Hoping someone is monitoring this thread.
Until this is fixed, hopefully in 1.10.2, we are forced to expand the flat/signed PKG, comment out the last few lines in the postinstall script, flatten and resign. Then we deploy the PKG in a policy using the above commands to open as the current user.
Never a good idea to reverse engineer a vendor's PKG, so hoping 1.10.2 is released with the fix so we don't have to.