
Yo.



A recent couple of new Macs we're setting up came with Catalina, and I've noticed that when they try to copy packages down from our SMB shares, often times they fail with a message that states "Operation not permitted".



For example, logs show



Executing Policy VMWare Horizon Client
Mounting ATL DP
cp: /Volumes/JamfProShare-ATL/Packages/VMwareHorizon_v5.10.pkg: Operation not permitted

Error: The package (VMwareHorizon_v5.10.pkg) could not be found.


Any idea what this is and how to fix it? I was told it was a brand new Mac and it came with Catalina, so not sure if that has something to do with it.

I had experienced this problem way back during the early days of the beta. I quickly spun up 2 HTTPS Distribution Points & have not had a problem since.



I haven't pinned down the "why" this happened yet. I've been searching & searching for NetBIOS / SMB version deprecation / configuration changes but have not been able to find something directly from Apple stating changes made in Catalina that cause this issue. Tons of discussions regarding this though; if anyone has official documentation regarding Samba from Apple please share. Would love to get to the bottom of this as well.


What version of the JSS are you running? I'm having exactly the same problem on a Catalina machine running 10.15.1-t1569637051


It's a tricky one!



First of all I suggest starting to use HTTP/HTTPS instead of SMB 😉 You will then avoid a lot of pain in the future.



In regard to your problem... You can find out for yourself what's wrong by executing a simple policy trigger on a machine that's enrolled in Jamf Pro. For example:



sudo jamf policy -event "install-vmwarehorizoneclient"


For 99.9% you will get a prompt that "Terminal.app would like to access files on a network volume". That's obvious, as you're using Terminal to trigger this policy... so what if you're using Jamf Pro and would like to install something that is on your SMB share? Looks like the DP is mounted and then the copy command is executed. Nothing big, but during this process the parent of this command is bash. Because of that you have to allow /bin/bash to access SystemPolicyAllFiles via the Privacy Preferences Policy Control payload under configuration profiles.



I know that this isn't a good approach, giving bash full access... and it's more like a workaround than a solution. The solution for sure is to avoid SMB and go for HTTP/HTTPS.


I'm also having the same issue. Unfortunately, it won't be so easy for us to enable HTTP/HTTPS. Unless I'm missing something.


I'm seeing the same issue here. My DEPNotify script calls several installations and they all fail in Catalina. Installations based on a login policy fail as well. Self Service initiated installations seem to go fine. Jamf cannot replicate the problem. Turning off SIP resolved the problem, but obviously that's not a good path.


@tanderson On an unmanaged CataVista computer, I found my script was being quarantined; this fixed it:



xattr -d com.apple.quarantine ~/Desktop/sipsResize800max.sh



Not sure if that's helpful for any scripts being deployed by Jamf Pro, or embedded in PKGs.


Posted: 11/22/2019 at 10:05 AM CST by @tanderson

I'm seeing the same issue here. My DEPNotify script calls several installations and they all fail in Catalina. Installations based on a login policy fail as well. Self Service initiated installations seem to go fine. Jamf cannot replicate the problem. Turning off SIP resolved the problem, but obviously that's not a good path.


Same here


@lukasz.molenda @tanderson Me too, I can't easily switch to http/https.
In my testing with DEPNotify and Catalina I noticed you also need to set Terminal with a PPPC profile to access SystemPolicyAllFiles.
Maybe there's a better/safer solution.





<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>Services</key>
<dict>
<key>SystemPolicySysAdminFiles</key>
<array>
<dict>
<key>Identifier</key>
<string>com.apple.Terminal</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>identifier &quot;com.apple.Terminal&quot; and anchor apple</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Allow Terminal to modify sysadminfiles</string>
</dict>
</array>
</dict>
<key>PayloadDescription</key>
<string>Desc: TCC SystemPolicySysAdminFiles</string>
<key>PayloadDisplayName</key>
<string>Name: TCC SystemPolicySysAdminFiles</string>
<key>PayloadIdentifier</key>
<string>test.mdm.tcc.SystemPolicySysAdminFiles.1</string>
<key>PayloadOrganization</key>
<string>My Company</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadUUID</key>
<string>0D4540F5-35EC-45B8-9F11-46F6CA7721ED</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>Desc: TCC SystemPolicySysAdminFiles</string>
<key>PayloadDisplayName</key>
<string>Name: TCC SystemPolicySysAdminFiles</string>
<key>PayloadIdentifier</key>
<string>test.mdm.tcc.SystemPolicySysAdminFiles</string>
<key>PayloadOrganization</key>
<string>My Company</string>
<key>PayloadScope</key>
<string>system</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>963857BE-CDFF-4ED5-95CD-08FE187E1365</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

Not what you're asking for, but we have a script set up that installs VMware Horizon direct from VMware. It uses a variable where you just plug in the name of the .dmg file for the version you want downloaded and the URL for the download.



This is based on a script that did the same thing for Chrome.



#!/bin/bash
# Jamf script parameters: $4 = name of the .dmg file, $5 = download URL.
dmgfile="$4"
url="$5"
volname="VMware Horizon Client"
logfile="/Library/Logs/HorizonInstallScript.log"

# Append a timestamped line to the log file.
log() { echo "$(date): $*" >> "${logfile}"; }

echo "${dmgfile}"
echo "${url}"

echo "--" >> "${logfile}"
log "Downloading latest VMware Horizon Client version."
# Run the command directly so "$?" is its real exit status (echoing a backtick
# substitution always reported echo's 0). -f fails on HTTP errors instead of
# saving an error page as the .dmg; -L follows download redirects.
curl -sfL -o "/tmp/${dmgfile}" "${url}"
echo "$?"

log "Mounting installer disk image."
/usr/bin/hdiutil attach "/tmp/${dmgfile}" -nobrowse -quiet
echo "$?"

log "Installing VMware Horizon Client..."
ditto -rsrc "/Volumes/${volname}/VMware Horizon Client.app" "/Applications/VMware Horizon Client.app"
echo "$?"
/bin/sleep 10

log "Unmounting installer disk image."
# Find the device node of the mounted volume by its name and detach it.
/usr/bin/hdiutil detach "$(/bin/df | /usr/bin/grep "${volname}" | awk '{print $1}')" -quiet
echo "$?"
/bin/sleep 10

log "Deleting disk image."
/bin/rm "/tmp/${dmgfile}"
echo "$?"

exit 0

Thought I had it working by allowing DEPNotify PPPC control. But apparently not.


Hi,
you can check the logs for TCC requests:



https://carlashley.com/2018/09/06/reading-tcc-logs-in-macos/



Regards


I would try messing with PPPC control having to do with Jamf binary and/or Apple Remote Desktop. I use ARD to run my policies so I don't have to wait for the policies to run on their own. So giving ARD access to All Files and Jamf access to All Files, finally allowed my policies to run again.










Here is another little update... if I try to deploy a couple of packages with a policy set to a login trigger, I get "operation not permitted". If I try to deploy the same policy by pushing the script with Jamf Remote (sudo jamf policy -id XXXX): IT WORKS ALL THE TIME !!!


Starting to test Jamf Connect Login and using Notify during setup and getting this. I've added both bash and Terminal to a PPPC and am still having the issue. Any ideas?


@jmercier
Still trying to understand what I am missing; once I flush the failed policies and manually run them with



sudo jamf policy


(this triggers all policies scoped) they work without requesting any further PPPC approval; with DEPNotify or following login many of them keep failing.
I must definitely be missing something.


@carlo.anselmi
same for me... so for now I modified our internal procedure so we can deliver Catalina computers. Works fine but.... it should be the same as Mojave...


@tanderson @jmercier
Just to confirm that with SIP disabled everything works absolutely fine with DEPNotify/Catalina 10.15.2.
Does anyone using this kind of workflow know what can be causing the errors already reported with DEPNotify-triggered policies (and following policies at login) otherwise?
Thank you all!


So we have found that this issue only applies to AFP and SMB shares.



In the short term we have downloaded MAMP Pro and set up HTTP downloads.


@rickgmac so you have a Mac server with an SMB Casper share... set up with MAMP Pro for HTTP, and policies go fine on Catalina?


I too downloaded Simple HTTP Server from the App Store and have the SMB share also shared as an HTTP share, and it works fine.


I believe the error is relating to bash needing access to Network Volumes: https://www.jamf.com/jamf-nation/discussions/34278/depnotify-not-installing-apps-on-catalina#responseChild195490


So this was frustrating, but after looking at what process was actually running the login scripts I realized that loginwindow owns the process.
So if you create a PPPC for the com.apple.loginwindow bundle and give it SystemPolicyAllFiles and SystemPolicyNetworkVolumes it starts working. (Note you will also need to have defined a PPPC for jamf and also whichever shell you are using, /bin/sh or /bin/bash.)
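The profile this reply describes (loginwindow plus the jamf binary and the shell, covering the bash grant from the earlier reply as well), written out as an added example that is not any poster's code: it builds a system-scoped PPPC profile granting SystemPolicyAllFiles and SystemPolicyNetworkVolumes to com.apple.loginwindow, /bin/bash and /usr/local/bin/jamf, then checks it for the defects that make a pushed profile silently useless (a dangling key, user scope, an incomplete entry). The loginwindow and bash code requirements are assumed from Apple's signing convention; the jamf requirement is a placeholder to be read from a managed Mac with codesign -dr -.

```python
import plistlib
import uuid

# Constructed example, not any poster's profile. The loginwindow and bash code
# requirements are assumed from Apple's signing convention; the jamf one is a
# placeholder: run `codesign -dr - /usr/local/bin/jamf` on a managed Mac and paste it.
SUBJECTS = [
    ("com.apple.loginwindow", "bundleID", 'identifier "com.apple.loginwindow" and anchor apple'),
    ("/bin/bash", "path", 'identifier "com.apple.bash" and anchor apple'),
    ("/usr/local/bin/jamf", "path", "PLACEHOLDER_JAMF_DESIGNATED_REQUIREMENT"),
]
SERVICES = ("SystemPolicyAllFiles", "SystemPolicyNetworkVolumes")
TCC_TYPE = "com.apple.TCC.configuration-profile-policy"

def build_profile(org="My Company", prefix="example.mdm.tcc.loginwindow"):
    """Return a system-scoped profile with one TCC payload: SUBJECTS x SERVICES."""
    services = {svc: [{"Identifier": i, "IdentifierType": t, "CodeRequirement": r,
                       "Allowed": True, "Comment": f"Allow {i} {svc} for login policies"}
                      for i, t, r in SUBJECTS] for svc in SERVICES}
    common = {"PayloadOrganization": org, "PayloadVersion": 1,
              "PayloadDisplayName": "TCC loginwindow/bash/jamf"}
    payload = dict(common, PayloadType=TCC_TYPE, PayloadIdentifier=f"{prefix}.1",
                   PayloadUUID=str(uuid.uuid4()).upper(), Services=services)
    return dict(common, PayloadType="Configuration", PayloadScope="system",
                PayloadIdentifier=prefix, PayloadUUID=str(uuid.uuid4()).upper(),
                PayloadContent=[payload])

def profile_xml(**kw):
    """Serialise build_profile() to the XML plist a .mobileconfig holds."""
    return plistlib.dumps(build_profile(**kw))

def check_profile(xml_bytes):
    """Parse profile XML and return sorted (service, identifier) grants; raise
    ValueError on a dangling <key>, non-system scope or an incomplete entry."""
    prof = plistlib.loads(xml_bytes)  # a <key> with no value fails right here
    if prof.get("PayloadScope") != "system":
        raise ValueError("PPPC payloads are only honoured in system-scoped profiles")
    grants = []
    for pl in prof.get("PayloadContent", []):
        if pl.get("PayloadType") != TCC_TYPE:
            continue
        for svc, entries in pl["Services"].items():
            for e in entries:
                for k in ("Identifier", "IdentifierType", "CodeRequirement", "Allowed"):
                    if k not in e:
                        raise ValueError(f"{svc}: entry missing {k}")
                if e["Allowed"] is True:
                    grants.append((svc, e["Identifier"]))
    return sorted(grants)
```

Write profile_xml() to a .mobileconfig and upload it as a configuration profile; an entry for Terminal or DEPNotify is added the same way in SUBJECTS.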


@ddcdennisb is your version Pro or not? Simple to configure? Any advice?


I was using the free version. Super simple to config.



After reading @nate.barkei's reply this morning I added com.apple.loginwindow to my bash PPPC settings and tested this morning. It worked great. No further need to run the HTTP server on the Mac mini to get everything to work.




WOW.... I'll do more testing, but by giving PPPC to Terminal, bash and loginwindow... the login trigger on Catalina works now !!!

