Running interactive bash/Applescript script as an 'on-demand' item


zbennis

Apr 15, 2016, 11:04:52 AM4/15/16
to munki-discuss
We have a need for people to be able to renew their filevault recovery keys, which requires a password to be entered. I had hoped that Munki's 'on-demand' feature would work for this. I have the script working from Terminal, but the Applescript dialog doesn't show up when it's run from Munki, and is then reported to have failed in MSC. Here is my script (borrowed heavily from https://github.com/JAMFSupport/FileVault2_Scripts/blob/master/reissueKey.sh):

#!/bin/bash
# Reissue the personal FileVault 2 recovery key for the console user.
# Munki runs this as root; the password is collected with an AppleScript dialog.

# Currently logged in user.
userName=$(/usr/bin/stat -f%Su /dev/console)
# Location and name of plist with recovery info. .plist file extension omitted.
PLISTFILE="/usr/local/fvsetup/fvresults"

# fdesetup changerecovery needs root; check it instead of just noting it.
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root."
    exit 2
fi

## Get the OS minor version (e.g. 11 for 10.11)
OS=$(/usr/bin/sw_vers -productVersion | awk -F. '{print $2}')

## This first user check sees if the logged in account is already authorized with FileVault 2.
## fdesetup list prints "username,UUID" per enabled user; compare the whole field,
## not a substring, so "bob" does not match "bobby".
userCheck=$(fdesetup list | awk -v usrN="$userName" -F, '$1 == usrN {print $1}')
if [ "${userCheck}" != "${userName}" ]; then
    echo "This user is not a FileVault 2 enabled user."
    exit 3
fi

## Check to see if the encryption process is complete
encryptCheck=$(fdesetup status)
statusCheck=$(echo "${encryptCheck}" | grep "FileVault is On.")
expectedStatus="FileVault is On."
if [ "${statusCheck}" != "${expectedStatus}" ]; then
    echo "The encryption process has not completed."
    echo "${encryptCheck}"
    exit 4
fi

## Get the logged in user's password via a prompt
echo "Prompting ${userName} for their login password."

## osascript reads the script from stdin, so no temp file is needed (and there is
## no dependency on TMPDIR, which is often unset when running from a launchd daemon).
userPass=$(osascript <<'SCRIPT'
set currentUser to do shell script "/usr/bin/stat -f%Su /dev/console"

tell application "System Events" to set fvAuth to text returned of (display dialog "Please enter login password for " & currentUser & ":" default answer "" with title "Login Password" buttons {"OK", "Cancel"} default button 1 with hidden answer)

return fvAuth
SCRIPT
)

if [[ -z "$userPass" ]]; then
    echo "User cancelled or blank password."
    exit 1
fi

echo "Issuing new recovery key"

if [[ $OS -ge 9 ]]; then
    ## This "expect" block populates the fdesetup prompt that normally occurs while hiding it from output.
    ## The password is handed to expect through the environment, not on its command line,
    ## so it is not visible in ps; \$env(...) is escaped so bash leaves it for Tcl.
    ## The output plist contains the new recovery key, so it is created readable by root only.
    umask 077
    mkdir -p "$(dirname "${PLISTFILE}")"
    FV_PASS="${userPass}" expect -c "
    log_user 0
    spawn fdesetup changerecovery -personal -outputplist
    expect \"Enter a password for '/', or the recovery key:\"
    send -- \"\$env(FV_PASS)\r\"
    log_user 1
    expect eof
    " | sed 1d > "${PLISTFILE}.plist"
else
    echo "OS version not 10.9+ or OS version unrecognized"
    echo "$(/usr/bin/sw_vers -productVersion)"
    exit 5
fi
exit 0

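As an added example (not the original poster's script, the JAMF script it borrows from, or Munki's own code): the same renewal flow without expect. The password is handed to fdesetup as an -inputplist on stdin rather than typed into a pty, so it never appears on any command line, and the dialog is run inside the console user's GUI session with launchctl asuser instead of from root's context. Assumed here: OS X 10.10 or later for launchctl asuser, the Username/Password keys of fdesetup's input plist, and the output path /usr/local/fvsetup/fvresults.plist, which is made up for the example.

```shell
#!/bin/sh
# Added example (not the original poster's script or Munki code): reissue the
# console user's personal FileVault recovery key without expect. The password
# reaches fdesetup as an -inputplist on stdin, never on a command line, and the
# prompt runs in the console user's GUI session via launchctl asuser.
# Assumptions: OS X 10.10+ (launchctl asuser), the -inputplist keys
# Username/Password, and the hypothetical output path below.
set -eu

PLIST_OUT=/usr/local/fvsetup/fvresults.plist   # hypothetical; holds the new key

# Escape the five XML special characters so an arbitrary password cannot
# break, or inject extra keys into, the plist handed to fdesetup.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Build the plist that fdesetup changerecovery -inputplist reads from stdin:
# the Username/Password pair of an already FileVault-enabled user.
build_input_plist() {
    printf '%s\n' \
        '<?xml version="1.0" encoding="UTF-8"?>' \
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
        '<plist version="1.0">' \
        '<dict>' \
        "    <key>Username</key><string>$(xml_escape "$1")</string>" \
        "    <key>Password</key><string>$(xml_escape "$2")</string>" \
        '</dict>' \
        '</plist>'
}

# Short name of whoever owns the console; "root" means the login window.
console_user() {
    /usr/bin/stat -f%Su /dev/console
}

# Show the password dialog inside the console user's session. Munki runs us as
# root, so launchctl asuser + sudo -u run osascript as that user, in their
# bootstrap, where a window server is available.
prompt_password() {
    uid=$(/usr/bin/id -u "$1")
    /bin/launchctl asuser "$uid" /usr/bin/sudo -u "$1" /usr/bin/osascript <<EOF
tell application "System Events" to text returned of (display dialog "Please enter the login password for $1:" default answer "" with title "FileVault recovery key renewal" buttons {"Cancel", "OK"} default button "OK" with hidden answer)
EOF
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; exit 2; }
    user=$(console_user)
    case $user in
        root|loginwindow|_mbsetupuser) echo "no user at the console" >&2; exit 3 ;;
    esac
    # fdesetup list prints "username,UUID" per enabled user; match the whole field.
    /usr/bin/fdesetup list | /usr/bin/grep -q "^${user}," \
        || { echo "$user is not a FileVault 2 enabled user" >&2; exit 3; }
    /usr/bin/fdesetup status | /usr/bin/grep -q '^FileVault is On\.' \
        || { echo "encryption is not complete" >&2; exit 4; }
    pass=$(prompt_password "$user") || { echo "user cancelled" >&2; exit 1; }
    [ -n "$pass" ] || { echo "blank password" >&2; exit 1; }
    umask 077                       # the output plist carries the new recovery key
    /bin/mkdir -p "$(dirname "$PLIST_OUT")"
    build_input_plist "$user" "$pass" \
        | /usr/bin/fdesetup changerecovery -personal -inputplist -outputplist > "$PLIST_OUT"
    echo "new recovery key written to $PLIST_OUT"
}

# Only run the macOS-specific flow when explicitly asked, e.g. from a Munki
# nopkg script: sudo ./reissue_key.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

The XML escaping is the part worth keeping even if you stay with expect: a password containing `<`, `&` or a quote would otherwise corrupt the plist (or, with expect, be re-parsed by Tcl), and the key material written by `-outputplist` should be created under `umask 077` because it is the new recovery key in clear text.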


Gregory Neagle

Apr 15, 2016, 11:10:55 AM4/15/16
to munki-...@googlegroups.com
Do remember that Munki is running these tasks from root. Guessing the AppleScript being run from root can't do any GUI things.

To view this discussion on the web visit https://groups.google.com/d/msgid/munki-discuss/1e969799-dc1b-4f9a-840b-cf4293e5a20f%40googlegroups.com.

zbennis

Apr 15, 2016, 2:52:02 PM4/15/16
to munki-discuss
Hi Greg,

Thanks for the prompt reply! It was my boneheaded mistake. This actually works, but it turns out you have to have FileVault enabled on your test machine before you can renew a key on it.

Zack