Skip to main content

I have seen some similar threads and some posts in the MacAdmins slack channel about DEPNotify not starting on Catalina, however I am unlucky enough to have it start, but not install any packages.



My workflow is as follows:
Install package (Contains DEPNotify.app, a postinstall script, launch daemon and depNotify.sh)



DEPNotify gets placed in /Applications/Utilities.
LaunchDaemon is placed in /Library/LaunchDaemons
depNotify.sh is placed in /var/tmp
postinstall sets permissions and initiates the LaunchDaemon.



The script is as follows below, and the majority of the processes seem to work. Computer name gets updated, the DEPNotify UI is configured properly, just applications will not install.
I watched the output of console errors while attempting this on Catalina and noticed the following (and most relevant error)
"Sandbox: cp(2783) System Policy: deny(1) file-read-data /Volumes/jamf-1/Packages/VLC 3.0.8.pkg"



I do have a PPPC profile installed that gives access to systemuiserver, systemevents and finder to jamf and its components, so I am not sure what the issue is. Does something need a disk access permission?
additionally, my github repo is here, should you need to look at the rest of the process.
Thanks in advance.



#!/bin/bash

setupDone="/Library/Application Support/Jamf/setupDone" #Legacy Extension Attribute to check if DEPNotify ran

dLOG=/var/tmp/depnotify.log

dLIST=/var/tmp/DEPNotify.plist

JAMF_BINARY=/usr/local/bin/jamf

CURRENTUSER=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "

");')

inputList="/Users/$CURRENTUSER/Library/Preferences/menu.nomad.DEPNotifyUserInput.plist"

configList="/Users/$CURRENTUSER/Library/Preferences/menu.nomad.DEPNotify.plist"

BANNER_IMG="/var/tmp/banner.png"

REGISTRATION_DONE="/var/tmp/com.depnotify.registration.done"



BUILDING_ARRAY=(

    "Chapman Center"

    "Coates University Center"

    "Center for Science & Innovation"

    "Dicke Smith Building"

    "Elizabeth Huth Coates Library"

    "Halsell Administrative Studies"

    "Holt Conference Center"

    "King's Court"

    "Laurie Auditorium"

    "Marrs McLean Hall"

    "Margarite B. Parker Chapel"

    "Northrup Hall"

    "Richardson Communication Center"

    "Ruth Taylor Theatre"

    "Storch Memorial Building"

    "William Bell Center"

    )



DEPARTMENT_ARRAY=(

    "Academic Affairs"

    "Academic Support"

    "Admissions"

    "Alumni Relations & Development"

    "Art & Art History"

    "Athletics"

    "Biology"

    "Business Office"

    "Chemistry"

    "Classical Studies"

    "Collaborative for Learning & Teaching"

    "Communication"

    "Computer Science"

    "Counseling Services"

    "Dean of Students"

    "Economics"

    "Education"

    "Endowments"

    "Engineering"

    "English"

    "Environmental Health & Safety"

    "Facilities Services"

    "Finance & Administration"

    "Geosciences"

    "Health Care Administration"

    "Health Services"

    "History"

    "Human Communication & Theatre"

    "Human Resources"

    "Information Technology Services"

    "Library"

    "Mathematics"

    "Modern Languages & Literatures"

    "Music"

    "Philosophy"

    "Physics & Astronomy"

    "Political Science"

    "President's Office"

    "Psychology"

    "Purchasing"

    "Registrar"

    "Religion"

    "Residential Life"

    "Risk Management & Insurance"

    "School of Business"

    "Sociology & Anthropology"

    "Strategic Communications & Marketing"

    "Student Financial Services"

    "Tiger Card Office"

    "Trinitonian"

    "Trinity University Press"

    "TUPD"

    "Other"

    )



POLICY_ARRAY=(

    "Installing Google Chrome,CHROME"

    "Installing Mozilla Firefox,FIREFOX"

