Posted on 01-24-2022 07:14 AM
Greetings!
I recently enrolled in the Apple Developer program so I could obtain an Installer Certificate for JAMF Composer. I was finding that more often than not, whenever I pushed a third-party app out via Self Service, it would look like it had installed, but wouldn't. Upon checking the install.log file, it showed that the package was not signed and therefore was not installed.
Obtaining the Installer Certificate has helped, but I've noticed a new issue when trying to install an app on an Intel-based MacBook Air. The app installs fine, but when I try to open it I get the "You do not have permission to open the application..." error. I thought installing through Self Service would prevent this since the apps are supposed to be installed as root, or SU?
Anyway, I've tried this on an M1 machine with no problems. It appears to be limited to the Intel-based laptops, regardless of what macOS version is installed. Anyone have any ideas?
Thanks!
Keith
Begin Install Log excerpt:
2022-01-24 09:56:54-05 Techs-MacBook-Air installer[1260]: Product archive /Library/Application Support/JAMF/Downloads/Blender_3_x64.pkg trustLevel=300
2022-01-24 09:56:54-05 Techs-MacBook-Air installer[1260]: External component packages (1) trustLevel=300
2022-01-24 09:56:54-05 Techs-MacBook-Air installer[1260]: -[IFDInstallController(Private) _buildInstallPlanReturningError:]: location = file://localhost
2022-01-24 09:56:54-05 Techs-MacBook-Air installer[1260]: -[IFDInstallController(Private) _buildInstallPlanReturningError:]: file://localhost/Library/Application%20Support/JAMF/Downloads/Blender_3_x64.pkg#payload.pkg
2022-01-24 09:56:54-05 Techs-MacBook-Air installer[1260]: Set authorization level to root for session
2022-01-24 09:56:54-05 Techs-MacBook-Air installer[1260]: Administrator authorization granted.
2022-01-24 09:56:54-05 Techs-MacBook-Air installer[1260]: Will use PK session
2022-01-24 09:56:54-05 Techs-MacBook-Air installer[1260]: Using authorization level of root for IFPKInstallElement
2022-01-24 09:56:55-05 Techs-MacBook-Air suhelperd[665]: Verifying package at path: /Library/Updates/002-23748/FirmwareUpdate.pkg
2022-01-24 09:56:55-05 Techs-MacBook-Air installer[1260]: Starting installation:
2022-01-24 09:56:55-05 Techs-MacBook-Air installer[1260]: Configuring volume "Macintosh HD"
2022-01-24 09:56:56-05 Techs-MacBook-Air installer[1260]: Preparing disk for local booted install.
2022-01-24 09:56:56-05 Techs-MacBook-Air installer[1260]: Free space on "Macintosh HD": 100 GB (99995295744 bytes).
2022-01-24 09:56:56-05 Techs-MacBook-Air installer[1260]: Create temporary directory "/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T//Install.12608JxGE1"
2022-01-24 09:56:56-05 Techs-MacBook-Air installer[1260]: IFPKInstallElement (1 packages)
2022-01-24 09:56:56-05 Techs-MacBook-Air installer[1260]: Current Path: /usr/sbin/installer
2022-01-24 09:56:56-05 Techs-MacBook-Air installer[1260]: Current Path: /bin/bash
2022-01-24 09:56:56-05 Techs-MacBook-Air installer[1260]: Current Path: /usr/local/jamf/bin/jamf
2022-01-24 09:56:56-05 Techs-MacBook-Air installd[728]: PackageKit: Adding client PKInstallDaemonClient pid=1260, uid=0 (/usr/sbin/installer)
2022-01-24 09:56:56-05 Techs-MacBook-Air installer[1260]: PackageKit: Enqueuing install with framework-specified quality of service (utility)
2022-01-24 09:56:56-05 Techs-MacBook-Air installd[728]: PackageKit: ----- Begin install -----
2022-01-24 09:56:56-05 Techs-MacBook-Air installd[728]: PackageKit: request=PKInstallRequest <1 packages, destination=/>
2022-01-24 09:56:56-05 Techs-MacBook-Air installd[728]: PackageKit: packages=(
"PKLeopardPackage <id=blender3x64, version=1, url=file:///Library/Application%20Support/JAMF/Downloads/Blender_3_x64.pkg#payload.pkg>"
)
2022-01-24 09:56:56-05 Techs-MacBook-Air installd[728]: PackageKit: Set reponsibility for install to 1175
2022-01-24 09:56:57-05 Techs-MacBook-Air installd[728]: PackageKit: Will do receipt-based obsoleting for package identifier blender3x64 (prefix path=)
2022-01-24 09:56:59-05 Techs-MacBook-Air installd[728]: PackageKit: Extracting file:///Library/Application%20Support/JAMF/Downloads/Blender_3_x64.pkg#payload.pkg (destination=/Library/InstallerSandboxes/.PKInstallSandboxManager/B79EC00C-33FE-431F-8044-2D047C67DC65.activeSandbox/Root, uid=0)
2022-01-24 09:57:17-05 Techs-MacBook-Air installd[728]: PackageKit: prevent user idle system sleep
2022-01-24 09:57:17-05 Techs-MacBook-Air installd[728]: PackageKit: suspending backupd
2022-01-24 09:57:17-05 Techs-MacBook-Air installd[728]: PackageKit: Using trashcan path /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/PKInstallSandboxTrash/B79EC00C-33FE-431F-8044-2D047C67DC65.sandboxTrash for sandbox /Library/InstallerSandboxes/.PKInstallSandboxManager/B79EC00C-33FE-431F-8044-2D047C67DC65.activeSandbox
2022-01-24 09:57:17-05 Techs-MacBook-Air suhelperd[665]: Verifying package at path: /Library/Updates/002-23748/SecUpd2021-007Catalina.RecoveryHDUpdate.pkg
2022-01-24 09:57:17-05 Techs-MacBook-Air install_monitor[1264]: Temporarily excluding: /Applications, /Library, /System, /bin, /private, /sbin, /usr
2022-01-24 09:57:17-05 Techs-MacBook-Air installd[728]: PackageKit: Shoving /Library/InstallerSandboxes/.PKInstallSandboxManager/B79EC00C-33FE-431F-8044-2D047C67DC65.activeSandbox/Root (1 items) to /
2022-01-24 09:57:18-05 Techs-MacBook-Air installd[728]: PackageKit: Writing receipt for blender3x64 to /
2022-01-24 09:57:18-05 Techs-MacBook-Air installd[728]: PackageKit: Touched bundle /Applications/Blender_3_x64.app
2022-01-24 09:57:18-05 Techs-MacBook-Air installd[728]: Installed "Blender_3_x64" ()
