Permissions issue with app installed from Self Service

KAndrews5725
New Contributor III

Greetings!

I recently enrolled in the Apple Developer program so I could obtain an Installer Certificate for JAMF Composer. I was finding that more often than not, whenever I pushed a third-party app out via Self Service, it would look like it had installed, but wouldn't. Upon checking the install.log file, it showed that the package was not signed and therefore was not installed.

Obtaining the Installer Certificate has helped, but I've noticed a new issue when trying to install an app on an Intel-based MacBook Air. The app installs fine, but when I try to open it I get the "You do not have permission to open the application..." error. I thought installing through Self Service would prevent this since the apps are supposed to be installed as root, or SU?

Anyway, I've tried this on an M1 machine with no problems. It appears to be limited to the Intel-based laptops, regardless of what macOS version is installed. Anyone have any ideas?

Thanks!
Keith

Begin Install Log excerpt:

2022-01-24 09:56:54-05 Techs-MacBook-Air installer[1260]: Product archive /Library/Application Support/JAMF/Downloads/Blender_3_x64.pkg trustLevel=300

2022-01-24 09:56:54-05 Techs-MacBook-Air installer[1260]: External component packages (1) trustLevel=300

2022-01-24 09:56:54-05 Techs-MacBook-Air installer[1260]: -[IFDInstallController(Private) _buildInstallPlanReturningError:]: location = file://localhost

2022-01-24 09:56:54-05 Techs-MacBook-Air installer[1260]: -[IFDInstallController(Private) _buildInstallPlanReturningError:]: file://localhost/Library/Application%20Support/JAMF/Downloads/Blender_3_x64.pkg#payload.pkg

2022-01-24 09:56:54-05 Techs-MacBook-Air installer[1260]: Set authorization level to root for session

2022-01-24 09:56:54-05 Techs-MacBook-Air installer[1260]: Administrator authorization granted.

2022-01-24 09:56:54-05 Techs-MacBook-Air installer[1260]: Will use PK session

2022-01-24 09:56:54-05 Techs-MacBook-Air installer[1260]: Using authorization level of root for IFPKInstallElement

2022-01-24 09:56:55-05 Techs-MacBook-Air suhelperd[665]: Verifying package at path: /Library/Updates/002-23748/FirmwareUpdate.pkg

2022-01-24 09:56:55-05 Techs-MacBook-Air installer[1260]: Starting installation:

2022-01-24 09:56:55-05 Techs-MacBook-Air installer[1260]: Configuring volume "Macintosh HD"

2022-01-24 09:56:56-05 Techs-MacBook-Air installer[1260]: Preparing disk for local booted install.

2022-01-24 09:56:56-05 Techs-MacBook-Air installer[1260]: Free space on "Macintosh HD": 100 GB (99995295744 bytes).

2022-01-24 09:56:56-05 Techs-MacBook-Air installer[1260]: Create temporary directory "/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T//Install.12608JxGE1"

2022-01-24 09:56:56-05 Techs-MacBook-Air installer[1260]: IFPKInstallElement (1 packages)

2022-01-24 09:56:56-05 Techs-MacBook-Air installer[1260]: Current Path: /usr/sbin/installer

2022-01-24 09:56:56-05 Techs-MacBook-Air installer[1260]: Current Path: /bin/bash

2022-01-24 09:56:56-05 Techs-MacBook-Air installer[1260]: Current Path: /usr/local/jamf/bin/jamf

2022-01-24 09:56:56-05 Techs-MacBook-Air installd[728]: PackageKit: Adding client PKInstallDaemonClient pid=1260, uid=0 (/usr/sbin/installer)

2022-01-24 09:56:56-05 Techs-MacBook-Air installer[1260]: PackageKit: Enqueuing install with framework-specified quality of service (utility)

2022-01-24 09:56:56-05 Techs-MacBook-Air installd[728]: PackageKit: ----- Begin install -----

2022-01-24 09:56:56-05 Techs-MacBook-Air installd[728]: PackageKit: request=PKInstallRequest <1 packages, destination=/>

2022-01-24 09:56:56-05 Techs-MacBook-Air installd[728]: PackageKit: packages=(

    "PKLeopardPackage <id=blender3x64, version=1, url=file:///Library/Application%20Support/JAMF/Downloads/Blender_3_x64.pkg#payload.pkg>"

)

2022-01-24 09:56:56-05 Techs-MacBook-Air installd[728]: PackageKit: Set reponsibility for install to 1175

2022-01-24 09:56:57-05 Techs-MacBook-Air installd[728]: PackageKit: Will do receipt-based obsoleting for package identifier blender3x64 (prefix path=)

2022-01-24 09:56:59-05 Techs-MacBook-Air installd[728]: PackageKit: Extracting file:///Library/Application%20Support/JAMF/Downloads/Blender_3_x64.pkg#payload.pkg (destination=/Library/InstallerSandboxes/.PKInstallSandboxManager/B79EC00C-33FE-431F-8044-2D047C67DC65.activeSandbox/Root, uid=0)

2022-01-24 09:57:17-05 Techs-MacBook-Air installd[728]: PackageKit: prevent user idle system sleep

2022-01-24 09:57:17-05 Techs-MacBook-Air installd[728]: PackageKit: suspending backupd

2022-01-24 09:57:17-05 Techs-MacBook-Air installd[728]: PackageKit: Using trashcan path /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/PKInstallSandboxTrash/B79EC00C-33FE-431F-8044-2D047C67DC65.sandboxTrash for sandbox /Library/InstallerSandboxes/.PKInstallSandboxManager/B79EC00C-33FE-431F-8044-2D047C67DC65.activeSandbox

2022-01-24 09:57:17-05 Techs-MacBook-Air suhelperd[665]: Verifying package at path: /Library/Updates/002-23748/SecUpd2021-007Catalina.RecoveryHDUpdate.pkg

2022-01-24 09:57:17-05 Techs-MacBook-Air install_monitor[1264]: Temporarily excluding: /Applications, /Library, /System, /bin, /private, /sbin, /usr

2022-01-24 09:57:17-05 Techs-MacBook-Air installd[728]: PackageKit: Shoving /Library/InstallerSandboxes/.PKInstallSandboxManager/B79EC00C-33FE-431F-8044-2D047C67DC65.activeSandbox/Root (1 items) to /

2022-01-24 09:57:18-05 Techs-MacBook-Air installd[728]: PackageKit: Writing receipt for blender3x64 to /

2022-01-24 09:57:18-05 Techs-MacBook-Air installd[728]: PackageKit: Touched bundle /Applications/Blender_3_x64.app

2022-01-24 09:57:18-05 Techs-MacBook-Air installd[728]: Installed "Blender_3_x64" ()

2022-01-24 09:57:18-05 Techs-MacBook-Air install_monitor[1264]: Re-included: /Applications, /Library, /System, /bin, /private, /sbin, /usr

2022-01-24 09:57:18-05 Techs-MacBook-Air suhelperd[665]: Verifying package at path: /Library/Updates/002-23748/BridgeOSUpdateCustomer.pkg

2022-01-24 09:57:18-05 Techs-MacBook-Air installd[728]: PackageKit: releasing backupd

2022-01-24 09:57:18-05 Techs-MacBook-Air installd[728]: PackageKit: allow user idle system sleep

2022-01-24 09:57:18-05 Techs-MacBook-Air installd[728]: PackageKit: Cleared responsibility for install from 1260.

2022-01-24 09:57:18-05 Techs-MacBook-Air installd[728]: PackageKit: ----- End install -----

2022-01-24 09:57:18-05 Techs-MacBook-Air installd[728]: PackageKit: 21.8s elapsed install time

2022-01-24 09:57:18-05 Techs-MacBook-Air installd[728]: PackageKit: Running idle tasks

2022-01-24 09:57:18-05 Techs-MacBook-Air installd[728]: PackageKit: Done with sandbox removals

2022-01-24 09:57:18-05 Techs-MacBook-Air installer[1260]: PackageKit: Registered bundle file:///Applications/Blender_3_x64.app/ for uid 0

2022-01-24 09:57:18-05 Techs-MacBook-Air installd[728]: PackageKit: Removing client PKInstallDaemonClient pid=1260, uid=0 (/usr/sbin/installer)

2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]: Running install actions

2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]: Removing temporary directory "/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T//Install.12608JxGE1"

2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]: Finalize disk "Macintosh HD"

2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]: Notifying system of updated components

2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]: 

2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]: **** Summary Information ****

2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]:   Operation      Elapsed time

2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]: -----------------------------

2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]:        disk      0.03 seconds

2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]:      script      0.00 seconds

2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]:        zero      0.01 seconds

2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]:     install      23.17 seconds

2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]:     -total-      23.22 seconds

2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]: 

1 ACCEPTED SOLUTION

mainelysteve
Valued Contributor II

You're correct that packages from policies and Self Service install as root, but... the files within the package can have differing permissions. Under sources select the appropriate file (.app extension) and verify its permissions. If you dragged a file from your source machine's applications folder or used snapshotting, then some of the files probably have you (your username) as the owner. Change the owner to root and the group to wheel. The mode readout should be 775. Also click on the gear and select the first option to ensure the permissions are recursive to the other files in the bundle.

ljcacioppo
Contributor III

You don't need to use a certificate to sign installer packages that are deployed from Jamf. If deployed via MDM, whether recurring check-in or via Self Service, installs performed by the MDM can apply even if the package is unsigned. Where signing comes into play is if you are distributing the installer not via MDM.

You will want to check the permissions that are on the application in Composer, like @mainelysteve mentioned.
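
Added example, not part of the original thread: a POSIX shell function that checks an installed bundle against the settings the answers above describe (owner root, group wheel, readable and traversable by other users, nothing world-writable). The function name `audit_bundle` and its output labels are made up for illustration.

```shell
#!/bin/sh
# Added example: audit an installed .app bundle against the accepted answer's
# settings (owner root, group wheel, mode 775 applied recursively).
# Usage: audit_bundle /Applications/Example.app [uid] [gid]
# uid and gid default to 0, which is root and wheel on macOS.
audit_bundle() {
    app=$1
    want_uid=${2:-0}
    want_gid=${3:-0}
    if [ ! -d "$app" ]; then
        echo "not a directory: $app" >&2
        return 2
    fi
    findings=$(
        # Entries still owned by the packaging user or group, not root:wheel.
        find "$app" ! -uid "$want_uid" -print | sed 's/^/owner: /'
        find "$app" ! -gid "$want_gid" -print | sed 's/^/group: /'
        # Entries other users cannot read, and directories they cannot traverse.
        find "$app" \( ! -perm -004 -o \( -type d ! -perm -001 \) \) -print |
            sed 's/^/no-access: /'
        # Binaries in Contents/MacOS that other users cannot execute.
        if [ -d "$app/Contents/MacOS" ]; then
            find "$app/Contents/MacOS" -type f ! -perm -001 -print |
                sed 's/^/not-executable: /'
        fi
        # 775 leaves "other" without write access; flag anything looser.
        find "$app" ! -type l -perm -002 -print | sed 's/^/world-writable: /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
    fi
    # Exit status 0 means nothing deviates, 1 means at least one finding.
    [ -z "$findings" ]
}
```

Run it on the affected Mac as `audit_bundle /Applications/Blender_3_x64.app`; each output line names the deviation and the path, and the function returns 0 when nothing deviates.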

KAndrews5725
New Contributor III

Thank you both for your input. I learn a little more each time I come here! This definitely sounds like where the issue is stemming from. I am new to Composer, so finding out there are some additional settings I need to check doesn't surprise me.

You are correct regarding the origin of the app package. I generally place it in my Applications folder because I discovered early on that if I wanted the app to install to that location on the client machine, I had to put it into the correct folder to begin with. As I understand there's another way to approach this using a sandbox method?

Thanks again!

Keith

Yes, Composer is putting the files in the respective directories as shown in the Composer application when you build the package (including the specified permissions for those files and folders).

Unless I am modifying the installer, need to configure something additionally, etc., if the software manufacturer distributes a pkg file, I often use the installer provided and upload that to Jamf if it makes sense for that scenario.

Also, a lot of times, I use AutoPkg to make packages for me for items that only are distributed via a dmg. Here's a JNUC talk with more on that topic: https://www.youtube.com/watch?v=CPFSA4OOuOQ

I'll be sure to take a look at that video. Thanks again for your input and help!

Keith