ProxymanApp / Proxyman

Modern. Native. Delightful Web Debugging Proxy for macOS, iOS, and Android ⚡️
https://proxyman.io

Proxyman HelperTool for non admin install #1767

Open jamesrodgersFL17 opened 1 year ago

jamesrodgersFL17 commented 1 year ago

Proxyman HelperTool for non admin users

We are working on deploying Proxyman and we are a NON-ADMIN environment. We are running into issues installing the helper tool because users do not have the admin privileges required to install the Helper Tool.

The package I created has the Helper Tool Included

However, when users first launch the proxyman app, they are prompted to install the Helper Tool – even though it is already installed… Any suggestions?

I was wondering if you could include a command line flag for proxyman that would install the Helper Tool? Proxyman Proxy Helper Tool - Proxyman Documentation.

Why this feature/change is important?

This would allow us to leverage the Jamf Binary to install the Helper Tool rather than using a GUI prompt for admin creds.

To support large-scale non-admin environments.

NghiaTranUIT commented 1 year ago

> I was wondering if you could include a command line flag for proxyman that would install the Helper Tool?

I'm not sure what you mean 🤔 You mean to install the Helper Tool by using the CLI, for example: $ /Applications/Proxyman.app/Contents/MacOS/proxyman-cli install-helper-tool ?

jamesrodgersFL17 commented 1 year ago

Yes, that is exactly what I am looking for @NghiaTranUIT

NghiaTranUIT commented 1 year ago

> However, when users first launch the proxyman app, they are prompted to install the Helper Tool – even though it is already installed… Any suggestions?

I'm not sure how you can install the Helper Tool before launching the app? Proxyman does a series of checks to make sure the Helper Tool is legit.

For example:

If either one of the checks fails, it might show the Helper Tool GUI to override it.

NghiaTranUIT commented 1 year ago

> Yes, that is exactly what I am looking for @NghiaTranUIT

Then, I guess you might need the sudo too.

$ sudo /Applications/Proxyman.app/Contents/MacOS/proxyman-cli install-helper-tool

jamesrodgersFL17 commented 1 year ago

Yes sudo would likely be required. However, we can run "sudo /Applications/Proxyman.app/Contents/MacOS/proxyman-cli install-helper-tool" using the Jamf binary (which runs as root).

jamesrodgersFL17 commented 1 year ago

What signature does it look to validate?

jamesrodgersFL17 commented 1 year ago

Screenshot 2023-09-11 at 9 50 33 AM

Here is a screen shot of the pkg I created that includes the HelperTool.

NghiaTranUIT commented 1 year ago

I've checked the code: If the com.proxyman.NSProxy.HelperTool exists, then Proxyman will check whether or not the helper tool is actually installed on the system.

You can find it in System Setting -> General -> Login Item -> Proxyman -> Verify it's switched ON too.

Screenshot 2023-09-12 at 08 24 17

I guess, your approach doesn't install into the system, it just copies to the folder. Thus, it doesn't meet the criteria of Proxyman.

jamesrodgersFL17 commented 1 year ago

I did install the Helper Tool (locally), then packaged the helper tool - so the com.proxyman.NSProxy.HelperTool does exist (/Library/PrivilegedHelperTools/com.proxyman.NSProxy.HelperTool) and I also deploy a config profile that automatically enables the login item. See:

Screenshot 2023-09-12 at 8 01 12 AM

Do you have any suggestions on how we can make this a successful deployment, knowing that users do not have admin?

NghiaTranUIT commented 1 year ago

> I did install the Helper Tool (locally)

Can you elaborate on it? How can you install the helper tool in the PrivilegedHelperTools folder and into the system without using Proxyman GUI?

When you install the helper tool and run it on a non-admin user, is it on the same User?

If you install the Helper Tool with an admin user, then using Proxyman under non-admin users, I'm afraid that Proxyman doesn't have permission to communicate with the Helper Tool.

jamesrodgersFL17 commented 1 year ago

Yeah of course. I would install the helper tool locally on my Mac (via the Proxyman app) via an admin account. I then copied that HelperTool file and placed it into a pkg alongside the Proxyman.app (above composer image). I then installed that pkg (app and helperTool) onto other Macs.

Even though the HelperTool was present on other Macs, it still prompted users to install the helper tool. The users are unable to install the helper tool via the proxyman app because they don't have admin rights.

If you could add an install-helper-tool flag/argument into the proxyman-cli that would help solve this problem for MDM deployment.

NghiaTranUIT commented 1 year ago

I guess it's not technically possible.

Proxyman main app is using SMJobBless to install the Helper Tool into the system.

The documentation shows that it requires some config in the app plist file. However, the proxyman-cli is not an app, it's a binary, so there is no plist file.

CleanShot 2023-09-14 at 14 44 34@2x


I tried to install the Helper Tool, and could not get it to work. The error is Error: Error Domain=CFErrorDomainLaunchd Code=4 "(null)"

NghiaTranUIT commented 1 year ago

Does it work for you 🤔

$ sudo /Applications/Proxyman.app/Contents/MacOS/proxyman-cli install-helper-tool

will launch the main app -> auto-install the Helper Tool (Require permission) -> Close when it is done.

jamesrodgersFL17 commented 1 year ago

Thanks for looking into that, are there any other solutions using cli that we could look into? Or possibly a separate download/pkg that could be made available that installs the helper tool?

I did want to call out Docker Desktop has --install-privileged-components:

/Applications/Docker.app/Contents/MacOS/Docker --install-privileged-components

Is that similar to what we're trying to accomplish with this?

Screenshot 2023-09-14 at 9 42 07 AM https://community.jamf.com/t5/jamf-pro/how-to-package-a-docker-installer-that-does-not-request-admin/m-p/199657#

NghiaTranUIT commented 1 year ago

Nice. It could be a solution because it launches the main app to install the helper tool. I'm looking into it now 👍

NghiaTranUIT commented 1 year ago

@jamesrodgersFL17 it's working now. You can try this Beta build: https://download.proxyman.io/beta/Proxyman_4.11.0_install_helper_tool_with_arguments.dmg

  1. Open this DMG -> Drag to the Application folder
  2. sudo /Applications/Proxyman.app/Contents/MacOS/proxyman --install-privileged-components (Must use sudo)
  3. Enter password if needed
  4. Done ✅

I confirmed that the helper tool was installed successfully and Proxyman can communicate properly 👍

jamesrodgersFL17 commented 1 year ago

@NghiaTranUIT,

Just downloaded the Beta and tested out the new flag. Worked as expected, and we were able to get past our hurdle. Thank you so much for the help with making this possible, glad this could get implemented from an MDM side.

NghiaTranUIT commented 1 year ago

Awesome. Let's try to use this beta build for a while. If everything is okay, I will include this change to the next release 👍

nhelke commented 1 year ago

Thank you. This seems to work well, although it is slightly surprising for users that the app starts up on install and it did require them to press the "install helper" button.

More concerning from an infosec perspective: after successfully installing the helper completely independently and without requiring admin privileges, users might continue to use this instance of Proxyman which runs as root for some time. It seems ill-advised to run Proxyman given that it attempts to process arbitrary and potentially adversarial content.

Would it be viable to make sudo /Applications/Proxyman.app/Contents/MacOS/proxyman --install-privileged-components install the helper without user interaction (other than their choice to install Proxyman in the first place) and ideally furthermore Proxyman would show no UI and exit as soon as the helper was successfully installed, so that users would then manually launch Proxyman as themselves and not use it while it runs as root.

jamesrodgersFL17 commented 1 year ago

@NghiaTranUIT, is there a target version for this enhancement?

NghiaTranUIT commented 1 year ago

> Would it be viable to make sudo /Applications/Proxyman.app/Contents/MacOS/proxyman --install-privileged-components install the helper without user interaction (other than their choice to install Proxyman in the first place)

It's technically hard to achieve because the Helper Tool requires a lot of configs to define who the parent is, and some configs are impossible for the Command Line, which is not an app bundle.

> @NghiaTranUIT, is there a target version for this enhancement?

@jamesrodgersFL17, it's already included on the latest build 4.12.0 👍

nhelke commented 1 year ago

> It's technically hard to achieve because the Helper Tool requires a lot of configs to define who the parent is, and some configs are impossible for the Command Line, which is not an app bundle.

I appreciate this difficulty. But what if the actual app simply chose not to show UI, install the helper and exit as soon as the helper is installed iff run with the above flag. I am not proposing a separate CLI tool.

My problem is that I find users continuing to use proxyman running as root, not appreciating that MDM launched the app at install time as root with the flag.
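
The concern raised in the last comments, that the app instance launched by MDM with --install-privileged-components keeps running as root, can be audited from a management script. This is an added example, not part of the original thread and not Proxyman's own code; the `ps` column layout and the sample lines are constructed assumptions, while the paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not Proxyman code): report Proxyman app processes running as root.
# Paths below are the ones quoted in the thread.
APP_DIR="/Applications/Proxyman.app/Contents/MacOS/"
HELPER="/Library/PrivilegedHelperTools/com.proxyman.NSProxy.HelperTool"

# Input: lines shaped like `ps -axo user=,pid=,command=` (user, pid, full command).
# Output: "pid<TAB>command" for every root-owned process started from the app bundle.
# The privileged helper is expected to run as root, so it is skipped.
root_proxyman_procs() {
  awk -v app="$APP_DIR" -v helper="$HELPER" '
    $1 == "root" {
      pid = $2
      cmd = $0
      # Drop the user and pid columns; keep the command with its spaces intact.
      sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", cmd)
      if (index(cmd, helper) == 1) next
      if (index(cmd, app) == 1) printf "%s\t%s\n", pid, cmd
    }'
}

# Returns 0 when no root-owned app process is found, 1 otherwise (findings on stdout).
audit_root_proxyman() {
  findings=$(root_proxyman_procs)
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Constructed sample: the helper as root (expected), the MDM-launched app as root
# (the case to flag), and the same app started normally by a user.
sample_ps() {
  cat <<'EOF'
root       412 /Library/PrivilegedHelperTools/com.proxyman.NSProxy.HelperTool
root      9021 /Applications/Proxyman.app/Contents/MacOS/proxyman --install-privileged-components
alice     9188 /Applications/Proxyman.app/Contents/MacOS/proxyman
root        88 /usr/libexec/logd
EOF
}
```

On a managed Mac the same function can read live data: `ps -axo user=,pid=,command= | audit_root_proxyman`.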