krypted.com

Tiny Deathstars of Foulness

By default, OS X now updates apps that are distributed through the Mac App Store (MAS). Server running on macOS Sierra is really just the Server app, sitting on the App Store, installed on a standard Mac. If the Server app is upgraded automatically, you will potentially experience some adverse side effects, especially if the app is running on a Metadata Controller for Xsan, runs Open Directory, or a major release of the Server app ships. Additionally, if you are prompted to install a beta version on a production system, you could end up with issues. Therefore, in this article we’re going to disable these otherwise sweet features of OS X.

To get started, first open the System Preferences. From there, click on the App Store System Preference pane.

From the App Store System Preference pane, uncheck the following boxes:

  • Automatically Check For Updates: Unchecking this box disables the download in the background option and the installation of app updates.
  • Automatically Download Apps Purchased on Other Macs: If you buy an upgrade, you could accidentally install that upgrade on production servers you don’t intend to install the upgrade on.

Once disabled, you’ll need to keep on top of updates in the App Store manually. My recommendation is still to create an image of your server before each update.

If you see the field, click Change for “Your computer is set to receive beta software updates” and then click

You can also set these from the command line. To disable automatic app store updates:

defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool FALSE

To disable automatic macOS updates:

defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool FALSE

And to disable automatic Software Update update checks:

defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool FALSE

Overall, be careful with automatic updates. I like leaving checking enabled so when I sit down at the console of a server I get prompted to update; however, I don’t want servers updating and restarting unless I tell them to, after I’ve performed a comprehensive regression test on the updates.
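
To confirm on a given server which of the three keys above are explicitly disabled, here is an added example (not part of the original post). The function names are hypothetical; the plist paths and key names are the ones used in the commands above.

```shell
#!/bin/sh
# Added example: audit the three automatic-update keys set earlier in this post.
# Function names are hypothetical; paths and keys come from the post.

# read_pref DOMAIN KEY -> prints the raw value, or "unset" if the key is absent
read_pref() {
    defaults read "$1" "$2" 2>/dev/null || echo "unset"
}

# pref_state DOMAIN KEY -> "disabled" only when the key is explicitly false
pref_state() {
    case "$(read_pref "$1" "$2")" in
        0|false|FALSE|NO) echo "disabled" ;;
        1|true|TRUE|YES)  echo "enabled" ;;
        *)                echo "unset" ;;
    esac
}

# audit_update_prefs -> one line per key; return status = keys not disabled
audit_update_prefs() {
    pending=0
    while read -r domain key; do
        state=$(pref_state "$domain" "$key")
        printf '%-10s %s %s\n' "$state" "$domain" "$key"
        [ "$state" = "disabled" ] || pending=$((pending + 1))
    done <<EOF
/Library/Preferences/com.apple.commerce AutoUpdate
/Library/Preferences/com.apple.commerce AutoUpdateRestartRequired
/Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled
EOF
    return "$pending"
}

audit_update_prefs || echo "some automatic-update keys are not explicitly disabled"
```

A key reported as unset was never written, so the system default applies rather than the value set in this article.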

September 29th, 2016

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Installing OS X has never been easier than it got in Yosemite, when the installers were moved to the App Store. And since then it’s just gotten easier, and easier. In this article, we’ll upgrade a Mac from OS X 10.11 (El Capitan) to macOS Sierra (10.12), the latest and greatest. The first thing you should do is clone your system (especially if you’re upgrading a server). The second thing you should do is make sure you have a good backup. The third thing you should do is make sure you can swap back to the clone should you need to do so and that your data will remain functional on the backup. The fourth thing you should do is test that clone again…

Once you’re sure that you have a fallback plan, let’s get started by downloading “Install macOS Sierra” from the App Store. Once downloaded, you’ll see Install macOS Sierra sitting in LaunchPad, as well as in the /Applications folder.

Open the app and click Continue (provided of course that you are ready to restart the computer and install Sierra).

At the licensing agreement, click Agree (or don’t and there will be no Sierra for you).

At the pop-up click Agree again, unless you’ve changed your mind about the license agreement in the past couple of seconds (I’m sure it happens).

At the Install screen, click Install and the computer will reboot.

And you’re done. Now for the fun stuff!

September 28th, 2016

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Ever wonder why repetitive pings fail after a little while in OS X (e.g. those sent via the -f flag)? By default, OS X has an ICMP rate limit of 250 set. You can increase this limit or disable it using sysctl. To disable it, set the value of net.inet.icmp.icmplim to 0:

sudo sysctl -w net.inet.icmp.icmplim=0

Happy icmp flooding!

September 20th, 2016

Posted In: Mac OS X, Mac Security

Push Notifications can be used in most every service that macOS Server 5.2 (for Sierra) can run. Any service that requires Push Notifications will often provide the ability to set up APNS during the configuration of the service. But at this point, I usually just set up Push Notifications when I set up a new server.

To enable Push Notifications for services, you’ll first need to have a valid AppleID. Once you have an AppleID, open the Server app and then click on the name of the server. Then click on the Settings screen and click on the checkbox for Notifications.

At the Settings screen for your server, click on the check-box for Apple Push Notifications (APN). Next, click on another screen and then click back to get the Edit Apple ID… button to appear. Click on Edit Apple ID…

At the Apple Push Notification Services certificate screen, enter an AppleID if you have not yet configured APNS and click on OK. The Apple Push Notification Service certificate will then be configured.

As you’ll see, if you’re editing a certificate, you’ll break any systems or services that use that certificate. For example, you would have to re-enroll all of your Profile Manager systems.

Then provide the AppleID and Password you’d like to use to generate the certificate.

The certificate is valid for one year, by default. Administrators receive an alert when the certificate is due to expire. To renew, open the same screen and click on the Renew button. Once you have generated a certificate, you’ll then be able to see the certificate in the Apple certificates portal.

September 18th, 2016

Posted In: Mac OS X Server, Mac Security

SSH allows administrators to connect to another computer using a secure shell, or command line environment. ARD (Apple Remote Desktop) allows screen sharing, remote scripts and other administrative goodness. You can also connect to a server using the Server app running on a client computer. To enable any or all of these, open the Server app (Server 5.2 for Sierra), click on the name of the server, click the Settings tab and then click on the checkbox for what you’d like to enable.

All of these can be enabled and managed from the command line as well. The traditional way to enable Apple Remote Desktop is using the kickstart command. But there’s a simpler way in macOS Server 5.2 on Sierra. To do so, use the serveradmin command. To enable ARD using the serveradmin command, use the settings option, with info:enableARD to set the payload to yes:

sudo serveradmin settings info:enableARD = yes

Once run, open System Preferences and click on Sharing. The Remote Management box is then checked and the local administrative user has access to ARD into the host.

There are also a few other commands that can be used to control settings. To enable SSH for administrators:

sudo serveradmin settings info:enableSSH = yes

When you enable SSH from the serveradmin command you will not see any additional checkboxes in the Sharing System Preferences; however, you will see the box checked in the Server app. To enable SNMP:

sudo serveradmin settings info:enableSNMP = yes

Once SNMP is enabled, use the /usr/bin/snmpconf interactive command line environment to configure SNMP so you can manage traps and other objects necessary.

Note: You can’t have snmpd running while you configure SNMPv3. Once SNMPv3 is configured snmpd can be run. 

To allow other computers to use the Server app to connect to the server, use the info:enableRemoteAdministration key from serveradmin:

sudo serveradmin settings info:enableRemoteAdministration = yes

To enable the dedication of resources to Server apps (aka Server Performance Mode):

sudo serveradmin settings info:enableServerPerformanceMode = yes
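
Each of the switches above opens a remote management path into the server, so it is worth reviewing which ones are on. The following is an added example, not part of the original post. It assumes serveradmin prints settings as "info:key = value" lines, mirroring the syntax used above to set them; the function name and the sample output are constructed.

```shell
#!/bin/sh
# Added example: list which remote-access switches from this post are on.
# Assumes serveradmin prints settings as "info:key = value" lines, mirroring
# the syntax used above to set them.

# remote_access_enabled (hypothetical name): reads settings lines on stdin and
# prints each watched key whose value is yes (quoted values are tolerated).
remote_access_enabled() {
    awk -F ' = ' '
        BEGIN {
            n = split("enableARD enableSSH enableSNMP enableRemoteAdministration", k, " ")
            for (i = 1; i <= n; i++) watch["info:" k[i]] = 1
        }
        ($1 in watch) {
            v = $2
            gsub(/"/, "", v)
            if (v == "yes") print substr($1, 6)
        }
    '
}

# Constructed sample output, used when serveradmin is not installed.
SAMPLE_SETTINGS='info:enableARD = no
info:enableSSH = yes
info:enableSNMP = yes
info:enableRemoteAdministration = no
info:enableServerPerformanceMode = yes'

if command -v serveradmin >/dev/null 2>&1; then
    sudo serveradmin settings info | remote_access_enabled
else
    printf '%s\n' "$SAMPLE_SETTINGS" | remote_access_enabled
fi
```

Server Performance Mode is deliberately not in the watched list, since it dedicates resources rather than opening a remote access path.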

September 16th, 2016

Posted In: Mac OS X Server, Mac Security

Yosemite brought Xsan 4, which included a whole new way to add clients to an Xsan. Xsan Admin is gone, as of El Capitan, but unchanged from then to macOS Sierra (other than a couple of binaries moving around). These days, instead of scanning the network using Xsan Admin, we’ll be adding clients using a Configuration Profile. This is actually a much more similar process to adding Xsan clients to a StorNext environment than it is to adding clients to Metadata Controllers running Xsan 3 and below. But instead of making a fsnameservers file, we’re plugging that information into a profile, which will do that work on the client on our behalf. To make the Xsan configuration profile, we’re going to use Profile Manager. With OS X Server 5 and 5.2, this trend continues.

To get started, open the Profile Manager web interface and click on a device or device group (note, these are scoped to systems so cannot be used with users and user groups). Then click on the Settings tab for the object you’re configuring Xsan for.

Click Edit for the profile listed (Settings for <objectname>) and scroll down until you see the entry for Xsan.

From the Xsan screen, click Configure.

This next screen should look a little similar, in terms of the information you’ve plugged into the Xsan 4 setup screen. Simply enter the name of the Xsan in the Xsan Name field, the IP address or host names of your metadata controllers in the File System Name Servers field and the Authentication Secret from the Xsan screen in the Server app into the Authentication Secret field. Click OK to close the dialog.

Click Save to save your changes. Then you’ll see the Download button become clickable.

The profile will download to your ~/Downloads directory as Settings_for_<OBJECTNAME>.mobileconfig. So this was called test and will result in a name of Settings_for_test.mobileconfig. That profile will automatically attempt to install. If this is an MDC where you’re just using Profile Manager to bake a quick profile, or if you don’t actually want to install the profile yet, click Cancel.

If you haven’t worked with profiles that much, note that when you click Show Profile, it will show you what is in the profile and what the profile can do.

Simply open this file on each client (once you test it of course) and once installed, they’ll automatically configure to join your Xsan. If you don’t have a Profile Manager server, you can customize this file for your environment (YMMV): Settings_for_test.mobileconfig

September 14th, 2016

Posted In: Mac OS X Server, Mac Security, Xsan

In case you’re using DEP and haven’t noticed this, you need to accept the latest terms of service in the Apple license agreement for DEP if you’re going to continue using the service. I don’t usually post emails I get from Apple, but I can easily see orgs using accounts that don’t have email flowing to anyone that is capable of responding, so I strongly recommend you go in and accept the latest and greatest agreements so your stuff doesn’t break!

Here’s the email I got from Apple:

Apple Deployment Programs

Thank you for participating in the Device Enrollment Program. On September 13 Apple will release updated software license agreements. Your Program Agent must go to the deployment website and accept the following agreements to continue to use the program:

  • iOS 10 Software License Agreement
  • Software License Agreement for macOS Sierra

For more information please see this support article: https://support.apple.com/kb/HT203063.

Note: If you’re using Casper, then the errors you’ll see will be something along the lines of:

Unable to Contact https://mdmenrollment.apple.com

September 12th, 2016

Posted In: iPhone, JAMF, Mac OS X, Mac OS X Server, Mac Security, MacAdmins Podcast

September 10th, 2016

Posted In: Articles and Books, iPhone, Mac OS X, Mac OS X Server, Mac Security, MacAdmins Podcast

When speaking to a group of people, I once created a folder called Old and then moved all my files in there. However, you can create a temporary desktop that shows as clean and empty. To do so, write the CreateDesktop key in the com.apple.finder defaults domain, with a setting of false, as follows:

defaults write com.apple.finder CreateDesktop -bool false

Then restart the Finder and it will show crisp and new:

killall Finder

Then once you’re done, delete the temporary desktop, by deleting the key, as follows:

defaults delete com.apple.finder CreateDesktop

Then restart the Finder to see your files again:

killall Finder

September 6th, 2016

Posted In: Mac OS X, Mac Security

You can disable the Connect to Server menu in OS X. This can be done via MDM or using defaults. To do so with the defaults command, set the ProhibitConnectTo key in com.apple.finder to true and then restart the Finder, as follows:

defaults write com.apple.finder ProhibitConnectTo -bool true ; killall Finder

To undo:

defaults write com.apple.finder ProhibitConnectTo -bool false

September 4th, 2016

Posted In: Mac OS X, Mac Security
