Add remediation for BTM corruption if users are upgrading from 1.1.12.81501 #519
Conversation
/bin/sh behaved differently, likely due to LANG being set to something very basic. ZSH on the other hand was throwing errors about "illegal byte sequence." Forcing a basic encoding seems to get everything parsed properly.
Creates a new postinstall for the app-only pkg. This will run remediation of the 81501 issues for shops that use the separate launchagent and app packages. Modify the build_nudge.zsh to copy the post
Ready for testing!
For linking purposes: fixes #515
Thanks for putting this all together @rickheil!
I have a theory. What if we ran the nudge uninstall SMApp cli flag instead? Would it remove the same keys from that file?
Also you need to do this on the dev branch not main. I haven't merged the other code yet into main.
Erik, is that the --unregister flag? I tried that one yesterday and it didn't work. That said, I can't promise I tried it in all combinations of scenarios, so definitely worth trying again after installing 1.1.13.
Looking pretty good.
```zsh
    remediate=True
    echo "Set BTM plist path to v4"
else
    echo "Error: unable to locate a BTM plist, no remediation occurred. Does this OS support BTM features?"
```
If we are doing nothing else in the postinstall, we should exit here.
```zsh
signing_re='.*"com.github.macadmins.Nudge".*T4SK8ZXCXG\)'
dne_re=", Does Not Exist"

while $remediate; do
```
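Review bot: `while $remediate` only works here because `remediate=True` expands to the command name `True`, which resolves to /usr/bin/true on a case-insensitive system volume; on a case-sensitive volume, or if `remediate` is never assigned, the loop header fails with "command not found" and the remediation silently never runs. Use the lowercase builtins (`remediate=true`) or test a value explicitly (`while [[ "$remediate" == "true" ]]; do`); flattening to if/elif/else as suggested in the review removes the need for the flag entirely.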
Since we are exiting early above, we can get rid of the while altogether and flatten this to a if/elif/else statement.
```zsh
done

# Remove the touch file to not trigger remediation again.
rm /private/var/tmp/nudge_remediate
```
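Review bot: the trigger file lives in /private/var/tmp, which is world-writable, so any local user can create `nudge_remediate` ahead of an install and send the root-run postinstall down the remediation path (including the PlistBuddy edits to the BTM plist) on a machine that never had 1.1.12.81501. Prefer a root-owned, non-world-writable location for the marker (for example under /private/var/db or a directory the package itself owns), check that it is a regular root-owned file rather than a symlink before acting on it, and use `rm -f` so a missing marker does not turn into a spurious postinstall error.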
If we flatten this, the only negative is we may need to rm
this above around line 32 as well. Flattening the loops seems worth it for readability.
```zsh
# Determine BTM plist path. On macOS 13.3 and lower, v4; higher and on to 14, v8.
if [[ -f "/private/var/db/com.apple.backgroundtaskmanagement/BackgroundItems-v8.btm" ]]; then
    btm_plist_path="/private/var/db/com.apple.backgroundtaskmanagement/BackgroundItems-v8.btm"
    remediate=True
```
Come to think of it, if we are exiting on the else around line 31, we don't need to set this variable at all.
I have a v3 file on disk on my machine, so that implies that the v4 and lower logic is not a correct assumption.
Do you have a v4 or v8 on disk? It would appear the v3 is from a very early version of Ventura.
I no longer think this option is viable and am tempted to close the PR. This change is going to require full disk access. When I first saw the PR, I thought it was a security issue in that if you can delete, you can add. In my testing, accessing this file on a terminal without FDA gives this error.
^ error is running as the root user as well.
That's great then. Apple's edge case here is going to cause a bit of...pain.
Preinstall: checks if a problematic version (81501) is installed, and touches a file if so.
Postinstalls: same logic in both, looks for the touch file and if found runs the remediation.
Currently getting an "illegal byte sequence" error as I wrote this assuming /bin/sh and not ZSH - will continue working on this in Slack after dinner.
All the credit to @kevinmcox and @tuxudo for finding the BTM plist is editable and figuring out the PlistBuddy pieces.
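The preinstall/postinstall handoff described above (preinstall detects the bad version and drops a marker, postinstall consumes the marker and remediates), as an added example that is not the PR's own code. It is written in POSIX sh so it runs anywhere; the installed version is passed in as a parameter instead of being read from the app bundle, the marker directory is a parameter that is assumed to be root-owned and not world-writable, and the function names are hypothetical. The point it adds is the check on the marker itself: a regular, non-symlink file owned by the running user, removed before any remediation so a later failure cannot re-trigger on every install.

```shell
#!/bin/sh
# Added example, not code from the nudge project. Demonstrates the
# trigger-file handoff between a preinstall and a postinstall with the
# ownership and symlink checks a root-run script should make.

BAD_VERSION="1.1.12.81501"   # the release whose BTM registration needs repair

# Hypothetical helper: in a real preinstall the version would come from
# the installed app's Info.plist; here it is passed in so this runs offline.
needs_remediation() {
    [ "$1" = "$BAD_VERSION" ]
}

# Preinstall side: record that the postinstall must remediate.
# $1 = marker directory (assumed root-owned, mode 755), $2 = installed version.
# Returns 0 if a marker was written, 1 otherwise.
mark_remediation() {
    marker_dir="$1"
    installed="$2"
    needs_remediation "$installed" || return 1
    mkdir -p "$marker_dir" && chmod 755 "$marker_dir" || return 1
    : > "$marker_dir/nudge_remediate" || return 1
    chmod 644 "$marker_dir/nudge_remediate"
}

# Postinstall side: consume the marker and report whether to remediate.
# Returns 0 = remediate, 1 = no marker present, 2 = marker rejected.
# The marker is removed in every case so nothing can re-trigger later.
consume_marker() {
    marker="$1/nudge_remediate"
    if [ ! -e "$marker" ] && [ ! -L "$marker" ]; then
        return 1
    fi
    # Reject symlinks, non-regular files, and files we do not own: a
    # marker planted by another user must not drive privileged edits.
    if [ -L "$marker" ] || [ ! -f "$marker" ] || [ ! -O "$marker" ]; then
        echo "refusing to act on suspicious marker $marker" >&2
        rm -f "$marker"
        return 2
    fi
    rm -f "$marker"
    return 0
}

# Usage sketch (constructed paths):
#   mark_remediation /private/var/db/nudge-install "1.1.12.81501"   # preinstall
#   if consume_marker /private/var/db/nudge-install; then
#       echo "run BTM remediation here"                              # postinstall
#   fi
```

The remediation body itself is left to the caller; what the example fixes relative to a bare `touch`/`rm` pair is that the marker cannot be a symlink pointing elsewhere and cannot have been created by someone other than the account running the installer.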