Posted on 02-25-2013 05:51 AM
Hi,
Any way to allow non-admins to run system updates through the App Store? We have a working SUS that works great (so far), and would love to just have kids fire up the App Store app and install the updates that way instead of through Self Service.
Thanks!
Steve
Posted on 02-25-2013 06:04 AM
You'll need to fire off AppStore with Self Service. You may want to further limit AppStore to updates only via this:
http://support.apple.com/kb/HT5391
Posted on 02-25-2013 06:11 AM
I can't get into that link with my Apple ID? I must not be special enough.
Posted on 02-25-2013 06:26 AM
Doesn't seem to be special for me or anything.
Posted on 02-25-2013 06:37 AM
Parallel thread here, where Greg Neagle posted a link to a session in which he demonstrates exactly how to do this:
https://jamfnation.jamfsoftware.com/discussion.html?id=5527
Posted on 02-25-2013 07:16 AM
Jared, seems to be working for me now... not sure what was up with that... Thanks!
Posted on 02-25-2013 07:17 AM
Thanks for the video link Tim, I will check out both ideas here.
Posted on 02-25-2013 10:24 AM
With 10.8 you could try and change the rule from "root or entitled admin or authenticate admin" to "allow":
/usr/libexec/PlistBuddy -c 'Set :rights:system.install.app-store-software:rule allow' /etc/authorization
/usr/libexec/PlistBuddy -c 'Set :rights:system.install.apple-software:rule allow' /etc/authorization
/usr/libexec/PlistBuddy -c 'Set :rights:com.apple.SoftwareUpdate.scan:rule allow' /etc/authorization
killall Finder
I don't have a system that has updates available at the moment to see if it asks for any more authentication beyond that.
This will just bypass the admin username and password that pops up when you click on Updates in the App Store.
Also, the rule "allow" opens it to everyone; you could further scope it by changing "allow" to another group.
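To check what the commands in the post above actually left in place, rather than waiting for an update prompt, this added example (not part of any post in this thread) reads an authorization plist and reports, for the three rights named there, whether the rule is "allow", something else, or absent. The sample plist and the "admin-only" rule name are constructed; on a real system you would pass in the bytes of /etc/authorization.

```python
import plistlib

# Rights named in the post above; their rule decides who may run the action.
WATCHED_RIGHTS = (
    "system.install.app-store-software",
    "system.install.apple-software",
    "com.apple.SoftwareUpdate.scan",
)

# Constructed sample in the layout PlistBuddy addresses as :rights:<name>:rule.
# "admin-only" is a placeholder, not a real rule name.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.install.app-store-software</key>
    <dict><key>class</key><string>rule</string><key>rule</key><string>allow</string></dict>
    <key>system.install.apple-software</key>
    <dict><key>class</key><string>rule</string><key>rule</key><string>admin-only</string></dict>
  </dict>
</dict>
</plist>"""


def audit_rights(plist_bytes, watched=WATCHED_RIGHTS):
    """Map each watched right to 'missing', 'open' or 'restricted:<rule>'."""
    rights = plistlib.loads(plist_bytes).get("rights", {})
    report = {}
    for name in watched:
        entry = rights.get(name)
        rule = entry.get("rule") if isinstance(entry, dict) else None
        if rule is None:
            # The case PlistBuddy's Set reports as "Does Not Exist".
            report[name] = "missing"
        elif rule == "allow":
            report[name] = "open"  # no admin prompt for any user
        else:
            report[name] = "restricted:" + str(rule)
    return report


if __name__ == "__main__":
    for right, status in audit_rights(SAMPLE).items():
        print(f"{status:<24} {right}")
```

Running the same check before and after a change shows which rights were opened to everyone and which entries were never present in the file.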
Posted on 06-24-2013 09:03 AM
I tried your code above and I am getting this result:
Script result:
Set: Entry, ":rights:system.install.app-store-software:rule", Does Not Exist
File Doesn't Exist, Will Create: /etc/authorization
Set: Entry, ":rights:system.install.apple-software:rule", Does Not Exist
Set: Entry, ":rights:com.apple.SoftwareUpdate.scan:rule", Does Not Exist
No matching processes were found
Posted on 06-24-2013 09:06 AM
If the /etc/authorization file is missing, you've got serious problems.
Posted on 06-24-2013 11:21 AM
I'm going to image a machine again and check this. The script is running on an unbooted image made with instadmg. Is it possible that because the machine has never been logged onto when the script ran, the file had not been created yet? Sorry, pretty ignorant about this. We have had no issues with our machines, so I would expect if we had 'serious problems' I would have seen a problem by now.
Posted on 06-24-2013 11:56 AM
@Aaron. Try prefixing those PlistBuddy commands with "sudo".
Posted on 06-24-2013 12:19 PM
Posted on 06-24-2013 12:20 PM
Will do. The file is definitely there. I think it may be syntax errors on my part.
Posted on 06-24-2013 12:22 PM
Thanks, that linked discussion is helpful. I will see how it goes.
Posted on 06-24-2013 12:27 PM
@Aaron.. I was thinking syntax too.
But the link that Tim gave contains the link to Apple's "approved" way... I'd probably lean that way.
(I was carping on about /etc/authorization in that thread too).