Distributing Enterprise Applications to macOS devices using MDM

Distributing Enterprise Applications to macOS devices using MDM

In an earlier blog post, Bennett described how to create and deploy VPP software packages to macOS and iOS devices using LANDESK Management Suite 2016.3 and later. You may have noticed a radio button in the console UI that, at the time, was ignored:

manifest-url-package

Yep, you can deploy your own software packages using LDMS MDM, not just those software applications available on the App Store.

If you select the Manifest URL button, you get some additional UI:

mdm-properties

The additional UI allows you to enter the URL of a manifest plist file, and the Bundle ID and version of the application being installed. This can seem pretty daunting. Thank goodness Apple has provided a web page documenting the requirements for software distribution via MDM. It’s a good read, and answers a lot of questions, but, at least for me, it didn’t get to the point of being able to create something I could distribute via MDM. But let me summarize:

To distribute software or other things (like fonts for example), you need:

  1. Create an installer package (a .pkg file) created with the productbuild command-line tool, and signed with the root certificate of your mdm solution.
  2. A manifest file in the form of a property list (.plist) which describes and points to the installer package in very specific ways (see the above link for a sample)
  3. A webshare, accessible from your intranet or the Internet. You can place the package and manifest file in a hidden directory or in any location that’s readable using https. It must be readable using https, and using a non-self-signed certificate, since Apple URL services will not connect via https to a server with a self-signed cert.

Once you have these three things, you can fill out the Manifest URL UI to create an LDMS package to distribute to enrolled macOS devices using MDM.

The installer package

Creating an installer package for an application you want to install can be as easy as running the command line tool product build. For example, to create an installer package on my external drive “Work” for Google Chrome, which is sitting in my Applications folder, the following terminal command will do the trick:

productbuild --component "/Applications/Google Chrome.app" "/Applications", "/Volumes/Work/Google Chrome.pkg" --sign identity-name

You will need to replace identity-name with the name of a valid signing certificate on your computer. If you have enrolled your macOS device in the LDMS MDM service, you can find the certificate for the MDM service in your system keychain. This is a valid signing certificate for deployment with our MDM solution.

The manifest file

If you read the Apple documentation (see above), you were given an example manifest file to fill out with our package-specific info (I’ve simplified this by removing some items that are not applicable to the LANDESK environment:

Sample macOS content manifest file for an application bundle
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">
     <dict>
         <key>items</key>
         <array>
              <dict>
                   <key>assets</key>
                   <array>
                       <dict>
                            <key>kind</key>
                            <string>software-package</string>
                            <key>md5-size</key>
                            <integer>10485760</integer>
                            <key>md5s</key>
                            <array>
                                 <string>41fa64bb7a7cae5a46bfb45821ac8b99</string>
                                 <string>51fa64bb7a7cae5a46bfb45821ac8b98</string>
                                 <string>61fa64bb7a7cae5a46bfb45821ac8b97</string>
                            </array>
                            <key>url</key>
                            <string>https://www.example.com/apps/myapp.pkg</string>
                       </dict>
                   </array>
                   <key>metadata</key>
                   <dict>
                       <key>bundle-identifier</key>
                       <string>com.example.myapp</string>
                       <key>bundle-version</key>
                       <string>1.0</string>
                       <key>items</key>
                       <array>
                            <dict>
                                 <key>bundle-identifier</key>
                                 <string>com.example.myapp-unique</string>
                                 <key>bundle-version</key>
                                 <string>1.7.4</string>
                            <dict>
                       </array>
                       <key>kind</key>
                       <string>software</string>
                       <key>sizeInBytes</key>
                       <string>26613453</string>
                       <key>title</key>
                       <string>Example My App Package</string>
                   </dict>
              </dict>
         </array>
     </dict>
</plist>

Things to know about if you are planning to do this by hand:

Once we have the package built as above, to fill out this manifest file, the application needs to know:

  1. The location of the the installer package on the https server. Replace “https://www.example.com/apps/myapp.pkg” with the actual name and location of the hosted package.
  2. The md5-hash of each 1 megabyte chunk of the installer package file. Replace the array of md5 hash (labeled “md5s” above) with the actual hashes.
  3. The bundle identifier and version of the application you are installing. Replace the strings labeled “bundle-identifier” and “bundle-version” above with those strings.
  4. The size in bytes of the application package. Replace the string labeled “sizeInBytes” above with this.

When the manifest file (“something.plist”) has been successfully created, it needs to be moved to the same server that is actually serving the installer package. Best practice is probably to place both the manifest plist file and the installer package file in a directory appropriately named on the https server. So, for example, if our application was named “Example.app”, we might have Example.pkg and manifest.plist files sitting on the server in a directory named “Example”.

The LDMS Manifest Package UI

Once we have the package and manifest file build correctly and hosted on our https server of choice, filling out the LDMS Manifest Package UI is pretty simple. I paste the manifest file url into a web browser, load it up, and copy and paste the bundle id and version into the LDMS Manifest Package UI, along with the manifest file url.

