Tiny Deathstars of Foulness

Click for lightning. Merge-your-damn-self.


But if you commit with a well written message (and not just a period to get past a sanity check), I’m happy. Tom Hardy likes it when you tell me wtf.


November 29th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security


Repair permissions was unceremoniously removed from OS X in El Capitan. This staple of the Mac guru’s toolkit disappeared. There was no 21 gun salute, there was no flaming casket sent out to sea and there was no sweet, sweet wake to get drunk at. Instead, there was pain. There was pain, because when the button disappeared, the need did not. Need proof? If you haven’t yet run it, let’s check your system to verify the permissions of the standard packages:

sudo /usr/libexec/repair_packages --verify --standard-pkgs --volume /

In the above command, we used the repair_packages binary, which has not changed in a while. We then feed that the --verify option and the --standard-pkgs option, finally providing the current boot volume using --volume followed by the /. Pretty straightforward. Assuming there’s something to repair, the below will actually run that repair operation:

sudo /usr/libexec/repair_packages --repair --standard-pkgs --volume /

Where’s the sweet, sweet button? The rest of the screen is so darn lonely without it.


And now that you know the command, feel free to throw it in your self service. That way users can do it without opening terminal or using an admin password!

November 22nd, 2015

Posted In: Mac OS X, Mac OS X Server, Mass Deployment



When I was doing a lot of hiring, the pool of Mac Admins was smaller. And it was in a way easier for me to recruit people, because I knew a lot of them. As the pool has grown and a lot of the talent has matured, keeping your finger on the pulse of the hiring market around Apple has become much more challenging. Also, I’ve recruited far more developers and marketing professionals than Apple engineers in the past couple of years. But, there are still a number of places that you can look to find good Mac and iOS engineers looking for a gig. Here’s a quick and dirty list (which can be used to find jobs as well, I suppose) of a few of the better places to look for people you might choose to try and hire:

  • One of the best places to find someone is whatever site or email list appeals to the administrators of products you run. For example, this could be the Studio SysAdmins list if you’re in the film industry, JAMF Nation if you run the Casper Suite, or the Munki forums if you use Munki. If your target is to hire someone with a specific skillset, then looking where the people who have those skills lurk is never a terrible idea. Do be gentle there, though, and know what the protocol is for posting a job (e.g. many have specific threads for job and employee seekers). But nothing is as legitimate as flexing your knowledge of a product on the product’s own forums. This is more challenging if you’re looking for a generalist. There you likely have more people suitable, so opening your net to a job board isn’t a terrible idea. I’d also include the Mac Enterprise email list, and all the Mac conferences. Having said that, protocol is important. For example, in my opinion, it is crass to actively recruit someone at a conference if their employer paid for them to be there. Grab a card, do it when you get home if you need to.
  • It’s cheap, it’s easy to post, and I see a lot more people using this site than I see for some of the larger sites. They do aggregate data from some of the larger sites, so a lot of candidates might start their searches there.
  • Craigslist. I’ve found some of my best employees on Craigslist. You get a lot more resumes that aren’t appropriate, so you’ll spend a little more time weeding through them. It’s the cheapest place to post a job, and you’ll spend more time vetting candidates, but it’s not a bad place if you’re looking for local generalist talent and have the time to spend.
  • is one of the oldest of the recruiting sites. It’s not a terrible place to post a job. You get fewer candidates than many other places, but they’re often more qualified than you might think. I do find you get people waaaaay outside your geography, which is always hard, especially for a smaller company who can’t pull the trigger on a Visa as quickly as they’d like to fill a vacancy.
  • CareerBuilder is similar to Monster, so most of the things there apply to it as well. Pick one of these sites, if you’re looking for a good generalist. If you have a specialty, you can search their resumes but aren’t likely to find a ton of candidates in the Apple space.
  • is another big job board.
  • LinkedIn. It’s the professional social network, right? I found many really good candidates. I got a response per maybe 10 messages I sent, and of those, most were qualified on paper at a minimum. It can take some time to sort through people, but do yourself a favor and get a Premium account. It will cost less than posting a job to many of the big sites, and you’ll have much better search and communication tools at your disposal! You can also post a job there, but it only amplifies by your social network, so you’ll need a good number of connections for this to pan out well for you.
  • This site used to have more normal techie jobs. These days they’ve gone into more executive and management, which sometimes you’ll need to hire.
  • If you need interns, check out AfterCollege.
  • Peercisely. A peer-based job board that rewards referrals. ‘Cause referrals are the best way to find employees, after all!
  • is a great spot for hourly employees. Which most Mac engineers are not. But some are…
  • is one of the most important tools many potential employees have in their job hunting arsenal. And you can post your job there. Chances are, they’ll look you up there, btw, so review what the reviews on you say.
  • Superuser, stackoverflow, (you can post jobs to these), github (who wrote the cool projects you like or contributes to them), Twitter, etc. A good strategy I used was to Google for the answer to a question I had. Sometimes I’d pick a juicy trouble ticket from the previous week and copy the text and paste it into a browser. If someone answered that question, then I might very well want them on my team. This worked best when I was after employees who could live anywhere in the US or world. It’s harder when you need an onsite engineer.
  • Slack. It’s not often that something comes along and really changes an entire community. Launched maybe a year ago, the MacAdmins Slack channel, accessible at has become a great place to find talented Mac Admins, and see what else they have posted previously!
  • Grow your own. I’m sure this isn’t what anyone who finds this post with a Google search is going to want to find. But consider giving someone on your team a chance to become a good Mac Admin. They may surprise you!
  • Finally, the community is still small enough that you can search for speakers at the various Mac Conferences and look into whether some of them are local to you. This is kinda’ funny, because they might not even remotely be the best talent, but they might – or they might know someone looking!


Good luck. Good people make your company and you more successful. A bad hire has the opposite impact. Choose wisely! And if you found a job and think you have a good add, post a comment. I’m always interested in how people found their gigs!

November 18th, 2015

Posted In: Apple Configurator, iPhone, Mac OS X, Mac OS X Server, Mac Security



This is my 3,000th post on The past 3,000 posts have primarily been about OS X Server, Mac automation, Mac deployment, scripting, iOS deployments, troubleshooting, Xsan, Windows Servers, Exchange Server, Powershell, security, and other technical things that I have done in my career. I started the site in response to a request from my first publisher. But it took on a mind of its own. And I’m happy with the way it’s turned out.

My life has changed a lot over these past 11 years. I got married and then I got divorced. I now have a wonderful daughter. I became a partner and the Chief Technology Officer of 318 and helped to shape it into what was the largest provider of Apple services, I left Los Angeles and moved to Minnesota, left 318 to help start up a new MDM for small businesses at JAMF Software called Bushel, and now I have become the Consulting Engineering Manager at JAMF. In these 11 years, I have made a lot of friends along the way. Friends who helped me so much. I have written 14 more books, spoken at over a hundred conferences, watched the Apple community flourish, and watched the emergence of the Post-PC era.

In these 11 years, a lot has happened. Twitter and Facebook have emerged. Microsoft has hit hard times. Apple has risen like a phoenix from those dark ashes. Unix has proved a constant. Open Source has come into the Mac world. The Linux gurus are still waiting for Linux on the desktop to take over the world. Apps. iOS. iPad. Mobility. Android. Wearables. Less certifications. More admins. And you can see these trends in the traffic for the site. For example, the top post I’ve ever written is now a list of Fitbit badges. The second top post is a list of crosh commands. My list of my favorite hacking movies is the third top post. None of these have to do with scripting, Apple, or any of the articles that I’ve spent the most time writing.

That’s the first 3,000 posts. What’s next? 3,000 more posts? Documenting the unfolding of the Post-PC era? Documenting the rise and fall of more technologies? I will keep writing, that’s for sure. I will continue doing everything I can to help build out the Apple community. And I will enjoy it. I’ve learned a lot about writing along this path. But I have a lot more to learn.


The past 3,000 posts have mostly been technical in nature. I’ve shown few of my opinions, choosing to keep things how-to oriented and very technical. Sure, there’s the occasional movie trailer when I have a “squee” moment. But pretty technical, overall. I’ve been lucky to have been honored to speak at many conferences around the world. One thing I’ve noticed over the past few years is that when people ask me to speak at conferences, they ask me to speak about broader topics. They don’t want me doing a technical deep dive. People use the term thought leader. And while I don’t necessarily agree, maybe it’s time I step up and write more of those kinds of articles here and there.

I’ve learned so much from you these 11 years. But I feel like I’ve barely scratched the surface. I look forward to learning together over the course of the next 3,000 posts! Thank you for your support. Without it, I’d have probably stopped at 10 articles!

November 16th, 2015

Posted In: 318, Apps, Articles and Books, Bushel, Business, certifications, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Microsoft Exchange Server, Minneapolis



When you join a wireless network on a Mac, the information for that network is cached into the property list. You can access this information using the following command, constraining output to the LastConnected field and the next 7 lines:

<code>defaults read /Library/Preferences/SystemConfiguration/ | grep LastConnected -A 7</code>

November 11th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment




I remember way back, long ago, before the iPad, and before the iPhone, Apple had official certification training for OS X Server. I think I got my first certification around 10.3. Over time, additional courses appeared. There was an Xsan course, there was an OS X Server course, and there were plans for more. At the height of the Apple certification program, you could get the following for a full on systems administration plethora of acronyms, including ACDT, ACTC, ACSA, and ACMA:


  • Mac OS X Support Essentials v10.6: Prometric #9L0-403, removed on May 31, 2012
  • Mac OS X Server Essentials v10.6: Prometric #9L0-510, removed on May 31, 2012
  • Mac OS X Directory Services v10.6 Prometric #9L0-624, removed on May 31, 2012
  • Mac OS X Deployment v10.6: Prometric #9L0-623, removed on May 31, 2012
  • Mac OS X Security & Mobility v10.6: Prometric #9L0-625, removed on May 31, 2012
  • Xsan 2 Administration: Prometric #9L0-622, removed on May 31, 2012
  • Final Cut Pro Level One: Prometric #9L0-827
  • Macintosh Service Certification Exam
  • OS X Yosemite Troubleshooting Exam


You could also go further and get an Apple Certified Trainer designation (ACT) and be able to teach these classes. Certifications aren’t everything, so it was certainly possible to get certified without having the skills, or to get l33t without getting the certs. However, they were a good guidepost for me when hiring and there were certain activities I engaged in with Apple for which having the certifications was either required or extremely helpful.


But over time, Apple shifted its focus elsewhere. After the release of the iPad (and subsequent gangbuster sales of the product), the number of services and the viability of using some of those services in large environments (e.g. due to the death of the Xserve and Xserve RAID), have both decreased sharply. Meanwhile, the ease of use of the services has sharply increased. A simpler product required less training, so the ACSA went away. Additionally, Final Cut Server as a product was removed from Apple’s portfolio and so the ACMA certification disappeared. By 10.10, there were two courses for OS X and OS X Server (ACTC) and another for hardware that’s much more specific to hardware repair.


But as with the Highlander, for 10.11, there can be only one. OS X Server no longer has a course. So today, I’ll say adios, Server certs. I spent a lot of time on you. I will miss you. Or notsomuch. TBD. It’s a different world…


The book for the OS X Server 10.11/Server 5 course is still being made. I’ve heard it should be out in January. And I’ll keep writing articles and books about this stuff for as long as it’s viable. So there’s content. And I’m sure (like really sure) that there will be a third party that introduces a certification for OS X Server. So stay tuned for more on that! And be assured that the end of one era usually represents the beginning of a new era. Those on that boat to the new era usually do well!

November 10th, 2015

Posted In: certifications, Mac OS X, Mac OS X Server


I’ve written a number of articles on automating MDM enrollments using Apple Configurator in the past. In Apple Configurator 2, there are some new options that make the process much easier than it’s ever been in the past. To get started, let’s open Apple Configurator 2 and click on a Blueprint we’d like to apply to devices being prepared during a mass iPad or iPhone enrollment through Apple Configurator. Control-click on the Blueprint to set up for automated enrollment and click on the Prepare button.


At the Organization screen, select the organization you’d like to enroll your device in and click on the Next button.


At the Server screen, select to enroll in an MDM server.


At the Define an MDM Server screen, type the name of a server and click Next.


The server is then located and, provided the Apple Configurator 2 system can communicate with the server, you’ll get a choice of the MDM service to enroll into. Select the certificate and click Next.


At the Supervise Devices screen, select whether you’d like to supervise devices enrolled using Apple Configurator 2. Click Next.


At the Configure iOS Setup Assistant screen, choose whether to skip some screens during the initial configuration of the device and click on Prepare.


Now, during the preparation in Apple Configurator, you’ll be able to enroll iOS devices into Profile Manager (or another MDM) en masse.

Additionally, the traditional method of enrollment (Configurator 1) still works. Here, you’d download a trust profile, done using the name in the upper right corner of the Profile Manager interface and then choosing Download Trust Profile.


You’ll also need the Enrollment Profile, accessed using the plus sign (+) in the lower left corner of the screen and choosing Enrollment Profile.


The two are then added to the Profiles of a blueprint in Apple Configurator 2. You can also use the Settings for a device group to set placeholders for devices so they’re automatically assigned to a group during mass enrollments like this.



Overall the options in Apple Configurator 2 with Profile Manager or another MDM are way easier to use than in previous versions. I think a lot of new administrators will be able to easily get used to this workflow. Enjoy!



November 4th, 2015

Posted In: Apple Configurator, iPhone, Mac OS X Server, Mass Deployment


There are a couple of parts to this article. The first is to describe the server command, stored in /Applications/ The description of the command by Brad Chapman was so eloquently put on this JAMF Nation post that I’m just gonna’ paste it in here:

So … I just installed Server 5.0.x tonight on my Mac Mini running Yosemite (10.10.5). There was a question that came up during JNUC about upgrading Server and having a way to accept the license agreement without going through the GUI.

So for shits and giggles I tried:

server setup

It’s not documented. And lo and behold, I got the prompt to accept the license agreement just like you do with Xcode.

Post your trip reports here! Can this be automated?

tardis:~ chapman$ sudo server setup
To use server, you must agree to the terms of the software license agreement.

Press Return to view the software license agreement.

---insert license agreement here---

Do you agree to the terms of the software license agreement? (y/N) y

Administrator access is required to set up OS X Server on this Mac. Type an administrator's user name and password to allow this.
User name: chapman

Initializing setup...
Getting server state...
Getting host names...
Writing server settings...
Configuring Service Authentication...
Creating certificates...
Getting certificates...
Renewing certificate...
Enabling server password hashes for local users...
Creating service principals...
Initializing certificates...
Preparing services...
Preparing Caching service...
Preparing Calendar service...
Preparing Profile Manager service...
Preparing File Sharing service...
Preparing Software Update service...
Preparing Messages service...
Preparing Mail service...
Preparing Web service...
Preparing Calendar service...
Preparing Wiki service...
Preparing Calendar service...
Preparing Profile Manager service...
Initializing Wiki...
Initializing Mail...
Initializing VPN...
Initializing Xcode...
Enabling autobuddy for local accounts...
Updating admin password policy...
Checking DNS Configuration...
Reading DNS configuration...
Completing setup...

server encountered errors during setup:

Unknown error
tardis:~ chapman$

I don’t know what the ‘unknown error’ was.

The error is pretty much typical. I rarely see a server that doesn’t spawn some kind of error, and most errors will throw this. Oh well. The only option that he didn’t mention that isn’t meant for internal use is help, which doesn’t even indicate setup as a verb. Now, here’s where it gets fun. This is cute, but if you’re scripting a full server setup, you’ll want to bust out a little expect script here. I’m gonna’ put the username and password in cleartext here, to keep the script readable:

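#!/usr/bin/expect -f
# Allow up to 5 minutes for each prompt to appear
set timeout 300
spawn server setup
expect "Press Return to view the software license agreement." { send "\r" }
expect "Do you agree to the terms of the software license agreement? (y/N)" { send "y\r" }
expect "User name:" { send "MYADMINUSERNAME\r" }
expect "Password:" { send "MYPASSWORD\r" }
# Wait for setup to finish; without this the script exits right after sending
# the password and takes the spawned server setup down with it
expect eof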

Obviously, you would replace MYADMINUSERNAME with your admin username and MYPASSWORD with your password. But basically, drop the on a machine, run this, and you’re good to go. Now, hypothetically, if you’re spinning up a Caching server (e.g. if you’re building out 100 caching servers, this might come in handy), then you could use the commands described in this article I wrote earlier.
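
A variant of the expect script above that keeps the credentials out of the script body and fails loudly when a prompt never arrives, added here as an example and not code from the original post. The environment variable names SERVER_ADMIN_USER and SERVER_ADMIN_PASS and the 30-minute final timeout are assumptions; the prompts and the error banner are the ones shown above.

```tcl
#!/usr/bin/expect -f
# Added example: same prompts as the script above, but the credentials are read
# from the environment instead of being stored in the script in cleartext.
# SERVER_ADMIN_USER / SERVER_ADMIN_PASS are hypothetical variable names.

set timeout 300

# Refuse to start if either credential is missing or empty.
foreach var {SERVER_ADMIN_USER SERVER_ADMIN_PASS} {
    if {![info exists env($var)] || $env($var) eq ""} {
        send_user "error: $var is not set\n"
        exit 2
    }
}

# Wait for one prompt (matched literally, so "?" is not a wildcard), then
# send the reply. Stop on timeout or if server setup exits early.
proc answer {prompt reply} {
    expect {
        -exact $prompt { send -- "$reply\r" }
        timeout { send_user "\nerror: timed out waiting for: $prompt\n"; exit 3 }
        eof     { send_user "\nerror: server setup exited before: $prompt\n"; exit 4 }
    }
}

spawn server setup
answer "Press Return to view the software license agreement." ""
answer "Do you agree to the terms of the software license agreement? (y/N)" "y"
answer "User name:" $env(SERVER_ADMIN_USER)
answer "Password:" $env(SERVER_ADMIN_PASS)

# The setup phase itself can run long; 30 minutes is an assumed upper bound.
set timeout 1800
set failed 0
expect {
    -exact "server encountered errors during setup" { set failed 1; exp_continue }
    timeout { send_user "\nerror: setup did not finish within $timeout s\n"; exit 3 }
    eof {}
}

# wait returns {pid spawn_id os_error exit_status}; take the exit status.
set status [lindex [wait] 3]
if {$failed || $status != 0} {
    send_user "server setup reported errors (exit status $status)\n"
    exit 1
}
exit 0
```

Have the deployment tool inject the two variables at run time rather than exporting them in a login profile, and scope the admin account's password to the setup window if it has to pass through a management server.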

October 28th, 2015

Posted In: Mac OS X Server, Mass Deployment


I had a very interesting debate with someone the other day. The debate was around the Total Cost of Ownership of an app on a desktop computer. Let’s say that you have a $5 app. Now let’s say that in order to package that app up and test it for end user deployment, that the cost to your organization is about $400. That’s going to seem high if you just look at it as a number. But when you consider that it takes time to customize an app package so that end user data is preserved and end users aren’t prompted a dozen times, then it takes time to test that package (thus my continued interest in crowdsourced automated regression testing these days), and then it takes time to deploy that package, potentially with rollbacks and customer issues when done en masse, $400 might end up being very low for some software titles and very high for others.

The debate. I’ve been on a lot of deployments with 25,000 or more users/devices. And something that always comes up is “OMG how can people have this much software out there?” One deployment, the customer estimated that there were about 20 apps on their 10,000 devices and there ended up being well over 1,000. This was OS X, not iOS. On iOS it’s a much easier conversation. But on OS X and Windows, a lot more work must go into preparing apps for deployments. In OS X, users can be a bit more irritable about tampering with systems, so extra care must be taken to not bug users when you deploy software. In most software titles for Windows, you have more patches. It ends up being a similar amount of time to manage your Definitive Software Library (DSL) for each. Now let’s say that for your 1,000 apps, you spend $400 per app to manage that, per patch, with around 4 patches per year as a round average number. This means that each unique application title ultimately costs you $1,600 to own (not including logistical concerns around chasing down licensing, the cost of the initial app, and any services attached to apps). For 1,000 apps, you could be looking at $1.6 Million dollars just to keep your repository up-to-date.

Scale helps. In Casper, we’re working on “Patch Management” as a feature. This is why. At 318, I worked with my team to get the open source AutoPKG linked to our Casper environments so we could have a tool that used recipes to automatically import known software into our Casper servers. We could then have a release management process around regression testing the software and ultimately releasing it to users for UAT and then to the full complement of users, or in waves. Let’s say that implementing such a tool saves you 25% of your time. Well, in the previous example, you’re now down to $1.2 Million dollars worth of labor to manage your DSL.

Politics doesn’t help. Now let’s say that you are faced with not having the staff to deliver all that time to manage all those software titles in your DSL. Well, bummer. I guess you’re going to have to look for the least distributed software titles and remove them from the list of apps users can have. There are many, many apps that only one person uses. As your complement of machines grows, the distribution of apps with less than 5 people using them displays as a hockey stick. But, each app could end up saving 5-50% of an actual human’s time. And in my experience, some of these smaller distributed apps can be the most hyper-focused on a job-specific need. Some apps are absolutely frivolous. But we’re not talking about people asking you to support Angry Birds on their computers, we’re talking about business machines. Unless you work for Rovio…

You don’t have to own it all. Or do you? If you deploy an app, do you have to support it as well? If you give users admin passwords, they can deploy their own apps and you don’t have to package some of those random apps. But if you let users deploy their own apps, how do you make sure you aren’t opening your company up to the risk that the app deployed is actually owned and properly licensed? And if the user gets a new machine, how do you give them that app? If all apps were distributed through an App Store (be it Apple’s Mac App Store, etc) then this would be tracked in an MDM solution. While it would be nice for administrators who have a lot of machines to manage, that would seem draconian to developers. But doesn’t it look more and more like the future?

Understanding your users is key. I’ve seen many environments where administrators took an accounting of what apps people used and then surveyed users to ask if they actually used many of the less obvious apps in their environments. After doing so, between 20 and 50 percent of apps were no longer needed. Of those, a few percent ended up coming back, because users didn’t take the survey or didn’t think to mention the app in the survey and forgot about it until a few months later when that quarterly process they use the app for came back around. I’ve also seen workflows where a slightly more expensive app that did the task of 3 or 4 smaller apps could be used. The cost to license the new apps was justified by offsetting the cost of packaging, distribution and testing. In all of these environments, chargebacks for software AND the associated management caused a business analyst within a group to redefine requirements and find a better way. A packaging administrator cannot fully understand the needs of every user in a large organization; but a business analyst charged with helping a smaller group can get innovative and cut costs while providing even more value to end users.

Is the Mac a Mobile device? All of this comes into focus because on a call, someone said that managing Macs had been marketed as similar to managing iOS devices. No. That’s not the case. Some of the same tools are used, which help to simplify management. And the focus is on empowering users rather than limiting users. The work that we do in packaging is just to provide a better user experience. However, when I speak to organizations on technical requirements and integrating services, I often ask “what is the workflow for Windows?” For example, NetBoot. I always ask “what do you do for PXE-booting,” which helps set the stage for my next question “can we get an IP helper, just like the one you created for PXE?” When you frame a request in a way that there’s a historical analogy, administrators more easily understand the intent, technology, and desired end state. While imaging a computer in the Post-PC era may be arguably dead technology, it still serves some troubleshooting purposes and so cannot be fully discounted. And if you disagree with that, the analogy still holds true for other technologies, such as defining MIME types for a server that’s distributing .ipa files.

So in conclusion, the arguments here are supporting a very basic question: how do you calculate the ROI of an app that is distributed to only a few users, and whether the ROI is greater than the productivity or creativity gain that the app provides. Obviously, the answer is “it depends” which is not a basic answer. However, you can take these questions and derive whether containment makes sense for your organization or not. Chances are, you can remove a good chunk of apps that are deployed in your environment. And then you can focus on packaging and support of the remaining apps. Of the successful large-scale deployments I’ve worked on, this has been an absolute pre-requisite to getting to the point where they can support machines with one tech/engineer per more than 1,000 systems. Now don’t even get me started on virtualization of these apps…

October 27th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


The planning for ACES Conference 2016 seems to be in full gear. I’ve been slated to speak not on JAMF or Bushel stuff, but on my time in the Apple Consultants Network (ACN) community. One of the biggest challenges we had as we grew, was to responsibly pick vendors that matched with our customer requirements while also allowing us to scale efficiently. If you’re an ACN, this is a great conference for you. Check it out at!


October 26th, 2015

Posted In: Consulting, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment
