Tiny Deathstars of Foulness

There are two defaults keys that can be used to manage the recent places options in the OS X Finder. Both are in the .GlobalPreferences. The first is NSNavRecentPlaces and the second is NSNavRecentPlacesLimit.

The NSNavRecentPlacesLimit key limits the number of items that are stored in the list. To increase the default to, let’s say, 20, use the defaults command to set the NSNavRecentPlacesLimit key to an integer of 20:

defaults write .GlobalPreferences NSNavRecentPlacesLimit -int 20

Then use defaults to read the setting:

defaults read NSNavRecentPlacesLimit

You’ll need to “killall Finder” in order to see this in a Finder Save dialog. You can also inject items into the RecentPlaces array, called NSNavRecentPlaces, or delete the objects in the array. The array appears as follows:

NSNavRecentPlaces =     (

You can set these using defaults write as well, writing the NSNavRecentPlaces as a list of quoted and comma separated values (note the ‘):

defaults write NSNavRecentPlaces = '("/test","/test2","/test3")';

Or, if you only want to clear the recent places list, delete the key:

defaults delete .GlobalPreferences NSNavRecentPlaces

March 11th, 2016

Posted In: Mac OS X, Mass Deployment

Tags: , , , , , , , ,

One of the more common requests we get for iOS devices is to restrict what sites on the web that a device can access. This can be done in a number of ways. One is using the content filter option in Apple Configurator 2. The second is using a Global HTTP Proxy. We’ll cover both here, using custom profiles. Both require the device be Supervised.

Use the Content Filter

To enable the Content Filter, open Apple Configurator and click on the New menu. From there, click on Content Filter in the sidebar. You have three ways you can use the Content Filter. These include:

  • Built-in: Limit Adult Content: A basic profile that allows you to specifically whitelist and blacklist sites. This gives you very basic control of sites. Here, use the plus sign to enter a URL, as you can see here.

Screen Shot 2015-10-26 at 3.43.56 PM

  • Built-in: Specific Websites Only: This option only allows certain sites, and creates a badge for each in the bookmarks list of Safari.

Screen Shot 2015-10-26 at 3.52.40 PM

  • Plug-in: Allows you to install third party plug-ins on iOS devices. If using this, you would likely have instructions for building the profile from the vendor.

Screen Shot 2015-10-26 at 3.54.06 PM

The Content Filter is a pretty straight forward profile, except when using the plug-ins. Close the screen to save the profile.

Screen Shot 2015-10-26 at 3.56.37 PM

Once saved, you can use the filter profile in blueprints, via an MDM solution, or install manually through Configurator.

Use the Global HTTP Proxy

In Apple Configurator 2 there’s an option for a Global HTTP Proxy for Supervised devices. This allows you to have a proxy for HTTP traffic that is persistent across apps, and to have that proxy applicable when users go home or if they’re in the office/school. If you have a PAC file, you can deploy the global proxy using that, by selecting Auto as your deployment option.

Screen Shot 2015-10-26 at 4.01.47 PM

If you don’t use a PAC file, you can also manually define settings to access your proxy. Here, we specify the proxy server address and port, as well as an optional username and password. Additionally, new in Apple Configurator 2, we have the option to bypass the proxy for captive portals, which you’ll want to use if you require joining a network via a captive portal.

Screen Shot 2015-10-26 at 3.59.37 PM

Each Wi-Fi network that you push to devices also has the ability to have a proxy associated as well. This is supported by pretty much every MDM solution, with screens similar to the following, which is how you do it in Apple Configurator.

Screen Shot 2015-10-26 at 4.03.59 PM

I am all about layered defense, though. Or if a proxy is not an option then having an alternative is a great call. Another way to disable access to certain sites is to outright disable Safari and use another browser. This can be done with most MDM solutions as well as using a profile. To see what this would look like using Apple Configurator 2, see the below profile.

Screen Shot 2015-10-26 at 4.05.50 PM

Now, once Safari has been disabled, you then need to provide a different browser. There are a number of third party browsers available on the App Store. Some provide enhanced features such as Flash integration while others remove features or restrict site access.

In this example we’re using the K9 Web Protection Browser. This browser is going to just block sites based on what the K9 folks deem appropriate. Other browsers of this type include X3watchMobicip (which can be centrally managed and has a ton of pretty awesome features), bSecure (which ties in with their online offerings for reporting, etc) and others.

While this type of thing isn’t likely to be implemented at a lot of companies, it is common in education environments and even on kiosk types of devices. There are a number of reasons I’m a strong proponent of a layered approach to policy management for iOS. By leveraging proxies, application restrictions, reporting and when possible Mobile Device Management, it becomes very possible to control the user experience to an iOS device in such a way that you can limit access to web sites matching a certain criteria.

November 1st, 2015

Posted In: Apple Configurator, Mass Deployment

Tags: , , , , , , ,

A nifty little new option that came in OS X 10.9 Mavericks and stays in Yosemite is the ability to delete all of the firmware variables you’ve created. This can get helpful if you’ve got a bunch of things that you’ve done to a system and want to remove them all. If you run nvkram followed by a -p option you’ll see all of the configured firmware variables:

nvram -p

If you run it with a -d you’ll delete the given variables that you define (e.g. boot-args):

nvram -d boot-args

But, if you run the -c you’ll wipe them all:

nvram -c

October 31st, 2014

Posted In: Mac OS X, Mac OS X Server, Mass Deployment

Tags: , , , ,

The next chapter of my next book is again available free for TidBits readers at

This article is a pre-release chapter in the upcoming “Take Control of OS X Server,” by Charles Edge, scheduled for public release later in 2014. Apart from “Chapter 1: Introducing OS X Server,” and “Chapter 2: Choosing Server Hardware,” these chapters are available only to TidBITS members; see “‘Take Control of OS X Server’ Streaming in TidBITS” for details.

Hope you enjoy! And thanks again to Adam and Tanya for their awesome editorial!

June 3rd, 2014

Posted In: Articles and Books, Mac OS X Server

Tags: , , ,

Well, it’s that time of the year when one of my favorite conferences opens up registration! Come one, come all to MacSysAdmin for good times, good people and lots of fun Macinnerdiness! I hope to see you there! The official page is up at
Screen Shot 2014-04-13 at 8.02.49 PM

April 14th, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, public speaking

Tags: , , , ,

Nice and easy one today. By default, the Safari status bar is disabled at the bottom of a Safari screen. To enable:

defaults write ShowStatusBar -boolean YES

January 31st, 2014

Posted In: Mac OS X, Mass Deployment

Tags: , , ,

Some iOS and/or OS X deployments require us to create a boatload of Apple IDs. This could be to redeem VPP codes, to do iOS backups, to configure Messages, now giving the ability for OS X Server users to password reset for themselves, etc. I have sat and manually created Apple IDs for a number of clients. I’ve created dozens at a single sitting and there are some serious annoyances and challenges with doing so manually. For example, you’re gonna’ fat finger something. If you type 10 things in for 50 accounts then it’s hard to imagine you’re not gonna’ mess something up in one of those 500 fields. It’s also time consuming and well, just annoying.

Then, along came a script. That script allowed us to create loads of IDs on the fly. Now, we have a very nice GUI tool called the Apple ID Automation Builder that can be used to batch create a number of Apple IDs on the fly. Brought to us by Greg Moore and hosted by, this is one of those rare finds that is a serious time saver and very valuable when you need it in your bat belt. Great little tool, well worth the money and I look forward to providing Greg with plenty of accolades should we ever meet!

May 12th, 2013

Posted In: iPhone, Mac OS X, Mac OS X Server

Tags: , , , , , , , ,

JAMF has announced the 2012 rendition of their National User Conference. Having been to two of these, I can say that if you use any JAMF products that it is a great event to attend. It is a lot of very specific information about integrating, mass deploying, mass managing, mass document distributing and mass 3rd partying for Apple products.

The National User Conference will be held October 23-25 2012, 8:00 am – 5:00 pm in beautiful Minneapolis, Minnesota (where all the cool kids live). The venue is one of the best conference spots I’ve seen in the Guthrie theater, overlooking the stone arch bridge. In previous years, there have been announcements, new versions, people discussing their specific integrations, etc. I would also think that if you use another product that you might find the conference helpful, as you get to see whether the grass really is greener on the other side!

