Push .command to be executed as current user
Posted on 06-23-2023 07:08 AM
Context:
We're using Pritunl as VPN. It's a pain for everyone to log in to 1Password (our password manager), search for their VPN credentials, and type them in to connect to Pritunl. I use a simple script which links the VPN profile to the credentials in 1Password ("op" is 1Password's CLI).
In use, I just have to click on the .command; it executes and opens a popup for Touch ID (used to access 1Password's content), gets the credentials with the name "vpn-companyname" and connects to Pritunl with this info.
What would you recommend to do to deploy it to all the employees through Jamf?
I tried to package it with Jamf Composer, but Composer keeps the absolute path /Users/myusername/Desktop/VPNshortcut.command and creates it on the laptops I push the policy/package to... which creates a new directory/user, so it's a bit of a mess.
I also tried to use Shortcuts on Mac, but it's not possible to share it without iCloud etc.
Ideally, the script (or the app, if I manage to make it look like one) would be automatically put in the Dock, and execute just like any program with one click.
Important: From what I've tried, it's important that the script runs as executed by the current user in session, as if it's not the case 1Password's Touch ID popup doesn't show up (probably due to a security measure).
I'd appreciate any help on the subject.
Thanks in advance!
open -a Pritunl
/Applications/Pritunl.app/Contents/Resources/pritunl-client start $(/Applications/Pritunl.app/Contents/Resources/pritunl-client list | grep "vpn-companyname" | awk '{print $2}') --password "$(op item get vpn-companyname --fields password)$(op item get --otp vpn-companyname)"
Posted on 06-23-2023 07:21 AM
Have you tried adding the script into an Automator workflow?
You can run Shell scripts in that, and once you have tested it and made sure it all works as a workflow, you can then make it into an App from in Automator. Should then be a simple task to use Composer to build a package of the App and put it in the Applications folder.
Posted on 06-23-2023 07:46 AM
Hey Paul, thanks for the quick reply.
The issue with Automator is that the Touch ID pop-up window to access 1Password's content doesn't show up, so the connection to the VPN ends up failing.
Any clue why? The exact same code (see code block in the original post) in the terminal, or as an executable script, works perfectly fine.
Does it run as root rather than as the current user? I'm definitely not a developer, though I've got some superficial knowledge about it.
Posted on 06-23-2023 09:05 AM
It will run as the current user who launched it.
There are a few settings, which I have not used for some years in Automator, that might need to be configured for it to launch the touch ID window. It is the sort of thing I would sit down and fiddle with on a quiet day. I write shell scripts mostly to achieve what I am wanting, and I do not use Automator much at all, but I have used it and had interaction with users whilst using it. There are others here who will be better at it than me.
Posted on 06-23-2023 08:45 AM
Hi Oyster_rave,
Instead of packaging the script, why not add it as a script in Jamf and then add it to a policy? To execute the command as the user, try these 2 tasks:
# Return the currently logged-in console user
curUser="$(stat -f%Su /dev/console)"
# Execute the command, application, or anything else as that user
sudo -u "$curUser" "Whatever command you are executing"
Posted on 06-29-2023 08:19 AM
Hey junjishimazaki, hope you're doing great.
Been sick the last few days, which is why I'm replying just now.
So I've tried to include your code in mine, but although stat -f%Su /dev/console gives me the right user, it looks like when I combine everything, nothing happens (no Touch ID nor trying to connect to the VPN).
I've been trying with this version:
curUser="`stat -f%Su /dev/console`"
sudo -u $curUser "open -a Pritunl &&
/Applications/Pritunl.app/Contents/Resources/pritunl-client start $(/Applications/Pritunl.app/Contents/Resources/pritunl-client list | grep "vpn-companyname" | awk '{print $2}') --password "$(op item get vpn-companyname --fields password)$(op item get --otp vpn-companyname)""
Any clue why it doesn't work anymore with that formula?
And if I push the script as a policy in Jamf (in my company we now have to push the scripts by making a MR in GitLab, then accessing it through Jamf, so I can't try it until I'm sure that it works), can I make it an exec to download so that they'll be able to execute it by double-clicking on it like any app?
Sorry, I'm kinda new to all this, thanks for the help!
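
Added example, not part of the original thread: in the combined version above, `sudo -u $curUser "..."` hands sudo the whole quoted string as one program name, and every `$(...)` inside the double quotes is expanded by the calling (root) shell before sudo starts. The script below keeps the thread's commands but defers expansion to the user's shell and enters the user's session with `launchctl asuser`; the function names `user_script` and `run_as_console_user` are illustrative, and the thread does not confirm whether the Touch ID prompt then appears.

```shell
#!/bin/sh
# Added example, not from the thread. Intended to run as root from a Jamf policy.

# Emit the commands that must run inside the user's session. The quoted
# heredoc delimiter keeps every $(...) literal, so root never runs op or
# pritunl-client itself; the user's shell expands them later.
# Assumption: op is on that shell's PATH (otherwise use its full path).
# Note: --password puts the secret in argv, visible to local process listings.
user_script() {
cat <<'EOF'
client=/Applications/Pritunl.app/Contents/Resources/pritunl-client
open -a Pritunl
profile_id=$("$client" list | grep "vpn-companyname" | awk '{print $2}')
"$client" start "$profile_id" --password "$(op item get vpn-companyname --fields password)$(op item get --otp vpn-companyname)"
EOF
}

# Run user_script as the console user, in that user's launchd (GUI) context.
run_as_console_user() {
  user=$(stat -f%Su /dev/console)
  # At the login window the console is owned by root: nothing to do.
  if [ -z "$user" ] || [ "$user" = "root" ]; then
    echo "no user logged in at the console" >&2
    return 1
  fi
  uid=$(id -u "$user")
  # Program and arguments are separate words: sudo receives /bin/sh, -c, script.
  launchctl asuser "$uid" sudo -u "$user" /bin/sh -c "$(user_script)"
}

# Jamf policies run as root on macOS; do nothing anywhere else.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
  run_as_console_user
fi
```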

Posted on 06-23-2023 09:53 AM
You could try turning your script into an app with https://sveinbjorn.org/platypus. Then package and deploy the app as normal (Composer, etc.); that way you can customize the look and make it look even more official.
Posted on 06-29-2023 08:50 AM
Hey mojo21221, how are you doing?
The thing is that every time I try to package the thing, it doesn't work because the Touch ID MFA window doesn't pop up, gyarg.
I tried with Automator and Platypus, same issue.
The only one that worked was with Shortcuts, but I can't share the app other than through iCloud links, which would be a pain to apply to the whole company, I guess.
I'm guessing both Platypus and Automator can't access 1Password's CLI, but I don't know why nor how to solve it 😿

Posted on 06-26-2023 08:25 AM
I just tried platypus.app and I like it a lot.
Thx, @mojo21221
