2

We manage our Apple computers through Microsoft's MDM Intune. Intune has the ability to run a script on a computer as the root user with no end-user interaction. I have this script set to run on all Apple machines:

#!/bin/sh
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers -clientopts -setdirlogins -dirlogins yes

Upon running it, Intune returns the error:

Can't call method "print" on an undefined value at /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart line 695.

This is the code within kickstart it is referencing:

IO::File->new(">${TargetDisk}${RemoteManagementLaunchdFile}")->print("enabled");
Echo('MSG_ACTIVATED_REMOTE_MANAGEMENT');

If I copy the script to the machine and run it locally, the script completes what it is intended to do (enable directory-based authentication for ARD). This error is only thrown when pushed through Intune. I am not able to edit the source code for obvious reasons, but I don't see why the print error is occurring otherwise.

2 Answers

1

It was unable to create the file whose name is produced by

"${TargetDisk}${RemoteManagementLaunchdFile}"

For more info, use

{
   my $qfn = $TargetDisk . $RemoteManagementLaunchdFile;
   my $fh = IO::File->new(">$qfn")
      or die( "Can't create `$qfn`: $!\n" );
   $fh->print( "enabled" )
      or die( "Error writing to `$qfn`: $!\n" );
   $fh->close()
      or die( "Error writing to `$qfn`: $!\n" );
}

Given the complete lack of information provided, we can only guess at the cause (in no particular order):

  • $RemoteManagementLaunchdFile contains garbage.
  • $TargetDisk contains garbage.
  • The directory in which the file should be created doesn't exist.
  • Insufficient permissions to access the directory in which the file should be created.
  • Insufficient permissions to create the file.
ikegami
  • Thank you for the response. I understand the filename was not able to be produced, but why would this script fail when run through Intune but succeed when run locally on the machine? What more information can I provide to reach a better answer? – Jacob Young May 09 '23 at 21:50
  • Did you read my answer? /// Re "*What more information can I provide to reach a better answer?*", See the first half of my answer. /// Re "*Why would this script fail when run through Intune but succeed when run locally on the machine?*", See the second half of my answer. – ikegami May 10 '23 at 02:43
  • I did read your answer. You are recommending I add code to the source file of the kickstart application, which I cannot do, as noted in my question that I am assuming you read. I am only able to edit the shell script that I push through Intune. It's apparent you are not actually trying to assist and instead providing a quick answer that does not resolve my actual problem. I will continue to research the issue. Thank you. – Jacob Young May 11 '23 at 18:31
  • Re "*You are recommending I add code to the source file of the kickstart application*", Not at all. Just saying that's how to get the information you asked for. If you don't have the necessary access, that's not on me. – ikegami May 11 '23 at 18:59
  • Re "*It's apparent you are not actually trying to assist*", You say that, but did you even try to rule out any of the five possible reasons I gave? – ikegami May 11 '23 at 19:00
1

I came across the same problem with the kickstart script. Tinkering with a copy of the Perl script, I found out that the fault lies with neither an undefined nor a "corrupt" $RemoteManagementLaunchdFile or $TargetDisk variable. The error is due to missing write permissions for the target file:

/Library/Application\ Support/Apple/Remote\ Desktop/RemoteManagement.launchd

According to my observations, this file can only be written from a logged-in GUI user.

From an ssh session, the command:

# cat >> /Library/Application\ Support/Apple/Remote\ Desktop/RemoteManagement.launchd

consistently fails with the message:

/Library/Application Support/Apple/Remote Desktop/RemoteManagement.launchd: Operation not permitted

The exact same cat command works fine when using "Terminal" from a GUI session (even via Remote Desktop). The restriction is just for the specific .launchd file. Creating a new file in that directory via touch works without throwing an error even from an ssh session.

Just for laughs, I tried an AppleScript that calls the kickstart script, and it fails with the same error message.

It seems that Apple put far-reaching limitations on changes to what it considers important system settings if they don't originate from a live GUI session.
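
A diagnostic that can be pushed through Intune in place of the kickstart call, to rule out the causes listed in the first answer and repeat the second answer's write test in the MDM context. This is an added example, not part of the original posts; the function names `classify_target` and `report` and the probe file name are assumptions.

```shell
#!/bin/sh
# Added diagnostic: reports why a write to the file named in the kickstart
# error would fail in whatever context runs this script (Intune, ssh, Terminal).
TARGET="/Library/Application Support/Apple/Remote Desktop/RemoteManagement.launchd"

# Prints one of: missing_dir, dir_denied, file_denied, writable.
# The shell's own error text (e.g. "Operation not permitted") is left on stderr.
classify_target() {
    file=$1
    dir=$(dirname "$file")
    [ -d "$dir" ] || { echo missing_dir; return; }
    if [ -e "$file" ]; then
        # Open for append without writing data, like `cat >>` in the answer.
        # The subshell keeps a failed redirection from aborting the script.
        if ( : >> "$file" ); then echo writable; else echo file_denied; fi
        return
    fi
    # File absent: do not create it, since its presence may be meaningful.
    # Probe the directory with a throwaway file instead (the `touch` test).
    probe="$dir/.write-probe.$$"
    if ( : > "$probe" ); then
        rm -f "$probe"
        echo writable
    else
        echo dir_denied
    fi
}

# Records the execution context next to the result so runs can be compared.
report() {
    echo "uid=$(id -u) user=$(id -un) tty=$([ -t 0 ] && tty || echo none)"
    echo "SSH_CONNECTION=${SSH_CONNECTION:-unset}"
    ls -ld "$(dirname "$1")" "$1" 2>&1
    echo "result=$(classify_target "$1" 2>&1)"
}

report "$TARGET"
```

Comparing the output from an Intune run with the output from a Terminal session shows whether the directory, the file, or the execution context differs between them.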