krypted.com

Tiny Deathstars of Foulness

Exchange Online and Exchange 2010-2016 can block a device from accessing ActiveSync using a policy. To do so, first grab a list of all operating systems you’d like to block. To do so, first check which ones are out there using the Get-ActiveSyncDevice command, and looking at devicetype, deviceos, and deviceuseragent. This can be found using the following command:

Get-ActiveSyncDevice | select devicetype,deviceos,deviceuseragent

The command will show each of the operating systems that have accessed the server, including the user agent. You can block access based on each of these. In the following command, we’ll block one that our server found that’s now out of date:

New-ActiveSyncDeviceAccessRule -Characteristic DeviceOS -QueryString "iOS 8.1 12A369" -AccessLevel Block

To see all blocked devices, use

Get-ActiveSyncDeviceAccessRule | where {$_.AccessLevel -eq 'Block'}

If you mistakenly block a device, remove the block by copying it into your clipboard and then pasting into a Remove-ActiveSyncDeviceAccessRule commandlet:

Remove-ActiveSyncDeviceAccessRule -Characteristic DeviceOS -QueryString "iOS 8.1 12A369" -AccessLevel Block

Or to remove all the policies:

Get-ActiveSyncDeviceAccessRule | Remove-ActiveSyncDeviceAccessRule

May 25th, 2016

Posted In: iPhone, Microsoft Exchange Server

Tags: , , , ,

Leave a Comment

May 6th, 2016

Posted In: Mac OS X, Mac OS X Server

Tags: , , , , , , ,

A number of systems require you to use complex characters in passwords and passcodes. Here is a list of characters that can be used, along with the name and the associated unicode:

  •    (Space) U+0020
  • ! (Exclamation) U+0021
  • ” (Double quotes) U+0022
  • # (Number sign) U+0023
  • $ (Dollar sign) U+0024
  • % (Percent) U+0025
  • & (Ampersand) U+0026
  • ‘  (Single quotes) U+0027
  • ( (Left parenthesis) U+0028
  • ) (Right parenthesis) U+0029
  • * (Asterisk) U+002A
  • + (Plus) U+002B
  • , (Comma) U+002C
  • – (Minus sign) U+002D
  • . (Period) U+002E
  • / (Slash) U+002F
  • : (Colon) U+003A
  • ; (Semicolon) U+003B
  • < (Less than sign) U+003C (not allowed in all systems)
  • = (Equal sign) U+003D
  • > (Greater than sign) U+003E (not allowed in all systems)
  • ? (Question) U+003F
  • @ (At sign) U+0040
  • [ (Left bracket) U+005B
  • \ (Backslash) U+005C
  • ] (Right bracket) U+005D
  • ^ (Caret) U+005E
  • _ (Underscore) U+005F
  • ` (Backtick) U+0060
  • { (Left curly bracket/brace) U+007B
  • | (Vertical bar) U+007C
  • } (Right curly bracket/brace) U+007D
  • ~ (Tilde) U+007E

April 29th, 2016

Posted In: iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , , ,

Precache, available at https://github.com/krypted/precache, is a script that populates the cache on an OS X Caching server for Apple updates. The initial release supported iOS. The script now also supports caching the latest update for an AppleTV. To use that, there’s no need to include an argument for AppleTV. Instead, you would simply  run the script followed by the model identifier, as follows:

sudo python precache.py AppleTV5,4

Screen Shot 2016-04-27 at 1.30.17 PM

April 28th, 2016

Posted In: Apple TV, iPhone, Mac OS X, Mac OS X Server, precache

Tags: , , , ,

April 26th, 2016

Posted In: Apple TV, iPhone, Mac OS X, Mac OS X Server, Mac Security, MacAdmins Podcast

Tags: , , , , , , ,

A little while back, I did a little writeup on how the OS X Caching Server caches updates at http://krypted.com/mac-security/how-the-os-x-caching-server-caches-updates/. The goal was to reverse engineer parts of how it worked for a couple of different reasons. The first was to get updates for devices to cache to my caching server prior to 15 people coming in before it’s cached and having caching it down on their own.

