Distributing Enterprise Applications to macOS devices using MDM

Distributing Enterprise Applications to macOS devices using MDM

In an earlier blog post, Bennett described how to create and deploy VPP software packages to macOS and iOS devices using LANDESK Management Suite 2016.3 and later. You may have noticed a radio button in the console UI that, at the time, was ignored:

manifest-url-package

Yep, you can deploy your own software packages using LDMS MDM, not just those software applications available on the App Store.

If you select the Manifest URL button, you get some additional UI:

mdm-properties

The additional UI allows you to enter the URL of a manifest plist file, and the Bundle ID and version of the application being installed. This can seem pretty daunting. Thank goodness Apple has provided a web page documenting the requirements for software distribution via MDM. It’s a good read, and answers a lot of questions, but, at least for me, it didn’t get to the point of being able to create something I could distribute via MDM. But let me summarize:

To distribute software or other things (like fonts for example), you need:

  1. Create an installer package (a .pkg file) created with the productbuild command-line tool, and signed with the root certificate of your mdm solution.
  2. A manifest file in the form of a property list (.plist) which describes and points to the installer package in very specific ways (see the above link for a sample)
  3. A webshare, accessible from your intranet or the Internet. You can place the package and manifest file in a hidden directory or in any location that’s readable using https. It must be readable using https, and using a non-self-signed certificate, since Apple URL services will not connect via https to a server with a self-signed cert.

Once you have these three things, you can fill out the Manifest URL UI to create an LDMS package to distribute to enrolled macOS devices using MDM.

The installer package

Creating an installer package for an application you want to install can be as easy as running the command line tool product build. For example, to create an installer package on my external drive “Work” for Google Chrome, which is sitting in my Applications folder, the following terminal command will do the trick:

productbuild --component "/Applications/Google Chrome.app" "/Applications", "/Volumes/Work/Google Chrome.pkg" --sign identity-name

You will need to replace identity-name with the name of a valid signing certificate on your computer. If you have enrolled your macOS device in the LDMS MDM service, you can find the certificate for the MDM service in your system keychain. This is a valid signing certificate for deployment with our MDM solution.

The manifest file

If you read the Apple documentation (see above), you were given an example manifest file to fill out with our package-specific info (I’ve simplified this by removing some items that are not applicable to the LANDESK environment:

Sample macOS content manifest file for an application bundle
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">
     <dict>
         <key>items</key>
         <array>
              <dict>
                   <key>assets</key>
                   <array>
                       <dict>
                            <key>kind</key>
                            <string>software-package</string>
                            <key>md5-size</key>
                            <integer>10485760</integer>
                            <key>md5s</key>
                            <array>
                                 <string>41fa64bb7a7cae5a46bfb45821ac8b99</string>
                                 <string>51fa64bb7a7cae5a46bfb45821ac8b98</string>
                                 <string>61fa64bb7a7cae5a46bfb45821ac8b97</string>
                            </array>
                            <key>url</key>
                            <string>https://www.example.com/apps/myapp.pkg</string>
                       </dict>
                   </array>
                   <key>metadata</key>
                   <dict>
                       <key>bundle-identifier</key>
                       <string>com.example.myapp</string>
                       <key>bundle-version</key>
                       <string>1.0</string>
                       <key>items</key>
                       <array>
                            <dict>
                                 <key>bundle-identifier</key>
                                 <string>com.example.myapp-unique</string>
                                 <key>bundle-version</key>
                                 <string>1.7.4</string>
                            <dict>
                       </array>
                       <key>kind</key>
                       <string>software</string>
                       <key>sizeInBytes</key>
                       <string>26613453</string>
                       <key>title</key>
                       <string>Example My App Package</string>
                   </dict>
              </dict>
         </array>
     </dict>
</plist>

Things to know about if you are planning to do this by hand:

Once we have the package built as above, to fill out this manifest file, the application needs to know:

  1. The location of the the installer package on the https server. Replace “https://www.example.com/apps/myapp.pkg” with the actual name and location of the hosted package.
  2. The md5-hash of each 1 megabyte chunk of the installer package file. Replace the array of md5 hash (labeled “md5s” above) with the actual hashes.
  3. The bundle identifier and version of the application you are installing. Replace the strings labeled “bundle-identifier” and “bundle-version” above with those strings.
  4. The size in bytes of the application package. Replace the string labeled “sizeInBytes” above with this.

