"jamf" wants access to control "system events"

leonwun
Contributor

Hey there,

I edited a /bin/bash script that automatically checks the device's uptime and tells the user to restart his computer after 2 weeks of uptime (with the help of https://www.jamf.com/jamf-nation/discussions/17336/user-has-not-restarted-in-x-number-of-days)

The following part generates the "jamf" wants access to control "system events" message for end users:

#!/bin/bash

# Discover logged in user
user=$(stat -f%Su /dev/console)

# Execute code as logged in user (instead of root)
sudo -u "$user" /usr/bin/osascript <<-EOF

tell application "System Events"
    activate
    set question to display dialog "The device has not been restarted for [...]" ¬
        with title "RESTART YOUR COMPUTER" buttons {"Shut Down", "Restart", "Cancel"} ¬
        cancel button "Cancel" with icon caution
    set answer to button returned of question
    if answer is equal to "Shut Down" then
        tell application "System Events"
            shut down
        end tell
    end if
    if answer is equal to "Restart" then
        tell application "System Events"
            restart
        end tell
    end if
    if answer is equal to "Cancel" then
        return
    end if
end tell
EOF
exit 0

I already read the thread (https://www.jamf.com/jamf-nation/discussions/30388/loginwindow-wants-access-to-control-system-events) but couldn't find the solution there. The issue seems to be the tell / end tell statement but I can't find a way to change the script.
I tried several PPPCs and gave JAMF access to Accessibility, System Events and everything else that's required.

The script itself works fine.
Can someone help me out here?

Bol
Valued Contributor

I haven't used the path name in my profiles but can try and let you know

GabeShack
Valued Contributor III

So now if I approve accessibility for "JamfDaemon" manually it works, but including accessibility on the profile doesn't work because of the child/parent process mismatch.

Or if I click approve for the "Allow Jamf to control system events" it works. Since this 2nd option holds the process/script at bay and lets the script run right after it, I suppose it's the lesser of two evils. Just going to have the end user click the allow button until someone else can figure this out.

Gabe Shackney
Princeton Public Schools

tcandela
Valued Contributor II

I'm also getting this 'jamf wants access to control system events' when I run an osascript to rename a computer. I have a popup appear for the user to enter a computer name and click save. It works fine on Intel Macs but with M1 Macs I get the 'jamf wants access to control system events'. The M1 Macs are running macOS Monterey.

This script is only run once via self service but I would rather not see that 'jamf wants access to control system events' regardless of how many times I run the policy.

I want to try the following PPPC configuration profile (see link). What do I do? Copy the code and upload it to JAMF in a configuration profile or pppc payload?

https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles/blob/master/JamfAppleEvents.mobil...

We had a script to mount network shares that started doing this and I fixed it by removing all "tell" blocks.

still used osascript, just differently

GabeShack
Valued Contributor III

Apparently this is a known issue for Apple where the Jamf.app has 2 child processes that don't properly get whitelisted for the TCC process. We have seen some convoluted ways to maybe get around it by making a new Jamf PPPC with the processes using the info from the main app, and then it works without removing the tell... however it's a bigger issue. This apparently started back around 11.4 with a security update Apple made to the system which broke apps that have differently named child processes. I have an open escalation with Apple at the moment, but it's on their side since the PPPC profile should allow for this. It gets even more complicated when the process also requires accessibility, for which there is no current workaround.

Gabe Shackney
Princeton Public Schools

Bol
Valued Contributor

That change was to fix actively exploited CVE-2021-30713 which is ironic, seems it's a lot easier to bypass than to correctly whitelist permissions!

Kudos to you Mr Shackney for the update, I wasn't aware the accessibility side has been acknowledged and will stop looking into it.
Frankly, the state of TCC right now is a dog's breakfast to say the least. Keep us in the loop!

tcandela
Valued Contributor II

from what I've been reading it's JAMF requesting access to 'system events' so it's a JAMF PPPC setting not an 'osascript' setting.   

It looks like my PPPC settings are allowing Jamf System Events access but I still get the popup.

tcandela
Valued Contributor II

@lparnell  mobileconfig did not work for me, I still get the Jamf wants to control system events popup.

I'm going to try the @rmorse config

are you 'enabling' Big Sur compatibility when creating the config profile with PPPC utility?

GabeShack
Valued Contributor III

osascript is only if you are using Jamf to run an AppleScript at any given time. The PPPC utility (or config profile) won't allow the child process of the "Jamf" app to be named differently than the main app or it will still prompt. This isn't something that will be easily solved unless Apple fixes it. Nothing to do with the Big Sur compatibility check box, which just allows for the config profile to prompt the user to allow for screen recording, microphone access and anything users can still select.

Gabe Shackney
Princeton Public Schools

tcandela
Valued Contributor II

Hi @GabeShack yep, that's what I'm doing: running a script from Self Service, and I get that Jamf wants to control System Events popup. The script works great but I don't like that popup. Here is the script.

#!/bin/bash
# GetUserInputFromSelfService-ComputerName.bash
# slightly modified from suggestion by Mauricio Pellizzon https://www.jamf.com/jamf-nation/discussions/32795/script-best-way-to-request-user-input
# 2019-10-29
#
# T C
# 2/14/2022

# Logged-in console user
userName=$(ls -la /dev/console | cut -d " " -f 4)

# echo "$userName is the logged in user"

user_entry=""

# Act on what the dialog returned: re-prompt on empty input, exit on cancel
validateResponse() {
case "$user_entry" in
"noinput" ) echo "empty input"; askInput ;;
"cancelled" ) echo "time out/cancelled"; exit 0 ;;
* ) echo "$user_entry" ;;
esac
}

# Show the dialog as the logged-in user and capture what was typed
askInput() {
user_entry=$(sudo -u "$userName" osascript <<EOF
use AppleScript version "2.4" -- Yosemite (10.10) or later
use scripting additions
set theTextReturned to "nil"
tell application "System Events"
    activate
    try
        set theResponse to display dialog "Please enter Computer Name (enter nil to cancel)" with title "Set Computer Name" buttons "Save" default button "Save" default answer ""
        set theTextReturned to the text returned of theResponse
    end try
    if theTextReturned is "nil" then
        return "cancelled"
    else if theTextReturned is "" then
        return "noinput"
    else
        return theTextReturned
    end if
end tell
EOF
)
validateResponse
}

askInput

# Make it upper case - just a convention
upper="$(echo "$user_entry" | tr '[:lower:]' '[:upper:]')"

#/usr/local/bin/jamf setComputerName -name "$user_entry"
/usr/local/bin/jamf setComputerName -name "$upper"

# Update the server so it knows the name
/usr/local/bin/jamf recon

exit 0

GabeShack
Valued Contributor III

Yea, I see AppleScript in there. You can try changing that by removing the tell command but I'm going to bet that breaks the script. Until Apple fixes their TCC issues, it's most likely going to have to have that first prompt, which is really not great.

For your script though I believe I've seen ways to get that computer name inputted without having to use AppleScript... you may be able to do that with JamfHelper... but DEPNotify is probably your best bet.

Previously we used DEPNotify to name computers, which can easily pop up a menu when the user logs in and then prompt to name the machine.  We used to also have them set the barcode (asset tag) number.  I might suggest looking at DEPNotify as an alternative.  

Gabe Shackney
Princeton Public Schools

Bol
Valued Contributor

@GabeShack  @tcandela  Removing these lines will work and won't break the script;

tell application "System Events"

activate

end tell

With those lines, you are sending the display dialog to another process (System Events), which isn't required.

You are seeing a TCC prompt as the process running your script (below) does not have approval to send to System Events.

com.jamf.management.service : /Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService

Scripting additions include the use of display dialog without this requirement.
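Added example, not code from this thread or from Jamf: tcandela's rename prompt rewritten the way Bol describes above. The dialog is produced by Standard Additions inside osascript's own process, with no tell block, so no Apple event is sent to System Events and TCC has no AppleEvents decision to make for the calling Jamf process. The jamf binary path, the Cancel/Save button layout, the `rename_prompt.sh` file name and the hostname-safe normalisation rule are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): prompt the console user for a computer
# name with display dialog from Standard Additions, without addressing
# System Events. Paths, button labels and the naming rule are assumptions.

# Logged-in console user (same technique as the opening post).
console_user() {
  stat -f%Su /dev/console
}

# Classify what the dialog handed back: cancelled, noinput or ok.
classify_response() {
  case "$1" in
    "nil" | "cancelled") echo "cancelled" ;;
    "")                  echo "noinput" ;;
    *)                   echo "ok" ;;
  esac
}

# Upper-case the name (the thread's convention) and keep only characters that
# are safe in a hostname, so whatever was typed reaches the jamf command line
# filtered. This rule is an assumption for the example.
normalize_name() {
  printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | tr -cd 'A-Z0-9-'
}

# Show the dialog as the console user. There is deliberately no
# `tell application "System Events"` block: `use scripting additions` is all
# display dialog needs. Clicking Cancel raises an AppleScript error (-128),
# which the try/on error turns into the string "cancelled".
ask_name() {
  sudo -u "$1" /usr/bin/osascript <<'EOF'
use AppleScript version "2.4"
use scripting additions
try
    set theResponse to display dialog "Please enter Computer Name" with title "Set Computer Name" buttons {"Cancel", "Save"} cancel button "Cancel" default button "Save" default answer ""
    return text returned of theResponse
on error
    return "cancelled"
end try
EOF
}

main() {
  user="$(console_user)"
  entry="$(ask_name "$user")"
  case "$(classify_response "$entry")" in
    cancelled) echo "cancelled by user"; exit 0 ;;
    noinput)   echo "empty input, nothing changed"; exit 1 ;;
  esac
  name="$(normalize_name "$entry")"
  # Assumed jamf binary location, as used elsewhere in the thread.
  /usr/local/bin/jamf setComputerName -name "$name"
  /usr/local/bin/jamf recon
}

# Run the interactive flow only when saved and invoked as rename_prompt.sh, so
# the helper functions above can also be sourced and exercised on their own.
case "$0" in
  *rename_prompt.sh) main ;;
esac
```

Save it as rename_prompt.sh and run it from a Jamf policy or Self Service as usual; the only behavioural change from the thread's script is that the dialog no longer crosses a process boundary, which is exactly the step TCC was asking about.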

Bol
Valued Contributor
@teodle wrote:

We had a script to mount network shares that started doing this and I fixed it by removing all "tell" blocks.

still used osascript, just differently


Mount volume is the same, it does not require sending the command to another process. Same for list disks, set volume etc.

https://developer.apple.com/library/archive/documentation/AppleScript/Conceptual/AppleScriptLangGuid...

ToddB
New Contributor II

Hey Guys, I found this thread while trying to solve a similar issue we were having with prompts popping when running AppleScripts through JAMF. Following @GabeShack 's advice, I wrote a new PPPC for all the JAMF binaries and apps that seems to be working. The main issue seems to be that Mac's TCC does not like the default CodeRequirement for the binaries/apps and so it must be replaced with that of the main Jamf.app bundle. Here's the core of the PPPC stripped down to just the JAMF things with full file access, accessibility, and appleevents access to System Events, SystemUIServer, Finder, and Mail. 

I included the JamfAAD and SelfService as well but I'm not 100% on those as I couldn't think of a good way to test. 

Warning: It's Huge.

https://pastebin.com/s2JDK65u

GabeShack
Valued Contributor III

@ToddB Can I ask, do you have a separate one for just osascript? If so can you just screenshot it so I can compare? I'm going to try yours in place of my Jamf TCC to see if it changes the input from keyboards using AppleScript and accessibility.

Gabe Shackney
Princeton Public Schools

ToddB
New Contributor II

I'm like 99% sure I don't. I've never had an issue where Jamf was requesting access to osascript (I think it already has it?). In theory, if Jamf is requesting access to 'System Events' that means the osascript portion is already working.

Bol
Valued Contributor

@ToddB wrote:

Hey Guys, I found this thread while trying to solve a similar issue we were having with prompts popping when running AppleScripts through JAMF. Following @GabeShack 's advice, I wrote a new PPPC for all the JAMF binaries and apps that seems to be working. The main issue seems to be that Mac's TCC does not like the default CodeRequirement for the binaries/apps and so it must be replaced with that of the main Jamf.app bundle. Here's the core of the PPPC stripped down to just the JAMF things with full file access, accessibility, and appleevents access to System Events, SystemUIServer, Finder, and Mail. 

I included the JamfAAD and SelfService as well but I'm not 100% on those as I couldn't think of a good way to test. 

Warning: It's Huge.

https://pastebin.com/s2JDK65u

Same as what I found, Jamf documented the change on allowing the bundle but nothing to do with the code requirement..

https://community.jamf.com/t5/jamf-pro/quot-jamf-quot-wants-access-to-control-quot-system-events-quo...

GabeShack
Valued Contributor III

Perhaps that is part of my problem. I'm telling it to do something that might be breaking it. Going to test and let you know.

Gabe Shackney
Princeton Public Schools

ToddB
New Contributor II

Just tested with a modified version of @tcandela 's rename script (edited to not rename, just echo the input back) and got no prompts.

GabeShack
Valued Contributor III

Yea, unfortunately it still doesn't seem to work for me. I think it's all related to accessibility, which can't get the same path for osascripts. At one point with @Bol's hints, I was able to have the jamf wants access message suppressed but then it popped the accessibility message for osascript. So I never got them both working together and it's because my script wants to type info in the keyboard, which Apple really doesn't want anything to do with anymore lol.

Gabe Shackney
Princeton Public Schools

Bol
Valued Contributor

@GabeShack wrote:

Yea, unfortunately it still doesn't seem to work for me. I think it's all related to accessibility, which can't get the same path for osascripts. At one point with @Bol's hints, I was able to have the jamf wants access message suppressed but then it popped the accessibility message for osascript. So I never got them both working together and it's because my script wants to type info in the keyboard, which Apple really doesn't want anything to do with anymore lol.


@GabeShack Well, if you haven't given up on your Apple Script dreams yet.. It's just been acknowledged in testing so hopefully next major release, you could be back in business! 

  • Resolves an issue where PPPC payloads for Accessibility and AppleEvents do not suppress user approval prompts.

GabeShack
Valued Contributor III

I believe this is in regard to an open radar I got escalated up to the macOS security team. (Or at least I'd like to think I had something to do with it lol.)

Apparently they listen when someone brings up issues listed as "security related" lol.

Gabe Shackney
Princeton Public Schools

GabeShack
Valued Contributor III

@Bol Actually I just got confirmation that Apple did fix this bug per my escalation from my SE. They are asking me to test it... so now I need to get a machine on the beta and test my enrollment!

Gabe Shackney
Princeton Public Schools

Bol
Valued Contributor
@GabeShack wrote:

I believe this is in regard to an open radar I got escalated up to the macOS security team. (Or at least I'd like to think I had something to do with it lol.)

Apparently they listen when someone brings up issues listed as "security related" lol.


Well it's security related x 1000 from now on then. :D

Honestly though, it's to do with their Transparency, Consent, and Control security and has been bugged for a length of time now; it's a great thing it's finally been acknowledged, worked on and hopefully resolved.


Kudos to you for the radar rocket sent and let us know as soon as you've had the chance to test with your results! 

@GabeShack Very curious about your results after your test, how did things go?

Tim_Apple
New Contributor III

Any news here? I'm still trying to figure out how to fix this.

Bol
Valued Contributor

What are you trying to fix? It was mentioned Apple did sort the System Events bug filed by @GabeShack

https://community.jamf.com/t5/jamf-pro/quot-jamf-quot-wants-access-to-control-quot-system-events-quo...

GabeShack
Valued Contributor III

As I have tested this since Apple told me it was fixed, it still seems to be broken

Gabe Shackney
Princeton Public Schools

Bol
Valued Contributor

I was going to post here last night it seems to be working for me. Very buggy getting there and I found whitelisting the binary worked better, somehow.
I wrote a script on login / Self Service that launches the Safari homepage / MS SSO dialogue box, then pre-fills the user's email address and hits enter. There are other profiles at play though; I haven't yet pulled what I think is not needed to see if it breaks it yet.
