Office 2016 Startup/AutoUpdate Blocking

GaToRAiD
Contributor II

So, I'm not much of a writer, so I'll be quick with this.

Here is the code:

#!/bin/sh

#Find Current User
CurrentUser=`/usr/bin/who | awk '/console/{ print $1 }'`

#Set Command Variable for trusted application
register_trusted_cmd="/usr/bin/sudo -u $CurrentUser /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -R -f -trusted"

#Set Variable for application being run against
application="/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft AU Daemon.app"

#This runs the combination of variables above that will block the running
#of the autoupdate.app until the user actually clicks on it, or goes
#into the help check for updates menu.  Additionally this needs to be
#run for each user on a machine.
$register_trusted_cmd "$application"

#Ungracefully removes Office 2011
/bin/rm -rf /Applications/Microsoft Office 2011/

#Turns off the FirstRunScreen for each application.
/usr/bin/defaults write /Library/Preferences/com.microsoft.Outlook kSubUIAppCompletedFirstRunSetup1507 -bool true
/usr/bin/defaults write /Library/Preferences/com.microsoft.PowerPoint kSubUIAppCompletedFirstRunSetup1507 -bool true
/usr/bin/defaults write /Library/Preferences/com.microsoft.Excel kSubUIAppCompletedFirstRunSetup1507 -bool true
/usr/bin/defaults write /Library/Preferences/com.microsoft.Word kSubUIAppCompletedFirstRunSetup1507 -bool true

exit 0

Thanks to @tvsutton for his assistance for on this.

32 REPLIES 32

jrippy
Contributor II

@GaToRAiD @tvsutton
Great "write up". I do have a question and a comment.
First, its great that all the plists finally use the same key to disable the welcome screen. That just floored me in 2011 when the keys were different for every application.
Now, the question: Can you please explain the part with the trusted command? The comments mention this is to stop autoupdate from running unless the user intentionally opens it. Is there no way to change the autoupdate plist to manual checks in Office 2016? I'm not familiar with lsregister so just wanting some more information about that whole process.

Thanks

GaToRAiD
Contributor II

@jrippy The auto update config profile/preference still does apply however, with office 2016 regardless if you have the preference in place it will ignore it on first boot. What I'm doing here is telling GateKeeper to not trust the application AutoUpdater.app thus when the application tries to open it, it will fail to open.

Kumarasinghe
Valued Contributor

Also for OneNote:

/usr/bin/defaults write /Library/Preferences/com.microsoft.onenote.mac kSubUIAppCompletedFirstRunSetup1507 -bool TRUE

timsutton
Contributor

Blogged the first-run dialog preferences here:

Disabling First-run Dialogs in Office 2016 for Mac

GaToRAiD
Contributor II

@timsutton Thank you for the help troubleshooting this, also pretty sure his blog will have more detail than I provided.

jrippy
Contributor II

@GaToRAiD Ok. Interesting idea about blocking it with Gatekeeper. How does lsregister differ from spctl for controlling gatekeeper?

Thanks to you and @timsutton, the rest of us will be ready for 2016 when we adopt it!

McAwesome
Valued Contributor

@GaToRAiD Just for the record, this script would be run once on login per user right? Also, is there a significant advantage to blocking Microsoft's update through this script rather than the Restricted Software section in the JSS?

GaToRAiD
Contributor II

@McAwesome We are deploying via a self service policy so it is ran at that time, but during testing we did run at at login if it is being pushed separate of the installer. We didn't want to fully break the AutoUpdater, which is why we didn't block via Restricted Software, we just didn't want it popping up for the first run of each software.

McAwesome
Valued Contributor

@GaToRAiD Interesting. Does this get around that annoying "You are opening the application "Microsoft AU Daemon" for the first time" prompt? I just started looking around for a way to get rid of it on our lab machines before we push it out.

