krypted.com

Tiny Deathstars of Foulness

I originally wrote this back in 2015 as an article for troubleshooting APNs traffic on a Profile Manager server. But it turns out that troubleshooting push notification communications between macOS Server and Apple’s Push Notification is basically the same as troubleshooting the apsd client on macOS. Basically, we’re gonna’ put the APNs daemon, apsd, into debug mode. To enable APNS debug logging, run these commands:

defaults write /Library/Preferences/com.apple.apsd APSLogLevel -int 7
defaults write /Library/Preferences/com.apple.apsd APSWriteLogs -bool TRUE
killall apsd

Then use tail -f to watch the apsd.log file at /Library/Logs/apsd.log. Be wary, as this can fill up your system. So to disable, use these commands:

defaults write /Library/Preferences/com.apple.apsd APSWriteLogs -bool FALSE
defaults delete /Library/Preferences/com.apple.apsd APSLogLevel
killall apsd

February 9th, 2017

Posted In: Mac OS X, Mac OS X Server, Mass Deployment

Tags: , , , ,

As promised, here’s the slide deck from my talk at MacAD.UK in London. Enjoy!

MacADUK_MDM_2017

February 7th, 2017

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

When you’re regression testing, you frequently just don’t want any delays for scripts unless you intentionally sleep your scripts. By default Safari has an internal delay that I’d totally forgotten about. So if your GUI scripts (yes, I know, yuck) are taking too long to run, check this out and see if it helps:

defaults write com.apple.Safari WebKitInitialTimedLayoutDelay 0

With a script I was recently working on, this made the thing take about an hour less. Might help for your stuffs, might not.

If not, to undo:

defaults delete com.apple.Safari WebKitInitialTimedLayoutDelay

Enjoy.

February 1st, 2017

Posted In: Mac OS X Server, Mac Security

Tags: , , , , , , , ,

The codesign command is used to sign apps and check the signature of apps. Apps need to be signed more and more and more these days. So, you might need to loop through your apps and verify that they’re signed. You might also choose to stop trusting given signing authorities if one is compromised. To check signing authorities, you can use

codesign -dv --verbose=4 /Applications/Firefox.app/ 2>&1 | sed -n '/Authority/p'

The options in the above command:

  • -d is used to display information about the app (as opposed to a -s which would actually sign the app)
  • -v increases the verbosity level (without the v’s we won’t see the signing “Authority”)
  • –verbose=4 indicates the level of verbosity
  • 2>&1 redirects stderr to stdout
  • /Applications/Firefox.app/ – the path to the app we’re checking (or signing if you’re signing)

Then we pipe the output into a simple sed and get the signing chain. Or don’t. For example, if you’re scripting don’t forget a sanity check for whether an object isn’t signed. For example, if we just run the following for a non-signed app:

codesign -dv --verbose=4 /Applications/Utilities/XQuartz.app/

The output would be as follows:

/Applications/Utilities/XQuartz.app/: code object is not signed at all

January 12th, 2017

Posted In: Apps, Mac OS X, Mac OS X Server

Tags: , , , , , , ,

OS X Server stores most logs in files that are in the /Library/Logs/ProfileManager directory. Logs are split up between php, devicemgrd.log, scep_helper.log, servermgr_devicemgr.log, profilemanager.log and others. In my experience, if there’s a lot of errors at first, or if the service doesn’t work, just reformat and start over. But, once a server is in production, you don’t want to re-enroll devices after you do that. So, as with all good error prodding, start with the logs to troubleshoot.

By default the logs can appear a bit anemic. You can enable more information by increasing the logging level. Here, we’ll shoot it up to 6, which can be done with the following command:

sudo debugDeviceMgr 6

Debug levels go all the way to 9, but at that point things get… Noisy. And to turn it back off, use:

sudo debugDeviceMgr 1

Basically, this command sets the required services in /Applications/Server.app/Contents/ServerRoot/System/Library/LaunchDaemons/ to debug mode as well as /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/config/com.apple.DeviceManagement.postgres-debug.plist and /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/config/com.apple.DeviceManagement.postgres.plist to configure debug mode. In other words, it touches a lot of services. And given how chatty some can be, only leave logging levels higher than I’d say 2 in the event of short-term troubleshooting.

December 29th, 2016

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , ,

So fun!

December 28th, 2016

Posted In: Mac OS X, Mac OS X Server, Mac Security, MacAdmins Podcast, public speaking

Apple recently introduced a laptop with the same fingerprint technology found in an iPhone as well as a T-1 chip to take the sapphire Touch ID sensor information and store it securely, non-reversibly(ish), on the machine. OS X 10.12 now comes with a tool that can manage the fingerprints, stored as keys, on the device. The bioutil command is simple to use, with a few options that are mostly useful for enabling different features of the new technology.

