Profile delivered via Munki won't install at login window on Yosemite

[Brandon Kerns]

So, the scenario is that we deliver a configuration profile via Munki to machine at the time of the initial setup. Munki delivers the profile and then the profiles command is used to install it, which usually takes place at the login screen during bootstrap mode. This has always worked just fine, including in DP versions of Yosemite. However, in the Yosemite final version the profile install fails when installed at the login window. Verbose on the command yields the following:

profiles: verbose mode ON

profiles install profile /Library/Management/Profiles/Base_Machine_Policy.mobileconfig for user: (null)

profiles install for file:'/Library/Management/Profiles/Base_Machine_Policy.mobileconfig' and user:'root' returned 101 (The operation couldn’t be completed. (ProfileDomainPluginController error 101.))

profiles: returned error: 101

fail

Logging in with ANY interactive session and running the same package via MSU installs the profile just fine. Since the login window activity takes place as root, I logged into the root account and confirmed that the profile install fails under the root account with the same error. The same actions on a Mavericks machine are successful. If I log in as myself and sudo with the same command it works properly.

Short recap version - it seems that using the profiles command to install a configuration profile (system) under the root account does not work in Yosemite final.

Just thought I'd throw it out there as a heads up, and to see if anyone has suggestions!

[zack.m...@bsd7.org]

What flags are you using? I'm working on a custom profile installer pkginfo myself (had one, but way to many IF's to be reliable). Can I see your script?

[Brandon Kerns]

The package is nothing more than a DMG containing the .mobileconfig file. Munki copies it into place using the built in items to copy, and then a postinstall script runs the following command:

profiles -I -F "/Library/Management/Profiles/Base_Machine_Policy.mobileconfig"

Of course, I added -v to get the output from the first post, but thats pretty much it.

[Nick McSpadden]

I'm testing it again right now, but I see similar things in my logs, yet the profiles ended up installed.  I'm running my 10.10 deployment in a VM again to be sure.

--
You received this message because you are subscribed to the Google Groups "munki-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to munki-dev+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
--

Nick McSpadden

Client Systems Manager

Schools of the Sacred Heart, San Francisco

[zack.m...@bsd7.org]

Starting too look like a potential bug of OS X maybe? Did running profiles -P show that they were in fact installed?

[Nick McSpadden]

Just tried it again and here's what I see in install.log, from a profile packaged up with Tim Sutton's "make-profile-pkg":

Oct 22 13:18:40 Mac.local installd[580]: ./postinstall: profiles: verbose mode ON

Oct 22 13:18:40 Mac.local installd[580]: ./postinstall: profiles install profile /Library/Profiles/SalFaculty.mobileconfig for user: (null)

Oct 22 13:18:40 Mac.local installd[580]: ./postinstall: profiles install for file:'/Library/Profiles/SalFaculty.mobileconfig' and user:'root' returned 0 ((null))

Oct 22 13:18:40 Mac.local installd[580]: ./postinstall: pass

And yet, lo and behold:

Mac-000c29e73f66:~ admin$ sudo profiles -P

_computerlevel[1] attribute: profileIdentifier: org.sacredsf.sal.faculty

Also shows up as expected in System Preferences.

Whatever the error was, it didn't seem to cause an actual problem.

[Gregory Neagle]

On Oct 22, 2014, at 2:24 PM, Nick McSpadden <nick.mc...@sacredsf.org> wrote:

Just tried it again and here's what I see in install.log, from a profile packaged up with Tim Sutton's "make-profile-pkg":

Oct 22 13:18:40 Mac.local installd[580]: ./postinstall: profiles: verbose mode ON

Oct 22 13:18:40 Mac.local installd[580]: ./postinstall: profiles install profile /Library/Profiles/SalFaculty.mobileconfig for user: (null)

Oct 22 13:18:40 Mac.local installd[580]: ./postinstall: profiles install for file:'/Library/Profiles/SalFaculty.mobileconfig' and user:'root' returned 0 ((null))

Oct 22 13:18:40 Mac.local installd[580]: ./postinstall: pass

And yet, lo and behold:

Mac-000c29e73f66:~ admin$ sudo profiles -P

_computerlevel[1] attribute: profileIdentifier: org.sacredsf.sal.faculty

Also shows up as expected in System Preferences.