[EDIT] Nevermind, I see it in the script there. I should read more thoroughly before asking questions.

donmontalvo
Esteemed Contributor III

We really need an ether-beer button here on JAMF Nation and on blogs like http://macops.ca/. :)

--
https://donmontalvo.com

bofh
New Contributor III

There is some other thing which should be mentioned ... After installing I stumbled through the plists and found this:

defaults read com.microsoft.autoupdate.fba
{ SendAllTelemetryEnabled = 0; }

I guess you all want that deactivated, here is a little untested script. (If I find more, I'll post that.)

#!/bin/bash
# Disable Ugly Microsoft Features...
# Within USER_TEMPLATEs
for USER_TEMPLATE in "/System/Library/User Template"/*
do
    #Turn off Telemetry
    defaults write "${USER_TEMPLATE}/Library/Preferences/com.microsoft.autoupdate.fba.plist" SendAllTelemetryEnabled -bool false
done
# Within USERs
for USER in "/Users"/*
do
    #Turn off Telemetry
    defaults write "${USER}/Library/Preferences/com.microsoft.autoupdate.fba.plist" SendAllTelemetryEnabled -bool false
done

donmontalvo
Esteemed Contributor III

@bofh How does ownership of com.microsoft.autoupdate.fba.plist look when you run it on your Mac?

--
https://donmontalvo.com

bofh
New Contributor III

@donmontalvo In my User Folder:

-rw------- 1 root wheel 73 Aug 10 11:00 com.microsoft.autoupdate.fba.plist

In one of the User Templates:

-rw------- 1 root wheel 73 Aug 10 11:00 com.microsoft.autoupdate.fba.plist

I'm not sure if that happened with the script above or if the filerights where like that before

donmontalvo
Esteemed Contributor III

OK so I'm not losing my mind. Mine looks like that too. I ran it locally, might be why root shows as owner.

I'll test through Self Service when I get to the office (since it runs as user with root rights). Guessing as well the User Template plist may need to be chown'd (additional line) if Self Service sets owner of all the files it is touching to current user.

--
https://donmontalvo.com

bpavlov
Honored Contributor

I'm just thinking out loud here, but could one not specify a choices installer with the following content so that AutoUpdate is never installed to begin with?

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
    <dict>
        <key>attributeSetting</key>
        <integer>0</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>com.microsoft.autoupdate</string>
    </dict>
</array>
</plist>

I mean if the goal is to manage the updates yourself then this would surely stop it from coming up on first launch. I know I'm probably overlooking something, so someone please tell me why this approach isn't the way to go.

GaToRAiD
Contributor II

@bpavlov Funny you say that, the issue is, if you have office 2011 on there, which would include the MAU as well, it will actually run that if the other is not found.

bpavlov
Honored Contributor

Right, there's the issue of computers that already have Office 2011. But what about machines that don't have it? Not sure about others, but are others going to keep both 2011 and 2016 running side by side? I know it's possible, but I imagine usually companies leave the old version behind and uninstall it (emphasis on usually).

bpavlov
Honored Contributor

So a bit more investigating on what kicks off Word launching after install:

postinstall in the Word installer

#!/bin/sh

if ! [[ $COMMAND_LINE_INSTALL && $COMMAND_LINE_INSTALL != 0 ]]
then
    domain="com.microsoft.autoupdate2"
    defaults_cmd="/usr/bin/sudo -u $USER /usr/bin/defaults"
    application="/Applications/Microsoft Word.app"
    application_info_plist="$application/Contents/Info.plist"
    lcid="1033"

    if /bin/test -f "$application_info_plist"
    then
        application_bundle_signature=`$defaults_cmd read "$application_info_plist" CFBundleSignature`
        application_bundle_version=`$defaults_cmd read "$application_info_plist" CFBundleVersion`
        application_id=`printf "%s%02s" $application_bundle_signature ${application_bundle_version%%.*}`
        $defaults_cmd write $domain Applications -dict-add "$application" "{ 'Application ID' = $application_id; LCID = $lcid ; }"
    fi

    parent_dir=`/usr/bin/dirname "$0"`
    chain_clu="$parent_dir/chain_app"
    perpetual_license="/Library/Preferences/com.microsoft.office.licensingv2.plist"
    office365_license="$HOME/Library/Group Containers/UBF8T346G9.Office/com.microsoft.Office365.plist"

