Prevent "Slack wants to make changes"

lxfl
New Contributor II

Hi,

we're currently running our mac's with automatic install scripts via jamf.
Our users don't have admin privilegues.

When they update Slack (which is simply a new installation of the most recent client), it always shows the dialogue mentioned in the subject or attached screenshot on every app start, until someone types in admin creds.
If you click on cancel, the app still starts. But the pop-up on every start is still anoying.

I do get an output from terminal saying:

May 10 11:58:30 Slack[21065]: DEPRECATED USE in libdispatch client: dispatch source activated with no event handler set; set a breakpoint on _dispatch_bug_deprecated to debug
May 10 11:58:30 SecurityAgent[21094]: objc[21094]: Class TKTokenRefImpl is implemented in both /System/Library/Frameworks/Security.framework/Versions/A/Security (0x7fff9712afa8) and /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent (0x10522fce8). One of the two will be used. Which one is undefined.
May 10 11:58:30 SecurityAgent[21094]: objc[21094]: Class TKTokenRefCtkd is implemented in both /System/Library/Frameworks/Security.framework/Versions/A/Security (0x7fff9712afd0) and /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent (0x10522fd10). One of the two will be used. Which one is undefined.
May 10 11:58:31 SecurityAgent[21094]: DEPRECATED USE in libdispatch client: dispatch source activated with no event handler set; set a breakpoint on _dispatch_bug_deprecated to debug

No system.log output when i press cancel, neither when i enter the admin credentials.

Any ideas how i can fix that?

93ebeea5d3a44c8cbebeec9a0ac58da8

1 ACCEPTED SOLUTION

anverhousseini
Contributor II
Contributor II

I think the issue with this dialogue is the ownership of the Slack.app bundle. Just change the ownership to the current logged in user:

chown -R $(scutil <<< "show State:/Users/ConsoleUser" | awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}'):staff "/Applications/Slack.app"

You could add this snippet to your install script or as a postinstall script in a package.

View solution in original post

23 REPLIES 23

sshort
Valued Contributor

There was a big thread on this topic in the MacAdmins slack a week or so ago. Long story short: Slack doesn't offer admins deployment options for non-admin users.

krichard
New Contributor

Could you use the VPP version of Slack instead?

churcht
New Contributor III

The best way to do this is to implement this environment variable SLACK_NO_AUTO_UPDATES

Here is a script I'm working on this morning for this in my environment. Early tests show it working

#!/bin/sh
# Create PLIST file that sets an environment variable

file="/Library/LaunchDaemons/com.COMPANYNAME.disable-slack-auto-updates.plist"

echo "<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.COMPANYNAME.disable-slack-auto-updates</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/launchctl</string>
    <string>setenv</string>
    <string>SLACK_NO_AUTO_UPDATES</string>
    <string>1</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
</dict>
</plist>" > "$file"

exit 0

After you create the plist file on a test machine, you should log out and back in. Then try opening Slack and see if it gets rid of that annoying admin prompt.

You can also open terminal and type

env

to see if the environment variable is actually there

lxfl
New Contributor II

Hey @churcht ,

i tried to push it on my machine, did a relog afterwards, didn't work for me.
The env var is not set when i type in env.

Am i missing anything?
It created the plist-file with the right content.

oliverr
Contributor

It is also possible to package up the MAS version and deploy that. This will not display the admin prompts. Only downside is the MAS version does not allow remote screen sharing control and it would require re-packaging regularly.

All depends on your Apple Store availability. VPP is really the best option for Slack mass deployment currently.

churcht
New Contributor III

@lxfl I've seen it work, and I've seen it NOT work, which has only frustrated me. I haven't been able to devote enough time to playing around and understanding it completely.
So unfortunately, I don't have an answer for you. From what I can tell, as long as that environment variable is there, Slack behaves how you want it to. The issue is figuring out how to consistently get that environment variable onto the machine.

@oliverr I would love to use the MAS version, but we aren't there yet with Jamf. Hosting on-prem with a proxy, I have yet to win the case of allowing our JSS and Apple devices to talk nicely with Apple. But I agree with you.

SCADtom
New Contributor III

I tried churcht's script and it didn't work so I tried this:

Downloaded Slack from their website. Simple drag and drop to Applications folder after mounting the dmg. Ejected the dmg and launched the app. No notification for Slack to make changes. Signed in as a different user, still no alert. Packaged this with composer and deployed to the same test Mac. Notification returns.

Installed package that Composer saved to the desktop. Launched and notification returns.