    "Installing VLC Media Player,VLC"

    "Installing Java Runtime Environment,JRE"

    "Installing Adobe Flash Player,FLASH"

    "Installing Microsoft Office 2019,O2019"

    "Installing BitDefender,BDFS"

    "Installing KACE Agent,KACE"

    "Enabling Remote Management,SCRIPTS"

    "Adding to Faculty/Staff Group,FACSTAFF"

    )



if [ -f "${setupDone}" ]; then exit 0; fi



if pgrep -x "Finder" 

    && pgrep -x "Dock" 

    && [ "$CURRENTUSER" != "_mbsetupuser" ] 

    && [ ! -f "${setupDone}" ]; then



        /usr/bin/caffeinate -d -i -m -u -s &

        caffeinatepid=$!



        killall Installer

        pkill "Self Service"



        # Register input plist 

        sudo -u "$CURRENTUSER" defaults write "$configList" pathToPlistFile "$inputList"



        # Global app preferences

        sudo -u "$CURRENTUSER" defaults write "$configList" statusTextAlignment center



        echo "Status: Performing black magic..." >> $dLOG



        # Main Window Look'n'Feel

        echo "Command: Determinate: 16" >> $dLOG

        echo "Command: Image: /var/tmp/banner.png" >> $dLOG

        echo "Command: MainTitle: New Mac Deployment" >> $dLOG

        echo "Command: MainText: Make sure the device is using a wired connection before proceeding. This process should take approximately 25 minutes and the machine will reboot when completed.

 Additional software can be found in the Self Service app" >> $dLOG

        echo "Command: ContinueButtonRegister: Begin Registration" >> $dLOG



        # Registration Window Look'n'Feel

        sudo -u "$CURRENTUSER" defaults write "$configList" registrationTitleMain "Enter Device Details"

        sudo -u "$CURRENTUSER" defaults write "$configList" registrationPicturePath "$BANNER_IMG"

        sudo -u "$CURRENTUSER" defaults write "$configList" registrationButtonLabel "Register & Image Device"



        sudo -u "$CURRENTUSER" defaults write "$configList" textField1Label "Device Name"

        sudo -u "$CURRENTUSER" defaults write "$configList" textField1Placeholder "DEPT-USER"

        sudo -u "$CURRENTUSER" defaults write "$configList" textField1IsOptional -bool false



        sudo -u "$CURRENTUSER" defaults write "$configList" textField2Label "Assigned User"

        sudo -u "$CURRENTUSER" defaults write "$configList" textField2Placeholder "mkotara"

        sudo -u "$CURRENTUSER" defaults write "$configList" textField2Bubble -array "Criteria" "Please enter the user's AD username"

        sudo -u "$CURRENTUSER" defaults write "$configList" textField2IsOptional -bool false



        sudo -u "$CURRENTUSER" defaults write "$configList" popupButton1Label "Building"

        for BUILDING_ARRAY in "${BUILDING_ARRAY[@]}"; do

            sudo -u "$CURRENTUSER" defaults write "$configList" popupButton1Content -array-add "$BUILDING_ARRAY"

        done



        sudo -u "$CURRENTUSER" defaults write "$configList" popupButton2Label "Department"

        for DEPARTMENT_ARRAY in "${DEPARTMENT_ARRAY[@]}"; do

            sudo -u "$CURRENTUSER" defaults write "$configList" popupButton2Content -array-add "$DEPARTMENT_ARRAY"

        done





        # Open DepNotify

        sudo -u "$CURRENTUSER" /Applications/Utilities/DEPNotify.app/Contents/MacOS/DEPNotify &



        while [ ! -f "$REGISTRATION_DONE" ]; do

            echo "$(date "+%a %h %d %H:%M:%S"): Waiting on completion of registration" >> $dLOG

            sleep 2

        done



        #Computer Name Logic

        REG_FIELD_1_VALUE=$(defaults read "$inputList" "Device Name") #This field is mandatory

        if [ ! "$REG_FIELD_1_VALUE" = "" ]; then

            echo "Status: Setting computer name to $REG_FIELD_1_VALUE" >> $dLOG

            scutil --set HostName "$REG_FIELD_1_VALUE"

            scutil --set LocalHostName "$REG_FIELD_1_VALUE"

            scutil --set ComputerName "$REG_FIELD_1_VALUE"

