foigus' Notes

Mostly OS X Admin Related

Distributing DPS Desktop Tools for InDesign CC 2014 with Munki

Adobe’s Digital Publishing Suite (DPS) is a group of add-on tools and services that facilitates tablet publications.  Let’s examine distributing the desktop software portion of these tools, “DPS Desktop Tools for InDesign CC 2014”, with Munki.

Red Herrings
It turns out DPS Desktop Tools for InDesign CC 2014 (hereafter referred to as DPS Desktop Tools) is surprisingly difficult to deploy.  Reviewing over the options:

  • Repackaging is generally considered harmful.  Attempting to collect the products of an installation and reproduce the intention of the original installer is difficult.  Although my organization is repackaging DPS Desktop Tools for InDesign CS6 (and I know others are as well) I wanted to avoid this if possible with DPS Desktop Tools for InDesign CC 2014.
  • Creative Cloud Packager (CCP) (and its predecessor, Adobe Application Manager Enterprise Edition (AAMEE)) intentionally block DPS Desktop Tools updates.  This is because DPS Desktop Tools’ “inclusion [in a CCP package] results in a much higher rate of failure of the deployment package“.  Sometimes DPS Desktop Tools accidentally sneaks into a CCP package, but the results are failure-prone.
  • Command-line (CLI) installation per the Adobe support article for installing DPS Desktop Tools mentions “Enter[ing] administrator credentials when prompted”, which means a non-administrator can’t install the software.  Also, per the support article CLI installation requires “…that client or user is logged in..”, complicating distribution.
  • CLI installation with administrative rights isn’t mentioned in the Adobe support article for installing DPS Desktop Tools.  It turns out this isn’t because it was forgotten–instead CLI installation with administrative rights (e.g. “sudo”) leads to no authentication prompt, but also leads to a near-guaranteed installation hang.  Earlier versions of the Adobe support article for DPS Desktop Tools mentioned “sudo”, implying there was more flexibility during installation, but this appears to either be in error or installation with “sudo” stopped working at some point.
  • CLI installation with the bsexec hack, used when a command needs to run in a different context than the current context, is a possible option.  Munki uses it to install some Adobe software, but my testing results appeared to show that installation via the bsexec hack fails regardless of whether a user is logged in or not.

Given all the above, deployment of DPS Desktop Tools appears to be a dead subject.  Repackaging must be the only way…

Accidental Installation
…Luckily, no one had written up the above information when I examined deploying DPS Desktop Tools via Munki.  I downloaded the installer, munkiimported it, and it worked.  Like my CC 2014 CCP pkgs, I set the RestartAction for the DPS Desktop Tools installer pkginfo to “RequireLogout”, so these installations took place at the Login Window.

However when I compared notes with other colleagues, those who had attempted to install DPS Desktop Tools had varied levels of success.  Usually the result of DPS Desktop Tools installation was a collegiate computer lab worth of failed installations and hung computers.  Further testing led me to discover that DPS Desktop Tools worked at the Login Window if run by Munki automatically, but not when installed by running “managedsoftwareupdate –installonly” or “managedsoftwareupdate –auto” via SSH.

Not wishing to spend large amounts of time tracking down random installation failures, I engaged Adobe support to help determine a reproducible way to install DPS Desktop Tools.  Through some gracious help examining why Munki inadvertently works (sometimes), it was determined that if the following conditions were met that DPS Desktop Tools could be reliably installed:

  • A user was logged into OS X during the installation (following the requirements of the support article)
  • A LaunchDaemon performed the installation (mimicking Munki’s use of a LaunchDaemon handling installation duties)

Adobe support provided with an unsupported installation method that installed a LaunchDaemon and used it to install DPS Desktop Tools.

Setting up Installation via Munki
The first step is to give Munki the ability to determine whether a user is logged in.  This is necessary since Munki normally attempts to install software when the computer is at the Login Window, but I’m specifically trying to prevent this behavior.  My solution was to write an Admin Provided Condition that checked to see if a user was logged in (further information regarding writing an Admin Provided Condition is available at Tim Sutton’s blog, in the article “Keeping your OS X VM guest tools current with Munki” under the heading “Writing an admin-provided condition”).  Leaning on a suggestion from Michael Lynn in ##osx-server IRC regarding the most appropriate way to determine if a user is logged in, I created this Admin Provided Condition:

#!/bin/bash

plistLocation=/Library/Managed\ Installs/ConditionalItems

#Verify a user is logged in
loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`

if [ ! -z "${loggedInUser}" ]
then
  defaults write "${plistLocation}" isUserLoggedIn -bool true
else
  defaults write "${plistLocation}" isUserLoggedIn -bool false
fi

This script needs to be installed here (note only the directory is important–the script name itself could be anything):

