krypted.com

Tiny Deathstars of Foulness

ACES Conference will be held May 9th to 10th of 2018, just as the ground is fully thawing out in the home of the Wire, Baltimore, Maryland. It’ll be real. It’ll be fun. It’ll be real fun. And after taking the 2017 conference off, I’ll be back there in 2018 to join in the fun. Now I just need to finish my book on consulting before then (I’m like half way there, and winters in Minnesota give a lot of writing opportunities)…

September 20th, 2017

Posted In: Consulting

Tags: , , , , ,

Leave a Comment

September 19th, 2017

Posted In: MacAdmins Podcast

Tags: , , , , ,

Leave a Comment

Startup profiles configure profiles to install at the next boot, rather than immediately. Useful in a number of scenarios. Use the -s to define a startup profile and take note that if it fails, the profile will attempt to install at each subsequent reboot until installed. To use the command, simply add a -s then the -F for the profile and the -f to automatically confirm, as follows (and I like to throw in a -v usually for good measure):

profiles -s -F /Profiles/SuperAwesome.mobileconfig -f -v

And that’s it. Nice and easy and you now have profiles that only activate when a computer is started up.

September 15th, 2017

Posted In: Mac OS X

Tags: , , , , ,

Leave a Comment

The command to create and tear down an Open Directory environment is slapconfig. When you disable Open Directory from the Server app you aren’t actually removing users. To do so, you’d use slapconfig along with the -destroyldapserver. When run, you get a little insight into what’s happening behind the scenes. This results in the following:

bash-3.2# sudo slapconfig -destroyldapserver

The logs are as follows:

2017-09-09 20:59:31 +0000 slapconfig -destroyldapserver 2017-09-09 20:59:31 +0000 Deleting Cert Authority related data 2017-09-09 20:59:31 +0000 Removed directory at path /var/root/Library/Application Support/Certificate Authority/krypted Open Directory Certificate Authority. 2017-09-09 20:59:31 +0000 command: /usr/sbin/xscertadmin add –reason 5 –issuer krypted Open Directory Certificate Authority –serial 1339109282 2017-09-09 20:59:51 +0000 Could not find matching identity in system keychain 2017-09-09 20:59:51 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd.plist 2017-09-09 20:59:51 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd-helper.plist 2017-09-09 20:59:51 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertadmin.plist 2017-09-09 20:59:51 +0000 Stopping LDAP server (slapd) 2017-09-09 20:59:53 +0000 Stopping password server 2017-09-09 20:59:56 +0000 Removed all service principals from keytab for realm MACOSSERVER.KRYPTED.COM 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/entryCSN.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/apple-config-realname.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/memberUid.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/__db.004. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/__db.003. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/apple-hwuuid.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/entryUUID.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/dn2id.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-memberguid.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/sn.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/__db.002. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/__db.005. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/uid.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/objectClass.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/macAddress.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-nestedgroup.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/log.0000000001. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/ipHostNumber.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/ou.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/givenName.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/uidNumber.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/apple-generateduid.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/id2entry.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/DB_CONFIG. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/mail.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/__db.006. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/__db.001. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-realname.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/cn.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/gidNumber.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/altSecurityIdentities.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/entryCSN.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/__db.004. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/__db.003. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/entryUUID.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/dn2id.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/__db.002. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/__db.005. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/objectClass.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/authGUID.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/log.0000000001. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/id2entry.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/DB_CONFIG. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/__db.006. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/__db.001. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalAliases.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalName.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/alock. 2017-09-09 20:59:56 +0000 Removed directory at path /var/db/openldap/authdata. 2017-09-09 20:59:56 +0000 Removed file at path /etc/openldap/slapd_macosxserver.conf. 2017-09-09 20:59:56 +0000 Removed file at path /etc/openldap/slapd.conf. 2017-09-09 20:59:56 +0000 Removed file at path /etc/openldap/rootDSE.ldif. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/dslocal/nodes/Default/groups/com.apple.access_dsproxy.plist. 2017-09-09 20:59:56 +0000 Removed directory at path /etc/openldap/slapd.d/cn=config. 2017-09-09 20:59:56 +0000 Removed file at path /etc/openldap/slapd.d/cn=config.ldif. 2017-09-09 20:59:56 +0000 Removed directory at path /etc/openldap/slapd.d. 2017-09-09 20:59:56 +0000 Removed directory at path /etc/openldap/slapd.d.backup/cn=config. 2017-09-09 20:59:56 +0000 Removed file at path /etc/openldap/slapd.d.backup/cn=config.ldif. 2017-09-09 20:59:56 +0000 Removed directory at path /etc/openldap/slapd.d.backup. 2017-09-09 20:59:59 +0000 Stopping password server 2017-09-09 20:59:59 +0000 Removed file at path /etc/ntp_opendirectory.conf. 2017-09-09 20:59:59 +0000 Removed file at path /Library/Preferences/com.apple.openldap.plist.

