Jamf Nation Community

Since you're deploying the app to every managed computer that you have, you could probably not bother making the smart computer group -- just set a trigger ("Recurring Check-in" is probably easiest, that way they pull the app when they talk to your JSS) and change your execution frequency to "Once per computer." You could make a smart group and it wouldn't harm anything, I just don't think it'd be necessary.

Hi m.kindelberger, I changed as you sad and it worked for me. Thank you.

We just had a user report that when Microsoft Teams.app is owned by root, only the root user can update it.

We're now testing the following postinstall script:

#!/bin/sh
## postinstall

pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3

####################################################################################################
# Import logging functions
source /path/to/client-side/functions.sh
####################################################################################################

ScriptLog "Installed."

ScriptLog "Apply odd-ball permissions ..." # Thanks, Randy T.
loggedInUser=$( /usr/bin/stat -f%Su /dev/console )
/usr/sbin/chown -Rv ${loggedInUser}:admin /Applications/Microsoft Teams.app/

ScriptLog "Reveal app ..."
revealMe "/Applications/Microsoft Teams.app"

exit 0      ## Success
exit 1      ## Failure

Hi Dan, any luck with the post install script.

@MDM The following seems to be working for us:

The important bits from two of the scripts are below; please let me know if your mileage varies too greatly.

Microsoft Teams Clean-up

#!/bin/sh
####################################################################################################
#
# ABOUT
#
#   Removes user-specific files prior to upgrading Microsoft Teams
#
####################################################################################################
#
# HISTORY
#
#   Version 1.0, 12-Dec-2017, Dan K. Snelson
#
####################################################################################################

# Variables
loggedInUser=$(stat -f%Su /dev/console)
applicationPath="Microsoft Teams.app"


# Check if the specified application is installed ...
testDirectory="/Applications/${applicationPath}"
if [ -d "${testDirectory}" ] ; then

    echo "/Applications/${applicationPath} located; proceeding ..."

    echo "Removing ${loggedInUser}-specific files for ${applicationPath} ..."

    /bin/rm -Rf /Users/${loggedInUser}/Library/Caches/com.microsoft.teams*

    /bin/rm -Rf /Users/${loggedInUser}/Library/Application Support/Microsoft/Teams

    /bin/rm -Rf /Users/${loggedInUser}/Library/Application Support/com.microsoft.teams

    echo "Removed ${loggedInUser}-specific files for ${applicationPath}."

    exit 0

else

    echo "/Applications/${applicationPath} NOT found; nothing to do."

    exit 0

fi

exit 0

Application Permission

#!/bin/sh
####################################################################################################
#
# ABOUT
#
#   Sets permissions on the application passed as Parameters 4 & 5. 
#
####################################################################################################
#
# HISTORY
#
#   Version 1.0, 12-Dec-2017, Dan K. Snelson
#
####################################################################################################


# Variables
loggedInUser=$(stat -f%Su /dev/console)
applicationPath="$5"


# If Parameter 5 is blank, exit ...
if [ -z "${applicationPath}" ]; then

    echo "Application Path not specified; exiting."

    exit 1

fi



# Check for a specified owner (Parameter 4)
# Defaults to currently logged-in user
if [ "$4" != "" ] && [ "$owner" == "" ]; then
    owner="${4}"
else
    echo "Parameter 4 is blank; using "${loggedInUser}" as the owner."
    owner="${loggedInUser}"
fi



# Check if the specified application is installed ...
testDirectory="/Applications/${applicationPath}"
if [ -d "${testDirectory}" ] ; then

    echo "/Applications/${applicationPath} located; proceeding ..."

    echo "Setting permissions on /Applications/${applicationPath} ..."

    /usr/sbin/chown ${owner} "/Applications/${applicationPath}"

    echo "Set owner of "/Applications/${applicationPath}" to ${owner}."

    exit 0

else

    echo "/Applications/${applicationPath} NOT found; nothing to do."

    exit 0

fi

exit 0

Hey @dan.snelson any chance you'd be willing to share two scripts I see in that image: Close Applications Gracefully and Update Inventory? The second one I'm just more curious than anything as to what you are doing in it.

