PPPC issue - Jamf Agent

jameson
Contributor II

I have an issue with PPPC I cannot get rid of.
In my enrollment process I have a script that prompts the user for a country; it looks like below

#!/bin/bash
sleep 20
# Create folder
/bin/mkdir -p /Library/company
/bin/chmod -R 755 /Library/company
serialNumber=$( ioreg -c IOPlatformExpertDevice -d 2 | awk -F\" '/IOPlatformSerialNumber/{print $(NF-1)}' )

# Prompt for Country
countryValue=`/usr/bin/osascript <<EOT
tell application "System Events"
    with timeout of 9999 seconds
    activate
    set theCountry to {"IDMAC", "NLMAC", "JPMAC", "USMAC"}
    set selectedCountry to {choose from list theCountry with prompt "Select Country"}
    end timeout
end tell
EOT`

# Set ComputerName|LocalHostName|HostName
scutil --set ComputerName  "$countryValue-$serialNumber"
scutil --set LocalHostName  "$countryValue-$serialNumber"
scutil --set HostName  "$countryValue-$serialNumber"

exit 0

Just before this script is called, the following popup appears

I have of course used the PPPC tool and set it up the following way, but it keeps showing up. I have checked the Macs and the config profile has been loaded, so I cannot understand why this keeps popping up when I have created the matching PPPC

Does anyone have an idea what is going wrong?


bethjohnson
New Contributor III

Have you tried using this Jamf-built profile that does additional whitelisting beyond the automatically-installed profile for the framework?
https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles

If you didn't catch the recent webinar, the recording is now posted and is very helpful.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"You do not rise to the level of your goals; you fall to the level of your systems." James Clear

talkingmoose
Moderator

@jameson, Jamf Pro 10.7.1 has built-in support for macOS Mojave's new PPPC security. Is your server updated to at least that version? You can find the version number in the left bar after logging in and viewing your Dashboard.

sshort
Valued Contributor

Here's another good resource for generating a profile that will whitelist jamfagent and the Jamf binary for various AppleEvents: https://github.com/rtrouton/privacy_preferences_control_profiles/tree/master/Privacy%20Settings%20Wh...

mm2270
Legendary Contributor III

In addition to what's being stated above about the latest versions of Jamf Pro auto installing a PPPC Profile that whitelists the entire Jamf toolset, you also need to add /usr/bin/osascript to a PPPC profile to whitelist. It's not the Jamf binary specifically in your script that's causing the pop up, it's osascript. You can tell that by the fact that it's asking for control over System Events, and in your script you have this code:

countryValue=`/usr/bin/osascript <<EOT
tell application "System Events"
...

As indicated, you are telling osascript to tell System Events to do something, but because it's not whitelisted to allow that, it's causing the prompt to come up.

swapple
Contributor III

@talkingmoose if we are on jamf cloud 10.9, do we still need to go to https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles and get the mobileconfig profile and load it up?

mm2270
Legendary Contributor III

@swhps 10.9 will load the Jamf PPPC profile automatically. It always has for me since I started using that version.
Are you not seeing a "Privacy Preferences Policy Control" profile being installed that looks like this?

jameson
Contributor II

Thanks for the input all

@mm2270 I just added the osascript to the PPPC and allowed System Events. Just tried on a brand new Mac I got in, and even though the pick-country policy stands as "completed", nothing was prompted on enrollment. It just skipped the prompt and did not even ask about the popup (this error where it sometimes just skips the whole policy I have seen before on a few new clients).
Below is the log from the policy that stands as completed. If I run the same policy afterwards in Self Service it works fine, which does not make sense to me

Script result: 70:78: execution error: An error of type -10810 has occurred. (-10810)
scutil: invalid option -- C
usage: scutil
    interactive access to the dynamic store.

   or: scutil --prefs [preference-file]
    interactive access to the [raw] stored preferences.

   or: scutil [-W] -r nodename
   or: scutil [-W] -r address
   or: scutil [-W] -r local-address remote-address
    check reachability of node, address, or address pair (-W to "watch").

   or: scutil -w dynamic-store-key [ -t timeout ]
    -w  wait for presense of dynamic store key
    -t  time to wait for key

   or: scutil --get pref
   or: scutil --set pref [newval]
   or: scutil --get filename path key  
    pref    display (or set) the specified preference.  Valid preferences
        include:
            ComputerName, LocalHostName, HostName
    newval  New preference value to be set.  If not specified,
        the new value will be read from standard input.

   or: scutil --dns
    show DNS configuration.

   or: scutil --proxy
    show "proxy" configuration.

   or: scutil --nwi
    show network information

   or: scutil --nc
    show VPN network configuration information. Use --nc help for full command list

   or: scutil --allow-new-interfaces [off|on]
    manage new interface creation with screen locked.

   or: scutil --error err#
    display a descriptive message for the given error code

mm2270
Legendary Contributor III

@jameson Ah, well, that's a different problem. Since your osascript is asking for user interaction, and the policy (and hence the script) are running as root, the OS is preventing the pop up from appearing to the currently logged in user. This is a common issue that's been around for many years now in macOS.
The workaround is to call the osascript as the logged in user, which avoids that "An error of type -10810 has occurred." problem.

Try changing your script to look like this and see if it works:

#!/bin/bash
sleep 20
# Create folder
/bin/mkdir -p /Library/company
/bin/chmod -R 755 /Library/company
serialNumber=$( ioreg -c IOPlatformExpertDevice -d 2 | awk -F\" '/IOPlatformSerialNumber/{print $(NF-1)}' )

loggedInUser=$(stat -f%Su /dev/console)
loggedInUID=$(id -u "$loggedInUser")

# Prompt for Country
countryValue=$(/bin/launchctl asuser "$loggedInUID" sudo -iu "$loggedInUser" /usr/bin/osascript <<EOT
tell application "System Events"
    with timeout of 9999 seconds
    activate
    set theCountry to {"IDMAC", "NLMAC", "JPMAC", "USMAC"}
    set selectedCountry to {choose from list theCountry with prompt "Select Country"}
    end timeout
end tell
EOT)

## Add rest of script here, etc.

The relevant bits are capturing the logged in user and that user's UID up at the top. Then using the /bin/launchctl asuser syntax to run the osascript command as the current user. This should allow the prompt to appear, allow them to choose the country, and then the rest of the script will run and do what it needs.

I see in your post though that there was an issue with the scutil command. It may just be that it errored because the computer name generated wasn't complete or something. But I would just double check your script to make sure the scutil syntax is correct. This line is making me think there might be an errant space in there somewhere: scutil: invalid option -- C

jameson
Contributor II

@mm2270

Thanks for the update. I tried your version of the script, but for some reason it still fails. Now with

#!/bin/sh


Script result: 193:249: execution error: System Events got an error: Connection is invalid. (-609)
scutil: invalid option -- C
usage: scutil
    interactive access to the dynamic store.

If you look at my first post, I don't have anything on scutil --C? I don't understand where it gets this parameter from, as I have this parameter nowhere in my script. I have checked for spaces etc. and nothing seems wrong

The thing that does not make any sense at all to me is that the script works on enrolment on some clients, while on others it shows completed but still shows the execution error with "invalid option -- C" (but the popup has not appeared). But running it on the client from Self Service afterwards, it works fine with no error.
So the script is working, but for some reason not always as an enrolment policy

merps
Contributor III

@jameson Try to clean up the end of your script.

You have two spaces after ComputerName, LocalHostName, and HostName and before the variables you're trying to use there.

I'd guess that you could change the error output by reordering those lines and it would say "invalid option --L" or "invalid option --H" depending on which parameter is attempted first.

I've removed the extra space in the code block below.

# Set ComputerName|LocalHostName|HostName
scutil --set ComputerName "$countryValue-$serialNumber"
scutil --set LocalHostName "$countryValue-$serialNumber"
scutil --set HostName "$countryValue-$serialNumber"
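
An added example, not code from the thread, that combines mm2270's launchctl asuser approach with input validation before scutil is called: when the osascript prompt fails (the -10810 and -609 errors above) or is cancelled, $countryValue is empty or "false", and a name such as "-C02..." is then parsed by scutil as options, which is where "invalid option -- C" comes from. It assumes the same four country codes and that it runs as root from a Jamf policy; set ENROLL_RUN=1 to actually prompt and rename the Mac.

```shell
#!/bin/bash
# Added example (not the original poster's script): same enrollment flow,
# but the hostname is only set from a validated country code and serial.
set -u

ALLOWED_COUNTRIES="IDMAC NLMAC JPMAC USMAC"   # allow-list from the thread

# Accept only a value from the allow-list. osascript yields "" on a
# -10810/-609 failure and "false" on Cancel; a leading "-" in
# "$countryValue-$serialNumber" is parsed by scutil as options.
validate_country() {
    for allowed in $ALLOWED_COUNTRIES; do
        [ "$1" = "$allowed" ] && return 0
    done
    return 1
}

# Build the name only from validated parts; fail closed otherwise.
build_computer_name() {
    validate_country "$1" || return 1
    case "$2" in
        ""|*[!A-Za-z0-9]*) return 1 ;;   # serial must be alphanumeric
    esac
    printf '%s-%s\n' "$1" "$2"
}

# Prompt in the console user's session (mm2270's launchctl asuser approach).
prompt_country() {
    user=$(stat -f%Su /dev/console)
    uid=$(id -u "$user")
    /bin/launchctl asuser "$uid" sudo -iu "$user" /usr/bin/osascript <<EOT
tell application "System Events"
    activate
    set theCountry to {"IDMAC", "NLMAC", "JPMAC", "USMAC"}
    choose from list theCountry with prompt "Select Country"
end tell
EOT
}

main() {
    serial=$(ioreg -c IOPlatformExpertDevice -d 2 | awk -F\" '/IOPlatformSerialNumber/{print $(NF-1)}')
    country=$(prompt_country | tr -d '[:space:]')
    name=$(build_computer_name "$country" "$serial") \
        || { echo "No valid country chosen; not renaming" >&2; exit 1; }
    for pref in ComputerName LocalHostName HostName; do
        scutil --set "$pref" "$name"
    done
}

if [ "${ENROLL_RUN:-0}" = 1 ]; then main; fi
```

With this guard a failed or cancelled prompt ends the policy with a clear log line instead of three scutil usage dumps.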

jameson
Contributor II

A bit old thread, but I never got this working.
It is so strange. On some computers it prompts fine as it should, and on others the warning pops up, and it is 100% the same profiles that are pushed to the computers

Does anyone know a different way this prompt could be made, so we don't end up in this popup mess?