Skip to main content
Jamf Nation, hosted by Jamf, is the largest Apple IT management community in the world. Dialog with your fellow IT professionals, gain insight about Apple device deployments, share best practices and bounce ideas off each other. Join the conversation.

Deploying Xcode 8 via Self-Service - a how-to

Worked this out with @rtrouton based on both his installation script as well as the one located at

Wanted to offer Xcode 8 (requires OS X 10.11.5 or later) to our user population via Self Service.

Downloaded the Xcode 8 installation package from the App Store using the App Store Capture Methodology (yes, VPP would be better), described at:

Added the 4.43GB installation package to the JSS, created a Self Service policy to install it, and used this script below (set to Run After) to handle all of the post-installation processing (so that users are not prompted for admin credentials). You may want to customize the script for your environment (we don't disable the Gatekeeper validation, and our users are already developers, nor do we have multiple versions of Xcode installed, so those line-items are disabled, but it's your call):


# Accept EULA so there is no prompt

if [[ -e "/Applications/" ]]; then
  "/Applications/" -license accept

# Just in case the xcodebuild command above fails to accept the EULA, set the license acceptance info 
# in /Library/Preferences/ For more details on this, see Tim Sutton's post: 

if [[ -e "/Applications/" ]]; then

   xcode_version_number=`/usr/bin/defaults read "/Applications/"Info CFBundleShortVersionString`
   xcode_build_number=`/usr/bin/defaults read "/Applications/"LicenseInfo licenseID`
   xcode_license_type=`/usr/bin/defaults read "/Applications/"LicenseInfo licenseType`

   if [[ "${xcode_license_type}" == "GM" ]]; then
       /usr/bin/defaults write "/Library/Preferences/" IDEXcodeVersionForAgreedToGMLicense "$xcode_version_number"
       /usr/bin/defaults write "/Library/Preferences/" IDELastGMLicenseAgreedTo "$xcode_build_number"
       /usr/bin/defaults write "/Library/Preferences/" IDEXcodeVersionForAgreedToBetaLicense "$xcode_version_number"
       /usr/bin/defaults write "/Library/Preferences/" IDELastBetaLicenseAgreedTo "$xcode_build_number"


# DevToolsSecurity tool to change the authorization policies, such that a user who is a
# member of either the admin group or the _developer group does not need to enter an additional
# password to use the Apple-code-signed debugger or performance analysis tools.

/usr/sbin/DevToolsSecurity -enable

# Add all users to developer group, if they're not admins

/usr/sbin/dseditgroup -o edit -a everyone -t group _developer

# If you have multiple versions of Xcode installed, specify which one you want to be current.

/usr/bin/xcode-select --switch /Applications/

# Bypass Gatekeeper verification for Xcode, which can take awhile.

if [[ -e "/Applications/" ]]; then xattr -dr /Applications/

# Install Mobile Device Packages so there is no prompt

if [[ -e "/Applications/" ]]; then
  /usr/sbin/installer -dumplog -verbose -pkg "/Applications/" -target /

if [[ -e "/Applications/" ]]; then
  /usr/sbin/installer -dumplog -verbose -pkg "/Applications/" -target /

# Install XcodeSystemResources.pkg so there is no prompt

if [[ -e "/Applications/" ]]; then
  /usr/sbin/installer -dumplog -verbose -pkg "/Applications/" -target /

exit 0
Like Comment
Order by:
SOLVED Posted: 9/15/16 at 11:35 AM by Echevarria

Awesome work gentleman. I'll try this out later today, you have made this request so much easier.
Muy bueno.

SOLVED Posted: 9/21/16 at 2:36 AM by donmontalvo

Wow...I may owe @RobertHammen a beer, and @rtrouton a Pepsi at JNUC2016...if they're going this year. :)

PS, any way to get the Additional Components installed without having to snapshoot? Thought the last two sections to install PKGs would eliminate that?