I am looking at changing the way we do inventory updates due to the load on the servers, and I'm always curious how other folks do things.

Thanks!

Hi, @stevewood. Hopefully these are worth the wait:

Close Applications Gracefully

#!/bin/sh
####################################################################################################
#
# ABOUT
#
#   Quits apps gracefully as specified in JSS script parameters
#
####################################################################################################
#
# HISTORY
#
#   Version 1.0, 29-Jun-2015, Dan K. Snelson
#       Original
#   Version 2.0, 10-Nov-2016, Dan K. Snelson
#       Added check for app's existence 
#
####################################################################################################


### Variables
appName1="$4"     # App Name (i.e., "Microsoft Excel")
appName2="$5"     # App Name (i.e., "Microsoft OneNote")
appName3="$6"     # App Name (i.e., "Microsoft Outlook")
appName4="$7"     # App Name (i.e., "Microsoft PowerPoint")
appName5="$8"     # App Name (i.e., "Microsoft Word")
appName6="$9"     # App Name (i.e., "Microsoft Lync")



### Gracefully quit apps
echo "### Gracefully Quitting Apps ###"

### Functions
quitAppGracefully() {

    echo " " # Blank line for readability

    echo "* App to quit: ${1}"

    echo "* Verify ${1} is installed ..."

    testDirectory="/Applications/${1}.app"

    if [ -d "${testDirectory}" ]; then

        echo "* ${1} is installed; quit if running ..."
        /usr/bin/osascript -e 'quit app "'"${1}"'"'
        echo "* Quit ${1}."

    else

        echo "* ${1} is NOT installed; nothing to quit."

    fi
}



### Call the Functions

# App Name 1 to quit
if [ ! -z "${appName1}" ]; then
    quitAppGracefully "${appName1}"
fi

# App Name 2 to quit
if [ ! -z "${appName2}" ]; then
    quitAppGracefully "${appName2}"
fi

# App Name 3 to quit
if [ ! -z "${appName3}" ]; then
    quitAppGracefully "${appName3}"
fi

# App Name 4 to quit
if [ ! -z "${appName4}" ]; then
    quitAppGracefully "${appName4}"
fi

# App Name 5 to quit
if [ ! -z "${appName5}" ]; then
    quitAppGracefully "${appName5}"
fi

# App Name 6 to quit
if [ ! -z "${appName6}" ]; then
    quitAppGracefully "${appName6}"
fi


exit 0      ## Success
exit 1      ## Failure

Update Inventory

#!/bin/sh

echo "*** Updating inventory ***"

# Get the logged in users username
loggedInUser=$(/usr/bin/stat -f %Su "/dev/console")

# Identify location of the logged-in user's home directory
user_home_location=$( /usr/bin/dscl . -read /Users/"${loggedInUser}" NFSHomeDirectory 2>/dev/null | /usr/bin/sed 's/^[^/]*//g' )

if [ ${loggedInUser} == "root" ] || [ ${loggedInUser} == "adobeinstall" ] || [ ${loggedInUser} == "_mbsetupuser" ] ; then

    echo "${loggedInUser} is currently the logged-in user; starting normal inventory update ..."

    /usr/local/jamf/bin/jamf recon

    echo "Finished running inventory update"

else

    if [ -d "/Applications/Enterprise Connect.app" ] ; then # https://derflounder.wordpress.com/2017/04/12/identifying-which-active-directory-account-is-logged-into-enterprise-connect/

        /usr/bin/security find-generic-password -l "Enterprise Connect" "${user_home_location}"/Library/Keychains/login.keychain > /dev/null 2>&1

        if [[ $? -eq 0 ]]; then # Enterprise Connect installed AND configured

            ec_user=$( /usr/bin/security find-generic-password -l "Enterprise Connect" "${user_home_location}"/Library/Keychains/login.keychain | awk -F "=" '/acct/ {print $2}' | tr -d """ )

            echo "Starting inventory update for Enterprise Connect user ${ec_user} ..."

