
Hey there,



I edited a /bin/bash script that automatically checks the device's uptime and tells the user to restart his computer after 2 weeks of uptime (with the help of https://www.jamf.com/jamf-nation/discussions/17336/user-has-not-restarted-in-x-number-of-days).



The following part generates the ""jamf" wants access to control "system events"" message for end users:



#!/bin/bash

# Discover logged in user
user=$(stat -f%Su /dev/console)

# Execute code as logged in user (instead of root)
sudo -u "$user" /usr/bin/osascript <<-EOF
tell application "System Events"
    activate
    set question to display dialog "The device has not been restarted for [...]" ¬
        with title "RESTART YOUR COMPUTER" buttons {"Shut Down", "Restart", "Cancel"} ¬
        cancel button "Cancel" with icon caution
    set answer to button returned of question
    if answer is equal to "Shut Down" then
        tell application "System Events"
            shut down
        end tell
    end if
    if answer is equal to "Restart" then
        tell application "System Events"
            restart
        end tell
    end if
    if answer is equal to "Cancel" then
        return
    end if
end tell
EOF
exit 0


I already read the thread (https://www.jamf.com/jamf-nation/discussions/30388/loginwindow-wants-access-to-control-system-events) but couldn't find the solution there.
The issue seems to be the tell / end tell statement but I can't find a way to change the script.
I tried several PPPCs and gave JAMF access to Accessibility, System Events and everything else that's required.



The script itself works fine.
Can someone help me out here?



Hey!



Can you post a screenshot of the PPPCs you are creating for this to happen?



If you have not used the PPPC utility on GitHub, I would use this and add the jamf binary this way and allow access; you can physically tick which parts need access. However, you may have already done so.



Thanks,



G


Hey!



For testing purposes I tried the following:








I know that most permissions are unnecessary, just wanted to be sure nothing's missing.


The problem isn't the Jamf binary. It's osascript, which is what is actually calling the AppleScript event to control "System Events". If you add in osascript to your PPPC profile (or better yet, create a new PPPC profile just for osascript) and give it access to System Events, and maybe a few other items under the Apple Events section for good measure, and then deploy that, I'm betting the prompt will go away. I may be wrong, but I do think that's the issue.



In case it helps, osascript is in /usr/bin/. You should be able to just navigate to that and add it into the PPPC Utility.


I just did the following:



and the issue still exists.



Thanks for the input anyway!


@leonwun Are you certain the profile had been pushed to the Mac by the time the script was re-run? Because I have a PPPC profile to allow osascript control over the various System Events and I don't get a prompt. I used your exact script in fact for testing and it comes up for me without prompting to allow any control over System Events. So I can't explain (yet) what the difference may be.


@leonwun Are you sure that the PPPC profile is actually installed on the target machines? For example, if it's not DEP enrolled and not UAMDM accepted, it just won't work.


On my testing machine under "System Preferences" -> "Profiles" the following Profiles are shown:



JAMF:



JamfAgent:



osascript:



So this doesn't seem to be the issue.
I already tried to reset the permissions of my testing machine with:



tccutil reset AppleEvents; tccutil reset SystemPolicy AllFiles


to make sure there were no changes specifically on my testing machine that cause the issue.



I still can't figure out why it doesn't work - especially now that I know it works on @mm2270 's machine.
Does your profile look anything different? Also, it works when I run it in terminal, just not when I run it remotely via jamf policy.


I also see this prompt with my script for renaming a Mac.
The strangest thing is that on some Macs it works fine without any popup, while on others it is shown - with the exact same profiles installed and on the latest Mojave. But I have stopped spending time on this and instead instructed users to click "allow" on this.


This seems to be a bug on JAMF or Apple's side then. I might create a ticket for that - if someone finds a solution please post ;)


Have you seen this pre-built (JamfAppleEvents.mobileconfig) for osascript?



https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles


Yes I have this config on all machines.
Btw this is the error message that gets logged if you ignore the box:



Script result: 140:645: execution error: System Events got an error: AppleEvent timed out. (-1712)


Edit:



Maybe someone can say something about this post?



Posted: 29/1/19 at 10:49 AM by bentoms
@UESCDurandal You likely have some AppleScript blocks which say "tell application System Events"... remove the tell & end tell bits then try again.. you can often amend the scripts.


From this thread by @bentoms


@leonwun



If you run the script locally/manually and leave the display box there, AppleScript will time out after 2 minutes.
That is what you are getting on the error message, end users not "actioning" the request, they may be away from the computer for example.







A possible solution is to add a "giving up" parameter, capture the output and do some logic with it.
Example from your script.



use AppleScript version "2.4" -- Yosemite (10.10) or later
use scripting additions

tell application "System Events"
    activate
    set question to display dialog "The device has not been restarted for [...]" with title "RESTART YOUR COMPUTER" buttons {"Shut Down", "Restart", "Cancel"} ¬
        cancel button "Cancel" with icon caution giving up after 5

    if gave up of question is false then
        set answer to button returned of question
        if answer is equal to "Shut Down" then
            tell application "System Events"
                shut down
            end tell
        end if
        if answer is equal to "Restart" then
            tell application "System Events"
                restart
            end tell
        end if
        if answer is equal to "Cancel" then
            return
        end if
    else
        set isActioned to "Not there"
    end if
end tell


A note about the "Cancel" button, the way it is set it will stop and exit the script at that point, it will not run to the end.





I would recommend a small change to allow the script to run.



use AppleScript version "2.4" -- Yosemite (10.10) or later
use scripting additions

tell application "System Events"
    activate
    set question to display dialog "The device has not been restarted for [...]" with title "RESTART YOUR COMPUTER" buttons {"Shut Down", "Restart", " Cancel"} ¬
        with icon caution giving up after 10

    if gave up of question is false then
        set answer to button returned of question
        if answer is equal to "Shut Down" then
            tell application "System Events"
                shut down
            end tell
        end if
        if answer is equal to "Restart" then
            tell application "System Events"
                restart
            end tell
        end if
        if answer is equal to " Cancel" then
            return
        end if
    else
        set isActioned to "Not there"
    end if
end tell


If you must use Cancel, add a space to it (" Cancel"); that bypasses the internal Cancel function of the script and allows the flow to continue. Of course you could call it "Not Now".





Regards


Hey there, thanks for your advice! That's a nice addition to the script.



Still, the error message is generated from this window I think, not the script itself. If you don't respond to the ""jamf" wants to control..." message and wait 2 minutes the error is generated.



So the problem with the window that should not appear still exists.


@leonwun
Oh yeah, that is the TCC bit, several places to set




Hey, I have the same (and even more) Profiles on my testing machines - the window still pops up.
It only works without this popup when I run it locally and not via jamf.


I created a ticket regarding this issue as we can't find a solution and it might be a problem from JAMF / Apple's side.



If you still find anything I would really appreciate a post ;)


Are you on 10.11? Small note from the bottom of the release notes





You'll want your PPPC profile to allow



/Library/Application Support/JAMF/Jamf.app

@koalatee That's good to know, I am interested if this resolved the issue for @leonwun .


Hey @koalatee , thanks for your post!
I don't use 10.11 on any of my testing devices - We only use Mojave & High Sierra.



I tried this PPPC anyway, sadly nothing has changed.


I think @koalatee means Jamf Pro 10.11 (not macOS)


Yes, we're at 10.11.1-t1553545638.


Definitely a big problem. Hopefully a solution is found.


Experienced a similar issue, was able to resolve in the following fashion, which was posted earlier in this thread.




  • Jamf Pro is 10.11.1 (cloud)

  • Via PPPCU created a profile for "com.jamf.management.Jamf"

  • Open your /Library/Application Support/JAMF folder, drag the Jamf application to PPPCU

  • Set all access items but camera and mic

  • In the Apple Events section, add allow for Finder, System Events, and SystemUIServer

  • Save the config to your computer

  • Upload config to Configuration Profiles, set scope and etc.

  • Allow config to propagate, tested Self Service item that runs a bash script with OSASCRIPT elements, joy.



YMMV
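An added example, not part of the thread and not Jamf's code: a Python check of an exported .mobileconfig that reports which senders discussed above (osascript, the Jamf app) lack an Apple Events allow rule for System Events. The embedded profile is a constructed sample and the function names are hypothetical.

```python
import plistlib

# Constructed sample PPPC payload (not from the thread): allows osascript to
# send Apple Events to System Events, the pairing suggested earlier.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
  <key>Services</key><dict>
   <key>AppleEvents</key><array><dict>
    <key>Identifier</key><string>/usr/bin/osascript</string>
    <key>IdentifierType</key><string>path</string>
    <key>CodeRequirement</key><string>identifier "com.apple.osascript" and anchor apple</string>
    <key>AEReceiverIdentifier</key><string>com.apple.systemevents</string>
    <key>AEReceiverIdentifierType</key><string>bundleID</string>
    <key>AEReceiverCodeRequirement</key><string>identifier "com.apple.systemevents" and anchor apple</string>
    <key>Allowed</key><true/>
   </dict></array>
  </dict>
 </dict></array>
</dict></plist>"""

TCC_TYPE = "com.apple.TCC.configuration-profile-policy"


def apple_event_rules(profile_bytes):
    """Yield (sender, receiver, allowed) for every AppleEvents rule in a profile."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_TYPE:
            continue  # not a PPPC payload
        for rule in payload.get("Services", {}).get("AppleEvents", []):
            yield (rule.get("Identifier"),
                   rule.get("AEReceiverIdentifier"),
                   bool(rule.get("Allowed")))


def missing_senders(profile_bytes, senders, receiver="com.apple.systemevents"):
    """Return the senders that have no allow rule targeting the receiver."""
    allowed = {s for s, r, ok in apple_event_rules(profile_bytes)
               if ok and r == receiver}
    return [s for s in senders if s not in allowed]


if __name__ == "__main__":
    wanted = ["/usr/bin/osascript", "com.jamf.management.Jamf"]
    print("No System Events allow rule for:", missing_senders(SAMPLE_PROFILE, wanted))
```

A signed profile is CMS-wrapped and has to be unwrapped to plain XML before it can be parsed this way.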


Hey @jbutler47 , I exactly followed your steps and uploaded the following profile:





The profile was rolled out on my testing machines and I double checked if the profile was there. Then I waited until the next recurring check-in (15min).
The issue still exists. I did not try it with Self Service as that's not the intended use in the end (it should run with a recurring check-in).


We have been seeing a similar issue. It appears that if, at some point, a/the user has selected "Don't Allow" when they see the "Jamf wants access" message then the script will never work regardless of what you do. If the user has denied the Jamf System Events, that setting appears to be persistent and pushing a config profile after the fact does not resolve the problem. I'm not yet certain if the denial is a per-user issue or a system-wide issue.



On a test machine I've been able to run tccutil reset AppleEvents then push out a PPPC allowance for Jamf.app - System Events. After that a script we have that runs osascript will work. Here are the settings I made in the PPPC utility for /Library/Application Support/JAMF/Jamf.app



It would be useful to know if clearing the System Events works for anyone else.