SOLVED Posted: 9/21/16 at 11:38 AM by RobertHammen

@donmontalvo Not seeing that. Are you sure the script is running? Because it should handle the licensing and install the components...

SOLVED Posted: 9/21/16 at 1:01 PM by donmontalvo

@RobertHammen hmm...I'll double check now, will shout back.

SOLVED Posted: 10/27/16 at 9:21 PM by Byte

@donmontalvo @RobertHammen @rtrouton

I get the prompt when going to xcode - preferences - components and i try to download an ios simulator
What part of this script is actually covering this?
Im running versions 7.3.1, 8.0 and 8.1GMSeed
Help please

SOLVED Posted: 11/9/16 at 1:15 PM by RobertHammen

@MaCaDmIn82 Simulators are a different story.

Some of the info documented here is still relevant:

Tim Sutton's Blog

Basically, you can start the download on your Mac, and the downloads still go to:


However, be aware:

1) the dmg files don't show up in the Finder, at least on my Mac (had to use Terminal)
2) after I mounted one of those dmg's, they also appeared empty/the pkg files had to be accessed/copied via Terminal

Might just be an anomaly on my Mac.

Anyway, you'd have to capture the .pkg files for the simulators, and install them/check where the files were actually installed - if in the Xcode app bundle itself, or in /Library, you're OK, but if in the ~/Library folder hierarchy, obviously you have a larger issue...

SOLVED Posted: 1/10/17 at 10:23 AM by dferrara

@RobertHammen Great work and thank you for sharing!

SOLVED Posted: 1/31/17 at 1:17 PM by ctarbox

@RobertHammen... Newbie here. Just wanted to say I tested this approach and it worked flawlessy (El Cap 10.11.6/xCode 8.2.1).

And learning how to capture. pkg's from MAS was very helpful too.

SOLVED Posted: 3/28/17 at 2:23 PM by baldiesrt

The debug menu is gone in Sierra.

Use this link instead of the one above to get the package from MAS

SOLVED Posted: 3/29/17 at 10:06 AM by baldiesrt


SOLVED Posted: 3/29/17 at 4:47 PM by jaz

Just out of interest, why not download Xcode directly from

SOLVED Posted: 3/30/17 at 10:27 AM by dstranathan

It still requires a "hop" from a browser to the Mac App Store app (and an Apple ID etc). It's not a "direct" download, correct?

SOLVED Posted: 3/30/17 at 4:47 PM by RobertHammen

@jazzyj When I go to download Xcode from it takes me right to the App Store to download. Previous versions on that site have a .XIP file which is significantly larger than the App Store .pkg file, and to which no native tools can use.

SOLVED Posted: 4/12/17 at 9:02 AM by dfarnworth_barc

If you go to, and click Downloads on the left then scroll to the bottom, there's a link saying: "Don't see what you're looking for? See more downloads", click that and you can download the XIP. Or the direct URL is

SOLVED Posted: 5/16/17 at 11:21 AM by donmontalvo

@dfarnworth_barc pretty sure you're thinking of older versions of Xcode being downloadable. New version will always direct you to App Store. [See correction below] Apple provides downloads for versions are provided so developers can run concurrent versions and use xcode-select to toggle between versions. Like when a developer needs to create something for an older iOS version that the new version of Xcode doesn't support iOS Simulators for that iOS version.

@RobertHammen My apologies, I forgot to circle back after testing. The only difference between this process and ours, we don't hijack Apple's App Store packages. Instead we allow App Store to install, and we grab it from there. This way we don't get in the way of the App Store process, and a proper _MASReceipt is present.

Pretty sure first launch prompted me, thinking back it may have been to install or update Command Line Tools. We ended up adding a line to the script to run /usr/bin/xcode-select --install, but I have to search through my notes.

We were packaging iOS Simulators but are trying to avoid having to deal with that madness (that's a lot of bits dude!)...we opened a ticket with AppleCare Enterprise Support to see if they've got a command line method to install so we don't have to reinvent the wheel.

