krypted.com

Tiny Deathstars of Foulness

There’s a new MDM option to skip the privacy screen at setup for Mac. But, you can also skip that screen programmatically. Do so by sending a DidSeePrivacy boolean key into com.apple.SetupAssistant. This could be done via an MDM or through a simple defaults command, as follows: defaults write com.apple.SetupAssistant DidSeePrivacy -bool TRUE Note: Since writing this, Rich Trouton has published a script that includes the other options at https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/disable_apple_icloud_data_privacy_diagnostic_and_siri_pop_ups.

April 2nd, 2018

Posted In: Mac OS X

Tags: , ,

/etc/Sudoers is a file that controls what happens when you use sudo. /etc/sudo_lecture is a file that Apple includes in macOS that tells your users that what they’re about to do is dangerous. You can enable a lecture, which will be displayed each time sudo is invoked. To turn on the lecture option in sudo, open /etc/sudoers and add the following two lines (if they’re not already there):

Defaults lecture=always
Defaults lecture_file = “/etc/sudo_lecture”

Then save the file and edit /etc/sudo_lecture. Apple has kindly included the following
Warning: Improper use of the sudo command could lead to data loss or the deletion of important system files. Please double-check your typing when using sudo. Type “man sudo” for more information. To proceed, enter your password, or type Ctrl-C to abort.
Let’s change this to:
Hack the planet.

Now save and open a new Terminal screen. Run sudo bash and viola, you will get your new message. Enjoy.

April 1st, 2018

Posted In: Mac OS X, Mac Security

Tags: , , , , ,

Apple has published a new page that goes through all of the settings and commands available via MDM and explains many in much more detail. This is available at http://help.apple.com/deployment/mdm/. The new guide is a great addition to the work @Mosen has done at https://mosen.github.io/profiledocs/ in terms of explaining what each setting, command, and payload do. And let’s not forget the definitive MDM protocol reference guide, available at https://developer.apple.com/library/content/documentation/Miscellaneous/Reference/MobileDeviceManagementProtocolRef/1-Introduction/Introduction.html#//apple_ref/doc/uid/TP40017387-CH1-SW1

Overall, I’m excited to see so much information now available about MDM, including how to develop an MDM properly, what each setting does, and now what you should expect out of an MDM!

March 28th, 2018

Posted In: iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , ,

Hey, who knew that the developer documentation for Apple Business Manager would be made publicly available? It’s at https://beta.business.apple.com/static/docs/beta.pdf. Or if it gets taken down, at Apple Business Manager Documentation.

Note: I saw this pop up in like 4 different places. If anyone knows who I can attribute for realizing it was publicly available, please let me know so I can!

March 26th, 2018

Posted In: iPhone, Mac OS X

Tags: , ,

Homebrew is a package manager for macOS. You can use Homebrew to install command line packages on a Mac, provided someone has written a formulae, which is a simple Ruby script that walks through the process for installing all the little bits required for a piece of software.

Installing Homebrew is simple. Run the following command which is listed on the Homebrew homepage (not as root):
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
This will install the macOS Command Line Tools from Xcode as well as create the following directories (if they’re not already present):
  • /usr/local/Cellar
  • /usr/local/Homebrew
  • /usr/local/Frameworks
  • /usr/local/opt
  • /usr/local/sbin
  • /usr/local/share/zsh
  • /usr/local/share/zsh/site-functions
  • /usr/local/var
Then the script will move all the required bits from https://github.com/Homebrew/brew to the correct locations. Once done, you can easily install a package if you know the name. For example, I do this on practically every new machine I configure for development:

brew install wget

This one is nice because the dependencies that get installed. And you get the latest versions. Let’s look at the version for wget:

wget -V

Next, let’s use brew to search for something: radius

brew search radius

You’ll see that there’s one item on the local taps: freeradius-server

Let’s install that:

brew install freeradius-server
Now, you’ll find that the bits that make freeradius work are located in /usr/local/Cellar/freeradius-server/3.0.16. If you later need to upgrade that package, use the upgrade verb.

brew upgrade freeradius-server

And finally, to update Homebrew to the latest version, run the update verb:

brew update

March 22nd, 2018

Posted In: bash, Mac OS X

The first step to moving services from macOS Server for pretty much all services is to check out the old settings. The second step is to probably ask if where you’re going to put the service is a good idea. For example, these days I prefer to run DHCP services on a network appliance such as a Synology. And so let’s look at how to do that. Here, we’ll use the serveradmin command to view the settings of the DHCP service:

/Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings dhcp

The output is an array of subnets with different settings per subnet.

dhcp:static_maps = _empty_array
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_primary_server = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_router = "10.15.40.1"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_secondary_server = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_range_start = "10.15.40.2"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_range_end = "10.15.43.253"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_domain_name = "clients.msp.jamfsw.corp"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_domain_name_server:_array_index:0 = "8.8.8.8"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_domain_name_server:_array_index:1 = "4.4.4.4"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:lease_max = 36000
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_mask = "255.255.252.0"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_ldap_url = _empty_array
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_node_type = "NOT_SET"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_enabled = yes
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_NBDD_server = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_address = "10.15.40.0"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_scope_id = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:selected_port_name = "en1"
dhcp:subnet_defaults:logVerbosity = "MEDIUM"
dhcp:subnet_defaults:routers:en0 = "10.15.40.1"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:0 = "BROADCAST_B_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:1 = "HYBRID_H_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:2 = "NOT_SET"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:3 = "PEER_P_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:4 = "MIXED_M_NODE"
dhcp:subnet_defaults:WINS_node_type = "NOT_SET"
dhcp:subnet_defaults:dhcp_domain_name = "krypted.com"
dhcp:subnet_defaults:logVerbosityList:_array_index:0 = "LOW"
dhcp:subnet_defaults:logVerbosityList:_array_index:1 = "MEDIUM"
dhcp:subnet_defaults:logVerbosityList:_array_index:2 = "HIGH"
dhcp:subnet_defaults:dhcp_domain_name_server:_array_index:0 = "8.8.8.8"
dhcp:subnet_defaults:dhcp_domain_name_server:_array_index:1 = "4.4.4.4"
dhcp:subnet_defaults:selected_port_key = "en0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:0 = "en0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:1 = "bridge0"
dhcp:logging_level = "MEDIUM"


Next, we’ll setup a Synology NAS using the instructions found here:

Basic Synology NAS Setup

 Once you’ve setup your Synology NAS, you can install a dhcp server on it, if you need to provide those services. To get started, first open Control Panel and then find DHCP Server in the Control Panel sidebar. 


From here, click on the LAN port.

Because DHCP requires a subnet mask, and a pool of IP addresses that can be shared, the “Enable DHCP server” button will initially be greyed out. Click on the Edit button to define these.

Click on the checkbox for “Enable DHCP server” and enter the following settings:
  • Address lease time: The number of seconds the lease will be valid.
  • Primary DNS: The first DNS server provided to client computers.
  • Secondary DNS: The second DNS server provided to client computers.
  • Domain name: The automatic suffix applied to hostnames of clients (e.g. if you enter Synology in a web browser and this setting was krypted.com then you would be routed to Synology.krypted.com. 
  • Enable Web Proxy Automatic Discovery: provide a PAC file (using DHCP options)
  • URL: The PAC file.
  • Subnetlist: Here you add subnets, which we’ll describe next.

At the Create DHCP Subnet screen, you’ll be prompted for the following fields:

  • Start IP address: The first IP address in the pool that will be handed out.
  • End IP address: The last IP address in the pool that will be handed out (note that in my example, I’m handing out 192.168.55.40 to 192.168.55.50, so 11 addresses – make sure these don’t overlap with other devices that are already using addresses or with other DHCP pools or you will have sporadic device connectivity for some devices).
  • Netmask: The subnet mask to be given to devices along with their lease.
  • Gateway: The default gateway, or router for the network.
  • DHCP Options: I cover these in http://krypted.com/mac-os-x/replace-macos-server-dhcp-service-built-macos-dhcp-service/, but this list includes those supported on the Synology. 

Once your settings are configured, click Create. You’ll then see your pool configured. Click the OK button.

You’ll then see a list of subnets and settings. Click “Enable DHCP server” to start the service. 

Once started, click “Disable DHCP server” to stop the service or go back to the edit screen and click on the DHCP Clients tab to see what IP each client has been provided.

