Self Service, Mac App Store apps and admin credentials

DanJ_LRSFC
Contributor III

We started making the free Apple apps from the Mac App Store available via VPP on our Self Service.

However we're finding that when users are trying to install these they are being prompted for admin credentials for "storedownloadd".

I found this thread which says I need to disable "Require admin password to install or update apps" in Configuration Profiles.

However if I disable that, won't that mean that users will then be able to install apps from other sources such as downloads or USB sticks?

Is there a way to monitor and/or block unauthorised app installations, while still retaining the ability to install VPP apps from Self Service?

Thanks,
Dan Jackson (Senior ITServices Technician).
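One way to get the monitoring side of this question, added here as an example and not from the thread: a shell script suitable for a Jamf extension attribute that lists .app bundles in /Applications with no Mac App Store receipt (Contents/_MASReceipt/receipt) and that are not on an allow-list of apps you deployed yourself. The allow-list names and the sample bundle names are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). VPP / Mac App Store installs carry a receipt
# at Contents/_MASReceipt/receipt; an app without one was installed some other way
# (Composer package, drag-and-drop from a download or USB stick, ...). Apps you
# deploy yourself without a receipt go on the allow-list so they are not flagged.

# Apps expected to lack a MAS receipt. Assumed names, adjust for your fleet.
ALLOWED_APPS="Safari.app
Self Service.app"

# Print each unreceipted, non-allow-listed app bundle directly under $1, one per line.
find_unreceipted_apps() {
    dir="$1"
    for app in "$dir"/*.app; do
        [ -d "$app" ] || continue                       # no match: glob left literal
        name=$(basename "$app")
        [ -f "$app/Contents/_MASReceipt/receipt" ] && continue   # MAS/VPP install
        printf '%s\n' "$ALLOWED_APPS" | grep -qxF "$name" && continue  # ours
        printf '%s\n' "$name"
    done
}

# Build a constructed sample tree so the check can be exercised offline.
make_sample_apps() {
    root=$(mktemp -d)
    mkdir -p "$root/Pages.app/Contents/_MASReceipt"
    : > "$root/Pages.app/Contents/_MASReceipt/receipt"   # looks MAS-installed
    mkdir -p "$root/Self Service.app/Contents"            # allow-listed, no receipt
    mkdir -p "$root/Unknown Tool.app/Contents"            # neither: gets reported
    printf '%s\n' "$root"
}

# Jamf extension attribute output: the value is wrapped in <result></result>.
report() {
    found=$(find_unreceipted_apps "${1:-/Applications}")
    if [ -z "$found" ]; then
        printf '<result>none</result>\n'
    else
        printf '<result>%s</result>\n' "$found"
    fi
}
```

Scoped as an extension attribute, the result can drive a smart group that flags Macs with unexpected software for follow-up; it does not block installs, it only surfaces them in inventory.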


Hugonaut
Valued Contributor II

Hello @DanJ_LRSFC

I'm not sure, but I have some ideas. Just FYI..
* (I have no experience w. Mac App Store apps; I run Composer for all applications in our environment and then add that package to Self Service & limit updates.) *

On a test machine, what happens if you delete storedownloadd and then download normally through Self Service with no changes elsewhere?

sudo rm -rf /System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd

Have you tried this?

Maybe modify these settings in the Security prefs pane
&
b/c JSS acts as root you can put those apps in Self Service and then disable access to the App Store so they are limited? Why are they getting this pop-up if the stuff is from Self Service?

or

You could also use a script that runs on the machine as root to install or update from a repository instead of directly from the App Store, thus bypassing the need for a configuration profile entirely. As long as your repository is updated, they can run the policy/script from Self Service and it's basically the same thing. This way, they can't technically install anything else themselves besides what you deem available.

Example:

#!/usr/bin/osascript

-- Placeholders kept from the post: FROMHere is the repository URL and
-- /(WHATEVER-PATH-MAY-BE-TO/APPLICATION.pkg is the local path the package is saved to.
-- When the policy already runs as root via Jamf, the user name / password /
-- with administrator privileges clauses are not needed; avoid leaving a root
-- password in the script where that is the case.

-- Get from repo
try
    do shell script "curl -o /(WHATEVER-PATH-MAY-BE-TO/APPLICATION.pkg FROMHere" user name "root" password "rootpass" with administrator privileges
on error errMsg number errNum
    display dialog "ERROR# CANT LOCATE REPO ETC " & errNum & ": " & errMsg
    error number -128 -- abort the script
end try

-- Install
try
    do shell script "installer -target / -pkg /(WHATEVER-PATH-MAY-BE-TO/APPLICATION.pkg" user name "root" password "rootpass" with administrator privileges
on error errMsg number errNum
    display dialog "ERROR# CANT INSTALL ETC " & errNum & ": " & errMsg
    error number -128 -- abort the script
end try

-- After successful install (delete)
try
    do shell script "rm -rf /(WHATEVER-PATH-MAY-BE-TO/APPLICATION.pkg" user name "root" password "rootpass" with administrator privileges
on error errMsg number errNum
    display dialog "ERROR# CANT DELETE ETC " & errNum & ": " & errMsg
    error number -128 -- abort the script
end try
________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________


Virtual MacAdmins Monthly Meetup - First Friday, Every Month

jcarr
Release Candidate Programs Tester

@Hugonaut you may want to run this process by your legal team. I'm not a lawyer, nor do I play one on TV, but this may be in violation of the App Store terms and conditions and may be putting you out of license compliance. In any case, the VPP process makes it much easier to keep your apps up-to-date and keep your organization in license compliance.

@DanJ_LRSFC, have you considered just using the 'install automatically' option for these apps? A license is consumed when you scope an app to a device, so making the app user installable doesn't necessarily help with the license budget.

Just my $0.02

Hugonaut
Valued Contributor II

@jcarr Thank you for the advice, I will look into the process. We certainly use up our licenses and pay for everything haha! No worries about that.


DanJ_LRSFC
Contributor III

@jcarr Ideally we'd prefer the apps only to be installed where they're needed, but because we don't get given that information, we wouldn't be able to set up something to install it on every Mac in room so-and-so or whatever. Hence the desire to provide it through Self Service.

@Hugonaut I haven't tried removing storedownloadd. Wouldn't that fail on OS X El Capitan due to System Integrity Protection, as it's in a /System path?

I don't have a problem with unticking "Require admin password to install or update apps" in Configuration Profiles, but I'd need a way to keep on top of unauthorised app installations if I were to go ahead with that.

blackholemac
Valued Contributor III

@jcarr I'm not a lawyer either but pushing them out with a remote system after having it downloaded on a master is actually how Apple recommended getting Apple apps out to a fleet when the App Store first debuted.

This article at Apple covered the procedure (link still works but Apple notes that this is an archived article that is no longer updated): https://support.apple.com/en-us/HT201115

The act of packaging itself might violate some contract, but it's interesting that they actually used to recommend deploying this way before fancy new acronym tools were available.

The technique still works but is ill-advised as Device-based VPP is so much better and Apple may start implementing receipt checking at any time on their apps. It only works now because they don't. We had to use it though because we used to have the AELP program where we would get one download code but a legal agreement saying to use it up to our licensed amount. It took some pain, but I finally got Apple to convert those old agreements to device-based licensing.

DanJ_LRSFC
Contributor III

Update:

I unticked "Require admin password to install or update apps" in Configuration Profiles and now users aren't prompted for admin credentials. However, what does happen is the Mac App Store comes up with "Cannot Connect to App Store".

Is this likely to be related to "Restrict App Store to MDM installed apps and software updates"? As we have that ticked as well.

EDIT: actually never mind, there was an issue with that particular Mac.