When the manifest file (“something.plist”) has been successfully created, it needs to be moved to the same server that is actually serving the installer package. Best practice is probably to place both the manifest plist file and the installer package file in a directory appropriately named on the https server. So, for example, if our application was named “Example.app”, we might have Example.pkg and manifest.plist files sitting on the server in a directory named “Example”.

The LDMS Manifest Package UI

Once we have the package and manifest file build correctly and hosted on our https server of choice, filling out the LDMS Manifest Package UI is pretty simple. I paste the manifest file url into a web browser, load it up, and copy and paste the bundle id and version into the LDMS Manifest Package UI, along with the manifest file url.

Conclusion

Well, there you go, you now have all of the information you need to be able to build your own manifest distribution packages for the LDMS MDM solution. I can vouch for these instructions, as they have allowed me to attain nearly a 25% success rate manually setting things up. I’m sure you can do even better…

But we couldn’t get anywhere getting our own work done without starting to automate some of the pieces of this task, and at this point we’ve managed to produce an early version of an app we’re calling Manifester, which you can point at an application bundle, or a directory with an application bundle, put in your signing cert, and have it create a directory with an installer package and manifest file in it that you can just copy to the correct location on your https server:

manifester

Manifester will create a .manifestation folder which you then upload to the location on your https webshare that you specified in the Manifester UI.

manifest-output

Manifester currently supports creating manifest distribution for macOS applications. We will be enhancing it as we get time to support other file types (probably fonts will be first). It should be available through the LANDESK Community site soon after the first of the year.

 

 

 

Assigning DEP Enabled Devices to an Apple MDM Server

The Holy Grail

Zero-touch configuration for IT, the holy grail of device management!  This is the promise of a DEP enabled device.  Just buy it and turn it on, it’ll pull down your designated management profile once the device has an established Internet connection and all of the associated settings and applications assigned will be deployed to the device.

Easy, right?  For the most part, yes it is.  All you need to do is make sure your DEP enabled devices, purchased from Apple or from an authorized DEP reseller, are associated with an Apple MDM server.  In turn, that Apple MDM server needs to be configured with your MDM management service.  To configure LANDESK as your preferred MDM server, see my previous blog post.

Today’s discussion will simply focus on getting those Apple devices enrolled with Apple’s MDM server.  While the process only takes a few minutes, it is a required step for that zero-touch configuration; so don’t skip it.

Adding an Apple Device to an Apple MDM Server

  1. Browse to https://deploy.apple.com from your browser of choice deplogin
  2. Provide your Apple ID associated with your DEP account – enroll with Apple here if you have not yet performed this step
  3. Provide your two-factor authentication verification code; this is required by Apple for DEP management2factor
  4. From the menu bar on the left, select Manage Devices
  5. Select your desired radio button to add devices by Serial Number, Order Number or via a CSV Uploadserialnumber-assign
  6. Select the action Assign to Server under Step 2 and find your appropriate server from the drop down list and hit OKassign-complete

And that’s it.  Now when you unbox your shiny new Apple device, whether it be an iOS or macOS device, once it has an Internet connection (the touch part in the zero-touch process 🙂 ), it’ll pull down the assigned profile from your MDM server.  Then, anytime the device is reset, the process will re-enage, ensuring that device always has your MDM profile assigned.

How to Customize and Silently Deploy Cisco AnyConnect 4.x

If you’re an existing 3.x consumer of Cisco AnyConnect you may be surprised when you load up the 4.x installer and find your users have a plethora of additional features; like Web Security, System Scan, Roaming Security and AMP Enabler.ciscoanyconnect-all

If these are features you’re planning on using, great, you’re all set.  If you were just hoping to leverage the VPN, well, all is not lost.  You can easily customize the installer, providing it a set of instructions indicating what modules you want installed and what modules you want blocked – and it’s all done via a simple PLIST file.