Anyway, I recommend coming out to Minneapolis for this one if you can. And if you do, let me know!

June 18th, 2012

Posted In: iPhone, Mac OS X, Mass Deployment

Tags: , , , , , ,

A special thanks to Nick McSpadden for his third submission to With all the new changes in OS X/Server I haven’t even had time to write as many in such a span!!!

This is a follow up post to the Firefox Management guide.

Knowing how to use the CCK to manage Firefox, the next big question is: how do we get this into Munki? It’s unfortunately not as cut and paste as we’d hope, because, with all things, Firefox tends to make us do a bit of work to get what we want from it.

Importing Firefox 10.0.10 ESR (current version as of writing time) into Munki is easy. You can add whatever other stuff you need to the pkginfo, but it tends to take care of itself.

Importing the CCK into Firefox is where this gets fun. Luckily, some very smart people have figured this out, thanks to the MacEnterprise mailing list. See the conversation here: Credit goes to Nate Walck for the script and Greg Neagle for the advice.

If you are deploying the CCK into the internal Firefox application distribution directory, then you may notice that a vanilla install of Firefox does not have the directories. We’ll have to create them as part of the install process.

If you want to put the Firefox CCK files somewhere other than inside Firefox, you’d need to change the add-on scopes for Firefox to load it. This isn’t really ideal either, because it requires micromanaging the Firefox install, which means that every time you import a new Firefox update, you have to do a lot of manual labor to make sure all these preferences get included.

One solution is to repackage Firefox with the CCK itself and deploy that as one. It works just fine, but it’s a lot of work – especially with Firefox’s release schedule. You’d have to rebundle it for Munki every six weeks. Pox on that, I say. But editing Firefox preferences is also undesirable for the extra work it generates.

Greg’s suggestion: a symlink! Throw the CCK anywhere, such as /Library/Application Support/FirefoxCCK/, and then create a symlink into Firefox’s bundles directory.  In this post, I’ll be using the example CCK configuration named “” as in my last post.

There are a few pieces to this we need to incorporate:

  1. A postinstall script for Firefox that guarantees the establishment of the symbolic link between the CCK location and the internal Firefox bundles directory.
  2. A package for the CCK itself that drops the items in the location you want, with the appropriate installs key to ensure it reinstalls if deleted.
  3. The CCK package should also establish a symbolic link to itself if one does not already exist.
  4. A guaranteed reinstall of Firefox, should it be deleted, that also incorporates the re-establishment of the symbolic link.

We can accomplish part of this in a postinstall script for Firefox in Munki:

mkdir -p -m 755 /Applications/
mkdir -p -m 755 /Library/Application Support/FirefoxCCK/
if [ ! -L /Applications/ ];
 ln -s /Library/Application Support/FirefoxCCK/ /Applications/

The if statement above is potentially unnecessary, since it’s unlikely there would be a situation in which Firefox would install but somehow the internal contents of /Contents/MacOS/distribution/bundles/ is preserved, but I figure the extra check won’t hurt.

You can also set this same script to be a postinstall_script for the CCK package, so that if you ever have to add more addons to Firefox, you can guarantee that the symbolic link will be established.

To guarantee the sanctity of our CCK, we’d have to add an installs item to check that the unpacked CCK exists. We check the CCK’s path, and that the CCK’s md5 matches the expected one (so that we can guarantee it hasn’t been changed). The CCK’s existence and its md5 should be installs keys for the CCK itself.  In this case, I do not explicitly call for an installs check on the symlink itself, on the basis that it’s extremely unlikely someone will delete the symbolic link but not  Unless the user has administrative privilege, they can’t delete either of them anyway.  If your users have administrative privileges, then it doesn’t really make sense to manage Firefox for them.

The installs keys for Firefox:


The installs keys for the CCK package (obviously you’ll need to change your checksum accordingly):

 <string>/Library/Application Support/FirefoxCCK/</string>
 <string>/Library/Application Support/FirefoxCCK/</string>

We do it this way to guarantee that the CCK is always linked to the correct place in Firefox, even if Firefox is updated, or installed separately. Since Firefox always creates the symlink as part of its install, we don’t have to worry about it breaking if the user deletes Firefox, or Firefox gets updated to a new version (which won’t have the directories or symlink inside it by default).