2022-01-24 09:57:18-05 Techs-MacBook-Air install_monitor[1264]: Re-included: /Applications, /Library, /System, /bin, /private, /sbin, /usr
2022-01-24 09:57:18-05 Techs-MacBook-Air suhelperd[665]: Verifying package at path: /Library/Updates/002-23748/BridgeOSUpdateCustomer.pkg
2022-01-24 09:57:18-05 Techs-MacBook-Air installd[728]: PackageKit: releasing backupd
2022-01-24 09:57:18-05 Techs-MacBook-Air installd[728]: PackageKit: allow user idle system sleep
2022-01-24 09:57:18-05 Techs-MacBook-Air installd[728]: PackageKit: Cleared responsibility for install from 1260.
2022-01-24 09:57:18-05 Techs-MacBook-Air installd[728]: PackageKit: ----- End install -----
2022-01-24 09:57:18-05 Techs-MacBook-Air installd[728]: PackageKit: 21.8s elapsed install time
2022-01-24 09:57:18-05 Techs-MacBook-Air installd[728]: PackageKit: Running idle tasks
2022-01-24 09:57:18-05 Techs-MacBook-Air installd[728]: PackageKit: Done with sandbox removals
2022-01-24 09:57:18-05 Techs-MacBook-Air installer[1260]: PackageKit: Registered bundle file:///Applications/Blender_3_x64.app/ for uid 0
2022-01-24 09:57:18-05 Techs-MacBook-Air installd[728]: PackageKit: Removing client PKInstallDaemonClient pid=1260, uid=0 (/usr/sbin/installer)
2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]: Running install actions
2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]: Removing temporary directory "/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T//Install.12608JxGE1"
2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]: Finalize disk "Macintosh HD"
2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]: Notifying system of updated components
2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]:
2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]: **** Summary Information ****
2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]: Operation Elapsed time
2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]: -----------------------------
2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]: disk 0.03 seconds
2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]: script 0.00 seconds
2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]: zero 0.01 seconds
2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]: install 23.17 seconds
2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]: -total- 23.22 seconds
2022-01-24 09:57:19-05 Techs-MacBook-Air installer[1260]:
Solved! Go to Solution.
01-24-2022 07:34 AM - edited 11-09-2022 01:44 PM
You're correct that packages from policies and Self Service install as root, but... the files within the package can have differing permissions. Under sources select the appropriate file(.app extension) and verify its permissions. If you dragged a file from your source machine's applications folder or used snapshotting then some of the files probably have you(your username) as the owner. Change the owner to root and the group to wheel. The mode readout should be 775. Also click on the gear and select the first option to ensure the permissions are recursive to the other files in the bundle.
01-24-2022 07:34 AM - edited 11-09-2022 01:44 PM
You're correct that packages from policies and Self Service install as root, but... the files within the package can have differing permissions. Under sources select the appropriate file(.app extension) and verify its permissions. If you dragged a file from your source machine's applications folder or used snapshotting then some of the files probably have you(your username) as the owner. Change the owner to root and the group to wheel. The mode readout should be 775. Also click on the gear and select the first option to ensure the permissions are recursive to the other files in the bundle.
Posted on 01-24-2022 07:38 AM
You don't need to use a certificate to sign installer packages that are deployed from Jamf. If deployed via MDM, whether recurring checkin or via self service, installs performed by the MDM can apply even if the package is unsigned. Where signing comes into play is if you are distributing the installer not via MDM.
You will want to check the permissions that are on the application in composer. like @mainelysteve mentioned
Posted on 01-24-2022 07:45 AM
Thank you both for your input. I learn a little more each time I come here! This definitely sounds like where the issue is stemming from. I am new to Composer, so finding out there are some additional settings I need to check doesn't surprise me.
You are correct regarding the origin of the app package. I generally place it in my Applications folder because I discovered early on that if I wanted the app to install to that location on the client machine, I had to put it into the correct folder to begin with. As I understand there's another way to approach this using a sandbox method?
Thanks again!
Keith
Posted on 01-24-2022 07:51 AM
Yes, Composer is putting the files in the respective directories as shown in the composer application when you build the package (including the specified permissions for those files and folders).
Unless I am modifying the installer, need to configure something additionally, etc, if the software manufacturer distributes a pkg file, I often use the installer provided and upload that to jamf if it makes sense for that scenario.
Also, a lot of times, I use autopkg to make packages for me for items that only are distributed via a dmg. Here's a JNUC talk with more on that topic: https://www.youtube.com/watch?v=CPFSA4OOuOQ
Posted on 01-24-2022 07:54 AM
I'll be sure to take a look at that video. Thanks again for your input and help!
Keith