krypted.com

Tiny Deathstars of Foulness

View Your Old Settings

The first step to moving services from macOS Server for pretty much all services is to check out the old settings. The second step is to probably ask if where you’re going to put the service is a good idea. For example, these days I prefer to run DHCP services on a network appliance. But it can absolutely be run on a Mac. And so let’s look at how to do that. Here, we’ll use the serveradmin command to view the settings of the DHCP service:

/Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings dhcp

The output is an array of subnets with different settings per subnet.

dhcp:static_maps = _empty_array
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_primary_server = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_router = "10.15.40.1"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_secondary_server = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_range_start = "10.15.40.2"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_range_end = "10.15.43.253"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_domain_name = "clients.msp.jamfsw.corp"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_domain_name_server:_array_index:0 = "8.8.8.8"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_domain_name_server:_array_index:1 = "4.4.4.4"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:lease_max = 36000
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_mask = "255.255.252.0"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_ldap_url = _empty_array
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_node_type = "NOT_SET"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_enabled = yes
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_NBDD_server = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_address = "10.15.40.0"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_scope_id = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:selected_port_name = "en1"
dhcp:subnet_defaults:logVerbosity = "MEDIUM"
dhcp:subnet_defaults:routers:en0 = "10.15.40.1"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:0 = "BROADCAST_B_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:1 = "HYBRID_H_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:2 = "NOT_SET"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:3 = "PEER_P_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:4 = "MIXED_M_NODE"
dhcp:subnet_defaults:WINS_node_type = "NOT_SET"
dhcp:subnet_defaults:dhcp_domain_name = "krypted.com"
dhcp:subnet_defaults:logVerbosityList:_array_index:0 = "LOW"
dhcp:subnet_defaults:logVerbosityList:_array_index:1 = "MEDIUM"
dhcp:subnet_defaults:logVerbosityList:_array_index:2 = "HIGH"
dhcp:subnet_defaults:dhcp_domain_name_server:_array_index:0 = "8.8.8.8"
dhcp:subnet_defaults:dhcp_domain_name_server:_array_index:1 = "4.4.4.4"
dhcp:subnet_defaults:selected_port_key = "en0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:0 = "en0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:1 = "bridge0"
dhcp:logging_level = "MEDIUM"

Configure DHCP Settings

The easy thing is to configure a DHCP server is using Internet Sharing from the Sharing System Preference pane. To do so, simply open System Preferences, click on Sharing and then Internet Sharing. But wait, where do you configure a scope, or the DNS Server or… The answer is “the command line” but don’t be put off by that. In this case I prefer it. 

Now, let’s go hacking around in your bootp.plist. This file is stored at /private/etc/bootpd.plist and you’ll need to sudo in order to edit the file. First, back it up. Next, let’s cat the file and cover a few basic examples of migrating the settings:

<?xml version=”1.0″ encoding=”UTF-8″?>
<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN” “http://www.apple.com/DTDs/PropertyList-1.0.dtd”>
<plist version=”1.0″>
<dict>
<key>NetBoot</key>
<dict/>
<key>Subnets</key>
<array>
<dict>
<key>allocate</key>
<true/>
<key>dhcp_domain_name</key>
<string>krypted.com</string>
<key>dhcp_domain_name_server</key>
<array>
<string>8.8.8.8</string>
<string>4.4.4.4</string>
</array>
<key>dhcp_router</key>
<string>10.15.40.1</string>
<key>lease_max</key>
<integer>36000</integer>
<key>name</key>
<string>10.15.42/22 Wi-Fi</string>
<key>net_address</key>
<string>10.15.40.0</string>
<key>net_mask</key>
<string>255.255.252.0</string>
<key>net_range</key>
<array>
<string>10.15.40.2</string>
<string>10.15.43.253</string>
</array>
<key>selected_port_name</key>
<string>en1</string>
<key>uuid</key>
<string>22217FF5-4DDB-4841-A731-EF5DA080E672</string>
</dict>
</array>
<key>netboot_disabled</key>
<array>
<string>en8</string>
</array>
</dict>
</plist>

Let’s start with a simple example of copying the range from one of these to another. First, locate the net_range_startand the net_range_endkeys in your serveradmin output. Then find the net_range array in your bootp.plist. They’re the same in my two examples because the macOS Server app was just hacking the bootp.plist (OK it was doing more but that was the main thing it was doing). On a fresh new server you might have a very different plist, so you can borrow the above if ya’ need to. Replace the two values in the two strings with those in your server if needed. 

