Video Screencast Help

Apple File Types and Software Delivery for Macintosh

Created: 29 Oct 2008 • Updated: 29 Oct 2008 | 3 comments
Language Translations
dougj's picture
+2 2 Votes
Login to vote

Apple allows for distribution of applications in the following file types:

• App
• PKG, MPKG
• DMG
• Custom Installers
• TAR, TAR.GZ, GZ, ZIP, TAR.BZ2, BZ2

Symantec provides a method for distributing each of these file types using Software Delivery for Macintosh, with possible exceptions for some custom installers. Each method requires a bit of manual setup to create an appropriate distribution package. And, each may require a unique command line to install the software on client machines.

Each file type will be described below along with appropriate setup procedures and sample command lines.

Note: It is recommended that all distribution files and packages be compressed (zipped) on a client macintosh computer prior to copying it to the Notification Server package directory. Note that zipped archives are supported on Mac OS X 10.3 and higher. The reasons for compressing files prior to copying them to a Windows computer are:
  • Windows will not preserve executable bits of Unix, Linux and Macintosh files. If distribution files are not zipped or compressed, then an accompanying manifest file will be required to reset the executable bits when the files are distributed to the Macintosh clients. Symantec provides a utility to create file manifests. This is described in KB article# 38241.
  • Certain file formats are actually folders and the folder/path string for these, combined with their location on the NS, can easily exceed the 256 character limit imposed by Windows.
  • Files may have so called resource- and data-forks. These are hidden from users and are not preserved when copying from Mac to PC.

Please do not use the Stuffit application to create archives used by Altiris Software Delivery for Macintosh.

Note: It is not advisable to use the "OnLogon" and "OnLogoff" scheduling options for tasks that are anyway related to the user-context since we may discover a logon/logoff before or after the actual user context gets created or destroyed.

Important Security Note: Apple advises against launching any GUI application or program written in Apple Script from daemons running with the root privileges (this is the case of Altiris Agent). Once a GUI window is opened from a process running as root or an admin user, the context of the desktop switches to the root or admin user. Non-admin users could then gain admin privileges via the GUI.

App (application bundles)

Applications (.app files) are usually enclosed in a bundle. An application bundle is simply a well-formed directory structure that contains resources needed by the application, such as frameworks, images, localization strings, etc. They appear as a single file in Finder but are really directory structures when viewed from a terminal command line. Because these bundles are normally file packages, the term application package refers to an executable application bundle.

Applications can be copied directly from the Software Delivery package directory to the desired installation directory. It is recommended that app files be compressed or zipped to preserve the directory hierarchy and execution bits inherent in application bundles. Zipped archives are supported only for Mac OS X 10.3 and higher.

Sample Software Delivery command lines:

pkg-rollout -f Firefox.zip && cp -R Firefox.app /Applications/

Note that the .app file is being copied to the /Applications folder, not the .zip file. 'pkg-rollout' will uncompress the .ZIP file and the standard copy command is used to move the .app file/bundle to an appropriate location.

In many cases, apps are delivered by the software vendor in dmg files. To Create a compressed archive of an app from a .DMG file:

  1. Download the file to a local Macintosh computer.
  2. Open the .DMG file in Finder.
  3. Copy the app file from the dmg finder window to an temporary location/directory.
  4. Compress the app file. A copy of the original should appear with a .zip extension.
  5. Use the resulting archive/ZIP file in the software delivery package.

PKG and MPKG (Installation, Meta and Distribution Packages files)

A package is a directory that appears in the Finder as a single file. Packages contain a product or product component - the package's payload - to be installed on a computer, and the configuration information that determines where and how the product is to be installed. Packages have the extension .pkg or .mpkg. When a user double-clicks a package in a Finder window, the Installer application opens the package and walks the user through the installation process. In this document the term package refers to an installation package, not an application package (See the 'App' section, below). We are also referring to Apple .PKGs and .MPKGs (not the other Unix/Linux form of .PKG files).

PKG and MPKG software may be installed using the GUI Installer or with a command line "installer" built into the package. Symantec has created a utility to facilitate the distribution of packages, named pkg-rollout. Among other things, pkg-rollout tries to install pkg and mpkg files with the command line: "installer -pkg PackageName.pkg -target /".

The .PKG and .MPGK will automatically expand and be placed in the default locations specified by the .PKG or .MPKG.