/usr/local/munki/conditions/isUserLoggedInCondition.sh

Each time managedsoftwareupdate runs, the above script will be executed and the result of testing whether or not a user is logged in will be available for evaluation as a Conditional Item.  Thus adding an installable_condition such as the following to a Munki Installer Item’s pkginfo will detect whether a user is logged in*:

<key>installable_condition</key>
<string>isUserLoggedIn == TRUE</string>

Being Extra, Extra, Extra Sure a User is Logged In
*But will the installable_condition guarantee a user is logged in during installation?  Certainly the installable_condition works to prevent installation attempts when no one is logged in, but Managed Software Center collects all pending Installer Items and installs them together.  If one Installer Item requires a logout or a restart (i.e. its pkginfo declares a “RestartAction” of “RequireLogout”, “RequireRestart”, or “RequireShutdown”), Managed Software Center will log the user out and perform all installations at the Login Window.  This will make the DPS Desktop Tools installation fail, so additional checks are necessary to ensure a user is still logged in when DPS Desktop Tools installation occurs.  I added these additional checks in three places: the preinstall_script in the DPS Desktop Tools pkginfo and the preflight and postflight scripts for the DPS Desktop Tools pkg itself.  For the preinstall_script and the DPS Desktop Tools package preflight script:

#!/bin/bash

#If a user isn't logged in, fail
loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`

if [ -z "${loggedInUser}" ]
then
  exit 1
fi

exit 0

The postflight script will be covered below.

Package Work
The structure of the DPS Desktop Tools installation package is the following:

  • Preflight
    • Verifies a user is logged in
  • Payloads
    • DPS Desktop Tools dmg
      /Users/Shared/AdobeDigitalPublishingPatch-CC2014-32.0.0.dmg
    • LaunchD job
      /Users/Shared/com.organization.dpsinstaller.plist
    • LaunchD-run installation script
      /Users/Shared/installDPS.sh
  • Postflight
    • Verifies a user is logged in
    • Loads LaunchD job and waits for the job to exit
      • LaunchD job runs DPS installation script
        • Mounts dmg
        • Installs DPS
        • Unmounts dmg
        • Unloads LaunchD job via launchctl unload
    • Deletes LaunchD-run installation script
    • Deletes LaunchD job file
    • Deletes DPS Desktop Tools dmg

The pieces of this installation:

  • Preflight (same as noted earlier, but here it is again)
    #!/bin/bash
    
    #If a user isn't logged in, fail
    loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`
    
    if [ -z "${loggedInUser}" ]
    then
      exit 1
    fi
    
    exit 0
  • DPS Desktop Tools installer dmg
  • LaunchD job
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>Label</key>
      <string>com.organization.dpsinstaller</string>
      <key>ProgramArguments</key>
      <array>
        <string>/Users/Shared/installDPS.sh</string>
      </array>
      <key>RunAtLoad</key>
      <true/>
    </dict>
    </plist>
  • Installation script run by LaunchD job
    #!/bin/bash
    
    pathToDmg=/Users/Shared/AdobeDigitalPublishingPatch-CC2014-32.0.0.dmg
    volumeName=AdobeDigitalPublishingCC2014-AdobeUpdate
    pathToAdobePatchInstaller=/AdobeDigitalPublishingCC2014-AdobeUpdate/AdobePatchInstaller.app/Contents/MacOS/AdobePatchInstaller
    pathToLaunchDJob=/Users/Shared/com.organization.dpsinstaller.plist
    
    #Mount the dmg
    /usr/bin/hdiutil attach "${pathToDmg}" -nobrowse
    
    #Install the update
    #It would be great to collect the exit status, but AdobePatchInstaller appears
    #to always exit 0
    /Volumes/"${volumeName}${pathToAdobePatchInstaller}" --mode=silent --skipProcessCheck=1
    
    #Eject the dmg
    /usr/bin/hdiutil detach /Volumes/"${volumeName}"
    
    #Unload the LaunchDaemon
    /bin/launchctl unload "${pathToLaunchDJob}"
  • Postflight (Note that since the postflight script runs after the package payloads have been installed, the postflight script goes through extra cleanup steps to remove those payloads if the check for a logged-in user fails)
    #!/bin/bash
    
    #Paths to important files
    pathToDPSInstallScript=/Users/Shared/installDPS.sh
    pathToLaunchDJob=/Users/Shared/com.organization.dpsinstaller.plist
    pathToDmg=/Users/Shared/AdobeDigitalPublishingPatch-CC2014-32.0.0.dmg
    
    loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`
    
    #If a user isn't logged in, delete the payloads of the pkg and fail
    if [ -z "${loggedInUser}" ]
    then
      /bin/rm "${pathToDPSInstallScript}"
      /bin/rm "${pathToLaunchDJob}"
      /bin/rm "${pathToDmg}"
      exit 1
    fi
    
