Posted on 01-27-2023 04:29 AM
Hi Everyone
I am facing issues with Pulse Secure in macOS Ventura. HostChecker.app is blocked by macOS as it is not from an identified developer. Any idea how this can be allowed, as this is causing SAML authentications to fail?
Message in System Settings: "HostChecker.app" was blocked from use because it is not from an identified developer.
Error: "HostChecker.app" is damaged and can't be opened. You should move it to the Bin.
Posted on 01-27-2023 07:01 AM
There aren't enough details to say for certain, but I would posit that one of a couple of things is happening:
It's possible to clear a quarantine flag which allows unsigned apps to run, but I'd push on the vendor for a signed app since this requirement has been present for years. If it's just blocked because the app is unsigned, running xattr -dr com.apple.quarantine /path/to/app should enable it to open. If the app is "damaged" I'd look more at packaging/distribution.
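A read-only triage script for the two cases the reply above separates (blocked for lack of a usable or notarized signature versus a "damaged" bundle). This is an added example, not part of the thread; the function names are hypothetical, and the matched strings are assumed to be the usual output of codesign and spctl.

```shell
#!/bin/bash
# Added example (not from the thread): read-only Gatekeeper triage for an app bundle.
# Run on macOS as: ./triage.sh "/path/to/application"

# Map the text printed by `codesign --verify` and `spctl --assess` to a cause.
# The strings matched are the tools' usual messages (an assumption); any other
# wording falls through to "rejected-unknown".
classify_gatekeeper() {
  spctl_out=$1
  codesign_out=$2
  case $codesign_out in
    *"not signed at all"*)
      echo "unsigned"; return ;;
    *"invalid signature"*|*"sealed resource"*)
      # Seal broken: bundle contents changed after signing.
      echo "broken-signature"; return ;;
  esac
  case $spctl_out in
    *"source=Notarized Developer ID"*)   echo "notarized" ;;
    *"source=Unnotarized Developer ID"*) echo "signed-not-notarized" ;;
    *"source=no usable signature"*)      echo "unsigned" ;;
    *": accepted"*)                      echo "accepted-other" ;;
    *)                                   echo "rejected-unknown" ;;
  esac
}

# Collect the evidence without changing anything on disk.
triage_app() {
  app=$1
  cs=$(codesign --verify --deep --strict --verbose=2 "$app" 2>&1) || true
  sp=$(spctl --assess --type execute -vv "$app" 2>&1) || true
  q=$(xattr -p com.apple.quarantine "$app" 2>/dev/null) || true
  echo "verdict:    $(classify_gatekeeper "$sp" "$cs")"
  echo "quarantine: ${q:-none}"
}

# Only run the live checks on macOS and when a path was given.
if [ "$(uname)" = "Darwin" ] && [ -n "${1:-}" ]; then
  triage_app "$1"
fi
```

A "broken-signature" verdict points at packaging or distribution, and "signed-not-notarized" or "unsigned" is the evidence to attach to a vendor ticket.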
Posted on 01-29-2023 11:27 PM
Posted on 01-27-2023 10:01 AM
How are you distributing Pulse Secure? I'm not familiar with it. I looked up the deployment procedure. The first thing I found was how to do it with AirWatch. If there's an app you're trying to distribute, and they don't make it available as a deployable package, you may need to make one of your own using Composer. I have done that for a few different apps. If you need to distribute packages during PreStage, they need to be signed.
Posted on 01-27-2023 10:24 AM
Pulse Secure lists versions on their website KB that should be compatible with the signed/notarized requirements of macOS. I would recommend opening a support ticket with Pulse Secure if a later version is failing a check. If you're using an older version on a later OS, given what this tool does, it will most likely not work the way you want, even if you try to override some of the security checks.
Posted on 01-27-2023 11:01 AM
The app you are deploying is not notarized and Gatekeeper is eating it. The application's developer simply needs to notarize the app. Sometimes you can do some shenanigans with xattr to whitelist the app, but you will need to do this every time you update the app. If the developer wants to make a macOS app, they need to make it right, and one of those things is to notarize the application.
Safely open apps on your Mac - Apple Support
TL;DR
Unless you are breaking the bundle signature, this is a problem between Pulse Secure and Apple and how to notarize an application.
Posted on 01-27-2023 11:03 AM
You definitely should not disable any macOS security settings to make this thing work.
Posted on 01-28-2023 11:53 AM
If you are using the latest agent and having these issues, I would recommend pushing back on Ivanti to address notarization of their app.
Another option, if you really want to go this route, is to try to whitelist it in Gatekeeper using the following code:
xattr -d com.apple.quarantine "/path/to/application"
Posted on 01-29-2023 11:29 PM
Tried this, does not work on Ventura.
Posted on 01-30-2023 08:10 AM
If it's a dynamically downloaded hostchecker, the app and path will change every time. Push on the vendor to properly sign their app.