    # Find the PID of the installer process
    installer_pid=$(/bin/ps -o pid,command -ax | /usr/bin/grep "Installer.app/Contents/MacOS/Installer" | /usr/bin/awk '{print $1}')

    if /bin/test -d "$application"
    then
        if /bin/test -e "$perpetual_license" || /bin/test -e "$office365_license"
        then
            logger "Office product already licensed."
        else
            # Launch $application once the installer process goes away
            /usr/bin/sudo -u $USER "$chain_clu" -p "$installer_pid" -a "$application" --args -silent 1 &
        fi
    fi
fi

exit 0

and the postinstall script calls the chain_app script also located in the same scripts folder for the Word installer:

#!/bin/sh

#  Chain launch a file system object.
#
#   This script will wait for a process to complete and then open a file system
#   object.

# Exit 1 if no args.
if [ $# -eq 0 ]
then
    exit 1
fi

# Parse args.
while getopts ":a:d:p:" option
do
    case $option in
        # Application to execute.
        a ) APPLICATION=$OPTARG ;;
        # Delay in seconds to wait until $PID quits.
        d ) DELAY=$OPTARG ;;
        # PID to wait on before executing $APPLICATION.
        p ) PID=$OPTARG ;;
        * ) break ;;
    esac
done

shift $((OPTIND - 1))

# Default $DELAY to 1 if not passed.
DELAY=${DELAY:-1}

# Set extra args to rest of arguments.
EXTRA_ARGS=$*

# Sleep until $PID quits.
while [ $(/bin/ps -o pid -p"$PID" | /usr/bin/grep "$PID" | /usr/bin/awk '{print $1}') ]
do
    /bin/sleep "$DELAY"
done

# Execute application with extra args (if any).
/usr/bin/open "$APPLICATION" $EXTRA_ARGS

exit $?

Perhaps modifying the chain_app script so that it exits gracefully will do the trick so that Word isn't launched post-install.

#!/bin/sh
exit 0

Not sure why Microsoft suddenly feels the need to open up an Office app after its been installed. Anyways, I'm just sharing what I'm finding. I haven't tested or put anything together, but will post more if any other little bits like this may prove useful to someone else.

bpavlov
Honored Contributor

Just to follow up. It appears that modifying chain_app script does indeed work. Word is not auto-launched after install. And if I manually launch Word and have a profile set to make the first run preferences set to true, I get a nice clean experience. No autoupdate.

chain_app

#!/bin/sh
exit 0

Will still need to test deploying via Casper just to see how it behaves, but I'm liking the results so far.

karthikeyan_mac
Valued Contributor

Hi,

Rename the MAU2.0 folder in /Library/Application Support/Microsoft/ suppress the AutoUpdate. This removes the "Check For Updates" option in the Help Menu as well.

Thanks & Regards,
Karthikeyan

jimmy-swings
Contributor II
Rename the MAU2.0 folder in /Library/Application Support/Microsoft/ suppress the AutoUpdate. This removes the "Check For Updates" option in the Help Menu as well.

Good find! A quick question though. Would there be any reason why you might not simply create a policy to delete "Microsoft AutoUpdate.app" in this folder? It would have the same effect.

karthikeyan_mac
Valued Contributor

Yes, We can even delete it.

franton
Valued Contributor III

Yes, if the MAU app isn't present then the auto update issues go away.

I inadvertently discovered this when I was attempting to package up the VL Office installer. See my blog

zbennis
New Contributor

Is there a way to disable the "Gallery" screens that continue to pop up, even after disabling the firstrun screens? I would just like the window to open to a new blank document or spreadsheet.

karthikeyan_mac
Valued Contributor

Hi @zbennis

Microsoft Stores the New Template dialog settings in

"MicrosoftRegistrationDB.reg" file in ~/Library/Group Containers/UBF8T346G9.Office. We have to include this package in file. I was not able to create the script to create the file so copying it to All Users and User Template.

