Mojave requires user approval for SetDockItems script

bvanpeski
New Contributor III

In our environment we use a custom Guest account to be used in the break room. We have a script that runs on startup that sets the dock the way we need it for that environment (SetDockItems.sh). Mojave's user approval requirement means that any time the machine is rebooted or the user logs in, they need to allow the script that sets the dock to run. Does anyone know of any workaround for this so we don't have to rely on user input?

Thanks!

1 ACCEPTED SOLUTION

russeller
Contributor III

Hey @bvanpeski I have a similar script that runs at first login that sets the Dock and a bunch of other fun stuff. I ended up code signing the script. I have a launch agent kick it off at login for users.

Here is a really good write-up on how to code-sign scripts: https://carlashley.com/2018/09/23/code-signing-scripts-for-pppc-whitelisting/

Something like this:

codesign -s "Developer ID Application: Company Name (AJU874DKSKK)" -i com.company.whatever /path/to/script/scriptname

I don't use the extension. I did this so I could drop the signed script into Jamf's PPPC Utility and have it generate the "code requirements" for me. You can also grab the code requirements from the command line. Hope this helps, and maybe someone could clarify and provide a better workflow.

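As an added, worked example of the signing-plus-profile workflow (this is not code from the thread or from Carl Ashley's write-up): the functions below sign a script with the same codesign flags as above, read back the designated requirement that codesign embedded, and generate the two plists the workflow needs, a PPPC profile that pre-approves the script to send Apple Events to Finder and a LaunchAgent that runs it at login. The signing identity and identifier are the placeholders from the post; the script path, the use of a path-type identifier for a flat script, and the output file names are assumptions, so compare the generated AppleEvents entry with what Jamf's PPPC Utility produces for your signed script before deploying.

```shell
#!/bin/bash
# Added example, not code from the thread: sign a script with the flags from
# the accepted answer, read back its designated requirement, and emit the
# PPPC profile and LaunchAgent that go with it. Identity and identifier are
# the thread's placeholders; paths and file names are assumptions.
set -u

SIGNING_IDENTITY="Developer ID Application: Company Name (AJU874DKSKK)"
SCRIPT_IDENT="com.company.whatever"

# Sign a flat script in place with an explicit identifier (macOS only).
sign_script() {
    codesign -s "$SIGNING_IDENTITY" -i "$SCRIPT_IDENT" "$1"
}

# Print the designated requirement codesign embedded; this exact string is
# what the profile's CodeRequirement must carry (macOS only).
designated_requirement() {
    codesign -d -r - "$1" 2>/dev/null | sed -n 's/^designated => //p'
}

# Escape the characters that are special in XML text content.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

new_uuid() {
    uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid 2>/dev/null \
        || echo 00000000-0000-4000-8000-000000000000
}

# PPPC profile with one AppleEvents rule: <identifier> may send Apple Events
# to Finder. Usage: pppc_profile <identifier> <path|bundleID> <requirement>
pppc_profile() {
    ident="$1"; ident_type="$2"; req="$3"
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
            <key>PayloadIdentifier</key><string>${SCRIPT_IDENT}.pppc.payload</string>
            <key>PayloadUUID</key><string>$(new_uuid)</string>
            <key>PayloadVersion</key><integer>1</integer>
            <key>Services</key>
            <dict>
                <key>AppleEvents</key>
                <array>
                    <dict>
                        <key>Identifier</key><string>$(xml_escape "$ident")</string>
                        <key>IdentifierType</key><string>${ident_type}</string>
                        <key>CodeRequirement</key><string>$(xml_escape "$req")</string>
                        <key>Allowed</key><true/>
                        <key>AEReceiverIdentifier</key><string>com.apple.finder</string>
                        <key>AEReceiverIdentifierType</key><string>bundleID</string>
                        <key>AEReceiverCodeRequirement</key><string>identifier "com.apple.finder" and anchor apple</string>
                        <key>Comment</key><string>Signed Dock/wallpaper script may control Finder</string>
                    </dict>
                </array>
            </dict>
        </dict>
    </array>
    <key>PayloadDisplayName</key><string>PPPC: ${SCRIPT_IDENT} controls Finder</string>
    <key>PayloadIdentifier</key><string>${SCRIPT_IDENT}.pppc</string>
    <key>PayloadScope</key><string>System</string>
    <key>PayloadType</key><string>Configuration</string>
    <key>PayloadUUID</key><string>$(new_uuid)</string>
    <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
EOF
}

# LaunchAgent that runs the signed script at each login (Guest settings are
# reset at logout, so once per login is the right cadence). Usage: launch_agent <script path>
launch_agent() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>${SCRIPT_IDENT}</string>
    <key>ProgramArguments</key>
    <array><string>$(xml_escape "$1")</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
}

# macOS: sign, read the requirement back, write both plists next to the script.
sign_and_build() {
    sign_script "$1" || return 1
    req=$(designated_requirement "$1")
    [ -n "$req" ] || return 1
    pppc_profile "$1" path "$req" > "${1%.sh}.pppc.mobileconfig"
    launch_agent "$1" > "${1%.sh}.launchagent.plist"
}
```

Two caveats a practitioner will want: TCC payloads are only honored when the profile is installed by MDM on a user-approved enrolled Mac, not when double-clicked, and the requirement string must be the one read back from the signed file, since re-signing with a different identifier changes it and the profile then silently stops matching. Install the LaunchAgent in /Library/LaunchAgents so it runs for every user, the Guest account included.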


Hugonaut
Valued Contributor

What is your shell script calling on? Point being, are you using Dockutil?

If not, give it a whirl! - https://github.com/kcrawford/dockutil


connor
New Contributor III

Can absolutely recommend Dockutil! Really made a big difference for us!

cprimero
New Contributor III

I ran into this as well through testing. I ended up canning the script and using Dockutil. Worth looking into.

bvanpeski
New Contributor III

Yup! The script itself DOES call on dockutil. Having a difficult time getting it to work without user approval in Mojave. I've tried signing and whitelisting the script, turning it into an app and whitelist that... still no dice.

Hugonaut
Valued Contributor

@bvanpeski I have no experience using the script locally; I would have to take a deep dive into your process. What I do have experience with, regarding dockutil, is running it directly from Jamf. Are you at all able to trigger and run your process involving dockutil via Jamf? It works flawlessly for my Mojave workflow.


Nix4Life
Valued Contributor

Have you tried using dockutil with outset? I run login Docks under Mojave 10.14.3 at both the once and the every frequency with no issues.

bentoms
Honored Contributor III

@bvanpeski can you post the script?

You’ll likely have a tell application "Finder" block in there, and you should be able to remove that.

Which means that you should not then be presented with the prompt.

bvanpeski
New Contributor III

@bentoms yup, we do have an osascript with a tell application "Finder" block to set the background. I tried whitelisting using a profile to give bash/shell access to Finder, but no dice. Script is below. This is for the Guest user account as well, so it needs to be something that launches at every login, since Guest settings get wiped out between reboots/logouts.

#!/bin/bash

# script to set dock icons & wallpaper based on user account

# ---------------------------------------------------------
#   Set all Variables
# ---------------------------------------------------------
#----- Get Computer Name
CompName=$(scutil --get ComputerName)

#----- Standards
script="Set User Account Icons"
now=$(date +"%m-%d-%Y %H:%M:%S")

#----- Debugging
#bash -x ./[script_name.sh] for detailed script output
#bash -n ./[script_name.sh] for syntax checking
set -u   # treat unset variables as errors

#----- Executables
mkdir=$(command -v mkdir)
chown=$(command -v chown)
chmod=$(command -v chmod)
dockutil="/usr/local/bin/dockutil"

#----- User Account Variables
user=$(id -un)

#--- Set Logging (the user's own Logs folder; keep it private rather than world-writable)
Log="/Users/$user/Library/Logs"
if [ ! -d "${Log}" ]; then
    "$mkdir" "$Log"
    "$chown" "$user:staff" "$Log"
    "$chmod" 700 "$Log"
fi
exec >> "${Log}/Retail.SetDockIcons.log" 2>&1

#----------------------------------------------------------
#  Timestamp
#----------------------------------------------------------
echo ""
echo "##### $script"
echo "##### $now"

#----------------------------------------------------------
#  Script
#----------------------------------------------------------

# The script runs as the logged-in user, so dockutil works on that user's Dock by default.
"$dockutil" --remove all
echo "All icons have been removed from the dock for the $user user" && echo ""

if [ "$user" = mobile ]; then
    "$dockutil" --add /Applications/Tools.app
    "$dockutil" --add /Applications --view grid --display folder
    "$dockutil" --add /Applications/Utilities/ --view grid --display folder
    "$dockutil" --add "$HOME/Downloads" --view list --display folder
    rm -f ~/Desktop/*
    # Driving Finder through AppleScript is what triggers the Mojave Automation (TCC) prompt
    osascript -e 'tell application "Finder" to set desktop picture to POSIX file "/Library/Desktop Pictures/iMacSyncBackground.jpg"'
else
    "$dockutil" --add /Applications/Safari.app
    "$dockutil" --add "/Applications/Google Chrome.app"   # quoted: the path contains a space
    "$dockutil" --add /Applications/iTunes.app
    "$dockutil" --add /Applications/VLC.app
    "$dockutil" --add /Applications/Tools.app
    "$dockutil" --add /Applications --view grid --display folder
    "$dockutil" --add /Applications/Utilities/ --view grid --display folder
    "$dockutil" --add "$HOME/Downloads" --view list --display folder
    #US Config for WFM and DTC Zero Alias for desktop
    if [[ "$CompName" = RTUS* ]] && [[ "$user" != sysadmin ]]; then
        # These Finder calls trigger the same Automation prompt
        osascript -e 'tell application "Finder" to make new alias at (path to desktop folder) to file ((path to applications folder as text) & "WFM 8.0")'
        osascript -e 'tell application "Finder" to make new alias at (path to desktop folder) to file ((path to applications folder as text) & "Zero")'
    fi
    osascript -e 'tell application "Finder" to set desktop picture to POSIX file "/Library/Desktop Pictures/retailwallpaper.jpg"'
fi

echo "Changed Dock & Desktop Icons and Wallpaper for the $user User"

exit 0

bvanpeski
New Contributor III

Welp, this is still an utter mystery to me. I've done a shotgun whitelist approach to no avail, including all variants of the script itself, sh, bash, osascript, etc. I took a look at the com.apple.TCC/tcc.db database before and after clicking the approval button manually, and by all accounts the config profile I've created in Jamf SHOULD allow this to work. Attaching a screenshot to show proof that what I have set up in the Jamf config should match the settings that are in that database when approved manually. I'll update here if I discover anything new.

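As an added example (not from the thread) of the before/after check described in this post: dump the Automation (kTCCServiceAppleEvents) rows of a TCC.db, diff the two dumps to see exactly what the manual click granted, and decode the stored csreq blob back into the requirement string the profile has to match. The table definition and the rows the demo functions insert are constructed for this example and cover only the columns the check needs; the script path is assumed.

```shell
#!/bin/bash
# Added example, not code from the thread: compare the Automation (AppleEvents)
# rows of a TCC.db before and after a manual approval, and decode the stored
# code requirement. The table layout and demo rows below are constructed for
# this example and cover only the columns the check needs.
set -u

tab=$(printf '\t')

# Dump the AppleEvents rows as tab-separated lines:
# client, client_type (0 = bundle ID, 1 = path), allowed, target app.
tcc_applevents_rows() {
    sqlite3 -separator "$tab" "$1" \
        "SELECT client, client_type, allowed, indirect_object_identifier
           FROM access WHERE service = 'kTCCServiceAppleEvents' ORDER BY client;"
}

# Rows present after the click but not before: what was actually granted,
# and therefore what the PPPC profile entry has to reproduce.
tcc_diff() {
    before=$(mktemp); after=$(mktemp)
    tcc_applevents_rows "$1" | sort > "$before"
    tcc_applevents_rows "$2" | sort > "$after"
    comm -13 "$before" "$after"
    rm -f "$before" "$after"
}

# Decode the csreq blob stored for one client into a requirement string.
# Needs the macOS csreq tool; prints nothing where it is missing.
# $2 is spliced into SQL unquoted: use only with paths you control.
tcc_client_requirement() {
    sqlite3 "$1" "SELECT hex(csreq) FROM access
                  WHERE service = 'kTCCServiceAppleEvents' AND client = '$2';" \
        | xxd -r -p | csreq -r- -t 2>/dev/null
}

# Throwaway TCC.db with the Mojave-style access table and one constructed row
# (Terminal already allowed to control System Events).
make_demo_tcc_db() {
    sqlite3 "$1" <<'SQL'
CREATE TABLE access (service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL,
  allowed INTEGER NOT NULL, prompt_count INTEGER NOT NULL, csreq BLOB, policy_id INTEGER,
  indirect_object_identifier_type INTEGER, indirect_object_identifier TEXT DEFAULT 'UNUSED',
  indirect_object_code_identity BLOB, flags INTEGER, last_modified INTEGER NOT NULL DEFAULT 0,
  PRIMARY KEY (service, client, client_type, indirect_object_identifier));
INSERT INTO access (service, client, client_type, allowed, prompt_count,
                    indirect_object_identifier_type, indirect_object_identifier)
  VALUES ('kTCCServiceAppleEvents', 'com.apple.Terminal', 0, 1, 1, 0, 'com.apple.systemevents');
SQL
}

# The row a user's "OK" click adds when a script (path identifier) asks to control Finder.
add_demo_approval() {
    sqlite3 "$1" "INSERT INTO access (service, client, client_type, allowed, prompt_count,
                    indirect_object_identifier_type, indirect_object_identifier)
                  VALUES ('kTCCServiceAppleEvents', '$2', 1, 1, 1, 0, 'com.apple.finder');"
}
```

On Mojave the per-user database is ~/Library/Application Support/com.apple.TCC/TCC.db and the system one is /Library/Application Support/com.apple.TCC/TCC.db; reading either from Terminal requires Terminal itself to have Full Disk Access, so copy them somewhere first if you want to diff them with ordinary tools. The client_type of the new row tells you whether the profile needs a path or a bundleID identifier, and the decoded csreq is the string to compare against the profile's CodeRequirement.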


ryan_ball
Valued Contributor

FYI: It has nothing to do with dock items. The issue lies with the following lines in the script:

osascript -e 'tell application "Finder" to set desktop picture to POSIX file "/Library/Desktop Pictures/iMacSyncBackground.jpg"'
osascript -e 'tell application "Finder" to make new alias at (path to desktop folder) to file ((path to applications folder as text) & "WFM 8.0")'
osascript -e 'tell application "Finder" to make new alias at (path to desktop folder) to file ((path to applications folder as text) & "Zero")'
osascript -e 'tell application "Finder" to set desktop picture to POSIX file "/Library/Desktop Pictures/retailwallpaper.jpg"'

If you commented those out, you would not see the warning.

dtommey
New Contributor III

As @ryan.ball and Mac Mule have both pointed out, the issue is with the AppleScript. You don't need to use it for either instance.

Look into desktoppr to set the wallpaper.

I use something similar to this script to set the desktop picture

desktoppr="/usr/local/bin/desktoppr"   # desktoppr's installer puts it here
picturePath="$1"                       # wallpaper path passed as the first argument
loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}' )
[ -n "$loggedInUser" ] || exit 0       # nobody logged in (login window is up)
uid=$(id -u "$loggedInUser")
# run in the user's launchd context and as that user, so it sets their wallpaper rather than root's
launchctl asuser "$uid" sudo -u "$loggedInUser" "$desktoppr" "$picturePath"

Aliases can be created with

ln -s /path/to/folder /path/to/alias   # a symbolic link, which Finder shows and opens much like an alias

bvanpeski
New Contributor III

Yup! Code-signed the script, created a config profile to whitelist the newly-signed script, and all is well now. Thanks everyone!