Software Deployment Recipes (macOS)

The Software Deployment Recipes section for macOS offers a curated selection of recipes and guides to simplify the deployment of software and applications on your macOS devices. Explore best practices for automating software installations, customizing settings, and managing updates efficiently. Whether you're deploying apps across a single Mac or managing a fleet of devices, these recipes provide valuable insights into package creation, deployment methods, and utilizing macOS management tools. Enhance productivity, streamline software distribution, and maintain control over your macOS ecosystem with these tried-and-tested deployment recipes.

Amazon Kindle Deployment (macOS App)
Audacity and Lame Deployment (macOS)
Box Sync Deployment (macOS)
Comic Life Deployment (macOS Fileset Magic)
CrowdStrike Falcon Protection (macOS)
Fileset recipe to block applications by name (macOS Script)
Firefox Configuration Recipe (macOS)
Microsoft Defender Recipe (macOS)
Homebrew Deployment (macOS Script)
iBooks Author Deployment (macOS App)
Installomator - The one installer script to rule them all (macOS PKG)
Lightspeed Smart Agent Deployment (macOS 2023)
Lightspeed Smart Agent Deployment (macOS v2.3.1+ using Certificate Manager)
Microsoft Office Deployment (macOS)
SentinelOne Deployment (macOS)
Microsoft Skype Deployment (macOS App)
PaperCut recipe (macOS)
Parallels Desktop for Mac Business Edition Deployment (macOS)
Renew - A tool to get users to reboot periodically (macOS Script)
swiftDialog Deployment (macOS PKG)
VMware Carbon Black Cloud sensor recipe (macOS)
Wacom Tablet Deployment (macOS Fileset Magic)
XCreds - Log in to your Mac with your Cloud Password (macOS PKG)
Google Chrome (macOS)

Google Chrome Configuration recipe (macOS)
Google Chrome Managed (macOS)
Google Chrome Extension Management (macos)
Google Chrome Install Recipe (macOS)

Amazon Kindle Deployment (macOS App)

Description

To create a Kindle.app Fileset, there is no need for Fileset Magic. Instead, drag-and-drop into a template Fileset will do it.

The Kindle App is also on the App Store, so you are able to use VPP.

These instructions will also work.

Ingredients

FW Admin
(Other tools, features, and applications that will be needed)

Directions

Download and install Kindle.app on your FW Admin computer. You can do this through the App Store, but for easier updating we recommending visiting amazon.com (http://www.amazon.com/kindlemacdownload/ref=klp_mac ) and downloading the kindle app.dmg from there.
Import the attached fileset ( Kindle-template.fileset.zip ) into FileWave Admin , and double-click it to open it.
Drag the Kindle.app from your Applications folder into the Applications Folder in of the Fileset.
You FileSet is ready to deploy !
Important: If a user accidentally deletes / uninstalls the Kindle.app, it will not run again unless:
- You deploy this app with FileWave Kiosk. This way if a user accidentally deletes – uninstalls the Kindle.app, he will have the option to make the app run through kicking on Uninstall and then again on Install on the Kiosk.
- Otherwise the FW Admin will have send a "reinstall selected fileset" command to make the Kindle.app open again

Audacity and Lame Deployment (macOS)

Description

Audacity is a great free, open source, cross-platform audio software for Mac OS, Windows, and Linux.

Ingredients

FW Central
Latest version from Audacity (https://www.audacityteam.org/download/)
Latest version of Lame for Audacity (https://lame.buanzo.org/)

Directions

Audacity Application

The application is a simple drag-n-drop deployment

Download the latest
open the download and move the application to your applications folder
Drag it form your application folder to your FileWave admin Fileset View

Lame

The Lame libraries are an add-on best sent as a secondary fileset.

Download the latest version of lame for Audacity
uncompress the download and install
Download the attached template fileset - Audacity Plugin - LAME-Template.fileset.zip
Uncompress and import into FileWave Admin
Replace the placeholder file with the ones from your system



Lame fileset before



Lame fileset after

Box Sync Deployment (macOS)

Description

Box Sync is a desktop sync application that keeps all your files safe and secure in the cloud, while having them available on your computer and accessible from anywhere, on any device with Box mobile apps. No matter how you work, Box Sync helps you keep your files organized, safe, and always in sync with your business.

Ingredients

FW Central
(Other tools, features, and applications that will be needed)

Directions

Create a new empty fileset (From the Fileset View : New Desktop Fileset > Empty : Type a Name > OK)
With it selected: Click the Scripts item in the button bar
Create a new activation script and name it.
Paste the script below and edit
The fileset is composed of a script that downloads the latest version of Box Sync from the Box CDN and executes the Install .app to install Box Sync. It uses a bootstrapped provided by box that allows the installation from any user account. Once the app is installed it configures itself for the customers account and prompts the customer to log into their Box Account.

#!/bin/bash
# Original Script by Bryson Tyrrell | bryson.tyrrell@gmail.com | http://twitter.com/bryson3gps
# Modified on December 16, 2015 by Gilbert Palau | Univision Desktop Engineering | gpalau@univision.net
#
# The BoxEdit components Box Local Com Server.app and Box Edit.app are launched via launch_app.sh code 
# added with permission of Elliot Jordan <elliot@lindegroup.com>
# launch_app was created on 02-10-2015 and last modified by Elliot Jordan on 02-27-2015  | v1.2
# Integrated on 12-18-2015 by Gilbert Palau | Univision Desktop Engineering | gpalau@univision.net
#
# Much thanks to Bryson, who figured out the command line to install from within the app...
# Install\ Box\ Tools.app/Contents/MacOS/Box\ Tools\ Installer -silent -local

policy="Box Edit 3.1.2"
loggertag="system-log-tag"
tmpdir="/tmp/"
downloadurl="https://e3.boxcdn.net/box-installers/boxedit/mac/currentrelease/BoxEditInstaller.dmg"
# Knock Knock... Who is there?
CURRENT_USER_LOGIN_PID=$(ps auxww | grep "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow" | grep "$CURRENT_USER" | grep -v "grep" | awk '{print $2}')
CURRENT_USER=$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')

# Download BoxEdit Package from EvilBox
				echo ""
				echo "Downloading Box Edit"
				webCheckSum=$(curl -sI $downloadurl | tr -d '\r' | awk '/Content-Length/ {print $2}')
				curl -fkS --progress-bar $downloadurl -o /$tmpdir/BoxEditInstaller.dmg
				# curl -fkS --progress-bar https://e3.boxcdn.net/box-installers/boxedit/mac/currentrelease/BoxEditInstaller.dmg -o /tmp/BoxEditInstaller.dmg
				fileCheckSum=$(cksum /$tmpdir/BoxEditInstaller.dmg | awk '{print $2}')
				if [ $webCheckSum -ne $fileCheckSum ]; then
						rm /$tmpdir/BoxEditInstaller.dmg
						echo "The file did not download properly, exiting..."
						exit 101
				fi
				echo "Mounting Box Edit DMG..."
				hdiutil attach -quiet /$tmpdir/BoxEditInstaller.dmg
				if [ $? -ne 0 ]; then
						rm /$tmpdir/BoxEditInstaller.dmg
						echo "The Box Edit DMG failed to mount properly, exiting..."
						exit 102
				fi
				cp -fR /Volumes/Box\ Tools\ Installer/Install\ Box\ Tools.app /$tmpdir/
				hdiutil eject -quiet /Volumes/Box\ Tools\ Installer/
				rm /$tmpdir/BoxEditInstaller.dmg
				echo "Running the Box Edit Installer app"
				# This is the golden goose... Thanks Bryson!
				/usr/bin/su $CURRENT_USER -c "/$tmpdir/Install\ Box\ Tools.app/Contents/MacOS/Box\ Tools\ Installer -silent -local"
				
echo "Finished"
exit 0

Comic Life Deployment (macOS Fileset Magic)

Description

A simple way to install Comic Life on macOS and record that it was registered. Ensure that you are properly licensed for the application.

