Category Archives: Mac Security

Mac OS X Mac OS X Server Mac Security Mass Deployment

Take Control Of OS X Server (Yosemite) Now Available

I’ve been light on posting here, mostly because I’ve been swamped with work, selling my old house, buying a new house, doing some crazy taxes, wrapping production on a new book and updating the Take Control of OS X Server book to Yosemite Server. Well, earlier this week I sold my house, got the next version of Bushel ready to rock and filed my taxes. Aaaaannnnnndddddd, the Yosemite version of Take Control Of OS X Server is now available at http://tid.bl.it/1xuCJUC.

Screen Shot 2015-02-05 at 2.24.54 PM

Boom. Will get back to my normally scheduled postings shortly!

Mac OS X Mac OS X Server Mac Security Mass Deployment Ubuntu Unix WordPress

Install Pow for Rails Testing On OS X

Pow is a Rack server for OS X. It’s quick and easy to use and lets you skip that whole update an Apache file, then edit /etc/hosts, ethane move a file, then run an app type of process. To get started with Pow, curl it down and pipe it to a shell, then provide the password when prompted to do so:

odr:~ charlesedge$ curl get.pow.cx | sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 9039 100 9039 0 0 10995 0 --:--:-- --:--:-- --:--:-- 10996
*** Installing Pow 0.5.0...
*** Installing local configuration files...
/Users/charlesedge/Library/LaunchAgents/cx.pow.powd.plist
*** Installing system configuration files as root...
Password:
/Library/LaunchDaemons/cx.pow.firewall.plist
/etc/resolver/dev
*** Starting the Pow server...
*** Performing self-test...
*** Installed

For troubleshooting instructions, please see the Pow wiki:

https://github.com/basecamp/pow/wiki/Troubleshooting

To uninstall Pow, `curl get.pow.cx/uninstall.sh | sh`

To install an app into Pow, create a symlink to it using ln (assuming ~/.pow is your current working directory):

ln -s /path/to/myapp

Then just open the url, assuming my app is kryptedapp.com:

open http://kryptedapp.com

Pow can also use ~/Library/LaunchAgents/cx.pow.powd.plist to port proxy. This allows you to redirect different apps to different ports. When pow boots, it runs .powconfig, so there’s a lot you can do there, like export, etc. Once you’re done testing out pow, if you don’t decide it’s awesome, remove it with the following command:

curl get.pow.cx/uninstall.sh | sh

Kerio Mac OS X Mac OS X Server Mac Security Mass Deployment

Modern Mac Synchronization with ChronoSync

ChronoSync is one of those tools that’s been in the Mac community for a long time (rightfully so). It’s been a little while since I got the chance to really tinker around with ChronoSync so I thought I’d do a little article on what I got to find during my tinkerations. To get started with ChronoSync, go to their website at http://www.econtechnologies.com/chronosync/overview.html. Next, we’re going to walk through the most basic of setups (and you can get all kinds of complicated from there if you’d like!).

Once you’ve downloaded, ChronoSync, run the installer from the disk image that was downloaded.

Screen Shot 2015-01-31 at 11.50.13 AM

Then walk through the installer, basically following the defaults (unless you’d like to install to a volume other than your boot volume).

Screen Shot 2015-01-31 at 11.50.15 AM

Once the installer is finished, open the app and register the product.

Screen Shot 2015-01-31 at 11.53.16 AM

Once registered, you’ll see a nice screen giving you a few options. We’re going to create a single plan (synchronizer document) to backup a single source to a single target. To do so, click on the option to “Create a new synchronizer document”.

Screen Shot 2015-01-31 at 11.53.55 AM

At the Setup screen, you have a right and left column. When I used to do a lot of manual migrations, I would always always  always line up my source on the left and my target on the right (or invariably you risk data loss by copying in the wrong direction), so the workflow in ChronoSync has always made sense to me. Because a lot of the data I use needs root access, I’m going to select “Local Volumes (Admin access)” in the “Connect to” field and then use the Choose button to select my actual source. Repeat that process in the Right Target section of the screen.