September 14th, 2017

Posted In: Mac OS X Server

Tags: , , , , ,

Leave a Comment

September 14th, 2017

Posted In: Uncategorized

Leave a Comment

My latest @Inc article is now online at 

https://www.inc.com/charles-edge/complacency-is-a-curse-heres-how-to-avoid-it.html. This piece focuses on what to do when things are going really good in an organization: more work! 

It starts a little like this:

Running a company can be really hard. But when everything lines up just right, you hit a stride.

The business feels like a well-oiled machine and almost seems to run itself. This is true not just for startup entrepreneurs but also for people who lead departments in larger organizations.

But of course, business is never really easy. Just when you’re riding the wave, a crash always lurks up ahead.

So if you’re fortunate enough to be in a positive place with your business, understand that this is the very time to become uncomfortable and take a hard look at every aspect of the operation.

A business should always be thinking about how to reinvent, even when the revenue is rolling in and morale is high.

September 13th, 2017

Posted In: Articles and Books, Business

Tags: , ,

Leave a Comment

Jamf Pro 9.101 Now Available

 

Jamf is proud to announce zero-day support for macOS High Sierra, iOS 11, and tvOS 11 with the release of Jamf Pro 9.101. In addition to compatibility for all of Apple’s fall operating systems, Jamf Pro 9.101 also includes new features that include the latest payloads, restrictions and MDM commands.

Highlights of what’s new:

macOS High Sierra

  • Zero-touch provisioning of Mac devices with the Apple File System (APFS)
  • Cisco Fast Lane quality of service (QoS) support for apps
  • New security settings and configurations
  • New restrictions, including the ability to defer software updates for up to 90 days

iOS 11

  • An MDM command to upgrade non-DEP supervised devices to iOS 11
  • New restrictions, including AirPrint, manual VPN settings and systems app deletion

tvOS 11

  • Defining Home screen layout on an Apple TV
  • Showing or hiding specific tvOS apps
  • Restricting tvOS media content and ability to modify device name
  • Setting passwords for Apple TV devices to share automatically to specific iPads

Healthcare Listener enhancements and more

In addition to providing pre zero-day support for Apple’s upcoming operating systems, Jamf Pro 9.101 extends the power of the Healthcare Listener to add support for tvOS by making the remote wipe command available for Apple TV devices. Further, Jamf Pro 9.101 includes a new API for Lost Mode, new settings for re-enrollment, and security enhancements for the deployment of in-house iOS apps.

Next steps:

You can download Jamf Pro 9.101 through Jamf Nation in the “My Assets” page. If you’re using a hosted version at jamfcloud.com, the upgrade will be done automatically. If you regularly schedule your upgrade, please contact your Account Representative, Rachel Kjos, at rachel.kjos@jamf.com to schedule your upgrade.

For more information on this release, download the release notes. If you have any questions about this release or anything else, please do not hesitate to reach out.


Download Jamf Pro 9.101 now

September 12th, 2017

Posted In: JAMF

Leave a Comment

DNS is DNS. And named is named. Except in macOS Server. Sometimes. The configuration files for the DNS services in macOS Server are stored in /Library/Server/named. This represents a faux root of named configuration data, similar to how that configuration data is stored in /var/named on most other platforms. Having the data in /Library/Server/ makes it more portable across systems.

The current version of BIND is BIND 9.9.7-P3 (Extended Support Version). This has been the case for a number of macOS Server versions, and can easily be located by doing a cat of the /Library/Server/named/.version file. 

Traditionally, you would edit this configuration data by simply editing the configuration files, and that’s absolutely still an option. In macOS Server 5.2 (for Sierra), a new command is available at /Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework called dnsconfig. The dnsconfig command appears simple at first. However, the options available are actually far more complicated than they initially appear.

