Applixure Mac Agent mass-deployment considerations

This article contains further instructions and guidance for deploying Applixure Agent for Mac to multiple Mac computers using a suitable Mobile Device Management or software distribution tool such as JAMF, Mosyle or Fleetsmith.

Please note that if you intend to install Applixure Mac Agent on only a few computers, Applixure recommends using the original Mac Agent installation disk image (DMG file) directly instead of following the instructions outlined in this article.

 

Note: An older version of this document gave instructions for creating a self-contained wrapper PKG file. That method is now superseded, and we don't generally recommend re-packaging the Agent.

 

Background

By default, the installer for Applixure Mac Agent is provided as a disk image file, identifiable by the DMG extension. This DMG file must first be mounted on each target Mac computer, and after successful mounting the actual installer, in the macOS installer's PKG format, must be run from the mounted volume at /Volumes/Applixure.

As part of the installation, the Mac Agent installer has to determine which Applixure Environment the Agent must report its data to. With a DMG file generated for the environment-specific download, Applixure includes this information inside the disk image as a hidden file called .environment_init. Without an environment id, Applixure Agent cannot be installed on a machine.

Apple's current guidelines for software distribution on macOS require that all installer packages are digitally signed and then notarized against Apple's servers; otherwise macOS refuses to run the package. Because of these signing and notarization requirements, Applixure is not able to customize the contents of the PKG installer file itself with the environment information. Therefore, when mass-deploying Applixure Mac Agent using a software distribution tool, this environment information must also be somehow carried with the PKG file.

For this reason, the Applixure Mac Agent installer now employs multiple tactics to check for the existence of an environment id. Some of these might not be deployable with the tool of your choice, so you might need additional preparations according to the choices available. In the majority of cases, however, the PKG file downloaded as part of the Mac Agent Deployment Kit should work as-is in any product capable of doing custom application (PKG) installations.

 

Downloading Deployment Kit

On the Applixure Agent download page, there is now a new download option for the Mac Agent for mass-deployment scenarios.

This will download a ZIP file containing files suitable for mass deployment of the Mac Agent, instead of the DMG file that is more suitable for manual one-by-one installations of the Agent.

The kit contains the same PKG installer packages that are included in the DMG as well, but the installation PKG has been renamed so that it contains the environment id as part of its filename (such as InstallApplixureAgent.81e0403e-436d-4cd2-8f7c-4733bd3f4742.pkg).

The installer will try to find the correct id using the following steps:

 

Detection from the filename

If your deployment tool is able to deliver and execute the PKG file on the target Mac machines as-is, that is, it will NOT rename the PKG file on the target machine after downloading it there, the installation procedure finds the environment id directly from its own package's filename. Note that the PKG file must be named exactly as presented above, as it comes from the ZIP file.

 

Detection from the external file

If, however, your distribution tool will not preserve the PKG filename as-is on the client, you can provide an additional initialization file for the installer to find.

The kit contains an additional file called environment_init that you will need to distribute to the Mac devices alongside the PKG file. If the init file is located in the same directory from which the PKG is run, the installation script will use the environment_init file as the source for environment information. With simpler MDM tools this might not be a feasible option, as custom application installations are run from random directories determined by the MDM tool at installation time. The option is there for cases where you are doing some custom delivery in which you can control the files on the target machine, such as with scripting.

 

Detection from the PKG itself

As an additional source of information about the environment id to use, the PKG file delivered within the ZIP file has been modified to contain the id as additional data in the PKG file itself. This additional data should not disturb the signature of the package or its notarization status, and will pass through all delivery mechanisms that do not try to make any change to the content of the PKG file itself, which should be virtually 100% of them. However, any attempt at repackaging the Applixure Agent found inside the PKG will likely destroy the information, which is why we cannot recommend any repackaging.

If the PKG is passed as-is to the device, the installation procedure should be able to find the environment id as a last resort from the package itself (after the filename or the external initialization file, in that order).
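
The lookup order described above can be checked before a rollout with a small pre-flight script. This is an added example, not part of Applixure's kit or installer logic: the function names are hypothetical, the contents of environment_init are not parsed, and the data embedded in the PKG is not inspected because its format is not documented here.

```shell
#!/bin/sh
# Added example: pre-flight check for a PKG as staged by a deployment tool.
# Function names are hypothetical; this is not Applixure's installer logic.

UUID_RE='[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'

# Print the environment id carried in the PKG filename; fail if renamed.
env_id_from_filename() {
    basename "$1" \
        | grep -E -o "^InstallApplixureAgent\.${UUID_RE}\.pkg$" \
        | grep -E -o "$UUID_RE"
}

# Print which id source would be found first, in the article's order.
# The embedded package data has no documented format, so it is not inspected;
# "package-data-only" means the install depends on that last resort.
id_source() {
    dir=$(dirname "$1")
    if env_id_from_filename "$1" >/dev/null; then
        echo "filename"
    elif [ -s "$dir/environment_init" ]; then   # present and non-empty
        echo "external-file"
    else
        echo "package-data-only"
    fi
}

# macOS only: confirm signature and notarization survived delivery.
check_signature() {
    if ! command -v pkgutil >/dev/null 2>&1; then
        echo "signature check skipped: pkgutil not available"
        return 0
    fi
    pkgutil --check-signature "$1" >/dev/null \
        && spctl --assess --type install "$1"
}

# Run only when a PKG path is given on the command line.
if [ "$#" -ge 1 ]; then
    echo "environment id source: $(id_source "$1")"
    check_signature "$1" || echo "WARNING: signature or notarization check failed"
fi
```

Running it against the file exactly as your tool stages it on a test Mac shows whether the filename survived delivery and whether the package still passes the signature and Gatekeeper checks.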

 

Upgrade scenarios

When upgrading the Mac Agent version on the target devices with a newer installation package, the package will automatically read the existing installation's environment information and use that, if none of the methods described above results in an environment id being read from somewhere else first.

 

Configuration Policy files for Full Disk Access

In addition to the installer and uninstaller files, the deployment kit for Macs also includes .mobileconfig files for enabling Full Disk Access for the Applixure Mac Agent in managed device scenarios.

Applixure Agent is able to operate on the target machines without Full Disk Access being granted to it (in non-managed device scenarios, granting it is something that each user or admin has to do individually on each machine), but not having that privilege might limit the scope of data that Applixure Mac Agent is able to report from the machines.

For this reason, ready-made configuration files are provided in both signed (Applixure Agent Permissions-signed.mobileconfig) and non-signed (Applixure Agent Permissions.mobileconfig) forms to distribute this privilege through the MDM system to the devices. Please refer to your MDM system's documentation on how to deliver custom policy files using these files as the source, as appropriate.

 

 

 
