DEPNotify with Big Sur

walt
Contributor III

Anyone testing DEPNotify and Big Sur? I am using it in a prestage for DEP and a policy for manual enrollments, but I am prompted on both to accept the Application as it was downloaded from the internet.


(I did not download this from slack from the DEPNotify creators GitLab)


gachowski
Valued Contributor II

Not much help as I never fixed it, but I saw the same thing in my testing.

tlarkin
Honored Contributor

remove the quarantine flags from the file/app

xattr -d com.apple.quarantine /path/to/DEPNotify.app

This will then remove the quarantine flag from the file/object and Gatekeeper will not prompt you

walt
Contributor III

@tlarkin would this work with the DEPNotify.pkg (v1.1.5)? or do we need to install DEPNotify and repackage? our current workflow just deploys the DEPNotify.pkg as is (or with the HCS DEPNotify workflow) without it being installed or touched.

tlarkin
Honored Contributor

that will work with any pkg you download from the web. If you remove the quarantine flags GateKeeper will not prompt you. It will work this way on all packages until Apple changes this behavior

walt
Contributor III

@tlarkin to clearly understand, can the terminal command be run on the .pkg file itself (i.e., from the developer's GitLab) or does it need to be run on the .app file specifically (which is installed in the /Applications/Utilities folder)?

would this command need to be run on Big Sur or does it not matter?

I did perform the command on the .pkg file (on a Mac with Catalina) and DEPNotify still prompted to accept on the Big Sur beta computer.

additionally, if I let the prompt sit there for a while, DEPNotify does install and it appears it does run through the policy triggers (no DEPNotify screen at this point, but I see things show up in the Apps folder, etc), so when I click open, it takes me to wherever DEPNotify is in the process.

mm2270
Legendary Contributor III

@walt, I think what @tlarkin is suggesting is to have a script run the xattr command after the DEPNotify.pkg is deployed. Since Jamf allows us to easily run scripts in any policy after a payload is deployed, it should be an easy thing to add in to whatever policy is pushing out your DEPNotify.pkg. Or even just drop into the Execute Command field.

Another option would be to do what you stated and simply repackage DEPNotify yourself, making sure of course that the Apple quarantine flag is removed before doing so, but I would be careful with that, since unsigned packages could cause trouble too. If I'm not mistaken, the main DEPNotify.pkg from Orchard & Grove is signed with their developer certificate, so it would probably be safer to use theirs. Unless you have your own dev certificate you can add to the manually created package that is.

tlarkin
Honored Contributor

nope just run the xattr command before you upload it to jamf. macOS only quarantines files downloaded from apps and browsers and not from anything that uses API/ABIs, like curl for example

walt
Contributor III

so to be clear, the command can be run on either the .pkg or the .app file? does the command need to be run on a specific macOS version?

in my case, using macOS 10.15.6, I ran the xattr command on the DEPNotify.pkg file from the GitLab page, packaged using the depnotify-with-installers guide, and got the same prompt.

ultimately this sounds like the developer would need to remediate this issue?

sdagley
Esteemed Contributor II

The xattrs are attached to the DEPNotify app in the .pkg, so clearing them on the .pkg itself shouldn't help. Either clear after the app is installed, or re-package and specify that xattrs aren't preserved (if you use Composer it has no option to preserve xattrs as of 10.23)

tlarkin
Honored Contributor

So, anything downloaded via web browser Apple flags with a quarantine meta data tag to tell GateKeeper to inform the user it was "downloaded from the web". You can check it by doing this

xattr DEPNotify.pkg 
com.apple.metadata:kMDItemWhereFroms
com.apple.quarantine

You can see it has the quarantine flag. If you use xattr you can delete it. When in doubt just google search @rtrouton 's blog
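As an added example (not code from the thread or from the DEPNotify project), here is a postinstall-style script that does what tlarkin and sdagley describe: it checks the installed app's attribute listing, the way `xattr DEPNotify.pkg` is shown above, clears `com.apple.quarantine` on the installed .app rather than on the .pkg, and verifies it is gone. The app path is an assumption; the sample listings are constructed.

```shell
#!/bin/sh
# Added example: clear the Gatekeeper quarantine attribute from the installed
# DEPNotify app (the attribute lives on the app inside the pkg, so clearing the
# pkg itself does not help). Install path is an assumption for this example.
APP="/Applications/Utilities/DEPNotify.app"
ATTR="com.apple.quarantine"

# Return 0 if an xattr listing (one attribute name per line, as `xattr <path>`
# prints for a single path) contains the quarantine attribute.
has_quarantine() {
  printf '%s\n' "$1" | grep -qx "$ATTR"
}

# Remove the attribute recursively (-r, so files nested in the bundle are
# cleared too), then re-list to confirm it is really gone before reporting OK.
clear_quarantine() {
  path="$1"
  [ -e "$path" ] || { echo "not found: $path" >&2; return 2; }
  if has_quarantine "$(xattr "$path")"; then
    xattr -r -d "$ATTR" "$path"
  fi
  if has_quarantine "$(xattr "$path")"; then
    echo "quarantine still present on $path" >&2
    return 1
  fi
  echo "no quarantine attribute on $path"
}

# Constructed sample listings mirroring the output shown in the thread.
SAMPLE_FLAGGED='com.apple.metadata:kMDItemWhereFroms
com.apple.quarantine'
SAMPLE_CLEAN='com.apple.metadata:kMDItemWhereFroms'

# Run the real check only when asked, e.g. from a Jamf postinstall script
# or the Execute Command field: sh clear_quarantine.sh --run
if [ "${1:-}" = "--run" ]; then
  clear_quarantine "$APP"
fi
```

The script exits non-zero if the attribute survives, so a Jamf policy log shows the failure instead of a silent success.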

ravisgupta
New Contributor III

@tlarkin just added that to post install script works fine now.

ravisgupta
New Contributor III

though I've got to figure out why Self Service is crashing post-enrollment when DEPNotify kicks in; I get presented with this prompt to reopen it.

ravisgupta
New Contributor III

Using 1.1.6 depnotify got rid of that.

egjerde
New Contributor III

So Joel updated DEPNotify to 1.1.6 and universal binaries - but didn't make a downloadable .pkg of the latest version, which I need because I can't sign a binary in Xcode myself. Is there a source for this that I am missing? this is holding me up from DEP workflows on our M1 hardware :/

KyleEricson
Valued Contributor II

@egjerde Look in the Depnotify slack channel that is where I got the PKG file from.

Read My Blog: https://www.ericsontech.com

egjerde
New Contributor III

@keric haha of course, why didn't I think of that? :facepalm:

ravisgupta
New Contributor III

Ok, I was wrong, Self Service still crashes and prompts to reopen. DEPNotify works fine though when relaunched; still no clue about this. :(