Thanks & Regards,
Karthikeyan M

mvught
Contributor

@franton thanks for your clear explanation works great . Question: How do you deal with dock items? We now have office2010 in the dock for removal , we use dockutil of " kcrawford Github " and also adding of 2016. But we see that we need to repeat the command 3 times before it works.
How do you deal with it?

#!/bin/sh
Before installation:
# Remove Office dock items end user.
$dockutil --remove "Microsoft Word" --allhomes --no-restart
killall Dock
$dockutil --remove "Microsoft Excel" --allhomes --no-restart
killall Dock
$dockutil --remove "Microsoft Outlook" --allhomes --no-restart
killall Dock
$dockutil --remove "Microsoft PowerPoint" --allhomes --no-restart
killall Dock
$dockutil --remove "Microsoft OneNote" --allhomes --no-restart

killall cfprefsd
killall Dock
#!/bin/sh
After installation:
# Add Office Dock to end user 3 times.
echo "Add/Replace Office dock items"

$dockutil --add '/Applications/Microsoft Word.app' --replacing 'Microsoft Word' --allhomes --no-restart $plist
killall Dock
$dockutil --add '/Applications/Microsoft Excel.app' --replacing 'Microsoft Excel' --allhomes --no-restart $plist
killall Dock
$dockutil --add '/Applications/Microsoft Outlook.app' --replacing 'Microsoft Outlook' --allhomes --no-restart $plist
killall Dock
$dockutil --add '/Applications/Microsoft PowerPoint.app' --replacing 'Microsoft PowerPoint' --allhomes --no-restart $plist
killall Dock
$dockutil --add '/Applications/Microsoft OneNote.app' --allhomes --no-restart $plist
killall Dock

echo "Refresh Dock"
killall cfprefsd
killall Dock

AVmcclint
Honored Contributor

It would be nice if MS included a command line component to AutoUpdate so we could kick off updates in the background via ARD after we've evaluated the updates on test Macs first.

Kumarasinghe
Valued Contributor

@mvught You have to run only once if you follow these steps:
1) Don't use "--no-restart"
2) add a "sleep x" in between commands

My working script to replace Office 2011 from dock

# Dock Icons change - for current user and all existing users on this computer
/usr/local/bin/dockutil --add '/Applications/Microsoft Word.app' --replacing 'Microsoft Word' --allhomes
/bin/sleep 10
/usr/local/bin/dockutil --add '/Applications/Microsoft Excel.app' --replacing 'Microsoft Excel' --allhomes
/bin/sleep 10
/usr/local/bin/dockutil --add '/Applications/Microsoft PowerPoint.app' --replacing 'Microsoft PowerPoint' --allhomes

mvught
Contributor

@Kumarasinghe Thank you so much, works like a charm

MacGeek
New Contributor III

I'm trying to distribute Office 2016 across our Enterprise. When Office is installed locally you see a Sign In option only. When Office is installed using any Application Distribution software and our Serializer you get the option of Skip sign in (See attached .jpg).

Is there a method to install a .plist file or run a script that will prevent this option to "Sign In" all together? What .plist file needs modification? Thanks so much for any help!

wmateo
Contributor

@MacGeek There are 2 versions of Office 2016.

  1. Office 365 Version which requires sign in option to activate
  2. the VL + Serializer Version which you have to deploy after to get the "skip sign in"

There are a few pages on JAMFNATION that will show u how to avoid the sign in, but I have not tried them. Once u have serialized the install, the sign in pop up will be gone.

Lazare
New Contributor

Ok, must be that I am a shell script newbie, but how to you run this script? Google really doesn't help me on this but hopefully a kind soul here will.

Thanks in advance
Cheers