krypted.com

Tiny Deathstars of Foulness

From Anthony Reimer:

The MacDeployment Conference in Calgary, Alberta, Canada has extended the “early bird” registration rate through this Thursday. Only CAD$179+GST gets you a 2-day conference with a diverse speaker group from across North America. (One day rate also available.) For more information and to register, go to http://macdeployment.ca

May 25th, 2017

Posted In: Mac OS X, public speaking

Tags: ,

Leave a Comment

May 24th, 2017

Posted In: Mac OS X

Leave a Comment

Over the users I’ve written a good bit about pushing a workload off to a virtual machine sitting in a data center somewhere. The Google CloudPlatform has matured a lot and I haven’t really gotten around to writing about it. So… It’s worth going into their SDK and what it looks like from a shell using some quick examples.

For starters, you’ll need an account with Google Cloud Platform, at cloud.google.com and you’ll want to go ahead and login to the interface, which is pretty self-explanatory (although at first you might have to hunt a little for some of the more finely grained features, like zoning virtual instances.

The SDK

The SDK will include the gcloud command, which you’ll use to perform most tasks in the Google CloudPlatform. To install the SDK, go to https://cloud.google.com/sdk/downloads and download the appropriate version for your computer. If you’re on a mac, most likely the x86_64 version.

Next, move the downloaded folder to a permanent location and run the install.sh inside it, which will kindly offer to add gcloud to your path.

./install.sh

Welcome to the Google Cloud SDK!
To help improve the quality of this product, we collect anonymized usage data
and anonymized stacktraces when crashes are encountered; additional information
is available at <https://cloud.google.com/sdk/usage-statistics>. You may choose
to opt out of this collection now (by choosing ‘N’ at the below prompt), or at
any time in the future by running the following command:
gcloud config set disable_usage_reporting true
Do you want to help improve the Google Cloud SDK (Y/n)?  y
Modify profile to update your $PATH and enable shell command
completion?
Do you want to continue (Y/n)?  y
The Google Cloud SDK installer will now prompt you to update an rc
file to bring the Google Cloud CLIs into your environment.
Enter a path to an rc file to update, or leave blank to use
[/Users/charlesedge/.bash_profile]:
Backing up [/Users/charlesedge/.bash_profile] to [/Users/charlesedge/.bash_profile.backup].
[/Users/charlesedge/.bash_profile] has been updated.
==> Start a new shell for the changes to take effect.
For more information on how to get started, please visit:
https://cloud.google.com/sdk/docs/quickstarts

Inside that bin folder, you’ll find the gcloud python script, which once installed, you can then run. Next, you’ll need to run the init, which links it to your CloudPlatform account via oauth. To do so, run gcloud with the init verb, which will step you through the process:

gcloud init

Welcome! This command will take you through the configuration of gcloud.
Your current configuration has been set to: [default]
You can skip diagnostics next time by using the following flag:
gcloud init –skip-diagnostics

Network diagnostic detects and fixes local network connection issues.
Checking network connection…done.
Reachability Check passed.
Network diagnostic (1/1 checks) passed.

You must log in to continue. Would you like to log in (Y/n)? y

If you say yes in the above screen, your browser will then prompt you with a standard Google oauth screen where you’ll need to click Allow.

Now go back to Terminal and pick a “Project” (when you set up billing the default was created for you):

Pick cloud project to use:
[1] seventh-capsule-138123
[2] Create a new project
Please enter numeric choice or text value (must exactly match list
item):
1

The Command Line

Next, we’re gonna’ create a VM. There are several tables that lay out machine types. Let’s start by listing any instances we might have:

gcloud compute instances list

Listed 0 items.

Note: If you have a lot of these you can use  --regexp to filter them quickly.

Then let’s pick a machine type. A description of machine types can be found at https://cloud.google.com/compute/docs/machine-types. And an image. Images can be seen using the compute command with images and then list, as follows:

gcloud compute images list

Now, let’s use that table from earlier and make a custom machine using an ubuntu uri, a –custom-cpu and a –custom-memory:

gcloud compute instances create krypted1 –image https://www.googleapis.com/compute/v1/projects/ubuntu-os-cloud/global/images/ubuntu-1610-yakkety-v20170502 –custom-cpu 2 –custom-memory 5

You’ll then see that your VM is up, running, and… has an IP:

Created [https://www.googleapis.com/compute/v1/projects/seventh-capsule-138523/zones/us-central1-a/instances/krypted1].
NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS
krypted1 us-central1-a custom (2 vCPU, 5.00 GiB) 10.128.0.2 104.154.169.65 RUNNING

Now let’s SSH in:

gcloud compute ssh krypted1

This creates ssh keys, adds you to the hosts and SSH’s you into a machine. So viola. You’re done. Oh wait, you don’t want to leave it running forever. After all, you’re paying by the minute… So let’s list your instances:

gcloud compute instances list

Then let’s stop the one we just created:

gcloud compute instances stop krypted1

And if you’d like, tear it down:

gcloud compute instances delete krypted1

Overall, super logical, very easy to use, and lovely command line environment. Fast, highly configurable VMs. Fun times!

