2 Replies Latest reply on Aug 15, 2009 6:28 AM by shodges

    general confusion over Macs and LD

    Rookie

      Hi...

       

      I'm trying to get up to speed on the Mac LD client and am feeling rather dumb with my attempts.  Perhaps I am too used to the way LD works with Windows and the Mac client just works differently....

       

      The first task I'm attempting is to patch Office 2008 to SP1.  With Windows we use compliance patching, so I would normally put the patch into our custom group.  As far as I can tell, the Mac client doesn't do compliance patching, though I could be wrong about that.

       

      We can live without compliance patching as long as there's a reasonable way to distribute the patch.  So I tried the next most obvious method -- I located the patch in Security and Patch Management, right clicked, and chose 'Repair...'.  I created the task as a policy and then changed it to a policy-supported push, which we generally prefer.  When I attempt to run the scheduled task, it fails with the error:

       

      Processing package : Mac Office 2008 12.1.0

      Discovery response indicates that the machine was of type MACX, the current package can only be sent to a Windows machine.

       

      I'm not sure why it thinks the package is for Windows.  I note that the distribution package it creates shows a command line of

       

      "%LDMS_CLIENT_DIR%\vulscan.exe" /repair "vulnerability=OFFICE-2008-1201" /agentbehavior=-1

       

      which does seem to indicate that Security and Patch Management sets things up to work with Windows.

       

      OK, if SPM doesn't work with Mac I can always just set up the packages and tasks manually.  So I created a Mac distribution package using the Office 2008 SP1 disk image -- office2008-1210updateen.-1i9Ow.dmg.  This got farther than the other attempt -- the LD console shows the task as successful, and LANDesk.log on the Mac client shows normal activity:

       

      Tue Aug 11 11:17:13 2009 [00134] sdclient : sdclient start parameters
      Tue Aug 11 11:17:13 2009 [00134] sdclient : /usr/LANDesk/common/sdclient
      Tue Aug 11 11:17:13 2009 [00134] sdclient : -package
      Tue Aug 11 11:17:13 2009 [00134] sdclient : http://[our core]/ldlogon/patch/office2008-1210updateen.-1i9Ow.dmg
      Tue Aug 11 11:17:13 2009 [00134] sdclient : -hash
      Tue Aug 11 11:17:13 2009 [00134] sdclient : hzXUd1ziPyvyZuHTULsEbg==
      Tue Aug 11 11:17:13 2009 [00134] sdclient : -showui
      Tue Aug 11 11:17:13 2009 [00134] sdclient : sdclient end of parameters
      Tue Aug 11 11:17:13 2009 [00134] sdclient : File Download: "http://[our core]/ldlogon/patch/office2008-1210updateen.-1i9Ow.dmg" -hash hzXUd1ziPyvyZuHTULsEbg==
      Tue Aug 11 11:17:23 2009 [00134] sdclient : Hash Passed: hzXUd1ziPyvyZuHTULsEbg==
      Tue Aug 11 11:17:23 2009 [00134] sdclient : Hash Passed: hzXUd1ziPyvyZuHTULsEbg==
      Tue Aug 11 11:17:23 2009 [00134] sdclient : execute: 'echo "Y" | /usr/bin/hdiutil attach -mount required -noidme -nobrowse -plist '/Library/Application Support/LANDesk/sdcache/office2008-1210updateen.-1i9Ow.dmg''
      Tue Aug 11 11:17:25 2009 [00134] sdclient : execute.ccpp:ExecuteInstaller:CheckSpaceForInstall is ok!
      Tue Aug 11 11:17:26 2009 [00134] sdclient : execute: '/usr/bin/open '/Volumes/Office 2008 SP1 Update (12.1.0)/Office 2008 SP1 Update (12.1.0).mpkg'' result=0
      Tue Aug 11 11:17:26 2009 [00134] sdclient : execute: 'hdiutil eject '/dev/disk1s2''
      Tue Aug 11 11:17:26 2009 [00134] sdclient : EC: execute: '<null>' rval=1

       

      Unfortunately the patch never seems to be applied.  (I did verify that my method works with Firefox distribution -- so that seems to narrow the issue to something specific with the Office SP1 installer.)  When I log into the Mac GUI, I see the SP1 disk image mounted but the patch is not applied...

       

      To track the issue further, I manually executed the command from the log:

       

      /usr/bin/open '/Volumes/Office 2008 SP1 Update (12.1.0)/Office 2008 SP1 Update (12.1.0).mpkg'

       

      The installer runs and stops at the prompt:

       

      "This package contains a program that determines if the software can be installed.  Are you sure you want to continue?"

       

      So it seems like this causes the installation not to proceed automatically.  I wonder if there's some way to avoid that prompt?

       

      I guess I'm really asking 3 things:

      - Is it true that compliance patching can't be done with Mac clients?
      - Is it true that creating patch tasks through Security and Patch manager does not work with Macs?
      - Is there some way to have LD run the Office service pack so that it doesn't stop at the prompt mentioned above?

       

      As a side commentary:  I've spent quite a bit of time exploring the Mac client.  There does not seem to be very good documentation to explain how the Mac client works and how it differs from the Windows client -- or am I missing something?  Seems like a BKM would be useful for this.

       

      Thanks very much!

       

      -steve

       

      P.S.  I know there has been much discussion already about Office 2008, but I don't see anything directly comparable.  Forgive me if I've overlooked something.

      P.P.S.  I'm working with OSX 10.5.8, core version 8.8.0.249, and Mac LD client 8.8.0.291.

        • 1. Re: general confusion over Macs and LD
          Apprentice

          I'm not sure if compliance patching works with Macs, but SPM in general does. I'm not sure why that Office patch wanted to target PCs, but I did have that once with a Symantec AV definitions patch and I reported it to LD support and they fixed the definition on their end and I redownloaded it.

           

          Looking at your log from the SD task, it is using "open" instead of the "installer" command. The reason for this is that you likely selected a delivery method that requires user input. I think it's called "user-controlled installation". This would cause the installer to open on the user's screen. If the machine was sitting at the login window, the installer.app would open behind the loginwindow and wouldn't install.

           

          Just change your delivery method to be a silent one and it should work fine.

           

          One problem with the Office updaters for Mac is that they will shut down any running Office apps on the machine without warning. However, it will still prompt the user to save any unsaved changes. You could modify the package to change that behaviour, but then you're updating a running app which isn't great either.

          • 2. Re: general confusion over Macs and LD
            Rookie

            Thanks Patrick...

             

            Your "open" versus "installer" insight was very helpful.  I changed the delivery method to make sure it operated in the background, and that worked.

             

            As for the issue with the Office patch targeting PCs, that remains an open issue, I think.  Does anyone from the LANDesk Mac group read these comments?  And if so, could you please verify that the patch in question is targeted correctly?

             

            One other issue:  it seems that ldpatch does not run unless someone is logged into the Mac GUI.  When ldpatch runs without someone logged in (either via ldcron or manually from the command line) it does not appear to run; when I run ldpatch from the command line (via ssh, without being logged into the GUI), LANDesk.log shows several errors that seem to indicate that it needs a GUI, like "Untrusted apps are not allowed to connect to or launch Window Server before login".  I am told by someone from LD that indeed ldpatch does depend on a Window service:

             

            "What happens is that the Windows Service is not loaded when no user is logged into the machine.  The code actually depends on this because when it was developed a GUI is actually displayed (for ldpatch) but it is outside the display area.  To the user it looks like there is no GUI but there really is.  It is unknown why it was developed this way.  I will need to submit an enhancement to get this changed."

             

            This is a problem for Macs that may be logged into only occasionally or where logins are very brief (as is the case sometimes with lab computers).  Because of this problem, I'm noticing that ldpatch may never have a chance to run; therefore I never get proper vulnerability information reported back to the core, and I can't target Macs properly based on vulnerability information.

             

            If this is a correct description of the problem, there's not much to be done about this until an enhancement is completed, as the above quote mentions.  I'm including it here mainly in case it's useful for others, but also in case I've misunderstood the situation.

             

            Thanks again Patrick.

             

            -steve
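
The check behind the diagnosis in reply 1 (the log shows `open`, not `installer`), written out as an added example that is not part of the original thread or of LANDesk's code: it scans sdclient `execute:` lines and reports how each package was launched. The function names and the `SILENT` line, including its `installer` arguments, are assumptions made for illustration.

```python
import os
import re
import shlex

# Lines copied from the LANDesk.log excerpt in the first post.
USER_CONTROLLED = """\
Tue Aug 11 11:17:25 2009 [00134] sdclient : execute.ccpp:ExecuteInstaller:CheckSpaceForInstall is ok!
Tue Aug 11 11:17:26 2009 [00134] sdclient : execute: '/usr/bin/open '/Volumes/Office 2008 SP1 Update (12.1.0)/Office 2008 SP1 Update (12.1.0).mpkg'' result=0
Tue Aug 11 11:17:26 2009 [00134] sdclient : execute: 'hdiutil eject '/dev/disk1s2''
Tue Aug 11 11:17:26 2009 [00134] sdclient : EC: execute: '<null>' rval=1
"""

# Constructed line; the installer arguments are an assumption (the thread
# only says a silent delivery uses the "installer" command).
SILENT = ("Tue Aug 11 12:00:00 2009 [00140] sdclient : execute: "
          "'/usr/sbin/installer -pkg '/Volumes/Update/Update.mpkg' -target /' result=0\n")

# The logged command is wrapped in single quotes and may contain quoted paths,
# so match greedily up to the last quote before the optional result/rval field.
EXEC_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d [\d:]{8} \d{4}) \[\d+\] sdclient : "
    r"(?:EC: )?execute: '(?P<cmd>.*)'(?: (?:result|rval)=(?P<rc>-?\d+))?\s*$")
MODES = {"open": "gui", "installer": "silent"}

def package_launches(log_text):
    """Return one record per execute line that starts a .pkg/.mpkg."""
    records = []
    for line in log_text.splitlines():
        m = EXEC_RE.match(line.strip())
        if not m:
            continue
        try:
            argv = shlex.split(m.group("cmd"))
        except ValueError:  # unbalanced quoting in the logged command
            continue
        pkgs = [a for a in argv if a.lower().endswith((".pkg", ".mpkg"))]
        if not pkgs:
            continue
        tool = os.path.basename(argv[0])
        rc = m.group("rc")
        records.append({"time": m.group("ts"), "tool": tool,
                        "mode": MODES.get(tool, "unknown"),
                        "package": os.path.basename(pkgs[0]),
                        "rc": None if rc is None else int(rc)})
    return records

def gui_launches(log_text):
    """Launches that only hand the package to Installer.app via open(1)."""
    return [r for r in package_launches(log_text) if r["mode"] == "gui"]
```

`open` returns as soon as it has handed the package to Installer.app, so an `rc` of 0 on a `gui` record says the launcher started, not that the patch was installed.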