Tiny Deathstars of Foulness

Exchange Online and Exchange 2010-2016 can block a device from accessing ActiveSync using a policy. To do so, first grab a list of all operating systems you’d like to block. To do so, first check which ones are out there using the Get-ActiveSyncDevice command, and looking at devicetype, deviceos, and deviceuseragent. This can be found using the following command:

Get-ActiveSyncDevice | select devicetype,deviceos,deviceuseragent

The command will show each of the operating systems that have accessed the server, including the user agent. You can block access based on each of these. In the following command, we’ll block one that our server found that’s now out of date:

New-ActiveSyncDeviceAccessRule -Characteristic DeviceOS -QueryString "iOS 8.1 12A369" -AccessLevel Block

To see all blocked devices, use

Get-ActiveSyncDeviceAccessRule | where {$_.AccessLevel -eq 'Block'}

If you mistakenly block a device, remove the block by copying it into your clipboard and then pasting into a Remove-ActiveSyncDeviceAccessRule commandlet:

Remove-ActiveSyncDeviceAccessRule -Characteristic DeviceOS -QueryString "iOS 8.1 12A369" -AccessLevel Block

Or to remove all the policies:

Get-ActiveSyncDeviceAccessRule | Remove-ActiveSyncDeviceAccessRule

May 25th, 2016

Posted In: iPhone, Microsoft Exchange Server

Tags: , , , ,

Leave a Comment

A number of systems require you to use complex characters in passwords and passcodes. Here is a list of characters that can be used, along with the name and the associated unicode:

  •    (Space) U+0020
  • ! (Exclamation) U+0021
  • ” (Double quotes) U+0022
  • # (Number sign) U+0023
  • $ (Dollar sign) U+0024
  • % (Percent) U+0025
  • & (Ampersand) U+0026
  • ‘  (Single quotes) U+0027
  • ( (Left parenthesis) U+0028
  • ) (Right parenthesis) U+0029
  • * (Asterisk) U+002A
  • + (Plus) U+002B
  • , (Comma) U+002C
  • – (Minus sign) U+002D
  • . (Period) U+002E
  • / (Slash) U+002F
  • : (Colon) U+003A
  • ; (Semicolon) U+003B
  • < (Less than sign) U+003C (not allowed in all systems)
  • = (Equal sign) U+003D
  • > (Greater than sign) U+003E (not allowed in all systems)
  • ? (Question) U+003F
  • @ (At sign) U+0040
  • [ (Left bracket) U+005B
  • \ (Backslash) U+005C
  • ] (Right bracket) U+005D
  • ^ (Caret) U+005E
  • _ (Underscore) U+005F
  • ` (Backtick) U+0060
  • { (Left curly bracket/brace) U+007B
  • | (Vertical bar) U+007C
  • } (Right curly bracket/brace) U+007D
  • ~ (Tilde) U+007E

April 29th, 2016

Posted In: iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , , ,

Precache, available at, is a script that populates the cache on an OS X Caching server for Apple updates. The initial release supported iOS. The script now also supports caching the latest update for an AppleTV. To use that, there’s no need to include an argument for AppleTV. Instead, you would simply  run the script followed by the model identifier, as follows:

sudo python AppleTV5,4

Screen Shot 2016-04-27 at 1.30.17 PM

April 28th, 2016

Posted In: Apple TV, iPhone, Mac OS X, Mac OS X Server, precache

Tags: , , , ,

April 26th, 2016

Posted In: Apple TV, iPhone, Mac OS X, Mac OS X Server, Mac Security, MacAdmins Podcast

Tags: , , , , , , ,

A little while back, I did a little writeup on how the OS X Caching Server caches updates at The goal was to reverse engineer parts of how it worked for a couple of different reasons. The first was to get updates for devices to cache to my caching server prior to 15 people coming in before it’s cached and having caching it down on their own.

So here’s a little script I call precache. It’s a little script that can be used to cache available Apple updates into an OS X Server that is running the Caching Service. To use, run the script followed by the name of the model. For example, for an iPad 2,1, you would use the following syntax:

sudo python iPad2,1

To eliminate beta operating systems from your precache,use the –no-beta argument:

sudo python iPad2,1 --no-beta

I’ll probably add some other little things nee and there, this pretty much is what it is and isn’t likely to become much more. Unless someone has a good idea or forks it and adds it. Which would be cool. Enjoy.

Screen Shot 2016-04-24 at 12.24.23 PM

April 25th, 2016

Posted In: iPhone, Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , ,

I do a lot of testing on MacBook Airs and the latest MacBooks. Neither have a built-in Ethernet port and I try not to travel with one. But, when you enable the Caching Server service in OS X on a machine without an active Ethernet connection, the AssetCache will report an error of the following:

Wireless portable computer not supported

The cause is pretty obvious, but bypassable because of how the sanity check was built. Simply run the following:

sudo serveradmin settings caching:Interface = en0

Now try again. Enjoy.

PS: Since people always jump on the article where I talk about how to do things that shouldn’t be done in production, I mostly use this for testing. Don’t do it in production… And if you enjoy being judgmental about things, please feel free to find something constructive to do with your time, like write up how to do something that everyone else can judge you harshly for…

April 23rd, 2016

Posted In: iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Apple School Manager is a portal used to create classes, import students, manage Managed Apple IDs, and link all these things together. You can use a Student Information System (SIS) to create these classes, import students, etc. But, only if you have a SIS with an API that Apple links to. If you don’t, you’ll need to import data using csv files. And you’ll need to import four csv files: Classes, Instructors, Staff, and of course Students.

