Install Google Drive File Stream - System Extension Blocked

svallas
New Contributor III

Hi,

Using the script below I can silently install Google Drive on the workstations. I just run into the following problem, and that a pop-up appears from System Extension Blocked, in which I have to approve Google.

Is there a way to forcefully approve this in the script?

Thanks in advance.

# Script to download, Silent Install and then clean up once installed Google DrivE FileStream

#Make temp folder for downloads.
mkdir "/tmp/filestream/";
cd "/tmp/filestream/";

#Download filestream.
curl -L -o /tmp/filestream/GoogleDriveFileStream.dmg "https://dl.google.com/drive-file-stream/GoogleDriveFileStream.dmg";

#Mount, Install, and unmount GoogleDriveFileStream.dmg
hdiutil mount GoogleDriveFileStream.dmg; 
sudo installer -pkg /Volumes/Install Google Drive File Stream/GoogleDriveFileStream.pkg -target "/Volumes/Macintosh HD"; 
hdiutil unmount /Volumes/Install Google Drive File Stream/;

#Tidy up
sudo rm -rf /tmp/filestream/
64 REPLIES 64

larry_barrett
Valued Contributor

PPPC utility download here

cbrewer
Valued Contributor II

Config profile with Approved Kernel Extensions payload.
86c5685fa6d546179f22085a8d4a8e2f

larry_barrett
Valued Contributor

We do exactly what @cbrewer does and use a PPPC entry in the same profile.

5ab25e76f7c84453ad384b7180b0f5a7

47a37a6c6efb4b58a6f7a9b2203b77db

svallas
New Contributor III

I don't use jamf yet, I remotely kick the script, so I wondered if something like that could be edited in the script?

mattia_giuffrid
New Contributor

@cbrewer solution worked even without PPPC configs.

Flaurian
New Contributor III

I actually configured it like you but I still got this notification if I started Google FS for the first time. Did I something wrong?
8fe8657f4cba42c6953b1c60588eec9f

McLeanSchool
New Contributor III

@svallas With the release of the rebranded Google Drive File Stream, it is now called Google Drive. I had to update your script to accommodate for this:

#!/bin/zsh

# Make temp folder for downloads
mkdir "/tmp/googledrive"
cd "/tmp/googledrive"

# Download Google Drive
curl -L -o "/tmp/googledrive/GoogleDriveFileStream.dmg" "https://dl.google.com/drive-file-stream/GoogleDriveFileStream.dmg"

# Mount and install GoogleDriveFileStream.dmg
hdiutil mount GoogleDriveFileStream.dmg
installer -pkg "/Volumes/Install Google Drive/GoogleDrive.pkg" -target "/Volumes/Macintosh HD"

# Tidy up
hdiutil unmount "/Volumes/Install Google Drive"
sudo rm -rf "/tmp/googledrive"

MacJunior
Contributor

I deployed the same config profile @cbrewer mentioned but I still get the popup window asking to approve it from system preferences !!

Anybody managed to fix it ?

konstantinb
New Contributor II

interested in this too!

robertliebsch
Contributor

Be mindful, Kernel Extensions are 10.15 while System Extensions are 11.
@Flaurian @MacJunior

Flaurian
New Contributor III

Yes, I already found it out but thanks to clarify it. I also checked Google working on a new tool for Google Drive to combine Drive and Backup as one product. So, fingers crossed it using System Extensions.

yo_ann
New Contributor

Hello,

same problem as Flaurian, what ever i set up, i still have the approval asking.... but with the message "Google, Inc has been blocked" :'(

mosermat
New Contributor II

Adding some things here that can hopefully help someone. I modified the script posted by @McLeanSchool so it will still install File Stream even if the Volume Name is unique and has a space in it (ex. "Joes Mac" instead of "Macintosh HD"). I tested and this is working on multiple MacBooks via Jamf on Catalina and Big Sur (caveat below).

