krypted.com

Tiny Deathstars of Foulness

A number of systems require you to use complex characters in passwords and passcodes. Here is a list of characters that can be used, along with the name and the associated unicode:

  •    (Space) U+0020
  • ! (Exclamation) U+0021
  • ” (Double quotes) U+0022
  • # (Number sign) U+0023
  • $ (Dollar sign) U+0024
  • % (Percent) U+0025
  • & (Ampersand) U+0026
  • ‘  (Single quotes) U+0027
  • ( (Left parenthesis) U+0028
  • ) (Right parenthesis) U+0029
  • * (Asterisk) U+002A
  • + (Plus) U+002B
  • , (Comma) U+002C
  • – (Minus sign) U+002D
  • . (Period) U+002E
  • / (Slash) U+002F
  • : (Colon) U+003A
  • ; (Semicolon) U+003B
  • < (Less than sign) U+003C (not allowed in all systems)
  • = (Equal sign) U+003D
  • > (Greater than sign) U+003E (not allowed in all systems)
  • ? (Question) U+003F
  • @ (At sign) U+0040
  • [ (Left bracket) U+005B
  • \ (Backslash) U+005C
  • ] (Right bracket) U+005D
  • ^ (Caret) U+005E
  • _ (Underscore) U+005F
  • ` (Backtick) U+0060
  • { (Left curly bracket/brace) U+007B
  • | (Vertical bar) U+007C
  • } (Right curly bracket/brace) U+007D
  • ~ (Tilde) U+007E

April 29th, 2016

Posted In: iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , , ,

Leave a Comment

Precache, available at https://github.com/krypted/precache, is a script that populates the cache on an OS X Caching server for Apple updates. The initial release supported iOS. The script now also supports caching the latest update for an AppleTV. To use that, there’s no need to include an argument for AppleTV. Instead, you would simply  run the script followed by the model identifier, as follows:

sudo python precache.py AppleTV5,4

Screen Shot 2016-04-27 at 1.30.17 PM

April 28th, 2016

Posted In: Apple TV, iPhone, Mac OS X, Mac OS X Server, precache

Tags: , , , ,

Leave a Comment

AppleTVs automatically update. They do so using a process similar to how iOS updates, but instead of looking at the feed I posted in http://krypted.com/mac-security/how-the-os-x-caching-server-caches-updates/, they look at http://mesu.apple.com/assets/tv/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml.

The AppleTV feed is similar to that available for iOS updates, with each dictionary having roughly the same data:

