Jamf Nation Community

pwsh does not seem to be a built-in binary. You can install powershell via homebrew with the below command (if you have homebrew installed):

brew cask install powershell

Then you can verify installation with:

pwsh -version

So your client Mac, the Mac you intend to run the powershell script on, would need to have gone through this process first.

Next, you can package the script up using Composer, which places the script into /private/tmp/script.ps1. Then you can create a postinstall script with a line similar to this to run the script:

#!/bin/bash
pwsh /private/tmp/script.ps1

Kinda a lot of work. I'd rewrite the scripts in bash but that is just me. You'd have much better success with a native scripting language as many of the modules you might use (Like AD modules for example) are not available for powershell on Mac.

We do no use Homebrew since the users do not have sudo rights, but since it is the preferred for PSC I'm not opposed to using it. The idea is that if we have 10 scripts we need to run against the Macs that 8 of them work in PSC then I we only need to write 2 scripts. But I'm also seeing many of the limitations of PSC. I'll give your idea a try after I figure out how to pull the files from the Jamf repository.

@ctw The .pkg listed here might eliminate the need for homebrew:
https://github.com/PowerShell/PowerShell/releases

That is very true, if I can curl from that page whatever .pkg file it finds to install if I boolean a statement checking for pwsh then I can just grab the current version.

Just download that, drag it into Jamf Admin, create a policy to deploy that package to a test machine to install it. If it works fine then you might consider pushing it out to more systems.

I have to ask - does anyone see any issues with homebrew from a security standpoint?
I like it and it opens up a lot to the user, however I decided not to use it in my professional environment due to the fact that it takes over permissions on the entire /usr/local, not just the folders that it needs.
For us, that was a turn off as there are other things installed here that it should have no rights to, such as our AV executables.
I went so far as to open up a dialog with the creator and while he acknowledged that was how they decided to implement the program to make it useful, he said there was no way they could change it and it still function. Even if they could, he felt there was too much invested to change it at this point unless forced to by Apple.
While I do understand, the security risk for us was just too great in my opinion.

I'm writing this just to see if anyone else shared that feeling. Like I said, I liked the possibilities that it opened up, I just couldn't justify my perceived risk.

EDIT: While this behavior may also be more acceptable on single user machines, I also manage several multi-user labs.

@jrippy I've thought about similar concepts since I've known of it as a repository for many applications and doesn't require Apple account authentication which is a massive bonus. I'll have to test on our domain joined computers with no admin rights to see what the users could possibly break with it.