Screen Shot 2015-01-31 at 11.54.10 AM

The default action that will be performed is to backup from the left to the right targets (the term target referring to the folder, not that it’s a source or target in the backup operation). Click into the Operation field to bring up a list of the options that can be performed between your left and right targets.

Screen Shot 2015-01-31 at 12.10.07 PM

The option I’m selecting is “Synchronize Bidirectional” as this is an article about syncing data. The other options are pretty well defined in the manual, but it’s worth mentioning that the Bootable Mirror options are especially useful. Once you’ve set the type of sync, you can also use the Options menu to define some pretty granular settings for your sync. For the purposes of this sync, which brings over server shares, I’m going to leave Conflict resolution set to Ask User and use the custom option under the Special File/Folder Handling section to enable the “Verify copied data” option and “Preserve Comments” option. Note that if you’re doing this on servers and would like to stop a service (such as postgres) before a sync and start it after, you can use the scripts section of this screen. You can also configure notifications, sending emails when syncs have errors, or every time there’s a sync.

Screen Shot 2015-01-31 at 12.17.43 PM

Click Rules to build inclusion/exclusion rules (for example, I don’t often sync things like operating system and software installers since I can just go download them again, pretty easily). Click Archive in the sidebar if you’d like to remove files based on a trigger (e.g. if it’s been removed from the source, archive it, etc).

Next, you can simply click Synchronize to run an immediate sync of the files and folders you’ve defined in your Sync Document. Or, you can click Add to Schedule to define when you’d like to run your Synchronization Documents.

There, less than 5 minutes and we’ve got a pretty advanced sync going. Use the Log button to see how everything went. And remember, always verify that the archives and backups are running on a good schedule. For example, I like to have at least a weekly cadence to make sure that media one each side of a sync can still open. It helps me sleep better.

Articles and Books Mac OS X Mac OS X Server Mac Security Mass Deployment Network Printing public speaking

MacIT Is Coming Back In July

MacWorld is kinda’ dead. Long live MacWorld (I cry nightly over this). But MacIT, alive and well and awesome (I hadn’t really spent any time on the floor for a long time anyway)! Here’s the email announcing the MacIT dates, which will be July 14th through 16th in Santa Clara! I’m super-stoked! :)

MacIT_logo_emailDear MacIT constituents,

Mark your calendars for MacIT 2015!

I’m pleased to announce that we have secured dates for the MacIT 2015 Conference. This year’s event will be held July 14-16 at the Santa Clara Convention Center in Silicon Valley (Santa Clara, CA). Our team is hard at work to ensure the first “stand alone” MacIT is a must-attend event for enterprise professionals. The program committee is currently vetting themes and topics for the conference and our call for presenters is currently posted on our website – http://www.macitconf.com. Our returning sponsors, JAMF, Code42, ESET, Parallels, and CoSoSys are ready to preview their iOS and OS X solutions at MacIT 2015, and our sponsor recruitment team is in discussions with many of the manufacturers you have requested access to.

The world of enterprise integration for iOS and OS X continues to evolve at an exciting pace and MacIT continues to be a unique meeting and marketplace for the enterprise professional. MacIT will continue to focus on all things “Apple in the Enterprise” – technology and standards tutorials, realistic product and solution chain evaluations, candid analysis, case studies, peer problem solving, access to key vendors, and insights to help you assess Apple’s role in the enterprise technology world, and how these tools can best be put to work in your organization. Our goal is always to provide you the best (quantity and quality) content, presenters, manufacturers, and professional networking access to make you a success in your deployment projects.

I look forward to keeping in touch with you via email and social media with event updates and announcements over the coming months, and hope to see you at MacIT 2015.

Best Regards,

Paul Kent Conference Chairman, MacIT

MacIT on Twitter: https://twitter.com/MacITConf #MacIT2015

MacIT on Facebook: https://www.facebook.com/pages/MacIT/151684994917868

iPhone Mac OS X Mac OS X Server Mac Security MobileMe

MacTech Pro

MacTech just announced MacTech Pro: a new series of one day, regional events that are specifically designed for professional Apple techs, consultants, and support staff.  MacTech Pro Events are single-track, hotel-based seminars that are specifically geared to serve the needs of professional consultants, IT Pros and techs who support others on OS X and iOS.  The first MacTech Pro will take place on March 4th, 2015 in Seattle.

