Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New Optional Key: Pre-warm .apps on macOS Sonoma #1180

Open
erikng opened this issue Jun 21, 2023 · 6 comments
Open

New Optional Key: Pre-warm .apps on macOS Sonoma #1180

erikng opened this issue Jun 21, 2023 · 6 comments
Labels
Feature Request

Comments

@erikng
Copy link
Contributor

erikng commented Jun 21, 2023 

/usr/bin/gktool is a new command line tool to assess Gatekeeper Policy on applications. gktool can be called to pre-warm the system cache so users do not see the ‘Verifying…’ dialog on first launch of an application. (109793778)

Apple now has a tool we can use to pre-warm applications and reduce this popup on launches. This might be a desirable feature for admins to have this as an automated post-install action for any .apps.

<key>PreWarm</key>
<true/>

For other .pkg based installations, it would be up to the admin to write a custom script or this could be an array of .app paths

<key>PreWarmPaths</key>
<array>
  <string>/Applications/Foo.app</string>
  <string>/Applications/Bar.app</string>
</array>

This second option could be added to autopkg munki recipes and is my preferred method.
@gregneagle
Copy link
Contributor

I’d need to understand this more. Does it have to be run in a user context? Does it potentially take a long time to run? Have you done a proof-of-concept with postinstall_scripts?

@erikng
Copy link
Contributor Author

erikng commented Jun 21, 2023

Good questions, I have zero answers for you. I saw it in the beta 2 developer notes just now and thought it was really cool.

@erikng
Copy link
Contributor Author

erikng commented Jun 21, 2023

Perhaps @nmcspadden will have answers as he said he would try it out.

@vmiller
Copy link

vmiller commented Jun 23, 2023

I was able to do some testing with this new binary. As @gregneagle suggested, it can be leveraged in a postinstall_script without any modifications to Munki code.

To answer Greg's questions :

  • in my testing it did not need to be run in a user context and could be run as root
  • While I didn't time it, it appears to take the same amount of time as the "verifying" dialog the user would see on first run. The larger the app the longer it takes (either the user gui or the gktool binary

If others are reading this and interested in testing it for themselves, here is a sample postinstall_script :

    <key>postinstall_script</key>
    <string>#!/bin/sh

if [ -f /usr/bin/gktool ]
then
    /usr/bin/gktool scan /Applications/Foo.app
fi</string>

@vmiller
Copy link

vmiller commented Jun 26, 2023

I verified that this also works with no user logged in (munki installing at the login window)

@gregneagle
Copy link
Contributor

The fact that it takes time to run (and I assume the tool doesn't return until it's finished) would lead to some tradeoffs here. if a user is interacting with Managed Software Center and it's installing multiple things, the user now has to wait for these scans to complete before MSC finishes. If it's scanning an app the user doesn't really care about right now, like, say Xcode, but that user really wants the new Zoom to install, now the user is annoyed. I think some thought and discussion will need to happen before any modifications to Munki can be made.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Feature Request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gregneagle @vmiller @erikng