Solved

sudo script question



I am trying to script removing our old MDM enrollment through DEP from Macs so I can have them prompt for DEP enrollment into Jamf. I am OK with the end user being prompted for their admin password but would rather not have them manually type in the commands into the terminal.

#!/bin/bash

sudo rm -rf /var/db/ConfigurationProfiles/
sudo rm /Library/Keychains/apsd.keychain
sudo /usr/libexec/mdmclient dep nag

The commands work great when manually typed into terminal. Unfortunately none of them seem to work in a script.

: command not found2: Password:
rm: /Library/Keychains/apsd.keychain : No such file or directory
[ERROR] Unknown command: nag
: command not found12:

Best answer by mm2270

10 replies

  • Valued Contributor
  • 81 replies
  • June 28, 2017

You don't need to use "sudo" in your script.


  • Author
  • Contributor
  • 15 replies
  • June 28, 2017

I get this when running without sudo in the script:
: command not found2: rm: /Library/Keychains/apsd.keychain : No such file or directory
[ERROR] Must run as root
: command not found12:


  • Valued Contributor
  • 186 replies
  • June 28, 2017

Make sure your bash (environment) declaration is

#!/bin/bash

The leading octothorpe (pound sign) is important. Just want to make sure that didn't get left out.


  • Author
  • Contributor
  • 15 replies
  • June 28, 2017

Not sure why the pound sign didn't get included in the post but that is in the script.


  • Valued Contributor
  • 81 replies
  • June 28, 2017

Try this:

#!/bin/sh
## rm -Rf * will delete everything inside the Keychains folder
## The "|| exit 1" stops the script if the cd fails, so rm -Rf * never runs in the wrong directory
cd /Library/Keychains/ || exit 1
rm -Rf *
rm -Rf /var/db/ConfigurationProfiles/
/usr/libexec/mdmclient dep nag

  • Author
  • Contributor
  • 15 replies
  • June 28, 2017

Note that this is in the /Library/Keychains folder, which also includes the system.keychain. What issues will that cause?


mm2270
  • Legendary Contributor
  • 7880 replies
  • June 28, 2017

@MDMMan

I get this when running without sudo in the script: : command not found2: rm: /Library/Keychains/apsd.keychain : No such file or directory [ERROR] Must run as root : command not found12:

How is the script being run? If you're just running it in Terminal normally then that error makes sense. Generally speaking you want the whole script to run with root privileges, not have sudo's in the script. To do that you simply do something like:

sudo /path/to/script.sh

If the script is deployed and run from a Jamf Pro policy, then it automatically runs as root. So it in effect does the above command by default.


  • Author
  • Contributor
  • 15 replies
  • June 28, 2017

@mm2270 After removing sudo from the script, I am running it with the sudo command. Unfortunately the devices are not yet in Jamf so the script is being run manually. I still get the command not found if I specify the apsd.keychain file.


mm2270
  • Legendary Contributor
  • 7880 replies
  • Answer
  • June 28, 2017

Hmm, I can't really explain that off hand. I looked on my system, not part of DEP, and the apsd.keychain is in /Library/Keychains/ so it seems like a standard keychain created by the OS. Not sure why you're getting a command not found. That would mean it can't find rm, which doesn't make much sense. I suppose you could put in the full paths for the binaries, just on the off chance it's not resolving the path?

/bin/rm /Library/Keychains/apsd.keychain

I see that the keychain has an extended attribute on it, in my case anyway, but it's only the com.apple.quarantine flag, which I can't see how that would prevent it from being deleted.

ls -l@ /Library/Keychains/apsd.keychain 
-rw-r--r--@ 1 root  wheel  35656 Sep  8  2016 /Library/Keychains/apsd.keychain
    com.apple.quarantine       29
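An added preflight script (example code, not from this thread or from Jamf) that checks the conditions this thread trips over before a root-only script is run: whether it is actually running as root, whether line 1 really starts with `#!`, where each binary resolves on the current PATH, and whether the file contains CR bytes, since a blank line ending in CR is executed as the command `\r` and a path ending in CR becomes `apsd.keychain\r`, which is consistent with the `: command not found2:` and `apsd.keychain : No such file or directory` output shown above. The `mdmclient` lookup is expected to fail, because /usr/libexec is normally not on PATH, which is exactly why it has to be written with its full path.

```shell
#!/bin/sh
# Added example, not from the thread: preflight checks for a root-only macOS
# admin script. Every check is a function returning 0/1 so results can be
# acted on or tested; nothing here deletes or modifies anything.

# 1. Root check: run the whole script under sudo rather than putting sudo
#    inside it (see mm2270's reply above).
is_root() {
    [ "$(id -u)" -eq 0 ]
}

# 2. Shebang check: the first two bytes must be "#!". A line reading
#    "!/bin/bash" is treated as a command and reported as not found.
has_shebang() {
    [ "$(head -n 1 "$1" | cut -c1-2)" = "#!" ]
}

# 3. Line-ending check: any carriage return in the file means CRLF endings.
#    The terminal then prints the CR, moving the cursor back to column 0, so
#    "script.sh: line 2: \r: command not found" shows as ": command not found2:".
has_cr() {
    grep -q "$(printf '\r')" "$1"
}

# 4. Binary resolution: report where a command resolves on the current PATH
#    (PATH under sudo can differ from your login shell's), so absolute paths
#    such as /bin/rm and /usr/libexec/mdmclient are chosen deliberately.
resolve_bin() {
    command -v "$1" 2>/dev/null
}

# Run every check against the script given as $1; returns 1 if any fails.
preflight() {
    script="$1"; status=0
    is_root || { echo "not running as root (use: sudo $script)"; status=1; }
    has_shebang "$script" || { echo "line 1 does not start with #!"; status=1; }
    if has_cr "$script"; then
        echo "CRLF line endings found; fix with: tr -d '\\r' < $script > fixed.sh"
        status=1
    fi
    for b in rm mdmclient; do
        echo "$b -> $(resolve_bin "$b" || echo 'NOT FOUND on PATH; use the full path')"
    done
    return $status
}

if [ "$#" -eq 1 ]; then
    preflight "$1"
fi
```

Usage: `sudo sh preflight.sh /path/to/script.sh`; a clean run prints only the two resolution lines and exits 0.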

  • Author
  • Contributor
  • 15 replies
  • June 28, 2017

Thanks everyone for helping the noob.
The commands are now working. (except the apsd.keychain is not being recreated until reboot so I may need to use rm /var/db/.AppleSetupDone instead of /usr/libexec/mdmclient dep nag. Seems a bit inconsistent.)
Adding /bin/ in front of the commands was the final piece that got it working.

sudo path/to/script.sh

#!/bin/sh

/bin/rm -rf /var/db/ConfigurationProfiles/
/bin/rm /Library/Keychains/apsd.keychain
/bin/rm /var/db/.AppleSetupDone

