Skip to Content
GuidesDeploy Determinate with MDM

Deploy Determinate with MDM

Most users should use the standard getting started guides for organizations or individuals.

  • Audience: IT administrators
  • Technical assumptions: JAMF, Mosyle, or a similar MDM provider for macOS

In this guide, you’ll create a “self-service” application that executes the script at the end of this article.

Security considerations

The script below behaves similarly to Installomator in that it validates the package before installing:

  • The package isn’t re-installed if there is no update.
  • The package is signed by our Apple Developer ID (X3JQ4VPJZ6).

A non-root user with administrative privileges needs to execute this script.

Handling updates

Re-run the installation script to update Determinate and Nix.

Uninstallation

To uninstall Determinate:

Uninstall Nix
sudo /nix/nix-installer uninstall

Installation script

install-via-mdm.sh
#!/bin/sh
 
set -eu
 
scratch=$(mktemp -p /tmp -d -t determinate.XXXXXXXXXX)
finish() {
  rm -rf "$scratch"
}
trap finish EXIT
 
realScratch=$(realpath "$scratch")
 
TEAM_ID="X3JQ4VPJZ6"
 
(pkgutil --pkg-info-plist systems.determinate.Determinate 2> /dev/null || true) > "$realScratch/installed.plist"
 
installedVersion=$(defaults read "$realScratch/installed.plist" pkg-version 2> /dev/null|| true)
 
downloadUrl=$(curl -w "%{url_effective}\n" -I -L -s -S https://install.determinate.systems/determinate-pkg/stable/Universal -o /dev/null)
currentlyReleased=$(echo "$downloadUrl" | cut -d/ -f4)
 
echo "Installed: ${installedVersion:-n/a}"
echo "Current release: $currentlyReleased"
 
if [ "$installedVersion" = "$currentlyReleased" ]; then
  echo "No update required."
  exit 0
fi
 
echo "Downloading from $downloadUrl"
 
curl \
  --proto '=https' \
  --tlsv1.2 \
  -sSf \
  -L "$downloadUrl" \
  -o "$realScratch/Determinate.pkg"
 
actualTeamId=$(spctl -a -vv -t install "$realScratch/Determinate.pkg" 2>&1 | awk -F '(' '/origin=/ {print $2 }' | tr -d '()')
 
echo "Expected team ID: $TEAM_ID"
echo "Actual team ID: $actualTeamId"
if [ "$actualTeamId" != "$TEAM_ID" ]; then
  echo "Team ID did not match."
  exit 1
fi
 
installer -verboseR -pkg "$realScratch/Determinate.pkg" -tgt "/"
 
echo "Complete"
Last updated on
Advanced installationEasy caching with Determinate CI