# GuruRMM — macOS installer missing + Cloudflare blocking install one-liner

**Date:** 2026-05-07
**Tenant / Site:** Main Office (`WEST-MEADOW-9025`)
**Triggered by:** Sylvia's Mac mini (`Sylvias-Mini`) install attempt failed

## User

- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech

## Summary

While trying to enroll Sylvia's Mac mini in GuruRMM, two distinct issues surfaced. Both are server-side problems, not user error.

1. The bootstrap one-liner (`curl -fsSL ... | sudo bash`) returns 403 because Cloudflare Bot Fight Mode blocks bare `curl/*` user agents. This affects every platform, not just Mac — anyone running the documented install command on Linux/Windows/Mac is hitting the CF challenge page before the request ever reaches the GuruRMM server.
2. There is no macOS installer route on the server. `/install//{macos,darwin,mac,osx}` all return 404. Only `linux` and `windows` are implemented.

## Reproduction

```
sylvia@Sylvias-Mini ~ % curl -fsSL 'https://rmm.azcomputerguru.com/install/WEST-MEADOW-9025/linux' | sudo bash
curl: (22) The requested URL returned error: 403
```

(she used `/linux` — wrong platform anyway, but the 403 is from Cloudflare, not GuruRMM)

### Diagnosis from Howard-Home

```
$ curl -i https://rmm.azcomputerguru.com/install/WEST-MEADOW-9025/linux
HTTP/1.1 403 Forbidden
Server: cloudflare
Cf-Mitigated: challenge
...
```

With a normal browser UA, request reaches the server:

```
$ curl -A 'Mozilla/5.0 ... Safari/537.36' https://rmm.azcomputerguru.com/install/WEST-MEADOW-9025/linux
# GuruRMM Agent Installer
# Site: Main Office (WEST-MEADOW-9025)
HTTP 200
```

Platform enumeration (with browser UA so CF doesn't block):

| Path | Result |
|------|--------|
| `/install/WEST-MEADOW-9025/linux` | 200 (script) |
| `/install/WEST-MEADOW-9025/windows` | 200 |
| `/install/WEST-MEADOW-9025/macos` | 404 |
| `/install/WEST-MEADOW-9025/darwin` | 404 |
| `/install/WEST-MEADOW-9025/mac` | 404 |
| `/install/WEST-MEADOW-9025/osx` | 404 |
| `/install/WEST-MEADOW-9025/apple` | 404 |

## Message for Mike

Two GuruRMM items for you:

### 1. Build the macOS agent + installer route (Sylvia is blocked)

Sylvia (Main Office / `WEST-MEADOW-9025`) needs an agent on her Mac mini. There is no macOS target today. Scope:

- Rust agent built for `aarch64-apple-darwin` (Apple Silicon) and `x86_64-apple-darwin` (Intel)
- Server route: `/install//macos` returning either a shell installer (parity with linux) or a signed `.pkg`
- LaunchDaemon for service supervision (mac equivalent of the systemd unit on Linux)
- Apple Developer ID signing + notarization so Gatekeeper doesn't block install on a stock Mac. Without notarization, every user has to right-click→Open or pop System Settings → Privacy & Security to allow it. Painful at scale.
- Install path convention: `/usr/local/gururmm` (or `/opt/gururmm` for parity with Linux, but `/usr/local` is more macOS-native)

If notarization is too much work for v1, a shell-script installer that builds from a code-signed binary still works for mom-and-pop deployments, just expects user to right-click→Open the first time.

### 2. Cloudflare bot challenge is blocking the install one-liner

Independent of the macOS work, the Linux/Windows install commands documented in the dashboard don't work as written today. Bare `curl` is being challenged by CF.
Three fixes (pick one):

- **Server-side, recommended:** Cloudflare WAF rule to skip bot fight mode on `(http.request.uri.path matches "^/install/")`. That's the cleanest — install commands stay copy-pasteable.
- Page Rule: Security Level "Essentially Off" for `/install/*`.
- Document the UA flag in the install command: `curl -fsSL -A 'Mozilla/5.0 ...'` — but that's a bandage, every user hits it.

I'd go with the WAF skip. The endpoint already requires a valid site code so we're not exposing anything new by removing the bot check on it.

## Howard follow-ups

- [ ] Sylvia's Mac mini: diagnose slowness / low-memory popups separately (this session) — not enrollment-related.
- [ ] Once Mike ships the macOS agent, return to Sylvia for enrollment.

## Artifacts

None — diagnosis was all live curl probes, no persistent state.
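
The diagnosis above hinges on telling an edge challenge (403 with `Cf-Mitigated: challenge`) apart from a missing route (404). As an added example, not part of the original note or GuruRMM's own code, this shell function classifies a `curl -i` response the same way; the function name, the output labels and the two sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a raw HTTP response (status line + headers) read
# from stdin. Labels are hypothetical names chosen for this example.
#   cloudflare-challenge  Cf-Mitigated: challenge is present (edge blocked it)
#   not-found             404 with no challenge marker (route does not exist)
#   ok                    any 2xx
#   other-<code>          anything else
classify_response() {
    awk '
        { sub(/\r$/, "") }                 # tolerate CRLF line endings
        NR == 1 { status = $2; next }      # "HTTP/1.1 403 Forbidden" -> 403
        /^$/    { exit }                   # blank line ends the header block
        {
            # Header names are case-insensitive (HTTP/2 prints them lowercase).
            name  = tolower($0); sub(/:.*/, "", name)
            value = tolower($0); sub(/^[^:]*:[ \t]*/, "", value)
            if (name == "cf-mitigated") mitigated = value
        }
        END {
            # Server: cloudflare alone proves nothing: proxied origin replies
            # carry it too. The challenge marker is the distinguishing header.
            if (mitigated == "challenge") print "cloudflare-challenge"
            else if (status == 404)       print "not-found"
            else if (status ~ /^2/)       print "ok"
            else                          print "other-" status
        }
    '
}

# Constructed sample modeled on the 403 captured from Howard-Home.
sample_challenge() {
    printf 'HTTP/1.1 403 Forbidden\r\nServer: cloudflare\r\nCf-Mitigated: challenge\r\n\r\n'
}

# Constructed sample: a 404 that passed through the proxy (no challenge marker).
sample_missing_route() {
    printf 'HTTP/1.1 404 Not Found\r\nServer: cloudflare\r\nContent-Type: text/plain\r\n\r\n'
}

sample_challenge     | classify_response
sample_missing_route | classify_response

# Against a live endpoint the same function reads curl output directly:
#   curl -si 'https://rmm.azcomputerguru.com/install/WEST-MEADOW-9025/linux' | classify_response
```
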