Skip to main content
Jamf Nation, hosted by Jamf, is a dynamic and knowledgeable community of Apple-focused IT admins and Jamf Pro users. Join us in person, in October, for the annual Jamf Nation User Conference (JNUC) to discover new and better ways to manage Apple devices.
CCA Badge CCE Badge CJA Badge
25

Deploying Xcode 8 via Self-Service - a how-to

Posted: 9/15/16 at 9:56 AM by RobertHammen


Worked this out with @rtrouton based on both his installation script as well as the one located at cobbservations.wordpress.com

Wanted to offer Xcode 8 (requires OS X 10.11.5 or later) to our user population via Self Service.

Downloaded the Xcode 8 installation package from the App Store using the App Store Capture Methodology (yes, VPP would be better), described at:

https://derflounder.wordpress.com/2013/10/19/downloading-microsofts-remote-desktop-installer-package-from-the-app-store/

Added the 4.43GB installation package to the JSS, created a Self Service policy to install it, and used this script below (set to Run After) to handle all of the post-installation processing (so that users are not prompted for admin credentials). You may want to customize the script for your environment (we don't disable the Gatekeeper validation, and our users are already developers, nor do we have multiple versions of Xcode installed, so those line-items are disabled, but it's your call):

#!/bin/bash

# Accept EULA so there is no prompt

if [[ -e "/Applications/Xcode.app/Contents/Developer/usr/bin/xcodebuild" ]]; then
  "/Applications/Xcode.app/Contents/Developer/usr/bin/xcodebuild" -license accept
fi

# Just in case the xcodebuild command above fails to accept the EULA, set the license acceptance info 
# in /Library/Preferences/com.apple.dt.Xcode.plist. For more details on this, see Tim Sutton's post: 
# http://macops.ca/deploying-xcode-the-trick-with-accepting-license-agreements/

if [[ -e "/Applications/Xcode.app/Contents/Resources/LicenseInfo.plist" ]]; then

   xcode_version_number=`/usr/bin/defaults read "/Applications/Xcode.app/Contents/"Info CFBundleShortVersionString`
   xcode_build_number=`/usr/bin/defaults read "/Applications/Xcode.app/Contents/Resources/"LicenseInfo licenseID`
   xcode_license_type=`/usr/bin/defaults read "/Applications/Xcode.app/Contents/Resources/"LicenseInfo licenseType`

   if [[ "${xcode_license_type}" == "GM" ]]; then
       /usr/bin/defaults write "/Library/Preferences/"com.apple.dt.Xcode IDEXcodeVersionForAgreedToGMLicense "$xcode_version_number"
       /usr/bin/defaults write "/Library/Preferences/"com.apple.dt.Xcode IDELastGMLicenseAgreedTo "$xcode_build_number"
    else
       /usr/bin/defaults write "/Library/Preferences/"com.apple.dt.Xcode IDEXcodeVersionForAgreedToBetaLicense "$xcode_version_number"
       /usr/bin/defaults write "/Library/Preferences/"com.apple.dt.Xcode IDELastBetaLicenseAgreedTo "$xcode_build_number"
   fi       

fi

# DevToolsSecurity tool to change the authorization policies, such that a user who is a
# member of either the admin group or the _developer group does not need to enter an additional
# password to use the Apple-code-signed debugger or performance analysis tools.

/usr/sbin/DevToolsSecurity -enable

# Add all users to developer group, if they're not admins

/usr/sbin/dseditgroup -o edit -a everyone -t group _developer

# If you have multiple versions of Xcode installed, specify which one you want to be current.

/usr/bin/xcode-select --switch /Applications/Xcode.app

# Bypass Gatekeeper verification for Xcode, which can take awhile.

if [[ -e "/Applications/Xcode.app" ]]; then xattr -dr com.apple.quarantine /Applications/Xcode.app
fi

# Install Mobile Device Packages so there is no prompt

if [[ -e "/Applications/Xcode.app/Contents/Resources/Packages/MobileDevice.pkg" ]]; then
  /usr/sbin/installer -dumplog -verbose -pkg "/Applications/Xcode.app/Contents/Resources/Packages/MobileDevice.pkg" -target /
fi

if [[ -e "/Applications/Xcode.app/Contents/Resources/Packages/MobileDeviceDevelopment.pkg" ]]; then
  /usr/sbin/installer -dumplog -verbose -pkg "/Applications/Xcode.app/Contents/Resources/Packages/MobileDeviceDevelopment.pkg" -target /
fi

# Install XcodeSystemResources.pkg so there is no prompt

if [[ -e "/Applications/Xcode.app/Contents/Resources/Packages/XcodeSystemResources.pkg" ]]; then
  /usr/sbin/installer -dumplog -verbose -pkg "/Applications/Xcode.app/Contents/Resources/Packages/XcodeSystemResources.pkg" -target /
fi

exit 0
25
CCA Badge CCE Badge CMA Badge

Posted: 9/15/16 at 11:35 AM by Echevarria

Awesome work gentleman. I'll try this out later today, you have made this request so much easier.
Muy bueno.

CCA Badge CCE Badge CMA Badge CUG Badge

Posted: 9/21/16 at 2:36 AM by donmontalvo

Wow...I may owe @RobertHammen a beer, and @rtrouton a Pepsi at JNUC2016...if they're going this year. :)

PS, any way to get the Additional Components installed without having to snapshoot? Thought the last two sections to install PKGs would eliminate that?


CCA Badge CCE Badge CJA Badge

Posted: 9/21/16 at 11:38 AM by RobertHammen

@donmontalvo Not seeing that. Are you sure the script is running? Because it should handle the licensing and install the components...

CCA Badge CCE Badge CMA Badge CUG Badge

Posted: 9/21/16 at 1:01 PM by donmontalvo

@RobertHammen hmm...I'll double check now, will shout back.

Posted: 10/27/16 at 9:21 PM by Byte

@donmontalvo @RobertHammen @rtrouton

I get the prompt when going to xcode - preferences - components and i try to download an ios simulator
What part of this script is actually covering this?
Im running versions 7.3.1, 8.0 and 8.1GMSeed
Help please

CCA Badge CCE Badge CJA Badge

Posted: 11/9/16 at 1:15 PM by RobertHammen

@MaCaDmIn82 Simulators are a different story.

Some of the info documented here is still relevant:

Tim Sutton's Blog

Basically, you can start the download on your Mac, and the downloads still go to:

~/Library/Caches/com.apple.dt.Xcode/Downloads

However, be aware:

1) the dmg files don't show up in the Finder, at least on my Mac (had to use Terminal)
2) after I mounted one of those dmg's, they also appeared empty/the pkg files had to be accessed/copied via Terminal

Might just be an anomaly on my Mac.

Anyway, you'd have to capture the .pkg files for the simulators, and install them/check where the files were actually installed - if in the Xcode app bundle itself, or in /Library, you're OK, but if in the ~/Library folder hierarchy, obviously you have a larger issue...

CCA Badge CCE Badge

Posted: 1/10/17 at 10:23 AM by dferrara

@RobertHammen Great work and thank you for sharing!

Posted: 1/31/17 at 1:17 PM by ctarbox

@RobertHammen... Newbie here. Just wanted to say I tested this approach and it worked flawlessy (El Cap 10.11.6/xCode 8.2.1).

And learning how to capture. pkg's from MAS was very helpful too.

Posted: 3/28/17 at 2:23 PM by baldiesrt

The debug menu is gone in Sierra.

Use this link instead of the one above to get the package from MAS
https://derflounder.wordpress.com/2015/11/19/downloading-installer-packages-from-the-mac-app-store-with-appstoreextract/

Posted: 3/29/17 at 10:06 AM by baldiesrt

Disregard!

Posted: 3/29/17 at 4:47 PM by jaz

Just out of interest, why not download Xcode directly from developer.apple.com?

CCT Badge

Posted: 3/30/17 at 10:27 AM by dstranathan

It still requires a "hop" from a browser to the Mac App Store app (and an Apple ID etc). It's not a "direct" download, correct?

CCA Badge CCE Badge CJA Badge

Posted: 3/30/17 at 4:47 PM by RobertHammen

@jazzyj When I go to download Xcode from developer.apple.com it takes me right to the App Store to download. Previous versions on that site have a .XIP file which is significantly larger than the App Store .pkg file, and to which no native tools can use.

Posted: 4/12/17 at 9:02 AM by dfarnworth_barc

If you go to developer.apple.com, and click Downloads on the left then scroll to the bottom, there's a link saying: "Don't see what you're looking for? See more downloads", click that and you can download the XIP. Or the direct URL is https://developer.apple.com/download/more/

CCA Badge CCE Badge CMA Badge CUG Badge

Posted: 5/16/17 at 11:21 AM by donmontalvo

@dfarnworth_barc pretty sure you're thinking of older versions of Xcode being downloadable. New version will always direct you to App Store. [See correction below] Apple provides downloads for versions are provided so developers can run concurrent versions and use xcode-select to toggle between versions. Like when a developer needs to create something for an older iOS version that the new version of Xcode doesn't support iOS Simulators for that iOS version.

@RobertHammen My apologies, I forgot to circle back after testing. The only difference between this process and ours, we don't hijack Apple's App Store packages. Instead we allow App Store to install, and we grab it from there. This way we don't get in the way of the App Store process, and a proper _MASReceipt is present.

Pretty sure first launch prompted me, thinking back it may have been to install or update Command Line Tools. We ended up adding a line to the script to run /usr/bin/xcode-select --install, but I have to search through my notes.

We were packaging iOS Simulators but are trying to avoid having to deal with that madness (that's a lot of bits dude!)...we opened a ticket with AppleCare Enterprise Support to see if they've got a command line method to install so we don't have to reinvent the wheel.

Yea, admin rights would alleviate this, but we have to play by the rules. Admin rights where I'm employed requires a Security Exception. Queue in the occasional "You're not doing it my way, so you're doing it rong!" mantras...#rollsEyes

Not interested in being on the front page of <redacted> with the headline"Famous company hacked because IT Department was too cool to give a $#!+". My mom isn't famous, so being employable is a thing for most of us.

Posted: 5/16/17 at 11:27 AM by gregneagle

Xcode is still available for (non-App Store) download from the Apple Developer site. You need to be a registered developer.

CCA Badge CCE Badge CMA Badge CUG Badge

Posted: 5/16/17 at 11:37 AM by donmontalvo

@gregneagle hmmm...the 8.3.2 download link https://developer.apple.com/download/ takes us back to App Store.

Is there a hidden link you might want to share? :):):)

EDIT: I stand corrected: http://adcdownload.apple.com/Developer_Tools/Xcode_8.3.2/Xcode8.3.2.xip

Posted: 5/16/17 at 12:03 PM by Byte

@donmontalvo We were packaging iOS Simulators but are trying to avoid having to deal with that madness (that's a lot of bits dude!)...we opened a ticket with AppleCare Enterprise Support to see if they've got a command line method to install so we don't have to reinvent the wheel.

Let me know if you do get a response of some sort as I do it the manual way as well and no admin rights for my users
Would love to know if apple has a solution to this

Cheers

CCA Badge CJA Badge CMA Badge

Posted: 5/17/17 at 12:16 PM by franton

I solved the simulator issue by allowing the user to install them without admin rights. I've a highly modified script I run after Xcode deployment to make it all possible.

https://github.com/franton/Xcode-Scripts/blob/master/finalise.sh

CCT Badge CCA Badge CCE Badge

Posted: 5/18/17 at 11:52 AM by djdavetrouble

Thanks @franton great script, saved me a bit of time!

CCA Badge CCE Badge CMA Badge CUG Badge

Posted: 5/18/17 at 3:03 PM by donmontalvo

Using the collaborative script(s) on this forum..here is what we got from Apple regarding iOS Simulators requiring admin rights:

Hello Don, I reviewed the script you provided and, because "everyone" is being added to the developer group, you can modify the authorizations database to allow developers to install Apple provided software by running the following command: sudo security authorizationdb write system.install.apple-software authenticate-developer System Integrity Protection(SIP) will not prevent you from performing this task. Please note that the combination of adding everyone to the _developer group and allowing any member of _developer to install Apple provided software means that any user can install Apple provided software. If that presents a concern, you'll need to modify your script to add specific users to _developer instead of adding everyone. Please let me know if you have additional questions. Regards, XXXXXXXX

Basically added these two commands to @RobertHammen's excellent and quite useful script:

# Install Command Line Tools.

if [[ /usr/bin/xcode-select ]]; then
    /usr/bin/xcode-select --install
fi

# Allow any member of _developer to install Apple provided software.

/usr/bin/security authorizationdb write system.install.apple-software authenticate-developer
CCA Badge CCE Badge CMA Badge CUG Badge

Posted: 6/9/17 at 5:04 PM by donmontalvo

@MaCaDmIn82 confirmed two things today.

First, this command, added to @RobertHammen's script, as per AppleCare Enterprise Support, does indeed enable non-admin developers to install iOS Simulators without prompting for admin rights. #fistPump:

/usr/bin/security authorizationdb write system.install.apple-software authenticate-developer

Confirmed that deplying non-App Store copy of Apple Xcode 8.3.2, and following it up with the Command Line Tools for that same version, available from the https://developer.apple.com/download/more/ site did the trick.

Install is silent, whether someone is logged on to the Mac or not...and whether the user has admin rights or not.

Just in time for the weekend!
Don

Posted: 6/10/17 at 10:39 AM by gregneagle

this command, added to @RobertHammen's script, as per AppleCare Enterprise Support, does indeed enable non-admin developers to install iOS Simulators without prompting for admin rights. #fistPump:
/usr/bin/security authorizationdb write system.install.apple-software authenticate-developer

Pretty sure this allows anyone in the developer group (and since you've added everyone to the developer group, allows everyone) to install anything from softwareupdate without prompting for admin rights (system.install.apple-software). That might be acceptable, but make sure you understand the ramifications. It may also allow the install of other "apple-software" from other sources.

CCA Badge CCE Badge CMA Badge CUG Badge

Posted: 6/10/17 at 12:53 PM by donmontalvo

@gregneagle understood, and agreed. The AppleCare Engineer explained that would happen. We discussed risk, support, etc.

Two options for VPP deployment of Xcode. Apple's suggestion that elevates rights for install of Apple related stuff, or Local Admin Privileges (user requests security exception) that elevates rights across the board. We can provide most of the automation as a policy that user has to trigger through Self Service, but there is a hole.

If we deploy non-AppStore version of Xcode, we can add Command Line tools, and all the settings/suppression, to the payload. This should cover all prompts, but we are still getting a prompt due to only one of three additional required component packages installing (strange; looking into it). Same hole as VPP method.

Our intent is to provide deployment via VPP plus one Self Service policy, which results in user getting the limited elevated rights as suggested by Apple.

Or to deployment the old way, by deploying non-AppStore version, plus Command Line Tools, plus the script that gives user limited elevated rights as suggested by Apple.

The third option would be user can either submit a request for a security exception (to get Local Admin Privileges), or call Help Desk each time he/she gets a prompt.

Its good to know Apple is taking these admin prompts seriously, hopefully they'll do something soon so we won't have to jump through so many hoops to deploy their software. :)

CCA Badge CJA Badge CMA Badge

Posted: 6/10/17 at 12:57 PM by franton

@gregneagle @donmontalvo I can't go into too much detail (work NDA etc) but I've been facing this exact problem. I've tested a couple of the privilege escalation tools (avecto being the big one) only to find they don't actually work with Xcode.

I hit on the authorisation db change because our users are not admin, and being able to install Apple updates is actually a big concern of our CISO dept: namely they want the OS patched and I don't care if users do it, or my system implementation does it :)