AppStore without Admin rights.

Not applicable

Hi all.

Without opening the argument of 'why would you', we've worked out a way to give our users access to the AppStore without requiring admin access. We use a second managed account and some login/logout hooks.

Would people be interested in a howto? Right now my instructions are confusing, but I'll neaten them up and post them if people want them.

Cheers,

Lee Oliver
Network Administrator
Mount St Joseph Girls College

6 REPLIES

jszaszvari
New Contributor III

Lee

This would be wonderful, I would love to know how this is done.

John

SeanA
Contributor III

Lee,

Yes, I would be interested.

Sean
~~~~~~~~~
Sean Alexander
Desktop Analyst
Macintosh Services Delivery
Lockheed Martin - Enterprise Business Services
817-763-3259 (desk)
817-655-9153 (fax)
~~~~~~~~~

ernstcs
Contributor III

I was wondering if you could just run the open command for the AppStore
APP in SelfService and it would work? Similar to doing that for Software
Update...

Craig E

ernstcs
Contributor III

Well, initial testing suggests this could work. Either the AppStore is
having issues right now or this method is just very inconsistent.

Regardless, I was able to launch Self Service, click the policy, AppStore
launched, and I installed Evernote without being prompted for admin.

Like I mentioned, I keep getting lots of errors though when I try to
verify with other Apps.

See screens. Use at your own risk. Nice though, cuz you can easily scope
to particular users or computers with a policy. Note that until the
AppStore app is quit the policy appears to continue to be running. You
could put an & at the end of that command to background it.

If someone else has time to test this and it works, it would be nice to know.
I think I'm losing my mind...

Cheers.

Craig E

![external image link](attachments/ca905ceef6cc41e5a6b7a38bf59182ef)
![external image link](attachments/4a4ee43eb3554c8a98421ccb9166ca15)

ernstcs
Contributor III

Seeing these come in now as well...

An error occurred executing the policy "Run Mac AppStore as Admin" on the
computer "LTS2653562x".

Event log from the policy:

/usr/sbin/jamf is version 8.0
Executing Policy Run Mac AppStore as Admin...
Running command /Applications/App Store.app/Contents/MacOS/App Store...
Result of command:
Thu Jul 28 13:00:52 LTS2653562x.local App Store[39584] <Error>: CGBitmapContextGetBitsPerComponent: invalid context 0x100356720
This isn't a bitmap context. Forcing destination format to ARGB_8 for CGContext.
Thu Jul 28 13:00:52 LTS2653562x.local App Store[39584] <Error>: CGBitmapContextGetBitsPerComponent: invalid context 0x100356720

Not applicable

Trying this ourselves, we found both this and using sudo to be very inconsistent.

A few considerations: We didn't want our users to need a new password. Once logged in as the 'appstore' user, we didn't want our users to be able to get out of Simple Finder mode. So on login, Casper adds a password, which isn't required for AppStore downloads. On logout, Casper removes both the password and admin rights for the 'appstore' user. This prevents smart little children from using the 'appstore' user to install under their own accounts.

So far this seems pretty secure. If anyone has any tips or hints, I'd love to hear them.

Lee Oliver
Network Administrator
Mount St Joseph Girls College

Here is what I came up with:

  1. Create Casper login policy
    Create a policy (including make available offline) to execute the commands:
    dseditgroup -q -o edit -a appstore -t user admin; dscl . -passwd /Users/appstore "asdf"

  2. Create Casper logoff policy
    Create a policy (including make available offline) to execute the commands:
    dseditgroup -q -o edit -d appstore -t user admin; dscl . -passwd /Users/appstore ''

  3. Create Parental Control Template
    I used the user appstore with Simple Finder, only allow Appstore and Safari.
    Export using: dscl . -mcxexport /Users/appstore > /tmp/appstore.xml
    Copy this to your JSS scripts folder.

  4. Run setup script.
    I schedule this in Casper to run once per machine. Change to use your JSS server.

<script>
#!/bin/bash

#
# Setup AppStore user script
#

# Create local user appstore with no password
/usr/sbin/jamf createAccount -username "appstore" -realname "Install AppStore Apps" -password "" -home /Users/appstore -shell /bin/bash

# Download appstore.xml file from JSS to client tmp folder
# Modify for your JSS. --fail keeps an HTTP error page from being saved
# and then imported as parental control settings.
/usr/bin/curl --fail -o /tmp/appstore.xml http://jss.example.com:80/CasperShare/Scripts/appstore.xml || exit 1

# Import appstore parental control settings
/usr/bin/dscl . -mcximport /Users/appstore /tmp/appstore.xml
</script>
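
An added check for the setup described in this thread (not part of any poster's code): the design depends on the logout policy removing the 'appstore' account from the admin group, so this reports when that grant is still present with no 'appstore' session at the console. The function names, the `student1` and `ladmin` accounts and the sample membership line are constructed for illustration.

```bash
#!/bin/bash
# Audit the 'appstore' helper account used by the login/logout policies above.
# Input is the text printed by:  dscl . -read /Groups/admin GroupMembership
# plus the short name of the user currently at the console.

# Exit 0 if user $1 is listed in the GroupMembership line $2.
# Runs in a subshell so 'set -f' does not leak into the caller.
in_admin_group() (
    set -f    # no glob expansion while word-splitting the member list
    # Drop the "GroupMembership:" key, then compare whole names only,
    # so "appstore2" or "myappstore" never match "appstore".
    for m in ${2#GroupMembership:}; do
        [ "$m" = "$1" ] && exit 0
    done
    exit 1
)

# Print OK, ACTIVE or STALE for the helper account.
#   $1 = helper account   $2 = console user   $3 = GroupMembership line
audit_helper() {
    if ! in_admin_group "$1" "$3"; then
        echo "OK"        # not an admin: the logout policy did its job
    elif [ "$2" = "$1" ]; then
        echo "ACTIVE"    # admin during its own session: expected by this design
    else
        echo "STALE"     # admin with no helper session: logout policy was missed
    fi
}

# Constructed sample input (not taken from a real machine).
sample='GroupMembership: root ladmin appstore'
audit_helper appstore student1 "$sample"

# On a managed Mac, feed it live values instead:
#   audit_helper appstore "$(stat -f%Su /dev/console)" \
#       "$(dscl . -read /Groups/admin GroupMembership)"
```

A STALE result means the account still has admin rights and the password set by the login policy, so the logoff policy commands should be re-run on that machine.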