Posted on 09-27-2013 08:57 AM
We have a script we've been testing that removes a bad wi-fi entry from the keychain of the local user. When this runs on the every15 trigger set in the JSS policy, the logs state the keychain entry doesn't exist.
However, if we go to the computer and run the script from Self Service (separate policy, set to just run from SS), it works perfectly! It removes the entry, shows this in the logs and fixes their issues.
I feel like I'm missing something really simple but I could sure use advice!
- Brandon
Posted on 09-27-2013 09:09 AM
Self Service, I believe, will run the script as the user, but with elevated privileges. Normal policies don't, so in your every15 policy, it would be trying to affect the root account's keychain entry, which probably doesn't exist, hence the error.
In your script, get the logged in user account (and if needed, the path to their home directory) and use that in the script as to what keychain to affect.
#!/bin/sh
# Policies run as root, so work out who owns the console session first
loggedInUser=$( ls -l /dev/console | awk '{print $3}' )
# Nobody logged in (login window) shows up as root; nothing to do in that case
[ -z "$loggedInUser" ] || [ "$loggedInUser" = "root" ] && exit 0
userHome=$( dscl . read "/Users/$loggedInUser" NFSHomeDirectory | awk '{print $NF}' )
## Now your command here (the keychain path is a positional argument, not a -keychain flag)
security delete-generic-password [options] "$userHome/Library/Keychains/login.keychain"
Or whatever it is you need to do. Above is just an example.
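As an added example (not code from the thread), a fuller version of the approach above for the every15 policy: it resolves the console user, skips when nobody is logged in, and checks that the item exists before deleting it so the policy log says what actually happened. WIFI_LABEL is an assumed placeholder for the network's keychain label; the security calls only execute on a Mac.

```shell
#!/bin/sh
# Added example for a root-run Jamf policy. Assumed placeholder: WIFI_LABEL is
# the label of the keychain item (the network name) to remove.
WIFI_LABEL="${WIFI_LABEL:-<wifi-network-name>}"

# Parse the owner out of a single "ls -l /dev/console" line.
console_user_from_ls() {
    printf '%s\n' "$1" | awk '{print $3}'
}

# Parse the home path out of "dscl . read /Users/<u> NFSHomeDirectory" output;
# sed keeps a home path containing spaces intact, which awk '{print $NF}' would not.
home_from_dscl() {
    printf '%s\n' "$1" | sed -n 's/^NFSHomeDirectory: //p'
}

# At the login window /dev/console is owned by root, so a recurring policy
# would otherwise target root's (nonexistent) keychain. 0 = safe to proceed.
is_console_user_valid() {
    case "$1" in
        ""|root|loginwindow|_mbsetupuser) return 1 ;;
        *) return 0 ;;
    esac
}

# Resolve the console user, confirm the item exists, then delete it.
remove_wifi_keychain_entry() {
    user=$(console_user_from_ls "$(ls -l /dev/console)")
    if ! is_console_user_valid "$user"; then
        echo "no console user logged in, skipping"
        return 0
    fi
    home=$(home_from_dscl "$(dscl . read "/Users/$user" NFSHomeDirectory)")
    keychain="$home/Library/Keychains/login.keychain"
    if security find-generic-password -l "$WIFI_LABEL" "$keychain" >/dev/null 2>&1; then
        security delete-generic-password -l "$WIFI_LABEL" "$keychain"
        echo "removed '$WIFI_LABEL' from $keychain for $user"
    else
        echo "'$WIFI_LABEL' not present in $keychain for $user"
    fi
}

# The security/dscl calls are macOS-only; run them only when invoked on a Mac.
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--run" ]; then
    remove_wifi_keychain_entry
fi
```

Run it from the policy as `sh script.sh --run`; the helper functions can be checked on any POSIX shell without touching a keychain.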