azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
claudetools/session-logs/2026-05-07-howard-gururmm-macos-installer-and-cf-bot-block.md
Howard Enos 935b6995e5 sync: auto-sync from HOWARD-HOME at 2026-05-08 19:53:03 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-08 19:53:03
2026-05-08 19:53:06 -07:00

93 lines
4.1 KiB
Markdown
Raw Permalink Blame History

# GuruRMM — macOS installer missing + Cloudflare blocking install one-liner
**Date:** 2026-05-07
**Tenant / Site:** Main Office (`WEST-MEADOW-9025`)
**Triggered by:** Sylvia's Mac mini (`Sylvias-Mini`) install attempt failed
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
## Summary
While trying to enroll Sylvia's Mac mini in GuruRMM, two distinct issues surfaced. Both are server-side problems, not user error.
1. The bootstrap one-liner (`curl -fsSL ... | sudo bash`) returns 403 because Cloudflare Bot Fight Mode blocks bare `curl/*` user agents. This affects every platform, not just Mac — anyone running the documented install command on Linux/Windows/Mac is hitting the CF challenge page before the request ever reaches the GuruRMM server.
2. There is no macOS installer route on the server. `/install/<site>/{macos,darwin,mac,osx}` all return 404. Only `linux` and `windows` are implemented.
## Reproduction
```
sylvia@Sylvias-Mini ~ % curl -fsSL 'https://rmm.azcomputerguru.com/install/WEST-MEADOW-9025/linux' | sudo bash
curl: (22) The requested URL returned error: 403
```
(she used `/linux` — wrong platform anyway, but the 403 is from Cloudflare, not GuruRMM)
### Diagnosis from Howard-Home
```
$ curl -i https://rmm.azcomputerguru.com/install/WEST-MEADOW-9025/linux
HTTP/1.1 403 Forbidden
Server: cloudflare
Cf-Mitigated: challenge
...
```
With a normal browser UA, request reaches the server:
```
$ curl -A 'Mozilla/5.0 ... Safari/537.36' https://rmm.azcomputerguru.com/install/WEST-MEADOW-9025/linux
# GuruRMM Agent Installer
# Site: Main Office (WEST-MEADOW-9025)
HTTP 200
```
Platform enumeration (with browser UA so CF doesn't block):
| Path | Result |
|------|--------|
| `/install/WEST-MEADOW-9025/linux` | 200 (script) |
| `/install/WEST-MEADOW-9025/windows` | 200 |
| `/install/WEST-MEADOW-9025/macos` | 404 |
| `/install/WEST-MEADOW-9025/darwin` | 404 |
| `/install/WEST-MEADOW-9025/mac` | 404 |
| `/install/WEST-MEADOW-9025/osx` | 404 |
| `/install/WEST-MEADOW-9025/apple` | 404 |
## Message for Mike
Two GuruRMM items for you:
### 1. Build the macOS agent + installer route (Sylvia is blocked)
Sylvia (Main Office / `WEST-MEADOW-9025`) needs an agent on her Mac mini. There is no macOS target today. Scope:
- Rust agent built for `aarch64-apple-darwin` (Apple Silicon) and `x86_64-apple-darwin` (Intel)
- Server route: `/install/<site>/macos` returning either a shell installer (parity with linux) or a signed `.pkg`
- LaunchDaemon for service supervision (mac equivalent of the systemd unit on Linux)
- Apple Developer ID signing + notarization so Gatekeeper doesn't block install on a stock Mac. Without notarization, every user has to right-click→Open or pop System Settings → Privacy & Security to allow it. Painful at scale.
- Install path convention: `/usr/local/gururmm` (or `/opt/gururmm` for parity with Linux, but `/usr/local` is more macOS-native)
If notarization is too much work for v1, a shell-script installer that builds from a code-signed binary still works for mom-and-pop deployments, just expects user to right-click→Open the first time.
### 2. Cloudflare bot challenge is blocking the install one-liner
Independent of the macOS work, the Linux/Windows install commands documented in the dashboard don't work as written today. Bare `curl` is being challenged by CF. Three fixes (pick one):
- **Server-side, recommended:** Cloudflare WAF rule to skip bot fight mode on `(http.request.uri.path matches "^/install/")`. That's the cleanest — install commands stay copy-pasteable.
- Page Rule: Security Level "Essentially Off" for `/install/*`.
- Document the UA flag in the install command: `curl -fsSL -A 'Mozilla/5.0 ...'` — but that's a bandage, every user hits it.
I'd go with the WAF skip. The endpoint already requires a valid site code so we're not exposing anything new by removing the bot check on it.
## Howard follow-ups
- [ ] Sylvia's Mac mini: diagnose slowness / low-memory popups separately (this session) — not enrollment-related.
- [ ] Once Mike ships the macOS agent, return to Sylvia for enrollment.
## Artifacts
None — diagnosis was all live curl probes, no persistent state.
Reference in New Issue View Git Blame Copy Permalink