Whatever the error was, it didn't seem to cause an actual problem.

Not sure there is even an error there. Traditionally UNIX tools return 0 to indicate success.

[Nick McSpadden]

I did *not* see any occurrences of what the OP saw, though - 

returned 101 (The operation couldn’t be completed. (ProfileDomainPluginController error 101.))

Brandon's issue is something else, and it may be related to the script or something else.  Brandon, have you tried using make-profile-pkg for your profiles? https://github.com/timsutton/make-profile-pkg

--
You received this message because you are subscribed to the Google Groups "munki-dev" group.

To unsubscribe from this group and stop receiving emails from it, send an email to munki-dev+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Brandon Kerns]

Nick - 

Yah, I agree that looks like a normal success entry in the log. From what I can see the "user: null" portion is normal for the root account, just not the following where the error is returned.

This was installing from the login window with no interactive user logged in, correct?

[Brandon Kerns]

Zack - 

Running -P after the failure confirms that no profiles are installed.

[Nick McSpadden]

Correct, this is run during the initial Munki bootstrap at the login window.

Would you be willing to post your profile somewhere to test?

--

You received this message because you are subscribed to the Google Groups "munki-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to munki-dev+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Brandon Kerns]

Interesting. To answer your previous question, I have not tried make-profile-pkg. The profile being used here was created with Profile Manager, so thats one possibility. But still curious that it fails with nobody logged in, but the same file installs successfully if the same command is executed with a user logged in... 

I'm out of the office for the day now, but I'll send you a copy of the profile when I get into the office in the morning! Thanks for being willing to help!

[Brandon Kerns]

Just wanted to check in, as I have discovered that it looks like, as Nick was wondering, it is some setting within the profile itself that Yosemite is not liking. I configured a super-basic profile (just 1 setting) and delivered it the same way and it installed successfully. So now its just down to figuring out what it isn't liking in my existing profile!

Thanks everyone for the help and advice.

[Brandon Kerns]

It was the VPN payload in the profile that it wasn't liking...

[Kristian Botnen]

Hi,

I have the same problem with my profile (which contains my VPN config). Did you manage to find a solution for the VPN payload part of your profile?

- K -

[Mike Wright]

Late to the party with this one, but we are seeing the same issue with our munki deployed VPN payload on newly built Yosemite machines when installed at the login window.  When installed in an active console session it works as normal..

Has anyone found a solution? 

Mike

[Gregory Neagle]

On Apr 24, 2015, at 7:34 AM, Mike Wright <Mikewr...@GOOGLEMAIL.COM> wrote:

Late to the party with this one, but we are seeing the same issue with our munki deployed VPN payload on newly built Yosemite machines when installed at the login window.  When installed in an active console session it works as normal..

Has anyone found a solution? 

I see this as well. Munki doesn’t have a solution for you — you’ll need to script something. (And file a bug report with Apple!)

-Greg

Mike

On Thursday, 4 December 2014 13:20:18 UTC, Kristian Botnen wrote:

Hi,

I have the same problem with my profile (which contains my VPN config). Did you manage to find a solution for the VPN payload part of your profile?

- K -

On Thursday, October 23, 2014 7:27:49 PM UTC+2, Brandon Kerns wrote:

It was the VPN payload in the profile that it wasn't liking...

[Mike Wright]

 "Munki doesn’t have a solution for you"

A rare bird.

"you’ll need to script something. (And file a bug report with Apple!)"

I'll figure something out - I suppose I could get the profile to only install in an interactive session, or figure out why it has a problem with the profile all of a sudden anyway.

Either way, I'll file a bug report.

Thanks,

Mike

--
You received this message because you are subscribed to a topic in the Google Groups "munki-dev" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/munki-dev/_eBD0_yll3w/unsubscribe.
To unsubscribe from this group and all its topics, send an email to munki-dev+...@googlegroups.com.