Posted on 09-15-2016 07:56 AM
Worked this out with @rtrouton based on both his installation script as well as the one located at cobbservations.wordpress.com
Wanted to offer Xcode 8 (requires OS X 10.11.5 or later) to our user population via Self Service.
Downloaded the Xcode 8 installation package from the App Store using the App Store Capture Methodology (yes, VPP would be better), described at:
https://derflounder.wordpress.com/2013/10/19/downloading-microsofts-remote-desktop-installer-package-from-the-app-store/
Added the 4.43GB installation package to the JSS, created a Self Service policy to install it, and used this script below (set to Run After) to handle all of the post-installation processing (so that users are not prompted for admin credentials). You may want to customize the script for your environment (we don't disable the Gatekeeper validation, and our users are already developers, nor do we have multiple versions of Xcode installed, so those line-items are disabled, but it's your call):
#!/bin/bash
# Accept EULA so there is no prompt
if [[ -e "/Applications/Xcode.app/Contents/Developer/usr/bin/xcodebuild" ]]; then
"/Applications/Xcode.app/Contents/Developer/usr/bin/xcodebuild" -license accept
fi
# Just in case the xcodebuild command above fails to accept the EULA, set the license acceptance info
# in /Library/Preferences/com.apple.dt.Xcode.plist. For more details on this, see Tim Sutton's post:
# http://macops.ca/deploying-xcode-the-trick-with-accepting-license-agreements/
if [[ -e "/Applications/Xcode.app/Contents/Resources/LicenseInfo.plist" ]]; then
xcode_version_number=`/usr/bin/defaults read "/Applications/Xcode.app/Contents/"Info CFBundleShortVersionString`
xcode_build_number=`/usr/bin/defaults read "/Applications/Xcode.app/Contents/Resources/"LicenseInfo licenseID`
xcode_license_type=`/usr/bin/defaults read "/Applications/Xcode.app/Contents/Resources/"LicenseInfo licenseType`
if [[ "${xcode_license_type}" == "GM" ]]; then
/usr/bin/defaults write "/Library/Preferences/"com.apple.dt.Xcode IDEXcodeVersionForAgreedToGMLicense "$xcode_version_number"
/usr/bin/defaults write "/Library/Preferences/"com.apple.dt.Xcode IDELastGMLicenseAgreedTo "$xcode_build_number"
else
/usr/bin/defaults write "/Library/Preferences/"com.apple.dt.Xcode IDEXcodeVersionForAgreedToBetaLicense "$xcode_version_number"
/usr/bin/defaults write "/Library/Preferences/"com.apple.dt.Xcode IDELastBetaLicenseAgreedTo "$xcode_build_number"
fi
fi
# DevToolsSecurity tool to change the authorization policies, such that a user who is a
# member of either the admin group or the _developer group does not need to enter an additional
# password to use the Apple-code-signed debugger or performance analysis tools.
/usr/sbin/DevToolsSecurity -enable
# Add all users to developer group, if they're not admins
/usr/sbin/dseditgroup -o edit -a everyone -t group _developer
# If you have multiple versions of Xcode installed, specify which one you want to be current.
/usr/bin/xcode-select --switch /Applications/Xcode.app
# Bypass Gatekeeper verification for Xcode, which can take awhile.
if [[ -e "/Applications/Xcode.app" ]]; then xattr -dr com.apple.quarantine /Applications/Xcode.app
fi
# Install Mobile Device Packages so there is no prompt
if [[ -e "/Applications/Xcode.app/Contents/Resources/Packages/MobileDevice.pkg" ]]; then
/usr/sbin/installer -dumplog -verbose -pkg "/Applications/Xcode.app/Contents/Resources/Packages/MobileDevice.pkg" -target /
fi
if [[ -e "/Applications/Xcode.app/Contents/Resources/Packages/MobileDeviceDevelopment.pkg" ]]; then
/usr/sbin/installer -dumplog -verbose -pkg "/Applications/Xcode.app/Contents/Resources/Packages/MobileDeviceDevelopment.pkg" -target /
fi
# Install XcodeSystemResources.pkg so there is no prompt
if [[ -e "/Applications/Xcode.app/Contents/Resources/Packages/XcodeSystemResources.pkg" ]]; then
/usr/sbin/installer -dumplog -verbose -pkg "/Applications/Xcode.app/Contents/Resources/Packages/XcodeSystemResources.pkg" -target /
fi
exit 0
Posted on 09-15-2016 09:35 AM
Awesome work gentleman. I'll try this out later today, you have made this request so much easier.
