Tiny Deathstars of Foulness

I have another article up on the world webs. This one is on cloud use in small businesses, with IT Business Edge. Check it out at

Screen Shot 2016-01-20 at 3.24.36 PM

January 20th, 2016

Posted In: cloud, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Microsoft Exchange Server

Tags: ,

Leave a Comment

Ever since the kids from Silicon Valley went to TechCrunch, I’ve been thinking that at some point I’d want to put a piece there. Luckily, I recently got the chance. Today, 16 Apple Security Advances To Take Note Of In 2016 went up on TechCrunch. You can access the article here.

Screen Shot 2016-01-18 at 7.36.16 PM

The original article actually listed the year that each was introduced in order. It was a lot of work to go back in time and piece the timeline together, so since the years didn’t make it through editorial, I list them here (not that anyone actually cares):

  • 2002: Managed Preferences
  • 2003: FileVault
  • 2004: Require all software installers that need system resources to prompt for a password
  • 2005: Restrict setuid and setgid in scripts
  • 2007: Time Machine
  • 2007: Application Firewall
  • 2007: ASLR(Address Space Layout Randomization)
  • 2009: Application Sandboxing
  • 2009: XProtect, or File Quarantine
  • 2008: Antiphishing
  • 2010: The Mac App Store
  • 2012: Gatekeeper
  • 2012: Mobile Device Management
  • 2013: iCloud Keychain
  • 2015: System Integrity Protection, or SIP

And yes, since I was there for each of these, I did feel old writing this… :-/

And yes, thank you for asking, I did just publish another book on Mac Security, which you can buy here. :)

January 18th, 2016

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , ,

Leave a Comment

It can be tough to get information about larger Mac deployments. I’ve written a few books on it. Apple has built some pages on it. But many prefer to consume their content through video. As such, Sean Collins has teamed up with to put together an IT Administrator’s Guide for El Capitan. With topics ranging from SIP to DEP, and all the acronyms in the middle, Sean’s soothing voice will guide you through what you need to get started with a new Mac deployment.

Screen Shot 2016-01-15 at 2.11.19 PM

Many a job can seem daunting, but with this latest addition to our arsenal, you’ll instantly feel less intimidated. It’s like the Sun A of the Mac world. But afterwards, when you go into corpse pose, you won’t fall asleep, because the content is too good. Check it out here:

January 15th, 2016

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , ,

One of the options thats a tad bit hidden in OS X is the Secure Erase option, which runs a multi-pass erase on a volume. Additionally, there’s no option to Secure Erase free space on a volume. But you can still securely erase whatever you’d like (other than you boot volume obviously), when needed. To do so, use the diskutil command along with the secureErase option.

Screen Shot 2016-01-07 at 7.44.07 AM

The format of the command to secureErase freespace is:

diskutil secureErase freespace [level] [device]

The levels are as follows (per the man page as not all of these are specified in Disk Utility):

  1. Single-pass zero-fill erase
  2. Single-pass random-fill erase
  3. US DoD 7-pass secure erase
  4. Gutmann algorithm 35-pass secure erase
  5. US DoE algorithm 3-pass secure erase

So for example, let’s say you had a volume called Seldon and you wanted to do a standard Single-pass zero-fill erase. In this example you would use the following:

diskutil secureErase freespace 0 /Volumes/Seldon

If you were to automate the command then you would want to dump the output into a log file. For example:

diskutil secureErase freespace 0 /Volumes/Seldon > /var/log/secureeraselog.tmp

You can also secureErase a volume itself. To erase a volume called /Volumes/Seldon, use the same structure of the command, but this time without the freespace option:

diskutil secureErase 0 /Volumes/Seldon

The latest update to Disk Utility removes a lot of options from the GUI, but overall, I have yet to find a scenario where a task I need to perform isn’t still available, if only from the command line.

January 7th, 2016

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , ,

Pretty much every script I’m working on these days must be run as root. Checking what user is running something is pretty straight forward, as there’s a built-in shell variable for $USER that contains the user running a script. To see this real quick, simply run the following:

echo $USER

You can then put this into your scripts. I’ve been using the same block of code for decades, which can be run in a script by itself if you’d like to paste this into one.

if [[ $USER != "root" ]]; then
echo "This script must be run as root"
echo "You are root"
exit 1

Note: Keep in mind that the built-in $USER variable is case sensitive.

Obviously, most people won’t keep the lines that contain the else and you are root echo statements. You can just remove these or replace them with the meat of your script that requires elevated privileges to run. Enjoy.

