Running commands from policy issues :(

rmaldonado
New Contributor

Hello JAMFers,

So I am curious if anyone has any experience with running commands from a policy. Basically, my employers have requested I have a video download locally to all managed clients, and have them auto-play the video on a certain day of the week until the end of February. Making the policy to get the video on everyone's machine was easy enough, but I am having inconsistent results with the policy I created to run the video. The command I am using is:

osascript -e 'tell application "QuickTime Player" to open "Macintosh HD:System:TAX_Center_2013.mp4"' -e 'tell application "QuickTime Player" to play document 1'

The weird part is if I run this command manually from terminal, it plays the video every time without fail, but when the JSS tries to run the command, I am getting an error I am unfamiliar with.

Running command osascript -e 'tell application "QuickTime Player" to open "Macintosh HD:System:TAX_Center_2013.mp4"' -e 'tell application "QuickTime Player" to play document 1'...
Result of command:
39:85: execution error: An error of type -10810 has occurred. (-10810)

I guess I just don't understand why the command works when I run it from terminal and not when the JSS tries to run it. Does anyone have any insight or tips for me? I am guessing it's something easy I just don't know about -_-

thanks in advance

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

This happens because anything that the JSS runs, either from a script or the Run Command, runs under the service account or as root. Given this, an osascript command that tries to interact with the user won't work right unless you specify that it run as the logged in user and not as the service account. Otherwise it's attempting to display a message or open a file to an account that isn't at the console, in other words, a non-logged-in user account. The OS won't allow that.

Under 10.8, this got even more strict. I run into issues more frequently than ever that used to work OK under 10.7 and lower but flat out fail in Mountain Lion due to stricter sandboxing rules.

Edit: OK so to make my post a bit more useful to you, (rather than, 'you can't do that!' ;-) try adding the following in front of your osascript line:

sudo -u $( /usr/bin/who | /usr/bin/awk '/console/{ print $1 }' )

So it should look something like the following:

sudo -u $( /usr/bin/who | /usr/bin/awk '/console/{ print $1 }' ) osascript -e 'tell application "QuickTime Player" to open "Macintosh HD:System:TAX_Center_2013.mp4"' -e 'tell application "QuickTime Player" to play document 1'

Not 100% sure that will work, but give it a try.
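
The console-user lookup in the answer above, written as a guarded helper. This is an added example, not code from the thread; the function names `console_user` and `run_as_console_user` are hypothetical and the sample `who` lines are constructed. It covers the cases the one-liner does not: nobody at the console, more than one console user, and root or a system account at the console.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# console_user: read `who`-style lines on stdin and print the one account
# whose terminal field is exactly "console". Fails (exit 1) when nobody is
# at the console (login window), when more than one distinct account is,
# or when the account is root or a system account (leading underscore).
console_user() {
    awk '$2 == "console" && !seen[$1]++ { n++; u = $1 }
         END { if (n != 1 || u == "root" || u ~ /^_/) exit 1; print u }'
}

# run_as_console_user: run the given command as that user, or skip it.
# Without this guard an empty result turns `sudo -u $( ... ) osascript`
# into `sudo -u osascript ...`, which treats "osascript" as the user name.
run_as_console_user() {
    user=$(/usr/bin/who | console_user) || {
        echo "no single console user; nothing to do" >&2
        return 0
    }
    # Quoted so the name is passed to sudo as exactly one argument.
    sudo -u "$user" "$@"
}

# Constructed sample of `who` output, for trying the parser off-device.
SAMPLE_WHO='jsmith   console  Feb  4 09:12
jsmith   ttys000  Feb  4 09:15'

# Policy usage, with the osascript arguments from the thread:
#   run_as_console_user osascript -e '...' -e '...'
```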

4 REPLIES

rmaldonado
New Contributor

@mm2270

You are a jamf god... haha. I am not the most experienced at scripting, and have been wrestling with this for a week now, but I am more than ecstatic to say after putting the string you suggested in front of the command, it runs perfectly. Again you are awesome. You have been most helpful in a lot of my threads, so thanks again!!

mm2270
Legendary Contributor III

Hey, no problem, glad it worked. No god here, just comes from experience, and truthfully from the knowledge of others more experienced than myself at this, most of which are here in this community. Keep at it and someday you will be helping solve issues for others less experienced.

Just curious, but are you running this on 10.8 systems or 10.7 and lower? I ask because I haven't really tested this, was kinda off the cuff, so hopefully Mountain Lion's extra security won't bite you with it. It probably won't though.

rmaldonado
New Contributor

Well this community is definitely helping me get there. I have come a long way since the jump start but there is still so much to learn. I'm really enjoying it though.

I am actually running this on 10.8 systems, approximately 6000. Right now the logs are returning successful results with no errors in my testbed of 30, but I'm going to run it continually for a couple hours before I scope it to the whole network. Pretty good for off the cuff!