Monday, November 14, 2016

VPP & OS X Device Assignment

After having struggled for quite some time, here's what I found out when deploying VPP apps to clients running OS X or macOS using device bases assignment.

In this case we were using OS X 10.11.6 El Capitan.

This means that the apps are assigned to the device and not to the user.

One thing that was especially irritating was that we often had a dialog popping up:

«storedownloadd is trying to install new software.
Type an administrator's name and password to allow this.»

The problem is: we are deploying the software to client whose users are not administrators.

So, what's the solution?

Well, thing is, there are several players to the game.

In order to have VPP apps being installed to your computer, you need:

  1. A working VPP deployment system
  2. Correct settings in Restriction Profiles applied to the clients
  3. Correct settings in the App Store PrefPane being used by the clients software update mechanism.

1. Working VPP

Actually I found this to be the easiest of all.

We use FileWave to deploy our apps, but the problems we were having were independent of any special software.

2. Restriction Profiles

In order to really understand what's going on if you deploy VPP apps to the device, you need to know this: The apps being installed from VPP are actually being installed by the user currently logged in.

This means this:
  • The local user has to be able to install apps.
  • The user has to be able to use the app store
  • A non admin user has to be able to install apps
  • If no-one is logged in, apps are not being installed
If we look at a restriction profile, this is what we see:

In here there are two points:
One is: «Require admin password to install or update apps».
This has to be turned of because otherwise only admins are able to install apps.
Remember VPP is using the current user to install the apps which might not be an admin user.
This would make this dialog mentioned above to pop up and the app would not be installed correctly.

3. App Store Settings

In the App Store Pref Pane there are two things that need to be set correctly.
It should look something like this:
Two of these points seem to be affecting the deployment of VPP apps:
First we need to enable 'Automatically check for updates' in order to get the mechanism to work.
Second, the item 'Install app updates' has to be enabled.

The reason for this seems to be that the software deploying an app to a device seems to actually be assigning a license to the device, the installation all updates of the app itself are being done via App Store. So if we close down the app store for a client, it won't be able to download and install any apps.

I used a script to remove any previously configured settings to the app store and configure them as required. The script looks like this:


# Configure app store to only download critical system updates and vpp apps

# Information taken from:

# Switch off Software update schedule
/usr/sbin/softwareupdate  --schedule off

# Remove App Store Preferences
/usr/bin/defaults delete /Library/Preferences/

# Remove Softwareupdate Preferences
/usr/bin/defaults delete /Library/Preferences/

# Enable automatic update checking
/usr/bin/defaults write /Library/Preferences/ AutomaticCheckEnabled -bool YES

# Disables automatic update download
/usr/bin/defaults write /Library/Preferences/ AutomaticDownload -bool NO

# Enable automatic Configuration Data
/usr/bin/defaults write /Library/Preferences/ ConfigDataInstall -bool YES

# Enable critical updates
/usr/bin/defaults write /Library/Preferences/ CriticalUpdateInstall -bool YES

# Disable App restart
/usr/bin/defaults write /Library/Preferences/ AutoUpdateRestartRequired -bool NO

# Disable app updates
/usr/bin/defaults write /Library/Preferences/ AutoUpdate -bool YES

# Switch off Software update schedule
/usr/sbin/softwareupdate  --schedule on

exit 0
Deploying this script to my clients configured the correct settings.

Now deploying VPP apps to OS X devices is working correctly.