Policy runs differently when pushed VS self service

NiclausDutter
New Contributor II

I have a macOS Big Sur upgrade script that has worked perfectly in my testing on dummy machines but when I have it pushed via policy, everything works, except for the part after they click upgrade. It's as if the script just halts and exits. However, when I run it through self-service as that same user on their machine, it works normally and begins the upgrade! Any ideas on why they are different? Apologies for the caveman script

Below is my script; after the user accepts the upgrade, is when it stops (line 77 or ## Upgrade Here ##):

#!/bin/bash

if ! [[ $(sw_vers | grep ProductVersion | awk -F ":" '{print $2}' | awk '{$1=$1};1' | awk -F "." '{print $1}') == 11 ]]
then

    if [ -e "/Users/Shared/deferrals_MacOSUpgrade.txt" ]
    then
        deferralsleft=$(cat /Users/Shared/deferrals_MacOSUpgrade.txt)
    else
        echo 3 > /Users/Shared/deferrals_MacOSUpgrade.txt
        deferralsleft=$(cat /Users/Shared/deferrals_MacOSUpgrade.txt)
    fi


    if [[ $(sudo find /Users -name "Install macOS Big Sur.app") ]] || [[ $(sudo find /Applications -name "Install macOS Big Sur.app") ]]
    then

        ## Find where Installer is located
        testpath=$(sudo find /Users -name "Install macOS Big Sur.app")
        if [ -z "${testpath}" ]
        then
            echo "Not in Users"
        else
            echo "Found in $testpath"
            path=$(sudo find /Users -name "Install macOS Big Sur.app")
        fi

        testpath=$(sudo find /Applications -name "Install macOS Big Sur.app")
        if [ -z "${testpath}" ]
        then
            echo "Not in Applications"
        else
            echo "Found in $testpath"
            path=$(sudo find /Applications -name "Install macOS Big Sur.app")
        fi
        
        ## Set Install Args ##
        install_args=()
        install_args+=("--forcequitapps")
        

        ## Set Prompt Icon Location ##
        iconpath=$path$"/Contents/Resources"
        iconpathHFS=$(/usr/bin/osascript -e "return POSIX file \"$iconpath\"" | awk -F "file" '{print $2}' | awk '{$1=$1};1')
        ## Fix Icon HFS Path for Mojave ##
        if [[ $(sw_vers | grep ProductVersion | awk -F ":" '{print $2}' | awk '{$1=$1};1' | awk 'BEGIN{FS="."} {print $1 "." $2}') == 10.14 ]]
        then
        	iconpathHFS=$iconpathHFS$":"
        fi
        echo $iconpathHFS
        
        ## Set jamfHelper Info ##
        heading="Please wait as we prepare your computer for macOS Big Sur..."

		description="

		This process will take approximately 5-10 minutes.

		Once completed your computer will reboot and begin the upgrade."
        
        jamfIcon=$iconpath$"/InstallAssistant.icns"
        

        ## Prompt User to Begin Installation
        if [ $deferralsleft -gt 0 ]
            then
            
            currentdeferrals=$(echo $deferralsleft)
            ((deferralsleft--))
            echo $deferralsleft > /Users/Shared/deferrals_MacOSUpgrade.txt
            
            response=$(/usr/bin/osascript -e 'tell application "Finder"' -e "with timeout of 3600 seconds" -e 'activate' -e "display dialog \"A New MacOS upgrade is required!\n\nYou are receiving this prompt because your machine is currently on an out-of-date MacOS version. We need to get you updated to MacOS Big Sur for compliance with Security policies. This upgrade will not affect any of your files or applications.\n\nWe understand this may not be a good time and have allowed up to 3 deferrals. After these two deferrals are used up, the MacOS Upgrade will begin. We recommend you find 30 Minutes to an Hour for the upgrade to avoid inconveniences.\n\nDeferrals Remaining: $currentdeferrals\n\nIf you have any questions or concerns, please contact IT calling x#### or submitting a Ticket!\" with icon file ((\"$iconpathHFS\") & \"InstallAssistant.icns\") buttons {\"Defer\", \"Upgrade\"} default button \"Upgrade\" with title \"MacOS Big Sur Upgrade\" with hidden answer" -e 'end timeout' -e 'end tell')

            if [[ $(echo "$response" | /usr/bin/awk -F "button returned:" '{print $2}' | /usr/bin/awk -F "," '{print $1}') = *Upgrade* ]]
            then
                echo "Upgrade Selected"
                ## Upgrade HERE ##
                /Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType fs -title "" -icon "$jamfIcon" -heading "$heading" -description "$description" &
                jamfHelperPID=$!
                "$iconpath/startosinstall" "${install_args[@]}" --agreetolicense --nointeraction --pidtosignal $jamfHelperPID >> /var/log/startosinstall.log 2>&1 &
            else
                echo "User Deferred. Deferrals remaining: $deferralsleft"
            fi
        else
            echo "Defer Limit Reached"
            response=$(/usr/bin/osascript -e 'tell application "Finder"' -e "with timeout of 3600 seconds" -e 'activate' -e "display dialog \"A New MacOS upgrade is required!\n\nYou are receiving this prompt because your machine is currently on an out-of-date MacOS version. We need to get you updated to MacOS Big Sur for compliance with Security policies. This upgrade will not affect any of your files or applications.\n\nDEFERRALS LIMIT REACHED!\n\nYou have reached your deferral limit and MacOS will force the upgrade upon closer of this window OR on reboot.\" with icon file ((\"$iconpathHFS\") & \"InstallAssistant.icns\") buttons {\"Upgrade\"} default button \"Upgrade\" with title \"MacOS Big Sur Upgrade\" with hidden answer" -e 'end timeout' -e 'end tell')
            ## Force Upgrade HERE ##
            /Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType fs -title "" -icon "$jamfIcon" -heading "$heading" -description "$description" &
            jamfHelperPID=$!
            "$iconpath/startosinstall" "${install_args[@]}" --agreetolicense --nointeraction --pidtosignal $jamfHelperPID >> /var/log/startosinstall.log 2>&1 &
        fi

    else
        echo "MacOS Big Sur Installer has not been located. Initiating Download..."
        
        curl "http://swcdn.apple.com/content/downloads/04/42/002-42341-A_4PL6G0S8GN/cs65avpi1aelh133lc36fy0ste3lihe71n/InstallAssistant.pkg" --output "/Users/Shared/BigSur_11_6_Installer.pkg"
        sudo installer -pkg "/Users/Shared/BigSur_11_6_Installer.pkg" -target /
    fi

else
    echo "Already on Big Sur!"
fi

 
Here is an image of the policy log after it's been pushed; there should be steps after:
[Image: Log Result]

1 ACCEPTED SOLUTION

charlie
New Contributor

I've found startosinstall needs to have "set -m" and "set +m" around where the command gets built at the end of the script.

https://github.com/kc9wwh/macOSUpgrade/issues/44#issuecomment-578631891

                ## Upgrade HERE ##
set -m
                /Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType fs -title "" -icon "$jamfIcon" -heading "$heading" -description "$description" &
                jamfHelperPID=$!
                "$iconpath/startosinstall" "${install_args[@]}" --agreetolicense --nointeraction --pidtosignal $jamfHelperPID >> /var/log/startosinstall.log 2>&1 &
            else
                echo "User Deferred. Deferrals remaining: $deferralsleft"
            fi
        else
            echo "Defer Limit Reached"
            response=$(/usr/bin/osascript -e 'tell application "Finder"' -e "with timeout of 3600 seconds" -e 'activate' -e "display dialog \"A New MacOS upgrade is required!\n\nYou are receiving this prompt because your machine is currently on an out-of-date MacOS version. We need to get you updated to MacOS Big Sur for compliance with Security policies. This upgrade will not affect any of your files or applications.\n\nDEFERRALS LIMIT REACHED!\n\nYou have reached your deferral limit and MacOS will force the upgrade upon closer of this window OR on reboot.\" with icon file ((\"$iconpathHFS\") & \"InstallAssistant.icns\") buttons {\"Upgrade\"} default button \"Upgrade\" with title \"MacOS Big Sur Upgrade\" with hidden answer" -e 'end timeout' -e 'end tell')
            ## Force Upgrade HERE ##
            /Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType fs -title "" -icon "$jamfIcon" -heading "$heading" -description "$description" &
            jamfHelperPID=$!
            "$iconpath/startosinstall" "${install_args[@]}" --agreetolicense --nointeraction --pidtosignal $jamfHelperPID >> /var/log/startosinstall.log 2>&1 &
        fi
set +m
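
What `set -m` changes, as an added example that is not part of the original post: it turns on bash job control, so each background job is placed in its own process group instead of staying in the script's. `sleep` stands in for `startosinstall` and the function name `job_group_relation` is made up for this illustration; the thread does not say why the separate process group matters for a pushed policy.

```shell
#!/bin/bash
# Added illustration (not from the thread): where a background job lands
# with and without job control. "sleep" is a stand-in for startosinstall.

# $1 = "on" to run "set -m" before backgrounding the job, anything else = off.
# Prints "own" if the job got its own process group, "shared" if it stayed
# in the launching shell's process group.
job_group_relation() {
    bash -c '
        [ "$1" = "on" ] && set -m          # enable job control (monitor mode)
        sleep 30 &                         # stand-in for the installer
        job=$!
        if [ -r "/proc/$job/stat" ]; then  # Linux: field 5 is the pgrp
            read -r _ _ _ _ job_pgid _ < "/proc/$job/stat"
            read -r _ _ _ _ shell_pgid _ < "/proc/$$/stat"
        else                               # macOS and other BSDs
            job_pgid=$(ps -o pgid= -p "$job" | tr -d " ")
            shell_pgid=$(ps -o pgid= -p "$$" | tr -d " ")
        fi
        kill "$job" 2>/dev/null            # clean up the stand-in job
        wait "$job" 2>/dev/null
        if [ "$job_pgid" = "$shell_pgid" ]; then echo shared; else echo own; fi
    ' _ "$1"
}

echo "without set -m: $(job_group_relation off)"
echo "with set -m:    $(job_group_relation on)"
```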

 


5 REPLIES 5

mm2270
Legendary Contributor II

Most likely the issue is you're attempting to use osascript to call up AppleScript dialogs, but when those get run from root, as is the case when a policy is called by the recurring check-in trigger, the OS will block those because of a no-user-interaction constraint that the OS puts in place. You'll have to run those commands as the logged in user, which should properly display the dialogs.

## Get logged in username
logged_in_user=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name : / && ! /loginwindow/ {print $3}')

## Get logged in user UID
logged_in_uid=$(id -u "$logged_in_user")

## Run the command as the logged in user
/bin/launchctl asuser "$logged_in_uid" sudo -iu "$logged_in_user" <commands go here>

 

Thank you for the response! I believe the issue is after the osascript part as that is properly showing for the users. They select the correct upgrade button and the variable in the script is written too. The script confirms the upgrade button was selected but doesn't run the jamf helper window, or the upgrade:

This is the code that doesn't run it seems like.

 

## Upgrade HERE ##
/Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType fs -title "" -icon "$jamfIcon" -heading "$heading" -description "$description" &

jamfHelperPID=$!

"$iconpath/startosinstall" "${install_args[@]}" --agreetolicense --nointeraction --pidtosignal $jamfHelperPID >> /var/log/startosinstall.log 2>&1 &

 

 

Maybe the JamfHelper needs to be run as the user? When I try your code I get the following error:

Failed to get user context: 1: Operation not permitted

I have confirmed the logged_in_user and logged_in_uid variables have the correct information.

Your helper section looks similar to mine although I don't have the ampersand symbol after the log output for background process.

Also, does the upgrade require admin rights? I know the erase does, e.g.:

--nointeraction --forcequitapps --newvolumename Macintosh\ HD --user "${localUsername}" --stdinpass <<< "${localPassword}" >> "${myLogfile}" 2>&1

 

Failed to get user context: 1: Operation not permitted

Lastly, you may need to check your TCC profiles, as that error sounds like terminal (or, if running through Self Service, com.jamf.management.service) may not have access to osascript.


 

Oddly enough, I ended up throwing SUDO in front of the line that starts the "startosinstall". This worked for a few of the machines, but I did have a few left over that were not kicking off. After following your guidance and adding "-m" and "+m", it upgraded with no issue!

 

Thank you!