removed pkg from repo

docker label

.gitignore

@@ -9,4 +9,5 @@ scratch/
 *.app
 *.tbz
 
-
+# do include Installomator .pkg files
+#!Installomator-*.pkg

CHANGELOG.md

@@ -0,0 +1,48 @@
+## v0.5 - 2021-04-13
+
+- Major update and now with help from @Theile and @Isaac
+- Added additional `BLOCKING_PROCESS_ACTION` handlings
+- Added additional `NOTIFY=all`. Usuful if used in Self Service, as the user will be notified before download, before install as well as when it is done.
+- Added variable `LOGO` for icons i dialogs, use `LOGO=appstore` (or `jamf` or `mosyleb` or `mosylem` or `addigy`). It's also possible to set it to a direct path to a specific icon. Default is `appstore`. 
+- Added variable `INSTALL` that can be set to `INSTALL=force` if software needs to be installed even though latest version is already installed (it will be a reinstall).
+- Version control now included. The variable `appNewVersion` in a label can be used to tell what the latest version from the web is. If this is not given, version checking is done after download.
+- For a label that only installs a pkg without an app in it, a variable `packageID` can be used for version checking. 
+- Labels now sorted alphabetically, except for the Microsoft ones (that are at the end of the list). A bunch of new labels added, and lots of them have either been changed or improved (with `appNewVersion` og `packageID`).
+- If an app is asked to be closed down, it will now be opened again after the update.
+- If your MDM cannot call a script with parameters, the label can be set in the top of the script.
+- If your MDM is not Jamf Pro, and you need the script to be installed locally on your managed machines, then take a look at [Theiles fork](https://github.com/Theile/Installomator/). This fork can be called from the MDM using a small script.
+- Script `buildCaseStatement.sh` to help with creating labels have been improved.
+- Fixed a bug in a variable name that prevented updateTool to be used
+- added `type` variable for value `"updateronly"` if the label should only run an updater tool.
+
+
+## v0.4 - 2020-10-19
+
+- you can now set script variables as an argument in the form `VARIABLE=value`. More detail on this in the README file, 'Configuration from Arguments.' (#26, #50, #72, and #73)
+- change `downloadFromGit` to match file types better (#58)
+- implemented a workaround for changed behavior of `xpath` in Big Sur (#80)
+- added an option `prompt_user_then_kill` to `BLOCKING_PROCESS_ACTION` which will kill the process after the third unsuccessful attempt to quit (#78, thanks Patrick Atoon @raptor399)
+- added several new labels for total of 116
+
+
+## v0.3 - 2020-07-23
+
+- added several new labels for total of 98
+- removed the powershell labels, since the installer is not notarized
+- when run without any arguments, the script now lists all labels
+- changed how zips are expanded because this was broken on Mojave
+- improved logging in some statements
+- several more minor improvements
+
+
+## v0.2 - 2020-06-09
+
+- many fixes for broken URLs and other bugs
+- the `pkgInDmg` and `pkgInZip` now search for a pkg file in the archive in case the file name varies with the version
+- notification on successful installation can be suppressed with the `NOTIFY` variable
+- Apple signed installers and apps that don’t have a Team ID are verified correctly now
+improved logging
+- several new applications: count increased from 62 in 0.1 to 87 in 0.2
+
+
+## v0.1 - 2020-05-12

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2018 Armin Briegel, Scripting OS X
+   Copyright 2020 Armin Briegel, Scripting OS X
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

