Scripts not working in Catalina

junderwood
New Contributor III

Hello Jamf Nation!

I have a script we've been using to install various apps in Self Service that no longer works in 10.15. Wondering if anyone can tell me why.

It worked fine in 10.14. In 10.15, I can run it in Terminal from the logged in user, but I can't get it to work when I run it as a policy.

An example of the script is here (in this case, to install Chromium):

#!/bin/bash
clear && rm -rf ~/updtemp && mkdir ~/updtemp > /dev/null && cd ~/updtemp 

###############################
#    Define functions  #
###############################
versionChecker() {
    local v1=$1; local v2=$2;
    while [ `echo $v1 | egrep -c [^0123456789.]` -gt 0 ]; do
        char=`echo $v1 | sed 's/.*([^0123456789.]).*/1/'`; char_dec=`echo -n "$char" | od -b | head -1 | awk {'print $2'}`; v1=`echo $v1 | sed "s/$char/.$char_dec/g"`; done
    while [ `echo $v2 | egrep -c [^0123456789.]` -gt 0 ]; do
        char=`echo $v2 | sed 's/.*([^0123456789.]).*/1/'`; char_dec=`echo -n "$char" | od -b | head -1 | awk {'print $2'}`; v2=`echo $v2 | sed "s/$char/.$char_dec/g"`; done
    v1=`echo $v1 | sed 's/../.0/g'`; v2=`echo $v2 | sed 's/../.0/g'`;
    checkVersion "$v1" "$v2"
}

checkVersion() {
    [ "$1" == "$2" ] && return 1
    v1f=`echo $1 | cut -d "." -f -1`;v1b=`echo $1 | cut -d "." -f 2-`;v2f=`echo $2 | cut -d "." -f -1`;v2b=`echo $2 | cut -d "." -f 2-`;
    if [[ "$v1f" != "$1" ]] || [[ "$v2f" != "$2" ]]; then [[ "$v1f" -gt "$v2f" ]] && return 1; [[ "$v1f" -lt "$v2f" ]] && return 0;
        [[ "$v1f" == "$1" ]] || [[ -z "$v1b" ]] && v1b=0; [[ "$v2f" == "$2" ]] || [[ -z "$v2b" ]] && v2b=0; checkVersion "$v1b" "$v2b"; return $?
    else [ "$1" -gt "$2" ] && return 1 || return 0; fi
}

