When Docker installs on a machine, it asks the user for root privileges to finish its installation process after you start it the first time. In our environment, we decided that it's best users don't need to enter any sort of credentials to finish the installation of an application. So, via a trail of troubleshooting steps I found online and some trial & error, I was able to put together an installer that does not need root privileges to finish its installation. Use the following directions to create a version of the installer that does not require Admin Rights. If you are already familiar with making JSS policies and using Composer, check out the TLDR section at the bottom. Download Docker For Mac Mount the Docker DMG Open Composer Click on New Select Normal Snapshot Click Next Name the Snapshot and click next Once the Snapshot has finished creating, drag the Docker application into the root Applications folder Open Applications, and then open Docker Docker will post an introductory window, click OK Docker will ask for privileged access, click OK Enter your Admin credentials and click okay Docker will run its final installation steps Click Got It after Docker has finished running its post-installation In Composer, click Create Package Source Drill down Library>LaunchDaemons Select the com.docker.vmnetd.plist file Ensure that the file's owner is root, and group is wheel. Check the box for X (execute) on the Owner row. Verify that it states Mode: 744 (not 644) Drill down Users>{username}>Library>Containers>com.docker.docker Delete the Data folder within the com.docker.docker folder Ensure there are no additional folders unrelated to the Docker installation in the package source. In my case I removed the Saved Application State folder. Once you've done this, click on Build as DMG and save to your package build location Open Casper Admin and drag the DMG into Casper Admin to upload. Change the settings on the DMG to turn on FEU (Fill Existing User Template) Categorize the file Save Log into the JSS and Create the Docker policy. Place the DMG in the policy Set the policy to restart after install (Restart Options>User Logged In Action> Restart) Add Files and Processes, add the following one liner to Execute Command: /bin/launchctl load -Fw /Library/LaunchDaemons/com.docker.vmnetd.plist Setup to install from Self Service TLDR Version;Install using a composer snapshot as normal.The only major differences are as follows:Change /Library/LaunchDaemon/com.docker.vmnetd.plist to 744 and root:wheelDelete the Data folder found in Users/{username}/Library/Containers/com.docker.dockerSave as DMG, place on Casper Admin with FEU enabledIn Policy: Ensure that the computer restarts after install. Add the following one liner in Execute Command:/bin/launchctl load -Fw /Library/LaunchDaemons/com.docker.vmnetd.plist

Question

How To: Package a Docker Installer that Does Not Request Admin Privileges

Forum|Forum|8 years ago
March 2, 2017
57 replies
654 views

Jacher
New Contributor

When Docker installs on a machine, it asks the user for root privileges to finish its installation process after you start it the first time. In our environment, we decided that it's best users don't need to enter any sort of credentials to finish the installation of an application. So, via a trail of troubleshooting steps I found online and some trial & error, I was able to put together an installer that does not need root privileges to finish its installation.

Use the following directions to create a version of the installer that does not require Admin Rights. If you are already familiar with making JSS policies and using Composer, check out the TLDR section at the bottom.

Download Docker For Mac
Mount the Docker DMG
Open Composer
Click on New
Select Normal Snapshot
Click Next
Name the Snapshot and click next
Once the Snapshot has finished creating, drag the Docker application into the root Applications folder
Open Applications, and then open Docker
Docker will post an introductory window, click OK
Docker will ask for privileged access, click OK
Enter your Admin credentials and click okay
Docker will run its final installation steps
Click Got It after Docker has finished running its post-installation
In Composer, click Create Package Source
Drill down Library>LaunchDaemons
Select the com.docker.vmnetd.plist file
Ensure that the file's owner is root, and group is wheel.
Check the box for X (execute) on the Owner row. Verify that it states Mode: 744 (not 644)
Drill down Users>{username}>Library>Containers>com.docker.docker
Delete the Data folder within the com.docker.docker folder
Ensure there are no additional folders unrelated to the Docker installation in the package source. In my case I removed the Saved Application State folder.
Once you've done this, click on Build as DMG and save to your package build location
Open Casper Admin and drag the DMG into Casper Admin to upload.
Change the settings on the DMG to turn on FEU (Fill Existing User Template)
Categorize the file
Save
Log into the JSS and Create the Docker policy.
Place the DMG in the policy
Set the policy to restart after install (Restart Options>User Logged In Action> Restart)
Add Files and Processes, add the following one liner to Execute Command: /bin/launchctl load -Fw /Library/LaunchDaemons/com.docker.vmnetd.plist
Setup to install from Self Service