 Next, find the dhcp_routersetting for that subnet and match it to the same in the bootp.plist. Then, the net_mask. These are all that are required for DHCP to work (technically, the router isn’t required, but it’s super-weird on Apple stuff when there’s not a router, so it’s best to have one when possible. If you need WINS, domain names, DNS Servers, etc, simply repeat the process. You can also copy and paste the code block between the <dict> sections if you need multiple subnets. Or you could move the service to a network appliance more capable, if needed.

The settings for bootp  include the following, many of which can be seen in the above output:
  • dhcp_enabled – Used to enable dhcp for each network interface. Replace the <false/> immediately below with <array> <string>en0</string> </array>. For additional entries, duplice the string line and enter each from ifconfig that you’d like to use dhcp on.
  • bootp_enabled – This can be left as Disabled or set to an array of the adapters that should be enabled if you wish to use the bootp protocol in addition to dhcp. Note that the server can do both bootp and dhcp simultaneously.
  • allocate – Use the allocate key for each subnet in the Subnets array to enable each subnet once the service is enabled.
  • Subnets – Use this array to create additional scopes or subnets that you will be serving up DHCP for. To do so, copy the entry in the array and paste it immediately below the existing entry. The entry is a dictionary so copy all of the data between and including the <dict> and </dict> immediately after the <array> entry for the subnet itself.
  • lease_max and lease_min – Set these integers to the time for a client to retain its dhcp lease
  • name – If there are multiple subnet entries, this should be unique and reference a friendly name for the subnet itself.
  • net_address – The first octets of the subnet followed by a 0. For example, assuming a /24 and 172.16.25 as the first three octets the entry would be 172.16.25.0.
  • net_mask – The subnet mask clients should have
  • net_range – The first entry should have the first IP in the range and the last should have the last IP in the range. For example, in the following example the addressing is 172.16.25.2 to 172.16.25.253.
  • dhcp_domain_name_server – There should be a string for each DNS server supplied by dhcp in this array
  • dhcp_domain_search – Each domain in the domain search field should be suppled in a string within this array, if one is needed. If not, feel free to delete the key and the array if this isn’t needed.
  • dhcp_router – This entry should contain the router or default gateway used for clients on the subnet, if there is one. If not, you can delete the key and following string entries.

Configure DHCP Reservations

To configure reservations, use the /etc/bootptab file. This file should have a column for the name of a computer, the hardware type (1), the hwaddr (the MAC address) and ipaddr for the desired IP address of each entry:

%%
# hostname hwtype hwaddr ipaddr bootfile
a.pretendco.com 1 00:00:00:aa:bb:cc 172.16.25.25
b.pretendco.com 1 00:00:00:aa:bb:cc 172.16.25.29

Starting and Stopping the Service

Once everything is configured, fire it up using the following command:

sudo /bin/launchctl load -w /System/Library/LaunchDaemons/bootps.plist

And terminate using the following command:

sudo /bin/launchctl unload -w /System/Library/LaunchDaemons/bootps.plist

Once configured, configure the service to start automatically. To do so, open /System/Library/LaunchDaemons/bootps.plist. Here, just change the Disabled key to False, by changing the word True in line 6 to False.

Troubleshooting: Inspect Leases on Clients

I did an article some time ago about how DHCP leases work. Once you have clients using the DHCP server, you can also renew and view their leases from the command line, which does not usually show you a new lease in the GUI immediately. To reset the DHCP lease from the command line, use ipconfig:

ipconfig set en0 BOOTP
ipconfig set en0 DHCP


If the information is displayed on the screen, then it has to be stored somewhere, right? When your system sends an acceptance for a lease, the leases are then stored in /var/db/dhcpclient/leases. These are stored in standard property list form using the interface, followed by the MAC address of the interface followed by .plist. For example, if your MAC address is en0-1,10:9a:cc:ab:5d:ac then the lease would cat as follows:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>IPAddress</key>
<string>192.168.210.94</string>
<key>LeaseLength</key>
<integer>86400</integer>
<key>LeaseStartDate</key>
<date>2018-02-31T15:36:59Z</date>
<key>PacketData</key>
<data>
AgEGAMHrfCMAAAAAAAAAAMCo0l4AAAAAAAAAABCa3atdrAAAAAAAAAAAAAD/AAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAA/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEFNgTAqNIBAQT///8A
MwQAAVGANAEDAwTAqNIBBghEV02CRFdIgv8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
</data>
<key>RouterHardwareAddress</key>
<data>
AAaxLwVA
</data>
<key>RouterIPAddress</key>
<string>192.168.210.1</string>
</dict>
</plist>

The keys in this file make it easier to script figuring out a few things about your active leases, such as when they’re going to expire, when the lease was accepted or even whether or not the system has a lease (especially when it shouldn’t have a lease). But they can cause misreporting. If the information seems “stuck” in the System Preferences pane you can then rm the dhcp lease file.