Last tested with ComicLife 3.5.8

Ingredients

FW Central / Fileset Magic
ComicLife app (http://plasq.com/apps/comiclife/)

Directions

Do Initial Fileset Magic capture
Install ComicLife
- unzip latest version
- place into application folder
- drag/import from the application folder
Launch ComicLife
- Accept License
- Select "Register"
- Enter Org name
- Enter Serial Number
Close ComicLife
Open it again
- This time it will ask about automatic updates and "staying in touch", I like to turn them off
Close ComicLife again
Do second Fileset Magic scan (capturing changes)
- Make sure to move items to all users

CrowdStrike Falcon Protection (macOS)

Description

Needing to deploy to CrowdStrike Falcon antivirus to your macOS fleet? FileWave has you covered.

CrowdStrike's flagship product is called Falcon, which is a cloud-native platform that combines next-generation antivirus, endpoint detection and response (EDR), threat intelligence, and proactive threat hunting. Falcon aims to provide real-time visibility into endpoint activity, rapid threat detection, and automated response to security incidents.

Ingredients

FileWave Admin Central
CrowdStrike Falcon Profile (Intel or Apple Silicon)
CrowdStrike PKG installer
CrowdStrike License code

Directions

Deploying the CrowdStrike Falcon to your devices

CrowdStrike deployment for macOS requires two Filesets: one TCC profile and the PKG installer. The TCC profile is dependent on which architecture your macOS fleet is, both are provided in this article for download. The PKG installer has two scripts that will execute with your CrowdStrike Falcon license and check for the TCC profile to be installed before CrowdStrike application.

Download the TCC profile

Note: Please download and verify the TCC profile for your macOS architecture. Below are screen shots of both Intel and Apple Silicon

Intel based macOS devices:

Falcon Profile for Intel.fileset.zip

Intel based TCC Profile

Apple Silicon based macOS devices:

Falcon profile for M1.fileset.zip

Apple Silicon based TCC Profile

$FalconProfileAppleSilicon.png$

Download the PKG installer

The PKG installer will have three components in the Fileset. Note the PKG installer, along with the two scripts: a requirement and activation script.

The Fileset included with the PKG installer is version 6.58.17102.0 of CrowdStrike for macOS Big Sur and beyond (This version will not install on macOS Catalina).

PKG - FalconSensorMacOS.MaverickGyr.fileset.zip

CrowdStrike License

Customizing the Fileset with your CrowdStrike license is required. The Fileset has a License.sh script to edit and enter in your license code.

Editing the License.sh script

Highlight your CrowdStrike PKG installer Fileset
Select Scripts to open the Script window.
Highlight License.sh
Click Edit

Entering in your license code

Highlight the ####### string and enter in your CrowdStrike License code
Click OK to save
Click OK to save again to save your license code for the CrowdStrike Fileset

License code script

#!/bin/zsh

echo "License is being set"
/Applications/Falcon.app/Contents/Resources/falconctl license ##########
echo "License is set"

exit 0

Check for Falcon Profile

The Payload Identifiers are already set and entered. The below are step-by-step instructions to add your own Payload Bundle Identifier if needed.

Note: The Requirement script verifies that the CrowdStrike Falcon Profile is installed successfully BEFORE running the installation of CrowdStrike.

There are two entries for your profile identifiers: you may enter both the Intel and Apple Silicon as the script will check for either profile is installed successfully BEFORE running installation of CrowdStrike.

Editing the CheckForFalconProfile.sh

Highlight your CrowdStrike PKG installer Fileset
Select Scripts to open the Scripts window
Highlight the CheckForFalconProfile.sh script
Click Edit

Entering in your Intel and/or Apple Silicon Profile Identifier

Highlight the string after profile_id="#####"
Replace the ######, with your TCC profile Identifier.
If not sure, open your Intel or Apple Silicon Profile and copy the Identifier.
Click OK to save
Click OK to save again to save your changes to the CrowdStrike Fileset

Check for Falcon profile script

#!/bin/zsh

profile_id="863BE372-D1FA-4082-85B2-3B8FE63797C5"
profile_id2="C1A6E28A-21EF-49C6-B85F-84E845731E22"

found_profile=$(profiles list all | awk -v search=$profile_id  '$0 ~ search {print $NF}')
found_profile2=$(profiles list all | awk -v search=$profile_id2  '$0 ~ search {print $NF}')

i=0
if [ -z $found_profile ]
then
        echo "Did not find $profile_id" 
        i=$((i+1))
fi

if [ -z $found_profile2 ]
then
        echo "Did not find $profile_id2"
        i=$((i+1))
fi

if [ $i = 2 ]
then
       echo "Both Profiles are missing"
       exit 1
fi
echo $missing
echo "Found installed profile: $profile_id or $profile_id2"
exit 0

Creating a Fileset Group

Keeping your Filesets organized is good practice, especially if there are multiple Filesets for software deployment. You may create a New Fileset Group, label it CrowdStrike Falcon (macOS 2023), and move all the Filesets you created into that Fileset Group. Then associate the Fileset Group labeled CrowdStrike Flacon (macOS 2023) to your devices versus individual Filesets.

Once all the Fileset and Profile have been created, you may associate the Fileset Group labeled CrowdStrike Falcon (macOS 2023) to a few devices as a test. This is to verify and confirm that the software is installed properly based on your license code configured.

CrowdStrike Falcon Protection (Windows EXE)

Fileset recipe to block applications by name (macOS Script)

The Fileset will block the supplied list of applications on your macOS machines by running a script every 5 seconds on your client machines.

Step-by-step guide

Download, edit and associate the below Fileset.

Download the "macOS - Block Applications.fileset.zip" below.
macOS - Block Applications.fileset.zip
Import the "macOS - Block Applications.fileset" into the Filesets tab of the Filewave Admin.
Edit the Fileset to include the appropriate list of applications to block.

Select the install_block_application.sh file and then Get Info

Edit the Executable > Launch Arguments to include the binary name of any app to be blocked, e.g Messages, FaceTime, and Keychain Access

Associate the Fileset to a handful of test machines so you can see the behavior of the Fileset before mass deploying to all of your devices.
After that, you are Done!

Binary Names
To find the name of the binary to block, take a look at the application's contents. Every App has the same directory structure > ApplicationName.app/Contents/MacOS/ApplicationName, where ApplicationName is the binary to block, e.g.
FaceTime
/Applications/FaceTime.app/Contents/MacOS/FaceTime

Terminal
/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal

If you are wanting to block an Application with a space in the name like Keychain Access, you will need to have quotes(") around the name. So you would add, "Keychain Access", to Executable > Launch Arguments.

Blocking Install macOS Apps

Install macOS Apps may be blocked by supplying the following Launch Argument in the Fileset:

osinstallersetupd

However, this will block all Install macOS Apps. If you wish to block one installer, e.g Catalina, but have workflows that require earlier versions to install, consider the following Fileset example:

macOS - Block Applications Including macOS Install App.fileset.zip

Use this Fileset instead of the earlier one and supply all desired Apps to block as per below.

Inside the install_block_applications.sh script you will find a 'case' block. This section should be edited to meet your requirements. Current settings within the Fileset below.

This will only allow the macOS Ventura Installer.app to run. All other macOS Installer Apps will be prevented from running:

	case \$process_details in

		*"Ventura"*)
			log_me "Found: \$process_details"
			log_me "Nothning to do"
			;;
		*)
			block_me "osinstallersetupd"
			;;
	esac

Examples

Block Sonoma and Ventura, but allow any other installers

As well as allowing older installers than Ventura to run, this will also allow newer installers beyond Sonoma to run.

case \$process_details in

		*"Sonoma"*)
			block_me "osinstallersetupd"
			;;

		*"Ventura"*)
			block_me "osinstallersetupd"
			;;
		*)
			log_me "Found: \$process_details"
			log_me "Allowed.  Nothing to do"
			;;
 esac

Allow Ventura, block any other installers

Ventura and Monterey installers will be allowed to run, but all other installers, including newer ones, will be prevented.

case \$process_details in

		*"Ventura"*)
			log_me "Found: \$process_details"
			log_me "Allowed.  Nothing to do"
			;;
          *"Monterey"*)
			log_me "Found: \$process_details"
			log_me "Allowed.  Nothing to do"
			;;
		*)
            block_me "osinstallersetupd"
			;;
 esac

The following KB, has an alternate method for blocking just macOS Installation Apps, with user interaction:

macOS - Block Apple Install macOS Application

Firefox Configuration Recipe (macOS)

Description

After installing Firefox, some configuration may be desirable, examples may include:

Block auto updates
Set home page
Disable Mozilla First Run Pages

Firefox Documentation
The details of the Fileset are based upon: Firefox Configuration
This is known to work with version 60, upwards. It may work with earlier versions, but testing on placement of files may vary with earlier versions. macOS may alternatively use a Configuration Profile (Firefox 64+, ESR 60.4+)

Ingredients

FW Admin
Firefox installer application already as a Fileset
The provided configuration Fileset:FirefoxConfig.fileset.zip

Directions

Download the Fileset zip file, expand and drag into FileWave > Filesets
Two files are present in the Fileset.

