Posted on 12-15-2015 05:26 PM
I have a script that sets Cisco Jabber.app (chat, phone call application) to allow all connections, but in some cases, when a user makes an external phone call with the application, the firewall will prompt for admin credentials to allow/deny access. Entering the password makes it go away, but this is not a viable solution as we have hundreds of users without admin rights.
In the GUI, the firewall shows as Jabber.app always allowed.
Happens on Mavericks, Yosemite and El Capitan.
This is the script I am using to add the exceptions.
#!/bin/sh
# Third field of the status line is "enabled." or "disabled."
checkFirewall=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate | awk '{print $3}')
if [ "$checkFirewall" = "disabled." ]; then
    # Start firewall
    /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
    # Add trusted application to firewall (path quoted because it contains a space)
    /usr/libexec/ApplicationFirewall/socketfilterfw --add "/Applications/Cisco Jabber.app"
    /usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/Skype.app
else
    echo "Firewall is already enabled"
fi
exit 0
Posted on 12-16-2015 01:56 PM
Is there the possibility the component that's trying to traverse the firewall lives outside the app bundle? Like in /Library or /Library/Application Support? Or even at the user level?
Posted on 12-17-2015 01:58 PM
Another thing to try is adding the binary itself (or multiple of them if there are others within the app bundle) as the exceptions.
Posted on 12-17-2015 02:24 PM
@htse I wasn't able to find any related application files in the system and user library.
I've tried adding the binary inside the package >> MacOS folder >> Cisco Jabber with no luck :(
Posted on 05-19-2016 11:24 AM
Hi all
I've been able to replicate this and the problem has only become apparent for users without admin rights. The problem is to do with the application's code signature not being recognised, and so it prompts the user to allow through the firewall and requires admin rights.
No matter how I packaged the app in Composer, as a pkg or dmg, I kept getting the issue.
The solution was to download the Cisco Jabber installer from Cisco, put the downloaded original zip file in /private/tmp/ and have this as a postinstall script in Composer:
#!/bin/sh
## postinstall
pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3
# Check to see if the zip file exists in /tmp/ (take the first match of the glob)
zipFile=$(ls "$3"/tmp/CiscoJabberMac*.zip 2>/dev/null | head -n 1)
if [ -f "$zipFile" ]; then
    # If Jabber is installed, delete it
    if [ -d "$3/Applications/Cisco Jabber.app/" ]; then
        rm -rf "$3/Applications/Cisco Jabber.app/"
    fi
    # Unzip Jabber to /tmp
    unzip -q "$zipFile" -d "$3/tmp/"
    # Remove resource forks
    rm -rf "$3/tmp/__MACOSX"
    # Move the app from /tmp to /Applications
    mv "$3/tmp/Cisco Jabber.app" "$3/Applications/"
    # If the app still exists in /tmp delete it
    if [ -d "$3/tmp/Cisco Jabber.app/" ]; then
        rm -rf "$3/tmp/Cisco Jabber.app/"
    fi
    # Delete the zip file(s) in /tmp
    rm -f "$3"/tmp/CiscoJabberMac*.zip
fi
exit 0 ## Success
exit 1 ## Failure
Posted on 08-05-2016 03:29 AM
I'm still having issues with this but I'm trying a new approach to modify the authorization database to allow all users to make the change. This suppresses the admin prompt and still allows the user to click allow and all is well.
#!/bin/sh
sudo security authorizationdb write com.alf allow
Early testing is proving positive. Hope this helps someone out :)
Tim
Posted on 08-05-2016 10:42 AM
@tkimpton Awesome. I'll be upgrading Jabber pretty soon. Hoping this works so we can also enable the firewall. Thanks!
Posted on 08-08-2016 07:26 AM
So I've been in support calls with Cisco (email anyway). The command I provided stops the admin pop-up for the application firewall.
Cisco have told me to carry out this: codesign --verify --deep -vvvvvvv --strict "Cisco Jabber.app"
If it comes back verified then it's OK.
So I ran codesign --verify --deep -vvvvvvv --strict "/Applications/Cisco Jabber.app" and it passed after a manual install drag and drop.
However, when either dragging the app in Composer or scripting the installation with the downloaded zip file, the signature check fails!
It seems you cannot package up Cisco Jabber at all as a pkg. The only way I have been able to deploy it with a signature intact is to deploy it via a dmg made in Composer and then it seems OK.
In version 11.7 Cisco are switching to a native pkg installer so we shouldn't need to faff around like this.
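Added example (not part of the original thread, and not Cisco's or Jamf's code): a post-deployment check that runs the codesign verification quoted above and adds the firewall exception only when the deployed bundle's signature is intact, so a repackaging problem shows up as a failed check instead of a firewall prompt on the user's desk. The function names and the overridable CODESIGN and FW variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example: gate the firewall exception on a valid code signature.
# CODESIGN and FW default to the real tools; they are overridable (an
# assumption of this example) so the logic can be exercised off-macOS.
CODESIGN="${CODESIGN:-/usr/bin/codesign}"
FW="${FW:-/usr/libexec/ApplicationFirewall/socketfilterfw}"

# Return 0 if the bundle passes the check Cisco support asked for,
# 1 if the signature does not verify, 2 if the bundle is not present.
verify_signature() {
    app="$1"
    [ -d "$app" ] || return 2
    "$CODESIGN" --verify --deep --strict "$app" >/dev/null 2>&1 || return 1
    return 0
}

# Add the firewall exception only for a bundle whose signature is intact.
# Prints one status line; the return code is what a policy should act on.
allow_if_signed() {
    app="$1"
    rc=0
    verify_signature "$app" || rc=$?
    case "$rc" in
        0)  "$FW" --add "$app" >/dev/null 2>&1 || {
                echo "FIREWALL_ADD_FAILED: $app"
                return 3
            }
            echo "OK: $app" ;;
        1)  echo "BAD_SIGNATURE: $app" ;;
        2)  echo "MISSING: $app" ;;
    esac
    return "$rc"
}

# Run only when a bundle path is passed as the first argument.
if [ -n "${1:-}" ]; then
    allow_if_signed "$1"
    exit $?
fi
```

Run as root after the install step with the bundle path as the only argument, for example "/Applications/Cisco Jabber.app"; a non-zero exit marks the deployment as failed.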
Posted on 02-16-2017 01:53 PM
@tkimpton We're on Jabber 11.7.1 and Jabber appears to be fine deploying from a .pkg. No firewall prompts when making phone calls. How about you?