Sample Software Delivery command lines:

pkg-rollout -f GarageBand_202.pkg.zip
pkg-rollout -f MacOSXUpdateCombo10.3.9.pkg.zip && shutdown -r now

'pkg-rollout' will uncompress the file, traverse it, if necessary, and execute the 'installer' command.

Obviously you should take care on the second one. You are assuming that there are no users that would be upset by a forced reboot.

DMG (Disk images)

A disk image is a file-based enclosure that facilitates the transport of a directory structure. They are the preferred container for software products on Mac OS X. They allow you to group a set of files in a compact format that is easily handled by users. These enclosures are easily transported across a network because they appear as a single file. To access the contents of a disk image, a user double-clicks it in the Finder, which opens a standard Finder window showing the disk image's contents. Typically, they contain an 'app' file that can be dragged and copied to the Application directory. Compressed disk images allow you to use delivery vehicles-space-limited optical media or bandwidth-strapped networks-more efficiently.

It is recommended that the app file be copied out of the dmg file, compressed and included in the Software Delivery package directory rather than the dmg. Altiris provides for direct installation of app files but not apps within dmg files.

However, it is possible to distribute an application contained in a dmg file using a shell script and various OS X command line utilities.

  1. Create a shell script that does the following. The file must have macintosh line endings - not windows or unix.
    • hdiutil attach /<path to file>/<filename>.dmg
    • ditto -rsrc /Volumes/<app name>/ /Applications/
    • hdiutil info | grep -w '<mounted volume name>' | grep -v 'image' | awk '{ print $1 }' | xargs hdiutil detach
    • rm /<path to file>/<filename>.dmg
  2. Create a package and policy on the NS server that contains the dmg file and the above script, as described in KB# 24411.

Notes:

  • Change the name and paths accordingly to the actual file you are using. In the first line, change the file name; in the second line, modify the /Volumes/... path according to the path displayed by the package when it's mounted on the Mac. Make a test before creating the script to get the volume name of your .dmg file. Check lines 3 and 4 to meet the aforementioned requirements.
  • It is usually safe to use the \Users\Shared\ path to store temporary files.
  • If the .dmg package has a license screen with an Agree button, it will not mount automatically and installation in Mac OS Applications folder will fail.
  • To find the "<mounted volume name>", run "hdiutil info". The results will list a different section for each mounted dmg file. The line with the <mounted volume name> will begin with a /dev device name, the Apple HFS entry followed by the volume name of the dmg file. The results will also contain the dmg name on the image-path and image-alias entries, hence, the need for "grep -v 'image'".

Custom Installers

Adobe Reader is a good example of a custom installer. In order for Software Delivery for Macintosh to install these, the software vendor must provide a silent installation option. It is a good tradition to make it possible to run such installers silently. However, if the software vendor does not follow this tradition, there is nothing we can do in regards to delivery via Software Delivery Solution.

TAR, TAR.GZ, GZ, ZIP, TAR.BZ2, BZ2

Since any file can be tarred and zipped, please see the appropriate section for the file type being deployed, e.g., dmg, app, pkg or mpgk. 'pkg-rollout' can be used in the command line to uncompress and untar these files with appended commands to copy, install, etc. the remaining file.

Security Updates

To obtain security updates, you may run the Software Update utility. Rather than open the update, select the save or archive option. Once you have the file on a local Macintosh, it should be archived and copied to the NS as a new package. Do not use the Open command in the Software Update screen or you will not be able to save and archive the file. Note that you can tell if a package requires a reboot in the Software Update screen. If there is a gray triangle to the left of the application in the Software Update screen, a reboot will be required after installation of that file. In this case, the command line should end with ' && shutdown -r now' command.

Package-rollout Sample Command Lines

  • pkg-rollout -f GarageBand_202.pkg.zip
  • pkg-rollout -f MacOSXUpdateCombo10.3.9.pkg.zip && shutdown -r now
  • pkg-rollout -f Firefox.zip && cp -R Firefox.app /Applications/
  • pkg-rollout -f Adobe\ Reader\ 7.0.5\ Installer.zip && open Adobe\ Reader\ 7.0.5\ Installer.app
  • pkg-rollout -f WindowsMediaInstaller.bin.zip && open WindowsMediaInstaller.bin
  • -f specifies which file to rollout.
  • -nr means "non-recursive". Suppose that you have a package file, and you made an archive, then ran gzip on it; when it's deployed to the Mac clients, non-recursive mode will only run the first process of gunzipping the file, then stop. That means that you have to manually specify in the command line each process that you want to accomplish, including the final installation command. In recursive mode (the -nr parameter is not in the command line), pkg-rollout is smart enough to gunzip the file, unzip the archive, and execute the installation of the package without specifying each step of the process.

