Jamf Nation Community

@jameson, Jamf Pro 10.7.1 has built-in support for macOS Mojave's new PPPC security. Is your server updated to at least that version? You can find the version number in the left bar after logging in and viewing your Dashboard.

Here's another good resource for generating a profile that will whitelist jamfagent and the Jamf binary for various AppleEvents: https://github.com/rtrouton/privacy_preferences_control_profiles/tree/master/Privacy%20Settings%20Wh...

In addition to what's being stated above about the latest versions of Jamf Pro auto installing a PPPC Profile that whitelists the entire Jamf toolset, you also need to add /usr/bin/osascript to a PPPC profile to whitelist. It's not the Jamf binary specifically in your script that's causing the pop up, it's osascript. You can tell that by the fact that it's asking for control over System Events, and in your script you have this code:

countryValue=`/usr/bin/osascript <<EOT
tell application "System Events"
...

As indicated, you are telling osascript to tell System Events to do something, but because it's not whitelisted to allow that, it's causing the prompt to come up.

@talkingmoose if we are on jamf cloud 10.9, do we still need to go to https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles and get the mobileconfig profile and load it up?

@swhps 10.9 will load the Jamf PPPC profile automatically. It always has for me since I started using that version.
Are you not seeing a "Privacy Preferences Policy Control" profile being installed that looks like this?

Thanks for the input all

@mm2270 I just added the osascript to the PPPC and allowing systemevents. Just tried on a brand new mac I got in and even the pick country policy stand as "completed" nothing was prompted on enrollment. It just skipped the prompt and not even asking about the popup(this error that it sometimes just skip the whole policy have seen before on some few new clients)
Below is the log from the policy that stand as completed. If I run the same policy afterwards in self service it works fine, which does not make sense for me

Script result: 70:78: execution error: An error of type -10810 has occurred. (-10810)
scutil: invalid option -- C
usage: scutil
    interactive access to the dynamic store.

   or: scutil --prefs [preference-file]
    interactive access to the [raw] stored preferences.

   or: scutil [-W] -r nodename
   or: scutil [-W] -r address
   or: scutil [-W] -r local-address remote-address
    check reachability of node, address, or address pair (-W to "watch").

   or: scutil -w dynamic-store-key [ -t timeout ]
    -w  wait for presense of dynamic store key
    -t  time to wait for key

   or: scutil --get pref
   or: scutil --set pref [newval]
   or: scutil --get filename path key  
    pref    display (or set) the specified preference.  Valid preferences
        include:
            ComputerName, LocalHostName, HostName
    newval  New preference value to be set.  If not specified,
        the new value will be read from standard input.

   or: scutil --dns
    show DNS configuration.

   or: scutil --proxy
    show "proxy" configuration.

   or: scutil --nwi
    show network information

   or: scutil --nc
    show VPN network configuration information. Use --nc help for full command list

   or: scutil --allow-new-interfaces [off|on]
    manage new interface creation with screen locked.

   or: scutil --error err#
    display a descriptive message for the given error code
scutil: invalid option -- C
usage: scutil
    interactive access to the dynamic store.

   or: scutil --prefs [preference-file]
    interactive access to the [raw] stored preferences.

   or: scutil [-W] -r nodename
   or: scutil [-W] -r address
   or: scutil [-W] -r local-address remote-address
    check reachability of node, address, or address pair (-W to "watch").

   or: scutil -w dynamic-store-key [ -t timeout ]
    -w  wait for presense of dynamic store key
    -t  time to wait for key

   or: scutil --get pref
   or: scutil --set pref [newval]
   or: scutil --get filename path key  
    pref    display (or set) the specified preference.  Valid preferences
        include:
            ComputerName, LocalHostName, HostName
    newval  New preference value to be set.  If not specified,
        the new value will be read from standard input.

   or: scutil --dns
    show DNS configuration.

   or: scutil --proxy
    show "proxy" configuration.

   or: scutil --nwi
    show network information

   or: scutil --nc
    show VPN network configuration information. Use --nc help for full command list

   or: scutil --allow-new-interfaces [off|on]
    manage new interface creation with screen locked.

   or: scutil --error err#
    display a descriptive message for the given error code
scutil: invalid option -- C
usage: scutil
    interactive access to the dynamic store.

   or: scutil --prefs [preference-file]
    interactive access to the [raw] stored preferences.

