glpi-project / glpi-agent

GLPI Agent
GNU General Public License v2.0

Mass deployment modified pkg GLPI Agent for Mac (x86/M1) #214

Closed hakito73 closed 2 years ago

hakito73 commented 2 years ago

Documentation

Yes, I read it

Solution search

Not applicable

Professional support

I still have but want a public following to help the community

Is your help request related to a problem?

No

Expected behavior

I expect to sign the modified pkg to bypass the security prompt

Actions you've considered

I modified the pkg of the Mac GLPI Agent, but since I modified it I encounter a signature problem (logical since I modified it)

Additional context

Hi,

I want to share some feedback about a mass deployment of the GLPI agent and how it is going.

Currently in my company there's no real inventory tracker for the Mac users (around 400/600 Mac laptops). FusionInventory was kinda not really working as expected. Recently I found that you had a fork of FusionInventory that also works for M1/x86, which is awesome :) !

But here is the problem: when I launch the standard pkg I have to put a conf file etc. and then do some terminal cmd to launch GLPI and force an inventory. Which is not really worth it when you have a lot of Mac computers. So I unpackaged the pkg files and tried some modifications, and then I added some things into the postinstall script which put the conf files with my servers and all the setup I want.

And it's working VERY WELL! I don't even have to do any sudo cmd to start the service.

But as expected, since I modified the pkg a security prompt opens after I try to install the pkg. I have to manually accept inside the command center the installation of the pkg. And that's the main "problem".

I don't have enough knowledge with GitHub and dev to bypass this problem.

Do you think we could have a feature that could add the server and the feature we want inside the postscript installer, which would allow us to download an installer with the conf we want to add?

PS : Thanks for the amazing job you made on GLPI agent and all the documentations you made, I took a lot of pleasure reading and conf the GLPI Agent :)

g-bougard commented 2 years ago

Hi @hakito73

if you have a GLPI subscription, can you also open a ticket or ask your professional GLPI partner to do so linking this issue ? Thank you.

I understand you had to modify the pkg, but indeed this breaks the official signature we add when building the package. This is why you get the security prompt.

The normal process to install GLPI Agent on MacOSX is to install the pkg, then install a dedicated configuration under /Applications/GLPI-Agent/etc/conf.d and restart the agent. Having a dedicated conf there means future upgrades will be transparent as this conf will be preserved.

Do you think you can adapt your process following this advice ?

You didn't talk about how you're making mass deployment. Are you using any specific product ?

Actually, I'm not sure how it would be possible to tune the installation process to be able to configure the agent during the installation. Maybe a perl or whatever installer like the unix one could be a solution.

hakito73 commented 2 years ago

I won't be able to adapt the system for a mass deployment. I use Ivanti as MDM but it's kinda tricky. That's why I want to include the conf into the installer.

If it was for 10 Macs it would be okay to deal with it, but because it's a mass deployment this is really tricky. I won't be able to add the conf files after. And even after, it requires restarting the service with su etc.

The problem is the mass deployment: the fewer actions I need to perform, the better it is. Because I'm very limited, it's easy to push a pkg. But adding a file and doing some su on 400-600 computers is nearly impossible.

For the mass deployment I use Ivanti MDM for Mac to push the pkg.

g-bougard commented 2 years ago

I'm not aware of Ivanti MDM for Mac features. Is it possible to just push a file (the required configuration) to all your Macs or can you only install pkg files?

Eventually wouldn't it be possible for you to create a simple pkg which could embed the official pkg, the required conf and your own post-install script?

Also, if you have an Apple developer account or can create one, it should be easy to notarize your own pkg, even if you modify one like the GLPI Agent one.
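
The wrapper-pkg approach suggested in the comment above, sketched as a postinstall script (an added example, not part of the original thread and not GLPI Agent project code). It leaves the official pkg unmodified so its vendor signature can be checked before install; the embedded file name, conf file name, server URL, team ID and launchd label are assumptions or placeholders to replace.

```shell
#!/bin/sh
# postinstall of a hypothetical wrapper pkg that ships the unmodified
# official GLPI Agent pkg next to this script (all names below are assumptions).
set -eu

EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-TEAMID0000}"     # placeholder: vendor team ID you recorded
AGENT_LABEL="${AGENT_LABEL:-REPLACE_WITH_AGENT_LABEL}" # placeholder: agent launchd label
CONF_DIR_REL="Applications/GLPI-Agent/etc/conf.d"      # path given in the thread
CONF_NAME="00-deployment.cfg"                          # hypothetical file name
SERVER_URL="https://glpi.example.invalid/"             # constructed value

# $1 = output of `pkgutil --check-signature`, $2 = expected team ID.
# Succeeds only if the leaf certificate is a Developer ID Installer cert of that team.
signed_by_team() {
    printf '%s\n' "$1" | grep -Eq "^ *1\. Developer ID Installer: .* \($2\)"
}

# Refuse the embedded pkg if it is unsigned, altered, or signed by someone else.
verify_pkg() {
    out=$(pkgutil --check-signature "$1") || return 1
    signed_by_team "$out" "$EXPECTED_TEAM_ID"
}

# $1 = target root, $2 = server URL. Written atomically, readable by root only.
write_conf() {
    dir="${1%/}/$CONF_DIR_REL"
    mkdir -p "$dir"
    tmp=$(mktemp "$dir/.conf.XXXXXX")
    printf 'server = %s\n' "$2" > "$tmp"
    chmod 600 "$tmp"
    mv -f "$tmp" "$dir/$CONF_NAME"
}

main() {
    pkg="$(dirname "$0")/GLPI-Agent.pkg"               # hypothetical embedded file name
    verify_pkg "$pkg" || { echo "embedded pkg failed signature check" >&2; exit 1; }
    installer -pkg "$pkg" -target /
    write_conf / "$SERVER_URL"
    launchctl kickstart -k "system/$AGENT_LABEL"       # restart so the conf is read
}

# Run only when invoked as a pkg script; sourcing or testing just defines functions.
case "${0##*/}" in postinstall) main ;; esac
```

The wrapper pkg itself still has to be signed with your own Developer ID Installer certificate and notarized, as the comment above notes, or it triggers the same security prompt.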

hakito73 commented 2 years ago

For the first question, Ivanti in my opinion is a very bad MDM and I'm very limited: I can't push files etc. in a proper way (lots of failures), and this is why I want to implement a modified pkg file. Because if they don't have the correct conf then the services won't start, and it's a problem because I won't be able to start it or su into 400/600 with the MDM.

This is why I absolutely want to use only one pkg.

I was thinking about the Apple developer account also but my knowledge is limited. Since your pkg is signed maybe when I notarize it, it won't sign it again. But I need to test this.

My second option is to do a fork into gitlab (sourcing your github) and add the conf I want to and then package it for mac.

g-bougard commented 2 years ago

Afaik, notarize again a pkg will just replace the current signing with your own. So your test should show you this is not an issue.

Forking the project or editing the pkg looks the same imho.

Anyway it seems nothing is possible on the agent side if you just need a custom pkg. I thought eventually of searching for a configuration file during the post-install, but if you're limited with file deployment this won't help you.

g-bougard commented 2 years ago

Closing as we can do nothing in your case on agent side. You'll have to deal yourself with this issue. Feel free to share your experience here anyway ;-)

wongchun commented 1 year ago

@hakito73 I would like to create a custom pkg for the mass deployment, is it possible that I can learn that from you? Many thanks!

hakito73 commented 10 months ago

Hello, I'm returning after a year because I had forgotten about starting this thread. I've successfully completed the task and am willing to document the entire process, detailing how I achieved it. @g-bougard (and @wongchun) you might want to include my comprehensive explanation in your documentation. This would be beneficial for companies looking to create a custom GLPI Agent package that integrates the correct configuration without needing post-install modifications for every GLPI-agent deployed on macOS.

g-bougard commented 10 months ago

Hi @hakito73

any such contribution would be very appreciated. You can eventually contribute to the online documentation project by proposing a PR or I'll modify it myself if you want to put your details here.

wongchun commented 10 months ago

Hi @hakito73 , sure thanks, would like to get your share and many thanks for the sharing first

edwinsyn commented 10 months ago

Hey @hakito73 , I'm interested in your upcoming documentation of how you achieved the task. Do you have the documentation published somewhere?

rtty88 commented 9 months ago

any updates here please for such a problem @hakito73
THANKS