Deploying pkg with curl

user-uArBIPgPMp
New Contributor III

Hello everyone, I would like to know if it is possible to deploy pkg from a url. The reason I'm asking is because the linked url contains a version of the pkg that automatically logs in our agent.

If I simply download the pkg of the agent and store it on a cloud or other distribution point, it simply installs a generic agent which then needs to be logged into. You can understand how it’d be problematic to log into every computer individually after the agent has been installed.

Atera has a terminal command that allows one to download an instance of their agent with a url. This instance automatically logs in the user into the linked Atera environment upon completion of the install through terminal.

Does anyone know of a way to use Jamf Pro to ease that process so the agent of the url can be deployed on computers rather than the generic one from the pkg file?

Thank you.


DBrowning
Valued Contributor II

You can use the curl command like this in a script: curl "https://url.com/PathToInstaller.pkg" -o /tmp/installer.pkg and then run installer -pkg /tmp/installer.pkg -target /

This assumes you don't have to log in to get the pkg. If you do, you'll need to add the username/password to your curl command.

user-uArBIPgPMp
New Contributor III

Thank you. The command given looks like this:

http://enterprisename.atera.com/GetAgent/mac/0035z00008xcPuhATE/59

When I copy/paste the link into a browser, it actually downloads an sh file and not a pkg.

If I copy/paste the entire command in terminal

sudo curl "http://enterprisename.atera.com/GetAgent/mac/0035z00008xcPuhATE/59" | sudo bash

It installs the agent directly on the machine without me having to do anything else. Is there any way I could automate this on Jamf? I tried copy/pasting the command in the script policy but got error 23 and the agent did not install on the target machine.

PhillyPhoto
Valued Contributor

Have you tried creating a new policy and putting the command here:

New Policy > Files and Processes > Configure > Execute Command

Jamf policies automatically execute with admin rights, so you can drop both sudos.

Also, CURL error 23 is a write failure to the local disk, so wherever it's running might not have file permissions. So to modify @DBrowning's suggestion, use the following command above:

curl "http://enterprisename.atera.com/GetAgent/mac/0035z00008xcPuhATE/59" -o /tmp/atera.sh; bash /tmp/atera.sh

DBrowning
Valued Contributor II

I was just going to suggest what @PhillyPhoto posted.

user-uArBIPgPMp
New Contributor III

Hello, I just tried a new policy within Files and Processes with the suggested command above and got the same error message.

DBrowning
Valued Contributor II

try using: curl "http://enterprisename.atera.com/GetAgent/mac/0035z00008xcPuhATE/59" -o /tmp/atera.sh && bash /tmp/atera.sh

user-uArBIPgPMp
New Contributor III

Finally worked after one million methods. Thank you so much.

user-uArBIPgPMp
New Contributor III

One thing I noticed is that it works on Mojave but not Catalina. Pretty much back to square 1.

Further digging tells me it might be something with the default shell? It's a bash script, whereas Catalina uses zsh, which might be causing compatibility issues?

Edit: Also discovered this:

"With macOS Catalina, you can no longer store files or data in the read-only system volume, nor can you write to the "root" directory ( / ) from the command line, such as with Terminal."

DBrowning
Valued Contributor II

@user-uArBIPgPMp The default shell doesn't matter, as you are telling the script to run with bash. Are you using the command you posted above, or are you putting the file in some other location? The /tmp location is a usable location. You may need to specify /private/tmp.

user-uArBIPgPMp
New Contributor III

I am using this command

curl "http://enterprisename.atera.com/GetAgent/mac/0035z00008xcPuhATE/59" -o /tmp/atera.sh; bash /tmp/atera.sh

Posted above. I get the same error. I will try /private/tmp to see if it makes any difference. The command works on Mojave but not Catalina. Also, perhaps this was not clear but I am doing this with the Jamf policy. I choose either a script or by executing the command with Files and Processes. Neither works and both give the same result.

user-uArBIPgPMp
New Contributor III

Tried again adding /private to the file path and same error.

DBrowning
Valued Contributor II

I know we've had a couple of different versions of the command, but have you tried putting just this command in Files & Processes?

curl "http://enterprisename.atera.com/GetAgent/mac/0035z00008xcPuhATE/59" | bash

user-uArBIPgPMp
New Contributor III

Thank you for the quick response. Same thing. It seems it's really a write permission issue with Catalina.

Warning: Failed to create the file AgentInstaller.pkg: Read-only file system

0 5510k 0 15962 0 0 13596 0 0:06:54 0:00:01 0:06:53 13596
curl: (23) Failed writing body (0 != 15962)

DBrowning
Valued Contributor II

But if you manually run the command it's working fine? It's only failing via Jamf?

user-uArBIPgPMp
New Contributor III

Yes. If I do it on the computer directly, it works no problem. On Jamf, the same command does not. Whether with the script or by executing it through Processes and Files.

