Gatekeeper Path Randomization - Missing Dock Icons

wmateo
Contributor

So I finally got around to making a Sierra build, and I have encountered a little annoying challenge.

After the imaging process was complete, I noticed icons in the Dock had a question mark or missing icon overlay for the application. Upon some investigation, I am led to believe that this is a new Gatekeeper function related to path randomization, since I've imaged the machine 2-3 times and each time the icon issue became associated with a different app.

I was able to circumvent this by adding dock items as post image tasks etc. But I really want to keep my custom docks as part of the imaging process.

Has anyone run into this issue? If so, what have you done to address it?


Look
Valued Contributor III

This is most likely the vendor DMG verification feature. If Gatekeeper detects that certain apps (Chrome, for example) were installed from a DMG that didn't match the vendor DMG exactly, it will consider them suspect. What it then does is create a new copy for each user when they run it, which of course plays complete havoc with any Dock icons for them.
You can resolve it by packaging up the vendor DMG itself inside a PKG with a postinstall script that mounts it and copies the app across to Applications.
I did something like this for Chrome. It's rather simplistic, and I didn't worry about paths very much as I intended it to be post-image (if you use it in imaging, it has to be set to run on reboot as a result). Packaged up with the /private/tmp/googlechrome.dmg, it deletes Chrome from Applications, then mounts the DMG and copies across a new copy.

If JAMF ever get around to supporting vendor drag and drop DMGs directly, this problem will just disappear on its own (hint, hint).

#!/bin/bash
## postinstall

The_DMG="/private/tmp/googlechrome.dmg"

echo
# Mount the DMG and keep only the mount point (e.g. "/Volumes/Google Chrome")
The_Volume=$(hdiutil mount -nobrowse "$The_DMG" | awk '/Volumes/' | sed -e 's/.*\/Volumes\//\/Volumes\//g')
if [[ "$The_Volume" ]]; then
    echo "The volume is $The_Volume"
    # First .app bundle at the top level of the mounted volume
    The_App=$(ls -1 "$The_Volume" | awk '/\.app/' | head -n 1)
fi
if [[ "$The_App" ]]; then
    echo "The app is $The_App"
    echo "Removing previous version from /Applications/$The_App"
    rm -rf "/Applications/$The_App"
    sleep 2
    echo "Copying new version to /Applications/$The_App"
    ditto "$The_Volume/$The_App" "/Applications/$The_App"
    sleep 2
    echo "Fixing permissions on /Applications/$The_App"
    chown -R root:admin "/Applications/$The_App"
    echo "Ejecting the volume $The_Volume"
    hdiutil eject "$The_Volume"
    echo "Done"
    echo
    exit 0      ## Success
else
    # Do not leave the DMG mounted if it attached but held no .app
    [[ "$The_Volume" ]] && hdiutil eject "$The_Volume"
    echo "Failed"
    echo
    exit 1      ## Failure
fi