December 21st, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Unix

Tags: , , , , , , , ,

Spotlight just kinda’ works. Except when it doesn’t. Which is luckily pretty rare, for the use cases that Spotlight was designed for. But when it doesn’t work, you have a few tools that I’ve highlighted over the years to help you out, including articles on shared volumes, manually indexing, disabling Spotlight, and a few others. But what if you need to go in more depth to isolate an issue? For this, Apple has provided us with a tool called mddiagnose, in /usr/bin. In the following command, we’ll run an mddiagnose to dump a bunch of system statistics that we can then look at. Here, we’ll do that to a folder called test in our current working directory:

/usr/bin/mddiagnose -f test

The output is then test.mdsdiagnostic, a directory with a CrashReporter, spindump, Samples, DiagnosticReports, a few system.log exports, and a diagnostic.log.

You can then view your log using the more command (or cat or less or whatevers)

more ~/test.mddiagnostic/diagnostic.log

Here, you’ll see the output of a bunch of scripts that were run. I find that this is the most informational aspect of what I get from the mddiagnose output. Every time I’ve actually fixed an issue here, it’s been with this output.

The other aspect of mddiagnose that I’ve found useful is checking permissions and paths. Here, you can answer the simple question of whether mdutil has permissions to check a path. We’ll do so using the -p option:

mddiagnose -p /Library/Application\ Support/Appifitizer


Screen Shot 2015-12-09 at 11.11.01 AM

December 15th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , ,

By default, most computers come with one partition and one volume on that partition. Well, in OS X there’s also a recovery partition, but that’s hidden so we’ll pretend like there’s just one. You can create additional volumes, which are useful for a number of different scenarios. The operation of creating partitions usually involves resizing a partition. That can be somewhat dangerous, so make sure to backup your Mac before doing so.

To create an additional partition (and by default an HFS+ filesystem on that partition), first open Disk Utility from /Applications/Utilities.

Screen Shot 2015-12-08 at 11.21.47 AM

Note that by default, the boot volume is highlighted. You can’t create a partition inside a volume or partition, so click on the name of the disk above that.

Screen Shot 2015-12-08 at 11.21.52 AM

Here, you can choose to run First Aid, Erase, Mount/Unmount, and Info. Most are unavailable when clicked on a disk, so let’s click on Partition. Doing so shows you each partition on the physical disk.

Screen Shot 2015-12-08 at 11.21.57 AM

You can click on each partition to see information about the partition. Let’s click on the plus sign (+) to create our new partition.

Screen Shot 2015-12-08 at 11.22.11 AM

When prompted, provide a name for the partition. You can choose a different format for the partition, but let’s leave that as the default for now. Then enter a size and click on Apply.

Screen Shot 2015-12-08 at 11.20.00 AM

If you’re taking space away from a partition, the old partition will be resized as a smaller partition, provided that there’s enough free space to do so.

Screen Shot 2015-12-08 at 11.20.05 AM


Once the process is complete, you should see your new volume mount.



December 14th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , ,

I’m gonna’ be speaking at the inaugural Mac Admin and Developer Conference, from Amsys in London. JAMF Software is sponsoring Mac Admin & Developer Conference in London, on Feb 9th and 10th. And this gives us the chance to help promote a 15% off discount on the normal ticket price of £497 + VAT, promo price: £422 + VAT.

Screen Shot 2015-12-11 at 8.29.14 AM

JAMF has a landing page on our site to help you use our discount at To get the discount, simply email and mention JAMF!

December 11th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, public speaking

Previously, I covered how to Programmatically Obtain Recent Wi-Fi Networks On A Mac. But, here I’m gonna’ go a step further and look at how to extract the password for a network as well. The two are stored in different locations. The recent networks are in the /Library/Preferences/SystemConfiguration/ defaults domain. If you pull one of those, then you can use the security command to extract the password itself.

security find-generic-password -ga "Krypted Home"

The output is as follows, showing everything that is tracked about this network in the keychain.

keychain: "/Library/Keychains/System.keychain"
class: "genp"
0x00000007 <blob>="Krypted Home"
0x00000008 <blob>=<NULL>
"acct"<blob>="Krypted Home"
"cdat"<timedate>=0x32303135313230373135313731375A00 "20151207151717Z\000"
"desc"<blob>="AirPort network password"
"mdat"<timedate>=0x32303135313230373135313731375A00 "20151207151717Z\000"
password: "test"

You can constrain the output with awk and grep so that you’d only see the password as the output of the command. Then, you can feed it back into other objects, like a new .mobileconfig.

December 11th, 2015

Posted In: Apple Configurator, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , ,

Next Page »