krypted.com

Tiny Deathstars of Foulness

When you push a certificate out in a profile, the certificate is statically stored on a Mac. If you are delivering a certificate over the air and in a device profile that is seperate from the MDM payload then the Active Directory Certificate payload can enable automatic certificate renewals. You can enable automatic renewals with a defaults command (or manage the preference domain via MDM) using the following command:

defaults write /Library/Preferences/com.apple.mdm-client AutoRenewCertificatesEnabled -bool YES
Note: Because they’re already dymanic and all, SCEP payloads cannot be automatically renewed.

October 5th, 2017

Posted In: Mac OS X

Tags: , , , ,

One Comment

Below is my pesentation from MacSysAdmin, if you’re into such things.
MSA_2017

October 4th, 2017

Posted In: Mac OS X, public speaking

Leave a Comment

You can easily disable password hints in macOS by opening the System Preferences, clicking on the “Users & Groups” System Preference pane and then clicking on Login Options. From there, uncheck the box for “Show password hints”


You can also disable this feature using the com.apple.loginwindow defaults domain. Send the following through a script to do so:

defaults write com.apple.loginwindow RetriesUntilHint -int 0

October 4th, 2017

Posted In: Mac OS X

Tags: , ,

Leave a Comment

The following is a list of application bundles that come pre-installed with macOS that are protected by SIP:
/Applications/App Store.app
/Applications/Automator.app
/Applications/Calculator.app
/Applications/Calendar.app
/Applications/Chess.app
/Applications/Contacts.app
/Applications/DVD Player.app
/Applications/Dashboard.app
/Applications/Dictionary.app
/Applications/FaceTime.app
/Applications/Font Book.app
/Applications/Game Center.app
/Applications/Image Capture.app
/Applications/Launchpad.app
/Applications/Mail.app
/Applications/Maps.app
/Applications/Messages.app
/Applications/Mission Control.app
/Applications/Notes.app
/Applications/Photo Booth.app
/Applications/Photos.app
/Applications/Preview.app
/Applications/QuickTime Player.app
/Applications/Reminders.app
/Applications/Safari.app
/Applications/Siri.app
/Applications/Stickies.app
/Applications/System Preferences.app
/Applications/TextEdit.app
/Applications/Time Machine.app
/Applications/Utilities
/Applications/iBooks.app
/Applications/iTunes.app
/Applications/Utilities/Activity Monitor.app
/Applications/Utilities/AirPort Utility.app
/Applications/Utilities/Audio MIDI Setup.app
/Applications/Utilities/Bluetooth File Exchange.app
/Applications/Utilities/Boot Camp Assistant.app
/Applications/Utilities/ColorSync Utility.app
/Applications/Utilities/Console.app
/Applications/Utilities/Digital Color Meter.app
/Applications/Utilities/Disk Utility.app
/Applications/Utilities/Grab.app
/Applications/Utilities/Grapher.app
/Applications/Utilities/Keychain Access.app
/Applications/Utilities/Migration Assistant.app
/Applications/Utilities/Script Editor.app
/Applications/Utilities/System Information.app
/Applications/Utilities/Terminal.app
/Applications/Utilities/VoiceOver Utility.app
/Applications/Utilities/X11.app
Note: Files located in /System, /usr, /bin, and /sbin are recursively protected as well.