    #Determine the name of the LaunchD job
    launchDJobName=`/usr/bin/basename "${pathToLaunchDJob}" .plist`
    
    #Load the LaunchDaemon
    /bin/launchctl load "${pathToLaunchDJob}"
    
    #Wait for the LaunchDaemon to exit
    sleep 5
    while /bin/launchctl list | /usr/bin/grep -wq "${launchDJobName}"
    do
      sleep 5
    done
    
    #Delete the payloads of the pkg
    /bin/rm "${pathToDPSInstallScript}"
    /bin/rm "${pathToLaunchDJob}"
    /bin/rm "${pathToDmg}"
    
    #Exit cleanly. How else can we exit? The DPS installer does not exit with a status
    exit 0

Uninstallation
As discussed in my Distributing Adobe CC 2014 via Munki post, I’d like uninstallers for my Adobe CC 2014 applications.  In my testing, DPS Desktop Tools installs one InDesign plugin (/Applications/Adobe InDesign CC 2014/Plug-Ins/Graphics/Digital Publishing.InDesignPlugin) and two applications (/Applications/DPS App Builder.app and /Applications/Adobe/Adobe Content Viewer.app).  My testing also revealed that uninstalling InDesign CC 2014 removes the plugin, but leaves the applications installed.  Assuming I’m never going to remove the DPS Desktop Tools without also subsequently removing InDesign, a postuninstall_script of the following is sufficient:

#!/bin/bash

#Delete DPS App Builder and Adobe Content Viewer
/bin/rm -rf /Applications/DPS\ App\ Builder.app
/bin/rm -rf /Applications/Adobe/Adobe\ Content\ Viewer.app

exit 0

If removal of just DPS Desktop Tools is desired, it may be possible to add /Applications/Adobe InDesign CC 2014/Plug-Ins/Graphics/Digital Publishing.InDesignPlugin to the above list of files to delete, however this is untested so your mileage may vary.

Miscellaneous Topics
Applicability to other versions of DPS Desktop Tools
All of the testing here has been specific to the InDesign CC 2014 version of DPS Desktop Tools.  It’s unknown whether other versions of DPS Desktop Tools for InDesign CC or InDesign CS6 will encounter the same issues or if the same techniques will solve those issues.

DPS Desktop Tools as an optional_install
It may be tempting to add DPS Desktop Tools as an optional_install and forgo the preceding steps forcing installation only when a user is logged in.  However remember that once a user adds an optional_install, that updated versions of the Installer Item may be installed at any time the pkginfo allows.  So even if DPS Desktop Tools is just an optional_install, remember to follow the rest of the steps to prevent installation when a user isn’t logged in.

blocking_applications
The DPS Desktop Installer offers a list of blocking applications inside the mounted installer dmg:

/Volumes/AdobeDigitalPublishingCC2014-AdobeUpdate/AdobeDigitalPublishingCC2014-AdobeUpdate/payloads/UpdateManifest.xml

in the ConflictingProcesses section.  This list includes the following applications:

  • Adobe Content Viewer*
  • Adobe InDesign CS*
  • Creative Cloud Connection*
  • DPS App Builder*
  • InDesign CS*
  • InDesign*
  • Viewer Builder*

The asterisks (which are presumably wildcards) are part of the original list, implying that different software versions such as InDesign CS4 or InDesign CS5 could potentially interfere with a DPS Desktop Tools installation.  Also note that Munki’s blocking_applications currently does not support wildcards to match running applications.  It’s up to you to create a list of blocking_applications appropriate for your environment.

autoremove
In the spirit of my earlier post about Distributing Adobe CC 2014 via Munki, I set AutoRemove to “true” in the DPS Desktop Tools pkginfo.

installs Array
To help Munki intelligently examine the current installation of DPS Desktop Tools, an installs array is necessary.  This command when run against a computer with DPS Desktop Tools installed will generate an installs array for the three items installed:

makepkginfo -f /Applications/DPS App Builder.app -f /Applications/Adobe/Adobe Content Viewer.app -f /Applications/Adobe InDesign CC 2014/Plug-Ins/Graphics/Digital Publishing.InDesignPlugin

Copy the installs array and paste it into the pkginfo for DPS Desktop Tools.

update_for
If it’s desired to automatically install DPS Desktop Tools following every InDesign CC 2014 installation, make DPS Desktop Tools an update_for InDesign CC 2014.

requires
Since we’ve made DPS Desktop Tools dependent on an Admin Provided Condition, let’s require that Admin Provided condition.  I added the Installer Item “IsUserLoggedInCondition” to the “requires” array in the pkginfo for DPS Desktop Tools.

unattended_install
In order to get the best chance DPS Desktop Tools will be installed (since I’d prefer not to ask the user’s permission unless a blocking_application is running), I set unattended_install to true in the pkginfo for DPS Desktop Tools.

