Okta Device Trust Error on Keychain Access

KevyKev_7
New Contributor II

Hey there Jamf people! 

I am currently hitting a wall during Okta Device Trust Enrollment. 

ERROR: Command '['launchctl', 'asuser', '502', 'sudo', '-u', 'jcombs', 'security', 'default-keychain']' returned non-zero exit status 1. 
ERROR: Error in accessing default keychain

During my testing, I had it set to a custom trigger so I could invoke the policies I need whenever, and that all worked great. I would get the certificates downloaded just fine. However, since replacing the policy with one that runs on either enrollment complete or recurring check-in, I get the above error: "Error in accessing default keychain."

If I switch it back to a custom trigger to test again though, it works flawlessly and enrolls/downloads the certificate no problem. 

I am using the scripts and guide from Okta and can't find anything like this in their troubleshooting section. I also tried searching here on Jamf to see if anyone else ran into this, but can't seem to find anything similar.

Does anyone by chance know why it would fail on recurring check-in but work fine if run locally with a custom trigger, or potentially know a workaround with that?

1 ACCEPTED SOLUTION

KevyKev_7
New Contributor II

I think I got this solved for me. Posting here so that if anyone else runs into it, they can give this a try.

How I have it currently planned is 4 separate policies with custom triggers so they kick off in a specific order.

  1. policy for python upgrade (custom trigger)
  2. policy for module dependencies (custom trigger)
  3. policy for downloading the certificate needed (custom trigger)
  4. policy to invoke the other custom trigger policies in order on check-in or enrollment, run once per machine per user.

However, the way I was doing policy 4 was a script invoking the jamf command and trigger with sudo, so "sudo jamf policy -trigger pythonupgrade" or something like that. That works when you run locally, but in a script, it already runs sudo, so adding it in the script was causing it to error. So I updated the script to remove the sudos and that seemed to work no problem after that.

Hopefully that helps!

View solution in original post
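
A sketch of the policy 4 script described in the accepted solution, added here as an example (it is not the poster's script and not code from Okta or Jamf). It assumes the custom trigger names are supplied as the policy's script parameters 4 onward; "pythonupgrade" is the only trigger name that appears in the post, and the `JAMF_BIN` override variable is introduced for this example.

```shell
#!/bin/sh
# Added example: wrapper script for "policy 4". Jamf runs policy scripts
# as root, so the jamf binary is called directly, with no sudo in front.

# Default location of the jamf binary; JAMF_BIN is an override hook
# invented for this example so the function can be exercised with a stub.
JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"

# Run each custom trigger in order; stop at the first non-zero exit so a
# later policy never runs on top of a failed earlier one.
run_triggers() {
    for trigger in "$@"; do
        # Unused script parameters arrive as empty strings; skip them.
        [ -n "$trigger" ] || continue
        echo "Running: jamf policy -trigger $trigger"
        if ! "$JAMF_BIN" policy -trigger "$trigger"; then
            echo "ERROR: trigger '$trigger' failed; skipping the rest" >&2
            return 1
        fi
    done
    return 0
}

# Jamf passes mount point, computer name and username as $1-$3;
# parameters 4 onward are set in the policy's script options
# (for example: pythonupgrade, then two placeholder trigger names).
if [ "$#" -gt 3 ]; then
    if [ "$(id -u)" -ne 0 ]; then
        echo "ERROR: expected to run as root from a Jamf policy" >&2
        exit 1
    fi
    shift 3
    run_triggers "$@"
fi
```
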

4 REPLIES 4

Jonathan_Kane
New Contributor II

I'm currently new to device trust and experiencing the same issue while getting a test machine up and running for this. This is unfortunately an improvement from the registration task being unable to find the dependencies (that I installed the way Okta specified).

Thank you! I got about 25% of the way there this morning after realizing that Jamf Remote wasn't cutting the mustard. Deploying via policy did the trick!

@Jonathan_Kane  @KevyKev_7  Using the Enforce Okta Device Trust for Jamf Pro managed macOS devices guide, I am a bit confused on Step 3. I created a policy with all 3 scripts (Python 3 install, Device Trust Dependencies install, and Okta Device Registration Task) in that order. Received the following errors (see below), which indicate that although the Python 3 script did not fail, it did not install the Apple Developer Tools either - causing the subsequent scripts to fail. I believe the scripts provided in the guide are not working? What Python 3 and Device Trust Dependencies scripts did you use to successfully implement ODT on Jamf Pro? Any help would be very much appreciated. Thank you!

 

Executing Policy Install Okta Device Trust via Script
Running script A_Python 3...
Script exit code: 0
Script result: Checking for the existence of the Apple Command Line Developer Tools
xcode path is which xcode-select
Apple Command Line Developer Tools not found.
Installing 
2022-07-16 23:35:22.101 softwareupdate[11912:7233487] XType: com.apple.fonts is not accessible.
2022-07-16 23:35:22.102 softwareupdate[11912:7233487] XType: XTFontStaticRegistry is enabled.
: No such update
No updates are available.
Software Update Tool
Finding available software

Running script B_Device Trust Dependencies...
Script exit code: 1
Script result: Running pip3 install --upgrade pip
xcode-select: error: no developer tools were found at '/Applications/Xcode.app', and no install could be requested (perhaps no UI is present), please install manually from 'developer.apple.com'.
Running pip3 install pyobjc-framework-SystemConfiguration
xcode-select: error: no developer tools were found at '/Applications/Xcode.app', and no install could be requested (perhaps no UI is present), please install manually from 'developer.apple.com'.
Error running script: return code was 1.

Running script C_Okta Device Trust...
Script exit code: 1
Script result: xcode-select: error: no developer tools were found at '/Applications/Xcode.app', and no install could be requested (perhaps no UI is present), please install manually from 'developer.apple.com'.
Error running script: return code was 1.