Silent installs Using Meraki

cisco-meraki

*Just making clear that this post refers to the ‘legacy’ version of Meraki Systems Manager. There are some features of the paid version which make it a lot easier to install stuff remotely….

I’ve always known that we could install software with Meraki Systems Manager, but the need to pin the method down became a bit more urgent last month when our renewal for LogMeIn appeared. When I had first started using LogMeIn they had unlimited free clients, and you could pay for ‘Central’ to keep them all in nice groups. I wasn’t comfortable using a free tool so I paid for Central even though I didn’t really need it, about $200. Then the next year it was $249, no problem. Then this year all of a sudden it was $1200 but ‘discounted’ to $750. And there’s no longer any free clients.

So I needed a solution- there’s lots of them! Just have a quick look here. I eventually tested and bought ScreenConnect.

screenconnectLogo

But back to Meraki- it requires a flat package to have a direct download link and claims that it installs with root privileges. But it’s a bastard to get it to work. I’ve previously used it successfully with both DropBox and Google Drive hosting the files, but both of these now seem to obfuscate the download link which makes Meraki barf.

I put the files on my hosted VPS and checked the download link. All good. But Meraki still won’t install? Oh dear, you’ve been blocked by the Gatekeeper. I dislike Gatekeeper most of the time but this was doubly infuriating because I’d been able to get most of the machines under my care upgraded to Yosemite (which is a good thing) but it comes with Gatekeeper set to neuter every attempt to install software (which is bad). There’s no way to get ScreenConnect to install using a developer certificate because each of the installers is custom output for each client.

So, is there a way to turn Gatekeeper off remotely? Yes there is.

/usr/sbin/spctl –master-disable

And, is there a way to send this command to multiple machines at once? Oh yes. It’s under Systems Manager/ Monitor/ Command Line. Note- if you copy/ paste the text above you may have to check the double — when you execute the command, it doesn’t seem to copy correctly.

Now you might think this is a bit dangerous, turning off a security feature that prevents people from installing malware. Well, it doesn’t. All it does is make it a bit harder to install things and hopefully make you REALLY want to install that new widget. And you can turn it on again with

sudo spctl –master-enable

which sets it back to its strictest setting, and you can check check the status with

$ spctl –status

BUT- even if you forget, this insidious piece of Apple mind control will magically re enable itself after 30 days……. a Yosemite ‘feature’. Blurgh.

I also had some trouble with getting the silent install working on a couple of other machines, and looking at the logs saw that Terminal.app was trying to become the front most app, and the screen saver was denying it the pleasure. Disable the screen saver and it worked! I still have one remaining issue with a machine running Mac OS X Server v10.7.5 but  that may not get fixed as the machine is scheduled for an upgrade anyway.

And one more bit of weirdness- one machine attempted to install twice, and instead of failing it now has 2 icons in the menu bar.

I also had a recent issue where a server in Melbourne was acting wonky- could not get Meraki to reboot it, could not install software, it was just being cranky and unhelpful. It turns out that Meraki doesn’t work very well when the client machine is sitting at the login screen- it needs to be logged in for a bunch of these features to work. So, what to do?

Well, we found that we could get limited interaction with the command line, so we could download the ScreenConnect client with curl-

curl -O http:­//url.to/­screenconn­ect/Servic­emax.Clien­tSetup.pkg
and then to install the .pkg
sudo insta­ller -pkg “Serv­icemax.Cli­entSetup.p­kg” -targ­et /
Then I was able to use ScreenConnect to get to the login screen and take over the machine correctly.
The next issue we had was this- when you ask ScreenConnect to upgrade, it sends a file over to the client which is actually a ‘ReInstall’ script, and triggers it. But the 5.3 version requires Root privs to run, and one of the machines had no password set. Oops.
So I copied the path to the script and got Meraki to execute it (it executes everything as root). Another problem solved.