Updated for MacAdmins Python 3 Recommended

README.md

@@ -1,9 +1,9 @@
 # safari_citrix_settings
-Get Safari to work btter with a Citrix portal using PyObjC, and open Citrix application shortcuts (.ica) open in Citrix Workspace automatically.
+Get Safari to work better with a Citrix and TGX portals, and open Citrix application shortcuts (.ica) open in Citrix Workspace automatically.
 
 ## Purpose:
-* ensure .ica is in (Safari) com.apple.DownloadAssessment download Safe category extensions,
-* ensure .ica is not in (Safari) com.apple.DownloadAssessment other category extensions
+* ensure .ica and .tgx are in (Safari) com.apple.DownloadAssessment download Safe category extensions,
+* ensure .ica and .tgx are in (Safari) com.apple.DownloadAssessment other category extensions
 * ensure Open safe downloads is enabled in com.apple.Safari (as is default)
 * ensure Citrix Workspace autoupdate is disabled
 
@@ -14,15 +14,18 @@ Get Safari to work btter with a Citrix portal using PyObjC, and open Citrix appl
 * Does not lock down settings like a configuration profile would, suitable for e.g. run-once to provide initial settings
 * Does not overwrite existing category lists of safe extensions, strives to be omnipotent
 * pkg is built using munkipkg which installs main script (safari_citrix_settings.py) in /Library/Management/
-* run munki_postinstall.sh from your software management solution to call the main script with full disk access permission, tested with VMWAre Workspace ONE 
+* run the content of munki_postinstall.sh from your software management solution to call the main script with full disk access permission, tested with VMWAre Workspace ONE
+
+## Dependencies
+* [MacAdmins Python Recommended](https://github.com/macadmins/python.git) (uses PyObjc CoreFoundation)
 
 ## Caveats:
 * In order to ensure Open Safe Downloads is enabled, this script needs to be run from an executable with full disk access because on recent systems Safari prefs are sandboxed and SIP is enabled by default.
 
 ## ToDo:
 - [x] tested on macOS v10.13 - v11.4 running the Python 2 version macOS shipped with
-- [ ] update to run on Python3 (macadmins/python)
-- [ ] No check yet if prefs were actually stored, future changes like sandboxing might cause issue.
+- [x] update to run on Python3 (MacAdmins/python recommended)
+- [ ] check if prefs were actually stored, future changes like sandboxing might cause issue.
 
 ## Thanks to:
 https://www.blackmanticore.com/1c569206754935dacb0dc6b89ca818b8
@@ -35,4 +38,4 @@ https://lapcatsoftware.com/articles/containers.html
 * Forget installed package
 > sudo pkgutil --forget no.datamind.munki.pkg.safari_citrix_settings
 * check if sandboxed Safari pref for open safe downloads was applied
-> defaults read ~/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari.plist AutoOpenSafeDownloads
+> defaults read ~/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari.plist AutoOpenSafeDownloads

build-info.plist

@@ -5,7 +5,7 @@
 	<key>distribution_style</key>
 	<false/>
 	<key>identifier</key>
-	<string>no.datamind.munki.pkg.safari_citrix_settings</string>
+	<string>no.datamind.munkipkg.safari_citrix_settings</string>
 	<key>install_location</key>
 	<string>/</string>
 	<key>name</key>
@@ -19,6 +19,6 @@
 	<key>suppress_bundle_relocation</key>
 	<true/>
 	<key>version</key>
-	<string>0.0.8</string>
+	<string>0.1.0</string>
 </dict>
 </plist>

munki_postinstall.sh

@@ -2,7 +2,7 @@
 
 ###########################      About this script      ##########################
 #                                                                                #
-#   safari_citrix_settings.py - (Munki)postinstall script                        #                                  #
+#   safari_citrix_settings.py - (Munki)postinstall script                        #
 #                                                                                #
 #   Purpose:                                                                     #
 #           call safari_citrix_settings.py script as console user                #
@@ -19,7 +19,7 @@
 #                                                                                #
 #                                                                                #
 #   Instructions                                                                 #
-#            designed to run by software management application                  #
+#            designed to run by software management application as console user  #
 #            such as VMware Workspace ONE, Munki                                 #
 #            MUST be run from process entitled to full disk access in order to   #
 #            write to sandboxed Safari settings                                  #
@@ -37,4 +37,4 @@ done
 # Thanks to Graham Pugh - copied from erase-install.sh
 current_user=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}')
 
