Posted on 01-29-2019 09:50 AM
During our testing, we noticed the following. Excel installed via Self Service without an issue. However when we tested Word and PowerPoint as a push. It installed successfully and then created a "stub" record as well for both of these applications. I let it sit for a while to see if it would self-correct, but it has not. I ran Recon in hopes that it would delete this stub entry, same results as pervious. Lastly, I rebooted the machine and upon login, they were still there. I'm able to launch the applications without an issue. If we launch any of the stub records it launches the AppStore and gives us an error. The AppStore opens and it quickly shows "No Purchase" before it loads the AppStore. Has anyone come across this yet?
Posted on 01-29-2019 11:19 PM
@Echevarria Same here! it is not consistent because it is not on every machine where we pushed the MAS Office 365 apps via VPP.
maybe we can involve @pbowden he's the wizzard with hamsters in this game!
Posted on 01-30-2019 09:11 AM
@Echevarria @txhaflaire yeah, I've noticed something very similar in my lab a couple of times. The first Office app seems to install okay, but subsequent Office apps end up as a stub. The apps end up with a .appdownload extension. For me, running recon for a second time fixed the issue. I'll reach out to my contacts at Jamf to see if they've seen this kind of issue before with other VPP apps.
Posted on 01-30-2019 11:19 AM
@pbowden Awesome! Yeah a second recon did the trick in this particular case. Still curious tho!
Posted on 01-30-2019 11:24 AM
@txhaflaire I've got a support case open with Jamf (JAMF-0630832).
Posted on 01-30-2019 12:39 PM
If I can extend on this... in our setup, when I added MAS 365 to Self Service, the button just went to "open", like it knew it was already installed. But its the pgk installed version with MAU. Will the app store take over updating it?
screen shot below, used that pkg to install office, MAS Office is in self service with "open" and MAU is installed still.
Posted on 01-30-2019 12:42 PM
@ScottSimmons No, the App Store will not take over the update mechanics for installations installed through the CDN network. You still have to use MAU / 3rd party patching for that.
Please check how to migrate to MAS 365 apps.
Also @daz_wallace did an awesome job on writing a how-to and script to get this train going!
https://dazwallace.wordpress.com/2019/01/30/migrating-microsoft-office-suite-to-mas-deployment/
Posted on 01-30-2019 01:13 PM
Hey Bud, Really? I thought the entire point of using VPP and configuring its settings for the "Free" App, would automatically apply updates.
So then why should we go with VPP deployment? Just curious.. I am freaking out here.
Posted on 01-30-2019 01:15 PM
@aaelic24 You are right, if the apps are installed through VPP the Apps got maintained and up to date via the mac App Store.
But.. if you have a Application installed through an .pkg for instance, and then scope that same application via VPP the application is not been overwritten so the _MASReceipt folder is not in the package contents and will not be updated by the App Store
Posted on 01-30-2019 01:30 PM
@txhaflaire
Thanks for clarifying this. I have only tested with Word, I am about to test the other Apps. I will let you guys know how it goes for me and if we see any issues.
Thanks for the help guys!
Posted on 01-30-2019 01:39 PM
@ScottSimmons
I was having the same issue. I used this script to remove the current installed version. Then I cleared caches then restared machine.
Scoped the VPP App to the machine and via self service the App now says Install:
consoleuser=$(ls -l /dev/console | awk '{ print $3 }')
echo "logged in user is" $consoleuser
pkill -f Microsoft
folders=(
"/Applications/Microsoft Excel.app"
"/Applications/Microsoft OneNote.app"
"/Applications/Microsoft Outlook.app"
"/Applications/Microsoft PowerPoint.app"
"/Applications/Microsoft Word.app"
"/Users/$consoleuser/Library/Containers/com.microsoft.Excel"
"/Users/$consoleuser/Library/Containers/com.microsoft.netlib.shipassertprocess"
"/Users/$consoleuser/Library/Containers/com.microsoft.Office365ServiceV2"
"/Users/$consoleuser/Library/Containers/com.microsoft.Outlook"
"/Users/$consoleuser/Library/Containers/com.microsoft.Powerpoint"
"/Users/$consoleuser/Library/Containers/com.microsoft.RMS-XPCService"
"/Users/$consoleuser/Library/Containers/com.microsoft.Word"
"/Users/$consoleuser/Library/Containers/com.microsoft.onenote.mac"
)
search="*"
for i in "${folders[@]}"
do
echo "removing folder ${i}"
rm -rf "${i}"
done
if [ $? == 0 ]; then
echo "Success"
else
echo "Failure"
fi
Posted on 01-30-2019 04:16 PM
@Echevarria @txhaflaire We made some progress narrowing down the issue. The store download daemon is crashing, so the problem is in core macOS. We have a RADAR open with Apple now.
