Admin permission at install

57 views
Skip to first unread message

TNPAPA

unread,
May 28, 2025, 11:45:23 AMMay 28
to tunnelblick-discuss
Has anyone ever figured out a way to have an MDM, in my case Mosyle, install Tunnelblick so it does not ask for admin permission to launch first time or after any updates.  I have to constantly log into our remote workers Macs to put in my admin credentials so they can work.

Tunnelblick Developer

unread,
May 28, 2025, 11:47:52 AMMay 28
to tunnelblick-discuss

TNPAPA

unread,
May 28, 2025, 12:09:27 PMMay 28
to tunnelblick-discuss
Installing the program is not the problem, Mosyle does that just fine.  It's when you first launch it or anytime the App or the OS updates it again asks for Admin permissions to run.

Tunnelblick Developer

unread,
May 28, 2025, 12:58:52 PMMay 28
to tunnelblick-discuss
Installing Tunnelblick properly requires the use of its imbedded "install" program. In a managed environment "installer" must be run by the management software.

Other application management programs install Tunnelblick properly and don't have the problems you describe.Two examples are Homebrew and Munki.

Absent some other program interfering, Mosyle isn't installing or updating Tunnelblick properly. 



TNPAPA

unread,
May 28, 2025, 1:08:36 PMMay 28
to tunnelblick-discuss
so maybe the issue is that Mosyle downloads the entire dmg file and then executes the installer from that. Your command line looks for the app itself and not the dmg.

Tunnelblick Developer

unread,
May 28, 2025, 1:19:33 PMMay 28
to tunnelblick-discuss
No, running installer directly on the opened .dmg works fine. Either they aren't doing that, or they're doing something else wrong. (Or some other software is interfering, but that's unlikely.)

TNPAPA

unread,
May 28, 2025, 1:23:25 PMMay 28
to tunnelblick-discuss
The installer runs, the app opens but it asks for admin permission on the first run and at other times after any kind of system updates. Once I put I my credentials its good for awhile but I get two to three users a week telling me I need to remote into their machines and re-auth it.
Screenshot 2025-05-28 at 12.21.09 PM.png

Tunnelblick Developer

unread,
May 28, 2025, 2:04:30 PMMay 28
to tunnelblick-discuss
What makes you think the installer was run?

The installer itself does not launch Tunnelblick, so if Tunnelblick launches after "running the installer",  it wasn't the installer that was run, it was the app.

I just mounted a disk image of Tunnelblick 8.0 on a fresh install of macOS 14.3.2 and ran

    sudo /Volumes/Tunnelblick/Tunnelblick.app/Contents/Resources/installer 259

and the next launch of Tunnelblick did not ask for an admin password.

TNPAPA

unread,
May 28, 2025, 2:06:27 PMMay 28
to tunnelblick-discuss
I think the installer was run because the app is in the Applications folder, the daemon is installed and the Application Support files are in place.

Tunnelblick Developer

unread,
May 28, 2025, 2:15:05 PMMay 28
to tunnelblick-discuss
That doesn't mean the installer was run. They probably copied the app to /Applications, and put stuff in /Library/Application Support/Tunnelblick themselves. That's the wrong way to do it.

To repeat: The installer wasn't run, because if it had been run you wouldn't be getting the Admin password request.


TNPAPA

unread,
May 28, 2025, 2:16:15 PMMay 28
to tunnelblick-discuss
Ok, I am writing a custom install script for Mosyle to execute.  Lets see what that does.

TNPAPA

unread,
May 28, 2025, 2:48:43 PMMay 28
to tunnelblick-discuss
I think this has solved it.  Installer ran and app launched without asking for permission.

TNPAPA

unread,
May 28, 2025, 3:03:27 PMMay 28
to tunnelblick-discuss
So, Will I have to go into each machine and manually delete the old files before running the new installer? Or can I install on top of the existing install?

Tunnelblick Developer

unread,
May 28, 2025, 3:19:49 PMMay 28
to tunnelblick-discuss
What do you mean by "old files"?

TNPAPA

unread,
May 28, 2025, 3:21:27 PMMay 28
to tunnelblick-discuss
The original install that Mosyle did that has issues. The app and all its support files.

Tunnelblick Developer

unread,
May 28, 2025, 4:08:27 PMMay 28
to tunnelblick-discuss

You can run  sudo... installer 259 . on top of an existing Tunnelblick install; it will "update" an existing installation. It will repair permissions and make sure everything is as it expects, which should clean up Mosyle's mess. But if Mosyle screwed up in one thing, they could have screwed up in other things, too, so you'll just have to try it out.

Reply all
Reply to author
Forward
0 new messages