Labels.txt

@@ -1,58 +1,264 @@
 1password7
+8x8
+abstract
+adobebrackets
+adobeconnect
+adobereaderdc
+adobereaderdc-install
+adobereaderdc-update
+aircall
+airserver
+alfred
+amazonchime
+amazonworkspaces
+androidfiletransfer
+apparency
+appcleaner
+aquaskk
 atom
+autodmg
+autopkgr
 aviatrix
+awscli2
+awsvpnclient
+balenaetcher
+basecamp3
 bbedit
+bettertouchtool
+bitwarden
+blender
+bluejeans
+boxdrive
+brave
+cakebrew
+calibre
+camostudio
+camtasia
 citrixworkspace
+clevershare2
+code42
 coderunner
+cormorant
+cryptomator
 cyberduck
+dangerzone
+darktable
+dbeaverce
+debookee
 depnotify
 desktoppr
+detectxswift
+devonthink
+dialpad
 discord
+docker
 dropbox
+easeusdatarecoverywizard
+egnyte
+element
 eraseinstall
+etrecheck
+exelbanstats
+fantastical
+ferdi
+figma
 firefox
+firefox_da
+firefoxesr
+firefoxesrpkg
+firefoxpkg
+front
+fsmonitor
+gimp
 githubdesktop
+golang
 googlechrome
 googlechromepkg
+googledrive
+googledrivebackupandsync
 googledrivefilestream
+googleearth
+googlejapaneseinput
+gotomeeting
+gpgsuite
+gpgsync
 grandperspective
+gyazo
+gyazogif
 handbrake
+hazel
+hpeasyadmin
+hpeasystart
+hyper
+icons
+inkscape
+installomator_st
+installomator_theile
+intellijideace
+istatmenus
 iterm2
+jabradirect
+jamfconnect
+jamfmigrator
+jamfpppcutility
+jamfreenroller
+jetbrainsintellijidea
+jetbrainsintellijideace
+jetbrainsphpstorm
+jetbrainspycharm
+jetbrainspycharmce
+karabinerelements
+keepassxc
+keka
+keyboardmaestro
+klokki
+knockknock
+krisp
+krita
+lastpass
+launchbar
+lexarrecoverytool
+libreoffice
+loom
+lucifer
+lulu
+macfuse
 malwarebytes
+mattermost
+menumeters
 microsoftautoupdate
+microsoftcompanyportal
 microsoftdefenderatp
+microsoftedge
 microsoftedgeconsumerstable
 microsoftedgeenterprisestable
 microsoftexcel
+microsoftlicenseremovaltool
 microsoftoffice365
 microsoftofficebusinesspro
 microsoftonedrive
 microsoftonenote
 microsoftoutlook
 microsoftpowerpoint
+microsoftremotedesktop
 microsoftsharepointplugin
+microsoftskypeforbusiness
+microsoftteams
+microsoftvisualstudiocode
 microsoftword
+microsoftyammer
+miro
+musescore
 netnewswire
+nextcloud
+nomad
+nomadlogin
+notion
+nvivo
+obsidian
+odrive
+omnidisksweeper
 omnifocus3
+omnigraffle6
 omnigraffle7
+omnioutliner5
+omniplan3
+omniplan4
+omnipresence
+onionshare
+onlyofficedesktop
 openvpnconnect
+openvpnconnectv3
+opera
 pacifist
+pdfsam
+pitch
+plantronicshub
 plisteditpro
+postman
+prism9
 privileges
+proctortrack
+promiseutilityr
+pycharmce
+pymol
+r
+ramboxce
+rectangle
+redeye
 resiliosynchome
+retrobatch
+ricohpsprinters
+ringcentralapp
+ringcentralclassicapp
+ringcentralmeetings
+ringcentralphone
+rocket
+rocketchat
 royaltsx
+rstudio
+santa
+screamingfrogseospider
+sfsymbols
+shield
+sidekick
+signal
+silnite
+sizeup
+sketch
+skype
 slack
+snagit
+snagit2020
+snagit2021
+snapgeneviewer
 sonos
+sonoss1
+sonoss2
 sourcetree
 spotify
+sublimetext
 suspiciouspackage
+swiftruntimeforcommandlinetools
+tableaureader
+taskpaper
 teamviewer
+teamviewerhost
+teamviewerqs
+telegram
 textmate
 things
+thunderbird
+tigervnc
+toggltrack
+torbrowser
 tunnelbear
+tunnelblick
+umbrellaroamingclient
+universaltypeclient
+universaltypeclient
+vagrant
+vanilla
+veracrypt
+virtualbox
+viscosity
 visualstudiocode
+vivaldi
 vlc
+vmwarehorizonclient
+vscodium
 webexmeetings
 webexteams
 whatsapp
+wickrme
+wickrpro
+wireshark
+xeroxphaser7800
+xink
+yubikeymanagerqt
+zappy
 zoom
+zoomclient
+zulujdk11
+zulujdk13
+zulujdk15

README.md

@@ -4,6 +4,28 @@ _The one installer script to rule them all._
 
 ![](https://img.shields.io/github/v/release/scriptingosx/Installomator) ![](https://img.shields.io/github/downloads/scriptingosx/Installomator/latest/total) ![](https://img.shields.io/badge/macOS-10.14%2B-success) ![](https://img.shields.io/github/license/scriptingosx/Installomator)
 
+This script is in the "we find it useful, it is working for us" stage.
+
+Your production and deployment environment will be different, please test thoroughly before rolling it out to your production.
+
+I have put a lot of work into making it stable and safe, but I cannot - of course - make _any_ promises that it won't break in some not yet encountered edge case.
+
+## Support and Contributing
+
+Discussion, support and advice around Installomator happens in the `#installomator` channel in the [MacAdmins Slack](https:/macadmins.org). Go there for support questions.
+
+Do not create an issue just when you have a questions, but do file an issue or pull request for bugs or wrong behavior. When in doubt, ask in the above Slack channel.
+
+If you have added a new label, then please file a pull request. (and Thank you!)
+
+## More reading
+
+There are a few interesting post on Installomator on my weblog:
+
+- [Introducing Installomator](https://scriptingosx.com/2020/05/introducing-installomator/)
+- [Using Installomator with Jamf Pro](https://scriptingosx.com/2020/06/using-installomator-with-jamf-pro/) by Mischa van der Bent
+- [Using another MDM than Jamf and you might want a local installation](https://github.com/Theile/Installomator/) By Søren Theilgaard
+
 ## Background
 
 As a system engineer at [an Apple Authorized Enterprise Reseller](https://prowarehouse.nl), we manage a lot of Jamf instances.
@@ -12,23 +34,30 @@ Some of these instances are tightly managed, i.e. the versions of the operating
 
 Installomator was _not_ written for these kinds of deployment.
 
-If you are running this kind of deployment, you want [AutoPkg](https://github.com/autopkg/autopkg).
+If you are running this kind of deployment, you want to use [AutoPkg](https://github.com/autopkg/autopkg) and you can stop reading here.
 
 There are other kinds of deployments, though. In these deployments the management system is merely used to "get the user ready" as quickly as possible when they set up a new machine, and to offer software from a self service portal. In these deployments, system and software installations are 'latest version available' and updates are user driven (though we do want to nag them).
 
