Help

The "Logout" policy trigger will be removed in a future release.

claudiogardini
Contributor

Posted on ‎05-04-2020 02:18 AM

Hi all,

I've just seen the News that the Logout Trigger will be removed in the Future. Is there a underlying Reason for this (eg. change in Apple Security)?

Do we know in which release the Trigger will be removed?

Labels:
1 REPLY 1

mike_paul
Contributor III
Contributor III

Posted on ‎05-07-2020 02:03 PM

Hey @claudiogardini, thanks for the post and asking the question. You are correct that we didn't provide much information around our reasoning for planning to remove that functionality in an upcoming release. We are currently unsure on when this work will be complete and it will take us a little while to get there but we always like to give a heads up around future removal plans.

For recap the Jamf Pro 10.21 release notes stated:

Login/logout hook settings for background actions and user actions—The Perform login hook actions in background and Display status of login/logout hook actions to users checkboxes will be removed in a future release. Logout policy trigger—The "Logout" policy trigger will be removed in a future release.

To be as clear and candid about it as we can I'll give a brief rundown on why:
1. Per Apple, Login and logout scripts are a deprecated technology, technically they still kind of work but are much less reliable than they previously were
2. Starting with any newer macOS (10.14+) with PPPC/TCC requirements they do not allow for these processes to be ran while NOT in the background if they are doing anything that interact with these newly protected areas. For example running a policy that is mounting an smb distribution point would fail if not ran in the background.
3. So that means that all process must be ran in the background so we are going to remove the ability disable that as its a global setting
4. Since everything will be ran in the background it won't be able to hold any processes so any policy that ran at logout that didn't complete in the short bit it takes to finish logging out/shutting down would fail. Which would be the large majority of things. The end result of a Login is the user is on a booted computer so it doesn't run this risk so we will keep that.
5. "Display status of login/logout hook actions to users" is part of this non-background stuff and also very limited on functionality and minimally used so we figured we yank while we were there too.

I hope this helps clear up why we are moving this direction.