Xcode 7.x with El Capitan

m_entholzner
Contributor III

Hey guys,

I'm wondering if anyone has found a solution for this yet.
We have environments where Xcode needs to be run without granting admin privileges. We used to manage this by creating a custom Xcode installer. The contents are the following:

  • Xcode downloaded from the developer portal
  • CLI tools downloaded from the developer portal
  • enable devtoolsecurity to make Xcode work without being an admin
  • a postinstall script which runs the following actions: agree to the license agreement, install the "additional required components" that Xcode wants to install when first launched

#!/bin/sh
defaults write /Library/Preferences/com.apple.dt.Xcode.plist IDELastGMLicenseAgreedTo -string "EA1327"
defaults write /Library/Preferences/com.apple.dt.Xcode.plist IDEXcodeVersionForAgreedToGMLicense -string "7.2"

installer -pkg /Applications/Xcode.app/Contents/Resources/Packages/MobileDevice.pkg -target /
installer -pkg /Applications/Xcode.app/Contents/Resources/Packages/MobileDeviceDevelopment.pkg -target /

This works perfectly for 10.10 or below, but no longer for 10.11. The bad boy that keeps this from working is SIP. The MobileDevice.pkg and MobileDeviceDevelopment.pkg packages want to write to /System/Library, which is a SIP-protected location.

But now comes the really weird thing:
When I execute the installer -pkg command manually from the terminal, the packages install fine and Xcode will work.
When the packages are installed via GUI (double-clicking installer files) they are also installing fine.

The packages are signed with the Apple software update signing certificate, which is the reason why they can be installed in SIP-protected locations. I assume that a postinstall script or JSS policy calls the installer packages a bit differently than a GUI or Terminal trigger.

What I have tried to install the packages that DIDN'T work:

  • postinstall script in the Xcode installer
  • AppleScript call to install the packages (do shell script with administrator privileges)
  • a JSS policy that is called in the postinstall script
  • a Self Service policy manually executed

What DID work:

  • manually installing the packages via GUI
  • manually installing via Terminal

I have no idea how to deal with this. Is anyone in a similar situation? And the more important question: what am I missing here and what is the magic trick?

Michael

1 ACCEPTED SOLUTION

m_entholzner
Contributor III

Never mind, I found another thread with the same problem: https://jamfnation.jamfsoftware.com/discussion.html?id=17443