-These are mostly 'user controlled' Macs and we mostly just want to assist the user in doing the right thing. And the right thing is (often) to install the latest versions and updates when they are available.
+These deployments are
 
-The Mac App Store and software pushed through the Mac App Store follow this approach. When you manage software through the App Store — whether it is on iOS or macOS — neither the MacAdmin nor the user get a choice of the application version. They will get the latest version.
+- user driven
+- low control
+- minimal maintenance effort
 
-In such deployments, keeping the installers hosted in your management system up to date is an extra burden that often feels unnecessary. Instead of downloading, re-packaging, uploading application installers to the management system, it is often easier to run a script which downloads the latest version directly from the vendor's servers and installs it.
+These are mostly 'user controlled' Macs and we (the admins) just want to assist the user in doing the right thing. And the right thing is (often) to install the latest versions and updates when they are available.
+
+The Mac App Store and software pushed through the Mac App Store follow this approach. When you manage and deploy software through the App Store — whether it is on iOS or macOS — neither the MacAdmin nor the user get a choice of the application version. They will get the latest version.
+
+In such deployments, keeping the installers hosted in your management system up to date is an extra burden. AutoPkg can, well, automate much of the download/re-package/upload/stage cycle, but it still requires oversight and maintenance. Instead of downloading, re-packaging, uploading application installers to the management system, it is often easier to run a script which downloads the latest version directly from the vendor's servers and installs it.
 
 There are obviously a few downsides to this approach:
 
 - when your fleet is mostly on site and many will install or update at the same time, they will reach out over the internet to the vendor's servers, possibly overwhelming your internet connection
 - when you download software from the internet, it should be verified to avoid man-in-the-middle or other injection attacks
-- there is no control over which version the clients get
+- there is no control over which version the clients get, you cannot "hold back" new versions for testing and approval workflows
+- some application downloads are gated behind logins or paywalls and cannot be automated this way
 
-Some of these disadvantages can be seen as advantages in different setups. When your fleet is mostly mobile and offsite, then downloading from vendor servers will relieve the inbound connection to your management server, or the data usage on your cloud server. Software vendors are pushing for subscriptions with continuous updates and feature releases, so moving the entire team to the latest versions quickly can make those available quickly. Also being on the latest release includes all current security patches.
+Some of these disadvantages can be seen as advantages in different setups. When your fleet is mostly mobile and offsite, then downloading from vendor servers will relieve the inbound connection to your management server, or the data usage on your management system's cloud server. Software vendors are pushing for subscriptions with continuous updates and feature releases, so moving the entire team to the latest versions quickly can make those available quickly. Also being on the latest release includes all current security patches.
 
 Because this is an attractive solution for _certain kinds_ of deployment, there are already many scripts out there that will download and install the latest version of a given software. And we have built and used quite a few in-house, as well. Most importantly, [William Smith has this script](https://gist.github.com/talkingmoose/a16ca849416ce5ce89316bacd75fc91a) which can be used to install several different Microsoft applications and bundles, because Microsoft has a nice unified URL scheme.
 
@@ -58,7 +87,7 @@ Installomator can work with the following common archive and installer types:
 
 When the download yields a pkg file, Installomator will run `installer` to install it on the current system. 
 
-Applications in dmgs or zips will be copied to `/Applications` and their owner will be set to the current user, so the install works like a standard drag'b drop installation.
+Applications in dmgs or zips will be copied to `/Applications` and their owner will be set to the current user, so the install works like a standard drag'n drop installation.
 
 (I consider it a disgrace, that Jamf, after nearly 20 years, _still_ cannot deal with 'drag'n drop installation dmgs' natively. It's not _that_ hard.)
 
@@ -74,29 +103,42 @@ When used to install software, Installomator has a single argument: the label or
 
 ```
 ./Installomator.sh firefox
+./Installomator.sh firefox LOGO=jamf BLOCKING_PROCESS_ACTION=tell_user_then_kill NOTIFY=all
 ```
 
 There is a debug mode and one other setting that can be controlled with variables in the code. This simplifies the actual use of the script from within a management system.
 
 ### Extensible
 
-As of this writing, Installomator knows how to download and install more than 50 different applications. You can add more by adding a block to the _long_ `case` statement starting on line 160. Some of them are more elaborate, but most of them just need this information:
+As of this writing, Installomator knows how to download and install more than 238 different applications. You can add more by adding a block to the _long_ `case` statement starting on line 758. Some of them are more elaborate, but most of them (just) need this information (not really "just" in this case, as we have to differentiate between arm64 and i386 versions for both `downloadURL` and `appNewVersion`):
 
 ```
-    googlechrome)
-        name="Google Chrome"
-        type="dmg"
+googlechrome)
+    name="Google Chrome"
+    type="dmg"
+    if [[ $(arch) != "i386" ]]; then
+        printlog "Architecture: arm64 (not i386)"
+        downloadURL="https://dl.google.com/chrome/mac/universal/stable/GGRO/googlechrome.dmg"
+        appNewVersion=$(curl -s https://omahaproxy.appspot.com/history | awk -F',' '/mac_arm64,stable/{print $3; exit}') # Credit: William Smith (@meck)
+    else
+        printlog "Architecture: i386"
         downloadURL="https://dl.google.com/chrome/mac/stable/GGRO/googlechrome.dmg"
-        expectedTeamID="EQHXZ8M8AV"
-        ;;
+        appNewVersion=$(curl -s https://omahaproxy.appspot.com/history | awk -F',' '/mac,stable/{print $3; exit}') # Credit: William Smith (@meck)
+    fi
+    expectedTeamID="EQHXZ8M8AV"
+    ;;
 ```
 
 When you know how to extract these pieces of information from the application and/or download, then you can add an application to Installomator.
 
+The script buildCaseStatement.sh can help with the label creation.
+
 ### Not specific to a management system
 
 I wrote this script mainly for use with Jamf Pro, because that is what we use. For testing, you can run the script interactively from the command line. However, I have tried to keep anything that is specific to Jamf optional, or so flexible that it will work anywhere. Even if it does not work with your management system 'out of the box,' the adaptations should be straightforward.
 