            $JAMF_BINARY setComputerName -name "$REG_FIELD_1_VALUE"

        else

            echo "Status: Something went wrong because DEVICE_NAME can't be empty." >> $dLOG

            exit 1

        fi



        # Asset Tag Logic

        REG_FIELD_2_VALUE=$(defaults read "$inputList" "Assigned User")

        REG_FIELD_2_OPTIONAL=$(defaults read "$configList" "textField2IsOptional")

        if [ "$REG_FIELD_2_OPTIONAL" = 1 ] && [ "$REG_FIELD_2_VALUE" = "" ]; then

            echo "Status: Asignee was left empty... Skipping" >> $dLOG

            sleep 2

        else #set the asset tag

            echo "Status: Setting assigne to $REG_FIELD_2_VALUE." >> $dLOG

            $JAMF_BINARY recon -endUsername "$REG_FIELD_2_VALUE"

        fi



        #Device Building Logic

        REG_FIELD_3_VALUE=$(defaults read "$inputList" "Building")

        if [ ! "$REG_FIELD_3_VALUE" = "" ]; then

            echo "Status: Setting building to $REG_FIELD_3_VALUE" >> $dLOG

            $JAMF_BINARY recon -building "$REG_FIELD_3_VALUE"

        else

            echo "Something went wrong when setting BUILDING" >> $dLOG

            exit 1

        fi





        #Device Department Logic

        REG_FIELD_4_VALUE=$(defaults read "$inputList" "Department")

        if [ ! "$REG_FIELD_4_VALUE" = "" ]; then

            echo "Status: Setting department to $REG_FIELD_4_VALUE" >> $dLOG

            "$JAMF_BINARY" recon -department "$REG_FIELD_4_VALUE"

        else

            echo "Something went wrong when setting DEPARTMENT" >> $dLOG

            exit 1

        fi





        #Begin device imaging

        for POLICY in "${POLICY_ARRAY[@]}"; do

            echo "Status: $(echo "$POLICY" | cut -d ',' -f1)" >> "$dLOG"

            "$JAMF_BINARY" policy -event "$(echo "$POLICY" | cut -d ',' -f2)"

        done



        touch /var/db/receipts/edu.trinity.imaging.bom

        echo "Status: Updating device inventory" >> $dLOG

        $JAMF_BINARY recon

        echo "Status: Cleaning up files and restarting the system" >> $dLOG

        sleep 2

        kill $caffeinatepid

        rm -fr /Library/LaunchDaemons/edu.trinity.launch.plist

        rm -fr $inputList

        rm -fr $configList

        rm -fr /var/tmp/banner.png

        pwpolicy -u "$CURRENTUSER" -setpolicy "newPasswordRequired=1"

        echo "Command: RestartNow:" >> $dLOG



        rm -fr /Applications/Utilities/DEPNotify.app

        rm -- "$0"

fi

exit 0

Is your server on-prem & are your distribution points samba? @mlizbeth

@Hugonaut
Our Jamf is cloud hosted and we are using an on-prem SMB share for package distribution.

We are on-prem JamfPro and using SMB distribution points. I am running into the same issue. I get the operation not permitted for the cp from /Volumes... The same policies run fine on Mojave and below or when manually fired.

@m.donovan
This makes sense! my DEPNotify policies are all on a custom trigger. So when installing flash player with sudo jamf policy -event FLASH in terminal, I was given a TCC prompt to allow Terminal (or perhaps bash) access to a network volume. I think there's some missing entitlements, I just don't know where.



