Jamf Nation Community

upd: had to switch to subj package + conf profile + script instead :/

I deploy script via MDM and it works correctly.  I just followed the setup here and didn't have any issues.  Deployed the config profile ahead of the install package.  Only needed a restart before GP would connect correctly.

If add the System Extension via Config Profile in step 1 and 2 in the article, do we even need to create the System Extension XML file in step 3 in the same article?

I tested it and looks like I don't need the XML file if I have the System Extension setup as a Config Profile in Jamf.

I recently found I'm not actually installing the system extension. Because of the way I have things setup, that command doesn't function because the package has already been installed and removed. The config profile only approves the extension to run, it doesn't install it. I'm guessing you aren't using functionality of GP that depends on the extension.

That said, I think I have an easier way to do this than all of than the OP uses, I need to test it first though.

Ok, so I kinda forgot about this, but here's how I install GP...

Create a configuration file giving the system extension access by following the guide you linked to.

Then you'll create two scripts:

1. The first handles the actual installation and was created by @talkingmoose. It will handle the installation and also create the XML in step 3 of the guide you referred to. The XML essentially checks the boxes you would encounter if installing through the GUI, so the system extension won't actually install without it. The original script is here: https://gist.github.com/talkingmoose/3926e86332e32eb7d05a161c3f7e8f69
   This is what mine looks like (I chopped the beginning off just for the sake of shortening the post):

#!/bin/zsh

# ABOUT_THIS_SCRIPT

# provide the name of an Apple Installer package file that supports Choices XML
installerPackage="$4"

# modify the choiceIdentifier string with the app identifier (CFBundleIdentifier) to exclude from installation
# duplicate the full dictionary to include additional apps
choicesXML='<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
           <dict>
                  <key>attributeSetting</key>
                  <integer>1</integer>
                  <key>choiceAttribute</key>
                  <string>selected</string>
                  <key>choiceIdentifier</key>
                  <string>third</string>
           </dict>
           <dict>
                  <key>attributeSetting</key>
                  <integer>1</integer>
                  <key>choiceAttribute</key>
                  <string>selected</string>
                  <key>choiceIdentifier</key>
                  <string>com.paloaltonetworks.globalprotect.systemext.pkg</string>
            </dict>
</array>
</plist>'

function logmessage()   {
    if [ $? = 0 ] ; then
        echo "$1"
    else
        echo "$2"
        echo "Aborting script"
        cleanup
        exit 1
    fi
}
 
function cleanup()  {
    /bin/rm -Rf "$tempDirectory"
    logmessage "Removed temporary items." "Failed removing temporary items."
    /bin/rm -f "/Library/Application Support/JAMF/Waiting Room/$installerPackage" && /bin/rm -Rf "/Library/Application Support/JAMF/Waiting Room/$installerPackage.cache.xml"
    logmessage "Removed $5 package and supporting files from Jamf Waiting Room." "Failed Removing $5 package and supporting files from Jamf Waiting Room."
}
 
# create temporary working directory
workDirectory=$( /usr/bin/basename $0 )
tempDirectory=$( /usr/bin/mktemp -d "/private/tmp/$workDirectory.XXXXXX" )
logmessage "Created working directory '$tempDirectory'." "Failed to create working directory '$tempDirectory'."
 
# change directory to temporary working directory
cd "$tempDirectory"
logmessage "Changed directory to working directory '$tempDirectory'." "Failed to change directory to working directory '$tempDirectory'."
 
# create choices.xml (renamed to install_system_extensions.xml for GP)
echo "$choicesXML" > "$tempDirectory/install_system_extensions.xml"
logmessage "Created install_system_extensions.xml file in '$tempDirectory'." "Created install_system_extensions.xml file in '$tempDirectory'."
 
# install GP
/usr/sbin/installer -pkg "/Library/Application Support/JAMF/Waiting Room/$installerPackage" -applyChoiceChangesXML "$tempDirectory/install_system_extensions.xml" -target /
logmessage "Installed $5 package with extension." "Failed to install $5 package with extension."
 
cleanup
 
exit 0​

Note: the original tells you to insert the app name and package name in the script, which I have replaced with Jamf script parameters, you do you.

• The second script is to create a plist that will set the portal and any other preference keys you want to specify. This is mine:

#!/bin/zsh
## Description: Checks for global preferences file and populates  
## it with the default portal if needed.
 
# Get current Console user
# active_user=$( stat -f "%Su" /dev/console )
active_user=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
 
# Global Prefs File
gPrefs=/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
 
## Logic ##########################################################
 
# Check to see if the global preference file already exists...
# if [[ -e $gPrefs ]]; then
#	echo "Default global portal already exists. Skipping."
# else
if [[ -e $gPrefs ]]; then
  echo "Removing existing GlobalProtect prefs file"
  rm -f ${gPrefs}
fi
	echo "Setting default global portal to: gp-remote.overdrive.com"
     # If it does not already exist, create it and populate the default portal using the echo command
       echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Palo Alto Networks</key>
    <dict>
        <key>GlobalProtect</key>
        <dict> 
            <key>PanSetup</key>
            <dict>
                <key>Portal</key>
                <string>INSERT GP PORTAL HERE</string>
                <key>Prelogon</key>
                <string>0</string>
            </dict>
            <key>Settings</key>
            <dict>
                <key>disable-allowed</key>
                <string>yes</string>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
' > $gPrefs
echo $?
	# Kill the Preference caching daemon to prevent it from overwriting any changes
	killall cfprefsd
	echo $?

# Check exit code.
exit $?​

I'm pretty sure I got part of this from another thread in the Community, but I can't recall who/where.

Now create a policy to put everything together:

1. Add the GP installation package to cache. If you install rather than cache then the first script won't have a package to work with.
2. Add the scripts to run after everything else. If not obvious, the installation script should run prior to the one for the plist.

Test!

The nicest thing about the fancy installation script is when you need to install a newer version you can just replace the package and update the filename in the script or script parameter (alternatively, you can always rename the package to GlobalProtect.pkg before uploading it to avoid having to update the version number elsewhere).

I do not have any XML scripts running for the install of GP 6.1-3.  I use configuration profiles. We have very very few issues with the installation and set up of GP.  

It can be done without scripts, it depends on your needs.