March 21st, 2018

Posted In: Mac OS X, Mac OS X Server

Tags: , , , , ,

View Your Old Settings

The first step to moving services from macOS Server for pretty much all services is to check out the old settings. The second step is to probably ask if where you’re going to put the service is a good idea. For example, these days I prefer to run DHCP services on a network appliance. But it can absolutely be run on a Mac. And so let’s look at how to do that. Here, we’ll use the serveradmin command to view the settings of the DHCP service:

/Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings dhcp

The output is an array of subnets with different settings per subnet.

dhcp:static_maps = _empty_array
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_primary_server = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_router = "10.15.40.1"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_secondary_server = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_range_start = "10.15.40.2"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_range_end = "10.15.43.253"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_domain_name = "clients.msp.jamfsw.corp"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_domain_name_server:_array_index:0 = "8.8.8.8"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_domain_name_server:_array_index:1 = "4.4.4.4"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:lease_max = 36000
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_mask = "255.255.252.0"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_ldap_url = _empty_array
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_node_type = "NOT_SET"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_enabled = yes
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_NBDD_server = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_address = "10.15.40.0"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_scope_id = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:selected_port_name = "en1"
dhcp:subnet_defaults:logVerbosity = "MEDIUM"
dhcp:subnet_defaults:routers:en0 = "10.15.40.1"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:0 = "BROADCAST_B_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:1 = "HYBRID_H_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:2 = "NOT_SET"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:3 = "PEER_P_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:4 = "MIXED_M_NODE"
dhcp:subnet_defaults:WINS_node_type = "NOT_SET"
dhcp:subnet_defaults:dhcp_domain_name = "krypted.com"
dhcp:subnet_defaults:logVerbosityList:_array_index:0 = "LOW"
dhcp:subnet_defaults:logVerbosityList:_array_index:1 = "MEDIUM"
dhcp:subnet_defaults:logVerbosityList:_array_index:2 = "HIGH"
dhcp:subnet_defaults:dhcp_domain_name_server:_array_index:0 = "8.8.8.8"
dhcp:subnet_defaults:dhcp_domain_name_server:_array_index:1 = "4.4.4.4"
dhcp:subnet_defaults:selected_port_key = "en0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:0 = "en0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:1 = "bridge0"
dhcp:logging_level = "MEDIUM"

Configure DHCP Settings

The easy thing is to configure a DHCP server is using Internet Sharing from the Sharing System Preference pane. To do so, simply open System Preferences, click on Sharing and then Internet Sharing. But wait, where do you configure a scope, or the DNS Server or… The answer is “the command line” but don’t be put off by that. In this case I prefer it. 

Now, let’s go hacking around in your bootp.plist. This file is stored at /private/etc/bootpd.plist and you’ll need to sudo in order to edit the file. First, back it up. Next, let’s cat the file and cover a few basic examples of migrating the settings:

<?xml version=”1.0″ encoding=”UTF-8″?>
<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN” “http://www.apple.com/DTDs/PropertyList-1.0.dtd”>
<plist version=”1.0″>
<dict>
<key>NetBoot</key>
<dict/>
<key>Subnets</key>
<array>
<dict>
<key>allocate</key>
<true/>
<key>dhcp_domain_name</key>
<string>krypted.com</string>
<key>dhcp_domain_name_server</key>
<array>
<string>8.8.8.8</string>
<string>4.4.4.4</string>
</array>
<key>dhcp_router</key>
<string>10.15.40.1</string>
<key>lease_max</key>
<integer>36000</integer>
<key>name</key>
<string>10.15.42/22 Wi-Fi</string>
<key>net_address</key>
<string>10.15.40.0</string>
<key>net_mask</key>
<string>255.255.252.0</string>
<key>net_range</key>
<array>
<string>10.15.40.2</string>
<string>10.15.43.253</string>
</array>
<key>selected_port_name</key>
<string>en1</string>
<key>uuid</key>
<string>22217FF5-4DDB-4841-A731-EF5DA080E672</string>
</dict>
</array>
<key>netboot_disabled</key>
<array>
<string>en8</string>
</array>
</dict>
</plist>

Let’s start with a simple example of copying the range from one of these to another. First, locate the net_range_startand the net_range_endkeys in your serveradmin output. Then find the net_range array in your bootp.plist. They’re the same in my two examples because the macOS Server app was just hacking the bootp.plist (OK it was doing more but that was the main thing it was doing). On a fresh new server you might have a very different plist, so you can borrow the above if ya’ need to. Replace the two values in the two strings with those in your server if needed. 