The CCK will only get reinstalled if it’s missing from the /Library/Application Support/ folder (or wherever you initially stashed it).

This way, as long as the CCK is listed as an update-for for Firefox, you’ll always guarantee that the correct Firefox management is installed.  The only thing you need to remember to do is copy the postinstall_scripts to each new version of the Firefox and CCK pkginfos (although the CCK pkginfo will need a new checksum if you make changes).

June 5th, 2012

Posted In: Mass Deployment

Tags: , , ,

The following is a post from the most excellent Nick McSpadden. It is very well written and I am proud that it is the first article published on this site using the new submissions page. Looks like it’s time to change the banner from my Notes from the Underground, er, I mean, Field, to just Notes from the Field!


This is a sort of follow-up to my guide on managing Firefox, this time focusing on managing Google Chrome. I’m working on current Chrome version 18 (which just today got updated to 19), and I don’t know for sure how far back this will work, but I think anything higher than v16 properly supports the MCX policies.

The good news about Google Chrome is that it supports MCX! Unlike Firefox, which requires specific and somewhat obtuse procedures for managing it (including depending upon an add-on that is independently maintained by a hard working individual), the most important parts of Chrome management can be done with already-existing MCX controls.

First let me start off with a link to a very helpful set of information:
That link covers just about everything you’ll need to know about Chrome policies and management, though some of it is buried. I discovered (much to my chagrin) that the Chromium site is much more thoroughly documented that Google’s official “Chrome for Administrators” site.

Some important notes about Chrome MCX: all Chrome policies are required to be set to “Always.” They’re like Profiles from Profile Managers – there’s no middle ground. Even if you set it to “Once” or “Often,” Chrome will treat the policy as permanent and prevent the user from changing it. Any policy being managed by MCX in Chrome will be grayed out to user interaction (and there will be a message in the “Options” window about how some settings are being managed by the administrator). So you’re going to have to “Always” manage these settings whether you like it or not.

The good news is, there’s an alternative, the Master Preferences. The downside is that the Master Preferences is a “once” option, and doesn’t prevent the user from changing it. It’s a good way to provide default settings without restricting the users’ ability to personalize it later on. More on that later.

So, following the Mac Quick Start Guide: (

1. Inside a fresh copy of Google Chrome is a nice fresh copy of the manifest. Access it here: /Applications/Google

2. Load this manifest into WGM

3. Here’s the full description of all policies in the Chrome manifest:

4. There are some particularly important settings that will be relevant to most. Here’s what my plist looks like for a lab computer (no individual users):

  • AutoFillEnabled – False (disables the ability to store autofill information)
  • BookmarkBarEnabled – True (forces the bookmark bar to show up on all tabs, all the time)
  • HideWebStorePromo – True (prevents the web store from trying to sell you things, but does not disable the web store)
  • HomePageIsNewTabPage – False (if you don’t disable this, the homepage will be set to the default Chrome tab page, which opens up the “Most Visited/Apps” switcher)
  • HomepageLocation – URL (even if you set this, if HomePageIsNewTabPage is set to true, this URL gets ignored)
  • PasswordManagerEnabled – False (for lab machines, I don’t want them saving passwords, intentionally or accidentally)
  • RestoreOnStartup – 0 (0 forces it to open the homepage URL on startup)
  • SyncDisabled – True (same reason as Password Manager – I don’t want these personalized at any time).

That gives you a basic setup for most things you’ll need to worry about. If you deploy this, you’ll notice a few problems, though. The first time you launch Chrome, it gives you an undismissable dialogue box asking you if you want to make Chrome the default or submit other info. That’s bad. The above manifest also provides no way to control the auto update mechanism, if that’s something you want to do.

This is where the Master Preferences file comes in – By specifying a Master Preferences file, we can load up default preferences for user accounts *when they are created.* Note that the Master Preferences file has absolutely no effect on already existing Chrome profiles – only upon new-user generation does Chrome load this file. It literally copies and pastes the settings in here into the appropriate places in ~/Library/Application Support/Google/Chrome/Default/Preferences.

