Help

PPPC with codesigned script as LaunchAgent

Over9000
New Contributor III

Posted on β€Ž08-29-2019 07:28 AM

I have a script that runs as a launchagent but since Mojave's release, we haven't been able to get it to run. I codesigned the script and verified it's still codesigned during deployment and have every PPPC config profile I can think of applied to the machines but I see these two end results when it tries to execute:

execution error: Not authorized to send Apple events to Finder. (-1743)

internal_TCCCreateDesignatedRequirementIdentityFromMessage: Refusing TCCCreateDesignatedRequirementIdentityFromAuditToken (kTCCServiceAppleEvents) RESP:{ID: com.apple.bash, PID[27621], auid: 639612192, euid: 639612192, responsible path: '/Library/Scripts/nameofscript.sh', binary path: '/bin/bash'}, ACC:{ID: com.apple.osascript, PID[27658], auid: 639612192, euid: 639612192, binary path: '/usr/bin/osascript'}, REQ:{ID: com.apple.appleeventsd, PID[65], auid: 55, euid: 55, binary path: '/System/Library/CoreServices/appleeventsd'}: unable to compute designated requirement for: file:///Library/Scripts/nameofscript.sh.,

The script calls finder to mount a user's Active Directory Home drive:

osascript -e " tell application "Finder" mount volume "${REMOTE_MOUNT_POINT}" end tell

Does anyone know if I am just simply missing something to whitelist or is this simply not possible to do with a codesigned script running as a launch agent?

2 REPLIES 2

mm2270
Legendary Contributor II

Posted on β€Ž08-29-2019 07:42 AM

I know you said you've tried numerous PPPC profile options, but just to be sure, have you added osascript to a PPPC profile to allow it to control the Finder? The error message is indicating the binary requesting control is /usr/bin/osascript which makes sense since you are using it in your script being run by the LaunchAgent.

999a7552eb3f4cb5b77a804122c24b20

IOW, I don't think it's the script itself or the LaunchAgent, its the binary you are calling within the script that you have to grant access to for it to work.

If you've already done that and it's not working, maybe you can provide a snapshot of how your PPPC profile(s) is set up so someone can help pinpoint what may be wrong.

Over9000
New Contributor III

Posted on β€Ž08-29-2019 08:25 AM

@mm2270 Thanks for the suggestion. I added a PPPC profile with what you mentioned and it did still result with the same error. Here's the profile I have for the script itself (other than the osascript with finder one by itself). Sorry they are so tiny!

8e95938dff6b43f1b26517978fce54ce
af296a350fab446d9f6f9829e471de15

Jamf helps organizations succeed with Apple. By enabling IT to empower end users, we bring the legendary Apple experience to businesses, education and government organizations. Learn about Jamf.