Launched Composer and selected new & modified snapshot. Installed the previously created pkg. Launched Slack and completed the notification screen with a local admin username and password. Quit Slack and relaunched several time to see if I would be prompted again. I was not. Completed the Composer workflow and saved a dmg. Uploaded the dmg to Jamf Admin and checked FUT and FEU. Saved and added the dmg to my policy.
Triggered the policy from a test machine. Launched Slack and the notification returned. I noticed that when I launch Composer, I get the same notification. Is it possible that Composer is adding this to the install?

oliverr
Contributor

The prompt is a product of the Slack update framework. The MAS version does not use the same update mechanism.

Package up the MAS version with Composer and deploy it. The MAS version is free and does not check the MAS receipt anyway. Then when you’re ready to use VPP the Slack preferences will be in the correct location.

That’s how we do it.

oliverr
Contributor

Also Slack have just announced that they will stop supporting sharing control of your screen. So there is now no difference between the direct download version and the MAS version.

anverhousseini
Contributor II
Contributor II

I think the issue with this dialogue is the ownership of the Slack.app bundle. Just change the ownership to the current logged in user:

chown -R $(scutil <<< "show State:/Users/ConsoleUser" | awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}'):staff "/Applications/Slack.app"

You could add this snippet to your install script or as a postinstall script in a package.

View solution in original post

anverhousseini
Contributor II
Contributor II

I added the snippet to my install script:

#!/bin/bash

install_slack() {
  download=$(curl -s "https://downloads.slack-edge.com/mac_releases/releases.json" | jq -r '.[].url' | tail -1)
  echo "=> Download from '${download}'"
  curl -s "${download}" -o "/tmp/$(basename ${download})"
  echo "=> Install '$(basename ${download})' to '/Applications/Slack.app'"
  ditto -x -k "/tmp/$(basename ${download})" "/Applications/"
  rm -f "/tmp/$(basename ${download})"
}

assimilate_ownership() {
  echo "=> Assimilate ownership on '/Applications/Slack.app'"
  chown -R $(scutil <<< "show State:/Users/ConsoleUser" | awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}'):staff "/Applications/Slack.app"
}

if [ ! -s "/Applications/Slack.app" ]; then
  echo "=> Slack.app is not installed"
  install_slack
  assimilate_ownership
elif [ ! $(defaults read "/Applications/Slack.app/Contents/Info.plist" CFBundleShortVersionString) = $(curl -s "https://downloads.slack-edge.com/mac_releases/releases.json" | jq -r '.[].version' | tail -1) ]; then
  echo "=> Slack.app is installed but not current"
  install_slack
  assimilate_ownership
else
  echo "=> Slack.app is installed and current"
  assimilate_ownership
fi

This keeps Slack.app up-to-date and makes sure the ownership is correct. If there is new version and the script did not run yet it will update the application automatically.

lxfl
New Contributor II

@anverhousseini thanks for this hint! worked great!
I had the small issue that our machines don't have jq installed, but i replaced it with grep. Works like a charm!

/usr/bin/curl -s 'https://downloads.slack-edge.com/mac_releases/releases.json' | grep -o "[0-9].[0-9].[0-9]" | tail -1

SCADtom
New Contributor III

Thanks anverhousseini, I deployed your script with the package and that worked. Now I just need to figure out how make it work for any user on our lab Macs.

anverhousseini
Contributor II
Contributor II

@SCADtom You could run the ownership change on every login with a policy. So it doesn't matter which user is logged in.

shaquir
Contributor III

Here is a the Slack script that I use in my environment.
I recreated the Slack install script without the jq dependency. It will update Slack if it's not on the latest version and it fixes the ownership issue. Any future updates can be on my Github here.

I also added option to stop Slack from running if "kill" is passed in parameter 4

Edited 8/1/19 to address copy issues and point to Slack's RSS feed for latest version

Special thanks to @owen.pragel and @anverhousseini for their scripts

#!/bin/bash
##  Created by Shaquir Tannis on 6/12/19
##  Great help from Ian Davidson @iancd addressing Slack's version changes
##  Thanks to owen.pragel and anverhousseini from JamfNation
#### Edited 7/19/19 to address Slack releases.json removal
#### Edited 8/1/19 to address copy issues and point to Slack's RSS feed for latest version

#To kill Slack, Input "kill" in Parameter 4 
killSlack="$4"

#Find latest Slack version / Pulls Version from Slack for Mac download page
currentSlackVersion=$(/usr/bin/curl -sL 'https://slack.com/release-notes/mac/rss' | grep -o "Slack-[0-9].[0-9].[0-9]"  | cut -c 7-11 | head -n 1)

#Install Slack function
install_slack() {

#Slack download variables
slackDownloadUrl=$(curl "https://slack.com/ssb/download-osx" -s -L -I -o /dev/null -w '%{url_effective}')
dmgName=$(printf "%s" "${slackDownloadUrl[@]}" | sed 's@.*/@@')
slackDmgPath="/tmp/$dmgName"