-sudo -u $current_user /Library/Management/safari_citrix_settings.py
+sudo -u $current_user /Library/Management/safari_citrix_settings.py

payload/Library/Management/safari_citrix_settings.py

@@ -1,6 +1,6 @@
-#!/usr/bin/python
+#!/Library/ManagedFrameworks/Python/Python3.framework/Versions/Current/bin/python3
 
-'''
+"""
 safari_citrix_settings.py
 
 Purpose:
@@ -22,26 +22,28 @@
     and SIP is enabled by default.
 
 ToDo:
-    No check yet if prefs were actually stored, future changes like sandboxing might cause issue.
+    check if prefs were actually stored, future changes like sandboxing might cause issue.
 
 Thanks to:
     https://www.blackmanticore.com/1c569206754935dacb0dc6b89ca818b8
     https://gist.github.com/gregneagle/010b369e86410a2f279ff8e980585c68
     https://gist.github.com/gregneagle/01c99322cf985e771827
     https://lapcatsoftware.com/articles/containers.html
-'''
+"""
 
 # import plistlib
 import os.path
 import sys
 import CoreFoundation
 from Foundation import NSMutableArray, NSMutableDictionary, NSHomeDirectory
 
+
 def setDownloadAssessmentCategory(extension, risk_category):
-    risk_categories = { 'LSRiskCategorySafe', 'LSRiskCategoryNeutral', 'LSRiskCategoryUnsafeExecutable', 'LSRiskCategoryMayContainUnsafeExecutable' }
+    risk_categories = {'LSRiskCategorySafe', 'LSRiskCategoryNeutral', 'LSRiskCategoryUnsafeExecutable',
+                       'LSRiskCategoryMayContainUnsafeExecutable'}
     for arisk_category in risk_categories:
         # read the dict with current category of safe extensions - gets an immutable return object
-        cur_risk_category = CoreFoundation.CFPreferencesCopyAppValue( arisk_category, "com.apple.DownloadAssessment")
+        cur_risk_category = CoreFoundation.CFPreferencesCopyAppValue(arisk_category, "com.apple.DownloadAssessment")
 
         if cur_risk_category:
             # copy immutable dict to new mutable one
@@ -60,33 +62,37 @@ def setDownloadAssessmentCategory(extension, risk_category):
         if arisk_category == risk_category:
             if not extension in my_risk_category['LSRiskCategoryExtensions']:
                 my_risk_category['LSRiskCategoryExtensions'].append(extension)
-                print 'Adding extension "%s" to risk category array "%s" of com.apple.DownloadAssessment' % (extension, risk_category)
+                print(
+                    f'Adding extension {extension} to risk category array {risk_category} of com.apple.DownloadAssessment')
             else:
-                print 'extension "%s" is already present in risk category array "%s" of com.apple.DownloadAssessment' % (extension, risk_category)
+                print(
+                    f'extension {extension} is already present in risk category array {risk_category} of com.apple.DownloadAssessment')
         else:
             # ensure the_extension is NOT in any of the remaining categories
             if extension in my_risk_category['LSRiskCategoryExtensions']:
                 my_risk_category['LSRiskCategoryExtensions'].remove(extension)
-                print 'Removing extension "%s" from risk category array "%s" of com.apple.DownloadAssessment' % (extension, arisk_category)
+                print(
+                    f'Removing extension {extension} from risk category array {arisk_category} of com.apple.DownloadAssessment')
             # save the changed preference
-        CoreFoundation.CFPreferencesSetAppValue(arisk_category, my_risk_category,  "com.apple.DownloadAssessment")
+        CoreFoundation.CFPreferencesSetAppValue(arisk_category, my_risk_category, "com.apple.DownloadAssessment")
     CoreFoundation.CFPreferencesAppSynchronize("com.apple.DownloadAssessment")
 
 
-
 def main():
     # ensure .ica is in Safari category for Safe download extensions
     setDownloadAssessmentCategory('ica', 'LSRiskCategorySafe')
+    # ensure .tgx is in Safari category for Safe download extensions
+    setDownloadAssessmentCategory('tgx', 'LSRiskCategorySafe')
     # for testing:
-    #setDownloadAssessmentCategory('zip', 'LSRiskCategoryNeutral')
+    # setDownloadAssessmentCategory('zip', 'LSRiskCategoryNeutral')
 
     # ensure Citrix Workspace AutoUpdate is set to manual
-    cur_citrix_autoupdate = CoreFoundation.CFPreferencesCopyAppValue( "AutoUpdateState", "com.citrix.receiver.nomas" )
+    cur_citrix_autoupdate = CoreFoundation.CFPreferencesCopyAppValue("AutoUpdateState", "com.citrix.receiver.nomas")
     if not cur_citrix_autoupdate == "Manual":
-        CoreFoundation.CFPreferencesSetAppValue( "AutoUpdateState", "Manual", "com.citrix.receiver.nomas" )
-        print 'Citrix preference com.citrix.receiver.nomas AutoUpdateState set to Manual'
+        CoreFoundation.CFPreferencesSetAppValue("AutoUpdateState", "Manual", "com.citrix.receiver.nomas")
+        print('Citrix preference com.citrix.receiver.nomas AutoUpdateState set to Manual')
     else:
-        print 'Citrix preference com.citrix.receiver.nomas AutoUpdateState already set to Manual'
+        print('Citrix preference com.citrix.receiver.nomas AutoUpdateState already set to Manual')
 
     # ensure AutoOpenSafeDownloads is on for com.apple.Safari
     # test if Safari version is Sandboxed by checking for container
@@ -95,30 +101,31 @@ def main():
     if os.path.isdir(homeDirectory + "/Library/Containers/com.apple.Safari"):
         app_ID = homeDirectory + "/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari"
         safari_prefs_path = app_ID + ".plist"
-        # test if script has access, SIP will limit access to container contents, must run from app with full disk access priviledge
+        # test if script has access, SIP will limit access to container contents, must run from app with full disk
+        # access privilege
         if os.access(safari_prefs_path, os.W_OK):
-            print 'Access OK to sandboxed Safari prefs at' + safari_prefs_path
+            print(f'Access OK to sandboxed Safari prefs at {safari_prefs_path}')
         else:
-            sys.exit('No access to sandboxed Safari prefs at' + safari_prefs_path + ' - bailing out')
+            sys.exit(f'No access to sandboxed Safari prefs at {safari_prefs_path} - bailing out')
     else:
         # must be old version - not sandboxed yet
         app_ID = 'com.apple.Safari'
         safari_prefs_path = homeDirectory + "/Library/Preferences/" + app_ID + ".plist"
-    cur_open_safe_downloads = CoreFoundation.CFPreferencesCopyAppValue( "AutoOpenSafeDownloads", app_ID )
+    cur_open_safe_downloads = CoreFoundation.CFPreferencesCopyAppValue("AutoOpenSafeDownloads", app_ID)
     if cur_open_safe_downloads is None:
-        print 'Open safe Downloads for Safari prefs key AutoOpenSafeDownloads key is not present in ' + safari_prefs_path + ' - it defaults to True so that''s OK'
+        print(
+            f'Open safe Downloads for Safari prefs key AutoOpenSafeDownloads key is not present in {safari_prefs_path} - it defaults to True so that''s OK')
     else:
         if not cur_open_safe_downloads:
-            print 'Open safe Downloads is not enabled in ' + safari_prefs_path
-            CoreFoundation.CFPreferencesSetAppValue( "AutoOpenSafeDownloads", True, app_ID )
-            CoreFoundation.CFPreferencesAppSynchronize( app_ID )
-            print 'Open safe Downloads is now set to True for Safari in ' + safari_prefs_path
+            print(f'Open safe Downloads is not enabled in {safari_prefs_path}')
+            CoreFoundation.CFPreferencesSetAppValue("AutoOpenSafeDownloads", True, app_ID)
+            CoreFoundation.CFPreferencesAppSynchronize(app_ID)
+            print(f'Open safe Downloads is now set to True for Safari in {safari_prefs_path}')
         else:
-            print 'Open safe Downloads for Safari already enabled in ' + safari_prefs_path
+            print(f'Open safe Downloads for Safari already enabled in {safari_prefs_path}')
 
     sys.exit(0)
 
 
-
 if __name__ == '__main__':
     main()