Tag Archives: howto

Mac OS X

Video on Setting Up a Munki Repo

(Allister Banks Guest Post:)

As part of my presentations at LOPSA-East (the PDF slides of this one are here) earlier this year, I wanted to demonstrate how quickly you can get a proof-of-concept of Munki running on a recent Mac OS without Server. I had always used Greg Neagle’s awesome intro articles for MacTech (especially part 2), which were created back in 10.6 days (simpler times, amirite?). This video takes you through the setup of a Munki repo, and goes on to demonstrate not only basic Munki interaction and functionality, but, if you set up MunkiWebAdmin and the reporting scripts on your clients in addition, it does a quick tour of that interface.

Setting Up a Munki Repository on 10.7+, Quick MunkiWebAdmin Demo from Allister Banks on Vimeo.

Pardon the length, lack of sound and memes sprinkled throughout, but I hope it’s of use to someone!

Windows Server

Installing the DHCP Service in Windows Server

With the DHCP service no longer in the Server apps provided by Apple (for the most part), it’s important to look at alternative solutions to host the service. The DHCP Service in Windows Server is a Role that a Windows Server can fill, dynamically assigning IP addresses to client computers that request them. The DHCP Role is easily added using the Server Manager application, available in the Administrative Tools menu of the Start Menu. Once opened, click on the Add Roles button.

At the Select Server Roles screen, locate DHCP Server and then check the box for it, which will allow you to click on the Next button.

At the DHCP Server screen, click on Next.

At the Select Network Connection Bindings screen, check the box for each network interface that will be available to DHCP to host DHCP scopes (a scope being a range of addresses that the server will hand out). Click on Next.

At the Specify IPv4 DNS Server Settings screen, enter the name of the search domain to be assigned in the “Parent domain” field. Then provide the IP address of the first DNS server that is handed to clients in the “Preferred DNS server IPv4 address” field. Click on Next once the appropriate DNS information has been provided.

If you are using WINS servers, click on “WINS is required for applications on this network” and then click on the Next button.

At the “Add or Edit DHCP Scopes” screen, click on the Add… button to provide the first DHCP scope for the environment.

At the Add Scope screen, enter the following information:

  • Scope name: A friendly name for the DHCP scope (e.g. Marketing Subnet)
  • Starting IP address: The first IP address in the scope of addresses provided
  • Ending IP address: The last IP address in the scope of addresses provided (note that scopes cannot overlap)
  • Subnet type: Select a type of scope being created (note that this changes the lease times)
  • Activate this scope: Check this box to make the scope available immediately
  • Subnet mask: The subnet mask used by clients of the scope
  • Default gateway: The router for the scope being created

Once you’re satisfied with your settings, click OK. Next, select whether DHCP will be provided for IPv6 and click on Next.

If IPv6 is supported, enter the address of an IPv6 based DNS service. Click Next.

Next, integrate DHCP with Active Directory (to disable, use the “Skip authorization of this DHCP server in AD DS”) by either allowing the service to use the credentials of the currently logged in user or using the Specify button to provide a different user account.

Click Next.

At the Summary screen, verify the settings are as intended and then click on Next. The role is then installed and, if you selected to do so, the service is started as well. There are a lot of steps here, but if you’re new to Windows Server, don’t let that intimidate you. It’s a wizard and normally takes me a little less than 5 minutes, about what we grew to expect from OS X Server.

Mac OS X Mac OS X Server Mac Security Mass Deployment Network Infrastructure

Installing the Mountain Lion Server VPN Server

OS X Server has long had a VPN service that can be run. The server is capable of running the two most commonly used VPN protocols: PPTP and L2TP. The L2TP protocol is always in use, but the server can run both concurrently. You should use L2TP when at all possible.

Sure, “All the great themes have been used up and turned into theme parks.” But security is a theme that it never hurts to keep in the forefront of your mind. If you were thinking of exposing the other services in Mountain Lion Server to the Internet without having users connect to a VPN service then you should think again, because the VPN service is simple to setup and even simpler to manage.

Setting Up The VPN Service In Mountain Lion

To set up the VPN service, open the Server app and click on VPN in the Server app sidebar. The VPN Settings screen has two options available in the “Configure VPN for” field:

  • L2TP: Enables only the L2TP protocol
  • L2TP and PPTP: Enables both the L2TP protocol and the PPTP protocol

The VPN Host Name field is used by administrators leveraging profiles. The setting used becomes the address for the VPN service in the Everyone profile. L2TP requires a shared secret or an SSL certificate. In this example, we’ll configure a shared secret by providing a password in the Shared Secret field. Additionally, there are three fields, each with an Edit button that allows for configuration:

  • Client Addresses: The dynamic pool of addresses handed to clients when they connect to the VPN
  • DNS Settings: The name servers, along with the search domains, used once a VPN client has connected to the server
  • Routes: For each IP address and subnet mask, select whether clients reach it over the VPN or over their default interface
  • Save Configuration Profile: Use this button to export a configuration profile to a file, which can then be distributed to client systems (OS X using the profiles command, iOS using Apple Configurator, or both using Profile Manager)

Once configured, open incoming ports on the router/firewall. PPTP runs over port 1723. L2TP is a bit more complicated (with keys bigger than a baby’s arm), running over 1701, but also the IP-ESP protocol (IP Protocol 50). Both are configured automatically when using Apple AirPorts as gateway devices. Officially, the ports to forward are listed at http://support.apple.com/kb/TS1629.

Using The Command Line

I know, I’ve described ways to manage these services from the command line before. But, “tonight we have number twelve of one hundred things to do with your body when you’re all alone.” The serveradmin command can be used to manage the service as well as the Server app. The serveradmin command can start the service, using the default settings, with no further configuration being required:

sudo serveradmin start vpn

And to stop the service:

sudo serveradmin stop vpn

And to list the available options:

sudo serveradmin settings vpn

To disable L2TP, set vpn:Servers:com.apple.ppp.l2tp:enabled to no:

sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:enabled = no

To configure how long a client can be idle prior to being disconnected:

sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdle = 10

By default, each protocol has a maximum of 128 sessions, configurable using vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions:

sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 200

To see the state of the service, the pid, the time the service was configured, the path to the log files, the number of clients and other information, use the fullstatus option:

sudo serveradmin fullstatus vpn

Which returns output similar to the following:

vpn:servicePortsAreRestricted = "NO"
vpn:readWriteSettingsVersion = 1
vpn:servers:com.apple.ppp.pptp:AuthenticationProtocol = "MSCHAP2"
vpn:servers:com.apple.ppp.pptp:CurrentConnections = 0
vpn:servers:com.apple.ppp.pptp:enabled = yes
vpn:servers:com.apple.ppp.pptp:MPPEKeySize = "MPPEKeySize128"
vpn:servers:com.apple.ppp.pptp:startedTime = "2012-07-31 02:05:38 +0000"
vpn:servers:com.apple.ppp.pptp:Type = "PPP"
vpn:servers:com.apple.ppp.pptp:SubType = "PPTP"
vpn:servers:com.apple.ppp.pptp:AuthenticatorPlugins = "DSAuth"
vpn:servers:com.apple.ppp.pptp:pid = 97849
vpn:servers:com.apple.ppp.l2tp:AuthenticationProtocol = "MSCHAP2"
vpn:servers:com.apple.ppp.l2tp:CurrentConnections = 0
vpn:servers:com.apple.ppp.l2tp:enabled = yes
vpn:servers:com.apple.ppp.l2tp:startedTime = "2012-07-31 02:05:39 +0000"
vpn:servers:com.apple.ppp.l2tp:Type = "PPP"
vpn:servers:com.apple.ppp.l2tp:SubType = "L2TP"
vpn:servers:com.apple.ppp.l2tp:AuthenticatorPlugins = "DSAuth"
vpn:servers:com.apple.ppp.l2tp:pid = 97852
vpn:servicePortsRestrictionInfo = _empty_array
vpn:health = _empty_dictionary
vpn:logPaths:vpnLog = "/var/log/ppp/vpnd.log"
vpn:configured = yes
vpn:state = "RUNNING"
vpn:setStateVersion = 1

Security folk will be stoked to see that the shared secret is shown in the clear in the settings output, as:

vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = "a dirty thought in a nice clean mind"
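The serveradmin calls above can be wrapped into a quick audit. The script below is an added example, not code from the original post or from Apple: it parses serveradmin-style output, reports the service state and connection counts, and flags a configuration where PPTP is still enabled, since the post recommends L2TP wherever possible. SAMPLE_STATUS is a constructed sample that mirrors the fullstatus output shown above; on a real Mountain Lion Server the live output of serveradmin is used instead.

```shell
#!/bin/sh
# Added example (not from the original post): audit the Mountain Lion Server VPN
# service from serveradmin output. SAMPLE_STATUS is a constructed sample that
# mirrors the `serveradmin fullstatus vpn` output shown in the post; on a real
# server the live output is used instead.

SAMPLE_STATUS='vpn:servers:com.apple.ppp.pptp:AuthenticationProtocol = "MSCHAP2"
vpn:servers:com.apple.ppp.pptp:CurrentConnections = 0
vpn:servers:com.apple.ppp.pptp:enabled = yes
vpn:servers:com.apple.ppp.l2tp:AuthenticationProtocol = "MSCHAP2"
vpn:servers:com.apple.ppp.l2tp:CurrentConnections = 3
vpn:servers:com.apple.ppp.l2tp:enabled = yes
vpn:logPaths:vpnLog = "/var/log/ppp/vpnd.log"
vpn:state = "RUNNING"'

# Print the value of one "key = value" line read on stdin, surrounding quotes stripped.
vpn_value() {
  awk -v k="$1" 'index($0, k " = ") == 1 { sub(/^[^=]*= /, ""); gsub(/^"|"$/, ""); print; exit }'
}

# One-line summary of the service. Exit status is 1 when PPTP is still enabled.
vpn_audit() {
  _state=$(printf '%s\n' "$1" | vpn_value vpn:state)
  _pptp=$(printf '%s\n' "$1" | vpn_value vpn:servers:com.apple.ppp.pptp:enabled)
  _l2tp_conns=$(printf '%s\n' "$1" | vpn_value vpn:servers:com.apple.ppp.l2tp:CurrentConnections)
  echo "state=$_state pptp_enabled=$_pptp l2tp_connections=$_l2tp_conns"
  [ "$_pptp" != yes ]
}

# The serveradmin commands (from the post) that move the service to an L2TP-only posture
# with a 10 minute idle disconnect.
vpn_harden_commands() {
  cat <<'EOF'
sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:enabled = no
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdle = 10
EOF
}

if command -v serveradmin >/dev/null 2>&1; then
  status=$(sudo serveradmin fullstatus vpn)      # live server
else
  status="$SAMPLE_STATUS"                        # offline: constructed sample
fi
vpn_audit "$status" || { echo "PPTP is enabled; to disable it run:"; vpn_harden_commands; }
```

Because `serveradmin settings vpn` prints the IPsec shared secret in the clear, anything that captures its output (a log collector, a ticket, a script's stdout) is worth treating like a credential store; the audit above only reads fullstatus, which does not include the secret.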

Configuring Users For VPN Access

Each user who connects to the VPN service needs an account that has been granted access to it. To configure existing users to use the service, click on Users in the Server app sidebar.

At the list of users, click on a user and then click on the cog wheel icon, selecting Edit Access to Services.

At the Service Access screen will be a list of services that could be hosted on the server; verify the checkbox for VPN is highlighted for the user.

Setting Up Client Computers

As you can see, configuring the VPN service in Mountain Lion Server is a simple and straightforward process – much easier than eating your cereal with a fork and doing your homework in the dark. Configuring clients is as simple as importing the profile generated by the service. However, you can also configure clients manually. To do so in OS X, open the Network System Preference pane. From here, click on the plus sign (“+”) to add a new network service.

At the prompt, select VPN in the Interface field and then either PPTP or L2TP over IPSec in the VPN Type. Then provide a name for the connection in the Service Name field and click on Create.

At the list of network interfaces in the Network System Preference pane, provide the hostname or address of the server in the Server Address field and the username that will be connecting to the VPN service in the Account Name field. If using L2TP, click on Authentication Settings.

At the prompt, provide the password entered into the Shared Secret field earlier in this article in the Machine Authentication Shared Secret field and the user’s password in the User Authentication Password field. When you’re done, click OK and then provided you’re outside the network and routeable to the server, click on Connect to test the connection.


Setting Up the VPN service in OS X Mountain Lion Server is as simple as clicking the ON button. But much more information about using a VPN can be required. The natd binary is still built into Mountain Lion at /usr/sbin/natd and can be managed in a number of ways. But it’s likely that the days of using an OS X Server as a gateway device are over, if they ever started. Sure “feeling screwed up at a screwed up time in a screwed up place does not necessarily make you screwed up” but using an OS X Server for NAT when it isn’t even supported any more probably does. So rather than try to use the server as both, use a 3rd party firewall like most everyone else and then use the server as a VPN appliance. Hopefully it can do much more than just that to help justify the cost. And if you’re using an Apple AirPort as a router (hopefully in a very small environment) then the whole process of setting this thing up should be super-simple.

Mac OS X Mac Security Mass Deployment

Manage Gatekeeper from the Command Line in Mountain Lion

Gatekeeper is the new feature of OS X that controls what types of apps can be opened. To configure Gatekeeper, open the Security & Privacy System Preference pane. Click on the General tab and unlock to make changes. Here, you’ll see “Allow applications downloaded from:” along with the following 3 options:

  • Mac App Store: Only apps downloaded from the App Store can be opened.
  • “Mac App Store and identified developers”: Only apps downloaded from the App Store and those signed can be opened.
  • Anywhere: Any app can be opened.

Configuring Gatekeeper in Mountain Lion

Configuring Gatekeeper is as easy as selecting one of these options. Now, under the hood, the state of Gatekeeper is kept in /var/db/SystemPolicy-prefs.plist. There’s only one option there, though: enabled. So you could try and run defaults to disable Gatekeeper: defaults write /var/db/SystemPolicy-prefs enabled no. However, doing so is not really going to provide all the options available in the GUI. To configure the options, Apple has provided spctl, a command line tool used to manage Gatekeeper. In its simplest form, Gatekeeper can be enabled and disabled using the --master-enable and --master-disable options, which are pretty straightforward. Use --master-enable to enable Gatekeeper:

spctl --master-enable

And then use --master-disable to disable Gatekeeper:

spctl --master-disable

Whether Gatekeeper (assessments) is enabled or disabled can be returned using the --status option:

spctl --status

The -a option is used to assess an application to see if it will open or not:

spctl -a /Applications/GitHub.app

If an application passes and has a rule available then you’ll get no response. If there’s no rule for the application, you’ll get a response like:

/Applications/GarageBuy.app: unknown error 99999=1869f

You add rules about apps using the --add option. Each app gets a label, defined with the --label option. For example, to add GitHub:

spctl --add --label "GitHub" /Applications/GitHub.app

To then enable access to GitHub:

spctl --enable --label "GitHub"

Or disable:

spctl --disable --label "GitHub"

As with most things, there’s actually a rub. spctl doesn’t always work. I’ve had more than a few issues with getting the labels to apply just right. Sometimes -a will report back that an app is rejected and it will still open. I think this is first-gen technology, and prior to relying on it it would be a really good idea to test very thoroughly before deploying.
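Testing thoroughly is easier when the assessment is scripted rather than run one app at a time. The script below is an added example, not code from the original post or from Apple: it assesses every app in /Applications, folds the verdicts into one line per app, and counts rejections so a deployment image can be checked before Gatekeeper is turned on. It assumes spctl’s --verbose (-v) flag, which the post does not use and which adds a "source=" line after each verdict. SAMPLE_ASSESSMENT is a constructed stand-in, used when spctl is not available.

```shell
#!/bin/sh
# Added example (not from the original post): assess every app in /Applications
# with spctl and summarise the verdicts. Assumes `spctl -a -v`, which prints
# "path: accepted|rejected" followed by a "source=..." line for each app.
# SAMPLE_ASSESSMENT is a constructed sample used when spctl is not present.

SAMPLE_ASSESSMENT='/Applications/GitHub.app: accepted
source=Developer ID
/Applications/GarageBuy.app: rejected
source=no usable signature
/Applications/Safari.app: accepted
source=Apple System'

# Fold verbose spctl output (stdin) into one "verdict<TAB>path<TAB>source" line per app.
gatekeeper_parse() {
  awk -F': ' '
    /^source=/ { sub(/^source=/, ""); printf "%s\t%s\t%s\n", verdict, path, $0; next }
    { path = $1; verdict = $2; sub(/ .*/, "", verdict) }'
}

# Echo the number of rejected apps; exit status is 0 only when every app was accepted.
gatekeeper_rejected_count() {
  _n=$(printf '%s\n' "$1" | gatekeeper_parse | awk -F'\t' '$1 == "rejected" { c++ } END { print c + 0 }')
  echo "$_n"
  [ "$_n" -eq 0 ]
}

if command -v spctl >/dev/null 2>&1; then
  echo "Gatekeeper: $(spctl --status 2>&1)"
  # spctl reports on stderr as well as stdout, so capture both
  out=$(for app in /Applications/*.app; do spctl -a -v "$app" 2>&1; done)
else
  out="$SAMPLE_ASSESSMENT"      # offline: constructed sample
fi
printf '%s\n' "$out" | gatekeeper_parse
gatekeeper_rejected_count "$out" >/dev/null || echo "Some apps would be blocked by Gatekeeper; review their signing before deploying."
```

Run it on a freshly built image before enabling Gatekeeper fleet-wide: every "rejected" line is an app that users will be unable to open under the "Mac App Store and identified developers" setting, and the source column says why (unsigned, ad hoc signed, or signed by an unknown certificate).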

cloud Mac OS X


Google recently decided that it was time to force some other company to buy cloudy dispositioned upstarts, Dropbox and Box.net. Google also decided that Office365 represented Microsoft being a little too brazen in their attempts to counteract the inroads that Google has made into Microsoft territory. Therefore, Google thumped their chest and gave away 5GB of storage in Google Drive. Google then released a tool that synchronizes data stored on a Google Drive to Macs and Windows systems.

Installing Google Drive is pretty easy. Just browse to Google Docs and Google will tell you that there’s this weird new Google Drive thing you should check out.

Here, click on Download Google Drive for Mac (or Windows if you use Windows). Then agree to give your first born to Google (but don’t worry, they’d never collect on that debt ’cause they’re sworn to do no evil).

Once downloaded, run the installer. You can link directly to your documents now using https://drive.google.com.

The only real question the installer asks is whether you’d like to automatically sync your Google Drive to the computer. I said yes, but if you’ve got a smallish drive you might decide not to. Once the Google Drive application has been downloaded and installed, open it (by default it’s set to open at startup). You’ll then see an icon in the menu bar that looks a little like a recycling symbol. Here, click on Open Google Drive folder.

The folder with your Google Docs then shows up on your desktop. Copy an item in there and it syncs up to Google. It can then easily be shared through the Google Apps web portal and accessed from other systems.

While there are still a number of features that Box.net and Dropbox will give you due to the fact that they’re a bit more mature, I’d expect Google Drive to catch up fast. And given that I already have tons of documents in Google Docs, it is nice to have them saved down to my local system. I’m now faced with an interesting new challenge: where to draw the line in my workflow between Google Drive, Dropbox and Box.net. Not a bad problem to have, really! Given the frustrations of having things strewn all over the place I’ll want to minimize some of the haphazardness I’ve practiced with regards to why I put things in different places in the past. In some cases I need to be able to email to folders, have expiring links or to have extended attributes sync between services, so there are some aspects that are likely to be case-by-case… Overall though, I’m very happy with the version 1 release of Google Drive. I mean, who complains about free stuff!?!?!

iPhone Mac OS X Mac OS X Server Mac Security Mass Deployment Network Infrastructure Xsan

Video on Setting Up File Sharing Services In Lion Server

Active Directory Mac OS X Mac OS X Server Mass Deployment Windows Server

Using DFS in OS X Lion

DFS stands for Distributed File Sharing. DFS is most commonly used to virtualize the way with which storage is presented to users. Once virtualized, mounts are able to replicate to one another or be moved between servers without impacting the end user experience. While many who have never used DFS will wonder why enterprises actually care about it, those of us who have used it extensively will be stoked that this new feature has been incorporated into OS X Lion.

Using DFS in OS X is similar to using DFS in Windows: simply connect to a share, and the work on the back end to locate where the share is actually stored is done on the server. Use Command-K (or Connect to Server from the Go menu) to bring up the Connect to Server dialog box. Enter the name of the server. You’ll be presented with a list of shares. Pick one and voilà, you’re using DFS. The ease of use is why people like it. Well, that and the replication…

Now, connecting to DFS is sure to be rife with problems. For troubleshooting, Apple has provided the wonderful smbutil from Valentine’s Day 2000 (yeah, it’s that old). smbutil comes complete with a dfs command that can be used to look up DFS referrals. Use smbutil followed by the dfs command and then a URL to check roots and links. For example, let’s say we have a box called myDFSbox.krypted.com. And let’s say that myDFSbox has a root called losangeles and a link called engineering. The command to check the referrals would be:

smbutil dfs smb://myDFSbox.krypted.com/losangeles/engineering

You can also inject the username and password for the domain between the protocol (smb://) and the host name (myDFSbox.krypted.com). While smbutil is helpful, I haven’t yet run into any issues where OS X didn’t enumerate the DFS environment on its own. But then, it is new and so there’s plenty of time to find issues.

Microsoft Exchange Server

Exchange 2010 and Archive-Only Mailboxes

Once upon a time, in a dark and dreary place, Exchange administrators (an already downtrodden lot, mind you) had to let users archive their mail to pst files. These files, open while Outlook was open and distributed across the enterprise file servers, caused the poor Exchange administrators great pain and suffering as they were uncontrollable. The pst files roamed, causing great pains to SMB/CIFS, switching and other admins, and worst of all these pst files had no policies applied to them.

Then came a bright knight in shining armor. He brought with him Exchange 2010 and stories of mailboxes that could be used for archival to replace the monstrosity pst files that had been in use for decades (ok, maybe just a decade, or a tad more, but close enough).

For environments running Exchange 2010, he explained that to configure archive mailboxes:

  • Click on Start > Administrative Tools
  • Open the Exchange Management Console
  • Click on Recipient Configuration
  • Click on the user who you would like to configure
  • Using the action pane, click on Enable Archive
  • To see an archive, log in to Outlook Web App with the user. You can then drag and drop some items into the online archive and change its name.

Then everyone realized that Microsoft, in their infinite wisdom, invented online archiving because it requires a CAL of its own. Each of the Exchange Admins then realized that the cost of said CAL would come from their own allotment of porridge!

Health: such a small price to pay for online archiving!

Mac OS X Mass Deployment

LoginHook Bonjour

Want users to be able to use Bonjour at home without having their systems registering with Bonjour when they’re on your network?

Many environments have taken to wholesale disabling Bonjour. This can be done by augmenting the LaunchDaemon that invokes Bonjour, com.apple.mDNSResponder.plist that is located at /System/Library/LaunchDaemons. You add a -NoMulticastAdvertisements to the ProgramArguments array. This can be done with the defaults command as so:

defaults write /System/Library/LaunchDaemons/com.apple.mDNSResponder ProgramArguments -array-add "-NoMulticastAdvertisements"

This can then be undone by writing the contents you want back into the array without the -NoMulticastAdvertisements:

defaults write /System/Library/LaunchDaemons/com.apple.mDNSResponder ProgramArguments -array /usr/sbin/mDNSResponder -launchd

This is somewhat well documented, initially appearing as an Apple kbase article. However, we should keep in mind that computers, especially laptops, have a tendency to go home with people. Therefore, you may very well want to fire Bonjour back up in the event that your users are not in your environment. Prior to Mac OS X 10.6 (aka 10.5 and below) you could edit the /System/Library/SystemConfiguration/Kicker.bundle/Contents/Resources/Kicker.xml file to add a shell script, and upon network change it would fire off an event to run some script that you craft. In this case, the script you might run would simply check some variable you decide to key off of and run one of the two above commands in an if/then, keyed off whether the name mybigserver.mydomain.com resolves (we’re assuming it does in your network and it does not when you’re outside it):

if [ "$(host mybigserver.mydomain.com | grep -ic 'not found:')" -gt 0 ]; then
  # Name does not resolve: off the corporate network, so restore the default arguments (Bonjour on)
  defaults write /System/Library/LaunchDaemons/com.apple.mDNSResponder ProgramArguments -array /usr/sbin/mDNSResponder -launchd
else
  # Name resolves: on the corporate network, so reset the arguments and add the flag (Bonjour off)
  defaults write /System/Library/LaunchDaemons/com.apple.mDNSResponder ProgramArguments -array /usr/sbin/mDNSResponder -launchd
  defaults write /System/Library/LaunchDaemons/com.apple.mDNSResponder ProgramArguments -array-add "-NoMulticastAdvertisements"
fi

You can also use this as a login hook, or with the if/then branches swapped as a logout hook; customize to your heart’s content. You could even run it at boot time or on a scheduled interval, instead of as a login hook. Now, the simple fact is that since this is easy, it’s tempting. But luckily some really smart guys thought of a better way to do this kind of thing (not relying on a login or logout hook). They thought that the old 10.5 Kicker was a much better solution and came up with the next best thing, crankd, which allows you to fire off a shell script (maybe one similar to the one here) when the network status changes. Thanks to all involved with this project.


ePub and iPad

As an author, I’m pretty interested in the changing face of the publishing industry. Tim O’Reilly was on the cover of Inc magazine this month and I’ve been following his musings about publishing for some time. But this whole digital publishing thing has to make an author think about what it means for us. But as a geek, I’m stuck in the technical, wondering if I were to self-publish something straight to the iPad, what would it look like? Not the content, but the files.

ePub seems to be the main focus of e-book devices and where the industry is going to go. ePub is a format ratified by the International Digital Publishing Forum (IDPF) and based on XHTML. ePub support will be built into the upcoming versions of a couple of different software packages, most notably Scrivener. For software that has ePub support, you can export out of the software easily as an ePub file. These files can then be viewed from iBooks on the iPad, i2Reader on the iPhone, Calibre on Mac OS X/Windows/Linux and Aldiko for Android.

Now how to reach the masses and get them to buy, download and read your content is another story. Currently, Amazon allows you to submit content to the Kindle store and Aldiko allows you to copy ePub files directly to an Android through the use of an SD card. Lulu should allow content to go directly to the iBookstore, but for those of us with an eye to publish to the iPad will need to wait for a few more details to unfold. In the meantime, read up on ePub if you’re interested in self-publishing (especially on the DRM capabilities) and I’ll post something here when I’m ready to announce any projects I have in the poker going that direction. Also, in the meantime feel free to pick up the 1st edition of the Mac OS X security book I did on Kindle. :)