Posted on 11-16-2021 04:13 PM
We have the majority of our laptops running Big Sur on M1 MacBook Airs. JAMF Support has told us that Apple is aware of an issue with macOS 11 and the curfew settings in the Parental Controls payload policy. We are trying to put together an alternative method of enforcing curfew by scoping a policy to a smart computer group that will run at the recurring check-in frequency of the device and do nothing if the time is outside of the curfew range, or execute "sudo shutdown -now" if the device is inside the curfew range.
We would then have a second script that would run with a login trigger that would again check the time and do nothing if outside the curfew range, or again, run sudo shutdown -now if inside the range. It would be annoying, but effective and would prevent the user from continuing to use their device if inside the curfew window. If we didn't have the second script running at login, then the user could continue to use their device for another 15 minutes until the next check-in time.
Anyone have any ideas of where we could start developing this plan of action, or have any scripts they would like to share? I appreciate the help and am hopeful that curfew will begin working again in Monterey, which JAMF Support mentioned should fix the issue. We just don't know how long it will be before all 1000+ devices are upgraded.
Thanks in advance!
Posted on 11-16-2021 05:15 PM
For the time being I am reusing a restart script that has been working pretty well and just rewording it for shutdown:
```bash
#!/bin/bash

# Create shutdowncomputer.sh
echo > /tmp/shutdowncomputer.sh '#!/bin/bash
# Sleep for 60 seconds
sleep 60
# Shutdown Immediately
sudo shutdown -h now'

# Create and load a LaunchDaemon to fork shutdown
# (single-quoted so the double quotes inside the XML are written literally)
echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.company.shutdown</string>
    <key>UserName</key>
    <string>root</string>
    <key>ProgramArguments</key>
    <array>
        <string>sh</string>
        <string>/tmp/shutdowncomputer.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>' > /tmp/shutdown.plist

sudo chown root:wheel /tmp/shutdown.plist
sudo chmod 755 /tmp/shutdown.plist
sudo launchctl load /tmp/shutdown.plist

exit 0
```
This should provide the script enough time to report back to JAMF so we know whether or not the policy ran. I've set the policy to run with a recurring check-in trigger at an ongoing execution frequency and I'm making it available offline so it will run regardless of whether they turn their wifi off or not. Finally, I have set the client-side limitations so the policy will not run outside the curfew range. The final piece of the puzzle is to ensure that if the user restarts their computer, the policy will run again if inside the curfew window and shut down once again. To do that I'm also using the login trigger in the policy. Does anyone see any issues with this approach?
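
The time check described in the first post, as an added example that is not code from this thread: it decides whether a given time falls inside a curfew window, including a window that spans midnight. The 21:30 to 06:00 window, the function names and the use of Jamf script parameter 4 as an enforce switch are assumptions.

```shell
#!/bin/bash
# Added example: the window values below are assumptions, not from the thread.
CURFEW_START="21:30"   # assumed curfew start (24-hour HH:MM)
CURFEW_END="06:00"     # assumed curfew end; earlier than start means it spans midnight

# Convert HH:MM to minutes since midnight. One leading zero is stripped so
# values such as 08 or 09 are not rejected as invalid octal numbers.
to_minutes() {
    h=${1%%:*}; m=${1##*:}
    h=${h#0}; m=${m#0}
    echo $(( ${h:-0} * 60 + ${m:-0} ))
}

# Return 0 if time $1 falls inside the window [$2, $3), otherwise 1.
in_curfew() {
    now=$(to_minutes "$1"); start=$(to_minutes "$2"); end=$(to_minutes "$3")
    if [ "$start" -le "$end" ]; then
        # Window inside one day, e.g. 13:00-15:00
        [ "$now" -ge "$start" ] && [ "$now" -lt "$end" ]
    else
        # Window spans midnight, e.g. 21:30-06:00
        [ "$now" -ge "$start" ] || [ "$now" -lt "$end" ]
    fi
}

# Print the action the policy script should take: "shutdown" or "none".
curfew_action() {
    if in_curfew "$1" "$CURFEW_START" "$CURFEW_END"; then
        echo "shutdown"
    else
        echo "none"
    fi
}

# Act only when parameter 4 is "enforce" (assumed switch; Jamf passes its
# first custom script parameter as $4), so sourcing or testing this file
# never powers the machine off.
if [ "${4:-}" = "enforce" ]; then
    if [ "$(curfew_action "$(date +%H:%M)")" = "shutdown" ]; then
        /sbin/shutdown -h now
    fi
fi
```

The same script can be attached to both the recurring check-in and login triggers, since the decision depends only on the current time.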