Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: John Lockwood
John Lockwood Author
User level: Level 6
13,679 points

Login & Logout hooks and MCX settings

Firstly yes I am perfectly aware that Apple no longer want people to use Login and Logout hooks or MCX i.e. Workgroup Manager managed preferences. Apple would prefer you use either Profile Manager to push settings which ironically can still include Login and Logout hooks, or to use a launchagent.


Unfortunately Apple have not taken in to consideration a number of valid reasons why people may still need to use Login and Logout hooks or MCX preferences. As it happens in my own case all those reasons apply in this situation.


  1. Some tasks require root level permission, a launchagent runs as the user who has logged in not as root and so can be insufficient for this
  2. Some tasks need to be done at logout, there is no equivalent to a launchagent for logout tasks, even if problem 1 above did not apply
  3. Using an MDM solution e.g. Profile Manager requires you have Internet connectivity - my own case is for a network deliberately setup with no connection at all to the Internet for security reasons


I can confirm that individual Login and Logout hooks still work in Mavericks and Yosemite when defined locally on a Mac. I can also confirm that Login and Logout hooks pushed via Profile Manager also still work in Mavericks and Yosemite however see problem 3 above. I would therefore like to use instead Login and Logout hooks defined via Workgroup Manager and assigned to a computer group - just like the good old days. 😉


Unfortunately I am getting the impression due to a lack of success so far that trying to apply Login and Logout hooks this way does not still work for Mavericks and Yosemite clients. 😟 I can confirm that a file does appear at /Library/Managed Preferences/com.apple.mcxloginscripts.plist but this appears to have zero effect. 😢


Note: I have added the desired computers to a computer group being managed for MCX settings, and the fact that the file does appear implies that this part at least of MCX settings still works, i.e. a Mac bound to an Open Directory server as a client does read the MCX settings and download them. It is just it appears not to be then obeying them.


I would be grateful if anyone has a solution to this or as I suspect will be extremely unlikely an alternative approach that will fit my requirements.


At the moment the only solution I can currently see that will work is the fact that in this particular situation I can just about get away with just using the locally defined Login and Logout hooks. On a 'normal' Internet connected network I have been able to have the luxury of having two Login hooks - one local and one via Profile Manager. I even managed a clever cheat of using a custom Profile Manager setting and a launchd script to activate/deactivate a local Login hook.

Posted on Aug 3, 2015 10:27 AM

Reply
5 replies
User profile for user: John Lockwood
John Lockwood Author
User level: Level 6
13,679 points

Aug 3, 2015 2:01 PM in response to Grant Bennet-Alder

That article and the applying of permissions to a script file only apply to locally created and defined Login and Logout hooks, which as I mentioned I do have working successfully. They do not apply to pushing out the same via MCX managed preferences. If you do this in Workgroup Manager then the file is pushed out/created on the client via Open Directory. In fact strictly speaking the files do not exist as a script file since they are stored in the /Library/Managed Preferences/com.apple.mcxloginscripts.plist file itself.


So unfortunately it is not a permissions issue. 😟

Reply
User profile for user: VinceHunter
VinceHunter
User level: Level 1
0 points

Aug 13, 2015 11:51 AM in response to John Lockwood

John, I am experiencing the same problem that you are. It is very frustrating and Apple just doesn't seem to care anymore. I have had limited success using Workgroup Manager 10.9 on 10.9 server and managing 10.10.4 clients. There are several things that are broken, but I have been able to get a logout hook working for most machines. Why it does not work for all machines, I do not know, but my failure rate seems to be about 1 in 10. Are you using Workgroup Manager 10.9?

Reply
User profile for user: John Lockwood
John Lockwood Author
User level: Level 6
13,679 points

Aug 13, 2015 12:05 PM in response to VinceHunter

I have hit this problem off and on for quite a while but in the past I was able to use Profile Manager (as Apple intend) as a working solution. This time around as mentioned I have to manage a network with no possibility of Internet connectivity so Profile Manager is not an option.


I have mainly tried defining the setting via an older Workgroup Manager on an older server. I think I did look at it via the 10.9 version but will revisit that. As mentioned the login/logout hook scripts are being pushed to clients they are just being ignored by Yosemite clients. When I originally found this problem on a different network it was only affecting Mavericks clients and earlier OS versions like Mountain Lion worked. (That pre-dated the release of Yosemite.) So my theory is that Mavericks and later clients no longer respect this particular MCX setting even though it seems all others including folder-redirections still work for Mavericks and Yosemite clients.


My current workaround is to pre-install on all Macs the login/logout hooks scripts but to control the enabling of the scripts via another script which does a default write of the appropriate settings. That script the 'control' script, is triggered by a launchdaemon which looks for the creation of a plist file, the plist file is created by being a member of a computer group in Workgroup Manager and has a custom setting defined to define a simple boolean field in a plist. So if the computer is a member it gets that custom MCX setting which triggers the creation of the plist. The creation of the plist triggers the running of the launchdaemon which then runs my control script which then enables the login/logout hooks. If the computer is removed from that group the custom setting is also removed which means the plist gets deleted, this again triggers the launchdaemon which see the file no longer exists and then disabled the login/logout hooks.

Reply
User profile for user: VinceHunter
VinceHunter
User level: Level 1
0 points

Aug 13, 2015 12:19 PM in response to John Lockwood

You may want to try creating a new 10.9 server with 10.9 WGM unless you would prefer your alternative. I can verify that it still works correctly for Mavericks clients. I ran roughly 900 macs for a year using 10.9 clients with 10.9 server and 10.9 workgroup manager with nothing broken. 10.10 clients seem to be a bigger problem, some things have broken, but my logout hook still works on machines that Workgroup Manager is still able to control.

Reply

Login & Logout hooks and MCX settings

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up