October 2nd, 2017

Posted In: Mac OS X, Mac Security

Tags: , , ,

The macOS High Sierra update has netted a few weird upgrades where I had to start over, restore, or boot into safe mode (e.g. if you DEP a device that forces encryption in Sierra and then gets into a loop after a High Sierra update is started). So I’ve been using modifier keys more than usual. The following startup modifier keys are available in macOS High Sierra:
  • Alt or Option key: Access Mac Startup Manager, which allows you to select a wireless network and then choose which volume you want to boot to.
  • C: Mostly legacy, boots to volumes on a CD, DVD, or USB drive.
  • Command-Option-P-R: Resets the parameter RAM (or PRAM for short).
  • Command-Option-R: Same as Recovery Mode, but over the Internet.
  • Command-R: Boots into the macOS Recovery Mode, useful when doing an internet restore or using Disk Utility to repair a volume.
  • Command-S: Enables Single User Mode.
  • Command-V: Boots into Verbose Mode, so you see a log of everything during the startup process.
  • D: Diagnostics mode starts up using Apple Hardware Test or Apple Diagnostics utility, for checking the hardware of your system.
  • Option-D: Load Diagnostics tools over the Internet.
  • Eject key, F12, or mouse/trackpad button: Ejects any removable media inserted.
  • N: NetBoot attempts to boot to a NetBoot volume on a network.
  • Option-N: NetBoot automatically to the default boot image
  • Shift:  Safe Boot verifies the startup disk and repairs directory issues, disables user fonts and clears the cache for them, only loads required kernel extensions and clears the cache for them, clears system caches, and disables startup and login items.
  • T: Target Disk Mode, which sets the system as a disk that can then be mounted on another system (if FileVault encrypted, you may need to enter a password to mount the volumes on the disk).
  • X: Boot to a macOS startup disk when otherwise booting to a Windows partition or startup manager.

October 1st, 2017

Posted In: Mac OS X

High Sierra sees the Caching service moved out of macOS Server and into the client macOS. This means administrators no longer need to run the Server app on caching servers. Given the fact that the Caching service only stores volatile data easily recreated by caching updates again, there’s no need to back the service up, and it doesn’t interact with users or groups, so it’s easily divested from the rest of the Server services.

And the setup of the Caching service has never been easier. To do so, first open System Preferences and click on the Sharing System Preferences pane.

From here, click on the checkbox for Content Caching to start the service.

At the Content Caching panel, the service will say “Content Caching: On” once it’s running. Here, you can disable the “Cache iCloud content” option, which will disable the caching of user data supplied for iCloud (everything in here is encrypted, by the way). You can also choose to share the Internet Connection, which will create a wireless network that iOS devices can join to pull content. 

Click Options. Here, you can see how much storage is being used and limit the amount used. 

defaults read /Library/Preferences/com.apple.AssetCache.plist

Which returns the following configurable options:

Activated = 1;
CacheLimit = 0; DataPath = “/Library/Application Support/Apple/AssetCache/Data”; LastConfigData = <BIGLONGCRAZYSTRING>; LastConfigURL = “http://suconfig.apple.com/resource/registration/v1/config.plist”; LastPort = 56452; LastRegOrFlush = “2017-09-11 16:32:56 +0000”; LocalSubnetsOnly = 1; PeerLocalSubnetsOnly = 1; Port = 0; Region = 263755EFEF1C5DA178E82754D20D47B6; ReservedVolumeSpace = 2000000000; SavedCacheDetails = {
SavedCacheSize = 0;
ServerGUID = “EB531594-B51E-4F6A-80B9-35081B924629”;
Version = 1;}

This means that all those settings that you used to see in the GUI are still there, you just access them via the command line, by sending defaults commands. For example, 

defaults write /Library/Preferences/com.apple.AssetCache.plist CacheLimit -int 20000000000

You can

AssetCacheManagerUtil status

Which returns something similar to the following:

2017-09-11 11:49:37.427 AssetCacheManagerUtil[23957:564981] Built-in caching server status: {
Activated = 1;
Active = 1;
CacheDetails = {
iCloud = 4958643;
“iOS Software” = 936182434;};
CacheFree = 472585174016;
CacheLimit = 0;
CacheStatus = OK;
CacheUsed = 941141077;
Parents = ();
Peers = ();
PersonalCacheFree = 472585174016;
PersonalCacheLimit = 0;
PersonalCacheUsed = 4958643;
Port = 56452;
PrivateAddresses = (“192.168.104.196”);
PublicAddress = “38.126.164.226”;
RegistrationStatus = 1;
RestrictedMedia = 0;
ServerGUID = “EB531594-B51E-4F6A-80B9-35081B924629”;
StartupStatus = OK;
TotalBytesDropped = 0;
TotalBytesImported = 4958643;
TotalBytesReturnedToChildren = 0;
TotalBytesReturnedToClients = 166627405;
TotalBytesReturnedToPeers = 0;
TotalBytesStoredFromOrigin = 166627405;
TotalBytesStoredFromParents = 0;
TotalBytesStoredFromPeers = 0;