Digging deeper, I remember when we upgraded to Mojave for the first time and the kernel was spitting errors about file-data-read and file-data-write for Bitdefender, and it didn't work, until I granted full disk access.

@mlizbeth I have been playing around with PPPC's for a couple of days now. Still not sure what is going to allow these to run correctly. There is also this thread. https://www.jamf.com/jamf-nation/discussions/34030/policies-failing-operation-not-permitted

@m.donovan
If I am understanding correctly, the only 2 workarounds are to use HTTP/HTTPS or to allow bash/Terminal/jamf access to all files?

The HTTP/HTTPS is not really an option for us. I have 6 SMB DP's and don't relish the idea of having to convert those. I have a PPPC scoped to the DEP computers that allows SystemPolicyNetworkVolumes, SystemPolicySysAdminfiles, as well as SystemPolicyAllFiles for good measure. The PPPC's are for terminal as well as JamfAgent and Jamf binary.

@mlizbeth Our externally facing DP is HTTP/HTTPS so I can do a test with it and see. I won't be able to until tomorrow but I will post what I find out.

I understand that. We only have 1 SMB DP, but our network administrators highly prefer we use SMB if the machines are on the campus network segment. So with all those PPPC profiles in place, have you had success?

No luck thus far. I am really starting to dislike Catalina A LOT!!!

@mlizbeth @m.donovan I was adjusting my instance of DEPNotify today on 10.15.2 without issue. Jamf Cloud is the primary distribution point with a local SMB fileshare, and all the pkgs came from SMB. I haven’t updated to DEPNotify 1.1.5 yet, still on 1.1.4.



Jamf is given full disk access, here’s an example of my profile to compare against what you have.

I have no issues whatsoever with the Prestage and DepNotify scripts that I previously used in Mojave.
On Prem totally and SMB shares. using v.1.1.3
I take it that you are creating an additional admin account in the Prestage, then logging in as that to start the DepNotify script??

Yes, we create the user's account in prestage so it logs in automatically and kicks off DEPNotify. Every aspect of the script is working except for package installation.



Plist creation is fine, properly relays the computer's name and other asset information to the server, etc.

@sshort
I tried your profile with no success :(

If I point the network segment I am testing on to the HTTP/HTTPS DP everything works fine.

I have also moved to the HTTP/HTTPS cloud DP.
Having a functioning workflow is more important at the moment. However, I will continue to debug this. Just needed a working solution in the meantime.

@m.donovan



I switched from SMB to cloud and was unable to replicate the contents of cloud to SMB. I granted bash access to network volumes and this fixed the problem. I need to check if it fixes the cp error when installing packages from SMB.



Can you test out a profile like this?