MacTech Pro will take place in nine U.S. cities in 2015 including:

• March 4, 2015 : MacTech Pro, Seattle
• March 25, 2015 : MacTech Pro, San Francisco
• April 15, 2015 : MacTech Pro, Boston
• May 6, 2015 : MacTech Pro, Atlanta
• June 24, 2015 : MacTech Pro, Washington DC
• July 22, 2015 : MacTech Pro, Chicago
• August 12, 2015 : MacTech Pro, New York
• September 2, 2015 : MacTech Pro, Dallas
• September 30, 2015 : MacTech Pro, Denver

Using MacTech’s proven “running order” approach, MacTech Pro will pack in the maximum amount of sessions possible into the time available combined with the opportunity to talk to sponsors, network with peers and meet new contacts. Event topics in 2015 include:

• Deconstructing iCloud Drive: What a Tech Must Know
• Time Machine Deep Dive, and Fitting it Into a Backup Strategy
• The Professional Apple Tech’s Toolbox
• Using OS Resources to Diagnose Troubles
• Caching servers, DNS Tricks, and More
• VPP, DEP, and Under 13: How New Apple ID Requirements Impact You and Your Clients
• Productivity Tools: Best Practices and Uses of Microsoft Office
• Security, Viruses and Malware. It’s real. It’s now. You need to take it seriously.
• Managing Your Clients To Increase Productivity and to Optimize Revenue

MacTech Pro Events are economically priced, include the full day of sessions, lunch, breaks and access to sponsor tables. Those who register early can take advantage of the Early Registration and save $200.00 and pay only $299 to register for any of the nine regional MacTech Pro Events in 2015.

To honor the announcement, those that register this week can save an additional $50 savings for any MacTech Pro Event in 2015 — $249 until January 26th.  EDU pricing for students, educators and staff is $199.

Additional information on topics, sessions, sessions chairs, speaker and sponsorship opportunities are available at http://pro.mactech.com/

Active Directory Mac OS X Mac OS X Server Mac Security Mass Deployment

Destroy Open Directory Servers Using The Server App

You can destroy an LDAP server using the Server app (and still using slapconfig -destroyldapserver). To do so, open the Server app and click on Open Directory. Then click on the Open Directory server in the list of servers.

Screen Shot 2015-01-16 at 11.22.15 PM

When prompted to destroy the LDAP Master, click on Next.

Screen Shot 2014-12-15 at 10.09.56 PM

When asked if you’re sure, click Continue.

Screen Shot 2014-12-15 at 10.10.00 PM

When asked if you’re really, really sure, click Destroy.

Screen Shot 2014-12-15 at 10.10.03 PM

Wait.

Bushel iPhone Mac OS X Mac OS X Server Mac Security Mass Deployment

Enroll Devices Into Bushel

To manage a device from Bushel, it must first be added to your Bushel. The technical whiz-bang name for that process is Enrollment. We currently provide 3 ways to enroll devices into your Bushel. All three are available on the Enrollment page when you’re logged into Bushel.

Screen Shot 2014-09-11 at 11.41.46 AM

The first and best way to enroll devices into your Bushel is an Apple program called the Device Enrollment Program, or DEP for short. DEP is a way of tying devices to your Bushel so that they cannot be removed from the device, even if the device is wiped. Other than through DEP,  all enrollment into your Bushel is optional on the devices and so devices can be unenrolled at will. DEP requires an actual DEP account with Apple, which you can sign up for at https://deploy.apple.com/qforms/open/register/index/avs.

The second way to enroll devices into your Bushel is via Open Enrollment. When you Configure Open Enrollment you create a link that allows your users to enroll without logging into the portal. Simply open Open Enrollment from the Enrollment page and click Enable. Once enabled, you’ll see the URL to enroll devices.