Many schools will already have this data in Active Directory or another LDAP-based solution. Here, we’ll look at getting the information out of Active Directory and into csv. The LDIFDE utility exports and imports objects from and to Active Directory using the ldif format, which is kinda’ like csv when it gets really drunk and can’t stay on one line. Luckily, ldif can’t drive. Actually, each attribute/field is on a line (which allows for arrays) and an empty line starts the next record. Which can make for a pretty messy looking file the first time you look at one. The csvde command can be used to export data into the csv format instead. In it’s simplest form the ldifde command can be used to export Active Directory objects just using a -f option to specify the location (the working directory that we’re running the ldifde command from if using powershell to do so or remove .\ if using a standard command prompt):

ldifde -f .\ADExport.ldf

This exports all attributes of all objects, which overlap with many in a target Active Directory and so can’t be imported. Therefore, you have to limit the scope of what you’re exporting, which you can do in a few ways. The first is to only export a given OU (in this case called Students, but you could do one for Teachers, one for each grade, etc). To limit, you’ll define a dn with a -d flag followed by the actual dn of the OU you’re exporting and then you’d add a -p for subtree. In the following example we’ll export all of the objects from the sales OU to the StudentsOUExport.ldf file:

ldifde -d "OU=Students,DC=krypted,DC=local" -p subtree -f .\StudentsOUExport.ldf

Once you have the ldif file, you’ll want to convert it from ldif to csv. Some apps to do so:

Once you have the file in csv form, you can import it using the Apple School Manager web interface.

April 22nd, 2016

Posted In: Articles and Books, iPhone, Mac OS X, Mac OS X Server, Mac Security

Tags: , , ,

Apple Configurator 2 is a great tool. But you need to debug things from time to time. This might mean that a profile is misconfigured and not installing, or that a device can’t perform a task you are sending it to be performed. This is about the time that you need to enable some debug logs. To do so, quit Apple Configurator and then write a string of ALL into the ACULogLevel key in ~/Library/Containers/

defaults write ~/Library/Containers/ ACULogLevel -string ALL

To disable, quit Apple Configurator and then delete that ACULogLevel key:

defaults delete ~/Library/Containers/ ACULogLevel

April 19th, 2016

Posted In: Apple Configurator, iPhone

Tags: , , , , ,

Casper 9.9 has shipped! After the most thorough of testing and field enablement, JAMF has shipped Casper 9.9, with tons of new awesomeness for iOS 9.3. You now have the ability to do Lost Mode, which allows you to see where a lost device is, and allows your users the peace of mind that their privacy is protected by informing them that administrators looked at the location of a device (and you can assign a custom Lost Mode message, for example providing a reward for the return of a lost device). You can also manage a number of Notification Center features. You now have the ability to use the Classroom App in conjunction with education device deployments. You now have the ability to unlock new, great payloads, such as placing badges where you want them on a home screen. You can also now use the B2B App Store with Casper. And for the first time, you also have the ability to show and hide apps!

And cool new features aren’t limited to iOS. Casper can also now manage Active Directory bindings with DEP devices using the Active Directory/LDAP payloads, streamlining those workflows in a more supportable fashion. And manage user account types. This brings us closer and closer to true zero-touch deployments. And lots of issues are resolved that make your installation (e.g. detecting Java versions) and management (e.g. some cool new screens) more and more stable and user friendly with each release!

So log into JAMF Nation, and check out Casper 9.9 in your testing environment, and unlock all the new coolness. 🙂

Screen Shot 2016-03-31 at 11.04.27 AM

March 31st, 2016

Posted In: iPhone, JAMF, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , ,

When I was speaking at MacADUK, I asked Tom Bridge about starting a podcast. He’s got a great voice, and I thought he’d be a great co-host. Before we were able to get to that when we got home, Adam Codega, independently of the conversation I’d had with Tom, dropped a note on Twitter to see who else might be interested in doing a Podcast. A few people responded that they’d be interested in also jumping in on a new Podcast. Over the next few weeks, decisions were made that the podcast would be hosted as a part of, the format, the hosting location, and lots of other really cool stuff. And some of us got together and recorded the first episode. And then, last night, we recorded the second episode just in time to get that into editorial before Episode 1 is released.

And soooooo, episode 1 is out! It includes Tom Bridge, Emil Kausalik, Adam Codega, and myself. We also have an interview with some of the organizers from the Penn State Mac Admins conference, which I wasn’t able to sit in on, but find just fantastic. And Tom did some of the editing. Aaron Lippincott (@dials-Mavis) did a lot of work on the mastering and deserves lots of credit there (he made everyone sound way betterer). And John Kitzmiller did a lot of work on the domain and website and DNS type of stuff, as well as helping with hosting of the podcast assets as well. And Adam’s done a lot of work on the back end linking things together, so a great team effort.

The next episode also features Pepijn Bruienne and Marcus Ransom (who I lovingly decided we should call the He-Man of the Mac Universe) and covers the latest iOS 9.3 release, as well as some information about the Classroom app. So stay tuned for that, but click below to give the episode a listen, or find on iTunes once it appears (and I’ll post a link to that once we can).

Overall, I’m really stoked to get this thing going, and that the group has built a great system for future episodes, that should be sustainable for many, many episodes. I’m also really stoked to be able to get to work with this specific group – I’m a big fan of everyone, and I look forward to many episodes to come! So follow on Twitter at @MacAdmPodcast and feel free to let us know if you’ve done something awesome and we should mention it or interview you!

Episode 1: It Begins

Screen Shot 2016-03-28 at 10.39.29 AM

March 28th, 2016

Posted In: iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Network Infrastructure, personal

Tags: , , , , , ,

Next Page »