Deploying Octory

What you will learn in this tutorial

Preparing the source folder and building the package

After the Octory.plist file has been created and configured, a few more steps are needed before building the Octory deployment package that bundles the material used by your configuration.

  1. Copy the latest version of Octory.app into /Build&Deploy/payload/Library/Application Support/Octory

  2. Copy the folder HelperInstall (version 1.0.1 on the website) into /Build&Deploy/payload/Library/Application Support/Octory
    In this example, it has been renamed HelperInstall for cosmetic purposes.

  3. Rename the postinstall.sh script by removing the .sh extension; otherwise it won’t be included in the deployment package.
    a. Open /Applications/Utilities/Terminal.app
    b. Browse to the folder /Build&Deploy/scripts and run the following command

    mv postinstall.sh postinstall
  4. Edit postinstall and add these two lines, which call installHelper.sh:

    cd "/Library/Application Support/Octory/HelperInstall"
    ./installHelper.sh

    This is what postinstall should now contain.

    #!/bin/bash
    # Load the LaunchAgent which makes Octory re-appear when terminated by the user
    
    # Resolve the user currently logged in at the console (ignoring the login window)
    loggedInUser=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
    loggedInUID=$( id -u "${loggedInUser}" )
    
    # Regular macOS user accounts have a UID above 500; system accounts are skipped
    if [[ ${loggedInUID} -gt 500 ]]; then
        echo "Launching Octory for user ${loggedInUID}…"
        sudo -u \#${loggedInUID} launchctl enable gui/${loggedInUID}/com.amaris.octory.launch
        sudo -u \#${loggedInUID} launchctl bootstrap gui/${loggedInUID}/ /Library/LaunchAgents/com.amaris.octory.launch.plist
        sudo -u \#${loggedInUID} launchctl kickstart gui/${loggedInUID}/com.amaris.octory.launch
    fi
    
    # Run the helper installer shipped in the package payload
    cd "/Library/Application Support/Octory/HelperInstall"
    ./installHelper.sh
    

  5. Finally, apply the right ownership and permissions before packaging by running the following (the folder name contains an ampersand, so it must be quoted or the shell will split the command).

    sudo chown -R root:wheel "/Build&Deploy"
    sudo chmod -R 755 "/Build&Deploy"
    

Here is what the Build&Deploy folder may look like once ready.

Please note that terminationScript.sh is mandatory to prevent Octory from relaunching when the user quits it.

  1. Now you are ready to build the Octory installation package.
    a. Open /Applications/Utilities/Terminal.app
    b. Browse to the folder /Build&Deploy.
    c. Run the following command

    sudo ./build_pkg.sh

    d. The result is a pkg file named after this template: OctoryInstaller-yyyymmddhhmm.pkg

If you don’t need to sign your package, you can use it as is. If you plan to install Octory during the PreStage enrollment, you must sign it using a certificate.


Creating the signing certificate (if necessary)

Two options are available to you:
- Use a certificate signed by your Jamf Pro instance’s Certificate Authority.
- Use your Apple Developer ID.

We will dive into both options right now.


Create a certificate that only Mac computers enrolled with your Jamf Pro will trust

  1. Open /Applications/Utilities/Keychain Access.app

  2. Go to the Keychain Access menu, choose Certificate Assistant, then choose Request a Certificate From a Certificate Authority.

  3. In the Certificate Information window, in the User Email Address field, enter an organizational email address.

  4. In the Common Name field, enter your organization’s name.

  5. Select “Saved to Disk”.

  6. Click Continue.

  7. In the Save As dialog, optionally change the destination (this guide uses Desktop as an example) then click Save.

  8. In the Conclusion message, click Done. A private key is automatically generated and saved in your login keychain.

  9. Open the file you just created and copy the overall text.

  10. With a web browser, log in to your Jamf Pro web interface. Navigate to Settings → Global Management → PKI Certificates and click on Management Certificate Template.

  11. Click Create Certificate from CSR and paste your clipboard inside the CSR field.

  12. Click the menu for Certificate Type, choose Web Server Certificate, then click Save.

  13. Your browser automatically downloads a newly signed certificate to the browser’s default location. For this guide, the default location is your Downloads folder. Your browser might display a wait status indicator indefinitely. After the certificate is downloaded, you can safely close the browser window or navigate to a different page.

  14. In the Finder, navigate to the folder that contains the newly signed certificate and open it. In the following example, the file is in the Downloads folder; its name reflects your organization’s name and has the “.pem” suffix (though PEM historically stands for Privacy-enhanced Electronic Mail, you won’t be using this certificate for mail).

  15. If you’re prompted to add the certificate to a keychain, select your login keychain, then click Add.

  16. In Keychain Access, in the lower-left corner, click My Certificates. To confirm that the certificate you just imported is displayed with the private key, select the certificate and click the disclosure triangle. Note: At this point your Mac is the only place where your private key is stored.

  17. Finally, if the Mac you used to create the Certificate Signing Request (CSR) is enrolled in your Jamf Pro instance, it already trusts the Jamf Pro Certificate Authority (CA) that signed your CSR, so it trusts the new certificate. If your Mac is not enrolled with your Jamf Pro instance, you need to configure it to trust the certificate so that Composer can use it.
    To do this:
    a. Double-click the certificate you just imported.
    b. Click the disclosure triangle next to Trust, click the menu next to “When using this certificate” and choose “Always Trust.”
    c. Choose File → Close to close the certificate window, then at the “You are making changes to your Certificate Trust Settings” dialog, provide your credentials to allow the update.
    d. Confirm that the certificate is displayed with “This certificate is marked as trusted for this account.”


Use your Developer ID Installer certificate

  1. Double-click your Developer ID Installer file

  2. In the dialog that appears from Keychain Access, leave Keychain set to “login”, then click Add.

    If you already had Keychain Access open with your System keychain selected, you might need to use the following workaround to use your login keychain instead: Open Keychain Access, in the upper-left corner of Keychain Access, select your login keychain, then quit Keychain Access.

  3. In the dialog, enter the password that protects the .p12 file, then click Add.

  4. To confirm your certificate and private key are imported, in the lower-left corner select My Certificates, then click the disclosure triangle for your certificate.


Sign the package

Command-line

Run the following, replacing the CERTIFICATE_ID value with the string between brackets in your certificate name. For example: 1A2B3C4D5E.

productsign --sign "[CERTIFICATE_ID]" \
~/Desktop/example.pkg ~/Desktop/signed-example.pkg
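As an added check that is not part of the original tutorial, the following script wraps the productsign call above and then reads the output of pkgutil --check-signature to confirm that the leaf certificate of the signature chain is the identity you asked for, which catches a package signed with the wrong identity (or not signed at all) before it is uploaded to the MDM. The identity, package paths and the embedded sample of pkgutil output are assumptions or constructed for illustration.

```shell
#!/bin/bash
# Added example, not part of the Octory tutorial: sign the installer package
# and then confirm, from `pkgutil --check-signature`, that the leaf certificate
# of the signature chain is the identity you intended. The identity name,
# package paths and the sample pkgutil output below are assumed/constructed.
set -eu

# Print the leaf (first) certificate name from `pkgutil --check-signature`
# output read on stdin, e.g. "Developer ID Installer: Example Org (1A2B3C4D5E)".
leaf_signer() {
  awk '/Certificate Chain:/ { chain = 1; next }
       chain && /^ *1\. / { sub(/^ *1\. /, ""); print; exit }'
}

# Succeed only when the leaf signer of the package contains the expected
# identity string; anything else (unsigned, or another identity) fails.
check_signature() {  # $1 = pkg path, $2 = expected identity (substring)
  local out leaf
  out=$(pkgutil --check-signature "$1" || true)
  leaf=$(printf '%s\n' "$out" | leaf_signer)
  case "$leaf" in
    *"$2"*) printf 'OK: %s is signed by %s\n' "$1" "$leaf" ;;
    *)      printf 'FAIL: %s leaf signer is "%s", expected "%s"\n' "$1" "$leaf" "$2" >&2
            return 1 ;;
  esac
}

# Sign with productsign (same call as the tutorial) and verify the result.
sign_and_check() {  # $1 = identity, $2 = unsigned pkg, $3 = signed pkg to create
  productsign --sign "$1" "$2" "$3"
  check_signature "$3" "$1"
}

# Constructed sample of pkgutil output, used to exercise leaf_signer offline.
sample_check_output() {
  cat <<'EOF'
Package "signed-example.pkg":
   Status: signed by a certificate trusted by macOS
   Certificate Chain:
    1. Developer ID Installer: Example Org (1A2B3C4D5E)
    2. Developer ID Certification Authority
    3. Apple Root CA
EOF
}

# Usage: ./sign_and_check.sh "1A2B3C4D5E" ~/Desktop/example.pkg ~/Desktop/signed-example.pkg
if [ "$#" -eq 3 ]; then
  sign_and_check "$@"
fi
```

A package signed with the Jamf Pro CA certificate is reported as untrusted by pkgutil on a Mac that is not enrolled, so the script deliberately relies on the identity match rather than on the Status line.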

Composer

  1. Open Composer and enter your login password if requested. If Composer shows the Snapshot window, click Cancel.

  2. Click on the Composer menu → Preferences → Packaging.

  3. Check “Sign with”, and select from the drop-down menu the certificate you added to the keychain in the previous chapter (in this example, the certificate from the first option, signed by the Jamf Pro CA). Then click Save.

  4. Drag and drop the OctoryInstaller-yyyymmddhhmm.pkg under the Packages section of Composer.

  5. Click on the package name in Composer, then Convert to Source.

  6. Select the source that bears the same name as your package. Then Build as PKG.

  7. Save the new OctoryInstaller-yyyymmddhhmm.pkg in a different place than the original.


Upload the package to your MDM (Jamf example)

  1. Upload OctoryInstaller-yyyymmddhhmm.pkg into Jamf with the method of your choice: through the console or Jamf Admin.

  2. Use OctoryInstaller-yyyymmddhhmm.pkg in a PreStage Enrollment as an Enrollment Packages payload.
    Make sure Cloud Distribution Point (null) is selected.

Author

Pascal Olivier - Amaris macOS Expert