So here’s a little script I call precache. It’s a little script that can be used to cache available Apple updates into an OS X Server that is running the Caching Service. To use, run the script followed by the name of the model. For example, for an iPad 2,1, you would use the following syntax:

sudo python precache.py iPad2,1

To eliminate beta operating systems from your precache,use the –no-beta argument:

sudo python precache.py iPad2,1 --no-beta

I’ll probably add some other little things nee and there, this pretty much is what it is and isn’t likely to become much more. Unless someone has a good idea or forks it and adds it. Which would be cool. Enjoy.

Screen Shot 2016-04-24 at 12.24.23 PM

April 25th, 2016

Posted In: iPhone, Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , ,

Apple Configurator 2 is a great tool. But you need to debug things from time to time. This might mean that a profile is misconfigured and not installing, or that a device can’t perform a task you are sending it to be performed. This is about the time that you need to enable some debug logs. To do so, quit Apple Configurator and then write a string of ALL into the ACULogLevel key in ~/Library/Containers/com.apple.configurator.ui/Data/Library/Preferences/com.apple.configurator.ui.plist:

defaults write ~/Library/Containers/com.apple.configurator.ui/Data/Library/Preferences/com.apple.configurator.ui.plist ACULogLevel -string ALL

To disable, quit Apple Configurator and then delete that ACULogLevel key:

defaults delete ~/Library/Containers/com.apple.configurator.ui/Data/Library/Preferences/com.apple.configurator.ui.plist ACULogLevel

April 19th, 2016

Posted In: Apple Configurator, iPhone

Tags: , , , , ,

The Caching Server in OS X is a little bit of a black box. But, it’s not all that complicated, compared to some things in the IT world. I’d previously written about command line management of the service itself here. When you enable the caching service, the server registers itself as a valid Caching Server. Nearby devices then lookup the closest update server with Apple and register with that update server using a GUID:

/Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings caching:ServerGUID

Then, each time the device looks for an update, it does so against http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml using the device model. Noticed this with this line in my proxy logs:

"GET http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1" 200 - "-" "MobileAsset/1.0"

Let’s say that the device is an iPad 2,7, then the following information is used for the update, with a URL of http://appldnld.apple.com/iOS9.3.1/031-56322-20160331-F8B29F9E-F68D-11E5-AF11-0744ED25FABD/com_apple_MobileAsset_SoftwareUpdate/1c02ea51b4d2d50b04526c4ec29780b8e02dfe76.zip, which is created using the _BaseURL string followed by the _RelativePath string:

<dict>
<key>ActualMinimumSystemPartition</key>
<integer>1965</integer>
<key>Build</key>
<string>13E6238</string>
<key>InstallationSize</key>
<string>0</string>
<key>MinimumSystemPartition</key>
<integer>2017</integer>
<key>OSVersion</key>
<string>9.3.1</string>
<key>ReleaseType</key>
<string>Beta</string>
<key>SUDocumentationID</key>
<string>iOS931GM</string>
<key>SUInstallTonightEnabled</key>
<true/>
<key>SUMultiPassEnabled</key>
<true/>
<key>SUProductSystemName</key>
<string>iOS</string>
<key>SUPublisher</key>
<string>Apple Inc.</string>
<key>SupportedDeviceModels</key>
<array>
<string>P107AP</string>
</array>
<key>SupportedDevices</key>
<array>
<string>iPad2,7</string>
</array>
<key>SystemPartitionPadding</key>
<dict>
<key>1024</key>
<integer>1280</integer>
<key>128</key>
<integer>1280</integer>
<key>16</key>
<integer>160</integer>
<key>256</key>
<integer>1280</integer>
<key>32</key>
<integer>320</integer>
<key>512</key>
<integer>1280</integer>
<key>64</key>
<integer>640</integer>
<key>768</key>
<integer>1280</integer>
<key>8</key>
<integer>80</integer>
</dict>
<key>_CompressionAlgorithm</key>
<string>zip</string>
<key>_DownloadSize</key>
<integer>1164239508</integer>
<key>_EventRecordingServiceURL</key>
<string>https://xp.apple.com/report</string>
<key>_IsZipStreamable</key>
<true/>
<key>_Measurement</key>
<data>Rfrw7jNYWH8xNS67pXoq7NEhpUI=</data>
<key>_MeasurementAlgorithm</key>
<string>SHA-1</string>
<key>_UnarchivedSize</key>
<integer>1235575808</integer>
<key>__AssetDefaultGarbageCollectionBehavior</key>
<string>NeverCollected</string>
<key>__BaseURL</key>
<string>
http://appldnld.apple.com/iOS9.3.1/031-56322-20160331-F8B29F9E-F68D-11E5-AF11-0744ED25FABD/
</string>
<key>__CanUseLocalCacheServer</key>
<true/>
<key>__QueuingServiceURL</key>
<string>https://ns.itunes.apple.com/nowserving</string>
<key>__RelativePath</key>
<string>
com_apple_MobileAsset_SoftwareUpdate/1c02ea51b4d2d50b04526c4ec29780b8e02dfe76.zip
</string>
</dict>