#Kills slack if "kill" in Parameter 4 
if [ "$killSlack" = "kill" ];
then
pkill Slack*
fi

#Begin Download

#Downloads latest version of Slack
curl -L -o "$slackDmgPath" "$slackDownloadUrl"

#Mounts the .dmg
hdiutil attach -nobrowse $slackDmgPath

#Checks if Slack is still running
if pgrep '[S]lack' && [ "$killSlack" != "kill" ]; then
    printf "Error: Slack is currently running!
"

elif pgrep '[S]lack' && [ "$killSlack" = "kill" ]; then
    pkill Slack*
    sleep 10
    if pgrep '[S]lack' && [ "$killSlack" != "kill" ]; then
        printf "Error: Slack is still running!  Please try again later.
"
        exit 409
    fi
fi

# Remove the existing Application
    rm -rf /Applications/Slack.app

#Copy the update app into applications folder
    ditto -rsrc /Volumes/Slack*/Slack.app /Applications/Slack.app

#Unmount and eject dmg
    mountName=$(diskutil list | grep Slack | awk '{ print $3 }')
    umount -f /Volumes/Slack*/
    diskutil eject $mountName

#Clean up /tmp download
    rm -rf "$slackDmgPath"
}

#Fix Slack ownership function
assimilate_ownership() {
    echo "=> Assimilate ownership on '/Applications/Slack.app'"
    chown -R $(scutil <<< "show State:/Users/ConsoleUser" | awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}'):staff "/Applications/Slack.app"
}

#Check if Slack is installed
if [ ! -d "/Applications/Slack.app" ]; then
    echo "=> Slack.app is not installed"
    install_slack
    assimilate_ownership

#If Slack version is not current install set permissions
elif [ "$currentSlackVersion" != `defaults read "/Applications/Slack.app/Contents/Info.plist" "CFBundleShortVersionString"` ]; then
    install_slack
    assimilate_ownership

#If Slack is installed and up to date just adjust permissions
elif [ -d "/Applications/Slack.app" ]; then
        localSlackVersion=$(defaults read "/Applications/Slack.app/Contents/Info.plist" "CFBundleShortVersionString")
        if [ "$currentSlackVersion" = "$localSlackVersion" ]; then
            printf "Slack is already up-to-date. Version: %s" "$localSlackVersion"      
assimilate_ownership            
            exit 0
    fi
fi

mburchett-zymer
New Contributor II

Fantastic script, shaquir. Works like a charm!

rqomsiya
Contributor III

Note that in version 4.0+ of Slack app you can now block updates via config profile.

dmaestre
Release Candidate Programs Tester

I was having these issues too -- the scripts above weren't working for me either. So as a fail-safe I decided to re-package using composer and changed the permissions on the application to "everyone" RWX -- When it installed and ran the "chown -R scutil....." command via a script after. Now the user is able to update w/o admin rights.

AdamCraig
Contributor III

@shaquir version 4.10 broke this script due to currentSlackVersion=$(/usr/bin/curl -sL 'https://slack.com/release-notes/mac/rss' | grep -o "Slack-[0-9].[0-9][0-9].[0-9]" | cut -c 7-11 | head -n 1) Should be replaced by:
currentSlackVersion=$(/usr/bin/curl -sL 'https://slack.com/release-notes/mac/rss' | grep -Eo "Slack-[0-9]{1,}.[0-9]{1,}.[0-9]{1,}" | cut -c 7-15 | head -n 1)
That means version 4.10.10, 5.0.0, and 10.10.10 would all work if/when those version number formats happen.

JminD
New Contributor II

So oddly enough I tried implementing this as a self service app for my users. I used @shaquir as a base and made the edits that @strayer mentioned. The issue that I'm running into is when this runs it does not update to the latest version. Instead, once my users launch Slack it prompts them that a newer version exists and they should update. When they click yes to continue they're met with the credential window where their credentials wont work because they're not local admins. Any possible fix for this?

cavan_lang
New Contributor

Found a simple and easy solution to this problem. We stopped using the VPP version of Slack as its too unreliable as to when Slack actually updates on users machines. So we switched to Jamf Patch Management. (If anyone hasnt seen this yet, id recommend checking them out. We use tramscloud, a reseller of Jamf that has a layer on top that automates Patch Management for you. (www.tramscloud.co.uk)

I tried re-permissioning the Slack.app application in the Applications folder so the user was the owner, but sadly this did not work.

Back to the point. The command that Slack (https://slack.com/intl/en-gb/help/articles/360035635174-Deploy-Slack-for-macOS) recommends only works if the entry already exists in the plist file.