TLDR Version;
Install using a composer snapshot as normal.
The only major differences are as follows:
Change /Library/LaunchDaemon/com.docker.vmnetd.plist to 744 and root:wheel
Delete the Data folder found in Users/{username}/Library/Containers/com.docker.docker
Save as DMG, place on Casper Admin with FEU enabled
In Policy: Ensure that the computer restarts after install. Add the following one liner in Execute Command:
/bin/launchctl load -Fw /Library/LaunchDaemons/com.docker.vmnetd.plist

Show first post

Forum|pagination.label 3 / 3

DDP
New Contributor
Forum|Forum|2 years ago
July 25, 2023

Not that I have seen so far. I have had about 20 users run the install. My assumption is this was changed in the more current version of docker.

Did anything get adjusted script wise? Spaces added?

Thanks,

MARK CORUM | sr SYSTEMS ENGINEER

CELL : 402-213-7633

Mark.Corum@earlywarning.com

www.earlywarning.com<>

[signature_1859496312]

This email transmission may contain confidential and/or private information, which is the property of the sender. The information in this email or attachments thereto is intended for the attention and the use only of the addressee. If you are not the intended recipient, you are hereby notified that any disclosure, copying, or distribution of the contents of this email transmission, or the taking of any action in reliance thereon or pursuant thereto, is strictly prohibited. Should you have received this email in error, please contact the sender and delete and destroy all copies of the original message

Hey @themarkdad, no changes were made, I simply used your modified script and unfortunately, the agreement window keeps popping back up post install. I have a sneaky suspicion that it's because the flag doesn't run properly if invoked while the dmg is still mounted. Going to try to unmount first and see what happens. Would love to hear if you or anyone experiences the same thing.

monktoninc
New Contributor
Forum|Forum|2 years ago
August 8, 2023

Hi I am new to Jamf and trying to deploy Docker 4.7.1. I have tried using both execute command or just run as Sudo in terminal with this command and both are giving me error “Permission error” Running Docker Desktop as root is dangerous. Please run it as a regular user. If I run as regular user it requires me to enter my privilege password.

Appreciate if you can help.

After fighting to get all this working, the following three commands will get Docker running without asking the user for any permissions. Additionally, it configures Docker Desktop without root permissions.

su ${3} -c "/Applications/Docker.app/Contents/MacOS/Docker --unattended --install-privileged-components"

/Volumes/Docker/Docker.app/Contents/MacOS/install --accept-license

/Volumes/Docker/Docker.app/Contents/MacOS/install --user=${3}

beek
New Contributor
Forum|Forum|2 years ago
August 24, 2023

I started getting tickets with the previous Docker install no longer working. I rewrote my script this morning with the following and it seems to be functioning just fine now. I am by no means a scripting pro but it does the job for me. Feel free to offer up any changes. I also did not write the original script, I made adjustments to the one we were using.