 Next, find the dhcp_routersetting for that subnet and match it to the same in the bootp.plist. Then, the net_mask. These are all that are required for DHCP to work (technically, the router isn’t required, but it’s super-weird on Apple stuff when there’s not a router, so it’s best to have one when possible. If you need WINS, domain names, DNS Servers, etc, simply repeat the process. You can also copy and paste the code block between the <dict> sections if you need multiple subnets. Or you could move the service to a network appliance more capable, if needed.

The settings for bootp  include the following, many of which can be seen in the above output:
  • dhcp_enabled – Used to enable dhcp for each network interface. Replace the <false/> immediately below with <array> <string>en0</string> </array>. For additional entries, duplice the string line and enter each from ifconfig that you’d like to use dhcp on.
  • bootp_enabled – This can be left as Disabled or set to an array of the adapters that should be enabled if you wish to use the bootp protocol in addition to dhcp. Note that the server can do both bootp and dhcp simultaneously.
  • allocate – Use the allocate key for each subnet in the Subnets array to enable each subnet once the service is enabled.
  • Subnets – Use this array to create additional scopes or subnets that you will be serving up DHCP for. To do so, copy the entry in the array and paste it immediately below the existing entry. The entry is a dictionary so copy all of the data between and including the <dict> and </dict> immediately after the <array> entry for the subnet itself.
  • lease_max and lease_min – Set these integers to the time for a client to retain its dhcp lease
  • name – If there are multiple subnet entries, this should be unique and reference a friendly name for the subnet itself.
  • net_address – The first octets of the subnet followed by a 0. For example, assuming a /24 and 172.16.25 as the first three octets the entry would be 172.16.25.0.
  • net_mask – The subnet mask clients should have
  • net_range – The first entry should have the first IP in the range and the last should have the last IP in the range. For example, in the following example the addressing is 172.16.25.2 to 172.16.25.253.
  • dhcp_domain_name_server – There should be a string for each DNS server supplied by dhcp in this array
  • dhcp_domain_search – Each domain in the domain search field should be suppled in a string within this array, if one is needed. If not, feel free to delete the key and the array if this isn’t needed.
  • dhcp_router – This entry should contain the router or default gateway used for clients on the subnet, if there is one. If not, you can delete the key and following string entries.

Configure DHCP Reservations

To configure reservations, use the /etc/bootptab file. This file should have a column for the name of a computer, the hardware type (1), the hwaddr (the MAC address) and ipaddr for the desired IP address of each entry:

%%
# hostname hwtype hwaddr ipaddr bootfile
a.pretendco.com 1 00:00:00:aa:bb:cc 172.16.25.25
b.pretendco.com 1 00:00:00:aa:bb:cc 172.16.25.29

Starting and Stopping the Service

Once everything is configured, fire it up using the following command:

sudo /bin/launchctl load -w /System/Library/LaunchDaemons/bootps.plist

And terminate using the following command:

sudo /bin/launchctl unload -w /System/Library/LaunchDaemons/bootps.plist

Once configured, configure the service to start automatically. To do so, open /System/Library/LaunchDaemons/bootps.plist. Here, just change the Disabled key to False, by changing the word True in line 6 to False.

Troubleshooting: Inspect Leases on Clients

I did an article some time ago about how DHCP leases work. Once you have clients using the DHCP server, you can also renew and view their leases from the command line, which does not usually show you a new lease in the GUI immediately. To reset the DHCP lease from the command line, use ipconfig:

ipconfig set en0 BOOTP
ipconfig set en0 DHCP


If the information is displayed on the screen, then it has to be stored somewhere, right? When your system sends an acceptance for a lease, the leases are then stored in /var/db/dhcpclient/leases. These are stored in standard property list form using the interface, followed by the MAC address of the interface followed by .plist. For example, if your MAC address is en0-1,10:9a:cc:ab:5d:ac then the lease would cat as follows:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>IPAddress</key>
<string>192.168.210.94</string>
<key>LeaseLength</key>
<integer>86400</integer>
<key>LeaseStartDate</key>
<date>2018-02-31T15:36:59Z</date>
<key>PacketData</key>
<data>
AgEGAMHrfCMAAAAAAAAAAMCo0l4AAAAAAAAAABCa3atdrAAAAAAAAAAAAAD/AAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAA/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEFNgTAqNIBAQT///8A
MwQAAVGANAEDAwTAqNIBBghEV02CRFdIgv8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
</data>
<key>RouterHardwareAddress</key>
<data>
AAaxLwVA
</data>
<key>RouterIPAddress</key>
<string>192.168.210.1</string>
</dict>
</plist>