Posted on 01-31-2019 01:32 AM
@pbowden Cool! The monkey is out of the sleeve, keep us posted! Gracia!
Posted on 01-31-2019 05:56 AM
There are lots of Office 365 scripts out there taking care of all kind of stuff. Just throwing a ball up in the air - is this VPP something that is the way to go or is there some limitations on some configuration, that exists in many of the script. I can of course see the big advantage of making it auto update, but don´t know if there is any issues. For example, what about the first run dialogs that often appears - is it still possible to use same config profiles to hide those ?
Posted on 01-31-2019 05:59 AM
@Captainamerica I get your concerns. In fact the Applications are identical to the ones installed via the .pkg / CDN network.
You have to check if the update mechanism fits your organisation needs.
Mac App Store = No control on the updates
CDN / .pks = Conrol over updates via MUA / update packages etc. ( only the frequency when VPP/App store checks and forces updates)
So, the MAS Office 365 apps use the same domains for the profiles.
Posted on 01-31-2019 06:17 AM
@pbowden Thanks for looking into this. I thought it was weird at first, so I wanted to make sure. @txhaflaire unfortunately doing recon via SelfService or the binary itself did not address the issue for me. I'm glad that I posted this and that the community saw similar things. I will share this with my team and let them know.
Posted on 02-01-2019 10:19 AM
I built a lab computer from scratch. The MAS versions of Word, Excel and PowerPoint were installed as expected thru VPP. We have an Office 365 Business subscription. I can sign-in to all of these apps, however, activation never succeeds and I'm prompted to authenticate again, even though I'm already signed in. After entering my password for activation I just get the dots scrolling across the top. I let it run for about 8 hours yesterday and it just kept going and never activated, no error message. Same result if I try activating before logging in.
From all the documentation, and maybe I'm reading it wrong, it looks like you should be able to activate MAS deployed versions of Office Apps using any type of Office 365 subscription. Is that correct or am I totally missing something? It seems like that's the case as it prompts me to select Work/Personal during activation.
UPDATE: Activation magically started working. My guess is that it was due to the fact that one of the apps still had the App Store stub when I tried activating.
Thanks for the webinar last week, @pbowden!
Posted on 02-01-2019 11:13 AM
I wonder if this issue has any relation to Xcode refusing to download in VPP, get very similar results as being reported here.
Posted on 02-01-2019 12:56 PM
Thought this might be a good place to ask. Has anyone else seen the numerous prompts for you password when starting an O365 app for the first time? Is there a work around for it?
Posted on 02-01-2019 01:19 PM
@landon_Starr Yeah, when migrating this occurs. Search for pbowden his nukeofkeychain script
Posted on 02-01-2019 01:40 PM
Yep. Multiple times. Not sure why. I am trying to figure that out. I wonder if it was to to do with Privacy Preference Policy Control....?
Posted on 02-04-2019 06:19 AM
Thanks @txhaflaire for pointing me to that bad boy! So with the O365 apps being deployed through VPP, what's the best way to run it since they're getting pulled down from the app store.
Posted on 02-04-2019 07:18 AM
Hey guys, has anyone the same issue if you try to install the apps via Self Service (VPP) and for example "Word" didn't download/ installed, just an icon for forwarding the user to the App Store. If I click again on install Word (Self Service) it works, but the user has to accept many keychain notifications with my own password. Any ideas?
Posted on 02-04-2019 07:21 AM
@Florian.Proft I asked the same question a few days ago, and the answer is sitting right above your question :)
There's a script to nuke those keychain prompts, I'm just looking into what's the best way to push it out now that the apps are VPP.
Posted on 02-04-2019 07:25 AM
@Florian Yeah you have to nuke the users his keychain, we mean some of the keychain items.
@landon_Starr Check out @daz_wallace his blog for more information https://dazwallace.wordpress.com/2019/01/30/migrating-microsoft-office-suite-to-mas-deployment/
Posted on 02-06-2019 08:06 AM
Hi. Can someone point me to the nukeofkeychain script referred to above by @txhaflaire . I searched jamf nation for it and only find this thread. THANKS!
