Tiny Deathstars of Foulness

It can be tough to get information about larger Mac deployments. I’ve written a few books on it. Apple has built some pages on it. But many prefer to consume their content through video. As such, Sean Collins has teamed up with to put together an IT Administrator’s Guide for El Capitan. With topics ranging from SIP to DEP, and all the acronyms in the middle, Sean’s soothing voice will guide you through what you need to get started with a new Mac deployment.

Screen Shot 2016-01-15 at 2.11.19 PM

Many a job can seem daunting, but with this latest addition to our arsenal, you’ll instantly feel less intimidated. It’s like the Sun A of the Mac world. But afterwards, when you go into corpse pose, you won’t fall asleep, because the content is too good. Check it out here:

January 15th, 2016

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , ,

If you’re interested in Mac Security, the next edition of my Enterprise Mac Security book is now shipping. You can get it here The book is shipping from 3rd party sellers, but should ship directly from Amazon soon at the regular price. I don’t usually know exactly when, but it should also appear for Kindle and on the Apple Books store as well. Hope you enjoy!

Screen Shot 2016-01-11 at 8.27.19 PM

January 12th, 2016

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , ,

There are a couple of parts to this article. The first is to describe the server command, stored in /Applications/ The description of the command by Brad Chapman was so eloquently put on this JAMF Nation post that I’m just gonna’ paste it in here:

So … I just installed Server 5.0.x tonight on my Mac Mini running Yosemite (10.10.5). There was a question that came up during JNUC about upgrading Server and having a way to accept the license agreement without going through the GUI.

So for shits and giggles I tried:

server setup

It’s not documented. And lo and behold, I got the prompt to accept the license agreement just like you do with Xcode.

Post your trip reports here! Can this be automated?

tardis:~ chapman$ sudo server setup
To use server, you must agree to the terms of the software license agreement.

Press Return to view the software license agreement.

---insert license agreement here---

Do you agree to the terms of the software license agreement? (y/N) y

Administrator access is required to set up OS X Server on this Mac. Type an administrator's user name and password to allow this.
User name: chapman

Initializing setup...
Getting server state...
Getting host names...
Writing server settings...
Configuring Service Authentication...
Creating certificates...
Getting certificates...
Renewing certificate...
Enabling server password hashes for local users...
Creating service principals...
Initializing certificates...
Preparing services...
Preparing Caching service...
Preparing Calendar service...
Preparing Profile Manager service...
Preparing File Sharing service...
Preparing Software Update service...
Preparing Messages service...
Preparing Mail service...
Preparing Web service...
Preparing Calendar service...
Preparing Wiki service...
Preparing Calendar service...
Preparing Profile Manager service...
Initializing Wiki...
Initializing Mail...
Initializing VPN...
Initializing Xcode...
Enabling autobuddy for local accounts...
Updating admin password policy...
Checking DNS Configuration...
Reading DNS configuration...
Completing setup...

server encountered errors during setup:

Unknown error
tardis:~ chapman$

I don’t know what the ‘unknown error’ was.

The error is pretty much typical. I rarely see a server that doesn’t spawn some kind of error, and most errors will throw this. Oh well. The only option that he didn’t mention that isn’t meant for internal use is help, which doesn’t even indicate setup as a verb. Now, here’s where it gets fun. This is cute, but if you’re scripting  a full server setup, you’ll want to bust out a little expect script here. I’m gonna’ put the username and password in cleartext here, to keep the script readable:

set timeout 300
spawn server setup
expect "Press Return to view the software license agreement." { send \r }
expect "Do you agree to the terms of the software license agreement? (y/N)" { send "y\r" }
expect "User name:" { send "MYADMINUSERNAME\r" }
expect "Password:" { send "MYPASSWORD\r" }

Obviously, you would replace MYADMINUSERNAME with your admin username and MYPASSWORD with your password. But basically, drop the on a machine, run this, and you’re good to go. Now, hypothetically, if you’re spinning up a Caching server (e.g. if you’re building out 100 caching servers, this might come in handy), then you could use the commands described in this article I wrote earlier.

October 28th, 2015

Posted In: Mac OS X Server, Mass Deployment

Tags: , , , , , , , , , ,

The latest and greatest of the Enterprise Mac Admin’s Guide is now available for Pre-Order at This is an interesting update. If you happened to see the previous edition, I’d described more about Casper than most of the other third party products on the market.

Screen Shot 2015-10-22 at 11.06.21 AM

In this edition, there’s still an equal amount of information on Casper, but now there’s also more information on FileWave, and a whole chapter on the open source toolchain of products, including Munki and AutoPKG. The main reason I decided to update this title was actually the change from focusing on directory services (which still has plenty of page count) to focusing on profile management.

The most substantial update to the book was Bill Smith though. Bringing him in as a co-author provided a lot of new insight, new content, and a good bit of cleaned up text. He’s been great to work with!

This was a pretty big update, so hope you enjoy!



October 22nd, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , ,

There is a nifty feature in the profiles command in El Capitan (dating back to Mavericks), where you can configure profiles to install at the next boot, rather than immediately. Use the -s to define a startup profile and take note that if it fails, the profile will attempt to install at each subsequent reboot until installed. To use the command, simply add a -s then the -F for the profile and the -f to automatically confirm, as follows (and I like to throw in a -v usually for good measure):

profiles -s -F /Profiles/SuperAwesome.mobileconfig -f -v

And that’s it. Nice and easy and you now have profiles that only activate when a computer is started up.

