Auto-Update Magic! Keep Mac Apps Current with the Casper Suite and AutoPkgr

elliotjordan
Contributor III

For those of you who weren't at JNUC this year, here are the notes and slides for my presentation, Auto-Update Magic:
https://github.com/homebysix/auto-update-magic

Here's the link to the latest version of AutoPkgr, which now supports direct JSS integration:
https://github.com/lindegroup/autopkgr/releases/latest

If you find a reproducible bug with AutoPkgr, please open or update an issue on GitHub:
https://github.com/lindegroup/autopkgr/issues

If you have feedback or questions, I'd love to hear from you here!

96 REPLIES 96

loceee
Contributor

Oh golly! Cool beans.

Simmo
Contributor II

Going to test this out, will let you know how I go!

hcodfrie
Contributor II

Looks great going to play with it today cheers

mrowell
Contributor

@elliotjordan Awesome work. I can't wait to watch your JNUC presentation video when it is released. In the mean time I've got some wonderful release notes to digest.

Thank You!

brandonusher
Contributor II

+1 This is amazing. Thank you for posting al the information!

ben_hertenstein
Release Candidate Programs Tester

Good presentation. Am hoping to put it to good use.

FritzsCorner
Contributor III

First I wanted to say that I enjoyed your presentation at JNUC. I have had a chance to download and install Autopkgr and I seem to be having a bit of an issue getting connected to my lab JSS. I am seeing the following error when I try to connect to the JSS.

Error getting distribution points
The Casper server's response could not be correctly interpreted.

Looking in the system.log file I see the following:

Oct 23 19:51:41 MacbookPro1 secd[558]: securityd_xpc_dictionary_handler AutoPkgr[21620] copy_matching The operation couldn’t be completed. (OSStatus error -34018 - client has neither application-identifier nor keychain-access-groups entitlements)
Oct 23 19:51:41 MacbookPro1 AutoPkgr[21620]: SecOSStatusWith error:[-34018] The operation couldn’t be completed. (OSStatus error -34018 - Remote error : The operation couldn't be completed. (OSStatus error -34018 - client has neither application-identifier nor keychain-access-groups entitlements))

This is a lab server with no production data and I am testing with an account that has full admin perms in the JSS just to see how things work. When I first try to connect to the JSS I get a mismatched certificate pop-up, which I chose to always trust. I have a feeling the answer to my problem is right in front of my face and I am simply missing it.

Any ideas?

bog
New Contributor

FritzsCorner I believe you need to setup API access in your JSS.

elliotjordan
Contributor III

Definitely check the API access levels first. Even if you've got full admin access to the JSS, that doesn't necessarily mean you have full Create/Read/Update/Delete access to the API. You'll need access to the following objects:

• Categories (C/R/U)
• Smart Computer Groups (C/R/U)
• Static Computer Groups (C/R/U)
• Computer Extension Attributes (C/R/U)
• Packages (C/R/U)
• Policies (C/R/U)
• Scripts (C/R/U)
• File Share Distribution Points (R)

If that doesn't fix it, then the next thing to check is the certificate. Although you may have trusted it manually, that doesn't necessarily mean that jss-autopkg-addon will too. If you run this command, it will tell the jss-autopkg-addon to ignore invalid SSL certificates:

defaults write com.github.autopkg JSS_VERIFY_SSL -bool false

Good for testing environments; not recommended for production.

emily
Valued Contributor III
Valued Contributor III

It's like Xmas!

FritzsCorner
Contributor III

@elliotjordan

I verified I have all the required API permissions and made sure I could run my own custom API scripts we use against the JSS. I also went ahead and set the JSS_VERIFY_SSL to false as well with no luck. I have tested this on a few clean builds so far so I am guessing my issue is with the JSS. I will try setting up another lab JSS over the weekend to see if that works.

Thanks again!

bauer_cole
New Contributor

I'm having a tad bit of trouble getting this running myself. After turning the JSS_VERIFY_SSL to false I get an error that I'm not sure what to do with. I feel so close to getting this up and running, and I'm super excited. Hopefully someone smarter than me will have some time to check my error and give me a hand. Here is a link to a txt file containing the error:

https://dl.dropboxusercontent.com/u/1219256/autopkgrJSSerror.txt

Thanks in advance for any help that may come!
Cole

EDIT: After some testing on my own, I found that the issue is probably in mounting the SMB share it is trying to mount. I am unable to mount it manually using the command in the logs that throws the error. But if I edit that line to remove the port number (:139) I can manually mount the share. Do I have some configuration wrong on my server maybe? I don't see where I could change anything obvious to fix it. Anyway, any suggestions appreciated!

EDIT 2: Figured it out. In the JSS you set the default port for a Dist. Point and for some reason it was set to 139. Changed to 445 and connection goes through.

jlejeune
New Contributor

First, this has changed my world.

Im currently trying to create override on Numbers, Keynote, and Pages and it will not create.