I’ve included the entire example PLIST I used to block everything but the VPN as well as the installer script for LANDESK on my GitHub site here.

Let’s discuss the PLIST first.  Here is an example of one of the dictionary objects found in the PLIST file, in this case it is for the VPN feature.

 <dict>
    <key>attributeSetting</key>
    <integer>1</integer>
    <key>choiceAttribute</key>
    <string>selected</string>
    <key>choiceIdentifier</key>
    <string>choice_vpn</string>
 </dict>

Basically we have a dictionary of values that define the module and tell the installer of whether it should be installed by setting the Integer value to 1.  If you want to block the given module, set the integer value to 0.  Look at the string value to figure out what module you’re enabling or disabling.

You shouldn’t need to adjust any of the other settings.  So go ahead and download the example PLIST file I have on my GitHub site and finish customizing it for your environment.  My PLIST file has everything disabled  outside of the VPN.  If you were to manually install the application, you’d see the window below.  manualinstallciscooptions

Now that you have your PLIST ready to go, you need to save it as ‘ChoiceChangesCiscoAnyConnect.plist’ so it can be properly referenced in our installer script.  If you save it as something else, just make sure you make the appropriate change in your installer script.

OK, we’re now ready to create the installer script.  For simplicity, I’m going to build my installer script to do both the downloading of the AnyConnect package file, the PLIST file we just created and then it’ll kick off the installer – all using SDClient so I can take advantage of the bandwidth and throttling settings.

The entire installer script is pasted below.  In your environment, you’ll likely only need to change the plistFilePath and packageFilePath variables.  The script copies everything to a folder titled CiscoAnyConnect inside of sdcache.  I  purposely chose to put everything in the sdcache folder as the script doesn’t purge anything when finished, letting the standard sdcache cleanup process take care of that at the appropriate time.

Once you have your paths set, you should be ready to go.  You’ll notice that SDClient is used, with several arguments, to download the files.  The -noinstall argument is quite obvious, it tells SDClient to just download and not do anything else.  The -package is telling SDClient where to obtain the file and the -destdir argument is telling SDClient where to copy the file to.

/Library/Application\ Support/LANDesk/bin/sdclient -noinstall -package "$packageToCopy" -destdir "$destinationLocation"

As mentioned before, the script copies down the PLIST file and the Cisco installer.  If you have a DMG version of the Cisco Installer, just mount it on a Mac and copy out the AnyConnect.pkg from the DMG.  I copied mine directly to my standard SWD file share.

Then the scripts wraps up by executing the AnyConnect.pkg installer with a few arguments as well.  We tell macOS we want it to run a pkg intsaller and point to where that file is.  In my example, it’s in the /Library/Application Support/LANDesk/sdcache/CiscoAnyConnect folder.  I leave the -target path empty, basically letting the installer put where it’s designed to.  I then add the flag -applyChoiceChangesXML so that it knows customization is to be performed and I supply the path to that name/file.

installer -pkg "$destinationLocation"/"$packageName" -target / -applyChoiceChangesXML "$destinationLocation"/"$plistName"

And that’s it.  You now have everything you need to deploy your package.  Save out your installer script, I named mine ciscoAnyConnect4.3Deploy.sh but you can name yours whatever you want.

As always, once saved, make sure you give the script the execution permissions by opening Terminal and running:

sudo chmod +x /path/to/script.sh

Now copy your installer script to your LANDESK SWD file share.  I used the same path for my script, PLIST file and AnyConnect.pkg installer.

Once you’ve copied up your script, you just need to create your LANDESK Mac package so you can target and silently deploy Cisco AnyConnect with all of your customizations.