May 18th, 2017

Posted In: cloud, Mac OS X, Ubuntu, Unix

Tags: , , , , , , ,

Leave a Comment

Builtin commands are always kinda’ interesting. At first glance, it’s hard to know which commands are builtins. Luckily, there’s a command that I rarely use, called… command. If you run command with the -V flag it will tell you if the command is a builtin:

command -V cd

cd is a shell builtin

If you run a command that isn’t a builtin

command -V ls

ls is /bin/ls

Some builtins are in /bin (like echo). But not all builtins are in /bin. Some are in /usr/bin (like cd). Information about how to use builtins is built into the help command rather than standalone man pages. So, if you do help followed by the name of a command, you’ll get information about the command, and sometimes how to use the command:

help cd

cd: cd [-L|-P] [dir]
Change the current directory to DIR. The variable $HOME is the
default DIR. The variable CDPATH defines the search path for
the directory containing DIR. Alternative directory names in CDPATH
are separated by a colon (:). A null directory name is the same as
the current directory, i.e. `.’. If DIR begins with a slash (/),
then CDPATH is not used. If the directory is not found, and the
shell option `cdable_vars’ is set, then try the word as a variable
name. If that variable has a value, then cd to the value of that
variable. The -P option says to use the physical directory structure
instead of following symbolic links; the -L option forces symbolic links
to be followed.

There are also commands not in a path, which can be found using the which command:

which dsconfigad

/usr/sbin/dsconfigad

May 6th, 2017

Posted In: bash, Mac OS X

Tags: , , , ,

If you’re in need of MDM in Japanese or German, Jamf Now shipped support for those languages last week. To switch languages, click on your name once logged in, and then click on the language you would like to use.

Enjoy.

May 1st, 2017

Posted In: iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , ,

I mentioned mdmclient when I gave the talk on the inner workings of Mobile Device Management, or MDM. There, I spent a lot of time on APNs and profiles, but just kinda’ spoke about mdmclient in terms of it being the agent that runs on macOS to provide mdm parity for the Mac. The mdmclient binary is located at /usr/libexec/mdmclient and provides pretty limited access to see how the Mac reacts to and interprets information coming from a device management provider.

I had been meaning to do a write-up on mdmclient and document what it can do since it first shipped. But as luck would have it, @Mosen on the Slacks beat me to the punch with a fantastic resource at https://mosen.github.io/profiledocs/troubleshooting/mdmclient.html. So here I’d like to focus on just 3 examples of using mdmclient. The first is to see what insight an MDM has to the applications installed (whether that information is actually committed to a database somewhere or not) using QueryInstalledApps:

/usr/libexec/mdmclient QueryInstalledApps

Here, we can see an array output of each bundle installed:

{BundleSize = 27457223;
Identifier = “com.hipchat.HipChat”;
Name = HipChat;
ShortVersion = “3.1.6”;
Version = “3.1.6”;}

Now, we can end up with duplicates, and so focus on just the unique Identifier keys, as follows:

/usr/libexec/mdmclient QueryInstalledApps | grep Identifier | uniq

The second iteration is to see installed profiles. The most basic of these, is to see user profiles, which can be obtained using QueryInstalledProfiles, as follows:

/usr/libexec/mdmclient QueryInstalledProfiles

Now, I could see using the profiles command with the -L option that I have a profile to configure office365 on my machine:

profiles -L

charlesedge[1] attribute: profileIdentifier: com.jamfsw.office365.a5f0e328-ea86-11e3-a26c-6476bab5f328
There are 1 user configuration profiles installed for ‘charlesedge’

So to see what that same information looks like, when queried from an MDM solution:
/usr/libexec/mdmclient QueryInstalledProfiles

QueryInstalledProfiles then returns:

({HasRemovalPasscode = 0;
IsEncrypted = 0;
PayloadContent = (
{PayloadDisplayName = “Charles Edge’s Office 365”;
PayloadIdentifier = “com.jamfsw.office365.a5f0e328-ea86-11e3-a26c-6476bab5f328.exchange.a5f2ccd9-ea86-11e3-b1e0-6476bab5f328”;
PayloadType = “com.apple.ews.account”;
PayloadUUID = “a5f2ccd9-ea86-11e3-b1e0-6476bab5f328”;
PayloadVersion = 1;});
PayloadDescription = “This will configure your Office 365 account for your Mac.”;
PayloadDisplayName = “Charles Edge’s Office 365”;
PayloadIdentifier = “com.jamfsw.office365.a5f0e328-ea86-11e3-a26c-6476bab5f328”;
PayloadOrganization = “JAMF Software”;
PayloadRemovalDisallowed = 0;
PayloadUUID = “a5f0e328-ea86-11e3-a26c-6476bab5f328”;
PayloadVersion = 1;
SignerCertificates = ();})

You can then take action based on this type of information, allow you to either fill a database for agent-based management, or simply take action if something is missing, etc.

QueryInstalledProfiles covers user profiles. To see system, you’ll need installedProfiles:

/usr/libexec/mdmclient installedProfiles | grep "Profile Name"

Run without the grep for a considerably more verbose amount of information.

Finally, let’s look at one more piece of information, which is the hash for the iTunes Store. That’s a point I’ve made a number of times, that the iTunes account email address is never provided to an MDM, once associated to a device or user on a device. Instead, there’s a hash of the account. These are important with VPP, as it allows for reversing (according to the MDM) which users have claimed which apps, or which users are using a given app, as well as how many devices they’re accessing those from. To see a hash, as an MDM sees it:

/usr/libexec/mdmclient QueryAppInstallation | grep iTunesStoreAccountHash

There’s a lot more you can do here, and I’m sure we’ll see a lot more over time. However, the work from @mosen combined with the opening up of the documentation on profiles and the mdm protocol helps to shed some light on how things work under the hood, and how we can use these features to provide greater programatic management for the Mac.

For example, to grab that iTuneshash from earlier, as a Jamf extension attribute you could use the following: https://github.com/krypted/ituneshash/blob/master/ituneshash.sh

April 28th, 2017

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , , , ,

Here’s a new extension attribute at https://github.com/krypted/ituneshash/blob/master/ituneshash.sh for grabbing the hash ID used for iTunes Store accounts, useful with VPP:

#!/bin/sh
#
#
#
#Jamf Pro Extension Attribute to return the App Store Account Hash for iTunes
#Note that the return is null if one is not found
#
#
result=`/usr/libexec/mdmclient QueryAppInstallation | grep iTunesStoreAccountHash | sed '/.*\"\(.*\)\".*/ s//\1/g'`
echo "<result>$result</result>"

The output is something like:

<result>oBSmAAAa0nUAAACBHe5AaALlNBg=</result>

Which would bring the string into Jamf Pro

April 26th, 2017

Posted In: JAMF, Mac OS X, Mac OS X Server, Mac Security

Tags: , , , ,

MySQL usually pulls settings from a my.cnf file. However, you can end up with settings in include files, which can be defined in the my.cnf using the following directives:

include /home/mydir/myopt.cnf
includedir /home/mydir

Because of this, and the fact that you might not have access to all locations of .cnf files on a filesystem, you can also grab them using the SHOW VARIABLES option within SQL, obtained by

/usr/local/mysql/bin/mysql -uroot -p mypassword -e "SHOW VARIABLES;" > /tmp/SQLSettings.txt

In the above command, -uroot defines we’ll be accessing with the root user, -p defines the password (listed as mypassword) and the -e defines that we want to execute a command and then quit. We then use > to dump the output into the defined file.

April 21st, 2017

Posted In: Mac OS X, SQL

Tags: , , ,

10.12.4 gives us a new option to recheck enrollment via DEP! You can now use the -N flag to recheck a DEP configuration and, if a computer is not enrolled in the correct listing, move the enrollment. This should makes of r an ability to move devices between server, change the URL string in an enrollment profile, and recheck for the removal of an enrollment profile.

To use the option, simply run profiles with the -N option (with elevated privileges):

sudo profiles -N

For the Mac, there are a lot of ways to programmatically handle enrollment, so this is a nice new feature, but not a game changer. But, while not yet available in iOS, if the same functionality could be had with, say, a MDM command, then you would be able to migrate iOS devices between MDMs, provided you already put the data in place so policies ran as expected.

April 18th, 2017

Posted In: Mac OS X, Mac OS X Server, Mac Security

There’s a macOS tool called AssetCacheLocatorUtil located at /usr/bin/AssetCacheLocatorUtil. The output is in… stderr. Because stderr is so fun to work with (note that sed -i only works with stdin). So, to update the caching server(s) you are using and only print the IP address of those, you’d do the following:

/usr/bin/AssetCacheLocatorUtil 2>&1 | grep guid | awk '{print$4}' | sed 's/^\(.*\):.*$/\1/' | uniq

If you use Jamf Pro and would like to use this as an extension attribute, that’s posted here: https://github.com/krypted/cachecheck. I didn’t do any of the if/then there, as I’d usually just do that on the JSS.

April 17th, 2017

Posted In: Mac OS X, Mac Security, Mass Deployment, Network Infrastructure, precache

Tags: , , , , , , , , , ,

Next Page »