+Not all MDMs can include the full script, for those MDMs it might be more useful to install it on the client machines, and run it from there. See [Using another MDM than Jamf and you might want a local installation](https://github.com/Theile/Installomator/) By Søren Theilgaard.
+
 ### No dependencies
 
 The script started out as a pure `sh` script, and when I needed arrays I 'switched' to `zsh`, because that is what [we can rely on being in macOS for the foreseeable future](https://scriptingosx.com/zsh). There are quite a few places where using python would have been easier and safer, but with the python 2 run-time being deprecated, that would have added a requirement for a Python 3 run-time to be installed. XML and JSON parsing would have been better with a tool like [scout](https://github.com/ABridoux/scout) or [jq](https://stedolan.github.io/jq/), but those would again require additional installations on the client before the script can run.
@@ -113,22 +155,26 @@ The argument can be `version` or `longversion` which will print the script's ver
 
 ```
 > ./Installomator.sh version
-0.1
+2021-03-28 10:03:42 version ################## Start Installomator v. 0.5.0
+2021-03-28 10:03:42 version ################## version
+2021-03-28 10:03:42 version 0.5.0
 > ./Installomator.sh longversion
-Installomater: version 0.1 (20200506)
+2021-03-28 10:04:16 longversion ################## Start Installomator v. 0.5.0
+2021-03-28 10:04:16 longversion ################## longversion
+2021-03-28 10:04:16 longversion Installomater: version 0.5.0 (2021-03-28)
 ```
 
 Other than the version arguments, the argument can be any of the labels listed in the Labels.txt file. Each of the labels will download and install the latest version of the application, or suite of applications. Since the script will have to run the `installer` command or copy the application to the `/Applications` folder, it will have to be run as root.
 
 ```
-> sudo ./Installomator.sh desktoppr
+> sudo ./Installomator.sh desktoppr DEBUG=0
 ```
 
 (Since Jamf Pro always provides the mount point, computer name, and user name as the first three arguments for policy scripts, the script will use argument `$4` when there are more than three arguments.)
 
 ### Debug mode
 
-There is a variable named `DEBUG` which is set in line 21 of the script. When `DEBUG` is set to `1` (default) no actions that wousld actually modify the current system are taken. This is useful for testing most of the actions in the script, but obviously not all of them.
+There is a variable named `DEBUG` which is set in line 21 of the script. When `DEBUG` is set to `1` (default) no actions that would actually modify the current system are taken. This is useful for testing most of the actions in the script, but obviously not all of them.
 
 Also when the `DEBUG` variable is `1`, downloaded archives and extracted files will be written to the script's directory, rather than a temporary directory, which can make debugging easier.
 
@@ -138,14 +184,17 @@ _Always remember_ to change the `DEBUG` variable to `0` when deploying.
 
 In Jamf Pro, create a new 'Script' and paste the contents of `Installomator.sh` into the 'Script Contents' area. Under 'Options' you can change the parameter label for argument 4 to 'Application Label.'
 
+Remember to set `DEBUG` to `0`.
+
 Then you can use the Installomator script in a policy and choose the application to install by setting the label for argument 4.
 
 ## What it does
 
 When it runs with a known label, the script will perform the following:
 
-- when the application is running, prompt the user to quit or cancel
+- Check the version installed with the version online. Only continue if it's different
 - download the latest version from the vendor
+- when the application is running, prompt the user to quit or cancel
 - dmg or zip archives:
     - extract the application and copy it to /Applications
     - change the owner of the application to the current user
@@ -171,14 +220,51 @@ Debug mode is useful to test the download and verification process without havin
 
 The `BLOCKING_PROCESS_ACTION` variable controls the behavior of the script when it finds a blocking process running.
 
-There are four options:
+There are eight options:
 
-- `ignore`:       continue even when blocking processes are found
-- `silent_fail`:  exit script without prompt or installation
-- `prompt_user`:  show a user dialog for each blocking process found abort after three attempts to quit
-- `kill`:         kill process without prompting or giving the user a chance to save
+- `ignore`: continue even when blocking processes are found.
+- `silent_fail`: exit script without prompt or installation.
+- `prompt_user`: (default) show a user dialog for each blocking process found abort after three attempts to quit (only if user accepts to quit the apps, otherwise the update is cancelled).
+- `prompt_user_then_kill`: show a user dialog for each blocking process found, attempt to quit two times, kill the process finally.
+- `prompt_user_loop`: Like prompt-user, but clicking "Not Now", will just wait an hour, and then it will ask again.
+- `tell_user`: User will be showed a notification about the important update, but user is only allowed to quit and continue, and then we ask the app to quit.
+- `tell_user_then_kill`: Show dialog 2 times, and if the quitting fails, the blocking processes will be killed.
+- `kill`: kill process without prompting or giving the user a chance to save.
 
-The default is `prompt_user`.
+If any process was closed, Installomator will try to open the app again, after the update process is done. 
+
+### Notification
+
+The `NOTIFY` variable controls the notifications shown to the user. As of now, there are three options:
+
+- `success`:   (default) notify the user after a successful install
+- `silent`:    no notifications
+- `all`:       all notifications (great for Self Service installation)
+
+### Logo
+
+The `LOGO` variable is used for the icon shown in dialog boxes. There are these options:
+
+- `appstore`:    Icon is Apple App Store (default)
+- `jamf`:        JAMF Pro
+- `mosyleb`:     Mosyle Business
+- `mosylem`:     Mosyle Manager (Education)
+- `addigy`:      Addigy
+Path can also be set in the command call, and if file exists, it will be used, like `LOGO="/System/Applications/App\ Store.app/Contents/Resources/AppIcon.icns"` (spaces are escaped).
+
+### Install behavior (force installation)
+
+Since we now make a version checking, and only installs the software if the version is different, an `INSTALL` variable can be used to force the installation:
+
+- ``:            When not set, software is only installed if it is newer/different in version (default)
+- `force`:       Install even if it’s the same version
+
+### Re-opening of closed app
+
+The `REOPEN` can be used to prevent the reopening of a closed app
+
+- `yes`:   (default) app will be reopened if it was closed
+- `no`:    app not reopened
 