Posted on 02-06-2019 08:23 AM
@dswitmer here ya go...
Posted on 02-08-2019 06:57 AM
Are we supposed to use some parameters when deplying this in JAMF? I can't seem to get this working for me.
Thanks.
Do any of you have an example of the NukeOff Keychain Policy?
Posted on 02-08-2019 07:02 AM
@aaelic24 Package the script, push it out to clients to a /tmp/ dir or so and then use an script (see below) to clear keychain as user.
#!/bin/sh
# get the current user
loggedInUser=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
");')
# test if a user is logged in
if [[ $loggedInUser != "" ]]; then
# get the uid
uid=$(id -u "$loggedInUser")
# do what you need to do
launchctl asuser "$uid" /bin/sh /private/tmp/NukeOffKeychain --All --Force --Jamf
fi
echo
exit 0
Posted on 02-08-2019 07:10 AM
Thank you for the QUICK response! I will do that. I have tried running that scrip locally on a machine without using JAMF, and for some reason it still did not work. Sorry..
Posted on 02-08-2019 07:18 AM
@aaelic24 I just use params in Jamf and run the script directly through a policy:
The script entry:
The policy entry:
The --Jamf flag just informs the script that the script is being ran through Jamf so the first 3 positional arguments are Jamf arguments that should be ignored by the script, and skip to arguments 4 or higher. If you run the command through the command line directly, you just just be able to use one of the other flags.
Posted on 02-08-2019 08:02 AM
@nahrens Let me try that.. thanks!
Posted on 02-11-2019 06:13 AM
Hey guys,
The script worked, thanks a lot for sharing. Anyone an idea of how it makes sense to enrol the script because if the user downloaded/ installed one of the Office Suite products - it has to be enrolled, right? (if not the user getting the notification about keychain)
I've not many experiences with jamf Pro, so I'd like to double check my idea about the following smart group.
Smart Group:
(Department YX
or Department XY
or Department YY
or Department XX)
and
(Application Title Microsoft Excel.app
or Application Title Microsoft Word.app
or Application Title Microsoft Outlook.app
or Application Title Microsoft PowerPoint.app)
Policy: Recurring Check-in - ongoing
thanks
Posted on 02-11-2019 06:20 AM
Depending on your needs and migration traject you can define your scopes and if the NukeKeyChain is necessary.
in our situation;
Here an EA as example. When app is CDN we scope the migration policy to the user.
#!/bin/bash
appTitle="OneNote"
if [ -d /Applications/"Microsoft ${appTitle}".app ]
then
if [ -d /Applications/"Microsoft ${appTitle}".app/Contents/_MASReceipt/ ]
then
result="Installed through App Store"
else
result="Installed through CDN"
fi
else
result="Cannot find Microsoft ${appTitle}.app..."
fi
echo "<result>$result</result>"
Posted on 02-11-2019 06:48 AM
I'm pretty sure that I had this kind of issue on one of our new computer (installed via DEP, clear without Office Suite)
That's the reason why I'm thinking about a solution for everyone they installed the new version. Sorry for confusing
Posted on 02-12-2019 09:39 AM
So I am able to run the NukeOffKeychain, remove the old CDN versions of the Office apps and then install the new VPP versions. However, when I launch one of the apps the first time it is acting like it needs to be activated. I first get the "Get Started" screen and then the "Start Your Free Month" screen show below. Is there something I am missing here?
Posted on 02-12-2019 10:31 AM
@kricotta, with today's release of Office (v16.22, I believe), the OfficeAutoSignIn key in a configuration profile set to TRUE should suppress that dialog. I haven't tested yet myself, but this information was given by the Microsoft folks over in MacAdmins Slack.
Posted on 02-12-2019 12:03 PM
@talkingmoose thanks for your response, I'm looking in the MacAdmins Slack for this info but can't find it for some reason.
Posted on 02-13-2019 07:04 AM
@kricotta, here's a direct link to let you confirm:
https://macadmins.slack.com/archives/C07UZ1X7B/p1548460641991700
Posted on 02-13-2019 09:08 AM
Even better! @pbowden with Microsoft made a few updates to this page last night.
https://macadmins.software/mas/
First item confirms the change.