The autoconfig.js file specifies the file to be used for configuration. In this Fileset the name of the file has been set to 'mozilla.cfg':

// Any comment. You must start the file with a comment!
pref("general.config.filename", "mozilla.cfg");
pref("general.config.obscure_value", 0);

To specify any desired settings, edit the mozilla.cfg file. The provided file is designed to prevent Firefox updates, disable privacy telemetry, disable the first run Mozilla home pages and set the user's homepage:

// Any comment. You must start the file with a comment!
 
// Disable updater
lockPref("app.update.enabled", false);
lockPref("app.update.auto", false);
lockPref("app.update.mode", 0);
lockPref("app.update.service.enabled", false);
 
// Set Homepage and stop Mozilla startup pages
lockPref("browser.startup.firstrunSkipsHomepage", false);
pref("browser.startup.homepage","http://www.filewave.com");
lockPref("browser.startup.homepage_override.mstone", "ignore");
 
// Disable Privacy telemetry
lockPref("datareporting.policy.firstRunURL",);
lockPref("datareporting.healthreport.service.enabled", false);
lockPref("datareporting.healthreport.uploadEnabled", false);
lockPref("datareporting.policy.dataSubmissionEnabled", false);
lockPref("toolkit.telemetry.unified", false);

Preference Overview

Preference types can include: pref, defaultPref, lockPref, amongst others. Details can be found at: https://support.mozilla.org/en-US/kb/customizing-firefox-using-autoconfig

pref

This is used to set a preference that can be overridden by the user, but on next launch of the application it will revert back to the setting within the configuration file

lockPref

A lockPref cannot be overridden by the user

defaultPref

This is used to set a preference that can be overridden by the user. The user's setting will persist until the user resets them, at which point the defaultPref will be used on next launch of the application

Preference Names

Navigating to 'about:config' in the Firefox URL bar will list all possible preference names and their values and types.

Association

When associating, to ensure the configuration is installed with the Application, consider creating a Fileset Group:

Associating the 'Firefox' Fileset Group will ensure both the Application and Configuration are associated to devices.

When there is an update to Firefox, replace the version in the Fileset Group with the latest version after testing.

Profile With macOS

A Configuration Profile may be delivered to macOS for Firefox management:

https://support.mozilla.org/en-US/kb/managing-policies-osx-desktops

The linked plist file, may be imported into the FileWave Profile Editor ('Upload File...') and then edited appropriately.

The key settings to focus on initially are:

EnterprisePoliciesEnabled
RequestedLocales

Default values in the template will require editing: EnterprisePoliciesEnabled should be enabled to allow management to take control. RequestedLocales may require editing to meet the specific needs.

The template is preconfigured as:

de
en-US

To change from German to British for example:

These settings would enforce management for en-GB and en-US, whilst other English locales, e.g en-CA, en-AU would not be managed. Instead, one locale of 'en' could be set to block all English locales.

Key Values
If EnterprisePoliciesEnabled is not set as true and a correct RequestedLocales is not included, management should not be expected.

If unsure which locale is in use, without management in place the 'about:config' URL may be used to view settings:

To ensure users may not circumvent management by changing the locale, enable 'BlockAboutConfig' (already set as TRUE in the template file)

Firefox Configuration Recipe (Windows)

Microsoft Defender Recipe (macOS)

Description

Example recipe for deploying Microsoft Defender.

Ingredients

The list is actually quite extensive, due to the necessary payloads:

Microsoft Defender PKG
Deployment Script: MicrosoftDefenderATPOnboardingMacOs.sh
Below provided Fileset
Profiles for:
- Web Content Filter
- TCC allowances
- Notifications
- Data Acceptance & Autoupdater
- System and Kernel Extensions

Downloads:

See below directions for deployment before associating with devices.

Microsoft Defender PKG and deployment script are available through the M365 Defender portal; details in the Microsoft Deployment KB:

The 'MicrosoftDefenderATPOnboardingMacOs.sh' is built by Microsoft with the appropriate licence code embedded into the script, such that the download is personal to the logged in account, when downloading.

               <key>OrgId</key>
                <string>[licence code here]</string>

The 'OnboardingInfo' key also has this code burnt into its value.

Directions

Download all of the above provided Filesets. Note the Kernel Extension should only be required for legacy devices.

Fileset Group

Create a Fileset Group in which to add each of these.

Profiles should be installed firsts. The Installer Fileset has a requirement script to ensure Profiles are installed, before commencing with download and activation of the Installer.

The requirement script is designed to confirm ALL profiles are installed in advance, with the exception of the Kernel Extension, since this is legacy. The Profile ID of the Kernel Extension may be added to the list within the Fileset. If this is requirement, but are unsure how to approach this, just ask in either the Discord, Alliance or Slack FileWave forums. Links available through the 'Resources' of the FileWave Website.

Installer: 'wdav.pkg'

The 'Microsoft Defender Installer macOS' Fileset requires the downloaded PKG. Open the Fileset and drag the PKG into the same location as the '.placeholder' file; this placeholder file may be deleted.

Script: MicrosoftDefenderATPOnboardingMacOs.sh

Edit the text of the provided 'MicrosoftDefenderATPOnboardingMacOs.sh' file within the Fileset and paste in a copy of the script contents downloaded from Microsoft:

Profile Payload Values

The Profiles to manage the AutoUpdater and Notifications are configured with default values, consider confirming an internal desired process and adjust to match.

The 'AcknowledgedDataCollectionPolicy' key prevents a user notification pop-up from showing. Recommendation is to leave this value as set.

All other profile payload values should be correct at the time of writing, however, Microsoft may make changes over time which could require alteration of one or more of these.

Details pertaining to the contents of the payloads may be viewed in Microsoft's Defender Policies documentation; scroll down past the initial unnecessary information until you reach Step 4.

Assign to Devices

By way of either a 'Deployment' or 'Association' within FileWave, assign the Fileset to one or more test devices and once happy expand this to more devices.

Additional Information

The requirement script within the Installer Fileset is designed to ensure all profiles are in place before downloading and commencing with the installation. Script output from the Client Info > Fileset Status displays logged information.

Example:

First time the script ran, the Profiles were not yet installed. On next run profiles were installed and the requirement script exited with a value of 0.