What am I missing or not understanding?

Shawn_Waller
New Contributor II

So either i dont have any clue what im doing or im doing something stupid lol. I cant get the Casper Suite Integration setup with the JSS on the Cloud. i keep getting an error when putting in the URL and username and password....

Thanks guys!

bentoms
Release Candidate Programs Tester

Paging @adamcodega

Stubakka
Contributor II

Hello all, I have been playing around with this today on my test JSS enviroromnt but i run into this issue, it seems that Autopkgr gets stuck at talking to my JSS distro share, This is what terminal is saying when i manually run a command to process a package.

zaen1kleug:~ administrator$ autopkg run Firefox.jss
Processing Firefox.jss...
Traceback (most recent call last): File "/usr/local/bin/autopkg", line 1334, in <module> sys.exit(main(sys.argv)) File "/usr/local/bin/autopkg", line 1328, in main exit(subcommands[verb]['function'](argv)) File "/usr/local/bin/autopkg", line 1152, in run_recipes autopackager.process(recipe) File "/Library/AutoPkg/autopkglib/init.py", line 466, in process self.env = processor.process() File "/Library/AutoPkg/autopkglib/init.py", line 295, in process self.main() File "/Library/AutoPkg/autopkglib/JSSImporter.py", line 571, in main ssl_verify=sslVerify, repo_prefs=repos) File "/Library/Python/2.7/site-packages/jss/jss.py", line 166, in init self.distribution_points = distribution_points.DistributionPoints(self) File "/Library/Python/2.7/site-packages/jss/distribution_points.py", line 58, in init self.response = j.DistributionPoint().retrieve_all() File "/Library/Python/2.7/site-packages/jss/jss.py", line 314, in DistributionPoint return self.factory.get_object(DistributionPoint, data) File "/Library/Python/2.7/site-packages/jss/jss.py", line 451, in get_object result = self.jss.get(url) File "/Library/Python/2.7/site-packages/jss/jss.py", line 193, in get response = self.session.get(url) File "/Library/Python/2.7/site-packages/jss/contrib/requests/sessions.py", line 460, in get return self.request('GET', url, *kwargs) File "/Library/Python/2.7/site-packages/jss/contrib/requests/sessions.py", line 448, in request resp = self.send(prep, *send_kwargs) File "/Library/Python/2.7/site-packages/jss/contrib/requests/sessions.py", line 554, in send r = adapter.send(request, **kwargs) File "/Library/Python/2.7/site-packages/jss/contrib/requests/adapters.py", line 417, in send raise SSLError(e, request=request)
jss.contrib.requests.exceptions.SSLError: [Errno 1] _ssl.c:504: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

lashomb
Contributor II
Hello all, I have been playing around with this today on my test JSS enviroromnt but i run into this issue, it seems that Autopkgr gets stuck at talking to my JSS distro share, This is what terminal is saying when i manually run a command to process a package.

Seeing the same here. Running JSS 9.6.1 on OS X 10.8.5 Server.

emily
Valued Contributor III
Valued Contributor III

I was under the impression that AutoPKGr doesn't support multi-context environments (including cloud-hosted JSS instances). I'm curious to know if it integrates with a JDS-only distribution set-up, as the JSS creates a random password for the JDS so it wouldn't be something one could enter when prompted.

adamcodega
Valued Contributor

I'm not sure about multi-context environments, but we are testing a beta for JAMF Cloud hosted JSSes, like mine. In fact I brought it up on the issues board.

If you have a multi-instance environment, use an AWS DP (not currently supported), or have errors in your log, please post online! (Turn on verbose logs in AutoPkgr, open console.app, and filter via the search bar for "AutoPkgr") I don't want to recommend flooding their GitHub page but if you find what can be called a bug I would post to the issues board.

adamcodega
Valued Contributor

@Shawn.Waller Can you post your AutoPkgr user permissions and are you getting at least a yellow light when you type in your JSS URL? Do they match the permissions in the guide (Covered in Step 2)?

lashomb
Contributor II

Edit, misread posting... reply deleted.

page_229
New Contributor II
Hello all, I have been playing around with this today on my test JSS enviroromnt but i run into this issue, it seems that Autopkgr gets stuck at talking to my JSS distro share, This is what terminal is saying when i manually run a command to process a package.

Could this be because SSLv3 is disabled?

Stubakka
Contributor II

let me get this out of the way just incase this is a stupid mistake, the instance of Autopkgr is running on an OS X 10.9 Mac Pro server, the JSS server is running on ubuntu server, in a Vm, setup to have a actual IP address on the network *bridged*, the share I have is linked back to a shared folder on the OS X server and is mapped in the JSS to that shared folder using AFP.

So the Autopkfr instance is running on the same OS X server where the JSS distribution point is mapped to.

Not sure if this matters or not but trying to clarify myself, and yes this is a Test environment for learning Casper for me.

lashomb
Contributor II

@Gabriel.Duff What version of the JSS? I'm wondering if the 9.6.1 updates for the Poodle SSL fixes are affecting this.

