Zoom Update is requiring Admin Credentials in Self Service

timgep
New Contributor II

My MacOS users are reporting that the latest Zoom 4.6.10 is requiring Administrator Credentials when they are trying to install it from Self Service.
I had deployed 4.6.9 in a similar manner, and I did not have this problem.

29 REPLIES 29

AdamCraig
Contributor III

I downloaded the package directly from the URL from https://zoom.us/client/4.6.20041.0408/ZoomInstallerIT.pkg and deployed it without issue.
when do they get the admin prompt?

timgep
New Contributor II

I got the package from https://zoom.us/client/latest/Zoom.pkg. I believe your link is for the IT version. They are prompted for credentials during the install out of Self Service.

chrislandreth
New Contributor II

@timgep you will want to use the IT version for Self Service. You can get the latest verion at https://zoom.us/client/latest/ZoomInstallerIT.pkg

If you want to push any settings there are some details about the plist at: https://support.zoom.us/hc/en-us/articles/115001799006-Mass-Deployment-with-Preconfigured-Settings-f...

Chris_Hafner
Valued Contributor II

For what it's worth, I've pushed both packages, both by automated policy AND self-service and have had no issues.

fnieves43
New Contributor II

During the release of the IT pkg you need to make a custom .plist file with the configuration to allow users to update through the client and push it along with that pkg. By default this is disabled.

talkingmoose
Moderator
Moderator

I've made a custom settings manifest for Zoom for anyone needing an easy way to set and maintain Zoom preferences. To use it:

  1. Copy the JSON Schema manifest here to your clipboard.
  2. In Jamf Pro, navigate to Computers > Configuration Profiles and click the New button to create a new profile. Name it something like "Zoom Settings".
  3. In the list of payloads in the middle, scroll down to the Application & Custom Settings payload and click the Configure button.
  4. Choose Creation Method > Configure settings. Source > Custom Schema. Preference Domain: us.zoom.config.
  5. Paste the manifest into the Custom Schema field at the bottom of the window.
  6. Click the Properties tab.

You should see a list of about 50 manageable settings including a setting for autoupdate, which is disabled by default.

15771de307ec4e18a5cf36bd2fbc1fa7

jhuls
Contributor III

@talkingmoose Nice...thanks!

timgep
New Contributor II

@talkingmoose. Thank you for your well-written solution. Unfortunately it did not solve my problem. I set scope for the configuration policy, and see that it was pushed out to many of the users. I asked one of the users who received the configuration profile to run Zoom. She was asked if she wanted to update it, and it stopped to ask for admin credentials for the installer.
I am a new IT admin at my school. I am wondering if there might be a more general policy that is enforcing this? We are seeing something similar on our CatalinaOS upgrade. Thanks again Talkingmoose.

AdamCraig
Contributor III

@timgep Zoom came out with another new update yesterday. So whenever there is a new version then users will be promted for credentials to install that new version.
You'll need to update your installer again from https://zoom.us/client/latest/ZoomInstallerIT.pkg

You'll want to scope the policy to users that have zoom installed and exclude users with the version you are installing or newer using smart groups. I use the patch management feature to help with this scoping.
809fd02308084f6d905150b60e26a018

dtmille2
Contributor III

Anyone know how to install the updates without requiring the user to download the "smart virtual background package" again?

timgep
New Contributor II

Thanks again for all of your responses. With your help I was able to do a Band-Aid solution, which was to put the Zoom for ITAdmin version into Self Service, and my users are able to install that OK without admin credentials. With this approach, I will have to keep uploading the updates to Self Service as they come in. I tried setting the ZAutoUpdate parameter to True in a custom Configureation Profile, and that did not work. Edited ZAutoUpdate to True with a Plist editor and re-installed the ZoomforITAdmins, and the update still does not work, in that the user has to provide Admin credentials as part of the install.
I searched around the other Config Profiles (especially enrollment) to see if the "Require admin password to install or update apps" restriction was set. It was not. Is it true that in MacOS that a package always requires admin credentials to install?
Thanks again,
Tim

celliott147
New Contributor II

I found this script:

#!/bin/sh
#####################################################################################################
#
# ABOUT THIS PROGRAM
#
# NAME
#       ZoomInstall.sh -- Installs or updates Zoom
#
# SYNOPSIS
#       sudo ZoomInstall.sh
#
####################################################################################################
#
# HISTORY
#
#       Version: 1.0
#
#       - Shannon Johnson, 28.9.2018
#       (Adapted from the FirefoxInstall.sh script by Joe Farage, 18.03.2015)
#
####################################################################################################
# Script to download and install Zoom.
# Only works on Intel systems.
#

# Set preferences - set to anything besides "true" to disable
hdvideo="true"
ssodefault=""
ssohost=""


# choose language (en-US, fr, de)
lang=""
# CHECK TO SEE IF A VALUE WAS PASSED IN PARAMETER 1 AND, IF SO, ASSIGN TO "lang"
if [ "$4" != "" ] && [ "$lang" == "" ]; then
        lang=$4
else 
        lang="en-US"
fi

pkgfile="ZoomInstallerIT.pkg"
plistfile="us.zoom.config.plist"
logfile="/Library/Logs/ZoomInstallScript.log"

# Are we running on Intel?
if [ '`/usr/bin/uname -p`'="i386" -o '`/usr/bin/uname -p`'="x86_64" ]; then
        ## Get OS version and adjust for use with the URL string
        OSvers_URL=$( sw_vers -productVersion | sed 's/[.]/_/g' )

        ## Set the User Agent string for use with curl
        userAgent="Mozilla/5.0 (Macintosh; Intel Mac OS X ${OSvers_URL}) AppleWebKit/535.6.2 (KHTML, like Gecko) Version/5.2 Safari/535.6.2"

        # Get the latest version of Reader available from Zoom page.
        latestver=`/usr/bin/curl -s -A "$userAgent" https://zoom.us/download | grep 'ZoomInstallerIT.pkg' | awk -F'/' '{print $3}'`
        echo "Latest Version is: $latestver"

        # Get the version number of the currently-installed Zoom, if any.
        if [ -e "/Applications/zoom.us.app" ]; then
                currentinstalledver=`/usr/bin/defaults read /Applications/zoom.us.app/Contents/Info CFBundleShortVersionString`
                echo "Current installed version is: $currentinstalledver"
                if [ ${latestver} = ${currentinstalledver} ]; then
                        echo "Zoom is current. Exiting"
                        exit 0
                fi
        else
                currentinstalledver="none"
                echo "Zoom is not installed"
        fi

        url="https://zoom.us/client/${latestver}/ZoomInstallerIT.pkg"

        echo "Latest version of the URL is: $url"
        echo "`date`: Download URL: $url" >> ${logfile}

        # Compare the two versions, if they are different or Zoom is not present then download and install the new version.
        if [ "${currentinstalledver}" != "${latestver}" ]; then

                # Construct the plist file for preferences
                echo "<?xml version="1.0" encoding="UTF-8"?>
                 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
                 <plist version="1.0">
                 <dict>
                        <key>nogoogle</key>
                        <string>1</string>
                        <key>nofacebook</key>
                        <string>1</string>
                        <key>ZDisableVideo</key>
                        <true/>
                        <key>ZAutoJoinVoip</key>
                        <true/>
                        <key>ZDualMonitorOn</key>
                        <true/>" >> /tmp/${plistfile}

                if [ "${ssohost}" != "" ]; then
                        echo "
                        <key>ZAutoSSOLogin</key>
                        <true/>
                        <key>ZSSOHost</key>
                        <string>$ssohost</string>" >> /tmp/${plistfile}
                fi

                echo "<key>ZAutoFullScreenWhenViewShare</key>
                        <true/>
                        <key>ZAutoFitWhenViewShare</key>
                        <true/>" >> /tmp/${plistfile}

                if [ "${hdvideo}" == "true" ]; then
                        echo "<key>ZUse720PByDefault</key>
                        <true/>" >> /tmp/${plistfile}
                else
                        echo "<key>ZUse720PByDefault</key>
                        <false/>" >> /tmp/${plistfile}
                fi

                echo "<key>ZRemoteControlAllApp</key>
                        <true/>
                </dict>
                </plist>" >> /tmp/${plistfile}

