chilcote / outset

Automatically process packages, profiles, and scripts during boot, login, or on demand.
572 stars 58 forks source link

Outset 3.0.1 unable to deploy Apple Mobile Configuration Profiles (Big Sur) #82

Open dsafford opened 4 years ago

dsafford commented 4 years ago

Summary: Starting in MacOS Big Sur 11.0.1, Outset is unable to deploy Apple Mobile Config Profiles. They no longer appear in System Preferences > Profiles. These are important when configuring systems for MDM deployment (for example JAMF).

Steps to reproduce: Place a Mobile Config Profile in Boot-Once. Using Outset 3.0.1 and Python 3.7.9 (attempted with 3.8 & 3.6 as well). Run Outset.

Expected results: After Running the above mentioned configuration, your configuration profile should show up in Profiles within System Preferences. You then should be able to approve, or interact with the profile. However no profile appears there.

Actual results: After running the above configuration, no profiles will appear in Profiles within System Preferences. This is true for boot-once , login-once , or any other Outset folder. This ceased to function in the below mentioned version of MacOS and current build of Outset 3.0.1

OS Version: MacOS Big Sur 11.0.1

Application version: Outset 3.0.1 Python 3.7.9

macprince commented 4 years ago

This behavior is expected. As of Big Sur, the profiles command line tool (which outset currently uses when a profile is found in one of its folders) can no longer install profiles. Profiles must be installed manually through the Profiles preference pane or through an MDM.

arubdesu commented 4 years ago

This is a reasonable thing to open an issue about, Apple clearly stated it wouldn't work silently and even then a GUI prompt being triggered as the root user can't be approved... I wouldn't expect this map to userspace in any supportable way, even if I can imagine it being humanly possible to adapt it to work with maybe login- frequencies on 11+. For myself, I'm writing it off as not a worthwhile thing to try to massage into working anywhere, at least for my environment, but, as they say, patches accepted! I'm going to find time to deactivate this altogether on Big Sur with helpful-enough error output (so admins can write it off/clean up any lingering profiles), since I touched/cleaned up platform detection most recently. My impression is Joe is waiting on me for that to cut a tag/release, so I'll try to prioritize it.

Cetartiodactyla commented 3 years ago

For user-scope profiles, could you simply use the open command for a semi-automatic approach?

gregneagle commented 3 years ago

Not really. Try it yourself and observe the behavior!

gregneagle commented 3 years ago

What I see: System Preferences starts to launch, then quits, then a notification appears:

image

If I were a user not expecting this, I would just ignore it, or maybe call the Help Desk to ask what this notification was all about. I for one do not want to train users to agree to do whatever unexpected prompts ask them to do.

gregneagle commented 3 years ago

Worse, if you click the notification, it goes away, and nothing else happens. The user is expected to open System Preferences and navigate to the Profiles preference pane. If they do that fairly soon after getting the notification, they might notice something like this at the top of the pane:

image

If then they actually click the Install button the profile might then be installed as long as it does not require authentication...

Cetartiodactyla commented 3 years ago

That’s true. Even worse, the "Downloaded" section only seems to hold one item at a time.

gregneagle commented 3 years ago

Yikes. I hadn't tried attempting to install multiple profiles this way. Yes, that's even worse.

chilcote commented 3 years ago

you might be better off copying them to the the user's desktop and having them double click each. Of course, the correct way (per Apple's rules) is to use MDM for this. Automating an entirely interactive process will lead to tears, imo.