Splunk Enterprise

Splunk UF Dmg/PKG Silent Install for Mac

jason_hotchkiss
Communicator

Hello - 

I am trying to script the installation for the Mac Splunk Universal Forwarder package.  The package is a disk image (.dmg).

I understand that we can mount the image using hdiutil and access the volume to find the .pkg file. The issue is that when we attempt to run installer -pkg volume/splunkuf.pkg -target /Applications/SplunkUf/, the end user is prompted to answer dialog boxes, which we do not want to occur.

Is there a switch to use to install the pkg file silently?

TIA
JH

0 Karma

dkv21210
Loves-to-Learn

Interesting! Thanks for this; I'll review and give this a try.

One question:  Are you creating a Splunk user and changing permissions recursively to splunk:splunk, or are you just leaving it as-is? (To this point, we've been doing the latter, but I'm wondering if creating a dedicated user might be preferable?)

0 Karma

Knight_Owl
Loves-to-Learn Lots

Leaving it as is.

SplunkForwarder folder and contents within are owned by root and wheel

Applications Folder is owned by root and admin

0 Karma

Knight_Owl
Loves-to-Learn Lots

Hi Jason,

Did you find a solution for this? 

0 Karma

jason_hotchkiss
Communicator

Sorry, no, I did not find a solution; the requirement changed, and we shifted gears.

0 Karma

dkv21210
Loves-to-Learn

I'd love to know as well. I've been banging my head against a wall with this, off and on, for a couple of months now. It's insane to me how impossible it is to find any solutions online (never mind this forum), and Splunk clearly doesn't care to address it.

How exactly are we to do quiet deployments of UF to a fleet of Macs managed by MDM? As it stands, the DMG is out (too much user interaction required, which apparently can't be suppressed), and the .tgz also requires a combination of scripting, permissions changes, possibly creation of a new user, setting environment variables, and moving config files into place.

Can I do this myself? Sure, but why should I have to? Even with the leverage of $GIGANTIC_FEDERAL_AGENCY, Splunk doesn't care to help us.

Godspeed to us all, I guess.

0 Karma

Knight_Owl
Loves-to-Learn Lots

Hi dkv21210,

Are you using JAMF as your MDM?

0 Karma

dkv21210
Loves-to-Learn

Yes, I am. Previously, with an older version, we just used Jamf Composer to watch the file system, then did the manual .pkg install (user interaction and all), put in our settings files, then had Composer create the package. I really don't want to keep having to do that kind of sloppy install, but it's beginning to look like we may have to.

0 Karma

Knight_Owl
Loves-to-Learn Lots

So, I was able to get it to silently deploy, and it seems to be working as intended.

I built the package using Composer, making sure to set the proper R-W-X, Owner, and Group permissions for /Applications/SplunkForwarder

Then added the deploymentclient.conf file within the /Applications/SplunkForwarder/etc/system/local directory before building the package.

Then for my policy I added that package, and for the silent install I added a script which contains:

#!/bin/sh
# Accept Splunk licenses
/Applications/SplunkForwarder/bin/splunk start --accept-license --auto-ports --no-prompt --answer-yes
# Enable boot start
/Applications/SplunkForwarder/bin/splunk enable boot-start
# Hide the folder
chflags hidden /Applications/SplunkForwarder

0 Karma
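A fuller version of the policy script above, added here as an example and not code from the thread or from Splunk: it also generates the deploymentclient.conf file that the reply places in etc/system/local, takes the deployment server and client name from Jamf script parameters ($4 and $5; the server value below is a placeholder), and uses a marker file so the first-run steps are not repeated on later policy runs.

```shell
#!/bin/sh
# Added example (not from the thread): Jamf policy script that completes the
# silent Universal Forwarder setup. Assumes the Composer-built package already
# placed the forwarder at /Applications/SplunkForwarder.
# Jamf passes script parameters as $4, $5, ...; the defaults are placeholders.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/Applications/SplunkForwarder}"
DEPLOY_SERVER="${4:-deploy.example.internal:8089}"   # placeholder deployment server
CLIENT_NAME="${5:-$(hostname -s 2>/dev/null || echo mac-uf)}"
DONE_MARKER="$SPLUNK_HOME/etc/.jamf-uf-setup-done"   # created by this script only

# Render deploymentclient.conf so the forwarder phones home to the deployment
# server on first start. Prints the rendered text on stdout.
render_deploymentclient_conf() {
    target="$1"; client="$2"
    printf '[deployment-client]\nclientName = %s\n\n[target-broker:deploymentServer]\ntargetUri = %s\n' \
        "$client" "$target"
}

# Write the conf into etc/system/local, creating the directory if needed,
# and restrict it to the owner (it may later carry credentials). Prints the path.
write_deploymentclient_conf() {
    home="$1"; target="$2"; client="$3"
    dir="$home/etc/system/local"
    mkdir -p "$dir"
    render_deploymentclient_conf "$target" "$client" > "$dir/deploymentclient.conf"
    chmod 600 "$dir/deploymentclient.conf"
    printf '%s\n' "$dir/deploymentclient.conf"
}

# First-run steps from the reply above, plus the conf file and the marker.
first_time_setup() {
    write_deploymentclient_conf "$SPLUNK_HOME" "$DEPLOY_SERVER" "$CLIENT_NAME" >/dev/null
    "$SPLUNK_HOME/bin/splunk" start --accept-license --auto-ports --no-prompt --answer-yes
    "$SPLUNK_HOME/bin/splunk" enable boot-start
    chflags hidden "$SPLUNK_HOME"
    touch "$DONE_MARKER"
}

# Only act on a host that actually has the forwarder installed, and only once.
if [ "${RUN_SETUP:-0}" = 1 ] && [ -x "$SPLUNK_HOME/bin/splunk" ]; then
    [ -f "$DONE_MARKER" ] || first_time_setup
fi
```

Run it from the Jamf policy with RUN_SETUP=1 in the environment; without it the script only defines the functions, which keeps it safe to source on a test machine.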

Knight_Owl
Loves-to-Learn Lots

Although, I do notice that notifications are still enabled. I created a config profile that mutes Critical Alerts and Notifications for Bundle ID: aplt

Tested it once, seemed to work, but I'd like to test again on a fresh machine to verify.

0 Karma

Knight_Owl
Loves-to-Learn Lots

Update: the configuration profile works; no notifications are seen from the user's perspective, and the workstation is added into Splunk.

0 Karma

dkv21210
Loves-to-Learn

I'm still working on this; I've made some progress on doing the .tar file install and tweaking it, but I'm getting these two alerts (see attached images) whenever I log in to the user account. Have you found a workaround (assuming you've seen this)?


0 Karma

Knight_Owl
Loves-to-Learn Lots

Hey DK,

Build the PKG, then open terminal and run the command

sudo xattr -rd com.apple.quarantine /path/to/the.pkg 

This will remove the com.apple.quarantine attribute and stop the computer from checking it for malicious software. The -d option deletes the noted attribute and the -r option acts recursively.

If you would like to check which attributes the .PKG has on it, then run the command:

xattr -r /path/to/the.pkg

Hope this helps

0 Karma

dkv21210
Loves-to-Learn

Perfect! Thanks for the tip.

0 Karma