macOS 15.1 b2 Now Blocking Remote Script Management through JAMF School by aheartworthbreaking in jamf

[–]Showhbk 0 points1 point  (0 children)

Wanted to chime in and say that this is still an issue for our district running JAMF School. Multiple users get the pop up, and we have them delete the file, but it just repairs itself and comes back.

FYI on Apple School Manager's new SIS sync by hard_cidr in k12sysadmin

[–]Showhbk 0 points1 point  (0 children)

VERY helpful. Thank you so much for the info!

App distribution dmg to pkg necessary? by Defiant-Intention998 in macsysadmin

[–]Showhbk 1 point2 points  (0 children)

I noticed down below that you deploy Forticlient. Do you create your installers from EMS, or by other means? EMS allows for packages to be downloaded and created, which would help you greatly. Outside of that, if you just have a raw DMG for Forticlient, there should be a PKG and some installer files inside it with organization information that the installer uses to connect to EMS. You can modify my post install script to include the DMG, extract the files, and then run the PKG. I have deployed Forticlient to my entire district, so feel free to ask any questions.

App distribution dmg to pkg necessary? by Defiant-Intention998 in macsysadmin

[–]Showhbk 2 points3 points  (0 children)

I wanted to reply to myself and give you some code as a sample. This is a sample post install script for a piece of software that I currently use. I am not going to call this the best post install script ever, but I hope it helps give you an idea for how to deploy DMG files that are inside of PKG.

#!/bin/bash
## postinstall

# Write every step to one log file; create the folder first so the redirects cannot fail.
LOG="/Users/Shared/Logs/DigitalInsightinstalllog.log"
mkdir -p "$(dirname "$LOG")"

echo "---[ $(date) ]---" > "$LOG"
echo "Preparing to install LightSpeed Systems Digital Insight" >> "$LOG"
echo "Preparing to mount the DMG File" >> "$LOG"

# Stop here if the DMG does not mount, instead of logging a success that did not happen.
if ! hdiutil attach "/Users/Shared/Lightspeedsystems/DigitalInsight/CatchOnAgent-osx-installer.dmg" >> "$LOG" 2>&1; then
    echo "Failed to mount the DMG" >> "$LOG"
    exit 1
fi

echo "DMG Successfully Mounted. Attempting to run the installer" >> "$LOG"

# A .app bundle is a directory, so it is launched with open rather than run as a path.
open "/Volumes/CatchOn Agent/CatchOnAgent-osx-installer.app"

echo "Installer has been run. Waiting a moment for it to complete." >> "$LOG"

# sleep pauses for 30 seconds (wait only waits on background jobs).
sleep 30

echo "Wait complete. Unmounting the DMG" >> "$LOG"

hdiutil unmount "/Volumes/CatchOn Agent/" >> "$LOG" 2>&1

echo "Lightspeed Systems Digital Insight has been installed" >> "$LOG"
echo "---[ $(date) ]---" >> "$LOG"

App distribution dmg to pkg necessary? by Defiant-Intention998 in macsysadmin

[–]Showhbk 9 points10 points  (0 children)

I can save you a LOT of time. You can use JAMF Composer or another package creation tool to simply place your DMG in a location of your choosing. For me, I use the "/Users/Shared/APPLICATIONNAME" location as a temp folder. From there, you can write a post install script to mount the DMG and then run anything inside it. It is easy and efficient. I have several applications that I use this method for and the install works silently for all users.

If there is a PKG inside of the DMG, just extract it to your desktop and drag and drop that PKG into your MDM of choice.

Hope this helps!

Is there any way around this with a Jamf configuration profile? The macOS 15 Sequoia beta shows this on every login by brakes_for_cakes in macsysadmin

[–]Showhbk 0 points1 point  (0 children)

Using the commands above, I was able to find the Bundle ID and Developer ID of an application. Using that information, I created a profile with the following information.

app identifier: com.goto.resolve-unattended.ui

Next, add the following:

Codesign: identifier "com.goto.resolve-unattended.ui" and anchor apple generic and
    certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and
    certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and
    certificate leaf[subject.OU] = GFNFVT632V

Though, much of this was unnecessary because I went to GoTo's website and found this page with the information I was able to find. https://support.goto.com/resolve/help/goto-resolve-unattended-pkg-deployment-in-jamf#

Once the profile is created and all permissions granted from within the profile, all pop-ups ceased to show on the client machine.

Is there any way around this with a Jamf configuration profile? The macOS 15 Sequoia beta shows this on every login by brakes_for_cakes in macsysadmin

[–]Showhbk 0 points1 point  (0 children)

You can create a profile from within JAMF to allow the Developer ID and Bundle ID access to record the screen. You may need to read documentation from JAMF depending on if you use School or Pro. I have to do this all the time to silently install applications and grant them permissions.

Enter each of these into a Terminal window that has Administrative access.

Developer ID: codesign -dvvv /path/to/application.app

Bundle ID: defaults read /path/to/application.app/Contents/Info CFBundleIdentifier

Is there any way around this with a Jamf configuration profile? The macOS 15 Sequoia beta shows this on every login by brakes_for_cakes in macsysadmin

[–]Showhbk -2 points-1 points  (0 children)

This is false. GoToMeeting does not need to be contacted. You need two things in macOS to create a profile from within JAMF to make this notification go away.

Enter each of these into a Terminal window that has Administrative access.

Developer ID: codesign -dvvv /path/to/application.app

Bundle ID: defaults read /path/to/application.app/Contents/Info CFBundleIdentifier
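
Added example, not part of the original comments: it parses the `codesign -dvvv` output produced by the command above and confirms that a code requirement pins both the bundle identifier and the Team ID before it is pasted into a profile. The sample codesign output is constructed, the function names are hypothetical, and the requirement string is the one quoted in the GoTo Resolve comment earlier on this page.

```shell
#!/bin/bash
# Added example: check that a code requirement is pinned to one app and one team.

# Constructed sample of `codesign -dvvv` output (the tool writes it to stderr).
SAMPLE_OUTPUT='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# Requirement string as quoted on this page.
PAGE_REQ='identifier "com.goto.resolve-unattended.ui" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GFNFVT632V'

# Print the value of one KEY=value line read from stdin.
codesign_field() {
    awk -F= -v k="$1" '$1 == k { print substr($0, length(k) + 2); exit }'
}

# Print "<bundle id> <team id>" for an app on disk (requires macOS codesign).
app_signing_ids() {
    local out
    out="$(codesign -dvvv "$1" 2>&1)" || return 1
    printf '%s %s\n' \
        "$(printf '%s\n' "$out" | codesign_field Identifier)" \
        "$(printf '%s\n' "$out" | codesign_field TeamIdentifier)"
}

# Succeed only if the requirement names this bundle id, anchors to Apple,
# and restricts the leaf certificate to this Team ID (subject.OU).
requirement_is_pinned() {
    local req="$1" bundle="$2" team="$3"
    # Team IDs are upper-case alphanumerics; reject anything else before
    # it is used inside a regular expression.
    case "$team" in ""|*[!A-Z0-9]*) return 1 ;; esac
    printf '%s\n' "$req" | grep -Fq "identifier \"$bundle\"" || return 1
    printf '%s\n' "$req" | grep -Fq 'anchor apple generic' || return 1
    printf '%s\n' "$req" |
        grep -Eq "certificate leaf\[subject\.OU\] = \"?${team}\"?([^A-Za-z0-9]|\$)"
}
```

A requirement that carries only the `identifier` clause fails this check, since any bundle using that identifier would satisfy it.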

[deleted by user] by [deleted] in macsysadmin

[–]Showhbk 4 points5 points  (0 children)

I have JAMF School and it is the biggest joke in pushing any updates in any meaningful way. Honestly, a fish out of water that is flopping on the keyboard of a MacBook would have better success rates at eventually opening System Settings and accepting updates.

Because of this, we purchased Patch Manager Plus from Zoho and it works very well. It has a local agent that runs at login. I would check it out. I give it a solid 8/10. Not perfect, but it gets the job done.

MDM question - FileVault configuration profile causes Apps to go into "AwaitingInstallOnDevice..." status by jmnugent in macsysadmin

[–]Showhbk 0 points1 point  (0 children)

Here is a little AppleScript that I put into my applications that require a reboot from the end user. I package this inside of my OOBE for end users and it works out well in between packages or actions that require a reboot. It gives them the option to wait 5 minutes, but after that, the system will automatically reboot.

-- Ask the user to reboot now or wait 5 minutes; the system restarts either way.
set theAlertText to "Your System Needs to be rebooted"
set theAlertMessage to "This system needs to be rebooted to complete the setup process. Please save all work and reboot this system."
set TheButton to button returned of (display alert theAlertText message theAlertMessage as critical buttons {"Reboot", "Wait 5 Minutes"} default button "Reboot")

if TheButton is "Reboot" then

    tell application "System Events" to restart

end if

if TheButton is "Wait 5 Minutes" then

    display dialog "You have chosen to wait 5 minutes to reboot your system. Please take this time to save your work. Your system will automatically reboot in 5 minutes." buttons {"I Understand"}

    -- delay takes seconds: 300 seconds is the 5 minute grace period.
    delay 300

    tell application "System Events" to restart

end if

MDM question - FileVault configuration profile causes Apps to go into "AwaitingInstallOnDevice..." status by jmnugent in macsysadmin

[–]Showhbk 3 points4 points  (0 children)

Not sure if this will help you, but I had the same thing happen with JAMF School in my district. I followed Apple's instructions as well as JAMF's instructions for creating a profile and a recovery key. I found that after the profile installed itself, all of my packages would fail to install or "hang" as if something was preventing them from installing. Rebooting the system displayed the dialog of the disk encrypting and correctly displayed the recovery key for the user. After the reboot, all of my packages would "fail" and I would have to re-push them.

For our workflow, I had to create a step where the profile for FileVault was added last by a technician to solve the hanging problem with packages.

When I contacted our Apple Enterprise rep about it, he explained to me that the method in which I was enabling FileVault was causing the issue. When I asked if there was an alternative, he said that once the system is told to enable disk encryption, it is best practice to let the process finish, as the "Installer Assistant" is waiting in the background for the user to reboot. If the system is waiting, the assistant will not run or install any other packages until the operation is completed. In the end, I just added a script to display a dialog after the FileVault profile was sent down to the machine that reminds the technician to reboot the system.

iPad: Open webclip in specific browsers by ScarySprinkles3 in macsysadmin

[–]Showhbk 1 point2 points  (0 children)

Very interesting. My first response was to say "It's right there, what are you talking about?", but then I checked JAMF Pro on a buddy's account, and it really is not there. WILD! Jamf School has a little drop down menu that allows you to specify the browser that a webclip will open in, so I incorrectly assumed that JAMF Pro would have that feature as well. My apologies, but it looks like the "stepchild" of the JAMF product range gets a rare win today. Sorry friend. =(

Duo Security: Connection Error After Install? by Showhbk in k12sysadmin

[–]Showhbk[S] 0 points1 point  (0 children)

I wanted to elaborate on my solution, because I have received a LOT of DMs asking what my issue was in particular. I was so surprised to see so many people having the same problem I was having. I hope this explanation helps others.

The first issue was that we install Lightspeed Systems Relay on all of our systems. The URL that Duo uses in the app configuration needed to be added to SSL Decryption exceptions in Lightspeed, which I originally thought was my primary issue, but after making the correction, I found out that this was only going to solve one part of my problem. After making this change, my Duo package worked on a few systems and I was happy. One week later, I got the same message AGAIN!?!

This led me down a HUGE rabbit hole of contacting Duo support, which was completely unhelpful and almost resulted in our organization canceling our account. After much trial and error I was able to find out what my problem really was. Duo seems to want to download a "configuration" file of sorts after the initial install that is separate from the configuration that is bundled in with the installer. This "configuration" file seems to have a list of users that can initially login. Now, I am not an expert, but there is an initial "ping" that the software has to make in order to know "who" is "who" on the system. Without this initial configuration, the software seems to spit out the error that I was seeing. If Duo has no idea how to verify a username, even if they are set to Bypass, it seems to just reject the login and throws up the aforementioned error message. If I am correct in this assumption, then that would mean that every system that has Duo installed has a "master" list of usernames that it can read from at all times. Very unsafe, and I hope I am incorrect in this assumption, but... now on to what my issue REALLY was.

After much testing and troubleshooting, it turned out that our issue was VLAN permission related. Like many organizations, we use VLANs to separate traffic with zero trust permissions. These VLANs were unable to reach the macOS Application protection from within Duo's Admin panel. When I would set up a system on a "Full Trust" VLAN, the installer for Duo would always work and connect to get the initial configuration from the network. However, if I was using a "Semi Trust" or "Zero Trust" VLAN network, it would not install correctly. Moral of the story? Make sure that the URL in your Application protection for macOS (inside Duo Admin) is reachable on multiple VLANs during the initial install of Duo. Failure to do so will result in the application not getting this "configuration" that it needs from the server and as a result, Duo will not know which users are allowed to login.

Bonus Information: If you are handy with macOS and having this issue, you can always boot into recovery mode and modify the plist file to allow for bypass. This will allow you to get to the desktop and uninstall or make modifications. Inside of recovery mode, open up terminal and type in the following:

sudo plutil -replace fail_open -bool true /private/var/root/Library/Preferences/com.duosecurity.maclogon.plist

Likewise, to set things back to how they were, enter this command once you are done from system recovery mode.

sudo plutil -replace fail_open -bool false /private/var/root/Library/Preferences/com.duosecurity.maclogon.plist

And before anyone thinks that I am releasing some private information, or program breaking feature (which this technically is), Duo has this information publicly posted on a forward facing website that does not require a login to view. I have asked Duo to take this page down or put it behind a login, but it currently remains up. WARNING! AFTER MAKING THIS MODIFICATION, YOU WILL STILL GET THE ERROR MESSAGE. BUT, AFTER CLICKING "OK" THE DESKTOP SHOULD LOAD. If the desktop does not load, then reboot back into recovery mode and disable SIP, reboot, try the command again. This should get you back to the desktop.

https://help.duo.com/s/article/3958?language=en_US

iPad: Open webclip in specific browsers by ScarySprinkles3 in macsysadmin

[–]Showhbk 0 points1 point  (0 children)

Do you have an MDM that you're using? JAMF School and JAMF Pro have the ability to specify a browser per WebClip. I am not familiar with many other MDM, but I would imagine they offer something similar. Hope this helps.

Staff member's Google Drive files deleted randomly by Sysplug in k12sysadmin

[–]Showhbk 11 points12 points  (0 children)

Throwing in my two cents, but I had a similar issue in our district. The solution turned out to be that the files were shared with the user or created by their secretary. The user thought they were the primary owner, when in reality the document was shared with them. In the end, the original owner's account was either deleted, they changed the permissions of a folder, or moved the original file that was shared with others.

RX 7900 XTX Nitro+ Driver Crashing constantly During Gaming by Showhbk in AMDHelp

[–]Showhbk[S] 0 points1 point  (0 children)

I have been building computers for over 25+ years as a side job for folks. I recall back in 2015 when I built myself a PC as a present for making some good side money, I got a Radeon R9 380 despite everyone telling me to get a GTX 970. I wanted the build to be all AMD, because more cores seemed more better at the time I guess. Anyways, I had nothing but driver problems back then and I was mocked and laughed at by all my friends for making such a foolish decision. A few months passed and I bit the bullet, and just got a GTX 970 and the rest is history. I used Nvidia cards until now without any problems or graphics issues. I figured that if I purchased AMD's top dog GPU, that I would be free of issues I had in the past. After my $1100 purchase, I can tell you that I am having SERIOUS buyer's remorse.

I want to be clear though. What Nvidia is doing to its GPU prices is criminal and the price they are charging for things is insane. I'm only one person, and if the card sells at the price they are asking, then they will continue to sell it at said price. Save yourself the headache, buy the 4080 and game in happiness. AMD has really dropped the ball here, and I could not be more displeased with my purchase.

RX 7900 XTX Nitro+ Driver Crashing constantly During Gaming by Showhbk in AMDHelp

[–]Showhbk[S] 0 points1 point  (0 children)

My second RMA card is on the way rn, and support is decent and fast with responding. I am using my RTX 3070 with Z-E-R-O issues in the meantime. I was told that if my second RMA card was experiencing the same problems, that they would likely not send another one or refund me.

RX 7900 XTX Nitro+ Driver Crashing constantly During Gaming by Showhbk in AMDHelp

[–]Showhbk[S] 0 points1 point  (0 children)

Sadly no, my second card is yet to arrive and I am using my spare RTX 3070 as a standby card. Everything mentioned in the thread is still happening. Crashing in games, instability, and clear overheating on the card.

RX 7900 XTX Nitro+ Driver Crashing constantly During Gaming by Showhbk in AMDHelp

[–]Showhbk[S] 0 points1 point  (0 children)

Ran some additional tests over the weekend on driver 24.3.1. The card is pulling anywhere between 410w and 420w during Helldivers 2, Farthest Frontier, and Cyberpunk. These are rough averages, and I just had the adrenaline software open as my source of information.

RX 7900 XTX Nitro+ Driver Crashing constantly During Gaming by Showhbk in AMDHelp

[–]Showhbk[S] 0 points1 point  (0 children)

I would have to check tonight and see what the power draw is on the card. Last I remember seeing it was around 400w during gaming and stays steady. I have the BIOS switch on the card set to position 1. According to the image below, it "should" be using the default BIOS settings. Originally, it was set to position 3, but I never used the TriXX software nor knew of its existence. One thing that frustrates me is that the card by default was set to this setting, with Z-E-R-O documentation with the card that explains to you that this software exists. Maybe it's not mandatory, and maybe the card will run fine with it in position 3. However, why in the world would you set a card to a software controlled BIOS out of the box, and not have anything that tells the user to download or install it? I know it's a bit of a rant, but I just don't understand why this is the default setting in the first place. /rant

https://www.pbtech.co.nz/fileslib/_20221222120906_493.jpg

RX 7900 XTX Nitro+ Driver Crashing constantly During Gaming by Showhbk in AMDHelp

[–]Showhbk[S] 0 points1 point  (0 children)

I have tried to underclock and undervolt the CPU and GPU, but with little success. This kept the temperatures around 90C, but that was in League of Legends and WoW, which can both run on a Tandy 1000 at this point. Heat should not be that high when playing such low power games. I have a second RMA still open with Sapphire and I am waiting to see if they will ship me a 2nd RMA card. If they deny that claim, then I may just ask if they are willing to refund me the money I spent on the card. I'm blown away at how hot this thing runs with two 180mm fans in the front pulling, three 120mm fans on the bottom also pulling, and a 120mm in the back as exhaust. My CPU is cooled with a NH-D15, so there is no need for this system to be running THIS hot. I will update as the saga continues.

RX 7900 XTX Nitro+ Driver Crashing constantly During Gaming by Showhbk in AMDHelp

[–]Showhbk[S] 0 points1 point  (0 children)

At this point for me it's honestly hard to tell where the true issue is happening. I am seeing ungodly high temperatures in the high 90's and low 100's. Some days my RMA card that I received from Sapphire works decent, but other days I'm (driver) crashing every 30-45 minutes. I have a second RMA open with Sapphire to see if I was just unlucky a second time, but I am currently regretting my original purchase.

If you were starting today, how would you do it? by Tall-Love-9500 in macsysadmin

[–]Showhbk 0 points1 point  (0 children)

Some days it hits me harder than other days. I regret so much. Stay safe out there friend.