Conclusion

Well, there you go, you now have all of the information you need to be able to build your own manifest distribution packages for the LDMS MDM solution. I can vouch for these instructions, as they have allowed me to attain nearly a 25% success rate manually setting things up. I’m sure you can do even better…

But we couldn’t get anywhere getting our own work done without starting to automate some of the pieces of this task, and at this point we’ve managed to produce an early version of an app we’re calling Manifester, which you can point at an application bundle, or a directory with an application bundle, put in your signing cert, and have it create a directory with an installer package and manifest file in it that you can just copy to the correct location on your https server:

manifester

Manifester will create a .manifestation folder which you then upload to the location on your https webshare that you specified in the Manifester UI.

manifest-output

Manifester currently supports creating manifest distribution for macOS applications. We will be enhancing it as we get time to support other file types (probably fonts will be first). It should be available through the LANDESK Community site soon after the first of the year.

 

 

 

Create and Deploy a VPP Software Package to a macOS or iOS Device

Creating and deploying a VPP software package to either a macOS or iOS device is a very simple process within LANDESK Management Suite 2016.3.  See the instructions below or watch the short video vignettes to be off and racing down the VPP software distribution track.

macOS VPP Package Creation and Deployment

  1. Open the LANDESK Management Suite Console
  2. Navigate to the top menu bar, select Tools > Distribution > Distribution Packages.
  3. In the lower left menu tree, highlight My Packages or Public Packages from within the Distribution Packages window
  4. On the Distribution menu bar, press the New Package button and select Macintosh > Macintosh MDM macmdmbutton
  5. Give the package a name
  6. Press the arrow button surrounded by the blue circle next to your Token alias mdmpackagecreation
  7. Highlight the desired VPP app and hit the Select button – note only macOS apps will display in this window mdmpackage
  8. Save the package
  9. Right click on the resultant package and select Create Scheduled Task(s)…
  10. Add one or more macOS devices that have been enrolled with MDM
  11. Start the task

 

iOS VPP Package Creation and Deployment

The iOS package creation is nearly identical, so I won’t include screenshots in these steps.

  1. Open the LANDESK Management Suite Console
  2. Navigate to the top menu bar, select Tools > Distribution > Distribution Packages.
  3. In the lower left menu tree, highlight My Packages or Public Packages from within the Distribution Packages window
  4. On the Distribution menu bar, press the New Package button and select Mobile > iOS
  5. Give the package a name
  6. Select the VPP radio button in the right hand pane, select the appropriate token alias if you have more than one VPP token and then click the arrow within the blue circle
  7. Press the arrow button surrounded by the blue circle next to your Token alias
  8. Highlight the desired VPP app and hit the Select button – note only iOS apps will display in this window
  9. Save the package
  10. Right click on the resultant package and select Create Scheduled Task(s)…
  11. Add one or more iOS devices that have been enrolled with MDM
  12. Start the task

Import Apple’s VPP Token into LANDESK Management Suite

With the release of 2016.3, LANDESK Management Suite supports deploying Volume Purchased Applications (VPP) directly within the LANDESK Management Suite console.

To configure LANDESK Management Suite, you need to download your VPP token and import it into the Software Distribution tool.  The directions below will you walk you through each step of this process.

Part 1 – Download Your Token from Apple

  1. Browse to https://vpp.itunes.apple.com/ and login to your appropriate store; either the Business or Education store
  2. Login with your appropriate Apple ID
  3. Press the dropdown button with your appleID at the top right corner and select Account Summary vpptokendownload1
  4. Once on the Account Summary page, click the Download Token link from the Managed Distribution sectionvpptokendownload2

Part 2 – Import your VPP Token into LANDESK Management Suite

  1. Launch the LANDESK Management Suite Console
  2. Go to Tools > Distribution > Distribution Packages and select the second to last icon from the menu bar titled Volume Purchase Program Configuration vpptokenconfig
  3. Click on the Add VPP Token button at the bottom right
  4. Provide an appropriate alias token name.  Since you can import more than one token, make sure your alias helps you identify the difference between your tokens
  5. Click on the ellipsis to import your token you downloaded from Apple’s site
  6. Click the add button vpptokenconfig2

Part 3 – Review Your Purchases and See Available Licenses

You should automatically see all of your purchases and available licenses after clicking the Add button.  If at any point in the future you need to see where you stand, you can open the Volume Purchase Program Configuration utility in SWD or check your Software License Monitoring as all VPP token information is imported into SLM. VPPTokenConfig3.png

How to Distribute Mac App Store Apps with LANDESK Management Suite

Introduction

Installing an OS X application purchased with a VPP token can require a lot of man power. Due to digital rights management, Apple ID’s and user agreements, it’s not easy to just deploy an application as can be done for an application you have the installer for. This whitepaper will discuss how an application installer found in the Mac App Store (MAS) can be captured and used to deploy to your OS X devices.

Overview

The LANDESK Management Suite Mac agent is capable of supporting many different package types, such as dmg, pkg, mpkg, shell scripts, a simple .app, mobileconfig and even .workflow scripts built within Automator.  While this flexibility works in most scenarios, you’ll notice that it requires access to the install files.  If a developer only releases their application via the Mac App Store, such as the iWork suite developed by Apple.  However, with a little bit of work, you can capture the installers from the Mac App Store and subsequently push those applications out.

