More App Store tips for admins

Continuing the tech ramble about how to keep the App Store from your users…

So, I figured out the two ways the App Store icon is added to the dock:

1. Existing users on an upgraded system are affected by this file: /Library/Preferences/com.apple.dockfixup

Looking at the add-app key inside contains the answer:

<key>add-app</key>
<array>
<dict>
<key>path</key>
<string>/Applications/App Store.app</string>
<key>after</key>
<string>begin</string>
</dict>
</array>

We can rid ourselves of  this behavior with defaults:

defaults delete /Library/Preferences/com.apple.dockfixup add-app

However, if you try to use a loginhook to remove the icon, it will not take effect unitl the second login, sine the loginhook runs before Apple’s dockfixup is applied.

The solution to a user never seeing it (and avoiding calls about it) is to use a daemon that runs at system startup and deletes the entry in the plist before it is ever used.

Save as /Library/LaunchDaemon/com.brunerd.dockfixer.plist (or whatever you wish):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.sts.dockfixup</string>
<key>ProgramArguments</key>
<array>
<string>defaults</string>
<string>delete</string>
<string>/Library/Preferences/com.apple.dockfixup</string>
<string>add-app</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>

You could call another script, check for add-app’s presence, but having this run everytime, insures that despite OS updates and reversions of files your user will never have App Store added to their Docks.

2. Suppressing App Store in new user accounts is affected by Dock.app’s default.plist:
/System/Library/CoreServices/Dock.app/Contents/Resources/English.lproj/default.plist

But just deleting this and not com.apple.fixup.plist will not do what you want since fixup will still run, you must delete both. Altering that is the perfect job for removeitemfromdock… if only it worked with a supplied path… now it does! So after installing and downloading you can run this command to alter the default dock:

sudo /sbin/removeitemfromdock -f /System/Library/CoreServices/Dock.app/Contents/Resources/English.lproj/default.plist /Applications/App\ Store.app/

You could make this another Daemon or just have the daemon call an external script, your choice, I can’t do all the work for you :)

App Store tips and tricks for sysadmins

App Store Tips, Tricks, and Hacks for the SysAdmin

App Store, oh, App Store, like all Apple products you are made first for consumers and in time maybe you will be ready for corporate deployment, but for now, here’s some tips for the Mac IT worker needs to wrangle this beast.

Firstly, the App Store, if you’ve noticed, requires admin rights to download and install apps. Not just because it installs to /Applications (it could be ~/Applications if it wanted to…) But most likely due to the new location of the receipts folder in /var/db/receipts. Up until version 10.6 it was /Library/Receipts and this would have made it possible to use the domain system that was the simple genius of OS X, where things can live in /System/Library, /Library, or ~/Library and when the system couldn’t find a pref or support file in one domain it would look in the next. Fonts are a great example of this in action, why didn’t they think it was a good idea for receipts is anyone’s guess. But since there is no way to make an analogous folder structure of /var/db/receipts in a user’s home folder, much less have the system recognize there are receipts there, the App store is not “Standard User” compatible.

Disabling Execution and hiding the App Store with Unix Permissions:

#hide it
sudo chflags hidden /Applications/App\ Store.app/

#keep it from executing for anyone other than root (since it is ownership is root:wheel)
sudo chmod o-x /Applications/App\ Store.app/Contents/MacOS/App\ Store

#to let admin users execute, next change group ownership of executable
sudo chgrp admin /Applications/App\ Store.app/Contents/MacOS/App\ Store

#OR keep anyone from executing it
sudo chmod ugo-x /Applications/App\ Store.app/Contents/MacOS/App\ Store

Keeping the icon from populating the Dock is more troublesome, since Apple has changed this from 10.5, previous versions, it was a matter of altering /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.dock.plist but this no longer exists. I am searching for where this information is pulled… but in the meantime you could use a utility like RemoveItemFromDock to run for a user when they log in (note: a new user will not have a com.apple.dock.plist file until their first login, this makes it tricky for login scripts on first login…) I had a good lead in /Library/Preferences/com.apple.dockfixup.plist but removing the add-app entry that contains the path to the App Store did not help… wah wah.

Well, so you hidden the App Store, restricted it running, but what can your sneaky users do?

They can buy an App Store app on their home computer and then simply copy it to their work laptop. The app will prompt them to authorize it with their AppleID, boom, done, no problem for a Standard User. However, they will not get updates on the computer, since there is no receipt of its installation, this would need to be done manually. User bringing in paid apps to a work computer creates a quandary for admins who run app inventory on computers (especially if it’s for license compliance)! From my attempts at pruning and tinkering with the Parental controls MCX values in the user’s records there didn’t  seem to be a way to wildcard the white or blacklist, however it is promising that there is a boolean key call appStore that shows up. But for now enabling “Limit Applications” setting involves explicit approval for EVERY app they want to run that’s not on the whitelist, and personally I don’t care if you want to run Primate Plunge to waste time during conference calls – you and I will probably be saner for it. :)

Bottomline MCX doesn’t seem to have a straightforward way to deal with this now that doesn’t involve more admin overhead using Parental Controls.

Perhaps though, you don’t care what your user intalls from the App Store but you care enough that they are still Standard Users, well here’s the hack and slash way to enable them to use the app store…

How to Allow Standard Users to Run the App Store*

*Disclaimer: !!!WARNING!!! Security settings are changed with this action!!!! HACK AT YOUR OWN RISK !!!!!

#Make the App store an SUID binary so it runs as root *

sudo chmod +s /Applications/App\ Store.app/Contents/MacOS/App\ Store

#Change rights in /etc/authorization to allow system.privilege.setugid_appkit right by anyone* **

sudo cp /etc/authorization /etc/authorization.saved
sudo cp /etc/authorization /etc/authorization.plist
sudo defaults write /etc/authorization rights -dict-add system.privilege.setugid_appkit '<dict><key>rule</key><string>allow</string></dict>'
sudo plutil -convert xml1 /etc/authorization.plist
sudo sudo chmod go+r /etc/authorization.plist
sudo mv /etc/authorization.plist /etc/authorization

There you go, your standard users can now install App Store apps.

*Disclaimer: !!!WARNING!!! Security settings are changed with this action!!!! HACK AT YOUR OWN RISK !!!!!

** When you Google this, you’ll find this is the same solution I found for using Flip4Mac with Compressor as a standard user. I just love reusable code ;)

I hope you learned something and even better I hope you might have some insight to add that I’ve missed, please send in your comments, thanks!

Putting it all back the way it was before we started messing around

sudo chmod u=rwx,go=rx /Applications/App\ Store.app/Contents/MacOS/App\ Store
sudo chown root:wheel  /Applications/App\ Store.app/Contents/MacOS/App\ Store
sudo chflags nohidden /Applications/App\ Store.app/
mv /etc/authorization.saved /etc/authorization

Update: My removeitemfromdock script seems to have been thrown by a loop by changes to the dock plist, just like I had to work around Dashboard when it was itroduced to the Dock in a new way. Update to come…

Update-2: removeitemfromdock now works like a charm, my Dashboard hack was taking for granted that Dashboard is not always at position 0 after the Finder, so when App Store snuck in behind, it was getting skipped, now there are some robust kludges to deal with Dashboard’s non standard dock entry