You can also use AssetCacheManagerUtil to manage tasks previously built into the Server app. To see the available options, simply run the command:

bash-3.2# /usr/bin/AssetCacheManagerUtil

Which would show the following:

Options are:
-a|–all show all events
-j|–json print results in JSON
-l|–linger don’t exit
2017-09-11 11:57:30.066 AssetCacheManagerUtil[24213:569932] Commands are:
activate
deactivate
isActivated
canActivate
flushCache
flushPersonalCache
flushSharedCache
status
settings
reloadSettings
moveCacheTo path
absorbCacheFrom path read-only|and-destroy

As such, to enable the server:

bash-3.2# /usr/bin/AssetCacheManagerUtil activate 

To disable the server

bash-3.2# /usr/bin/AssetCacheManagerUtil deactivate

To check if the server can be activated

bash-3.2# /usr/bin/AssetCacheManagerUtil canActivate

To flush the cache of assets on the server:

bash-3.2# /usr/bin/AssetCacheManagerUtil flushCache 

To reload settings if you make any changes:

bash-3.2# /usr/bin/AssetCacheManagerUtil reloadSettings

To move the database

/usr/bin/AssetCacheManagerUtil moveCacheTo "/Volumes/SONY/Library/Application Support/Apple/AssetCache/Data"

Finally, if you’d like to see the caching server your client system is using, you can run the following command:

/usr/bin/AssetCacheLocatorUtil 2>&1 | grep guid | awk '{print$4}' | sed 's/^\(.*\):.*$/\1/' | uniq

And if you use Jamf Pro and would like to use this as an extension attribute, that’s posted here: https://github.com/krypted/cachecheck. I didn’t do any of the if/then there, as I’d usually just do that on the JSS.

Note: To see how AssetCache interacts with Tetherator, see Tethered Caching of iOS Assets from macOS 10.12.4.

September 28th, 2017

Posted In: Mac OS X, Mac OS X Server

Tags: , , , , , ,

A bootable installer is one of the fastest ways to install a Mac. Rather than copy the installer to a local drive you can run it right off a USB disk (or Thunderbolt if you dare). Such a little USB drive would be similar to the sticks that came with the older MacBook Air, when we were all still sitting around wondering how you would ever install the OS on a computer with no optical media or Ethernet otherwise. Luckily, Apple loves us. To make a bootable USB/flash drive of High Sierra like the one that used to come with the MacBook Air, first name the USB drive. I’ll use hsinstall for the purposes of this article. The format should be Mac OS Extended Journaled, although the new system drive will be apfs on the target volume. The installer is called Install macOS Sierra and is by default located in the /Applications directory. Inside the app bundle, there’s a new binary called createinstallmedia (nested in Contents/Resources). Using this binary you can create an installation drive (similar to what we used to do with InstallESD). To do so, specify the –volume to create the drive on (note that the target volume will be erased), the path of the “Install macOS High Sierra” app bundle and then we’re going to select –nointeraction so it just runs through the whole thing

/Applications/Install\ macOS\High\ Sierra.app/Contents/Resources/createinstallmedia --volume /Volumes/hsinstall --applicationpath /Applications/Install\ macOS\ High\ Sierra.app --nointeraction

Note: You’ll need to elevate your privileges for this to run.

Once run you’ll see that it erases the disk, copies the Installation materials (InstallESX, etc) and then makes the drive bootable, as follows:

Erasing Disk: 0%... 10%... 20%... 100%... Copying installer files to disk... Copy complete. Making disk bootable... Copying boot files... Copy complete.