#!/bin/zsh

# make temp folder for downloads
mkdir "/tmp/googledrive"

# change working directory
cd "/tmp/googledrive"

#download Google Drive File Stream
curl -L -o "/tmp/googledrive/GoogleDriveFileStream.dmg" "https://dl.google.com/drive-file-stream/GoogleDriveFileStream.dmg"

# Mount the DMG
hdiutil mount GoogleDriveFileStream.dmg

# Get Volume Name
Volume=$(diskutil info / | grep "Volume Name:" | awk '{print $3,$4,$5,$6}')

# Install Google Drive
sudo installer -pkg /Volumes/Install Google Drive/GoogleDrive.pkg -target "/Volumes/$Volume"

#Tidy Up
hdiutil unmount "/Volumes/Install Google Drive"
sudo rm -rf "/tmp/googledrive"

In Big Sur I still haven't found a way to approve the necessary System Extension via Jamf...but it is possible to open System Preferences, Security and Privacy, General Tab, click Allow, reboot...then it works great. Hoping someone can find a fix or this is resolved by Google at some point.

2e10df09b93045899e372502a1d7433a

Geissbuhler
Contributor

@mosermat Had to Update the script a bit in more than the places listed above:

#!/bin/zsh

# make temp folder for downloads
mkdir "/tmp/googledrive"

# change working directory
cd "/tmp/googledrive"

#download Google Drive File Stream
curl -L -o "/tmp/googledrive/GoogleDrive.dmg" "https://dl.google.com/drive-file-stream/GoogleDrive.dmg"

# Mount the DMG
hdiutil mount GoogleDrive.dmg

# Get Volume Name
Volume=$(diskutil info / | grep "Volume Name:" | awk '{print $3,$4,$5,$6}')

# Install Google Drive
sudo installer -pkg /Volumes/Install Google Drive/GoogleDrive.pkg -target /

#Tidy Up
hdiutil unmount "/Volumes/Install Google Drive"
sudo rm -rf "/tmp/googledrive"

This at least seems to be downloading and installing properly now.

Geissbuhler
Contributor

Now to work on getting Auth to happen after launching the app, if anyone has any tips, please reply

bfrench
Contributor II

After running the most recent script the volume is not removing from the desktop. Does something need to be altered?

Tidy Up

hdiutil unmount "/Volumes/Install Google Drive"

it logs as successful

installer: Package name is Google Drive
installer: Installing at base path /
installer: The install was successful.
"/Volumes/Install Google Drive" unmounted successfully.
sudo rm -rf "/tmp/googledrive"

KSibley
New Contributor III

I'm not having luck the the Kext CP and PPPC. Does something need to change now that its been renamed from Google Drive FileStream to Google Drive for Desktop? NM, got it working.

KarolisB
New Contributor

@KSibley what was the solution?

RLR
Valued Contributor

Anyone got an updated version of the PPPC config they can share? We're still getting Google Drive asking for system extension approval on big sur.

I know this was a while back, but If you are still looking you can get the newest version here:

https://github.com/jamf/PPPC-Utility/releases

konstantinb
New Contributor II

Hey @RLR ,

 

we use the following:

Privacy Preferences Policy Control - App Access

Identifier

com.google.drivefs

Bundle ID

identifier "com.google.drivefs" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EQHXZ8M8AV

APP OR SERVICE:

Accessibility: Allow

 

System Extension:

Google Drive - Allowed System Extensions - EQHXZ8M8AV - com.google.drivefs.filesystems.dfsuse

 

Hope that works for you :). Feel free to give some feedback!

@RLR  and @konstantinb    since it's not GOOGLE DRIVE FILE STREAM anymore but changed to GOOGLE DRIVE FOR DESKTOP  are the values to create the  'system extension' the same? I used the values that @konstantinb provided in the reply above two weeks ago.  (images attached of my sys ext config profile)

 

specifically these values below, do they stay the same?  i'm thinking maybe 'drivefs' would reference 'file stream' but since it's not file stream anymore i'm kinda just assuming.

---- com.google.drivefs

----- com.google.drivefs.filesystems.dfsuse

 

Screen Shot 2021-09-01 at 9.56.17 AM.pngScreen Shot 2021-09-01 at 9.55.49 AM.pngScreen Shot 2021-09-01 at 9.54.37 AM.png

Pulling the App "Google Drive" Into PPPC Utility it shows the same as before, so looks like it is indeed still using the com.google.drivefs. I wondered the same thing 🙂Screen Shot 2021-09-01 at 9.53.26 AM.png

so does my Config Profile settings look correct?

is that similar to your config profile?

does it work for both intel and M1  macs running Big Sur?  I'm testing but wont be able to for the next 2 weeks.

