AppleScript via BigFix
How do I get the following AppleScript to show a dialog to the user?
display dialog "foo"
When executing the above, the client log shows “Script ended (exit code = 1)”
When logging in over ssh and sudo’ed to root, the following works (a popup is observed):
sh-3.2# echo display dialog “foo” | osascript
2018-09-18 11:26:59.061 osascript[4609:52609] GetInputSourceEnabledPrefs user file path = /var/root/Library/Preferences/com.apple.HIToolbox.plist
2018-09-18 11:26:59.061 osascript[4609:52609] GetInputSourceEnabledPrefs effective user id path = 0
2018-09-18 11:26:59.061 osascript[4609:52609] GetInputSourceEnabledPrefs user pref content = <CFBasicHash 0x7fe43cf054f0 [0x7fff8c754af0]>{type = immutable dict, count = 1,
entries =>
2 : <CFString 0x7fff8c6fcb78 [0x7fff8c754af0]>{contents = “AppleCurrentKeyboardLayoutInputSourceID”} = <CFString 0x7fff8c71acf8 [0x7fff8c754af0]>{contents = “com.apple.keylayout.US”}
}
Debugging on MacOS
On Windows computers, I use psexec to launch a command prompt as the system user to better simulate the environment in which besclient is executing. I’m not sure what the equivalent would be for MacOS and would like to hear about your techniques for creating MacOS content.
It is much easier on *nix than it is on windows, you just do sudo su to become root, then run things there. That is how you simulate the environment in which bigfix runs.
You can also run commands “as the current user” on MacOS by doing su {name of current user} -c command
It is definitely easiest if you can run the AppleScript as root and get it to work, but displaying a dialog to the user as root is not ideal for security reasons, probably best to do that as the current user.
I’ve tried many times to get BigFix’s root shell to elevate to the current user and run AppleScript in the user’s console session, but never gotten it to work.
Our Mac provisioning relies on AppleScript for a few different steps – running a .app in some cases, and just using display dialog in others. In both use cases, they need to run in the context of the account of the tech doing the provisioning. I had a hell of a time trying to get it to happen. Not saying this is the prettiest way this can be done, but it’s the way I got it working in my environment.
First I use a createfile to make a .sh file containing the osascript command I want to run. Then I make a second .sh script using osascript to open Terminal and run the first script. For that one, I override wait and run it as the current user. Every time I look at it it seems too convoluted, but it works, and nothing else I tried did, so… sometimes you just go with what works. Here is a slightly redacted example of what I’m talking about:
//create the actual script we want to run
delete __createfile
delete "/tmp/finish.sh"
createfile until EOF
osascript <<END
display dialog "Provisioning is complete! Please reboot the computer now. If this is a laptop, you'll be prompted to enter the account password to begin encryption"
END
EOF
move __createfile "/tmp/finish.sh"
wait chmod +x "/tmp/finish.sh"
parameter "Script" = "/tmp/finish.sh"
//create osascript to run provisioning complete script
delete __createfile
delete "/tmp/osascript.sh"
createfile until EOF
osascript <<END
tell application "Terminal"
do script "{parameter "Script"}"
end tell
END
EOF
move __createfile "/tmp/osascript.sh"
wait chmod +x "/tmp/osascript.sh"
//run it
override wait
runas=currentuser
wait bash "/tmp/osascript.sh"