Policies failing - "Operation not permitted"

ooshnoo
Valued Contributor

Yo.

A recent couple of new Macs we were setting up came with Catalina, and I've noticed that when they try to copy packages down from our SMB shares, often they fail with a message that states "Operation not permitted".

For example, logs show

Executing Policy VMWare Horizon Client
    Mounting ATL DP
    cp: /Volumes/JamfProShare-ATL/Packages/VMwareHorizon_v5.10.pkg: Operation not permitted

    Error: The package (VMwareHorizon_v5.10.pkg) could not be found.

Any idea what this is and how to fix it? I was told it was a brand new Mac and it came with Catalina, so not sure if that has something to do with it.

Hugonaut
Valued Contributor II

I had experienced this problem way back during the early days of the beta. I quickly spun up 2 HTTPS Distribution Points & have not had a problem since.

I haven't pinned down the "why" this happened yet. I've been searching and searching for NetBIOS / SMB version deprecation / configuration changes, but have not been able to find anything directly from Apple stating changes made in Catalina that cause this issue. Tons of discussions regarding this, though; if anyone has official documentation regarding Samba from Apple, please share. Would love to get to the bottom of this as well.

stiermanc
New Contributor

What version of the JSS are you running? I'm having exactly the same problem on a Catalina machine running 10.15.1-t1569637051

lukasz_molenda
New Contributor II

It's a tricky one!

First of all, I suggest starting to use HTTP/HTTPS instead of SMB ;) You will avoid a lot of pain in the future that way.

In regards to your problem... You can find out by yourself what's wrong by executing a simple policy trigger on a machine that's enrolled in Jamf Pro. For example:

sudo jamf policy -event "install-vmwarehorizoneclient"

For 99.9% you will get a prompt that "Terminal.app would like to access files on a network volume". It's obvious, as you're using Terminal to trigger this policy... so what if you're using Jamf Pro and would like to install something that is on your SMB share? Looks like the DP is mounting and then the copy command is executing. Nothing big, but during this process the parent of this command is bash. In that case you have to allow /bin/bash to access SystemPolicyAllFiles via the Privacy Preferences Policy Control payload under configuration profiles.

I know that this isn't a good approach, giving bash full access... and it's more of a workaround than a solution. The solution for sure is to avoid SMB and go for HTTP/HTTPS.

This might work in previous versions of macOS, but definitely DOES NOT work in Monterey.

leegalan
New Contributor III

I'm also having the same issue. Unfortunately, it won't be so easy for us to enable HTTP/HTTPS. Unless I'm missing something.

tanderson
Contributor

I'm seeing the same issue here. My DEPNotify script calls several installations and they all fail in Catalina. Installations based on a login policy fail as well. Self Service initiated installations seem to go fine. Jamf cannot replicate the problem. Turning off SIP resolved the problem, but obviously that's not a good path.

donmontalvo
Esteemed Contributor III

@tanderson On an unmanaged CataVista computer, found my script was being quarantined, this fixed it:

xattr -d com.apple.quarantine ~/Desktop/sipsResize800max.sh

Not sure if that's helpful for any scripts being deployed by Jamf Pro, or embedded in PKGs.

--
https://donmontalvo.com

carlo_anselmi
Contributor III
Posted: 11/22/2019 at 10:05 AM CST by @tanderson
"I'm seeing the same issue here. My DEPNotify script calls several installations and they all fail in Catalina. Installations based on a login policy fail as well. Self Service initiated installations seem to go fine. Jamf cannot replicate the problem. Turning off SIP resolved the problem, but obviously that's not a good path."

Same here

carlo_anselmi
Contributor III

@lukasz.molenda @tanderson Me too, I can't easily switch to http/https.
In my testing with DEPNotify and Catalina I noticed you also need to set Terminal with a PPPC profile to access SystemPolicyAllFiles.
Maybe there's a better/safer solution.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>Services</key>
            <dict>
                <key>SystemPolicySysAdminFiles</key>
                <array>
                    <dict>
                        <key>Identifier</key>
                        <string>com.apple.Terminal</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                        <key>CodeRequirement</key>
                        <string>identifier &quot;com.apple.Terminal&quot; and anchor apple</string>
                        <key>Allowed</key>
                        <true/>
                        <key>Comment</key>
                        <string>Allow Terminal to modify sysadminfiles</string>
                    </dict>
                </array>
            </dict>
            <key>PayloadDescription</key>
            <string>Desc: TCC SystemPolicySysAdminFiles</string>
            <key>PayloadDisplayName</key>
            <string>Name: TCC SystemPolicySysAdminFiles</string>
            <key>PayloadIdentifier</key>
            <string>test.mdm.tcc.SystemPolicySysAdminFiles.1</string>
            <key>PayloadOrganization</key>
            <string>My Company</string>
            <key>PayloadType</key>
            <string>com.apple.TCC.configuration-profile-policy</string>
            <key>PayloadUUID</key>
            <string>0D4540F5-35EC-45B8-9F11-46F6CA7721ED</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Desc: TCC SystemPolicySysAdminFiles</string>
    <key>PayloadDisplayName</key>
    <string>Name: TCC SystemPolicySysAdminFiles</string>
    <key>PayloadIdentifier</key>
    <string>test.mdm.tcc.SystemPolicySysAdminFiles</string>
    <key>PayloadOrganization</key>
    <string>My Company</string>
    <key>PayloadScope</key>
    <string>system</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>963857BE-CDFF-4ED5-95CD-08FE187E1365</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

AdamCraig
Contributor III

Not what you're asking for, but we have a script set up that installs VMware Horizon directly from VMware. It uses a variable where you just plug in the name of the .dmg file for the version you want downloaded and the URL for the download.

This is based on a script that did the same thing for chrome.

#!/bin/bash

# Jamf passes script parameters from $4 onward: $4 = .dmg file name, $5 = download URL
dmgfile="$4"
volname="VMware Horizon Client"
logfile="/Library/Logs/HorizonInstallScript.log"

url="$5"

echo "$dmgfile"
echo "$url"

echo "--" >> "${logfile}"
echo "$(date): Downloading latest VMware Horizon Client version." >> "${logfile}"
# Run each command directly so that "$?" reports its exit status;
# wrapping it in echo `...` always reports echo's status (0) instead.
curl -s -o "/tmp/${dmgfile}" "${url}"
echo "$?"
echo "$(date): Mounting installer disk image." >> "${logfile}"
/usr/bin/hdiutil attach "/tmp/${dmgfile}" -nobrowse -quiet
echo "$?"
echo "$(date): Installing VMware Horizon Client..." >> "${logfile}"
ditto -rsrc "/Volumes/${volname}/VMware Horizon Client.app" "/Applications/VMware Horizon Client.app"
echo "$?"
/bin/sleep 10
echo "$(date): Unmounting installer disk image." >> "${logfile}"
# Detach by mount point rather than grepping df output for the volume name
/usr/bin/hdiutil detach "/Volumes/${volname}" -quiet
echo "$?"
/bin/sleep 10
/bin/echo "$(date): Deleting disk image." >> "${logfile}"
/bin/rm "/tmp/${dmgfile}"
echo "$?"

exit 0

rickgmac
Contributor

Thought I had it working by allowing DEPNotify PPPC control. But apparently not.

Shamagi
New Contributor II

Hi, you can check the logs for TCC Requests:

https://carlashley.com/2018/09/06/reading-tcc-logs-in-macos/

Regards
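The post above points at reading the TCC logs to see which process is being refused. As an added example (not part of the thread, and not Carl Ashley's code), here is a small shell triage that pulls refusals out of unified-log output and summarises them per client and service. On macOS the input would come from something like `log show --last 1h --predicate 'subsystem == "com.apple.TCC"' --style compact`; the log lines embedded below are constructed for this example in the style of tccd messages, and the exact wording on a real system may differ, so adjust the `sed` pattern to what your own log output shows.

```shell
#!/bin/sh
# Added example: triage TCC refusals from unified-log output.
# SAMPLE_LOG is CONSTRUCTED for this example; on a real Mac pipe in the output of
#   log show --last 1h --predicate 'subsystem == "com.apple.TCC"' --style compact
# and adjust the pattern in tcc_denials() to match the actual message wording.

SAMPLE_LOG='2019-11-22 10:05:01.123 Df tccd[170:1a2b] [com.apple.TCC:access] Refusing TCCAccessRequest for service kTCCServiceSystemPolicyAllFiles from client /bin/bash in background session
2019-11-22 10:05:01.130 Df tccd[170:1a2b] [com.apple.TCC:access] Granting TCCAccessRequest for service kTCCServiceSystemPolicyAllFiles from client /usr/local/jamf/bin/jamf in background session
2019-11-22 10:05:02.004 Df tccd[170:1a2b] [com.apple.TCC:access] Refusing TCCAccessRequest for service kTCCServiceSystemPolicyAllFiles from client com.apple.loginwindow in background session
2019-11-22 10:05:02.010 Df tccd[170:1a2b] [com.apple.TCC:access] Refusing TCCAccessRequest for service kTCCServiceSystemPolicyAllFiles from client /bin/bash in background session'

# Read log lines on stdin and print "client service" for every refusal.
# Grants and unrelated lines are dropped.
tcc_denials() {
    sed -n 's/.*Refusing TCCAccessRequest for service \([A-Za-z]*\) from client \([^ ]*\).*/\2 \1/p'
}

# Summarise refusals on stdin as "count client service", most frequent first.
# The top line tells you which process needs a PPPC allowance for which service.
tcc_denial_summary() {
    tcc_denials | sort | uniq -c | sort -rn
}

# Number of distinct clients that were refused (read from stdin).
tcc_denied_client_count() {
    tcc_denials | cut -d' ' -f1 | sort -u | wc -l | tr -d ' '
}

# Stand-alone usage: summarise the constructed sample, or a real log piped on stdin.
if [ -t 0 ]; then
    printf '%s\n' "$SAMPLE_LOG" | tcc_denial_summary
else
    tcc_denial_summary
fi
```

Reading the summary top-down gives the list of clients to put into a PPPC profile; a client that appears as both "Granting" and "Refusing" across runs usually means the profile scoped to the Mac does not match the binary's code requirement.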

cnelson
Contributor

I would try messing with PPPC control for the Jamf binary and/or Apple Remote Desktop. I use ARD to run my policies so I don't have to wait for the policies to run on their own. Giving ARD access to All Files and Jamf access to All Files finally allowed my policies to run again.

atrystan
New Contributor III

With Big Sur or Monterey, does this still work, and did you need to keep all of the allowances you specified here?

jmercier
Contributor II

Here is another little update... if I try to deploy a couple of packages with a policy set to a login trigger, I get "operation not permitted". If I deploy the same policy by pushing the script with Jamf Remote (sudo jamf policy -id XXXX): IT WORKS ALL THE TIME !!!

DBrowning
Valued Contributor II

Starting to test Jamf Connect Login and using Notify during setup and getting this. I've added both bash and Terminal to a PPPC and am still having the issue. Any ideas?

carlo_anselmi
Contributor III

@jmercier Still trying to understand what I am missing, once I flush the failed policies and manually run them with

sudo jamf policy

(this triggers all scoped policies) they work without requesting any further PPPC approval, but with DEPNotify or following login many of them keep failing.
I must definitely be missing something.

jmercier
Contributor II

@carlo.anselmi Same for me... so for now we modified our internal procedure so we can deliver Catalina computers. Works fine, but... it should be the same as Mojave...

carlo_anselmi
Contributor III

@tanderson @jmercier
Just to confirm that with SIP disabled everything works absolutely fine with DEPNotify/Catalina 10.15.2. Does anyone using this kind of workflow know what else can be causing the errors already reported with DEPNotify-triggered policies (and subsequent policies at login)?
Thank you all!

rickgmac
Contributor

So we have found that this issue only applies to AFP and SMB shares.

In the short term we have downloaded MAMP Pro and set up HTTP downloads.

jmercier
Contributor II

@rickgmac So you have a Mac server with an SMB Casper share, set up with MAMP Pro for HTTP, and policies go fine on Catalina?

DBrowning
Valued Contributor II

I too downloaded Simple HTTP Server from the App Store and have the SMB share also shared as an HTTP share, and it works fine.

seraphina
Contributor II

I believe the error is relating to bash needing access to Network Volumes: https://www.jamf.com/jamf-nation/discussions/34278/depnotify-not-installing-apps-on-catalina#respons...

nate_barkei
New Contributor

So this was frustrating, but after looking at what process was actually running the login scripts I realized that loginwindow owns the process. So if you create a PPPC for the com.apple.loginwindow bundle and give it SystemPolicyAllFiles and SystemPolicyNetworkVolumes it starts working. (Note you will also need to have defined a PPPC for jamf and also whichever shell you are using, /bin/sh or /bin/bash.)

jmercier
Contributor II

@ddcdennisb Is your version Pro or not? Simple to configure? Any advice?

DBrowning
Valued Contributor II

I was using the free version. Super simple to config.

After reading @nate.barkei's reply this morning I added com.apple.loginwindow to my Bash PPPC settings and tested this morning. It worked great. No further need to run the HTTP server on the Mac mini to get everything to work.

jmercier
Contributor II

WOW.... I'll do more testing, but by giving PPPC to Terminal, bash and loginwindow... the login trigger on Catalina works now !!!

carlo_anselmi
Contributor III

@ddcdennisb and all, yes, allowing PPPC for com.apple.loginwindow does solve the issue!
I confirm you also need to have defined a PPPC for jamf and for whichever shell you are using, /bin/sh or /bin/bash.
Many thanks to all!
Ciao
Carlo

jmercier
Contributor II

Hi all,

after testing more this morning... works flawlessly !!!

I think that WE ROCK !!!!!!

carlo_anselmi
Contributor III

@jmercier Yes we do! Although I still have some errors with policies at logout, which disappear if I change the DP to http; that was a given, since the workaround with com.apple.loginwindow is meant... for login!
Cheers
Carlo

jared_f
Valued Contributor

@carlo.anselmi Thank you for this thread! Could you provide screenshots of the PPPC settings you are using for /bin/bash and /bin/sh?

Thanks,
Jared

carlo_anselmi
Contributor III

@jared_f I can't provide the screenshot immediately. I think this is where I found the configuration profile I used (credits go to its author):
Shells and Python System Events whitelist
I will update the thread once I get the test client.
Cheers
Carlo

allanp81
Valued Contributor

@everyone on this thread! Does adding the com.apple.loginwindow also solve this for policies failing to run during logout? I've tried it but they still seem to fail with the same "operation not permitted" error :(

carlo_anselmi
Contributor III

@allanp81 Yes, I ended up creating a PPPC profile for com.apple.loginwindow and also allowing /bin/cp and other shells as per this discussion. Logout policies still do not work, though.

allanp81
Valued Contributor

I don't think it'll ever work as /bin/cp is not signed.

tanderson
Contributor

Just want to say thank you to @nate.barkei and everyone in the thread who tested and dug into this problem. The PPPC for loginwindow has resolved my issue as well. Really appreciate the work everyone did.

dng2000
Contributor II

@allanp81 Yup, I still haven't got this to work for deployments in my environment on Macs running macOS Catalina, and I'm still stuck with using HTTPS in the meantime.

allanp81
Valued Contributor

As others have said, you can get login triggers working, but not logout, and it sounds like this is unlikely to happen if Jamf etc. haven't already figured it out.

dng2000
Contributor II

Unfortunately for me, my environment uses custom triggers for deployments, not login or logout. As Jamf support has advised me, I'm out of luck with SMB until Jamf engineers figure out a working solution, hopefully soon.