Git Quick-start

Git it easy. It’s a command with some verbs. Let’s start with the init verb, which creates an empty git repository in the working directory (or supply a path after the verb)

git init

Now let’s touch a file in that directory. Once a new file is there, with that new repo as your working directory, run git with the status verb:

git status

Oh look, you now see that you’re “On branch master” – we’ll talk branching later. You see “No commits yet” and hey, what’s that, an Untracked file! Run git with the add verb, and this time you need to specify a file or path (I’ll use . assuming your working directory is still the directory of your repo).

git add .


Now let’s run that status command again. And hey, it sees that you now have a staged file (or files). 

Now let’s run our first commit. This takes the tracked and staged file that we just created and commits it. Until we do this we can always revert back to the previous state of that file (which in this simple little walkthrough would be for the file to no longer exist). 

git commit -m "test"


Now let’s edit our file and this time let’s run git with the diff verb:

git diff


Hey, you can now see what changed between your file(s). Easy, right? Check out the logs to see what you’ve been doing to poor git:

git log


Hey look, there’s a commit listed there, along with an author, a date and time stamp, as well as a name of the file(s) in the commit. Now, let’s run a reset to revert to our last commit. This will overwrite the changes we just made prior to doing the diff (you can target a specific commit by giving it as the next argument after --hard, or you can leave it off to reset to the latest actual commit):

git reset --hard


Now this resets all files back to the way they were before you started mucking around with those poor files. OK, so we’ve been working off in our own little world. Before we explore the wide world that is cloning a repository off the interwebs, first we’re going to take a quick look at branches. You know how we reset all of our files in the previous command? What if we had 30 files and we just wanted to reset one? You shouldn’t work in your master branch for a number of reasons. So let’s look at existing branches by running git with the branch verb:

git branch


You see that you have one branch, the “* master” branch. To create a new branch, simply type git branch followed by the name of the branch you wish to create (in this case it will be called myspiffychanges1):

git branch myspiffychanges1


Run git with the branch verb again and you’ll see that below master, your new branch appears. The asterisk is always used so you know which branch you’re working in. To switch between branches, use the checkout verb along with the name of the branch:

git checkout myspiffychanges1


I could have done both of the previous steps in one command, by using the -b flag with the checkout verb:

git checkout -b myspiffychanges1


OK now, the asterisk should be on your new branch and you should be able to make changes. Let’s edit that file from earlier. Then let’s run another git status and note that your modifications can be seen. Let’s add them to the list of tracked changes using git add with . for the working directory again:

git add .


Now let’s commit those changes:

git commit -m "some changes"


And now we have two branches, a little different from one another. Let’s merge the changes into the master branch next. First, let’s switch back to the master branch:

git checkout master


And then let’s merge those changes:

git merge myspiffychanges1


OK – so now you know how to init a project, branch, and merge. Before we go on the interwebs let’s first set up your name. Notice in the logs that the Author field displays a name and an email address. Let’s see where that comes from:

git config --list

This is initially populated by ~/.gitconfig so you can edit that. Or, let’s remove what is in that list:

git config --unset-all user.name


And then we can add a new set of information to the key we’d like to edit:

git config user.name "Charles Edge" --global


You might as well set an email address too, so people can yell at you for your crappy code some day:

git config user.email "chuckufarley@me.com" --global


OK, optics aside, let’s clone an existing repository onto our computer. The clone verb allows you to, —insert suspense here— clone a repository into your home directory:

git clone https://github.com/autopkg/autopkg

The remote verb allows you to make a local copy of a branch. But it takes a couple of steps. First, init a project with the appropriate name and then cd into it. Then we’re going to grab the url from GitHub:

And add it using the remote verb:

git remote add AutoPkg https://github.com/autopkg/autopkg.git


Now let’s fetch a branch of that project, in this case, master:

git fetch AutoPkg master


Now we’ll want to download the contents of that branch:

git pull AutoPkg master


And once we’ve made some changes, let’s push our changes:

git push AutoPkg myspiffychanges1
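The whole local part of the walkthrough above (init, add, commit, diff, reset --hard, branch, checkout, merge) replayed in a throwaway repository, as an added example that is not part of the original post. It assumes git is on the PATH; the scratch directory, the file name notes.txt and the identity "Demo User" are made up for the demo, and the identity is set with a repository-local git config so that nothing in ~/.gitconfig is touched.

```shell
#!/bin/sh
# Added example (not from the original post): replay the local git walkthrough
# in a temporary repository and report what it produced.

git_walkthrough() {
  repo=$(mktemp -d)              # scratch directory, removed at the end
  cd "$repo" || return 1

  git init -q .
  # Local (not --global) identity so the demo never edits ~/.gitconfig
  git config user.name "Demo User"
  git config user.email "demo@example.com"

  # First commit: the untracked file becomes staged, then committed
  echo "hello" > notes.txt
  git add .
  git commit -q -m "test"

  # Edit the file, look at the diff, then throw the edit away with reset --hard
  echo "oops" >> notes.txt
  git diff --stat > /dev/null
  git reset -q --hard

  # Work on a branch (checkout -b creates and switches in one step),
  # commit there, switch back to the previous branch and merge
  git checkout -q -b myspiffychanges1
  echo "branch change" >> notes.txt
  git add .
  git commit -q -m "some changes"
  git checkout -q -                # "-" means the previously checked-out branch
  git merge -q myspiffychanges1

  # Report "<commits reachable from HEAD> <lines in notes.txt>": the reset
  # removed "oops", so the merged file has exactly the two committed lines
  commits=$(git rev-list --count HEAD)
  lines=$(wc -l < notes.txt | tr -d ' ')
  cd / && rm -rf "$repo"
  echo "$commits $lines"
}

# Usage: git_walkthrough   -> prints "2 2"
```

Running git_walkthrough prints "2 2": two commits in the history (the merge was a fast-forward, so no merge commit is created) and two lines in the file, which is a quick way to convince yourself that reset --hard really discarded the uncommitted edit while the branch commit survived the merge.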


This New Years Day, Learn The Jot Command

The jot command is one I haven’t used in a while. But it’s still useful. Let’s take a look at a few of the things you can do with it. First, let’s just print lines into a new file called “century.txt”, which we can do by running with the number of increments followed by the starting number, and then redirecting the output into the file name:

jot 100 1 > ~/Desktop/century.txt

Or to print decimals instead, include the decimal places in the starting number:

jot 100 1.00 > ~/Desktop/century.txt

Or in descending order,

jot - 100 1 > ~/Desktop/century.txt

Now we could change the output to be just 50 to 100, by printing 50 values (the first position) and starting at 50 (the second):

jot 50 50

The jot command is able to print sequential data, as we’ve seen. But we can also print random data, using the -r option. Following that option we have three important positions, the first is the number of iterations, but the next two are the lower and upper boundaries for the numbers, respectively. So in the below command we’ll grab 10 iterations (or ten random numbers) that are between 1 and 1000:

jot -r 10 1 1000

Now if we were to add a -c in there and use a and z as the lower and upper bounds, we’d get… letters (this time we’re just gonna’ ask for one letter)!

jot -r -c 1 a z

Something I find useful is just to shove random data into a file infinitely. And by useful I mean hopefully not left running overnight on my own computer (been there, done that). To do this, just use a 0 for the number of iterations:

jot -r -c 0

Something that is actually useful is the basic ASCII set:

jot -c 128 0

We can also append data to a word using -w. So let’s say we want to print the characters aa followed by a through z. In the below we’ll define that with -w and then we’ll list those two characters followed by %c which is where the character substitution goes and then the number of iterations followed by the lower bound:

jot -w aa%c 26 a

You can also do stuttering sequences, useful for the occasional tango dancer, so here we’ll do a 5/3 countdown:

jot - 100 0 -.5

Or we could create a one meg file by creating 1,024 bytes:

jot -b 0 1024 > onemegfile.txt

Oh wait, that file’s two megs. Get it? 😉

And running strings teaches you that you can’t bound random (a good lesson for the New Year). Anything you use jot for?
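A portable stand-in for the jot forms used above, added here as an example and not part of the original post: jot is a BSD tool, so on a Linux box you cannot try the reps/begin/end rules it applies. These awk-based functions reproduce the integer cases shown in the post (a count and a start, "-" for a computed count, -r random numbers, -c characters with an optional -w word). The function names jot_seq, jot_rand and jot_chars are made up for the demo and cover only those cases.

```shell
#!/bin/sh
# Added example (not from the original post): emulate the jot invocations
# from this post with awk so they can be run where jot is not installed.

# jot_seq REPS BEGIN [END]
#   REPS BEGIN        -> REPS integers counting up from BEGIN (jot 50 50)
#   - BEGIN END       -> every integer from BEGIN to END, either direction (jot - 100 1)
#   REPS BEGIN END    -> REPS values spread evenly between BEGIN and END
jot_seq() {
  awk -v reps="$1" -v begin="$2" -v end="$3" 'BEGIN {
    if (end == "") {                      # only a start: step is one
      step = 1
    } else if (reps == "-") {             # start and end: count is the range size
      step = (end >= begin) ? 1 : -1
      reps = (end > begin ? end - begin : begin - end) + 1
    } else if (reps > 1) {                # all three given: spread evenly
      step = (end - begin) / (reps - 1)
    } else {
      step = 0
    }
    for (i = 0; i < reps; i++) printf "%d\n", begin + i * step
  }'
}

# jot_rand COUNT LOW HIGH: COUNT random integers in [LOW, HIGH] (jot -r COUNT LOW HIGH)
jot_rand() {
  awk -v reps="$1" -v lo="$2" -v hi="$3" 'BEGIN {
    srand()
    for (i = 0; i < reps; i++) printf "%d\n", lo + int(rand() * (hi - lo + 1))
  }'
}

# jot_chars REPS FIRST [WORD]: REPS consecutive characters starting at FIRST
# (jot -c REPS FIRST); WORD is a -w style template whose %c is replaced
# (jot -w aa%c 26 a). Only printable ASCII is handled.
jot_chars() {
  awk -v reps="$1" -v first="$2" -v word="${3:-%c}" 'BEGIN {
    for (i = 32; i < 127; i++) ord[sprintf("%c", i)] = i   # char -> code table
    start = ord[first]
    p = index(word, "%c")
    for (i = 0; i < reps; i++) {
      ch = sprintf("%c", start + i)
      print substr(word, 1, p - 1) ch substr(word, p + 2)
    }
  }'
}

# Usage:
#   jot_seq 50 50           # 50 .. 99
#   jot_seq - 100 1         # 100 down to 1
#   jot_rand 10 1 1000      # ten random numbers between 1 and 1000
#   jot_chars 26 a 'aa%c'   # aaa, aab, ... aaz
```

One thing the emulation makes visible: a count of 50 starting at 50 ends at 99, not 100, because the count is the number of values printed, not the last value; and when the count is "-" the range itself determines how many lines come out.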

Happy New Years!

Use The Profiles Command In Sierra

You might be happy to note that other than the ability to interpret new payloads, the profiles command mostly stays the same in Sierra. You can still export profiles from Apple Configurator or Profile Manager (or some of the 3rd party MDM tools). You can then install profiles by just opening them and installing. Once profiles are installed on a Mac, mdmclient, a binary located in /usr/libexec, will process changes such as wiping a system that has been FileVaulted (note you need to FileVault if you want to wipe an OS X Lion client computer). /System/Library/LaunchDaemons and /System/Library/LaunchAgents have an mdmclient daemon and agent, respectively, that start it up automatically. This, along with all of the operators, remains unchanged from 10.10 on. To script profile deployment, administrators can add and remove configuration profiles using the new /usr/bin/profiles command. To see all profiles, aggregated, use the profiles command with just the -P option:

/usr/bin/profiles -P

As with managed preferences (and piggybacking on managed preferences for that matter), configuration profiles can be assigned to users or computers. To see just user profiles, use the -L option:

/usr/bin/profiles -L

You can remove all profiles using -D:

/usr/bin/profiles -D

The -I option installs profiles and the -R removes profiles. Use -p to indicate the profile is from a server or -F to indicate its source is a file. To remove a profile:

/usr/bin/profiles -R -F /tmp/HawkeyesTrickshot.mobileconfig

To remove one from a server:

/usr/bin/profiles -R -p com.WestCoastAvengers.HawkeyesTrickshot

The following installs HawkeyesTrickshot.mobileconfig from /tmp:

/usr/bin/profiles -I -F /tmp/HawkeyesTrickshot.mobileconfig

If created in Profile Manager:

/usr/bin/profiles -I -p com.WestCoastAvengers.HawkeyesTrickshot

You can configure profiles to install at the next boot, rather than immediately. Use -s to define a startup profile and take note that if it fails, the profile will attempt to install at each subsequent reboot until installed. To use the command, simply add -s, then -F for the profile and -f to automatically confirm, as follows (and I like to throw in a -v usually for good measure):

profiles -s -F /Profiles/SuperAwesome.mobileconfig -f -v

And that’s it. Nice and easy and you now have profiles that only activate when a computer is started up. As of OS X Yosemite, the dscl command got extensions for dealing with profiles as well. These include the available MCX Profile Extensions:
  • -profileimport
  • -profiledelete
  • -profilelist [optArgs]
  • -profileexport
  • -profilehelp

To list all profiles from an Open Directory object, use -profilelist. To run, follow the dscl command with -u to specify a user, -P to specify the password for the user, then the IP address of the OD server (or name of the AD object), then the profilelist verb, then the relative path. Assuming a username of diradmin for the directory, a password of moonknight and then the cedge user:

dscl -u diradmin -P moonknight 192.168.210.201 profilelist /LDAPv3/127.0.0.1/Users/cedge

To delete that information for the given user, swap the profilelist extension with profiledelete:

dscl -u diradmin -P moonknight 192.168.210.201 profiledelete /LDAPv3/127.0.0.1/Users/cedge

If you would rather export all information to a directory called ProfileExports on the root of the drive:

dscl -u diradmin -P moonknight 192.168.210.201 profileexport . all -o /ProfileExports

In Yosemite we got a few new options (these are all still in 10.11 with no new operators), such as -H which shows whether a profile was installed, -z to define a removal password and -o to output a file path for removal information. Also, as in Yosemite it seems as though if a configuration profile was pushed to you from MDM, you can’t remove it (fyi, I love having the word fail as a standalone in verbose output):
bash-3.2# profiles -P
_computerlevel[1] attribute: profileIdentifier: 772BED54-5EDF-4987-94B9-654456CF0B9A
_computerlevel[2] attribute: profileIdentifier: 00000000-0000-0000-A000-4A414D460003
_computerlevel[3] attribute: profileIdentifier: C11672D9-9AE2-4F09-B789-70D5678CB397
charlesedge[4] attribute: profileIdentifier: com.krypted.office365.a5f0e328-ea86-11e3-a26c-6476bab5f328
charlesedge[5] attribute: profileIdentifier: odr.krypted.com.ADD7E5A6-8EED-4B11-8470-C56C8DC1E2E6
_computerlevel[6] attribute: profileIdentifier: EE08ABE9-5CB8-48E3-8E02-E46AD0A03783
_computerlevel[7] attribute: profileIdentifier: F3C87B6E-185C-4F28-9BA7-6E02EACA37B1
_computerlevel[8] attribute: profileIdentifier: 24DA416D-093A-4E2E-9E6A-FEAD74B8B0F0
There are 8 configuration profiles installed
bash-3.2# profiles -r 772BED54-5EDF-4987-94B9-654456CF0B9A
bash-3.2# profiles -P
_computerlevel[1] attribute: profileIdentifier: F3C87B6E-185C-4F28-9BA7-6E02EACA37B1
_computerlevel[2] attribute: profileIdentifier: EE08ABE9-5CB8-48E3-8E02-E46AD0A03783
_computerlevel[3] attribute: profileIdentifier: 24DA416D-093A-4E2E-9E6A-FEAD74B8B0F0
_computerlevel[4] attribute: profileIdentifier: 00000000-0000-0000-A000-4A414D460003
_computerlevel[5] attribute: profileIdentifier: 772BED54-5EDF-4987-94B9-654456CF0B9A
_computerlevel[6] attribute: profileIdentifier: C11672D9-9AE2-4F09-B789-70D5678CB397
charlesedge[7] attribute: profileIdentifier: odr.krypted.com.ADD7E5A6-8EED-4B11-8470-C56C8DC1E2E6
charlesedge[8] attribute: profileIdentifier: com.krypted.office365.a5f0e328-ea86-11e3-a26c-6476bab5f328
There are 8 configuration profiles installed
bash-3.2# profiles -rv 772BED54-5EDF-4987-94B9-654456CF0B9A
profiles: verbose mode ON
profiles: returned error: -204
fail
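The listing above is the kind of thing a compliance script has to read, so here is an added example (not from the original post) that parses the output of profiles -P to answer the questions an admin actually asks: how many profiles are installed, which scope (computer or user) a given identifier lives in, and whether every required profile is still present, which is the check you want when an MDM-pushed profile is supposed to be non-removable. The sample text is copied from the first listing in this post; on a real Mac you would pipe /usr/bin/profiles -P into the same functions. Function names are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): parse `profiles -P` output.

# Sample output, copied from the listing in this post (constructed input for the demo)
SAMPLE_PROFILE_LIST='_computerlevel[1] attribute: profileIdentifier: 772BED54-5EDF-4987-94B9-654456CF0B9A
_computerlevel[2] attribute: profileIdentifier: 00000000-0000-0000-A000-4A414D460003
_computerlevel[3] attribute: profileIdentifier: C11672D9-9AE2-4F09-B789-70D5678CB397
charlesedge[4] attribute: profileIdentifier: com.krypted.office365.a5f0e328-ea86-11e3-a26c-6476bab5f328
charlesedge[5] attribute: profileIdentifier: odr.krypted.com.ADD7E5A6-8EED-4B11-8470-C56C8DC1E2E6
_computerlevel[6] attribute: profileIdentifier: EE08ABE9-5CB8-48E3-8E02-E46AD0A03783
_computerlevel[7] attribute: profileIdentifier: F3C87B6E-185C-4F28-9BA7-6E02EACA37B1
_computerlevel[8] attribute: profileIdentifier: 24DA416D-093A-4E2E-9E6A-FEAD74B8B0F0
There are 8 configuration profiles installed'

# profile_ids: print one profile identifier per line from `profiles -P` output on stdin
profile_ids() {
  awk -F'profileIdentifier: ' '/profileIdentifier: / { print $2 }'
}

# profile_count: number of installed profiles in the listing on stdin
profile_count() {
  profile_ids | wc -l | tr -d ' '
}

# profile_installed ID: exit 0 when ID appears in the listing on stdin
profile_installed() {
  profile_ids | grep -qxF -- "$1"
}

# profile_scope ID: print "_computerlevel" or the short name of the user who owns ID
profile_scope() {
  awk -v id="$1" -F'[[]' '
    substr($0, length($0) - length(id) + 1) == id && index($0, "profileIdentifier: ") {
      print $1
    }'
}

# profiles_missing "ID1 ID2 ...": print each required identifier absent from the
# listing on stdin (empty output means the baseline is intact)
profiles_missing() {
  have=$(profile_ids)
  for want in $1; do
    printf '%s\n' "$have" | grep -qxF -- "$want" || echo "$want"
  done
}

# Usage on a real Mac:
#   /usr/bin/profiles -P | profiles_missing "772BED54-5EDF-4987-94B9-654456CF0B9A"
```

profiles_missing is the piece worth wiring into a periodic check: feed it the identifiers your MDM is expected to keep in place and alert on any line it prints. The -204 failure shown above is what you want to see when someone tries profiles -r on one of those.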

Add A Chime To Your Ring

The Ring is a great little device. I love it when I see an alert on my Apple Watch, tap a button on my phone, and then see the UPS deliverer walking away from my front door. When you’re home though, it’s nice to have a door chime. The first thing you do when you’re setting up one of these is to join a wireless network called Chime-****something****. This is pretty common in the home automation world. Devices ship running as a WAP so you can wirelessly control and set them up. Once the device joins the wireless network, open the Ring app and then verify that you’re joined to the right wireless network. If you need to leave the app and join the right network, do so. Provided that you’re joined to the Chime network, the Chime will then scan for Wi-Fi networks. Once the networks have been listed, choose the one yours will live on (or use the Add Hidden Network option if you have a suppressed SSID). When prompted, provide a password for the network. The chime then completes setup and should be audible when the button on the Ring is pressed.

Manage Apps On The Apple Watch

The Apple Watch is just another wearable with a limited feature set. In much the same way that the iPhone is just another phone. But they’re not. They have apps. And the apps are what make these devices so powerful. Installing apps on an Apple Watch is pretty straightforward. But before we do, it’s worth mentioning that there are two types. The first is a glance. This is just another view for an app that is on your iPhone that the Apple Watch talks to. The second is an actual app. These have more functionality and more options. There are also built-in apps that can be shown or hidden. Apps are managed from the phone. To install either type of app, simply open the Apple Watch app on your phone. From there, you will see any apps that have either an app or a glance available on a device. Tap on an entry and you’ll see whatever is available for that app. New apps aren’t displayed on your Apple Watch. Use the slider to control whether it is displayed or not. Some apps have more options. If so, tap on the app and enable those options if needed. When you enable these apps, you’ll see the icon start loading on the watch, in much the same way that an icon starts to load on a phone when you purchase the app from the App Store. Also, some apps, when you download an update to the app, will even prompt you to install a glance for the app on your phone. The apps show up on the right side of the default apps on the watch. Here’s the Nike app. This app only works properly when you open the app on the phone. It sits at a loading screen and only opens when the app on the phone opens. When it shows up, you can then do whatever the app is built to do. In this case, start and stop runs. That’s it. Straightforward. Just be patient. It takes a while for Apple Watches to communicate with phones and to move data back and forth between them.

Set Up Your New Apple Watch

You waited. And you tapped your fingers on the desk. And you sat and waited some more, for the UPS person. You stared at your mailbox. And then, after all of that, UPS showed up. And you signed. And then you had that box in your hands. The cardboard box, when opened, gave way to a sweet white box. You opened it by pulling the little tag off, and then you pulled the watch out of the box. You tried on the two bands. And you picked the one that fit you the best. So now what? Turn on the watch by hitting the button on the side and watch that beautiful Apple logo light up the screen. But now you need to pair the watch with your phone for it to be usable. So what to do? Well, first of all, make sure your phone is updated to the latest and greatest version of iOS. From there, open the Apple Watch app on the iPhone. The app will prompt you to start pairing a watch with the phone. You can only pair one watch with an iPhone. Tap the Start Pairing button. When prompted, line up the screen on the watch with the image and the outline. Wait for the watch to complete pairing and then tap the Set Up Apple Watch button. You’ll then be prompted for which wrist to put the watch on. I used my dominant wrist, so right. You’ll then be prompted to accept the Terms and Conditions (aka license agreement) from Apple. Tap Agree. Tap Agree again. Next, when prompted for the Apple ID to use, if you’d like to use an Apple ID with the watch, provide the password for that Apple ID using the Enter Password button, or use the Skip This Step option to skip the Apple ID. At the Location Services screen, tap OK. This is really just informational to let you know that Location Services will be used. It’s kinda’ necessary to use the watch properly. At the Siri screen, again, you’re informed that Siri will be used. Tap OK. At the Diagnostics screen, same thing. You’re informed that diagnostics will be supplied to Apple. Tap OK. At the Apple Watch Passcode screen, choose whether you’d like to use a passcode on the watch. I’m not a fan of using a passcode on the watch; however, you will have to use one if you want to use Apple Pay on the watch. Tap Create a Passcode to set one up now and then provide the passcode you’d like to use. The Apple Watch will sync apps and show glances from apps that are on the phone. Tap Install All to go ahead and install any Apple Watch apps on the device. You can always turn them off later. Or you can tap Choose Later to go ahead and complete setup and wait until later to set up the watch and finish app setup. I’d recommend using Install All and then turning off the ones you don’t want later. Then the watch will start syncing with your devices. At the Apple Watch Is Syncing screen, wait. Don’t do anything else or get the watch too far from the phone or you’ll have to start over from scratch. Once the watch is finished syncing, use the My Watch app to sync apps, show glances, set up Apple Pay and configure which built-in apps are shown on the device. The next and most important aspect of your new Apple Watch is to use it and love it. Go for a run, sync some apps, enjoy the hell out of your new watch. It’s great. Now, get to it!

Video on Setting Up a Munki Repo

(Allister Banks Guest Post:) As part of my presentations at LOPSA-East (the PDF slides of this one are here) earlier this year, I wanted to demonstrate how quickly you can get a proof-of-concept of Munki running on a recent Mac OS without Server. I had always used Greg Neagle’s awesome intro articles for MacTech (especially part 2), which were created back in 10.6 days (simpler times, amirite?). This video takes you through the setup of a Munki repo, and goes on to demonstrate not only basic Munki interaction and functionality, but, if you set up MunkiWebAdmin and the reporting scripts on your clients in addition, a quick tour of that interface. Setting Up a Munki Repository on 10.7+, Quick MunkiWebAdmin Demo from Allister Banks on Vimeo. Pardon the length, lack of sound and memes sprinkled throughout, but I hope it’s of use to someone!

Installing the DHCP Service in Windows Server

With the DHCP service no longer in the Server apps provided by Apple (for the most part), it’s important to look at alternative solutions to host the service. The DHCP Service in Windows Server is a Role that a Windows Server can fill that dynamically assigns IP addresses to client computers requesting addresses. The DHCP Role is easily added using the Server Manager application, available in the Administrative Tools menu of the Start Menu. Once opened, click on the Add Roles button. At the Select Server Roles screen, locate DHCP Server and then check the box for it, which will allow you to click on the Next button. At the DHCP Server screen, click on Next. At the Select Network Connection Bindings screen, check the box for each network interface that will be available to DHCP to host DHCP scopes (a scope being a range of addresses that the server will host). Click on Next. At the Specify IPv4 DNS Server Settings screen, enter the name of the search domain to be assigned in the “Parent domain” field. Then provide the IP address for the first DNS server that is provided to clients in the “Preferred DNS server IPv4 address” field. Click on Next once the appropriate DNS information has been provided. If you are using WINS servers, click on “WINS is required for applications on this network” and then click on the Next button. At the “Add or Edit DHCP Scopes” screen, click on the Add… button to provide the first DHCP scope for the environment. At the Add Scope screen, enter the following information:
  • Scope name: A friendly name for the DHCP scope (e.g. Marketing Subnet)
  • Starting IP address: The first IP address in the scope of addresses provided
  • Ending IP address: The last IP address in the scope of addresses provided (note that you cannot overlap pools and that
  • Subnet type: Select a type of scope being created (note that this changes the lease times)
  • Activate this scope: Check this box to make the scope available immediately
  • Subnet mask: The subnet mask used by clients of the scope
  • Default gateway: The router for the scope being created
Once you’re satisfied with your settings, click OK. Next, select whether DHCP will be provided for IPv6 and click on Next. If IPv6 is supported, enter the address of an IPv6-based DNS service. Click Next. Next, integrate DHCP with Active Directory (to disable, use “Skip authorization of this DHCP server in AD DS”) by either allowing the service to use the credentials of the currently logged-in user or using the Specify button to provide a different user account. Click Next. At the Summary screen, verify the settings are as intended and then click on Next. The role is then installed and, if you selected to do so, the service is started as well. There are a lot of steps here, but if you’re new to Windows Server, don’t let that intimidate you. It’s a wizard and normally takes me a little less than 5 minutes, about what we grew to expect from OS X Server.

Installing the Mountain Lion Server VPN Server

OS X Server has long had a VPN service that can be run. The server is capable of running the two most commonly used VPN protocols: PPTP and L2TP. The L2TP protocol is always in use, but the server can run both concurrently. You should use L2TP when at all possible. Sure, “All the great themes have been used up and turned into theme parks.” But security is a theme that it never hurts to keep in the forefront of your mind. If you were thinking of exposing the other services in Mountain Lion Server to the Internet without having users connect to a VPN service then you should think again, because the VPN service is simple to set up and even simpler to manage.

Setting Up The VPN Service In Mountain Lion

To set up the VPN service, open the Server app and click on VPN in the Server app sidebar. The VPN Settings screen has a “Configure VPN for” field, which has two options:
  • L2TP: Enables only the L2TP protocol
  • L2TP and PPTP: Enables both the L2TP protocol and the PPTP protocol
The VPN Host Name field is used by administrators leveraging profiles. The setting used becomes the address for the VPN service in the Everyone profile. L2TP requires a shared secret or an SSL certificate. In this example, we’ll configure a shared secret by providing a password in the Shared Secret field. Additionally, there are three fields, each with an Edit button that allows for configuration:
  • Client Addresses: The dynamic pool of addresses provided when clients connect to the VPN 
  • DNS Settings: The name servers used once a VPN client has connected to the server. As well as the Search Domains configuration.
  • Routes: For each IP address and subnet mask, select which interface (the VPN or the default interface of the client system) the client reaches it over.
  • Save Configuration Profile: Use this button to export configuration profiles to a file, which can then be distributed to client systems (OS X using the profiles command, iOS using Apple Configurator or both using Profile Manager).
Once configured, open incoming ports on the router/firewall. PPTP runs over port 1723. L2TP is a bit more complicated (with keys bigger than a baby’s arm), running over 1701, but also the IP-ESP protocol (IP Protocol 50). Both are configured automatically when using Apple AirPorts as gateway devices. Officially, the ports to forward are listed at http://support.apple.com/kb/TS1629.

Using The Command Line

I know, I’ve described ways to manage these services from the command line before. But, “tonight we have number twelve of one hundred things to do with your body when you’re all alone.” The serveradmin command can be used to manage the service as well as the Server app. The serveradmin command can start the service, using the default settings, with no further configuration being required:

sudo serveradmin start vpn

And to stop the service:

sudo serveradmin stop vpn

And to list the available options:

sudo serveradmin settings vpn

To disable L2TP, set vpn:Servers:com.apple.ppp.l2tp:enabled to no:

sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:enabled = no

To configure how long a client can be idle prior to being disconnected:

sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdle = 10

By default, each protocol has a maximum of 128 sessions, configurable using vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions:

sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 200

To see the state of the service, the pid, the time the service was configured, the path to the log files, the number of clients and other information, use the fullstatus option:

sudo serveradmin fullstatus vpn

Which returns output similar to the following:

vpn:servicePortsAreRestricted = "NO"
vpn:readWriteSettingsVersion = 1
vpn:servers:com.apple.ppp.pptp:AuthenticationProtocol = "MSCHAP2"
vpn:servers:com.apple.ppp.pptp:CurrentConnections = 0
vpn:servers:com.apple.ppp.pptp:enabled = yes
vpn:servers:com.apple.ppp.pptp:MPPEKeySize = "MPPEKeySize128"
vpn:servers:com.apple.ppp.pptp:startedTime = "2012-07-31 02:05:38 +0000"
vpn:servers:com.apple.ppp.pptp:Type = "PPP"
vpn:servers:com.apple.ppp.pptp:SubType = "PPTP"
vpn:servers:com.apple.ppp.pptp:AuthenticatorPlugins = "DSAuth"
vpn:servers:com.apple.ppp.pptp:pid = 97849
vpn:servers:com.apple.ppp.l2tp:AuthenticationProtocol = "MSCHAP2"
vpn:servers:com.apple.ppp.l2tp:CurrentConnections = 0
vpn:servers:com.apple.ppp.l2tp:enabled = yes
vpn:servers:com.apple.ppp.l2tp:startedTime = "2012-07-31 02:05:39 +0000"
vpn:servers:com.apple.ppp.l2tp:Type = "PPP"
vpn:servers:com.apple.ppp.l2tp:SubType = "L2TP"
vpn:servers:com.apple.ppp.l2tp:AuthenticatorPlugins = "DSAuth"
vpn:servers:com.apple.ppp.l2tp:pid = 97852
vpn:servicePortsRestrictionInfo = _empty_array
vpn:health = _empty_dictionary
vpn:logPaths:vpnLog = "/var/log/ppp/vpnd.log"
vpn:configured = yes
vpn:state = "RUNNING"
vpn:setStateVersion = 1

Security folk will be stoked to see that the shared secret is shown in the clear in the settings output:

vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = "a dirty thought in a nice clean mind"

Configuring Users For VPN Access

Each account that accesses the VPN server needs a valid account to do so. To configure existing users to use the service, click on Users in the Server app sidebar. At the list of users, click on a user and then click on the cog wheel icon, selecting Edit Access to Services. At the Service Access screen will be a list of services that could be hosted on the server; verify the checkbox for VPN is highlighted for the user.

Setting Up Client Computers

As you can see, configuring the VPN service in Mountain Lion Server is a simple and straightforward process – much easier than eating your cereal with a fork and doing your homework in the dark. Configuring clients is as simple as importing the profile generated by the service. However, you can also configure clients manually. To do so in OS X, open the Network System Preference pane. From here, click on the plus sign (“+”) to add a new network service. At the prompt, select VPN in the Interface field and then either PPTP or L2TP over IPSec in the VPN Type. Then provide a name for the connection in the Service Name field and click on Create. At the list of network interfaces in the Network System Preference pane, provide the hostname or address of the server in the Server Address field and the username that will be connecting to the VPN service in the Account Name field. If using L2TP, click on Authentication Settings. At the prompt, provide the password entered into the Shared Secret field earlier in this article in the Machine Authentication Shared Secret field and the user’s password in the User Authentication Password field. When you’re done, click OK and then, provided you’re outside the network and routable to the server, click on Connect to test the connection.

Conclusion

Setting up the VPN service in OS X Mountain Lion Server is as simple as clicking the ON button. But much more information about using a VPN can be required. The natd binary is still built into Mountain Lion at /usr/sbin/natd and can be managed in a number of ways. But it’s likely that the days of using an OS X Server as a gateway device are over, if they ever started. Sure “feeling screwed up at a screwed up time in a screwed up place does not necessarily make you screwed up” but using an OS X Server for NAT when it isn’t even supported any more probably does. So rather than try to use the server as both, use a 3rd party firewall like most everyone else and then use the server as a VPN appliance. Hopefully it can do much more than just that to help justify the cost. And if you’re using an Apple AirPort as a router (hopefully in a very small environment) then the whole process of setting this thing up should be super-simple.
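Two things in the command-line section above lend themselves to a script: reading the key = value output of serveradmin to check the service state, and the fact that serveradmin settings vpn prints the L2TP shared secret in the clear. The following is an added example, not from the original post, that does both: it pulls individual values out of serveradmin output, reports whether the weaker PPTP listener is still enabled (the post recommends L2TP), and masks the IPSecSharedSecretValue line so a settings dump can be pasted into a ticket or log without leaking the secret. The sample lines are copied from the fullstatus and settings output shown above; on a real Mountain Lion Server you would pipe sudo serveradmin fullstatus vpn or sudo serveradmin settings vpn into these functions instead. Function names are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): script against serveradmin output.

# Sample lines, copied from the serveradmin output in this post (constructed input for the demo)
SAMPLE_VPN_STATUS='vpn:servers:com.apple.ppp.pptp:CurrentConnections = 0
vpn:servers:com.apple.ppp.pptp:enabled = yes
vpn:servers:com.apple.ppp.l2tp:CurrentConnections = 0
vpn:servers:com.apple.ppp.l2tp:enabled = yes
vpn:logPaths:vpnLog = "/var/log/ppp/vpnd.log"
vpn:state = "RUNNING"
vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = "a dirty thought in a nice clean mind"'

# serveradmin_get KEY: print the value of KEY from serveradmin output on stdin,
# with the surrounding double quotes stripped (keys match as exact prefixes)
serveradmin_get() {
  awk -v key="$1" '
    index($0, key " = ") == 1 {
      val = substr($0, length(key) + 4)      # skip "KEY = "
      gsub(/^"|"$/, "", val)
      print val
    }'
}

# vpn_running: exit 0 when fullstatus reports the service as RUNNING
vpn_running() {
  [ "$(serveradmin_get vpn:state)" = "RUNNING" ]
}

# vpn_pptp_enabled: exit 0 when the PPTP listener is on; a hardening check
# can use this to flag servers that have not been switched to L2TP only
vpn_pptp_enabled() {
  [ "$(serveradmin_get vpn:servers:com.apple.ppp.pptp:enabled)" = "yes" ]
}

# vpn_redact_secrets: mask the L2TP shared secret before the settings dump
# is written anywhere it should not be (logs, tickets, chat)
vpn_redact_secrets() {
  sed 's/\(IPSecSharedSecretValue = \)".*"/\1"<redacted>"/'
}

# Usage on a real server:
#   sudo serveradmin fullstatus vpn | vpn_running && echo "VPN up"
#   sudo serveradmin settings vpn | vpn_redact_secrets > /tmp/vpn-settings.txt
```

serveradmin_get matches the key as an exact prefix of the line rather than with a regular expression, so the dots and colons in keys like vpn:servers:com.apple.ppp.l2tp:enabled need no escaping; the redaction uses sed so it works on the stock macOS toolchain.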