#!/bin/bash

if [[ `uname -m` == 'arm64' ]]; then
# Apple Silicon
echo 'Downloading Apple Silcon release'
curl -o ~/Downloads/Docker.dmg https://desktop.docker.com/mac/main/arm64/Docker.dmg
else
# Intel
echo 'Downloading Apple Intel release'
curl -o ~/Downloads/Docker.dmg https://desktop.docker.com/mac/main/amd64/Docker.dmg
fi

# Mount image
hdiutil attach ~/Downloads/Docker.dmg

# Copy to Applcation folder
rm -rf /Applications/Docker.app # For updates remove the old app
cp -R /Volumes/Docker/Docker.app /Applications
/Applications/Docker.app/Contents/MacOS/install --accept-license --user=$3

# Clean up.
echo 'Cleaning up'
hdiutil unmount /Volumes/Docker/Docker.app
rm ~/Downloads/Docker.dmg

#Configure Docker
cp -R /Applications/Docker.app/Contents/Resources/bin /Users/$3/.docker
ln -s -f /Users/$3/.docker/bin/docker /usr/local/bin
ln -s -f /Users/$3/.docker/run/docker.sock /var/run/docker.sock

This seems to work if I'm signed in to macOS Ventura but not if the policy is running as root at the login screen.

themarkdad
Contributor
Forum|Forum|2 years ago
August 28, 2023

#!/bin/bash

# Mount image
hdiutil attach ~/Downloads/Docker.dmg

# Clean up.
echo 'Cleaning up'
hdiutil unmount /Volumes/Docker/Docker.app
rm ~/Downloads/Docker.dmg

adjustment to my script due to my offensive security team. Using random temp directory.

#!/bin/bash

if [[ `uname -m` == 'arm64' ]]; then
# Apple Silicon
echo 'Downloading Apple Silcon release'
url="https://desktop.docker.com/mac/main/arm64/Docker.dmg"
tmpDir=$(/usr/bin/mktemp -d "/tmp/docker-install.XXXXXX")
curl -s -o "$tmpDir/Docker.dmg" ${url}
else
# Intel
echo 'Downloading Apple Intel release'
url="https://desktop.docker.com/mac/main/amd64/Docker.dmg"
tmpDir=$(/usr/bin/mktemp -d "/tmp/docker-install.XXXXXX")
curl -s -o "$tmpDir/Docker.dmg" ${url}
fi

cd $tmpDir
# Mount image
hdiutil attach Docker.dmg -nobrowse

# Clean up.
echo 'Cleaning up'
hdiutil unmount /Volumes/Docker/Docker.app
rm -rf $tmpDIR

DebstepFRB
Contributor
Forum|Forum|2 years ago
November 13, 2023

su ${3} -c "/Applications/Docker.app/Contents/MacOS/Docker --unattended --install-privileged-components"

/Volumes/Docker/Docker.app/Contents/MacOS/install --accept-license

/Volumes/Docker/Docker.app/Contents/MacOS/install --user=${3}

which version of Docker are you using for this script ?
I am using composer to build and deploy our package.
basically, I copy the dmg to a tmp directory

mount the dmg using  hdiutil -attach <path to dmg> -nobrowse
# remove an exsiting version of the app
/Applications/Docker.app/Contents/MacOS/uninstall
rm -rf /Applications/Docker.app
cp -R /Volumes/Docker/Docker.app /Applications/Docker.app
hdiutil unmount /Volumes/Docker   (should I use hdiutil -detach /Volumes/Docker here ?)
/usr/binxattr -dr "com.apple.quarantine" /Aplications/Docker.app 2> /dev/null

( now i should switch to the logged on user ? ) 
# I have a runasUser function 
runAsUser() 
{ 
        if [[ "${currentUser}" != "loginwindow" ]]; then
            launchctl asuser "$uid" sudo -u "${currentUser}" "$@"
        else
            echo "no user logged in"
            exit 1
        fi
}
currentUser=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ { print $3 }' )
uid=$(id -u "${currentUser}")
/Applications/Docker.app/Contents/MacOS/install --accept-license --user=$currentUser
#or 
runAsUser /Applications/Docker.app/Contents/MacOS/install --accept-license --user=$currentUser
runAsUser "/Applications/Docker.app/Contents/MacOS/Docker --unattended --install-privileged-components" 
# I am not sure the --install-priveleged-components option exists in version 4.25 ?