appStatus() {
  if [ ! -d "/Applications/$1" ]; then echo "uninstalled"; else
    if [[ $5 == "build" ]]; then BUNDLE="CFBundleVersion"; else BUNDLE="CFBundleShortVersionString"; fi
    INSTALLED=`/usr/libexec/plistbuddy -c Print:$BUNDLE: "/Applications/$1/Contents/Info.plist"`
      if [ $4 == "dmg" ]; then COMPARETO=`/usr/libexec/plistbuddy -c Print:$BUNDLE: "/Volumes/$2/$1/Contents/Info.plist"`;
      elif [[ $4 == "zip" || $4 == "tar" ]]; then COMPARETO=`/usr/libexec/plistbuddy -c Print:$BUNDLE: "$3$1/Contents/Info.plist"`; fi
    checkVersion "$INSTALLED" "$COMPARETO"; UPDATED=$?;
    if [[ $UPDATED == 1 ]]; then echo "updated"; else echo "outdated"; fi; fi
}
installApp() {
  echo $'360237214200  - ['$2'] Downloading app...'
  if [ $1 == "dmg" ]; then curl -s -L -o "$2.dmg" $4; yes | hdiutil mount -nobrowse "$2.dmg" -mountpoint "/Volumes/$2" > /dev/null;
    if [[ $(appStatus "$3" "$2" "" "dmg" "$7") == "updated" ]]; then echo $'342235214  - ['$2'] Skipped because it was already up to date!
';
    elif [[ $(appStatus "$3" "$2" "" "dmg" "$7") == "outdated" && $6 != "noupdate" ]]; then ditto "/Volumes/$2/$3" "/Applications/$3"; echo $'360237214216  - ['$2'] Successfully updated!
'
    elif [[ $(appStatus "$3" "$2" "" "dmg" "$7") == "outdated" && $6 == "noupdate" ]]; then echo $'342235214  - ['$2'] This app cant be updated!
'
    elif [[ $(appStatus "$3" "$2" "" "dmg" "$7") == "uninstalled" ]]; then cp -R "/Volumes/$2/$3" /Applications; echo $'360237221215  - ['$2'] Succesfully installed!
'; fi
    hdiutil unmount "/Volumes/$2" > /dev/null && rm "$2.dmg"
  elif [ $1 == "zip" ]; then curl -s -L -o "$2.zip" $4; unzip -qq "$2.zip";
    if [[ $(appStatus "$3" "" "$5" "zip" "$7") == "updated" ]]; then echo $'342235214  - ['$2'] Skipped because it was already up to date!
';
    elif [[ $(appStatus "$3" "" "$5" "zip" "$7") == "outdated" && $6 != "noupdate" ]]; then ditto "$5$3" "/Applications/$3"; echo $'360237214216  - ['$2'] Successfully updated!
'
    elif [[ $(appStatus "$3" "" "$5" "zip" "$7") == "outdated" && $6 == "noupdate" ]]; then echo $'342235214  - ['$2'] This app cant be updated!
'
    elif [[ $(appStatus "$3" "" "$5" "zip" "$7") == "uninstalled" ]]; then mv "$5$3" /Applications; echo $'360237221215  - ['$2'] Succesfully installed!
'; fi;
    rm -rf "$2.zip" && rm -rf "$5" && rm -rf "$3"
  elif [ $1 == "tar" ]; then curl -s -L -o "$2.tar.bz2" $4; tar -zxf "$2.tar.bz2" > /dev/null;
    if [[ $(appStatus "$3" "" "$5" "tar" "$7") == "updated" ]]; then echo $'342235214  - ['$2'] Skipped because it was already up to date!
';
    elif [[ $(appStatus "$3" "" "$5" "tar" "$7") == "outdated" && $6 != "noupdate" ]]; then ditto "$3" "/Applications/$3"; echo $'360237214216  - ['$2'] Successfully updated!
';
    elif [[ $(appStatus "$3" "" "$5" "tar" "$7") == "outdated" && $6 == "noupdate" ]]; then echo $'342235214  - ['$2'] This app cant be updated!
'
    elif [[ $(appStatus "$3" "" "$5" "tar" "$7") == "uninstalled" ]]; then mv "$5$3" /Applications; echo $'360237221215  - ['$2'] Succesfully installed!
'; fi
    rm -rf "$2.tar.bz2" && rm -rf "$3"; fi
}

###############################
#    Install apps    #
###############################
installApp "zip" "Chromium" "Chromium.app" "https://download-chromium.appspot.com/dl/Mac" "chrome-mac/" "" ""

###############################
#    Eject Volumes            #
###############################
rm -rf ~/updtemp

When running this as policy in 10.15, I get the following error (for every app we attempt to install in this manor):

�  - [Chromium] Downloading app...
unzip:  cannot find or open Chromium.zip, Chromium.zip.zip or Chromium.zip.ZIP.
mv: rename chrome-mac/Chromium.app to /Applications/Chromium.app: No such file or directory

It appears the script can't download (or find?) the file. I guessed that maybe new security protocols in 10.15 were preventing Terminal from having access to pull and view downloaded files, so I created a PPPC profile to ensure it has access (attached). But still the same error.

220f8a58afe540f0bdad7d57f5d728cf

Just wondering if anyone has any ideas as to why this might be happening... Would love to get these scripts working again--and quickly.