Screen Shot 2014-09-11 at 11.43.44 AM

The third way to enroll devices is manually. Simply log into your Bushel, click on Enrollment and then click on the Enroll button for Enroll This Device. When prompted for “Who will this device belong to?” enter the username (e.g. the user’s name in front of their email address most likely or the username for your email system if it’s something different than that). Also provide the email address itself in the Email Address field and then click Enroll This Device. Now, if you want to enroll the device you’re using, simply complete the screen prompts for the profile installation and you’ll be good to go. Or, you can save the mobileconfig file that’s downloaded and send it to others in order to allow them to install it as well. Simply cancel the installation process (most easily done from a Mac) and distribute the Enroll.mobileconfig file as needed. You can also put a user’s name in front of the file name, so you know which will enroll each user. If you need to enroll 3 or 4 people in other countries or cities, this might be the best option!

Screen Shot 2014-09-11 at 11.48.46 AM

OK, so we basically gave 4 ways to enroll. But that’s because we’re trying to make it as easy as possible to enroll devices into your Bushel.

Mac OS X Mac OS X Server Mac Security Network Infrastructure Xsan

Configure sFlows on a Brocade 8470

sFlow is an industry standard that allows network equipment with the appropriate agents to send data to sFlow collectors, which then analyze network traffic. You can install sFlow on routers, switches, and even put agents on servers to monitor traffic. Brocade (along with most other switch manufacturers) supports sFlow.

Before you do anything log into the switch and check the current flow configuration:

show sFlow

To configure, log into the switch and use the the int command to access an interface. From within the interface, use the following command:

sflow forwarding

Then exit the interface using the very difficult to remember exit command:

exit

Repeat the enablement of forwarding for any other necessary interfaces. Next, we’ll configure a few globals that would be true across all interfaces. The first is the destination address, done using the destination verb followed by the IP and then the port (I’m using the default 6343 port for sFlow):

sflow destination 192.168.210.87 6343

Set the sample rate:

sflow sample 512

Set the polling interval:

sflow polling-interval 30

Finally, enable sFlow:

sflow enable

Consulting iPhone Mac OS X Mac OS X Server Mac Security Mass Deployment personal public speaking sites

krypted.com Turns 10 Today

Wow, seems like just yesterday I took down the old static page that was just a bunch of links I used to find stuff and went with a full-on WordPress site and published my first article. Doesn’t seem like I’ve been writing that long. But when I look at the over 2,500 posts on this site and the fact that I hit over 210,000 uniques last month, I guess it must be true. I’m so thankful that people want to read this stuff. And I’m really glad that I’ve been able to help a few people over the years. I hope the next 10 years are even better than the last 10! And thank you for coming back here and there, when you need to.

athletic-events-tv-sports-fan-birthays-ecards-someecards

Oh, and Happy New Year!

 

Articles and Books Bushel Consulting Mac OS X Mac OS X Server Mac Security Mass Deployment personal

Childproof Your Mac

When I put a computer in my daughters room, I soon realized I could no longer watch over her shoulder as she worked away at school games, Minecraft and of course Civilization (after all, that was my first game). So much as I wrote an article a long time ago about child-proofing an iPad, now I’m writing about child-proofing a Mac.

For me, I find that child-proofing is a bit like taking my kid to McDonald’s. I said never ever ever ever would I do this and then… Well, peer pressure, ya’ll… So if I have to do it, I figure someone else might. So here’s a quick and dirty guide to doing so. The gist of this guide is to continue using the same admin account that was created when you setup the computer initially. But to also create another account for the child, one that has some restrictions to keep them in a customized user experience. This might be to keep them out of things they try to do on purpose, keep them from accidentally finding some things they shouldn’t or maybe just to customize the user experience to make the computer easier to use (after all, if they can’t remove Minecraft from the Dock, they can’t come crying when they can’t find it.

Create a Managed Account

Most of the work that needs to be done, can be done within the System Preferences. This is available under the Apple menu as System Preferences…

Screen Shot 2014-12-26 at 5.09.00 PM

Once open, click on the Users & Groups System Preference.

Screen Shot 2014-12-26 at 5.09.41 PM

At the Users & Groups System Preference pane, click on the plus sign (+).