Software Delivery for Macintosh Setup Procedures

Following is an example of creating an Altiris Software Delivery package with the application Firefox

.

On the Macintosh Client:

  1. Download Firefox from http://www.mozilla.com/.
  2. Drag the Firefox application to the Applications folder as directed.
  3. Open the Terminal application (Applications > Utilities > Terminal) and run the following commands:
    • cd /Applications
    • tar cvf Firefox.zip Firefox.app/
  4. Go back to the Finder and connect to your Notification Server. This can be done by choosing the menu item Go > Connect to Server.
  5. Then type in smb://<nsserver>/nscap and click Connect.
  6. You will be prompted for your credentials and once entered you will have the volume mounted on your computer.
  7. Now open up NSCAP and create a new folder called "Firefox" under the Bin/Mac folder.
  8. Drag Firefox.zip from the Applications folder on your computer to this new "Firefox" folder.

On the Notification Server Console:

Create the package:

  1. Go to Resources tab > Resources > Software Management > Software Delivery Packages > Macintosh.
  2. Right-click on the Macintosh node and then click New > Macintosh Package.
  3. Fill in the information as you want it to show up.
  4. Add the package by clicking the Browse button and selecting the FireFox folder (<drive letter>:\Program Files\Altiris\Notification Server\NSCap\bin\mac\FireFox).
  5. Click on the Programs tab.
  6. Click the New button.
  7. Fill in the Name and Description fields as you want them to show up.
  8. Fill in the Command Line field with: pkg-rollout -f Firefox.zip && cp -R Firefox.app /Applications/
  9. Click Apply and Update Distribution Points. You can close this window.

Creating the task

Now that you have the Package created, you can create a task that distributes it.

  1. Go to Tasks tab > Software Management > Software Delivery > Macintosh > Software Delivery Tasks.
  2. Right-click on the Software Delivery Tasks node and select New > Macintosh Software Delivery Task.
  3. Fill in the Name and Description fields any way you want.
  4. Click the Select the package link and choose the Firefox 1.5 package
  5. Click OK. This should automatically fill in "Install Firefox" in the Program Name field as well (but if not, select the "Install Firefox" program from the drop-down).
  6. Click Select a collection and select Collections > Computer Collections > Macintosh Computers > All Macintosh Computers with Agent 6.1 SP1 (you could also choose Collections > Computer Collections > Macintosh Computers > Mac OS X > Macintosh OS X 10.2, but this particular package should work with the other operating systems as well).
  7. Click OK.
  8. If you like the default schedule ([x] Run as soon as computer is notified (only runs once)) then go ahead and enable the task and then click Apply.

The task can now be deployed to the target computers.

Comments 3 CommentsJump to latest comment

Joseph Swenson's picture

Could we get an update to this document for NS 7? 

+1
Login to vote
matthew.hartman@us-resources.com's picture

I concur.  Please provide updated information for v7.

0
Login to vote
donmontalvo's picture

This is incorrect:

Important Security Note: Apple advises against launching any GUI application or program written in Apple Script from daemons running with the root privileges (this is the case of Altiris Agent). Once a GUI window is opened from a process running as root or an admin user, the context of the desktop switches to the root or admin user. Non-admin users could then gain admin privileges via the GUI.

Non-admin users would simply get an error along the lines: "You don't have rights to that folder".

If the target computer is at the Login Window, there used to be an issue where pushing a PKG containg an embedded AppleScript would toss up the root user's home directory behind the Login Window which was a moot issue as you couldn't click on it anyway, and is even more a moot point as this issue does not occur anymore.

Here is an example where we alerted Citrix of this issue. Their dev team embedded an AppleScript to prompt the user on whether to install Safari plug-ins. Note the login window and right behind it the root user's home directory (which you could not select - so not really a security issue). Imagine the thrill of dispatching armies of Mac techs to "touch" each of 1,800 Macs:

The bottom line, if you read through Apple's developer documentation, is you should always strive to create a zero-touch PKG installer that never prompts the user for anything. If any prompts are needed, it should be at the launch of Installer.app and not mid-way through the install process. With that said, since this KB is so outdated, I'm not sure if this process is still valid...in any case, it would be great to see this KB updated.

Don Montalvo

0
Login to vote