                # Download and install new version
                /bin/echo "`date`: Current Zoom version: ${currentinstalledver}" >> ${logfile}
                /bin/echo "`date`: Available Zoom version: ${latestver}" >> ${logfile}
                /bin/echo "`date`: Downloading newer version." >> ${logfile}
                /usr/bin/curl -L -o /tmp/${pkgfile} ${url}
                /bin/echo "`date`: Installing PKG..." >> ${logfile}
                /usr/sbin/installer -allowUntrusted -pkg /tmp/${pkgfile} -target /

                /bin/sleep 10
                /bin/echo "`date`: Deleting downloaded PKG." >> ${logfile}
                /bin/rm /tmp/${pkgfile}

                #double check to see if the new version got updated
                newlyinstalledver=`/usr/bin/defaults read /Applications/zoom.us.app/Contents/Info CFBundleShortVersionString`
        if [ "${latestver}" = "${newlyinstalledver}" ]; then
                /bin/echo "`date`: SUCCESS: Zoom has been updated to version ${newlyinstalledver}" >> ${logfile}
                # /Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType hud -title "Zoom Installed" -description "Zoom has been updated." &
        else
                /bin/echo "`date`: ERROR: Zoom update unsuccessful, version remains at ${currentinstalledver}." >> ${logfile}
                /bin/echo "--" >> ${logfile}
                        exit 1
                fi

        # If Zoom is up to date already, just log it and exit.
        else
                /bin/echo "`date`: Zoom is already up to date, running ${currentinstalledver}." >> ${logfile}
        /bin/echo "--" >> ${logfile}
        fi      
else
        /bin/echo "`date`: ERROR: This script is for Intel Macs only." >> ${logfile}
fi

exit 0

It's doing the trick for us.

karthiklh44
New Contributor

@celliott147 Hi there, I have tried the script you posted but it failed to install. Do i have to change anything in the script you shared ?

timgep
New Contributor II

Again, thanks for the replies. The Zoom for IT Admins version is what ultimately solved it for me, I really don't know why. Jamf Support gave me another tip to put the package into Patch Manager. It works well. I have now pushed out versions 4.6.11 and 4.6.12 (today) automatically. I don't do any configuring of the settings. Keep It Simple, but it works. Thanks again.

celliott147
New Contributor II

Hi @karthiklh44 I've only had issues when using it to try to install Zoom. I haven't had any issues updating. I used the script as is.

yholland
New Contributor II

Hi @timgep

What The Zoom for IT Admin version will do differently? Will it automatically check for updates and install them? Can you walk me through your solution?

bmcdade
Contributor

Looking to see if anyone else knows the difference between the normal Zoom installer and the IT admin version other than that it's 15mb larger on the latest 5.0.3 version. I also had a user have to authorize Zoom in the System Prefs, thought it might be a Version 5.0.x issue.

Chris_Hafner
Valued Contributor II

So far as I know, it's all down to the ability to configure via plist during install. Someone feel free to correct me if I've missed something. Also @timgep This feels like there's something broken that you want to chase down with your original deploy attempt. Either a permissions issue on the .pkg or an old school device signature error. Successful deployment of the standard zoom.pkg doesn't require anything special. Dump in JAMF Pro Admin and deploy. Something.

beeboo
Contributor

maybe the zoom for IT locks down and looks for specifically the plist? not sure, but ive been deploying every version from a script so that all i change is the policy to reflect the version.

