4.1 KiB
GuruRMM — macOS installer missing + Cloudflare blocking install one-liner
Date: 2026-05-07
Tenant / Site: Main Office (WEST-MEADOW-9025)
Triggered by: Sylvia's Mac mini (Sylvias-Mini) install attempt failed
User
- User: Howard Enos (howard)
- Machine: Howard-Home
- Role: tech
Summary
While trying to enroll Sylvia's Mac mini in GuruRMM, two distinct issues surfaced. Both are server-side problems, not user error.
- The bootstrap one-liner (
curl -fsSL ... | sudo bash) returns 403 because Cloudflare Bot Fight Mode blocks barecurl/*user agents. This affects every platform, not just Mac — anyone running the documented install command on Linux/Windows/Mac is hitting the CF challenge page before the request ever reaches the GuruRMM server. - There is no macOS installer route on the server.
/install/<site>/{macos,darwin,mac,osx}all return 404. Onlylinuxandwindowsare implemented.
Reproduction
sylvia@Sylvias-Mini ~ % curl -fsSL 'https://rmm.azcomputerguru.com/install/WEST-MEADOW-9025/linux' | sudo bash
curl: (22) The requested URL returned error: 403
(she used /linux — wrong platform anyway, but the 403 is from Cloudflare, not GuruRMM)
Diagnosis from Howard-Home
$ curl -i https://rmm.azcomputerguru.com/install/WEST-MEADOW-9025/linux
HTTP/1.1 403 Forbidden
Server: cloudflare
Cf-Mitigated: challenge
...
With a normal browser UA, request reaches the server:
$ curl -A 'Mozilla/5.0 ... Safari/537.36' https://rmm.azcomputerguru.com/install/WEST-MEADOW-9025/linux
# GuruRMM Agent Installer
# Site: Main Office (WEST-MEADOW-9025)
HTTP 200
Platform enumeration (with browser UA so CF doesn't block):
| Path | Result |
|---|---|
/install/WEST-MEADOW-9025/linux |
200 (script) |
/install/WEST-MEADOW-9025/windows |
200 |
/install/WEST-MEADOW-9025/macos |
404 |
/install/WEST-MEADOW-9025/darwin |
404 |
/install/WEST-MEADOW-9025/mac |
404 |
/install/WEST-MEADOW-9025/osx |
404 |
/install/WEST-MEADOW-9025/apple |
404 |
Message for Mike
Two GuruRMM items for you:
1. Build the macOS agent + installer route (Sylvia is blocked)
Sylvia (Main Office / WEST-MEADOW-9025) needs an agent on her Mac mini. There is no macOS target today. Scope:
- Rust agent built for
aarch64-apple-darwin(Apple Silicon) andx86_64-apple-darwin(Intel) - Server route:
/install/<site>/macosreturning either a shell installer (parity with linux) or a signed.pkg - LaunchDaemon for service supervision (mac equivalent of the systemd unit on Linux)
- Apple Developer ID signing + notarization so Gatekeeper doesn't block install on a stock Mac. Without notarization, every user has to right-click→Open or pop System Settings → Privacy & Security to allow it. Painful at scale.
- Install path convention:
/usr/local/gururmm(or/opt/gururmmfor parity with Linux, but/usr/localis more macOS-native)
If notarization is too much work for v1, a shell-script installer that builds from a code-signed binary still works for mom-and-pop deployments, just expects user to right-click→Open the first time.
2. Cloudflare bot challenge is blocking the install one-liner
Independent of the macOS work, the Linux/Windows install commands documented in the dashboard don't work as written today. Bare curl is being challenged by CF. Three fixes (pick one):
- Server-side, recommended: Cloudflare WAF rule to skip bot fight mode on
(http.request.uri.path matches "^/install/"). That's the cleanest — install commands stay copy-pasteable. - Page Rule: Security Level "Essentially Off" for
/install/*. - Document the UA flag in the install command:
curl -fsSL -A 'Mozilla/5.0 ...'— but that's a bandage, every user hits it.
I'd go with the WAF skip. The endpoint already requires a valid site code so we're not exposing anything new by removing the bot check on it.
Howard follow-ups
- Sylvia's Mac mini: diagnose slowness / low-memory popups separately (this session) — not enrollment-related.
- Once Mike ships the macOS agent, return to Sylvia for enrollment.
Artifacts
None — diagnosis was all live curl probes, no persistent state.