 ### Adding applications/label blocks
 
@@ -187,12 +273,12 @@ The default is `prompt_user`.
 The script requires four pieces of information to download and install an application:
 
 ```
-    spotify)
-        name="Spotify"
-        type="dmg"
-        downloadURL="https://download.scdn.co/Spotify.dmg"
-        expectedTeamID="2FNC3A47ZF"
-        ;;
+spotify)
+    name="Spotify"
+    type="dmg"
+    downloadURL="https://download.scdn.co/Spotify.dmg"
+    expectedTeamID="2FNC3A47ZF"
+    ;;
 ```
 
 The four required variables are
@@ -204,13 +290,25 @@ The display name of the installed application without the `.app` extensions.
 The type of installation. Possible values:
      - `dmg`: application in disk image file (drag'n drop installation)
      - `pkg`: flat pkg download
-     - `zip`: application in zip archive (`zip` or `tbz` extension)
+     - `zip`: application in zip archive (`zip` extension)
+     - `tbz`: application in tbz archive (`tbz` extension)
      - `pkgInDmg`: a pkg file inside a disk image
      - `pkgInZip`: a pkg file inside a zip
+     - `appInDmgInZip`: an app in a dmg file that has been zip'ed
 
 - `downloadURL`:
 The URL from which to download the archive.
 The URL can be generated by a series of commands, for example when you need to parse an xml file for the latest URL. (See `bbedit`, `desktoppr`, or `omnigraffle` for examples.)
+Sometimes version differs between Intel and Apple Silicon versions. (See `brave`,  `obsidian`, `omnidisksweeper`, or `notion`).
+
+- `appNewVersion` (optional, but recommended):
+Version of the downloaded software.
+If given, it will be compared to installed version, to see if download is different.
+It does not check for newer or not, only different.
+Not always easy to figure out how to make this. Sometimes this is listed on the downloads page, sometimes in other places. And how can we isolate it in a genral manner? (See `abstract`, `bbedit`, `brave`, `desktoppr`, `googlechrome`, or `omnidisksweeper`).
+
+- `packageID` (optional, but recommended for pkgs without an app)
+This variable is for pkg bundle IDs. Very usefull if a pkg only install command line tools, or the like that does not install an app. (See label `desktoppr`, `golang`, `installomator_st`, `odrive`, or `teamviewerhost`).
 
 - `expectedTeamID`:
 The 10-character Developer Team ID with which the application or pkg is signed and notarized.
@@ -220,7 +318,7 @@ The 10-character Developer Team ID with which the application or pkg is signed a
    - Applications (in dmgs or zips)
      `spctl -a -vv /Applications/BBEdit.app`
 
-   - Pkgs
+   - Installation Packages (pkg)
      `spctl -a -vv -t install ~/Downloads/desktoppr-0.2.pkg`
 
 
@@ -235,6 +333,7 @@ Depending on the application or pkg there are a few more variables you can or ne
 - `appName`: (optional)
   File name of the app bundle in the dmg to verify and copy (include the `.app`).
   When not given, the `appName` is set to `$name.app`.
+  This is also the name of the app that will get reopned, if we closed any `blockingProcesses` (see further down)
 
 - `targetDir`: (optional)
   dmg or zip:
@@ -267,4 +366,72 @@ Depending on the application or pkg there are a few more variables you can or ne
 - `updateToolRunAsCurrentUser`:
   When this variable is set (any value), `$updateTool` will be run as the current user. Default is unset and 
 