Script Log:

----------------------- HEADER - Date: (Mon Sep 25 2023) - Time: (13:36:40) -----------------------
Set to match all profile IDs

Looking for profile: ml1063.local.5b1e7237-2773-4d3a-9627-361c4dd8a9b0.Configuration.5b1e7237-2773-4d3a-9627-361c4dd8a9b0
Profile found: FALSE

Looking for profile: ml1063.local.bd9007c3-41d6-45bb-a2bf-774ec901e4c2.Configuration.bd9007c3-41d6-45bb-a2bf-774ec901e4c2
Profile found: FALSE

Looking for profile: ml1063.local.7f249c3c-f79a-48cf-952c-dd178a00a5a6.Configuration.7f249c3c-f79a-48cf-952c-dd178a00a5a6
Profile found: FALSE

Looking for profile: ml1063.local.f68916cf-c1e0-47e2-a73c-700678267fe8.Configuration.f68916cf-c1e0-47e2-a73c-700678267fe8
Profile found: FALSE

Looking for profile: ml1063.local.4726b0a7-4f74-4369-8aeb-2450e4f0f935.Configuration.4726b0a7-4f74-4369-8aeb-2450e4f0f935
Profile found: FALSE
Only found 0 profiles from the supplied list of 5

----------------------- FOOTER - Date: (Mon Sep 25 2023) - Time: (13:36:41) - Exit code: (1) -----------------------

----------------------- HEADER - Date: (Mon Sep 25 2023) - Time: (13:39:31) -----------------------
Set to match all profile IDs

Looking for profile: ml1063.local.5b1e7237-2773-4d3a-9627-361c4dd8a9b0.Configuration.5b1e7237-2773-4d3a-9627-361c4dd8a9b0
Profile found: TRUE

Looking for profile: ml1063.local.bd9007c3-41d6-45bb-a2bf-774ec901e4c2.Configuration.bd9007c3-41d6-45bb-a2bf-774ec901e4c2
Profile found: TRUE

Looking for profile: ml1063.local.7f249c3c-f79a-48cf-952c-dd178a00a5a6.Configuration.7f249c3c-f79a-48cf-952c-dd178a00a5a6
Profile found: TRUE

Looking for profile: ml1063.local.f68916cf-c1e0-47e2-a73c-700678267fe8.Configuration.f68916cf-c1e0-47e2-a73c-700678267fe8
Profile found: TRUE

Looking for profile: ml1063.local.4726b0a7-4f74-4369-8aeb-2450e4f0f935.Configuration.4726b0a7-4f74-4369-8aeb-2450e4f0f935
Profile found: TRUE
All profiles found.  Exiting 0

----------------------- FOOTER - Date: (Mon Sep 25 2023) - Time: (13:39:33) - Exit code: (0) -----------------------

Subsequently, the Fileset downloaded and activated:

Client Log:

2023-09-25 13:39:34.758|main|INFO|CLIENT|about to downloadAllFileset files for Fileset MicroSoft Defender Installer macOS Installer Included, ID 736320, revision ID 736320
2023-09-25 13:39:35.697|main|INFO|CLIENT|Downloading Fileset MicroSoft Defender Installer macOS Installer Included, ID 736320, revision ID 736320
2023-09-25 14:03:49.650|main|INFO|CLIENT|finished downloadFileset files for Fileset MicroSoft Defender Installer macOS Installer Included, ID 736320, revision ID 736320
2023-09-25 14:03:50.285|main|INFO|CLIENT|Create all folders of fileset ID Fileset MicroSoft Defender Installer macOS Installer Included, ID 736320, revision ID 736320, version 4
2023-09-25 14:03:50.289|main|INFO|CLIENT|Activate all files of Fileset MicroSoft Defender Installer macOS Installer Included, ID 736320, revision ID 736320, version 4
2023-09-25 14:03:50.465|main|INFO|CLIENT|Done activating all 4 files of Fileset MicroSoft Defender Installer macOS Installer Included, ID 736320, revision ID 736320, version 4

Homebrew Deployment (macOS Script)

Description

Homebrew, or also known as simply Brew is the missing package manager for macOS (or Linux), Homebrew is able to install many tools that do not have another installer. Quite a lot of Linux based tools have a Homebrew install. This article will guide you through installing it using FileWave.

Actually, not just Brew, but we will also install:

Apple Command Line Tools
Brew
Cask

Ingredients

FileWave Central
Attached Fileset

macOS Brew Fileset

Directions

Unzip the download and drag the Fileset into the FileWave Central > Filesets view, into a Fileset group of choice.
Associate with a test device and Update Model
After all is well with the test, consider expanding this to a larger quantity of devices

Activation Script

The Activation Script will choose a version of the possible Apple Command Line tools and proceed to download and instal those tools.

Apple Command Line tools are a requirement and will be installed first.

The Activation Script will use the newest version of the Command Line tools found, when ran. It is possible to overrule this behaviour by supplying a desired version as a Launch Argument.

Example:

To instal version 13.2 Command Line tools, select the Activation Script: 'instal_apple_cl.sh' from within the Fileset and from the 'Get Info' view, edit the Executable Launch Arguments, as below:

Software Updates may be large in size. This can slow down the installation as well as use high bandwidth. A 'Wait for' as 'Infinite' could easily be required.

Post Activation Script

The Fileset will attempt to instal Brew with the currently logged in user. If this current user does not have an ID greater than 500, the script will attempt to instal with an Admin user on the device. The script log should report the user that was configured for Brew. Consider altering the script if a different behaviour is desired.

This user shall also be added to the macOS developer group.

Below are the sections of script that defines the user and also adds that user to the development group:

current_user=$(stat -f%Su /dev/console)

# ....

# If user is below uid 500 should we abort or pick a user.  Picking an admin user for now
if [ $(id -u $current_user) -lt 501 ]
then
	echo "No 500 user.  Picking a local admin user"
	current_user=$(/usr/bin/dscl . -read /Groups/admin GroupMembership | awk '{print $NF}')
fi

echo "Configuring user ${current_user}..."

# Add them as a developer
is_developer=$(groups $current_user | awk '/ _developer / ')
if [ ! $is_developer ]
then
	echo "Adding user $current_user to _developer group"
	/usr/sbin/dseditgroup -o edit -a "$current_user" -t user _developer
fi

Brew/Cask installations may also be large in size. The same considerations as the Activation Script would therefore also be likely. Additionally, the Fileset will double check there are no further updates and if so, those shall also be installed.

Uninstall

If you want to remove Brew, the best way is likely these scripted methods because you are probably just fixing a single machine when you remove Brew, but you could also use curl to fetch the unisntall.sh and put it in the Fileset if you want to uninstall when you remove the Association to the Fileset.

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/uninstall.sh)"

If you want to run the Homebrew uninstaller non-interactively, you can use:

NONINTERACTIVE=1 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/uninstall.sh)"

Download the uninstall script and run /bin/bash uninstall.sh --help to view more uninstall options.

iBooks Author Deployment (macOS App)

Description

Member of iTunes U? Need to get iBooks Author out to your staff? We can do that.

Ingredients

FW Central
10.7 (Lion) or higher
iBooks Author.app already installed

Directions

Log onto the FileWave server with FileWave Admin as an account that has permissions to create Filesets.
With FileWave Admin running, drag and drop the installed iBooks Author.app from the Application folder onto the FileWave Admin window while in the Filesets view is formost.
Now go to the Associations window to assign who gets the software.
Update the FileWave Server Model.

Notes

Other comments and details

Installomator - The one installer script to rule them all (macOS PKG)

Description

This article delves into the application of Installomator, a shell script, in combination with FileWave for the maintenance of macOS applications. Installomator supports the downloading and installation of over 450 different applications, operating directly from the vendor's public URLs. This approach is compared with the use of AutoPkg, a tool that provides more stringent control over versioning, testing, and release management.

Installomator can be a valuable tool when deploying the latest publicly available version of an application is the goal. It verifies the authenticity and validity of each download, though it's not a fully automated solution. For certain applications like Chrome, Zoom, and Microsoft Office, their update processes may be better managed via a config profile. Additionally, attention may be needed for built-in auto update prompts of other apps.

A key characteristic of Installomator is its handling of versioning. Instead of installing only when the downloaded version is newer, Installomator initiates installation if the version numbers differ. This is due to the complexities in determining which version number is higher. For instance, if Installomator downloads version 4 after a vendor has released version 5 due to a URL change, it will attempt to install version 4 because the version numbers differ.

Ingredients

FW Admin
swiftDialog - Deploying swiftDialog via FileWave (macOS PKG)
Installomator - Releases · Installomator/Installomator (github.com)

Directions

Deploying Installomator on all your Macs

Installomator operates by taking a 'label' parameter representing the application to be installed. It generally only installs an application if the latest version is newer than the installed version, though exceptions exist, emphasizing the importance of thorough testing. It's deployed via a single FileWave Fileset, with numerous configuration options to improve user experience and system stability. These include user notifications upon completion, the closing of the app prior to installation, prompts before closing the app, and the ability to re-launch the app post-update if it was initially open. Installomator does not interact with App Store applications except to replace them with non-App Store versions if desired. See Configuration Options further down for how to customize the operation of the script.

