14 Aug
Convert the Ivanti macOS Agent into an MDM Ready PKG
Did you purchase one of those new MacBook Pros with 32 GBs of RAM only to find out that you cannot use Ivanti Provisioning to prep it for your environment? If you did, it’s likely you’re not the only one.
The T2 chip employed in the iMac Pros and the new MacBook Pros prevents the machines from using NetInstall. Therefore, provisioning is no longer an option in the way you’re thinking. However, not all is lost. If you are using DEP (if you’re not, you need to be), you can bootstrap the installation of the Ivanti Mac Agent on the heels of the device’s enrollment through MDM.
Then, once the full Ivanti agent is installed, you can kick off a shortened provisioning process to tackle just your system configuration items.
The instructions below will walk you through the process of converting your standard Ivanti Mac Agent DMG installer into a usable MDM package with an associated manifest file. While I’ve done what I could to automate much of this process, you are going to need a Mac, an Apple Developer Account, a valid Developer ID signing certificate, a custom script I wrote, and an HTTPS file share that has a valid end-entity certificate.
Apple Developer Account
Creating a developer account may prove to be more problematic than you’d hope for. If just building an individual account, it’s not so bad. However, if you’d like to sign up as an organization (which I do recommend) you’re going to need your D-U-N-S Number, a Legal Entity Status, Legal Binding Authority and a Website. Please see https://developer.apple.com/programs/enroll/ for further details and enroll.
Creating a Developer ID Certificate
OK, hopefully you made it through part one unscathed. Now, grab the Mac that will become the official and only machine holding the private key used to sign your package files. We’ll continue by creating a certificate request for your Developer ID certificate. You need this specific Developer ID certificate as it allows you to distribute your Ivanti agent outside of the Mac App Store.
- Launch the application Keychain Access.
- From the file menu, select Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority.
- Enter your developer account email address.
- Enter any common name of your choice (i.e. Nine41 Developer ID Cert).
- Re-enter your developer account email address for the CA Email Address.
- Change the radio button to Saved to Disk.
- Press Continue.
- Save the resultant CertificateSigningRequest.certSigningRequest to your desktop.
- Click the Done button.
- Open a web browser and sign into https://developer.apple.com/account/ with your developer account ID.
- On the left-hand pane, press on the Certificates, IDs & Profiles button.
- Change the dropdown in the upper-left corner from iOS, tvOS, watchOS to macOS.
- Highlight the All button under Certificates.
- Click the + button at the top-right to create a new certificate.
- Select the Developer ID radio button from the Production section.
- Select the Developer ID Installer radio button. Note: You may need to elevate your account permissions to perform this action.
- Click Continue on the Create CSR page. This was done with steps one through nine above.
- Press the Choose File button and upload the CertificateSigningRequest.certSigningRequest file from step eight.
- Press the Download button to acquire your new Developer ID certificate.
- Press the Done button and you may close your browser.
- Double-click on the certificate and install it to Keychain Access. The Developer ID certificate should now display in the My Certificates section.
- Make note of your Developer ID Number in the title within parentheses (i.e. 3rd Party Mac Developer Installer: Nine41 Consulting LLC (M941ABC4AB)).
As mentioned above, this machine will be the only machine you can use to sign your PKG files, so keep track of the machine if you’ve used a VM.
Convert Your Ivanti Agent DMG to a PKG File
Alright, now that you have your Developer ID certificate, we need to create a PKG file that is deployable over MDM. Currently, Ivanti’s Mac Agent is built as a DMG, so we need to convert it to a PKG file and build a manifest file to deploy it through Ivanti’s MDM.
I’ve built some scripts that will convert the DMG to a PKG and build the manifest file for you. You simply need to update the manifest file with your HTTPS server URL.
- Open a web browser and download your Ivanti Mac Agent from your Core Server (i.e. http://coreserver.domain.com/ldlogon/mac/).
- If the DMG mounted, unmount it.
- Open a second tab in your browser and download my agent conversion scripts from GitHub.
Note: Please use these scripts at your own risk. Test and validate in your own environment. These scripts have not been validated by Ivanti nor will Nine41 be responsible for any adverse behavior.
- Extract the Nine41 MDM Mac Agent zip folder to your Desktop.
- Open the createIvantiAgentPKG.sh script found within the folder with a text editor.
- Add your Developer ID Number from step 22 above into the developerInstallerCert variable (i.e. developerInstallerCert="M941ABC4AB").
- Set your appropriate Agent Version (2018.1 is 188.8.131.52, 2018.1 SU1 is 184.108.40.206).
- If desired, change the bundle identifier to something you prefer.
- Save the script.
- Open a Terminal prompt.
- Set execute permissions on the script (chmod 755 /path/to/createIvantiAgentPKG.sh).
- Change directories within Terminal to the Nine41 MDM Mac Agent folder (i.e. cd ~/Desktop/Nine41\ MDM\ Mac\ Agent/). Note: It is critical you change your directory path to be inside the Nine41 MDM Mac Agent folder. If you don’t do this, the script will fail to write the pkg to the correct location.
- Run the script and point it to your agent by typing ./createIvantiAgentPKG.sh followed by the path to your agent (i.e. ./createIvantiAgentPKG.sh ~/Downloads/Production\ macOS\ Agent.dmg).
- Upon completion, you should have an Agent folder within your main Nine41 MDM Mac Agent folder with two files, the IvantiMacAgentMDMReady.pkg and the manifest.plist. If you open the manifest.plist file with a text editor, you should see an md5s array with hash values that match the output of your Terminal window. The sizeInBytes key should also match. These two items are critical, so spend the time now to do a quick review.
- While you have the manifest file, you also need to update the URL string to match that of your HTTPS share. This HTTPS server needs to be accessible from anywhere and needs to have a valid certificate that can be verified by the device.
- Copy the Agent folder and files to your HTTPS share (ensuring the path matches that of your manifest.plist URL string).
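The md5s array and sizeInBytes key are what the client uses to check the package it downloads from your HTTPS share, so it is worth being able to regenerate and re-check them independently of the conversion script. The following is an added example, not part of the Nine41 scripts or of Ivanti's tooling: it builds a manifest.plist for an already signed PKG and verifies an existing manifest against the file on disk. It assumes Apple's InstallApplication manifest layout (items with assets and metadata, md5 chunks of 10 MiB by default) and takes the URL, bundle identifier and agent version as arguments; the file and chunk size used in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not part of the Nine41 scripts): build and verify the
# manifest.plist that the Macintosh MDM package points at.
# Assumptions: the PKG is already built and signed; the manifest uses Apple's
# InstallApplication layout; URL, bundle id and version come from the caller.
set -u

# md5 of stdin, hex digest only (md5sum on Linux, md5 -q on macOS).
md5_stdin() {
  if command -v md5sum >/dev/null 2>&1; then md5sum | cut -d' ' -f1; else md5 -q; fi
}

# File size in bytes; wc avoids the stat flag differences between platforms.
file_size() { wc -c < "$1" | tr -d ' '; }

# One md5 per CHUNK-byte slice of FILE, in order: the contents of the md5s array.
chunk_md5s() {
  f=$1; chunk=${2:-10485760}
  size=$(file_size "$f")
  n=$(( (size + chunk - 1) / chunk ))
  i=0
  while [ "$i" -lt "$n" ]; do
    dd if="$f" bs="$chunk" skip="$i" count=1 2>/dev/null | md5_stdin
    i=$((i + 1))
  done
}

# Print a manifest.plist for FILE (args: file url bundle-id version [chunk]).
write_manifest() {
  f=$1; url=$2; bundle=$3; version=$4; chunk=${5:-10485760}
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>items</key>
  <array>
    <dict>
      <key>assets</key>
      <array>
        <dict>
          <key>kind</key><string>software-package</string>
          <key>md5-size</key><integer>$chunk</integer>
          <key>md5s</key>
          <array>
EOF
  chunk_md5s "$f" "$chunk" | sed 's/.*/            <string>&<\/string>/'
  cat <<EOF
          </array>
          <key>sizeInBytes</key><integer>$(file_size "$f")</integer>
          <key>url</key><string>$url</string>
        </dict>
      </array>
      <key>metadata</key>
      <dict>
        <key>bundle-identifier</key><string>$bundle</string>
        <key>bundle-version</key><string>$version</string>
        <key>kind</key><string>software</string>
        <key>title</key><string>$(basename "$f")</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Pre-deployment check: recompute size and chunk md5s of FILE and compare them
# with what MANIFEST declares. Returns 0 on match, 1 on any mismatch.
verify_manifest() {
  f=$1; m=$2
  chunk=$(sed -n 's/.*<key>md5-size<\/key><integer>\([0-9]*\)<\/integer>.*/\1/p' "$m")
  declared_size=$(sed -n 's/.*<key>sizeInBytes<\/key><integer>\([0-9]*\)<\/integer>.*/\1/p' "$m")
  declared_md5s=$(sed -n 's/.*<string>\([0-9a-f]\{32\}\)<\/string>.*/\1/p' "$m")
  [ "$declared_size" = "$(file_size "$f")" ] || return 1
  [ "$declared_md5s" = "$(chunk_md5s "$f" "$chunk")" ] || return 1
  return 0
}

# Usage (paths, host and version are placeholders):
#   sh manifest.sh Agent/IvantiMacAgentMDMReady.pkg \
#      https://yourHTTPSServer/Agent/IvantiMacAgentMDMReady.pkg com.ivanti.macOS.agent <agent version>
if [ "$#" -ge 4 ]; then write_manifest "$@"; fi
```

Run verify_manifest against the copy you uploaded to the HTTPS share (download it back first) rather than against the local build; a mismatch there means the client will reject the package even though the manifest looked fine on your Mac.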
Create a Macintosh MDM Manifest Package and Deploy
To deploy the agent to an MDM enrolled Mac, we need to build a Macintosh MDM Manifest package with the data we stamped into the pkgbuild process.
- Open the Ivanti Management Console from either a Remote Console or the Core Server.
- Select either My Packages or Public packages from the menu tree.
- Press the New button (green circle with the white plus symbol).
- Select Macintosh > Macintosh MDM.
- Label the package (i.e. Agent MDM Manifest).
- Select the Manifest URL radio button.
- Enter the URL to your manifest.plist file (i.e. https://yourHTTPSServer/Agent/manifest.plist).
- Enter the Bundle ID as com.ivanti.macOS.agent unless you changed it in step eight in the previous section.
- Enter the Agent Version (2018.1 is 220.127.116.11, 2018.1 SU1 is 18.104.22.168).
- Click Save.
- Right-click on the package and select Create Scheduled Task.
- Right-click on the scheduled task and select Properties.
- Target your MDM enrolled Mac(s).
- Set your Task Type under Task Settings to Push.
- Schedule your Task.
- Click Save.
Troubleshooting on the Client
Troubleshooting MDM tasks can be a bit cumbersome. Included in the scripts folder are two commands that, when run from Terminal, will tell you a great deal about the MDM task itself. If your agent doesn’t show up as installed within a couple of minutes of the task saying successful on the core, you may need to start the two Terminal commands and start your task again to try and catch the error.
- Command 1: log stream --info --debug --predicate 'processImagePath contains "mdmclient" OR processImagePath contains "storedownloadd"'
- Command 2: log stream --info --debug --predicate 'subsystem contains "com.apple.ManagedClient.cloudconfigurationd"'
Also, you can look at the /tmp folder to see if the agent files are getting copied down. If you see them there, you can begin to look at the /Library/Application Support/LANDesk folder for additional details. Another useful command to run would be the Ivanti client output log: log show --predicate 'processImagePath contains "LANDesk"' --debug --info --last 1d >> ~/Desktop/Landesk.log. However, this output will only be valuable if the agent is installing to some degree.
Once you have the agent successfully installed, you can perform any and all of your standard tasks, including sending down a provisioning task that just contains the System Configuration actions. In a future blog, I’ll write about how you can kick off provisioning on the tails of a successful agent install so you can have the machine pre-targeted or select the provisioning template right from the desktop. In the meantime, enjoy that new MacBook Pro. And if you need help, we do consulting work; don’t be afraid to reach out.