Then you can either select the new volume in the Startup Disk System Preference pane or boot the computer holding down the option key to select the new volume.

Note: If you can do this on a system with a solid state drive it will be  faster. Although this took 17 minutes last I ran it even then so be patient for the files to copy.

September 28th, 2017

Posted In: Mac OS X

Tags: , , , ,

The first thing you’ll want to do on any server is setup the networking for the computer. To do this, open the System Preferences and click on Network. You usually want to use a wired Ethernet connection on a server, but in this case we’ll be using Wi-Fi. Here, click on the Wi-Fi interface and then click on the Advanced… button.

At the setup screen for the interface, provide a good static IP address. Your network administrator can provide this fairly easily. Here, make sure you have an IP address and a subnet mask. Since we need to install the Server app from the Mac App Store, and that’s on the Internet, you’ll also need to include a gateway, which provides access to the Internet and using the DNS tab, the name servers for your Internet Service Provider (ISP).
 
Once you have provided a static IP address, verify that you can route to the Internet (e.g. open Safari and visit a website). Provided you can, the first step to installing macOS Server onto High Sierra is to download the Server app from the Mac App Store. To do so, open the App Store app and search for Server. In the available apps, you’ll see the Server app from Apple. Here, click on Buy and let the app download. That was pretty easy, right. Well, the fun has just gotten started. Next, open the app.

When you first open the Server app, you’ll see the Server screen. Here, you can click on the following options:
  • Other Mac: Shows a list of Macs with the Server app that can be remotely configured. Choosing another system does not complete the setup process on the system you’re working on at the moment.
  • Cancel: Stops the Server app setup assistant and closes the Server App.
  • Continue: Continues installing the Server app on the computer you are using.
  • Help: Brings up the macOS Server manual.
 

Click Continue to setup macOS Server on the machine you’re currently using. You’ll then be prompted for the licensing agreement from Apple. Here, check the box to “Use Apple services to determine this server’s Internet reachability” and click on Agree (assuming of course that you agree to Apple’s terms in the license agreement).

Installing macOS Server must be done with elevated privileges. At the prompt, enter the credentials for an account with administrative access and click on the Allow button.

The services are then configured as needed and the command line tools are made accessible. This can take some time, so be patient. When the app is finished with the automation portion of the configuration, you will be placed into the Server app for the first time. Your first order of business is to make sure that the host names are good on the computer. Here, first check the Host Name. If the name doesn’t resolve properly (forward and reverse) then you will likely have problems with the server at some point. Therefore, go ahead and click on Edit Host Name… Here, enter the fully qualified address that the server should have. In the DNS article, we’ll look at configuring a good DNS server, but for now, keep in mind that you’ll want your DNS record that points to the server to match what you enter here. And users will use this address to access your server, so use something that is easy to communicate verbally, when needed.

 
At the Change Host Name screen, click Next. At the “Accessing your Server” screen, click on Internet and then click on the Next button.



At the “Connecting to your Server” screen, provide the Computer Name and the Host Name. The Computer Name is what you will see when you connect to the server over Bonjour and what will be listed in the Sharing System Preference pane. The Host Name is the fully qualified host name (fqdn) of the computer. I usually like to take the computer name and put it in front of the domain name. For example, in the following screen, I have osxserver as the name of the computer and osxserver.krypted.com as the host name.



Once you have entered the names, click on the Finish button. You are then prompted to Change Host Name. Click on Change Host Name at this screen.

Next, let’s open Terminal and run changeip with the -checkhostname option, to verify that the IP and hostname match:

sudo changeip -checkhostname


Provided that the IP address and hostname match, you’ll see the following response.

sudirserv:success = “success”

If the IP address and hostname do not match, then you might want to consider enabling the DNS server and configuring a record for the server. But at this point, you’ve finished setting up the initial server and are ready to start configuring whatever options you will need on the server.

