Building packages vs. scripted installs - pros & cons?

macservit
New Contributor III

We are an MSP that supports about 20 unique Mac clients. I've been in the process of moving many of our clients' management functions from Datto RMM to Jamf MDM over the last year or so (with an increased urgency after the recent Kaseya RMM exploit this summer). As such, I've been porting over many BASH scripts that will download and run PKG- and DMG-based installers on the managed Macs. The preference is to download the most current installer directly from the developer site, and we host the installers in our own repo when that isn't a practical option (behind a login, no direct DL link, etc). Things are working great. Obviously we start running into limitations when talking about apps like Adobe CC, but aside from those, are there any other benefits to building custom packages for Jamf (Composer, AutoPKG, PKGmaker, etc) instead of continuing to use my current scripting methods? Just seems like a lot of extra work to go the custom pkg route...

Thanks in advance for the feedback

1 ACCEPTED SOLUTION

AVmcclint
Honored Contributor

I don't think there is a perfect solution. Your points for scripted installs are valid. Your scripted method of obtaining the updated apps talks directly to the vendor's servers, which should make everyone feel warm and fuzzy. However, there have been recent incidents where hackers got access to those servers and inserted their own hacked version into the official channel when the old versions would autoupdate directly from the vendor's servers. One way to mitigate that might be to build CRC checks into your scripts, but then that adds extra overhead. And what if it fails the check, then what? If I manually go to the Mozilla website (for example) and download the app, then package it up and put it in Jamf for deployment, I at least have a good grasp on how many machines got THAT package. With the script-based solution in the hacked scenario, there's no way to tell.

Another drawback to scripted installs is that the vendor may not have a great internet connection. I've encountered situations where Vendor X had horrible download speeds year-round no matter where I tried to connect from. So in those instances, I bite the bullet and wait the 30 minutes to download a 20MB file, then I can package it and upload it to Jamf, and then everyone gets it at a faster speed than if ALL our users had to go out and get it themselves.

3 REPLIES

macservit
New Contributor III

Thanks @AVmcclint those are very valid points. I appreciate your time in responding and will definitely consider the security implications moving forward...

Louie
New Contributor III

I script my installs where I can. I verify the developer cert on the pkg before running it. I think this method is superior, imho, to either building your packages or using an autopkg workflow.