Wednesday - last edited Wednesday
All of the installers that are published in App Installers have always gone through a validation and testing process before a new version is published to the service; however, this process has now been strengthened further with our recent integration with the Jamf Threat Labs Malware Threat Database. This recent integration provides even further validation of a particular version of a software title by scanning it for signs of known malware, using the same mechanisms as our threat researchers, before it can be published to App Installers.
Another change that we are about to start rolling out is beginning to replace the mechanism that controls how App Installers actually performs the installation on an end user Mac. The current process is that a team at Jamf sources the media for a software title from a vendor, often having to repackage it so that it can be deployed via App Installers, and then it is bundled up with a LaunchDaemon and a notification binary in one package, digitally signed and then pushed out to an end user Mac via the InstallEnterpriseApplication MDM command. Once the Mac receives the MDM command, it downloads the installer from a Jamf storage source and unpacks it, and then the LaunchDaemon is started to perform the installation process itself.
There have been a number of limitations with this process that have prevented us from adding a large number of highly requested titles to the App Installers service. These have included the inability to add multiple packages in an installation process, which is required when a vendor only provided a delta updater for a particular version. This has meant that we have been unable to provide the latest version of a title in App Installers until the next time that the vendor released a full installer. There have also been non-technical reasons that have prevented us from repackaging or hosting installation media for specific titles.
The first change that we will be making to the installation process is to replace the current LaunchDaemon with a new binary. This binary will allow us to reuse installation media from the vendor without the need to repackage in most cases. It will also allow us to support multiple package install processes where a previous version must be deployed first and then updated via a delta updater. This will ensure that we can publish the latest version of a title, even if the vendor has only provided a delta updater for that version.
The new App Installers binary will also support another change that we will start rolling out over the coming months, which is the ability for the end user computer to download the media directly from the original vendor and then perform the install. In this workflow the App Installers binary is deployed to the end user Mac via the InstallEnterpriseApplication MDM command as per usual; however, instead of having the installation media bundled in with the package, an installation manifest file is provided that contains the URL from which the media is to be downloaded and other details that will allow the binary to check the integrity of the downloaded package to ensure that it should be trusted before performing the installation. This includes the details that we display in the metadata within an App Installers deployment window such as developer ID, media checksum, etc. The binary will download the media from the original vendor and, if it passes the integrity checks, will perform the installation.
Whilst we intend to replace the current App Installers LaunchDaemon with the new binary in all of the titles over a period of months as new versions are published via the vendors, we plan to roll out the external URL download support initially to the titles that we have previously been unable to add to the App Installers service. To help our Jamf Pro admins identify which titles are being supplied via the external URL method, we have added a new metadata field that shows the Media source. This metadata field was added in the Jamf Pro 11.14 release. The Media source field will either display a value of ‘Jamf server’ or ‘External URL’. The actual download URL would be the value that we currently display in the Media source URL field. We have always displayed the URL of where we have sourced the original media from, even in the instances where we have had to repackage it. We will also display a message in a prominent banner at the top of the App Installers deployment page in Jamf Pro to draw an admin's attention to the fact that the title will be deployed from an external URL. This will help Jamf admins to be fully informed of the source of the installer should further testing and validation be required before that title is rolled out to your production environment. This Media source metadata is also available to be enabled for display on the summary view of App Installers so that admins can easily identify which of their deployments are utilising either a Jamf server or an External URL.
With these changes we are aiming to provide more of the titles that you have requested. As a reminder, if there is a title that you would like to see added to App Installers, you can go to https://ideas.jamf.com and either upvote an existing request for the title you require or create a new request if the title hasn’t been requested by anyone else. You can do this by clicking on the ADD A NEW IDEA button and selecting the App Catalog / Installers (for Pro, School and Now) option as the product type for the request.
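For admins who want to validate an External URL title themselves before production rollout, the following is an added example, not Jamf's code or manifest format, that checks a downloaded package against the values shown in the deployment metadata. The manifest keys (`url`, `sha256`, `team_id`) and the use of SHA-256 are assumptions; the signature text is a constructed sample of `pkgutil --check-signature` output.

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Constructed sample of `pkgutil --check-signature` output (not a real package).
SAMPLE_PKGUTIL_OUTPUT = '''Package "Example.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Certificate Chain:
    1. Developer ID Installer: Example Corp (ABCDE12345)
'''

def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so large installers are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def team_id(pkgutil_output):
    """Return the team ID of the leaf Developer ID Installer certificate, or None."""
    m = re.search(r"^\s*1\. Developer ID Installer: .*\(([A-Z0-9]{10})\)\s*$",
                  pkgutil_output, re.M)
    return m.group(1) if m else None

def check_media(path, manifest, pkgutil_output):
    """Return a list of failures; an empty list means every check passed."""
    failures = []
    url = urlparse(manifest["url"])  # hypothetical manifest key
    if url.scheme != "https" or not url.hostname:
        failures.append("media URL is not HTTPS")
    expected = manifest["sha256"].strip().lower()  # assumed checksum algorithm
    if not hmac.compare_digest(sha256_file(path), expected):
        failures.append("checksum mismatch")
    if "Status: signed by a developer certificate issued by Apple" not in pkgutil_output:
        failures.append("package is not Developer ID signed")
    if team_id(pkgutil_output) != manifest["team_id"]:
        failures.append("unexpected developer team ID")
    return failures

if __name__ == "__main__":  # macOS only: python3 check.py Title.pkg manifest.json
    import json, subprocess, sys
    pkg, manifest_path = sys.argv[1:3]
    out = subprocess.run(["pkgutil", "--check-signature", pkg],
                         capture_output=True, text=True).stdout
    print(check_media(pkg, json.load(open(manifest_path)), out) or "all checks passed")
```
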
Thursday
Important information. Thanks for the update. Might be nice to have this pinned so it doesn't get buried.
Friday
Assuming that the external URL download method will still run from Self Service, so that standard users are able to install those packages?