Posted on 04-30-2019 03:51 AM
Hey there,
I edited a /bin/bash script that automatically checks the device's uptime and tells the user to restart his computer after 2 weeks of uptime (with the help of https://www.jamf.com/jamf-nation/discussions/17336/user-has-not-restarted-in-x-number-of-days)
The following part generates the ""jamf" wants access to control "system events"" message for end users:
#!/bin/bash
# Discover logged in user
user=$(stat -f%Su /dev/console)
# Execute code as logged in user (instead of root)
sudo -u "$user" /usr/bin/osascript <<-EOF
tell application "System Events"
activate
set question to display dialog "The device has not been restarted for [...]" ¬
with title "RESTART YOUR COMPUTER" buttons {"Shut Down", "Restart", "Cancel"} ¬
cancel button "Cancel" with icon caution
set answer to button returned of question
if answer is equal to "Shut Down" then
tell application "System Events"
shut down
end tell
end if
if answer is equal to "Restart" then
tell application "System Events"
restart
end tell
end if
-- "cancel button" makes display dialog raise "User canceled" (-128) when Cancel is clicked,
-- so this branch is never reached; the script simply stops at the dialog.
if answer is equal to "Cancel" then
return
end if
end tell
EOF
exit 0
I already read the thread (https://www.jamf.com/jamf-nation/discussions/30388/loginwindow-wants-access-to-control-system-events) but couldn't find the solution there.
The issue seems to be the tell / end tell statement but I can't find a way to change the script.
I tried several PPPCs and gave JAMF access to Accessibility, System Events and everything else that's required.
The script itself works fine.
Can someone help me out here?
Posted on 04-30-2019 05:19 AM
Hey!
Can you post a screenshot of your PPPC's you are creating for this to happen.
If you have not used the PPPC utility on GitHub I would use this and add the jamf binary this way and allow access; you can physically tick which parts need access. However you may have already done so.
Thanks,
G
Posted on 04-30-2019 05:26 AM
Hey!
For testing purposes I tried the following:
I know that most permissions are unnecessary, just wanted to be sure nothings missing.
Posted on 04-30-2019 07:27 AM
The problem isn't the Jamf binary. It's osascript, which is what is actually calling the AppleScript event to control "System Events". If you add in osascript to your PPPC profile (or better yet, create a new PPPC profile just for osascript) and give it access to System Events, and maybe a few other items under the Apple Events section for good measure, and then deploy that, I'm betting the prompt will go away. I may be wrong, but I do think that's the issue.
In case it helps, osascript is in /usr/bin/
You should be able to just navigate to that and add it into the PPPC Utility.
Posted on 04-30-2019 07:53 AM
I just did the following:
and the issue still exists.
Thanks for the input anyway!
Posted on 04-30-2019 09:02 AM
@leonwun Are you certain the profile had been pushed to the Mac by the time the script was re-run? Because I have a PPPC profile to allow osascript control over the various System Events and I don't get a prompt. I used your exact script in fact for testing and it comes up for me without prompting to allow any control over System Events. So I can't explain (yet) what the difference may be.
Posted on 04-30-2019 10:43 AM
@leonwun are you sure that the PPPC profile is actually installed on the target machines? For example, if it's not DEP enrolled and not UAMDM accepted, it just won't work.
Posted on 05-02-2019 12:32 AM
On my testing machine under "System Preferences" -> "Profiles" the following Profiles are shown:
JAMF:
JamfAgent:
osascript:
So this doesn't seem to be the issue.
I already tried to reset the permissions of my testing machine with:
tccutil reset AppleEvents; tccutil reset SystemPolicyAllFiles
to make sure there were no changes specifically on my testing machine that cause the issue.
I still can't figure out why it doesn't work - especially now that I know it works on @mm2270 's machine.
Does your profile look anything different? Also, it works when I run it in terminal, just not when I run it remotely via jamf policy.
Posted on 05-02-2019 03:56 AM
I also see this prompt with my script for renaming Mac
The strangest thing is that on some Macs it works fine without any popup, while on others it is shown, with the exact same profiles installed and on the latest Mojave. But I have stopped spending time on this and instead instructed users to click "Allow" on this.
Posted on 05-02-2019 05:33 AM
This seems to be a bug on JAMF or Apple's side then. I might create a ticket for that - if someone finds a solution please post ;)
Posted on 05-02-2019 06:09 AM
Have you seen this pre-built (JamfAppleEvents.mobileconfig) for osascript?
https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles
Posted on 05-02-2019 06:58 AM
Yes I have this config on all machines. Btw this is the error message that gets logged if you ignore the box:
Script result: 140:645: execution error: System Events got an error: AppleEvent timed out. (-1712)
Edit:
Maybe someone can say something about this post?
Posted: 29/1/19 at 10:49 AM by bentoms @UESCDurandal You likely have some AppleScript blocks which say "tell application System Events"... remove the tell & end tell bits then try again.. you can often amend the scripts.
From this thread by @bentoms
Posted on 05-03-2019 01:19 AM
If you run the script locally/manually and leave the display box there, AppleScript will time out after 2 minutes.
That is what you are getting on the error message, end users not "actioning" the request, they may be away from the computer for example.
A possible solution is to add a "giving up" parameter, capture the output and do some logic with it.
Example from your script.
use AppleScript version "2.4" -- Yosemite (10.10) or later
use scripting additions
tell application "System Events"
activate
set question to display dialog "The device has not been restarted for [...]" with title "RESTART YOUR COMPUTER" buttons {"Shut Down", "Restart", "Cancel"} ¬
cancel button "Cancel" with icon caution giving up after 5
if gave up of question is false then
set answer to button returned of question
if answer is equal to "Shut Down" then
tell application "System Events"
shut down
end tell
end if
if answer is equal to "Restart" then
tell application "System Events"
restart
end tell
end if
if answer is equal to "Cancel" then
return
end if
else
set isActioned to "Not there"
end if
end tell
A note about the "Cancel" button, the way it is set it will stop and exit the script at that point, it will not run to the end.
I would recommend a small change to allow the script to run.
use AppleScript version "2.4" -- Yosemite (10.10) or later
use scripting additions
tell application "System Events"
activate
set question to display dialog "The device has not been restarted for [...]" with title "RESTART YOUR COMPUTER" buttons {"Shut Down", "Restart", " Cancel"} ¬
with icon caution giving up after 10
if gave up of question is false then
set answer to button returned of question
if answer is equal to "Shut Down" then
tell application "System Events"
shut down
end tell
end if
if answer is equal to "Restart" then
tell application "System Events"
restart
end tell
end if
if answer is equal to " Cancel" then
return
end if
else
set isActioned to "Not there"
end if
end tell
If you must use Cancel, add a space to it (" Cancel"); that bypasses the internal Cancel function of the script and allows the flow to continue. Of course you could call it "Not Now".
Regards
Posted on 05-03-2019 01:34 AM
Hey there, thanks for your advice! That's a nice addition to the script.
Still, the error message is generated from this window I think, not the script itself. If you don't respond to the ""jamf" wants to control..." message and wait 2 minutes the error is generated.
So the problem with the window that should not appear still exists.
Posted on 05-03-2019 01:45 AM
@leonwun Oh yeah, that is the TCC bit, several places to set
Posted on 05-03-2019 01:53 AM
Hey, I have the same (and even more) profiles on my testing machines and the window still pops up. It only works without this popup when I run it locally and not via jamf.
Posted on 05-06-2019 06:59 AM
I created a ticket regarding this issue as we can't find a solution and it might be a problem on JAMF's / Apple's side.
If you still find anything I would really appreciate a post ;)
Posted on 05-06-2019 08:39 AM
Are you on 10.11? Small note from the bottom of the release notes
You'll want your PPPC profile to allow
/Library/Application Support/JAMF/Jamf.app
Posted on 05-06-2019 09:11 AM
Posted on 05-07-2019 12:30 AM
Hey @koalatee , thanks for your post! I don't use 10.11 on any of my testing devices - We only use Mojave & High Sierra.
I tried this PPPC anyway, sadly nothing has changed.
Posted on 05-07-2019 04:06 AM
I think @koalatee means Jamf Pro 10.11 (not macOS)
Posted on 05-08-2019 01:03 AM
Yes, we're at 10.11.1-t1553545638.
Posted on 05-08-2019 06:23 AM
Definitely a big problem. Hopefully a solution is found.
Posted on 05-09-2019 11:40 AM
Experienced a similar issue, was able to resolve in the following fashion, which was posted earlier in this thread.
YMMV
Posted on 05-10-2019 01:18 AM
Hey @jbutler47 , I exactly followed your steps and uploaded the following profile:
The profile was rolled out on my testing machines and I double checked if the profile was there. Then I waited until the next recurring check-in (15min).
The issue still exists. I did not try it with Self Service as that's not the intended use in the end (it should run with a recurring check-in).
Posted on 05-14-2019 09:55 AM
We have been seeing a similar issue. It appears that if, at some point, a/the user has selected "Don't Allow" when they see the "Jamf wants access" message then the script will never work regardless of what you do. If the user has denied Jamf access to System Events that setting appears to be persistent and pushing a config profile after the fact does not resolve the problem. I'm not yet certain if the denial is a per-user issue or a system-wide issue.
On a test machine I've been able to run tccutil reset AppleEvents then push out a PPPC allowance for Jamf.app - System Events. After that a script we have that runs osascript will work. Here's the settings I made in the PPPC utility for /Library/Application Support/JAMF/Jamf.app
It would be useful to know if clearing the System Events works for anyone else.
Posted on 05-15-2019 12:08 AM
Hey @marck,
I did not select 'Don't Allow' on my testing machines. They are installed freshly and there are no permissions set yet.
The Window appears even with all those profiles.
Posted on 05-21-2019 09:55 PM
Try changing your osascript by getting rid of the Tell Application bit.
So it should read something like...
osascript -e 'display dialog "Blah Blah...."'
Posted on 05-22-2019 11:42 AM
Did your guys Jamf Pro instance update to 10.12.0 this week? Did that fix the issue @leonwun ?
Posted on 06-04-2019 12:59 AM
@kdean we got updated to 10.12, the issue still exists.
@timdambrosio I don't really understand how to change it to remove the "Tell Application", can you explain further please?
Posted on 06-04-2019 11:22 AM
@leonwun He means to remove "Tell Application" from the osascript. He is saying you should still get the results you want from system events w/o the Tell Application in front of it. BTW I was able to resolve this issue with a PPPC config profile from GitHub. I opened a ticket with JAMF and they pointed me to GitHub
Ref: https://www.jamf.com/jamf-nation/articles/553/preparing-your-organization-for-user-data-protections-on-macos-10-14
Ref: https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles
Posted on 06-17-2019 10:12 AM
I too was having this happen... I added the BundleID of Jamf.app with access to System Events and was getting pop-ups
Was about to go down the rabbit hole of what combo would work then I tried something simpler...
Remove the tell, activate, and end tell lines
Remove these lines:
tell application "System Events"
activate
...
end tell
Now in the example from the original poster @leonwun , this may not be much of a help as you are explicitly telling System Events to restart and shutdown, methods that may not be available if you are not telling System Events. Not sure if these are the "nice" methods that ask for a user to save work, but if they are not (or you don't care :) perhaps you could just capture the output of the osascript for button returned and then use bash to run shutdown -h now (halt/shutdown) or shutdown -r now (restart)
# osascript prints the dialog record as text, e.g. "button returned:Restart";
# on Cancel it exits non-zero with an empty result (stderr is discarded here)
osaresult=$(/usr/bin/osascript -e 'set question to display dialog "The device has not been restarted for [...]" with title "RESTART YOUR COMPUTER" buttons {"Shut Down", "Restart", "Cancel"} cancel button "Cancel" with icon caution' 2>/dev/null)
# keep only the button name; the second separator covers dialogs that use "giving up after"
button=$(awk -F 'button returned:|, gave up:' '{print $2}' <<< "$osaresult")
Use a case statement (or ifs) with the ${button} variable to do what you need
NOTE: There are caveats if you omit "telling" an application and you include an icon path
It must invoked/run from Self Service to succeed if an icon path is used
If you run the script directly from Terminal it will fail
If you invoke the policy via command line, it will fail (jamf policy -id <id> or jamf policy -event <name>)
If the policy is called from another policy using "jamf policy ..." via script or with Files and Processes "run command", it will fail also...
For example, this will fail when run from Terminal:
osascript -e 'set dialogAnswer to display dialog "You can do a simple button pop-up, with timeout of 5 seconds" with title "Title" with icon file ":System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:Clock.icns" buttons {"OK"} default button 1 giving up after "5"'
20:261: execution error: File file :System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:Clock.icns wasn’t found. (-43)
However if the above snippet is in a script that is run in a Self Service actuated policy it will succeed.
So... there's a workaround but it only works in Self Service otherwise it's got some serious downsides to consider... hope this saved some folks a few hours (that I'll never get back ;)
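The "capture the button in bash and act on it" approach described above, combined with bentoms' "giving up after" timeout, as an added example that is not from the thread. The function names (parse_dialog_result, action_for_button, handle_dialog_result) are my own, and the dialog results are constructed samples standing in for what osascript prints on a Mac; the shutdown command only runs when DRY_RUN=0.

```shell
#!/bin/bash
# Added example: turn the text osascript prints for a display dialog into a
# decision, handling the three ways the dialog can end:
#   "button returned:Restart"                 (plain dialog)
#   "button returned:Restart, gave up:false"  (dialog with "giving up after")
#   "button returned:, gave up:true"          (nobody answered in time)
#   ""                                        (Cancel/Escape: osascript errors,
#                                              stderr discarded, empty result)
parse_dialog_result() {
    result="$1"
    case "$result" in
        "")               echo "cancelled"; return 0 ;;
        *"gave up:true"*) echo "timeout";   return 0 ;;
    esac
    # strip the record's field name and any trailing ", gave up:..." part
    button="${result#button returned:}"
    button="${button%%, gave up:*}"
    echo "$button"
}

# Map a button name to the command bash would run (halt or restart).
# Returned as text so the caller decides whether to execute it.
action_for_button() {
    case "$1" in
        "Shut Down") echo "/sbin/shutdown -h now" ;;
        "Restart")   echo "/sbin/shutdown -r now" ;;
        *)           echo "none" ;;
    esac
}

# Prints the decision; executes the command only when DRY_RUN=0, so the
# sample calls below are safe to run on any machine.
handle_dialog_result() {
    button=$(parse_dialog_result "$1")
    cmd=$(action_for_button "$button")
    if [ "$cmd" = "none" ]; then
        echo "no action ($button): leaving the Mac running"
        return 0
    fi
    echo "action: $cmd"
    if [ "${DRY_RUN:-1}" = "0" ]; then
        $cmd
    fi
}

# On macOS the input would come from the real dialog, e.g.
#   osaresult=$(/usr/bin/osascript -e '...giving up after 30' 2>/dev/null)
#   DRY_RUN=0 handle_dialog_result "$osaresult"
# Constructed samples (not real osascript output):
handle_dialog_result "button returned:Restart, gave up:false"
handle_dialog_result "button returned:, gave up:true"
handle_dialog_result ""
```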
Posted on 02-08-2022 06:43 AM
I know this post is a bit older, but I'm also struggling to remove the tell application commands from my osascripts that type a user's email in and hit enter for them (trying for no-touch deployment using Microsoft's SSO). I am still getting the System Events message, but I can't seem to get my scripts to type in the info without the tell.
In the example here I want Safari to open and type in their user name and then open the Extensions preference pane of Safari so the user can check the check box for the ClassLink extension. This works if the user clicks to allow jamf to use System Events currently; however I want fewer clicks. So in your opinion would this script run without the tell pieces?
#!/bin/bash
dockStatus=$(pgrep -x Dock)
echo "Waiting for Desktop..."
while [[ "$dockStatus" == "" ]]
do
echo "Desktop is not loaded. Waiting."
sleep 3
dockStatus=$(pgrep -x Dock)
done
# Determine the console user only after the Dock is up (before that it may still be loginwindow/root);
# it must be set before it is used in the message and sudo calls below
currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
echo "$currentUser has successfully logged on! The Dock appears to be loaded with PID $dockStatus."
sleep 2
sudo -u "$currentUser" open http://classlink.com
# unquoted EOF so $currentUser is expanded into the AppleScript keystroke
sudo -u "$currentUser" osascript <<EOF
tell application "Safari"
activate
delay 3
tell application "System Events"
keystroke "$currentUser"
end tell
end tell
tell application "Safari" to activate
delay 4
tell application "System Events" to tell process "Safari"
keystroke "," using command down
tell window 1
click button "Extensions" of toolbar 1
activate "Extensions"
keystroke return
end tell
end tell
EOF
Posted on 03-31-2022 02:02 PM
Gabe, sorry I missed this. No, I don't think you could get by without tell blocks since macOS isn't psychic about which app you want to talk to! Any and all pop-ups you are getting regarding interaction with an app are by design, which roiled quite a few developers. Any interaction with an app is going to need user consent or a PPPC profile to maybe get it working. Don't ask me though, I've decided to stay away from AppleScript and app control as Apple has put up onerous hoops to jump through (I get it but don't want to deal with it). So yeah, you might need to fool around and make a PPPC pref in Jamf or with that tool for Safari to Allow System Events. Or perhaps consider doing away with interaction via script and pop up guided messages to instruct the user how to do what they need to do (I know they're kids but how are they ever going to learn ;)
Also since my post here in 2019: I decided to stop fooling around with writing AppleScript in my shell scripts and wrote a shell function that can be embedded in any shell script (bash/zsh) to do the AppleScript for you! It's called shui
Posted on 01-17-2020 01:50 PM
Having all 3 items including allowing all the Apple Events allowed me to bypass the osascript prompt @leonwun .
Posted on 05-06-2020 11:09 AM
How do you find osascript to add to those lists?
Posted on 05-06-2020 11:15 AM
Have you looked here?: https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles/blob/master/JamfAppleEvents.mobileconfig
Posted on 09-02-2020 11:31 PM
@gene.kennett run this command in terminal to find path for osascript.
bash-3.2# which osascript
/usr/bin/osascript
Posted on 04-26-2021 09:51 AM
I think I have this figured out. I was running into this exact problem while attempting to use osascript to remove Bluetooth devices from our loaner computers. I fixed this using a PPPC, see below:
I wasn't able to navigate to these files inside of the PPPC Utility, instead I had to open up the files in Finder and drag them into the PPPC Utility window. Add these files:
-- /Library/Application Support/JAMF/Jamf.app/Contents/MacOS/Jamf
-- /Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService
-- (Right Click on Jamf.app and select "Show Package Contents" to get to these files)
Make sure to reference them inside of the Apple Events section as well.
Why not just add Jamf.app? I don't know. You would think that would work, but I could only get it to work by digging down to these specific files.
I hope this helps someone.
Posted on 04-30-2021 12:18 AM
I'm seeing this message on fresh DEP/ADE enrollments when it says "enroll" wants to control system events. The enroll command is actually a tiny bash script that is installed in /usr/local/jamf, along with the jamf binary, by the InstallApplication payload in the MDM profile. This script contains the jamf enroll -invitation 1234567890... and a few other commands like jamf recon.
I speculate that this could be a race condition where Jamf's PPPC profile hasn't arrived on the system when this script starts running — OR — that macOS takes too long to process the new approval.