<key>ActualMinimumSystemPartition</key>
<integer>1482</integer>
<key>Build</key>
<string>13Y6234</string>
<key>InstallationSize</key>
<string>0</string>
<key>MinimumSystemPartition</key>
<integer>1534</integer>
<key>OSVersion</key>
<string>9.2</string>
<key>ReleaseType</key>
<string>Beta</string>
<key>SUDocumentationID</key>
<string>PreRelease</string>
<key>SUInstallTonightEnabled</key>
<true/>
<key>SUMultiPassEnabled</key>
<true/>
<key>SUProductSystemName</key>
<string>iOS</string>
<key>SUPublisher</key>
<string>Apple Inc.</string>
<key>SupportedDeviceModels</key>
<array>
<string>J42dAP</string>
</array>
<key>SupportedDevices</key>
<array>
<string>AppleTV5,3</string>
</array>
<key>SystemPartitionPadding</key>
<dict>
<key>1024</key>
<integer>1280</integer>
<key>128</key>
<integer>1280</integer>
<key>16</key>
<integer>160</integer>
<key>256</key>
<integer>1280</integer>
<key>32</key>
<integer>320</integer>
<key>512</key>
<integer>1280</integer>
<key>64</key>
<integer>640</integer>
<key>768</key>
<integer>1280</integer>
<key>8</key>
<integer>80</integer>
</dict>
<key>_CompressionAlgorithm</key>
<string>zip</string>
<key>_DownloadSize</key>
<integer>856434408</integer>
<key>_EventRecordingServiceURL</key>
<string>https://xp.apple.com/report</string>
<key>_IsZipStreamable</key>
<true/>
<key>_Measurement</key>
<data>cm8k41In38EOJEj20IwJp5Suskw=</data>
<key>_MeasurementAlgorithm</key>
<string>SHA-1</string>
<key>_UnarchivedSize</key>
<integer>3438532888</integer>
<key>__AssetDefaultGarbageCollectionBehavior</key>
<string>NeverCollected</string>
<key>__BaseURL</key>
<string>
http://appldnld.apple.com/tvOS9.2//031-53364-20160321-7C5E21F2-E7B5-11E5-89F7-525CBD379832/
</string>
<key>__CanUseLocalCacheServer</key>
<true/>
<key>__RelativePath</key>
<string>
com_apple_MobileAsset_SoftwareUpdate/f58f4b324a9c717ea57b0cee063473a99d9e9e92.zip
</string>
To construct a URL to a zip, you would then simply merge the _BaseURL and the _RelativePath to the asset from the feed for a given model, in the above example, ending up with the following URL to manually download tvOS 9.2 for AppleTV 5,3:
http://appldnld.apple.com/tvOS9.2//031-53364-20160321-7C5E21F2-E7B5-11E5-89F7-525CBD379832/com_apple_MobileAsset_SoftwareUpdate/f58f4b324a9c717ea57b0cee063473a99d9e9e92.zip
BTW, Applednld is load balanced between 17.253.29.201 and 17.253.29.202, both within Apple’s Class C.
You don’t need two / characters in the path, but if you take the same process from my earlier post, you end up with
http://10.1.1.2:55491/tvOS9.2/031-53364-20160321-7C5E21F2-E7B5-11E5-89F7-525CBD379832/f58f4b324a9c717ea57b0cee063473a99d9e9e92.zip?source=appldnld.apple.com

April 27th, 2016

Posted In: Apple TV, Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , , , , , ,

Leave a Comment

April 26th, 2016

Posted In: Apple TV, iPhone, Mac OS X, Mac OS X Server, Mac Security, MacAdmins Podcast

Tags: , , , , , , ,

Leave a Comment

A little while back, I did a little writeup on how the OS X Caching Server caches updates at http://krypted.com/mac-security/how-the-os-x-caching-server-caches-updates/. The goal was to reverse engineer parts of how it worked for a couple of different reasons. The first was to get updates for devices to cache to my caching server prior to 15 people coming in before it’s cached and having caching it down on their own.

So here’s a little script I call precache. It’s a little script that can be used to cache available Apple updates into an OS X Server that is running the Caching Service. To use, run the script followed by the name of the model. For example, for an iPad 2,1, you would use the following syntax:

sudo python precache.py iPad2,1

To eliminate beta operating systems from your precache,use the –no-beta argument:

sudo python precache.py iPad2,1 --no-beta

I’ll probably add some other little things nee and there, this pretty much is what it is and isn’t likely to become much more. Unless someone has a good idea or forks it and adds it. Which would be cool. Enjoy.

Screen Shot 2016-04-24 at 12.24.23 PM

April 25th, 2016

Posted In: iPhone, Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , ,

Leave a Comment

I do a lot of testing on MacBook Airs and the latest MacBooks. Neither have a built-in Ethernet port and I try not to travel with one. But, when you enable the Caching Server service in OS X on a machine without an active Ethernet connection, the AssetCache will report an error of the following:

Wireless portable computer not supported

The cause is pretty obvious, but bypassable because of how the sanity check was built. Simply run the following:

sudo serveradmin settings caching:Interface = en0

Now try again. Enjoy.

PS: Since people always jump on the article where I talk about how to do things that shouldn’t be done in production, I mostly use this for testing. Don’t do it in production… And if you enjoy being judgmental about things, please feel free to find something constructive to do with your time, like write up how to do something that everyone else can judge you harshly for…

April 23rd, 2016

Posted In: iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

One Comment

Apple School Manager is a portal used to create classes, import students, manage Managed Apple IDs, and link all these things together. You can use a Student Information System (SIS) to create these classes, import students, etc. But, only if you have a SIS with an API that Apple links to. If you don’t, you’ll need to import data using csv files. And you’ll need to import four csv files: Classes, Instructors, Staff, and of course Students.