Stubakka
Contributor II

@lashomb yes its 9.6.1

Shawn_Waller
New Contributor II

@adamcodega, Here is how i have it setup and it will not connect, Everything looks correct in the JSS according to the steps on the doc.

external image link
external image link

adamcodega
Valued Contributor

@Shawn.Waller Whoops! I forgot us JAMF Clouders need to run the AutoPkgr beta released after discussing JAMF Cloud with Eldon. You can find the link here.

Shawn_Waller
New Contributor II

Awesome thanks!

adamcodega
Valued Contributor

As you can see in my discussion I still don't have it working 100% but I'm excited to help contribute to the project. Let us know how it works for for you too.

Shawn_Waller
New Contributor II

For sure! Will do.

eahrold
New Contributor

For all with the ssl handshake issue, see this post https://github.com/sheagcraig/jss-autopkg-addon/issues/9#issuecomment-61490994

elliotjordan
Contributor III

@bauer.cole, glad you were able to get it to work!

@jlejeune, you'll want to learn more about @nmcspadden's AppStoreApp recipe. This isn't something I've used yet, but his readme seems like a good primer.

@Gabriel.Duff @lashomb @emilykausalik You're right, we don't yet support cloud-hosted JSS. We'd like to release an update soon that will address this. If any developers want to help, find us on GitHub.

eahrold
New Contributor

@Shawn.Waller try using

https://sirva.jamfcloud.com

instead of

https://jss.jamfcloud.com/sirva

Shawn_Waller
New Contributor II

@eahrold never knew that url! Thanks!! I will give it a shot.

eahrold
New Contributor

@Shawn.Waller, no problem.

Actually I just realized that may not work for everyone, that's the way we have it set up for the AutoPkgr dev team, where it redirects from

https://jss.jamfcloud.com/autopkgr --> https://autopkgr.jamfcloud.com

And the API won't work with the first.

But in some other tests I found it's not redirected, but it's worth a shot if you're still not able get it going with the build on my fork's page https://github.com/eahrold/autopkgr/releases/tag/1.1.1-bugfix

jennifer
Contributor

Is there a version requirement on the JSS? Its working on my test machine but not on production (which is out of date).

Thanks!

elliotjordan
Contributor III

I've tested on 9.30 through 9.51. I understand there were some problems with 9.6 because SSLv3 had been disabled, but there's a fix circulating.

jennifer
Contributor

Further testing is giving me two different issues:

First, regardless of the JSS version, Autopkgr is giving me url errors, even though I've saved the proxy information to the plist.

Can't open URL http://update.videolan.org/vlc/sparkle/vlc-intel64.xml Failed.

and

Couldn't download https://dl.google.com/chrome/mac/stable/GGRO/googlechrome.dmg: <urlopen error Tunnel connection failed: 407 Proxy Authentication Required> Failed.

Then second, I went to terminal to run a recipe on the 9.25 version of the JSS and get the following. (There is no such error on the 9.6 JSS)

PkgCreator: Package already exists at path /Users/username/Library/AutoPkg/Cache/local.jss.Firefox/Firefox-33.1.pkg.
PkgCreator: Existing package matches version and identifier, not building.
JSSImporter
Traceback (most recent call last):
  File "/usr/local/bin/autopkg", line 1334, in <module>
    sys.exit(main(sys.argv))
  File "/usr/local/bin/autopkg", line 1328, in main
    exit(subcommands[verb]['function'](argv))
  File "/usr/local/bin/autopkg", line 1152, in run_recipes
    autopackager.process(recipe)
  File "/Library/AutoPkg/autopkglib/__init__.py", line 466, in process
    self.env = processor.process()
  File "/Library/AutoPkg/autopkglib/__init__.py", line 295, in process
    self.main()
  File "/Library/AutoPkg/autopkglib/JSSImporter.py", line 571, in main
    ssl_verify=sslVerify, repo_prefs=repos)
  File "/Library/Python/2.7/site-packages/jss/jss.py", line 166, in __init__
    self.distribution_points = distribution_points.DistributionPoints(self)
  File "/Library/Python/2.7/site-packages/jss/distribution_points.py", line 75, in __init__
    dp = AFPDistributionPoint(URL=URL, port=port, share_name=share_name, mount_point=mount_point, username=username, password=password)
UnboundLocalError: local variable 'password' referenced before assignment

Any suggestions are appreciated.

tycho
New Contributor II

Just set up a test. Looks really good. Thanks a lot.
Being new to autopkg; What would be the easiest way to make two polices for the same application?
Say that I'd like to have a fresh Firefox as a self-service policy for everyone (no problem with that) and an auto-update policy for Firefox (no problem with that either). What I'm looking for is the easiest way to clone the Firefox.jss recipe so I can use it for dual purposes. Or would it be possible to have both policies done with the same recipe?