Let’s get started by enabling the unlock option, using the -r option to see if Touch ID is enabled for the current user and -s to check the system as well:

bioutil -r -s

Now let’s enable Touch ID to be able to unlock the system, with -u (provided it’s not already enabled):

bioutil -u

If you’ll be using ApplePay, also use -a (on a per-user basis):

bioutil -a

Next, let’s enables Touch ID to unlock the system for the current user:

bioutil -w -u 1

This user will obviously need to provide their fingerprint in order to use Touch ID. Once done, let’s see how many fingerprints they’ve registered using the -c option (which checks for the number of fingerprints registered by the currently enrolled user):

bioutil -c

Now let’s delete all fingerprints for the current user (note that they’re not reversible so you can’t actually look at the contents):

bioutil -p

Next, we’ll use sudo to remove all fingerprints for all users (since we’re crossing from user land, we’ll need to provide a password):

sudo bioutil -p -s

Instead, we could have targeted just deleting the fingerprints that had been registered for user 1024, using -s and -d together, followed by the actual UID (which also requires sudo – as with all -s option combos):

sudo bioutil -s -d 1024

Now let’s disable Touch ID for the computer, using -w to write a config, and that -u from earlier, setting it to 0 for off:

sudo bioutil -w -s -u 0

And viola, you’re managing the thing. Throw these in an Extension Attribute or in Munki and you’re managing/checking/knowing/reporting/all the thingsings! Enjoy!

December 16th, 2016

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , , ,

The last JamfNation User Conference, or JNUC for short, was far and away the biggest and best. It was packed though, and given the year-over-year increase in people attending, the conference is being moved to the Hyatt Regency in downtown Minneapolis.

For more information on or to early-bird register for JNUC 2017, visit the official JNUC page.

screen-shot-2016-12-14-at-9-59-38-am

I’ll certainly be there, and I look forward to seeing all of you again and meeting all the newcomers this year, as well as getting a recording going of the MacAdmins Podcast while we’re all together!

December 11th, 2016

Posted In: JAMF, Mac OS X, Mac OS X Server, Mac Security, MacAdmins Podcast

One of the first things we do when we setup a new macOS Caching Server is to check the logs to see if it’s actually serving content. You can view thee logs at /Library/Server/Caching/Logs/Debug.log. In the log, when a Caching Server has registered for your network, you’ll see a line that begins with the following:

Got request for host = http://swcdn.apple.com/

This above means that the server actually got a request (as it says) and that the request is for an asset at swcdn.apple.com (followed by the actual package path). Once found, the server caches the asset, which starts with the following:

Initializing asset handler for http://swcdn.apple.com/

The path would then match the same asset along with a path=(followed by the path to the asset on your server).

You’ll then see some information and ultimately a list of the number of bytes served from the cache, as well as the number of downloads. If that sits at 0 the server isn’t really doing anything…

November 16th, 2016

Posted In: Mac OS X Server

Tags: , , , ,

Given the increased reliance on XML in scripts and exchanging data, a number of different solutions leverage XML traversal options to get all the things done. We frequently use path to bring a file into a script or program, or accept input from STDIN. The most basic task that we then perform is simply selecting an item from that file or STDIN and then variabalizing it. One common tool that we use here is Path. XPath calls these objects nodes, and uses path expressions to select these nodes. A path expression is the path along the xml input that is followed to find a piece of data.

There are some pretty standard wildcards the can be used with xpath, where node() watches any node, * matches any element node, @* matches any attribute node, helping to constrain output.

Supported expressions include:

  • node: This is a text input that identifies the name of a node to start a relative search from – for example site would select all nodes in a structure with the name site
  • . Identifies the current node (kinda’ like pwd in a shell)
  • .. Starts at the parent of the current node – for example,
  • / Starts traversal from the root node – for example, /computer would select any nodes that falls underneath
  • /computer meaning that these are absolute paths
  • // Identifies the nodes in an XML structure that match a selection wherever they may be – for example
  • //computer would select all nodes that contain //computer and search for other expressions below those that you may identify such as: ‘xpath //computer/general/mac_address’
  • //* Selects everything
  • //computer/* Selects all the child element nodes of everything that starts with computer
  • @ Select an attribute in an XML structure – for example ‘xpath //computer/general/@’
  • [1] This predicate selects the first item (or whatever number is identified, so xpath
  • //computer[3]/general/mac_address would return with the mac address of the third computer
  • [@PATTERN] Constrains found sets, so ‘xpath //computer/general/[@mac_address]’ identifies all computers with an actual mac_address attribute
  • //[@PATTERN=VALUE] Constrains a found set to all items where the attribute contains the value, so ‘xpath //computer/general/[@mac_address=00]’ identifies all computers with an actual mac_address attribute that has the value of 00
  • //[@*] Selects only items with something in an attribute (non-null), so ‘xpath //computer/general/[@mac_address=@*] (btw, rather than use an =, you can use > or <)
  • | creates compound matches. So ‘xpath //computer/general/mac_address | //computer/general/name’ would grab the mac_address and name of every computer
  • [last()] Identifies the last item, so ‘xpath //computer[last()]/general/mac_address’ would return the last computer’s mac address
  • [last()-2] placing a negative number after the parenthesis identifies descending orders from the end of a found set – for example, //computer[last()-2] Selects the second to last computer

Overall, as you can see xpath really makes traversing XML structures simple. Other tools and languages have their own ways, but most are similar in syntax.

November 15th, 2016

Posted In: Mac OS X, Mac OS X Server, Ubuntu

Tags: , , , , ,

« Previous PageNext Page »