Posted on 03-18-2021 08:45 AM
Hello everyone, I would like to know if it is possible to deploy pkg from a url. The reason I'm asking is because the linked url contains a version of the pkg that automatically logs in our agent.
If I simply download the pkg of the agent and store it on a cloud or other distribution point, it simply installs a generic agent which then needs to be logged into. You can understand how it’d be problematic to log into every computer individually after the agent has been installed.
Atera has a terminal command that allows one to download an instance of their agent with a url. This instance automatically logs in the user into the linked Atera environment upon completion of the install through terminal.
Does anyone know of a way to use Jamf Pro to ease that process so the agent of the url can be deployed on computers rather than the generic one from the pkg file?
Thank you.
Posted on 03-18-2021 09:15 AM
you can use the curl command like this in a script: curl "https://url.com/PathToInstaller.pkg" -o /tmp/installer.pkg
and then run installer -pkg /tmp/installer.pkg -target /
assuming you don't have to login to get the pkg. if you do, you'll need to add in the username/password to your curl command.
Posted on 03-18-2021 10:00 AM
Thank you. The command given looks like this:
http://enterprisename.atera.com/GetAgent/mac/0035z00008xcPuhATE/59
When I copy/paste the link into a browser, it actually downloads an sh file and not a pkg.
If I copy/paste the entire command in terminal
sudo curl "http://enterprisename.atera.com/GetAgent/mac/0035z00008xcPuhATE/59" | sudo bash
It installs the agent directly on the machine without me having to do anything else. Is there any way I could automate this on Jamf? I tried copy/pasting the command in the script policy but got error 23 and the agent did not install on the target machine.
Posted on 03-18-2021 12:06 PM
Have you tried creating a new policy and putting the command here:
New Policy > Files and Processes > Configure > Execute Command
Jamf policies automatically execute with admin rights, so you can drop both sudos.
Also, CURL error 23 is a write failure to the local disk, so wherever it's running might not have file permissions. So to modify @DBrowning's suggestion, use the following command above:
curl "http://enterprisename.atera.com/GetAgent/mac/0035z00008xcPuhATE/59" -o /tmp/atera.sh; bash /tmp/atera.sh
Posted on 03-18-2021 12:07 PM
I was just going to suggest what @PhillyPhoto posted.
Posted on 03-18-2021 12:45 PM
Hello, I just tried a new policy within Files and Processes and tried the suggested command above and got the same error message.
Posted on 03-18-2021 12:56 PM
try using: curl "http://enterprisename.atera.com/GetAgent/mac/0035z00008xcPuhATE/59" -o /tmp/atera.sh && bash /tmp/atera.sh
Posted on 03-18-2021 02:19 PM
Finally worked after one million methods. Thank you so much.
Posted on 03-19-2021 07:33 AM
One thing I noticed is that it works on Mojave but not Catalina. Pretty much back to square 1.
Further digging tells me it might be something with the default shell? It's a bash script whereas Catalina uses zsh which might be causing compatibility issues?
Edit: Also discovered this:
"With macOS Catalina, you can no longer store files or data in the read-only system volume, nor can you write to the "root" directory ( / ) from the command line, such as with Terminal."
Posted on 03-19-2021 10:25 AM
@user-uArBIPgPMp The default shell doesn't matter as you are telling the script to run with bash. Are you using the command you posted above or are you putting the file in some other location? The /tmp location is a usable location. You may need to specify /private/tmp.
Posted on 03-19-2021 10:31 AM
I am using this command
curl "http://enterprisename.atera.com/GetAgent/mac/0035z00008xcPuhATE/59" -o /tmp/atera.sh; bash /tmp/atera.sh
Posted above. I get the same error. I will try /private/tmp to see if it makes any difference. The command works on Mojave but not Catalina. Also, perhaps this was not clear but I am doing this with the Jamf policy. I choose either a script or by executing the command with Files and Processes. Neither works and both give the same result.
Posted on 03-19-2021 10:51 AM
Tried again adding /private to the file path and same error.
Posted on 03-19-2021 11:00 AM
I know we've had a couple different versions of the command, but have you tried putting just this command in the Files & Processes.
curl "http://enterprisename.atera.com/GetAgent/mac/0035z00008xcPuhATE/59" | bash
Posted on 03-19-2021 11:24 AM
Thank you for the quick response. Same thing. It seems it's really a write permission with Catalina.
Warning: Failed to create the file AgentInstaller.pkg: Read-only file system
0 5510k 0 15962 0 0 13596 0 0:06:54 0:00:01 0:06:53 13596
curl: (23) Failed writing body (0 != 15962)
Posted on 03-19-2021 11:27 AM
But if you manually run the command it's working fine? Only via Jamf it's failing?
Posted on 03-19-2021 11:31 AM
Yes. If I do it on the computer directly, it works no problem. On Jamf, the same command does not. Whether with the script or by executing it through Processes and Files.
Posted on 03-19-2021 11:38 AM
That leads me to believe it's something in the script that downloads. Since I don't have access, I can't take a look and try and figure it out.
Posted on 03-19-2021 11:49 AM
If I copy the url in the command into a browser, it downloads an sh file with this script:
[ -f "/Library/Application Support/com.atera.ateraagent/regstore.json" ] && rm "/Library/Application Support/com.atera.ateraagent/regstore.json";mkdir -p "/Library/Application Support/com.atera.ateraagent" && echo '{"CompanyId": “78”, "IntegratorLogin": “name@domain.com}’ >> "/Library/Application Support/com.atera.ateraagent/regstore.json" && curl -L -o 'AgentInstaller.pkg' "https://Production.atera.com/GetAgent/mac/?0022z00003xcPuhBHE" && (sudo installer -pkg ./AgentInstaller.pkg -target /)
Posted on 03-19-2021 01:05 PM
Can you please repost the script but using the code block. To do this, click on the >_ icon just above the text box. Put the code in the section that gets highlighted.
Posted on 03-19-2021 01:15 PM
#!/bin/bash
[ -f "/Library/Application Support/com.atera.ateraagent/regstore.json" ] && rm "/Library/Application Support/com.atera.ateraagent/regstore.json";mkdir -p "/Library/Application Support/com.atera.ateraagent" && echo '{"CompanyId": “78”, "IntegratorLogin": “name@domain.com}’ >> "/Library/Application Support/com.atera.ateraagent/regstore.json" && curl -L -o 'AgentInstaller.pkg' "https://Production.atera.com/GetAgent/mac/?0033z00002xcPuhBHE" && (sudo installer -pkg ./AgentInstaller.pkg -target /)
Here it is.
Posted on 03-19-2021 01:36 PM
The way the command is running it's trying to write where it doesn't have permissions. When you run the command locally, it's using the path at which your logged in user is on. (/Users/uname).
I'm sure you did some cleansing of the script and there must be something missing. But I was able to get a script that should work for you after you fill in the correct info after the echo line. So you'll use this script payload instead of the File & Processes payload.
#!/bin/bash
if [ -f "/Library/Application Support/com.atera.ateraagent/regstore.json" ]; then
rm "/Library/Application Support/com.atera.ateraagent/regstore.json"
fi
mkdir -p "/Library/Application Support/com.atera.ateraagent"
echo '{"CompanyId": "78", "IntegratorLogin": "name@domain.com"}' >> "/Library/Application Support/com.atera.ateraagent/regstore.json"
curl -L -o '/tmp/AgentInstaller.pkg' "https://Production.atera.com/GetAgent/mac/?0033z00002xcPuhBHE"
installer -pkg /tmp/AgentInstaller.pkg -target /
Posted on 03-19-2021 02:02 PM
Thanks a lot for your help. I replaced your script with the right information but got an error message again.
Script result: /Library/Application Support/JAMF/tmp/Atera Script: line 11: unexpected EOF while looking for matching `''
/Library/Application Support/JAMF/tmp/Atera Script: line 14: syntax error: unexpected end of file
Error running script: return code was 2.
What would be the alternatives to correct the permission problems?
Posted on 03-19-2021 02:15 PM
Make sure you are not missing a " around the email address on the echo line.
Posted on 03-22-2021 08:51 AM
I corrected it and the install works. I'm however stuck with the same problem, it's just a generic installer without a login.
At this point I will need to figure out how to make the agent log in to my account after I have deployed it. This sounds very tricky and specific but is my only option at the moment.
Thanks again a thousand times for your help.
Posted on 06-13-2022 08:21 AM
Hello, did you manage to find a fix to this?
Posted on 02-15-2023 11:20 AM
Try this:
#!/bin/bash
[ -f "/Library/Application Support/com.atera.ateraagent/regstore.json" ] && rm "/Library/Application Support/com.atera.ateraagent/regstore.json";mkdir -p "/Library/Application Support/com.atera.ateraagent" && echo '{"CompanyId": "NumberOfTheCompanyID", "IntegratorLogin": "mail@integrator.com"}' >> "/Library/Application Support/com.atera.ateraagent/regstore.json" && curl -L -o '/tmp/AgentInstaller.pkg' "https://Production.atera.com/GetAgent/mac/?0033z00002yUazFAAS" && (sudo installer -pkg /tmp/AgentInstaller.pkg -target /)
it works for me :-)
Posted on 06-24-2024 06:02 PM
Hi, did you ever figure this out? I'm in the same boat as you.
Posted on 06-24-2024 06:03 PM
Hi,
Did you figure this out? having the same issue
Posted on 03-22-2021 08:50 PM
Hey Y'all
Just a couple of things to consider, and take them with a grain of salt. Your Org hired you to be the expert on systems administration and engineering, so it will be up to you to determine the risks and impacts of these things, but using curl as root on all endpoints can be very dangerous.
MITM attacks can happen and do happen all the time. Even if you use SSL verification, that does not mitigate a MITM attack. The only thing that truly mitigates such things is certificate pinning. Most vendors that have some sort of CDN or URL to download software often times do not pin their certs. So, there is a risk of a MITM attack.
Also, since jamf runs everything as the root user, you are essentially also taking on risks around if an attack were to occur, you have now installed a malicious package as the root user. Furthermore, you have not automated this to your entire fleet most likely, or at least scoped to your partial fleet. So, take these risks into consideration and decide if the risk is there or not for you.
If you must use curl or have decided the risks are not significant for you, you can look at tools like Installomator which has some added security features built into it, and has the same functionality as say a curl script. The repo has docs and a link to a presentation on it.
Alternatively, you can limit your scope of downloading packages from the web to a single box, and then distribute them later on with AutoPKG and furthermore integrate into Jamf Pro with something like JSS importer. This would reduce your risks to a single box and AutoPKG does have several built in security features around it as well. It is also extensible if you need to write custom processors.
Centralizing package creation and distribution also means it is much easier to audit and troubleshoot. With something like a 10% failure rate (tossing out examples) of a curl script, good luck finding out why n number of clients are just failing. Centralizing it also helps you streamline and troubleshoot when things go wrong. So, there are other benefits than just security, or rather all of it benefits security since auditing is a part of security.
I get that some vendors make horrible installers and workflows and you might be forced into a curl model versus manually doing it by hand. However, if you don't have to do that, or can get around that I would recommend looking into such things. Personally, I use AutoPKG and have been using it for over 2 years now at my current gig. It is one of the best open source tools for macOS out there.
My point is to just make some awareness around this subject. This is also why I never use a curl script unless it is really the only option I have, and even then I would take it through security approvals before deploying it.
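The working-directory fix from the 03-19-2021 01:36 PM reply and the concern about installing a downloaded package as root, combined as an added example that is not from the thread, Atera or Jamf: it downloads into a private temporary directory and installs only when the package's Developer ID Team ID matches the one you expect. The function names and the use of script parameters 4 and 5 are assumptions, as is the usual layout of `pkgutil --check-signature` output; take the expected Team ID from a copy of the vendor package you have checked yourself.

```shell
#!/bin/bash
# Added example (not from the thread): install a downloaded pkg only if its signer matches.
# Jamf passes custom script parameters from $4 on; here $4 = https URL, $5 = Team ID.

# Print the signer's Team ID from `pkgutil --check-signature` output on stdin.
team_id_from_signature_output() {
    sed -n 's/^ *1\. Developer ID Installer: .*(\([A-Z0-9]\{10\}\)) *$/\1/p' | head -n 1
}

# Succeed only if the signature output names the expected Team ID.
signature_matches() {   # $1 = pkgutil output, $2 = expected Team ID
    local found
    found=$(printf '%s\n' "$1" | team_id_from_signature_output)
    [ -n "$found" ] && [ "$found" = "$2" ]
}

install_verified_pkg() {   # $1 = https URL, $2 = expected Team ID
    local url="$1" expected="$2" workdir pkg sig rc
    # Private scratch directory (mode 700) with an absolute path, so the
    # download does not depend on the policy's working directory.
    workdir=$(mktemp -d /private/tmp/agent-install.XXXXXX) || return 1
    pkg="$workdir/AgentInstaller.pkg"
    # --fail: an HTTP error page is not saved as the pkg.
    # --proto/--proto-redir: plain-http URLs and redirects are refused.
    if curl --fail --silent --show-error --location \
            --proto '=https' --proto-redir '=https' -o "$pkg" "$url" &&
       sig=$(pkgutil --check-signature "$pkg") &&
       signature_matches "$sig" "$expected"; then
        installer -pkg "$pkg" -target /
        rc=$?
    else
        echo "Not installing: download failed or signer is not $expected" >&2
        rc=1
    fi
    rm -rf "$workdir"
    return "$rc"
}

# Runs only when Jamf supplies both parameters.
if [ -n "${4:-}" ] && [ -n "${5:-}" ]; then
    install_verified_pkg "$4" "$5"
fi
```

Used as a Jamf script payload, the policy's Parameter 4 and Parameter 5 fields carry the download URL and the expected Team ID.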
Posted on 09-30-2022 08:48 PM
when I run this it does not download the full pkg file. am I missing something?