How To: Package a Docker Installer that Does Not Request Admin Privileges

Jacher
New Contributor II


When Docker installs on a machine, it asks the user for root privileges to finish its installation process after you start it the first time. In our environment, we decided that it's best users don't need to enter any sort of credentials to finish the installation of an application. So, via a trail of troubleshooting steps I found online and some trial & error, I was able to put together an installer that does not need root privileges to finish its installation.

Use the following directions to create a version of the installer that does not require Admin Rights. If you are already familiar with making JSS policies and using Composer, check out the TLDR section at the bottom.

  1. Download Docker For Mac
  2. Mount the Docker DMG
  3. Open Composer
  4. Click on New
  5. Select Normal Snapshot
  6. Click Next
  7. Name the Snapshot and click next
  8. Once the Snapshot has finished creating, drag the Docker application into the root Applications folder
  9. Open Applications, and then open Docker
  10. Docker will post an introductory window, click OK
  11. Docker will ask for privileged access, click OK
  12. Enter your Admin credentials and click okay
  13. Docker will run its final installation steps
  14. Click Got It after Docker has finished running its post-installation
  15. In Composer, click Create Package Source
  16. Drill down Library>LaunchDaemons
  17. Select the com.docker.vmnetd.plist file
  18. Ensure that the file's owner is root, and group is wheel.
  19. Check the box for X (execute) on the Owner row. Verify that it states Mode: 744 (not 644)
  20. Drill down Users>{username}>Library>Containers>com.docker.docker
  21. Delete the Data folder within the com.docker.docker folder
  22. Ensure there are no additional folders unrelated to the Docker installation in the package source. In my case I removed the Saved Application State folder.
  23. Once you've done this, click on Build as DMG and save to your package build location
  24. Open Casper Admin and drag the DMG into Casper Admin to upload.
  25. Change the settings on the DMG to turn on FEU (Fill Existing User Template)
  26. Categorize the file
  27. Save
  28. Log into the JSS and Create the Docker policy.
  29. Place the DMG in the policy
  30. Set the policy to restart after install (Restart Options>User Logged In Action> Restart)
  31. Add Files and Processes, add the following one liner to Execute Command: /bin/launchctl load -Fw /Library/LaunchDaemons/com.docker.vmnetd.plist
  32. Setup to install from Self Service

TLDR Version;
Install using a composer snapshot as normal.
The only major differences are as follows:
Change /Library/LaunchDaemons/com.docker.vmnetd.plist to 744 and root:wheel
Delete the Data folder found in Users/{username}/Library/Containers/com.docker.docker
Save as DMG, place on Casper Admin with FEU enabled
In Policy: Ensure that the computer restarts after install. Add the following one liner in Execute Command:
/bin/launchctl load -Fw /Library/LaunchDaemons/com.docker.vmnetd.plist
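
The ownership and mode set in steps 18 and 19 can be checked on the target Mac before the `launchctl load` one-liner runs, since launchd starts whatever this plist names as root. The following is an added example, not part of the original post: `file_meta` and `audit_launchdaemon` are hypothetical helper names, and the root/wheel defaults (uid 0, gid 0) are taken from the steps above.

```shell
#!/bin/bash
# Added example: audit a LaunchDaemon plist before "launchctl load".
# Defaults assume owner root (uid 0) and group wheel (gid 0).

# Print "uid gid octal-mode" for a path (GNU stat first, then BSD/macOS stat).
file_meta() {
    stat -c '%u %g %a' "$1" 2>/dev/null || stat -f '%u %g %Lp' "$1"
}

# Return 0 only if the plist is a regular file (not a symlink), has the
# expected owner and group, and is not writable by group or others.
audit_launchdaemon() {
    local plist="$1" want_uid="${2:-0}" want_gid="${3:-0}"
    local meta uid gid mode rc=0
    if [ -L "$plist" ] || [ ! -f "$plist" ]; then
        echo "FAIL: $plist is missing, a symlink, or not a regular file" >&2
        return 1
    fi
    meta=$(file_meta "$plist") || return 1
    read -r uid gid mode <<EOF
$meta
EOF
    if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
        echo "FAIL: owner:group is $uid:$gid, expected $want_uid:$want_gid" >&2
        rc=1
    fi
    # 022 masks the group-write and other-write bits; 744 and 644 both pass.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL: mode $mode lets group or others modify the plist" >&2
        rc=1
    fi
    return "$rc"
}

# Usage in the policy's Execute Command or a script (runs as root):
#   audit_launchdaemon /Library/LaunchDaemons/com.docker.vmnetd.plist \
#     && /bin/launchctl load -Fw /Library/LaunchDaemons/com.docker.vmnetd.plist
```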

45 REPLIES

cpotrebka
New Contributor II

Thanks tons for the kudos! Greatly appreciated.

P.S. I've consolidated my Jamf accounts down to this, my original one. 🙂

user-iZgcKItEmv
New Contributor

This seems broken again with the latest version of Docker:

Beginning on August 31, 2021, you must agree to the Docker Subscription Service Agreement to continue using Docker Desktop. Read the Blog and the Docker subscription FAQs to learn more about the changes.

Using the --install-privileged-components command doesn't bypass needing to accept the new Service Agreement. 

Any thoughts?

JamieG
New Contributor III

My learned colleague has scripted this and has it working (for initial installs and updates) with the attached script. All users are not admins. Tested and working on Intel and Apple Silicon.

https://gist.github.com/SamStenton/716fb44fae9d59b320a4b92108af0beb

 

```bash
#!/bin/bash

# Download the release that matches this Mac's CPU architecture.
# -f makes curl fail on an HTTP error instead of saving the error page; -L follows redirects.
if [[ "$(uname -m)" == 'arm64' ]]; then
    # Apple Silicon
    echo 'Downloading Apple Silicon release'
    curl -fL -o ~/Downloads/Docker.dmg https://desktop.docker.com/mac/main/arm64/Docker.dmg
else
    # Intel
    echo 'Downloading Apple Intel release'
    curl -fL -o ~/Downloads/Docker.dmg https://desktop.docker.com/mac/main/amd64/Docker.dmg
    # curl -o ~/Downloads/Docker.dmg https://desktop.docker.com/mac/main/amd64/72729/Docker.dmg #old version to test updating
fi

# Mount image (stop here if it fails, so the old app is not removed below)
hdiutil attach ~/Downloads/Docker.dmg || exit 1

# Copy to Applications folder
rm -rf /Applications/Docker.app # For updates remove the old app
cp -R /Volumes/Docker/Docker.app /Applications

# Install Docker privileged components
/Applications/Docker.app/Contents/MacOS/Docker --unattended --install-privileged-components

# Accept license (doesn't seem to be working)
open -a /Applications/Docker.app --args --unattended --accept-license

# Clean up.
echo 'Cleaning up'
# Detach the mounted volume itself, not the app bundle inside it
hdiutil detach /Volumes/Docker
rm ~/Downloads/Docker.dmg
```

 

cdev
Contributor II

We've taken a bit of a different approach so as not to make it a live download. We are packaging the docker.dmg with a postinstall script that installs and configures based on the Docker docs. The only weird thing is I have to temporarily disable Gatekeeper or the install will fail:

 

```bash
#!/bin/bash

## based on Jamf Nation content:
# https://community.jamf.com/t5/jamf-pro/how-to-package-a-docker-installer-that-does-not-request-admin/m-p/199627

## Docker "Command-line" install
# https://docs.docker.com/desktop/install/mac-install/#install-from-the-command-line

# installed resources in /tmp/docker/*
dockerDMG="Docker.dmg"
mountName="Docker"
# Short name of the user at the console (empty at the login window)
currentUser=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

# Without a console user, --user= and chown below would get an empty value
if [ -z "$currentUser" ]; then
    echo "No console user logged in; aborting"
    exit 1
fi

#################
# NEED TO DISABLE GATEKEEPER TO INSTALL THIS WAY?!!? Yep. Wow.
/usr/sbin/spctl --master-disable
# Re-enable Gatekeeper however the script exits, so it is never left off
trap '/usr/sbin/spctl --master-enable' EXIT
#################

/usr/bin/xattr -d com.apple.quarantine "/tmp/docker/${dockerDMG}"

echo "Mounting Docker DMG"
/usr/bin/hdiutil attach "/tmp/docker/${dockerDMG}"

echo "DMG attached at /Volumes/${mountName}"
echo
echo "Starting Docker installation"
"/Volumes/${mountName}/Docker.app/Contents/MacOS/install" --accept-license --user="$currentUser"
echo

echo "Setting permissions on Docker.app"
/usr/sbin/chown -R "$currentUser" "/Applications/Docker.app"

echo "Clearing Quarantine Flags"
/usr/bin/xattr -dr com.apple.quarantine /Applications/Docker.app

echo "Installing additional Docker components so users don't need admin rights"
"/Applications/Docker.app/Contents/MacOS/Docker" --install-privileged-components

## Cleanup
# Gatekeeper is re-enabled by the EXIT trap set above
/bin/echo "Starting cleanup"
echo "Unmounting $dockerDMG"
/usr/bin/hdiutil detach "/Volumes/$mountName"
sleep 5
echo "Removing temp files"
/bin/rm -rf /tmp/docker

exit 0
```
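
With quarantine flags cleared and Gatekeeper switched off for the install, nothing checks who signed the app, so a deployment script can make that check itself with `codesign` before running anything from the mounted image. This is an added example, not cdev's or Docker's code: the function names are hypothetical, `EXPECTED_TEAM_ID` is a placeholder to be replaced with the value recorded from a copy you trust, and the sample output is constructed.

```shell
#!/bin/bash
# Added example: confirm the signer of Docker.app before installing from it.
# EXPECTED_TEAM_ID is a placeholder, not Docker's real team identifier.
EXPECTED_TEAM_ID="EXAMPLE1234"

# Extract the TeamIdentifier field from "codesign -dv" output read on stdin.
team_id_from_codesign() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Succeed only if the team ID read on stdin is present and equals $1.
# An unsigned or ad-hoc signed bundle reports "not set" and is rejected.
team_id_matches() {
    local got
    got=$(team_id_from_codesign)
    [ -n "$got" ] && [ "$got" = "$1" ]
}

# macOS only: check that the signature still seals the bundle, then check
# that the signer is the expected team. codesign -dv writes to stderr.
verify_docker_app() {
    local app="$1"
    /usr/bin/codesign --verify --deep --strict "$app" || return 1
    /usr/bin/codesign -dv "$app" 2>&1 | team_id_matches "$EXPECTED_TEAM_ID"
}

# Constructed sample of "codesign -dv" output (not captured from a real build).
SAMPLE_OUTPUT='Executable=/Applications/Docker.app/Contents/MacOS/Docker
Identifier=com.docker.docker
Format=app bundle with Mach-O universal (x86_64 arm64)
TeamIdentifier=EXAMPLE1234'

# Usage after "hdiutil attach", before running the bundled installer:
#   verify_docker_app "/Volumes/Docker/Docker.app" || { echo "Signature check failed"; exit 1; }
```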

 

Eric1115
New Contributor II
Thank you! I will give this a try.

Eric1115
New Contributor II

Hi, I tried the script and I'm not sure what I am doing wrong, but I still can't get past the issue I am getting when running docker --install-privileged-components

I get a pop-up

"Permission error"

Running Docker Desktop as root is dangerous. Please run it as a regular user.

 

Thanks