Yea, admin rights would alleviate this, but we have to play by the rules. Admin rights where I'm employed requires a Security Exception. Queue in the occasional "You're not doing it my way, so you're doing it rong!" mantras...#rollsEyes

Not interested in being on the front page of <redacted> with the headline"Famous company hacked because IT Department was too cool to give a $#!+". My mom isn't famous, so being employable is a thing for most of us.

SOLVED Posted: 5/16/17 at 11:27 AM by gregneagle

Xcode is still available for (non-App Store) download from the Apple Developer site. You need to be a registered developer.

SOLVED Posted: 5/16/17 at 11:37 AM by donmontalvo

@gregneagle hmmm...the 8.3.2 download link takes us back to App Store.

Is there a hidden link you might want to share? :):):)

EDIT: I stand corrected:

SOLVED Posted: 5/16/17 at 12:03 PM by Byte

@donmontalvo We were packaging iOS Simulators but are trying to avoid having to deal with that madness (that's a lot of bits dude!)...we opened a ticket with AppleCare Enterprise Support to see if they've got a command line method to install so we don't have to reinvent the wheel.

Let me know if you do get a response of some sort as I do it the manual way as well and no admin rights for my users
Would love to know if apple has a solution to this


SOLVED Posted: 5/17/17 at 12:16 PM by franton

I solved the simulator issue by allowing the user to install them without admin rights. I've a highly modified script I run after Xcode deployment to make it all possible.

SOLVED Posted: 5/18/17 at 11:52 AM by djdavetrouble

Thanks @franton great script, saved me a bit of time!

SOLVED Posted: 5/18/17 at 3:03 PM by donmontalvo

Using the collaborative script(s) on this is what we got from Apple regarding iOS Simulators requiring admin rights:

Hello Don, I reviewed the script you provided and, because "everyone" is being added to the developer group, you can modify the authorizations database to allow developers to install Apple provided software by running the following command: sudo security authorizationdb write authenticate-developer System Integrity Protection(SIP) will not prevent you from performing this task. Please note that the combination of adding everyone to the _developer group and allowing any member of _developer to install Apple provided software means that any user can install Apple provided software. If that presents a concern, you'll need to modify your script to add specific users to _developer instead of adding everyone. Please let me know if you have additional questions. Regards, XXXXXXXX

Basically added these two commands to @RobertHammen's excellent and quite useful script:

# Install Command Line Tools.

if [[ /usr/bin/xcode-select ]]; then
    /usr/bin/xcode-select --install

# Allow any member of _developer to install Apple provided software.

/usr/bin/security authorizationdb write authenticate-developer
SOLVED Posted: 6/9/17 at 5:04 PM by donmontalvo

@MaCaDmIn82 confirmed two things today.

First, this command, added to @RobertHammen's script, as per AppleCare Enterprise Support, does indeed enable non-admin developers to install iOS Simulators without prompting for admin rights. #fistPump:

/usr/bin/security authorizationdb write authenticate-developer

Confirmed that deplying non-App Store copy of Apple Xcode 8.3.2, and following it up with the Command Line Tools for that same version, available from the site did the trick.

Install is silent, whether someone is logged on to the Mac or not...and whether the user has admin rights or not.

Just in time for the weekend!

SOLVED Posted: 6/10/17 at 10:39 AM by gregneagle
this command, added to @RobertHammen's script, as per AppleCare Enterprise Support, does indeed enable non-admin developers to install iOS Simulators without prompting for admin rights. #fistPump:
/usr/bin/security authorizationdb write authenticate-developer

Pretty sure this allows anyone in the developer group (and since you've added everyone to the developer group, allows everyone) to install anything from softwareupdate without prompting for admin rights ( That might be acceptable, but make sure you understand the ramifications. It may also allow the install of other "apple-software" from other sources.