The verbs available include:
  • help: show help information
  • list: show the contents of configurations and zone files
  • add: create records and zones
  • delete: remove records and zones
To view data available in the service, use the list verb. Options available when using the list verb include:
  • –acl: show ACLs
  • –view: show BIND view data
  • –zone: show domains configured in the service
  • –rr: show resource records
  • –rrtype: show types of resource records
For example, let’s say you have a domain called pretendco.lan and you would like to view information about that zone. You could use the dnsconfig command along with the list verb and then the –zone option and the domain name:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig list --zone=pretendco.lan

The output would show you information about the listed zone, usually including View data:

Views: com.apple.ServerAdmin.DNS.public Zones: pretendco.lan Options: allow-transfer: none allow-update: none

To see a specific record, use the –rr option, followed by = and then the fqdn, so to see ecserver.pretendco.lan:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig list --rr=ecserver.pretendco.lan

By default views are enabled and a view called com.apple.ServerAdmin.DNS.public is created when the DNS server first starts up. You can create other views to control what different requests from different subnets see; however, even if you don’t create any views, you’ll need to add the –view option followed by the name of the view (–view=com.apple.ServerAdmin.DNS.public) to any records that you want to create. To create a record, use the add verb. You can add a view (–view), a zone (–zone) or a record (–rr). Let’s start by adding a record to the pretendco.lan from our previous example. In this case we’ll add an A record called www that points to the IP address of 192.168.210.201:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig add --view=com.apple.ServerAdmin.DNS.public --zone=pretendco.lan --rr=www A 192.168.210.201

You can add a zone, by providing the –view to add the zone to and not providing a –rr option. Let’s add krypted.lan:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig add --view=com.apple.ServerAdmin.DNS.public --zone=krypted.lan

Use the delete verb to remove the data just created:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig delete --view=com.apple.ServerAdmin.DNS.public --zone=krypted.lan


Or to delete that one www record earlier, just swap the add with a delete:

/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig delete --view=com.apple.ServerAdmin.DNS.public --zone=pretendco.lan --rr=www A 192.168.210.201

Exit codes would be “Zone krypted.lan removed.” and “Removed 1 resource record.” respectively for the two commands. You can also use the –option option when creating objects, along with the following options (each taken as a value followed by an =, with this information taken by the help page):
  • allow-transfer Takes one or more address match list entry. Address match list entries consist of any of these forms: IP addresses, Subnets or Keywords.
  • allow-recursion Takes one or more address match list entry.
  • allow-update Takes one or more address match list entry.
  • allow-query Takes one or more address match list entry.
  • allow-query-cache Takes one or more address match list entry.
  • forwarders Takes one or more IP addresses, e.g. 10.1.1.1
  • directory Takes a directory path
  • tkey-gssapi-credential Takes a kerberos service principal
  • tkey-domain Takes a kerberos realm
  • update-policy Takes one complete update-policy entry where you can grant or deny various matched objects and specify the dentity of the user/machine that is allowed/disallowed to update.. You can also identify match-type (Type of match to be used in evaulating the entry) and match-name (Name used to match) as well as rr-types (Resource record types that can be updated)
Overall, this command is one of the best I’ve seen for managing DNS in a long time. It shows a commitment to continuing to make the service better, when you add records or remove them you can instantly refresh the Server app and see the updates. It’s clear a lot of work went into this and it’s a great tool for when you’re imaging systems and want to create records back on a server or when you’re trying to script the creation of a bulk list of records (e.g. from a cached file from a downed host). It also makes working with Views as easy as I’ve seen it in most platforms and is overall a breeze to work with as compared to using the serveradmin command to populate objects so the GUI doesn’t break when you update records by hitting files directly.

