Osascript within bash run from Jamf won't work on non-admin AD accounts

tnibbsjamf
New Contributor

Hi,

I need help with a script I want to run as a Jamf policy. It's a bash script with an AppleScript entry. If I run the script from Jamf (as a policy) while logged in with an AD account w/ admin privileges, the script works. If I run the script while logged in with an AD account without admin privileges, it fails. It provides this script result: 78:127: execution error: An error of type -10810 has occurred. (-10810)

If I run the script from the machine itself or through Apple Remote Desktop (as root), it runs as intended, whether the logged-in user has admin privileges or not.

Any help would be appreciated. Thanks.

Here's the script:

#!/bin/bash

# The user name of the logged-in user
LoggedInUser=$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')

#########################################
# This function mounts the network volume
#########################################

ServerMount()
{
/usr/bin/osascript << EOF
tell application "Finder"
mount volume "smb://$LoggedInUser@company.domain.com/path/to/folder/"
end tell
EOF
}

ServerMount


amitvasani
New Contributor

@tnibbsjamf

Have you tried searching other admins' scripts? This kind of thing has been answered a number of different ways.

Check out this link:
https://www.jamf.com/jamf-nation/discussions/15108/casper-based-share-mount-script

tnibbsjamf
New Contributor

@amitvasani
Going to check out the link you posted. Thanks for answering.

tnibbsjamf
New Contributor

@amitvasani

I know the example I showed involves mounting a server, but my question is about the relationship between an AppleScript entry in a bash script, Jamf and the type of AD account.

The example I give above is part of a larger bash script that contains AppleScript throughout it.
In the example of mounting a server (and I've used other examples), if I use straight bash to mount the server, it works fine. Once I use AppleScript within the bash script, it fails.

The script above works fine through Remote Desktop or on the machine itself.

Thanks again for your help.

amitvasani
New Contributor

@tnibbsjamf Do you have error logs?

cprimero
New Contributor III

@tnibbsjamf I had nearly the same issue running an older user-input prompt. Terminal needed to access SystemEvents: Apple PPPC enabling Terminal to use SystemEvents. When manually initiated via "sudo jamf policy" it worked, but when run by recurring check-in, it failed, giving off nearly the same error. (Sorry, I do not recall the exact error; I have since moved over to Pashua for user input.)

Jamf Pro now has a configuration profile payload to enable "com.apple.terminal" to use "com.apple.finder". Maybe turning on the Privacy Preference Policy Control (PPPC) will help. It worked for me sometime last year.

I used this Utility prior to Jamf releasing the payload in Config. Profiles.
https://github.com/jamf/PPPC-Utility

Hugonaut
Valued Contributor II

@tnibbsjamf

I believe

tell application "Finder"
mount volume "smb://$LoggedInUser@company.domain.com/path/to/folder/"
end tell

is considered "user interaction" and that isn't allowed when run via Jamf. I may be 10000% wrong, but I've had a few issues before with AppleScript and user interaction when run via Jamf.

My workaround has been creating a separate AppleScript .scptd containing the AppleScript that needs to run with the correct user permissions, saved as a run-only file, deployed and hidden on the machine; then the shell script simply calls the run-only .scptd instead of containing it.


cprimero
New Contributor III

@Hugonaut, I believe, is correct; we both could be wrong.

My workaround for a user-input script that used AppleScript was to first install the script in /private/tmp, then call it using the "Files and Processes" payload execute command "/private/tmp/UsernamePrompt.sh"

PPPC payload also in configuration profiles.
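
For the root-versus-user-session question raised in this thread, a commonly used pattern is to run osascript inside the console user's GUI session with launchctl asuser rather than as root. The following is an added example, not code from any poster: the host and share path are the placeholders from the original post, the allowed character set for AD short names is an assumption, and the function names are hypothetical.

```shell
#!/bin/bash
# Added example, not from the thread. Function names are hypothetical.
SHARE_HOST="company.domain.com"   # placeholder from the original post
SHARE_PATH="path/to/folder/"      # placeholder from the original post

# Accept only characters assumed valid in an AD short name, so the value
# cannot break out of the quoted AppleScript string or the smb:// URL.
valid_user() {
    case "$1" in
        ""|root|loginwindow) return 1 ;;      # nobody is logged in
        *[!A-Za-z0-9._-]*)   return 1 ;;      # unexpected character
        *)                   return 0 ;;
    esac
}

# Print the AppleScript for one user; fails on an unsafe name.
build_mount_script() {
    valid_user "$1" || return 1
    printf 'tell application "Finder"\n    mount volume "smb://%s@%s/%s"\nend tell\n' \
        "$1" "$SHARE_HOST" "$SHARE_PATH"
}

# Run the AppleScript in the console user's GUI session instead of as root.
mount_as_console_user() {
    local user uid script
    # Owner of /dev/console is the logged-in user (no python dependency).
    user=$(/usr/bin/stat -f%Su /dev/console) || return 1
    script=$(build_mount_script "$user") || {
        echo "no usable console user: '$user'" >&2
        return 1
    }
    uid=$(/usr/bin/id -u "$user") || return 1
    # Script text goes to osascript on stdin, so nothing is staged on disk.
    printf '%s\n' "$script" |
        /bin/launchctl asuser "$uid" /usr/bin/sudo -u "$user" /usr/bin/osascript
}

# Jamf policies run as root on macOS; do nothing anywhere else.
if [ "$(uname -s)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    mount_as_console_user
fi
```

Because the script text is piped to osascript, no file has to be written to a world-writable location such as /private/tmp before root executes it.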