Note: If the RouterIPAddress cannot be reached, the lease will be delayed in processing, causing the lease to appear to take a long time to be obtained even though it’s looping to hopefully find a more appropriate lease with a RouterIPAddress that can be reached.

For anyone who uses a shell script to reset their IP address, I recommend using the following as the full script, rather than the two lines most commonly used (where $leasefile is the name of your lease file):

ipconfig set en0 BOOTP
ipconfig set en0 DHCP
rm /var/db/dhcpclient/leases/$leasefile


Being the nerd I am, I called mine ipcfg.exe and end with an echo of the IP:

ipconfig getifaddr en0

Finally, a very effective way I’ve seen people reset leases that are seriously stuck is to swap locations and then swap back. Let’s say your users generally use the “Automatic” location and you have one called “TEMP”. You can use the scselect command to see locations and switch between them. So to switch to TEMP, we would simply:

scselect TEMP

And then to select Automatic again:

scselect Automatic

Now be careful with this last little tidbit. As if you have TEMP and don’t have any interfaces active and are running remotely then you might have some walking (or driving) around to do…

Configure DHCP Options

The DHCP Service also has a number of DHCP options available; most notably the options available in the GUI. But what about options that aren’t available in the GUI, such as NTP. Well, using /etc/bootpd.plist, the same file we used to define servers allowed to relay, you can also define other options. These begin with the following keys that can be added into your property list:
  • dhcp_time_offset (option 2)
  • dhcp_router (option 3)
  • dhcp_domain_name_server (option 6)
  • dhcp_domain_name (option 15)
  • dhcp_network_time_protocol_servers (option 42)
  • dhcp_nb_over_tcpip_name_server (option 44)
  • dhcp_nb__over_tcpip_dgram_dist_server (option 45)
  • dhcp_nb_over_tcpip_node_type (option 46)
  • dhcp_nb_over_tcpip_scope (option 47)
  • dhcp_smtp_server (option 69)
  • dhcp_pop3_server (option 70)
  • dhcp_nntp_server (option 71)
  • dhcp_ldap_url (option 95)
  • dhcp_netinfo_server_address (option 112)
  • dhcp_netinfo_server_tag (option 113)
  • dhcp_url (option 114)
  • dhcp_domain_search (option 119)
  • dhcp_proxy_auto_discovery_url (option 252)
But you can also add options by their numerical identifier. To add them, add the following into your /etc/bootpd.plist file and then restart the DHCP service:

