Script of login Policy keeps running from /private/tmp

Hi,

It doesn't look like it is having any trouble mounting the distribution point (hcmcas01.ap.corp.ipgnetwork.com/CasperShare). Do you have more than one DP? Is it possible that the script is on one but not the other?

@khanhlnq, can you post screenshots of your policy?

@bentoms Please see my attached screenshots below:
external image link
external image link
external image link
external image link
external image link
external image link
From the policy status log, CasperShare was mounted but I wonder why the script not executed from there instead of /private/tmp.

Looking at the last error screen it might be an error in the script rather than the policy. If there isn't anything sensitive / confidential in it, could you post the script?

Hi /url">@davidacland][/url , here is my script [http://inft.ly/8U9JiJq

I customized it from https://jamfnation.jamfsoftware.com/viewProductFile.html?id=135&fid=476

I can see a few references to /private/tmp in the mountShare function although that could be a red herring. Have you tried running the script in the terminal?

The function in the script does seem quite complex for the task its performing. In case you wanted to take a slightly different direction, we use a variation of the following (in some cases we have a group membership check, below is just a basic mounting example). Applescript has the added benefit that it will switch from Kerberos to username & password authentication without any additional code.

#!/bin/bash

protocol="$4" # This is the protocol to connect with (afp | smb)
serverName="$5"   # This is the address of the server, e.g. my.fileserver.com
shareName="$6"    # This is the name of the share to mount

# Mount the drive
    mount_script=`/usr/bin/osascript > /dev/null << EOT
    tell application "Finder" 
    activate
    mount volume "$protocol://${serverName}/${shareName}"
    end tell
EOT`

exit 0

We add the script with the appropriate parameter labels for $4, $5, $6 & $7.

@khanhlnq, ah JSS 8.73.. Hmm. What OS are you running the script on?

Also, we use a similar method to what @davidacland mentioned & I've posted it at the following: https://macmule.com/2011/09/08/how-to-map-drives-printers-based-on-ad-group-membership-on-osx/

@bentoms I have JSS 8.73 running on OS X Mavericks 10.9.5. I will try your AppleScript method.
@davidacland I think the script is executed in /tmp/private from the beginning, not just a reference inside. I will try your osascript method too.

@khanhlnq, any reason not to update to 9.63?

v9 has been out for over 15 months now, & supports 10.10

@bentoms][/url
I updated OS X to 10.10.1, Casper&JSS to 9.63. I think the script is still not run in the correct path:
Policy logs:
"Executing Policy Mount Network Share...
Mounting HCMCAS01 to /Volumes/CasperShare...
Running script mountNetworkShare_HCMHARBORLAP.sh...
Script exit code: 127
Script result:"

Running via Casper Remote is fine.

I totally forgot what version 8 looked like! Blast from the past!

Hi /url">@davidacland][/url @bentoms][/url][/url
This is the logs after I tried it again:
"Executing Policy Mount Network Share...
Mounting HCMCAS01 to /Volumes/CasperShare...
Error running script: The script could not be found.."
[external image link

Screenshots of my Policy:
external image link
external image link
external image link

I also tried to mount afp://HCMCAS01/CasperShare manually, it was successfully but I have to enter my password. Screenshots below:
File sharing settings on server:
external image link
Mounting manually on my computer:
external image link

From my inspection, the script is still not executed in the correct mounted volume.
Please help.

All looks ok. Could you try it with the "Make available offline" unchecked? That could be related.

Hi @davidacland ,
If I turn off "Make avaiable offline", then the logs show:
"Executing Policy Mount Network Share...
Mounting HCMCAS01 to /Volumes/CasperShare...
Running script mountNetworkShare_HCMHARBORLAP.sh...
Script exit code: 127
Script result:"
external image link

From my understanding exit code 127 is "Command not found" meaning the shell couldn't find script to execute.

I've just given the script a try with a file server here (commenting out the necessary parts). Unfortunately its quite complex in its operation so its a bit difficult to see if there is an error somewhere. I can't see any commands used in the script that would give a 127 error but I could just be missing it.

Just as a troubleshooting step, could you create a really simple script in the JSS, something like:

#!/bin/sh
ls /Users
exit 0

And change your policy to run that script instead.

If everything works ok, no errors etc, you can be more sure that the script has a problem, rather then the policy / JSS.

