Question

DEPNotify not installing Apps on Catalina

  • December 16, 2019
  • 21 replies
  • 108 views


I have seen some similar threads and some posts in the MacAdmins Slack channel about DEPNotify not starting on Catalina; however, I am unlucky enough to have it start but not install any packages.

My workflow is as follows:
Install package (Contains DEPNotify.app, a postinstall script, launch daemon and depNotify.sh)

DEPNotify gets placed in /Applications/Utilities.
LaunchDaemon is placed in /Library/LaunchDaemons
depNotify.sh is placed in /var/tmp
postinstall sets permissions and initiates the LaunchDaemon.

The script is below, and the majority of the process seems to work: the computer name gets updated and the DEPNotify UI is configured properly; it is just that applications will not install.
I watched the Console error output while attempting this on Catalina and noticed the following (the most relevant error):
"Sandbox: cp(2783) System Policy: deny(1) file-read-data /Volumes/jamf-1/Packages/VLC 3.0.8.pkg"

I do have a PPPC profile installed that gives access to SystemUIServer, System Events and Finder to jamf and its components, so I am not sure what the issue is. Does something need a disk access permission?
Additionally, my GitHub repo is here, should you need to look at the rest of the process.
Thanks in advance.

#!/bin/bash
setupDone="/Library/Application Support/Jamf/setupDone" #Legacy Extension Attribute to check if DEPNotify ran
dLOG=/var/tmp/depnotify.log
dLIST=/var/tmp/DEPNotify.plist
JAMF_BINARY=/usr/local/bin/jamf
# Console user via SystemConfiguration; the trailing newline escape must stay a literal \n inside the Python string
CURRENTUSER=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')
inputList="/Users/$CURRENTUSER/Library/Preferences/menu.nomad.DEPNotifyUserInput.plist"
configList="/Users/$CURRENTUSER/Library/Preferences/menu.nomad.DEPNotify.plist"
BANNER_IMG="/var/tmp/banner.png"
REGISTRATION_DONE="/var/tmp/com.depnotify.registration.done"

BUILDING_ARRAY=(
    "Chapman Center"
    "Coates University Center"
    "Center for Science & Innovation"
    "Dicke Smith Building"
    "Elizabeth Huth Coates Library"
    "Halsell Administrative Studies"
    "Holt Conference Center"
    "King's Court"
    "Laurie Auditorium"
    "Marrs McLean Hall"
    "Margarite B. Parker Chapel"
    "Northrup Hall"
    "Richardson Communication Center"
    "Ruth Taylor Theatre"
    "Storch Memorial Building"
    "William Bell Center"
    )

DEPARTMENT_ARRAY=(
    "Academic Affairs"
    "Academic Support"
    "Admissions"
    "Alumni Relations & Development"
    "Art & Art History"
    "Athletics"
    "Biology"
    "Business Office"
    "Chemistry"
    "Classical Studies"
    "Collaborative for Learning & Teaching"
    "Communication"
    "Computer Science"
    "Counseling Services"
    "Dean of Students"
    "Economics"
    "Education"
    "Endowments"
    "Engineering"
    "English"
    "Environmental Health & Safety"
    "Facilities Services"
    "Finance & Administration"
    "Geosciences"
    "Health Care Administration"
    "Health Services"
    "History"
    "Human Communication & Theatre"
    "Human Resources"
    "Information Technology Services"
    "Library"
    "Mathematics"
    "Modern Languages & Literatures"
    "Music"
    "Philosophy"
    "Physics & Astronomy"
    "Political Science"
    "President's Office"
    "Psychology"
    "Purchasing"
    "Registrar"
    "Religion"
    "Residential Life"
    "Risk Management & Insurance"
    "School of Business"
    "Sociology & Anthropology"
    "Strategic Communications & Marketing"
    "Student Financial Services"
    "Tiger Card Office"
    "Trinitonian"
    "Trinity University Press"
    "TUPD"
    "Other"
    )

POLICY_ARRAY=(
    "Installing Google Chrome,CHROME"
    "Installing Mozilla Firefox,FIREFOX"
    "Installing VLC Media Player,VLC"
    "Installing Java Runtime Environment,JRE"
    "Installing Adobe Flash Player,FLASH"
    "Installing Microsoft Office 2019,O2019"
    "Installing BitDefender,BDFS"
    "Installing KACE Agent,KACE"
    "Enabling Remote Management,SCRIPTS"
    "Adding to Faculty/Staff Group,FACSTAFF"
    )

if [ -f "${setupDone}" ]; then exit 0; fi

# Only run once a real user session is up (Finder and Dock running, not the Setup Assistant user)
if pgrep -qx "Finder" \
    && pgrep -qx "Dock" \
    && [ "$CURRENTUSER" != "_mbsetupuser" ] \
    && [ ! -f "${setupDone}" ]; then

        /usr/bin/caffeinate -d -i -m -u -s &
        caffeinatepid=$!

        killall Installer
        pkill "Self Service"

        # Register input plist 
        sudo -u "$CURRENTUSER" defaults write "$configList" pathToPlistFile "$inputList"

        # Global app preferences
        sudo -u "$CURRENTUSER" defaults write "$configList" statusTextAlignment center

        echo "Status: Performing black magic..." >> $dLOG

        # Main Window Look'n'Feel
        echo "Command: Determinate: 16" >> $dLOG
        echo "Command: Image: /var/tmp/banner.png" >> $dLOG
        echo "Command: MainTitle: New Mac Deployment" >> $dLOG
        # DEPNotify renders a literal \n in MainText as a line break
        echo "Command: MainText: Make sure the device is using a wired connection before proceeding. This process should take approximately 25 minutes and the machine will reboot when completed. \n Additional software can be found in the Self Service app" >> $dLOG
        echo "Command: ContinueButtonRegister: Begin Registration" >> $dLOG

        # Registration Window Look'n'Feel
        sudo -u "$CURRENTUSER" defaults write "$configList" registrationTitleMain "Enter Device Details"
        sudo -u "$CURRENTUSER" defaults write "$configList" registrationPicturePath "$BANNER_IMG"
        sudo -u "$CURRENTUSER" defaults write "$configList" registrationButtonLabel "Register & Image Device"

        sudo -u "$CURRENTUSER" defaults write "$configList" textField1Label "Device Name"
        sudo -u "$CURRENTUSER" defaults write "$configList" textField1Placeholder "DEPT-USER"
        sudo -u "$CURRENTUSER" defaults write "$configList" textField1IsOptional -bool false

        sudo -u "$CURRENTUSER" defaults write "$configList" textField2Label "Assigned User"
        sudo -u "$CURRENTUSER" defaults write "$configList" textField2Placeholder "mkotara"
        sudo -u "$CURRENTUSER" defaults write "$configList" textField2Bubble -array "Criteria" "Please enter the user's AD username"
        sudo -u "$CURRENTUSER" defaults write "$configList" textField2IsOptional -bool false

        sudo -u "$CURRENTUSER" defaults write "$configList" popupButton1Label "Building"
        for BUILDING in "${BUILDING_ARRAY[@]}"; do
            sudo -u "$CURRENTUSER" defaults write "$configList" popupButton1Content -array-add "$BUILDING"
        done

        sudo -u "$CURRENTUSER" defaults write "$configList" popupButton2Label "Department"
        for DEPARTMENT in "${DEPARTMENT_ARRAY[@]}"; do
            sudo -u "$CURRENTUSER" defaults write "$configList" popupButton2Content -array-add "$DEPARTMENT"
        done


        # Open DepNotify
        sudo -u "$CURRENTUSER" /Applications/Utilities/DEPNotify.app/Contents/MacOS/DEPNotify &

        while [ ! -f "$REGISTRATION_DONE" ]; do
            echo "$(date "+%a %h %d %H:%M:%S"): Waiting on completion of registration" >> $dLOG
            sleep 2
        done

        #Computer Name Logic
        REG_FIELD_1_VALUE=$(defaults read "$inputList" "Device Name") #This field is mandatory
        if [ ! "$REG_FIELD_1_VALUE" = "" ]; then
            echo "Status: Setting computer name to $REG_FIELD_1_VALUE" >> $dLOG
            scutil --set HostName "$REG_FIELD_1_VALUE"
            scutil --set LocalHostName "$REG_FIELD_1_VALUE"
            scutil --set ComputerName "$REG_FIELD_1_VALUE"
            $JAMF_BINARY setComputerName -name "$REG_FIELD_1_VALUE"
        else
            echo "Status: Something went wrong because DEVICE_NAME can't be empty." >> $dLOG
            exit 1
        fi

        # Assigned User Logic
        REG_FIELD_2_VALUE=$(defaults read "$inputList" "Assigned User")
        REG_FIELD_2_OPTIONAL=$(defaults read "$configList" "textField2IsOptional")
        if [ "$REG_FIELD_2_OPTIONAL" = 1 ] && [ "$REG_FIELD_2_VALUE" = "" ]; then
            echo "Status: Assignee was left empty... Skipping" >> $dLOG
            sleep 2
        else # set the assigned user in Jamf inventory
            echo "Status: Setting assignee to $REG_FIELD_2_VALUE." >> $dLOG
            $JAMF_BINARY recon -endUsername "$REG_FIELD_2_VALUE"
        fi

        #Device Building Logic
        REG_FIELD_3_VALUE=$(defaults read "$inputList" "Building")
        if [ ! "$REG_FIELD_3_VALUE" = "" ]; then
            echo "Status: Setting building to $REG_FIELD_3_VALUE" >> $dLOG
            $JAMF_BINARY recon -building "$REG_FIELD_3_VALUE"
        else
            echo "Something went wrong when setting BUILDING" >> $dLOG
            exit 1
        fi


        #Device Department Logic
        REG_FIELD_4_VALUE=$(defaults read "$inputList" "Department")
        if [ ! "$REG_FIELD_4_VALUE" = "" ]; then
            echo "Status: Setting department to $REG_FIELD_4_VALUE" >> $dLOG
            "$JAMF_BINARY" recon -department "$REG_FIELD_4_VALUE"
        else
            echo "Something went wrong when setting DEPARTMENT" >> $dLOG
            exit 1
        fi


        #Begin device imaging
        for POLICY in "${POLICY_ARRAY[@]}"; do
            echo "Status: $(echo "$POLICY" | cut -d ',' -f1)" >> "$dLOG"
            "$JAMF_BINARY" policy -event "$(echo "$POLICY" | cut -d ',' -f2)"
        done

        touch /var/db/receipts/edu.trinity.imaging.bom
        echo "Status: Updating device inventory" >> $dLOG
        $JAMF_BINARY recon
        echo "Status: Cleaning up files and restarting the system" >> $dLOG
        sleep 2
        kill $caffeinatepid
        rm -fr /Library/LaunchDaemons/edu.trinity.launch.plist
        rm -fr $inputList
        rm -fr $configList
        rm -fr /var/tmp/banner.png
        pwpolicy -u "$CURRENTUSER" -setpolicy "newPasswordRequired=1"
        echo "Command: RestartNow:" >> $dLOG

        rm -fr /Applications/Utilities/DEPNotify.app
        rm -- "$0"
fi
exit 0
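
The denial quoted above, `Sandbox: cp(2783) System Policy: deny(1) file-read-data /Volumes/jamf-1/Packages/VLC 3.0.8.pkg`, comes from TCC's file-access protection (the "System Policy" wording), not from the classic app sandbox, and a path under /Volumes points at the volume grants rather than the Finder, System Events and SystemUIServer Apple Events grants the PPPC profile already carries. As an added example, not part of the original post and not DEPNotify or Jamf code, the script below parses such lines out of Console or `log show` output and maps each denied path to the PPPC service whose grant would normally cover it. Only the first sample line is from the post; the others are constructed here, the service names are the standard PPPC keys, and the `log show` predicate is the one assumed for pulling the same events from the unified log. Python 3, standard library only.

```python
import re

# Constructed sample. Line 1 is the denial quoted in the post; the rest are
# made up here to exercise the other cases (pids and paths are illustrative).
SAMPLE_LOG = """\
Sandbox: cp(2783) System Policy: deny(1) file-read-data /Volumes/jamf-1/Packages/VLC 3.0.8.pkg
Sandbox: installer(2790) System Policy: deny(1) file-read-data /Volumes/jamf-1/Packages/Firefox 71.0.pkg
Sandbox: bash(2700) System Policy: deny(1) file-read-data /Users/mkotara/Desktop/notes.txt
Sandbox: jamf(2650) System Policy: deny(1) file-write-data /Library/Application Support/com.apple.TCC/TCC.db
kernel: unrelated message that must be ignored
"""

# "System Policy: deny(N) <operation> <path>"; the path may contain spaces.
DENY_RE = re.compile(
    r"Sandbox: (?P<proc>[^(]+)\((?P<pid>\d+)\) System Policy: "
    r"deny\(\d+\) (?P<op>[a-z-]+) (?P<path>.+?)\s*$"
)

# Per-folder PPPC services that Catalina introduced for the home directory.
USER_FOLDERS = {
    "Desktop": "SystemPolicyDesktopFolder",
    "Documents": "SystemPolicyDocumentsFolder",
    "Downloads": "SystemPolicyDownloadsFolder",
}


def tcc_services_for_path(path):
    """Return the PPPC service(s) whose grant normally covers `path`.

    A path under /Volumes is a mounted volume, but the log line does not say
    whether it is a network share or local media, so both candidates are returned.
    """
    if path.startswith("/Volumes/"):
        return ["SystemPolicyNetworkVolumes", "SystemPolicyRemovableVolumes"]
    parts = path.split("/")          # ['', 'Users', '<user>', '<folder>', ...]
    if path.startswith("/Users/") and len(parts) > 3 and parts[3] in USER_FOLDERS:
        return [USER_FOLDERS[parts[3]]]
    # Everything else TCC guards (TCC.db, Mail, Messages, Safari data, ...)
    # falls under Full Disk Access.
    return ["SystemPolicyAllFiles"]


def parse_denials(log_text):
    """Extract 'System Policy: deny' events; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        events.append({
            "proc": m.group("proc"),
            "pid": int(m.group("pid")),
            "op": m.group("op"),
            "path": m.group("path"),
            "services": tcc_services_for_path(m.group("path")),
        })
    return events


def summarize(log_text):
    """Map each denied process name to the set of services it would need.

    Caveat: TCC evaluates the *responsible* process, not the child that made
    the syscall. For a LaunchDaemon running a shell script that calls the jamf
    binary, which in turn runs cp, the responsible process is typically the
    script's interpreter (/bin/bash), so the grant has to target that.
    """
    needed = {}
    for ev in parse_denials(log_text):
        needed.setdefault(ev["proc"], set()).update(ev["services"])
    return needed


def log_show_command(hours=1):
    """argv for pulling the same events from the unified log on the Mac itself."""
    return ["log", "show", "--last", "%dh" % hours,
            "--predicate", 'eventMessage CONTAINS "System Policy: deny"']


if __name__ == "__main__":
    for proc, services in sorted(summarize(SAMPLE_LOG).items()):
        print("%-10s -> %s" % (proc, ", ".join(sorted(services))))
```

The summary names the process that made the denied call, which is the starting point and not the end of the analysis: `cp` is a child of the jamf binary, which is a child of the script, so the process whose identity TCC checks is the one launchd started. That is why a grant to `/bin/bash` can fix an SMB copy that a grant to `jamf` alone does not.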

21 replies

Hugonaut
  • Esteemed Contributor
  • December 16, 2019

Is your server on-prem & are your distribution points samba? @mlizbeth


  • Author
  • Valued Contributor
  • December 16, 2019

@Hugonaut Our Jamf is cloud hosted and we are using an on-prem SMB share for package distribution.


  • Valued Contributor
  • December 16, 2019

We are on-prem Jamf Pro and using SMB distribution points. I am running into the same issue. I get "operation not permitted" for the cp from /Volumes... The same policies run fine on Mojave and below or when manually fired.


  • Author
  • Valued Contributor
  • December 16, 2019

@m.donovan This makes sense! My DEPNotify policies are all on a custom trigger. So when installing Flash Player with sudo jamf policy -event FLASH in Terminal, I was given a TCC prompt to allow Terminal (or perhaps bash) access to a network volume. I think there are some missing entitlements, I just don't know where.

Digging deeper, I remember when we upgraded to Mojave for the first time and the kernel was spitting errors about file-data-read and file-data-write for Bitdefender, and it didn't work, until I granted full disk access.


  • Valued Contributor
  • December 16, 2019

@mlizbeth I have been playing around with PPPCs for a couple of days now. Still not sure what is going to allow these to run correctly. There is also this thread: https://www.jamf.com/jamf-nation/discussions/34030/policies-failing-operation-not-permitted


  • Author
  • Valued Contributor
  • December 16, 2019

@m.donovan If I am understanding correctly, the only 2 workarounds are to use HTTP/HTTPS or to allow bash/Terminal/jamf access to all files?


  • Valued Contributor
  • December 16, 2019

HTTP/HTTPS is not really an option for us. I have 6 SMB DPs and don't relish the idea of having to convert those. I have a PPPC scoped to the DEP computers that allows SystemPolicyNetworkVolumes, SystemPolicySysAdminFiles, as well as SystemPolicyAllFiles for good measure. The PPPCs are for Terminal as well as JamfAgent and the Jamf binary.


  • Valued Contributor
  • December 16, 2019

@mlizbeth Our externally facing DP is HTTP/HTTPS so I can do a test with it and see. I won't be able to until tomorrow but I will post what I find out.


  • Author
  • Valued Contributor
  • December 16, 2019

I understand that. We only have 1 SMB DP, but our network administrators highly prefer we use SMB if the machines are on the campus network segment. So with all those PPPC profiles in place, have you had success?


  • Valued Contributor
  • December 16, 2019

No luck thus far. I am really starting to dislike Catalina A LOT!!!


  • Valued Contributor
  • December 17, 2019

@mlizbeth @m.donovan I was adjusting my instance of DEPNotify today on 10.15.2 without issue. Jamf Cloud is the primary distribution point with a local SMB fileshare, and all the pkgs came from SMB. I haven’t updated to DEPNotify 1.1.5 yet, still on 1.1.4.

Jamf is given full disk access, here’s an example of my profile to compare against what you have.


  • Valued Contributor
  • December 17, 2019

I have no issues whatsoever with the PreStage and DEPNotify scripts that I previously used in Mojave.
Totally on-prem with SMB shares, using v1.1.3.
I take it that you are creating an additional admin account in the PreStage, then logging in as that to start the DEPNotify script?


  • Author
  • Valued Contributor
  • December 17, 2019

Yes, we create the user's account in the PreStage so it logs in automatically and kicks off DEPNotify. Every aspect of the script is working except for package installation.

Plist creation is fine, properly relays the computer's name and other asset information to the server, etc.


  • Author
  • Valued Contributor
  • December 17, 2019

@sshort I tried your profile with no success :(


  • Valued Contributor
  • December 17, 2019

If I point the network segment I am testing on to the HTTP/HTTPS DP everything works fine.


  • Author
  • Valued Contributor
  • December 17, 2019

I have also moved to the HTTP/HTTPS cloud DP.
Having a functioning workflow is more important at the moment. However, I will continue to debug this. Just needed a working solution in the meantime.


  • Author
  • Valued Contributor
  • December 17, 2019

@m.donovan

I switched from SMB to cloud and was unable to replicate the contents of cloud to SMB. I granted bash access to network volumes and this fixed the problem. I need to check if it fixes the cp error when installing packages from SMB.

Can you test out a profile like this?

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDescription</key>
            <string>Bash Tester</string>
            <key>PayloadDisplayName</key>
            <string>Bash Tester</string>
            <key>PayloadIdentifier</key>
            <string>3CE7323C-527B-4E61-A382-6CA1910871E3</string>
            <key>PayloadOrganization</key>
            <string>Trinity</string>
            <key>PayloadType</key>
            <string>com.apple.TCC.configuration-profile-policy</string>
            <key>PayloadUUID</key>
            <string>147B368C-0894-424C-8FB8-E3DD38B1B03E</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Services</key>
            <dict>
                <key>AppleEvents</key>
                <array>
                    <dict>
                        <key>AEReceiverCodeRequirement</key>
                        <string>identifier "com.apple.finder" and anchor apple</string>
                        <key>AEReceiverIdentifier</key>
                        <string>com.apple.finder</string>
                        <key>AEReceiverIdentifierType</key>
                        <string>bundleID</string>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>identifier "com.apple.bash" and anchor apple</string>
                        <key>Comment</key>
                        <string></string>
                        <key>Identifier</key>
                        <string>/bin/bash</string>
                        <key>IdentifierType</key>
                        <string>path</string>
                    </dict>
                    <dict>
                        <key>AEReceiverCodeRequirement</key>
                        <string>identifier "com.apple.systemuiserver" and anchor apple</string>
                        <key>AEReceiverIdentifier</key>
                        <string>com.apple.systemuiserver</string>
                        <key>AEReceiverIdentifierType</key>
                        <string>bundleID</string>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>identifier "com.apple.bash" and anchor apple</string>
                        <key>Comment</key>
                        <string></string>
                        <key>Identifier</key>
                        <string>/bin/bash</string>
                        <key>IdentifierType</key>
                        <string>path</string>
                    </dict>
                    <dict>
                        <key>AEReceiverCodeRequirement</key>
                        <string>identifier "com.apple.systemevents" and anchor apple</string>
                        <key>AEReceiverIdentifier</key>
                        <string>com.apple.systemevents</string>
                        <key>AEReceiverIdentifierType</key>
                        <string>bundleID</string>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>identifier "com.apple.bash" and anchor apple</string>
                        <key>Comment</key>
                        <string></string>
                        <key>Identifier</key>
                        <string>/bin/bash</string>
                        <key>IdentifierType</key>
                        <string>path</string>
                    </dict>
                </array>
                <key>SystemPolicyNetworkVolumes</key>
                <array>
                    <dict>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>identifier "com.apple.bash" and anchor apple</string>
                        <key>Comment</key>
                        <string></string>
                        <key>Identifier</key>
                        <string>/bin/bash</string>
                        <key>IdentifierType</key>
                        <string>path</string>
                    </dict>
                </array>
            </dict>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Bash Tester</string>
    <key>PayloadDisplayName</key>
    <string>Bash Tester</string>
    <key>PayloadIdentifier</key>
    <string>3CE7323C-527B-4E61-A382-6CA1910871E3</string>
    <key>PayloadOrganization</key>
    <string>Trinity</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>4A664E5A-4355-4136-9C4F-2255852C7D2C</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadScope</key>
    <string>System</string>
</dict>
</plist>
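
Two things are worth checking in a hand-written TCC profile before scoping it: that the wrapper is well-formed (a top-level `PayloadType` of `Configuration` and a `PayloadScope` of `System`, since a Privacy Preferences payload is only honored at device scope), and that each `CodeRequirement` really is the designated requirement of the binary named in `Identifier` (on the Mac, `codesign -dr - /bin/bash` prints it after `designated =>`). The linter below is an added example, not code from the post or from Jamf. Its sample profile is constructed from the `/bin/bash` `SystemPolicyNetworkVolumes` entry above plus a `SystemPolicyAllFiles` entry for `/bin/bash` of the kind mentioned earlier in the thread, and deliberately carries a lowercase `payloadScope` key and a TCC `PayloadType` at the top level so that both wrapper findings fire. The interpreter list and the "broad" service set are my own choices. Python 3, standard library only.

```python
import plistlib

TCC_PAYLOAD = "com.apple.TCC.configuration-profile-policy"
# A grant to a generic interpreter (identified by path) is inherited by every
# script that interpreter runs, so broad grants to these are flagged.
INTERPRETERS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/python", "/usr/bin/osascript"}
BROAD = {"SystemPolicyAllFiles", "SystemPolicySysAdminFiles"}

# Constructed sample (see lead-in): two intentional wrapper defects.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
  <key>PayloadIdentifier</key><string>3CE7323C-527B-4E61-A382-6CA1910871E3</string>
  <key>PayloadUUID</key><string>147B368C-0894-424C-8FB8-E3DD38B1B03E</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>Services</key><dict>
    <key>SystemPolicyNetworkVolumes</key><array><dict>
      <key>Allowed</key><true/>
      <key>CodeRequirement</key><string>identifier "com.apple.bash" and anchor apple</string>
      <key>Identifier</key><string>/bin/bash</string>
      <key>IdentifierType</key><string>path</string>
    </dict></array>
    <key>SystemPolicyAllFiles</key><array><dict>
      <key>Allowed</key><true/>
      <key>CodeRequirement</key><string>identifier "com.apple.bash" and anchor apple</string>
      <key>Identifier</key><string>/bin/bash</string>
      <key>IdentifierType</key><string>path</string>
    </dict></array>
  </dict>
</dict></array>
<key>PayloadIdentifier</key><string>3CE7323C-527B-4E61-A382-6CA1910871E3</string>
<key>PayloadUUID</key><string>4A664E5A-4355-4136-9C4F-2255852C7D2C</string>
<key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadVersion</key><integer>1</integer>
<key>payloadScope</key><string>system</string>
</dict></plist>
"""


def load_profile(data):
    """Parse a .mobileconfig (XML or binary plist) into a dict."""
    return plistlib.loads(data)


def tcc_grants(profile):
    """Yield (service, identifier, identifier_type, code_requirement, allowed) per entry."""
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_PAYLOAD:
            continue
        for service, entries in payload.get("Services", {}).items():
            for e in entries:
                yield (service, e.get("Identifier"), e.get("IdentifierType"),
                       e.get("CodeRequirement"), bool(e.get("Allowed")))


def lint(profile):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    if profile.get("PayloadType") != "Configuration":
        findings.append("top-level PayloadType must be 'Configuration', got %r"
                        % profile.get("PayloadType"))
    if profile.get("PayloadScope") != "System":
        near = {k: profile[k] for k in profile if k.lower() == "payloadscope"}
        findings.append("PayloadScope must be 'System' for a TCC payload (found %s)"
                        % (near or "no scope key"))
    for service, ident, itype, req, allowed in tcc_grants(profile):
        if itype not in ("bundleID", "path") or not ident or not req:
            findings.append("%s: entry %r lacks Identifier/IdentifierType/CodeRequirement"
                            % (service, ident))
            continue
        if allowed and service in BROAD and ident in INTERPRETERS:
            findings.append("%s granted to %s: every script it runs inherits the grant"
                            % (service, ident))
    return findings


def verification_commands(profile):
    """Commands to run on the Mac; compare 'designated =>' with CodeRequirement."""
    return sorted({"codesign -dr - '%s'" % ident
                   for _, ident, itype, _, _ in tcc_grants(profile) if itype == "path"})


if __name__ == "__main__":
    p = load_profile(SAMPLE)
    for f in lint(p):
        print("FINDING:", f)
    for c in verification_commands(p):
        print("VERIFY: ", c)
```

The over-broad finding is the one to take seriously: Full Disk Access tied to `/bin/bash` by path applies to any bash script on the machine, not just the DEPNotify one, so a narrower grant such as `SystemPolicyNetworkVolumes` for the specific binary that launchd starts keeps the blast radius small while still fixing the `/Volumes` copy.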

  • Valued Contributor
  • December 17, 2019

@mlizbeth Still not working for me. So far the only thing that has resolved the issue for me is pointing it at a HTTP/HTTPS DP. I'm going to look into converting my SMB DPs over.


  • Valued Contributor
  • December 18, 2019

I encountered this same situation in my on-prem environment (still on 10.15.1) and am working with Jamf support on this. Haven't figured out a working resolution yet though.


  • Honored Contributor
  • December 20, 2019

FWIW, I have had much better success using launchctl asuser or launchctl bootstrap versus sudo -u user_name as far as getting DEPNotify to reliably launch and work in the user context.


dstranathan
  • Valued Contributor
  • January 6, 2020

I haven't seen any issues with DEPNotify installing on Catalina, but I have noticed that the DEPNotify Registration UI sheet is blank when deploying on Catalina (10.15.1). I'm referring to the optional interface that prompts for site-specific values such as Hostname, Department, Building, etc. The sheet doesn't render any info at all, other than the button to advance to the next step.

Edit: I'm running DEPNotify 1.1.4 (1.1.5 is out). Need to update and test again.