September 28th, 2017

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , ,

In order to use the Apple Volume Purchase Program (VPP), you will need an MDM solution (Profile Manager, Jamf Pro, MobileIron, Meraki, FileWave, etc). The same program is used for device-based VPP or user-based VPP. There are two programs, which is meant to simplify the experience of setting up an MDM solution and long-term maintenance. The first is the traditional VPP account, available to companies and other non-educational environments that have a DUNS number. The second is the newer Apple School Manager, for educational institutions.

Before starting to buy apps and associating those apps from an MDM solution, there are a few things you should know. The first is that your organization can have multiple VPP tokens or Apple School Manager tokens, and you can hierarchically manage apps this way. The second is that each token should only be installed on one MDM solution or server (if you have multiple instances of the same solution). Therefore, if you’re going to have multiple servers or solutions for managing apps, keep in mind to buy apps for groups based on the VPP account that will be associated with devices for each solution. Also, note that the traditional deployment mechanism of VPP is user, or Apple ID-based VPP apps. Here, you associate an Apple ID to a VPP account from an MDM and then the administrator sends apps to devices based via the MDM solution. And this is still an option.

In 10.11 and up, we got device-based VPP. Here, you can send apps to devices even if they don’t have Apple IDs associated to the device, and you can send apps automatically, meaning they will not require user interaction. This makes VPP multi-tenant and great for school labs, or shared-use Macs and iOS devices. But this article isn’t about the fine print details of the new VPP. Instead, this article is about making Profile Manager work with your new VPP token. Before you get started, know that when you install your vpptoken, if it’s in use by another MDM, Profile Manager will unlicensed all apps with your other MDM. To get started, log into your VPP account. Once logged in, click on your account email address and then select Account Summary.
vpp1

Then, click on the Download Token link and your token will be downloaded to your ~/Downloads (or wherever you download stuff).

vpp2
Once you have your token, open the Server app and click on the Profile Manager service.

 

Click on the checkbox for Volume Purchase Program.

 

At the VPP Managed Distribution screen, drag the .vpptoken file downloaded earlier into the screen. Then click on Continue. The VPP code email address will appear in the screen. Click Done. Back at the profile manager screen, you should then see that the checkbox is filled and you can now setup Profile Manager. The rest of the configuration of Profile Manager is covered in a previous article. Note: The account used to configure the VPP information is not tracked in any serveradmin settings.

September 28th, 2017

Posted In: Mac OS X, Mac OS X Server, Mass Deployment

Tags: , , , ,

By default, macOS now updates apps that are distributed through the Mac App Store (MAS). Server running on macOS High Sierra is really just the Server app, sitting on the App Store, installed on a standard Mac. If the Server app is upgraded automatically, you will potentially experience some adverse side effects, especially if the app is running on a Metadata Controller for Xsan, runs Open Directory, or a major release of the Server app ships. Additionally, if you are prompted to install a beta version on a production system, you could end up with issues. Therefore, in this article we’re going to disable these otherwise sweet features of macOS.

To get started, first open the System Preferences. From there, click on the App Store System Preference pane.



From the App Store System Preference pane, uncheck the following boxes:
  • Automatically Check For Updates: Unchecking this box disables the download in the background option and the installation of app updates.
  • Automatically Download Apps Purchased on Other Macs: If you buy an upgrade, you could accidentally install that upgrade on production servers you don’t intend to install the upgrade on.
Once disabled, you’ll need to keep on top of updates in the App Store manually. My recommendation is still to create an image of your server before each update. If you see the field, click Change for “Your computer is set to receive beta software updates” and then click Do Not Receive Beta Software Releases.

 

You can also set these from the command line. To disable automatic app store updates:

defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool FALSE

To disable automatic macOS updates:

defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool FALSE

And to disable automatic Software Update update checks:

defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool FALSE

Overall, be careful with automatic updates. I like leaving checking enabled so when I sit down at the console of a server I get prompted to update; however, I don’t want servers updating and restarting unless I tell them to, after I’ve performed a comprehensive regression test on the updates.

September 27th, 2017

Posted In: Mac OS X, Mac OS X Server

Tags: , ,

Next Page »