SOLVED Posted: 6/10/17 at 12:53 PM by donmontalvo

@gregneagle understood, and agreed. The AppleCare Engineer explained that would happen. We discussed risk, support, etc.

Two options for VPP deployment of Xcode. Apple's suggestion that elevates rights for install of Apple related stuff, or Local Admin Privileges (user requests security exception) that elevates rights across the board. We can provide most of the automation as a policy that user has to trigger through Self Service, but there is a hole.

If we deploy non-AppStore version of Xcode, we can add Command Line tools, and all the settings/suppression, to the payload. This should cover all prompts, but we are still getting a prompt due to only one of three additional required component packages installing (strange; looking into it). Same hole as VPP method.

Our intent is to provide deployment via VPP plus one Self Service policy, which results in user getting the limited elevated rights as suggested by Apple.

Or to deployment the old way, by deploying non-AppStore version, plus Command Line Tools, plus the script that gives user limited elevated rights as suggested by Apple.

The third option would be user can either submit a request for a security exception (to get Local Admin Privileges), or call Help Desk each time he/she gets a prompt.

Its good to know Apple is taking these admin prompts seriously, hopefully they'll do something soon so we won't have to jump through so many hoops to deploy their software. :)

SOLVED Posted: 6/10/17 at 12:57 PM by franton

@gregneagle @donmontalvo I can't go into too much detail (work NDA etc) but I've been facing this exact problem. I've tested a couple of the privilege escalation tools (avecto being the big one) only to find they don't actually work with Xcode.

I hit on the authorisation db change because our users are not admin, and being able to install Apple updates is actually a big concern of our CISO dept: namely they want the OS patched and I don't care if users do it, or my system implementation does it :)

SOLVED Posted: 8/24/17 at 1:22 PM by gshackney

Question to @franton @donmontalvo @RobertHammen ,
Lets say this was not done through self service, would this script then have to be run per user at login? Or could we run the bulk of the script once and just have users added to the developer group at login? Since all the users are not logged in yet, my question is the script adding any user created after the script is run to the developers group or does this have to happen as they login and get created?

Gabe Shackney
Princeton Public Schools

SOLVED Posted: 8/24/17 at 1:23 PM by franton

Nope, you run this exactly once. Nothing user specific in my script.

SOLVED Posted: 8/24/17 at 9:28 PM by donmontalvo


@franton will we see you at this year's JNUC?

SOLVED Posted: 8/24/17 at 11:43 PM by franton

October 26th, 11:30am in the Greenway Ballroom. I'm the Smart Card talk :D

SOLVED Posted: 4/4/18 at 8:39 PM by eng

I wrote a tool today that should help others to download and ultimately install Xcode simulators via pkg installations. It's called "makexcodesimulators".

This has only been tested with Xcode 9.3 but it should theoretically work on older versions. Hope it helps.


SOLVED Posted: 4/5/18 at 2:36 AM by franton

@eng that's very nice. nice work! I ended up approaching things from a different angle and I now include this code with my org's finalisation script. It allows non admin users to install the same products by themselves. I have not found any adverse effects from this ... yet.

# alter authorisation database to allow installation of apple components without admin rights
security authorizationdb read > /tmp/xcode.plist
defaults write /tmp/xcode.plist rule -array authenticate-session-owner-or-admin
security authorizationdb write < /tmp/xcode.plist
SOLVED Posted: 4/5/18 at 7:40 AM by eng

Our users are admins, but we have "build servers" to test our apps prior to release.

We needed something that could be fully automated and unfortunately I had to figure out what it is that Xcode was doing.

This tool will parse out all of the simulators available for your version of Xcode and allow you to download them. After it downloads, it wraps the original Apple installed with productbuild using the customLocation key to allow the package to properly install. But the original package still has its signing certificates in case Apple is validating this somewhere else.

I imagine Apple uses relative links because they have changed the install path three times now, but my hope is the current folder is now the permanent one (/Library/Developer/continue/long/path)