Pre-Requisites

The LANDESK administrator will need to have access to an OS X device that has purchased the application that is intended to be distributed, yet that does not have the application currently installed.  A VM set aside just for downloading Apps may be an efficient method for the ongoing software distribution.

Note: Ensure you have adequate license coverage via a VPP purchase prior to distributing your application.

Enable Debug Mode for the Mac App Store (MAS)

When an application is downloaded from the MAS, the installer file is downloaded, executed and then promptly removed.  By enabling debug mode for the MAS, we can create a link to the downloaded installer(s) allowing for future use on more than just the machine currently downloading the app.

  1. Quit the Mac App Store if currently opened
  2. Open Terminal and run the command ‘defaults write com.apple.appstore ShowDebugMenu -bool true’

EnableDebug.png

Note: To disable debug mode, use the following command: ‘defaults write com.apple.appstore ShowDebugMenu -bool false’

Download the Installer for the App to Patched

Once the debug mode is enabled, it will be possible to capture the download installer file for later use in patching.

  1. Launch the App Store App (notice you should now have a Debug menu item) and navigate to the Purchased tab.  Sign in if prompted.
  2. Select the app to be patched and click Install
  3. Once the install process shows visible progress in the download process, hit the pause button
  4. From the Debug menu, select the option Show Download Folder
  5. Finder will open and you’ll need to navigate inside the com.apple.appstore folder
  6. Locate the folder with a string of numbers, this should be your app, and navigate inside of it

RandomNameAppStoreApp.png

You now need to create a hard link between the randomly named download to a file name and path of where to store the installer.  You’ll do this by opening Terminal and use the ‘ln’ command followed by the path of the installer from the Mac App Store and then the path to where you want to save your copy of the installer that won’t be deleted as soon as . The easiest way to enter the path of the randomly named installer is to drag and drop it into terminal after typing ‘ln’

  1. Launch Terminal and type ln /path/to/macappstore.pkg /path/to/savedinstaller.pkgHardLink.png
  2. Return to the Mac App Store purchased tab and resume the download
  3. When the installation for your app finishes, you’ll have a signed installer from Apple to use to update your fleet of Mac devices

Automating for Multiple Concurrent Downloads

If the manual linking process described above seems a bit burdensome when in need of downloading many applications, Max Schlapfer has created a script to not only automate the creation of the hard links, but it also has the capability to download multiple files at once.  To download Max’s AppStoreExtract script, see https://github.com/maxschlapfer.  These next steps are not requisite, if you have all of the installers you desire, skip to the next section.

Note: You do not need the Debug mode enabled for the Mac App Store, as outlined above, for this script to work.

  1. Download Max’s script from Github and extract it to a folder location of choice
  2. Open terminal and execute the script by typing in ‘./path/to/script/AppStoreExtract.sh’ and hitting Return
    1. Note: Do not run this script as root.                                                                                                        AppStoreScriptWaiting.png
  3. Launch the App Store App and navigate to the Purchased tab.  Sign in if prompted.
  4. Click Install on all of the Apps you want to create installers for and wait for them to complete the install process
  5. When the installation process has finished, return to the Terminal window and hit any key to finish the script.  When asked to finalize the packages, type Y.TerminalAppStoreExtractProcess.png
  6. The script will name the output files according the product and version and then convert them to DMG files and store them in the /Users/Shared/AppStore_Packages folderOutputAppStoreExtract.png

Creating LANDESK Management Suite Mac Packages

Now that you have the installers downloaded from the Mac App Store, creating the LANDESK Mac package is the easy part.  You just need to copy all of the installers you’ve created to your package share.  If you have a .pkg file, make sure you zip it prior to copying into a Windows file share.  If you have dmg files, you can copy those directly to your package location.

  1. Open the LANDESK Console
  2. Navigate to the top menu bar, select Tools > Distribution > Distribution Packages.
  3. In the lower left menu tree, highlight My Packages or Public Packages from within the Distribution Packages window
  4. On the Distribution menu bar, press the New Package button and select New Macintosh Package.
  5. Give the package a name
  6. Provide a description as well as any metadata information desired                PackageProperties.png
  7. Set the primary file to the zip or dmg  file you previously transferred to your software distribution folder
  8. Fill out the Metadata details if desired, specifically supplying a logo so it shows up properly in the portal
  9. Save the package

Creating a Scheduled Mac Software Distribution Task

  1. Right click on the Mac software distribution package created and select Create Scheduled Task
  2. From the network view, select and drag the desired machine(s), user(s) or query(ies) and drop them onto the task
  3. Now, right click on the task and select properties
  4. Set the desired Task type under Task Settings as to whether you want a push, a policy or a hybrid of the two types in a policy-supported push
  5. Set the radio button in the Portal Settings to either Recommended or Optional if you desire to put the package into Workspaces.  If you’d like to automatically deploy the app, select Run automatically
  6. Change the Reboot Settings or Distribution and Patch settings if desired
  7. Set the schedule task settings with the appropriate start time