Software Deployment Recipes (macOS)

The Software Deployment Recipes section for macOS offers a curated selection of recipes and guides to simplify the deployment of software and applications on your macOS devices. Explore best practices for automating software installations, customizing settings, and managing updates efficiently. Whether you're deploying apps across a single Mac or managing a fleet of devices, these recipes provide valuable insights into package creation, deployment methods, and utilizing macOS management tools. Enhance productivity, streamline software distribution, and maintain control over your macOS ecosystem with these tried-and-tested deployment recipes.

Amazon Kindle Deployment (macOS App)

Description

To create a Kindle.app Fileset, there is no need for Fileset Magic. Instead, drag-and-drop into a template Fileset will do it.

The Kindle App is also on the App Store, so you are able to use VPP.

These instructions will also work.

Ingredients

Directions

  1. Download and install Kindle.app on your FW Admin computer. You can do this through the App Store, but for easier updating we recommend visiting amazon.com (http://www.amazon.com/kindlemacdownload/ref=klp_mac) and downloading the Kindle app .dmg from there.
  2. Import the attached Fileset (Kindle-template.fileset.zip) into FileWave Admin, and double-click it to open it.
  3. Drag the Kindle.app from your Applications folder into the Applications folder of the Fileset.
  4. Your Fileset is ready to deploy!
  5. Important: If a user accidentally deletes / uninstalls the Kindle.app, it will not run again unless:
    • You deploy this app with FileWave Kiosk. This way, if a user accidentally deletes / uninstalls the Kindle.app, they will have the option to make the app run again by clicking Uninstall and then Install in the Kiosk.
    • Otherwise, the FW Admin will have to send a "reinstall selected fileset" command to make the Kindle.app open again.


Adobe Creative Cloud (macOS)

Description

In today's digital age, visual content plays a pivotal role in branding, marketing, and communication strategies for enterprises. Adobe Creative Cloud offers a robust suite of tools tailored for creative professionals, and its enterprise version brings forth additional functionalities to manage and streamline the creative workflow.

FileWave can help you in deploying and managing these Adobe Creative Cloud applications.

Ingredients

Directions

  1. Accessing the Admin Console:
    • To initiate the deployment process, administrators must log in to the Adobe Admin Console using their authorized credentials. The admin console provides a range of management options, including user provisioning, license management, and application deployment.
  2. Navigate to Packages
  3. Creating Deployment Packages
    • Choose the proper platform, next to the search product bar; select Mac for macOS deployment
    • Within the admin console, administrators can create customized deployment packages for Adobe Creative Cloud applications. These packages include specific software, settings, and configurations tailored to the organization's needs.
    • Select Packages to customize managed installers, or Pre-generated packages for a pre-built installer ready for deployment
  4. Selecting Applications
    • The admin can choose which Adobe applications to include in the deployment package based on the roles and responsibilities of different users within the organization. This flexibility ensures that each user has access to the tools they require for their tasks.
  5. Distributing Deployment Packages
    • Once the deployment package is configured, administrators can distribute it to users or groups within the organization. This can be achieved by downloading the installer that was created, then uploading it into FileWave Central via New Desktop Fileset > Apple > PKG.
  6. Upload into FileWave Central using the New Desktop Fileset > Apple > PKG
  7. Assign to macOS device
  8. Update Model

Please Note: Adobe Creative Cloud Packager may be customized with settings for application updates directly from Adobe and custom install directory for Windows and macOS.

Audacity and Lame Deployment (macOS)

Description

Audacity is great free, open source, cross-platform audio software for macOS, Windows, and Linux.

Ingredients

Directions

Audacity Application

The application is a simple drag-n-drop deployment

  1. Download the latest
  2. Open the download and move the application to your Applications folder
  3. Drag it from your Applications folder to your FileWave Admin Fileset View

Lame

The Lame libraries are an add-on best sent as a secondary fileset.

  1. Download the latest version of lame for Audacity
  2. uncompress the download and install
  3. Download the attached template fileset - Audacity Plugin - LAME-Template.fileset.zip
  4. Uncompress and import into FileWave Admin
  5. Replace the placeholder file with the ones from your system
 

[Image: Lame fileset before]

[Image: Lame fileset after]


Box Sync Deployment (macOS)

Description

Box Sync is a desktop sync application that keeps all your files safe and secure in the cloud, while having them available on your computer and accessible from anywhere, on any device with Box mobile apps. No matter how you work, Box Sync helps you keep your files organized, safe, and always in sync with your business.

Ingredients

Directions

  1. Create a new empty fileset (From the Fileset View : New Desktop Fileset > Empty : Type a Name > OK)
  2. With it selected: Click the Scripts item in the button bar
  3. Create a new activation script and name it.
  4. Paste the script below and edit
    The Fileset is composed of a script that downloads the latest version of Box Sync from the Box CDN and executes the Install .app to install Box Sync. It uses a bootstrapper provided by Box that allows the installation from any user account. Once the app is installed, it configures itself for the customer's account and prompts the customer to log into their Box account.
#!/bin/bash
# Original Script by Bryson Tyrrell | bryson.tyrrell@gmail.com | http://twitter.com/bryson3gps
# Modified on December 16, 2015 by Gilbert Palau | Univision Desktop Engineering | gpalau@univision.net
#
# The BoxEdit components Box Local Com Server.app and Box Edit.app are launched via launch_app.sh code
# added with permission of Elliot Jordan <elliot@lindegroup.com>
# launch_app was created on 02-10-2015 and last modified by Elliot Jordan on 02-27-2015  | v1.2
# Integrated on 12-18-2015 by Gilbert Palau | Univision Desktop Engineering | gpalau@univision.net
#
# Much thanks to Bryson, who figured out the command line to install from within the app...
# Install\ Box\ Tools.app/Contents/MacOS/Box\ Tools\ Installer -silent -local

policy="Box Edit 3.1.2"
loggertag="system-log-tag"
tmpdir="/tmp"
dmg="$tmpdir/BoxEditInstaller.dmg"
downloadurl="https://e3.boxcdn.net/box-installers/boxedit/mac/currentrelease/BoxEditInstaller.dmg"

# Knock Knock... Who is there?
# Resolve the console user first: the loginwindow PID lookup filters on it.
CURRENT_USER=$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')
CURRENT_USER_LOGIN_PID=$(ps auxww | grep "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow" | grep "$CURRENT_USER" | grep -v "grep" | awk '{print $2}')

# Without a console user there is no account for su to run the installer as.
if [ -z "$CURRENT_USER" ]; then
    echo "No user is logged in at the console, exiting..."
    exit 100
fi

# Download BoxEdit Package from EvilBox
echo ""
echo "Downloading Box Edit"
# Size advertised by the server. Header names are lower-case over HTTP/2, so match case-insensitively.
webCheckSum=$(curl -sI "$downloadurl" | tr -d '\r' | awk 'tolower($1) == "content-length:" {print $2}')
# TLS certificate verification stays on (no -k): the downloaded installer is executed below.
curl -fS --progress-bar "$downloadurl" -o "$dmg"
# cksum prints "<CRC> <size in bytes> <name>"; field 2 is the size, so this compares
# sizes only. It detects a truncated download, not a modified one.
fileCheckSum=$(cksum "$dmg" | awk '{print $2}')
if [ -z "$webCheckSum" ] || [ "$webCheckSum" != "$fileCheckSum" ]; then
    rm -f "$dmg"
    echo "The file did not download properly, exiting..."
    exit 101
fi
echo "Mounting Box Edit DMG..."
if ! hdiutil attach -quiet "$dmg"; then
    rm -f "$dmg"
    echo "The Box Edit DMG failed to mount properly, exiting..."
    exit 102
fi
cp -fR "/Volumes/Box Tools Installer/Install Box Tools.app" "$tmpdir/"
hdiutil eject -quiet "/Volumes/Box Tools Installer/"
rm -f "$dmg"
echo "Running the Box Edit Installer app"
# This is the golden goose... Thanks Bryson!
/usr/bin/su "$CURRENT_USER" -c "$tmpdir/Install\ Box\ Tools.app/Contents/MacOS/Box\ Tools\ Installer -silent -local"

echo "Finished"
exit 0


Comic Life Deployment (macOS Fileset Magic)

Description

A simple way to install Comic Life on macOS and record that it was registered. Ensure that you are properly licensed for the application.

Last tested with ComicLife 3.5.8

Ingredients

Directions

  1. Do Initial Fileset Magic capture
  2. Install ComicLife
    • unzip latest version
    • place into application folder
    • drag/import from the application folder
  3. Launch ComicLife 
    • Accept License
    • Select "Register"
    • Enter Org name
    • Enter Serial Number
  4. Close ComicLife
  5. Open it again 
    • This time it will ask about automatic updates and "staying in touch"; I like to turn them off
  6. Close ComicLife again
  7. Do second Fileset Magic scan (capturing changes)
    • Make sure to move items to all users



 


CrowdStrike Falcon Protection (macOS)

Description

Need to deploy CrowdStrike Falcon antivirus to your macOS fleet? FileWave has you covered.

CrowdStrike's flagship product is called Falcon, which is a cloud-native platform that combines next-generation antivirus, endpoint detection and response (EDR), threat intelligence, and proactive threat hunting. Falcon aims to provide real-time visibility into endpoint activity, rapid threat detection, and automated response to security incidents.

Ingredients

Directions

Deploying the CrowdStrike Falcon to your devices

CrowdStrike deployment for macOS requires two Filesets: one TCC profile and the PKG installer. The TCC profile depends on the architecture of your macOS fleet; both are provided in this article for download. The PKG installer has two scripts: one sets your CrowdStrike Falcon license, and the other checks that the TCC profile is installed before the CrowdStrike application.

Download the TCC profile

Note: Please download and verify the TCC profile for your macOS architecture. Below are screen shots of both Intel and Apple Silicon

Intel based macOS devices:

Falcon Profile for Intel.fileset.zip

Intel based TCC Profile


Apple Silicon based macOS devices:

Falcon profile for M1.fileset.zip

Apple Silicon based TCC Profile


Download the PKG installer

The PKG installer will have three components in the Fileset. Note the PKG installer, along with the two scripts: a requirement and activation script.

The Fileset included with the PKG installer is version 6.58.17102.0 of CrowdStrike for macOS Big Sur and beyond (This version will not install on macOS Catalina).

PKG - FalconSensorMacOS.MaverickGyr.fileset.zip


CrowdStrike License

Customizing the Fileset with your CrowdStrike license is required. The Fileset has a License.sh script to edit and enter in your license code.

Editing the License.sh script

  1. Highlight your CrowdStrike PKG installer Fileset 
  2. Select Scripts to open the Script window.
  3. Highlight License.sh
  4. Click Edit

Entering in your license code

  1. Highlight the ####### string and enter in your CrowdStrike License code
  2. Click OK to save
  3. Click OK to save again to save your license code for the CrowdStrike Fileset


License code script
#!/bin/zsh

echo "License is being set"
/Applications/Falcon.app/Contents/Resources/falconctl license ##########
echo "License is set"

exit 0

 

Check for Falcon Profile

The Payload Identifiers are already set and entered. The below are step-by-step instructions to add your own Payload Bundle Identifier if needed.

Note: The Requirement script verifies that the CrowdStrike Falcon Profile is installed successfully BEFORE running the installation of CrowdStrike.

There are two entries for your profile identifiers. You may enter both the Intel and the Apple Silicon identifier, as the script checks that either profile is installed successfully BEFORE running the installation of CrowdStrike.

Editing the CheckForFalconProfile.sh

 

  1. Highlight your CrowdStrike PKG installer Fileset
  2. Select Scripts to open the Scripts window
  3. Highlight the CheckForFalconProfile.sh script
  4. Click Edit

Entering in your Intel and/or Apple Silicon Profile Identifier

 

  1. Highlight the string after profile_id="#####"
  2. Replace the ######, with your TCC profile Identifier.
  3. If not sure, open your Intel or Apple Silicon Profile and copy the Identifier.
  4. Click OK to save
  5. Click OK to save again to save your changes to the CrowdStrike Fileset


Check for Falcon profile script
#!/bin/zsh

# Payload identifiers of the Intel and Apple Silicon TCC profiles
profile_id="863BE372-D1FA-4082-85B2-3B8FE63797C5"
profile_id2="C1A6E28A-21EF-49C6-B85F-84E845731E22"

# Last field of any line in the profile listing that mentions the identifier
found_profile=$(profiles list all | awk -v search="$profile_id" '$0 ~ search {print $NF}')
found_profile2=$(profiles list all | awk -v search="$profile_id2" '$0 ~ search {print $NF}')

# Count how many of the two profiles are missing
i=0
if [ -z "$found_profile" ]
then
        echo "Did not find $profile_id"
        i=$((i+1))
fi

if [ -z "$found_profile2" ]
then
        echo "Did not find $profile_id2"
        i=$((i+1))
fi

# The requirement fails only when neither profile is installed
if [ "$i" -eq 2 ]
then
       echo "Both Profiles are missing"
       exit 1
fi
echo "Found installed profile: $profile_id or $profile_id2"
exit 0

 


Creating a Fileset Group

Keeping your Filesets organized is good practice, especially if there are multiple Filesets for software deployment. You may create a New Fileset Group, label it CrowdStrike Falcon (macOS 2023), and move all the Filesets you created into that Fileset Group. Then associate the Fileset Group labeled CrowdStrike Falcon (macOS 2023) to your devices rather than the individual Filesets.

Once all the Filesets and the Profile have been created, you may associate the Fileset Group labeled CrowdStrike Falcon (macOS 2023) to a few devices as a test. This is to verify and confirm that the software is installed properly based on the license code you configured.

Fileset recipe to block applications by name (macOS Script)

The Fileset will block the supplied list of applications on your macOS machines by running a script every 5 seconds on your client machines.

Step-by-step guide

Download, edit and associate the below Fileset. 

  1. Download the "macOS - Block Applications.fileset.zip" below.
    macOS - Block Applications.fileset.zip
  2. Import the "macOS - Block Applications.fileset" into the Filesets tab of the FileWave Admin.
  3. Edit the Fileset to include the appropriate list of applications to block.
    • Select the install_block_application.sh file and then Get Info
    • Edit the Executable > Launch Arguments to include the binary name of any app to be blocked, e.g. Messages, FaceTime, and Keychain Access
  4. Associate the Fileset to a handful of test machines so you can see the behavior of the Fileset before mass deploying to all of your devices.
  5. After that, you are done!

Binary Names
To find the name of the binary to block, take a look at the application's contents. Every App has the same directory structure > ApplicationName.app/Contents/MacOS/ApplicationName, where ApplicationName is the binary to block, e.g.
FaceTime
/Applications/FaceTime.app/Contents/MacOS/FaceTime

Terminal
/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal

If you want to block an application with a space in its name, like Keychain Access, you will need quotes (") around the name. So you would add "Keychain Access" to Executable > Launch Arguments.

Blocking Install macOS Apps

Install macOS Apps may be blocked by supplying the following Launch Argument in the Fileset:

osinstallersetupd

However, this will block all Install macOS Apps.  If you wish to block one installer, e.g Catalina, but have workflows that require earlier versions to install, consider the following Fileset example:

macOS - Block Applications Including macOS Install App.fileset.zip

Use this Fileset instead of the earlier one and supply all desired Apps to block as per below.

Inside the install_block_applications.sh script you will find a 'case' block.  This section should be edited to meet your requirements.  Current settings within the Fileset below.  

This will only allow the macOS Ventura Installer.app to run.  All other macOS Installer Apps will be prevented from running:

	case \$process_details in

		*"Ventura"*)
			log_me "Found: \$process_details"
			log_me "Nothing to do"
			;;
		*)
			block_me "osinstallersetupd"
			;;
	esac

 

Examples

Block Sonoma and Ventura, but allow any other installers

As well as allowing older installers than Ventura to run, this will also allow newer installers beyond Sonoma to run.

	case \$process_details in

		*"Sonoma"*)
			block_me "osinstallersetupd"
			;;

		*"Ventura"*)
			block_me "osinstallersetupd"
			;;
		*)
			log_me "Found: \$process_details"
			log_me "Allowed.  Nothing to do"
			;;
	esac

Allow Ventura and Monterey, block any other installers

Ventura and Monterey installers will be allowed to run, but all other installers, including newer ones, will be prevented.

	case \$process_details in

		*"Ventura"*)
			log_me "Found: \$process_details"
			log_me "Allowed.  Nothing to do"
			;;
		*"Monterey"*)
			log_me "Found: \$process_details"
			log_me "Allowed.  Nothing to do"
			;;
		*)
			block_me "osinstallersetupd"
			;;
	esac


The following KB has an alternate method for blocking just macOS Installation Apps, with user interaction:

macOS - Block Apple Install macOS Application

Firefox Configuration Recipe (macOS)

Description

After installing Firefox, some configuration may be desirable, examples may include:

Firefox Documentation
The details of the Fileset are based upon: Firefox Configuration
This is known to work with version 60, upwards. It may work with earlier versions, but testing on placement of files may vary with earlier versions. macOS may alternatively use a Configuration Profile (Firefox 64+, ESR 60.4+)

Ingredients

Directions

// Any comment. You must start the file with a comment!
pref("general.config.filename", "mozilla.cfg");
pref("general.config.obscure_value", 0);
// Any comment. You must start the file with a comment!
 
// Disable updater
lockPref("app.update.enabled", false);
lockPref("app.update.auto", false);
lockPref("app.update.mode", 0);
lockPref("app.update.service.enabled", false);
 
// Set Homepage and stop Mozilla startup pages
lockPref("browser.startup.firstrunSkipsHomepage", false);
pref("browser.startup.homepage","http://www.filewave.com");
lockPref("browser.startup.homepage_override.mstone", "ignore");
 
// Disable Privacy telemetry
lockPref("datareporting.policy.firstRunURL", "");
lockPref("datareporting.healthreport.service.enabled", false);
lockPref("datareporting.healthreport.uploadEnabled", false);
lockPref("datareporting.policy.dataSubmissionEnabled", false);
lockPref("toolkit.telemetry.unified", false);

Preference Overview

Preference types can include: pref, defaultPref, lockPref, amongst others.  Details can be found at: https://support.mozilla.org/en-US/kb/customizing-firefox-using-autoconfig

pref

This is used to set a preference that can be overridden by the user, but on next launch of the application it will revert back to the setting within the configuration file

lockPref

A lockPref cannot be overridden by the user

defaultPref

This is used to set a preference that can be overridden by the user.  The user's setting will persist until the user resets them, at which point the defaultPref will be used on next launch of the application

Preference Names

Navigating to 'about:config' in the Firefox URL bar will list all possible preference names and their values and types.

Association

When associating, to ensure the configuration is installed with the Application, consider creating a Fileset Group:

Associating the 'Firefox' Fileset Group will ensure both the Application and Configuration are associated to devices.  

When there is an update to Firefox, replace the version in the Fileset Group with the latest version after testing.

Profile With macOS

A Configuration Profile may be delivered to macOS for Firefox management:

https://support.mozilla.org/en-US/kb/managing-policies-osx-desktops

The linked plist file may be imported into the FileWave Profile Editor ('Upload File...') and then edited appropriately.

The key settings to focus on initially are:

Default values in the template will require editing:  EnterprisePoliciesEnabled should be enabled to allow management to take control.  RequestedLocales may require editing to meet the specific needs.

The template is preconfigured as:

To change from German to British for example:

These settings would enforce management for en-GB and en-US, whilst other English locales, e.g en-CA, en-AU would not be managed.  Instead, one locale of 'en' could be set to block all English locales.

Key Values
If EnterprisePoliciesEnabled is not set as true and a correct RequestedLocales is not included, management should not be expected.

If unsure which locale is in use, without management in place the 'about:config' URL may be used to view settings:

To ensure users may not circumvent management by changing the locale, enable 'BlockAboutConfig' (already set as TRUE in the template file)

Microsoft Defender Recipe (macOS)

Description

Example recipe for deploying Microsoft Defender.

Ingredients

The list is actually quite extensive, due to the necessary payloads:

Downloads:

See below directions for deployment before associating with devices.

Microsoft Defender PKG and deployment script are available through the M365 Defender portal; details in the Microsoft Deployment KB:


The 'MicrosoftDefenderATPOnboardingMacOs.sh' is built by Microsoft with the appropriate licence code embedded into the script, such that the download is personal to the logged in account, when downloading.

               <key>OrgId</key>
                <string>[licence code here]</string>

The 'OnboardingInfo' key also has this code burnt into its value.

Directions

Download all of the above provided Filesets.  Note the Kernel Extension should only be required for legacy devices.

Fileset Group

Create a Fileset Group in which to add each of these.


Profiles should be installed first.  The Installer Fileset has a requirement script to ensure Profiles are installed before commencing with download and activation of the Installer.

The requirement script is designed to confirm ALL profiles are installed in advance, with the exception of the Kernel Extension, since this is legacy.  The Profile ID of the Kernel Extension may be added to the list within the Fileset.  If this is a requirement, but you are unsure how to approach it, just ask in either the Discord, Alliance or Slack FileWave forums.  Links are available through the 'Resources' of the FileWave Website.

Installer: 'wdav.pkg'

The 'Microsoft Defender Installer macOS' Fileset requires the downloaded PKG.  Open the Fileset and drag the PKG into the same location as the '.placeholder' file; this placeholder file may be deleted.


Script: MicrosoftDefenderATPOnboardingMacOs.sh

Edit the text of the provided 'MicrosoftDefenderATPOnboardingMacOs.sh' file within the Fileset and paste in a copy of the script contents downloaded from Microsoft:


Profile Payload Values

The Profiles to manage the AutoUpdater and Notifications are configured with default values; consider confirming the desired internal process and adjusting them to match.

The 'AcknowledgedDataCollectionPolicy' key prevents a user notification pop-up from showing.  Recommendation is to leave this value as set.

All other profile payload values should be correct at the time of writing, however, Microsoft may make changes over time which could require alteration of one or more of these.

Details pertaining to the contents of the payloads may be viewed in Microsoft's Defender Policies documentation; scroll down past the initial unnecessary information until you reach Step 4.

Assign to Devices

By way of either a 'Deployment' or 'Association' within FileWave, assign the Fileset to one or more test devices and once happy expand this to more devices.


Additional Information

The requirement script within the Installer Fileset is designed to ensure all profiles are in place before downloading and commencing with the installation.  Script output from the Client Info > Fileset Status displays logged information.

Example:

First time the script ran, the Profiles were not yet installed.  On next run profiles were installed and the requirement script exited with a value of 0.

Script Log:
----------------------- HEADER - Date: (Mon Sep 25 2023) - Time: (13:36:40) -----------------------
Set to match all profile IDs

Looking for profile: ml1063.local.5b1e7237-2773-4d3a-9627-361c4dd8a9b0.Configuration.5b1e7237-2773-4d3a-9627-361c4dd8a9b0
Profile found: FALSE

Looking for profile: ml1063.local.bd9007c3-41d6-45bb-a2bf-774ec901e4c2.Configuration.bd9007c3-41d6-45bb-a2bf-774ec901e4c2
Profile found: FALSE

Looking for profile: ml1063.local.7f249c3c-f79a-48cf-952c-dd178a00a5a6.Configuration.7f249c3c-f79a-48cf-952c-dd178a00a5a6
Profile found: FALSE

Looking for profile: ml1063.local.f68916cf-c1e0-47e2-a73c-700678267fe8.Configuration.f68916cf-c1e0-47e2-a73c-700678267fe8
Profile found: FALSE

Looking for profile: ml1063.local.4726b0a7-4f74-4369-8aeb-2450e4f0f935.Configuration.4726b0a7-4f74-4369-8aeb-2450e4f0f935
Profile found: FALSE
Only found 0 profiles from the supplied list of 5

----------------------- FOOTER - Date: (Mon Sep 25 2023) - Time: (13:36:41) - Exit code: (1) -----------------------

----------------------- HEADER - Date: (Mon Sep 25 2023) - Time: (13:39:31) -----------------------
Set to match all profile IDs

Looking for profile: ml1063.local.5b1e7237-2773-4d3a-9627-361c4dd8a9b0.Configuration.5b1e7237-2773-4d3a-9627-361c4dd8a9b0
Profile found: TRUE

Looking for profile: ml1063.local.bd9007c3-41d6-45bb-a2bf-774ec901e4c2.Configuration.bd9007c3-41d6-45bb-a2bf-774ec901e4c2
Profile found: TRUE

Looking for profile: ml1063.local.7f249c3c-f79a-48cf-952c-dd178a00a5a6.Configuration.7f249c3c-f79a-48cf-952c-dd178a00a5a6
Profile found: TRUE

Looking for profile: ml1063.local.f68916cf-c1e0-47e2-a73c-700678267fe8.Configuration.f68916cf-c1e0-47e2-a73c-700678267fe8
Profile found: TRUE

Looking for profile: ml1063.local.4726b0a7-4f74-4369-8aeb-2450e4f0f935.Configuration.4726b0a7-4f74-4369-8aeb-2450e4f0f935
Profile found: TRUE
All profiles found.  Exiting 0

----------------------- FOOTER - Date: (Mon Sep 25 2023) - Time: (13:39:33) - Exit code: (0) -----------------------

Subsequently, the Fileset downloaded and activated:

Client Log:
2023-09-25 13:39:34.758|main|INFO|CLIENT|about to downloadAllFileset files for Fileset MicroSoft Defender Installer macOS Installer Included, ID 736320, revision ID 736320
2023-09-25 13:39:35.697|main|INFO|CLIENT|Downloading Fileset MicroSoft Defender Installer macOS Installer Included, ID 736320, revision ID 736320
2023-09-25 14:03:49.650|main|INFO|CLIENT|finished downloadFileset files for Fileset MicroSoft Defender Installer macOS Installer Included, ID 736320, revision ID 736320
2023-09-25 14:03:50.285|main|INFO|CLIENT|Create all folders of fileset ID Fileset MicroSoft Defender Installer macOS Installer Included, ID 736320, revision ID 736320, version 4
2023-09-25 14:03:50.289|main|INFO|CLIENT|Activate all files of Fileset MicroSoft Defender Installer macOS Installer Included, ID 736320, revision ID 736320, version 4
2023-09-25 14:03:50.465|main|INFO|CLIENT|Done activating all 4 files of Fileset MicroSoft Defender Installer macOS Installer Included, ID 736320, revision ID 736320, version 4
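
Both requirement scripts on this page gate an installer on profile presence: the CrowdStrike check passes when either profile is installed, and the Defender check requires every profile in its list. The following is an added example, not the script shipped in either Fileset, that implements both modes and compares identifiers exactly instead of with a regex; the function names and the sample listing (including its line format) are assumptions, and `profiles list all` is the call used in the CrowdStrike script above.

```shell
#!/bin/sh
# Added example: requirement-style check that configuration profiles are installed.
# Not the Fileset's own script; function names and sample data are assumptions.

# Profile listing, using the same call as the CrowdStrike script on this page.
list_profiles() {
    profiles list all 2>/dev/null
}

# Constructed sample shaped like a profile listing; the line format is an assumption.
sample_listing() {
    cat <<'EOF'
_computerlevel[1] attribute: profileIdentifier: 11111111-AAAA-4000-8000-000000000001
_computerlevel[2] attribute: profileIdentifier: com.example.tcc.falcon.retired
There are 2 configuration profiles installed
EOF
}

# Regex match anywhere in the line: a shorter identifier also matches a longer
# one that contains it, and "." in an identifier matches any character.
profile_listed_regex() {
    list_profiles | awk -v search="$1" '$0 ~ search {hit=1} END {exit !hit}'
}

# Exact string comparison against the last field of each line.
profile_listed_exact() {
    list_profiles | awk -v id="$1" '($NF "") == (id "") {hit=1} END {exit !hit}'
}

# check_profiles MODE ID...
#   MODE all: every ID must be installed (Defender-style requirement)
#   MODE any: at least one ID must be installed (CrowdStrike-style requirement)
# Returns 0 when the requirement is met, 1 when it is not, 2 for a bad MODE.
check_profiles() {
    mode=$1
    shift
    case "$mode" in
        all|any) ;;
        *) echo "Unknown mode: $mode" >&2; return 2 ;;
    esac
    total=$#
    found=0
    for id in "$@"; do
        echo "Looking for profile: $id"
        if profile_listed_exact "$id"; then
            echo "Profile found: TRUE"
            found=$((found + 1))
        else
            echo "Profile found: FALSE"
        fi
    done
    echo "Found $found of $total profiles (mode: $mode)"
    if [ "$mode" = "all" ]; then
        # An empty list never satisfies the requirement.
        [ "$total" -gt 0 ] && [ "$found" -eq "$total" ]
    else
        [ "$found" -gt 0 ]
    fi
}
```

Used as a requirement script, the last line would be `check_profiles all <id> <id> ... || exit 1`, so the installer only activates once the listed profiles are present.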

Homebrew Deployment (macOS Script)

Description

Homebrew, also known simply as Brew, is the missing package manager for macOS (or Linux). Homebrew is able to install many tools that do not have another installer, and quite a lot of Linux-based tools have a Homebrew install. This article will guide you through installing it using FileWave.

Actually, not just Brew, but we will also install:

Ingredients

macOS Brew Fileset

Directions

  1. Unzip the download and drag the Fileset into the FileWave Central > Filesets view, into a Fileset group of choice.
  2. Associate with a test device and Update Model
  3. After all is well with the test, consider expanding this to a larger quantity of devices

Activation Script

The Activation Script will choose a version of the possible Apple Command Line tools and proceed to download and instal those tools.

Apple Command Line tools are a requirement and will be installed first.  

The Activation Script will use the newest version of the Command Line tools found when it is run.  It is possible to overrule this behaviour by supplying a desired version as a Launch Argument.

Example:

To instal version 13.2 Command Line tools, select the Activation Script: 'instal_apple_cl.sh' from within the Fileset and from the 'Get Info' view, edit the Executable Launch Arguments, as below:


Software Updates may be large in size.  This can slow down the installation as well as use high bandwidth.   A 'Wait for' as 'Infinite' could easily be required.

Post Activation Script

The Fileset will attempt to instal Brew with the currently logged in user.  If this current user does not have an ID greater than 500, the script will attempt to instal with an Admin user on the device.  The script log should report the user that was configured for Brew.  Consider altering the script if a different behaviour is desired.  

This user shall also be added to the macOS developer group.

Below are the sections of script that defines the user and also adds that user to the development group:

current_user=$(stat -f%Su /dev/console)

# ....

# If user is below uid 500 should we abort or pick a user.  Picking an admin user for now
if [ "$(id -u "$current_user")" -lt 501 ]
then
	echo "No 500 user.  Picking a local admin user"
	# GroupMembership lists every admin on one line; the last entry is used
	current_user=$(/usr/bin/dscl . -read /Groups/admin GroupMembership | awk '{print $NF}')
fi

echo "Configuring user ${current_user}..."

# Add them as a developer
# Compare whole group names, so _developer is also found when it is first or last in the list
if ! id -Gn "$current_user" | tr ' ' '\n' | grep -qx '_developer'
then
	echo "Adding user $current_user to _developer group"
	/usr/sbin/dseditgroup -o edit -a "$current_user" -t user _developer
fi

Brew/Cask installations may also be large in size.  The same considerations as the Activation Script would therefore also be likely.  Additionally, the Fileset will double check there are no further updates and if so, those shall also be installed.

Uninstall

If you want to remove Brew, the best way is likely these scripted methods, because you are probably just fixing a single machine when you remove Brew. You could also use curl to fetch uninstall.sh and put it in the Fileset if you want to uninstall when you remove the Association to the Fileset.

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/uninstall.sh)"

If you want to run the Homebrew uninstaller non-interactively, you can use:

NONINTERACTIVE=1 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/uninstall.sh)"

Download the uninstall script and run /bin/bash uninstall.sh --help to view more uninstall options.

iBooks Author Deployment (macOS App)

Description

Member of iTunes U? Need to get iBooks Author out to your staff? We can do that.

Ingredients

Directions

  1. Log onto the FileWave server with FileWave Admin as an account that has permissions to create Filesets.
  2. With FileWave Admin running, drag and drop the installed iBooks Author.app from the Applications folder onto the FileWave Admin window while the Filesets view is foremost.
  3. Now go to the Associations window to assign who gets the software.
  4. Update the FileWave Server Model.



Installomator - The one installer script to rule them all (macOS PKG)

Description

This article delves into the application of Installomator, a shell script, in combination with FileWave for the maintenance of macOS applications. Installomator supports the downloading and installation of over 450 different applications, operating directly from the vendor's public URLs. This approach is compared with the use of AutoPkg, a tool that provides more stringent control over versioning, testing, and release management.

Installomator can be a valuable tool when deploying the latest publicly available version of an application is the goal. It verifies the authenticity and validity of each download, though it's not a fully automated solution. For certain applications like Chrome, Zoom, and Microsoft Office, their update processes may be better managed via a config profile. Additionally, attention may be needed for built-in auto update prompts of other apps.

A key characteristic of Installomator is its handling of versioning. Instead of installing only when the downloaded version is newer, Installomator initiates installation if the version numbers differ. This is due to the complexities in determining which version number is higher. For instance, if Installomator downloads version 4 after a vendor has released version 5 due to a URL change, it will attempt to install version 4 because the version numbers differ.

Ingredients

Directions

Deploying Installomator on all your Macs

Installomator operates by taking a 'label' parameter representing the application to be installed. It generally only installs an application if the latest version is newer than the installed version, though exceptions exist, emphasizing the importance of thorough testing. It's deployed via a single FileWave Fileset, with numerous configuration options to improve user experience and system stability. These include user notifications upon completion, the closing of the app prior to installation, prompts before closing the app, and the ability to re-launch the app post-update if it was initially open. Installomator does not interact with App Store applications except to replace them with non-App Store versions if desired. See Configuration Options further down for how to customize the operation of the script.

Installing Installomator

  1. Download the PKG for SwiftDialog and install the PKG as a FileSet.
  2. Download the PKG for Installomator from Releases · Installomator/Installomator (github.com) and install the PKG as a FileSet. This will place the script file at /usr/local/Installomator/Installomator.sh

PKG Filesets are easy to make. You can start by dragging and dropping the PKG on the Filesets window in FileWave Central or use our example here: PKG - Installomator.fileset.zip

Identifying an App to install

Run Installomator by itself in Terminal and get the full list of apps it can install:

/usr/local/Installomator/Installomator.sh

This is the output of that command:

jlevitsk — -zsh — 81×22 2023-07-22 at 12.45.48 PM.jpg

Or run Installomator in Terminal with grep to filter the results:

/usr/local/Installomator/Installomator.sh | grep -i bbedit

This is the output of that command:

jlevitsk — -zsh — 88×8 2023-07-22 at 12.48.33 PM.jpg

Installing an App

At this point you have installed both swiftDialog and Installomator. For the next steps here is an example BBEdit - Installomator.fileset.zip to look at while you follow along.

The BBEdit example is a very simple Fileset containing 3 scripts, and that's all. 

The scripts are fairly simple and listed below:

check_installomator.sh

#!/bin/zsh
# Checks every 2 minutes for Installomator to be present. 
# Add the contents of your script below:

if [ -f "/usr/local/Installomator/Installomator.sh" ]; then
	exit 0
else
	echo "Could not find Installomator"
	exit 1
fi

install.sh

#!/bin/zsh
# Remember to change the properties for both install.sh and verify.sh
# to have the right app label since it is passed to the script from properties. 

/usr/local/Installomator/Installomator.sh $1 NOTIFY_DIALOG=1 NOTIFY=success LOGO=/usr/local/sbin/FileWave.app/Contents/Resources/fwGUI.app/Contents/Resources/kiosk.icns

verify.sh

#!/bin/zsh
# Remember to change the properties for both install.sh and verify.sh
# to have the right app label since it is passed to the script from properties. 

/usr/local/Installomator/Installomator.sh $1 NOTIFY_DIALOG=1 NOTIFY=success LOGO=/usr/local/sbin/FileWave.app/Contents/Resources/fwGUI.app/Contents/Resources/kiosk.icns

In our example both install.sh and verify.sh are identical but they don't have to be depending on your needs. 

image.png

 

image.png

 

So now you may be wondering about where "bbedit" is since that label is the label we want to use? Highlight the BBEdit Fileset in your admin console and click the Scripts button in the toolbar. Now right click on install.sh and pick Properties. The dialog will look like the one here. You'll want to change bbedit to whatever app you want this to install. Do the same exact thing for verify.sh.

Configuration Options

In our example, we pass the LOGO parameter to the script. This action assigns a FileWave logo to the script, derived from the FileWave Kiosk icon file located on a device with FileWave installed. You can also pass additional parameters to further refine Installomator's behavior. This is covered in greater detail at the following link: Configuration and Variables · Installomator/Installomator Wiki (github.com) One setting you may want to change is NOTIFY=success to be NOTIFY=all if you are using Kiosk to allow someone to install apps. 

What it looks like

To install an app this way you simply Associate the swiftDialog Fileset, Installomator Fileset, and BBEdit - Installomator.fileset.zip Filesets and you should see it install. 

Be careful as some apps/labels may install even if the app is already on the latest version

Depending on what dialogs you have enabled you may show status messages like the below. We recommend not editing the Installomator script itself but rather pass the options as parameters in your Filesets. 

Using_Installomator_to_support_3rd_party_apps_-_Mac (2).pdf 2023-07-22 at 1.25.57 PM.jpg

Using_Installomator_to_support_3rd_party_apps_-_Mac (2).pdf 2023-07-22 at 1.27.01 PM.jpg

You should now be able to deploy anything that Installomator supports. Just remember that this tool is designed to always keep things up to date which can be a good or bad thing for you depending on your use case.

Troubleshooting

You will be able to see what the Fileset is doing by leveraging the Fileset logs. All 3 of the scripts will log to /var/log/fwcld/<fileset_id> where <fileset_id> is the same as the ID you see in FileWave for the Fileset.


You may also be able to use FileWave Central to right click on the log and view it, but when testing, the log on the machine is the simplest option and will exist 100% of the time.


Digging Deeper

The choice between Installomator and AutoPkg ultimately hinges on your administrative preferences and needs. Installomator, with its ability to streamline the download and installation of different versions of applications, serves as a viable option when the goal is to deploy the latest publicly available versions. However, it requires careful management, especially considering its approach to version comparison and updates. On the other hand, AutoPkg presents a viable alternative for those seeking a more tightly controlled release process, offering thorough testing, versioning, and release management.

Lightspeed Smart Agent Deployment (macOS 2023)

Description

Need to deploy Lightspeed Smart Agent along with your configurations? FileWave has got you covered in this step-by-step guide to creating the required Filesets to deploy to your macOS devices. Be sure that you have access to your administrative account on relay.school.com.

If you are using the new method with Lightspeed Certificate Manager please review:
Lightspeed Smart Agent Deployment (macOS v2.3.1+ using Certificate Manager)

Ingredients

Web Content Filter - Creating a Web Content Filter within FileWave Central changes the UDID, and the deployment is unsuccessful. As a workaround, re-create the Web Content Filter in FileWave Anywhere. The issue should be resolved in the next release. See Known Issues

Download Lightspeed Relay Filter Agent

  1. Login to your Lightspeed Filter account at relay.school.com

    1. Navigate to Settings > Software

    2. Choose Lightspeed Filter

    3. Select the Mac tab

    4. Select the version of the Relay Filter Agent by clicking on the download icon

    5. Place the downloaded SmartAgent.dmg into your Downloads Folder

Download the macOS deploy script

  1. Download the mac_deploy.sh script, found here: mac_deploy.sh

  2. Place the downloaded mac_deploy.sh script into your Downloads

  3. Unzip the downloaded mac_deploy.sh script

  4. Open Terminal to run the script

    # enter as root
    $ sudo -s
    # navigate to your Downloads folder
    $ cd ~/Downloads
    # run the script to create three files on the Desktop
    $ ./mac_deploy.sh

  5. Once the script has been executed, it will have created three files on your Desktop: ca.cer, deployment.zip and SmartAgent.pkg

Note: Be sure both SmartAgent.dmg and mac_deploy.sh are in the same directory, i.e. Downloads folder for the mac_deploy script to successfully create the deployment files and certificate.

Create the Configuration Profile

  1. Open FileWave Central or FileWave Anywhere

  2. Navigate to Filesets > Select New Desktop Fileset > Click on Profile

  3. Enter the name of the Profile: General > Name: Lightspeed Agent Profile

    FileWaveLightspeed1.png

  4. Select Certificates payload to add your ca.cer certificate

    FileWaveLightspeed2.png

  5. Navigate to System Extension Policy payload, add and enter in the following:

    1. Click + to add Allowed Team Identifiers:
      Team Identifier:  ZAGTUU2342

    2. Click + to add Allowed System Extensions:

      1st Allowed System Extensions:  com.lightspeedsystems.network-agent

      Add the 2nd Allowed System Extension, separated by a comma after the 1st Allowed System Extension

      2nd Allowed System Extensions: com.lightspeedsystems.network-agent.network-extension

    3. Click + to add Allowed System Extension Types and check box for Network:

      Team Identifier:  ZAGTUU2342

      FileWaveLightspeed3.png

  6. Navigate to Web Content Filter and enter in the following:

    1. Filter Name: Lightspeed Agent

    2. Identifier: com.lightspeedsystems.network-agent 

    3. Filter Options: Socket Traffic Only

    4. Socket Filter Bundle Identifier: com.lightspeedsystems.network-agent.network-extension 

    5. Socket Filter Designated Requirement: anchor apple generic and identifier "com.lightspeedsystems.network-agent.network-extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = ZAGTUU2342)

      FileWaveLightspeed4.png

  7. The completed configuration profile will have three payloads; these include: Certificates, System Extension Policy and Web Content Filter

    FileWaveLightspeed5.png

Editing the Install script

  1. Download and unzip the Install script, found here: install_lightspeed.sh

  2. Open the install.sh in TextEdit or compatible Text Editor, for example Sublime Text

  3. Enter in your URL to the hosted file in line 3 of the Install Script; between the quotes, where it says, “Your FQHN HERE to the deployment.zip”

    FileWaveLightspeed6.png

  4. Save the changes to the install.sh script

Note: The deployment.zip file created on the desktop must be hosted for the deployment to succeed. (This can be accomplished with Google Drive (may use Google Drive Direct Link Generator), Microsoft OneDrive, Amazon S3, etc.) Be sure the deployment.zip file is accessible so that the install.sh script can download it successfully; otherwise the installation of the Lightspeed Filter will not complete.

Import the Smart Agent PKG

  1. Navigate to Filesets > Create New Desktop Fileset > Select MSI / PKG

  2. Navigate to your downloaded SmartAgent.pkg to upload into the Fileset

  3. Please wait a few moments for the PKG installer to upload into your FileWave server

    FileWaveLightspeed13.png

  4. After successfully uploading, highlight the Fileset > Select Properties

  5. Under the Requirements tab, check the box Platform and check macOS only, then under System Version check only the boxes for macOS 12.x and 13.x

    FileWaveLightspeed14.png

  6. Click OK to save

Note: If all of your devices are not on macOS 12 or greater, you will want to set the Requirements for the Fileset for macOS 12 and above

Editing the Smart Agent PKG Fileset

  1. Highlight the newly created Fileset with your Smart Agent PKG
  2. Click on Script in the menu to open Script dialogue window
  3. Highlight Requirement Scripts and click on the Create button

    LightspeedSmartAgentPKG.png

  4. Label script, check_LS.sh
  5. Copy and paste the entire check profile script below:

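    #!/bin/zsh
    # Exits 0 as soon as one of the profile identifiers passed as
    # launch arguments is found installed; exits 1 if none is found.
    
    found_profile=""
    
    while [ $# -gt 0 ]
    do
    	# Print the last field of every line of the profile list that matches the identifier
    	found_profile=$(profiles list all | awk -v search="$1" '$0 ~ search {print $NF}')
    	if [ -n "$found_profile" ]
    	then
    		echo "Found installed profile: $found_profile"
    		exit 0
    	else
    		echo "Did not find $1" 
    	fi
    	shift
    done
     
    exit 1

  6. Click OK to save the script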
  7. Highlight the check_LS.sh and right-click to select Properties

    LightspeedSmartAgentPKG2.png

  8. Select the Executable tab, under the Launch Arguments tab, click on the + button to add your Lightspeed Agent Profile’s Identifier (found by double-clicking on your Lightspeed Agent Profile)

    LightspeedSmartAgentPKG3.png

  9. Click OK to Apply to save changes
  10. Close out Properties of the Requirement Script
  11. Click OK to save changes to Smart Agent PKG Fileset

Creating the Installation Fileset

  1. Navigate to Filesets > Create New Desktop Fileset > Empty Fileset > label Lightspeed Install Script

  2. Click on Script in the menu to open the Script dialogue window
  3. Highlight Activation Scripts and click on the Create button

    FileWaveLightspeedScript2.png

  4. Label script, install_lightspeed.sh

  5. Copy and paste the entire install.sh script, in which you saved the URL to your hosted file in the earlier step, Editing the Install script.

    FileWaveLightspeedScript3.png

  6. Click OK to save script

  7. Highlight Requirement Scripts and click on Create button

  8. Label script, check_LS_profile.sh

  9. Copy and paste the entire check profile script below:

    #!/bin/zsh
    # Exits 0 as soon as one of the profile identifiers passed as
    # launch arguments is found installed; exits 1 if none is found.

    found_profile=""

    while [ $# -gt 0 ]
    do
    	# Print the last field of every line of the profile list that matches the identifier
    	found_profile=$(profiles list all | awk -v search="$1" '$0 ~ search {print $NF}')
    	if [ -n "$found_profile" ]
    	then
    		echo "Found installed profile: $found_profile"
    		exit 0
    	else
    		echo "Did not find $1" 
    	fi
    	shift
    done

    exit 1

  10. Click OK to save the script

  11. Highlight the check_LS_profile.sh and right-click to select Properties

    FileWaveLightspeed10.png

  12. Select the Executable tab, under the Launch Arguments tab, click on the + button to add your Lightspeed Agent Profile’s Identifier (found by double-clicking on your Lightspeed Agent Profile)

    FileWaveLightspeed11.png

  13. Click Apply to save changes

  14. Close out Properties of the Requirement Script

  15. Click OK to save changes to Lightspeed Installation Fileset

Note: This Requirement script verifies that the Lightspeed Agent Profile is installed successfully BEFORE running the installation of Lightspeed.

When all steps are completed, the Fileset contents will include your Smart Agent PKG, Lightspeed Install and Profile.

LightspeedSmartAgentPKG4.png

LightspeedInstallationFileset.png

Creating Fileset Group for your Lightspeed Filter Agent Filesets

Keeping your Filesets organized is good practice, especially if there are multiple Filesets for software deployment. You may create a New Fileset Group, label it Lightspeed Filter Agent (macOS 2023), and move all the Filesets you created into that Fileset Group. Then you may associate the Fileset Group labeled Lightspeed Filter Agent (macOS 2023) to your devices versus individual Filesets.

LightspeedDeployment.png

Once all the Filesets and Profile have been created, you may associate the Fileset Group labeled Lightspeed Filter Agent macOS 2023 to a few devices as a test. This is to verify and confirm that the filter is installed and filtering properly based on your configurations. For best practice, always test a few devices before mass deployment.

Lightspeed Smart Filter Deployment (iOS 2023)

Needing to deploy Lightspeed for iOS devices? Review the KB article here: Lightspeed Smart Filter Deployment (iOS 2023).

Lightspeed Smart Filter Deployment (macOS v2.3.1+ using Certificate Manager)

Needing to deploy Lightspeed for macOS using Certificate Manager? Review the KB article here: Lightspeed Smart Filter Deployment using Certificate Manager.

Lightspeed Smart Agent Deployment (macOS v2.3.1+ using Certificate Manager)

Description

Need to deploy the latest version of Lightspeed Smart Agent version 2.3.1 along with your configurations? FileWave has got you covered in this step-by-step guide to creating the required Filesets to deploy to your macOS devices. Be sure that you have access to your administrative account in the Lightspeed Filter app.

This KB article involves using the new Lightspeed Certificate Manager method. If you are using a version below v2.3.1, please review the KB article here: Lightspeed Smart Agent Deployment (macOS 2023)

The new method involves using LightSpeed Certificate Manager. Certificate Manager leverages a cloud-based system to generate and monitor certificates and expiration, automatically pushing new certificate files to devices in the background (without disruption!) to ensure they always are current. In addition, Lightspeed is also leveraging root certificates for the trusting process, meaning that instead of repeatedly needing to re-trust the certificates every time they update - you now only need to trust the first time.

Note: You must use the MacOS Filter Agent 2.3.1+ to use Certificate Manager

Ingredients

Web Content Filter - A bug (FW-12629) exists which prevents the Filter Order being set. 

Download Lightspeed Relay Filter Agent for macOS

  1. Login to your Lightspeed Filter account

    1. Navigate to Settings > Software

    2. Choose Lightspeed Filter

    3. Select the Mac tab

    4. Select the version of the Relay Filter Agent by clicking on the download icon

    5. Place the downloaded Relay Filter Agent PKG into your Downloads Folder

LightSpeedmacOSFilter.png

Generating the Certificate using Certificate Manager

  1. Navigate to your Settings > Certificates within Lightspeed Filter account
  2. Click Set Up to generate the certificate
  3. Label your Organization name and enter in your number of active days for your certificate
  4. Click Save to continue
  5. Allow several minutes for the Certificate Manager to generate
  6. Click to download and confirm trust certificate
  7. Do not proceed with checking the two Acknowledgements boxes, until the certificate, content filter AND agent have been installed on your devices

Lightspeed has noted the importance of the order of operations: only after you have downloaded and trusted the certificate AND installed the agent on your devices may you proceed to complete the two Acknowledgement boxes in the macOS Certificate Confirmation step.

Filesets

Fileset Group

Create a Fileset Group to hold the Filesets to be included.  At the end it will look something like the below image.

LSAgentv2.3.1+Group.png

Configuration Profiles

Network Settings

The profile contains 2 payloads: System Extension Policy and Web Content Filter.  

System Extension Policy
  1. Click + to add Allowed Team Identifiers:
    Team Identifier:  ZAGTUU2342

  2. Click + to add Allowed System Extensions:

    1st Allowed System Extensions:  com.lightspeedsystems.network-agent

    Add the 2nd Allowed System Extension, separated by a comma after the 1st Allowed System Extension

    2nd Allowed System Extensions: com.lightspeedsystems.network-agent.network-extension

  3. Click + to add Allowed System Extension Types and check box for Network:

    Team Identifier:  ZAGTUU2342


Web Content Filter
  1. Filter Name: Lightspeed Agent

  2. Identifier: com.lightspeedsystems.network-agent 

  3. Filter Order: Firewall (currently unable to be set as of FileWave 15.3.1)

  4. Socket Filter Bundle Identifier: com.lightspeedsystems.network-agent.network-extension 

  5. Socket Filter Designated Requirement: anchor apple generic and identifier "com.lightspeedsystems.network-agent.network-extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = ZAGTUU2342)

  6. Username/Password: Sometimes the Username and Password fields are 'included' automatically. Do not include them.


Certificate Payload
  1. Create a new Profile within the Fileset Group folder
  2. Select Certificates and Configure
  3. Upload the above generated certificate into this Profile

FileWaveLightspeed2.png

Lightspeed Agent Installer

The provided Fileset includes a script to install the above downloaded PKG file.

Lightspeed Agent Installer v2.3.1+.fileset.zip

  1. Drag the Fileset into the FileWave Central Fileset Group Folder created above.

  2. Edit the Fileset
  3. Place the downloaded SmartAgent.pkg file into the same location as the .placeholder file
  4. The .placeholder file may be deleted


The name of the PKG is important.  The installation script is expecting a file called SmartAgent.pkg.  Rename if required.

The check_for_profile.sh script ensures the Profile is installed before the PKG.  This script relies upon the Profile ID of the supplied Profile.

The Fileset has a Reboot setting configured to allow the Filter Network Content to be applied.

Assignment

Assign the Fileset Group, either as a Deployment or an Association with one or more test devices.  Once satisfied, consider assigning to all required devices.

Once you have installed the agent and trusted the root certificate on your devices, go back to your Lightspeed Account and navigate to Settings > Certificates. Check the two acknowledgement boxes and click Save.

Requirement Script to check your Profile Identifier

The Fileset Script is designed to check for the presence of Profiles prior to installing the PKG. The ID of the provided Profile is already taken into account; however, the newly generated Certificate Profile cannot be, since its ID cannot be known in advance. Both Profiles should install at the same time, so it is arguably not necessary to include it in this check. However, for completeness, the generated ID of the Certificate Profile could also be added.

Bundle ID

First, the Bundle ID of the newly created Profile needs to be copied.

  1. Open the Certificate Profile
  2. Highlight the Bundle ID and choose to copy


Script Info

  1. Open the Lightspeed Agent Installer Fileset
  2. Select the 'check_for_profile.sh' and choose Get Info
  3. Select the Executable tab
  4. Add a Launch Argument and paste or replace the current Launch Arguments with your copied Bundle ID


Uninstall Fileset

This Fileset uninstalls Lightspeed Smart Agent v2.3.1+ from your macOS devices. Included in the Fileset is a script that will execute and remove the LS Smart Agent. Please note this script only removes the Smart Agent; it does not remove the LS certificate or log files from the agent.

LightSpeed Agent Uninstaller v2.3.1+.fileset.zip

You may download and import into FileWave. You may then create a Fileset Group and include the LightSpeed Agent Uninstaller.

LSAgentv2.3.1+Group.png

Related Content

Needing to deploy Lightspeed for iOS devices? Review the KB article here: Lightspeed Smart Filter Deployment (iOS 2023).

Needing to deploy Lightspeed for non-Certificate Manager? Review the KB article here: Lightspeed Smart Filter Deployment (macOS 2023)

Microsoft Office Deployment (macOS)

What

Deploying Microsoft Office for macOS with FileWave is the process of pushing out Microsoft Office for macOS software to a large number of macOS devices using FileWave's Unified Endpoint Management (UEM) tool. FileWave is a software management tool that allows IT administrators to manage and deploy software applications to various devices, including macOS, Windows, iOS, iPadOS, tvOS, Chrome, and Android devices.

When/Why

You would need to deploy Microsoft Office for macOS with FileWave if you have a large number of macOS devices that need to have Microsoft Office installed. Deploying Microsoft Office for macOS with FileWave allows you to save time and effort, as you can push out the software to multiple devices at once, rather than having to install it manually on each individual device. Additionally, deploying Microsoft Office for macOS with FileWave ensures that all devices have the same version of Microsoft Office and the same settings.

How

To deploy Microsoft Office for macOS with FileWave, you can follow the guides provided by Microsoft. The deployment guide for Office for Mac is located here: https://learn.microsoft.com/en-us/deployoffice/mac/deployment-guide-for-office-for-mac. The guide provides step-by-step instructions for deploying Microsoft Office for macOS using various methods. In addition to the Microsoft deployment guide, you can use FileWave to push out the PKGs and settings needed to install and configure Microsoft Office for macOS.

SentinelOne Deployment (macOS)

Description

SentinelOne is a cybersecurity company that specializes in endpoint security and threat intelligence. They provide a platform for autonomous endpoint protection that uses AI and machine learning to prevent, detect, and respond to a wide range of security threats, including malware, ransomware, and other cyberattacks.

This recipe will guide you on how to set up and deploy SentinelOne to your macOS devices.

Ingredients

Directions

Creating the Installation Fileset:

  1. Download and upload SentinelOne profiles to FileWave Central
  2. Create a new Empty Fileset
  3. In the Fileset, create a new folder under /usr/local/etc/FileWaveInstallers/ called SentinelOne and drop the PKG in.
  4. Create a plain text file, named com.sentinelone.registration-token, and copy only your Site/Group Token into it



  5. Import the token file into the same SentinelOne folder as the PKG

    Make sure the token file ownership is set to root:staff. You can change the ownership by selecting the file > Get Info > Ownership

  6. The "com.sentinelone.registration-token" plaintext file must also be extension-less in the fileset and will not work if the file has a .txt extension at the end of the file name.  If your filename ends in a ".txt" this can be removed/edited by right-clicking on the file in the fileset > "Rename".



    Now we need to create a script to install SentinelOne, using the token to register.

  7. In Admin, select the SentinelOne Fileset and then select 'Scripts' in the toolbar
  8. Create a new Activation Script, and paste the following. You will need to change the name of the PKG to what you have uploaded.
     
    sudo /usr/sbin/installer -pkg /usr/local/etc/FileWaveInstallers/SentinelOne/SentinelAgent_XXXX.pkg -target /


    You're all set with the Installer! Now we need to import the Profiles.


Importing Profiles

Profile Metadata shown below

  1. Download the profiles attached to this article: SentinelOne_Profiles.zip
  2. Unzip the download and import the profiles
Now deploy all Profiles first and then the Installer. SentinelOne will install with all permissions necessary.


Profile Metadata

Service Management Profile

Service Management Profile

SentinelOne_ServiceManagementProfile.png

Privacy Control Configuration Profile

TCC Profile

SentinelOne_TCCProfile01.png

SentinelOne_TCCProfile02.png

Network System Extension Profile

Team Identifier: 4AYE5J54KN

Allowed System Extensions: com.sentinelone.network-monitoring

System Extension Profile

SentinelOne_SystemExtensionProfile.png

Web Content Filter Profile

Network Filter Profile

SentinelOne_WebContentFilterProfile.png

Microsoft Skype Deployment (macOS App)

Description

Skype is a self-contained application, so deployment is as simple as getting it into the Applications folder.

Ingredients

Directions

  1. Download the latest DMG of Skype
  2. Mount and drag into your Applications folder (Don't open it)
  3. Drag it into the Filesets window, or import it


PaperCut recipe (macOS)

Description

Needing to deploy the PaperCut Print Deploy client to a macOS client managed by FileWave? FileWave has you covered!

Ingredients

Directions

Converting the DMG to a PKG installer

You will need access to your PaperCut NG/MF server configurations.

  1. Log in to your PaperCut NG/MF server, for example, https://print-server.example.net:9192/admin.
  2. Click Enable Printing > Print Deploy. The Print Deploy page is displayed.
  3. Next to Download clients, click the macOS button at the bottom of the page.
  4. Save the .dmg file to your Documents folder.
  5. Look at the filename and check that the hostname between the square brackets is correct, for example, pc-print-deploy-client[print-server.company.lan].dmg.
  6. Double-click the .dmg file and copy PaperCut Print Deploy Client.pkg to the Desktop.

Creating .plist file to configure your MDM macOS clients

The PaperCut Print Deploy Client can use a .plist file to set its server address. You can share and deploy these files in many different ways, such as with a .mobileconfig file, a file-copy command, or a scripted file creation on the client. For our recipe, we are just going to deploy the .plist to the proper directory along with our .pkg.

Note: The .plist file needs to be in proper format. The PaperCut client will not function with your desired configurations if this is not saved in the correct format.

To create the .plist file:

  1. Open a terminal and issue the following command: 
    defaults write ~/Documents/com.papercut.printdeploy.client server_host hostname

  2. Replace the word ‘hostname’ with the FQDN or IP address from the ‘.dmg’, for example, print-server.company.lan

  3. Convert the .plist file with the following command:
    /usr/bin/plutil -convert xml1 ~/Documents/com.papercut.printdeploy.client.plist
    This will ensure that the file can be read correctly.

  4. Verify the contents of the new .plist with the following command:
    defaults read ~/Documents/com.papercut.printdeploy.client.plist
    The output should be:

    macOS:Documents localadmin$ defaults read ~/Documents/com.papercut.printdeploy.client.plist
    {
    "server_host" = "print-server.company.lan";
    }
    macOS:Documents localadmin$

Creating the Fileset

  1. Open FileWave Central
  2. Select the PKG installer Fileset
  3. Upload the PKG installer
  4. Open Fileset Contents and uncheck 'Hide unused folders'
  5. Navigate to Library > Preferences
  6. Upload the .plist file to Library/Managed Preferences/
  7. Close to save the Fileset

PaperCutFilesetContents.png

Note: if no directory for /Library/Preferences/ is found, you may create the directory and upload the .plist file as shown above.

Be sure the .plist file has the proper formatting and that the .plist file is in the correct directory. If the .plist file is found, the PaperCut Print Deploy client should honor the file's settings.

Always test the deployment on a few test machines first. This ensures your PaperCut configuration is correct and ready for your macOS production fleet.

Parallels Desktop for Mac Business Edition Deployment (macOS)

Description

Creating a FileSet for Mass rollout of Parallels Desktop for Mac Business Edition Version 10

Ingredients

Directions

  1. Follow the directions at http://kb.parallels.com/en/120093 to create a PKG for mass deployment of Parallels
  2. Import the Parallels Desktop Autodeploy.pkg that you prepared with your data in the first step into FileWave Admin
  3. Import the attached file ( script - activate parallels desktop.fileset.zip ), open it, and edit the script within. In the line /usr/local/bin/prlsrvctl install-license -k XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX replace XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX with your license key, then save your changes and close the Fileset.
  4. Deploy both the PKG Fileset and the script Fileset to your test client. Make sure the PKG Fileset has a higher priority than the script Fileset; the attached script Fileset is preset to the lowest priority by default.


Renew - A tool to get users to reboot periodically (macOS Script)

Description

For remote tools to work reliably, and for security patches to be properly installed, users need to restart their workstations regularly. But we all get focused on our day-to-day, and taking 10 minutes to restart our workstations just gets pushed to the back-burner. SecondSonConsulting developed Renew to encourage users to restart their workstations on a regular basis, and the timing can be customized to the environment. This tool can be delivered via MDM, or other methods, but then is self-sustaining, running locally without any other tool controlling it. For the safety of their work, it will never restart the computer without the user’s consent.

Ingredients

Directions

  1. Install SwiftDialog v2.0 or later: swiftDialog Deployment (macOS PKG)
  2. Install the latest Renew PKG from their Releases page as a PKG Fileset. Here is an example: PKG - Renew.fileset.zip
  3. Deploy a config profile. This can be done most easily by using iMazing Profile Editor (free) which has a template for Renew's options. 

Note that you cannot edit the profile in the FileWave profile editor. It will not display the custom payload.

Renew Configuration 2023-07-30 at 8.52.58 PM.jpg

Additional Recommended Steps

  1. Use the OptionalArguments profile keys to make Renew look and function right for your environment.
  2. For macOS Ventura+ compatibility, create a BackgroundItems MDM profile and enforce the LaunchAgent Label ID: com.secondsonconsulting.renew with an example here: Profile - Renew LaunchAgent.fileset.zip

Examples

Notification Mode Default User Experience

Renew Notification Example Image

Normal Mode Default User Experience

Renew Normal Example Image

Aggressive Mode Default User Experience

Renew Aggressive Example Image

Custom Fields Design Example Image

SwiftDialog allows a high degree of customization, and Renew allows you to continue to easily take advantage of that. This is an example of how you can customize the user experience to suit your branding and taste.

This example uses a banner image tailored to the window size, and the following OptionalArgument in the configuration file.

<key>AdditionalDialogOptions</key>

<string>--width 300 --height 350 --messagefont size=15 --position topright --ontop --messagealignment centre</string>

Renew Customized Example Image

swiftDialog Deployment (macOS PKG)

Description

This article provides instructions on how to deploy swiftDialog using FileWave. swiftDialog is a simple utility for macOS that allows shell scripts to display GUI dialogs. swiftDialog is beneficial when you want to provide interactive user feedback or collect user input during a shell script's execution. By deploying swiftDialog via FileWave, administrators can efficiently distribute this utility across all managed macOS devices.

Ingredients

Directions

 

Deploying swiftDialog to your Macs using FileWave

  1. Download the swiftDialog PKG from: Releases · bartreardon/swiftDialog (github.com)
  2. Create a new PKG fileset in FileWave and import the swiftDialog PKG. See the example: PKG - swiftDialog.fileset.zip
    • "New Desktop Fileset" was picked, then PKG, and then the PKG was selected.
    • On Properties for the Fileset I made it work on macOS 11.x and higher.  Newer versions of swiftDialog may require macOS 12.x or higher so consider that.
    • Additionally the script below was added to set the notification icon to be a FileWave icon. You'll see in our example Fileset that it has this as a Preflight Script. When the icon is in place before the PKG it allows the custom icon to be used.

      #!/bin/zsh
      
      if [ -f "/usr/local/sbin/FileWave.app/Contents/Resources/fwGUI.app/Contents/Resources/kiosk.icns" ]
      then
          mkdir -p "/Library/Application Support/Dialog/"
          sips -s format png /usr/local/sbin/FileWave.app/Contents/Resources/fwGUI.app/Contents/Resources/kiosk.icns --out "/Library/Application Support/Dialog/Dialog.png"
      else
          echo "File not found: /usr/local/sbin/FileWave.app/Contents/Resources/fwGUI.app/Contents/Resources/kiosk.icns"
      fi
      
      exit 0
      
  3. Download Profile - swiftDialog - Enable Notifications.fileset.zip if you want to ensure swiftDialog notifications will be seen.
  4. Assign both swiftDialog and the swiftDialog Enable Notifications Filesets to your target macOS devices.

VMware Carbon Black Cloud sensor recipe (macOS)

Description

VMware Carbon Black is a powerful endpoint protection solution that plays a critical role in an organization's cybersecurity strategy. Deploying Carbon Black via the installer package through the admin console is a strategic approach that ensures consistent, efficient, and effective endpoint security. By mastering this deployment process, organizations can enhance their cybersecurity posture, mitigate threats proactively, and protect their digital assets in an increasingly dangerous digital landscape.

This guide will help you create a Fileset and deploy the application along with the required profiles.

Ingredients

Downloads

VMware CBCloud Profiles.zip
VMware Carbon Black Cloud.fileset.zip

Directions

Please note this recipe includes Carbon Black Cloud sensor (CB Defense) version 3.7.4.53. This version is supported on macOS 11.0 and newer.

Downloading and extracting the MDM profiles and installers

First, download your VMware installer and profiles. The .dmg must be mounted first; then extract the necessary components from it.

Once the .dmg has been mounted you will see the contents listed. Below is the CBCloud Install.pkg and doc folder containing the required MDM profiles.

VMwareCBCSensor01.png

The required MDM profiles and unattended script for the Fileset deployed are found in the docs folder within the mounted .dmg.

Extract the MDM profiles. These MDM profiles will be uploaded into FileWave Central. Below are the configurations for the three MDM profiles:

Kernel Extension Policy

VMwareCBCSensor02.png

Web Content Filter Policy

VMwareCBCSensor03.png

MDM Profiles Configurations

If you do not have the VMware Carbon Black Cloud .dmg, you may create the Profiles with the following.

VMware CCB macOS version 3.8+ introduces Approving the System Extension

Approve System Extension

For the Allowed System Extension, please enter in the following:

System Extension Policy

Specify the Apple Team ID and System Extension bundle Identifier in your Allowed System Extension configuration profile:

  • System Extension Types: Allowed System Extensions
  • Apple Team ID: 7AGZNQ2S2T
  • System Extension Bundle ID: com.vmware.carbonblack.cloud.se-agent.extension

Vmware CCB System Extension.png

Kernel Extension Policy

For the Kernel Approval profile, please enter in the TeamID and BundleID:

Apple Team ID: 7AGZNQ2S2T

KEXT Bundle ID: com.carbonblack.defense.kext

Kernel Extension Policy: The recommended way to deliver this configuration is through the provided MDM-KEXT-reboot-command.xml. FileWave has the Rebuild Kernel Cache command by highlighting the MDM client, right-clicking Restart (Supported MDM devices), checking the box for Rebuild Kernel Cache, and entering in the Kernel file path:

/Library/Extensions/CbDefenceSensor.kext

Kernel Rebuild Cache

RebuildKernelCache.png

The following will need to be entered for each of the BundleIDs along with Code Requirements and Services to set.

TCC metadata

The fields should be completed exactly as follows. Please copy and paste for accuracy.
1]
Identifier: com.vmware.carbonblack.cloud.daemon

Identifier Type should be set to: Bundle ID

Code Requirement: identifier "com.vmware.carbonblack.cloud.daemon" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

App or Service should be set to: SystemPolicyAllFiles

Access should be set to: Allow

2]
Identifier: com.vmware.carbonblack.cloud.se-agent.extension

Identifier Type should be set to: Bundle ID

Code Requirement: identifier "com.vmware.carbonblack.cloud.se-agent.extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

App or Service should be set to: SystemPolicyAllFiles

Access should be set to: Allow

3]
Identifier: com.vmware.carbonblack.cloud.osqueryi

Identifier Type should be set to: Bundle ID

Code Requirement: identifier "com.vmware.carbonblack.cloud.osqueryi" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"


App or Service should be set to: SystemPolicyAllFiles

Access should be set to: Allow

4]
Identifier: com.vmware.carbonblack.cloud.uninstall

Identifier Type should be set to: Bundle ID

Code Requirement: identifier "com.vmware.carbonblack.cloud.uninstall" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"


App or Service should be set to: SystemPolicyAllFiles

Access should be set to: Allow

5]
Identifier: com.vmware.carbonblack.cloud.uninstallerui

Identifier Type should be set to: Bundle ID

Code Requirement: identifier "com.vmware.carbonblack.cloud.uninstallerui" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"


App or Service should be set to: SystemPolicyAllFiles

Access should be set to: Allow
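
A quick pre-flight check for the entries above, as an added example rather than part of the recipe or of VMware's tooling: it confirms that a pasted Code Requirement has balanced quotes, names the same bundle ID as the Identifier field, pins the expected Team ID and keeps the three certificate clauses. The function names are hypothetical; the first sample is entry 1 from this page and the second is a constructed copy with its closing quote removed.

```shell
#!/bin/sh
# Added example: lint one TCC (Privacy Preferences) entry before it is pasted
# into a profile. Pure string checks; function names are hypothetical.

# Succeeds if the string contains an even number of double quotes.
quotes_balanced() {
    n=$(printf '%s' "$1" | tr -cd '"' | wc -c | tr -d ' ')
    [ $((n % 2)) -eq 0 ]
}

# Print the bundle ID named by the leading `identifier "..."` clause.
req_identifier() {
    printf '%s\n' "$1" | sed -n 's/^identifier "\([^"]*\)" and .*/\1/p'
}

# Print the Team ID pinned by the trailing `certificate leaf[subject.OU]` clause.
req_team_id() {
    printf '%s\n' "$1" | sed -n 's/.*certificate leaf\[subject\.OU\] = "\([^"]*\)" *$/\1/p'
}

# lint_tcc_entry IDENTIFIER TEAM_ID REQUIREMENT
# Prints "ok", or the first problem found (and returns 1).
lint_tcc_entry() {
    want_id=$1; want_team=$2; req=$3
    quotes_balanced "$req" || { echo "unbalanced quotes"; return 1; }
    [ "$(req_identifier "$req")" = "$want_id" ] || { echo "identifier mismatch"; return 1; }
    [ "$(req_team_id "$req")" = "$want_team" ] || { echo "team id mismatch"; return 1; }
    # The three certificate clauses every entry on this page carries.
    for clause in 'anchor apple generic' \
                  'certificate 1[field.1.2.840.113635.100.6.2.6]' \
                  'certificate leaf[field.1.2.840.113635.100.6.1.13]'; do
        case $req in
            *"$clause"*) ;;
            *) echo "missing clause: $clause"; return 1 ;;
        esac
    done
    echo ok
}

# Entry 1 from this page, then a constructed copy that lost its final quote.
TEAM_ID='7AGZNQ2S2T'
DAEMON_ID='com.vmware.carbonblack.cloud.daemon'
DAEMON_REQ='identifier "com.vmware.carbonblack.cloud.daemon" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"'
TRUNCATED_REQ=${DAEMON_REQ%\"}

lint_tcc_entry "$DAEMON_ID" "$TEAM_ID" "$DAEMON_REQ"
lint_tcc_entry "$DAEMON_ID" "$TEAM_ID" "$TRUNCATED_REQ" || true
```
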

Web Content Filter Policy

The following will need to be entered to create the web content filter manually.

Web Content Filter Policy

The fields should be completed exactly as follows. Please copy and paste for accuracy.

In the General payload:

Payload Scope should be set to: System

In the Web Content Filter payload:

Filter Type: Plug-In

Plug-In Bundle ID: com.vmware.carbonblack.cloud.se-agent

Check Enable Socket Filtering

Filter Data Provider System Extension Bundle ID (macOS): com.vmware.carbonblack.cloud.se-agent.extension

 Filter Data Provider Designated Requirement (macOS): identifier "com.vmware.carbonblack.cloud.se-agent.extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

Check Enable Packet Filtering (macOS)

Filter Packet Provider System Extension Bundle ID (macOS): com.vmware.carbonblack.cloud.se-agent.extension

Filter Packet Provider Designated Requirement (macOS): identifier "com.vmware.carbonblack.cloud.se-agent.extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7AGZNQ2S2T"

Creating the VMware Carbon Black Cloud Fileset

You may download and upload the VMware Carbon Black Cloud Fileset into your FileWave Admin. You should see four items listed in the Fileset Contents:

  1. CBCloud Install.pkg
  2. check_for_profiles.sh script
  3. cbcloud_install_unattended.sh script
  4. install_VMware_CBCloud.sh script
  5. uninstall_VMware_CBCloud.sh script

Verification Settings: VMware CBCloud client will get updates from the CBCloud server. If your organization allows, be sure to change the verification settings from 'Self-Healing' to 'Ignore at Verify' for the Fileset.

vmwarecbcloudfileset.png

VMware CBCloud install script

You will need to modify and add your company code to the install_VMware_CBCloud.sh script.

  1. Highlight the Fileset and click on Scripts (FW Central menu)
  2. Highlight Activation Scripts, install_VMware_CBCloud.sh
  3. Click on Edit to open the script
  4. Enter your company code, i.e. #######
  5. Click OK to save
  6. Click OK to save your changes


VMwareCompanyCode01.png

VMwareCompanyCode02.png

Check for Profiles requirement script

You will need to modify and add your profile bundle IDs to the requirement script.

  1. Highlight the Fileset and click on Scripts (FW Central menu)
  2. Highlight Requirement Scripts, check_for_profiles.sh
  3. Right-click and select properties
  4. Select and click on the Launch Arguments tab
  5. Enter in your three profile bundle IDs 
  6. Click 'Apply' to save your changes
  7. Select and click on the Environment Variables tab
  8. Confirm the all_or_one variables string is set to 'all'
  9. Click 'Apply' to save your changes, if not saved
  10. Close the script properties window
  11. Click OK to save your changes to the requirement script


 

Requirementscript.png

LaunchArugments.png EnvironmentVariables.png

VMware uninstall script

This is optional and not required!

If you have a company code to allow uninstallation of the VMware Carbon sensor, you may enter your code into the script under:

uninstall_VMware_CBCloud.sh
#!/bin/bash

#Logging uninstallation
exec 1>>/var/log/fwcld.log
exec 2>>/var/log/fwcld.log

#Uninstalling VMware CBCloud sensor
# There are two command line options:
# -c <CODE> If specified by the policy active on the endpoint, this option and uninstall code will be required.
# -y Skips the interactive prompt to confirm that uninstallation is desired. Recommended for unattended uninstall.

/Applications/VMware\ Carbon\ Black\ Cloud/uninstall.bundle/Contents/MacOS/uninstall -c <CompanyCodeHere> -y

exit 0

 

To make the changes in the Fileset:

  1. Highlight the Fileset and click on Scripts (FW Central menu)
  2. Highlight Pre-Uninstallation Scripts, uninstall_VMware_CBCloud.sh
  3. Click on Edit to open the script
  4. Enter in your company code, i.e. #######
  5. Click OK to save
  6. Click OK to save your changes

Uninstallscript.png

Uninstallscript02.png

Fileset Group

Once the Fileset and Profiles have been created, the best practice is to create a Fileset Group. Keeping the Profiles and Filesets for one application and its configuration in the same group makes them easier to manage.

Profiles should be installed first.  The VMware Carbon Black Cloud Fileset has a requirement script to ensure profiles are installed, before commencing with download and activation of the Fileset.

VMware CCB FS Group.png

Remember to always test the Fileset on a few devices before mass deployment.

Wacom Tablet Deployment (macOS Fileset Magic)

Description

Installing the Wacom Intuos drivers

Last tested with WacomTablet 6.3.30

Ingredients

Directions

  1. Do a Fileset Magic capture
    • In /private/var/ the only thing you need is the db/receipts folder
  2. Select the fileset and add a script attribute
    • Create a post-flight script  macOS
      #!/bin/bash
      launchctl load /Library/LaunchAgents/com.wacom.wacomtablet.plist
      launchctl start com.wacom.wacomtablet
      launchctl load /Library/LaunchAgents/com.wacom.DataStoreMgr.plist
      launchctl start com.wacom.DataStoreMgr
      
  3. Save the fileset and deploy

On macOS 10.13 or greater, you will also need to send a profile to allow the kernel extension: User Approved MDM Enrollment (macOS)


XCreds - Log in to your Mac with your Cloud Password (macOS PKG)

Description

XCreds supercharges your Mac login window. Use your Azure, Google Cloud, Okta or any OpenID Connect password to log in to your Mac. XCreds verifies the password with your identity provider and saves the tokens to the user keychain for validation that the cloud password is in sync with the local password. Perfect. This article will show you how to use it with FileWave. 

This article will give you as much detail as possible to help you get started, but this is incredibly easy software to deploy and configure and we'll show you how below.

Ingredients

Directions

XCreds has two components:

Example Login Window:

image.png

Both the security agent and the app share keychain items in the user’s keychain to keep track of the current local password and the tokens from the cloud provider. Both items prompt the user with a web view to authenticate to their cloud provider, verify login was successful and then update both the local password and user keychain passwords as needed.

Features

  • Login Window log in to OIDC provider
  • Support for Azure, Google Cloud, Okta and any OIDC provider
  • Initial account provisioning
  • WiFi Login Window configuration
  • Restart and shutdown from Login Window
  • Profile manifest available for easy configuration
  • Local password update with IdP password
  • Prompt for IdP password when changed
  • Login Keychain password updating
  • Customizable preferences
  • Easy deployment
  • Uses OpenID Connect
  • Attractive and pleasing menu icon
  • Easy configuration with profile / MDM
  • Profile Manifest for Profile Creator Support
  • Two-Factor and Multi-Factor support
  • New username and password window
  • Able to create a user as an admin using group member preference
  • Kerberos ticket
  • Switch to login window at screensaver
  • Reset keychain
  • Most preferences are now able to be overridden
  • Added shake to the password field

Getting Started

You'll want to review their Pricing ( https://twocanoes.com/products/mac/xcreds/#pricing ) but it's very reasonable and you can download the software and get started for free. 

IdP                          | Microsoft Entra (Azure) | Okta       | Google
Vendor Specific Instructions | Microsoft Setup         | Okta Setup | Google Setup
Example Plist                | Microsoft Plist         | Okta Plist | Google Setup

Installing with FileWave

Example, pre-created Fileset:

The provided Fileset includes:

Steps

PKG Fileset

Create a new Fileset Group for XCreds and then either:

  1. Add the provided Fileset into this group
  2. Download the latest version of XCreds PKG and drag this into the XCreds Fileset Group

If the second option is actioned, the provided uninstaller will not be included, but could be added, based upon the details shown below in the uninstaller section.

IdP Configuration
Profile Creation

Download ProfileCreator App and the twocanoes manifest from the Profile Creator page:

On the computer running Profile Creator, add the manifest to the following user location:

~/Library/Application\ Support/ProfilePayloads/Manifests/ManagedPreferencesApplications/com.twocanoes.xcreds.plist

Run Profile Creator and add any items required from the chosen IdP settings, for example: Client ID, DiscoveryURL, etc. and save.

image.png

 For Microsoft DiscoveryURL, edit the plist, replacing 'common' with the Directory (Tenant) ID if available. For example:  discoveryURL = https://login.microsoftonline.com/5c3864d2-38e9-5555-8888-621b9d17fd46/.well-known/openid-configuration

This Profile may now be used to create a Profile Fileset.  Do so, by dragging this mobileconfig file to the same XCreds Fileset Group where the XCreds PKG Fileset resides.  For example:

image.png

The contents of the XCreds payload are beyond the scope of the FileWave interface.  Once imported to FileWave, the Payload may not be edited directly within FileWave.  Any attempt to view the Payload will fail to show the XCreds portion of the Payload; be sure to Cancel and not save if it is opened.  For the same reason, it is not possible to duplicate this Fileset either.  Any editing should be handled within Profile Creator and the Payload re-uploaded to FileWave.

Testing

The Fileset Group may now be associated with one or more test devices, as seen fit.  Use the above details for the licence file during testing.

Once tested and all is good, the scope of association may be increased and, once purchased, the licence details should be pushed as another Profile.  This may also be added to the same XCreds Fileset Group.

Uninstalling

The steps below are from their website, but they are also incorporated into the Fileset provided in this article, so you can simply break the association and it will uninstall.

  1. To remove XCreds Login, restore the backup security agent rules and remove the launch agent, run: sudo /Applications/XCreds.app/Contents/Resources/xcreds_login.sh -r
  2. Drag the XCreds app to the trash.

Support

The twocanoes Software Knowledge Base is located at https://twocanoes.com/knowledge-base/ but you can also chat on our FileWave Discord Server with other customers as well. Please join the XCreds channel on MacAdmins Slack for any questions you have directly for twocanoes. Paid support is also available from twocanoes Software.



Google Chrome (macOS)

Google Chrome Configuration recipe (macOS)

Description

After installing Chrome, some configuration may be desirable, examples may include:

The below shows configuration for macOS.  For Windows you may wish to consider GPO: Manage Chrome updates (Windows)

Ingredients

macOS

FileWave Download.png

Directions

  1. Download the Fileset zip file, expand and drag both the Fileset and Configuration Profile into FileWave > Filesets
  2. 'Google Chrome Ksadmin' contains the 'ksadmin.sh' script, which configures ksadmin to allow silently disabling Chrome updates
  3. The Configuration Profile has example setups that may require editing, e.g. Welcome and Home Page; replacing www.filewave.com

Preference Names
A list of policies can be found at: Chrome Enterprise policy list

Association

When associating, to ensure the configuration is installed with the Application, consider creating a Fileset Group:

image.png

Associating the 'Google Chrome Managed' Fileset Group will ensure Application and Configuration are associated to devices.  

image.png

When there is an update to Google Chrome, replace the version in the Fileset Group with the latest version, after testing, and reinstall Google Chrome Ksadmin.

Controlling Updates

Updates may be managed with the use of additional configuration that may be added to the Fileset Group.

The following profile contains:

<key>updatePolicies</key>
<dict>
  <key>com.google.Chrome</key>
  <dict>
    <key>UpdateDefault</key>
    <integer>3</integer>
  </dict>
</dict>

Download: Chrome Preferences Keystone.mobileconfig

Edit the profile integer to match the desired experience:

Setting | Description
0 | Turns on auto-updates. Updates are always applied when detected by Google Software Update. This is the default value.
1 | Updates are installed only from the scheduled update checks. Manual update checks will not install updates.
2 | Turns off auto-updates. This stops Google Software Update automatically updating all users to the latest stable version of Chrome. Updates are only applied when the user manually checks for updates. For example, on the chrome://help page or by running the CheckForUpdatesNow.command utility.
3 | Updates are never applied.

Add the 'mobileconfig' file as a Custom Settings Configuration Profile Payload

Google Software Management
Other Google software may also be managed with this process. Please read Manage Chrome updates (Mac) for full details of management options.

Google Chrome Managed (macOS)

Description

Chrome can be managed using methods outlined in the KB: Google Chrome Configuration Recipe (macOS)

However, from the Google Admin Console, it is possible to create a Management Token, push the token to devices and then control the browser experience within Google's Cloud management.

The Chrome Browser Management Token can be used on macOS, Windows, Android and iOS.

Ingredients

macOS

FileWave Download.png

Directions

Google

Google have their own KB on this topic: Enroll cloud-managed Chrome browsers

  1. From the Chrome Browser view in the Google Admin console, use the 'kebab' (vertical ellipsis) to copy the token

image.png

FileWave

  1. Download the above provided Fileset zip file, expand and drag into FileWave > Filesets
  2. Open the Profile for editing and access the Custom Settings Payload
  3. Edit the CloudManagementEnrollmentToken String, entering the token from the Google Admin console

image.png

Association

When associating, to ensure the configuration is installed with the Application, consider creating a Fileset Group:

image.png

Assigning the 'Google Chrome Management Token' Fileset Group will ensure Application and Configuration are associated to devices.  Below is an example using Deployments:

image.png

When there is an update to Google Chrome, replace the version in the Fileset Group with the latest version  (after testing) or add a new Fileset Revision if desired.

Google Chrome Extension Management (macOS)

Description

Chrome Extensions, like ClassSpaces, can be managed via FileWave on multiple device types.

If the Chrome browser is already managed using Google Admin Console, then all management may be applied to devices via the Google Admin Console.  It is, however, also possible to manage Chrome on macOS and Windows devices via FileWave.

Ingredients

macOS

Drag the downloaded Profile into the Admin Console, associate to test devices and deploy once tested.

Contents of Profile:

Dict {
    PayloadDisplayName = Google Chrome Classspaces
    PayloadScope = System
    PayloadType = Configuration
    PayloadRemovalDisallowed = false
    ConsentText = Dict {
        default = 
    }
    PayloadContent = Array {
        Dict {
            PayloadVersion = 1
            PayloadDisplayName = Custom: (com.google.Chrome)
            PayloadType = com.apple.ManagedClient.preferences
            PayloadContent = Dict {
                com.google.Chrome = Dict {
                    Forced = Array {
                        Dict {
                            mcx_preference_settings = Dict {
                                ExtensionSettings = Dict {
                                    * = Dict {
                                        installation_mode = blocked
                                    }
                                    obeophmpnnhboefjagnpbllfbbaeodnn = Dict {
                                        installation_mode = force_installed
                                        update_url = https://clients2.google.com/service/update2/crx
                                        comment = Classspaces
                                    }
                                }
                            }
                        }
                    }
                }
            }
            PayloadEnabled = true
            PayloadIdentifier = ml1063.lan.c7256e52-e8f0-4b6b-b48d-5ec98c03ff8a.com.apple.ManagedClient.preferences.87789162-48a1-42bf-b444-ff6567a9e7f0
            PayloadUUID = 87789162-48a1-42bf-b444-ff6567a9e7f0
        }
    }
    PayloadIdentifier = ml1063.lan.c7256e52-e8f0-4b6b-b48d-5ec98c03ff8a.Configuration.c7256e52-e8f0-4b6b-b48d-5ec98c03ff8a
    PayloadVersion = 1
    PayloadUUID = c7256e52-e8f0-4b6b-b48d-5ec98c03ff8a
}

Notes

As part of the example, an additional key has been added to block all other extensions.  Remove or edit as desired.

If Chrome is already open, the settings will not be applied until after the browser has been restarted.

Google Chrome Install Recipe (macOS)

Description

Installation of Chrome or any app that simply goes in /Applications can be fairly simple to do with a Fileset, but if the application is presented as a PKG that does other things besides simply copying a file to /Applications, then this can be a good example of how to accomplish the install. Note that this Fileset also will download the latest Google Chrome at install time, so depending on your use case, this may not be a good solution. An alternative would be to put the PKG inside of the FileSet and use the same script to install it or make a PKG-based FileSet in FileWave. There are many roads to success. This example will show several features of Filesets for teaching purposes.

Ingredients

FileWave Download.png

Directions

  1. Download the Chrome Fileset zip file, expand and drag the Fileset into FileWave > Filesets
  2. Create an Association between the Fileset and one or more macOS systems
  3. See Chrome installed on them.

What does this Fileset do?

The Fileset is entirely 2 scripts. If you highlight the Fileset in the Native Admin and pick the Scripts button in the toolbar you can edit the 2 scripts. The first is the Activation Script. This will create a directory in /private/tmp/ and download Chrome to it. It will install and then delete the installer from that folder. Because of the way this works you may want to make this script a little fancier with error handling, but the below works and is a good starting point. You will also see that it logs what it is doing to /Library/Logs/GoogleChromeInstallScript.log so that you can review the date and time that events happened.

#!/bin/zsh

# Activation script: download the latest Chrome PKG, install it, then remove the installer.
pkgfile="GoogleChrome.pkg"
logfile="/Library/Logs/GoogleChromeInstallScript.log"
url='https://dl.google.com/chrome/mac/stable/gcem/GoogleChrome.pkg'

/bin/echo "--" >> "${logfile}"
/bin/echo "$(date): Downloading latest version." >> "${logfile}"
# -p: do not fail if the directory is left over from an earlier run
/bin/mkdir -p /private/tmp/chrome_install/
/usr/bin/curl -s -o "/private/tmp/chrome_install/${pkgfile}" "${url}"

/bin/echo "$(date): Installing..." >> "${logfile}"
/usr/sbin/installer -pkg "/private/tmp/chrome_install/${pkgfile}" -target /

/bin/sleep 5

/bin/echo "$(date): Deleting package installer." >> "${logfile}"
/bin/rm -rf /private/tmp/chrome_install

exit 0
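
A hardened variant of the activation script above, as an added example that is not part of the provided Fileset: it downloads into a private mktemp directory instead of a fixed path under /private/tmp, treats a failed download as an error, and installs only if pkgutil reports a Developer ID Installer signature from the expected Team ID. The function names, the --install switch, the constructed pkgutil sample and the EXPECTED_TEAM_ID placeholder are assumptions; set the Team ID to the value you have verified for the vendor.

```shell
#!/bin/sh
# Added example, not the Fileset's own script. Function names, the --install
# switch and EXPECTED_TEAM_ID are assumptions made for this illustration.

PKG_URL='https://dl.google.com/chrome/mac/stable/gcem/GoogleChrome.pkg'  # from the recipe
LOGFILE='/Library/Logs/GoogleChromeInstallScript.log'                    # from the recipe
# Placeholder: replace with the vendor Team ID you have verified yourself.
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-REPLACE_WITH_TEAM_ID}"

# Constructed sample of `pkgutil --check-signature` output (not a real package).
SAMPLE_SIGNATURE='Package "Example.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Vendor LLC (ABCDE12345)
    2. Developer ID Certification Authority
    3. Apple Root CA'

log() { printf '%s: %s\n' "$(date)" "$*" >> "$LOGFILE"; }

# Read pkgutil output on stdin and print the Team ID of the leaf
# "Developer ID Installer" certificate; print nothing if there is none.
signer_team_id() {
    sed -n 's/^ *1\. Developer ID Installer: .*(\([A-Z0-9]\{10\}\)) *$/\1/p' | head -n 1
}

# signature_trusted PKGUTIL_OUTPUT TEAM_ID
# Succeeds only if a leaf Team ID was found and equals the expected one.
signature_trusted() {
    found=$(printf '%s\n' "$1" | signer_team_id)
    [ -n "$found" ] && [ "$found" = "$2" ]
}

install_chrome() {
    # mktemp -d creates a fresh, unpredictably named directory with mode 0700,
    # so no other local user can pre-create or swap files underneath it.
    workdir=$(/usr/bin/mktemp -d /private/tmp/chrome_install.XXXXXX) || return 1
    trap 'rm -rf "$workdir"' EXIT
    pkg="$workdir/GoogleChrome.pkg"

    log "Downloading latest version."
    if ! /usr/bin/curl --fail --silent --show-error --location \
            --proto '=https' --proto-redir '=https' -o "$pkg" "$PKG_URL"; then
        log "Download failed; nothing installed."
        return 1
    fi

    # pkgutil exits non-zero for unsigned or invalid packages.
    if ! sig=$(/usr/sbin/pkgutil --check-signature "$pkg"); then
        log "Package is unsigned or its signature is invalid."
        return 1
    fi
    if ! signature_trusted "$sig" "$EXPECTED_TEAM_ID"; then
        log "Signer is not Team ID $EXPECTED_TEAM_ID; refusing to install."
        return 1
    fi

    log "Installing..."
    if ! /usr/sbin/installer -pkg "$pkg" -target /; then
        log "installer reported an error."
        return 1
    fi
    log "Installed; removing the downloaded package."
}

# Run only when asked to, so the functions above can be reused or tested alone.
if [ "${1:-}" = "--install" ]; then
    install_chrome
fi
```
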

Note that in these days of Intel vs. Apple Silicon, you may want the script to behave differently depending on which processor is present. Below is an easy way to do this in a script:

if [[ $(uname -p) == 'arm' ]]; then
  echo M1
else
  echo Intel
fi

The second script is for when you remove the Association for the Fileset. It will kill Chrome if it is running and then delete it from /Applications. If you don’t want this behavior then just remove that script from the Fileset.

#!/bin/zsh

logfile="/Library/Logs/GoogleChromeInstallScript.log"

/bin/echo "--" >> ${logfile}
/bin/echo "`date`: Removing Google Chrome." >> ${logfile}

killall Google\ Chrome

rm -rf "/Applications/Google Chrome.app"

exit 0

For Requirements, I set it for macOS and only the most recent versions since (1) Anything below macOS 10.14.x is insecure to use, and (2) I don’t know that Chrome will work well on older macOS, but adjust this to your needs.

image.png

For Delete Files, I have it purging the download files so that when the Fileset activates, the folder is clear every time.

image.png

On the Kiosk tab, I set this to Applications and put a description in. Using a Kiosk Association is a great way to make an application installable by non-admins and they can even uninstall it if they aren’t using it any more.

image.png

So with this example, you can see how you might create a scripted install of an application and handle uninstall of it as well. Keep in mind you don’t have to do this exactly as I did, and these concepts can be applied to other applications.

After installing Chrome, some configuration may be desirable, examples may include:
* Block auto updates
* Set home page
* Disable Welcome Page
This article discusses configuration options: Google Chrome Configuration Recipe