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

    <key>PayloadContent</key>

    <array>

        <dict>

            <key>PayloadDescription</key>

            <string>Bash Tester</string>

            <key>PayloadDisplayName</key>

            <string>Bash Tester</string>

            <key>PayloadIdentifier</key>

            <string>3CE7323C-527B-4E61-A382-6CA1910871E3</string>

            <key>PayloadOrganization</key>

            <string>Trinity</string>

            <key>PayloadType</key>

            <string>com.apple.TCC.configuration-profile-policy</string>

            <key>PayloadUUID</key>

            <string>147B368C-0894-424C-8FB8-E3DD38B1B03E</string>

            <key>PayloadVersion</key>

            <integer>1</integer>

            <key>Services</key>

            <dict>

                <key>AppleEvents</key>

                <array>

                    <dict>

                        <key>AEReceiverCodeRequirement</key>

                        <string>identifier "com.apple.finder" and anchor apple</string>

                        <key>AEReceiverIdentifier</key>

                        <string>com.apple.finder</string>

                        <key>AEReceiverIdentifierType</key>

                        <string>bundleID</string>

                        <key>Allowed</key>

                        <true/>

                        <key>CodeRequirement</key>

                        <string>identifier "com.apple.bash" and anchor apple</string>

                        <key>Comment</key>

                        <string></string>

                        <key>Identifier</key>

                        <string>/bin/bash</string>

                        <key>IdentifierType</key>

                        <string>path</string>

                    </dict>

                    <dict>

                        <key>AEReceiverCodeRequirement</key>

                        <string>identifier "com.apple.systemuiserver" and anchor apple</string>

                        <key>AEReceiverIdentifier</key>

                        <string>com.apple.systemuiserver</string>

                        <key>AEReceiverIdentifierType</key>

                        <string>bundleID</string>

                        <key>Allowed</key>

                        <true/>

                        <key>CodeRequirement</key>

                        <string>identifier "com.apple.bash" and anchor apple</string>

                        <key>Comment</key>

                        <string></string>

                        <key>Identifier</key>

                        <string>/bin/bash</string>

                        <key>IdentifierType</key>

                        <string>path</string>

                    </dict>

                    <dict>

                        <key>AEReceiverCodeRequirement</key>

                        <string>identifier "com.apple.systemevents" and anchor apple</string>

                        <key>AEReceiverIdentifier</key>

                        <string>com.apple.systemevents</string>

                        <key>AEReceiverIdentifierType</key>

                        <string>bundleID</string>

                        <key>Allowed</key>

                        <true/>

                        <key>CodeRequirement</key>

                        <string>identifier "com.apple.bash" and anchor apple</string>

                        <key>Comment</key>

                        <string></string>

                        <key>Identifier</key>

                        <string>/bin/bash</string>

                        <key>IdentifierType</key>

                        <string>path</string>

                    </dict>

                </array>

                <key>SystemPolicyNetworkVolumes</key>

                <array>

                    <dict>

                        <key>Allowed</key>

                        <true/>

                        <key>CodeRequirement</key>

                        <string>identifier "com.apple.bash" and anchor apple</string>

                        <key>Comment</key>

                        <string></string>

                        <key>Identifier</key>

                        <string>/bin/bash</string>

                        <key>IdentifierType</key>

                        <string>path</string>

                    </dict>

                </array>

            </dict>

        </dict>

    </array>

    <key>PayloadDescription</key>

    <string>Bash Tester</string>

    <key>PayloadDisplayName</key>

    <string>Bash Tester</string>

    <key>PayloadIdentifier</key>

    <string>3CE7323C-527B-4E61-A382-6CA1910871E3</string>

    <key>PayloadOrganization</key>

    <string>Trinity</string>

    <key>PayloadType</key>

    <string>com.apple.TCC.configuration-profile-policy</string>

    <key>PayloadUUID</key>

    <string>4A664E5A-4355-4136-9C4F-2255852C7D2C</string>

    <key>PayloadVersion</key>

    <integer>1</integer>

    <key>payloadScope</key>

    <string>system</string>

</dict>

</plist>

@mlizbeth Still not working for me. So far the only thing that has resolved the issue for me is pointing it at a HTTP/HTTPS DP. I'm going to look into converting my SMB DPs over.

I encountered this same situation in my on-prem environment (and still on 10.15.1) and working with Jamf support on this. Haven't figured out a working resolution yet though.

FWIW I have had much better success using launchctl asuser or launchctl boostrap versus sudo -u user_name as far as getting DEP Notify to reliably launch and work in the user context

I havent seen any issues with DEPNotify installing on Catalina, but I have noticed that the DEPNotify Registration UI sheet is blank when deploying on Catalina (10.15.1). Im referring to the optional interface that prompts for site-specific values such as Hostname, Department, Building, etc. The sheet doesnt render any info at all - other than the button to advance to the next step.



Edit: Im running DEPNotify 1.1.4 (1.1.5 is out). Need to update and test again.

Reply


Terms & ConditionsCookie settings