Posted on 08-11-2022 09:42 AM
I'm a new Jamf Pro admin. The previous admin set things up to run the following script when we re-provision a Mac. It puts a full-screen splashscreen up that lets the user know that the computer shouldn't be used because software is being installed (a process that takes around an hour in a college computer lab). The script runs on our Apple Silicon Macs but not our Intel Macs. I'm new to scripting. Can anyone see why this script won't work correctly on an Intel Mac? Thanks. --Jeff
=================================
#!/bin/bash
# Variables
# Set these for your environment
jamfHelperHeading='Macalester College'
jamfHelperIconPath='/Library/Application\ Support/JAMF/extras/mac_logo.png'
launchAgentName='org.macalester.jamfHelperSplashScreen'
# You probably don't need to change these
launchAgentPath="/Library/LaunchAgents/${launchAgentName}.plist"
jamfHelperPath='/Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper'
# Functions
startSplashScreen () {
# Check for user not logged in
if [[ -z "$loggedInUser" ]]; then
# Remove existing LaunchAgent
if [[ -f ${launchAgentPath} ]]; then
rm ${launchAgentPath}
fi
# Write LaunchAgent to load jamfHelper script
defaults write ${launchAgentPath} KeepAlive -bool true
defaults write ${launchAgentPath} Label ${launchAgentName}
defaults write ${launchAgentPath} LimitLoadToSessionType "LoginWindow"
defaults write ${launchAgentPath} ProgramArguments -array-add "$jamfHelperPath"
defaults write ${launchAgentPath} ProgramArguments -array-add "-windowType"
defaults write ${launchAgentPath} ProgramArguments -array-add "fs"
defaults write ${launchAgentPath} ProgramArguments -array-add "-heading"
defaults write ${launchAgentPath} ProgramArguments -array-add "$jamfHelperHeading"
defaults write ${launchAgentPath} ProgramArguments -array-add "-description"
defaults write ${launchAgentPath} ProgramArguments -array-add "$message"
defaults write ${launchAgentPath} ProgramArguments -array-add "-icon"
defaults write ${launchAgentPath} ProgramArguments -array-add "$jamfHelperIconPath"
defaults write ${launchAgentPath} RunAtLoad -bool true
chown root:wheel ${launchAgentPath}
chmod 644 ${launchAgentPath}
echo "Created Launch Agent to run jamfHelper"
# Kill/restart the loginwindow process to load the LaunchAgent
echo "Ready to lock screen. Restarting loginwindow..."
if [[ ${osversMajor} -eq 10 && ${osversMinor} -le 14 ]]; then
killall -HUP loginwindow
fi
if [[ ${osversMajor} -eq 10 && ${osversMinor} -ge 15 ]]; then
launchctl kickstart -k system/com.apple.loginwindow # kickstarting the login window works but is slower and results in a runaway SecurityAgent process in macOS 10.15
sleep 0.5
killall -HUP SecurityAgent # kill the runaway SecurityAgent process
fi
if [[ ${osversMajor} -ge 11 ]]; then
launchctl kickstart -k system/com.apple.loginwindow
fi
fi
}
killSplashScreen () {
# Remove existing LaunchAgent and restart login window
if [[ -f ${launchAgentPath} ]]; then
echo "Removing LaunchAgent located at ${launchAgentPath}"
rm ${launchAgentPath}
fi
echo "Restarting loginwindow..."
killall loginwindow
}
removeLaunchAgentAtReboot () {
# Create a self-destructing LaunchDaemon to remove our LaunchAgent at next startup
if [[ -f ${launchAgentPath} ]]; then
launchDaemonName="${launchAgentName}.remove"
launchDaemonPath="/Library/LaunchDaemons/${launchDaemonName}.plist"
defaults write ${launchDaemonPath} Label "${launchDaemonName}"
defaults write ${launchDaemonPath} ProgramArguments -array-add "rm"
defaults write ${launchDaemonPath} ProgramArguments -array-add "${launchAgentPath}"
defaults write ${launchDaemonPath} ProgramArguments -array-add "${launchDaemonPath}"
defaults write ${launchDaemonPath} RunAtLoad -bool true
chown root:wheel ${launchDaemonPath}
chmod 644 ${launchDaemonPath}
echo "Created Launch Daemon to remove ${launchAgentPath}"
fi
}
# Start script
osversMajor=$(sw_vers -productVersion | awk -F. '{print $1}')
osversMinor=$(sw_vers -productVersion | awk -F. '{print $2}')
# Only proceed if macOS version is 10.13 or higer
if [[ ${osversMajor} -eq 10 && ${osversMinor} -le 12 ]]; then
echo "macOS version ${osversMajor}.${osversMinor} not supported."
exit 0
fi
# Get currently logged in user
loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
# Wait for _mbsetupuser to not be logged in (used by Apple for setup screens)
while [[ $loggedInUser = "_mbsetupuser" ]]
do
sleep 5
loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
#echo "Waiting for _mbsetupuser"
done
# Check for logged in user and exit if true
if [[ -n "$loggedInUser" ]]; then
echo "$loggedInUser is logged in. Exiting..."
exit 0
fi
message="Setting up computer. Please wait."
startSplashScreen
# Keep this Mac from dozing off
caffeinate -d -i -s -t 7200 &
# Prevent Jamf check-in policies from running until next reboot
launchctl unload /Library/LaunchDaemons/com.jamfsoftware.task.1.plist
launchctl unload /Library/LaunchDaemons/com.jamfsoftware.jamf.daemon.plist
Posted on 08-11-2022 11:02 AM
That looks like a script I wrote in the past. I would suggest moving away from trying to display a jamf helper message at the login window. It never worked perfectly, but somewhere around macOS 11 it got extra unreliable. I would suggest an enrollment workflow that involves a logged in user account and having something like DEPNotify deliver your status/progress information.
Here is the source for that script: https://github.com/cwmcbrewster/Jamf_Scripts/blob/master/Computer_Enrollment_LaunchAgent.sh
Posted on 08-11-2022 12:05 PM
@jconrod A definite +1 on what @cbrewer said regarding DEPNotify, but I'm a fan of DEPNotify-Starter as a starting block.
08-12-2022 06:28 AM - edited 08-12-2022 06:28 AM
for messaging, use JamfHelper Constructure https://github.com/BIG-RAT/jhc to build the message then copy / paste into script
Posted on 08-12-2022 02:28 PM
Been looking lately at Swift Dialog as a replacement for jamf helper & AppleScript dialog as it obfuscates the user typing passwords so great to use for Filevault key regen, etc
Posted on 08-12-2022 09:34 AM
Thanks, all! Time is short, so I may just have to tape a sign to the monitor for now. I'll look into redoing the process after the school year starts. Feel free to keep passing along suggestions! Thanks again, --Jeff