Homebrew is a package manager for macOS. You can use Homebrew to install command line packages on a Mac, provided someone has written a formula, which is a simple Ruby script that walks through the process of installing all the little bits required for a piece of software.
Installing Homebrew is simple. Run the following command, which is listed on the Homebrew homepage (not as root):
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
This will install the macOS Command Line Tools from Xcode as well as create the following directories (if they’re not already present):
Then the script will move all the required bits from https://github.com/Homebrew/brew to the correct locations. Once done, you can easily install a package if you know the name. For example, I do this on practically every new machine I configure for development:
brew install wget
This one is nice because of the dependencies that get installed, and you get the latest versions. Let’s look at the version of wget:
Next, let’s use brew to search for something: radius
brew search radius
You’ll see that there’s one item on the local taps: freeradius-server
Let’s install that:
brew install freeradius-server
Now, you’ll find that the bits that make freeradius work are located in /usr/local/Cellar/freeradius-server/3.0.16. If you later need to upgrade that package, use the upgrade verb.
brew upgrade freeradius-server
And finally, to update Homebrew to the latest version, run the update verb:
krypted March 22nd, 2018
Posted In: bash, Mac OS X
The first step in moving pretty much any service off macOS Server is to check out the old settings. The second step is to ask whether the place you’re going to put the service is a good idea. For example, these days I prefer to run DHCP services on a network appliance such as a Synology. So let’s look at how to do that. Here, we’ll use the serveradmin command to view the settings of the DHCP service:
/Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings dhcp
The output is an array of subnets with different settings per subnet.
dhcp:static_maps = _empty_array
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_primary_server = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_router = "10.15.40.1"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_secondary_server = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_range_start = "10.15.40.2"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_range_end = "10.15.43.253"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_domain_name = "clients.msp.jamfsw.corp"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_domain_name_server:_array_index:0 = "18.104.22.168"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_domain_name_server:_array_index:1 = "22.214.171.124"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:lease_max = 36000
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_mask = "255.255.252.0"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_ldap_url = _empty_array
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_node_type = "NOT_SET"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_enabled = yes
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_NBDD_server = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_address = "10.15.40.0"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_scope_id = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:selected_port_name = "en1"
dhcp:subnet_defaults:logVerbosity = "MEDIUM"
dhcp:subnet_defaults:routers:en0 = "10.15.40.1"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:0 = "BROADCAST_B_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:1 = "HYBRID_H_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:2 = "NOT_SET"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:3 = "PEER_P_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:4 = "MIXED_M_NODE"
dhcp:subnet_defaults:WINS_node_type = "NOT_SET"
dhcp:subnet_defaults:dhcp_domain_name = "krypted.com"
dhcp:subnet_defaults:logVerbosityList:_array_index:0 = "LOW"
dhcp:subnet_defaults:logVerbosityList:_array_index:1 = "MEDIUM"
dhcp:subnet_defaults:logVerbosityList:_array_index:2 = "HIGH"
dhcp:subnet_defaults:dhcp_domain_name_server:_array_index:0 = "126.96.36.199"
dhcp:subnet_defaults:dhcp_domain_name_server:_array_index:1 = "188.8.131.52"
dhcp:subnet_defaults:selected_port_key = "en0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:0 = "en0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:1 = "bridge0"
dhcp:logging_level = "MEDIUM"
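Checking the old settings by eye works for one subnet, but the key-path format above is easy to parse. Here is an added Python example (not from the original post) that turns `serveradmin settings` output into nested dicts and lists, summarizes each DHCP subnet so it can be recreated elsewhere, and checks a proposed new pool for overlap with the old one; the embedded sample is a constructed, trimmed copy of the output above.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the `serveradmin settings dhcp`
# output shown above (one subnet plus a top-level key).
SAMPLE = """\
dhcp:static_maps = _empty_array
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_router = "10.15.40.1"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_range_start = "10.15.40.2"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_range_end = "10.15.43.253"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_domain_name_server:_array_index:0 = "18.104.22.168"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_domain_name_server:_array_index:1 = "22.214.171.124"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:lease_max = 36000
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_mask = "255.255.252.0"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_enabled = yes
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_address = "10.15.40.0"
"""

LINE_RE = re.compile(r'^(?P<path>[^=]+?)\s*=\s*(?P<value>.*)$')  # "key:path = value"

def parse_value(raw):
    """Turn a serveradmin value token (_empty_array, "str", yes/no, int) into Python."""
    raw = raw.strip()
    if raw == '_empty_array':
        return []
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if raw in ('yes', 'no'):
        return raw == 'yes'
    try:
        return int(raw)
    except ValueError:
        return raw

def _listify(node):
    """Turn dicts whose keys are all _array_index numbers into ordered lists."""
    if not isinstance(node, dict):
        return node
    if node and all(k.isdigit() for k in node):
        return [_listify(node[k]) for k in sorted(node, key=int)]
    return {k: _listify(v) for k, v in node.items()}

def parse_serveradmin(text):
    """Parse `serveradmin settings` output into nested dicts/lists.

    `_array_id:<UUID>` and `_array_index:<n>` name array elements; the marker
    token is dropped and the UUID or index becomes the key at that level.
    """
    root = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or non-setting line
        keys = [k for k in m.group('path').split(':')
                if k not in ('_array_id', '_array_index')]
        node = root
        for key in keys[:-1]:
            node = node.setdefault(key, {})
        node[keys[-1]] = parse_value(m.group('value'))
    return _listify(root)

def subnet_summary(settings):
    """Per DHCP subnet, the fields needed to recreate it on another server."""
    out = []
    for sid, s in settings['dhcp']['subnets'].items():
        net = ipaddress.ip_network(f"{s['net_address']}/{s['net_mask']}", strict=False)
        start = ipaddress.ip_address(s['net_range_start'])
        end = ipaddress.ip_address(s['net_range_end'])
        out.append({
            'id': sid,
            'network': str(net),
            'pool': (str(start), str(end)),
            'pool_size': int(end) - int(start) + 1,
            'pool_in_subnet': start in net and end in net,  # sanity check on the old config
            'gateway': s['dhcp_router'],
            'dns': s.get('dhcp_domain_name_server', []),
            'lease_seconds': s['lease_max'],
            'enabled': s['dhcp_enabled'],
        })
    return out

def pools_overlap(a_start, a_end, b_start, b_end):
    """True if two inclusive address ranges share at least one address."""
    a0, a1 = int(ipaddress.ip_address(a_start)), int(ipaddress.ip_address(a_end))
    b0, b1 = int(ipaddress.ip_address(b_start)), int(ipaddress.ip_address(b_end))
    return a0 <= b1 and b0 <= a1

if __name__ == '__main__':
    for subnet in subnet_summary(parse_serveradmin(SAMPLE)):
        print(subnet)
```

Feed it the real output with `parse_serveradmin(open('dhcp.txt').read())` and run `pools_overlap` against the pool you intend to create on the new server before enabling it.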
Next, we’ll set up a Synology NAS using the instructions found here: Basic Synology NAS Setup
Once you’ve set up your Synology NAS, you can install a DHCP server on it, if you need to provide those services. To get started, first open Control Panel and then find DHCP Server in the Control Panel sidebar.
From here, click on the LAN port.
Because DHCP requires a subnet mask, and a pool of IP addresses that can be shared, the “Enable DHCP server” button will initially be greyed out. Click on the Edit button to define these.
Click on the checkbox for “Enable DHCP server” and enter the following settings:
- Address lease time: The number of seconds the lease will be valid.
- Primary DNS: The first DNS server provided to client computers.
- Secondary DNS: The second DNS server provided to client computers.
- Domain name: The automatic suffix applied to hostnames of clients (e.g. if you enter Synology in a web browser and this setting is krypted.com, you would be routed to Synology.krypted.com).
- Enable Web Proxy Automatic Discovery: Provide a PAC file (using DHCP options).
- URL: The PAC file.
- Subnet list: Here you add subnets, which we’ll describe next.
At the Create DHCP Subnet screen, you’ll be prompted for the following fields:
- Start IP address: The first IP address in the pool that will be handed out.
- End IP address: The last IP address in the pool that will be handed out (note that in my example, I’m handing out 192.168.55.40 to 192.168.55.50, so 11 addresses – make sure these don’t overlap with other devices that are already using addresses or with other DHCP pools or you will have sporadic device connectivity for some devices).
- Netmask: The subnet mask to be given to devices along with their lease.
- Gateway: The default gateway, or router for the network.
- DHCP Options: I cover these in http://krypted.com/mac-os-x/replace-macos-server-dhcp-service-built-macos-dhcp-service/, but this list includes those supported on the Synology.
Once your settings are configured, click Create. You’ll then see your pool configured. Click the OK button.
You’ll then see a list of subnets and settings. Click “Enable DHCP server” to start the service.
Once started, click “Disable DHCP server” to stop the service or go back to the edit screen and click on the DHCP Clients tab to see what IP each client has been provided.
krypted March 21st, 2018
Posted In: Mac OS X, Mac OS X Server
Apple, DHCP, hardware, macos server, move dhcp from Mac server to Synology nas, Servers
The WD MyCloud is a pretty single-purpose device. It’s a disk with a network interface, and as with Direct Attached Storage, the MyCloud Network Attached Storage is pretty easy to connect to.
First, let’s look at connecting to the web interface via the menu item, where you can drag and drop files to the device. Once the device is configured, use the WD menu item to see your device. From there, click on the name of your device.
Alternatively, you could visit mycloud.com and sign into the web interface there.
In both cases, you’ll see a list of files, and in the sidebar you’ll see options to configure settings, add integrations, view activity, and view photos that are on the device.
From here, you can simply drag and drop files into the web page, just like with a Box or Dropbox account, but the files are stored on the device. Additionally, you can send a link to a file or folder. To do so, right-click on the object you wish to share and then click Share Link.
At the resulting screen, you’ll see a link. Click Copy to copy the link into your clipboard so you can paste it into an email.
You may also want other users to be able to log into your WD MyCloud. To allow them to do so, open Settings and click on Add User. Then provide the email address for the user and click on Send Invites.
Finally, you can also mount the drive directly to computers. To do so, click on “Connect to Server” (or Command-K) from the Finder.
At the Connect to Server screen, enter the address of the server and click Connect. If you don’t know the address and you’re on the local network of the device. Additionally, if you have the menu item installed, you’ll see the device in the sidebar of your Mac.
It’s worth noting that with the exception of the ability to share a link to a file or folder, the permissions on the device are pretty much wide open, as you can see below. Additionally, any files you bring into the device will end up with the same wide open permissions. And while you can change permissions on files, they’ll revert back. So if you will need more granular capabilities with file permissions, this might not be the device for you. This device is a very inexpensive way to do very small workgroups or home file sharing, but beyond that it could be too basic for a lot of business use cases. What I like about it though, is that it doesn’t pretend to be anything but what it is. And it does that very well, in a very easy-to-use way.
Now the MyCloud NAS comes with removable drives and a more robust interface. It’s still easy to use, but you can configure RAID levels, basic iSCSI functionality, and users. I still wouldn’t put this in front of large workgroups, but to replace a macOS Server for a small business, or as a basic NAS head, it’s a solid, easy-to-manage device.
krypted March 19th, 2018
Posted In: Mac OS X, Mac OS X Server, Network Infrastructure
Apple, configure sharing, file sharing, MAC, wd mycloud
macOS might be the easiest platform to install MySQL on. To do so, simply download the MySQL installation package from the MySQL Download site. I like to use the third link (the DMG).
Once downloaded, run the package. The package will ask you a few questions and you can easily just select the default choice during the installation process.
Once installed, you’ll be prompted that a temporary password has been used for your MySQL instance.
The password will get you in the first time, so you can change it. Once you have documented the password, open System Preferences and click on MySQL in the bottom row of System Preference Panes.
Click Start MySQL Server and then when prompted, authenticate to the system. If you’d like to do this programmatically and don’t need the System Preference pane, you can do so with homebrew. If you have homebrew installed, simply run the brew command with the install verb and mysql as the package:
brew install mysql
Whichever way you install MySQL, once installed, you’ll want to set the root password to something other than the intentionally difficult to remember password provided at install time. To do so, first connect to the mysql instance now running on your computer. As the tools are installed in /usr/local/mysql/bin, run the following:
/usr/local/mysql/bin/mysql -u root
Then, set the password using the ALTER statement along with the USER option and then the username followed by IDENTIFIED BY and ultimately the password, as follows:
ALTER USER 'root'@'localhost' IDENTIFIED BY '<new_password>';
Once done, you’ll then be able to connect to mysql normally.
krypted March 18th, 2018
Posted In: Mac OS X, Mac OS X Server
Over the years, I’ve set up dozens of Synology Network Appliances for customers and friends. But I never thought of doing much writing in the NAS space, be it for ReadyNAS, Thecus, Buffalo, etc. The interfaces seemed to change too fast and my focus was always on the management and connectivity of Apple devices. Slowly, over the years, small business servers have gone from being something you could make a decent living from to something that should probably be hosted in the cloud.
Unless you have a design requirement that just can’t work in the cloud. And for that, there are a ton of options. Today we’ll cover the basic setup of a Synology to fill one of those options. Synology has a number of models. There are those that have multiple drive bays that allow you to run a RAID 50 and there are those with just two drive bays, that allow you to run RAID 1, or 0. But most have a similar, and sleek setup process. Start by putting all the drives in the bays and then powering up your device.
When the device comes online, plug in your Ethernet cable (preferably to a gig or 10gig interface) and then open your web browser and go to http://find.synology.com. You’ll see a pretty basic screen with details about the device. Click Connect.
When prompted, click Set Up.
When prompted, install the latest security updates (note: you want to do this before you start sending sensitive credentials over the wire. It’s fast.)
This is important. Those drives you put in that Synology were empty, right? ‘Cause if you proceed here, they better be. Or they will be after. If they are empty, check the box and click OK.
At the “Create your administrator account” screen enter the hostname you want to be given to your server, a username, password, password a second time to make sure, and blood type. Wait, blood type goes on the next screen, so click Next.
Sike! No blood type required. At the superfluous Congratulations screen, click Next again!
At the maintenance window, select a time that the device can install updates and reboot. Also, it’s a good idea to check both of the boxes at the bottom – S.M.A.R.T. tests don’t always save you from catastrophic data loss, but they save you far more often than if you don’t use them. And bad sector warnings aren’t good either. Click Next.
A QuickConnect account allows you to access your server remotely. That’s a great thing to have. If you have one, provide it here; otherwise, give Synology an email address and password and they’ll make it simple to manage your device remotely (which includes grabbing files off it when you’re at work, etc).
Copy that link (although it’s kinda’ easy to remember as it’s QuickConnect.to/<DEVICENAME>).
I’m ok skipping the recommended packages, as I like to have more control of what’s installed on my devices, but if you’re just going to use a Synology as a basic file or Time Machine server and want as few steps as possible here, click Install.
That’s it, click OK to be donezo.
When you finally get into the main screen, notice that it’s kinda’ like a stripped down KDE interface. The main two things to know are Control Panel and Package Center. If you skipped installing some of the packages in the previous step, you’ll do that in Package Center. But first, let’s check out the global device settings by clicking on Control Panel.
At the Control Panel, the main things most users will want to do first are manage accounts and addresses (if you’re going to connect client computers to a file server, for example, you’re gonna’ want a static IP). So let’s click Network to configure a network interface.
The General tab is for configuring your default gateway, upstream name servers, etc. Click Network Interface so we can enter a static address for a LAN interface. But before you do, take note that the Traffic Control tab provides the ability to do some basic traffic shaping if this box is going to run multiple services.
Let’s click on the LAN interface.
Here, you can enter the IP, subnet mask, gateway, and name server. Make sure the IP doesn’t overlap with an existing device or with a DHCP pool. I won’t go into configuring a Synology for VLAN tagging or to be a first class citizen on an 802.1x network, but note that both of those options are available here. Click OK to save your changes.
You didn’t pay good money for this thing for no reason. So next, let’s close these screens and go back to the main screen. Open Package Center.
As you can see, there are a ton more services here than, for example, the built-in services on a macOS Server. And it’s as easy as clicking on the Install button to get started with each.
krypted March 15th, 2018
Posted In: Network Infrastructure
configuration, nas, setup, static ip, Synology
Export macOS Server Data
We’re not going to import this, as it only takes a few seconds to configure new settings. Additionally, if you have outstanding services built on macOS Server, you might be able to pull this off without touching client systems. First, let’s grab which protocols are enabled, running the following from Terminal:
sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:enabled
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:enabled
Next, we’ll get the IP ranges used so we can mimic those (or change them) in the new service:
sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges
Now let’s grab the DNS servers handed out so those can be recreated:
sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:_array_index
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index
Finally, if you’re using L2TP, let’s grab the shared secret:
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue
Once we have all of this information, we can configure the new server using the same settings. At this point, you can decide whether you want to dismantle the old server and setup a new one on the same IP address, or whether you’d rather just change your port forwards on your router/firewall.
Before we configure any VPN services, let’s talk about ports. The following ports need to be opened per The Official iVPN Help Docs (these are likely already open if you’re using a macOS Server to provide VPN services):
- PPTP: TCP port 1723
- L2TP: UDP ports 1701, 4500 and 500
- Enable VPN pass-through on the firewall of the server and client if needed
There are a number of ways to get a VPN Server installed on macOS. One would be to install openvpn:
sudo port -v install openvpn2
OpenVPN has a lot of sweet options, which you can read about at openvpn.net
One of the other tools Apple mentioned is SoftEther. I decided not to cover it here because it uses Wine. And I’m not a fan of Wine.
Or Use iVPN
That will require some work to get dependencies and some working with files and network settings. Another option would be to install iVPN from here, on the Mac App Store. You can install it manually as well, and if you do, you’ll need to pay separately through PayPal, which is what we’ll cover here.
Once installed, if you purchased the license separately, use the Enter Manually button to provide it.
At the Registration screen, make sure the name, email, and serial are entered exactly as you see them in the email you received.
At the Thank You screen, click OK.
At the EULA screen, click Accept, assuming you accept the license agreement.
Configure iVPN
At the main screen, you’ll have a few options, which we’ll unpack here:
- Use Directory Server: Allows you to use an LDAP or Active Directory connection to provide username and passwords to the service.
- Use custom accounts: Allows you to manually enter accounts to provide username and passwords for clients to connect to the
- Shared Secret: The secret, or second factor, used with L2TP connections.
- Allow 40-bit encryption keys: Allows clients to use lower levels of encryption. Let’s not do this.
- IP Address Range: The beginning and ending IP that will be manually handed out to client computers. When configuring the range, take care not to enter a range of addresses in use by any other DHCP services on your network or you will end up with conflicts.
- Basic DNS: Allows you to configure a primary and second DNS server to send to clients via DHCP when they connect to the VPN interface.
- Advanced DNS: Allows you to configure DNS servers as well as Search Domains.
- Configure Static Routes: Allows you to specify the interface and netmask used to access a given IP.
- Export Configuration Profile: Exports a configuration profile. When imported into a Mac or iOS device, that profile automatically configures the connection to the PPTP or L2TP service you’ve setup.
- VPN Host Name: Used for the configuration profile so a client system can easily find the server w
If you configure Directory Authentication, you’ll get prompted that it might be buggy. Click OK here.
The Directory Authentication screen allows you to choose which directory services to make available to PPTP or L2TP. If the system hasn’t been authenticated to a directory server, do so using the “Users & Groups” System Preference pane.
Once you’ve chosen your directory service configuration, if you require a third DNS server, click on Advanced DNS and then enter it, or any necessary search-domains. Click Done when you’re finished.
Click the log button in the upper left-hand side to see the logs for the service. This is super-helpful when you start troubleshooting client connections or if the daemon stops for no good reason (other than the fact that you’re still running a VPN service on macOS Server and so the socket can’t bind to the appropriate network port).
Finally, you can also create a static route. Static routing provides a manually-configured routing entry, rather than information from a dynamic routing traffic, which means you can fix issues where a client can’t access a given IP because it’s using an incorrect network interface to access an IP.
Once everything is configured, let’s enter the publicly accessible IP address or DNS name of the server. Client computers that install the profile will then have their connection to the server automatically configured and will be able to test the connection.
Configure Clients
If you configured the new server exactly as the old one and just forwarded ports to the new host, you might not have to do anything, assuming you’re using the same username and password store (like a directory service) on the back-end. If you didn’t, you can setup new interfaces with a profile. If you pushed out an old profile to configure those, I’d recommend removing it first if any settings need to change. To configure clients, we’ll install the new profile. When you open the profile on a client system (just double-click it to open it), you’ll see the Install dialog box. Here, click on Continue.
Because the profile isn’t signed, you’ll then get prompted again (note: you can sign the profile using another tool, like an MDM or Apple Configurator). Click Continue.
Then enter the username that will be used to connect to the VPN and click the Install button.
The Profile can then be viewed and manually removed if needed.
Click on the new iVPN entry in the Network System Preference pane. Here, you can enable
Now that it’s easy, let’s click the VPN icon in the menu bar and then click on Connect iVPN to test the connection.
Once clients can connect, you can use the iVPN icon in the menu bar to monitor the status of clients.
krypted March 14th, 2018
Posted In: Mac OS X, Mac OS X Server, Mac Security
hoot, Ivpn, l2tp, MAC, macos server, pptp, server, vpn
Hey look, there’s a new category on the Jamf Marketplace, available at https://marketplace.jamf.com/apps/#category=AppConfig, by selecting the AppConfig category. The new AppConfig category gives administrators of any MDM that supports AppConfig access to a set of apps that support AppConfig. If you have an app that isn’t listed here, feel free to let me know.
What does this mean? Well, AppConfig is a way of sending data into an app. App config allows a customer to deploy settings into applications on iOS devices in much the same way that settings can be sent into a Mac app via the defaults command. This means an end user could get an app installed on their device from the iOS App Store, a custom app, or a B2B app and that app would have any settings the user might need to connect to servers or configure the experience.
So what is Managed App Config? At its most basic, you identify a label and a value in XML and send it to an iOS device that’s running iOS 7 or later (e.g. via Jamf 9 and up). The vendor who makes the app has to basically define what those settings are. Which brings up an interesting problem never fully addressed with defaults domains: standardization and ease-of-use (although MCX was close). AppConfig.org is a consortium of MDM vendors and software vendors that maintains the emerging AppConfig standards around Managed App Config (within the confines of what Apple gives vendors) and then makes a feed of settings for apps that conform to those standards. Jamf is a founding member of AppConfig.org, along with MobileIron and AirWatch. Examples of what you could put into the AppConfig.org feed include
- Enabling certain features of apps
- Server URLs
- Logos (if they’re pulled dynamically)
- Text labels
- Language packs
To see a list of apps that are available, check out http://www.appconfig.org.
Managed App Config options are set by vendors at compile time within the code and then the XML sent with the app is parsed by the app at installation time. If you’re a software vendor who wants to get started with AppConfig, check out the Spec Creator from Jamf Research or get in touch with the developer relations team from any MDM vendor.
If you’re a customer of an app and would like to leverage Managed App Config and your vendor isn’t listed on the appconfig.org site, get in touch with them, as this is the future of app management and chances are that you won’t be the only organization looking to unlock this type of feature.
Let’s look at how this actually works. The Managed App Config options per supported app are available on a feed. The feed is available at http://d2e3kgnhdeg083.cloudfront.net. Here, as follows, you’ll see a list of all of the apps supported.
You can then copy the path for an app, such as com.adobe.Adobe-Reader/1/appconfig.xml, and append it to the end of the URL to get the feed for that specific app. You can test this using http://d2e3kgnhdeg083.cloudfront.net/com.adobe.Adobe-Reader/1/appconfig.xml to see output as follows.
Here, note that most of these fields are key value pairs defined by Adobe (in this example at least). You can enable or disable features of Adobe Reader using these keys. The same is true with a tool like Box that might want a more granular collection of settings than a feature like Managed Open In.
Once you have the XML, you can then copy it to the clipboard and paste it into the App Configuration tab of an app, as follows.
Finally, Apple has sample code available at https://developer.apple.com/library/content/samplecode/sc2279/Introduction/Intro.html.
krypted March 13th, 2018
Posted In: iPhone, JAMF
appconfig.org, Apple, automated configuration, configure apps, defaults, ios, managed app config, xml