Muy bueno.
Posted on 09-21-2016 12:36 AM
Wow...I may owe @RobertHammen a beer, and @rtrouton a Pepsi at JNUC2016...if they're going this year. :)
PS, any way to get the Additional Components installed without having to snapshoot? Thought the last two sections to install PKGs would eliminate that?
Posted on 09-21-2016 09:38 AM
@donmontalvo Not seeing that. Are you sure the script is running? Because it should handle the licensing and install the components...
Posted on 09-21-2016 11:01 AM
@RobertHammen hmm...I'll double check now, will shout back.
Posted on 10-27-2016 07:21 PM
@donmontalvo @RobertHammen @rtrouton
I get the prompt when going to xcode - preferences - components and i try to download an ios simulator
What part of this script is actually covering this?
Im running versions 7.3.1, 8.0 and 8.1GMSeed
Help please
Posted on 11-09-2016 11:15 AM
@MaCaDmIn82 Simulators are a different story.
Some of the info documented here is still relevant:
Basically, you can start the download on your Mac, and the downloads still go to:
~/Library/Caches/com.apple.dt.Xcode/Downloads
However, be aware:
1) the dmg files don't show up in the Finder, at least on my Mac (had to use Terminal)
2) after I mounted one of those dmg's, they also appeared empty/the pkg files had to be accessed/copied via Terminal
Might just be an anomaly on my Mac.
Anyway, you'd have to capture the .pkg files for the simulators, and install them/check where the files were actually installed - if in the Xcode app bundle itself, or in /Library, you're OK, but if in the ~/Library folder hierarchy, obviously you have a larger issue...
Posted on 01-10-2017 08:23 AM
@RobertHammen Great work and thank you for sharing!
Posted on 01-31-2017 11:17 AM
@RobertHammen... Newbie here. Just wanted to say I tested this approach and it worked flawlessy (El Cap 10.11.6/xCode 8.2.1).
And learning how to capture. pkg's from MAS was very helpful too.
Posted on 03-28-2017 12:23 PM
The debug menu is gone in Sierra.
Use this link instead of the one above to get the package from MAS
https://derflounder.wordpress.com/2015/11/19/downloading-installer-packages-from-the-mac-app-store-with-appstoreextract/
Posted on 03-29-2017 08:06 AM
Disregard!
Posted on 03-29-2017 02:47 PM
Just out of interest, why not download Xcode directly from developer.apple.com?
Posted on 03-30-2017 08:27 AM
It still requires a "hop" from a browser to the Mac App Store app (and an Apple ID etc). It's not a "direct" download, correct?
Posted on 03-30-2017 02:47 PM
@jazzyj When I go to download Xcode from developer.apple.com it takes me right to the App Store to download. Previous versions on that site have a .XIP file which is significantly larger than the App Store .pkg file, and to which no native tools can use.
Posted on 04-12-2017 07:02 AM
If you go to developer.apple.com, and click Downloads on the left then scroll to the bottom, there's a link saying: "Don't see what you're looking for? See more downloads", click that and you can download the XIP. Or the direct URL is https://developer.apple.com/download/more/
Posted on 05-16-2017 09:21 AM
@dfarnworth_barc pretty sure you're thinking of older versions of Xcode being downloadable. New version will always direct you to App Store. [See correction below] Apple provides downloads for versions are provided so developers can run concurrent versions and use xcode-select
to toggle between versions. Like when a developer needs to create something for an older iOS version that the new version of Xcode doesn't support iOS Simulators for that iOS version.
@RobertHammen My apologies, I forgot to circle back after testing. The only difference between this process and ours, we don't hijack Apple's App Store packages. Instead we allow App Store to install, and we grab it from there. This way we don't get in the way of the App Store process, and a proper _MASReceipt
is present.
Pretty sure first launch prompted me, thinking back it may have been to install or update Command Line Tools. We ended up adding a line to the script to run /usr/bin/xcode-select --install
, but I have to search through my notes.
