Adding your organization's common tools or newly-installed items to a user's
Dock can minimize confusion for your colleagues, and is a common task for Mac
For those managing their fleet with Jamf Pro, the jamf binary includes a
modifyDock command which allows you to apply certain Dock modifications. It
isn't a fully-featured Dock management tool, but it does include enough
functionality to add new items to a user's Dock.
I was recently working on a project where I needed to conditionally add a Dock
item based on some scripted logic. I wanted to minimize external dependencies,
so I developed a method to leverage the jamf binary's built-in Dock management
capability and its -file flag to complete the task.
I'm a stickler for including icons for all policies available in Jamf Pro's Self
Service app. They help users find items in Self Service, and generally make the
app easier to use.
However, I don't like manually extracting icons from apps. It's easy enough with
a tool like SAP's Icons app, but if I'm automating package and
policy creation with AutoPkg, I should similarly be able to automate icon
At its core, AppIconExtractor examines an app and exports its icon as a PNG
More technically, it reads the CFBundleIconFile property from an app's
Info.plist and saves that image as a PNG file at the path of your choice.
Additionally, AppIconExtractor can create icon variations by compositing a
secondary image on top of the app's icon. This makes it simple to automatically
create a version of an icon with a destructive "red X" icon superimposed over
the app icon for use in uninstallation policies, or a version with an "update"
graphic for use in policies that update an app.
Hannes Juutilainen's VirusTotalAnalyzer is a fantastic AutoPkg
postprocessor. It automatically queries VirusTotal to analyze items
downloaded by AutoPkg and detect potential malware.
VirusTotalAnalyzer was designed to run as a postprocessor.
AutoPkg postprocessors allow you to add extra "steps" to an AutoPkg recipe at
runtime without modifying the recipe itself. By this convention,
VirusTotalAnalyzer scans files after all other recipe steps have completed. This
means a recipe cannot conditionally act on the VirusTotal scan results; the
query happens after the recipe has otherwise finished.
In practice, code signature verification, recipe trust
verification, and after-the-fact VirusTotal scanning offer strong
protections against malicious software. Most Mac admins also report "never"
seeing VirusTotal flag a vendor package; or if they have seen it, investigation
revealed a false positive.
However, many AutoPkg workflows directly upload or import software packages to a
Munki repository or Jamf Pro distribution point as part of a recipe run. If
VirusTotal engines flag an item, VirusTotalAnalyzer reports on the detection
after the item is already uploaded to your systems. Further, most
highly-automated AutoPkg workflows begin deploying the newly-uploaded software
to a test group (or all endpoints) as soon as the recipe completes.
You may require additional assurance that downloaded software is not flagged by
VirusTotal, and want to prevent any flagged files from being uploaded to your
software distribution points.
You can do this by using a custom recipe that runs VirusTotalAnalyzer as a
regular processor – instead of as a postprocessor – combined with the
StopProcessingIf processor. This allows you to terminate a recipe if VirusTotal
reports any hits before subsequent recipe steps upload an item to your
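
The following is an added example, not code from the original post, AutoPkg, or VirusTotalAnalyzer. It is a toy Python model of a recipe run, contrasting a scan that runs last (postprocessor order) with a scan followed by a stop gate placed before the upload step. The step names, the `env` keys, and the "hits/engines" ratio string are assumptions made for illustration.

```python
import re

_RATIO = re.compile(r"^\s*(\d+)\s*/\s*(\d+)\s*$")

def should_stop(ratio, max_hits=0):
    """True when the run must halt before upload. Fails closed: a missing,
    malformed or zero-engine result is treated the same as a detection."""
    m = _RATIO.match(ratio or "")
    if not m:
        return True
    hits, engines = int(m.group(1)), int(m.group(2))
    if engines == 0 or hits > engines:
        return True
    return hits > max_hits

def run(steps, env):
    """Toy recipe runner: steps execute in order until one sets env['stop']."""
    ran = []
    for step in steps:
        step(env)
        ran.append(step.__name__)
        if env.get("stop"):
            break
    return ran

def download(env):
    env["pathname"] = "/tmp/Example-1.0.pkg"  # constructed sample path

def scan(env):
    # Stands in for the VirusTotal query; the result is constructed test input.
    env["vt_ratio"] = env["constructed_scan_result"]

def gate(env):
    env["stop"] = should_stop(env.get("vt_ratio"))

def upload(env):
    env["uploaded"] = env["pathname"]

def postprocessor_order(ratio):
    env = {"constructed_scan_result": ratio}
    run([download, upload, scan], env)  # scan runs last: it cannot block upload
    return env.get("uploaded")

def inline_order(ratio):
    env = {"constructed_scan_result": ratio}
    run([download, scan, gate, upload], env)  # gate sits between scan and upload
    return env.get("uploaded")

if __name__ == "__main__":
    for r in ("0/70", "3/70", None, "n/a"):
        print(repr(r), "post:", postprocessor_order(r), "inline:", inline_order(r))
```

The gate treats an absent or unparseable result as a reason to stop, so a failed lookup does not let a package through to the distribution point.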