macOS: launchd does not run the script when the screen is locked

Problem description    Votes: 0    Answers: 1

First and foremost: I am new to macOS scripting and rely heavily on the internet to get things done. I searched for a long time without finding a solution, so I am asking here. If this is not the right place to ask, please let me know.

I am trying to build a script/launchd combination that runs in the background at all times and looks for admins (other than system/service accounts). On a hit, I want it to call a script that creates another launchd job which, 15 minutes later, removes said account from the admin group.

This is meant to be used together with Privileges.app, which users can use to grant themselves admin rights, and to remove those rights again after said time window. I know Privileges.app has an option in its configuration profile to enable this, but it only works when toggling via right-click on the dock icon, which is not an option because I have other options enabled in said configuration that disable this way of toggling privileges.

Creating and deploying the launchd job via script works perfectly, and the second launchd job on a hit is also created without problems. As long as the Mac stays unlocked, it works. Once the Mac is locked, even for only a few seconds, the launchd job no longer works, even though launchctl shows it as loaded.

The device is managed/supervised. It makes no difference whether I deploy the script via MDM or run it manually via sudo bash.

I made sure to create a global LaunchDaemon, not a LaunchAgent. I also made sure the job is loaded, using launchctl list.

Disk sleep is disabled. Enabling Debug with StandardOutPath / StandardErrorPath shows nothing, as no log is created.

Here is the full script:

#!/bin/bash
# Bootstrapper, run once as root (via MDM or "sudo bash"): writes the watcher
# script, then creates and loads the LaunchDaemon that keeps it running.

AGENT_DIR="/Library/Application Support/com.mobileiron.mac.agent"

# Write the watcher before loading its daemon: RunAtLoad would otherwise start
# /bin/sh against a file that does not exist yet (KeepAlive only masks that).
cat << 'EOF' > "$AGENT_DIR/admincheck.sh"
#!/bin/bash
# Watcher: runs as root under launchd (RunAtLoad + KeepAlive), so sudo is not needed.

sleep 25

# Members of the admin group other than root; dscacheutil prints them as "users: a b c".
list_admins() {
    dscacheutil -q group -a name admin |
        awk '$1 == "users:" { for (i = 2; i <= NF; i++) if ($i != "root") print $i }'
}

# Poll once a minute until an account other than root holds admin rights.
localadmin=$(list_admins)
while [ -z "$localadmin" ]; do
    sleep 60
    localadmin=$(list_admins)
done

# Write the demotion script before loading the job that runs it.
cat << 'EOF1' > "/Library/Application Support/com.mobileiron.mac.agent/removeAdminRights.sh"
#!/bin/bash
# grep -v matches substrings, so any account whose name contains "daemon",
# "root", "nobody" or "admin", or starts with "_", is left alone.
localuser=$(dscl . list /Users | grep -v "^_\|daemon\|root\|nobody\|admin")
for User in $localuser; do
    # Fails harmlessly for users who are not in admin.
    /usr/sbin/dseditgroup -o edit -d "$User" -t user admin
done
# Re-arm the watcher, then retire this one-shot job.
launchctl load /Library/LaunchDaemons/admincheck.plist
sleep 2
launchctl unload /Library/LaunchDaemons/removeAdmin.plist
EOF1

# One-shot demotion job: no RunAtLoad, so StartInterval fires 900 s (15 min) after load.
defaults write /Library/LaunchDaemons/removeAdmin.plist Label -string "removeAdmin"
defaults write /Library/LaunchDaemons/removeAdmin.plist ProgramArguments -array -string /bin/sh -string "/Library/Application Support/com.mobileiron.mac.agent/removeAdminRights.sh"
defaults write /Library/LaunchDaemons/removeAdmin.plist StartInterval -integer 900
defaults write /Library/LaunchDaemons/removeAdmin.plist StandardOutPath "/var/log/removeAdmin.log"
defaults write /Library/LaunchDaemons/removeAdmin.plist StandardErrorPath "/var/log/removeAdmin.log"
defaults write /Library/LaunchDaemons/removeAdmin.plist Debug -boolean true
chown root:wheel /Library/LaunchDaemons/removeAdmin.plist
chmod 644 /Library/LaunchDaemons/removeAdmin.plist
launchctl load /Library/LaunchDaemons/removeAdmin.plist
sleep 5

# Unloading our own daemon kills this script; nothing after this line runs.
launchctl unload /Library/LaunchDaemons/admincheck.plist
EOF

# Watcher daemon: starts at load and is restarted whenever the script exits.
sudo defaults write /Library/LaunchDaemons/admincheck.plist Label -string "admincheck"
sudo defaults write /Library/LaunchDaemons/admincheck.plist ProgramArguments -array -string /bin/sh -string "$AGENT_DIR/admincheck.sh"
sudo defaults write /Library/LaunchDaemons/admincheck.plist RunAtLoad -boolean yes
sudo defaults write /Library/LaunchDaemons/admincheck.plist KeepAlive -boolean yes
sudo defaults write /Library/LaunchDaemons/admincheck.plist StandardOutPath "/var/log/admincheck.log"
sudo defaults write /Library/LaunchDaemons/admincheck.plist StandardErrorPath "/var/log/admincheck.log"
sudo defaults write /Library/LaunchDaemons/admincheck.plist Debug -boolean true
sudo chown root:wheel /Library/LaunchDaemons/admincheck.plist
sudo chmod 644 /Library/LaunchDaemons/admincheck.plist

# Loading a LaunchDaemon requires root.
sudo launchctl load /Library/LaunchDaemons/admincheck.plist

exit 0

Please tell me how to get this to run while the Mac is locked.

Thanks very much in advance!

bash macos terminal launchd
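The watcher in the question selects admins by excluding root only, and the demotion script excludes accounts by substring match, which also skips any user whose name merely contains "admin". The following added example, which is not part of the question, shows exact-match filtering over the same dscacheutil output and generates the LaunchDaemon as an XML plist that can be linted with plutil before loading. The sample dscacheutil output is constructed, and install_daemon is assumed to run as root on macOS.

```shell
#!/bin/bash
# Added example: exact-match filtering of admin-group members and generation
# of a LaunchDaemon plist. The sample command output below is constructed.

# Print admin-group members except root and service accounts (names starting
# with "_"). Reads the output of `dscacheutil -q group -a name admin` on stdin.
non_service_admins() {
    awk '$1 == "users:" {
            for (i = 2; i <= NF; i++)
                if ($i != "root" && substr($i, 1, 1) != "_") print $i
         }'
}

# Members of the admin group that are not on an allowlist (both given as
# space-separated lists), i.e. the accounts a demotion job should act on.
# Exact matches only, so allowlisting "admin" does not also protect "adminhelper".
demotion_candidates() {   # $1 = current members, $2 = allowlist
    printf '%s\n' $1 | awk -v keep="$2" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        NF && !($1 in allow)'
}

# Emit a LaunchDaemon plist as XML. StartInterval counts seconds from load and
# repeats; per launchd.plist(5) an interval that elapses while the system
# sleeps is delivered once on wake, so sleep delays the job but does not drop it.
# Arguments are not XML-escaped; paths containing & or < need escaping first.
daemon_plist() {   # $1 = label, $2 = interval in seconds, $3.. = program arguments
    local label=$1 interval=$2
    shift 2
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    printf '<plist version="1.0"><dict>\n'
    printf '  <key>Label</key><string>%s</string>\n' "$label"
    printf '  <key>ProgramArguments</key><array>\n'
    for arg in "$@"; do printf '    <string>%s</string>\n' "$arg"; done
    printf '  </array>\n'
    printf '  <key>StartInterval</key><integer>%d</integer>\n' "$interval"
    printf '  <key>StandardOutPath</key><string>/var/log/%s.log</string>\n' "$label"
    printf '  <key>StandardErrorPath</key><string>/var/log/%s.log</string>\n' "$label"
    printf '</dict></plist>\n'
}

# Constructed sample of `dscacheutil -q group -a name admin` output.
SAMPLE_DSCACHE='name: admin
password: *
gid: 80
users: root _mbsetupuser localadmin jdoe'

# macOS-only install step (assumed to run as root): write, lint, then load.
# A lint failure stops before launchctl, so a malformed plist is never loaded.
install_daemon() {   # $1 = plist path, remaining args as for daemon_plist
    local path=$1
    shift
    daemon_plist "$@" > "$path"
    chown root:wheel "$path" && chmod 644 "$path"
    plutil -lint "$path" && launchctl load "$path"
}
```

Running `printf '%s\n' "$SAMPLE_DSCACHE" | non_service_admins` yields `localadmin` and `jdoe`; `demotion_candidates "localadmin jdoe" localadmin` then leaves only `jdoe`, which is the account a 15-minute demotion job should target.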
1 answer

0 votes

So I wanted to share what I did in case someone runs into the same problem. Instead of using launchd to create another launchd job and, after the StartInterval, call a script to demote the user, I switched to atrun. I am now creating a launchd job that periodically checks whether changes were made to the admin group and, if detected, creates an at job (via atrun) to demote the user after x minutes. Works perfectly even when the screen is locked / the system is shut down / rebooted.
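The answer describes the replacement design in prose only. As an added example that is not the answerer's code, the block below sketches its two parts: a snapshot comparison that reports newly elevated accounts, and a scheduler that validates the account name before handing a demotion command to at, since at passes the job text to /bin/sh. The snapshot path is an assumption, the sample member lists are constructed, and the atrun enable command is the one from macOS at(1).

```shell
#!/bin/bash
# Added example of the answer's design: detect new admins, then queue a one-shot
# demotion with at(1), whose spool in /var/at/jobs survives lock, sleep and
# reboot. atrun is off by default on macOS; enable it once as root with:
#   launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist
# (that job runs /usr/libexec/atrun every 30 s; on recent macOS versions it may
# also need Full Disk Access, which should be verified on the target build).

# Names present in $2 (current members) but absent from $1 (previous snapshot),
# both space-separated. Exact matching, one name per output line.
new_admins() {   # $1 = previous, $2 = current
    printf '%s\n' $2 | awk -v prev="$1" '
        BEGIN { n = split(prev, p, " "); for (i = 1; i <= n; i++) seen[p[i]] = 1 }
        NF && !($1 in seen)'
}

# Reject anything that is not a plain account name before it is embedded in a
# command line: quotes, semicolons, spaces or a leading dash would let the
# job text be reinterpreted by /bin/sh or dseditgroup.
valid_username() {
    case "$1" in
        ""|*[!A-Za-z0-9._-]*|-*) return 1 ;;
    esac
    return 0
}

# Accept only a positive integer for the delay.
valid_minutes() {
    case "$1" in
        ""|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# The exact command at will run. Kept separate from scheduling so it can be
# inspected and tested without a macOS host.
demotion_command() {   # $1 = user
    valid_username "$1" || return 1
    printf "/usr/sbin/dseditgroup -o edit -d '%s' -t user admin\n" "$1"
}

# Queue the demotion $2 minutes from now. at prints the job number, which the
# caller can record next to the user so the job can be cancelled with atrm.
schedule_demotion() {   # $1 = user, $2 = minutes
    valid_minutes "$2" || return 1
    demotion_command "$1" | at now + "$2" minutes
}

# One polling pass for the launchd job. The current member list is what the
# caller extracted from `dscacheutil -q group -a name admin`; every account
# that was not in the last snapshot gets a demotion scheduled.
STATE_FILE=${STATE_FILE:-/var/db/admincheck.last}   # assumed location
check_once() {   # $1 = current members (space-separated), $2 = minutes
    local prev=""
    [ -f "$STATE_FILE" ] && prev=$(cat "$STATE_FILE")
    for u in $(new_admins "$prev" "$1"); do
        schedule_demotion "$u" "$2"
    done
    printf '%s\n' "$1" > "$STATE_FILE"
}
```

Because at stores the queued command on disk, a demotion scheduled before the screen locks or the machine sleeps is still executed by atrun on the next pass after wake; the trade-off is that the demotion becomes a second privileged mechanism (the at spool) that must itself be enabled and protected on the device.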

© www.soinside.com 2019 - 2024. All rights reserved.