+### Configuration from Arguments
+
+You can provide a configuration variable, such as `DEBUG` or `NOTIFY` as an argument in the form `VAR=value`. For example:
+
+```
+./Installomator.sh desktoppr DEBUG=0 NOTIFY=silent
+```
+
+Providing variables this way will override any variables set in the script.
+
+You can even provide _all_ the variables necessary for download and installation. Of course, without a label the argument parsing will fail, so I created a special label `valuesfromarguments` which only checks if the four required values are present:
+
+```
+./Installomator.sh name=desktoppr type=pkg downloadURL=https://github.com/scriptingosx/desktoppr/releases/download/v0.3/desktoppr-0.3.pkg expectedTeamID=JME5BW3F3R valuesfromarguments
+```
+
+The order of the variables and label is not relevant. But, when you provide more than one label, all but the _last_ label will be ignored.
+
+Providing all the variables this way might be useful for certain downloads that have a customized URL for each vendor/customer (like customized TeamView or Watchman Monitoring) or are local downloads.
+
+
+## Frequently Asked Questions
+
+### What if the latest version of the app is already installed?
+
+Short answer: Installomator will re-download and re-install the latest over the existing installation.
+
+Longer answer:
+
+Installomator will try to find a currently installed app to log the version. When Installomator finds an existing app (any version) and the `updateTool` variable is set, then Installomator will _not_ download and install, but run the `updateTool` instead.
+
+However, there is no simple generic method to actually determine the latest version of an application or installer.
+
+We deploy Installomator usually for user initiated installations from Self Service, so re-installs don't really 'hurt' and may be a useful troubleshooting step.
+
+When you want to have automated installations, you can use smart groups based on the app version to limit excessive re-installations.
+
+### Why don't you just use `autopkg install`?
+
+Short answer: `autopkg` is not designed or suited for this kind of workflow
+
+Long answer:
+
+The motivation to not re-invent the wheel and use and existing tool is understandable. However, `autopkg` was not designed with this use case in mind and has a few significant downsides.
+
+First, you would have to deploy and manage autopkg on all the clients. But to do its work, `autopkg` requires recipes. So, you have to install, and update the recipe repos on the client, as well. For security reasons, you _really_ should only run trusted recipes, so you need to install and update your personal recipe overrides as well.
+
+The recipes you use are probably spread across multiple community provided recipe-repos, so we have `autopkg` itself, several recipe-repos, and your overrides that we need to manage, each of which may need to be updated at any time.
+
+The community recipe-repos contain several recipes for different applications. When you add a recipe-repo for an app you want, you will also install all the other recipes from that repo.
+
+The `autopkg install` does _not_ require root or even administrative privileges. _Any_ user (even standard users) on the system can now install any of the random recipes that came with the community repos.
+
+To prevent users installing random apps from the community repos, you can curate your own recipe-repo from the community repos and push that to the clients. At this point, you are managing autopkg, your curated repo, your recipe overrides on the clients and handling the additional work of curating and updating your recipe-repo and the overrides.
+
+In addition, a really savvy user (or a malicious attacker) could build their own recipe and run it using the pre-installed `autopkg` you installed.
+
+And then consider what your CISO department (if you have one) would say about the `autopkgserver` and `autopkginstalld` daemons running on all the clients...
+
+At this point it would be easier to use AutoPkg the way it was intended: on a single admin Mac, and let it upload the pkgs to your management system, which deploys them. Each tool is doing what it is designed for.
+
+Please don't misunderstand this as me saying that AutoPkg is a bad or poorly designed tool. AutoPkg is amazing, powerful, and useful. The [Scripting OS X recipe-repo](https://github.com/autopkg/scriptingosx-recipes) is one of the older repos. AutoPkg is valuable tool to help admins with many apps that cannot be automated with tools like Installomator, and with deployment strategies that require more control.
+
+But it is not suited as a client install automation tool.
+
+### Why don't you just use brew?
+
+Read the explanation for `autopkg`, pretty much the same applies for `brew`, i.e. while it is useful on a single Mac, it is a un-manageable mess when you think about deploying and managing on a fleet of computers.
 

buildCaseStatement.sh

@@ -18,22 +18,131 @@ if ! cd "$tmpDir"; then
     exit 1
 fi
 
-# download the dmg
+# download the URL
 echo "Downloading $downloadURL"
-if ! curl --location --fail --silent "$downloadURL" --remote-header-name --remote-name; then
+<<<<<<< HEAD
+<<<<<<< Updated upstream
+if ! archivePath=$(curl -fsL "$downloadURL" --remote-header-name --remote-name -w "%{filename_effective}"); then
+=======
+if ! downloadOut="$(curl -fsL "$downloadURL" --remote-header-name --remote-name -w "%{filename_effective}\n%{url_effective}\n")"; then
+>>>>>>> Stashed changes
+=======
+if ! downloadOut="$(curl -fsL "$downloadURL" --remote-header-name --remote-name -w "%{filename_effective}\n%{url_effective}\n")"; then
+>>>>>>> 4932ea6a3186d902d88c9bb5a3774c6ff81b1608
     echo "error downloading $downloadURL"
     exit 2
 fi
 
-archivePath=$(find $tmpDir -print )
+xpath() {
+    # the xpath tool changes in Big Sur and now requires the `-e` option
+    if [[ $(sw_vers -buildVersion) > "20A" ]]; then
+        /usr/bin/xpath -e $@
+        # alternative: switch to xmllint (which is not perl)
+        #xmllint --xpath $@ -
+    else
+        /usr/bin/xpath $@
+    fi
+}
+
+<<<<<<< HEAD
+<<<<<<< Updated upstream
+#archivePath=$(find $tmpDir -print )
+echo "archivePath: $archivePath"
 archiveName=${archivePath##*/}
+echo "archiveName: $archiveName"
+=======
+pkgInvestigation() {
+    echo "Package found"
+    teamID=$(spctl -a -vv -t install "$archiveName" 2>&1 | awk '/origin=/ {print $NF }' | tr -d '()' )
+    echo "For PKGs it's advised to find packageID for version checking"
+    
+    pkgutil --expand "$pkgPath" "$archiveName"_pkg
+    cat "$archiveName"_pkg/Distribution | xpath '//installer-gui-script/pkg-ref[@id][@version]' 2>/dev/null
+    packageID="$(cat "$archiveName"_pkg/Distribution | xpath '//installer-gui-script/pkg-ref[@id][@version]' 2>/dev/null | tr ' ' '\n' | grep -i "id" | cut -d \" -f 2)"
+    rm -r "$archiveName"_pkg
+    echo "$packageID"
+    echo "Above is the possible packageIDs that can be used, and the correct one is probably one of those with a version number. More investigation might be needed to figure out correct packageID if several are displayed."
+}
+appInvestigation() {
+    appName=${appPath##*/}
+
+    # verify with spctl
+    echo "Verifying: $appPath"
+    if ! teamID=$(spctl -a -vv "$appPath" 2>&1 | awk '/origin=/ {print $NF }'  | tr -d '()' ); then
+        echo "Error verifying $appPath"
+        exit 4
+    fi
+}
+echo "downloadOut: ${downloadOut}"
+archiveTempName=$( echo "${downloadOut}" | head -1 )
+echo "archiveTempName: $archiveTempName"
+archivePath=$( echo "${downloadOut}" | tail -1 )
+echo "archivePath: $archivePath"
+archiveName=${archivePath##*/}
+echo "archiveName: $archiveName"
+mv $archiveTempName $archiveName
+>>>>>>> Stashed changes
+=======
+pkgInvestigation() {
+    echo "Package found"
+    teamID=$(spctl -a -vv -t install "$archiveName" 2>&1 | awk '/origin=/ {print $NF }' | tr -d '()' )
+    echo "For PKGs it's advised to find packageID for version checking"
+    
+    pkgutil --expand "$pkgPath" "$archiveName"_pkg
+    cat "$archiveName"_pkg/Distribution | xpath '//installer-gui-script/pkg-ref[@id][@version]' 2>/dev/null
+    packageID="$(cat "$archiveName"_pkg/Distribution | xpath '//installer-gui-script/pkg-ref[@id][@version]' 2>/dev/null | tr ' ' '\n' | grep -i "id" | cut -d \" -f 2)"
+    rm -r "$archiveName"_pkg
+    echo "$packageID"
+    echo "Above is the possible packageIDs that can be used, and the correct one is probably one of those with a version number. More investigation might be needed to figure out correct packageID if several are displayed."
+}
+appInvestigation() {
+    appName=${appPath##*/}
+
+    # verify with spctl
+    echo "Verifying: $appPath"
+    if ! teamID=$(spctl -a -vv "$appPath" 2>&1 | awk '/origin=/ {print $NF }'  | tr -d '()' ); then
+        echo "Error verifying $appPath"
+        exit 4
+    fi
+}
+echo "downloadOut: ${downloadOut}"
+archiveTempName=$( echo "${downloadOut}" | head -1 )
+echo "archiveTempName: $archiveTempName"
+archivePath=$( echo "${downloadOut}" | tail -1 )
+echo "archivePath: $archivePath"
+archiveName=${archivePath##*/}
+echo "archiveName: $archiveName"
+mv $archiveTempName $archiveName
+>>>>>>> 4932ea6a3186d902d88c9bb5a3774c6ff81b1608
 name=${archiveName%.*}
+echo "name: $name"
 archiveExt=${archiveName##*.}
+echo "archiveExt: $archiveExt"
 identifier=$(echo $name | tr '[:upper:]' '[:lower:]')
+echo "identifier: $identifier"
 