<string>dhcp_option_120</string> <data> 192.168.210.7 </data>

In the above, you’d replace the option 120 (SIP) with the option you wish to use. Numbers correspond to options as follows:
0 – Pad
1 – Subnet Mask
3 – Router
4 – Time Server
5 – Name Server
6 – Domain Name Server
7 – Log Server
8 Quote Server
9 – LPR Server
10 – Impress Server
11 – Resource Location Server
12 – Host Name
13 – Boot File Size
14 – Merit Dump File
15 – Domain Name
16 – Swap Server
17 – Root Path
18 – Extensions Path
19 – IP Forwarding
20 – WAN Source Routing
21 – Policy Filter
22 – Maximum Datagram Reassembly Size
23 – Default IP Time-to-live
24 – Path MTU Aging Timeout
25 – Path MTU Plateau Table
26 – Interface MTU
27 – All Subnets are Local
28 – Broadcast Address
29 – Perform Mask Discovery
30 – Mask supplier
31 – Perform router discovery
32 – Router solicitation address
33 – Static routing table
34 – Trailer encapsulation.
35 – ARP cache timeout
36 – Ethernet encapsulation
37 – Default TCP TTL
38 – TCP keep alive interval
39 – TCP keep alive garbage
40 – Network Information Service Domain
41 – Network Information Servers
42 – NTP servers
43 – Vendor specific information
44 – NetBIOS over TCP/IP name server
45 – NetBIOS over TCP/IP Datagram Distribution Server
46 – NetBIOS over TCP/IP Node Type
47 – NetBIOS over TCP/IP Scope
48 – X Window System Font Server
49 – X Window System Display Manager
50 – Requested IP Address
51 – IP address lease time
52 – Option overload
53 – DHCP message type
54 – Server identifier
55 – Parameter request list
56 – Message
57 – Maximum DHCP message size
58 – Renew time value
59 – Rebinding time value
60 – Class-identifier
61 – Client-identifier
62 – NetWare over IP Domain Name
63 – NetWare over IP information
64 – Network Information Service Domain
65 – Network Information Service Servers
66 – TFTP server name
67 – Bootfile name
68 – Mobile IP Home Agent
69 – Simple Mail Transport Protocol Server
70 – Post Office Protocol Server
71 – Network News Transport Protocol Server
72 – Default World Wide Web Server
73 – Default Finger Server
74 – Default Internet Relay Chat Server
77 – User Class Information
78 – SLP Directory Agent
79 – SLP Service Scope
80 – Rapid Commit
81 – Fully Qualified Domain Name
82 – Relay Agent Information
83 – Internet Storage Name Service
85 – NDS servers
86 – NDS tree name
87 – NDS context
88 – BCMCS Controller Domain Name list
89 – BCMCS Controller IPv4 address list
90 – Authentication
91 – Client Last Transaction Time
92 – Associated IP
93 – Client System Architecture Type
94 – Client Network Interface Identifier
95 – LDAP, Lightweight Directory Access Protocol
97 – Client Machine Identifier
98 – Open Group User Authentication
100 – IEEE 1003.1 TZ String
101 – Reference to the TZ Database
112 – NetInfo Parent Server Address
113 – NetInfo Parent Server Tag
114- URL
116 – Auto-Configure
117 – Name Service Search
118 – Subnet Selection
119 – DNS domain search list
120 – SIP Servers DHCP Option
121 – Classless Static Route Option
123 – GeoConfiguration
124 – Vendor-Identifying Vendor Class
125 – Vendor-Identifying Vendor Specific
128 – TFPT Server IP address
129 – Call Server IP address
130 – Discrimination string
131 – Remote statistics server IP address
132 – 802.1P VLAN ID
133 – 802.1Q L2 Priority
134 – Diffserv Code Point
135 – HTTP Proxy for phone-specific applications
136 – PANA Authentication Agent
139 – IPv4 MoS
140 – IPv4 Fully Qualified Domain Name MoS
150 – TFTP server address
176 – IP Telephone
220 – Subnet Allocation
221 – Virtual Subnet Selection
252 – Proxy auto-discovery
254 – Private use
255 – End
And that’s it. This whole thing can take 5-10 minutes. In fact, if you were using macOS Server then just backup your bootp.plist and copy it to another machine, assuming the network interface (en0, en1, etc) hasn’t changed. Or change it if it has. But, for all the other weird stuff that was in the UI (or even the stuff that was never in the UI), here’s a pretty lengthy explanation of how to manage all of it from the command line. Building a GUI to configure these wouldn’t be that hard either, assuming you have bootp built into the Mac for awhile (and I think you need it for Internet sharing). Oh, that reminds me, Internet sharing is likely to overwrite any custom settings, so once you hack the plist, don’t go back to System Preferences-based management.

March 20th, 2018

Posted In: Mac OS X, Mac OS X Server

Tags: , , , , , , , , , ,

The WD MyCloud is a pretty single-purpose device. It’s a disk with a network interface, and as with Direct Attached Storage, the MyCloud Network Attached Storage is pretty easy to connect to.

First, let’s look at connecting to the web interface via the menu item, where you can drag and drop files to the device. Once the device is configured, use the WD menu item to see your device. From there, click on the name of your device.

Alternatively, you could visit mycloud.com and sign into the web interface there. 

In both cases, you’ll see a list of files and then in the sidebar, you’ll see those options to configure settings, add integrations, view active its, and view photos that are on the device. 


From here, you can simply drag and drop files into the web page, just like with a box or dropbox account, but the files are stored on the device. Additionally, you can send a link to a file or folder. To do so, right-click on the object you wish to share and then click Share Link.

At the resulting screen, you’ll see a link. Click Copy to copy the link into your clipboard so you can paste it into an email.