DBrowning
Valued Contributor II

That leads me to believe it's something in the script that downloads. Since I don't have access, I can't take a look and try to figure it out.

user-uArBIPgPMp
New Contributor III

If I copy the URL in the command into a browser, it downloads an .sh file with this script:

#!/bin/bash

[ -f "/Library/Application Support/com.atera.ateraagent/regstore.json" ] && rm "/Library/Application Support/com.atera.ateraagent/regstore.json";mkdir -p "/Library/Application Support/com.atera.ateraagent" && echo '{"CompanyId": “78”, "IntegratorLogin": “name@domain.com}’ >> "/Library/Application Support/com.atera.ateraagent/regstore.json" && curl -L -o 'AgentInstaller.pkg' "https://Production.atera.com/GetAgent/mac/?0022z00003xcPuhBHE" && (sudo installer -pkg ./AgentInstaller.pkg -target /)

DBrowning
Valued Contributor II

Can you please repost the script but using the code block. To do this, click on the >_ icon just above the text box. Put the code in the section that gets highlighted.

user-uArBIPgPMp
New Contributor III

#!/bin/bash
[ -f "/Library/Application Support/com.atera.ateraagent/regstore.json" ] && rm "/Library/Application Support/com.atera.ateraagent/regstore.json";mkdir -p "/Library/Application Support/com.atera.ateraagent" && echo '{"CompanyId": “78”, "IntegratorLogin": “name@domain.com}’ >> "/Library/Application Support/com.atera.ateraagent/regstore.json" && curl -L -o 'AgentInstaller.pkg' "https://Production.atera.com/GetAgent/mac/?0033z00002xcPuhBHE" && (sudo installer -pkg ./AgentInstaller.pkg -target /)

Here it is.

DBrowning
Valued Contributor II

The way the command is running, it's trying to write where it doesn't have permissions. When you run the command locally, it's using the path your logged-in user is in (/Users/uname).

I'm sure you did some cleansing of the script and there must be something missing. But I was able to get a script that should work for you after you fill in the correct info after the echo line. So you'll use this script payload instead of the File & Processes payload.

#!/bin/bash

if [ -f "/Library/Application Support/com.atera.ateraagent/regstore.json" ]; then
    rm "/Library/Application Support/com.atera.ateraagent/regstore.json"
fi

mkdir -p "/Library/Application Support/com.atera.ateraagent"

echo '{"CompanyId": "78", "IntegratorLogin": "name@domain.com"}' >> "/Library/Application Support/com.atera.ateraagent/regstore.json"

curl -L -o '/tmp/AgentInstaller.pkg' "https://Production.atera.com/GetAgent/mac/?0033z00002xcPuhBHE"

installer -pkg /tmp/AgentInstaller.pkg -target /

user-uArBIPgPMp
New Contributor III

Thanks a lot for your help. I replaced your script with the right information but got an error message again.

Script result: /Library/Application Support/JAMF/tmp/Atera Script: line 11: unexpected EOF while looking for matching `''
/Library/Application Support/JAMF/tmp/Atera Script: line 14: syntax error: unexpected end of file
Error running script: return code was 2.

What would be the alternatives to correct the permission problems?

DBrowning
Valued Contributor II

Make sure you are not missing a " around the email address on the echo line.

user-uArBIPgPMp
New Contributor III

I corrected it and the install works. However, I'm stuck with the same problem: it's just a generic installer without a login.

At this point I will need to figure out how to make the agent log in to my account after I have deployed it. This sounds very tricky and specific but is my only option at the moment.

Thanks again a thousand times for your help.

Hello, did you manage to find a fix to this?

Try this:

#!/bin/bash
[ -f "/Library/Application Support/com.atera.ateraagent/regstore.json" ] && rm "/Library/Application Support/com.atera.ateraagent/regstore.json";mkdir -p "/Library/Application Support/com.atera.ateraagent" && echo '{"CompanyId": "NumberOfTheCompanyID", "IntegratorLogin": "mail@integrator.com"}' >> "/Library/Application Support/com.atera.ateraagent/regstore.json" && curl -L -o '/tmp/AgentInstaller.pkg' "https://Production.atera.com/GetAgent/mac/?0033z00002yUazFAAS" && (sudo installer -pkg /tmp/AgentInstaller.pkg -target /)

it works for me :-)

tlarkin
Honored Contributor

Hey Y'all

Just a couple of things to consider, and take them with a grain of salt. Your org hired you to be the expert on systems administration and engineering, so it will be up to you to determine the risks and impacts of these things, but using curl as root on all endpoints can be very dangerous.

MITM attacks can happen and do happen all the time. Even if you use SSL verification, that does not mitigate a MITM attack. The only thing that truly mitigates such things is certificate pinning. Most vendors that have some sort of CDN or URL to download software often times do not pin their certs. So, there is a risk of a MITM attack.

Also, since Jamf runs everything as the root user, you are also taking on the risk that, if an attack were to occur, you have now installed a malicious package as the root user. Furthermore, you have not automated this to your entire fleet most likely, or at least scoped to your partial fleet. So, take these risks into consideration and decide if the risk is there or not for you.

If you must use curl or have decided the risks are not significant for you, you can look at tools like Installomator, which has some added security features built into it and has the same functionality as a curl script. The repo has docs and a link to a presentation on it.

Alternatively, you can limit your scope of downloading packages from the web to a single box, and then distribute them later on with AutoPKG and furthermore integrate into Jamf Pro with something like JSS importer. This would reduce your risks to a single box and AutoPKG does have several built in security features around it as well. It is also extensible if you need to write custom processors.

Centralizing package creation and distribution also means it is much easier to audit and troubleshoot. With something like a 10% failure rate (tossing out examples) of a curl script, good luck finding out why n number of clients are just failing. Centralizing it also helps you streamline and troubleshoot when things go wrong. So, there are other benefits than just security, or rather all of it benefits security since auditing is a part of security.

I get that some vendors make horrible installers and workflows and you might be forced into a curl model versus manually doing it by hand. However, if you don't have to do that, or can get around that I would recommend looking into such things. Personally, I use AutoPKG and have been using it for over 2 years now at my current gig. It is one of the best open source tools for macOS out there.

My point is to just make some awareness around this subject. This is also why I never use a curl script unless it is really the only option I have, and even then I would take it through security approvals before deploying it.

dtekum
New Contributor III

When I run this, it does not download the full pkg file. Am I missing something?