Slacks Recommendation: defaults write Users/$USER/Library/Preferences/com.tinyspeck.slackmacgap.plist SlackNoAutoUpdates -bool YES

Our Script: plutil -insert SlackNoAutoUpdates -bool YES /Users/$USER/Library/Preferences/com.tinyspeck.slackmacgap.plist
then defaults read /Users/$USER/Library/Preferences/com.tinyspeck.slackmacgap.plist

This inserts the SlackNoAutoUpdates string into the plist file and then reloads it so you do not have to restart for the plist to start working.

rluna
New Contributor II

We use this configuration profile to deploy the default settings for Slack
fd53519fb8884f70b971e05477c9c3e5

lennyvaknine43
New Contributor

Here is my addition in case it helps anyone. Support for m1 arch and modifying currentSlackVersion

#!/bin/bash
##  Created by Shaquir Tannis on 6/12/19
##  Great help from Ian Davidson @iancd addressing Slack's version changes
##  Thanks to owen.pragel and anverhousseini from JamfNation
#### Edited 7/19/19 to address Slack releases.json removal
#### Edited 8/1/19 to address copy issues and point to Slack's RSS feed for latest version
##### Edited 11/2/21 to add support for arm / m1 arch and double digit versioning from currentSlackVersion

#To kill Slack, Input "kill" in Parameter 4 
killSlack="$4"

#Find latest Slack version / Pulls Version from Slack for Mac download page
#fixed latest for double digit middle 11/2/21
currentSlackVersion=$(/usr/bin/curl -sL 'https://slack.com/release-notes/mac/rss' | grep -o "Slack-[0-9]\.[0-9][0-9]\.[0-9]" | cut -c 7-12 | head -n 1)

#Install Slack function
install_slack() {

#Slack download variables
archType="$(/usr/bin/arch)"
if [ $archType == "i386" ]; then
    echo "**** Intel System ****"
    slackDownloadUrl=$(curl "https://slack.com/ssb/download-osx" -s -L -I -o /dev/null -w '%{url_effective}')
elif [ $archType == "arm64" ]; then
    echo "**** arm System ****"
    slackDownloadUrl=$(curl "https://slack.com/ssb/download-osx-silicon" -s -L -I -o /dev/null -w '%{url_effective}')
else
    echo "**** Unknown Architecture ****"
fi
dmgName=$(printf "%s" "${slackDownloadUrl[@]}" | sed 's@.*/@@')
slackDmgPath="/Users/Shared/$dmgName"


#Kills slack if "kill" in Parameter 4 
if [ "$killSlack" = "kill" ];
then
pkill Slack*
fi

#Begin Download

#Downloads latest version of Slack
curl -L -o "$slackDmgPath" "$slackDownloadUrl"

#Mounts the .dmg
hdiutil attach -nobrowse $slackDmgPath

#Checks if Slack is still running
if pgrep '[S]lack' && [ "$killSlack" != "kill" ]; then
    printf "Error: Slack is currently running!\n"

elif pgrep '[S]lack' && [ "$killSlack" = "kill" ]; then
    pkill Slack*
    sleep 10
    if pgrep '[S]lack' && [ "$killSlack" != "kill" ]; then
        printf "Error: Slack is still running!  Please try again later.\n"
        exit 409
    fi
fi

# Remove the existing Application
    rm -rf /Applications/Slack.app

#Copy the update app into applications folder
    ditto -rsrc /Volumes/Slack*/Slack.app /Applications/Slack.app

#Unmount and eject dmg
    mountName=$(diskutil list | grep Slack | awk '{ print $3 }')
    umount -f /Volumes/Slack*/
    if [ -z "$mountName" ]; then
        echo "nothing to unmount"
    else
        echo "unmounting $mountName"
        diskutil eject $mountName
    fi

#Clean up /tmp download
    rm -rf "$slackDmgPath"
}

#Fix Slack ownership function
assimilate_ownership() {
    echo "=> Assimilate ownership on '/Applications/Slack.app'"
    chown -R $(scutil <<< "show State:/Users/ConsoleUser" | awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}'):staff "/Applications/Slack.app"
}

#Check if Slack is installed
if [ ! -d "/Applications/Slack.app" ]; then
    echo "=> Slack.app is not installed"
    install_slack
    assimilate_ownership

#If Slack version is not current install set permissions
elif [ "$currentSlackVersion" != `defaults read "/Applications/Slack.app/Contents/Info.plist" "CFBundleShortVersionString"` ]; then
    install_slack
    assimilate_ownership

#If Slack is installed and up to date just adjust permissions
elif [ -d "/Applications/Slack.app" ]; then
        localSlackVersion=$(defaults read "/Applications/Slack.app/Contents/Info.plist" "CFBundleShortVersionString")
        if [ "$currentSlackVersion" = "$localSlackVersion" ]; then
            printf "Slack is already up-to-date. Version: %s" "$localSlackVersion"      
assimilate_ownership            
            exit 0
    fi
fi