ducksrfr / mac_admin

Helpful scripts & configuration profiles for the Mac admin community
MIT License
234 stars 43 forks

Execution error: No User interaction allowed. #2

Closed Genesis2kx closed 5 years ago

Genesis2kx commented 5 years ago

When testing from a Jamf Pro Policy I get the following error in the policy logs.

28:320: execution error: No user interaction allowed. (-1713).

Seems to work fine when I run the script locally from terminal. The only difference is it's running as root from JAMF and not root when local.

Any ideas?

ducksrfr commented 5 years ago

Is this Mac on Mojave, and did that error happen when a user clicks the Change Password button?

If so, then the Jamf binary (and/or) jamfagent need a PPPC profile for Accessibility access. Both are whitelisted in my environment, but this is a good call out. I’ll work on uploading a PPPC profile that whitelists for this purpose and add a note in the script.

On Feb 19, 2019, at 16:17, Alex Hylton notifications@github.com wrote:

When testing from a Jamf Pro Policy I get the following error in the policy logs.

28:320: execution error: No user interaction allowed. (-1713).

Seems to work fine when I run the script locally from terminal. The only difference is it's running as root from JAMF and not root when local.

Any ideas?


ducksrfr commented 5 years ago

https://github.com/ducksrfr/mac_admin/blob/master/Privacy%20Preferences%20Policy%20Control%20Profiles/Jamf_accessibility.mobileconfig

Genesis2kx commented 5 years ago

Yes, the Mac is on Mojave and the error is only seen in the policy log in the Jamf Pro server when the policy runs. On the Mac itself, no pop-ups appeared with the dialog stating the password was expired etc., and it didn't open the System Preferences window. It's as if the script could not execute at all on the machine. Tried another Mojave machine and got the same error in the policy log, but no signs that the script ran at all on the target machine since no pop-ups appeared.

I uploaded the jamf accessibility config profile and got an error that it could not create an object from the file. Does the file need to be edited in some way before upload? @ducksrfr

ducksrfr commented 5 years ago

Ok, if the dialog won't even appear let's make sure you have Jamf whitelisted for System Events, SystemUIServer, and Finder as well. Here's an example profile: https://github.com/rtrouton/privacy_preferences_control_profiles/tree/master/Privacy%20Settings%20Whitelist%20-%20Jamf%20Notifications

I would also try signing the profiles before uploading to Jamf so that it doesn't get altered in any way.

ducksrfr commented 5 years ago

Ok, the script has been updated to reflect what I have in Jamf. sudo -u $currentUser is prepended on each osascript command. Added an additional note about PPPC whitelisting for AppleEvents to control System Events along with PPPC whitelisting for Accessibility.

ducksrfr commented 5 years ago

Prefacing the osascript command with sudo -u $currentUser resolves the issue when running the script via Jamf/as root.
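
The fix described in this thread, as an added example that is not the repository's script: resolve the console user, skip the dialog when nobody is logged in, and run osascript as that user rather than as root. The function names and the CONSOLE_USER_OVERRIDE and DRY_RUN variables are assumptions introduced here for illustration.

```shell
#!/bin/bash
# Added example, not the repository's script. Function names and the
# CONSOLE_USER_OVERRIDE / DRY_RUN variables are hypothetical; the
# sudo -u "$currentUser" prefix is the fix described in the thread.

# Print the owner of the GUI console session (BSD stat, as shipped on macOS).
# CONSOLE_USER_OVERRIDE lets the logic be exercised away from a managed Mac.
console_user() {
    if [ -n "${CONSOLE_USER_OVERRIDE+x}" ]; then
        printf '%s\n' "$CONSOLE_USER_OVERRIDE"
    else
        stat -f%Su /dev/console
    fi
}

# Return 0 only for a real logged-in user. At the login window the console
# is typically owned by root, and nobody is present to answer a dialog.
is_interactive_user() {
    case "$1" in
        ""|root|loginwindow|_mbsetupuser) return 1 ;;
        *) return 0 ;;
    esac
}

# Run one AppleScript statement as the console user instead of root.
# With DRY_RUN=1 the command line is printed rather than executed.
osascript_as_user() {
    local currentUser
    currentUser=$(console_user) || return 2
    if ! is_interactive_user "$currentUser"; then
        echo "no interactive user (console owner: '$currentUser'); skipping" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'sudo -u %s osascript -e %s\n' "$currentUser" "$1"
        return 0
    fi
    # Quote the user name so an unexpected value cannot split into extra arguments.
    sudo -u "$currentUser" osascript -e "$1"
}
```

A policy script would call `osascript_as_user 'display dialog "..."'` and treat a return status of 1 as "try again at next check-in" rather than as a failure.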