We were packaging iOS Simulators but are trying to avoid having to deal with that madness (that's a lot of bits dude!)...we opened a ticket with AppleCare Enterprise Support to see if they've got a command line method to install so we don't have to reinvent the wheel.
Yea, admin rights would alleviate this, but we have to play by the rules. Admin rights where I'm employed requires a Security Exception. Queue in the occasional "You're not doing it my way, so you're doing it rong!" mantras...#rollsEyes
Not interested in being on the front page of <redacted> with the headline"Famous company hacked because IT Department was too cool to give a $#!+". My mom isn't famous, so being employable is a thing for most of us.
Posted on 05-16-2017 09:27 AM
Xcode is still available for (non-App Store) download from the Apple Developer site. You need to be a registered developer.
Posted on 05-16-2017 09:37 AM
@gregneagle hmmm...the 8.3.2 download link https://developer.apple.com/download/ takes us back to App Store.
Is there a hidden link you might want to share? :):):)
EDIT: I stand corrected: http://adcdownload.apple.com/Developer_Tools/Xcode_8.3.2/Xcode8.3.2.xip
Posted on 05-16-2017 10:03 AM
@donmontalvo We were packaging iOS Simulators but are trying to avoid having to deal with that madness (that's a lot of bits dude!)...we opened a ticket with AppleCare Enterprise Support to see if they've got a command line method to install so we don't have to reinvent the wheel.
Let me know if you do get a response of some sort as I do it the manual way as well and no admin rights for my users
Would love to know if apple has a solution to this
Cheers
Posted on 05-17-2017 10:16 AM
I solved the simulator issue by allowing the user to install them without admin rights. I've a highly modified script I run after Xcode deployment to make it all possible.
https://github.com/franton/Xcode-Scripts/blob/master/finalise.sh
Posted on 05-18-2017 09:52 AM
Thanks @franton great script, saved me a bit of time!
Posted on 05-18-2017 01:03 PM
Using the collaborative script(s) on this forum..here is what we got from Apple regarding iOS Simulators requiring admin rights:
Hello Don,
I reviewed the script you provided and, because "everyone" is being added to the developer group, you can modify the authorizations database to allow developers to install Apple provided software by running the following command:
sudo security authorizationdb write system.install.apple-software authenticate-developer
System Integrity Protection(SIP) will not prevent you from performing this task. Please note that the combination of adding everyone to the _developer group and allowing any member of _developer to install Apple provided software means that any user can install Apple provided software. If that presents a concern, you'll need to modify your script to add specific users to _developer instead of adding everyone.
Please let me know if you have additional questions.
Regards,
XXXXXXXX
Basically added these two commands to @RobertHammen's excellent and quite useful script:
# Install Command Line Tools.
if [[ /usr/bin/xcode-select ]]; then
/usr/bin/xcode-select --install
fi
# Allow any member of _developer to install Apple provided software.
/usr/bin/security authorizationdb write system.install.apple-software authenticate-developer
Posted on 06-09-2017 03:04 PM
@MaCaDmIn82 confirmed two things today.
First, this command, added to @RobertHammen's script, as per AppleCare Enterprise Support, does indeed enable non-admin developers to install iOS Simulators without prompting for admin rights. #fistPump:
/usr/bin/security authorizationdb write system.install.apple-software authenticate-developer
Confirmed that deplying non-App Store copy of Apple Xcode 8.3.2, and following it up with the Command Line Tools for that same version, available from the https://developer.apple.com/download/more/ site did the trick.
Install is silent, whether someone is logged on to the Mac or not...and whether the user has admin rights or not.
Just in time for the weekend!
Don
Posted on 06-10-2017 08:39 AM
this command, added to @RobertHammen's script, as per AppleCare Enterprise Support, does indeed enable non-admin developers to install iOS Simulators without prompting for admin rights. #fistPump:/usr/bin/security authorizationdb write system.install.apple-software authenticate-developer
Pretty sure this allows anyone in the developer group (and since you've added everyone to the developer group, allows everyone) to install anything from softwareupdate without prompting for admin rights (system.install.apple-software). That might be acceptable, but make sure you understand the ramifications. It may also allow the install of other "apple-software" from other sources.