 if [ "$archiveExt" = "pkg" ]; then
+<<<<<<< HEAD
+<<<<<<< Updated upstream
+    echo "Package found"
     teamID=$(spctl -a -vv -t install "$archiveName" 2>&1 | awk '/origin=/ {print $NF }' | tr -d '()' )
+    echo "For PKGs it's advised to find packageID for version checking"
+    pkgutil --expand "$archiveName" "$archiveName"_pkg
+    cat "$archiveName"_pkg/Distribution | xpath '//installer-gui-script/pkg-ref[@id][@version]' 2>/dev/null
+    packageID="$(cat "$archiveName"_pkg/Distribution | xpath '//installer-gui-script/pkg-ref[@id][@version]' 2>/dev/null | tr ' ' '\n' | grep -i "id" | cut -d \" -f 2)"
+    rm -r "$archiveName"_pkg
+    echo "$packageID"
+    echo "Above is the possible packageIDs that can be used, and the correct one is probably one of those with a version number. More investigation might be needed to figure out correct packageID if several are displayed."
+=======
+    pkgPath="$archiveName"
+    pkgInvestigation
+>>>>>>> Stashed changes
+=======
+    pkgPath="$archiveName"
+    pkgInvestigation
+>>>>>>> 4932ea6a3186d902d88c9bb5a3774c6ff81b1608
 elif [ "$archiveExt" = "dmg" ]; then
+    echo "Diskimage found"
     # mount the dmg
     echo "Mounting $archiveName"
     if ! dmgmount=$(echo "Y"$'\n' | hdiutil attach "$archiveName" -nobrowse -readonly | tail -n 1 | cut -c 54- ); then
@@ -41,50 +150,66 @@ elif [ "$archiveExt" = "dmg" ]; then
         exit 3
     fi
     echo "Mounted: $dmgmount"
-    # check if app exists
     
+    # check if app og pkg exists
     appPath=$(find "$dmgmount" -name "*.app" -maxdepth 1 -print )
-    appName=${appPath##*/}
-
-    # verify with spctl
-    echo "Verifying: $appPath"
-    if ! teamID=$(spctl -a -vv "$appPath" 2>&1 | awk '/origin=/ {print $NF }'  | tr -d '()' ); then
-        echo "Error verifying $appPath"
-        exit 4
+    pkgPath=$(find "$dmgmount" -name "*.pkg" -maxdepth 1 -print )
+    
+    if [[ $appPath != "" ]]; then
+        appInvestigation
+    elif [[ $pkgPath != "" ]]; then
+        archiveExt="pkgInDmg"
+        pkgInvestigation
     fi
     
     hdiutil detach "$dmgmount"
 elif [ "$archiveExt" = "zip" ] || [ "$archiveExt" = "tbz" ]; then
+    echo "Compressed file found"
     # unzip the archive
     tar -xf "$archiveName"
     
