Policy not being allowed to run to completion

rlindenmuth
New Contributor III

I'm working on our OS X 10.10 image (my first image build after taking over the process) and all is working fine, except a policy we have created to install 25 packages is not being allowed to run to completion. We run this same policy in our current 10.9 image with no problem. The policy for 10.10 is cloned from the 10.9 policy, with the only changes being all references to 10.9 changed to 10.10.

The part of the script in question that is failing:

Install Standard Software Set via Policy

loginfo "Installing Standard Software Set via Policy"
/usr/sbin/jamf policy -trigger Imaging_${OS} &

Get the Process ID of the last command run in the background ($!) and wait for it to complete (wait)

SUPID=echo "$!"
wait $SUPID

When I check the initialsetup.log that is created during the this process I see that this policy is given less than 60 seconds to run, not enough time to put down all of the packages and install. Some do work, such as our Identity Finder package which installs, but most are not even copied to the machine.

Any tips as to why the package is not given time to complete? The trigger works, but the wait does not.

Thanks.

(apologies for the formatting in the script)

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

As I guessed, this line in the script is the issue. Its in the same basic format as what some of JAMF's script were using which started to fail once 10.10 came out.

OS=`/usr/bin/defaults read /System/Library/CoreServices/SystemVersion ProductVersion | awk '{print substr($1,1,4)}'`

The awk '{print substr($1,1,4)}' part is telling it to only grab text from character position 1 thru 4, so in the case of 10.10, that only gets 10.1, just as you saw in your test.

I think it should be safe to replace that one line with the following:

OS=`sw_vers -productVersion | cut -d. -f1,2`

If you want to try that, I suggest just commenting out the existing line so you can keep it in there in case you need to go back to it for some reason.

View solution in original post

7 REPLIES 7

mm2270
Legendary Contributor III

Is there a reason you're pushing the policy to the background? You actually shouldn't need to do that I think. If you drop the "&" from the jamf policy -trigger line, it should just run to completion normally.

Since you didn't post the entire script, there may be some reason I'm just not seeing here why you're doing it the way you have it set up, but my guess is that the script is not actually capturing the PID of the policy, so it doesn't know to actually wait for it to complete. You can test this by putting in a simple echo "SUPID: $SUPID" line and see what its reporting.

rlindenmuth
New Contributor III

Thank you for the suggest to add echo line to determine if it was capturing the PID. It was not. The custom event it should trigger was called Imaging_10.10, but the script is seeing Yosemite as 10.1, not 10.10. I changed the custom event to Imaging_10.1 and it now works.

I don't know why it's hidden, it's how the previous engineer did it. Since it worked then I'm trying not to reinvent the wheel until I get more experience under my belt with JSS and have more time to change process. For now I need to get a Yosemite image up and running as we've got hardware to buy.

Thanks again for the help.

mm2270
Legendary Contributor III

If you post the entire script I'm willing to bet that the OS version is coming up as 10.1 because its using some code from one of JAMF's older scripts. Some of them had code in them pulling the OS version that was only getting the first 4 characters of the OS version, not using a delimiter like a period, so for 10.10.x its only grabbing 10.1 (first 4 characters) Prior to 10.10 this all worked fine since all previous versions of OS X were in the format of 10.x.x, not 10.xx.x.

Anyway, if changing it to 10.1 works for you then that's fine.

rlindenmuth
New Contributor III

Script is below with identifiable information hopefully all replaced with the word "company". The section in question is towards the end under Install Software via Policy heading.

#!/bin/bash

#
# initialsetup.sh
# Author: 
#
# Description:
#    Script called after the first reboot of a freshly installed system
#
# Last Changed: June 6 2014
# Revision:  1.0
#   Version 1.0: Initial Implementation


#===============================================================================
# General Configuration
#===============================================================================
APPNAME=`basename $0`
APP="${APPNAME%%.*}"
AUTHOR="company name"
VERSION=1.0

#===============================================================================
# Logging Configuration
#===============================================================================
LOGDIR=/Library/Logs/Company
LOGFILE=$LOGDIR/$APP.log

#===============================================================================
# JSS Information
#===============================================================================
JSSURL='https://jss.company.com:8443'
JSSCONTACTTIMEOUT=120
FIRSTRUN='/Library/Application Support/JAMF/FirstRun/Enroll/enroll.sh'
ENROLLLAUNCHDAEMON='/Library/LaunchDaemons/com.jamfsoftware.firstrun.enroll.plist'


#===============================================================================
# Configuration Information
#===============================================================================
SearchDomains="company.corp sas.company.com"
strDomainSuffix=".company.corp"

timeZone="America/New_York"
TimeServer1=time.apple.com
TimeServer2=0.us.pool.ntp.org
TimeServer3=1.us.pool.ntp.org

# Get the major version of the OS and format it in an acceptable form for shell scripting
OS=`/usr/bin/defaults read /System/Library/CoreServices/SystemVersion ProductVersion | awk '{print substr($1,1,4)}'`

# Determine OS version
osvers=$(sw_vers -productVersion | awk -F. '{print $2}')
sw_vers=$(sw_vers -productVersion)

tmpUUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep -E '(UUID)' | awk '{print $3}'`
sysUUID=${tmpUUID:1:${#tmpUUID}-2}