The keys in this file make it easier to script figuring out a few things about your active leases, such as when they’re going to expire, when the lease was accepted or even whether or not the system has a lease (especially when it shouldn’t have a lease). But they can cause misreporting. If the information seems “stuck” in the System Preferences pane you can then rm the dhcp lease file.

Note: If the RouterIPAddress cannot be reached, the lease will be delayed in processing, causing the lease to appear to take a long time to be obtained even though it’s looping to hopefully find a more appropriate lease with a RouterIPAddress that can be reached.

For anyone who uses a shell script to reset their IP address, I recommend using the following as the full script, rather than the two lines most commonly used (where $leasefile is the name of your lease file):

ipconfig set en0 BOOTP
ipconfig set en0 DHCP
rm /var/db/dhcpclient/leases/$leasefile


Being the nerd I am, I called mine ipcfg.exe and end with an echo of the IP:

ipconfig getifaddr en0

Finally, a very effective way I’ve seen people reset leases that are seriously stuck is to swap locations and then swap back. Let’s say your users generally use the “Automatic” location and you have one called “TEMP”. You can use the scselect command to see locations and switch between them. So to switch to TEMP, we would simply:

scselect TEMP

And then to select Automatic again:

scselect Automatic

Now be careful with this last little tidbit. As if you have TEMP and don’t have any interfaces active and are running remotely then you might have some walking (or driving) around to do…

Configure DHCP Options

The DHCP Service also has a number of DHCP options available; most notably the options available in the GUI. But what about options that aren’t available in the GUI, such as NTP. Well, using /etc/bootpd.plist, the same file we used to define servers allowed to relay, you can also define other options. These begin with the following keys that can be added into your property list:
  • dhcp_time_offset (option 2)
  • dhcp_router (option 3)
  • dhcp_domain_name_server (option 6)
  • dhcp_domain_name (option 15)
  • dhcp_network_time_protocol_servers (option 42)
  • dhcp_nb_over_tcpip_name_server (option 44)
  • dhcp_nb__over_tcpip_dgram_dist_server (option 45)
  • dhcp_nb_over_tcpip_node_type (option 46)
  • dhcp_nb_over_tcpip_scope (option 47)
  • dhcp_smtp_server (option 69)
  • dhcp_pop3_server (option 70)
  • dhcp_nntp_server (option 71)
  • dhcp_ldap_url (option 95)
  • dhcp_netinfo_server_address (option 112)
  • dhcp_netinfo_server_tag (option 113)
  • dhcp_url (option 114)
  • dhcp_domain_search (option 119)
  • dhcp_proxy_auto_discovery_url (option 252)
But you can also add options by their numerical identifier. To add them, add the following into your /etc/bootpd.plist file and then restart the DHCP service:

<string>dhcp_option_120</string> <data> 192.168.210.7 </data>

In the above, you’d replace the option 120 (SIP) with the option you wish to use. Numbers correspond to options as follows:
0 – Pad
1 – Subnet Mask
3 – Router
4 – Time Server
5 – Name Server
6 – Domain Name Server
7 – Log Server
8 Quote Server
9 – LPR Server
10 – Impress Server
11 – Resource Location Server
12 – Host Name
13 – Boot File Size
14 – Merit Dump File
15 – Domain Name
16 – Swap Server
17 – Root Path
18 – Extensions Path
19 – IP Forwarding
20 – WAN Source Routing
21 – Policy Filter
22 – Maximum Datagram Reassembly Size
23 – Default IP Time-to-live
24 – Path MTU Aging Timeout
25 – Path MTU Plateau Table
26 – Interface MTU
27 – All Subnets are Local
28 – Broadcast Address
29 – Perform Mask Discovery
30 – Mask supplier
31 – Perform router discovery
32 – Router solicitation address
33 – Static routing table
34 – Trailer encapsulation.
35 – ARP cache timeout
36 – Ethernet encapsulation
37 – Default TCP TTL
38 – TCP keep alive interval
39 – TCP keep alive garbage
40 – Network Information Service Domain
41 – Network Information Servers
42 – NTP servers
43 – Vendor specific information
44 – NetBIOS over TCP/IP name server
45 – NetBIOS over TCP/IP Datagram Distribution Server
46 – NetBIOS over TCP/IP Node Type
47 – NetBIOS over TCP/IP Scope
48 – X Window System Font Server
49 – X Window System Display Manager
50 – Requested IP Address
51 – IP address lease time
52 – Option overload
53 – DHCP message type
54 – Server identifier
55 – Parameter request list
56 – Message
57 – Maximum DHCP message size
58 – Renew time value
59 – Rebinding time value
60 – Class-identifier
61 – Client-identifier
62 – NetWare over IP Domain Name
63 – NetWare over IP information
64 – Network Information Service Domain
65 – Network Information Service Servers
66 – TFTP server name
67 – Bootfile name
68 – Mobile IP Home Agent
69 – Simple Mail Transport Protocol Server
70 – Post Office Protocol Server
71 – Network News Transport Protocol Server
72 – Default World Wide Web Server
73 – Default Finger Server
74 – Default Internet Relay Chat Server
77 – User Class Information
78 – SLP Directory Agent
79 – SLP Service Scope
80 – Rapid Commit
81 – Fully Qualified Domain Name
82 – Relay Agent Information
83 – Internet Storage Name Service
85 – NDS servers
86 – NDS tree name
87 – NDS context
88 – BCMCS Controller Domain Name list
89 – BCMCS Controller IPv4 address list
90 – Authentication
91 – Client Last Transaction Time
92 – Associated IP
93 – Client System Architecture Type
94 – Client Network Interface Identifier
95 – LDAP, Lightweight Directory Access Protocol
97 – Client Machine Identifier
98 – Open Group User Authentication
100 – IEEE 1003.1 TZ String
101 – Reference to the TZ Database
112 – NetInfo Parent Server Address
113 – NetInfo Parent Server Tag
114- URL
116 – Auto-Configure
117 – Name Service Search
118 – Subnet Selection
119 – DNS domain search list
120 – SIP Servers DHCP Option
121 – Classless Static Route Option
123 – GeoConfiguration
124 – Vendor-Identifying Vendor Class
125 – Vendor-Identifying Vendor Specific
128 – TFPT Server IP address
129 – Call Server IP address
130 – Discrimination string
131 – Remote statistics server IP address
132 – 802.1P VLAN ID
133 – 802.1Q L2 Priority
134 – Diffserv Code Point
135 – HTTP Proxy for phone-specific applications
136 – PANA Authentication Agent
139 – IPv4 MoS
140 – IPv4 Fully Qualified Domain Name MoS
150 – TFTP server address
176 – IP Telephone
220 – Subnet Allocation
221 – Virtual Subnet Selection
252 – Proxy auto-discovery
254 – Private use
255 – End
And that’s it. This whole thing can take 5-10 minutes. In fact, if you were using macOS Server then just backup your bootp.plist and copy it to another machine, assuming the network interface (en0, en1, etc) hasn’t changed. Or change it if it has. But, for all the other weird stuff that was in the UI (or even the stuff that was never in the UI), here’s a pretty lengthy explanation of how to manage all of it from the command line. Building a GUI to configure these wouldn’t be that hard either, assuming you have bootp built into the Mac for awhile (and I think you need it for Internet sharing). Oh, that reminds me, Internet sharing is likely to overwrite any custom settings, so once you hack the plist, don’t go back to System Preferences-based management.

March 20th, 2018

Posted In: Mac OS X, Mac OS X Server

Tags: , , , , , , , , , ,

The WD MyCloud is a pretty single-purpose device. It’s a disk with a network interface, and as with Direct Attached Storage, the MyCloud Network Attached Storage is pretty easy to connect to.

First, let’s look at connecting to the web interface via the menu item, where you can drag and drop files to the device. Once the device is configured, use the WD menu item to see your device. From there, click on the name of your device.

Alternatively, you could visit mycloud.com and sign into the web interface there. 

In both cases, you’ll see a list of files and then in the sidebar, you’ll see those options to configure settings, add integrations, view active its, and view photos that are on the device. 


From here, you can simply drag and drop files into the web page, just like with a box or dropbox account, but the files are stored on the device. Additionally, you can send a link to a file or folder. To do so, right-click on the object you wish to share and then click Share Link.

At the resulting screen, you’ll see a link. Click Copy to copy the link into your clipboard so you can paste it into an email.

You may also want other users to be able to log into your WD MyCloud. To allow them to do so, open Settings and click on Add User. Then provide the email address for the user and click on Send Invites.

Finally, you can also mount  the drive directly to computers. To do so, click on “Connect to Server” (or Command-K) from the Finder.

At the Connect to Server screen, enter the address of the server and click Connect. If you don’t know the address and you’re on the local network of the device. Additionally, if you have the menu item installed, you’ll see the device in the sidebar of your Mac. 

It’s worth noting that with the exception of the ability to share a link to a file or folder, the permissions on the device are pretty much wide open, as you can see below. Additionally, any files you bring into the device will end up with the same wide open permissions. And while you can change permissions on files, they’ll revert back. So if you will need more granular capabilities with file permissions, this might not be the device for you. This device is a very inexpensive way to do very small workgroups or home file sharing, but beyond that it could be too basic for a lot of business use cases. What I like about it though, is that it doesn’t pretend to be anything but what it is. And it does that very well, in a very easy-to-use way.

Now the MyCloud NAS comes with removable drives and a more robust interface. It’s still easy to use, but you can configure RAID levels, basic iSCSI functionality, and users. I still wouldn’t put this in front of large workgroups, but to replace a macOS Server for a small business, or as a basic NAS head, it’s a solid, easy-to-manage device.

March 19th, 2018

Posted In: Mac OS X, Mac OS X Server, Network Infrastructure

Tags: , , , ,

macOS might be the easiest platform to install MySQL on. To do so, simply download the MySQL installation package from the MySQL Download site. I like to use the third link (the DMG).

Screen Shot 2016-02-13 at 10.26.11 PM

Once downloaded, run the package. The package will ask you a few questions and you can easily just select the default choice during the installation process.

Screen Shot 2016-02-13 at 10.26.04 PM

Once installed, you’ll be prompted that a temporary password has been used for your MySQL instance.
Screen Shot 2016-02-13 at 10.26.52 PM

The password will get you in the first time, so you can change it. Once you have documented the password, open System Preferences and click on MySQL in the bottom row of System Preference Panes.


Screen Shot 2016-02-13 at 10.27.34 PM

Click Start MySQL Server and then when prompted, authenticate to the system. If you’d like to do this programmatically and don’t need the System Preference pane, you can do so with homebrew. If you have homebrew installed, simply run the brew command with the install verb and mysql as the package:

brew install mysql

Whichever way you install SQL, once installed, you’ll want to set the root password to something other than the intuitionally difficult to remember password provided at install time. To do so, first connect to the mysql instance now running on your computer. As the tools are installed in /usr/local/mysql/bin, run the following:

/usr/local/mysql/bin/mysql -u root

Then, set the password using the ALTER statement along with the USER option and then the username followed by IDENTIFIED BY and ultimately the password, as follows:

ALTER USER 'root'@'localhost' IDENTIFIED BY
'mysupersecretpassword';


Once done, you’ll then be able to connect to mysql normally.

March 18th, 2018

Posted In: Mac OS X, Mac OS X Server

Tags: ,

Export macOS Server Data
We’re not going to import this, as it only takes a few seconds to configure new settings. Additionally, if you have outstanding services built on macOS Server, you might be able to pull this off without touching client systems. First, let’s grab  which protocols are enabled, running the following from Terminal:

sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:enabled

sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:enabled

Next, we’ll get the the IP ranges used so we can mimic those (or change them) in the new service:

sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges

Now let’s grab the DNS servers handed out so those can be recreated:

sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:_array_index
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index

Finally, if you’re using L2TP, let’s grab the shared secret:

sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue

Once we have all of this information, we can configure the new server using the same settings. At this point, you can decide whether you want to dismantle the old server and setup a new one on the same IP address, or whether you’d rather just change your port forwards on your router/firewall.

Ports

Before we configure any VPN services, let’s talk about ports. The following ports need to be opened per The Official iVPN Help Docs (these are likely already open if you’re using a macOS Server to provide VPN services):
  • PPTP: TCP port 1723
  • L2TP: UDP ports 1701, 4500 and 500
  • Enable VPN pass-through on the firewall of the server and client if needed

openvpn
There are a number of ways to get a VPN Server installed on macOS. One would be to install openvpn:

sudo port -v install openvpn2

OpenVPN has a lot of sweet options, which you can read about at openvpn.net.

SoftEther
One of the other tools Apple mentioned is SoftEther. I decided not to cover it here because it uses Wine. And I’m not a fan of Wine. 

Or Use iVPN

That will require some work to get dependencies and some working with files and network settings. Another option would be to install iVPN from here, on the Mac App Store. You can install it manually as well, and if you do, you’ll need to pay separately through PayPal, which is what we’ll cover here.

Once installed, if you purchased the license separately, use the Enter Manually button to provide it.

At the Registration screen, make sure the name, email, and serial are entered exactly as you see them in the email you received.

At the Thank You screen, click OK.

At the EULA screen, click Accept assuming you accept the license agreement.

Configure iVPN
At the main screen, you’ll have a few options, which we’ll unpack here:
  • Use Directory Server: Allows you to use an LDAP or Active Directory connection to provide username and passwords to the service.
  • Use custom accounts: Allows you to manually enter accounts to provide username and passwords for clients to connect to the 
  • Shared Secret: The secret, or a second factor used with L2TP connection.
  • Allow 40-bit encryption keys: Allows clients to use lower levels of encryption. Let’s not do this.
  • IP Address Range: The beginning and ending IP that will be manually handed out to client computers. When configuring the range, take care not to enter a range of addresses in use by any other DHCP services on your network or you will end up with conflicts.
  • Basic DNS: Allows you to configure a primary and second DNS server to send to clients via DHCP when they connect to the VPN interface.
  • Advanced DNS: Allows you to configure DNS servers as well as Search Domains.
  • Configure Static Routes: Allows you to specify the interface and netmask used to access a given IP.
  • Export Configuration Profile: Exports a configuration profile. When imported into a Mac or iOS device, that profile automatically configures the connection to the PPTP or L2TP service you’ve setup.
  • VPN Host Name: Used for the configuration profile so a client system can easily find the server w

If you configure Directory Authentication, you’ll get prompted that it might be buggy. Click OK here.

The Directory Authentication screen allows you to choose which directory services to make available to PPTP or L2TP. If the system hasn’t been authenticated to a directory server, do so using the Users & Groups” System Preference pane.

Once you’ve chosen your directory service configuration, if you require a third DNS server, click on Advanced DNS and then enter it, or any necessary search-domains. Click Done when you’re finished.

Click the log button in the upper left-hand side to see the logs for the service. This is super-helpful when you start troubleshooting client connections or if the daemon stops for no good reason (other than the fact that you’re still running a VPN service on macOS Server and so the socket can’t bind to the appropriate network port).

Finally, you can also create a static route. Static routing provides a manually-configured routing entry, rather than information from a dynamic routing traffic, which means you can fix issues where a client can’t access a given IP because it’s using an incorrect network interface to access an IP.

Once everything is configure, let’s enter the publicly accessible IP address or DNS name of the server. Client computers that install the profile will then have their connection to the server automatically configured and will be able to test the connection.

Configure Clients
If you configured the new server exactly as the old one and just forwarded ports to the new host, you might not have to do anything, assuming you’re using the same username and password store (like a directory service) on the back-end. If you didn’t, you can setup new interfaces with a profile. If you pushed out an old profile to configure those, I’d recommend removing it first if any settings need to change. To configure clients, we’ll install the new profile. When you open the profile on a client system (just double-click it to open it), you’ll see the Install dialog box. Here, click on Continue. 

Because the profile isn’t signed, you’ll then get prompted again (note: you can sign the profile using another tool, like an MDM or Apple Configurator). Click Continue.

Then enter the username that will be used to connect to the VPN and click the Install button.

The Profile can then be viewed and manually removed if needed. 

Click on the new iVPN entry in the Network System Preference pane. Here, you can enable 

Now that it’s easy, let’s click the VPN icon in the menu bar and then click on Connect iVPN to test the connection.

Once clients can connect, you can use the iVPN icon in the menu bar to monitor the status of clients.

March 14th, 2018

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , , , ,

« Previous PageNext Page »