Yo with Casper hangs

[danshaw]

I've set up an alert in Casper using the Yo Casper script, but for some reason I am having issues with it hanging on multiple user laptops. What's strange is that it works when I try it on my computer (10.12.3) or on a VM that I have set up 10.11.6). Looking at the Casper logs I see:

KeyboardInterrupt below means that I cancelled out of the process via ssh when testing this.

Executing Policy Notify Users that Sierra is Available
Running script yo-casper...
Script exit code: 1
Script result: 2017-03-10 08:27:55.798 yo[25654:3807934] CFPasteboardRef CFPasteboardCreate(CFAllocatorRef, CFStringRef) : failed to create global data
2017-03-10 08:27:55.799 yo[25654:3807934] CFPasteboardRef CFPasteboardCreate(CFAllocatorRef, CFStringRef) : failed to create global data
2017-03-10 08:27:55.799 yo[25654:3807934] CFPasteboardRef CFPasteboardCreate(CFAllocatorRef, CFStringRef) : failed to create global data
2017-03-10 08:27:55.800 yo[25654:3807934] CFPasteboardRef CFPasteboardCreate(CFAllocatorRef, CFStringRef) : failed to create global data
2017-03-10 08:27:55.831 yo[25654:3807934] Posting notification.
Traceback (most recent call last):
File "/Library/Application Support/JAMF/tmp/yo-casper", line 118, in 
main()
File "/Library/Application Support/JAMF/tmp/yo-casper", line 90, in main
subprocess.call(constructed_args)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/subprocess.py", line 522, in call
return Popen(*popenargs, **kwargs).wait()
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/subprocess.py", line 1384, in wait
pid, sts = _eintr_retry_call(os.waitpid, self.pid, 0)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/subprocess.py", line 476, in _eintr_retry_call
return func(*args)
KeyboardInterrupt
Error running script: return code was 1.

[tulgeywood]

So I'm investigating this myself, I think for it to work with Jamf correctly a LaunchAgent or Daemon needs to be configured to run the yo_scheduler code and then have that be called by launchctl bootstrap gui/501 or whatever. There are a lot of different scenarios where the structure would have to adjust though. I'm hoping to figure something out next week for it though and will post back here a potential Jamf friendly add-on.

[mikevmeyer]

I've had quite a bit of extensive experience with yo in Casper... prior to the 2.0 release, you could not script yo, from within the Casper (or at least there were a ton of hoops to jump thru, I can't exactly remember). The workaround was to call it in a policy, using the "Files and Processes" payload, and using the "Execute Command" box. I would enter in something like:

open /Applications/Utilities/yo.app --args -t 'Policy Name' -s 'Subject Words' -n 'Note about this policy!'; logger 'Posting Notification'

I'd have to custom write each notification code, for the policies that needed them.

HOWEVER, I did get to test the 2.0/2.0.1 release last night, and it seems to work just fine now as a script with variables. However, in my script, I did have to make it look like this:

#!/bin/bash /Applications/Utilities/yo.app/Contents/MacOS/yo -t "Policy Name" -s "$4" -n "$5"

Whereas the "$" are variables that can be defined in a policy, script payload.

This correctly will push/display notifications. Mind you, I did not run the .pkg installer, I custom built a "yo.app" in lieu of custom icons, and then made sure to deposit "yo_scheduler" in /usr/local/bin/.

The only thing I'm not 100% sure is if 2.0 yo will work initially on a fresh install, onboard into the JSS. I tried one last night, and it didn't work right off the bat, but that might be b/c of something else. I will report back when I find out more. Hope this helps you all.....

[mikevmeyer]

UPDATE: I tested a fresh install, with a fresh capture into Casper, and it worked like a charm in 10.12.5.

The takeaway here should be that you should be using the latest Xcode or .pkg for yo that @sheagcraig has posted.

[tulgeywood]

@mikevmeyer did you call the policy via terminal using the jamf binary? Or did you let it trigger based on recurring check-in?

[mikevmeyer]

Both - totally works both ways.

[primalcurve]

The best way to avoid issues with running apps in another user's console (because the jamf binary runs as root) is to use launchctl.

Get the console user via this python snippet: consoleUser=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");') Then get the console user's UUID with id -u consoleUserUUID=$(/usr/bin/id -u "${consoleUser}")

Once you have this, it's a simple matter to launch yo without issues: /bin/launchctl asuser "${consoleUserUUID}" /path/to/yo <options>

Sources: https://macmule.com/2014/11/19/how-to-get-the-currently-logged-in-user-in-a-more-apple-approved-way/ https://derflounder.wordpress.com/2016/03/25/running-processes-in-os-x-as-the-logged-in-user-from-outside-the-users-account/

[sheagcraig]

I'll add the launchctl asuser stuff to the documentation if it isn't already.

It's a slightly different context when calling from JAMF as it is from Munki and Ansible, which is what I use at work. For me, I usually want to deliver notifications either immediately to the current user, or once to every potential user who could sign in. The yo_scheduler does that pretty flawlessly for me.

Calling yo directly is absolutely possible as @primalcurve has shown above. Unfortunately, there's not a great way to get that stuff all into Casper, short of creating a policy and then duplicating it when needed and customizing the duplicates. With this documentation in place, it will be a lot easier for people to do this!

[pleegor]

@mikevmeyer Could you please confirm that all you need to have is #!/bin/bash /Applications/Utilities/yo.app/Contents/MacOS/yo -t "Policy Name" -s "$4" -n "$5" and parameter values in your policy? Trying to run yo via jamf/casper policy without any luck so far....

[primalcurve]

Well this is kind of one of those fundamentals of macOS management, isn't it? How do you run something in the Console User's space when you are root? Currently you use launchctl asuser, but there's some controversy there as Apple has threatened to deprecate it.

[pleegor]

@primalcurve 100% agree regarding fundamentals. I had this weird issue when JAMF was not distributing policy; however, when I manually checked for policies from client device everything did work. Currently, I have a support issue opened with JAMF folks. So my questions was of those desperate moments :) Thanks anyways for trying to help!!!