Posted on 11-19-2019 07:54 AM
Yo.
A couple of new Macs we were recently setting up came with Catalina, and I've noticed that when they try to copy packages down from our SMB shares, they often fail with a message that states "Operation not permitted".
For example, logs show
Executing Policy VMWare Horizon Client
Mounting ATL DP
cp: /Volumes/JamfProShare-ATL/Packages/VMwareHorizon_v5.10.pkg: Operation not permitted
Error: The package (VMwareHorizon_v5.10.pkg) could not be found.
Any idea what this is and how to fix it? I was told it was a brand new Mac and it came with Catalina, so not sure if that has something to do with it.
Posted on 11-19-2019 08:13 AM
I had experienced this problem way back during the early days of the beta. I quickly spun up 2 HTTPS Distribution Points & have not had a problem since.
I haven't pinned down the "why" this happened yet. I've been searching & searching for NetBIOS / SMB version deprecation / configuration changes but have not been able to find anything directly from Apple stating changes made in Catalina that cause this issue. Tons of discussions regarding this though; if anyone has official documentation regarding Samba from Apple please share. Would love to get to the bottom of this as well.
Posted on 11-19-2019 08:56 PM
What version of the JSS are you running? I'm having exactly the same problem on a Catalina machine running 10.15.1-t1569637051
Posted on 11-19-2019 11:52 PM
It's a tricky one!
First of all I suggest to start using HTTP/HTTPS instead of SMB ;) You will avoid then a lot of pain in the future.
In regard to your problem... you can find out for yourself what's wrong by executing a simple policy trigger on a machine that's enrolled in Jamf Pro. For example:
sudo jamf policy -event "install-vmwarehorizoneclient"
For 99,9% you will get a prompt that "Terminal.app would like to access files on a network volume". It's obvious, as you're using Terminal to trigger this policy... so what if you're using Jamf Pro and would like to install something that is on your SMB share? Looks like the DP is mounting and then the copy command is executing. Nothing big, but during this process the parent of this command is bash. Because of that you have to allow /bin/bash to access SystemPolicyAllFiles via the Privacy Preferences Policy Control payload under configuration profiles.
I know that giving bash full access isn't a good approach... and it's more of a workaround than a solution. The solution for sure is to avoid using SMB and go for HTTP/HTTPS.
Posted on 03-30-2022 01:39 PM
This might work in previous versions of macOS, but definitely DOES NOT work in Monterey.
Posted on 11-20-2019 11:08 AM
I'm also having the same issue. Unfortunately, it won't be so easy for us to enable HTTP/HTTPS. Unless I'm missing something.
Posted on 11-22-2019 08:05 AM
I'm seeing the same issue here. My DEPNotify script calls several installations and they all fail in Catalina. Installations based on a login policy fail as well. Self Service initiated installations seem to go fine. Jamf cannot replicate the problem. Turning off SIP resolved the problem, but obviously that's not a good path.
Posted on 11-24-2019 10:31 AM
@tanderson On an unmanaged CataVista computer, found my script was being quarantined, this fixed it:
xattr -d com.apple.quarantine ~/Desktop/sipsResize800max.sh
Not sure if that's helpful for any scripts being deployed by Jamf Pro, or embedded in PKGs.
Posted on 11-25-2019 07:14 AM
Posted: 11/22/2019 at 10:05 AM CST by @tanderson I'm seeing the same issue here. My DEPNotify script calls several installations and they all fail in Catalina. Installations based on a login policy fail as well. Self Service initiated installations seem to go fine. Jamf cannot replicate the problem. Turning off SIP resolved the problem, but obviously that's not a good path.
Same here
Posted on 11-27-2019 02:21 AM
@lukasz.molenda @tanderson Me too, I can't easily switch to HTTP/HTTPS.
In my testing with DEPNotify and Catalina I noticed you also need to set Terminal with a PPPC profile to access SystemPolicyAllFiles.
Maybe there's a better/safer solution.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>Services</key>
            <dict>
                <key>SystemPolicySysAdminFiles</key>
                <array>
                    <dict>
                        <key>Identifier</key>
                        <string>com.apple.Terminal</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                        <key>CodeRequirement</key>
                        <string>identifier "com.apple.Terminal" and anchor apple</string>
                        <key>Allowed</key>
                        <true/>
                        <key>Comment</key>
                        <string>Allow Terminal to modify sysadminfiles</string>
                    </dict>
                </array>
            </dict>
            <key>PayloadDescription</key>
            <string>Desc: TCC SystemPolicySysAdminFiles</string>
            <key>PayloadDisplayName</key>
            <string>Name: TCC SystemPolicySysAdminFiles</string>
            <key>PayloadIdentifier</key>
            <string>test.mdm.tcc.SystemPolicySysAdminFiles.1</string>
            <key>PayloadOrganization</key>
            <string>My Company</string>
            <key>PayloadType</key>
            <string>com.apple.TCC.configuration-profile-policy</string>
            <key>PayloadUUID</key>
            <string>0D4540F5-35EC-45B8-9F11-46F6CA7721ED</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Desc: TCC SystemPolicySysAdminFiles</string>
    <key>PayloadDisplayName</key>
    <string>Name: TCC SystemPolicySysAdminFiles</string>
    <key>PayloadIdentifier</key>
    <string>test.mdm.tcc.SystemPolicySysAdminFiles</string>
    <key>PayloadOrganization</key>
    <string>My Company</string>
    <key>PayloadScope</key>
    <string>system</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>963857BE-CDFF-4ED5-95CD-08FE187E1365</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
Posted on 11-27-2019 08:25 AM
Not what you're asking for, but we have a script set up that installs VMware Horizon directly from VMware. It uses a variable where you just plug in the name of the .dmg file for the version you want downloaded, and the URL for the download.
This is based on a script that did the same thing for Chrome.
#!/bin/bash
# Jamf policy script parameters: $4 = DMG file name, $5 = download URL
dmgfile="$4"
volname="VMware Horizon Client"
logfile="/Library/Logs/HorizonInstallScript.log"
url="$5"

# Append a timestamped line to the log file
log() { echo "$(date): $*" >> "${logfile}"; }

# Run a step, print its exit status and abort on failure. The original wrapped
# each command in echo `...`, so the "$?" it printed was echo's status, never
# the status of curl/hdiutil/ditto themselves.
step() {
    "$@"
    local status=$?
    echo "$status"
    if [ "$status" -ne 0 ]; then
        log "FAILED (exit $status): $*"
        exit "$status"
    fi
}

echo "$dmgfile"
echo "$url"
echo "--" >> "${logfile}"

log "Downloading latest VMware Horizon Client version."
# -f: fail on an HTTP error instead of saving the error page as the DMG; -L: follow redirects
step /usr/bin/curl -fsSL -o "/tmp/${dmgfile}" "${url}"

log "Mounting installer disk image."
step /usr/bin/hdiutil attach "/tmp/${dmgfile}" -nobrowse -quiet

log "Installing VMware Horizon Client..."
step /usr/bin/ditto -rsrc "/Volumes/${volname}/VMware Horizon Client.app" "/Applications/VMware Horizon Client.app"
/bin/sleep 10

log "Unmounting installer disk image."
# hdiutil detach accepts the mount point, so no need to grep the device out of df
step /usr/bin/hdiutil detach "/Volumes/${volname}" -quiet
/bin/sleep 10

log "Deleting disk image."
step /bin/rm "/tmp/${dmgfile}"
exit 0
Posted on 12-05-2019 08:04 PM
Thought I had it working by allowing DEPNotify PPPC control, but apparently not.
Posted on 12-06-2019 08:44 AM
Hi, you can check the logs for TCC Requests:
https://carlashley.com/2018/09/06/reading-tcc-logs-in-macos/
Regards
Posted on 12-10-2019 01:12 PM
I would try messing with PPPC control having to do with Jamf binary and/or Apple Remote Desktop. I use ARD to run my policies so I don't have to wait for the policies to run on their own. So giving ARD access to All Files and Jamf access to All Files, finally allowed my policies to run again.
Posted on 03-30-2022 01:40 PM
With Big Sur or Monterey, does this still work, and did you need to keep all of the allowances you specified here?
Posted on 12-12-2019 06:42 AM
Here is another little update... if I try to deploy a couple of packages with a policy set to the login trigger, I get "operation not permitted". If I try to deploy the same policy by pushing the script with Jamf Remote (sudo jamf policy -id XXXX): IT WORKS ALL THE TIME !!!
Posted on 12-12-2019 09:15 AM
Starting to test Jamf Connect Login and using Notify during setup and getting this. I've added both bash and Terminal to a PPPC and still having the issue. Any ideas?
Posted on 12-13-2019 03:18 AM
@jmercier Still trying to understand what I am missing, once I flush the failed policies and manually run them with
sudo jamf policy
(this triggers all scoped policies) they work without requesting any further PPPC approval; with DEPNotify or following login many of them keep failing.
I must definitely be missing something.
Posted on 12-13-2019 08:20 AM
@carlo.anselmi same for me... so for now I modified our internal procedure so we can deliver Catalina computers. Works fine but.... it should be the same as Mojave...
Posted on 12-16-2019 02:25 AM
@tanderson @jmercier
Just to confirm that with SIP disabled everything works absolutely fine with DEPNotify/Catalina 10.15.2.
Does anyone using this kind of workflow know what can be causing the errors already reported with DEPNotify-triggered policies (and following policies at login) otherwise?
Thank you all!
Posted on 12-17-2019 08:56 AM
So we have found that this issue only applies to AFP and SMB shares.
In the short term we have downloaded MAMP PRO and set up HTTP downloads.
Posted on 12-17-2019 09:52 AM
@rickgmac so you have a Mac server with an SMB Casper share... set up with MAMP PRO for HTTP, and policies go fine on Catalina?
Posted on 12-17-2019 09:56 AM
I too downloaded Simple HTTP Server from the App Store and have the SMB share also shared as an HTTP share, and it works fine.
Posted on 12-17-2019 11:13 AM
I believe the error is relating to bash needing access to Network Volumes: https://www.jamf.com/jamf-nation/discussions/34278/depnotify-not-installing-apps-on-catalina#respons...
Posted on 01-13-2020 12:04 PM
So this was frustrating, but after looking at what process was actually running the login scripts I realized that loginwindow owns the process. So if you create a PPPC for the com.apple.loginwindow bundle and give it SystemPolicyAllFiles and SystemPolicyNetworkVolumes, it starts working. (Note you will also need to have defined a PPPC for jamf and also for whichever shell you are using, /bin/sh or /bin/bash.)
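The two PPPC recipes in this thread (the earlier post granting /bin/bash SystemPolicyAllFiles, and this one adding com.apple.loginwindow with SystemPolicyAllFiles and SystemPolicyNetworkVolumes plus entries for jamf and the shell) are easy to get structurally wrong by hand, as the dangling key in the profile posted above shows. The following is an added example, not code from this thread or from Jamf: it builds that profile with plistlib and validates every client entry before the .mobileconfig is uploaded. The code requirement strings for bash, sh and loginwindow are assumed for illustration, the jamf binary path is assumed, and the jamf requirement is a placeholder; on a real Mac read each designated requirement with `codesign -d -r - <path>` and paste it in.

```python
"""Build and sanity-check a PPPC (TCC) configuration profile for the clients
this thread converges on. Added example; assumptions are marked below."""
import plistlib
import uuid

# Services named in the loginwindow post above.
SERVICES = ("SystemPolicyAllFiles", "SystemPolicyNetworkVolumes")
REQUIRED_ENTRY_KEYS = ("Identifier", "IdentifierType", "CodeRequirement", "Allowed")
VALID_ID_TYPES = ("bundleID", "path")

# (identifier, IdentifierType, CodeRequirement). The requirement strings are
# ASSUMED for illustration: replace each with the output of
#   codesign -d -r - <binary or bundle>
# The jamf binary path is assumed; its requirement is a placeholder.
CLIENTS = [
    ("com.apple.loginwindow", "bundleID", 'identifier "com.apple.loginwindow" and anchor apple'),
    ("/bin/bash", "path", 'identifier "com.apple.bash" and anchor apple'),
    ("/bin/sh", "path", 'identifier "com.apple.sh" and anchor apple'),
    ("/usr/local/jamf/bin/jamf", "path", "PLACEHOLDER: paste codesign -d -r - output for the jamf binary"),
]


def tcc_entry(identifier, id_type, requirement, comment=""):
    """One client entry as TCC expects it inside a Services array."""
    if id_type not in VALID_ID_TYPES:
        raise ValueError(f"IdentifierType must be one of {VALID_ID_TYPES}")
    return {
        "Identifier": identifier,
        "IdentifierType": id_type,
        "CodeRequirement": requirement,
        "Allowed": True,
        "Comment": comment or f"Allow {identifier}",
    }


def build_profile(clients, services=SERVICES, org="My Company",
                  base_id="example.pppc.loginwindow", make_uuid=None):
    """Assemble a system-scoped profile carrying one TCC payload."""
    make_uuid = make_uuid or (lambda: str(uuid.uuid4()).upper())
    name = "PPPC: network volumes for login-triggered policies"
    payload = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": base_id + ".tcc",
        "PayloadUUID": make_uuid(),
        "PayloadVersion": 1,
        "PayloadOrganization": org,
        "PayloadDisplayName": name,
        # A separate entry list per service, so each can be edited independently.
        "Services": {svc: [tcc_entry(i, t, r) for i, t, r in clients] for svc in services},
    }
    return {
        "PayloadType": "Configuration",
        "PayloadScope": "system",  # TCC payloads must be device-level
        "PayloadIdentifier": base_id,
        "PayloadUUID": make_uuid(),
        "PayloadVersion": 1,
        "PayloadOrganization": org,
        "PayloadDisplayName": name,
        "PayloadContent": [payload],
    }


def to_mobileconfig(profile):
    """Serialize to the XML plist bytes of a .mobileconfig file."""
    return plistlib.dumps(profile)


def _load(profile_or_bytes):
    if isinstance(profile_or_bytes, (bytes, bytearray)):
        return plistlib.loads(profile_or_bytes)
    return profile_or_bytes


def validate_profile(profile_or_bytes):
    """Return a list of structural problems; an empty list means it looks sound."""
    problems = []
    profile = _load(profile_or_bytes)
    if profile.get("PayloadScope") != "system":
        problems.append("PayloadScope must be 'system' for TCC payloads")
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.TCC.configuration-profile-policy":
            problems.append(f"unexpected PayloadType {payload.get('PayloadType')!r}")
            continue
        for svc, entries in payload.get("Services", {}).items():
            for entry in entries:
                missing = [k for k in REQUIRED_ENTRY_KEYS if k not in entry]
                if missing:
                    problems.append(f"{svc}: entry {entry.get('Identifier')} missing {missing}")
                if entry.get("IdentifierType") not in VALID_ID_TYPES:
                    problems.append(f"{svc}: bad IdentifierType for {entry.get('Identifier')}")
    return problems


def grants_for(profile_or_bytes, identifier):
    """Set of services in which a given client is Allowed."""
    granted = set()
    for payload in _load(profile_or_bytes).get("PayloadContent", []):
        for svc, entries in payload.get("Services", {}).items():
            if any(e.get("Identifier") == identifier and e.get("Allowed") for e in entries):
                granted.add(svc)
    return granted


if __name__ == "__main__":
    blob = to_mobileconfig(build_profile(CLIENTS))
    print(blob.decode())
    print("problems:", validate_profile(blob))
```

Run it, save the printed plist as a .mobileconfig, and upload it to Jamf Pro as a computer configuration profile; `validate_profile` catches the kind of half-edited entry that makes a hand-written profile fail to install, and `grants_for` lets you confirm exactly which services each client ends up with before the profile goes out.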
Posted on 01-14-2020 08:34 AM
@ddcdennisb is your version Pro or not? Simple to configure? Any advice?
Posted on 01-14-2020 08:39 AM
I was using the free version. Super simple to config.
After reading @nate.barkei's reply this morning I added com.apple.loginwindow to my Bash PPPC settings and tested this morning. It worked great. No further need to run the HTTP server on the Mac mini to get everything to work.
Posted on 01-14-2020 10:51 AM
WOW.... I'll do more testing, but by giving PPPC to Terminal, BASH and loginwindow... the login trigger on Catalina works now !!!
Posted on 01-15-2020 02:13 AM
@ddcdennisb and all, yes, allowing PPPC to com.apple.loginwindow does solve the issue!
I confirm you also need to have defined a PPPC for jamf and also for whichever shell you are using, /bin/sh or /bin/bash.
Many thanks to all!
Ciao
Carlo
Posted on 01-15-2020 07:35 AM
Hi all,
after testing more this morning... works flawlessly !!!
I think that WE ROCK !!!!!!
Posted on 01-15-2020 08:39 AM
@jmercier Yes we do! Although I still have some errors with policies at logout which disappear if I change the DP to HTTP; that was a given, since the workaround with com.apple.loginwindow is meant... for login!
Cheers
Carlo
Posted on 01-15-2020 09:11 AM
@carlo.anselmi Thank you for this thread! Could you provide screenshots of the PPPC machine you are using for /bin/bash and /bin/sh.
Thanks,
Jared
Posted on 01-15-2020 09:39 AM
@jared_f
I can't provide the screenshot immediately, I think this was where I found the configuration profile I used (credits go to its author)
Shells and Python System Events whitelist
I will update the thread once I get the test client
Cheers
Carlo
Posted on 01-24-2020 03:24 AM
@everyone on this thread! Does adding the com.apple.loginwindow also solve this for policies failing to run during logout? I've tried it but they still seem to fail with the same "operation not permitted" error :(
Posted on 01-27-2020 03:23 AM
@allanp81 Yes, I ended up creating a PPPC profile for com.apple.loginwindow and also allowing /bin/cp and other shells as per this discussion. Logout policies still do not work though.
Posted on 01-27-2020 04:12 AM
I don't think it'll ever work as /bin/cp is not signed.
Posted on 01-28-2020 08:48 AM
Just want to say thank you to @nate.barkei and everyone in the thread who tested and dug into this problem. The PPPC for loginwindow has resolved my issue as well. Really appreciate the work everyone did.
Posted on 01-31-2020 04:16 PM
@allanp81 Yup, I still haven't got this to work for deployments in my environment on Macs running macOS Catalina and still stuck with using HTTPS in the meantime.
Posted on 02-03-2020 01:02 AM
As others have said, you can get login triggers working, but not logout and it sounds like this is unlikely to happen if Jamf etc. haven't already figured it out.
Posted on 02-03-2020 02:53 PM
Unfortunately for me, my environment uses custom triggers for deployments, not login or logout. As Jamf support have advised me, I'm out of luck with SMB until Jamf engineers figure out a working solution, hopefully soon.