"Installer" would like to administer your computer

phansen
New Contributor

I'm trying to make Panopto 7.0.0 available on Self Service, however, it always seems to error out at the very end. After digging through some logs, I found that the installer should prompt the user with the message in the title (due to Mojave's "enhanced" security) and that is were Jamf is calling the error. Is there a way to get this to work through Self Service? I have tried to script a better installation for the Panopto package but I can't seem to get it to actually function correctly afterwards (in-app upload always breaks). Any help would be much appreciated.

1 ACCEPTED SOLUTION

neil_martin83
Contributor II

This is down to the installer package creating a user account using dscl which gets intercepted by PPPC/TCC. FWIW Panopto is the only app I know of that creates its own user account to do stuff in the background (upload video) - highly peculiar. Anyway...

Props to macdude22 on the Slack who came up with this script that does the needful before you install the package (so run it in the same policy as a Before action):

https://macadmins.slack.com/files/U08E367K8/FLXDADVAS/fix_panopto.sh

View solution in original post

19 REPLIES 19

neil_martin83
Contributor II

This is down to the installer package creating a user account using dscl which gets intercepted by PPPC/TCC. FWIW Panopto is the only app I know of that creates its own user account to do stuff in the background (upload video) - highly peculiar. Anyway...

Props to macdude22 on the Slack who came up with this script that does the needful before you install the package (so run it in the same policy as a Before action):

https://macadmins.slack.com/files/U08E367K8/FLXDADVAS/fix_panopto.sh

phansen
New Contributor

That worked perfectly!! Thank you!

mmcchesney
New Contributor II

Thanks worked for MacOS 10.14.6 did not work on my Catalina Beta 10.15 (19A546d) test machine.

pchimombe
New Contributor III

@mmcchesney have you had any luck with Panopto and Catalina?

raghdasi
New Contributor III

@mmcchesney i am having issue with Panopto and like to know if you found any solution for it. Using PPPC to Allow the Screen Capture in Security and Privacy doesn't work and it is only Deny can be selected and that is stopping us to deploy the the application to our staff as it need admin authentication to add[Allow] Screen Capture in Security and Privacy.

tcandela
Valued Contributor II

@raghdasi @mmcchesney @neil.martin83 did you guys ever figure out the Panopto installation issue via Self Service?

Panopto version 7.2.0

i'm testing on mojave (did not use the script the neil.martin provided), when i run it via SS i get a popup that says 'FAILED TO GET THE REQUIRED PERMISSION. RERUN THE INSTALLER AND ALLOW REQUESTED OPERATION'

is this message what that script is supposed to take care of?

tcandela
Valued Contributor II

I just was able to succesfully install Panopto 7.2.0 by adding that script to run 'before' the Panopto pkg. From the Panopto help web page for mac instructions i see the following information for 10.14 Mojave (see picture). So this is what the script takes care of from displaying?

now what about macOS 10.15 Catalina?

I wonder if 10.13 will install Panopto via self service without the script?

![optional image ALT text](
fbb073a238c348fcb3779fb4b9177210
)

tcandela
Valued Contributor II

I believe the script is removing the SERVER that my organization has setup when the installer installs. Now i have to enter the server information when it should be setup already.

neil_martin83
Contributor II

I'm afraid I haven't tested with Catalina and I'm not deploying it where I work now.

I would say the best option is to push back to the vendor's support and get them to fix their package so it can accomplish what it needs to do without running a script calling commands that don't have permission due to PPPC. I know they are aware of folks who need to mass-deploy it, but can't.

I believe the script is removing the SERVER that my organization has setup when the installer installs. Now i have to enter the server information when it should be setup already.

It doesn't. This is set in the package's filename when you download it from Panopto (the postinstall derives your server address from that). If you rename the package, then it won't set your server.

Alternatively, (with a proper Apple-native method) you can set it in a Configuration Profile, like this one, for example:

https://github.com/neilmartin83/configuration_profiles/blob/master/Panopto%20-%20Defaults.mobileconf...

tcandela
Valued Contributor II

@neil.martin83 Yes I had a feeling it was probably because I change the package name when I downloaded it from our organization.

I mentioned it to our support to contact the vendor

neil_martin83
Contributor II

@tcandela aye, sadly, pushing back to the vendors is really the only way to get this stuff fixed, vs hacking our own unsupported solutions.

tcandela
Valued Contributor II

@neil.martin83 yeah, i don't like adding scripts to hack with getting packages like this installed

tcandela
Valued Contributor II

@neil.martin83 have you ever used that application called Packages to make mac packages?

With Panopto installed on the system with Packages installed, simply run the Packages application, choose the applications folder in the user interface, choose the installed Panopto and build the package.

Im going to try this and test out the resulting pkg on each macOS 10.13 thru 10.15

neil_martin83
Contributor II

@tcandela Panopto requires the hidden user account its package postinstall script creates, as the app uses this for background uploading when the user logs out etc. Because of that, repackaging the app by itself won't work.

tcandela
Valued Contributor II

@neil.martin83 so if a second user logs in to a computer with Panopto installed does it work the same as it does for the original user who logged in an installed it?

neil_martin83
Contributor II

@tcandela If you install the original package, yes. I was describing the behaviour where the installer creates a user account called panopto_upload, which the app requires to work.

simonjones
New Contributor

Hi all,

FYI we have had the same issue, apparently work was done to make the web based version work for this, which is how we use it. I don't know if this was work done specifically for my company or a wider implementation, but might be worth trying this if you still get issues.

Good luck!

wakco
Contributor

I'm wondering if anyone thought about trying:

/usr/local/bin/jamf createAccount -username panopto_upload -realname panopto_upload -home /var/panopto -shell /sbin/nologin -hiddenUser

Before installing, because that works for me.

micmil
New Contributor II

I know I'm necroing this thread, but I had to give kudos to wakco for this suggestion. I've been pulling my hair out trying to get user creation to work with secure token on OS 10.15 & 11 with no luck. sysadminctl now requires "Terminal" to have access to control your computer, but simply granting access via PPPC doesn't work. There's some other component that's actually requesting access but I can't figure out exactly what that is. The simple solution was to use the jamf binary to create the account, then use sysadminctl to enable the secure token. Bam, easy and no security popups because jamf binary already has a profile allowing access.