Target devices: macOS Catalina and higher
I could use some help fixing a problem in a script that is supposed to trigger an osascript notification whenever a user tries to connect to a banned SSID. The notification should only occur when the user is either already connected or is trying to connect to one of the banned SSIDs.
I thought the problem was due to the fact that the script is being run by launchd, and so is running as root; however, even after running the notification command as the logged in user, no notification occurs, even though the rest of the script works fine.
Secondarily, we are also unable to remove credentials for a banned SSID from the Local Items keychain, but as is, the script has the desired effect of kicking the machine off a banned network if connected and preventing the machine from automatically connecting in the future. We are able to remove the credentials from the System Keychain, but it would be nice to find a way to remove the item from the Local Items keychain as well.
Anyway, the main issue occurs at line 47 of the modified code below. Any help in fixing either of these issues would be greatly appreciated.
This snippet has been modified to more easily identify the offending command:
```bash
#!/bin/bash
#
# This script will find all saved SSIDs, compare them to a list of banned SSIDs and if found, removes them
#
# If the client is connected to a banned SSID, Wi-Fi is toggled to allow automatic connection to a non-banned SSID
#
# Script is only able to remove SSID from System keychain as delete-generic-password is not "Local Items" aware
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Change Internal Field Separator to newline so each SSID (spaces included) becomes one array element
IFS=$'\n'
# Get current logged in user (owner of the console device)
loggedInUser=$(ls -l /dev/console | cut -d " " -f 4)
# Determine the Wi-Fi interface
interface=$(networksetup -listallhardwareports | grep -E '(Wi-Fi|AirPort)' -A 1 | grep -o 'en.')
# Get all saved SSIDs (strip the leading tab networksetup prints in front of each name)
savedNetworks=($(networksetup -listpreferredwirelessnetworks "$interface" | tail -n +2 | sed 's/^[[:space:]]*//'))
# SSIDs to be removed
bannedNetworks=("SSIDone" "SSIDtwo" "SSIDthree")
# Power cycle wireless adapter if connected to a banned network, then remove it
for i in "${bannedNetworks[@]}"
do
    # "$i" is quoted so the comparison is a literal string match rather than a glob pattern
    if [[ $(networksetup -getairportnetwork "$interface" | cut -d ":" -f 2 | cut -c 2-) != "$i" ]]; then
        echo "Not connected to $i"
    else
        networksetup -removepreferredwirelessnetwork "$interface" "$i"
        sudo security delete-generic-password -l "$i" "/Library/Keychains/System.keychain" >/dev/null 2>&1
        # Update savedNetworks variable to prevent "…not found" error as the connected network has already been removed yet remains in the array
        savedNetworks=($(networksetup -listpreferredwirelessnetworks "$interface" | tail -n +2 | sed 's/^[[:space:]]*//'))
        # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
        # Notify the user: Doesn't trigger properly, even when run as the logged in user
        sudo -u "$loggedInUser" osascript -e 'display notification "The Wi-Fi network you selected is not for use with district devices. If \"ApprovedNetwork\" fails, please use \"BackupNetwork.\"" with title "Blocked Network"'
        # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
        networksetup -setairportpower "$interface" off
        sleep 5
        networksetup -setairportpower "$interface" on
    fi
done
```
Well, the problem with notifications from a daemon that you met is there by design.
It is related to how macOS operates with different sessions; you can read here and here for more information.
What you need to know now is that when running as a daemon you have no default access to the user GUI session, even with sudo -u.
There are, however, some ways to access the user GUI session from your context, as described here.
To sum it up, what you need to do is change:
```bash
sudo -u "$loggedInUser" osascript -e ...
```
to
```bash
sudo launchctl asuser "$userId" osascript -e ...
```
where $userId is something like this:
```bash
# uid of the console user; reuses the question's $loggedInUser rather than $USER,
# which is root (or unset) when the script runs from a launchd daemon
userId=$(id -u "$loggedInUser")
```
(I'm not really into bash, it could be done in a more clear way)
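The answer's approach carried through as an added example (neither the question's nor the answer's code): the notification is dispatched with `launchctl asuser` into the console user's session, paired with `sudo -u` so the process also runs as that user (an assumption the answer does not state), and the SSID check compares whole strings so names containing spaces or colons are handled. The banned list and notification text are constructed placeholders.

```bash
#!/bin/bash
# Added example (not the question's or the answer's code): SSID helpers plus the
# answer's launchctl asuser fix. Banned list and notification text are constructed.

bannedNetworks=("SSIDone" "SSIDtwo" "SSID three")   # one entry with a space

# Pull the SSID out of `networksetup -getairportnetwork` output. Strips only the
# fixed prefix, so an SSID containing ':' is kept intact; returns 1 when not associated.
ssid_from_output() {
    case "$1" in
        "Current Wi-Fi Network: "*) printf '%s\n' "${1#Current Wi-Fi Network: }" ;;
        *) return 1 ;;
    esac
}

# Exact whole-string match against the banned list. [ = ] never treats the SSID
# as a glob, unlike an unquoted right-hand side inside [[ != ]].
is_banned() {
    local b
    for b in "${bannedNetworks[@]}"; do
        [ "$1" = "$b" ] && return 0
    done
    return 1
}

# The GUI user owns /dev/console; a root launchd daemon has no GUI session of its own.
console_user() { stat -f %Su /dev/console; }
# Run a command inside the console user's GUI session (macOS only). launchctl asuser
# selects the session; sudo -u additionally drops to that user (assumed pairing).
run_in_gui_session() {
    local user; user=$(console_user)
    launchctl asuser "$(id -u "$user")" sudo -u "$user" "$@"
}

notify_blocked() {
    run_in_gui_session osascript -e 'display notification "The Wi-Fi network you selected is not for use with district devices." with title "Blocked Network"'
}

main() {
    local interface ssid
    interface=$(networksetup -listallhardwareports | grep -E '(Wi-Fi|AirPort)' -A 1 | grep -o 'en.')
    ssid=$(ssid_from_output "$(networksetup -getairportnetwork "$interface")") || return 0
    is_banned "$ssid" || { echo "Not connected to a banned SSID"; return 0; }
    networksetup -removepreferredwirelessnetwork "$interface" "$ssid"
    notify_blocked
    networksetup -setairportpower "$interface" off; sleep 5; networksetup -setairportpower "$interface" on
}

# Only run the macOS-specific part where the tools exist; the helpers above work anywhere.
if command -v networksetup >/dev/null 2>&1; then main; fi
```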