Home > AutoPkg, Enterprise Connect, Mac administration > AutoPkg recipes for Apple Enterprise Connect

AutoPkg recipes for Apple Enterprise Connect

To help keep on top of software updates, I’ve been using AutoPkg in combination with AutoPkgr and JSSImporter for a while now to upload new software updates to Jamf Pro. However, I recently ran into a challenge when I wanted to build an AutoPkg recipe for Apple’s Enterprise Connect.

AutoPkg recipes usually rely on the vendor having a publicly accessible way to get downloads via HTTP or HTTPS. Apple does not have a publicly accessible download URL for Enterprise Connect and in fact discourages customers from sharing the download link. The fact that there was a download link meant that I could write AutoPkg recipes but at the same time I couldn’t include the URL needed to download the latest update as part of the recipe .

After some thinking and research into AutoPkg’s functionality, I found a way to create AutoPkg recipes for Enterprise Connect while at the same time not sharing Apple’s download URL. For more details, see below the jump.

The solution is to use an AutoPkg recipe override to store the download URL for Enterprise Connect. Recipe overrides are locally-stored files that allow you to change certain input variables in AutoPkg recipes.

Since the recipe overrides are stored locally on the Mac which is running AutoPkg and not shared with any other resources, Apple’s download URL for Enterprise Connect is only made available to the AutoPkg installation running on that specific Mac.

I have written AutoPkg recipes for Enterprise Connect, which are available from here:

https://github.com/autopkg/rtrouton-recipes/tree/master/EnterpriseConnect

By default, the EnterpriseConnect.download recipe contains a non-functional placeholder value and requires that placeholder value to be overridden before the recipe will work.

Screen Shot 2017 06 12 at 4 36 11 PM

To use the Enterprise Connect recipes, you will need to create a recipe override of the desired recipe and enter the URL Apple sends you into the DOWNLOAD_URL value of the override. Here’s an example using AutoPkgr and the EnterpriseConnect.jss recipe.

1. Launch AutoPkgr.

Screen Shot 2017 06 12 at 2 10 35 PM

2. If needed, add the rtrouton-recipes repo to AutoPkg.

3. Click on the Repos & Recipes tab and locate the EnterpriseConnect.jss recipe

4. Right-click on the EnterpriseConnect.jss recipe and select Create Override…

Screen Shot 2017 06 12 at 9 53 05 AM

 

5. Give the recipe override a unique name.

Screen Shot 2017 06 12 at 9 53 37 AM

6. Go to /Users/username_goes_here/Library/AutoPkg/RecipeOverrides and locate the newly-created recipe override file.

Screen Shot 2017 06 12 at 9 55 40 AM

7. Open the recipe override file file in a text editor and locate the DOWNLOAD_URL value.

Screen Shot 2017 06 12 at 9 58 55 AM

8. Change the DOWNLOAD_URL value of the override from the non-functional placeholder value to whatever the current download URL is for Enterprise Connect.

Screen Shot 2017 06 12 at 9 58 09 AM

When you run the recipe override using AutoPkg, it should use the Enterprise Connect’s current download URL in place of trying to use the non-functional placeholder value.

Note: The download.apple.com URL shown in the example above is also a placeholder. As I mentioned earlier, Apple discourages customers from sharing the download link.

Apple’s download URL for Enterprise Connect may change, so you will need to check and update the download URL as needed in the recipe override when you’re notified by Apple that a new Enterprise Connect version is now available.

  1. June 15, 2017 at 8:20 pm

    I had started playing around with making an AutoPkg recipe for this a while ago, but got stumped on the download link. I was thinking of just making a .pkg and .jss recipe and using –pkg to get it into my JSS, but that kinda belies the auto in AutoPkg. Will test this out shortly in my environment. Thanks for all your hard work.

  2. Samuel A. Litt
    July 11, 2017 at 10:09 pm

    How does one assure that AutoPkg recipes/payloads are comprised of legitimate contents? After all, it’s community driven; even the Linux community has had its issues where legitimate software payloads have been compromised. Using AutoPkg in conjunction with JAMF or similar agent-based MDM (Addigy, Panda, or Meraki System Manager) sidesteps Apple’s APNS requirement of code signing. Incidentally, Simple MDM can deploy user-generated .pkg installers, however, they must be signed with Apple Developer Account. At least in theory that’s how it is supposed to work. From a security standpoint, it sounds like AutoPkg in conjunction with JSS could be a recipe for disaster.

  3. Samuel A. Litt
    July 12, 2017 at 5:05 pm

    Thank you for the informative response. Seems like a lot of effort to make for something that is supposed to enhance efficiency/productivity. When thinking about all of the broken recipes (promises) with AutoPkg and the shift of onus/liability for the security of those packages onto the system administrator, it’s hard to rationalize as an effort worthy of undertaking. Just because you can do something doesn’t necessarily make it worth doing. In essence, a regression to the mean in consideration of the investment of effort compared to the risk to reward ratio. Between compliances and security, IT has a lot on its plate. When running IT as a business, all efforts need to be carefully vetted to determine if it is truly enterprise worthy otherwise, it’s a hobbyist pursuit.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: