Monterey "Jamf wants access to control finder"

Mojinkii
New Contributor III

Hi All,

We didn't have this issue deploying to Big Sur or earlier.
Since installing Monterey and testing policies against it, we are hit with "Jamf wants access to control finder" and "Terminal wants access to control finder". The existing PPPC seem to not work but are deployed. Nothing shows up in automation.

We have 2 other issues as well, and that's with Symantec Antivirus and Wacom, both of which worked prior.

Can anyone point me in the right direction?

Thanks

13 REPLIES

walt
Contributor III

Any more details on the solution for this? The link provided is a config profile from a few years ago and not much context on Monterey or modern Jamf versions.

Getting this prompt when deploying a script that makes an OSA call using tell Application Finder.

cbennett
New Contributor

I was getting this as well when deploying an OSA call using tell Application Finder. A contributor, timdambrosio, in another article, https://community.jamf.com/t5/jamf-pro/quot-jamf-quot-wants-access-to-control-quot-system-events-quo... suggested removing 'Tell Application "Finder" activate'. I removed that from my OSA script, as well as "end tell", and no more "Jamf wants access to control finder" prompt.

I was having this issue as well and removed 'Tell Application "Finder" activate' and the 'end tell' from my script and the prompts also ended. Thanks!!!!

Mojinkii
New Contributor III

There is so little info about this. I have read all that I can find and nothing seems to work. Does anyone have anything working in Monterey?

timlarsen
Contributor

Bump (I've been seeing this as well).

csabado
New Contributor

We've been seeing this as well on Monterey and Big Sur. Anyone found a solution yet?

ubcoit
Contributor II

Also seeing this here as well. Jamf 10.36.1. When an OSA script with a tell in it runs at login we get "Jamf wants access to system events". I've applied the GitHub configuration profiles, which work on Big Sur and older but not so much on Monterey.

Edit.

As a quick test I used cocoaDialog to get a prompt at login, no complaints about Jamf wanting to access anything, which makes sense since it's not an "Apple" system event/app. Do I want to go this route, not really.... who knows when cocoaDialog will break, but perhaps I need to. Until that day comes...

I'm seeing in the PPPC utility an option for Big Sur compatible but when I uploaded the created profile and apply it, it fails due to value of authorization missing.  Perhaps that's bugged.  The noted change selecting Big Sur compatibility appears to be user based approval vs system.  Guessing here.

Edit 2.

Should also mention when I get the Jamf wants access to system events prompt and I hit Ok, checking System Preferences ... Automation JamfDaemon > System Events appears.  JamfDaemon is contained within the Jamf.app which the Jamf app is "allowed" with the github profile.


ubcoit
Contributor II

Okay, a new week, more playing around and I have this working, tested on 10.15, 11 and 12. I have the GitHub configuration profiles installed as well. The answer above is correct in removing the "tell", which is how my policies/scripts were running before I upgraded to 10.36.1, which then broke. The difference now in my scripts is I'm running osascript as the console user. I've only got two policies/scripts that need to do this, posting the scripts below for others to consume the code for their needs. Hope it works out for you.

Profiles applied = https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles

 

 

#!/bin/bash

### Variables
fileVaultIcon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/FileVaultIcon.icns"
# The owner of /dev/console is the user logged in at the GUI
loggedInUser=$(stat -f%Su /dev/console)
loggedInUID=$(id -u "$loggedInUser")

## Check to see if the encryption process is complete
encryptCheck=$(fdesetup status)
statusCheck=$(echo "${encryptCheck}" | grep "FileVault is On.")
expectedStatus="FileVault is On."
if [ "${statusCheck}" = "${expectedStatus}" ]; then
    echo "The encryption process is complete."
    echo "${encryptCheck}"
    jamf recon
    exit 0
fi

## Show the dialog in the console user's session instead of as root
fileVaultNotify=$(/bin/launchctl asuser "$loggedInUID" sudo -iu "$loggedInUser" << EOF
/usr/bin/osascript -e 'display dialog "To enable FileVault please log out or reboot." with title "UBC IT FileVault" buttons {"Ok"} default button 1 with icon POSIX file "$fileVaultIcon"' 2>/dev/null
EOF
)

exit 0

#!/bin/bash

### Variables
apiURL="https://ladeda:8443"
serialNumber=$(ioreg -l | grep IOPlatformSerialNumber | awk '{print $4}' | cut -d \" -f 2)
jamfBrandIcon="/Library/Application Support/JAMF/Jamf.app/Contents/Resources/AppIcon.icns"
# The owner of /dev/console is the user logged in at the GUI
loggedInUser=$(stat -f%Su /dev/console)
loggedInUID=$(id -u "$loggedInUser")

## Ask for the asset number in the console user's session instead of as root
workstationName=$(/bin/launchctl asuser "$loggedInUID" sudo -iu "$loggedInUser" << EOF
/usr/bin/osascript -e 'display dialog "Please enter the asset number. e.g. A1234567" default answer "" with title "UBC IT rename workstation" buttons {"Ok"} default button 1 with icon POSIX file "$jamfBrandIcon"
set workstationName to text returned of the result' 2>/dev/null
EOF
)

if [ -z "$workstationName" ]
then
    echo "Workstation name is empty!"
    exit 1
else
    ## Rename workstation
    /usr/sbin/scutil --set HostName "$workstationName"
    sleep 3
    /usr/sbin/scutil --set LocalHostName "$workstationName"
    sleep 3
    /usr/sbin/scutil --set ComputerName "$workstationName"
    sleep 3
    /usr/bin/dscacheutil -flushcache
    xmlString="<?xml version=\"1.0\" encoding=\"UTF-8\"?><computer><general><name>$workstationName</name></general></computer>"
    # Sets the asset values in the JSS
    # $4 and $5 are the script parameters used as the API username and password
    /usr/bin/curl -s -u "$4:$5" -X PUT -H "Content-Type: text/xml" -d "$xmlString" "$apiURL/JSSResource/computers/serialnumber/$serialNumber/subset/general"
fi
exit 0
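
Added example, not part of ubcoit's post: the rename script above passes the dialog answer straight to scutil and into the XML body of the API call, and runs osascript as whichever account owns /dev/console. The functions below guard both points; their names and the naming rule (a DNS label: letters, digits and hyphens, 1 to 63 characters) are assumptions.

```shell
#!/bin/bash
# Added example; function names are hypothetical, not from the thread.

# Succeeds only when the owner of /dev/console is a real logged-in user.
# At the login window the owner is root; during Setup Assistant it is
# _mbsetupuser. Neither is a person who can answer a dialog.
is_real_console_user() {
    case "$1" in
        ""|root|loginwindow|_mbsetupuser) return 1 ;;
        *) return 0 ;;
    esac
}

# Assumed rule: a workstation name must be a DNS label (letters, digits,
# hyphen; 1-63 chars; no leading or trailing hyphen). This also keeps XML
# metacharacters such as < > & out of the body sent to the API.
is_valid_workstation_name() {
    local LC_ALL=C name="$1"
    [ "${#name}" -ge 1 ] && [ "${#name}" -le 63 ] || return 1
    case "$name" in
        -*|*-) return 1 ;;
        *[!A-Za-z0-9-]*) return 1 ;;
    esac
    return 0
}

# Run one AppleScript in the console user's session and print its result.
# $1 = console user, $2 = AppleScript source. macOS only.
ask_console_user() {
    local user="$1" uid
    is_real_console_user "$user" || return 1
    uid=$(id -u "$user") || return 1
    /bin/launchctl asuser "$uid" sudo -u "$user" \
        /usr/bin/osascript -e "$2" 2>/dev/null
}

# Prompt for the name and print it only if it passes validation.
get_workstation_name() {
    local answer
    answer=$(ask_console_user "$1" 'text returned of (display dialog "Please enter the asset number. e.g. A1234567" default answer "" buttons {"Ok"} default button 1)') || return 1
    is_valid_workstation_name "$answer" || return 1
    printf '%s\n' "$answer"
}
```

On a Mac, call `get_workstation_name "$(stat -f%Su /dev/console)"` and exit non-zero if it fails, before any scutil or curl call runs.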

 

 

 

bern
New Contributor III

Hey guys,

We are running into a similar issue using "tell" in our osascript on enroll.  We have a script on enroll that asks the user which office they are associated with.  Using PPPC before resolved the issue.  

What could I replace the tell command with that won't trigger the, "Jamf" wants access to control "SystemUIServer".  Allowing control will provide access to documents and data in "SystemUIServer", and to perform actions within that app."?

#!/bin/sh     
userDept=$(osascript -e 'tell application "SystemUIServer"
	set myDeptList to {"Detroit","Troy","Lansing","Washington D.C.","Grand Rapids","Nashville","Ann Arbor","Phoenix","Toronto","Lexington","Las Vegas","Columbus","Reno","Fort Lauderdale","Austin","Sunnyvale","Chicago" }
	set myDept to (choose from list myDeptList with prompt "Select the users office") 
	end tell')

# Map the selected office to its department code
case "$userDept" in
	"Detroit")         userOffice="010" ;;
	"Troy")            userOffice="011" ;;
	"Lansing")         userOffice="012" ;;
	"Washington D.C.") userOffice="013" ;;
	"Grand Rapids")    userOffice="014" ;;
	"Nashville")       userOffice="017" ;;
	"Ann Arbor")       userOffice="019" ;;
	"Phoenix")         userOffice="021" ;;
	"Toronto")         userOffice="023" ;;
	"Lexington")       userOffice="026" ;;
	"Las Vegas")       userOffice="027" ;;
	"Columbus")        userOffice="029" ;;
	"Reno")            userOffice="031" ;;
	"Fort Lauderdale") userOffice="032" ;;
	"Austin")          userOffice="033" ;;
	"El Paso")         userOffice="034" ;;
	"Sunnyvale")       userOffice="035" ;;
	"Chicago")         userOffice="036" ;;
esac

echo "Setting user to Department $userOffice"
/usr/local/bin/jamf recon -department $userOffice

ubcoit
Contributor II

@bern I'm no expert but try this based on my logic above...

loggedInUser=$(stat -f%Su /dev/console)
loggedInUID=$(id -u $loggedInUser)

userDept=$(/bin/launchctl asuser $loggedInUID sudo -iu $loggedInUser /usr/bin/osascript -e 'set myDeptList to {"Detroit","Troy"}' -e 'choose from list myDeptList with prompt "Select the users office:"')

bern
New Contributor III

Thank you @ubcoit ! 

James_tolley
New Contributor II

Is there a way to remove the tell command from this osascript? As soon as the 'click checkbox' command is invoked, the System Events pop-up kicks in when running remotely from Jamf:

tell application "System Preferences"
	activate
	reveal anchor "Dictation" of pane id "com.apple.preference.universalaccess"
	-- activate
	delay 0.5
	tell application "System Events"
			delay 1
		tell application "System Events" to tell process "System Preferences"
			click checkbox "Enable Voice Control" of group 1 of window "Accessibility" of application process "System Preferences" of application "System Events"
			delay 0.5
			if exists (window "Untitled" of application process "SecurityAgent" of application "System Events") then
				set value of text field 1 of window "Untitled" of application process "SecurityAgent" of application "System Events" to "$LoggedInUserUID"
				set value of text field 2 of window "Untitled" of application process "SecurityAgent" of application "System Events" to "$Password"
				click button "Unlock" of window "Untitled" of application process "SecurityAgent" of application "System Events"
			end if
		end tell
	end tell
end tell