You may also want other users to be able to log into your WD MyCloud. To allow them to do so, open Settings and click on Add User. Then provide the email address for the user and click on Send Invites.

Finally, you can also mount  the drive directly to computers. To do so, click on “Connect to Server” (or Command-K) from the Finder.

At the Connect to Server screen, enter the address of the server and click Connect. If you don’t know the address and you’re on the local network of the device. Additionally, if you have the menu item installed, you’ll see the device in the sidebar of your Mac. 

It’s worth noting that with the exception of the ability to share a link to a file or folder, the permissions on the device are pretty much wide open, as you can see below. Additionally, any files you bring into the device will end up with the same wide open permissions. And while you can change permissions on files, they’ll revert back. So if you will need more granular capabilities with file permissions, this might not be the device for you. This device is a very inexpensive way to do very small workgroups or home file sharing, but beyond that it could be too basic for a lot of business use cases. What I like about it though, is that it doesn’t pretend to be anything but what it is. And it does that very well, in a very easy-to-use way.

Now the MyCloud NAS comes with removable drives and a more robust interface. It’s still easy to use, but you can configure RAID levels, basic iSCSI functionality, and users. I still wouldn’t put this in front of large workgroups, but to replace a macOS Server for a small business, or as a basic NAS head, it’s a solid, easy-to-manage device.

March 19th, 2018

Posted In: Mac OS X, Mac OS X Server, Network Infrastructure

Tags: , , , ,

Hey look, there’s a new category on the Jamf Marketplace, available at https://marketplace.jamf.com/apps/#category=AppConfig,selecting the AppConfig category. The new AppConfig category gives administrators of any MDM that supports AppConfig access to a set of apps that support AppConfig. If you have an app that isn’t listed here, feel free to let me know. 

What does this mean? Well, AppConfig is a way of sending data into an app. App config allows a customer to deploy settings into applications on iOS devices in much the same way that settings can be sent into a Mac app via the defaults command. This means an end user could get an app installed on their device from the iOS App Store, a custom app, or a B2B app and that app would have any settings the user might need to connect to servers or configure the experience.

So what is Managed App Config? At it’s most basic, you identify a label and a value in XML and send it to an iOS device that’s running iOS 7 or later (e.g. via Jamf 9 and up). The vendor who makes the app has to basically define what those settings are. Which brings up an interesting problem never fully addressed with defaults domains: standardization and ease-of-use (although MCX was close). 


AppConfig.org  is a consortium of MDM vendors and software vendors that maintain the emerging AppConfig standards around Managed App Config (within the confines of what Apple gives vendors) and then makes a feed of settings for apps that conform to those standards. Jamf is a founding member of Appconfig.org, along with MobileIron and AirWatch. Examples of what you could put into the AppConfig.org feed include 
  • Enabling certain features of apps
  • Server URLs
  • Logos (if they’re pulled dynamically)
  • Text labels
  • Language packs

To see a list of apps that are available, check out http://www.appconfig.org. 

Managed App Config options are set by vendors at compile time within the code and then the XML sent with the app is parsed by the app at installation time. If you’re a software vendor who wants to get started with AppConfig, check out the Spec Creator from Jamf Research or get in touch with the developer relations team from any MDM vendor.

If you’re a customer of an app and would like to leverage Managed App Config and your vendor isn’t listed on the appconfig.org site, get in touch with them, as this is the future of app management and chances are that you won’t be the only organization looking to unlock this type of feature. 

Let’s look at how this actually works. The Managed App Config options per supported app are available on a feed. The feed is available at http://d2e3kgnhdeg083.cloudfront.net. Here, as follows, you’ll see a list of all of the apps supported.


You can then copy the path for an app, such as com.adobe.Adobe-Reaser/1/appconfig.xml and append it to the end of the URL to get the feed for that specific app. You can test this using http://d2e3kgnhdeg083.cloudfront.net/com.adobe.Adobe-Reader/1/appconfig.xml to see output as follows.


Here, note that most of these fields are key value pairs defined by Adobe (in this example at least). You can enable or disable features of Adobe Reader using these keys. The same is true with a tool like Box that might want a more granular collection of settings than a feature like Managed Open In. 

Once you have the XML, you can then copy it to the clipboard and paste it into the App Configuration tab of an app, as follows. 

