Mac OSX10.11 Bigfix doesn't make changes to directory (root permissions denied?)

WretchedKat · January 10, 2017, 4:02pm

I was pushing out a script that I had created that would hide the Menubar WiFi icon on Macs. I ran it on a test mac (osx10.10) and it worked fine, however when I pushed out the script to our labs I checked with some of them and it didn’t work. I used screen sharing to remote into one that didn’t work and tried manually doing each part of the script as our admin account and permission was denied. I was just curious if there was some patch that Apple pushed out recently for OSX10.11 that won’t allow bigfix to use root when pushing out scripts. If anyone has any ideas then please let me know! Thanks!

rustymyers · January 10, 2017, 4:18pm

Possibly System Integrity Protection (SIP) is in play here. You may be trying to touch a part of the system that is protected.

WretchedKat · January 10, 2017, 7:32pm

So is there any kind of work around to access the areas of SIP through bigfix? Or are these just untouchable now?

rustymyers · January 10, 2017, 7:38pm

Profiles are able to help manage preferences that are blocked by SIP. You could disable SIP, but I wouldn’t suggest that. What’s the command you are attempting to run?

WretchedKat · January 10, 2017, 7:42pm

Just trying to create a directory inside Menu Extras so I can put the Airport.menu inside which would hide the wifi icon in the macs menubar…the following are the commands. It won’t even get past the first:

This will create a folder called “HiddenMenuItems” in the directory path

sudo mkdir /System/Library/CoreServices/Menu\ Extras/HiddenMenuItems

This will move the desired menu extra (in this case the wifi icon) to the hidden folder created above (HiddenMenuItems)

sudo mv /System/Library/CoreServices/Menu\ Extras/Airport.menu /System/Library/CoreServices/Menu\ Extras/HiddenMenuItems

For this to take immediate effect the process needs to restart; this command will kill/restart the menu bar extras

killall SystemUIServer

rustymyers · January 10, 2017, 8:12pm

Based on this post:
https://www.jamf.com/jamf-nation/discussions/18103/hiding-the-airport-menu-item

I came up with this profile that removes the WiFi from the Menu Bar. The user can enable the wifi manually, but the profile will disable it again (some time).

Save the xml to a file that ends in .mobileconfig and install it through a task with

wait profiles -I -F "__Download/disablewifi.mobileconfig"

disablewifi.mobileconfig:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadContent</key>
			<dict>
				<key>com.apple.mcxMenuExtras</key>
				<dict>
					<key>Forced</key>
					<array>
						<dict>
							<key>mcx_preference_settings</key>
							<dict>
								<key>AirPort.menu</key>
								<false/>
							</dict>
						</dict>
					</array>
				    <key>mcx_targets</key>
				    <array>
				        <string>user</string>
					</array>
				</dict>
			</dict>
			<key>PayloadEnabled</key>
			<true/>
			<key>PayloadIdentifier</key>
			<string>MCXToProfile.b85631c6-5988-4d80-a3e4-df04f0e3cd0f.alacarte.customsettings.6fdd6ea8-4d80-4ba9-9685-ccaf74e512e7</string>
			<key>PayloadType</key>
			<string>com.apple.ManagedClient.preferences</string>
			<key>PayloadUUID</key>
			<string>6fdd6ea8-4d80-4ba9-9685-ccaf74e512e7</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string>Disable Wifi</string>
	<key>PayloadDisplayName</key>
	<string>DisableWiFi</string>
	<key>PayloadIdentifier</key>
	<string>edu.psu.disablewifi</string>
	<key>PayloadOrganization</key>
	<string></string>
	<key>PayloadRemovalDisallowed</key>
	<true/>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>b85631c6-5988-4d80-a3e4-df04f0e3cd0f</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

It’s not perfect, but it allows you to do what you want without having to change SIP.

WretchedKat · January 11, 2017, 2:59pm

Do I need to install it to a specific location? Also, do I need to run this config?

WretchedKat · January 11, 2017, 3:27pm

When I try to do the following the wifi icon doesn't disable and is still in the menubar:
delete __createfile

createfile until _end_
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadContent</key>
			<dict>
				<key>com.apple.mcxMenuExtras</key>
				<dict>
					<key>Forced</key>
					<array>
						<dict>
							<key>mcx_preference_settings</key>
							<dict>
								<key>AirPort.menu</key>
								<false/>
							</dict>
						</dict>
					</array>
				    <key>mcx_targets</key>
				    <array>
				        <string>user</string>
					</array>
				</dict>
			</dict>
			<key>PayloadEnabled</key>
			<true/>
			<key>PayloadIdentifier</key>
			<string>MCXToProfile.b85631c6-5988-4d80-a3e4-df04f0e3cd0f.alacarte.customsettings.6fdd6ea8-4d80-4ba9-9685-ccaf74e512e7</string>
			<key>PayloadType</key>
			<string>com.apple.ManagedClient.preferences</string>
			<key>PayloadUUID</key>
			<string>6fdd6ea8-4d80-4ba9-9685-ccaf74e512e7</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string>Disable Wifi</string>
	<key>PayloadDisplayName</key>
	<string>DisableWiFi</string>
	<key>PayloadIdentifier</key>
	<string>edu.psu.disablewifi</string>
	<key>PayloadOrganization</key>
	<string></string>
	<key>PayloadRemovalDisallowed</key>
	<true/>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>b85631c6-5988-4d80-a3e4-df04f0e3cd0f</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>
_end_

move __createfile disablewifi.mobileconfig

wait profiles -I -F "__Download/disablewifi.mobileconfig"

rustymyers · January 11, 2017, 4:58pm

It should disappear after a log out/log in.

WretchedKat · January 11, 2017, 8:37pm

It doesn’t seem to work when I run it and then log out/log in again or even restart.

rustymyers · January 12, 2017, 1:13pm

Hmm, interesting. I only tested in on 10.12, so perhaps it doesn’t work with 10.11. Have you tried to create and install it manually, or only through BigFix?

WretchedKat · January 12, 2017, 1:50pm

I only tried it through bigfix, let me try and do it manually. Maybe I can get an error message or something as to why it isn’t working.

WretchedKat · January 12, 2017, 2:11pm

Okay, so I ran it locally and it worked fine, but I did have to change the location from where it was running. I’m going to try changing the location that it is running from in Bigfix and see if that works.

WretchedKat · January 12, 2017, 2:14pm

Also, is a logout absolutely required? Would it work to do a “killall SystemUIServer”?

WretchedKat · January 12, 2017, 2:24pm

Nevermind. I tried the command “killall SystemUIServer” and it didn’t work. However when I logged out and back in after running the fixlet the wifi icon is hidden! =)
Thanks for your help!

twhiteWC · January 13, 2017, 9:51pm

This is outstanding guys - way to go!