eduvpn / apple

app for iOS and macOS

Allow manual Download of the App (without Store) for macOS #455

Open Lukas-UAUX opened 2 years ago

Lukas-UAUX commented 2 years ago

Hi,

although some institutions may already be using Apple VPP and an MDM solution I think it would be a huge help if the macOS App could also be downloaded / deployed manually. Using personal Apple IDs is most likely not possible (GDPR and/or other regulations)...

We for example have a decentralized IT structure where not all departments have access to the full-blown MDM to deploy Store apps and have to rely on distributing .dmg/.pkg packages.

If the App can already be downloaded I would be very happy if some one could point me to the correct download site. I have not been able to find one myself...

efef commented 2 years ago

Hi,

I am not sure this is doable. We either need to deploy the App via the App Store or build the App for a specific UUID. I recall this is because we are using Network Extension; this is only available when we use the right authorization. Maybe @roop can shine a light on this.

roop commented 2 years ago

There's supposed to be a way to distribute it outside of the App Store -- by packaging the Network Extension as a System Extension. On first launch, the app is supposed to prompt for enabling its System Extension -- there might be a restart involved as well.

I explored that option earlier for a few days but couldn't get it working. I can try it again and spend more time on it to figure it out.

MUAS-Marcus commented 2 years ago

Hello,

as the main IT department of a big university we would like to join this request. To my knowledge there isn't any established MDM solution for Apple campus-wide yet; we are just now in the process of establishing it for select use cases. Using personalized Apple IDs for downloading is not always possible and usually not permitted.

Thank you

FlorisHendriks commented 2 years ago

Hi,

A workaround could be that you use a script to extract the pkg file from the App Store which can be found here. You can then redistribute the pkg file to deploy it on other devices.

roop commented 1 year ago

@Lukas-UAUX @MUAS-Marcus: We're still working on making this installable through a .dmg / .pkg file. I have a couple of questions on this:

  1. It looks like installation using a .dmg / .pkg requires "admin" privileges (because the installed app has to reside in /Applications, and the user should go to System Settings and enable the app to install system software). "admin" privileges might also be required for updating the app to a newer version. Is this compatible with your usage scenarios?

  2. We were considering Homebrew Cask as a possible way to distribute the app. Is that acceptable? Do you think the users will be able to install / update by using command-line commands?

Thanks.

Lukas-UAUX commented 1 year ago

  1. Would be perfectly fine, any software that needs low level system functions needs admin privileges anyway and munki/jamf or similar local distribution methods have no problem with that.
  2. If someone already uses Homebrew it could be a nice addition to 1) - but not as an alternative

jeroenleenarts commented 1 year ago

Homebrew is an easy bolt on addition when there is a proper installer available.

When doing manual install, make sure to have an update mechanism as well. Sparkle is great for that. It is the one that provides the familiar update mechanism for out-of-store apps. https://github.com/sparkle-project/Sparkle

jeroenleenarts commented 1 year ago

Do note that VPN through a Tunnel Extension only works for App Store apps. Not for a notarized app it seems. So an out-of-store deployment is not an option. https://developer.apple.com/documentation/technotes/tn3134-network-extension-provider-deployment

VPN as system extensions do work. But I think the Mac app uses a network extension.

Thoughts @efef or @roop

Lukas-UAUX commented 1 year ago

Looking at Tunnelblick's documentation that depends on whether eduVPN uses tun or still tap. Only for tap is an extension needed at all. And OpenVPN Connect also doesn't use one... Is it the WireGuard part that actually needs it?

roop commented 1 year ago

@Lukas-UAUX: Thanks for clarifying. That was helpful.

eduVPN uses TUN for both OpenVPN and WireGuard. According to Apple's documentation, the recommended way to implement TUN tunnels in macOS is by using an App Extension (for Mac App Store distribution), or a System Extension (for outside-of-Mac-App-Store distribution). I don't know what Tunnelblick does. OpenVPN Connect might have special permissions from Apple, but I'm not sure about it.

I have a few more questions about updating the app after it's installed.

Let's assume we have .dmg / .pkg files served from an eduVPN web server for multiple versions of eduVPN. A user has version 1 installed, and version 2 is made available as a .dmg / .pkg in the web server. How do you see app updates happening?

Questions:

  1. For your usage scenarios, which of these are possible, and which is preferable?
  2. For (c), is there a way to authenticate the downloaded .dmg / .pkg as the correct one by verifying a cryptographic signature like minisign? (Like running a custom script, and if it fails, abort the install.)

roop commented 1 year ago

@jeroenleenarts I'm working on modifying the app to bundle the tunnel extension as a System Extension to enable out-of-Mac-App-Store distribution (Developer ID distribution, notarized). I did consider Sparkle -- that discussion is happening in #499, but before discussing that, I'm hoping to get some clarity on the usage scenarios for updates from @Lukas-UAUX.

Lukas-UAUX commented 1 year ago

We have a very decentralized IT-Structure, while my department can use VPP to distribute the App, another one uses Munki and another one has no Apple device management at all but also no company Apple ID.

As both the IT and a 'non-managed' user with admin rights could just download the new dmg/pkg and install/update it either via a deployment system or by hand with the user's admin permissions, I don't think much more than a 'nagging' window that proposes a new version (that can be disabled) is truly needed.

Although it would be very comfortable for the user if the app could be updated with just one click and entering admin credentials. (IT still would download and install the new version via deployment).

Personally I prefer MacPorts over Homebrew because the latter ignores security - but I don't think there would be a large user base for either of those two.

A Verification could just be done with the code signing utility - as the App is already signed with the Developer ID - minisign would be redundant or?

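The pre-install check discussed in the two comments above (roop's question 2 about verifying the downloaded .pkg with a custom script, and Lukas-UAUX's reply that the Developer ID signature already covers it), written out as an added example. This is not eduVPN project code; it is a POSIX sh script an admin would run before handing a package to munki/jamf or an end user. It pins an expected Apple Team ID (`ABCDE12345` is a placeholder, not the real eduVPN Team ID), checks the installer signature with `pkgutil --check-signature`, asks Gatekeeper with `spctl --assess --type install` whether the package is accepted and notarized, and optionally verifies a minisign signature if a `.minisig` file and the `minisign` binary are present. The parsing of tool output is split into functions so it can be exercised offline on the constructed sample output embedded in the script; the `SAMPLE_PKGUTIL_OUTPUT` text is constructed for the example and not a real pkgutil run.

```shell
#!/bin/sh
# Added example, not eduVPN project code: verify a Developer ID-signed and
# notarized macOS .pkg before installing it. Assumptions: EXPECTED_TEAM_ID is a
# placeholder you replace with the Team ID pinned from a known-good package.
set -eu

# Placeholder Team ID (assumption for this example, not the real eduVPN one).
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-ABCDE12345}"

# Constructed sample of `pkgutil --check-signature` output, used for the
# offline self-check below. Not captured from a real package.
SAMPLE_PKGUTIL_OUTPUT='Package "eduVPN.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Org (ABCDE12345)
    2. Developer ID Certification Authority
    3. Apple Root CA'

# Print the 10-character Team ID that follows "Developer ID Installer:" in
# pkgutil output, or nothing if no such line exists.
team_id_from_pkgutil() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Developer ID Installer: .*(\([A-Z0-9]\{10\}\)).*/\1/p' \
        | head -n 1
}

# Return 0 only if pkgutil reports a developer-certificate signature AND the
# Team ID on the installer certificate equals the pinned one.
check_pkgutil_output() {
    out="$1"; want="$2"
    printf '%s\n' "$out" \
        | grep -q 'Status: signed by a developer certificate issued by Apple' \
        || return 1
    got=$(team_id_from_pkgutil "$out")
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Return 0 only if spctl says the installer is accepted and notarized.
check_spctl_output() {
    printf '%s\n' "$1" | grep -q 'accepted' || return 1
    printf '%s\n' "$1" | grep -q 'source=Notarized Developer ID'
}

# Full check on a real package file (macOS only: needs pkgutil and spctl).
# If <pkg>.minisig and a minisign public key file are present, also verify
# that signature; it is a second, independent trust root next to Apple's.
verify_pkg() {
    pkg="$1"; minisign_pub="${2:-}"

    pkgutil_out=$(pkgutil --check-signature "$pkg")
    check_pkgutil_output "$pkgutil_out" "$EXPECTED_TEAM_ID" \
        || { echo "REJECT: unsigned or Team ID != $EXPECTED_TEAM_ID: $pkg" >&2; return 1; }

    spctl_out=$(spctl --assess --type install -vv "$pkg" 2>&1)
    check_spctl_output "$spctl_out" \
        || { echo "REJECT: Gatekeeper did not accept as notarized: $pkg" >&2; return 1; }

    if [ -n "$minisign_pub" ] && [ -f "$pkg.minisig" ] && command -v minisign >/dev/null 2>&1; then
        minisign -V -q -p "$minisign_pub" -m "$pkg" -x "$pkg.minisig" \
            || { echo "REJECT: minisign signature invalid: $pkg" >&2; return 1; }
    fi

    echo "OK: $pkg is signed by Team ID $EXPECTED_TEAM_ID and notarized"
}

# Offline self-check of the parsing logic on the constructed sample.
self_check() {
    check_pkgutil_output "$SAMPLE_PKGUTIL_OUTPUT" "ABCDE12345" || return 1
    if check_pkgutil_output "$SAMPLE_PKGUTIL_OUTPUT" "ZZZZZ99999"; then return 1; fi
    echo "self-check passed"
}

# Usage: ./verify_pkg.sh eduVPN.pkg [minisign.pub]; with no arguments, run the
# offline self-check only.
if [ $# -ge 1 ]; then
    verify_pkg "$@"
else
    self_check
fi
```

Pinning the Team ID matters because `pkgutil --check-signature` and `spctl` only tell you that *some* Developer ID holder signed and notarized the package; without the pin, any notarized package with the right file name passes. The minisign step is kept optional because, as the reply above notes, the Developer ID signature already authenticates the publisher; a second signature only adds value if its key is obtained over a channel independent of the download server.
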
roop commented 1 year ago

@Lukas-UAUX Thanks for your comments. We'll first get the pkg installable working and worry about updates later on.

ShadowJonathan commented 3 months ago

What's the blocker for distributing eduVPN/LetsConnect via homebrew? @jwijenbergh told me the issue would be to distribute the Network Extension alongside the app, is there anything in homebrew that would facilitate that? I imagine this'd be a solved problem over there

roop commented 3 months ago

@ShadowJonathan The issue is indeed the distribution of Network Extensions. It needs to be signed by Apple to work, which means it either needs to be App Store-distributed, or made into a System Extension and notarized. Network Extension apps cannot be distributed through homebrew.