Installing Installomator

Download the PKG for SwiftDialog and install the PKG as a FileSet.
Download the PKG for Installomator from Releases · Installomator/Installomator (github.com) install the PKG as a FileSet. This will place the script file to /usr/local/Installomator/Installomator.sh

PKG Filesets are easy to make. You can start by dragging and dropping the PKG on the Filesets window in FileWave Central or use our example here: PKG - Installomator.fileset.zip

Identifying an App to install

Run Installomator by itself in Terminal and get the full list of apps it can install:

/usr/local/Installomator/Installomator.sh

This is the output of that command:

Or run Installomator in Terminal with grep to filter the results:

/usr/local/Installomator/Installomator.sh | grep -i bbedit

This is the output of that command:

Installing an App

At this point you have installed both swiftDialog and Installomator. For the next steps here is an example BBEdit - Installomator.fileset.zip to look at while you follow along.

The BBEdit example is a very simple Fileset containing 3 scripts, and that's all.

The scripts are fairly simple and listed below:

check_installomator.sh

#!/bin/zsh
# Checks every 2 minutes for Installomator to be present. 
# Add the contents of your script below:

if [ -f "/usr/local/Installomator/Installomator.sh" ]; then
	exit 0
else
	echo "Could not find Installomator"
	exit 1
fi

install.sh

#!/bin/zsh
# Remember to change the properties for both install.sh and verify.sh
# to have the right app label since it is passed to the script from properties. 

/usr/local/Installomator/Installomator.sh $1 NOTIFY_DIALOG=1 NOTIFY=success LOGO=/usr/local/sbin/FileWave.app/Contents/Resources/fwGUI.app/Contents/Resources/kiosk.icns

verify.sh

#!/bin/zsh
# Remember to change the properties for both install.sh and verify.sh
# to have the right app label since it is passed to the script from properties. 

/usr/local/Installomator/Installomator.sh $1 NOTIFY_DIALOG=1 NOTIFY=success LOGO=/usr/local/sbin/FileWave.app/Contents/Resources/fwGUI.app/Contents/Resources/kiosk.icns

In our example both install.sh and verify.sh are identical but they don't have to be depending on your needs.

So now you may be wondering about where "bbedit" is since that label is the label we want to use? Highlight the BBEdit Fileset in your admin console and click the Scripts button in the toolbar. Now right click on install.sh and pick Properties. The dialog will look like the one here. You'll want to change bbedit to whatever app you want this to install. Do the same exact thing for verify.sh.

Configuration Options

In our example, we pass the LOGO parameter to the script. This action assigns a FileWave logo to the script, derived from the FileWave Kiosk icon file located on a device with FileWave installed. You can also pass additional parameters to further refine Installomator's behavior. This is covered in greater detail at the following link: Configuration and Variables · Installomator/Installomator Wiki (github.com) One setting you may want to change is NOTIFY=success to be NOTIFY=all if you are using Kiosk to allow someone to install apps.

What it looks like

To install an app this way you simply Associate the swiftDialog Fileset, Installomator Fileset, and BBEdit - Installomator.fileset.zip Filesets and you should see it install.

Be careful as some apps/labels may install even if the app is already on the latest version

Depending on what dialogs you have enabled you may show status messages like the below. We recommend not editing the Installomator script itself but rather pass the options as parameters in your Filesets.

You should now be able to deploy anything that Installomator supports. Just remember that this tool is designed to always keep things up to date which can be a good or bad thing for you depending on your use case.

Troubleshooting

You will be able to see what the Fileset is doing by leveraging the Fileset logs. All 3 of the scripts will log to /var/log/fwcld/<fileset_id>where <fileset_id> is the same as the ID you see in FileWave for the Fileset.

You may also be able to use FileWave Central to right click on the log and view it, but the log on the machine when testing is most simple and will exist 100% of the time.

Installomator GitHub - Installomator official GitHub page
Deploying swiftDialog via FileWave (macOS PKG)
AutoPkgr with FileWave - Information on the AutoPkg tool
Training Day 2022 Presentation - Using_Installomator_to_support_3rd_party_apps_-_Mac.pdf

Digging Deeper

The choice between Installomator and AutoPkg ultimately hinges on your administrative preferences and needs. Installomator, with its ability to streamline the download and installation of different versions of applications, serves as a viable option when the goal is to deploy the latest publicly available versions. However, it requires careful management, especially considering its approach to version comparison and updates. On the other hand, AutoPkg presents a viable alternative for those seeking a more tightly controlled release process, offering thorough testing, versioning, and release management.

Lightspeed Smart Agent Deployment (macOS 2023)

Description

Need to deploy Lightspeed Smart Agent along with your configurations. FileWave has got you covered in this step-by-step guide to creating the required Filesets to deploy to your macOS devices. Be sure that you have access to your administrative account on relay.school.com.

If you are using the new method with Lightspeed Certificate Manager please review:
Lightspeed Smart Agent Deployment (macOS v2.3.1+ using Certificate Manager)

Ingredients

FileWave Central
Lightspeed Smart Agent DMG installer
Lightspeed Smart Agent PKG installer
Lightspeed mac deploy script
Lightspeed install script
Lightspeed certificate

Web Content Filter - In creating a Web Content Filter within FileWave Central it changes the UDID and is unsuccessful in deployment. The issue can be resolved by re-creating the Web Content Filter in FileWave Anywhere as a workaround. The issue should be resolved in the next release. See Known Issues

Download Lightspeed Relay Filter Agent

Download the macOS deploy script

Download the mac_deploy.sh script, found here: mac_deploy.sh
Place the downloaded mac_deploy.sh script into your Downloads
Unzip the downloaded mac_deploy.sh script

Open Terminal to run the script

# enter as root
$ sudo -s
# nagivate to your Downloads folder
$ cd ~/Downloads
# run the script to create three files on the Desktop
$ ./mac_deploy.sh

Once the script has been executed, it has created three files on your Desktop; ca.cer, deploymont.zip and SmartAgent.pkg

Note: Be sure both SmartAgent.dmg and mac_deploy.sh are in the same directory, i.e. Downloads folder for the mac_deploy script to successfully create the deployment files and certificate.

Create the Configuration Profile

Open FileWave Central or FileWave Anywhere
Navigate to Filesets > Select New Desktop Fileset > Click on Profile
Enter the name of the Profile: General > Name: Lightspeed Agent Profile
Select Certificates payload to add your ca.cer certificate
Navigate to System Extension Policy payload, add and enter in the following:
1. Click + to add Allowed Team Identifiers:
  Team Identifier: ZAGTUU2342
2. Click + to add Allowed System Extensions:
  
  1st Allowed System Extensions: com.lightspeedsystems.network-agent
  
  Enter add 2nd Allowed System Extensions with comma after 1st Allowed System Extensions
  
  2nd Allowed System Extensions: com.lightspeedsystems.network-agent.network-extension
3. Click + to add Allowed System Extension Types and check box for Network:
  
  Team Identifier: ZAGTUU2342
Navigate to Web Content Filter and enter in the following:
1. Filter Name: Lightspeed Agent
2. Identifier: com.lightspeedsystems.network-agent
3. Filter Options: Socket Traffic Only
4. Socket Filter Bundle Identifier: com.lightspeedsystems.network-agent.network-extension
5. Socket Filter Designated Requirement: anchor apple generic and identifier "com.lightspeedsystems.network-agent.network-extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists / or certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = ZAGTUU2342)
  
  $FileWaveLightspeed4.png$
The completed configuration profile will have three payloads; these include: Certificates, System Extension Policy and Web Content Filter

Editing the Install script

Download and unzip the Install script, found here: install_lightspeed.sh
Open the install.sh in TextEdit or compatible Text Editor, for example Sublime Text
Enter in your URL to the hosted file in line 3 of the Install Script; between the quotes, where it says, “Your FQHN HERE to the deployment.zip”
Save the changes to the install.sh script

Note: The deployment.zip file created on the desktop must be hosted for the deployment to succeed. (This can be accomplished with Google Drive (may use Google Drive Direct Link Generator), Microsoft OneDrive, Amazon S3, etc.) Be sure the deployment.zip file is accessible for the install.sh script to downloaded successfully, otherwise this will not complete the installation of the Lightspeed Filter.

