Posted on 04-30-2019 03:51 AM
Hey there,
I edited a /bin/bash script that automatically checks the device's uptime and tells the user to restart his computer after 2 weeks of uptime (with the help of https://www.jamf.com/jamf-nation/discussions/17336/user-has-not-restarted-in-x-number-of-days)
The following part generates the "jamf" wants access to control "system events" message for end users:
#!/bin/bash
# Discover logged in user
user=$(stat -f%Su /dev/console)
# Execute code as logged in user (instead of root)
sudo -u "$user" /usr/bin/osascript <<-EOF
tell application "System Events"
    activate
    try
        set question to display dialog "The device has not been restarted for [...]" ¬
            with title "RESTART YOUR COMPUTER" buttons {"Shut Down", "Restart", "Cancel"} ¬
            cancel button "Cancel" with icon caution
    on error errMsg number errNum
        -- clicking Cancel raises error -128; just end the script in that case
        if errNum is -128 then return
        error errMsg number errNum
    end try
    set answer to button returned of question
    if answer is equal to "Shut Down" then
        shut down
    end if
    if answer is equal to "Restart" then
        restart
    end if
end tell
EOF
exit 0
I already read the thread (https://www.jamf.com/jamf-nation/discussions/30388/loginwindow-wants-access-to-control-system-events) but couldn't find the solution there.
The issue seems to be the tell / end tell statement but I can't find a way to change the script.
I tried several PPPCs and gave JAMF access to Accessibility, System Events and everything else that's required.
The script itself works fine.
Can someone help me out here?
Posted on 02-14-2022 02:44 PM
I haven't used the path name in my profiles but can try and let you know
Posted on 02-14-2022 08:54 AM
So now if I approve accessibility for "JamfDaemon" manually it works, but including accessibility in the profile doesn't work because of the child/parent process mismatch.
Or if I click approve for the "Allow Jamf to control system events" it works. Since this 2nd option holds the process/script at bay and lets the script run right after it, I suppose it's the lesser of two evils. Just going to have the end user click the allow button until someone else can figure this out.
Posted on 02-17-2022 01:37 AM
I'm also getting this 'jamf wants access to control system events' when I run an osascript to rename a computer. I have a popup appear for the user to enter the computer name and click save. It works fine on Intel Macs but with M1 Macs I get the 'jamf wants access to control system events'. The M1 Macs are running macOS Monterey.
This script is only run once via self service but I would rather not see that 'jamf wants access to control system events' regardless of how many times I run the policy.
I want to try the following PPPC configuration profile (see link). What do I do? Copy the code and upload it to JAMF in a configuration profile or pppc payload?
Posted on 02-24-2022 03:52 PM
We had a script to mount network shares that started doing this and I fixed it by removing all "tell" blocks.
Still used osascript, just differently.
Posted on 02-25-2022 11:42 AM
Apparently this is a known issue for Apple where the Jamf.app has 2 child processes that don't properly get whitelisted for the TCC process. We have seen some convoluted ways to maybe get around it by making a new Jamf PPPC with the processes using the info from the main app, and then it works without removing the tell...however it's a bigger issue. This apparently started back around 11.4 with a security update Apple made to the system which broke apps that have differently named child processes. I have an open escalation with Apple at the moment, but it's on their side since the PPPC profile should allow for this. It gets even more complicated when the process also requires accessibility, for which there is no current workaround.
Posted on 02-25-2022 07:35 PM
That change was to fix actively exploited CVE-2021-30713 which is ironic, seems it's a lot easier to bypass than to correctly whitelist permissions!
Kudos to you Mr Shackney for the update, I wasn't aware the accessibility side has been acknowledged and will stop looking into it.
Frankly, the state of TCC right now is a dog's breakfast to say the least. Keep us in the loop!
Posted on 02-27-2022 08:55 AM
From what I've been reading it's JAMF requesting access to 'system events', so it's a JAMF PPPC setting, not an 'osascript' setting.
It looks like my PPPC settings are allowing JAMF system events access but I still get the popup.
Posted on 02-28-2022 09:13 AM
Posted on 02-28-2022 09:18 AM
osascript is only if you are using Jamf to run an AppleScript at any given time. The PPPC utility (or config profile) won't allow the child process of the "Jamf" app to be named differently than the main app or it will still prompt. This isn't something that will be easily solved unless Apple fixes it. Nothing to do with the Big Sur compatibility check box, which just allows for the config profile to prompt the user to allow for screen recording, microphone access and anything users can still select.
Posted on 02-28-2022 11:39 AM
Hi @GabeShack, yep, that's what I'm doing: running a script from Self Service and I get that "Jamf wants to control system events" popup. The script works great but I don't like that popup. Here is the script.
#!/bin/bash
# GetUserInputFromSelfService-ComputerName.bash
# slightly modified from suggestion by Mauricio Pellizzon https://www.jamf.com/jamf-nation/discussions/32795/script-best-way-to-request-user-input
# 2019-10-29
#
# T C
# 2/14/2022
# Logged-in (console) user; the dialog must run as this user, not as root
userName=$(stat -f%Su /dev/console)
# echo "$userName is the logged in user"
user_entry=""
validateResponse() {
    case "$user_entry" in
        "noinput" ) echo "empty input"; askInput ;;
        "cancelled" ) echo "time out/cancelled"; exit 0 ;;
        * ) echo "$user_entry" ;;
    esac
}
askInput() {
    user_entry=$(sudo -u "$userName" osascript <<EOF
use AppleScript version "2.4" -- Yosemite (10.10) or later
use scripting additions
set theTextReturned to "nil"
tell application "System Events"
    activate
    try
        set theResponse to display dialog "Please enter Computer Name (enter nil to cancel)" with title "Set Computer Name" buttons {"Save"} default button "Save" default answer ""
        set theTextReturned to the text returned of theResponse
    end try
    if theTextReturned is "nil" then
        return "cancelled"
    else if theTextReturned is "" then
        return "noinput"
    else
        return theTextReturned
    end if
end tell
EOF
    )
    validateResponse
}
askInput
# Make it upper case - just a convention
upper="$(echo "$user_entry" | tr '[:lower:]' '[:upper:]')"
#/usr/local/bin/jamf setComputerName -name "$user_entry"
/usr/local/bin/jamf setComputerName -name "$upper"
# Update the server so it knows the name
/usr/local/bin/jamf recon
exit 0
02-28-2022 11:54 AM - edited 02-28-2022 11:56 AM
Yea, I see AppleScript in there. You can try changing that by removing the tell command but I'm going to bet that breaks the script. Until Apple fixes their TCC issues, it's most likely going to have to have that first prompt, which is really not great.
For your script though I believe I've seen ways to get that computer name inputted without having to use AppleScript...you may be able to do that with JamfHelper....but DEPNotify is probably your best bet.
Previously we used DEPNotify to name computers, which can easily pop up a menu when the user logs in and then prompt to name the machine. We used to also have them set the barcode (asset tag) number. I might suggest looking at DEPNotify as an alternative.
Posted on 02-28-2022 03:59 PM
@GabeShack @tcandela Removing these lines will work and won't break the script:
tell application "System Events"
activate
end tell
With those lines, you are sending the display dialog to another process (System Events), which isn't required.
You are seeing a TCC prompt as the process running your script (below) does not have approval to send to System Events.
com.jamf.management.service : /Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService
Scripting additions includes the use of display dialog without this requirement.
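To illustrate the point above, here is an added example (not code from the thread or from Jamf): the same kind of input dialog as the posted scripts, but driven by scripting additions only, with no tell block, so no Apple Event is sent to System Events and TCC has nothing to prompt about. It assumes the title and message contain no double quotes; the osascript call is only reached on macOS.

```shell
#!/bin/bash
# Added example (not code from the thread): same kind of dialog as the posted
# scripts, but with no "tell application \"System Events\"" block. The dialog is
# then handled by scripting additions inside the osascript process itself and
# no Apple Event is sent to another process, so TCC has nothing to prompt about.
# Assumes the title and message contain no double quotes.

# Emit the AppleScript text. Kept separate so it can be inspected and tested.
# $1 = dialog title, $2 = dialog message
build_dialog_script() {
  cat <<EOF
use scripting additions
try
    set theResponse to display dialog "$2" with title "$1" buttons {"Cancel", "Save"} default button "Save" cancel button "Cancel" default answer ""
    set theTextReturned to text returned of theResponse
on error errMsg number errNum
    -- the Cancel button raises error -128; report it instead of failing
    if errNum is -128 then return "cancelled"
    error errMsg number errNum
end try
if theTextReturned is "" then
    return "noinput"
end if
return theTextReturned
EOF
}

# Map the raw dialog result to a status word the caller can branch on.
classify_response() {
  case "$1" in
    cancelled) echo "cancelled" ;;
    noinput)   echo "noinput" ;;
    *)         echo "ok" ;;
  esac
}

# Run the dialog as the console user rather than root and print its result.
run_dialog() {
  local user
  user=$(stat -f%Su /dev/console) || return 1
  build_dialog_script "$1" "$2" | sudo -u "$user" /usr/bin/osascript
}

# The interactive part only makes sense on macOS, where osascript exists.
if command -v osascript >/dev/null 2>&1; then
  result=$(run_dialog "Set Computer Name" "Please enter Computer Name")
  echo "status: $(classify_response "$result") value: $result"
fi
```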
Posted on 02-28-2022 04:23 PM
@teodle wrote: We had a script to mount network shares that started doing this and I fixed it by removing all "tell" blocks.
still used osascript, just differently
Mount volume is the same, it does not require sending the command to another process. Same for list disks, set volume etc.
03-04-2022 10:04 AM - edited 03-04-2022 10:07 AM
Hey Guys, I found this thread while trying to solve a similar issue we were having with prompts popping when running AppleScripts through JAMF. Following @GabeShack 's advice, I wrote a new PPPC for all the JAMF binaries and apps that seems to be working. The main issue seems to be that Mac's TCC does not like the default CodeRequirement for the binaries/apps and so it must be replaced with that of the main Jamf.app bundle. Here's the core of the PPPC stripped down to just the JAMF things with full file access, accessibility, and appleevents access to System Events, SystemUIServer, Finder, and Mail.
I included the JamfAAD and SelfService as well but I'm not 100% on those as I couldn't think of a good way to test.
Warning: It's Huge.
Posted on 03-04-2022 10:42 AM
@ToddB Can I ask, do you have a separate one for just osascript? If so can you just screenshot it so I can compare? I'm going to try yours in place of my Jamf TCC to see if it changes the input from keyboards using AppleScript and accessibility.
Posted on 03-04-2022 10:52 AM
I'm like 99% sure I don't. I've never had an issue where Jamf was requesting access to osascript (I think it already has it?). In theory, if Jamf is requesting access to 'System Events' that means the osascript portion is already working.
Posted on 03-06-2022 06:10 PM
@ToddB wrote: Hey Guys, I found this thread while trying to solve a similar issue we were having with prompts popping when running AppleScripts through JAMF. Following @GabeShack 's advice, I wrote a new PPPC for all the JAMF binaries and apps that seems to be working. The main issue seems to be that Mac's TCC does not like the default CodeRequirement for the binaries/apps and so it must be replaced with that of the main Jamf.app bundle. Here's the core of the PPPC stripped down to just the JAMF things with full file access, accessibility, and appleevents access to System Events, SystemUIServer, Finder, and Mail.
I included the JamfAAD and SelfService as well but I'm not 100% on those as I couldn't think of a good way to test.
Warning: It's Huge.
Same as what I found. Jamf documented the change on allowing the bundle but nothing to do with the code requirement.
Posted on 03-04-2022 10:56 AM
Perhaps that is part of my problem. I'm telling it to do something that might be breaking it. Going to test and let you know.
Posted on 03-04-2022 11:15 AM
Just tested with a modified version of @tcandela 's rename script (edited to not rename, just echo the input back) and got no prompts.
Posted on 03-04-2022 01:39 PM
Yea, unfortunately it still doesn't seem to work for me. I think it's all related to accessibility, which can't get the same path for osascripts. At one point with @Bol's hints, I was able to have the "jamf wants access" message suppressed but then it popped the accessibility message for osascript. So I never got them both working together and it's because my script wants to type info in the keyboard, which Apple really doesn't want anything to do with anymore lol.
Posted on 06-06-2022 04:50 PM
@GabeShack wrote: Yea, unfortunately it still doesn't seem to work for me. I think it's all related to accessibility, which can't get the same path for osascripts. At one point with @Bol's hints, I was able to have the "jamf wants access" message suppressed but then it popped the accessibility message for osascript. So I never got them both working together and it's because my script wants to type info in the keyboard, which Apple really doesn't want anything to do with anymore lol.
@GabeShack Well, if you haven't given up on your Apple Script dreams yet.. It's just been acknowledged in testing so hopefully next major release, you could be back in business!
Posted on 06-09-2022 10:13 AM
I believe this is in regard to an open radar I got escalated up to the macOS security team. (Or at least I'd like to think I had something to do with it lol.)
Apparently they listen when someone brings up issues listed as "security related" lol.
Posted on 06-09-2022 10:50 AM
@Bol Actually I just got confirmation that Apple did fix this bug per my escalation from my SE. They are asking me to test it...so now I need to get a machine on the beta and test my enrollment!
Posted on 06-09-2022 05:18 PM
@GabeShack wrote: I believe this is in regard to an open radar I got escalated up to the macOS security team. (Or at least I'd like to think I had something to do with it lol.)
Apparently they listen when someone brings up issues listed as "security related" lol.
Well it's security related x 1000 from now on then. :D
Honestly though, it's to do with their Transparency, Consent, and Control security and has been bugged for a length of time now; it's a great thing it's finally been acknowledged, worked on and hopefully resolved.
Kudos to you for the radar rocket sent and let us know as soon as you've had the chance to test with your results!
Posted on 06-29-2022 10:48 AM
@GabeShack Very curious about your results after your test, how did things go?
Posted on 03-22-2023 07:37 AM
Any news here? I still try to figure out how to fix this
Posted on 03-23-2023 10:12 PM
What are you trying to fix, it was mentioned Apple did sort the system events bug filed by @GabeShack
Posted on 05-09-2023 06:05 AM
As I have tested this since Apple told me it was fixed, it still seems to be broken
Posted on 05-09-2023 05:23 PM
I was going to post here last night it seems to be working for me. Very buggy getting there and I found whitelisting the binary worked better, somehow.
I wrote a script on login / Self Service that launches the Safari homepage / MS SSO dialog box, then pre-fills the user's email address and hits enter. There are other profiles at play though; I haven't yet pulled what I think is not needed to see if it breaks it yet.