I have another article up on the world webs. This one is on cloud use in small businesses, with IT Business Edge. Check it out at http://www.itbusinessedge.com/slideshows/6-ways-small-businesses-can-master-the-cloud-in-2016-08.html.
krypted January 20th, 2016
Ever since the kids from Silicon Valley went to TechCrunch, I’ve been thinking that at some point I’d want to put a piece there. Luckily, I recently got the chance. Today, 16 Apple Security Advances To Take Note Of In 2016 went up on TechCrunch. You can access the article here.
The original article actually listed the year that each was introduced in order. It was a lot of work to go back in time and piece the timeline together, so since the years didn’t make it through editorial, I list them here (not that anyone actually cares):
And yes, since I was there for each of these, I did feel old writing this… :-/
And yes, thank you for asking, I did just publish another book on Mac Security, which you can buy here.
krypted January 18th, 2016
It can be tough to get information about larger Mac deployments. I’ve written a few books on it. Apple has built some pages on it. But many prefer to consume their content through video. As such, Sean Collins has teamed up with Lynda.com to put together an IT Administrator’s Guide for El Capitan. With topics ranging from SIP to DEP, and all the acronyms in the middle, Sean’s soothing voice will guide you through what you need to get started with a new Mac deployment.
Many a job can seem daunting, but with this latest addition to our arsenal, you’ll instantly feel less intimidated. It’s like the Sun A of the Mac world. But afterwards, when you go into corpse pose, you won’t fall asleep, because the content is too good. Check it out here:
krypted January 15th, 2016
One of the options that’s a tad bit hidden in OS X is the Secure Erase option, which runs a multi-pass erase on a volume. Additionally, there’s no option to Secure Erase free space on a volume. But you can still securely erase whatever you’d like (other than your boot volume, obviously) when needed. To do so, use the diskutil command along with the secureErase option.
The format of the command to secureErase freespace is:
diskutil secureErase freespace [level] [device]
The levels are as follows (per the man page as not all of these are specified in Disk Utility):
So for example, let’s say you had a volume called Seldon and you wanted to do a standard Single-pass zero-fill erase. In this example you would use the following:
diskutil secureErase freespace 0 /Volumes/Seldon
If you were to automate the command then you would want to dump the output into a log file. For example:
diskutil secureErase freespace 0 /Volumes/Seldon > /var/log/secureeraselog.tmp
You can also secureErase a volume itself. To erase a volume called /Volumes/Seldon, use the same structure of the command, but this time without the freespace option:
diskutil secureErase 0 /Volumes/Seldon
The latest update to Disk Utility removes a lot of options from the GUI, but overall, I have yet to find a scenario where a task I need to perform isn’t still available, if only from the command line.
krypted January 7th, 2016
Pretty much every script I’m working on these days must be run as root. Checking what user is running something is pretty straightforward, as there’s a built-in shell variable for $USER that contains the user running a script. To see this real quick, simply run the following:
You can then put this into your scripts. I’ve been using the same block of code for decades, which can be run in a script by itself if you’d like to paste this into one.
# Report whether the invoking user is root
if [[ $USER != "root" ]]; then
    echo "This script must be run as root"
else
    echo "You are root"
fi
Note: Keep in mind that the built-in $USER variable is case sensitive.
Obviously, most people won’t keep the lines that contain the else and you are root echo statements. You can just remove these or replace them with the meat of your script that requires elevated privileges to run. Enjoy.
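The $USER test above trusts an environment variable that the caller can set to anything, so a hardened variant checks the effective UID instead. This is an added example, not code from the original post; the function names user_var_says_root, euid_is_root, require_root and compare_checks are made up for illustration.

```shell
#!/bin/sh
# Added example: the $USER test next to a check of the effective UID.

# The check from the post: believes whatever the environment says.
user_var_says_root() {
    [ "${USER:-}" = "root" ]
}

# Hardened check: ask the system for the effective UID (0 is root).
euid_is_root() {
    [ "$(id -u)" -eq 0 ]
}

# Guard for the top of a script. Returns non-zero rather than exiting,
# so the caller decides what to do: require_root || exit 1
require_root() {
    if ! euid_is_root; then
        echo "This script must be run as root" >&2
        return 1
    fi
    return 0
}

# Run both checks with USER set to a claimed name and report each result.
# The subshell keeps the overridden USER from leaking into the caller.
compare_checks() {
    claimed="$1"
    by_var="no"
    by_uid="no"
    if ( USER="$claimed"; user_var_says_root ); then by_var="yes"; fi
    if euid_is_root; then by_uid="yes"; fi
    echo "USER=$claimed var_check=$by_var uid_check=$by_uid"
}

# Constructed inputs: a spoofed name and an ordinary one.
compare_checks root
compare_checks nobody
```

Run as an ordinary user, the first line reports var_check=yes even though uid_check stays no, which is the gap the UID test closes.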
krypted December 21st, 2015
Spotlight just kinda’ works. Except when it doesn’t. Which is luckily pretty rare, for the use cases that Spotlight was designed for. But when it doesn’t work, you have a few tools that I’ve highlighted over the years to help you out, including articles on shared volumes, manually indexing, disabling Spotlight, and a few others. But what if you need to go in more depth to isolate an issue? For this, Apple has provided us with a tool called mddiagnose, in /usr/bin. In the following command, we’ll run an mddiagnose to dump a bunch of system statistics that we can then look at. Here, we’ll do that to a folder called test in our current working directory:
/usr/bin/mddiagnose -f test
The output is then test.mdsdiagnostic, a directory with a CrashReporter, spindump, Samples, DiagnosticReports, a few system.log exports, and a diagnostic.log.
You can then view your log using the more command (or cat or less or whatevers)
Here, you’ll see the output of a bunch of scripts that were run. I find that this is the most informational aspect of what I get from the mddiagnose output. Every time I’ve actually fixed an issue here, it’s been with this output.
The other aspect of mddiagnose that I’ve found useful is checking permissions and paths. Here, you can answer the simple question of whether mdutil has permissions to check a path. We’ll do so using the -p option:
mddiagnose -p /Library/Application\ Support/Appifitizer
krypted December 15th, 2015
By default, most computers come with one partition and one volume on that partition. Well, in OS X there’s also a recovery partition, but that’s hidden so we’ll pretend like there’s just one. You can create additional volumes, which are useful for a number of different scenarios. The operation of creating partitions usually involves resizing a partition. That can be somewhat dangerous, so make sure to back up your Mac before doing so.
To create an additional partition (and by default an HFS+ filesystem on that partition), first open Disk Utility from /Applications/Utilities.
Note that by default, the boot volume is highlighted. You can’t create a partition inside a volume or partition, so click on the name of the disk above that.
Here, you can choose to run First Aid, Erase, Mount/Unmount, and Info. Most are unavailable when clicked on a disk, so let’s click on Partition. Doing so shows you each partition on the physical disk.
You can click on each partition to see information about the partition. Let’s click on the plus sign (+) to create our new partition.
When prompted, provide a name for the partition. You can choose a different format for the partition, but let’s leave that as the default for now. Then enter a size and click on Apply.
If you’re taking space away from a partition, the old partition will be resized as a smaller partition, provided that there’s enough free space to do so.
Once the process is complete, you should see your new volume mount.
krypted December 14th, 2015
I’m gonna’ be speaking at the inaugural Mac Admin and Developer Conference, from Amsys in London. JAMF Software is sponsoring Mac Admin & Developer Conference in London, on Feb 9th and 10th. And this gives us the chance to help promote a 15% off discount on the normal ticket price of £497 + VAT, promo price: £422 + VAT.
JAMF has a landing page on our site to help you use our discount at http://www.jamfsoftware.com/events/mac-admin-developer-conference-uk/. To get the discount, simply email email@example.com and mention JAMF!
krypted December 11th, 2015
Previously, I covered how to Programmatically Obtain Recent Wi-Fi Networks On A Mac. But, here I’m gonna’ go a step further and look at how to extract the password for a network as well. The two are stored in different locations. The recent networks are in the /Library/Preferences/SystemConfiguration/com.apple.airport.preferences defaults domain. If you pull one of those, then you can use the security command to extract the password itself.
security find-generic-password -ga "Krypted Home"
The output is as follows, showing everything that is tracked about this network in the keychain.
0x00000007 <blob>="Krypted Home"
"desc"<blob>="AirPort network password"
You can constrain the output with awk and grep so that you’d only see the password as the output of the command. Then, you can feed it back into other objects, like a new .mobileconfig.
krypted December 11th, 2015