User environment applescript issue.

MrP
Contributor III

I'm running the following script. When I run it directly as a user it works. When I open Terminal, drop to root via "sudo su -" and run the policy containing the script on the server, it works. If the policy containing the AppleScript is run via Self Service, it works. If it is called by the jamf agent via a normal policy trigger (startup/check-in) it produces the error "-1713 no user interaction allowed". If I call it via a parent script, which is how I need to call it because I only want it launched under certain conditions, obviously I get the same error. I have tried doing a 'tell application "System Events"' ... 'end tell'; I get an error about the application not being found, i.e. SIP issues. Wrapping the osascript command in a variable makes no difference to the result.

It seems to me there is a difference in the user environment under which the jamf agent runs, and under which Self Service and a direct root login run, which allows the last two scenarios to work but not the first. Suggestions? As I write this I will try editing the jamf launchd items to launch with "bash -c" to load a bash environment instead of being called directly, to see what happens. Other suggestions welcome.

This is the relevant part of the policy script from which the prompt policy is called:

#!/bin/bash
# Fragment of the parent policy script. The "log" function, "$systemRecords" and
# "$user" (the logged-in user's short name) are defined earlier in that script and
# are not shown here.
    ##
    # Filevault:
    ##
    ## Set "FILEVAULTGENERICUSER" account password if it has never been set by a user before.
    #   We want the domain user to set this password so they can unlock the encrypted system disk on boot.
    #   This is needed because FileVault does not sync with their PIV/CAC PIN and they do not know their account password.
    if [ ! -e "$systemRecords/FILEVAULTGENERICUSERset.jssrecord" ]; then
        # Check whether the FILEVAULTGENERICUSER account exists (-x: whole-line match,
        # so a similarly named account does not produce a false positive).
        if dscl . list /Users 2>/dev/null | grep -qx FILEVAULTGENERICUSER; then
            log 5 "User: Filevault: FILEVAULTGENERICUSER password has not been set.  Checking if logged in account is a domain user."
            # Determine whether the logged-in account is a domain account. If it is, proceed.
            if /usr/bin/dscl . read "/Users/$user" 2>/dev/null | grep -qi 'DOMAINNAME'; then
                log 5 "User: Filevault: User is a domain user.  Requesting FILEVAULTGENERICUSER password be set."
                # The following policy runs an AppleScript as root that prompts the logged-in user to set the FILEVAULTGENERICUSER account password.
                jamf policy -id 1234
            else
                log 6 "User: Filevault: User is not a domain user.  Will try again later."
            fi
        fi
    fi

This is the main AppleScript:

#!/bin/bash
# Written by Paul Dickson 01/06/2017
# This prompts the user to set the password for the account FV User.  It must run with admin privileges to be able to set the password.

# Run osascript directly rather than capturing its output in a variable and then
# executing that variable: the captured text is the script's result, not a command.
# The heredoc delimiter is quoted so bash leaves "$", backslashes and backticks in
# the AppleScript untouched.
/usr/bin/osascript <<'EOF'
    set passwordComplex to "0"
    repeat while 1 is 1 -- Running loop inside loop to create a condition where the password prompt loop can be run again if the user accidentally clicks Cancel
        repeat while passwordComplex is "0"
            try
                set dialogReply to display dialog ¬
                    "Please set a password for the account: FILEVAULTGENERICUSER.  

You will need to know this password when you boot the computer to unlock the encrypted disk.  Please do not forget it.  Do not share it.

Password requirements:
REQUIREMENT HERE
AND HERE

New password:" with title ¬
                    "Change password" with icon caution ¬
                    default answer "" with hidden answer ¬
                    buttons {"Cancel", "OK"} default button 2 ¬
                    giving up after 9999
            on error
                -- Clicking Cancel raises error -128, which lands here.
                display dialog "Are you sure you do not want to set a password for FILEVAULTGENERICUSER?  You should do this so you know the password to boot the computer!

Click OK to set a password." buttons {"OK", "Cancel"} default button 1 with icon stop
                -- OK leaves the inner loop; the outer loop re-enters it and prompts again.
                -- Cancel here raises again and ends the script.
                exit repeat
            end try
            set newpassword to text returned of dialogReply
            -- "quoted form of" shell-escapes the password, so a quote or other shell
            -- metacharacter typed by the user cannot break out of the command line.
            -- stderr is merged into stdout so the quality-check message is caught
            -- whichever stream dscl writes it to; "exit 0" keeps do shell script from
            -- raising on grep's non-zero status when there is no match.
            set scriptResult to do shell script "dscl . -passwd /Users/FILEVAULTGENERICUSER " & quoted form of newpassword & " 2>&1 | grep PasswordQualityCheckFailed; exit 0"
            -- A non-empty 'scriptResult' means the password failed the precheck because of either complexity or use history.  Both are enforced via Configuration Profile.
            --display dialog "Result-->" & scriptResult & "<--Here"
            if scriptResult is "" then
                display dialog "FILEVAULTGENERICUSER password set successfully.

You will use this password every time the computer boots." buttons "OK"
                do shell script "touch /var/log/jssrecords/FILEVAULTGENERICUSERset.jssrecord"
                set passwordComplex to "1"
            else
                display dialog "Password either did not meet complexity requirements or was used in the past.  Please try again." buttons "OK" with icon stop
            end if
        end repeat
        if passwordComplex is "1" then exit repeat
    end repeat
EOF
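The environment difference the post describes is the GUI session: Self Service and a Terminal running "sudo su -" are inside the console user's login session, while the jamf agent is started from a LaunchDaemon as root with no connection to that session, so osascript has no user to interact with and returns -1713. The usual fix is to run only the dialog inside the user's session with "launchctl asuser <uid> sudo -u <user>", and keep the privileged dscl call in the root process. The following is an added example, not code from the post or from Jamf; it assumes macOS 10.10 or later (launchctl asuser), a user logged in at the console, and that dscl prints nothing on a successful password change. The account name passed to set_password_with_prompt is a placeholder.

```shell
#!/bin/bash
# Added example (not code from the original post). Finds the console user's GUI
# session, runs only the osascript dialog inside it, and sets the password as root.
# Assumes macOS 10.10+ (launchctl asuser), a user at the console, and that dscl is
# silent on success. The target account name is a placeholder.

# Is there a GUI session to prompt in? Argument: owner of /dev/console.
# Returns 0 for a real user, 1 at the login window, in Setup Assistant, or when unowned.
gui_session_usable() {
    case "$1" in
        ""|root|loginwindow|_mbsetupuser) return 1 ;;
        *) return 0 ;;
    esac
}

# Command prefix that re-enters the user's launchd/GUI domain and drops root.
# Arguments: user name, numeric uid. Printed on stdout so it can also be logged.
user_context_prefix() {
    printf '/bin/launchctl asuser %s /usr/bin/sudo -u %s' "$2" "$1"
}

# True when dscl's combined output says the password policy rejected the password.
# Argument: captured dscl output.
password_rejected_by_policy() {
    printf '%s\n' "$1" | grep -q PasswordQualityCheckFailed
}

# Run the AppleScript given on stdin inside the console user's session and print
# whatever it returns. Exit status 2 when nobody is at the console, otherwise
# osascript's own status (osascript reads the script from stdin when no file is given).
prompt_as_console_user() {
    local owner uid
    owner=$(/usr/bin/stat -f%Su /dev/console 2>/dev/null)
    gui_session_usable "$owner" || { echo "no GUI session available, try later" >&2; return 2; }
    uid=$(/usr/bin/id -u "$owner")
    # The prefix is deliberately unquoted so it splits into launchctl's arguments.
    $(user_context_prefix "$owner" "$uid") /usr/bin/osascript
}

# Same workflow as the post: prompt in the user session, then set the password as root.
# Argument: the local account whose password is being set (placeholder name).
set_password_with_prompt() {
    local target="$1" newpw out
    # Quoted heredoc: bash expands nothing inside the AppleScript.
    newpw=$(prompt_as_console_user <<'EOF'
set reply to display dialog "New password for the FileVault unlock account:" ¬
    default answer "" with hidden answer buttons {"Cancel", "OK"} default button 2
return text returned of reply
EOF
    ) || return $?
    [ -n "$newpw" ] || { echo "empty password, nothing changed" >&2; return 1; }
    # The privileged step never leaves the root process, and the password is passed
    # as a single argument, so no shell quoting is involved.
    out=$(/usr/bin/dscl . -passwd "/Users/$target" "$newpw" 2>&1)
    if password_rejected_by_policy "$out"; then
        echo "password rejected by the configured password policy" >&2
        return 3
    fi
    [ -z "$out" ] || { echo "dscl reported: $out" >&2; return 4; }
    return 0
}
```

Only the dialog runs as the user; the parent policy still decides when to call set_password_with_prompt, and the marker file and dscl call stay under root. Two caveats: when gui_session_usable reports no session (login window, Setup Assistant), return without prompting and let the next check-in retry, which is what the post's "Will try again later" branch already does; and dscl takes the password as a command-line argument, so it is briefly visible in the process list, the same as in the post's do shell script call.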