Posted on 06-10-2017 10:53 AM
@gregneagle understood, and agreed. The AppleCare Engineer explained that would happen. We discussed risk, support, etc.
Two options for VPP deployment of Xcode. Apple's suggestion that elevates rights for install of Apple related stuff, or Local Admin Privileges (user requests security exception) that elevates rights across the board. We can provide most of the automation as a policy that user has to trigger through Self Service, but there is a hole.
If we deploy non-AppStore version of Xcode, we can add Command Line tools, and all the settings/suppression, to the payload. This should cover all prompts, but we are still getting a prompt due to only one of three additional required component packages installing (strange; looking into it). Same hole as VPP method.
Our intent is to provide deployment via VPP plus one Self Service policy, which results in user getting the limited elevated rights as suggested by Apple.
Or to deployment the old way, by deploying non-AppStore version, plus Command Line Tools, plus the script that gives user limited elevated rights as suggested by Apple.
The third option would be user can either submit a request for a security exception (to get Local Admin Privileges), or call Help Desk each time he/she gets a prompt.
Its good to know Apple is taking these admin prompts seriously, hopefully they'll do something soon so we won't have to jump through so many hoops to deploy their software. :)
Posted on 06-10-2017 10:57 AM
@gregneagle @donmontalvo I can't go into too much detail (work NDA etc) but I've been facing this exact problem. I've tested a couple of the privilege escalation tools (avecto being the big one) only to find they don't actually work with Xcode.
I hit on the authorisation db change because our users are not admin, and being able to install Apple updates is actually a big concern of our CISO dept: namely they want the OS patched and I don't care if users do it, or my system implementation does it :)
Posted on 08-24-2017 11:22 AM
Question to @franton @donmontalvo @RobertHammen ,
Lets say this was not done through self service, would this script then have to be run per user at login? Or could we run the bulk of the script once and just have users added to the developer group at login? Since all the users are not logged in yet, my question is the script adding any user created after the script is run to the developers group or does this have to happen as they login and get created?
Gabe Shackney
Princeton Public Schools
Posted on 08-24-2017 11:23 AM
Nope, you run this exactly once. Nothing user specific in my script.
Posted on 08-24-2017 07:28 PM
Posted on 08-24-2017 09:43 PM
October 26th, 11:30am in the Greenway Ballroom. I'm the Smart Card talk :D
Posted on 04-04-2018 06:39 PM
I wrote a tool today that should help others to download and ultimately install Xcode simulators via pkg installations. It's called "makexcodesimulators".
This has only been tested with Xcode 9.3 but it should theoretically work on older versions. Hope it helps.
Posted on 04-05-2018 12:36 AM
@eng that's very nice. nice work! I ended up approaching things from a different angle and I now include this code with my org's finalisation script. It allows non admin users to install the same products by themselves. I have not found any adverse effects from this ... yet.
# alter authorisation database to allow installation of apple components without admin rights
security authorizationdb read system.install.apple-software > /tmp/xcode.plist
defaults write /tmp/xcode.plist rule -array authenticate-session-owner-or-admin
security authorizationdb write system.install.apple-software < /tmp/xcode.plist
Posted on 04-05-2018 05:40 AM
Our users are admins, but we have "build servers" to test our apps prior to release.
We needed something that could be fully automated and unfortunately I had to figure out what it is that Xcode was doing.
This tool will parse out all of the simulators available for your version of Xcode and allow you to download them. After it downloads, it wraps the original Apple installed with productbuild using the customLocation key to allow the package to properly install. But the original package still has its signing certificates in case Apple is validating this somewhere else.
I imagine Apple uses relative links because they have changed the install path three times now, but my hope is the current folder is now the permanent one (/Library/Developer/continue/long/path)
Posted on 08-07-2019 06:28 AM
Hello Anyone know if this script still works in 10.4?
Posted on 03-13-2020 02:58 AM
@stephaniemm77 @eng the script doesn't work anymore. It was the greatest help indeed. I hope @eng will revisit it.
Posted on 02-25-2023 02:02 PM
This thing is over seven years old now. Good chance anything that old is not likely to work anymore.
I'll not likely be revisiting it because my current employer allows full admin rights to developers, so it's not required.