Finally, Apple has sample code available at https://developer.apple.com/library/content/samplecode/sc2279/Introduction/Intro.html

March 13th, 2018

Posted In: iPhone, JAMF

Tags: , , , , , , ,

The past couple of years has forced me to rethink many of my recommendations for how you backup computers in small office and home environments. Previously, I would have said that you could use a disk attached to an Apple AirPort. But the AirPort Base Station is no longer being made. Previously, I would have said you could use Time Machine Server, a service built into macOS Server in 5.4 and below. But that service is no longer being made in macOS Server by Apple and is now found in the Sharing System Preference pane . Previously, I might have even said to use the home edition of CrashPlan, which could have backed up to their cloud and/or a home server. But that plan is no longer being offered by Code 42.

So what are we to do? Well, luckily now the offerings out there are just endless. One of those offerings is so easy, you can run out to Best Buy, return home with a WD (Western Digital) MyCloud.com drive, and be up and running in about 5 minutes. I’ll cover other options when I cover file services and Synology. But in the meantime, let’s look at setting up a WD MyCloud.com drive, account, and configuring both to work with Time Machine. 

Setup Your WD Hard Drive
First, we’ll setup the drive. This is pretty straight forward. Plug the ethernet cable into your network, wait for the drive to boot up, and then go to the MyHome setup page.

Here, you’ll be prompted to setup a My Cloud Home account. Enter a name, email address, and password. Then click on Create Account.

 
You’ll then be prompted for the device you plugged in, which is discovered on the network. Click Connect.


Choose whether you want to share product improvement data. Ever since my team as a product manager I’m a huge fan of doing so, so I clicked Share.

Once that’s done, you’ll be prompted to get the desktop app. While not absolutely necessary, it’s not a bad idea. If you want the app, click Download.

Once the app is done downloading, open the directory and open the installer.

Click Install Now.

Once complete, you’ll see the menu bar. Click it and then add your device if you don’t see it by clicking on “I don’t see my device” 

When prompted, enter your email address and password that you created earlier and then click on Sign In.

Click Skip.

Next, in the notifications area for updating the software make sure to run that. There was a pretty bad vulnerability awhile back and that will make sure you’re good. Then click on the name of your WD MyCloud Home.


Add IFTTT Alerts

I want to see when new updates, channels or options are added, so I’m going to enable that. To do so, click on Services in the sidebar. and then click on Enable for IFTTT.

Assuming the terms of service are acceptable, click “I Agree”

When prompted, choose to connect to IFTTT.

From the IFTTT site, click Connect.

Choose which options to give IFTTT for the MyCloud API.

Browse the channels and enable each that you’d like and then click “Turn on.”

Mount the MyCloud Drive
Next, open a “Connect to Server” dialog box (Command-K from the Finder) and click on Browse.

Click on the MyCloud-XXX where XXX is the identifier for your MyCloud account.

Click on the timemachinebackup folder.

The folder should initially be empty. Now let’s open the Time Machine System Preference pane.

Click on “Select Backup Disk…”

Choose Your MyDisk From Time Machine

Choose the TimeMachineBackup directory for the MyCloud Device and click on “Use Disk.”

You’ll then want to create a user for backing up. To do so, go back to the mycloud.com site and click on settings. Then click on “Add user…” and enter an email address.

The email address will get an email to setup an account. Do so and then once you’ve configured the user, enter the email address and password when prompted.

Now wait for the first backup to finish. If you ever see any errors, check them; otherwise, you should backup to the device as with a locally attached drive, but you won’t need to plug directly into the drive to run backups.

Conclusion
This doesn’t solve for a lot of use cases that Time Machine Server would have been better for. But it’s a simple task that should cost you a little over a hundred bucks and get you backing up. I’m still a fan of cloud services. Backblaze, Carbonite, and others will backup your data for an annual fee of a little less than what a MyDrive costs. I’ll cover those in later articles, but for now, you’ve got a backup on your network, which even if you use one of those services is a great option in the event of hardware failure, as you can quickly get back up and running with a full system restore!