October 12th, 2015

Posted In: Mac OS X Server

Tags: , ,

Installing OS X has never been easier than in Yosemite. In this article, we’ll look at upgrading a Mac from OS X 10.10 (Yosemite) to OS X 10.11 (El Capitan) to . The first thing you should do is clone your system. The second thing you should do is make sure you have a good backup. The third thing you should do is make sure you can swap back to the clone should you need to do so and that your data will remain functional on the backup. Once you’re sure that you have a fallback plan, let’s get started by downloading OS X El Capitan from the App Store. Once downloaded, you’ll see Install OS X El Capitan sitting in LaunchPad, as well as in the /Applications folder.

Screen Shot 2015-09-23 at 11.27.08 PM

Open the app and click Continue (provided of course that you are ready to restart the computer and install OS X El Capitan).

Screen Shot 2015-09-23 at 11.27.51 PM

At the licensing agreement, click Agree (or don’t and there will be no El Capitan for you).

Screen Shot 2015-09-23 at 11.28.16 PM

At the pop-up click Agree again, unless you’ve changed your mind about the license agreement in the past couple of seconds.

Screen Shot 2015-09-23 at 11.28.35 PM

At the Install screen, click Install and the computer will reboot.

Screen Shot 2015-09-23 at 11.28.56 PM

And you’re done. Now for the fun stuff!

Screen Shot 2015-09-23 at 11.29.43 PM

October 11th, 2015

Posted In: Mac OS X, Mac OS X Server

Tags: , , , , , ,

A bootable installer is one of the fastest ways to install El Capitan. Rather than copy the installer to a local drive you can run it right off a USB disk (or Thunderbolt if you dare). Such a little USB drive would be similar to the sticks that came with the older MacBook Air, when we were all still sitting around wondering how you would ever install the OS on a computer with no optical media or Ethernet otherwise. Luckily, Apple loves us.

To make a bootable USB/flash drive of El Capitan like the one that used to come with the MacBook Air, first name the USB drive. I’ll use mavinstall for the purposes of this article. The format should be Mac OS Extended Journaled. The installer is called Install OS X El Capitan and is by default located in the /Applications directory. Inside the app bundle, there’s a new binary called createinstallmedia (nested in Contents/Resources).

Screen Shot 2015-09-08 at 12.05.22 AM
Using this binary you can create an installation drive (similar to what we used to do with InstallESD). To do so, specify the –volume to create the drive on (note that the target volume will be erased), the path of the Install OS X El Capitan app bundle and then we’re going to select –nointeraction so it just runs through the whole thing

/Applications/Install\ OS\ X\ El\ --volume /Volumes/mavinstall --applicationpath /Applications/Install\ OS\ X\ El\ --nointeraction

Note: You’ll need to elevate your privileges for this to run.

Once run you’ll see that it erases the disk, copies the Installation materials (InstallESX, etc) and then makes the drive bootable, as follows:

Erasing Disk: 0%... 10%... 20%... 100%...
Copying installer files to disk...
Copy complete.
Making disk bootable...
Copying boot files...
Copy complete.

Then you can either select the new volume in the Startup Disk System Preference pane or boot the computer holding down the option key to select the new volume.

Note: If you can do this on a system with a solid state drive it will be  faster. Although this took 17 minutes last I ran it even then so be patient for the files to copy.

October 11th, 2015

Posted In: Mac OS X, Mac OS X Server

Tags: , , , , ,

In case your Mac just isn’t emo enough for ya’, Apple’s provided us a cool little new feature in Yosemite called dark mode. No, this won’t cause Hellboy to leap forth from your MacBook Air. Well, maybe he’ll visit your MacBook Pro, but I haven’t tested that so please don’t quote me on that. Instead, you’ll get the nice new dark menu bar:

Screen Shot 2015-09-10 at 10.41.10 PM

But that’s not all folks! Your dock will also get all dark and gothy!

Screen Shot 2015-09-10 at 10.41.29 PM

To turn it on, just open the General System Preference pane and check the box for “Use dark menu bar and Dock”.

Screen Shot 2015-09-10 at 10.42.23 PM

Enjoy! Oh, and if that’s not emo enough for you feel free to watch this sad emo love song video (yes, I googled for “sad emo” to find it; no, it’s not bookmarked; yes, I bought eyeliner after watching it; yes, then my high school self time travelled to present day and kicked the crap out of me; yes, I thanked him).

October 5th, 2015

Posted In: Mac OS X

Tags: , , , , , ,

I wrote about using the smbutil for DFS in Lion awhile back. I haven’t needed to write anything else as it hadn’t changed since. The statshares option has an -m option to look at a mount path for showing the path to the mount (e.g. if the mount is called krypted this should be something like /Volumes/krypted):

smbutil statshares -m /Volumes/krypted

When run, you see a list of all the attributes OS X tracks for that mount path, including the name of the server, the user ID (octal), how SMB negotiated an authentication, what version of SMB is running (e.g. SMB_1), the type of share and whether signing, extended security, Unix and large files are supported.

Additionally, if you’d like to see the attributes for all shares, use the -a option after statshares:

smbutil statshares -a

Overall, this is a nice health check type of verb to the smbutil command that can be added to any monitoring or troubleshooting workflow.

October 4th, 2015

Posted In: Mac OS X, Mac OS X Server

Tags: , , ,

A nifty little feature of nvram is the ability to delete all of the firmware variables you’ve created. This can get helpful if you’ve got a bunch of things that you’ve done to a system and want to remove them all. If you run nvkram followed by a -p option you’ll see all of the configured firmware variables:

nvram -p

If you run it with a -d you’ll delete the given variables that you define (e.g. boot-args):

nvram -d boot-args

But, if you run the -c you’ll wipe them all:

nvram -c

October 4th, 2015

Posted In: Mac OS X

Tags: , ,

Next Page »