krypted.com

Tiny Deathstars of Foulness

My latest Huffington Post article, called 20 Constants In Software Development is up. It starts out like this:

There are so many things I wish people had told me when I was in school, or earlier in my career. Things that aren’t variable between organizations you work with, or even teams you work in. So I thought I’d jot a few down of these for software development teams (if only to prove that no, despite what product managers say, you aren’t crazy). So here goes:

  1. A project will never have enough people to build all the features you want. Period.
  2. Less features means fewer defects.
  3. As a software project nears completion the amount of work remaining rises in proportion to how many hacks and shortcuts you took.
Read more…

December 11th, 2017

Posted In: Articles and Books, Programming


December 9th, 2017

Posted In: MacAdmins Podcast


I stepped a little outside of the business and tech sphere and published an article on… sexual misconduct and partisanship. If it’s your kind of thing, it starts out like:

I’m a tech writer. I write about #nerdstuff. As a rule, I don’t write about politics. But this isn’t political. This is about sexual harassment and assault, something we should have zero tolerance for in our politics.

To read more, click here

December 8th, 2017

Posted In: Articles and Books


macOS 10.13 brings changes to sysadminctl. You know those dscl scripts we used to use to create users? No longer supposed to be necessary (luckily they do still work). Now you can create a user with a one-liner, and do other forms of user management, such as enabling FileVault for a given user, or managing the guest accounts. However, you can’t do these tasks as root or via sudo. You have to do so with other admin accounts per Apple kbase HT208171 (in fact, this article has been in my queue waiting for that issue to be fixed – but keep in mind I’m not prefacing these with sudo in the below commands). In the below command, we’ll pass the -addUser option and then use -fullName to fill in the displayed name of the user, -password to send a password to the account and -hint so we can get a password hint into that attribute:

sysadminctl -addUser krypted2 -fullName "Charles Edge" -password testinguser -hint hi

The result would be as follows:

No clear text password or interactive option was specified (adduser, change/reset password will not allow user to use FDE) !
Creating user record…
Assigning UID: 503
Creating home directory at /Users/krypted2


Notice that in the above, the system automatically selected a home directory and UID. We could have passed those as well, using Now let’s use dscl to view the user we just created:

dscl . -read /Users/krypted2

Here’s a snippet of the dscl output:

NFSHomeDirectory: /Users/krypted2
Password: ********
Picture: /Library/User Pictures/Fun/Ying-Yang.png
PrimaryGroupID: 20
RealName: Charles Edge
RecordName: krypted2
RecordType: dsRecTypeStandard:Users
UniqueID: 503
UserShell: /bin/bash


Notice that the above is not the whole record you’d typically find with dscl. But if it were, you would not have the AuthenticationAuthority attribute. To see if it can unlock FileVault we can use the -secureTokenStatus operator built into sysadminctl. Simply pass the RecordName and you’ll get an indication if it’s on or off:

sysadminctl -secureTokenStatus krypted2

The response should be as follows:

Secure token is ENABLED for user Charles Edge

To get just the ENABLED response, we’ll use awk to grab that position (also note that we have to redirect stderr to stdout):

sysadminctl -secureTokenStatus charles.edge 2>&1 | awk '{print$7}'

We could append the AuthenticationAuthority attribute with dscl, as we would need a SecureToken. To get a SecureToken, we’ll use the -secureTokenOn verb:

sysadminctl -secureTokenOn krypted -password mysupersecretpassword

To disable, we’ll use -secureTokenOff:

sysadminctl -secureTokenOff krypted -password mysupersecretpassword

Given that we like to rotate management passwords, we can do so using -resetPasswordFor, which takes a username, with the new password and the hint supplied as -newPassword and -passwordHint respectively:

sysadminctl -resetPasswordFor krypted -newPassword newsupersecretpassword -passwordHint "That was then this is now"

Note: In the above, we quoted the hint, which is supplied using the -passwordHint option. If it was one word we wouldn’t have needed to do so. 

Next, let’s check guest access. You can have guest enabled for logging in, afp, or smb. To check if guest is enabled for one of these use the -guestAccount, -afpGuestAccess, or -smbGuestAccess options. Each has an on, off, and status verb that can be used to manage that account type. So for example, if you wanted to check the status of the guest account, you could use -guestAccount as follows (also note that we have to redirect stderr to stdout):

sysadminctl -guestAccount status 2>&1 | awk '{print$5}'

To then disable if it isn’t already disabled:

sysadminctl -guestAccount Off

You can also use sysadminctl to do a quick check of the encryption state of the boot volume using the -filesystem option (although there’s no on and off verb for this option just yet):

bash-3.2# sysadminctl -filesystem status

2017-12-07 10:37:26.401 sysadminctl[8534:466661] Boot volume CS FDE: NO

2017-12-07 10:37:26.434 sysadminctl[8534:466661] Boot volume APFS FDE: YES
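
The status checks above pick a value out by awk field position, which shifts if the log prefix is absent or the output wording changes. As an added example (not code from the original post), the functions below match the message text instead and return UNKNOWN for anything unrecognised. The sample lines are constructed from the output formats shown in this post; the function names and the DISABLED wording are assumptions.

```shell
#!/bin/sh
# Added example: read sysadminctl status output by pattern instead of by
# awk field position, so a missing log prefix or a multi-word full name
# cannot shift the value being checked.

# Constructed sample input, modelled on the output shown in this post.
SAMPLE_TOKEN='2017-12-07 10:37:26.401 sysadminctl[8534:466661] Secure token is ENABLED for user Charles Edge'
SAMPLE_FS='2017-12-07 10:37:26.401 sysadminctl[8534:466661] Boot volume CS FDE: NO
2017-12-07 10:37:26.434 sysadminctl[8534:466661] Boot volume APFS FDE: YES'

# stdin: output of `sysadminctl -secureTokenStatus <user> 2>&1`
# stdout: ENABLED, DISABLED or UNKNOWN (DISABLED wording is an assumption)
secure_token_state() {
    _st=$(sed -n 's/.*Secure token is \([A-Z]*\) for user .*/\1/p' | head -n 1)
    case "$_st" in
        ENABLED|DISABLED) echo "$_st" ;;
        *) echo "UNKNOWN" ;;
    esac
}

# stdin: output of `sysadminctl -filesystem status 2>&1`
# stdout: YES if any boot volume line reports FDE, NO if none do,
#         UNKNOWN if no recognisable line was seen
boot_volume_encrypted() {
    _fde=$(sed -n 's/.*Boot volume [A-Za-z]* FDE: \([A-Z]*\).*/\1/p')
    case "$_fde" in
        *YES*) echo "YES" ;;
        *NO*)  echo "NO" ;;
        *)     echo "UNKNOWN" ;;
    esac
}

# Offline demonstration on the constructed samples.
echo "sample secure token: $(printf '%s\n' "$SAMPLE_TOKEN" | secure_token_state)"
echo "sample boot volume FDE: $(printf '%s\n' "$SAMPLE_FS" | boot_volume_encrypted)"

# Live check, only where sysadminctl exists (macOS 10.13 or later).
if command -v sysadminctl >/dev/null 2>&1; then
    user=${1:-$(id -un)}
    echo "secure token ($user): $(sysadminctl -secureTokenStatus "$user" 2>&1 | secure_token_state)"
    echo "boot volume FDE: $(sysadminctl -filesystem status 2>&1 | boot_volume_encrypted)"
fi
```

A compliance script can treat UNKNOWN as a failure, so a change in output format is flagged rather than silently read as a pass.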

The help page is as follows:

Usage: sysadminctl
    [[interactive] || [-adminUser -adminPassword ]]
    -deleteUser [-secure || -keepHome]
    -newPassword -oldPassword [-passwordHint ]
    -resetPasswordFor -newPassword [-passwordHint ]
    -addUser [-fullName ] [-UID ] [-shell ] [-password ] [-hint ] [-home ] [-admin] [-picture ]
    -secureTokenStatus
    -secureTokenOn -password
    -secureTokenOff -password
    -guestAccount
    -afpGuestAccess
    -smbGuestAccess
    -automaticTime
    -filesystem status
Pass '-' instead of password in commands above to request prompt.

Why should you switch to sysadminctl for scripts? Entitlements and I’m sure this is how mdmclient will pass management commands in the future… Why should you not? You can’t run most of it as root…

December 7th, 2017

Posted In: Mac OS X, Mac Security, Mass Deployment


December 5th, 2017

Posted In: MacAdmins Podcast


My latest piece on Inc.com was 6 Ways to Win Friends and Influence People as a New Manager
It starts a bit like:

Call it the New Sheriff in Town Syndrome.

You’re a new manager at an established company or your own startup. You think of yourself as a fixer, so you quickly set out to implement changes or new processes, often bringing in ideas from your old company.

Whoops.

While making improvements should be the goal of any manager, you need to be careful. It’s easy to come across as over-aggressive and disruptive, and you could end up alienating many of your colleagues.

To read more…

December 1st, 2017

Posted In: Articles and Books, Small Business


My latest article is now available on Huffington Post. It goes a bit like this:

Source code is a collection of computer commands and comments written in a programming language, like Java, C or Swift. When compiled, the raw source code is then no longer human readable but runs very efficiently. Because compiled code isn’t easily disassembled, people cannot create their own versions of the software.

That Was Then…

Once upon a time, organizations needed a copy of source code, in case a software vendor went out of business. Software vendors didn’t want to give up source code, but no one can ever guarantee they won’t go out of business. So much like putting funds into an account in a real estate deal, this allowed organizations to trust that they could get access to source for mission critical apps in the event that the software vendor went under. I remember working with one such organization back in the 90s.

To read more, click here…

November 30th, 2017

Posted In: Articles and Books


What do you do when iTunes launches with an error that a file is missing? Reinstall it. But if it isn’t in the Mac App Store, how do you do that?

Easy peasy. Go to https://www.apple.com/itunes/download/ provide an email address and click on download. Once downloaded, run the package installer and you’re done. 

November 20th, 2017

Posted In: Mac OS X

November 19th, 2017

Posted In: JAMF, MacAdmins Podcast


November 16th, 2017

Posted In: public speaking