Additionally, you can manage bind in a variety of other ways. There are global settings exposed with the bind -v command:

bind -v


Which returns something similar to the following:

set bind-tty-special-chars on
set blink-matching-paren on
set byte-oriented off
set completion-ignore-case off
set convert-meta off
set disable-completion off
set enable-keypad off
set expand-tilde off
set history-preserve-point off
set horizontal-scroll-mode off
set input-meta on
set mark-directories on
set mark-modified-lines off
set mark-symlinked-directories off
set match-hidden-files on
set meta-flag on
set output-meta on
set page-completions on
set prefer-visible-bell on
set print-completions-horizontally off
set show-all-if-ambiguous off
set show-all-if-unmodified off
set visible-stats off
set bell-style audible
set comment-begin #
set completion-query-items 100
set editing-mode emacs
set keymap emacs

September 10th, 2017

Posted In: Mac OS X Server

Tags: , , , , , , , , , , , ,

Leave a Comment

Server comes with a command called RoomsAdminTool located at /Applications/Server.app/Contents/ServerRoot/usr/bin/RoomsAdminTool. This tool can list available rooms using a -l flag:

RoomsAdminTool -l

You can also create new rooms, using the following format, where krypted is the name of the room, the persistent option means the room is, er, persistent. The description option indicates a description used for the room.

RoomsAdminTool -n krypted -c persistent yes description "This room is for friends of krypted only”

To then delete the room, use the -d option:

RoomsAdminTool -n krypted -d

Add the -v to do it all verbosely. There are lots of other options as well, as follows (from the man page): Valid Configuration Keys and Values:
KEYVALID VALUESDESCRIPTION
descriptionstringA short description for the room
passwordstringDefine a password for room entry. An empty string implies no password required.
membersOnlyyes | noOnly room members are allowed to enter the room.
subjectLockedyes | noAre non-moderators and non-admins prevented from setting the room subject
logFormatDisabled | Text | XHTMLDisable room logging, or enable it using Text or XHTML.
maxUsersinteger; 0 for unlimitedSet the maximum allowed occupants for the room.
moderatedyes | no Make the room "moderated".
nonAnonymousyes | noIf "yes", only moderators/owners can discover occupants' real JIDs.
persistentyes | noPersistent rooms stay open until they are explicitly destroyed and their configuration survives service restarts, unlike non-persistent rooms.
privateMessagesAllowedyes | no Whether or not occupants can exchange private messages within the room.
roomPublicyes | no Defines whether the room be discovered by anyone
subjectstringSet a room subject/topic
usersCanInviteyes | no Defines whether occupants can invite other users to enter the room
addOwnervalid JabberIDMake the specified user a room owner (ex.: admin@krypted.com). Rooms can have multiple owners.
removeOwnervalid JabberIDRemove the specified user from the room owner list
addAdminvalid JabberIDMake the specified user a room admin
removeAdminvalid JabberIDRemove the specified user from the room admin list
addMembervalid JabberIDMake the specified user a room member
removeMembervalid JabberIDRemove the specified user from the room member list
addOutcastvalid JabberIDMake the specified user a room outcast (banned from public rooms)
removeOutcastvalid JabberIDRemove the specified user from the room outcast list
Ultimately, if you’d like to do Student Information System (SIS) integration, or wait for an AD/OD group and then programmatically generate rooms, this is how you’d do it. Also, it’s worth noting that Messages (and so Jabber if you’re running your own server) is a very basic instant messaging tool. There are more modern ways of interacting with others these days, including Slack and Confluence. Additionally, the Messages app can just use the phone number of people to let address books become a way of managing groups you’d like to message. These do not require a dedicated server, but most strategies will require a monthly fee that’s typically per-user.

September 9th, 2017

Posted In: Mac OS X Server

Tags: , , , , ,

Leave a Comment

By default, screenshots are pretty big on a retina display on a High Sierra machine. Like about 4 times the size they should be. I haven’t found a defaults key I can use yet to reduce them, so I’ve been using this little screenshotting app called RetinaCapture, available at https://gumroad.com/l/retinacapture. Basically, when you’re running it, you just open it up and click on the Window button. There, you can select a window to screenshot.
Screen Shot 2015-09-24 at 8.37.33 AM
Once you’ve selected the window, you’ll be prompted to save it somewhere with a name.

Screen Shot 2015-09-24 at 8.38.00 AM

I don’t love having to use any 3rd party apps for my screenshotting workflow. In fact, it bugs the crap out of me. Screens get resized by publishers for books and so I’m really only using this for my site. But, hopefully it helps someone else along the way. Happy screenshotting!

September 8th, 2017

Posted In: Mac OS X, Mass Deployment

Tags: , ,

2 Comments

Next Page »