krypted.com

Tiny Deathstars of Foulness

As of OS X 10.9 (and, in many cases more importantly, in OS X Server for 10.9 and higher), OS X performs ARP cache validation when trying to pass traffic over a router. If you are double NAT’d or use redundant gateways, the traffic can be interpreted as network redirection and cause some pretty bad packet loss and latency. You can disable this feature by turning off net.link.ether.inet.arp_unicast_lim using sysctl:

sysctl -w net.link.ether.inet.arp_unicast_lim=0

That only disables unicast ARP validation until the next reboot. If it fixes a latency problem you’re having, you can make it permanent by adding the following line to /etc/sysctl.conf:

net.link.ether.inet.arp_unicast_lim=0

If you’re still having issues with latency, turn it back on. To enable it again, repeat, swapping the 0 with a 1.
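Making the change persistent, as an added example that is not part of the original post: the functions below write or replace a key in a sysctl.conf-style file without duplicating it, read the persisted value back, and revert it. The file path is a parameter so the same functions can be exercised on a scratch copy; the function names and the Darwin-only guard around the live sysctl -w call are my own assumptions.

```shell
# Added example (not from the original post): persist the ARP validation
# setting in a sysctl.conf-style file idempotently, and revert it again.
# Assumptions: one "key=value" per line, "#" comments allowed; the live
# "sysctl -w" step only runs on Darwin because the key does not exist on
# other kernels.

ARP_KEY="net.link.ether.inet.arp_unicast_lim"

# Escape the dots in a sysctl key so they match literally in sed/grep.
key_re() { printf '%s' "$1" | sed 's/\./\\./g'; }

# set_sysctl_conf FILE KEY VALUE: replace an existing KEY line or append one.
set_sysctl_conf() {
    file=$1; key=$2; value=$3; re=$(key_re "$key")
    [ -f "$file" ] || : > "$file"
    if grep -q "^[[:space:]]*${re}[[:space:]]*=" "$file"; then
        # Rewrite through a temp file: "sed -i" differs between BSD and GNU.
        tmp=$(mktemp)
        sed "s|^[[:space:]]*${re}[[:space:]]*=.*|${key}=${value}|" "$file" > "$tmp"
        cat "$tmp" > "$file"; rm -f "$tmp"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_sysctl_conf FILE KEY: print the persisted value (last one wins), or nothing.
get_sysctl_conf() {
    sed -n "s|^[[:space:]]*$(key_re "$2")[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# apply_now KEY VALUE: change the running kernel as well (Darwin only).
apply_now() {
    if [ "$(uname)" = "Darwin" ]; then sysctl -w "$1=$2"; fi
}

# disable_arp_validation FILE / enable_arp_validation FILE: persist and apply.
disable_arp_validation() { set_sysctl_conf "$1" "$ARP_KEY" 0; apply_now "$ARP_KEY" 0; }
enable_arp_validation()  { set_sysctl_conf "$1" "$ARP_KEY" 1; apply_now "$ARP_KEY" 1; }
```

On a server you would call disable_arp_validation /etc/sysctl.conf as root; running it twice leaves a single line, and enable_arp_validation flips the same line back rather than appending a second one.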

July 19th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


Tools that leverage the Xcode Command Line Tools might have a problem if you install the tools without agreeing to the license. Here, you can see IntelliJ complaining about just that. To agree to the license agreement, you can use xcrun along with the cc verb:

sudo xcrun cc

This is an interactive command line environment, so in order to script it you’d need to use expect to feed in the correct parameters.

September 26th, 2014

Posted In: Mac OS X


OS X Server supports running a traditional BIND implementation of DNS. You can define a record for most any name, including google.com, www.google.com, www.www.google.com, etc. You can use this to redirect subdomains. In this example, we’ll create an A record to point www.google.com to 127.0.0.1 without breaking other google.com subdomains.

To get started, let’s use the DNS service in the Server app to create test.www.google.com. The reason for this is that OS X will then create a zone file for www.google.com. If we created www.google.com instead, then OS X would automatically create google.com, which would break the other subdomains. To do so, open Server app and click on the DNS service. Then click on the plus sign to create a new record.

Now, if you restart DNS and ping test.www.google.com you should see the referenced IP. To then change www.google.com, we’d edit the zone file stored at /Library/Server/named/db.www.krypted.com. This file will look like this when you first open it:

www.google.com. 10800 IN SOA www.google.com. admin.www.google.com. (
    2014092301 ; serial
    3600 ; refresh (1 hour)
    900 ; retry (15 minutes)
    1209600 ; expire (2 weeks)
    86400 ; minimum (1 day)
    )
    10800 IN NS test.www.google.com.
test.www.google.com. 10800 IN A 127.0.0.1

We’ll add an A record for a.www.google.com:

a.www.google.com. 10801 IN A 127.0.0.1

Now, to change the apex record, you’d just replace the name you’ve been using with an @:

@ 10801 IN A 127.0.0.1

Good luck!
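Editing the zone by hand works, but two things bite in practice: an owner name without a trailing dot is treated as relative to the zone, and a zone whose SOA serial is not incremented will not be re-transferred by any secondary. The shell below is an added example and not part of the original post: it appends an A record only after checking the owner and the address, and bumps the serial each time. The sample zone is a constructed copy of the one above; the function names are assumed.

```shell
# Added example (not from the original post): maintain A records in a BIND
# zone file like the one above, checking the two mistakes that break zones
# most often (an unqualified owner name, an invalid address) and bumping the
# SOA serial so secondaries notice the change. The sample zone below is a
# constructed copy of the one in the post.

make_sample_zone() {
cat > "$1" <<'EOF'
www.google.com. 10800 IN SOA www.google.com. admin.www.google.com. (
    2014092301 ; serial
    3600       ; refresh (1 hour)
    900        ; retry (15 minutes)
    1209600    ; expire (2 weeks)
    86400      ; minimum (1 day)
    )
    10800 IN NS test.www.google.com.
test.www.google.com. 10800 IN A 127.0.0.1
EOF
}

# zone_serial FILE: print the SOA serial (the number on the "; serial" line).
zone_serial() { awk '/;[[:space:]]*serial/ { print $1; exit }' "$1"; }

# zone_bump_serial FILE: increment the serial in place.
zone_bump_serial() {
    old=$(zone_serial "$1"); new=$((old + 1)); tmp=$(mktemp)
    sed "s/${old}\([[:space:]]*;[[:space:]]*serial\)/${new}\1/" "$1" > "$tmp"
    cat "$tmp" > "$1"; rm -f "$tmp"
}

# valid_ipv4 ADDR: four dotted decimal octets, each 0-255 (runs in a subshell
# so changing IFS does not leak into the caller).
valid_ipv4() (
    IFS=.; set -- $1; [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) exit 1;; esac
        [ "$o" -le 255 ] || exit 1
    done
    exit 0
)

# zone_has_record FILE OWNER TYPE: succeed if a record exists, with or without a TTL.
zone_has_record() {
    awk -v n="$2" -v t="$3" \
        '$1 == n && (($3 == "IN" && $4 == t) || ($2 == "IN" && $3 == t)) { f = 1 }
         END { exit !f }' "$1"
}

# zone_add_a FILE OWNER TTL ADDR: append an A record ("@" for the apex) and bump the serial.
zone_add_a() {
    file=$1; owner=$2; ttl=$3; addr=$4
    case $owner in
        @|*.) ;;
        *) echo "owner must be fully qualified (trailing dot) or @: $owner" >&2; return 1;;
    esac
    valid_ipv4 "$addr" || { echo "not an IPv4 address: $addr" >&2; return 1; }
    printf '%s %s IN A %s\n' "$owner" "$ttl" "$addr" >> "$file"
    zone_bump_serial "$file"
}
```

zone_add_a /Library/Server/named/db.www.google.com a.www.google.com. 10800 127.0.0.1 adds the record from the post and moves the serial from 2014092301 to 2014092302; a rejected record leaves both the file and the serial untouched, so a reload never picks up a half-edited zone.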

September 23rd, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Network Infrastructure, sites, Ubuntu, Unix


You can export profiles from Apple Configurator or Profile Manager (or some of the 3rd party MDM tools). You can then install profiles by just opening them and installing. Once profiles are installed on a Mac, mdmclient, a binary located in /usr/libexec, will process changes such as wiping a system that has been FileVaulted (note you need to FileVault if you want to wipe an OS X Lion client computer). /System/Library/LaunchDaemons and /System/Library/LaunchAgents have an mdmclient daemon and agent respectively that start it up automatically.

To script profile deployment, administrators can add and remove configuration profiles using the new /usr/bin/profiles command. To see all profiles, aggregated, use the profiles command with just the -P option:

/usr/bin/profiles -P

As with managed preferences (and piggybacking on managed preferences for that matter), configuration profiles can be assigned to users or computers. To see just user profiles, use the -L option:

/usr/bin/profiles -L

You can remove all profiles using -D:

/usr/bin/profiles -D

The -I option installs profiles and the -R option removes profiles. Use -p to indicate the profile is from a server or -F to indicate its source is a file. To remove a profile:

/usr/bin/profiles -R -F /tmp/HawkeyesTrickshot.mobileconfig

To remove one from a server:

/usr/bin/profiles -R -p com.WestCoastAvengers.HawkeyesTrickshot

The following installs HawkeyesTrickshot.mobileconfig from /tmp:

/usr/bin/profiles -I -F /tmp/HawkeyesTrickshot.mobileconfig

If created in Profile Manager:

/usr/bin/profiles -I -p com.WestCoastAvengers.HawkeyesTrickshot

There is a nifty new feature in the profiles command in Mavericks, where you can configure profiles to install at the next boot, rather than immediately. Use -s to define a startup profile, and take note that if it fails, the profile will attempt to install at each subsequent reboot until installed. To use the command, simply add -s, then -F for the profile and -f to automatically confirm, as follows (and I like to throw in a -v usually for good measure):

profiles -s -F /Profiles/SuperAwesome.mobileconfig -f -v

And that’s it. Nice and easy, and you now have profiles that only activate when a computer is started up.

As of OS X Mavericks, the dscl command has extensions for dealing with profiles as well. These include the available MCX Profile Extensions:

-profileimport
-profiledelete
-profilelist [optArgs]
-profileexport
-profilehelp

To list all profiles from an Open Directory object, use -profilelist. To run, follow the dscl command with -u to specify a user, -P to specify the password for the user, then the IP address of the OD server (or name of the AD object), then the profilelist verb, then the relative path. Assuming a username of diradmin for the directory, a password of moonknight and then the cedge user:

dscl -u diradmin -P moonknight 192.168.210.201 profilelist /LDAPv3/127.0.0.1/Users/cedge

To delete that information for the given user, swap the profilelist extension with profiledelete:

dscl -u diradmin -P moonknight 192.168.210.201 profiledelete /LDAPv3/127.0.0.1/Users/cedge

If you would rather export all information to a directory called ProfileExports on the root of the drive:

dscl -u diradmin -P moonknight 192.168.210.201 profileexport . all -o /ProfileExports

November 6th, 2013

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


I’ve had a couple of servers that I noticed were pretty slow to open up Terminal after upgrading to 10.9. To fix, I just cleared the ASL logs. To do so, just rm the contents of /var/log/asl. Here, I back them up first:

cp -r /var/log/asl/ /Users/krypted/Desktop/asl/
rm -f /var/log/asl/*.asl

If you end up not needing them you can just delete the asl directory from your Desktop.

November 1st, 2013

Posted In: Mac OS X, Mac OS X Server, Mac Security


Just got to do my first troubleshooting for the iBooks app in OS X. There wasn’t a ton of info, so I went digging for the debug menu that has become a staple of so many Apple apps. And it turns out that it was there. Looking at the plist for iBooksX prefs:

defaults read com.apple.iBooksX

This shows that we can go ahead and deploy a key to suppress the welcome screen (nice little deployment note made there) and a few other things. But what I was looking for is that BKShowDebugMenu key:

{
    BKAlreadyDisplayedWelcomeExperience = 1;
    "BKBookshelfCategoryManager~012384" = 1;
    BKBookshelfViewControllerFilterAction = 5;
    BKBookshelfViewControllerSortAction = 1;
    BKShowDebugMenu = 0;
    BKSimulateCrashDuringMigration = 0;
    LibraryCountDate = "2013-11-03 03:26:26 +0000";
}

Let’s just turn that sucker on:

defaults write com.apple.iBooksX BKShowDebugMenu -boolean TRUE

And then voilà, the next time iBooks opens there’s a nice little Debug menu. Here, I was able to click Migrate from iTunes again (the option in the File menu didn’t work for me) and before you know it, all the titles that didn’t migrate over the first time magically appeared. Hope this helps someone.

Also, if you want to suppress the “welcome experience” in iBooks during deployment:

defaults write com.apple.iBooksX BKAlreadyDisplayedWelcomeExperience -boolean TRUE

Finally, if you’re looking for a key that you can use to verify that a computer has actually logged in with an iTunes account in iBooks (could be helpful for keying off things in scripts or whatever), note that a CachedStorefrontID key (and a couple of other cached keys) is created when iBooks accesses the store or an AppleID for the first time.

October 27th, 2013

Posted In: Mac OS X, Mass Deployment


Mavericks allows you to look at power hungry apps, so you can keep track of what’s draining your battery. To do so, click on the battery icon in the menu bar and then look in the Apps Using Significant Energy section. If you’re concerned about an aggregate of apps using too much energy, hold down the option key when you click on the icon. When you do so, the Condition will be listed; hopefully as Normal.

October 25th, 2013

Posted In: Mac OS X, Mac Security


I noticed this because part of my postflight imaging task for my lab systems is to show all files, but in Mavericks, the com.apple.finder defaults domain is case sensitive. So if you have com.apple.Finder you’ll need to edit it in such a workflow. For example, if you need to see hidden files, use the following commands:

defaults write com.apple.finder AppleShowAllFiles -boolean true
killall Finder

The problem with seeing hidden files is that you see a lot of stuff that you really probably don’t want to see. So to get back to a state where you don’t have to see all of the invisible files, use the following commands:

defaults delete com.apple.finder AppleShowAllFiles
killall Finder
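A deployment script that keys off preference values, as in the iBooks post above (BKShowDebugMenu, CachedStorefrontID) and the Finder post here (AppleShowAllFiles), needs to read what defaults read actually prints rather than assume what was written. Below is an added example, not code from the original posts: a small parser for the old-style property list that defaults read emits, with a constructed sample reproducing the iBooks output from the post. The function names are assumptions, and read_prefs only calls the real defaults command where it exists.

```shell
# Added example (not from the original posts): parse the output of
# "defaults read <domain>" (the old-style property list shown in the iBooks
# post) so a deployment script can verify a key's value instead of blindly
# re-running "defaults write". sample_prefs reproduces the iBooks output from
# the post as a constructed sample; read_prefs uses it when "defaults" is absent.

sample_prefs() {
cat <<'EOF'
{
    BKAlreadyDisplayedWelcomeExperience = 1;
    "BKBookshelfCategoryManager~012384" = 1;
    BKBookshelfViewControllerFilterAction = 5;
    BKBookshelfViewControllerSortAction = 1;
    BKShowDebugMenu = 0;
    BKSimulateCrashDuringMigration = 0;
    LibraryCountDate = "2013-11-03 03:26:26 +0000";
}
EOF
}

# read_prefs DOMAIN: "defaults read DOMAIN" on a Mac; the constructed sample
# (or an empty dictionary) elsewhere.
read_prefs() {
    if command -v defaults >/dev/null 2>&1; then
        defaults read "$1"
    elif [ "$1" = "com.apple.iBooksX" ]; then
        sample_prefs
    else
        printf '{\n}\n'
    fi
}

# pref_value KEY (stdin: defaults output): print KEY's value without the
# surrounding quotes or trailing semicolon; prints nothing if the key is absent.
pref_value() {
    sed -n "s/^[[:space:]]*\"\{0,1\}$1\"\{0,1\}[[:space:]]*=[[:space:]]*//p" \
      | sed -e 's/;[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# pref_has_key KEY (stdin): succeed if the key exists at all, whatever its value.
pref_has_key() {
    grep -q "^[[:space:]]*\"\{0,1\}$1\"\{0,1\}[[:space:]]*="
}

# pref_is_true KEY (stdin): defaults stores booleans as 1/0, but scripts write
# TRUE/YES, so accept all of them.
pref_is_true() {
    case $(pref_value "$1") in 1|TRUE|true|YES|yes) return 0;; *) return 1;; esac
}

# Checks a deployment script could key off, one domain read per check.
ibooks_debug_menu_enabled() { read_prefs com.apple.iBooksX | pref_is_true BKShowDebugMenu; }
ibooks_store_used()         { read_prefs com.apple.iBooksX | pref_has_key CachedStorefrontID; }
finder_shows_hidden_files() { read_prefs com.apple.finder  | pref_is_true AppleShowAllFiles; }
```

With the sample output, ibooks_debug_menu_enabled fails (BKShowDebugMenu is 0) and ibooks_store_used fails (no CachedStorefrontID yet), which is exactly the state a script should detect before deciding whether to run the defaults write commands above.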

October 25th, 2013

Posted In: Mac OS X, Mass Deployment


Previously I’ve written a little here and there about using FileVault and more specifically scripting things around FileVault. The fdesetup command that enables FileVault for OS X clients from the command line got a few new options in OS X 10.9 Mavericks. We’ve always been able to enable FileVault using scripts thanks to fdesetup, but now Apple’s taken some of the difficulty out of configuring recovery keys. This comes in the form of the changerecovery, haspersonalrecoverykey, hasinstitutionalrecoverykey, usingrecoverykey and validaterecovery options. These options all revolve around one idea: make it easier to deploy centrally managed keys that can be used to unlock encrypted volumes in the event that such an action is required. There’s also a -recoverykey option, which indicates the number of the key if a recovery key is being used.

To use the fdesetup command to check whether a computer has a personal recovery key, use the haspersonalrecoverykey verb, as follows:

fdesetup haspersonalrecoverykey

The output will be a simple true or false. To check whether a computer has an institutional recovery key, use the hasinstitutionalrecoverykey verb, as follows:

fdesetup hasinstitutionalrecoverykey

To enable a specific personal recovery key, provide it using the changerecovery verb, as follows:

fdesetup changerecovery -personal

This is an interactive command, so when prompted, provide the appropriate personal key. The removerecovery verb can also be used to remove keys. And my favorite, validaterecovery, is used to check whether or not a recovery key will work to unlock a host; this can be tied into something like an extension attribute in Casper in order to store a key and then validate the key every week or four. This helps to make sure that systems are manageable if something happens.

The enable verb also has a new -authrestart option, which does an authenticated reboot after enabling FileVault. Before using the -authrestart option, check that a system can actually run it by using fdesetup with the supportsauthrestart verb; it will exit on true or false. Defer mode is nothing new: FileVault waits until a user password is provided. However, a new verb is available called showdeferralinfo, which shows information about deferral mode. This is most helpful as a sanity check so you don’t go running commands you already ran or doing things to systems that have already been provided with tasks to perform otherwise. Overall, there are a lot of really enterprise-friendly options new in Mavericks that those who do larger-scale deployments will be interested in using!
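As an added example that is not part of the original post, the audit below combines the status verbs into one report and builds the arguments for the enable verb, adding -authrestart only when supportsauthrestart answers true. fdesetup exists only on OS X, so a constructed stub answering fixed values stands in elsewhere; FDESETUP_CMD, the stub and the function names are all my own assumptions.

```shell
# Added example (not from the original post): combine the fdesetup status
# verbs into one audit, and only add -authrestart when the machine reports
# that it supports it. fdesetup exists only on OS X; stub_fdesetup is a
# constructed stand-in returning fixed answers so the logic can be exercised
# elsewhere. Set FDESETUP_CMD to choose which one runs.
FDESETUP_CMD=${FDESETUP_CMD:-fdesetup}

# Constructed stub: a Mac with a personal key only, no authenticated restart.
stub_fdesetup() {
    case $1 in
        haspersonalrecoverykey)      echo true ;;
        hasinstitutionalrecoverykey) echo false ;;
        supportsauthrestart)         echo false ;;
        *) echo "stub: unsupported verb $1" >&2; return 1 ;;
    esac
}

# fv_query VERB: print the true/false answer of a status verb, using the real
# binary when it is on the path and the stub otherwise.
fv_query() {
    if command -v "$FDESETUP_CMD" >/dev/null 2>&1; then
        "$FDESETUP_CMD" "$1"
    else
        stub_fdesetup "$1"
    fi
}

# fv_recovery_keys: print which recovery keys exist: personal, institutional, both or none.
fv_recovery_keys() {
    p=$(fv_query haspersonalrecoverykey); i=$(fv_query hasinstitutionalrecoverykey)
    case "$p/$i" in
        true/true)   echo both ;;
        true/false)  echo personal ;;
        false/true)  echo institutional ;;
        *)           echo none ;;
    esac
}

# fv_enable_args: arguments for "fdesetup enable", with -authrestart only
# where supportsauthrestart says true (avoids a failed enable on older Macs).
fv_enable_args() {
    if [ "$(fv_query supportsauthrestart)" = "true" ]; then
        echo "enable -authrestart"
    else
        echo "enable"
    fi
}

# fv_centrally_recoverable: succeed only if an institutional key is present,
# i.e. the volume can be unlocked with the centrally managed key.
fv_centrally_recoverable() {
    case $(fv_recovery_keys) in both|institutional) return 0;; *) return 1;; esac
}
```

On a real Mac, fv_recovery_keys and fv_centrally_recoverable give an extension attribute something to report, and "fdesetup $(fv_enable_args)" is the enable call with the restart flag decided by the machine rather than by the script author.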

October 22nd, 2013

Posted In: Mac OS X, Mac OS X Server, Mac Security


In OS X you’ve always had this weird shroud of the “Classic” environment. This type of environment was used to facilitate running things in the previous incarnation of Apple’s operating systems. Many of these have disappeared over the years. In Mavericks we see yet another go away in a very small, almost unnoticeable binary: bless. While this command conjures fears of getting excommunicated by a Borgia for many, for those of us in the Apple community, the bless command is used to define a folder to mount to boot to. In 10.8 and below, there was an option, bless --folder9, used to define an OS 9/Classic system folder. Given that you can’t run those operating systems on hardware that runs 10.9 Mavericks, Apple has finally managed to rid even its most religious sounding binary of all traces of OS 9. Hallelujah! No, I’m not done yet. There’s one more thing. --bootBlockFile, --save9, --saveX and --use9 are also gone now as they’re legacy (pretty much for OS 9) and no longer required.

October 22nd, 2013

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