Many schools will already have this data in Active Directory or another LDAP-based solution. Here, we’ll look at getting the information out of Active Directory and into csv. The LDIFDE utility exports and imports objects from and to Active Directory using the ldif format, which is kinda’ like csv when it gets really drunk and can’t stay on one line. Luckily, ldif can’t drive. Actually, each attribute/field is on a line (which allows for arrays) and an empty line starts the next record. Which can make for a pretty messy looking file the first time you look at one. The csvde command can be used to export data into the csv format instead. In it’s simplest form the ldifde command can be used to export Active Directory objects just using a -f option to specify the location (the working directory that we’re running the ldifde command from if using powershell to do so or remove .\ if using a standard command prompt):

ldifde -f .\ADExport.ldf

This exports all attributes of all objects, which overlap with many in a target Active Directory and so can’t be imported. Therefore, you have to limit the scope of what you’re exporting, which you can do in a few ways. The first is to only export a given OU (in this case called Students, but you could do one for Teachers, one for each grade, etc). To limit, you’ll define a dn with a -d flag followed by the actual dn of the OU you’re exporting and then you’d add a -p for subtree. In the following example we’ll export all of the objects from the sales OU to the StudentsOUExport.ldf file:

ldifde -d "OU=Students,DC=krypted,DC=local" -p subtree -f .\StudentsOUExport.ldf

Once you have the ldif file, you’ll want to convert it from ldif to csv. Some apps to do so:

Once you have the file in csv form, you can import it using the Apple School Manager web interface.

April 22nd, 2016

Posted In: Articles and Books, iPhone, Mac OS X, Mac OS X Server, Mac Security

Tags: , , ,

Leave a Comment

You can find the version of the Server app that an OS X Server is running using the serveradmin command. To do so, run the serveradmin command followed by the -version option:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin --version

The output would be as follows:

Version 15S5127

April 21st, 2016

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , ,

Leave a Comment

There are a lot of scripts stored on github. And you can run them directly by curling them into bash. To do so, you’ll need a link to the raw script (using the github page with the URL of the script brings in all the cruft, so you’ll need to find the raw text). To grab that, click on the page with the script and then right-click  on Raw, as seen here:

Screen Shot 2016-04-16 at 11.21.48 PM

Then, throw out a bash command followed by < and then the URL you just copied into your clipboard in parenthesis:

bash <(curl -Ls https://github.com/krypted/resetsoftwareupdate/raw/master/resetsoftwareupdate.sh)

April 20th, 2016

Posted In: Mac OS X, Mac OS X Server, Mac Security, Ubuntu, Unix

Tags: , , , ,

3 Comments

The Caching Server in OS X is a little bit of a black box. But, it’s not all that complicated, compared to some things in the IT world. I’d previously written about command line management of the service itself here. When you enable the caching service, the server registers itself as a valid Caching Server. Nearby devices then lookup the closest update server with Apple and register with that update server using a GUID:

/Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings caching:ServerGUID

Then, each time the device looks for an update, it does so against http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml using the device model. Noticed this with this line in my proxy logs:

"GET http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1" 200 - "-" "MobileAsset/1.0"

Let’s say that the device is an iPad 2,7, then the following information is used for the update, with a URL of http://appldnld.apple.com/iOS9.3.1/031-56322-20160331-F8B29F9E-F68D-11E5-AF11-0744ED25FABD/com_apple_MobileAsset_SoftwareUpdate/1c02ea51b4d2d50b04526c4ec29780b8e02dfe76.zip, which is created using the _BaseURL string followed by the _RelativePath string:

<dict>
<key>ActualMinimumSystemPartition</key>
<integer>1965</integer>
<key>Build</key>
<string>13E6238</string>
<key>InstallationSize</key>
<string>0</string>
<key>MinimumSystemPartition</key>
<integer>2017</integer>
<key>OSVersion</key>
<string>9.3.1</string>
<key>ReleaseType</key>
<string>Beta</string>
<key>SUDocumentationID</key>
<string>iOS931GM</string>
<key>SUInstallTonightEnabled</key>
<true/>
<key>SUMultiPassEnabled</key>
<true/>
<key>SUProductSystemName</key>
<string>iOS</string>
<key>SUPublisher</key>
<string>Apple Inc.</string>
<key>SupportedDeviceModels</key>
<array>
<string>P107AP</string>
</array>
<key>SupportedDevices</key>
<array>
<string>iPad2,7</string>
</array>
<key>SystemPartitionPadding</key>
<dict>
<key>1024</key>
<integer>1280</integer>
<key>128</key>
<integer>1280</integer>
<key>16</key>
<integer>160</integer>
<key>256</key>
<integer>1280</integer>
<key>32</key>
<integer>320</integer>
<key>512</key>
<integer>1280</integer>
<key>64</key>
<integer>640</integer>
<key>768</key>
<integer>1280</integer>
<key>8</key>
<integer>80</integer>
</dict>
<key>_CompressionAlgorithm</key>
<string>zip</string>
<key>_DownloadSize</key>
<integer>1164239508</integer>
<key>_EventRecordingServiceURL</key>
<string>https://xp.apple.com/report</string>
<key>_IsZipStreamable</key>
<true/>
<key>_Measurement</key>
<data>Rfrw7jNYWH8xNS67pXoq7NEhpUI=</data>
<key>_MeasurementAlgorithm</key>
<string>SHA-1</string>
<key>_UnarchivedSize</key>
<integer>1235575808</integer>
<key>__AssetDefaultGarbageCollectionBehavior</key>
<string>NeverCollected</string>
<key>__BaseURL</key>
<string>
http://appldnld.apple.com/iOS9.3.1/031-56322-20160331-F8B29F9E-F68D-11E5-AF11-0744ED25FABD/
</string>
<key>__CanUseLocalCacheServer</key>
<true/>
<key>__QueuingServiceURL</key>
<string>https://ns.itunes.apple.com/nowserving</string>
<key>__RelativePath</key>
<string>
com_apple_MobileAsset_SoftwareUpdate/1c02ea51b4d2d50b04526c4ec29780b8e02dfe76.zip
</string>
</dict>

You can then use these dictionaries to assemble this path for all items in the dictionary with “iPad 2,7” in the SupportedDevices key. You can also choose to assemble this path for all items with the OSVersion of a given string, such as 9.3.1 in this case. You could curl these updates down to a client, or request them through the caching service, which would cache them to the Caching Server, using the IP of the server (e.g. 10.1.1.2) http://10.1.1.2:55491/iOS9.3.1/031-56322-20160331-F8B29F9E-F68D-11E5-AF11-0744ED25FABD/1c02ea51b4d2d50b04526c4ec29780b8e02dfe76.zip?source=appldnld.apple.com

Found the above URL using a reverse proxy. This URL is generated based on an http request to the IP address of the caching service, followed by the port. The port is derived using the serveradmin command and query the settings for caching:Port as follows:

/Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings caching:Port

In this example, the URL is then

http://10.1.1.2:55491/

But the URL then splits the _BaseURL into two parts, taking appldnld.apple.com from the URL and appending ?source=appldnld.apple.com. So without the update, the URL would be the following:

http://10.1.1.2:55491?source=appldnld.apple.com

OK, so now we’ll pop the other part of that _BaseURL in there:

http://10.1.1.2:55491/iOS9.3.1/031-56322-20160331-F8B29F9E-F68D-11E5-AF11-0744ED25FABD?source=appldnld.apple.com

And then there’s one more step, which is throw the zip in there:

http://10.1.1.2:55491/iOS9.3.1/031-56322-20160331-F8B29F9E-F68D-11E5-AF11-0744ED25FABD/1c02ea51b4d2d50b04526c4ec29780b8e02dfe76.zip?source=appldnld.apple.com

Viola. Curl that and the caching server will download that update and make it ready for clients to access. Everything is hashed and secure in the directory listed using this command:

/Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings caching:DataPath

April 18th, 2016

Posted In: Apple Configurator, Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , , , ,

Leave a Comment

Next Page »