On Mac OS X, the Master Preferences file must be located at:
/Library/Google/Google Chrome Master Preferences
(yes, really – the file must be named “Google Chrome Master Preferences” with no extension), and must obviously be readable by any user who can launch Chrome (i.e. use 644 permissions).

The Master Preferences file is a JSON file that can contain any of the preferences normally used by Chrome. If you want the full list of all possible preferences, load up a default Chrome profile and take a look at the Preferences file I mentioned at the path above. It has everything you’d ever want (and a lot of stuff you probably don’t). To save you some time, here are some important ones you’ll want to use specifically for deploying Chrome:

"homepage_is_newtabpage" : false,
"browser" : {
"show_home_button" : true,
"check_default_browser" : false
"bookmark_bar" : {
"show_on_all_tabs" : true
"distribution" : {
"skip_first_run_ui" : true,
"show_welcome_page" : false,
"import_bookmarks" : false,
"import_bookmarks_from_file" : "/Library/Google/chrome_bookmarks.html",
"make_chrome_default" : false
"sync_promo" : {
"user_skipped" : true

The page I linked above goes into a bit more detail about this, but I want to give a quick note about the interaction between preferences and MCX. MCX always wins. Any policy managed by the MCX and also specified in the Master Prefs will always go the MCX policy. In the example above, if I had set “homepage_is_newtabpage” to true, it would still be false because MCX sets it to false, and that policy is always enforced.

The really import part is the “distribution” section. “skip_first_run_ui” will get rid of that annoying dialog box that comes up when you first launch Chrome. The “import_bookmarks” option asks the user through a UI dialog box if the user wishes to import bookmarks from another browser. Obviously, we want to suppress that. There’s an option instead to silently import bookmarks from an HTML file. You can create this bookmarks HTML file by setting up the bookmarks the way you want, and then Exporting them in the Bookmark Manager. I place that bookmarks file in /Library/Google/ because it’s already used, but you can put it anywhere. There is, however, a known bug that has now been assigned a milestone and a solver in Chromium’s bug list – the “import_bookmarks_from_file” is actually ignored if the “skip_first_run_ui” is set to true. So right now, you can’t silently import your bookmarks in.

The “sync_promo” item doesn’t seem to be necessary if you disable Sync in the MCX settings above, but since MCX policy always wins over Master Prefs, there’s no penalty or downside to including it.

Note that your JSON syntax has to be perfect for this to work. Any incorrect comma placements, and it simply ignores your master prefs file. If you find that your Master Prefs isn’t loading up as expected, run Chrome from the Terminal with the debug log turned on to see what’s happening:
/Applications/Google Chrome –enable-logging –v=1
This places a file called “chrome_debug.log” in ~/Library/Application Support/Google/Chrome/Default/ (i.e. default user data directory). The first line will tell you exactly what went wrong with your Master Prefs file.

Now, there’s still one more problem here: new tabs open up to the default Chrome “New Apps / Most Visited” switcher page (called the newtab page). Unfortunately for us, there’s no way to change this behavior present in the UI. The good news is, this behavior annoys plenty of other users, and there are a million extensions you can use to get rid of it. More good news, is that you can silently include extensions in your MCX manifest!

So simply add this to your MCX settings above (forgive the pseudo XML here, just to indicate type of key):
<array> <string>lcncmkcnkcdbbanbjakcencbaoegdjlp;</string> </array>

This silently forces the install of an extension called “Empty New Tab Page,” and specifies an update URL for it (required, since Chrome autoupdates its extensions too if they come from the Chrome Web Store / Extensions pages). The extension does what you think it does – you get a blank page. There are other extensions for customizing the new tab pages, or anything else, so as long as you get the extension ID (it’s the long block of letters in the beginning), you can load whatever you want in here.

There you go! I’ve tested this using Local MCX on my 10.6 and 10.7 machines, and it works perfectly (deployed through Munki as well). On the whole, Chrome is a bit easier to manage and deploy than Firefox, just because it doesn’t require modifying the app itself to do this. Also, the Master Preferences file works for any instance of Google Chrome – even if the users install a copy somewhere other than /Applications. This also does work for Chromium, the open-source version of Chrome.

Hope this helps someone.

May 19th, 2012

Posted In: Mass Deployment

Tags: , , ,

Next Page »