Stoked that we got to interview Michael Lynn (@mikeymikey) for the MacAdmins podcast. It turned out to be a great episode on the future of Mac management and MDM. I’m glad we were able to have him join in! Pepijn and Marcus did a great job as well, so all round, a great episode. Hope you enjoy! Or find it on the Podcast site at http://podcast.macadmins.org/2016/10/24/episode-13-mdm-me-maybe/
In SQL you can give a user access to certain columns without giving them access to the whole table: create a view that selects only those columns, then grant the user SELECT on the view rather than on the underlying table. This is useful when delegating reporting, since a user might be allowed to see a column with an address but not a column with a credit card number, which narrows what a compromised reporting account can read. In this article, we'll use the same "Customers" table from the earlier articles:
ID  Site       Contact          Address         City         Zip    Country  SignupDate
1   Krypted    Charles Edge     my house        Minneapolis  55418  US       2005-01-01
2   Apple      Tim Cook         spaceship       Cupertino    95014  US       2015-12-05
3   Microsoft  Satya Nadella    campus          Redmond      98053  US       2014-11-01
4   Facebook   Mark Zuckerberg  foodhall        Menlo Park   94025  US       2010-03-10
5   JAMF       Dean Hager       Grain Exchange  Minneapolis  55418  US       2016-01-01
Next, we'll create a view called signupdate that only has customers who signed up on January 1st of 2005. Filtering on the SignupDate column (the table has no OrderDate column, so a WHERE on OrderDate would fail to create the view), this view returns the contacts and signup dates that match:
CREATE VIEW signupdate AS SELECT * FROM Customers WHERE SignupDate='2005-01-01';
The syntax is similar to a SELECT, but with CREATE VIEW followed by the name of the view and then AS followed by the SELECT statement. The view is a virtual table: it stores the query, not a copy of the data, so every query against the view re-runs the SELECT against the current rows in Customers. Once created, use the signupdate view in a query:
SELECT * FROM signupdate;
This SQL statement returns the following results:
1 Krypted Charles Edge my house Minneapolis 55418 US 2005-01-01
You can also have the view select just the columns you want, according to how you structure the query, and grant access to the view alone. That grants access to specific columns without granting access to all of the columns in the table.
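The column-restricted case described above, written out as an added example (this is not code from the original post). It assumes a MySQL or MariaDB server, a database named krypted, and a reporting account named 'reporting'@'localhost'; all three names are placeholders, and the CardNumber column and its test-card values are constructed here so the view has something worth hiding.

```sql
-- Added example, not from the original post. Database name (krypted), account
-- name ('reporting'@'localhost') and the CardNumber column are assumptions.
CREATE TABLE Customers (
  ID         INT PRIMARY KEY,
  Site       VARCHAR(32),
  Contact    VARCHAR(64),
  Address    VARCHAR(64),
  City       VARCHAR(32),
  Zip        VARCHAR(10),
  Country    CHAR(2),
  SignupDate DATE,
  CardNumber VARCHAR(19)   -- sensitive: must never be readable by the reporting role
);

-- Constructed rows; the card numbers are the standard Visa/Mastercard test values.
INSERT INTO Customers VALUES
  (1, 'Krypted', 'Charles Edge', 'my house',  'Minneapolis', '55418', 'US', '2005-01-01', '4111111111111111'),
  (2, 'Apple',   'Tim Cook',     'spaceship', 'Cupertino',   '95014', 'US', '2015-12-05', '5500000000000004');

-- The view names only the columns reporting needs. CardNumber (and Address)
-- are simply not part of it, so no query through the view can return them.
CREATE VIEW customer_contacts AS
  SELECT ID, Site, Contact, City, Country, SignupDate
  FROM Customers;

-- Grant SELECT on the view only. Because there is no grant on Customers itself,
-- the reporting account has no path to CardNumber at all.
CREATE USER 'reporting'@'localhost' IDENTIFIED BY 'change-me';
GRANT SELECT ON krypted.customer_contacts TO 'reporting'@'localhost';

-- Connected as reporting, this works:
SELECT Site, Contact, SignupDate
FROM krypted.customer_contacts
WHERE SignupDate = '2005-01-01';

-- ... and this is refused with "SELECT command denied", because the grant
-- is on the view, not on the base table:
SELECT CardNumber FROM krypted.Customers;
```

This relies on the view running with the privileges of the account that created it (the MySQL default, SQL SECURITY DEFINER), which is what lets the reporting account read rows from a table it has no grant on. Check the grants afterwards with SHOW GRANTS FOR 'reporting'@'localhost' so the base table never quietly acquires a grant of its own.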
Push Notifications can be used in almost every service in the Server app, especially in 3.5 for Yosemite (which I still like to call Yosemite Server as it makes me think of Yosemite Sam in a tux, pouring champagne). Any service that requires Push Notifications will provide the ability to set up APNS during the configuration of the service. But at this point, I usually just set up Push Notifications when I set up a new server. To enable Push Notifications for services, you'll first need to have a valid Apple ID. Once you have an Apple ID, open the Server app and then click on the name of the server. At the Overview screen, click on Settings. At the Settings screen for your server, click on the check-box for "Enable Apple push notifications." At the Apple Push Notification Services certificate screen, enter an Apple ID if you have not yet configured APNS and click on OK. The Apple Push Notification Service certificate will then be configured. The certificate is valid for one year, by default. Administrators receive an alert when the certificate is due to expire. To renew, open the same screen and click on the Renew button.
Earlier, I wrote an article on enabling some of the settings in SMB that are no longer available in the GUI, but are still available from the command line. I have now decided to go ahead and document some of the AFP settings that were removed during the transition to the Server app. All of these are serveradmin commands, so run them as root (via sudo), and you can read any one of them back with serveradmin settings followed by the key (for example serveradmin settings afp:guestAccess). The first to mention is maximum connections. There are a number of reasons that throttling the maximum number of AFP connections can be handy. The serveradmin afp setting for it is maxConnections, which by default is set to -1, indicating unlimited. To set this to 500, one would run:
serveradmin settings afp:maxConnections = 500
The second setting to mention is the greeting. The default is to send the greeting each time a user connects, if one is enabled. I find that just sending the greeting once satisfies the policy most environments would have around such things. I've also found that enough environments set up greetings that I've had to do this enough times for it to be fresh in my memory. To configure it, use Server.app to set up a greeting and then run the following command:
serveradmin settings afp:sendGreetingOnce = yes
Another thing that many environments are going to want is activity logs. By default these are disabled. To enable them:
serveradmin settings afp:activityLog = yes
The setting for how frequently to roll those activity logs is gone from the GUI as well. To edit that (let's just set it to 2 weeks instead of the default of 1 week):
serveradmin settings afp:activityLogTime = 14
The checkboxes for each type of activity to log are gone too. By default these are all enabled, so enabling the activity log turns them all on; the commands below therefore disable each one (though, as the server team seems well aware, if you use one you mostly use all):
serveradmin settings afp:loggingAttributes:logOpenFork = no
serveradmin settings afp:loggingAttributes:logCreateDir = no
serveradmin settings afp:loggingAttributes:logLogin = no
serveradmin settings afp:loggingAttributes:logLogout = no
serveradmin settings afp:loggingAttributes:logDelete = no
serveradmin settings afp:loggingAttributes:logCreateFile = no
Note: activity logs still record clients by IP address rather than by user ID, so don't expect them to attribute actions to an account. Error logs don't roll by default (a setting of 0), so to set them to roll (again using 14):
serveradmin settings afp:errorLogTime = 14
The disconnect idle users option is also now gone. To enable it:
serveradmin settings afp:idleDisconnectOnOff = yes
This doesn't edit the tickle time, but then, that was never presented in the GUI anyway (it controls how frequently a client who's connected via AFP checks in with the server). To customize the disconnect message:
serveradmin settings afp:idleDisconnectMsg = "Did you fall asleep there bub?"
And of course, you might need to customize the number of hours before a user is considered idle:
serveradmin settings afp:idleDisconnectTime = 1
To globally disable guest access (worth doing on any server that doesn't explicitly need anonymous shares):
serveradmin settings afp:guestAccess = no
And to allow the root user to log into AFP. Leave this at no unless you have a specific need: exposing root over a network file service hands an attacker a well-known, high-value username to guess a password for.
serveradmin settings afp:allowRootLogin = yes
Finally, to access the masquerade-as-a-user option for administrative accounts, which I'm not sure I like, but which some do:
serveradmin settings afp:attemptAdminAuth = yes
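Since none of these settings are visible in the GUI any more, they tend to drift without anyone noticing. The script below is an added example (not code from the original post) that audits the output of serveradmin settings afp against a small hardening baseline built from the commands above and prints the serveradmin commands that would put things back. It assumes serveradmin prints one "afp:key = value" line per setting, which is how the commands above are echoed back; the sample settings embedded in it are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original post: audit AFP settings against a
# hardening baseline and print the serveradmin commands that fix any drift.
# Assumption: `serveradmin settings afp` prints one "afp:key = value" line
# per setting. Run on the server as root:
#   serveradmin settings afp | sh afp_audit.sh --stdin

# Baseline derived from the post's commands, with the two risky knobs forced
# to their safe values (no guest access, no root login over AFP).
AFP_BASELINE='afp:guestAccess = no
afp:allowRootLogin = no
afp:idleDisconnectOnOff = yes
afp:activityLog = yes
afp:activityLogTime = 14
afp:errorLogTime = 14'

# afp_audit: read current settings on stdin; print one tab-separated line
# "DRIFT<tab>key<tab>wanted<tab>actual" per deviation (missing keys count as
# drift); return 1 if anything drifted, 0 if the server matches the baseline.
afp_audit() {
    current=$(cat)
    drift=0
    old_ifs=$IFS
    IFS='
'
    for want in $AFP_BASELINE; do
        key=${want%% = *}
        val=${want#* = }
        got=$(printf '%s\n' "$current" | awk -v k="$key" -F' = ' '$1 == k { print $2 }')
        if [ "$got" != "$val" ]; then
            printf 'DRIFT\t%s\t%s\t%s\n' "$key" "$val" "${got:-<unset>}"
            drift=1
        fi
    done
    IFS=$old_ifs
    return $drift
}

# afp_remediate_cmds: turn the audit output into the serveradmin commands that
# restore the baseline. Print-only, so the list can be reviewed before it runs.
afp_remediate_cmds() {
    afp_audit | awk -F'\t' '$1 == "DRIFT" { print "serveradmin settings " $2 " = " $3 }'
}

# Constructed sample output from a server where someone enabled guest and root
# access and left the activity log roll at the 7-day default.
SAMPLE_SETTINGS='afp:maxConnections = -1
afp:guestAccess = yes
afp:allowRootLogin = yes
afp:idleDisconnectOnOff = no
afp:activityLog = yes
afp:activityLogTime = 7
afp:errorLogTime = 14'

case "${1:-}" in
    --stdin) afp_remediate_cmds ;;                                  # live server
    *)       printf '%s\n' "$SAMPLE_SETTINGS" | afp_remediate_cmds ;;  # demo
esac
```

Run with no arguments it audits the constructed sample and prints four remediation commands (guest access, root login, idle disconnect and the activity log roll). Pipe the live serveradmin output in with --stdin to audit a real server; the script never applies anything itself, so you can read the commands before pasting them.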
LeftHand Storage uses the cliq command line for configuring their devices. cliq isn't interactive, so we end up specifying the username, password and IP of the device with each command (although you can set up a key as well if you're going to be doing automated tasks). One task that I've found to be pretty common is using cliq to enable CHAP authentication for volumes. To do so you'll use the assignVolumeChap verb. Along with the assignVolumeChap verb you will need a number of options, each written as option=value and delimited by a space. When using the assignVolumeChap verb you will need to supply the volume you are enabling authentication on, using the volumeName option. You will also need to assign the secret that will be entered on devices in order to connect to the target/volume, using the targetSecret option. With most commands you will also need to specify the address of the storage node, the administrative user for that storage node and its password, using the login, userName and passWord options respectively. You can obtain information about volumes using the getLocalVolumes verb:
cliq getLocalVolumes
To put all of these together, let's look at an example where the storage node has an IP address of 192.168.100.100, an administrative user name of admin and an administrative password of ADMINPASSWORD. For this storage node we have a volume that we have created called MYSHAREDVOLUME and want to use a secret of PASSWORDFORLUN to access it.
cliq assignVolumeChap volumeName=MYSHAREDVOLUME targetSecret=PASSWORDFORLUN login=192.168.100.100 userName=admin passWord=ADMINPASSWORD
Keep in mind that both the admin password and the CHAP secret are passed on the command line here, so they end up in the shell history and are visible to anyone who can list processes on the management host while the command runs; that is a good reason to use the key-based setup for anything automated and to clear the history afterwards. Some other important verbs we've had to use are createCluster, connectVolume, configureRaid, createRemoteSnapshot (which is good to do before making any changes, by the way) and of course createVolume (which you would need to run before assigning authentication to the volume). Each item that has a create typically has an associated delete (e.g. deleteVolume, deleteRaid) and an associated modify (e.g. modifyVolume, modifyRaid), which can be used to remove the added item and edit it, respectively. Overall, there are a lot of verbs that can be used with cliq, making it a fairly robust scripting interface if you need to automate events. Another verb I find that I use a lot when I'm first setting up a device is the getPerformanceStats verb, which has a single option, interval, the number of milliseconds between samples of the performance statistics.
Forgot the admin password in Mac OS X? Well, Apple lets you boot computers into what is known as Single User Mode. To boot a Mac into Single User Mode, hold down Command-S while the machine boots. Once the system boots up, you should see a root command prompt. Here, first check the filesystem by running fsck:
fsck -fy
Then mount the filesystem read-write:
mount -uw /
Then reset the password using the passwd command:
passwd <username>
For example, if the user is root:
passwd root
When prompted, provide the desired administrative password. Bear in mind that anyone with physical access to the Mac can do exactly the same thing, which is why a firmware password (which blocks Single User Mode and the other alternate boot modes until it is entered) belongs on any machine you care about.