Thank you for any insight for this post install script ...

mmb79
New Contributor
Forum|Forum|2 years ago
November 16, 2023

which version of Docker are you using for this script ?
I am using composer to build and deploy our package.
basically, I copy the dmg to a tmp directory

mount the dmg using  hdiutil -attach <path to dmg> -nobrowse
# remove an exsiting version of the app
/Applications/Docker.app/Contents/MacOS/uninstall
rm -rf /Applications/Docker.app
cp -R /Volumes/Docker/Docker.app /Applications/Docker.app
hdiutil unmount /Volumes/Docker   (should I use hdiutil -detach /Volumes/Docker here ?)
/usr/binxattr -dr "com.apple.quarantine" /Aplications/Docker.app 2> /dev/null

( now i should switch to the logged on user ? ) 
# I have a runasUser function 
runAsUser() 
{ 
        if [[ "${currentUser}" != "loginwindow" ]]; then
            launchctl asuser "$uid" sudo -u "${currentUser}" "$@"
        else
            echo "no user logged in"
            exit 1
        fi
}
currentUser=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ { print $3 }' )
uid=$(id -u "${currentUser}")
/Applications/Docker.app/Contents/MacOS/install --accept-license --user=$currentUser
#or 
runAsUser /Applications/Docker.app/Contents/MacOS/install --accept-license --user=$currentUser
runAsUser "/Applications/Docker.app/Contents/MacOS/Docker --unattended --install-privileged-components" 
# I am not sure the --install-priveleged-components option exists in version 4.25 ?

Thank you for any insight for this post install script ...

I may be wrong, but as far as I know using

/Applications/Docker.app/Contents/MacOS/uninstall

"...destroys Docker containers, images, volumes, and other Docker related data local to the machine, and removes the files generated by the application." (See https://docs.docker.com/desktop/uninstall/ )

So in order to patch Docker I would not run the uninstall script - otherwise your user's databases will be gone.

DDP
New Contributor
Forum|Forum|2 years ago
November 16, 2023

This is the script I have been using and does bypass requesting admin priv.

#!/bin/bash

# Function to get the latest download URL for Docker
get_latest_Docker_url() {
# Replace the following line with a command or script to fetch the latest download URL
# For example, you might use curl or wget to get the download link from the Docker website
# Example: LATEST_URL=$(curl -s https://example.com/Docker-latest-url)
LATEST_URL="https://desktop.docker.com/mac/main/amd64/Docker.dmg?utm_source=docker&utm_medium=webreferral&utm_campaign=docs-driven-download-mac-amd64&_gl=1*13nvirf*_ga*MTc1MjU1MDg1OS4xNjg0Nzc1NTI3*_ga_XJWPQMJYHQ*MTY5MjczNjEwNS41OS4xLjE2OTI3MzYxMDYuNTkuMC4w"
echo "$LATEST_URL"
}
# Grab the username of the user that last logged in (current user).
currentUser=`defaults read /Library/Preferences/com.apple.loginwindow lastUserName`

# Function to download and install the latest version of Docker
install_Docker() {
# Get the latest download URL
Docker_URL=$(get_latest_Docker_url)

# Download the latest version
curl -L -o "/tmp/Docker-latest.dmg" "$Docker_URL"

# Mount the cached Docker .dmg
hdiutil attach /tmp/Docker-latest.dmg

# Install the application
"/Volumes/Docker/Docker.app/Contents/MacOS/install" --user="$currentUser" --accept-license

# Unmount the DMG
hdiutil detach "/Volumes/Docker"

# Install additional Docker components so users don't need admin rights
su "$currentUser" -c "/Applications/Docker.app/Contents/MacOS/Docker" --unattended &
su "$currentUser" -c "/Applications/Docker.app/Contents/MacOS/Docker" --install-privileged-components &

# Cleanup the temporary files
rm "/tmp/Docker-latest.dmg"

echo "Docker has been installed successfully!"
}

# Run the installation function
install_Docker

Forum|pagination.label 3 / 3

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded