Deploy Custom Apps to Mac computers with Fleetsmith
Custom Apps is a powerful feature that lets you deploy any software your company uses through Fleetsmith. It provides a simple, script-free interface you can use to deploy any custom .pkg file, such as your own internal tools and apps that include a kernel extension.
Get the direct link to your custom package
The custom package (.pkg) file should be hosted on a cloud service where it can be accessed with a URL. Here are a few things to keep in mind when entering the URL to your hosted package:
After the Custom App is created, this URL can’t be changed.
URLs to custom packages normally end in .pkg.
The URL must be publicly accessible and visiting it should start an automatic download, not result in a landing “Click to download” page.
Confirm that the URL is correct before creating the Custom App. Fleetsmith doesn’t validate URLs, so an incorrect link could cause issues after the Custom App is deployed.
Find the SHA-256 hash
After you enter the URL of your custom package, you enter the SHA-256 hash, which Fleetsmith uses to ensure that the downloaded packages are complete and can be trusted. The SHA-256 hash is unique for a given version of the package.
Note: <file> should be the path to the file location of the package you are deploying, such as /users/TestUser/Downloads/Customapp.pkg.
To obtain the SHA-256 binary hash for a package, use one of the following three commands (depending on which version of macOS you’re running):
shasum -a 256 <file>
openssl sha -sha256 <file>
openssl sha256 <file>
For example:
836dc987bd6aa6551a94abb009f95f64cd570c0171afe6fcf0d53a84f730dbdd
Create a Custom App

In the Fleetsmith Admin Console, navigate to Custom Apps in the sidebar, then select the + Custom App button.
Give your Custom App a name and, optionally, a description.
If your app isn’t already installed, upload your custom package to a cloud service where it can be accessed with a URL, then enter the URL and SHA-256 hash.
If your app requires system extensions or legacy kernel extensions, add those under Additional Settings.
If necessary, allow the app to access TCC-protected user and system resources without having macOS prompt users for approval in System Preferences by adding the appropriate details in Privacy Preferences.
Configure system extensions
If your Custom App uses a system extension, you can approve the team and bundle IDs that identify it in macOS so that your users don’t need to manually approve it in System Preferences. To do so, gather information on the system extension in the Terminal app.
Install the app on a test Mac, and approve the system extension in System Preferences > Security & Privacy.
Open the Terminal app, then run the following command:
systemextensionsctl list
A list of the system extensions that are approved or pending approval will appear. Columns in this list provide the teamID (for example, EG7KH642X6) and bundleID (for example, com.domain.app-name) of the app’s system extensions. Note these values down for each system extension pertinent to the app.
Enter the values noted for your app’s system extension into the appropriate fields in Fleetsmith.
Configure kernel extensions
If your Custom App uses a kernel extension (kext), you can approve the team and bundle IDs that identify it in macOS so that your users don’t need to manually approve it in System Preferences. To do so, gather information on the kext in the Terminal app.
Install the app on a test Mac, and approve the kext from System Preferences > Security & Privacy.
Open the Terminal app, then run the following commands:
sudo sqlite3 /private/var/db/SystemPolicyConfiguration/KextPolicy
select * from kext_policy;
A list of loaded kexts is shown, which includes the team ID (for example, EG7KH642X6) and bundle ID (for example, com.domain.app-name). Note the values of the kext relevant to your Custom App (if the app requires multiple kexts, there may be more than one bundle ID, or even team ID).
Press Control-D to exit sqlite3, then quit the Terminal app.
Configure privacy preferences
The Privacy Preferences Policy Control (PPPC) payload automatically approves data permission requests so that users aren’t prompted multiple times to approve apps requesting specific access. PPPC approval requires both a bundle ID and the code signature for the app you want to grant PPPC access to. A bundle ID commonly follows the format . Your app’s developer creates the bundle ID, so the format may vary. To configure these, gather information on your Custom App in the Terminal app.
Install the app on a test Mac.
Open the Terminal app, then run the following command:
codesign --display -r- <path-to-file>
Note: <path-to-file> should be the path to the file location of the app you are deploying, such as /users/John/Applications/My App.app.
Copy the text that appears. For example:
identifier "com.company.MyApp" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG1K16X2X6
Apps that have been approved with Fleetsmith don’t appear where they normally would (in System Preferences > Security & Privacy > Security > Full Disk Access). However, the PPPC policy found in the Profiles pane of System Preferences accurately reflects whether that app has been approved to have Full Disk Access.