Hi davidacland,
I tried your script (http://inft.ly/3j5D5Bj) and this is the log:
"Executing Policy TestJSSPolicyLoginScript...
Mounting HCMCAS01 to /Volumes/CasperShare...
Running script TestJSSPolicyLoginScript.sh...
Error running script: *** -[NSConcreteTask terminationStatus]: task not launched."

Excecuting the script directy with CasperRemote has same error:
"Sending Wake On LAN command...
Opening SSH Connection to 10.148.128.91...
Authenticating...
Successfully authenticated.
Verifying Computer's Identity...
The MAC Address has been verified.
Checking Operating System Version...
Running Mac OS X 10.9.5 (13F34)
Verifying /usr/sbin/jamf...
/usr/sbin/jamf is current (9.63)
Verifying /Library/Preferences/com.jamfsoftware.jamf.plist...
Preparing Policy...
Executing Policy 2015-01-26 at 10:47 AM | jssadmin | 1 Computer...
Mounting HCMCAS01 to /Volumes/CasperShare...
Running script TestJSSPolicyLoginScript.sh...
Error running script: *** -[NSConcreteTask terminationStatus]: task not launched.
Submitting log to https://hcmcas01.ap.corp.ipgnetwork.com:8443/
Finished."

I just looked at the script and it didn't have the shebang at the top.

Could you add:

#!/bin/sh

To the top of it.

Hi /url][/url">@davidacland][/url][/url
I added #!/bin/sh ([http://inft.ly/BWJ5PFb), still same error.

I found out this: - JSS server is running 10.10. - If target client is 10.9: Failed. Error running script: *** -[NSConcreteTask terminationStatus]: task not launched.
- If target client is 10.10: Successul. Logs:
"Sending Wake On LAN command...
Opening SSH Connection to 10.148.129.63...
Accepting authentication method...
Authenticating...
Successfully authenticated.
Verifying Computer's Identity...
The MAC Address has been verified.
Checking Operating System Version...
Running Mac OS X 10.10.1 (14B25)
Verifying /usr/sbin/jamf...
/usr/sbin/jamf is current (9.63)
Verifying /Library/Preferences/com.jamfsoftware.jamf.plist...
Preparing Policy...
Executing Policy 2015-01-26 at 2:44 PM | jssadmin | 1 Computer...
Mounting HCMCAS01 to /Volumes/CasperShare...
Running script TestJSSPolicyLoginScript.sh...
Script exit code: 0
Script result: .localized
Deleted Users
Shared
khanh.le
Submitting log to https://hcmcas01.ap.corp.ipgnetwork.com:8443/
Finished."

Ok, so on 10.10, the whole process is working.

It sounds like 10.9 clients are having trouble accessing the script on the distribution point. I remember you could mount the DP ok on your Mac, is that running 10.10? From a 10.9 client have you tried mounting the DP manually and running the script?

Hi @davidacland][/url][/url][/url][/url,
I have no problem mounting "afp://HCMCAS01/CasperShare" manually on OS X 10.9 (of course I have to enter my password).

From policy logs until now, I can confirm TestJSSPolicyLoginScript policy (http://inft.ly/BWJ5PFb) is Completed on 10.10 and Failed on 10.9.
external image link

Ok i've seen this before. Check your jamf console logs. If you spot two triggers trying to run at the same time, that will cause this issue as both try to mount the server share but the second one will fail. This is due to the process going something like ...

1) Receive job.
2) Mount fileshare
3) Do job (file delivery, script execution etc)
4) Unmount fileshare
5) Report to JSS that job is complete.

If Casper tries to do two of these at once, no. 2 fails hence the errors you're getting.

What can we do about this? Well, a tip I picked up from a couple guys at Oxford University is to run as many manually controlled triggers as possible: get the most work done for as few trigger calls as possible.

Second thing to do now that you're on Casper 9, is to load up Casper Admin and hit the migrate scripts button to move all your scripts from the deployment server into the JSS itself. This means you'll have to edit all your scripts through the JSS itself, but you'll find things be a lot quicker and more reliable for script execution as it's not mounting a file share all the time.

@franton raises a good point & one I'd forgot as moved to HTTP DP's a long time ago.

@khanhlnq does the script work correctly via HTTP?