Childproof_Managed_Account

 

At the new account screen, choose “Managed with Parental Controls” in the New Account field. Then provide the child’s name in the Full Name field and an Account Name will be automatically created (note that I shortened the name in this example to make it easier for the child to log in).

Assuming your child doesn’t have their own iCloud account, set the password to “Use separate password” and then type it in. Once you’re happy with these settings, create the new account, which can be managed with Parental Controls by clicking on the Create User button.

Childproof_User

Restrict Applications and The Dock

Once the account is created, click on the “Enable parental controls” checkbox and then on the Open Parental Controls… button.

Screen Shot 2014-12-26 at 5.01.32 PM

At the Parental Controls System Preference pane, you’ll have a few options.

  • Check the Use Simple Finder box if you’d like the user to have a limited user experience (no command keys, only certain windows open, etc). I would usually only recommend doing this if you have very small children (like maybe pre-school age). I usually like them to be able to do as much as possible to foster the whole hacker mentality nice and young!
  • Check the box for Limit Applications if you’d only like certain apps to open. This is right up front on the main screen because it’s kinda’ important. Use the Allowed Apps section to select which apps can and can’t be opened (if there’s a checkbox beside the app name it can be opened by the user).
  • Use the Allow App Store Apps drop-down list to to set an age ranking minimum. These are available in 4+, 9+, 12+, 17+ and All (which basically disables restrictions).
  • Check the box for “Prevent the Dock from being modified” if you would like to restrict the new account from being able to edit the Dock. I usually wait for this, as I like to customize the Dock by putting the apps I want the child to open into the Dock. To do so, skip now, log in as the new user, log out and then customize the Dock. Once you’re done, log out, log in as an administrative user and then check the box.

Web Restrictions

Next, click on the Web tab. Here, you’ll effectively have 3 options: don’t restrict any content, let Apple try and block inappropriate content and build a whitelist of allowed content (with all other content blocked). Now, it’s worth mentioning that there can be an annoying element here, which is that if a site needs to be opened up for access, a child might come bugging you. But I like that, so I’m configuring this.

Screen Shot 2014-12-26 at 5.01.40 PM

Options include:

  • Allow unrestricted access to websites: Don’t block any content. Allow unfettered access to all websites ever.
  • Try to limit access to adult websites automatically: Click on the Customize button to add white and blacklisted sites, or sites that were accidentally restricted or allowed that maybe shouldn’t of. Or, if you want to restrict access to a specific web-based game that has become problematic.Screen Shot 2014-12-26 at 5.46.23 PM
  • Allow access to only these websites: This option allows access to only the websites you allow access to. A word of warning here, a lot of sites pull content from other sites, which can be kinda’ annoying…

Note: It’s worth mentioning that I discovered a few websites I’d of never tried to use in the allow list, so worth checking them out to see if your child will dig on some of these sites!

Once you’re satisfied with the options you’ve configured, click on the People tab.

Configure Who Your Child Can Communicate With

At the People screen, you can configure who the person using the Managed Account can communicate with. Here, restrict access to Game Center, restrict who the account can send and receive mail with and of course, who the account can use the Messages app with.

Screen Shot 2014-12-26 at 5.02.09 PM

The above options include the following:

  • Allow joining Game Center multiplayer games: Uncheck this box to restrict the user from playing any multiplayer games that use Game Center to connect people. If the user is using a game that doesn’t integrate with Game Center then they would still be able to use that game to enter into a multi-player game.
  • Allow adding Game Center friends: Uncheck this box to keep the user with the Managed Account from adding any new friends in Game Center.
  • Limit Mail to allowed contacts: Only allow people in the Allowed Contacts section to exchange emails with the user of the account.
  • Send requests to: Define an email address that can receive a contact request and approve it. I use this so that when my daughter needs something she can let me know.
  • Limit Messages to allowed contacts: Only allow people in the Allowed Contacts section to message with the user of the account.
  • Allowed Contacts: Use the plus sign at the bottom of this section of the screen to add new contacts and the minus button to remove contacts.

