krypted.com

Tiny Deathstars of Foulness

There is a new service in macOS 10.12.4 called Tetherator. It comes with a script, tethered-caching, that lets you quickly interact with the tethered-caching service and has a few useful options. The service runs on a client Mac rather than on macOS Server, and it noticeably speeds up bulk provisioning of tethered iOS devices, since the content they pull is cached locally. It can also check for the presence of a macOS Caching Server on the network and use that as a source for its own cache. The script is located at /usr/bin/tethered-caching.

Before you do anything with the service, check its status. That is done with the -s option (add -v for verbose output):

tethered-caching -s

Before activation, the results should look like this:

2017-02-28 10:44:45.730 AssetCacheTetheratorUtil[3665:182657] Tetherator is disabled: (no error)
2017-02-28 10:44:45.746 AssetCacheActivatorUtil[3666:182664] Built-in caching server can be activated.
2017-02-28 10:44:45.762 AssetCacheActivatorUtil[3667:182673] Built-in caching server is deactivated: (no error)

Then start the service with the -n option, passing the network range it should serve:

tethered-caching -n 192.168.1.0

This sets the ListenRanges key in the plist and should produce an activation sequence like the following:

Starting tethered caching…
2017-02-28 10:47:59.691 AssetCacheActivatorUtil[3848:192902] Built-in caching server can be activated.
2017-02-28 10:47:59.706 AssetCacheActivatorUtil[3849:192910] Built-in caching server is deactivated: (no error)
Filtering the log data using "subsystem == "com.apple.AssetCache" AND messageType == 16"
Timestamp (process)[PID]
2017-02-28 10:48:05.098735-0600 localhost AssetCache[2882]: [com.apple.AssetCache.builtin] Built-in Caching Server activated. Exiting to allow re-launch.
2017-02-28 10:48:05.207493-0600 localhost AssetCache[2882]: [com.apple.AssetCache.builtin] Built-in Caching Server shutting down (0)
2017-02-28 10:48:07.362926-0600 localhost AssetCache[3862]: [com.apple.AssetCache.builtin] Built-in Caching Server version 170 started
2017-03-02 10:45:53.753 AssetCacheTetheratorUtil[29283:2526186] Tetherator enabled.
Started tethered caching. To stop it, press control+c once.

Behind the scenes, the script calls /usr/bin/AssetCacheLocatorUtil to look for an existing caching server, then AssetCacheActivatorUtil and AssetCacheTetheratorUtil (both visible in the output above) to activate and enable the built-in server, which runs as /usr/libexec/AssetCache/AssetCache. Logging for these components is configured by the unified-logging subsystem plist at /System/Library/Preferences/Logging/Subsystems/com.apple.AssetCacheServices.plist, which defaults read shows as:

{
    Activator = {};
    "DEFAULT-OPTIONS" = {
        "Default-Privacy-Setting" = Public;
        "Enable-Oversize-Messages" = 1;
        "Event-Log" = { Enabled = Inherit; };
        Level = { Enable = Inherit; Persist = Inherit; };
        TTL = { Debug = 0; Default = 10; Info = 10; };
    };
    Daemon = {};
    Extensions = {};
    Framework = {};
    Tetherator = {};
}

The AssetCache preferences themselves live in /Library/Preferences/com.apple.AssetCache.plist; reading that file with defaults read shows:

Activated = 0;
CacheLimit = 0;
DataPath = "/Library/Caches/com.apple.AssetCache";
LastConfigData = ;
LastConfigURL = "http://suconfig.apple.com/resource/registration/v1/config.plist";
LastPort = 50775;
ListenRanges = ({first = "192.168.1.1";last = "192.168.1.254";});
ListenRangesOnly = 1;
LocalSubnetsOnly = 0;
PeerLocalSubnetsOnly = 1;
Port = 0;
PublicRanges = automatic;
ReservedVolumeSpace = 2000000000;
SavedCacheDetails = {};
SavedCacheDetailsOrder = ("Mac Software","iOS Software","Apple TV Software",iCloud,Books,"iTunes U",Movies,Music,Other);
SavedCacheDetailsStrings = {All the language keys as arrays - which I cut out to truncate the contents of the plist read};
SavedCacheSize = 0;
ServerGUID = "C5F29418-6158-4D3B-9162-XXX";
Version = 1;

Note that the LastConfigData value above is fetched at activation by curling the LastConfigURL, http://suconfig.apple.com/resource/registration/v1/config.plist (plain http, as shown). I've truncated the key as it's kinda' long…

A change you will commonly want is to increase the size of the cache. To do so, write the number of bytes you want the cache to hold into the CacheLimit key. In the following example we set CacheLimit in AssetCache.plist to 100 GB (100000000000 bytes); the plist is root-owned, so the write needs sudo:

sudo defaults write /Library/Preferences/com.apple.AssetCache.plist CacheLimit -int 100000000000

There's also com.apple.AssetCache.builtin.plist in /Library/LaunchDaemons, which launches the built-in AssetCache, AssetCacheC and CacheDelete services.

Once started, you will have a sqlite3 database called AssetInfo.db in /Library/Caches/com.apple.AssetCache. It is a Core Data store (hence the Z_ prefixes), with the following tables:

  • ZAFFINITY with the following columns: Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZLASTSAVED TIMESTAMP, ZID VARCHAR
  • ZASSET with the following columns: Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZMD5OFFSET INTEGER, ZTOTALBYTES INTEGER, ZCREATIONDATE TIMESTAMP, ZLASTACCESSED TIMESTAMP, ZCHECKSUM VARCHAR, ZGUID VARCHAR, ZINDEX VARCHAR, ZLASTMODIFIEDSTRING VARCHAR, ZNAMESPACE VARCHAR, ZURI VARCHAR, ZMD5CONTEXT BLOB
  • Z_METADATA with the following columns: Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255), Z_PLIST BLOB
  • Z_MODELCACHE with just the Z_CONTENT column
  • Z_PRIMARYKEY with the following columns: Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER

Once enabled, updates are cached on the computer the service runs on, their metadata is stored in the database above, and the Port and ListenRanges keys in the plist can be changed when the network requires it.
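To see what a tethered cache is actually holding, the ZASSET table above is the one to query. The following is an added example (not code from the original post or from Apple): it summarizes asset count, total size, size per namespace and the least recently used asset, and compares the total with a CacheLimit value. Because the verifier cannot read a live cache, make_sample_db() builds a throwaway copy of the ZASSET schema with constructed rows; point summarize_cache() at /Library/Caches/com.apple.AssetCache/AssetInfo.db (as root) for the real thing. Assumptions inferred from the column names rather than documented: ZTOTALBYTES is the asset's size on disk, ZNAMESPACE groups assets by content type, ZLASTACCESSED is a Core Data date (seconds since 2001-01-01 UTC), and CacheLimit = 0 means unlimited.

```python
#!/usr/bin/env python3
"""Inventory a Caching Server's AssetInfo.db (added example, see the lead-in)."""
import os
import sqlite3
import sys
import tempfile
from datetime import datetime, timedelta, timezone

# Core Data stores NSDate values as seconds since this reference date.
CORE_DATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Columns of ZASSET as listed above; the other tables are not needed here.
ZASSET_DDL = """
CREATE TABLE ZASSET (
    Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER,
    ZMD5OFFSET INTEGER, ZTOTALBYTES INTEGER,
    ZCREATIONDATE TIMESTAMP, ZLASTACCESSED TIMESTAMP,
    ZCHECKSUM VARCHAR, ZGUID VARCHAR, ZINDEX VARCHAR,
    ZLASTMODIFIEDSTRING VARCHAR, ZNAMESPACE VARCHAR, ZURI VARCHAR,
    ZMD5CONTEXT BLOB
)"""

# Constructed sample rows: (namespace, uri, bytes, last-accessed Core Data seconds).
SAMPLE_ASSETS = [
    ("Mac Software", "/macos/example-update.pkg", 3_000_000_000, 505_000_000.0),
    ("iOS Software", "/ios/example-update.zip", 1_200_000_000, 506_000_000.0),
    ("iOS Software", "/ios/example-app.ipa", 50_000_000, 507_000_000.0),
]


def make_sample_db(path=None):
    """Create a throwaway AssetInfo.db lookalike and return its path."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "AssetInfo.db")
    con = sqlite3.connect(path)
    with con:
        con.execute(ZASSET_DDL)
        con.executemany(
            "INSERT INTO ZASSET (Z_ENT, Z_OPT, ZNAMESPACE, ZURI, ZTOTALBYTES, ZLASTACCESSED)"
            " VALUES (1, 1, ?, ?, ?, ?)",
            SAMPLE_ASSETS,
        )
    con.close()
    return path


def core_data_date(seconds):
    """Convert a Core Data timestamp to an ISO 8601 string (None stays None)."""
    if seconds is None:
        return None
    return (CORE_DATA_EPOCH + timedelta(seconds=seconds)).isoformat()


def summarize_cache(db_path):
    """Return asset count, total bytes, per-namespace bytes and the stalest asset."""
    # Open read-only: never write to a store the daemon is using.
    con = sqlite3.connect("file:%s?mode=ro" % db_path, uri=True)
    try:
        assets, total = con.execute(
            "SELECT COUNT(*), COALESCE(SUM(ZTOTALBYTES), 0) FROM ZASSET").fetchone()
        by_namespace = dict(con.execute(
            "SELECT ZNAMESPACE, SUM(ZTOTALBYTES) FROM ZASSET GROUP BY ZNAMESPACE"))
        stalest = con.execute(
            "SELECT ZURI, ZLASTACCESSED FROM ZASSET ORDER BY ZLASTACCESSED ASC LIMIT 1"
        ).fetchone()
    finally:
        con.close()
    return {
        "assets": assets,
        "total_bytes": total,
        "by_namespace": by_namespace,
        "stalest_uri": stalest[0] if stalest else None,
        "stalest_accessed": core_data_date(stalest[1]) if stalest else None,
    }


def bytes_over_limit(summary, cache_limit):
    """Bytes by which the cache exceeds CacheLimit; 0 means unlimited (assumption)."""
    if cache_limit == 0:
        return 0
    return max(0, summary["total_bytes"] - cache_limit)


if __name__ == "__main__":
    db = sys.argv[1] if len(sys.argv) > 1 else make_sample_db()
    s = summarize_cache(db)
    print("%d assets, %.2f GB total" % (s["assets"], s["total_bytes"] / 1e9))
    for ns, size in sorted(s["by_namespace"].items()):
        print("  %-16s %.2f GB" % (ns, size / 1e9))
    print("stalest: %s (last accessed %s)" % (s["stalest_uri"], s["stalest_accessed"]))
```

Run it with the path to a live AssetInfo.db as the only argument, or with no argument to see it against the constructed sample. Opening the store with mode=ro matters: the daemon owns that file, and a stray write from a diagnostic script is a good way to corrupt a cache.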

March 27th, 2017

Posted In: Apple Configurator, Apple TV, Apple Watch, iPhone, JAMF, Mac OS X, Mac OS X Server, Mass Deployment, precache


When using Apple Configurator, you can assign an existing supervision identity to be used with devices you place into supervision. To do so, first open Apple Configurator and click on Organizations.


From Organizations, click on the plus sign (“+”).


From the Create an Organization screen, click Next.


When prompted to provide information about your organization, provide the name, phone, email, and/or address of the organization.


If you are importing an identity, select “Choose an existing supervision identity” and click on Next.


When prompted, click Choose to select the identity to use (e.g. exported from another instance of Apple Configurator or from Profile Manager).


Click Choose when you’ve highlighted the appropriate certificate.


Click Done. The identity you just imported contains a private key: any machine holding a copy of it can pair with and manage the devices supervised under it, so keep the exported file under the same control as the devices themselves.

August 23rd, 2016

Posted In: Apple Configurator, iPhone


Looks like Sal et al posted a suite of Automator Actions to link the Casper Suite to Apple Configurator at https://configautomation.com/jamf-actions.html. In my limited tests so far they work pretty darn well!


Some pretty cool things here, like having the JSS rename a mobile device when managed through Apple Configurator, having Apple Configurator instruct the JSS to remove a device from a group, clear passcodes, update inventory, and other common tasks involved in workflows when leveraging Apple Configurator for en masse device management. Good stuff!

July 14th, 2016

Posted In: Apple Configurator, iPhone, JAMF


The use and complexity of technological assets in the healthcare sector have been rising. Healthcare practitioners have moved from recording data manually to keeping Electronic Health Records (EHRs), which makes data more accessible and available to practitioners. Electronically stored data also makes it possible for patients to receive higher-quality, less error-prone care, improves decision making because medical history is at hand, and provides safer and more reliable information for medication. Despite the numerous advantages of technology in healthcare, the threat of patient data leakage lingers. According to research by Garrison and Posey (2012), medical identity theft has far greater consequences than typical identity theft: on average each case costs around $20,000 and represents a substantial privacy violation. For this reason and more, it is important for healthcare institutions to protect patient data by securing the technological assets within the institution. This article explores the different methods used to secure those assets, with an emphasis on mobile devices.

The first method is limiting access to the electronic health records to only those individuals who need it. Gajanayake et al. (2014) describe different models for limiting access to the records. The first step is authentication, which requires users to verify their identity. This can be achieved by giving authorized individuals unique credentials and, where warranted, by biometric verification. This step greatly reduces the possibility of unauthorized access to the technological assets. The second step is to limit the type of information each user may access, which is done with an access control model. Models that have been proposed include Discretionary Access Control (DAC), Mandatory Access Control (MAC) and Role Based Access Control (RBAC). Under DAC the owner of a record decides who may read, write or execute it; MAC assigns security labels to information and to users and lets a central policy, rather than the owner, decide access; RBAC grants rights and permissions according to the roles an individual holds. These models apply to the security of electronic data. Other assets, such as hardware, can be protected physically by limiting access to the rooms where they are stored and the locations in which they may be used. Limiting access ensures that those who are not authorized to see the information are locked out of the database, and so it is an important strategy in protecting patients' data.

The second method is carrying out regular audits of the electronic system and of the individuals handling the technological assets. Audit controls record and examine activity that involves access to and use of patients' data. This can be integrated into the Electronic Health Record (EHR) system or used to monitor the physical movements of the individuals who have access to the records. In addition, HIPAA requires that health institutions using an EHR system run audit trails and keep documentation of them (Hoffman & Podgurski, 2007). The information collected includes the content accessed, the duration and the user, recorded in audit logs that make it easy to identify inconsistencies in the system (Dekker & Etalle, 2007). The area where the hardware is used should also be monitored, for instance with recorded video of the individuals using the system, which can likewise be audited regularly with any inconsistencies noted (Ozair et al., 2015). Auditing the technology assets of a healthcare institution monitors daily use of the system and allows abnormal activity that may endanger patients' data to be identified.

The third method is setting up policies and standards that safeguard patients' data. These policies may vary from one institution to another. For instance, employees should be prohibited from sharing their passwords and IDs, and they should always log out of their accounts after using the system. Authorized individuals should be properly trained on these policies so that they understand their importance. In addition, the policies should carry consequences for users who breach them, which encourages compliance. A consistent set of policies and standards ensures uniformity in the protection of patients' data (Ozair et al., 2015).

The fourth method is applying security measures to the software and the hardware. Software and data can be protected with encryption, firewalls and antivirus software, and intrusion detection systems can be integrated into the environment to spot attackers who get past those controls. These measures protect the data from individuals who intend to break into the system over the network and use the information for malicious purposes. Hardware can be protected by placing security guards at the locations where patients' data is stored, so that no unauthorized person gains access to the area and nobody tampers with or steals the equipment. This keeps the hardware safe from intruders and people with malicious intent.

Protecting patient data starts with the software systems that house the data. Access to the databases that warehouse patient data must be limited to those who need it, and access to each record must, at a minimum, be logged and routinely audited. Data should only reside where necessary, which means it should not be stored at rest on devices. For Apple devices, device management tools such as the Casper Suite from JAMF Software help keep end users from moving data out of the software that provides access to patient data, and if data does leak onto unprotected parts of a device, the device can be locked or wiped when it falls outside the control of a care giver. Finally, the integrity of devices must be maintained: jailbroken devices should not be used, devices and the software on them should always be kept up to date, and strong security policies should be enforced, including automatic lock of unattended devices and strong password or PIN code policies.

In summary, the protection of patients' data in this technological era should be a priority. Given the frequency of leaks and losses of private patient information and the losses they cause, more should be invested in maintaining the privacy and confidentiality of data. This can be achieved by controlling access to electronic data and the devices that hold it, carrying out regular audits of access to the system, creating policies and procedures that ensure data is secure, and finally by putting in place security measures that guard against loss and leakage of information. All of these measures help reduce the risk to patients' data and maintain their privacy and confidentiality, which is the main agenda.

REFERENCES

Dekker, M. A. C., & Etalle, S. (2007). Audit-based access control for electronic health records. Electronic Notes in Theoretical Computer Science, 168, 221-236.

Hoffman, S., & Podgurski, A. (2007). Securing the HIPAA security rule. Journal of Internet Law, Spring, 06-26.

Garrison, C. P., & Guy Posey, O. (2012). Medical identity theft: Consequences, frequency, and the implication of electronic health records and data breaches. International Journal of Social Health Information Management, 5(11).

Gajanayake, R., Iannella, R., & Sahama, T. (2014). Privacy oriented access control for electronic health records. Electronic Journal of Health Informatics, 8(2), 15.

Ozair, F. F., Jamshed, N., Sharma, A., & Aggarwal, P. (2015). Ethical issues in electronic health records: A general overview. Perspectives in Clinical Research, 6(2), 73.


June 29th, 2016

Posted In: Apple Configurator, Business, iPhone, Mac OS X, Mac OS X Server, Small Business


An hour into my first Reddit AMA with some super-excellent JAMFs!

AMA w/ Charles Edge and the Apple management experts at JAMF Software from macsysadmin

June 24th, 2016

Posted In: Apple Configurator, Articles and Books, Business, iPhone, JAMF, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


Last week, I gave a presentation on criteria for evaluating partners, managing revenue streams and partner channel programs. The presentation, given on May 4th, is available below.


The file is ACES_Partners


May 12th, 2016

Posted In: Active Directory, Apple Configurator, Bushel


Apple Configurator 2 is a great tool, but you need to debug things from time to time. That might mean a profile is misconfigured and won't install, or a device can't perform a task you sent it. This is the point at which you need to enable debug logging. To do so, quit Apple Configurator and then write the string ALL into the ACULogLevel key in ~/Library/Containers/com.apple.configurator.ui/Data/Library/Preferences/com.apple.configurator.ui.plist:

defaults write ~/Library/Containers/com.apple.configurator.ui/Data/Library/Preferences/com.apple.configurator.ui.plist ACULogLevel -string ALL

To disable, quit Apple Configurator and then delete that ACULogLevel key:

defaults delete ~/Library/Containers/com.apple.configurator.ui/Data/Library/Preferences/com.apple.configurator.ui.plist ACULogLevel

April 19th, 2016

Posted In: Apple Configurator, iPhone


The Caching Server in OS X Server is a bit of a black box, but it's not all that complicated compared to some things in the IT world. I'd previously written about command line management of the service itself here. When you enable the caching service, the server registers itself with Apple as a valid Caching Server. Nearby devices then ask Apple for the closest caching server and use it; the server identifies itself by a GUID, which you can read with:

/Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings caching:ServerGUID

Then, each time a device looks for an update, it fetches http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml and picks the entry matching its device model. I noticed this from this line in my proxy logs:

"GET http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1" 200 - "-" "MobileAsset/1.0"

Say the device is an iPad2,7. The following entry is then used for the update. Its download URL, http://appldnld.apple.com/iOS9.3.1/031-56322-20160331-F8B29F9E-F68D-11E5-AF11-0744ED25FABD/com_apple_MobileAsset_SoftwareUpdate/1c02ea51b4d2d50b04526c4ec29780b8e02dfe76.zip, is the __BaseURL string followed by the __RelativePath string:

<dict>
<key>ActualMinimumSystemPartition</key>
<integer>1965</integer>
<key>Build</key>
<string>13E6238</string>
<key>InstallationSize</key>
<string>0</string>
<key>MinimumSystemPartition</key>
<integer>2017</integer>
<key>OSVersion</key>
<string>9.3.1</string>
<key>ReleaseType</key>
<string>Beta</string>
<key>SUDocumentationID</key>
<string>iOS931GM</string>
<key>SUInstallTonightEnabled</key>
<true/>
<key>SUMultiPassEnabled</key>
<true/>
<key>SUProductSystemName</key>
<string>iOS</string>
<key>SUPublisher</key>
<string>Apple Inc.</string>
<key>SupportedDeviceModels</key>
<array>
<string>P107AP</string>
</array>
<key>SupportedDevices</key>
<array>
<string>iPad2,7</string>
</array>
<key>SystemPartitionPadding</key>
<dict>
<key>1024</key>
<integer>1280</integer>
<key>128</key>
<integer>1280</integer>
<key>16</key>
<integer>160</integer>
<key>256</key>
<integer>1280</integer>
<key>32</key>
<integer>320</integer>
<key>512</key>
<integer>1280</integer>
<key>64</key>
<integer>640</integer>
<key>768</key>
<integer>1280</integer>
<key>8</key>
<integer>80</integer>
</dict>
<key>_CompressionAlgorithm</key>
<string>zip</string>
<key>_DownloadSize</key>
<integer>1164239508</integer>
<key>_EventRecordingServiceURL</key>
<string>https://xp.apple.com/report</string>
<key>_IsZipStreamable</key>
<true/>
<key>_Measurement</key>
<data>Rfrw7jNYWH8xNS67pXoq7NEhpUI=</data>
<key>_MeasurementAlgorithm</key>
<string>SHA-1</string>
<key>_UnarchivedSize</key>
<integer>1235575808</integer>
<key>__AssetDefaultGarbageCollectionBehavior</key>
<string>NeverCollected</string>
<key>__BaseURL</key>
<string>http://appldnld.apple.com/iOS9.3.1/031-56322-20160331-F8B29F9E-F68D-11E5-AF11-0744ED25FABD/</string>
<key>__CanUseLocalCacheServer</key>
<true/>
<key>__QueuingServiceURL</key>
<string>https://ns.itunes.apple.com/nowserving</string>
<key>__RelativePath</key>
<string>com_apple_MobileAsset_SoftwareUpdate/1c02ea51b4d2d50b04526c4ec29780b8e02dfe76.zip</string>
</dict>

You can use these dictionaries to assemble the download path for every entry that lists iPad2,7 in its SupportedDevices key, or for every entry with a given OSVersion string, 9.3.1 in this case. You could curl those updates down to a client directly, or request them through the caching service, which caches them on the Caching Server. In that case the request goes to the IP of the server (e.g. 10.1.1.2) as http://10.1.1.2:55491/iOS9.3.1/031-56322-20160331-F8B29F9E-F68D-11E5-AF11-0744ED25FABD/1c02ea51b4d2d50b04526c4ec29780b8e02dfe76.zip?source=appldnld.apple.com

I found the above URL using a reverse proxy. It is built from an http request to the IP address of the caching server followed by its port, which you get from serveradmin by querying the caching:Port setting:

/Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings caching:Port

In this example the URL therefore starts as

http://10.1.1.2:55491/

The __BaseURL is then split in two: its host, appldnld.apple.com, moves into a ?source= query parameter. Without any path, the URL would be:

http://10.1.1.2:55491?source=appldnld.apple.com

Now add the path portion of __BaseURL:

http://10.1.1.2:55491/iOS9.3.1/031-56322-20160331-F8B29F9E-F68D-11E5-AF11-0744ED25FABD?source=appldnld.apple.com

And the final step is to append the zip file name:

http://10.1.1.2:55491/iOS9.3.1/031-56322-20160331-F8B29F9E-F68D-11E5-AF11-0744ED25FABD/1c02ea51b4d2d50b04526c4ec29780b8e02dfe76.zip?source=appldnld.apple.com

Voilà. Curl that and the caching server will download the update and have it ready for clients. Note that both the catalog and the download travel over plain http; the _Measurement value in the catalog entry (a SHA-1 digest, per _MeasurementAlgorithm) is what a downloaded archive should be checked against. Cached assets are stored in the directory returned by:

/Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings caching:DataPath
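The URL rewriting walked through above, carried out in code, as an added example (not code from the original post or from Apple). It parses the catalog format shown above with plistlib, filters entries by device or OSVersion, rewrites __BaseURL + __RelativePath into the http://<server>:<port>/<path>/<file>?source=<host> form observed above, and checks a downloaded archive against the entry's _Measurement. Assumptions: the catalog wraps entries in a top-level Assets array; _Measurement is the SHA-1 of the archive itself (the catalog only states the algorithm); the com_apple_MobileAsset_SoftwareUpdate/ directory of __RelativePath is dropped and only the file name appended, exactly as in the URL observed above; and 10.1.1.2 / 55491 are the example server address and port from this post.

```python
#!/usr/bin/env python3
"""Caching Server URL rewriting and archive verification (added example)."""
import hashlib
import hmac
import plistlib
from urllib.parse import urlsplit

# Trimmed copy of the iPad2,7 entry above, wrapped in the Assets array the
# catalog is assumed to use; only the keys this code needs are kept.
SAMPLE_CATALOG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Assets</key>
  <array>
    <dict>
      <key>Build</key><string>13E6238</string>
      <key>OSVersion</key><string>9.3.1</string>
      <key>SupportedDevices</key><array><string>iPad2,7</string></array>
      <key>_DownloadSize</key><integer>1164239508</integer>
      <key>_Measurement</key><data>Rfrw7jNYWH8xNS67pXoq7NEhpUI=</data>
      <key>_MeasurementAlgorithm</key><string>SHA-1</string>
      <key>__CanUseLocalCacheServer</key><true/>
      <key>__BaseURL</key><string>http://appldnld.apple.com/iOS9.3.1/031-56322-20160331-F8B29F9E-F68D-11E5-AF11-0744ED25FABD/</string>
      <key>__RelativePath</key><string>com_apple_MobileAsset_SoftwareUpdate/1c02ea51b4d2d50b04526c4ec29780b8e02dfe76.zip</string>
    </dict>
  </array>
</dict>
</plist>
"""


def parse_catalog(data):
    """Return the list of asset dicts from a MobileAsset catalog plist."""
    return plistlib.loads(data)["Assets"]


def select_assets(assets, device=None, os_version=None):
    """Filter entries by device identifier (e.g. iPad2,7) and/or OSVersion."""
    return [
        a for a in assets
        if (device is None or device in a.get("SupportedDevices", []))
        and (os_version is None or a.get("OSVersion") == os_version)
    ]


def origin_url(asset):
    """Apple's own download URL: __BaseURL followed by __RelativePath."""
    return asset["__BaseURL"] + asset["__RelativePath"]


def cache_url(asset, server_ip, server_port):
    """Rewrite an entry's download URL to go through a Caching Server.

    The host of __BaseURL moves into ?source=, its path is requested from the
    caching server's IP and port, and the archive file name is appended.
    Entries without __CanUseLocalCacheServer keep the origin URL (assumption
    based on the key's name).
    """
    if not asset.get("__CanUseLocalCacheServer", False):
        return origin_url(asset)
    base = urlsplit(asset["__BaseURL"])
    filename = asset["__RelativePath"].rsplit("/", 1)[-1]
    return "http://%s:%d%s%s?source=%s" % (
        server_ip, server_port, base.path, filename, base.hostname)


def sha1_digest(data):
    """Raw SHA-1 digest, the form plistlib gives back for the <data> element."""
    return hashlib.sha1(data).digest()


def verify_measurement(archive, asset):
    """True if the archive bytes match the entry's _Measurement (SHA-1 only)."""
    if asset.get("_MeasurementAlgorithm") != "SHA-1":
        return False
    expected = asset["_Measurement"]  # plistlib decodes <data> to bytes
    return hmac.compare_digest(sha1_digest(archive), expected)


if __name__ == "__main__":
    for asset in select_assets(parse_catalog(SAMPLE_CATALOG), device="iPad2,7"):
        print(asset["OSVersion"], asset["Build"])
        print("  origin:", origin_url(asset))
        print("  cache: ", cache_url(asset, "10.1.1.2", 55491))
```

Fetch the catalog with curl, feed the bytes to parse_catalog(), and cache_url() gives you the request to send to the server for every matching entry. Because everything arrives over plain http, run verify_measurement() on whatever the caching server hands back before trusting it; a mismatch means the archive was altered or truncated in transit, or the cache is serving the wrong object.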

April 18th, 2016

Posted In: Apple Configurator, Mac OS X, Mac OS X Server, Mac Security


Below is a listing of all the profile payloads that you see listed when using the Profile Manager web interface as well as their corresponding keys in the mobileconfig files. You can use these to generate profile keys programmatically:

Distribution Type:
Automatic Push
Manual Download

Organization: PayloadOrganization
Description: PayloadDisplayName
Automatically Remove Profile: RemovalDate or DurationUntilRemoval
Security (allow removal): PayloadRemovalDisallowed (true locks the profile against user removal)
Payload scope: User or computer
——
Identification

User Display Name:
Email address: EmailAddress
User Name: FullName
Password: Password
User Enters Password: AuthMethod
Prompt: Prompt
Prompt Message: PromptMessage
———
Restrictions (com.apple.applicationaccess.new)

Preferences tab:

Restrict Items in System Preferences: familyControlsEnabled
Allow array: EnabledPreferencePanes with each identified in a string for its domain:
EnabledPreferencePanes

com.apple.preferences.users
com.apple.preference.general
com.apple.preference.universalaccess
com.apple.preferences.appstore
com.apple.preferences.softwareupdate
com.apple.preferences.Bluetooth
com.apple.preference.digihub.discs
com.apple.preference.datetime
com.apple.preference.desktopscreeneffect
com.apple.preference.displays
com.apple.preference.dock
com.apple.preference.energysaver
com.apple.preferences.extensions
com.apple.prefpanel.fibrechannel
com.apple.preferences.icloud
com.apple.preference.ink
com.apple.preferences.internetaccounts
com.apple.preference.keyboard
com.apple.Localization
com.apple.preference.expose
com.apple.preference.mouse
com.apple.preference.network
com.apple.preference.notifications
com.apple.preferences.parentalcontrols
com.apple.preference.printfax
com.apple.preferences.configurationprofiles
com.apple.preference.security
com.apple.preferences.sharing
com.apple.preference.sound
com.apple.preference.speech
com.apple.preference.spotlight
com.apple.preference.startupdisk
com.apple.prefs.backup
com.apple.preference.trackpad

Apps tab:
Allow use of Game Center: GKFeatureGameCenterAllowed
Allow multiplayer gaming: GKFeatureMultiplayerGamingAllowed
Allow adding Game Center friends: GKFeatureAddingGameCenterFriendsAllowed
Allow Game Center account modification: GKFeatureAccountModificationAllowed
Allow App Store app adoption: restrict-store-disable-app-adoption
Allow Safari AutoFill: safariAllowAutoFill
Require admin password to install or update apps: restrict-store-require-admin-to-install
Restrict App Store to MDM installed apps and software updates: restrict-store-softwareupdate-only
Restrict which apps are allowed to launch
Allow Apps: whiteListEnabled
Paths to apps: whitelist array
Allow Folders: pathWhiteList
Disallow Folders: pathBlackList

Widgets tab:
Dashboard Widget Restrictions payload:
Enable: whiteListEnabled
Array of enabled objects: whitelist

Media tab: Edit Mount-Controls in Restrictions payload
AirDrop: DisableAirDrop
Internal Disks: harddisk-internal
External Disks: harddisk-external
Disk Images: disk-image
DVD-RAM: dvdram
CDs & CD-ROMs: blankcd
DVDs: blankdvd
Eject at Logout: logout-eject

Sharing:
Edit the SHKAllowedShareServices array of services. Simply remove service to edit the array.

Functionality:
Lock Desktop Picture: locked
Path to picture: override-picture-path
Allow use of camera:
Allow iCloud Documents & Data: allowCloudDocumentSync
Allow use of iCloud Password for Local Accounts: DisableUsingiCloudPassword
Allow Spotlight Suggestions: allowSpotlightInternetResults

———
Messages (for Jabber, not AIM)

Account Description: JabberAccountDescription
Account Type: Sets com.apple.jabber.account payload
Account Name: JabberUserName
Password: JabberPassword
Server Address: JabberHostName
Server Port: JabberPort
Use SSL: JabberUseSSL
Use Kerberos v5: JabberAuthKerberos

———
AD Certificate (alacarte.adcert)

Description: Description
Certificate Server: CertServer
Certificate Authority: CertificateAuthority
Certificate Template: CertTemplate
Certificate Expiration Notification Threshold: CertificateRenewalTimeInterval
Prompt for credentials: PromptForCredentials
Username: UserName
Password: Password
Allow access to all apps: AllowAllAppsAccess
Allow export from keychain: KeyIsExtractable
Hidden setting: CertificateAcquisitionMechanism (set to RPC)
———
Login Items
Apps: AutoLaunchedApplicationDictionary-managed
Items: com.apple.loginitems.managed
Authenticated Network Mounts: MCX-NetworkHomeDirectoryItem
Add network home share point: AuthenticateAsLoginUserShortName
User may press Shift to keep items from opening: DisableLoginItemsSuppression

———
Mobility

Account Creation tab
Create mobile account when user logs in to network account: com.apple.cachedaccounts.CreatePHDAtLogin
com.apple.cachedaccounts.CreateAtLogin
Require confirmation before creating mobile account: cachedaccounts.WarnOnCreate.allowNever
Show “Don’t ask me again” checkbox: com.apple.cachedaccounts.WarnOnCreate
Create home using: userPicksExternalVolume
Encrypt contents with FileVault: cachedaccounts.create.encrypt (cachedaccounts.create.encrypt.requireMasterPassword requires a master password)
Restrict size: cachedaccounts.create.maxSize
Fixed size: cachedaccounts.create.maxSize.fixedSize
Percent: cachedaccounts.create.maxSize.percentOfNetworkHome
Home folder location:cachedaccounts.create.location

Account Expiry tab
Delete mobile accounts: cachedaccounts.expiry.delete.disusedSeconds
Delete only after successful sync: cachedaccounts.expiry.cond.successfulSync

Rules tab
Preferences Sync subtab
Sync at login: syncPreferencesAtLogin
Sync at logout: syncPreferencesAtLogout
Sync in background: syncPreferencesInBackground
Sync manually: syncPreferencesAtSyncNow
Sync Folders: syncedPrefFolders-managed
Skip Items: excludedPrefItems-managed
Merge with user’s settings: replaceUserPrefSyncList

Home Sync sub tab: Mobility: Home Sync (com.apple.homesync)
Sync at login: syncBackgroundSetAtLogin
Sync at logout: syncBackgroundSetAtLogout
Sync in background: periodicSyncOn
Sync manually: syncBackgroundSetAtSyncNow
Sync Folders: replaceUserSyncList
Skip Items: excludedItems-managed
Merge with user’s settings: replaceUserSyncList

Options sub tab
Sync in the background: syncPreferencesInBackground
Sync time: syncPeriodSeconds
Show status in menu bar:HomeSync.menu
———
Dock
Dock Size: tilesize (followed by an integer)
Magnification: magnification
Position: orientation
Minimize using: mineffect
Animate opening apps: launchanim
Automatically hide and show the Dock: autohide
Show indicator lights for open apps: show-process-indicators
Dock Apps: static-apps

Dock Items

Merge with User’s Dock:
Add other folders:MCXDockSpecialFolders
My Apps: AddDockMCXMyApplicationsFolder
Documents: AddDockMCXDocumentsFolder
Network Home: AddDockMCXOriginalNetworkHomeFolder

———
Printing
Printer List: UserPrinterList, each has the following:
DeviceURI: Path of the printer
DisplayName: Name of printer
Location: Location in printer description
Model: Model of printer
PrinterLocked: Whether the printer is uninstallable
PPDURL: Path to the Printer driver file

Default Printer: DefaultPrinter
Allow user to modify printer list
Allow printers that connect directly to user’s computer
Require an administrator password: RequireAdminToAddPrinters
Only show managed printers: ShowOnlyManagedPrinters
Print page footer (user name and date): PrintFooter
Include MAC address: PrintMACAddress
Font Name: FooterFontName
Font Size: FooterFontSize

———
Parental Controls
Content Filtering: useContentFilter
Disable use of Dictation
Hide profanity in Dictionary and Dictation
Trying to limit access to adult websites
Allowing access to the following websites only
Enable URL white list:
Allow URLs: filterWhitelist (each URL is an item in the array)
Deny URLs: filterBlacklist

Time Limits
Enforce Allowances: allowancesActive, limits-list
Weekday Allowances: com.apple.familycontrols.timelimits.computer, timeLimitSeconds
Weekend Allowances: com.apple.familycontrols.timelimits.computer, timeLimitSeconds
Enforce Limits: familyControlsEnabled
Sunday through Thursday: each day has an entry in the array
Sunday: start and end string, each listing a time
Monday: start and end string, each listing a time
Tuesday: start and end string, each listing a time
Wednesday: start and end string, each listing a time
Thursday: start and end string, each listing a time
Friday through Saturday
Friday : start and end string, each listing a time
Saturday: start and end string, each listing a time
—————
Accessibility
Vision
Enable Zoom via ScrollWheel: closeViewScrollWheelToggle
Enable Zoom via Keyboard: closeViewHotkeysEnabled
Maximum Zoom: closeViewFarPoint
Minimum Zoom: closeViewNearPoint
Show preview rectangle when zoomed out: closeViewShowPreview
Smooth images: closeViewSmoothImages
Invert colors: whiteOnBlack
Use grayscale: grayscale
Enhance Contrast: contrast
Cursor size: mouseDriverCursorSize
Enable VoiceOver: voiceOverOnOffKey

Hearing
Flash the screen when an alert occurs: flashScreen
Play stereo audio as mono: stereoAsMono

Interacting
Enable Sticky Keys: stickyKey
Beep when a modifier key is set: stickyKeyBeepOnModifier
Display pressed keys on screen: stickyKeyShowWindow
Enable Slow Keys: slowKey
Use click key sounds: slowKeyBeepOn
Acceptance delay: slowKeyDelay
Enable Mouse Keys: mouseDriver
Initial delay: mouseDriverInitialDelay
Maximum speed: mouseDriverMaxSpeed
Ignore built-in trackpad: mouseDriverIgnoreTrackpad

Finder
Preferences tab
Use Simple Finder: InterfaceLevel
Show Hard disks on the desktop: ShowHardDrivesOnDesktop
Show External disks on the desktop: ShowExternalHardDrivesOnDesktop
Show CDs, DVDs and iPods on the desktop: ShowRemovableMediaOnDesktop
Show Connected servers on the desktop: ShowMountedServersOnDesktop
Show warning before emptying the Trash: WarnOnEmptyTrash

Commands tab
Connect to Server: ProhibitConnectTo
Eject: ProhibitEject
Burn Disc: ProhibitBurn
Go to Folder: ProhibitGoToFolder
Restart: RestartDisabledWhileLoggedIn
Shut Down: ShutDownDisabledWhileLoggedIn

Proxies
Enable Web Proxy: HTTPEnable
Web Proxy URL: HTTPProxy
Web Proxy Port Number: HTTPPort
Enable Secure Web Proxy: HTTPSEnable
Secure Web Proxy URL: HTTPSProxy
Secure Web Proxy Port Number: HTTPSPort
Enable FTP Proxy: FTPEnable
FTP Proxy URL: FTPProxy
FTP Proxy Port Number: FTPPort
Enable SOCKS Proxy: SOCKSEnable
SOCKS Proxy URL: SOCKSProxy
SOCKS Proxy Port Number: SOCKSPort
Enable Streaming Proxy (RTSP): RTSPEnable
Streaming Proxy URL: RTSPProxy
Streaming Proxy Port Number: RTSPPort
Enable Gopher Proxy: GopherEnable
Gopher Proxy URL: GopherProxy
Gopher Proxy Port Number: GopherPort
Exceptions: array called Exceptions
Use Passive FTP Mode (PASV): FTPPassive
Enable Automatic Configuration: ProxyAutoConfigEnabled
Automatic Proxy Configuration URL: ProxyAutoConfigURLString

Custom Profiles
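Generating a profile from this table, as an added example (not code from the original post or from Profile Manager). It builds a Restrictions payload using the com.apple.applicationaccess.new keys listed above (familyControlsEnabled and EnabledPreferencePanes), wraps it in the standard profile envelope (PayloadType, PayloadVersion, PayloadIdentifier, PayloadUUID, PayloadScope, PayloadContent, plus PayloadOrganization and PayloadRemovalDisallowed from the General section above), writes the XML plist a .mobileconfig contains, and sanity-checks the result before it is handed to a device. The organization name, identifiers and pane list are constructed values.

```python
#!/usr/bin/env python3
"""Build and sanity-check a .mobileconfig with a Restrictions payload (added example)."""
import plistlib
import re
import uuid

RESTRICTIONS_TYPE = "com.apple.applicationaccess.new"
REQUIRED_PAYLOAD_KEYS = ("PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID")
# Preference pane identifiers are reverse-DNS strings, as in the table above.
REVERSE_DNS = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def new_uuid():
    """Profiles conventionally carry upper-case UUIDs."""
    return str(uuid.uuid4()).upper()


def restrictions_payload(identifier, enabled_panes):
    """Restrictions payload that limits System Preferences to the listed panes."""
    return {
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": "Restrictions",
        "familyControlsEnabled": True,
        "EnabledPreferencePanes": list(enabled_panes),
    }


def profile(identifier, display_name, organization, payloads, removal_disallowed=True):
    """Top-level (PayloadType Configuration) envelope holding the payloads."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": identifier,
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": display_name,
        "PayloadOrganization": organization,
        "PayloadRemovalDisallowed": removal_disallowed,
        "PayloadContent": list(payloads),
    }


def to_mobileconfig(prof):
    """Serialize to the XML plist a .mobileconfig file contains."""
    return plistlib.dumps(prof, fmt=plistlib.FMT_XML)


def load_profile(data):
    return plistlib.loads(data)


def validate(data):
    """Parse a .mobileconfig and return a list of problems (empty = looks sane)."""
    problems = []
    prof = load_profile(data)
    if prof.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be Configuration")
    seen = set()
    for i, p in enumerate(prof.get("PayloadContent", [])):
        for key in REQUIRED_PAYLOAD_KEYS:
            if key not in p:
                problems.append("payload %d missing %s" % (i, key))
        u = p.get("PayloadUUID")
        if u in seen:  # duplicate UUIDs make devices treat payloads as the same one
            problems.append("payload %d reuses PayloadUUID %s" % (i, u))
        seen.add(u)
        if p.get("PayloadType") == RESTRICTIONS_TYPE:
            for pane in p.get("EnabledPreferencePanes", []):
                if not REVERSE_DNS.match(pane):
                    problems.append("payload %d: bad pane id %r" % (i, pane))
    return problems


if __name__ == "__main__":
    panes = ["com.apple.preference.security", "com.apple.preferences.softwareupdate"]
    prof = profile("com.example.restrictions", "Example Restrictions", "Example Org",
                   [restrictions_payload("com.example.restrictions.prefs", panes)])
    data = to_mobileconfig(prof)
    print(data.decode())
    print("problems:", validate(data))
```

Write the bytes from to_mobileconfig() to a file with a .mobileconfig extension and it can be installed or pushed like one exported from Profile Manager. The validate() pass is deliberately strict about PayloadUUID reuse and malformed pane identifiers, since those are the mistakes that silently produce a profile which installs but restricts nothing.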

February 19th, 2016

Posted In: Apple Configurator, iPhone, Mac OS X, Mac OS X Server, Mac Security


Previously, I covered how to Programmatically Obtain Recent Wi-Fi Networks On A Mac. Here I'll go a step further and extract the password for a network as well. The two are stored in different places: recent networks live in the /Library/Preferences/SystemConfiguration/com.apple.airport.preferences defaults domain, while the password lives in the System keychain. Once you have a network name from the former, the security command pulls the password (-a matches the account name, which for AirPort items is the network name, and -g prints the password; expect a keychain authorization prompt unless you run as root):

security find-generic-password -ga "Krypted Home"

The output is as follows, showing everything that is tracked about this network in the keychain.

keychain: "/Library/Keychains/System.keychain"
class: "genp"
attributes:
0x00000007 <blob>="Krypted Home"
0x00000008 <blob>=<NULL>
"acct"<blob>="Krypted Home"
"cdat"<timedate>=0x32303135313230373135313731375A00 "20151207151717Z\000"
"crtr"<uint32>=<NULL>
"cusi"<sint32>=<NULL>
"desc"<blob>="AirPort network password"
"gena"<blob>=<NULL>
"icmt"<blob>=<NULL>
"invi"<sint32>=<NULL>
"mdat"<timedate>=0x32303135313230373135313731375A00 "20151207151717Z\000"
"nega"<sint32>=<NULL>
"prot"<blob>=<NULL>
"scrp"<sint32>=<NULL>
"svce"<blob>="AirPort"
"type"<uint32>=<NULL>
password: "test"

You can constrain the output with awk or grep so that only the password is printed, then feed it into other objects, such as a new .mobileconfig. One caveat: security writes the password: line to stderr rather than stdout, so redirect stderr into the pipe (2>&1) or grep will never see it.
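A parser for that dump, as an added example (not code from the original post). parse_security_output() turns the listing above into a dict: attributes keyed by their four-letter tag or hex id, <NULL> mapped to None, and timedate fields reduced to their "YYYYMMDDhhmmssZ" string; network_password() shows how to run the command with stderr merged into stdout so the password: line is captured. SAMPLE_OUTPUT is a copy of the listing above, indented the way security prints it.

```python
#!/usr/bin/env python3
"""Parse `security find-generic-password -ga <network>` output (added example)."""
import re
import subprocess

# Copy of the listing above (raw string so the \000 stays literal, as printed).
SAMPLE_OUTPUT = r'''keychain: "/Library/Keychains/System.keychain"
class: "genp"
attributes:
    0x00000007 <blob>="Krypted Home"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="Krypted Home"
    "cdat"<timedate>=0x32303135313230373135313731375A00  "20151207151717Z\000"
    "crtr"<uint32>=<NULL>
    "cusi"<sint32>=<NULL>
    "desc"<blob>="AirPort network password"
    "gena"<blob>=<NULL>
    "icmt"<blob>=<NULL>
    "invi"<sint32>=<NULL>
    "mdat"<timedate>=0x32303135313230373135313731375A00  "20151207151717Z\000"
    "nega"<sint32>=<NULL>
    "prot"<blob>=<NULL>
    "scrp"<sint32>=<NULL>
    "svce"<blob>="AirPort"
    "type"<uint32>=<NULL>
password: "test"
'''

# "tag"<kind>=value  or  0xNNNNNNNN <kind>=value
ATTR_RE = re.compile(
    r'^\s*(?:"(?P<tag>\w+)"|(?P<hex>0x[0-9A-Fa-f]+))\s*<(?P<kind>\w+)>=(?P<val>.*)$')
# A quoted value, possibly preceded by a hex dump of the same bytes.
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def _decode_value(kind, raw):
    raw = raw.strip()
    if raw == "<NULL>":
        return None
    m = QUOTED_RE.search(raw)
    if m:
        val = m.group(1)
        if kind == "timedate":
            val = val.replace("\\000", "")  # drop the printed NUL terminator
        return val
    return raw  # bare value such as an integer or a hex dump with no text form


def parse_security_output(text):
    """Return {'keychain', 'class', 'attributes', 'password'} from a security dump."""
    result = {"keychain": None, "class": None, "attributes": {}, "password": None}
    for line in text.splitlines():
        for field in ("keychain", "class", "password"):
            if line.startswith(field + ":"):
                result[field] = _decode_value("blob", line.split(":", 1)[1])
                break
        else:
            m = ATTR_RE.match(line)
            if m:
                key = m.group("tag") or m.group("hex")
                result["attributes"][key] = _decode_value(m.group("kind"), m.group("val"))
    return result


def network_password(ssid):
    """Look up an AirPort network password on this Mac (expect a keychain prompt).

    security prints the password: line on stderr, hence stderr=STDOUT.
    """
    proc = subprocess.run(
        ["security", "find-generic-password", "-ga", ssid],
        stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True, check=True)
    return parse_security_output(proc.stdout)["password"]


if __name__ == "__main__":
    parsed = parse_security_output(SAMPLE_OUTPUT)
    print(parsed["attributes"]["acct"], "->", parsed["password"])
```

Non-printable passwords are shown by security as a hex dump followed by a quoted string; QUOTED_RE picks the quoted form in that case too. Whatever consumes the result should treat it as a secret: writing it into a .mobileconfig means the profile file now needs the same protection the keychain gave it.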

December 11th, 2015

Posted In: Apple Configurator, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

