Admin permission at install

[TNPAPA]

Has anyone ever figured out a way to have an MDM, in my case Mosyle, install Tunnelblick so it does not ask for admin permission to launch first time or after any updates.  I have to constantly log into our remote workers Macs to put in my admin credentials so they can work.

[Tunnelblick Developer]

Yes. See https://tunnelblick.net/cInstallFromCommandLine.html

[TNPAPA]

Installing the program is not the problem, Mosyle does that just fine.  It's when you first launch it or anytime the App or the OS updates it again asks for Admin permissions to run.

[Tunnelblick Developer]

Installing Tunnelblick properly requires the use of its imbedded "install" program. In a managed environment "installer" must be run by the management software.

Other application management programs install Tunnelblick properly and don't have the problems you describe.Two examples are Homebrew and Munki.

Absent some other program interfering, Mosyle isn't installing or updating Tunnelblick properly. 

Talk to them, and tell them about https://tunnelblick.net/cInstallFromCommandLine.html

[TNPAPA]

so maybe the issue is that Mosyle downloads the entire dmg file and then executes the installer from that. Your command line looks for the app itself and not the dmg.

[Tunnelblick Developer]

No, running installer directly on the opened .dmg works fine. Either they aren't doing that, or they're doing something else wrong. (Or some other software is interfering, but that's unlikely.)

[TNPAPA]

The installer runs, the app opens but it asks for admin permission on the first run and at other times after any kind of system updates. Once I put I my credentials its good for awhile but I get two to three users a week telling me I need to remote into their machines and re-auth it.

[Tunnelblick Developer]

What makes you think the installer was run?

The installer itself does not launch Tunnelblick, so if Tunnelblick launches after "running the installer",  it wasn't the installer that was run, it was the app.

I just mounted a disk image of Tunnelblick 8.0 on a fresh install of macOS 14.3.2 and ran

    sudo /Volumes/Tunnelblick/Tunnelblick.app/Contents/Resources/installer 259

and the next launch of Tunnelblick did not ask for an admin password.

[TNPAPA]

I think the installer was run because the app is in the Applications folder, the daemon is installed and the Application Support files are in place.

[Tunnelblick Developer]

That doesn't mean the installer was run. They probably copied the app to /Applications, and put stuff in /Library/Application Support/Tunnelblick themselves. That's the wrong way to do it.

To repeat: The installer wasn't run, because if it had been run you wouldn't be getting the Admin password request.

[TNPAPA]

Ok, I am writing a custom install script for Mosyle to execute.  Lets see what that does.

[TNPAPA]

I think this has solved it.  Installer ran and app launched without asking for permission.

[TNPAPA]

So, Will I have to go into each machine and manually delete the old files before running the new installer? Or can I install on top of the existing install?

[Tunnelblick Developer]

What do you mean by "old files"?

[TNPAPA]

The original install that Mosyle did that has issues. The app and all its support files.

[Tunnelblick Developer]

You can run  sudo... installer 259 . on top of an existing Tunnelblick install; it will "update" an existing installation. It will repair permissions and make sure everything is as it expects, which should clean up Mosyle's mess. But if Mosyle screwed up in one thing, they could have screwed up in other things, too, so you'll just have to try it out.