Note: Apple rarely uses the word restrict. Instead, they prefer to allow things to happen by default and then let you disallow these features. Basically the same thing, but keep this in mind when you’re configuring accounts as sometimes you can accidentally click the wrong thing if you’re not accustomed to such double-negativery. 

Once you have configured who the user of this account can communicate with, click on the Time Limits tab.

Configure Time Limits

Time limits are used to restrict what times the user can use the computer as well as how long per day that the user can actually use the computer. The options available include:

  • Limit weekday use to: Define a maximum number of hours that the managed user can use the computer on a given workday between Monday through Friday. This can be anywhere from half an hour to 8 hours of time.
  • Limit weekend use to: Define a maximum number of hours that the managed user can use the computer on a given Saturday or Sunday. This can be anywhere from half an hour to 8 hours of time.
  • School nights: Define the time frames where the computer cannot be used by the Managed User on Sunday through Thursday evenings. For example, the below screen shows that on weeknights, the Emerald Edge user can’t use the computer from 8PM to 6AM.
  • Weekend: Define the time frames where the computer cannot be used by the Managed User on Friday and Saturday nights. For example, the below screen shows that on weeknights, the Emerald Edge user can’t use the computer from 8PM to 6AM.

Screen Shot 2014-12-26 at 5.02.40 PM

Time limits are the only things that matter for some who like to physically sit with a child while they use a computer, as you might just want to keep the child from waking up in the middle of the night and accidentally seeing something that scares them. But for many, time limits won’t be enough, as kids might spend hours gaming or doing homework unmonitored.

More Stuffs

Next, click the Other tab. Here, you’ve got the miscellaneous restrictions that really don’t fit anywhere else in Parental Controls. The options available include the following:

  • Disable built-in camera: Turn off the built-in camera for the user. Note that third party cameras wills till work for the user.
  • Disable Dictation: Turn off Dictation/Speakable Items for the user. Note that apps like Dragon Naturally Speaking can still be used.
  • Hide profanity in Dictionary: Use this option to disable any articles in the Dictionary app that have profanity in them.
  • Limit printer administration: Don’t allow the user to manage printers. Note that if you do this, you’ll want to install any Bonjour printers first.
  • Disable changing the password: Don’t allow the user to change the password.
  • Limit CD and DVD burning: Disable any optical media writing for the Managed Account.

Screen Shot 2014-12-26 at 5.03.09 PM

Note: I know I said earlier that Apple rarely says restrict or disable. They will get around to fixing this screen eventually… ;)

View Logs

Once you have configured parental Controls, click on that Logs button in the lower right corner of the screen. Here, you’ll see the following:

  • Show activity for: Indicate the period of time to show logs for.
  • Websites Visited: A list of the websites accessed by the user of the managed account. Note that no third party web browsers are shown unless they use Apple’s webkit (which is basically not really any).
  • Websites Blocked: A list of any websites that were blocked while attempting to access them.
  • Applications: A list of the applications used by the user of the managed account.
  • Messages: Transcripts of conversations sent and received using the Messages app. Note that any third party chatting apps aren’t logged here.
  • Clear Log: Deletes the log. Use this after you’ve checked the behavior and wish to have the next time you check only show you what’s changed.

Screen Shot 2014-12-26 at 5.02.49 PM

And that’s what you can do with Parental Controls. But there’s more, which we’ll look at shortly. When you click out of a field, the settings are changed in a System Preference, so you should be able to just close the window and have your settings persist.

Conclusion

We’ve gone through creating a new account, restricting access to what that account can do and how and when to use these options. But there’s much, much more than we can cover in this article. There are tons of other restrictions that don’t fit into these basic options, accessed either through what are known as managed preferences or via profiles, which can easily be created by tools like Apple Configurator, Profile Manager and 3rd party mobile device management tools such as Bushel.

Screen Shot 2014-12-26 at 6.13.22 PM

Ultimately, I can pretty much break out of about any managed environment you put me in. And in the age of YouTube, chances are that your child has many the same materials I’ve either presented, written or that others have written. So please don’t consider these options as much more than just a general guideline unless you’re using a Device Enrollment Program-enabled device.

Anyway, good luck, and you’re a good parent for caring.