triggered by "recurring check-in"...
Tue Mar 03 01:53:37 ukm032159 jamf[9090]: Executing Policy Auto Populate Location and Update inventory...
Tue Mar 03 01:54:08 ukm032159 jamf[9090]: Executing Policy Reset macadmin password...
Tue Mar 03 01:54:08 ukm032159 jamf[9090]:   Installing PasswordReset201212.pkg...
Tue Mar 03 01:54:11 ukm032159 jamf[9090]:   Successfully installed PasswordReset201212.pkg.
Tue Mar 03 01:54:12 ukm032159 jamf[9090]:   Reset password for macadmin
**Tue Mar 03 01:57:53 ukm032159 jamf[9615]: Informing the JSS about login for user macadmin** <-- *Second Login*
**Tue Mar 03 01:57:53 ukm032159 jamf[9615]: Checking for policies triggered by "login" for user "macadmin"...** <-- *Login policies now running*
Tue Mar 03 01:57:54 ukm032159 jamf[9615]: The management framework will be enforced as soon as all policies are done executing.
Tue Mar 03 01:57:54 ukm032159 jamf[9615]: Executing Policy IMAGING WKFLOW - TEST_TEST...
Tue Mar 03 01:57:54 ukm032159 jamf[9615]: Adding launchd task com.jamfsoftware.task.checkForTasks...
Tue Mar 03 01:57:56 ukm032159 jamf[9713]: Enforcing management framework...
... etc etc
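The pattern in the log above (a login reported to the JSS with no login-policy check from the same jamf process) can be searched for automatically. This is an added example, not part of the original post; the function names are hypothetical and the sample lines are constructed in the same format as the excerpt.

```shell
#!/bin/sh
# Added example: list logins reported to the JSS that were never followed by
# a check for "login" policies from the same jamf PID. Reads log lines on stdin.
logins_without_policy_check() {
    awk '
    match($0, /jamf\[[0-9]+\]: /) {
        pid = substr($0, RSTART + 5, RLENGTH - 8)   # digits between [ and ]
        msg = substr($0, RSTART + RLENGTH)          # text after "jamf[PID]: "
        if (msg ~ /^Informing the JSS about login for user /) {
            user = msg
            sub(/^Informing the JSS about login for user /, "", user)
            rec[++n] = $1 " " $2 " " $3 " " $4 " pid=" pid " user=" user
            pend[pid] = n        # login awaiting its policy check
            missing[n] = 1
        } else if (msg ~ /^Checking for policies triggered by "login"/ &&
                   (pid in pend)) {
            delete missing[pend[pid]]
            delete pend[pid]
        }
    }
    END { for (i = 1; i <= n; i++) if (i in missing) print rec[i] }'
}

# Constructed sample input (host and user names are made up).
sample_log() {
    cat <<'EOF'
Tue Mar 03 01:35:56 lab-mac jamf[8794]: Checking for policies triggered by "startup"...
Tue Mar 03 01:42:38 lab-mac jamf[972]: Informing the JSS about login for user tester
Tue Mar 03 01:51:35 lab-mac jamf[9110]: Checking for policies triggered by "logout" for user "tester"...
Tue Mar 03 01:57:53 lab-mac jamf[9615]: Informing the JSS about login for user tester
Tue Mar 03 01:57:53 lab-mac jamf[9615]: Checking for policies triggered by "login" for user "tester"...
EOF
}

sample_log | logins_without_policy_check
```

To run it against a real log, pipe the file into `logins_without_policy_check` instead of `sample_log`.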

Nix4Life
Valued Contributor

Had a similar issue last month. Gave up and started using outset:
https://github.com/chilcote/outset

Good write-up by Graham Gilbert:
http://grahamgilbert.com/blog/2015/01/04/migrating-scriptrunner-to-outset/

dfarnworth
New Contributor III

Thanks, but I'm not sure that's going to resolve our issue here.

Does anyone know when the Login/Logout Hooks are actually created on the local machine by the binary/framework?

sgorney
New Contributor III

@danf_burberry What version of the JSS are you running?

dfarnworth
New Contributor III

I'm beginning to suspect that this may be a Yosemite problem.

Being that Hooks are now deprecated (and have been for a while), do JAMF have any plans to re-implement Launchd-stylee?

dfarnworth
New Contributor III

Hi @sgorney

We're running 9.63

haggan
New Contributor II

I'm also experiencing problems with login hook and 10.10.3. My build hangs around 50% as long as my login hook is active.

I have a very special setup and I'm not really sure if a LaunchDaemon would be able to fully replace this feature. Working on it now.

Anyone got login hook working under 10.10.3?

bentoms
Release Candidate Programs Tester

@haggan when running policies at login, the JSS is calling them via a Login Hook.

Maybe yours & JAMF's are conflicting?

haggan
New Contributor II

@bentoms

No, only one login hook can be used at the same time, besides, I'm not using Casper yet...
I solved my problem by no longer using LoginHook, something we probably all should do.

A good replacement is MagerValp's LoginScriptPlugin. See here:

https://github.com/MagerValp/LoginScriptPlugin

and

https://developer.apple.com/library/mac/technotes/tn2228/_index.html

Cheers

bentoms
Release Candidate Programs Tester

@haggan I just presumed that as you were posting here you were using the suite.

AFAIK, Per's tool is extremely experimental. But if it works for you, then go for it.

mtiffany
New Contributor III

Looks like no one has posted on this thread in a while so I'm going to use the defibrillator to bring it back!

I'm a noob so please forgive me in advance.

I'm also having difficulty with the loginhook. It is enabled on my JSS. My policy is a dock policy to make dock the same for all new users providing them with tiles for apps used by our students. I'm also removing tiles not needed. We are an AD environment and I run a cron every morning at 4AM to delete all users except my local admin account. Thus all users are new every day. We have about 1800 students that could use these lab iMacs so this is the best solution for us that I personally can think of at the moment.

So it appears that loginhooks do not run when a user is first created. If I logout and log back in, my loginhook for the dock runs perfectly. I can run it manually, and it runs perfectly. I can change the policy to run at recurring check-in, and it runs perfectly. I do get very weird results when I set the policy to Network State Change...basically it seems the policy is running on new user login but it removes all dock tiles save Finder and Trash.

I'm trying to figure out a way that my noob self can make this happen. I used to do it with a custom English.lproj file that I placed into /System/Library/User Template/ . This process however doesn't seem to work anymore with 10.11 El Capitan. (Thanks Apple!) So my thoughts are maybe create a script to run my policy and find a way to add it as a login item in the default user template? But I have no idea where or how to do that.

Any suggestions?

franton
Valued Contributor III

Just had a quick scan of the thread. The following springs to mind:

Do you have Casper suite set to deliver login and logout policies? If so, that'll be why as Casper will overwrite your login hook.

My thoughts: Ditch the loginhook! If you need it to run on user login, use a launch agent. Unless you need root, in which case there are ways to work around the launchdaemon running immediately thing.

The other thing to look at is Outset. This is the handiest way I know of running scripts that are locally stored on a machine.

HollyShort
New Contributor

I'm sorry If I'm asking something obvious but I don't quite understand your cron job. Do you use AD users or local users?
Concerning the login hook: I think you're right, login hooks don't work for me as well when a user is first logged in.
Maybe have a look at that? El Capitan User Template dock customisation issue

mtiffany
New Contributor III

@HollyShort Thanks for the link, I'll read up on that. For now I've just about got a custom English.lproj working. One minor permissions issue but I'll keep hammering away at that. Regarding your question, our iMacs are bound to our AD and users log in via their AD credentials. Unfortunately this creates an account locally and we don't want them to be saving or doing anything college students will do (nuff said on that). So we have a script to delete any account that doesn't match our local admin account. The cronjob runs that script every day at 4AM.

@franton Thanks for the advice. I've gone back to trying to get a skeleton account set up. That worked best for us when at 10.10. I'm running into one problem with it. When I use my "setup" account to create how I want the default profile to look, I tar it, rename the original English.lproj to English.lproj.Orig and untar the one I created into /System/Library/User Templates/. Then I do a chown to root:wheel on my created English.lproj. This gets me the dock and all the settings I want with only one snag. When a new AD user logs in and opens a Finder window, the favorites sidebar: Documents, Downloads, and Desktop don't work. I get an error that I don't have permission to open them. If I right click on those links and click Show in Enclosing Folder, it takes me to the "setup" account's home folder.