- Jamf Nation Community
- Products
- Jamf Pro
- Jamf Policy Fails Locally But Succeeds Remotely
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-31-2023 08:02 AM
Hello all you friendly Jamf admins! I've got a problem that's stumping me and my colleague, hoping somebody here can shed some light.
Recently (starting last week), I have begun encountering an issue where running sudo jamf policy produces unexpected results. When run locally, policies will fail. They attempt to run, and produce the following output, using Firefox as an example:
Installing Firefox ESR 115.4.0...
Installation failed. The installer reported: installer: Package name is Firefox
installer: Upgrading at base path /
installer: The upgrade failed. (The Installer encountered an error that caused the installation of fail. Contact the software manufacturer for assistance. An unexpected error occurred while moving files to the final destination.)
This occurs with both Chrome and Firefox, both of which I recently packaged. This occurs with both Patch Management Policies and regular Policies. I created the packages in Composer from my Applications folder, with 755 root:wheel permissions, the same way I have for all previous packages I've made. These just recently started to fail. Older packages still successfully install. I haven't changed any settings in Jamf Pro or Composer.
What's really throwing us for a loop is that if I SSH into these machines and run a policy update, the packages install with no problem. It's just running the command locally that it fails. I'm logged in with the same account in both places, a local admin.
The install.log mentions that the failing packages aren't signed:
trust evaluation failed: Error Domain=PKInstallErrorDomain Code =101 "The package "Firefox _ESR_115.4.0.pkg" is not signed."
but I've never signed these packages before and they worked just fine.
If this rings a bell for anyone that's encountered this before and could point me in the right direction, I would be very grateful. Thanks!
--
AGE QVOD AGIS
AGE QVOD AGIS
Solved! Go to Solution.
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-13-2023 08:56 AM
Okay, I've figured out what this was. Wasn't Jamf at all, was my stupid mistake.
System Settings > Privacy & Security > App Management > Terminal was toggled off. Once I turned that on, all those packages started to work.
I wasn't aware of this setting until one of my colleagues pointed it out to me. Leaving this here as a monument to my own silliness, and in case any future folks run into this.
Thanks everyone for your ideas and help tracking this down!
--
AGE QVOD AGIS
AGE QVOD AGIS
15 REPLIES 15
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-31-2023 08:30 AM
Are there any scripts (postinstall, postinstall, etc) included in these packages? Or are they just dropping the .app into Applications?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-31-2023 08:35 AM
Just dropping the .app into Applications, no scripts at all.
--
AGE QVOD AGIS
AGE QVOD AGIS
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-31-2023 10:43 AM
Any odd characters in the package name? It doesn't look like it from what you posted, but I'm just spitballing.
What about if you run the package locally? Like double click the pkg in the Finder and install it that way? Anything to note in any messages from Installer.app? I can't think of what would cause a pkg to fail to install in one of those scenarios, but not the other. Sounds like its the same account, same privileges. They should work the same way. Odd.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-31-2023 10:46 AM - edited 10-31-2023 10:47 AM
Negative, shouldn't be anything strange. I've also redownloaded this from Google/Mozilla and repackaged it 3 different times, even tried it as a .DMG, thinking maybe it got corrupted or something. No joy.
--
AGE QVOD AGIS
AGE QVOD AGIS
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-31-2023 11:37 AM
What Applications directory are you dumping the source files in to? Any random chance its ~/Applications?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-31-2023 11:40 AM
I'm not 100% sure I understand the question - I'm pulling the .app from my /Applications folder into Composer, packaging, and dumping the package into ~/Desktop/Packages. Not sure if that's what you're asking; if not, please let me know and I can provide more details. Thanks!
--
AGE QVOD AGIS
AGE QVOD AGIS
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-31-2023 11:44 AM
MacOS has more than one Applications directory. You have the typical one that most people use which is /Applications. However, macOS also has a /user/{profile}/Applications directory.
For science: What happens if you put Chrome or Firefox into a different directory?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-01-2023 07:45 AM
I am able to successfully deploy Chrome to ~/Applications by packaging as a .dmg and selecting the Fill Existing User Home Directories option. So it's objecting to writing these packages to /Applications.
--
AGE QVOD AGIS
AGE QVOD AGIS
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-01-2023 05:57 AM
I assume you're repackaging because you're in a field that requires the application be verified first before deploying? I would download Suspicious Package and see what's truly inside the package
FYI the error you're running into when running locally is Gatekeeper because the package isn't signed. If repackaging is necessary then I'd either sign it Jamf Pro or get an Apple Developer account and create an installer cert.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-01-2023 06:01 AM
That's correct - our Security team has specified all packages must be downloaded, verified, and repackaged. Not ideal, but that's the directive.
What's odd is we've never had to sign these packages before, and we've been doing this process since we stood up our Jamf Pro environment 3 years ago. Not sure why that would have changed since I haven't installed any updates to Jamf Pro (on prem).
--
AGE QVOD AGIS
AGE QVOD AGIS
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-01-2023 06:11 AM
I only sign the packages that I have attached to my prestage enrollment profiles but otherwise you shouldn't really need to if it's being installed by a policy.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-01-2023 07:49 AM
That's what I was thinking - we've never had to sign these before, and old packages that aren't signed still successfully install.
--
AGE QVOD AGIS
AGE QVOD AGIS
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-01-2023 08:08 AM
Same here. I had briefly signed packages I was building at one point, but stopped doing it because it requires that the packages be updated (rebuilt) once the certificate expires, which if you're using a basic dev account I believe is once a year. Otherwise packages with expired certificates fail to install.
I can understand why it's done in some environments, but for us, Jamf Pro is already our trusted source, so we trust the packages that we've vetted and added to our distribution point. Signing them seems like an extra unnecessary step.
I still can't quite understand what's going on for you here though. The installs should be working in both instances. It's puzzling that they are failing one way but not the other. Have you opened a ticket with Jamf on this to see if they might be able to help you track down the cause?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-02-2023 06:37 AM
I hadn't when I opened this thread, but I have now. If they're able to track this down, I'll let everyone know!
--
AGE QVOD AGIS
AGE QVOD AGIS
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-13-2023 08:56 AM
Okay, I've figured out what this was. Wasn't Jamf at all, was my stupid mistake.
System Settings > Privacy & Security > App Management > Terminal was toggled off. Once I turned that on, all those packages started to work.
I wasn't aware of this setting until one of my colleagues pointed it out to me. Leaving this here as a monument to my own silliness, and in case any future folks run into this.
Thanks everyone for your ideas and help tracking this down!
--
AGE QVOD AGIS
AGE QVOD AGIS
