"jamf" wants access to control "system events"

leonwun
Contributor

Hey there,

I edited a /bin/bash script that automatically checks the device's uptime and tells the user to restart his computer after 2 weeks of uptime (with the help of https://www.jamf.com/jamf-nation/discussions/17336/user-has-not-restarted-in-x-number-of-days)

The following part generates the '"jamf" wants access to control "system events"' message for end users:

#!/bin/bash

# Discover logged in user
user=$(stat -f%Su /dev/console)

# Execute code as logged in user (instead of root)
sudo -u "$user" /usr/bin/osascript <<-EOF

tell application "System Events"
    activate
    set question to display dialog "The device has not been restarted for [...]" ¬
        with title "RESTART YOUR COMPUTER" buttons {"Shut Down", "Restart", "Cancel"} ¬
        cancel button "Cancel" with icon caution
    set answer to button returned of question
    if answer is equal to "Shut Down" then
        tell application "System Events"
            shut down
        end tell
    end if
    if answer is equal to "Restart" then
        tell application "System Events"
            restart
        end tell
    end if
    if answer is equal to "Cancel" then
        return
    end if
end tell
EOF
exit 0
# fi -- closes the uptime check that wraps this part in the full script

I already read the thread (https://www.jamf.com/jamf-nation/discussions/30388/loginwindow-wants-access-to-control-system-events) but couldn't find the solution there. The issue seems to be the tell / end tell statement but I can't find a way to change the script.
I tried several PPPCs and gave JAMF access to Accessibility, System Events and everything else that's required.

The script itself works fine.
Can someone help me out here?



Geelcey
New Contributor III

Hey!

Can you post a screenshot of the PPPCs you are creating to make this happen?

If you have not used the PPPC Utility from GitHub, I would use this and add the jamf binary that way and allow access; you can tick exactly which parts need access. However, you may have already done so.

Thanks,

G

leonwun
Contributor

Hey!

For testing purposes I tried the following:


I know that most permissions are unnecessary, I just wanted to be sure nothing's missing.

mm2270
Legendary Contributor III

The problem isn't the Jamf binary. It's osascript, which is what is actually calling the AppleScript event to control "System Events". If you add in osascript to your PPPC profile (or better yet, create a new PPPC profile just for osascript) and give it access to System Events, and maybe a few other items under the Apple Events section for good measure, and then deploy that, I'm betting the prompt will go away. I may be wrong, but I do think that's the issue.

In case it helps, osascript is in /usr/bin/. You should be able to just navigate to that and add it into the PPPC Utility.

leonwun
Contributor

I just did the following:

and the issue still exists.

Thanks for the input anyway!

mm2270
Legendary Contributor III

@leonwun Are you certain the profile had been pushed to the Mac by the time the script was re-run? Because I have a PPPC profile to allow osascript control over the various System Events and I don't get a prompt. I used your exact script in fact for testing and it comes up for me without prompting to allow any control over System Events. So I can't explain (yet) what the difference may be.

defiler
New Contributor III

@leonwun are you sure that the PPPC profile is actually installed on the target machines? For example, if it's not DEP enrolled and UAMDM is not accepted, it just won't work.

leonwun
Contributor

On my testing machine under "System Preferences" -> "Profiles" the following profiles are shown: JAMF, JamfAgent and osascript.

So this doesn't seem to be the issue.
I already tried to reset the permissions of my testing machine with:

tccutil reset AppleEvents; tccutil reset SystemPolicyAllFiles

to make sure there were no changes specifically on my testing machine that cause the issue.

I still can't figure out why it doesn't work - especially now that I know it works on @mm2270's machine.
Does your profile look any different? Also, it works when I run it in Terminal, just not when I run it remotely via a jamf policy.

jameson
Contributor II

I also see this prompt with my script for renaming Macs.
The strangest thing is that on some Macs it works fine without any popup, while on others it is shown - with the exact same profiles installed and on the latest Mojave. But I have stopped spending time on this and instead instructed users to click "Allow" on it.

leonwun
Contributor

This seems to be a bug on JAMF's or Apple's side then. I might create a ticket for that - if someone finds a solution please post ;)

LaMantia
New Contributor III

Have you seen this pre-built (JamfAppleEvents.mobileconfig) for osascript?

https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles

leonwun
Contributor

Yes, I have this config on all machines. Btw, this is the error message that gets logged if you ignore the box:

Script result: 140:645: execution error: System Events got an error: AppleEvent timed out. (-1712)

Edit:

Maybe someone can say something about this post?

Posted: 29/1/19 at 10:49 AM by bentoms @UESCDurandal You likely have some AppleScript blocks which say "tell application System Events"... remove the tell & end tell bits then try again.. you can often amend the scripts.

From this thread by @bentoms

Mauricio
Contributor III

@leonwun

If you run the script locally/manually and leave the display box there, AppleScript will time out after 2 minutes.
That is what you are getting in the error message: end users not "actioning" the request; they may be away from the computer, for example.


A possible solution is to add a "giving up" parameter, capture the output and do some logic with it.
Example from your script:

use AppleScript version "2.4" -- Yosemite (10.10) or later
use scripting additions

tell application "System Events"
    activate
    set question to display dialog "The device has not been restarted for [...]" with title "RESTART YOUR COMPUTER" buttons {"Shut Down", "Restart", "Cancel"} ¬
        cancel button "Cancel" with icon caution giving up after 5

    if gave up of question is false then
        set answer to button returned of question
        if answer is equal to "Shut Down" then
            tell application "System Events"
                shut down
            end tell
        end if
        if answer is equal to "Restart" then
            tell application "System Events"
                restart
            end tell
        end if
        if answer is equal to "Cancel" then
            return
        end if
    else
        set isActioned to "Not there"
    end if
end tell

A note about the "Cancel" button: the way it is set, it will stop and exit the script at that point; it will not run to the end.


I would recommend a small change to allow the script to run.

use AppleScript version "2.4" -- Yosemite (10.10) or later
use scripting additions

tell application "System Events"
    activate
    set question to display dialog "The device has not been restarted for [...]" with title "RESTART YOUR COMPUTER" buttons {"Shut Down", "Restart", " Cancel"} ¬
        with icon caution giving up after 10

    if gave up of question is false then
        set answer to button returned of question
        if answer is equal to "Shut Down" then
            tell application "System Events"
                shut down
            end tell
        end if
        if answer is equal to "Restart" then
            tell application "System Events"
                restart
            end tell
        end if
        if answer is equal to " Cancel" then
            return
        end if
    else
        set isActioned to "Not there"
    end if
end tell

If you must use Cancel, add a space to it (" Cancel"); that bypasses the internal Cancel function of the script and allows the flow to continue. Of course you could call it "Not Now".


Regards

leonwun
Contributor

Hey there, thanks for your advice! That's a nice addition to the script.

Still, I think the error message is generated from this window, not the script itself. If you don't respond to the '"jamf" wants to control...' message and wait 2 minutes, the error is generated.

So the problem with the window that should not appear still exists.

Mauricio
Contributor III

@leonwun Oh yeah, that is the TCC bit; there are several places to set.


leonwun
Contributor

Hey, I have the same (and even more) profiles on my testing machines - the window still pops up. It only works without this popup when I run it locally and not via jamf.

leonwun
Contributor

I created a ticket regarding this issue, as we can't find a solution and it might be a problem on JAMF's / Apple's side.

If you still find anything I would really appreciate a post ;)

koalatee
Contributor II

Are you on 10.11? Small note from the bottom of the release notes:

You'll want your PPPC profile to allow

/Library/Application Support/JAMF/Jamf.app

kdean
New Contributor III

@koalatee That's good to know. I am interested whether this resolved the issue for @leonwun.

leonwun
Contributor

Hey @koalatee, thanks for your post! I don't use 10.11 on any of my testing devices - we only use Mojave & High Sierra.

I tried this PPPC anyway, sadly nothing has changed.

LeidenUniv
New Contributor III

I think @koalatee means Jamf Pro 10.11 (not macOS)

leonwun
Contributor

Yes, we're at 10.11.1-t1553545638.

chrisdaggett
Contributor II

Definitely a big problem. Hopefully a solution is found.

jbutler47
Contributor II

Experienced a similar issue, was able to resolve in the following fashion, which was posted earlier in this thread.

  • Jamf Pro is 10.11.1 (cloud)
  • Via PPPCU created a profile for "com.jamf.management.Jamf"
  • Open your /Library/Application Support/JAMF folder, drag the Jamf application to PPPCU
  • Set all access items but camera and mic
  • In the Apple Events section, add allow for Finder, System Events, and SystemUIServer
  • Save the config to your computer
  • Upload config to Configuration Profiles, set scope and etc.
  • Allow config to propagate, tested Self Service item that runs a bash script with OSASCRIPT elements, joy.

YMMV

leonwun
Contributor

Hey @jbutler47, I followed your steps exactly and uploaded the resulting profile.

The profile was rolled out on my testing machines and I double checked that the profile was there. Then I waited until the next recurring check-in (15 min).
The issue still exists. I did not try it with Self Service as that's not the intended use in the end (it should run with a recurring check-in).

marck
New Contributor III

We have been seeing a similar issue. It appears that if, at some point, a/the user has selected "Don't Allow" when they see the "Jamf wants access" message, then the script will never work regardless of what you do. If the user has denied Jamf access to System Events, that setting appears to be persistent and pushing a config profile after the fact does not resolve the problem. I'm not yet certain if the denial is a per-user issue or a system-wide issue.

On a test machine I've been able to run tccutil reset AppleEvents and then push out a PPPC allowance for Jamf.app - System Events. After that, a script we have that runs osascript will work. The settings I made in the PPPC Utility were for /Library/Application Support/JAMF/Jamf.app.

It would be useful to know if clearing the System Events works for anyone else.

leonwun
Contributor

Hey @marck,

I did not select 'Don't Allow' on my testing machines. They are installed freshly and there are no permissions set yet.
The Window appears even with all those profiles.

timdambrosio
Contributor

Try changing your osascript by getting rid of the "tell application" bit.

So it should read something like:

osascript -e 'display dialog "Blah Blah...."'

kdean
New Contributor III

Did your Jamf Pro instance update to 10.12.0 this week? Did that fix the issue, @leonwun?

leonwun
Contributor

@kdean we got updated to 10.12, the issue still exists.

@timdambrosio I don't really understand how to change it to remove the "Tell Application", can you explain further please?

B-35405
Contributor

@leonwun He means to remove "tell application" from the osascript. He is saying you should still get the results you want from System Events w/o the "tell application" in front of it. BTW, I was able to resolve this issue with a PPPC config profile from GitHub. I opened a ticket with JAMF and they pointed me to GitHub.

Ref: https://www.jamf.com/jamf-nation/articles/553/preparing-your-organization-for-user-data-protections-on-macos-10-14

Ref: https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles

brunerd
Contributor

I too was having this happen... I added the Bundle ID of Jamf.app with access to System Events and was getting pop-ups.
I was about to go down the rabbit hole of which combo would work, then I tried something simpler...

Remove the tell, activate, and end tell lines, i.e. these lines:

tell application "System Events"
    activate
...
end tell

Now in the example from the original poster @leonwun, this may not be much of a help, as you are explicitly telling System Events to restart and shut down, methods that may not be available if you are not telling System Events. Not sure if these are the "nice" methods that ask the user to save work, but if they are not (or you don't care :) perhaps you could just capture the output of the osascript for button returned and then use bash to run shutdown -h now (halt/shutdown) or shutdown -r now (restart):

osaresult=$(/usr/bin/osascript -e 'set question to display dialog "The device has not been restarted for [...]" with title "RESTART YOUR COMPUTER" buttons {"Shut Down", "Restart", "Cancel"} cancel button "Cancel" with icon caution' 2>/dev/null)
button=$(awk -F 'button returned:|, gave up:' '{print $2}' <<< "$osaresult")

Use a case statement (or ifs) with the ${button} variable to do what you need

NOTE: There are caveats if you omit "telling" an application and you include an icon path. It must be invoked/run from Self Service to succeed if an icon path is used:
  • If you run the script directly from Terminal it will fail
  • If you invoke the policy via command line, it will fail (jamf policy -id <id> or jamf policy -event <name>)
  • If the policy is called from another policy using "jamf policy ..." via script or with Files and Processes "run command", it will fail also...

For example, this will fail when run from Terminal:

osascript -e 'set dialogAnswer to display dialog "You can do a simple button pop-up, with timeout of 5 seconds" with title "Title" with icon file ":System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:Clock.icns" buttons {"OK"} default button 1 giving up after "5"'
20:261: execution error: File file :System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:Clock.icns wasn’t found. (-43)

However if the above snippet is in a script that is run in a Self Service actuated policy it will succeed.
So... there's a workaround but it only works in Self Service otherwise it's got some serious downsides to consider... hope this saved some folks a few hours (that I'll never get back ;)
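Pulling together Mauricio's "giving up" handling above and brunerd's idea of capturing "button returned" and leaving shutdown/restart to bash, here is an added example (not from anyone in this thread) of a policy script that no longer addresses System Events at all and refuses to act on any dialog result it does not recognise. The dialog text, the 14-day figure, the 90-second timeout, the "Not Now" button and the function names ask_user/decide_action/main are my choices; decide_action is plain string handling and runs on any machine, ask_user needs a Mac.

```bash
#!/bin/bash
# Added example. No 'tell application "System Events"' block: display dialog
# comes from Standard Additions, and shutdown/restart run from this (root)
# shell after the answer has been validated, so the osascript call does not
# control another app and the root-only action never runs on unparsed text.

# Show the dialog as the console user. osascript prints the dialog record
# on success, e.g. "button returned:Restart, gave up:false"; AppleScript
# errors (user canceled -128, AppleEvent timed out -1712) go to stderr,
# which is folded into the output so decide_action can classify them.
# "giving up after" stays under 120 s: an unanswered consent prompt makes
# the Apple Event time out after 2 minutes (-1712), so with the dialog
# giving up first, a -1712 here can only be the consent prompt.
ask_user() {
    local user
    user=$(stat -f%Su /dev/console)
    sudo -u "$user" /usr/bin/osascript -e 'display dialog "The device has not been restarted for 14 days." with title "RESTART YOUR COMPUTER" buttons {"Shut Down", "Restart", "Not Now"} default button "Restart" with icon caution giving up after 90' 2>&1
}

# Classify the raw osascript output. Prints exactly one of:
#   shutdown | restart | none | timeout | error
decide_action() {
    local raw="$1" button gaveup
    case "$raw" in
        "")                  echo error;   return ;;  # nothing came back
        *"(-1712)"*)         echo timeout; return ;;  # consent prompt left unanswered
        *"execution error"*) echo error;   return ;;  # any other AppleScript error
    esac
    # Basic regular expressions only, so BSD (macOS) and GNU sed agree
    button=$(printf '%s\n' "$raw" | sed -n 's/.*button returned:\([^,]*\).*/\1/p')
    gaveup=$(printf '%s\n' "$raw" | sed -n 's/.*gave up:\([a-z]*\).*/\1/p')
    if [ "$gaveup" = "true" ]; then
        echo none   # nobody at the keyboard; try again at the next check-in
        return
    fi
    case "$button" in
        "Shut Down") echo shutdown ;;
        "Restart")   echo restart ;;
        "Not Now")   echo none ;;      # not named "Cancel", so no -128 error
        *)           echo error ;;     # unexpected text is never acted on
    esac
}

# Entry point for the deployed policy script: append a line reading `main`
# when deploying. It is not called here so decide_action can be exercised
# on any machine without showing a dialog.
main() {
    local action
    action=$(decide_action "$(ask_user)")
    case "$action" in
        shutdown) /sbin/shutdown -h now ;;
        restart)  /sbin/shutdown -r now ;;
        none)     exit 0 ;;
        timeout)  echo "consent prompt not answered: check the PPPC grant for jamf/osascript" >&2; exit 1 ;;
        *)        echo "dialog failed ($action), not acting" >&2; exit 1 ;;
    esac
}
```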

GabeShack
Valued Contributor III

@brunerd 

I know this post is a bit older, but I'm also struggling to remove the tell application commands from my osascripts that type a user's email in and hit enter for them (trying for no-touch deployment using Microsoft's SSO). I am still getting the System Events message, but I can't seem to get my scripts to type in the info without the tell.

 

In the example here I want Safari to open and type in their user name and then open the Extensions preference pane of Safari so the user can check the checkbox for the ClassLink extension. This works currently if the user clicks to allow jamf to use System Events, however I want fewer clicks. So in your opinion would this script run without the tell pieces?

#!/bin/bash
# Wait until the Dock is running so the user session is fully loaded
dockStatus=$(pgrep -x Dock)

echo "Waiting for Desktop..."

while [[ "$dockStatus" == "" ]]
do
  echo "Desktop is not loaded. Waiting."
  sleep 3
  dockStatus=$(pgrep -x Dock)
done

# Determine the console user before it is used below
currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
echo "$currentUser has successfully logged on! The Dock appears to be loaded with PID $dockStatus."
sleep 2

# Open the sign-in page as the user, then type the user name into Safari
sudo -u "$currentUser" open http://classlink.com
sudo -u "$currentUser" osascript <<EOF
tell application "Safari"
    activate
    delay 3
    tell application "System Events"
        keystroke "$currentUser"
    end tell
end tell

tell application "Safari" to activate
delay 4

-- Open Safari preferences and switch to the Extensions pane
tell application "System Events" to tell process "Safari"
    keystroke "," using command down
    tell window 1
        click button "Extensions" of toolbar 1
        activate "Extensions"
        keystroke return
    end tell
end tell
EOF

 

Gabe Shackney
Princeton Public Schools

Gabe, sorry I missed this. No, I don't think you could get by without tell blocks, since macOS isn't psychic about which app you want to talk to! Any and all pop-ups you are getting regarding interaction with an app are by design, which roiled quite a few developers. Any interaction with an app is going to need user consent or a PPPC profile to maybe get it working. Don't ask me though; I've decided to stay away from AppleScript and app control as Apple has put up onerous hoops to jump through (I get it but don't want to deal with it). So yeah, you might need to fool around and make a PPPC pref in Jamf or with that tool for Safari to allow System Events. Or perhaps consider doing away with interaction via script and pop up guided messages to instruct the user how to do what they need to do (I know they're kids but how are they ever going to learn ;)

 

Also, since my post here in 2019: I decided to stop fooling around with writing AppleScript in my shell scripts and wrote a shell function that can be embedded in any shell script (bash/zsh) to do the AppleScript for you! It's called shui.

rmorse
New Contributor II

Having all 3 items including allowing all the Apple Events allowed me to bypass the osascript prompt @leonwun .


Polybius
New Contributor III

How do you find osascript to add to those lists?

HCSTech
Contributor

Have you looked here?: https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles/blob/master/JamfAppleEvents.mobileconfig

alex_mcclements
New Contributor

@gene.kennett run this command in Terminal to find the path for osascript:

bash-3.2# which osascript
/usr/bin/osascript

lparnell
New Contributor II

I think I have this figured out. I was running into this exact problem while attempting to use osascript to remove Bluetooth devices from our loaner computers. I fixed this using a PPPC, see below.

I wasn't able to navigate to these files inside of the PPPC Utility, instead I had to open up the files in Finder and drag them into the PPPC Utility window. Add these files:
-- /Library/Application Support/JAMF/Jamf.app/Contents/MacOS/Jamf
-- /Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService
-- (Right Click on Jamf.app and select "Show Package Contents" to get to these files)

Make sure to reference them inside of the Apple Events section as well.
Why not just add Jamf.app? I don't know. You would think that would work, but I could only get it to work by digging down to these specific files.
I hope this helps someone.

bradtchapman
Valued Contributor II

I'm seeing this message on fresh DEP/ADE enrollments when it says "enroll" wants to control System Events. The enroll command is actually a tiny bash script that is installed in /usr/local/jamf, along with the jamf binary, by the InstallApplication payload in the MDM profile. This script contains the jamf enroll -invitation 1234567890... and a few other commands like jamf recon.

I speculate that this could be a race condition where Jamf's PPPC profile hasn't arrived on the system when this script starts running — OR — that macOS takes too long to process the new approval.