Import the Smart Agent PKG

Navigate to Filesets > Create New Desktop Fileset > Select MSI / PKG
Navigate to your downloaded SmartAgent.pkg to upload into the Fileset
Please wait a few moments for the PKG installer to upload into your FileWave server
After successfully uploading, highlight the Fileset > Select Properties
Under the Requirements tab, check the box Platform and check macOS only, then under System Version and checkboxes only for macOS 12.x and 13.x
Click OK to save

Note: If all of your devices are not on macOS 12 or greater, you will want to set the Requirements for the Fileset for macOS 12 and above

Editing the Smart Agent PKG Fileset

Highlight the newly created Fileset with your Smart Agent PKG
Click on Script in the menu to open Script dialogue window
Highlight Requirement Scripts and click on the Create button
Label script, check_LS.sh

Copy and paste the entire check profile script below:

#!/bin/zsh

found_profile=""

while [ $# -gt 0 ]
do
	found_profile=$(profiles list all | awk -v search=$1  '$0 ~ search {print $NF}')
	if [ ! -z $found_profile ]
	then
		echo "Found installed profile: $found_profile"
		exit 0
	else
		echo "Did not find $1" 
	fi
	shift
done
 
exit 1

Click OK to save the script
Highlight the check_LS.sh and right-click to select Properties
Select the Executable tab, under the Launch Arguments tab, click on the + button to add your Lightspeed Agent Profile’s Identifier (found by double-clicking on your Lightspeed Agent Profile)
Click OK to Apply to save changes
Close out Properties of the Requirement Script
Click OK to save changes to Smart Agent PKG Fileset

Creating the Installation Fileset

Navigate to Filesets > Create New Desktop Fileset > Empty Fileset > label Lightspeed Install Script
Click on Script in the menu to open the Script dialogue window
Highlight Activation Scripts and click on the Create button
Label script, install_lightspeed.sh
Copy and paste the entire install.sh script that you saved your URL to hosted file from previous step on Editing the Install Script.

Click OK to save script
Highlight Requirement Scripts and click on Create button
Label script, check_LS_profile.sh
Copy and paste the entire check profile script below:

#!/bin/zsh

found_profile=""

while [ $# -gt 0 ]
do
	found_profile=$(profiles list all | awk -v search=$1  '$0 ~ search {print $NF}')
	if [ ! -z $found_profile ]
	then
		echo "Found installed profile: $found_profile"
		exit 0
	else
		echo "Did not find $1" 
	fi
	shift
done
 
exit 1

Click OK to save the script
Highlight the check_LS_profile.sh and right-click to select Properties

Select the Executable tab, under the Launch Arguments tab, click on the + button to add your Lightspeed Agent Profile’s Identifier (found by double-clicking on your Lightspeed Agent Profile)

Click Apply to save changes
Close out Properties of the Requirement Script
Click OK to save changes to Lightspeed Installation Fileset

Note: This Requirement scripts verifies that the Lightspeed Agent Profile is installed successfully BEFORE running the installation of Lightspeed.

When all completed, the Fileset contents will include your Smart Agent PKG, Lightspeed Install and Profile.

Creating Fileset Group for your Lightspeed Filter Agent Filesets

Keeping your Filesets organized is good practice, especially if there are multiple Filesets for software deployment. You may create a New Fileset Group, label it Lightspeed Filter Agent (macOS 2023), and move all the Filesets you created into that Fileset Group. Then you may associate the Fileset Group labeled Lightspeed Filter Agent (macOS 2023) to your devices versus individual Filesets.

Once all the Filesets and Profile have been created, you may associate the Fileset Group labeled Lightspeed Filter Agent macOS 2023 to a few devices as a test. This is to verify and confirm that the filter is installed and filtering properly based on your configurations. For best practice, always test a few devices before mass deployment.

Lightspeed Smart Filter Deployment (iOS 2023)

Needing to deploy Lightspeed for iOS devices? Review the KB article here: Lightspeed Smart Filter Deployment (iOS 2023).

Lightspeed Smart Filter Deployment (macOS v2.3.1+ using Certificate Manager)

Needing to deploy Lightspeed for macOS using Certificate Manager? Review the KB article here: Lightspeed Smart Filter Deployment using Certificate Manager.

Lightspeed Smart Agent Deployment (macOS v2.3.1+ using Certificate Manager)

Description

Need to deploy the latest version of Lightspeed Smart Agent version 2.3.1 along with your configurations. FileWave has got you covered in this step-by-step guide to creating the required Filesets to deploy to your macOS devices. Be sure that you have access to your administrative account in Lightspeed Filter app.

This KB article involves using the new Lightspeed Certificate Manager method. If using the version below v2.3.1 please review KB article here: Lightspeed Smart Agent Deployment (macOS 2023)

The new method involves using LightSpeed Certificate Manager. Certificate Manager leverages a cloud-based system to generate and monitor certificates and expiration, automatically pushing new certificate files to devices in the background (without disruption!) to ensure they always are current. In addition, Lightspeed is also leveraging root certificates for the trusting process, meaning that instead of repeatedly needing to re-trust the certificates every time they update - you now only need to trust the first time.

Note: You must use the MacOS Filter Agent 2.3.1+ to use Certificate Manager

Ingredients

FileWave Central
Lightspeed Relay Filter Agent PKG installer (version 2.3.1)
Lightspeed Root Certificate
Supplied Fileset and Profile

Web Content Filter - A bug (FW-12629) exists which prevents the Filter Order being set.

Download Lightspeed Relay Filter Agent for macOS

Generating the Certificate using Certificate Manager

Navigate to your Settings > Certificates within Lightspeed Filter account
Click Set Up to generate the certificate
Label your Organization name and enter in your number of active days for your certificate
Click Save to continue
Allow several minutes for the Certificate Manager to generate
Click to download and confirm trust certificate
Do not proceed with checking the two Acknowledgements boxes, until the certificate, content filter AND agent have been installed on your devices

Lightspeed has noted the importance of order of operations; until you have downloaded and trusted the certificate AND installed the agent on your devices, then you may proceed to complete the two Acknowledgement boxes in the macOS Certificate Confirmation step.

Filesets

Fileset Group

Create a Fileset Group to hold the Filesets to be included. At the end it will look something like the below image.

Configuration Profiles

Network Settings

The profile contains 2 payloads: System Extension Policy and Web Content Filter.

System Extension Policy

Click + to add Allowed Team Identifiers:
Team Identifier: ZAGTUU2342
Click + to add Allowed System Extensions:

1st Allowed System Extensions: com.lightspeedsystems.network-agent

Enter add 2nd Allowed System Extensions with a comma after the 1st Allowed System Extensions

2nd Allowed System Extensions: com.lightspeedsystems.network-agent.network-extension
Click + to add Allowed System Extension Types and check box for Network:

Team Identifier: ZAGTUU2342

Web Content Filter

Filter Name: Lightspeed Agent
Identifier: com.lightspeedsystems.network-agent
Filter Order: Firewall (currently unable to be set as of FileWave 15.3.1)
Socket Filter Bundle Identifier: com.lightspeedsystems.network-agent.network-extension
Socket Filter Designated Requirement: anchor apple generic and identifier "com.lightspeedsystems.network-agent.network-extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists / or certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = ZAGTUU2342)
Username/Password: Sometimes the Username and Password fields are ‘included” automatically. Do not include them.

Web Content Filter - A bug (FW-12629) exists which prevents the Filter Order being set.

Certificate Payload

Create a new Profile within the Fileset Group folder
Select Certificates and Configure
Upload the above generated certificate into this Profile

Lightspeed Agent Installer

The provided Fileset includes a script to instal the above downloaded PKG file.

Lightspeed Agent Installer v2.3.1+.fileset.zip

Drag the Fileset into the FileWave Central Fileset Group Folder created above.
Edit the Fileset
Place the downloaded SmartAgent.pkg file into the same location as the .placeholder file
The .placeholder file may be deleted

The name of the PKG is important. The installation script is expecting a file called SmartAgent.pkg. Rename if required.

The check_for_profile.sh script ensures the Profile is installed before the PKG. This script relies upon the Profile ID of the supplied Profile.

The Fileset has a Reboot setting configured to allow the Filter Network Content applied.

