By default, OS X now updates apps that are distributed through the Mac App Store (MAS). Server running on macOS Sierra is really just the Server app, sitting on the App Store, installed on a standard Mac. If the Server app is upgraded automatically, you will potentially experience some adverse side effects, especially if the app is running on a Metadata Controller for Xsan, runs Open Directory, or a major release of the Server app ships. Additionally, if you are prompted to install a beta version on a production system, you could end up with issues. Therefore, in this article we’re going to disable these otherwise sweet features of OS X.
To get started, first open the System Preferences. From there, click on the App Store System Preference pane.
From the App Store System Preference pane, uncheck the following boxes:
Once disabled, you’ll need to keep on top of updates in the App Store manually. My recommendation is still to create an image of your server before each update.
If you see the field, click Change for “Your computer is set to receive beta software updates” and then click
You can also set these from the command line. To disable automatic App Store updates:
sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool FALSE
To disable automatic macOS updates:
sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool FALSE
And to disable automatic Software Update checks:
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool FALSE
Overall, be careful with automatic updates. I like leaving checking enabled so when I sit down at the console of a server I get prompted to update; however, I don’t want servers updating and restarting unless I tell them to, after I’ve performed a comprehensive regression test on the updates.
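To confirm the result on a server, the following added example (not part of the original article) reads back the three keys set above and fails if either auto-install key is not explicitly off. The function names are hypothetical, and an unset key is treated as falling back to the system default described at the top of this article.

```shell
#!/bin/sh
# Added example: read back the update keys set in this article.
# Plist paths and key names are the ones used above; the function
# names pref_state and audit_update_prefs are hypothetical.

COMMERCE=/Library/Preferences/com.apple.commerce
SWUPDATE=/Library/Preferences/com.apple.SoftwareUpdate

# Map a `defaults read` result to on / off / unset.
pref_state() {  # $1 = plist path, $2 = key
    val=$(defaults read "$1" "$2" 2>/dev/null) || { echo unset; return 0; }
    case "$val" in
        1|true|TRUE|YES)  echo on ;;
        0|false|FALSE|NO) echo off ;;
        *)                echo "unknown:$val" ;;
    esac
}

# Print each key's state. Returns 1 unless both auto-install keys are
# explicitly off (an unset key falls back to the system default).
audit_update_prefs() {
    rc=0
    for key in AutoUpdate AutoUpdateRestartRequired; do
        state=$(pref_state "$COMMERCE" "$key")
        echo "$key: $state"
        [ "$state" = off ] || rc=1
    done
    # Reported only: whether to keep update checking on is a preference.
    echo "AutomaticCheckEnabled: $(pref_state "$SWUPDATE" AutomaticCheckEnabled)"
    return "$rc"
}

# Run the audit only where the defaults tool exists (macOS).
if command -v defaults >/dev/null 2>&1; then
    audit_update_prefs || echo "automatic installs are not fully disabled"
fi
```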
krypted September 29th, 2016
Installing OS X has never been easier than it got in Yosemite, when the installers were moved to the App Store. And since then it’s just gotten easier, and easier. In this article, we’ll upgrade a Mac from OS X 10.11 (El Capitan) to macOS Sierra (10.12), the latest and greatest. The first thing you should do is clone your system (especially if you’re upgrading a server). The second thing you should do is make sure you have a good backup. The third thing you should do is make sure you can swap back to the clone should you need to do so and that your data will remain functional on the backup. The fourth thing you should do is test that clone again…
Once you’re sure that you have a fallback plan, let’s get started by downloading “Install macOS Sierra” from the App Store. Once downloaded, you’ll see Install macOS Sierra sitting in LaunchPad, as well as in the /Applications folder.
Open the app and click Continue (provided of course that you are ready to restart the computer and install Sierra).
At the licensing agreement, click Agree (or don’t and there will be no Sierra for you).
At the pop-up click Agree again, unless you’ve changed your mind about the license agreement in the past couple of seconds (I’m sure it happens).
At the Install screen, click Install and the computer will reboot.
And you’re done. Now for the fun stuff!
krypted September 28th, 2016
Ever wonder why repetitive pings fail after a little while in OS X (e.g. those sent via the -f flag)? By default, OS X has an ICMP rate limit of 250 set. You can increase this or disable it using sysctl. To disable, set the value of net.inet.icmp.icmplim to 0:
sudo sysctl -w net.inet.icmp.icmplim=0
Happy icmp flooding!
krypted September 20th, 2016
Push Notifications can be used in most every service that macOS Server 5.2 (for Sierra) can run. Any service that requires Push Notifications will often provide the ability to set up APNS during the configuration of the service. But at this point, I usually just set up Push Notifications when I set up a new server.
To enable Push Notifications for services, you’ll first need to have a valid AppleID. Once you have an AppleID, open the Server app and then click on the name of the server. Then click on the Settings screen and click on the checkbox for Notifications.
At the Settings screen for your server, click on the check-box for Apple Push Notifications (APN). Next, click on another screen and then click back to get the Edit Apple ID… button to appear. Click on Edit Apple ID…
At the Apple Push Notification Services certificate screen, enter an AppleID if you have not yet configured APNS and click on OK. The Apple Push Notification Service certificate will then be configured.
As you’ll see, if you’re editing a certificate, you’ll break any systems or services that use that certificate. For example, you would have to re-enroll all of your Profile Manager systems.
Then provide the AppleID and Password you’d like to use to generate the certificate.
The certificate is valid for one year, by default. Administrators receive an alert when the certificate is due to expire. To renew, open the same screen and click on the Renew button. Once you have generated a certificate, you’ll then be able to see the certificate in the Apple certificates portal.
krypted September 18th, 2016
SSH allows administrators to connect to another computer using a secure shell, or command line environment. ARD (Apple Remote Desktop) allows screen sharing, remote scripts and other administrative goodness. You can also connect to a server using the Server app running on a client computer. To enable any or all of these, open the Server app (Server 5.2 for Sierra), click on the name of the server, click the Settings tab and then click on the checkbox for what you’d like to enable.
All of these can be enabled and managed from the command line as well. The traditional way to enable Apple Remote Desktop is using the kickstart command. But there’s a simpler way in macOS Server 5.2 on Sierra: the serveradmin command. To enable ARD, use the settings option and set info:enableARD to yes:
sudo serveradmin settings info:enableARD = yes
Once run, open System Preferences and click on Sharing. The Remote Management box is then checked and the local administrative user has access to ARD into the host.
There are also a few other commands that can be used to control settings. To enable SSH for administrators:
sudo serveradmin settings info:enableSSH = yes
When you enable SSH from the serveradmin command you will not see any additional checkboxes in the Sharing System Preferences; however, you will see the box checked in the Server app. To enable SNMP:
sudo serveradmin settings info:enableSNMP = yes
Once SNMP is enabled, use the /usr/bin/snmpconf interactive command line environment to configure SNMP so you can manage traps and other objects necessary.
Note: You can’t have snmpd running while you configure SNMPv3. Once SNMPv3 is configured snmpd can be run.
To allow other computers to use the Server app to connect to the server, use the info:enableRemoteAdministration key from serveradmin:
sudo serveradmin settings info:enableRemoteAdministration = yes
To enable the dedication of resources to Server apps (aka Server Performance Mode):
sudo serveradmin settings info:enableServerPerformanceMode = yes
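Since several of these switches open a remote management path, it is worth checking which ones are actually on. The following added example (not from the original article; function names are hypothetical) lists enabled remote-access keys that are not on an approved list. It assumes the read-back output uses the same info:<key> = <value> form as the commands above, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: flag remote-access settings that are enabled but not approved.
# Assumes settings lines look like "info:<key> = <value>", the form used in
# the commands above. Function names are hypothetical.

# Constructed sample input, not captured from a real server.
sample_settings() {
    cat <<'EOF'
info:enableARD = yes
info:enableSSH = yes
info:enableSNMP = yes
info:enableRemoteAdministration = no
info:enableServerPerformanceMode = yes
EOF
}

# $1 = space-separated approved keys; settings lines on stdin.
# Prints the enabled remote-access keys that are not approved.
unexpected_remote_access() {
    approved=" $1 "
    found=""
    while IFS= read -r line; do
        case "$line" in
            info:*" = "*) ;;
            *) continue ;;
        esac
        key=${line#info:}
        key=${key%% *}
        val=${line##*= }
        case "$key" in
            enableARD|enableSSH|enableSNMP|enableRemoteAdministration) ;;
            *) continue ;;   # not a remote-access switch
        esac
        [ "$val" = yes ] || continue
        case "$approved" in
            *" $key "*) ;;
            *) found="$found $key" ;;
        esac
    done
    echo "${found# }"
}

# Policy for this run: only SSH is approved.
sample_settings | unexpected_remote_access "enableSSH"
```

On a server, pipe the output of sudo serveradmin settings info into the function in place of the sample.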
krypted September 16th, 2016
Yosemite brought Xsan 4, which included a whole new way to add clients to an Xsan. Xsan Admin is gone, as of El Capitan, but unchanged from then to macOS Sierra (other than a couple of binaries moving around). These days, instead of scanning the network using Xsan Admin, we’ll be adding clients using a Configuration Profile. This is actually a much more similar process to adding Xsan clients to a StorNext environment than it is to adding clients to Metadata Controllers running Xsan 3 and below. But instead of making a fsnameservers file, we’re plugging that information into a profile, which will do that work on the client on our behalf. To make the Xsan configuration profile, we’re going to use Profile Manager. With OS X Server 5 and 5.2, this trend continues.
To get started, open the Profile Manager web interface and click on a device or device group (note, these are scoped to systems so cannot be used with users and user groups). Then click on the Settings tab for the object you’re configuring Xsan for.
Click Edit for the profile listed (Settings for <objectname>) and scroll down until you see the entry for Xsan.
From the Xsan screen, click Configure.
This next screen should look a little similar, in terms of the information you’ve plugged into the Xsan 4 setup screen. Simply enter the name of the Xsan in the Xsan Name field, the IP address or host names of your metadata controllers in the File System Name Servers field and the Authentication Secret from the Xsan screen in the Server app into the Authentication Secret field. Click OK to close the dialog.
Click Save to save your changes. Then you’ll see the Download button become clickable.
The profile will download to your ~/Downloads directory as Settings_for_<OBJECTNAME>.mobileconfig. So this was called test and will result in a name of Settings_for_test.mobileconfig. That profile will automatically attempt to install. If this is an MDC where you’re just using Profile Manager to bake a quick profile, or if you don’t actually want to install the profile yet, click Cancel.
If you haven’t worked with profiles that much, note that when you click Show Profile, it will show you what is in the profile and what the profile can do.
Simply open this file on each client (once you test it of course) and once installed, they’ll automatically configure to join your Xsan. If you don’t have a Profile Manager server, you can customize this file for your environment (YMMV): Settings_for_test.mobileconfig
krypted September 14th, 2016
In case you’re using DEP and haven’t noticed this, you need to accept the latest terms of service in the Apple license agreement for DEP if you’re going to continue using the service. I don’t usually post emails I get from Apple, but I can easily see orgs using accounts that don’t have email flowing to anyone that is capable of responding, so I strongly recommend you go in and accept the latest and greatest agreements so your stuff doesn’t break!
Here’s the email I got from Apple:
Apple Deployment Programs
Thank you for participating in the Device Enrollment Program. On September 13 Apple will release updated software license agreements. Your Program Agent must go to the deployment website and accept the following agreements to continue to use the program:
- iOS 10 Software License Agreement
- Software License Agreement for macOS Sierra
For more information please see this support article: https://support.apple.com/kb/HT203063.
Note: If you’re using Casper, then the errors you’ll see will be something along the lines of:
Unable to Contact https://mdmenrollment.apple.com
krypted September 12th, 2016
krypted September 10th, 2016
When speaking to a group of people, I once created a folder called Old and then moved all my files in there. However, you can create a temporary desktop that shows as clean and empty. To do so, write the CreateDesktop key in the com.apple.finder defaults domain, with a setting of false, as follows:
defaults write com.apple.finder CreateDesktop -bool false
Then restart the Finder and it will show crisp and new:
Then once you’re done, delete the temporary desktop, by deleting the key, as follows:
defaults delete com.apple.finder CreateDesktop
Then restart the Finder to see your files again:
krypted September 6th, 2016
You can disable the Connect to Server menu in OS X. This can be done via MDM or using defaults. To do so with the defaults command, write a ProhibitConnectTo key into com.apple.finder as true and then restart the Finder, as follows:
defaults write com.apple.finder ProhibitConnectTo -bool true ; killall Finder
To bring the menu back, set the key to false:
defaults write com.apple.finder ProhibitConnectTo -bool false
krypted September 4th, 2016