March 12th, 2018

Posted In: Mac OS X, Network Infrastructure

Tags: , , , , , ,

I have a new article for Thrive Global (another Arianna Huffington property) available at Thrive Global. This one is on “Tools and best practices on monitoring and teaching your kids responsible mobile device use.” It starts out like this:
My world changed when I awoke one day to find my 4-year-old daughter with a tablet in her hands, watching Transformers. The sight unleashed a handful of worries I hadn’t before experienced. Prior to that morning, I knew her to be fan of Star Wars figures, Legos and stuffed animals. And while I wasn’t displeased by her choice to watch a Michael Bay movie, I did start thinking about what else she could access on the device.
Click here to read more…
Screenshot of "Embracing (and managing) tech for your iGen child"

March 11th, 2018

Posted In: iPhone

Tags: , , , , ,

In an earlier article, I mentioned that MAMP Pro was still the best native GUI for managing web services on the Mac, now that macOS Server will no longer serve up those patchy services. After we cover the management in this article, you’ll likely understand why it comes it at $59. 

So you’ve installed MAMP. And you need more than the few basic buttons available there. So MAMP Pro came with it and you can try it for a couple of weeks for free. When you open MAMP Pro, you’ll see a screen where you can perform a number of management tasks. This is a more traditional side-bar-driven screen that will look like what Server Admin might have looked like before the web services screen got simplified in macOS Server.

The Hosts item in SETTINGS will show you each host installed on the server. Think of a host as a site. Each web server can serve up a virtually unlimited number of websites. You can configure an IP binding to the site, or hav
 
If you click on the plus sign, you can add a site. In this example, I’ll add www.krypted.com and then click on create. When doing so, you can configure a database for each site (e.g. if you’re doing multi-tenant hosting), build a site off a template, or select a root directory for the site. 



The Apache tab of each host allows you to configure host-specific settings, including enabling options for directives such as Indexes, Includes, SymLink following, and CGI. More options than were in macOS Server for sure. You can also order allows, allow overrides, add new directives, set the index (or the default page of each site), add additional virtualhosts (such as krypted.com for www.krypted.com), and add a server admin email address. 

These were Apache-centric settings for each host. Click on the Nginx tab if you’re using Nginx instead of Apache. Nginx is a bit less “patchy” so there are a fewer options here. But they’re similar: Configure an index, add parameters, and a feature not available in the GUI options for Apache: allow or deny access based on IP.
 
The SSL tab allows you to generate a CSR, upload the cert and key file, and force connections to use https.

The Extras tab allows you to automatically install standard web packages. For example, here we’ll select WordPress.

Click on the Databases tab. To connect a site to a database, enter the name of the database when prompted. Note: the site itself will need credentials in order to connect, and if you’ve setup an “Extra” in the above step, the database will automatically be configured.

Next, let’s configure the ports used by the web servers. The previous settings were per-site. The rest that we cover in this article will be per-server, as these are global settings applied to the daemons themselves. Each of those services will have a port or ports associated with them. For example, the standard web port used is 80 or 443 for SSL-based connections and the standard port for MySQL is 3306. For publicly-facing sites these would be the standard ports, and given how common they are, there’s a button for “Set ports to 80, 81, 443, 7443, 3306”. Otherwise, you can enter each independently. Because the attaching of daemons is done here, this is also where you configure the user that services run as, as well as when to start the services and truncate log files.

The Editor option configures how the editor appears, which we’ll cover last in this article. The Editing option manages how the editor works (e.g. things  like tabs, autocompletes, etc.

The Fonts & Colors tab allows you to select each color assigned to various types of text.  

The Default Apps tab allows you to configure which app is opened when opening each type of file supported. 

Again, we’ll look at the editor later in this article. First, let’s finish getting the web server setup. Click on Apache. Here, you can load new Apache mods you download from the interwebs. I should mention that an important security step in locking down a publicly-facing web server is to disable all of the mods you don’t absolutely need. 

At the bottom of this screen, there’s also a handle little link to the directory with your logs, so you can read through them if needed.

The Nginx option underneath is similar. Access to log files is there, as is the ability to enable installed Nginx mods. 

The MySQL option also provides access to some straight-forward command-line options, but in a nice GUI. Here, you can configure a root password for MySQL ( which does this: Reset A Lost MySQL Password ), enable phpMyAdmin, MySQL Workbench, and Sequel Pro-based administration, enable network access to the MySQL Service (using ports configured in the Ports section of the app) which I cover at Allow Remote Connections To MySQL, and view logs.

The Dynamic DNS options are cool. Click there, and if your web server is behind a DHCP address, you can configure a dynamic DNS service including DNS-O-Matic, no-ip.com, dyn.com, easydns.com, etc. This way when you reboot and get a new IP address from your ISP, it’ll update the service automatically.