   or: scutil [-W] -r nodename
   or: scutil [-W] -r address
   or: scutil [-W] -r local-address remote-address
    check reachability of node, address, or address pair (-W to "watch").

   or: scutil -w dynamic-store-key [ -t timeout ]
    -w  wait for presense of dynamic store key
    -t  time to wait for key

   or: scutil --get pref
   or: scutil --set pref [newval]
   or: scutil --get filename path key  
    pref    display (or set) the specified preference.  Valid preferences
        include:
            ComputerName, LocalHostName, HostName
    newval  New preference value to be set.  If not specified,
        the new value will be read from standard input.

   or: scutil --dns
    show DNS configuration.

   or: scutil --proxy
    show "proxy" configuration.

   or: scutil --nwi
    show network information

   or: scutil --nc
    show VPN network configuration information. Use --nc help for full command list

   or: scutil --allow-new-interfaces [off|on]
    manage new interface creation with screen locked.

   or: scutil --error err#
    display a descriptive message for the given error code

@jameson Ah, well, that's a different problem. Since your osascript is asking for user interaction, and the policy (and hence the script) are running as root, the OS is preventing the pop up from appearing to the currently logged in user. This is a common issue that's been around for many years now in macOS.
The workaround is to call the osascript as the logged in user, which avoids that "An error of type -10810 has occurred." problem.

Try changing your script to look like this and see if it works:

#!/bin/bash
sleep 20
# Create folder
/bin/mkdir -p /Library/company
/bin/chmod -R 755 /Library/company
serialNumber=$( ioreg -c IOPlatformExpertDevice -d 2 | awk -F" '/IOPlatformSerialNumber/{print $(NF-1)}' )

loggedInUser=$(stat -f%Su /dev/console)
loggedInUID=$(id -u "$loggedInUser")

# Prompt for Country
countryValue=$(/bin/launchctl asuser "$loggedInUID" sudo -iu "$loggedInUser" /usr/bin/osascript <<EOT
tell application "System Events"
    with timeout of 9999 seconds
    activate
    set theCountry to {"IDMAC", "NLMAC", "JPMAC", "USMAC"}
    set selectedCountry to {choose from list theCountry with prompt "Select Country"}
    end timeout
end tell
EOT)

## Add rest of script here, etc.

The relevant bits are capturing the logged in user and that user's UID up at the top. Then using the /bin/launchctl asuser syntax to run the osascript command as the current user. This should allow the prompt to appear, allow them to choose the country, and then the rest of the script will run and do what it needs.

I see in your post though that there was an issue with the scutil command. It may just be that it errored because the computer name generated wasn't complete or something. But I would just double check your script to make sure the scutil syntax is correct. This line is making be think there might be an errant space in there somewhere: scutil: invalid option -- C

@mm2270

Thanks for the update. I tried your version of the script, but for some reason it still fails. Now with

#!/bin/sh


Script result: 193:249: execution error: System Events got an error: Connection is invalid. (-609)
scutil: invalid option -- C
usage: scutil
    interactive access to the dynamic store.

If you look at my first post, I don't have anything on sceutil --C ? - I don't understand where it get this parameter from, as I from no where have this parameter in my script. I have checked for spaces etc and nothing seems wrong

The things that does not make any sense at all to me, is that the script works on enrolment on some clients, while others is shows completed, but still show the execution error with "invalid option -- C"(but popup have not appeared) But running on it on the client from the self service afterwards, it works fine and no error
So the script is working, but for some reason not always as a enrolment policy

@jameson Try to clean up the end of your script.

You have two spaces after ComputerName, LocalHostName, and HostName and before the variables you're trying to use there.

I'd guess that you could change the error output by reordering those lines and it would say "invalid option --L" or "invalid option --H" depending on which parameter is attempted first.

I've removed the extra space in the code block below.

# Set ComputerName|LocalHostName|HostName
scutil --set ComputerName "$countryValue-$serialNumber"
scutil --set LocalHostName "$countryValue-$serialNumber"
scutil --set HostName "$countryValue-$serialNumber"

A bit old thread, but I never got this working.
It is so strange. On some computers it prompts fine as it should and other the warning pop up and it 100% the same profiles that is on pushed to the computers

Do anyone know a different why this popup could be made, so we don´t end up in this popup mess ?