            /usr/local/jamf/bin/jamf recon -endUsername ${ec_user}

            echo "Finished running inventory update for Enterprise Connect user ${ec_user}."

        else    # Enterprise Connect installed, but NOT configured

            echo "Starting inventory update for user ${loggedInUser} ..."

            # Run recon, submitting the users username which as of 8.61+ can then perform an LDAP lookup
            /usr/local/jamf/bin/jamf recon -endUsername ${loggedInUser}

            echo "Finished running inventory update for ${loggedInUser}."

        fi

    else

        echo "Starting inventory update for user ${loggedInUser} ..."

        # Run recon, submitting the users username which as of 8.61+ can then perform an LDAP lookup
        /usr/local/jamf/bin/jamf recon -endUsername ${loggedInUser}

        echo "Finished running inventory update for ${loggedInUser}."

    fi

fi


exit 0

@dan.snelson Thanks for posting your impressive Teams update flow. Can you confirm that your method still works with the latest release of Teams (which is now a DMG)? 1.00.1253 as of this writing.

Also, has anyone tried a hybrid of Dan's method. Something like removing all the $user caches/containers, and then deploying a custom packaged Microsoft Teams.app with permissions changed?

@mtward We're using @mm2270's App Packager to create the .PKG we're deploying.

(Our testers have until Monday, 22-Jan-2018, to confirm the test policy works, but it's looking good so far.)

@dan.snelson What variable we should set for parameters $4 in script "Application Permission"?
Should it be empty?
When you creating the app do you change the permissions on MS Teams.app? Currently the standard user is not able to update this application.

@maziboss Thanks for the questions. Hopefully the following will clarify using this script:

In Settings > Computer Management > Scripts > {Script Name} > Options, set:
PARAMETER 4 to: Owner (defaults to current user)
PARAMETER 5 to: Application (i.e., Microsoft Teams.app)

So, leave Parameter 4 blank in your policy.

No, I don't change any permissions when creating the .PKG. (We use a customized version of @mm2270's App Packager to create the .PKG we're deploying.

@dan.snelson First, thank you for your answer. As I though there is something wrong with MS Teams. I have vendor old version MS Teams 1.00.026952. I installed it, used your script, checked updates and application was updated to version 1.00.29954.
Then I did the same procedure: check for new updates. In temp folder (User's Library/Application Support/Microsoft/Teams/temp) file Teams_osx.zip is downloading (build 1.00.111551). Then the app shows popup to refresh and ask to relaunch. After relaunch Ms Teams is the same version as was - 1.00.026952.
Any idea why? Maybe the issue is related to json file and difference version (in json file the build has a number 1.1.00.111551)?

@maziboss As of this writing, I'm seeing version 1.00.111551 on the Microsoft Teams download page, but the app itself reports that "You've got the latest updates" with version 1.1.00.14353.

@dan.snelson the issue is that i'm not able update applications from version 1.00.29954 to 1.1.00.14353. New version of app is downloading to temp folder, then relaunch and after all Teams has the same build (1.00.29954). Any idea why?

@maziboss Sorry, no, I don't have any idea why.

Is deleting the installed version and deploying 1.00.111551 an option for you?

Dan, I have a question regarding the current working of permissions on Microsoft Teams. On Tuesday of this week (3/19/19), I noticed the application not updating on its own. It is asking users to download and then admin username/password are required to install. I can see that the owner of the app is the current standard login user. I have also flush the policy to make the current login user owner of app. I believe that Microsoft Teams has changed the way it process updates.

Can you let me know if you are experiencing the same challenge? If yes, can you let me know if you have found a fix.

thank you for all the help on this!

If you enable a custom trigger (IE: installTeams) using the scenario at the top - you have to script it to copy to the local system and run the installer - or if you enable custom - does it know to mount the distribution point and using Installer?