Assignment

Assign the Fileset Group, either as a Deployment or an Association with one or more test devices. Once satisfied, consider assigning to all required devices.

Once that you have installed the agent and trusted the root certificate on your devices, go back to your Lightspeed Account and navigate to Settings > Certificates. Check the two acknowledgement boxes and click Save.

Requirement Script to check your Profile Identifier

The Fileset Script is designed to check for the presence of Profiles prior to installing the PKG. The provided Profile ID is already of consideration, however the newly generated Certificate Profile cannot be, since the ID cannot be known in advance. Both Profiles should instal at the same time, it is therefore arguably not required to be included in this consideration. However, for completeness, the Generated ID of the Certificate Profile could also be added.

Bundle ID

First, the Bundle ID of the newly created Profile needs to be copied.

Open the Certificate Profile
Highlight the Bundle ID and choose to copy

Script Info

Open the Lightspeed Agent Installer Fileset
Select the 'check_for_profile.sh' and choose Get Info
Select the Executable tab
Add a Launch Argument and paste or replace the current Launch Arguments with your copied Bundle ID

Uninstall Fileset

The Fileset to uninstall Lightspeed Smart Agent v2.3.1+ from of your macOS devices. Included in the Fileset is a script that will execute and remove the LS Smart Agent. Please note this script only removes the Smart Agent, it does not remove the LS certificate or log files from the agent.

LightSpeed Agent Uninstaller v2.3.1+.fileset.zip

You may download and import into FileWave. You may then create a Fileset Group and include the LightSpeed Agent Uninstaller.

Microsoft Office Deployment (macOS)

What

Deploying Microsoft Office for macOS with FileWave is the process of pushing out Microsoft Office for macOS software to a large number of macOS devices using FileWave's Unified Endpoint Management (UEM) tool. FileWave is a software management tool that allows IT administrators to manage and deploy software applications to various devices, including macOS, Windows, iOS, iPadOS, tvOS, Chrome, and Android devices.

When/Why

You would need to deploy Microsoft Office for macOS with FileWave if you have a large number of macOS devices that need to have Microsoft Office installed. Deploying Microsoft Office for macOS with FileWave allows you to save time and effort, as you can push out the software to multiple devices at once, rather than having to install it manually on each individual device. Additionally, deploying Microsoft Office for macOS with FileWave ensures that all devices have the same version of Microsoft Office and the same settings.

How

To deploy Microsoft Office for macOS with FileWave, you can follow the guides provided by Microsoft. The deployment guide for Office for Mac is located here: https://learn.microsoft.com/en-us/deployoffice/mac/deployment-guide-for-office-for-mac. The guide provides step-by-step instructions for deploying Microsoft Office for macOS using various methods. In addition to the Microsoft deployment guide, you can use FileWave to push out the PKGs and settings needed to install and configure Microsoft Office for macOS.

SentinelOne Deployment (macOS)

Description

SentinelOne is a cybersecurity company that specializes in endpoint security and threat intelligence. They provide a platform for autonomous endpoint protection that uses AI and machine learning to prevent, detect, and respond to a wide range of security threats, including malware, ransomware, and other cyberattacks.

This recipe will guide on how to setup and deploy to your macOS devices.

Ingredients

FileWave Central
SentinelOne_Profiles.zip
SentinelOne PKG installer
SentinelOne Group/Site Token

Directions

Creating the Installation Fileset:

Download and upload SentinelOne profiles to FileWave Central
Create a new Empty Fileset
In the Fileset, create a new folder under /usr/local/etc/FileWaveInstallers/ called SentinelOne and drop the PKG in.
Create a plain text file, named com.sentinelone.registration-token, and copy only your Site/Group Token
Import the token file into the same SentinelOne folder as the PKG
Make sure the token file ownership is set to root:staff. You can change the ownership by selecting the file > Get Info > Ownership

Now we need to create a script to install SentinelOne, using the token to register.
In Admin, select the SentinelOne Fileset and then select 'Scripts' in the toolbar
Create a new Activation Script, and paste the following. You will need to change the name of the PKG to what you have uploaded.
```
sudo /usr/sbin/installer -pkg /usr/local/etc/FileWaveInstallers/SentinelOne/SentinelAgent_XXXX.pkg -target /
```
Video: Creating the Install Script

You're all set with the Installer! Now we need to import the Profiles.

Importing Profiles

Profile Metadata shown below

Download the profiles attached to this article: SentinelOne_Profiles.zip
Unzip the download and import the profiles
Video: Importing Profiles

Now deploy all Profiles first and then the Installer. SentinelOne will install with all permissions necessary.

Profile Metadata

Service Management Profile

Privacy Control Configuration Profile

TCC Profile

Network System Extension Profile

Team Identifier: 4AYE5J54KN

Allowed System Extensions: com.sentinelone.network-monitoring

System Extension Profile

Web Content Filter Profile

Network Filter Profile

$SentinelOne_WebContentFilterProfile.png$

SentinelOne Support

Microsoft Skype Deployment (macOS App)

Description

Skype is a self-contained application and so deployment is as simple and getting it into the Applications folder.

Ingredients

Latest Skype ( https://www.skype.com/en/get-skype/ )

Directions

Downloaded the latest DMG of Skype
Mount and drag into your Applications folder (Don't open it)
Drag it into the Filesets windows / or import it

PaperCut recipe (macOS)

Description

Needing to deploy the PaperCut Print Deploy client to a macOS client managed by FileWave? FileWave has you covered!

Ingredients

FW Central
PaperCut PKG installer
.plist configuration file
MDM managed macOS clients

Directions

Converting the DMG to a PKG installer

You will need access to your PaperCut NG/MG server configurations.

Log in to your PaperCut NG/MF server, for example, https://print-server.example.net:9192/admin.
Click Enable Printing > Print Deploy. The Print Deploy page is displayed.
Next to Download clients, click the macOS button at the bottom of the page.
Save the .dmg file to your Documents folder.
Look at the filename and check that the hostname between the square brackets is correct, for example, pc-print-deploy-client[print-server.company.lan].dmg.
Double-click the .dmg file and copy PaperCut Print Deploy Client.pkg to the Desktop.

Creating .plist file to configure your MDM macOS clients

The PaperCut Print Deploy Client can use a .plist file to set its server address. You can share and deploy these files in many different ways, such as with a .mobileconfig file, a file-copy command, or a scripted file creation on the client. For our recipe, we are just going to deploy the .plist to the proper directory along with our .pkg.

Note: The .plist file needs to be in proper format. The PaperCut client will not function with your desired configurations if this is not saved in the correct format.

To create the .plist file:

Open a terminal and issue the following command:
defaults write ~/Documents/com.papercut.printdeploy.client server_host hostname
Replace the word ‘hostname’ with the FQDN or IP address from the ‘.dmg’, for example, print-server.company.lan
Convert the .plist file with the following command:
/usr/bin/plutil -convert xml1 ~/Documents/com.papercut.printdeploy.client.plist
This will ensure that the file can be read correctly.

Verify the contents of the new .plist with the following command:
defaults read ~/Documents/com.papercut.printdeploy.client.plist
The output should be:

macOS:Documents localadmin$ defaults read ~/Documents/com.papercut.printdeploy.client.plist
{
"server\_host" = "print-server.company.lan";
}
macOS:Documents localadmin$

Creating the Fileset

Open FileWave Central
Select the PKG installer Fileset
Upload the PKG installer
Open Fileset Contents and uncheck 'Hide unused folders'
Navigate to Library > Preferences
Upload the .plist file to Library/Managed Preferences/
Close to save the Fileset

Note: if no directory for /Library/Preferences/ is found, you may create the directory and upload the .plist file as shown above.

Be sure the .plist file has the proper formatting and that the .plist file is in the correct directory. If the .plist file is found, the PaperCut Print Deploy client should honor the file's settings.

Always, test deployment to a few test machines. This ensures your configurations for PaperCut are correct and ready for your macOS production fleet.

