@Echevarria @txhaflaire yeah, I've noticed something very similar in my lab a couple of times. The first Office app seems to install okay, but subsequent Office apps end up as a stub. The apps end up with a .appdownload extension. For me, running recon for a second time fixed the issue. I'll reach out to my contacts at Jamf to see if they've seen this kind of issue before with other VPP apps.

@pbowden Awesome! Yeah a second recon did the trick in this particular case. Still curious tho!

@txhaflaire I've got a support case open with Jamf (JAMF-0630832).

If I can extend on this... in our setup, when I added MAS 365 to Self Service, the button just went to "open", like it knew it was already installed. But its the pgk installed version with MAU. Will the app store take over updating it?

screen shot below, used that pkg to install office, MAS Office is in self service with "open" and MAU is installed still.

@ScottSimmons No, the App Store will not take over the update mechanics for installations installed through the CDN network. You still have to use MAU / 3rd party patching for that.

Please check how to migrate to MAS 365 apps.

https://docs.microsoft.com/en-us/deployoffice/mac/deploy-mac-app-store#can-i-convert-an-existing-cdn...

Also @daz_wallace did an awesome job on writing a how-to and script to get this train going!

https://dazwallace.wordpress.com/2019/01/30/migrating-microsoft-office-suite-to-mas-deployment/

@txhaflaire

Hey Bud, Really? I thought the entire point of using VPP and configuring its settings for the "Free" App, would automatically apply updates.
So then why should we go with VPP deployment? Just curious.. I am freaking out here.

@aaelic24 You are right, if the apps are installed through VPP the Apps got maintained and up to date via the mac App Store.
But.. if you have a Application installed through an .pkg for instance, and then scope that same application via VPP the application is not been overwritten so the _MASReceipt folder is not in the package contents and will not be updated by the App Store

@txhaflaire

Thanks for clarifying this. I have only tested with Word, I am about to test the other Apps. I will let you guys know how it goes for me and if we see any issues.

Thanks for the help guys!

@ScottSimmons I was having the same issue. I used this script to remove the current installed version. Then I cleared caches then restared machine.
Scoped the VPP App to the machine and via self service the App now says Install:

!/bin/bash

consoleuser=$(ls -l /dev/console | awk '{ print $3 }')

echo "logged in user is" $consoleuser

pkill -f Microsoft

folders=(
"/Applications/Microsoft Excel.app"
"/Applications/Microsoft OneNote.app"
"/Applications/Microsoft Outlook.app"
"/Applications/Microsoft PowerPoint.app"
"/Applications/Microsoft Word.app"

"/Users/$consoleuser/Library/Containers/com.microsoft.errorreporting"

"/Users/$consoleuser/Library/Containers/com.microsoft.Excel"
"/Users/$consoleuser/Library/Containers/com.microsoft.netlib.shipassertprocess"
"/Users/$consoleuser/Library/Containers/com.microsoft.Office365ServiceV2"
"/Users/$consoleuser/Library/Containers/com.microsoft.Outlook"
"/Users/$consoleuser/Library/Containers/com.microsoft.Powerpoint"
"/Users/$consoleuser/Library/Containers/com.microsoft.RMS-XPCService"
"/Users/$consoleuser/Library/Containers/com.microsoft.Word"
"/Users/$consoleuser/Library/Containers/com.microsoft.onenote.mac"

WARNING: Outlook data will be removed when you move the three folders listed below.

You should back up these folders before you delete them.

"/Users/$consoleuser/Library/Group Containers/UBF8T346G9.ms"

"/Users/$consoleuser/Library/Group Containers/UBF8T346G9.Office"

"/Users/$consoleuser/Library/Group Containers/UBF8T346G9.OfficeOsfWebHost"

)

search="*"

for i in "${folders[@]}"
do echo "removing folder ${i}" rm -rf "${i}"
done

if [ $? == 0 ]; then echo "Success"
else echo "Failure"
fi

@Echevarria @txhaflaire We made some progress narrowing down the issue. The store download daemon is crashing, so the problem is in core macOS. We have a RADAR open with Apple now.

@pbowden Cool! The monkey is out of the sleeve, keep us posted! Gracia!

There are lots of Office 365 scripts out there taking care of all kind of stuff. Just throwing a ball up in the air - is this VPP something that is the way to go or is there some limitations on some configuration, that exists in many of the script. I can of course see the big advantage of making it auto update, but don´t know if there is any issues. For example, what about the first run dialogs that often appears - is it still possible to use same config profiles to hide those ?

@Captainamerica I get your concerns. In fact the Applications are identical to the ones installed via the .pkg / CDN network.
You have to check if the update mechanism fits your organisation needs.

Mac App Store = No control on the updates
CDN / .pks = Conrol over updates via MUA / update packages etc. ( only the frequency when VPP/App store checks and forces updates)

So, the MAS Office 365 apps use the same domains for the profiles.

@pbowden Thanks for looking into this. I thought it was weird at first, so I wanted to make sure. @txhaflaire unfortunately doing recon via SelfService or the binary itself did not address the issue for me. I'm glad that I posted this and that the community saw similar things. I will share this with my team and let them know.

I built a lab computer from scratch. The MAS versions of Word, Excel and PowerPoint were installed as expected thru VPP. We have an Office 365 Business subscription. I can sign-in to all of these apps, however, activation never succeeds and I'm prompted to authenticate again, even though I'm already signed in. After entering my password for activation I just get the dots scrolling across the top. I let it run for about 8 hours yesterday and it just kept going and never activated, no error message. Same result if I try activating before logging in.

From all the documentation, and maybe I'm reading it wrong, it looks like you should be able to activate MAS deployed versions of Office Apps using any type of Office 365 subscription. Is that correct or am I totally missing something? It seems like that's the case as it prompts me to select Work/Personal during activation.