Example pkginfo
For review, here’s the entire pkginfo for the DPS Desktop Tools package created above:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>_metadata</key>
  <dict>
    <key>created_by</key>
    <string>admin</string>
    <key>creation_date</key>
    <date>2014-11-03T21:04:48Z</date>
    <key>munki_version</key>
    <string>2.0.0.2212</string>
    <key>os_version</key>
    <string>10.9.5</string>
  </dict>
  <key>autoremove</key>
  <true/>
  <key>catalogs</key>
  <array>
    <string>production</string>
  </array>
  <key>category</key>
  <string>Productivity</string>
  <key>description</key>
  <string>Digital publishing tools for InDesign CC 2014</string>
  <key>developer</key>
  <string>Adobe</string>
  <key>display_name</key>
  <string>DPS Desktop Tools CC2014</string>
  <key>installed_size</key>
  <integer>77825</integer>
  <key>installer_item_hash</key>
  <string>e5b30f7a5eee2470ad80b17149bd8f1df2f3225afdcf7b3427e3cf53fad1cbfd</string>
  <key>installer_item_location</key>
  <string>apps/adobe/DPS Desktop Tools CC2014-32.0.0.pkg</string>
  <key>installer_item_size</key>
  <integer>77645</integer>
  <key>minimum_os_version</key>
  <string>10.5.0</string>
  <key>name</key>
  <string>DPSDesktopToolsCC2014</string>
  <key>receipts</key>
  <array>
    <dict>
      <key>installed_size</key>
      <integer>77825</integer>
      <key>packageid</key>
      <string>com.organization.DPSDesktopToolsCC2014</string>
      <key>version</key>
      <string>32.0.0</string>
    </dict>
  </array>
  <key>uninstall_method</key>
  <string>removepackages</string>
  <key>uninstallable</key>
  <true/>
  <key>version</key>
  <string>32.0.0</string>
  <key>installs</key>
  <array>
    <dict>
      <key>CFBundleShortVersionString</key>
      <string>3.2.0</string>
      <key>path</key>
      <string>/Applications/DPS App Builder.app</string>
      <key>type</key>
      <string>application</string>
    </dict>
    <dict>
      <key>CFBundleShortVersionString</key>
      <string>3.4.3</string>
      <key>path</key>
      <string>/Applications/Adobe/Adobe Content Viewer.app</string>
      <key>type</key>
      <string>application</string>
    </dict>
    <dict>
      <key>CFBundleShortVersionString</key>
      <string>10.0.10.32</string>
      <key>path</key>
      <string>/Applications/Adobe InDesign CC 2014/Plug-Ins/Graphics/Digital Publishing.InDesignPlugin</string>
      <key>type</key>
      <string>bundle</string>
    </dict>
  </array>
  <key>blocking_applications</key>
  <array>
    <string>DPS App Builder</string>
    <string>Adobe Content Viewer</string>
    <string>Adobe InDesign CC 2014</string>
    <string>Creative Cloud Connection</string>
    <string>Adobe InDesign CS6</string>
    <string>Viewer Builder</string>
  </array>
  <key>preinstall_script</key>
  <string>#!/bin/bash

#If a user isn't logged in, fail
loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`

if [ -z "${loggedInUser}" ]
then
   exit 1
fi

exit 0</string>
  <key>postuninstall_script</key>
  <string>#!/bin/bash

#Delete DPS App Builder and Adobe Content Viewer
/bin/rm -rf /Applications/DPS\ App\ Builder.app
/bin/rm -rf /Applications/Adobe/Adobe\ Content\ Viewer.app

exit 0</string>
  <key>installable_condition</key>
  <string>isUserLoggedIn == TRUE</string>
  <key>update_for</key>
  <array>
    <string>InDesignCC2014</string>
  </array>
  <key>requires</key>
  <array>
    <string>IsUserLoggedInCondition</string>
  </array>
  <key>unattended_install</key>
  <true/>
</dict>
</plist>

Epilogue
A technique like this should be avoided unless there’s no other way to get the software installed.  One possible issue would be that unless it’s the last installation in a chain of installations, adding an additional requirement to have a user logged in could have unusual effects with software installation dependencies (e.g. what happens if a piece of software that requires a restart depends on a piece of software that requires a user to be logged in?).  Not installing software at the Login Window is working against the design of Munki.

This is considerable effort to install a piece of software, and while it certainly seems to work there might be other issues I haven’t encountered yet.  If DPS Desktop Tools installation is something your organization is dependent on, you may wish to consider contacting your Adobe representative and sharing your opinions regarding the difficulty of installing DPS Desktop Tools.

Advertisements

One response to “Distributing DPS Desktop Tools for InDesign CC 2014 with Munki

  1. Pingback: VPN Profiles at loginwindow under Yosemite | SWY's technical notes

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: