Is a signed QuickAdd package a must?

khurram
Contributor III

Please advise if the QuickAdd package must be signed. When we install the package on our clients they turn up as "Verified" under Profiles. Is it necessary to sign the QuickAdd packages?

2 ACCEPTED SOLUTIONS

justinrummel
Contributor III

Required, no. "Best Practice", sure... it just depends on your enrollment workflow.

If you as the admin double click on the PKG to enroll each machine, no big issue. You know that you may have to "Ctrl + Click" the pkg to bypass Gatekeeper security features (vs. lowering the security preference to "Anywhere"... that is not advised).

However, if you ask your end users to enroll themselves into the JSS, each user MUST be an admin of their machine to bypass Gatekeeper in addition to installing the jamf binary. Signing your PKG is doing something for your users so they don't have to worry about knowing how to "Ctrl + Click" to bypass (and doesn't teach them a bad habit).

- Justin


RobertHammen
Valued Contributor II

Gatekeeper uses Apple's quarantine system. Files downloaded via a web browser (or sent via email) typically are quarantined. Files copied from a server via AFP/SMB are not.

If your workflow includes downloading a QuickAdd package from a web server, or emailing a QuickAdd package, you should sign your package.
If it does not, you probably do not need to, although, as Justin posted above, it's a best practice, just in case your workflow changes.
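The following shell script is an added example, not part of the original thread or Jamf's own tooling: on macOS it checks a package for a signature (`pkgutil --check-signature`) and for the quarantine attribute (`xattr`), the two facts the answers above say decide whether a user meets Gatekeeper. The function names, verdict labels and the package path passed on the command line are assumptions for illustration.

```shell
#!/bin/sh
# Added example: pre-distribution check for an enrollment package (macOS).
# Gatekeeper evaluates files that carry the com.apple.quarantine attribute,
# so the outcome depends on the signature AND on how the file was delivered.

# Classify the text printed by `pkgutil --check-signature`.
signature_status() {
    case "$1" in
        *"Status: no signature"*) echo unsigned ;;
        *"Status: signed"*)       echo signed ;;
        *)                        echo unknown ;;
    esac
}

# Succeeds if the file carries the quarantine attribute
# (typically set by web browsers and mail clients).
is_quarantined() {
    xattr -p com.apple.quarantine "$1" >/dev/null 2>&1
}

# $1 = signed|unsigned|unknown, $2 = yes|no (quarantined)
verdict() {
    if [ "$2" = no ]; then
        echo "NOT_EVALUATED"      # e.g. copied from an AFP/SMB share
    elif [ "$1" = signed ]; then
        echo "SIGNATURE_CHECKED"  # Gatekeeper evaluates the signer
    else
        echo "BLOCKED"            # not confirmed signed: user needs Ctrl+Click
    fi
}

# Report both facts and the resulting verdict for one package.
check_pkg() {
    sig=$(signature_status "$(pkgutil --check-signature "$1" 2>&1)")
    if is_quarantined "$1"; then q=yes; else q=no; fi
    echo "$1: signature=$sig quarantined=$q -> $(verdict "$sig" "$q")"
}

# Run against a package path given on the command line.
if [ "$#" -ge 1 ]; then
    check_pkg "$1"
fi
```

Run it against the copy of the package as it arrives on a client (after download or email), since the quarantine attribute is added on delivery and will not be present on the admin's original file.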
