Posted on 09-22-2014 02:03 PM
Reaching out to the JAMFNation for thoughts….
We use profiles created in v9.32 of the JSS and 10.9.4 clients scoped to user level to enforce launching some apps, some system preference panes and disallow launching apps from all user folders with the exception of ~/Library.
Our users are mobile users with no admin rights but I have a few machines that are simply standard users.
What has occurred on multiple clients, but only machines that are standard users (502), have the restriction profile installed and not mobile users (1000+ or whatever) is they fail to boot (hang just past Apple+Gear but before login)
We have auto login enabled, here is what appears to be the relevant logs:
mcxalr_agent[271]: FCIsAppAllowedToLaunchExt [343] -- ** _FCMIGAppCanLaunch timed out. Returning false.
Sep 22 08:45:48 kernel[0]: mcxalr{5} ** Denying execute for uid=502 path=/usr/sbin/distnoted
Sep 22 08:45:48 com.apple.launchd.peruser.502[168] (com.apple.distnoted.xpc.agent[391]): Exited with code: 13
Sep 22 08:45:48 com.apple.launchd.peruser.502[168] (com.apple.distnoted.xpc.agent): Throttling respawn: Will start in 5 seconds
Sep 22 08:45:53 mcxalr_agent[271]: FCIsAppAllowedToLaunchExt [343] -- ** FCMIGAppCanLaunch timed out. Returning false.
Sep 22 08:45:53 kernel[0]: mcxalr{6} ** Denying execute for uid=502 path=/usr/sbin/cfprefsd
Sep 22 08:45:53 com.apple.launchd.peruser.502[168] (com.apple.cfprefsd.xpc.agent[393]): Exited with code: 13
Sep 22 08:45:58 mcxalr_agent[271]: FCIsAppAllowedToLaunchExt [343] -- ** FCMIGAppCanLaunch timed out. Returning false.
Sep 22 08:45:58 kernel[0]: mcxalr{7} ** Denying execute for uid=502 path=/usr/sbin/universalaccessd
Sep 22 08:45:58 com.apple.launchd.peruser.502[168] (com.apple.universalaccessd[392]): Exited with code: 13
Sep 22 08:46:03 mcxalr_agent[271]: FCIsAppAllowedToLaunchExt [343] -- ** FCMIGAppCanLaunch timed out. Returning false.
Sep 22 08:46:04 kernel[0]: mcxalr{8} ** Denying execute for uid=502 path=/usr/sbin/distnoted
Sep 22 08:46:04 com.apple.launchd.peruser.502[168] (com.apple.distnoted.xpc.agent[424]): Exited with code: 13
Sep 22 08:46:09 mcxalr_agent[271]: FCIsAppAllowedToLaunchExt [343] -- ** _FCMIGAppCanLaunch timed out. Returning false.
Sep 22 08:46:10 kernel[0]: mcxalr{9} ** Denying execute for uid=502 path=/usr/sbin/cfprefsd
The issue is just emerging so I am only beginning to systematically troubleshoot but the “fix” so far is rather extreme. I have set to “always allow launching apps” from these folders to include /system, /usr, /usr/sbin and pretty much anything else I could think of…
Is this an issue with aggressive caching of the restrictions? Could this occur with mobile users as well? Should this restriction be scoped to computer level? What am I missing? I have more questions than answers.
Any thoughts are welcome and appreciated, my concern is that, since I don’t really know what is occurring here (or even why), the mobile users will become affected once the (students) decide to begin restarting their computers.
Steve
Posted on 02-19-2015 12:22 PM
Steve, I just submitted a bug to Apple about a similar situation where a 10.10 system went totally unresponsive. It's managed by Bushel, but nothing else seems remotely similar to your setup. Stand alone Mac, no outside directory, no parental controls, one single full admin user on my Mac.
Feb 19 13:42:51 Mac.local pkd[296]: FCIsAppAllowedToLaunchExt [343] -- *** _FCMIGAppCanLaunch timed out. Returning false.
If I get anything useful, I'll post back here what was found. Do you have any data on how often this is happening now that several months have gone by?