Closed rodchristiansen closed 5 years ago
This change is allowing me to run user level profile installs with outset login-every scripts such as:
/usr/bin/profiles -I -F /path/to/profile.mobileconfig -U admin
"This change is allowing me to run user level profile installs with outset login-every scripts..."
If you are installing user-level profiles with a script instead of using Outset's built-in ability to install profiles, then wouldn't you just add your extra check to the script?
/usr/bin/profiles -I -F /path/to/profile.mobileconfig -U admin
should not work as anything other than root. If your desire is to install profile.mobileconfig as a user-level profile for only the admin user then your script should check the current user and exit if it's not "admin"
Yes, the scripts check for the user. I'm just noticing a difference between how login-every have been behaving up to 10.14.6 and on the latest 10.15 betas. Whatever new privacy changes to the local user Apple has done changed how this worked.
Here is the script for reference:
#!/bin/sh
# Only act when the logged-in user is "admin".
if [ "$(whoami)" = "admin" ]; then
    /usr/bin/profiles -I -F /Library/Profiles/AdminWallpaper.mobileconfig -U admin
fi
Suggestions for how this should be written differently?
/usr/bin/profiles should run as root and with the -U flag and target the profile as user-level but in Catalina this won't install.
How about just:
#!/bin/sh
# No -U flag: run as a non-root user, profiles targets the current user.
if [ "$(whoami)" = "admin" ]; then
    /usr/bin/profiles -I -F /Library/Profiles/AdminWallpaper.mobileconfig
fi
?
When profiles is run by not-root, the user is automatically the current user.
Occam's razor reigns supreme. Indeed that is the simplest course of action and solves the problem. I'll close this.
Replicate the on-demand behaviour to get /usr/bin/profiles command to work in Catalina for user level .mobileconfig installs.
Slack discussion: https://macadmins.slack.com/archives/C0HLW2QAH/p1566613669000900?thread_ts=1566490184.060300&cid=C0HLW2QAH