Memcached is a distributed memory object caching system. It’s used to make sites appear faster or to distribute caching between servers for systems that, for example, get clustered. It’s included here for a reason, I’m sure of it! Either way, I actually use it for a few things and like the fact that it’s there. To enable, simply choose how much memory to give it, configure the logging level (usually low unless you’re troubleshooting), and gain access to logs. If you check the “Include Memcached server in GroupStart” then memcache will fire up when you start your web services.

Click postfix. Here, you configure your server to route mail through an email account. If you run this from the command line, you can also configure your server to be a mail server; however, when you do that you’re likely to get mail bouncing all over the place. So if the server or a service on the server is supposed to send mail, it’s usually best to route through something like a gmail account. 

The Languages section allows you to configure how PHP, Python, Perl, and Ruby work on the server. For PHP, you can configure which version of PHP is installed, configure a version of PHP for hosts, enable caching (different than memcached), enable a few basic extensions (I’ve been playing with oauth a lot recently), choose logging options, and have a simple way to see the logs. 

Since you’re running on a Mac, you already have Python, but if you click on the Python option, you can make the version of Python bundled with Mac is 2.7.10 instead of 2.7.13.

Click on Perl to do the same.

Click on Ruby to do the same.

The editor is also pretty easy to use. Simply use the plus sign to add a file you’d like to edit. Keep in mind when browsing that everything MAMP Pro needs is self-contained in the /Applications/MAMP directory, so it should be pretty easy to find files for editing. 

And that’s it. This seems like a lot of stuff, but between sites like ServerFault and other Apache/Nginx articles, you’ll likely find most of the things you need. It’s worth mentioning that I consider this another baby step to just managing Apache using config files. macOS Server tried hard to reduce the complexity of where different settings and options are derived from; MAMP Pro makes no allusion that web server management should be so simple. That’s one of the things I like about it. It’s like you went from riding in a buggy on the back of a bike to riding with training wheels. The more you know, the better off you are.

March 10th, 2018

Posted In: Mac OS X, Mac OS X Server, Mac Security, WordPress

Tags: , , , , , , , , , , ,

February 21st, 2018

Posted In: MacAdmins Podcast

Tags: , , ,

Been working on a new plugin to embed device details from Jamf Pro into Jira Service Desk. It looks a little like this:


To access the plugin, see the links below.

https://github.com/krypted/Jira-Device-Lookups-in-Jamf

February 13th, 2018

Posted In: JAMF

Tags: , , , , ,

Many of the people that read my articles undoubtedly arleady know this, but Apple has announced a sharp reduction in the number of services provided. Per this article, the Calendar, Contacts, DHCP, DNS, Mail, Messages, NetInstall, VPN, Websites, and Wiki services are being deprecated and Apple has provided a few services, per service, that they recommend moving to. Those services, per the above article, include the following:

Calendar

Contacts

DHCP

DNS

Mail

Messages

NetInstall

VPN

Websites

Wiki

I’ve been saying many of these services/features should go away in macOS Server so the developers could focus on providing an excellent experience and solid QA/unit testing for the services/features that remain. The fact that apps are being swiftified is great, as it speaks volumes to the future of the services themselves. The fact that Apple is reducing the number of licenses they’re tracking and the mistake they’re allowing customers to make is also great.

Having said that, every time I think that a service should go away, I hear from someone that they rely on that service. Most of this feedback comes from consultants who have made the server a central part of their consultancy. As someone who used to plan services as products for customers in consultancies, if you find yourself in similar situations when planning where services go when Apple retires them, I would strongly recommend looking at SaaS solutions where customers can give you a login and you can help guide them into a new and better solution. At least, that’s the way I positioned most of these services in the last version of the macOS Server book…

Yes, it was great having Apple handle all of the patching and customers were able to take advantage of a lot of technology with very few resources. However, that’s just not where we are any more. And rather than argue about it or try emailing Tim Cook or make petitions or even complain, save your cycles and look for new and better replacements for each service (preferably not ones that require physical servers, provided that customers are okay with that)! 

And stay tuned. I suspect we’ll cover this on an upcoming episode of the Mac Admins Podcast! 😉

What are your thoughts? Remorse? Applause?

January 25th, 2018

Posted In: Mac OS X, Mac OS X Server

Tags: , , ,

December 29th, 2017

Posted In: MacAdmins Podcast

Tags: , , , , ,

« Previous PageNext Page »