Generic steps for how to deploy PaperCut

Parallels Desktop for Mac Business Edition Deployment (macOS)

Description

Creating a FileSet for Mass rollout of Parallels Desktop for Mac Business Edition Version 10

Ingredients

FW Central
Attached Script FileSet - script - activate parallels desktop.fileset.zip
Resources available from Parallels.com

Directions

Follow the directions at http://kb.parallels.com/en/120093 to create a pkg for mass deployment of parallels
Import the Parallels Desktop Autodeploy.pkg that you equipped with the Data in the first step into FileWave Admin
Import the attached file ( script - activate parallels desktop.fileset.zip ) , open it and edit the content of the script within. In the line /usr/local/bin/prlsrvctl install-license -k XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX replace XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX with your license key , save your changes and close the fileset.
Deploy both the PKG fileset and the script fileset to your test client. Make sure the PKG fileset has a higher priority than the script fileset - the attached script fileset is preset to lowest priority per default.

Renew - A tool to get users to reboot periodically (macOS Script)

Description

For remote tools to work reliably, and for security patches to be properly installed, users need to restart their workstations regularly. But we all get focused on our day-to-day, and taking 10 minutes to restart our workstations just gets pushed to the back-burner. SecondSonConsulting developed Renew to encourage users to restart their workstations on a regular basis, and the timing can be customized to the environment. This tool can be delivered via MDM, or other methods, but then is self-sustaining, running locally without any other tool controlling it. For the safety of their work, it will never restart the computer without the user’s consent.

Ingredients

FW Central
swiftDialog Deployment (macOS PKG)
Renew PKG - https://github.com/SecondSonConsulting/Renew/releases

Directions

Install SwiftDialog v2.0 or later: swiftDialog Deployment (macOS PKG)
Install the latest Renew PKG from their Releases page as a PKG Fileset. Here is an example: PKG - Renew.fileset.zip
Deploy a config profile. This can be done most easily by using iMazing Profile Editor (free) which has a template for Renew's options.
- Save the profile and then drag and drop it in FileWave Central to make a Profile Fileset. An Example Profile from iMazing is here: Renew Configuration.mobileconfig and the Fileset made from it is here: Profile - Renew Configuration.fileset.zip

Note that you can not edit the profile in the FileWave profile editor. It will not display the custom payload.

Use the OptionalArguments profile keys to make Renew look and function right for your environment.
For macOS Ventura+ compatibility, create a BackgroundItems MDM profile and enforce the LaunchAgent Label ID: com.secondsonconsulting.renewwith an example here: Profile - Renew LaunchAgent.fileset.zip

Examples

Notification Mode Default User Experience

Normal Mode Default User Experience

Aggressive Mode Default User Experience

Custom Fields Design Example Image

SwiftDialog allows a high degree of customization, and Renew allows you to continue to easily take advantage of that. This is an example of how you can customize the user experience to suit your branding and taste.

This example uses a banner image tailored to the window size, and the following OptionalArgument in the configuration file.

<key>AdditionalDialogOptions</key>

<string>--width 300 --height 350 --messagefont size=15 --position topright --ontop --messagealignment centre</string>

swiftDialog Deployment (macOS PKG)

Description

This article provides instructions on how to deploy swiftDialog using FileWave. swiftDialog is a simple utility for macOS that allows shell scripts to display GUI dialogs. swiftDialog is beneficial when you want to provide interactive user feedback or collect user input during a shell script's execution. By deploying swiftDialog via FileWave, administrators can efficiently distribute this utility across all managed macOS devices.

Ingredients

FW Admin
swiftDialog PKG - Releases · bartreardon/swiftDialog (github.com)
Example PKG Fileset - PKG - swiftDialog.fileset.zip
Profile Fileset to enable notifications for swiftDialog - Profile - swiftDialog - Enable Notifications.fileset.zip

Directions

Deploying swiftDialog to your Macs using FileWave

Download the swiftDialog PKG from: Releases · bartreardon/swiftDialog (github.com)
Create a new PKG fileset in FileWave and import the swiftDialog PKG. See the example: PKG - swiftDialog.fileset.zip
- "New Desktop Fileset" was picked and then PKG and then the PKG select.
- On Properties for the Fileset I made it work on macOS 11.x and higher. Newer versions of swiftDialog may require macOS 12.x or higher so consider that.
- Additionally the script below was added to set the notification icon to be a FileWave icon. You'll see in our example Fileset that it has this as a Preflight Script. When the icon is in place before the PKG it allows the custom icon to be used.
```
#!/bin/zsh

if [ -f "/usr/local/sbin/FileWave.app/Contents/Resources/fwGUI.app/Contents/Resources/kiosk.icns" ]
then
    mkdir -p "/Library/Application Support/Dialog/"
    sips -s format png /usr/local/sbin/FileWave.app/Contents/Resources/fwGUI.app/Contents/Resources/kiosk.icns --out "/Library/Application Support/Dialog/Dialog.png"
else
    echo "File not found: /usr/local/sbin/FileWave.app/Contents/Resources/fwGUI.app/Contents/Resources/kiosk.icns"
fi

exit 0
```
Dowload Profile - swiftDialog - Enable Notifications.fileset.zip if you want to ensure swiftDialog notifications will be seen.
Assign both swiftDialog and the swiftDialog Enable Notifications Filesets to your target macOS devices.

VMware Carbon Black Cloud sensor recipe (macOS)

Description

VMware Carbon Black is a powerful endpoint protection solution that plays a critical role in an organization's cybersecurity strategy. Deploying Carbon Black via the installer package through the admin console is a strategic approach that ensures consistent, efficient, and effective endpoint security. By mastering this deployment process, organizations can enhance their cybersecurity posture, mitigate threats proactively, and protect their digital assets in an increasingly dangerous digital landscape.

This guide will help you create a Fileset and deploy the application along with the required profiles.

Ingredients

FileWave Central
VMware Carbon Black Cloud dmg
VMware CBC license code
VMware CBC uninstaller code
System Extension mobile configuration
Network Extension Web Content Filter mobile configuration
TCC Privacy Policy mobile configuration

Downloads

VMware CBCloud Profiles.zip
VMware Carbon Black Cloud.fileset.zip

Directions

Please note this recipe includes Carbon Black Cloud sensor (CB Defense) version 3.7.4.53. This version is supported on MacOS 11.0 and newer.

Downloading and extracting the MDM profiles and installers

You will first want to grab and download your VMware installations and profiles. The .dmg will need to be mounted first and then extract the necessary components from this file.

Once the .dmg has been mounted you will see the contents listed. Below is the CBCloud Install.pkg and doc folder containing the required MDM profiles.

The required MDM profiles and unattended script for the Fileset deployed are found in the docs folder within the mounted .dmg.

Extract the MDM profiles. These MDM profiles will be uploaded into FileWave Central. Below are the configurations for the three MDM profiles:

Kernel Extension Policy

Web Content Filter Policy

MDM Profiles Configurations

If you do not have the VMware Carbon Black Cloud .dmg, you may create the Profiles with the following.

VMware CCB macOS version 3.8+ introduces Approving the System Extension

Approve System Extension

For the Allowed System Extension, please enter in the following:

System Extension Policy

Specify the Apple Team ID and System Extension bundle Identifier in your Allowed System Extension configuration profile:

System Extension Types: Allowed System Extensions
Apple Team ID: 7AGZNQ2S2T
System Extension Bundle ID: com.vmware.carbonblack.cloud.se-agent.extension

Kernel Extension Policy

For the Kernel Approval profile, please enter in the TeamID and BundleID:

Apple Team ID: 7AGZNQ2S2T

KEXT Bundle ID: com.carbonblack.defense.kext

Kernel Extension Policy: The recommended way to deliver this configuration is through
the provided MDM-KEXT-reboot-command.xml. FileWave has the Rebuild Kernel Cache command by highlighting the MDM client, right-clicking Restart (Supported MDM devices), checking the box for Rebuild Kernel Cache, and entering in the Kernel file path:

/Library/Extensions/CbDefenceSensor.kext

Kernel Rebuild Cache

The following will need to be entered for each of the BundleIDs along with Code Requirements and Services to set.

TCC metadata

The fields should be completed exactly as follows. Please copy and paste for accuracy.
1]
Identifier: com.vmware.carbonblack.cloud.daemon

Identifier Type should be set to: Bundle ID

Code Requirement: identifier "com.vmware.carbonblack.cloud.daemon" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

App or Service should be set to: SystemPolicyAllFiles