Unable to use osascript in JAMF script.

bvanpeski
New Contributor III

We use several mac minis as caching servers in some of my company's locations around the world. To be able to access them remotely, we need our screensharing utility (Bomgar) to be approved in Security & Privacy > Screen Recording. It is important this happens BEFORE it ships out, because otherwise we've got a headless mac mini that we can't access remotely.

To ensure it gets approved, I have an until loop set to prompt the end user and bring up the appropriate preference pane until access is granted. However, it looks like the osascript prompt I'm using throws an error:

2020-08-04 19:19:12.566 osascript[5461:27615] -[__NSCFConstantString objectAtIndex:]: unrecognized selector sent to instance 0x7fff8f3960e0
2020-08-04 19:19:12.567 osascript[5461:27615] *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '-[__NSCFConstantString objectAtIndex:]: unrecognized selector sent to instance 0x7fff8f3960e0'
*** First throw call stack:
(
    0   CoreFoundation                      0x00007fff37b63b57 __exceptionPreprocess + 250
    1   libobjc.A.dylib                     0x00007fff708115bf objc_exception_throw + 48
    2   CoreFoundation                      0x00007fff37be2be7 -[NSObject(NSObject) __retain_OA] + 0
    3   CoreFoundation                      0x00007fff37ac83bb ___forwarding___ + 1427
    4   CoreFoundation                      0x00007fff37ac7d98 _CF_forwarding_prep_0 + 120
    5   CoreFoundation                      0x00007fff37a96ed7 CFArrayContainsValue + 197
    6   HIServices                          0x00007fff35d9d7b9 TransformProcessType + 927
    7   osascript                           0x0000000106c9b02c osascript + 12332
    8   HIToolbox                           0x00007fff367b27c5 AEInteractWithUser + 53
    9   StandardAdditions                   0x00000001097a98b9 CSDSTEXTurl_ + 5865
    10  StandardAdditions                   0x000000010979779d AEVTsysodisA + 145
    11  AE                                  0x00007fff38e5a203 _AppleEventsCheckInAppWithBlock + 18103
    12  AE                                  0x00007fff38e69c83 AESendMessage + 2838
    13  AE                                  0x00007fff38e75fb1 aeSend + 355
    14  osascript                           0x0000000106c99b25 osascript + 6949
    15  AppleScript                         0x00007fff4b7f6342 _Z13ComponentSendPK6AEDescPS_ii + 485
    16  AppleScript                         0x00007fff4b807f0a _ZN15TUASApplication4SendEP25TStackFrame_UASRemoteSendP6AEDescS3_hhh + 2332
    17  AppleScript                         0x00007fff4b828ca7 _Z13UASRemoteSendhhhhhPh + 548
    18  AppleScript                         0x00007fff4b8011f0 _Z13UASActor_Sendhhh + 383
    19  AppleScript                         0x00007fff4b834402 _Z13UASValue_Sendhh14TUASClassIndexh + 326
    20  AppleScript                         0x00007fff4b80bff9 _Z11UASExecute1v + 288
    21  AppleScript                         0x00007fff4b7dfb26 _Z14ASExecuteEventPK6AEDescjiPj + 614
    22  AppleScript                         0x00007fff4b7d8971 AppleScriptComponent + 1677
    23  AppleScript                         0x00007fff4b7f1bdb _ZN12AGenericCall8DelegateEP23ComponentInstanceRecord + 37
    24  AppleScript                         0x00007fff4b7f1ba1 _ZN15AGenericManager13HandleOSACallEP19ComponentParameters + 57
    25  AppleScript                         0x00007fff4b7f118c GenericComponent + 156
    26  OpenScripting                       0x00007fff369f53e2 OSAExecuteEvent + 50
    27  osascript                           0x0000000106c9a5bd osascript + 9661
    28  libdyld.dylib                       0x00007fff719b9cc9 start + 1
    29  ???                                 0x0000000000000003 0x0 + 3
)
libc++abi.dylib: terminating with uncaught exception of type NSException
/Library/Application Support/JAMF/tmp/Catalina Message Test: line 36:  5461 Abort trap: 6           osascript -e 'display alert "Screen Recording Approval Required" message "Please approve Screen Recording for Bomgar in System Preferences > Security & Privacy > Privacy > Screen Recording"'

Full loop below:

osVer="$(sw_vers -productVersion)"
BomgarApproval="$(sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" 'SELECT service, client FROM access WHERE allowed = '1'' | grep -o "com.bomgar.bomgar-scc")"
if [[ $osVer == 10.15.* ]]; then
  echo "### macOS 10.15 Catalina Found. Prompting for ScreenCapture approval."
  until [[ $BomgarApproval = "kTCCServiceScreenCapture|com.bomgar.bomgar-scc" ]]
    do
        open "x-apple.systempreferences:com.apple.preference.security?Privacy_ScreenCapture"
        osascript -e 'display alert "Screen Recording Approval Required" message "Please approve Screen Recording for Bomgar in System Preferences > Security & Privacy > Privacy > Screen Recording"'
        sleep 5
        echo "--- Checking for approval of ScreenCapture for Bomgar..."
        export BomgarApproval=$(/usr/bin/sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" 'SELECT service, client FROM access WHERE allowed = '1'' | grep bomgar)
        echo "Bomgar status is $BomgarApproval"
    done
  echo "Bomgar has been approved"
fi

If I allow Terminal full disk access and run the piece of code locally on the machine, it works fine. JAMF by default whitelists itself for full disk access, so why doesn't the script work when being run via jamf policy?

Thanks,
-Brian

3 REPLIES

talkingmoose
Honored Contributor II

That TCC database is protected by Apple's System Integrity Protection (SIP). The macOS won't let you modify that file and you shouldn't try to work around Apple's safeguards. That would only lower security.

Generally, instead of modifying that file directly or via script, you should be using a Configuration Profile to push a Privacy Protection Policy Control profile for Bomgar to allow it the access it needs. The PPPC Utility can help you do that.

https://github.com/jamf/PPPC-Utility

However, for the privacy of the end user, Apple disables access to screen recording along with camera and microphone to all but the user. You'll need to log in to the account where Bomgar will generally run and manually approve access.

I'm a couple years late, but could we not place a script in Self Service for the user to run to alter screen recording settings? Apologies if this has been answered in the years since this was asked, but I'm not seeing any solutions other than deploying the Configuration Profile you've mentioned.

chadlawson
Contributor

I agree with Bill. And despite the fact that the error message is claiming the issue is with the osascript command, I think you are seeing errors from your sqlite command in your until loop that are affecting your comparison in the second pass of your until clause.

A PPPC configuration profile payload should resolve this instantly.

FWIW, I think your approach is impressive and exactly the way I'd take it on pre-Catalina.
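
The comparison in the until loop only succeeds on an exact `service|client` string, while the two `grep` calls in the question return either the client alone or every row containing "bomgar". As an added example (not code from the thread or from Jamf), here is a read-only check that matches both fields exactly. The function names, the `--check` flag and the sample rows are assumptions made for illustration; the path, service name and bundle ID are the ones from the post.

```sh
#!/bin/sh
# Added example (not from the thread): read-only check of the system TCC database.
TCC_DB="/Library/Application Support/com.apple.TCC/TCC.db"  # path used in the post
SERVICE="kTCCServiceScreenCapture"                          # service named in the post
CLIENT="com.bomgar.bomgar-scc"                              # bundle ID from the post

# Reads "service|client" rows (sqlite3's default list output) on stdin.
# Succeeds only when one row matches both fields exactly, so a row for another
# service, or a longer bundle ID that merely contains CLIENT, is not a match.
is_approved() {
    while IFS='|' read -r service client; do
        [ "$service" = "$SERVICE" ] && [ "$client" = "$CLIENT" ] && return 0
    done
    return 1
}

# Catalina schema: the access table has an "allowed" column, as queried in the post.
# The caller needs Full Disk Access; -readonly keeps the check from writing.
query_allowed_rows() {
    /usr/bin/sqlite3 -readonly "$TCC_DB" \
        "SELECT service, client FROM access WHERE allowed = 1;"
}

# Constructed sample rows, so the matching logic can be exercised off the Mac.
sample_approved() {
    printf '%s\n' \
        "kTCCServiceSystemPolicyAllFiles|com.bomgar.bomgar-scc" \
        "kTCCServiceScreenCapture|com.bomgar.bomgar-scc"
}
sample_not_approved() {
    printf '%s\n' \
        "kTCCServiceSystemPolicyAllFiles|com.bomgar.bomgar-scc" \
        "kTCCServiceScreenCapture|com.bomgar.bomgar-scc.helper"
}

# Hypothetical "--check" flag: query the real database only when asked to.
if [ "${1:-}" = "--check" ]; then
    if query_allowed_rows | is_approved; then
        echo "Screen Recording approved for $CLIENT"
    else
        echo "Screen Recording NOT approved for $CLIENT"
        exit 1
    fi
fi
```

The check only reads the database; the approval itself still has to be granted by the user in System Preferences, as described in the first reply.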