Testing on an Intel Machine in a bit need to wipe to fully test properly, will post results when done. I have the same as you plus a few others, which I likely do not need, The diff is that I approved both com.google.drivefs and com.google.drivefs.filesystems.dfsuse in the system extension, so we will see what happens. If it works I will post screenshots.

Also Testing this on macOS Monterey Beta FYI, 1 Big Sur Intel and 1 Monterey.

So Far worked perfectly on macOS Monterey, Testing Big Sur momentarily

No go for Big Sur, **bleep**!

Ok So Here is what I have:

Big Sur on M1 = Works
Big Sur on Intel = Fails
Monterey Beta (21a5506j) on Intel = Works
Monterey Beta (21A5304g) on M1 = Works

My setup is a bunch of me reading various items and is likely overkill, I was going to make a bunch of settings and then if it worked I could pull some back, just keep that in mind.

(Update) same results after changing a mistake i had in the screenshots below:

com.google.drivefs.filesystems.dfsuse

Screen Shot 2021-09-01 at 11.54.36 AM.png

Screen Shot 2021-09-01 at 11.54.52 AM.png

Screen Shot 2021-09-01 at 11.55.03 AM.png

Screen Shot 2021-09-01 at 11.55.14 AM.png

Screen Shot 2021-09-01 at 11.55.23 AM.png

Geissbuhler
Contributor

Any Other findings from People Specifically with Intel Macs on Big Sur would be greatly appreciated.

tcandela
Valued Contributor

@Geissbuhler  so you applied that single config profile to both intel & m1 ?  

so no separate config profile for each arch type? (probably not necessary)

Correct exact same on all of the above, only intel and Big Sur combo seems to fail. So weird

konstantinb
New Contributor II

So far this config did work for all our clients. But I will try to check it again on M1 next weeks. The Config i also pulled from the new client the name has just changed but the config is still the same basically.

tcandela
Valued Contributor

@konstantinb @Geissbuhler  are you applying this Google Drive system extension config profile to only Big Sur computers?

and a seperate Google Drive kernel extension config profile to Mojave and Catalina computers?

 

also the system extension you configured, I see the pictures you posted, does the config profile have 2 'Allow Team IDs and System Extension' sections in it?

Yes I we are doing kernel extension for Catalina and Mojave, and a separate Config Profile with System Extension for Big Sur and Monterey Beta.

konstantinb
New Contributor II

@tcandela Theoretical yes you would need to. 

The Systems extensions are as following:

Display Name:
Google Drive
System Extension Types:

Allowed System Extensions:
Team Identifier:
EQHXZ8M8AV
ALLOWED SYSTEM EXTENSIONS:
com.google.drivefs.filesystems.dfsuse

@konstantinb ok thanks. 

I'm confused with the @Geissbuhler images he attached to his reply specifically the 5th image that has the 'driver extension' box checked. Do you have that in your system extension configuration?

here is the image i'm talking about, it looks like another section of 'Allowed Team ID's and System Extensions' was added to the same config profile

 

Screen Shot 2021-09-03 at 10.51.15 AM.png

Yes in my test environment I was basically trying anything, hence the comment where I try way too much and scale back later. The way those pics are listed, is the top pic is the Config Profile as whole, then the next is of the PPPC Payload, The next is the System Extensions payload, the following snaps are of the individual sections within the System Extensions Payload.

I read early on that if you are unsure with System Extensions which bit works, like in this instance here, trying to troubleshoot, you start with approving the team as a whole, Then start on the individual extensions, Then the types, if your big old way overkill sys extension works, scale it back like maybe delete the Team as a whole bit of the payload, and get right to the bits that you actually need.

This is not in prod

Would love to know what I actually need, hence the testing above. This is currently working on Big Sur with M1, but not working on Big Sur with Intel.

a_hebert
New Contributor III

I haven't tried it on a Big Sur computer yet.   I was trying to find a solution for my 10.15 computers. This is a kernel extension so i know it will not work on Big Sur I am making a new config profile for my Big Sur computers will let you know how the testing is going after I get that one built.