-    # check if app exists
+    # check if app og pkg exists
     appPath=$(find "$tmpDir" -name "*.app" -maxdepth 2 -print )
-    appName=${appPath##*/}
-    # verify with spctl
-    echo "Verifying: $appPath"
-    if ! teamID=$(spctl -a -vv "$appPath" 2>&1 | awk '/origin=/ {print $NF }'  | tr -d '()' ); then
-        echo "Error verifying $appPath"
-        exit 4
+    pkgPath=$(find "$tmpDir" -name "*.pkg" -maxdepth 2 -print )
+    
+    if [[ $appPath != "" ]]; then
+        appInvestigation
+    elif [[ $pkgPath != "" ]]; then
+        archiveExt="pkgInZip"
+        pkgInvestigation
     fi
 
 fi
 
 echo
-echo "    $identifier)"
-echo "        name=\"$name\""
-echo "        type=\"$archiveExt\""
-echo "        downloadURL=\"$downloadURL\""
-echo "        expectedTeamID=\"$teamID\""
-if [ -n "$appName" ] && [ "$appName" != "${name}.app" ]; then
-echo "        appName=\"$appName\""
+<<<<<<< HEAD
+<<<<<<< Updated upstream
+echo "appNewVersion is often difficult to find. Can sometimes be found in the filename, but also on a web page."
+=======
+echo "appNewVersion is often difficult to find. Can sometimes be found in the filename, but also on a web page. See archivePath above if link contains information about this."
+>>>>>>> Stashed changes
+=======
+echo "appNewVersion is often difficult to find. Can sometimes be found in the filename, but also on a web page. See archivePath above if link contains information about this."
+>>>>>>> 4932ea6a3186d902d88c9bb5a3774c6ff81b1608
+echo
+echo "$identifier)"
+echo "    name=\"$name\""
+echo "    type=\"$archiveExt\""
+if [ "$packageID" != "" ]; then
+echo "    packageID=\"$packageID\""
 fi
-echo "        ;;"
-echo 
+echo "    downloadURL=\"$downloadURL\""
+echo "    appNewVersion=\"\""
+echo "    expectedTeamID=\"$teamID\""
+if [ -n "$appName" ] && [ "$appName" != "${name}.app" ]; then
+echo "    appName=\"$appName\""
+fi
+echo "    ;;"
+echo
 
 #if [ -e "${tmpDir}" ]; then
 #    #echo "deleting tmp dir"
 #    rm -rf "${tmpDir}"
 #fi
 
-exit 0
+exit 0

buildInstallomatorPkg.sh

@@ -0,0 +1,118 @@
+#!/bin/zsh
+
+# buildInstallomatorPkg.sh
+
+# this script will create a pkg installer that places the Installomator.sh
+# script file in /usr/local/Installomator/Installomator.sh
+
+# this is for use with MDM systems that require the tools to be local
+
+export PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+pkgname="Installomator"
+version="0.5"
+identifier="com.scriptingosx.${pkgname}"
+install_location="/usr/local/Installomator/"
+signature="Developer ID Installer: Armin Briegel (JME5BW3F3R)"
+dev_team="JME5BW3F3R" # asc-provider
+dev_account="developer@scriptingosx.com"
+dev_keychain_label="Developer-altool"
+
+
+scriptfolder=$(dirname "$0")
+projectfolder=$(mktemp -d)
+payloadfolder="${projectfolder}/payload"
+
+# MARK: functions
+requeststatus() { # $1: requestUUID
+    requestUUID=${1?:"need a request UUID"}
+    req_status=$(xcrun altool --notarization-info "$requestUUID" \
+                          --username "$dev_account" \
+                          --password "@keychain:$dev_keychain_label" 2>&1 | awk -F ': ' '/Status:/ { print $2; }' )
+    echo "$req_status"
+}
+
+notarizefile() { # $1: path to file to notarize, $2: identifier
+    filepath=${1:?"need a filepath"}
+    identifier=${2:?"need an identifier"}
+    
+    # upload file
+    echo "## uploading $filepath for notarization"
+    requestUUID=$(xcrun altool --notarize-app \
+                               --primary-bundle-id "$identifier" \
+                               --username "$dev_account" \
+                               --password "@keychain:$dev_keychain_label" \
+                               --asc-provider "$dev_team" \
+                               --file "$filepath" 2>&1 | awk '/RequestUUID/ { print $NF; }')
+                               
+    echo "Notarization RequestUUID: $requestUUID"
+    
+    if [[ $requestUUID == "" ]]; then 
+        echo "could not upload for notarization"
+        exit 1
+    fi
+        
+    # wait for status to be not "in progress" any more
+    request_status="in progress"
+    while [[ "$request_status" == "in progress" ]]; do
+        echo -n "waiting... "
+        sleep 10
+        request_status=$(requeststatus "$requestUUID")
+        echo "$request_status"
+    done
+    
+    if [[ $request_status != "success" ]]; then
+        echo "## could not notarize $filepath"
+        xcrun altool --notarization-info "$requestUUID" \
+                     --username "$dev_account" \
+                     --password "@keychain:$dev_keychain_label"
+        exit 1
+    fi
+    
+}
+
+# MARK: main code starts here
+
+# create a projectfolder with a payload folder
+if [[ ! -d "${payloadfolder}" ]]; then
+    mkdir -p "${payloadfolder}"
+fi
+
+# copy the script file
+cp ${scriptfolder}/Installomator.sh ${payloadfolder}
+chmod 755 ${payloadfolder}/Installomator.sh
+
+# set the DEBUG variable to 0
+sed -i '' -e 's/^DEBUG=1$/DEBUG=0/g' ${payloadfolder}/Installomator.sh
+
+# build the component package
+pkgpath="${scriptfolder}/${pkgname}.pkg"
+
+pkgbuild --root "${projectfolder}/payload" \
+         --identifier "${identifier}" \
+         --version "${version}" \
+         --install-location "${install_location}" \
+         "${pkgpath}"
+
+
+# build the product archive
+
+productpath="${scriptfolder}/${pkgname}-${version}.pkg"
+
+productbuild --package "${pkgpath}" \
+             --version "${version}" \
+             --identifier "${identifier}" \
+             --sign "${signature}" \
+             "${productpath}"
+
+# clean up project folder
+rm -Rf "${projectfolder}"
+
+# upload for notarization
+notarizefile "$productpath" "$identifier"
+
+# staple result
+echo "## Stapling $productpath"
+xcrun stapler staple "$productpath"
+
+exit 0