Creating LANDESK Management Suite Mac Packages

  1. Open the LANDESK Console
  2. Navigate to the top menu bar, select Tools > Distribution > Distribution Packages.
  3. In the lower left menu tree, highlight My Packages or Public Packages from within the Distribution Packages window
  4. On the Distribution menu bar, press the New Package button and select New Macintosh Agent package.
  5. Give the package a name
  6. Provide a description as well as any metadata information desired
  7. Set the primary file to the script file you previously transferred to your package share
  8. Fill out the Metadata details if desired, specifically supplying a logo so it shows up properly in the portal
  9. Save the package

Creating a Scheduled Mac Software Distribution Task

  1. Right click on the Mac software distribution package created and select Create Scheduled Task
  2. From the network view, select and drag the desired machine(s), user(s) or query(ies) and drop them onto the task
  3. Now, right click on the task and select properties
  4. Set the desired Task type under Task Settings as to whether you want a push, a policy or a hybrid of the two types in a policy-supported push
  5. Set the radio button in the Portal Settings to either Recommended or Optional if you desire to put the package into Workspaces.  If you’d like to automatically deploy the app, select Run automatically
  6. Change the Reboot Settings or Distribution and Patch settings if desired
  7. Set the schedule task settings with the appropriate start time

PLIST File

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
 <dict>
 <key>attributeSetting</key>
 <integer>1</integer>
 <key>choiceAttribute</key>
 <string>selected</string>
 <key>choiceIdentifier</key>
 <string>choice_vpn</string>
 </dict>
 <dict>
 <key>attributeSetting</key>
 <integer>0</integer>
 <key>choiceAttribute</key>
 <string>selected</string>
 <key>choiceIdentifier</key>
 <string>choice_websecurity</string>
 </dict>
 <dict>
 <key>attributeSetting</key>
 <integer>0</integer>
 <key>choiceAttribute</key>
 <string>selected</string>
 <key>choiceIdentifier</key>
 <string>choice_fireamp</string>
 </dict>
 <dict>
 <key>attributeSetting</key>
 <integer>0</integer>
 <key>choiceAttribute</key>
 <string>selected</string>
 <key>choiceIdentifier</key>
 <string>choice_dart</string>
 </dict>
 <dict>
 <key>attributeSetting</key>
 <integer>0</integer>
 <key>choiceAttribute</key>
 <string>selected</string>
 <key>choiceIdentifier</key>
 <string>choice_posture</string>
 </dict>
 <dict>
 <key>attributeSetting</key>
 <integer>0</integer>
 <key>choiceAttribute</key>
 <string>selected</string>
 <key>choiceIdentifier</key>
 <string>choice_iseposture</string>
 </dict>
 <dict>
 <key>attributeSetting</key>
 <integer>0</integer>
 <key>choiceAttribute</key>
 <string>selected</string>
 <key>choiceIdentifier</key>
 <string>choice_nvm</string>
 </dict>
 <dict>
 <key>attributeSetting</key>
 <integer>0</integer>
 <key>choiceAttribute</key>
 <string>selected</string>
 <key>choiceIdentifier</key>
 <string>choice_umbrella</string>
 </dict>
</array>
</plist>

Installer Script

#!/bin/sh

# ciscoAnyConnect4.3Deploy.sh
# Created by Bennett Norton on 11/30/16.


#File to copy
#change this to match your hosted path, it needs to be http
plistName="ChoiceChangesCiscoAnyConnect.plist"
packageName="AnyConnect.pkg"
plistFilePath="http://yourFileShareServer/Path/To/PLIST"
packageFilePath="http://yourFileShareServer/Path/To/CiscoAnyConnect"
packageToCopy="$packageFilePath"/"$packageName"
plistToCopy="$plistFilePath"/"$plistName"

#Location to copy file to
#change this to match your destination path
destinationLocation='/Library/Application\ Support/LANDesk/sdcache/CiscoAnyConnect'

#Check to see if destination exists and if not, create it
if [ ! -d "$destinationLocation" ]; then
echo "Location doesn't exist. Creating directory"
mkdir $destinationLocation
echo "$destinationLocation created"
fi

#Download and execute command
#You shouldn't need to make any changes here
#-noinstall ensure the package does not get executed when downloaded
#-package is the source url path
#-destdir is the destination url path
/Library/Application\ Support/LANDesk/bin/sdclient -noinstall -package "$packageToCopy" -destdir "$destinationLocation"
/Library/Application\ Support/LANDesk/bin/sdclient -noinstall -package "$plistToCopy" -destdir "$destinationLocation"
installer -pkg "$destinationLocation"/"$packageName" -target / -applyChoiceChangesXML "$destinationLocation"/"$plistName"