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

While I don't know why 10.15 would react any differently with your script than 10.14 or other OS versions, I do think the problem is the use of the ~/udtemp directory in your script. I would consider using a more direct file path for the downloads and other operations, such as /private/tmp/ which is a universally accessible location on all Macs that exists by default. It doesn't need to be created or managed. You are cd'ing into ~/updtemp as your working directory in the script, which may be running into some problems, as suggested by @seann above, since the script run from a policy would be running as 'root', so the ~/ path may not be resolving correctly in that context. I would use more literal complete paths throughout the script and see if that resolves it for you.

View solution in original post

13 REPLIES 13

Gascolator
New Contributor III

https://www.jamf.com/jamf-nation/discussions/32215/heads-up-for-admins-zsh-in-now-default-shell-for-macos-catalina

If you changed the default shell to bash then ignore.

seann
Contributor

I would add -xv to #!/bin/bash to debug

That being said I wouldn't be surprised if it was having trouble with a working directory given the root context in which Jamf scripts run

junderwood
New Contributor III

@Gaslocater:

https://www.jamf.com/jamf-nation/discussions/32215/heads-up-for-admins-zsh-in-now-default-shell-for-macos-catalina If you changed the default shell to bash then ignore.

The shebang (#!/bin/bash) is calling the bash shell (still installed in 10.15, just no longer default), so shouldn't need to set bash as default. In this case, the script does in fact run perfectly in 10.15--just not when run as a policy, apparently running into a problem at/around the "downloading app" stage.

@Seann, will try the debug tomorrow and report back... I am also thinking there is an issue with working directory in root context--just not sure what issue that would be that's unique to 10.15. Policy works with no problems in 10.14 & 10.13.

mm2270
Legendary Contributor III

While I don't know why 10.15 would react any differently with your script than 10.14 or other OS versions, I do think the problem is the use of the ~/udtemp directory in your script. I would consider using a more direct file path for the downloads and other operations, such as /private/tmp/ which is a universally accessible location on all Macs that exists by default. It doesn't need to be created or managed. You are cd'ing into ~/updtemp as your working directory in the script, which may be running into some problems, as suggested by @seann above, since the script run from a policy would be running as 'root', so the ~/ path may not be resolving correctly in that context. I would use more literal complete paths throughout the script and see if that resolves it for you.

mschroder
Valued Contributor

bash-3.2$ sudo mkdir /udtemp
Password:
mkdir: /udtemp: Read-only file system
bash-3.2$

schiemsk
New Contributor III

@mschroder
~/somepath is not /somepath or have I missed something ?

btw, I do as @mm2270 wrote : use of /private/sub path for any package I have to copy before its installation.

mschroder
Valued Contributor

@schiemsk So what is the difference between ~/somepath and /somepath for user root?

schiemsk
New Contributor III

Oops, I was in another context... To much time spent on debian boxes today.

root@deb10:~# stat ~/
  File: /root/

root@deb10:~# stat /
  File: /

junderwood
New Contributor III

@mm2270, changing the location to /private/tmp/ worked. Script now runs in 10.15 as policy without issue. Thanks!

mschroder
Valued Contributor

I have to admit I am totally confused now. I just ran a policy via the Self-Service, expecting it to resolve '~' as the root homedir, and found out that it did resolve as the homedir of the user that started the Self-Service app. Why did I always make such a fuzz to find out the logged in user when running a script via Self-Service???

tlarkin
Honored Contributor

Just gonna say it again :-)

AutoPKG + JSS Importer doesn't break between major OS releases.

RobertHammen
Valued Contributor II

Going to second @tlarkin's point, and mention that, should Google rename/move the path to Chrome, it'll take you awhile before you figure out that the script isn't working/is busted and what changed.

If you're using AutoPkg + JSS Importer, the maintainer of the recipe will figure this out, your recipe will get updated, and updates will continue to be automatically pulled and made available to your JSS.

haircut
Contributor

All together now!

Don't 👏 run 👏 curl 👏 as 👏 root!