-
-
Save rtrouton/91a7c7fc35bc338cff54f48a01f2e899 to your computer and use it in GitHub Desktop.
| #!/bin/bash | |
| # postinstall.sh | |
| # Marc Thielemann, 2020/01/21 | |
| exitCode=0 | |
| helperPath="$3/Applications/Privileges.app/Contents/XPCServices/PrivilegesXPC.xpc/Contents/Library/LaunchServices/corp.sap.privileges.helper" | |
| if [[ -f "$helperPath" ]]; then | |
| # create the target directory if needed | |
| if [[ ! -d "$3/Library/PrivilegedHelperTools" ]]; then | |
| /bin/mkdir -p "$3/Library/PrivilegedHelperTools" | |
| /bin/chmod 755 "$3/Library/PrivilegedHelperTools" | |
| /usr/sbin/chown -R root:wheel "$3/Library/PrivilegedHelperTools" | |
| fi | |
| # move the privileged helper into place | |
| /bin/cp -f "$helperPath" "$3/Library/PrivilegedHelperTools" | |
| if [[ $? -eq 0 ]]; then | |
| /bin/chmod 755 "$3/Library/PrivilegedHelperTools/corp.sap.privileges.helper" | |
| # create the launchd plist | |
| helperPlistPath="$3/Library/LaunchDaemons/corp.sap.privileges.helper.plist" | |
| /bin/cat > "$helperPlistPath" << EOF | |
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
| <plist version="1.0"> | |
| <dict> | |
| <key>Label</key> | |
| <string>corp.sap.privileges.helper</string> | |
| <key>MachServices</key> | |
| <dict> | |
| <key>corp.sap.privileges.helper</key> | |
| <true/> | |
| </dict> | |
| <key>ProgramArguments</key> | |
| <array> | |
| <string>/Library/PrivilegedHelperTools/corp.sap.privileges.helper</string> | |
| </array> | |
| </dict> | |
| </plist> | |
| EOF | |
| /bin/chmod 644 "$helperPlistPath" | |
| # load the launchd plist only if installing on the boot volume | |
| if [[ "$3" = "/" ]]; then | |
| /bin/launchctl bootstrap system "$helperPlistPath" | |
| fi | |
| # restart the Dock if Privileges is in there. This ensures proper loading | |
| # of the (updated) Dock tile plug-in | |
| # get the currently logged-in user and go ahead if it's not root | |
| currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }') | |
| if [[ -n "$currentUser" && "$currentUser" != "root" ]]; then | |
| if [[ -n $(/usr/bin/sudo -u "$currentUser" /usr/bin/defaults read com.apple.dock "persistent-apps" | /usr/bin/grep "/Applications/Privileges.app") ]]; then | |
| /usr/bin/killall Dock | |
| fi | |
| fi | |
| # make sure PrivilegesCLI can be accessed without specifying the full path | |
| echo "/Applications/Privileges.app/Contents/Resources" > "$3/private/etc/paths.d/PrivilegesCLI" | |
| else | |
| exitCode=1 | |
| fi | |
| else | |
| exitCode=1 | |
| fi | |
| exit $exitCode |
I'm not able to replicate this on my end, using an installer package generated by the Privileges.pkg AutoPkg recipe:
https://github.com/autopkg/rtrouton-recipes/blob/master/Privileges/Privileges.pkg.recipe
AutoPkg is my usual recommendation for building a Privileges installer package, as I've received multiple reports from folks manually building installer packages and getting Privileges installers which don't quite work right:
https://derflounder.wordpress.com/2022/04/20/building-a-privileges-installer-package-using-autopkg/
Howdy @rtrouton- I am not using AutoPkg but a combo of Installomator with WS1. I will play with other MDMs that I have access to but I have been able to reproduce with this workflow
OK. I don’t have your setup and I believe you when you’re saying you’re seeing this issue, but I’m not able to reproduce it in a freshly built Sonoma 14.1 VM running on Apple Silicon using an installer package built using AutoPkg.
Posted on the Privileges repo as well but thought I would put here for anyone who comes across this too.
It appears that on Sonoma and/or with the latest build (1.5.4), some of the permissions have minor changes causing the postinstall script to not properly auth the helper and thus causing an enduser to auth with admin creds to use the app the first time. In my workflows, users come in as standard users via ADE and cannot do this auth. This lead me to find two minor differences in Sonoma and 1.5.4 of Privileges.
Below are the two lines I needed to modify. It appears that a sticky bit has been added to the PrivilegedHelperTools folder and the helper itself needs 544 vs 755.
/bin/chmod 1755 "/Library/PrivilegedHelperTools"/bin/chmod 544 "/Library/PrivilegedHelperTools/corp.sap.privileges.helper"