I'm trying to install a private Chrome extension on OS X by modifying Chrome policies. I was able to do this successfully on Windows by editing the relevant HKEY_LOCAL_MACHINE registry, but on OS X I'm having problems.
Using the following commands, the policies show up in chrome://policy but have a "recommended" level instead of "mandatory" on Windows.
defaults write com.google.Chrome ExtensionInstallSources -array "http://install-url.com/*"
defaults write com.google.Chrome ExtensionInstallWhitelist -array "chrome-extension-id"
Whenever I attempt to install the extension, Chrome instead just downloads the file and presents a message that Apps, Scripts, and Extensions cannot be installed from this Website.
Any help would be greatly appreciated!
This is an old post, but it came up in a Google search and there wasn't an answer here.
The answer to this question after some troubleshooting is as follows:
The file that contains policies that are Recommended is
~/Library/Preferences/com.google.Chrome.plist
The commands you posted would modify this file if run in the user context.
In order to have Mandatory you need to have your Mac managed, by, say, JAMF or Munki. Once your Mac is managed you can use plists in
/Library/Managed Preferences/
&
/Library/Managed Preferences/$user
Effectively this moves com.google.Chrome.plist from the user context to the machine context. HKCU vs HKLM
The documentation here talks about this more under Debugging
https://www.chromium.org/administrators/mac-quick-start
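An added example, not part of the answer above or of Chrome's documentation: a Python check that reads the plist locations the answer names and reports the level each policy key would carry. The function names and the `managed_root` parameter are this example's own, and letting the machine-wide managed file win over the per-user one is an assumption.

```python
import plistlib
from pathlib import Path

BUNDLE = "com.google.Chrome.plist"

def _load(path):
    """Return the plist at path as a dict, or {} if the file is absent."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)  # reads XML and binary plists
    except OSError:
        return {}
    return data if isinstance(data, dict) else {}

def policy_levels(user, home, managed_root="/Library/Managed Preferences"):
    """Map each Chrome policy key to (level, value, source_path).

    ~/Library/Preferences gives "recommended"; the managed preferences
    files give "mandatory". A mandatory value replaces a recommended one.
    """
    managed_root = Path(managed_root)
    sources = [
        ("recommended", Path(home) / "Library/Preferences" / BUNDLE),
        ("mandatory", managed_root / user / BUNDLE),
        # Assumption: the machine-wide file is applied last.
        ("mandatory", managed_root / BUNDLE),
    ]
    result = {}
    for level, path in sources:  # later sources overwrite earlier ones
        for key, value in _load(path).items():
            result[key] = (level, value, str(path))
    return result

def not_enforced(levels, wanted=("ExtensionInstallSources",
                                 "ExtensionInstallWhitelist")):
    """Return the wanted keys that are absent or only recommended."""
    return [k for k in wanted if levels.get(k, ("absent",))[0] != "mandatory"]

if __name__ == "__main__":
    import getpass
    levels = policy_levels(getpass.getuser(), Path.home())
    for key, (level, value, src) in sorted(levels.items()):
        print(f"{level:11} {key} = {value!r}  ({src})")
    print("not enforced:", not_enforced(levels))
```

The files on disk can lag behind a recent `defaults write`, so chrome://policy stays the authoritative view of what Chrome actually loaded.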
For Mac, the policies for the extension are given in Configuring Apps and Extensions by Policy.
As stated:
The policies for the extension can be configured via MCX preferences for the com.google.Chrome.extensions.gihmafigllmhbppdfjnfecimiohcljba bundle, or for the org.chromium.Chromium.extensions.gihmafigllmhbppdfjnfecimiohcljba bundle if using Chromium.
The complete configuration procedure can be found in the given documentation.
Related
Actually my requirement is an enterprise installation of Chrome Extension automatically over 1000s of Windows machines.
I tried to install manually in my machine. I have set up the update_url in the registry but I am not finding it in Chrome://extensions. For which I found around Stack Overflow that the local installation of extensions is prohibited, rather the package has to come through Web Store.
Well, so I tried to follow Installation of Extensions automatically, in the Chrome Development Guide
# https://docs.google.com/document/d/1iu6I0MhyrvyS5h5re5ai8RSVO2sYx2gWI4Zk4Tp6fgc/edit#heading=h.op2l1nosq8x7
Which suggested to use Chrome for Business and directed me to the link
# https://enterprise.google.com/chrome/chrome-browser/
But the bundle is not installing. It is throwing error as attached
Chrome Bundle installation error
Please help me
- Install Chrome bundle
- or Install extension automatically (other than through Web Store)
I do not believe that an enterprise install is a requirement.
However, AFAIK you can't set policies in the local registry - those will be ignored. Don't quote me on that though..
Computer must be joined to a Windows domain.
Configuration needs to come from domain policies as described in ExtensionInstallForcelist.
You can check whether this policy is loaded from chrome://policy
Note that you haven't provided a snippet of your registry with the setting.
I'm afraid that errors with the installer (especially so generic-sounding) are off-topic here; you can try other StackExchange sites:
Super User (for installation errors)
Server Fault (for deployment questions)
How can I create a single installer package for an OS X binary as well as a few configuration and script files?
Final folders should look like this:
Any help would be appreciated. Thanks.
Installers are great if you want various things to be placed in different spots – app here, documentation there, support files over here, etc. They're also great for providing configurability of the installation experience (optional extras), or hand-holding for an unusual type of installation that the user might not otherwise understand, or extra work (configuration scripts, permissions modifications, authentication, compatibility checking, etc.) that needs to run during the installation process. There is nothing wrong with installers, contrary to the answer from #d00dle, although there is also nothing wrong with distributing your app through the App Store, or as a dmg.
For setting up your own installers, I highly recommend a program called Packages (http://s.sudre.free.fr/Software/Packages/about.html). I am in no way connected to it, but I use it to build the installer for an app that I work on. It greatly smooths the process of making a complex installer, and has an excellent GUI interface.
There's also macOS Installer Builder, which is a CLI you can use to create an installer wizard for your .pkg: https://github.com/KosalaHerath/macos-installer-builder
macOS does not normally use installers. Applications are packaged in app containers with the extension .app. This container is "executable" but you're also able to dig in and see what is inside. This is also the format distributed through App Store.
You can create .pkg or .dmg "installers" if necessary, however this is clearly not something Apple aims to be standard. I would advise to use the .app pattern and any scripts needed should be self contained and executed on first run.
You can use .dmg to distribute your application outside of App Store (this is still fairly normal).
macOS also includes a terminal program called productbuild that builds a product archive for the macOS Installer or the Mac App Store. Enter man productbuild into the Terminal on a Mac for the manual page.
The short version: is it possible to delete helper tools which were set up by the app (SMJobBless() etc.) when the app is deleted? If so, how?
The long version:
The Mac app we are developing unfortunately requires admin privileges to perform an occasional operation, and it also requires a background task to be live for other apps' plugins to connect to even when the app itself isn't running (this one can be unprivileged). The app will be signed with a Developer ID certificate, and distributed only outside the App Store.
We'd like the app to be a "good citizen" as far as possible, also on uninstall.
For the background task, we're using a login item, created using SMLoginItemSetEnabled(). This isn't amazing, because XPC messaging doesn't seem to work (we're using CFMessagePort instead - alternative suggestions welcome), but if the user deletes the app, the login item at least doesn't get loaded anymore on next login. I suspect there's still a trace of it somewhere in the system, but the executable inside the .app bundle is used, and when that disappears, the login item no longer runs.
For the occasional operation requiring admin rights, we've got a privileged helper tool which our app installs using SMJobBless(), and which implements a named XPC service, so the task spins up on demand when it receives a message from the main app. This is what Apple recommends and describes in its Even Better Authorization Sample.
The helper executable is copied to /Library/PrivilegedHelperTools/ by SMJobBless(), and the embedded launchd.plist ends up in /Library/LaunchDaemons/. Even though the OS has the information on which app "owns" the helper, it doesn't seem to uninstall it when the user deletes the app. Apple's sample is silent on uninstalling, other than the uninstall.sh script which is apparently intended to be used during development only. We don't need this helper while the app isn't running, so installing it as a full-blown launch daemon is slightly overkill, but we'd also like to avoid repeatedly annoying the user with the password prompt too. Besides, Apple advises against other forms of running code with admin privileges than SMJobBless() these days - for example SMJobSubmit() is marked deprecated.
So how do we clean up after ourselves?
I've found SMJobRemove(), but (a) when would we call that in our case - you can't run code on .app bundle deletion, or can you? and (b) it doesn't actually seem to clean up.
The only 2 things I can think of are not terribly satisfying:
Some kind of uninstaller app or script. But that seems pretty ugly too.
Don't worry about it and just leave a mess behind when the user deletes our app.
Update:
There have been some changes in this area with macOS 13.0 Ventura; there's an introduction to the new mechanism in the WWDC22 session 'What’s new in privacy'. The new SMAppService APIs support automatic cleanup for daemons, agents and login items. Unfortunately you'll of course still have to find a workaround for any older macOS versions you support.
Original answer:
There has been a similar question on the Apple Developer Forums at https://forums.developer.apple.com/thread/66821 - the recommendation by Apple is a manual uninstall mechanism, and consuming as few resources as possible if the user does not do this.
Apple DTS staff further recommended implementing a self-uninstall mechanism in the privileged launch daemon, to be triggered from the app via XPC. This is what we're going with.
I think the only solution you have right now is to use the uninstall shell code that you mentioned in order to physically remove the privileged helper from disk or to build an uninstaller for it. Either way you will have to ask the user to enter his/her password. This is what all installers / uninstallers that require privileged access to the system do, and for a very good reason. That's why I avoid like the plague to use privileged helpers, but I understand that sometimes you really have to. I don't think it is good that you leave such a helper in the user's system, because it will reload next time the user starts up the computer.
I just checked ServiceManagement.h header and they state that SMJobRemove will be replaced by an API that will be made available through libxpc in the future. (Sometimes you really need to go to the headers to get extra info that the documentation does not give you.) Hopefully this promised replacement will uninstall it for us. However, I'd file a bug report and ask for that enhancement.
One solution you could consider is to include an uninstaller script or program in your .app bundle.
You can then pass the path of this small tool to your helper tool (via IPC) and have it execute the uninstaller, thereby deleting itself. You will have to be careful that components are removed in the right order but it can be made to work.
You're correct that Apple does not provide an API to uninstall a helper tool installed with SMJobBless nor do they do so automatically. As for why macOS doesn't automatically do an uninstall, my educated guess is because macOS fundamentally doesn't have a unified concept of "install". While it's convention for apps to be located in /Applications (and a few other locations), it's perfectly valid for apps to be located and run from anywhere on the system including external drives and network drives. For example should macOS uninstall helper tools when apps disappear because the drive they're on is disconnected?
In terms of how to uninstall, doing so requires root permission and so realistically having the helper tool itself do the uninstall is the easiest option. You can have your app via XPC tell the helper to uninstall itself. Here's an example in Swift of how to do this; it's part of SwiftAuthorizationSample. The basic idea is:
Use the launchctl command line tool to unload the helper tool
Delete the helper tool executable
Delete the helper tool launchd plist
But there's a bit of additional complexity involved because launchctl won't let you unload a running process.
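An added example, not code from any of the answers above or from SwiftAuthorizationSample: a Python audit that pairs the two artifacts the question says SMJobBless() leaves on disk and reports what is left over, for checking that an uninstall removed both. The function names and the `root` parameter (which lets it run against a copied or test directory tree) are this example's own.

```python
import plistlib
from pathlib import Path

HELPER_DIR = "/Library/PrivilegedHelperTools"

def _program(job):
    """Executable a launchd job runs: Program, else ProgramArguments[0]."""
    args = job.get("ProgramArguments") or [""]
    return job.get("Program") or args[0]

def audit_helpers(root="/"):
    """Pair privileged helpers with their launchd plists; report leftovers.

    paired       (label, helper_path, plist_path), both files present
    plist_only   launchd plists whose helper executable is gone
    helper_only  helper executables that no launchd plist refers to
    """
    root = Path(root)
    helpers = root / "Library/PrivilegedHelperTools"
    daemons = root / "Library/LaunchDaemons"
    on_disk = {p.name: p for p in helpers.iterdir()} if helpers.is_dir() else {}
    report = {"paired": [], "plist_only": [], "helper_only": []}
    seen = set()
    for plist in sorted(daemons.glob("*.plist")) if daemons.is_dir() else []:
        try:
            with open(plist, "rb") as fh:
                job = plistlib.load(fh)
        except Exception:  # unreadable or malformed plist: skip it
            continue
        if not isinstance(job, dict):
            continue
        prog = Path(_program(job))
        # Only jobs that point into PrivilegedHelperTools are helper tools.
        if prog.parent.as_posix() != HELPER_DIR:
            continue
        seen.add(prog.name)
        if prog.name in on_disk:
            report["paired"].append(
                (job.get("Label"), str(on_disk[prog.name]), str(plist)))
        else:
            report["plist_only"].append(str(plist))
    report["helper_only"] = sorted(
        str(p) for name, p in on_disk.items() if name not in seen)
    return report

if __name__ == "__main__":
    for kind, items in audit_helpers().items():
        print(kind, *items, sep="\n  ")
```

It only inspects files; whether the app that installed a paired helper still exists is not something this check determines.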
I have noticed that some applications after installation open a window and ask for user's password. It says that the application needs system.privilege.admin. I was trying to figure out what exactly this means. The application itself seems to be running in user mode. Then why does it ask for the password? Can anyone please help?
Most Mac installations put the program into the Applications folder. By default this is not writable to users. Under the hood the installer is basically doing a sudo so that it can write the files to Applications.
In addition many Mac apps have a preferences file in the system library. This will also require admin privilege to write.
Finally, the application may register what kinds of files it can open. E.g. pdf files can be opened by Preview or Acrobat Reader, or Acrobat distiller. The system needs to keep track of which apps can do what.
I am trying to create an installer for an Internet Plugin on Mac OS X with PackageMaker. I'm not picky about the tool I use, but it needs to be free. It'd be nice if I could do everything I want with PackageMaker because CMake/CPack supports PackageMaker and the project (built with FireBreath) is built with CMake.
The problem I am running into is that I am only installing the plugin for the current user -- in ~/Library/Internet Plugins -- but the installer still insists on asking for the admin password! I have heard that you can turn this off as long as you don't need to target versions of Mac OS previous to 10.5, but I can't find any way to do this.
Am I missing something? Is there a different tool I should use? Any help would be appreciated!
The fact that your installer asks for admin password might be because of some actions you have in your installation process, for example if you have actions to kill web browsers.
When I built my first installers for my (also FireBreath) plugin, installing inside the user's directory, it was not asking for admin password. After I added actions to stop Safari and FireBreath, then my installer started asking for admin password.