sudo script question

MDMMan
New Contributor III

I am trying to script removing our old MDM enrollment through DEP from Macs so I can have them prompt for DEP enrollment into Jamf. I am OK with the end user being prompted for their admin password but would rather not have them manually type in the commands into the terminal.

!/bin/bash

sudo rm -rf /var/db/ConfigurationProfiles/
sudo rm /Library/Keychains/apsd.keychain
sudo /usr/libexec/mdmclient dep nag

The commands work great when manually typed into terminal. Unfortunately none of them seem to work in a script. : command not found2: Password:
rm: /Library/Keychains/apsd.keychain : No such file or directory
[ERROR] Unknown command: nag
: command not found12:

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

Hmm, I can't really explain that off hand. I looked on my system, not part of DEP, and the apsd.keychain is in /Library/Keychains/ so it seems like a standard keychain created by the OS. Not sure why you're getting a command not found. That would mean it can't find rm which doesn't make much sense. I suppose you could put in the full paths for the binaries, just on the off chance its not resolving the path?

/bin/rm /Library/Keychains/apsd.keychain

I see that the keychain has an extended attribute on it, in my case anyway, but it's only the com.apple.quarantine flag, which I can't see how that would prevent it from being deleted.

ls -l@ /Library/Keychains/apsd.keychain 
-rw-r--r--@ 1 root  wheel  35656 Sep  8  2016 /Library/Keychains/apsd.keychain
    com.apple.quarantine       29

View solution in original post

11 REPLIES 11

osxadmin
Contributor II

you don't need to use "sudo" in your script.

MDMMan
New Contributor III

I get this when running without sudo in the script:
: command not found2: rm: /Library/Keychains/apsd.keychain : No such file or directory
[ERROR] Must run as root
: command not found12:

jrippy
Contributor II

Make sure your bash (environment) declaration is

#!/bin/bash

The leading octothorpe (pound sign) is important. Just want to make sure that didn't get left out.

MDMMan
New Contributor III

Not sure why the pound sign didn't get included in the post but that is in the script.

osxadmin
Contributor II

try this

#!/bin/sh
##rm -Rf * will delete everything inside the Keychains folder
cd /Library/Keychains/
rm -Rf *
rm -Rf /var/db/ConfigurationProfiles/
/usr/libexec/mdmclient dep nag

osxadmin
Contributor II
 

MDMMan
New Contributor III

Note that this is the in Library/Keychains folder that also includes the system.keychain. What issues will that cause?

mm2270
Legendary Contributor III

@MDMMan

I get this when running without sudo in the script: : command not found2: rm: /Library/Keychains/apsd.keychain : No such file or directory [ERROR] Must run as root : command not found12:

How is the script being run? If you're just running it in Terminal normally then that error makes sense. Generally speaking you want the whole script to run with root privileges, not have sudo's in the script. To do that you simply do something like:

sudo /path/to/script.sh

If the script is deployed and run from a Jamf Pro policy, then it automatically runs as root. So it in effect does the above command by default.

MDMMan
New Contributor III

@mm2270 After removing sudo from the script, I am running it with the sudo command. Unfortunately the devices are not yet in Jamf so the script is being run manually. I still get the command not found if I specify the apsd.keychain file.

mm2270
Legendary Contributor III

Hmm, I can't really explain that off hand. I looked on my system, not part of DEP, and the apsd.keychain is in /Library/Keychains/ so it seems like a standard keychain created by the OS. Not sure why you're getting a command not found. That would mean it can't find rm which doesn't make much sense. I suppose you could put in the full paths for the binaries, just on the off chance its not resolving the path?

/bin/rm /Library/Keychains/apsd.keychain

I see that the keychain has an extended attribute on it, in my case anyway, but it's only the com.apple.quarantine flag, which I can't see how that would prevent it from being deleted.

ls -l@ /Library/Keychains/apsd.keychain 
-rw-r--r--@ 1 root  wheel  35656 Sep  8  2016 /Library/Keychains/apsd.keychain
    com.apple.quarantine       29

MDMMan
New Contributor III

Thanks everyone for helping the noob.
The commands are now working. (except the apsd.keychain is not being recreated until reboot so I may need to use rm /var/db/.AppleSetupDone instead of /usr/libexec/mdmclient dep nag. Seems a bit inconsistent.)
Adding /bin/ in front of the commands was the final piece that got it working. sudo path/to/script.sh

!/bin/sh

/bin/rm -rf /var/db/ConfigurationProfiles/
/bin/rm /Library/Keychains/apsd.keychain
/bin/rm /var/db/.AppleSetupDone