tested all the way to 5.0.1 though 5.0.2 just came out.

no issues this way, i write the PLIST to tmp since thats where the PKG installer goes.
another thread referenced that zoom can read managed and also /library/preferences, but this has worked for us without issue and a tiny PLIST would prove little to increase time for script and itll guarantee the right settings are pushed regardless of MDM being broken on a machine or not.

stmpl10
New Contributor II

@fnieves43 Using Composer, how do you include the plist file with the IT pkg?

beeboo
Contributor

https://support.zoom.us/hc/en-us/articles/115001799006-Mass-Deployment-with-Preconfigured-Settings-for-Mac

Once the .plist file is complete, it will need to be named us.zoom.config.plist. When deploying, as long as this file is in the same folder as the ZoomInstallerIT.pkg, the installation will automatically put the .plist file into the /Library/Preferences folder.

Should be "/Library/Preferences"

stmpl10
New Contributor II

@beeboo Thank you - I'm a windows guys learning the Mac world so my confusion comes on how to include the plist file in the same folder as ZoomInstallerIT.pkg when deploying with Jamf Pro & Cloud DP? Do I put them together using Composer or is it somehow configured in policy?

beeboo
Contributor

@stmpl10 you would open composer, do a snapshot, install zoomIT pkg (should go to /Applications) then copy over the golden version of the PLIST if you want to deploy to /Library/Preferences.

once completed, finish your snapshot, delete superfluous stuff like /opt/ or whatever you dont need.

you should only be deploying the APP itself and the PLIST.

root:wheel as owner

save as PKG

upload PKG to JSS

created policy with the PKG in JSS

deploy to test user to see and then it should be good.

rwinfie
Contributor

If you are using this script make sure you edit the installed version line to check for CFBundleVersion and not CFBundleShortVersionString as you will get a mismatch everytime and the script will continue to install the same version from the web each time and never fail as already on the current version.

Also unless you change the install directory for zoom , to the user area , it seems you will always need admin as the users will not have access to Modify the contents of /Applications the autoupdate flag is only used for the client to view the updates and has no bearing on if it can be installed without admin or not

cvangorp
New Contributor III

@talkingmoose Does your json config for Zoom work with only the zoomit pkg or will it work with both? Just looking into this option -
Thanks!

talkingmoose
Moderator
Moderator

@cvangorp, my understanding from other discussions here (I haven't personally tested) is that configuration profiles only work with the Zoom IT package.

bgibson55
New Contributor

@talkingmoose , I just wanted to add my thanks for the Zoom JSON manifest. The installation of the ZoomIT package (5.2.1) I deployed this morning is working as expected with my configured settings on macOS Catalina.

cbd4s
Contributor II

Same experience as @timgep mentioned. ZoomInstallerIT520.pkg deployed with /Library/Preferences/us.zoom.config.plist that has ZAutoUpdate set to True. User gets Update Zoom notification "To avoid problems caused by this version of macOS, please update Zoom to the version compatible with your device." User also has the Update to the version compatible with your device banner in the app and Update button for user to click. However, Update basically downloads the install file zoom_x9.pkg into the hidden /var/folders and its installation still requires admin privilege. This does not match Zoom's documentation: Allow updates through the client by users.

cbd4s
Contributor II

After some further testing, we most likely will be using the jamf new policy deferral function for managing Zoom updates instead of the app's autoupdate feature (which doesn't seem to work without admin privilege) or the patch management policies.

So it will be one single ongoing check-in policy to deploy the latest ZoominstallerIT package with the deferral duration set to 1 day. The users will get the prompt when the policy runs to start the installation now, in 1 hour, 2 hours, 4 hours or 1 day. The target will exclude the machines already got the latest versions we deploy so the policy should only run once on each machine. For the ongoing maintenance, this means there will be only two things to be updated: the package in the policy and the zoom-latest-installed smart group criterial application version number. No flushing log, No patch management, No forced application quit or sudden interruption to the user's Zoom meeting.