
Overview:

I'm trying to do the following for a suite of Mac minis to run in a teaching suite.

After a clean install (using Apple Remote Desktop and bash scripts):

  1. Install some applications (Chrome, Logic, iMovie)
  2. Create a User (u:p student/student for this example)
  3. Add parental control to this user, and limit the apps they can use.
  4. Modify the Dock (via plist file) to only show the apps we want, and run this at each boot (to stop students messing it up for the next user)

I have 90% of it working, but I'm getting completely stuck trying to get my plist to work and load.

It works on my computer (also 10.13) and loads fine, and it works loading it as the administrator on the same Mac. It does not work trying to load it as the user.

Current process

  1. Run Bash script below:

    #!/bin/bash
    
    # Supersedes the above make user; this CANNOT be run as root, so run as the administrator user we added at creation.
    sysadminctl -addUser student -fullName "Bamm Student" -password student -hint student
    createhomedir -c /Users/student
    
    # Import the parental controls plist
    dscl . -mcximport /Users/student /tmp/parental_controls.plist
    
    # Dock script needs to be copied to the correct location first
    
    # Set the permissions on the dock script
    chmod +x /usr/local/dock.sh 
    chown student:staff /usr/local/dock.sh
    

This part all works, I get a user, I get the home dir, I copy the dock script to the /usr/local (and it works when run as the user from command line)

  1. I then copy my plist file to the location /Users/student/LaunchAgents/
  2. Make sure it's owned by student:staff
  3. Make sure it's 644 permissions
  4. The dock script is executable and owned by the student user; it can be run as the student user from the command line (over an ssh session)

This will not work (I've tried many ways):

    # load the dock launchAgent (run as the student user)
    launchctl load /Users/student/Library/LaunchAgents/com.mitsuite.login.plist

gives

    /Users/temp/Library/LaunchAgents/com.mitsuite.login.plist: Operation not permitted

I've also tried

    launchctl bootstrap gui/502 /Users/student/Library/LaunchAgents/com.mitsuite.login.plist

gives

    Could not find domain for

and

    launchctl bootstrap user/502 /Users/student/Library/LaunchAgents/com.mitsuite.login.plist

These give me various errors in the system.log mostly like this:

    Aug 10 15:12:59 MIT-1 com.apple.xpc.launchd[1] (com.apple.xpc.launchd.user.domain.501.100008.Aqua): Caller not allowed to perform action: launchctl.671, action = service bootstrap, code = 1: Operation not permitted, uid = 502, euid = 502, gid = 20, egid = 20, asid = 649

I've tried creating a standard user without adding any parental controls (via the admin panel, no scripting fun) and get the same issue.

My plist looks like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
        <dict>
            <key>Label</key>
            <string>local.job</string>
            <key>Program</key>
            <string>/usr/local/dock.sh</string>
            <key>RunAtLoad</key>
            <true/>
        </dict>
    </plist>

Update:

As a test, I created an admin user on the same computer, and ran this, all worked fine loading the plist and running at boot.

How can I get a standard user to install a plist via command line?

Update 2:

From another Stack Overflow question, I've added the username to the .plist file, and then placed it in /Library/LaunchDaemons; this all works when root runs launchctl load /Library/LaunchDaemons/com.mitquite.login.plist

However, this seems counterintuitive (unless it's intended because a standard user cannot install apps?)

Alex Hellier

1 Answer


I would try to do two things:

  • Change the value in the <string> field under <key>Label</key> to com.mitsuite.login instead of local.job
  • Or add to the .plist (at least the first two lines):

    <key>UserName</key>
    <string>/*name_of_user*/</string>
    <key>GroupName</key>
    <string>/*group_name*/</string>
    <key>InitGroups</key>
    <true/>
    
Marlon23
  • The problem does not appear to be with the .plist file (it works on admin users); it seems to be more with the standard user not being able to run launchctl against their own user – Alex Hellier Aug 13 '18 at 11:47
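
Added example (not part of the question, answer or comment above): a small POSIX shell helper that parses the `Caller not allowed to perform action` line quoted in the question and compares the uid embedded in the launchd domain name with the uid of the caller. It assumes the first number after `user.domain.` is the uid that owns the domain; the function names `field` and `summarize_denial` are hypothetical.

```shell
#!/bin/sh
# Added example: summarise a launchd "Caller not allowed" denial.
# Constructed input: the system.log line quoted in the question.
SAMPLE_LINE='Aug 10 15:12:59 MIT-1 com.apple.xpc.launchd[1] (com.apple.xpc.launchd.user.domain.501.100008.Aqua): Caller not allowed to perform action: launchctl.671, action = service bootstrap, code = 1: Operation not permitted, uid = 502, euid = 502, gid = 20, egid = 20, asid = 649'

# field LINE BRE: print the first capture group of BRE in LINE (empty if no match).
field() {
    printf '%s\n' "$1" | sed -n "s/$2/\\1/p"
}

# summarize_denial LINE: print domain owner uid, caller uid, action and a verdict.
# Assumption: in "user.domain.<n>.<m>.<session>" the first number is the uid
# that owns the launchd domain the request was sent to.
# Returns 1 when LINE is not a "Caller not allowed" denial.
summarize_denial() {
    line=$1
    case $line in
        *'Caller not allowed to perform action'*) ;;
        *) return 1 ;;
    esac
    domain_uid=$(field "$line" '.*launchd\.user\.domain\.\([0-9][0-9]*\)\.[0-9][0-9]*\.[A-Za-z]*).*')
    caller_uid=$(field "$line" '.*, uid = \([0-9][0-9]*\),.*')
    action=$(field "$line" '.*, action = \([^,]*\), code = .*')
    if [ -z "$domain_uid" ] || [ -z "$caller_uid" ]; then
        verdict=unknown        # line did not carry both uids
    elif [ "$domain_uid" = "$caller_uid" ]; then
        verdict=same-user      # caller addressed its own domain
    else
        verdict=cross-user     # caller addressed another uid's domain
    fi
    printf 'domain_uid=%s caller_uid=%s action=%s verdict=%s\n' \
        "${domain_uid:-?}" "${caller_uid:-?}" "${action:-?}" "$verdict"
}

summarize_denial "$SAMPLE_LINE"
```

On the quoted line the helper reports a `service bootstrap` request from uid 502 against a domain named for uid 501.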