UPDATE: Activation magically started working. My guess is that it was due to the fact that one of the apps still had the App Store stub when I tried activating.

Thanks for the webinar last week, @pbowden!

I wonder if this issue has any relation to Xcode refusing to download in VPP, get very similar results as being reported here.

Thought this might be a good place to ask. Has anyone else seen the numerous prompts for you password when starting an O365 app for the first time? Is there a work around for it?

@landon_Starr Yeah, when migrating this occurs. Search for pbowden his nukeofkeychain script

@landon_Starr

Yep. Multiple times. Not sure why. I am trying to figure that out. I wonder if it was to to do with Privacy Preference Policy Control....?

Thanks @txhaflaire for pointing me to that bad boy! So with the O365 apps being deployed through VPP, what's the best way to run it since they're getting pulled down from the app store.

Hey guys, has anyone the same issue if you try to install the apps via Self Service (VPP) and for example "Word" didn't download/ installed, just an icon for forwarding the user to the App Store. If I click again on install Word (Self Service) it works, but the user has to accept many keychain notifications with my own password. Any ideas?

@Florian.Proft I asked the same question a few days ago, and the answer is sitting right above your question :)

There's a script to nuke those keychain prompts, I'm just looking into what's the best way to push it out now that the apps are VPP.

@Florian Yeah you have to nuke the users his keychain, we mean some of the keychain items.

@landon_Starr Check out @daz_wallace his blog for more information https://dazwallace.wordpress.com/2019/01/30/migrating-microsoft-office-suite-to-mas-deployment/

Hi. Can someone point me to the nukeofkeychain script referred to above by @txhaflaire . I searched jamf nation for it and only find this thread. THANKS!

@dswitmer here ya go...

https://github.com/pbowden-msft/NukeOffKeychain

@dswitmer

Are we supposed to use some parameters when deplying this in JAMF? I can't seem to get this working for me.
Thanks. Do any of you have an example of the NukeOff Keychain Policy?

@aaelic24 Package the script, push it out to clients to a /tmp/ dir or so and then use an script (see below) to clear keychain as user.

#!/bin/sh
# get the current user
loggedInUser=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
");')

# test if a user is logged in
if [[ $loggedInUser != "" ]]; then
    # get the uid
    uid=$(id -u "$loggedInUser")
    # do what you need to do
    launchctl asuser "$uid" /bin/sh /private/tmp/NukeOffKeychain --All --Force --Jamf
fi

echo
exit 0

@txhaflaire

Thank you for the QUICK response! I will do that. I have tried running that scrip locally on a machine without using JAMF, and for some reason it still did not work. Sorry..

@aaelic24 I just use params in Jamf and run the script directly through a policy:
The script entry:

The policy entry:

The --Jamf flag just informs the script that the script is being ran through Jamf so the first 3 positional arguments are Jamf arguments that should be ignored by the script, and skip to arguments 4 or higher. If you run the command through the command line directly, you just just be able to use one of the other flags.

@nahrens Let me try that.. thanks!

Hey guys, The script worked, thanks a lot for sharing. Anyone an idea of how it makes sense to enrol the script because if the user downloaded/ installed one of the Office Suite products - it has to be enrolled, right? (if not the user getting the notification about keychain)
I've not many experiences with jamf Pro, so I'd like to double check my idea about the following smart group.

Smart Group:

(Department YX
or Department XY
or Department YY
or Department XX)

and

(Application Title Microsoft Excel.app
or Application Title Microsoft Word.app
or Application Title Microsoft Outlook.app
or Application Title Microsoft PowerPoint.app)

Policy: Recurring Check-in - ongoing

thanks

@Flaurian

• New MAS installs do not need to have the script / NukeKeyChain to be run because there are no entries.
• For migrating users from NON-MAS to MAS apps the script have run prior the launch of the MAS apps.

Depending on your needs and migration traject you can define your scopes and if the NukeKeyChain is necessary.

in our situation;

1. User has 1 or more Office apps installed through PKG/CDN
2. Then we scope a migration policy via Self Service. Apps get removed / NukeOffKeyChain runs and new apps get triggered by RECON
3. We report the installations status through an EA.

Here an EA as example. When app is CDN we scope the migration policy to the user.

#!/bin/bash

appTitle="OneNote"

if [ -d /Applications/"Microsoft ${appTitle}".app ]
then
    if [ -d /Applications/"Microsoft ${appTitle}".app/Contents/_MASReceipt/ ]
    then
        result="Installed through App Store"
    else
        result="Installed through CDN"
    fi
else
    result="Cannot find Microsoft ${appTitle}.app..."
    fi

echo "<result>$result</result>"

I'm pretty sure that I had this kind of issue on one of our new computer (installed via DEP, clear without Office Suite)
That's the reason why I'm thinking about a solution for everyone they installed the new version. Sorry for confusing

So I am able to run the NukeOffKeychain, remove the old CDN versions of the Office apps and then install the new VPP versions. However, when I launch one of the apps the first time it is acting like it needs to be activated. I first get the "Get Started" screen and then the "Start Your Free Month" screen show below. Is there something I am missing here?

@kricotta, with today's release of Office (v16.22, I believe), the OfficeAutoSignIn key in a configuration profile set to TRUE should suppress that dialog. I haven't tested yet myself, but this information was given by the Microsoft folks over in MacAdmins Slack.

@talkingmoose thanks for your response, I'm looking in the MacAdmins Slack for this info but can't find it for some reason.

@kricotta, here's a direct link to let you confirm:

https://macadmins.slack.com/archives/C07UZ1X7B/p1548460641991700

Even better! @pbowden with Microsoft made a few updates to this page last night.

https://macadmins.software/mas/

First item confirms the change.