REDACTED THIS SECTION FOR PRIVACY


#===============================================================================
# Tasks that do require access to the JSS
#===============================================================================

## Following block of code provided by Oxford University
# Copyright (C) 2013 University of Oxford IT Services
#    contact <nsms-mac@it.ox.ac.uk>
#    authors: Robin Miller, Aaron Wilson, Marko Jung

# Wait a certain number of minutes for JAMF enroll.sh script to complete. We do
# this because the enroll script put in place during the JAMF Imaging process
# uses the 'jamf manage' command which seems to often fail (with a 401
# (authentication) error), so we want to run 'jamf enroll' as well before we
# start to do things that require communication with the JSS. However, we also
# don't want to have a conflict if both happen to be run at the same time,
# which has occasionally happened. The enroll.sh script will try to run, but if
# it cannot contact the JSS, will wait 5 minutes and then try only once more,
# hence the 8 minute wait. 

WAITLIMIT=$(( 8 * 60 ))
WAITINCREMENT=30
loginfo "Checking to see if JAMF enroll.sh is still running"
while [ -e "$ENROLLLAUNCHDAEMON" ]; do
  if [ $WAITLIMIT -le 0 ]; then
    loginfo "Reached wait timeout of ${WAITLIMIT} seconds!"
    break
  fi

  loginfo "Still not complete. Waiting another ${WAITINCREMENT} seconds..."
  sleep $WAITINCREMENT 
  (( WAITLIMIT -= $WAITINCREMENT ))
done
loginfo "Continuing now..."


# check for jamf binary
loginfo "Checking for JAMF binary"
jamfcheck="/usr/sbin/jamf"

if [[ -e $jamfcheck ]]; then
  loginfo "Jamf binary present, continuing as planned..."
else
  loginfo "Jamf binary is not present, we need to halt" 
  exit 55
fi

## Test the connection to the JSS
loginfo "Testing jss connection"
loop_ctr=1
while ! curl --silent -o /dev/null --insecure ${JSSURL} ; do
    sleep 1;
    loop_ctr=$((loop_ctr+1))
    if [ $((loop_ctr % 10 )) -eq 0 ]; then
        loginfo "${loop_ctr} attempts"
    fi

    if [ ${loop_ctr} -eq ${JSSCONTACTTIMEOUT} ]; then
        loginfo "I'm bored ... giving up after ${loop_ctr} attempts"
        exit 1
    fi
done    
loginfo "Contacted JSS (${loop_ctr} attempts)"


#===============================================================================
# Flush all previous policy history
#===============================================================================
loginfo "Flushing Policy History . . ."
/usr/sbin/jamf flushPolicyHistory -verbose

#===============================================================================
# Create Imaging Receipts
#===============================================================================
loginfo "Creating Imaging Receipts . . ."
touch /Library/Application Support/JAMF/Receipts/com.company.initialsetup.pkg
/usr/sbin/jamf recon

#===============================================================================
# Sleeping for 60 seconds to allow the flush to populate
#===============================================================================
loginfo "Waiting 60 seconds for policy history to flush . . ."
sleep 60

#===============================================================================
# Install software via policy
#===============================================================================
# Install Standard Software Set via Policy
loginfo "Installing Standard Software Set via Policy"
/usr/sbin/jamf policy -trigger Imaging_${OS} &
## Get the Process ID of the last command run in the background ($!) and wait for it to complete (wait)
SUPID=`echo "$!"`
wait $SUPID

# Remove Initial Setup Package Receipt
srm /Library/Application Support/JAMF/Receipts/com.company.initialsetup.pkg
/usr/sbin/jamf recon



#===============================================================================
# Reboot in 1 minute
#===============================================================================
loginfo "Initial Setup Complete.  Rebooting . . ."
shutdown -r +1 &


#===============================================================================
# Cleanup Initial Setup
#===============================================================================
# Remove the loginwindow delay by loading the com.apple.loginwindow
# LaunchDaemon in /System/Library/LaunchDaemons/
#launchctl load /System/Library/LaunchDaemons/com.apple.loginwindow.plist

# Remove setup LaunchDaemon item
srm /Library/LaunchDaemons/com.company.initialsetup.plist

# Make script self-destruct
srm $0

mm2270
Legendary Contributor III

As I guessed, this line in the script is the issue. Its in the same basic format as what some of JAMF's script were using which started to fail once 10.10 came out.

OS=`/usr/bin/defaults read /System/Library/CoreServices/SystemVersion ProductVersion | awk '{print substr($1,1,4)}'`

The awk '{print substr($1,1,4)}' part is telling it to only grab text from character position 1 thru 4, so in the case of 10.10, that only gets 10.1, just as you saw in your test.

I think it should be safe to replace that one line with the following:

OS=`sw_vers -productVersion | cut -d. -f1,2`

If you want to try that, I suggest just commenting out the existing line so you can keep it in there in case you need to go back to it for some reason.

rlindenmuth
New Contributor III

Thanks Mike, I'll try that today.

bpavlov
Honored Contributor

@rlindenmuth May want to remove some of the bits that have some company specific information.