You can then use these dictionaries to assemble this path for all items in the dictionary with “iPad 2,7” in the SupportedDevices key. You can also choose to assemble this path for all items with the OSVersion of a given string, such as 9.3.1 in this case. You could curl these updates down to a client, or request them through the caching service, which would cache them to the Caching Server, using the IP of the server (e.g. 10.1.1.2) http://10.1.1.2:55491/iOS9.3.1/031-56322-20160331-F8B29F9E-F68D-11E5-AF11-0744ED25FABD/1c02ea51b4d2d50b04526c4ec29780b8e02dfe76.zip?source=appldnld.apple.com

Found the above URL using a reverse proxy. This URL is generated based on an http request to the IP address of the caching service, followed by the port. The port is derived using the serveradmin command and query the settings for caching:Port as follows:

/Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings caching:Port

In this example, the URL is then

http://10.1.1.2:55491/

But the URL then splits the _BaseURL into two parts, taking appldnld.apple.com from the URL and appending ?source=appldnld.apple.com. So without the update, the URL would be the following:

http://10.1.1.2:55491?source=appldnld.apple.com

OK, so now we’ll pop the other part of that _BaseURL in there:

http://10.1.1.2:55491/iOS9.3.1/031-56322-20160331-F8B29F9E-F68D-11E5-AF11-0744ED25FABD?source=appldnld.apple.com

And then there’s one more step, which is throw the zip in there:

http://10.1.1.2:55491/iOS9.3.1/031-56322-20160331-F8B29F9E-F68D-11E5-AF11-0744ED25FABD/1c02ea51b4d2d50b04526c4ec29780b8e02dfe76.zip?source=appldnld.apple.com

Viola. Curl that and the caching server will download that update and make it ready for clients to access. Everything is hashed and secure in the directory listed using this command:

/Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings caching:DataPath

April 18th, 2016

Posted In: Apple Configurator, Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , , , ,

Trying our best to get better, like if you were to watch Star Wars Episodes I through VI, the MacAdmins podcast now has an Episode II. No Jar Jar, but I’m there, so close enough!

Screen Shot 2016-04-05 at 12.02.01 AM

Find it at http://podcast.macadmins.org/2016/04/04/episode-2-in-depth-with-ios-9-3/

hammer2

April 5th, 2016

Posted In: Articles and Books, Mac OS X, Mac OS X Server, Mac Security, MacAdmins Podcast, Mass Deployment

Tags: , , , , ,

My latest Huffington Post article, Twenty Cool Things You Can Do with Box is online here. It begins:

If you are looking for a secure and uncomplicated and file sharing service, you will find box.com to be a wonderful way to share files from any device. Today, it is easier than ever for businesses to operate globally regardless of how large or small they are. This is because of the digital age that makes works products easy to share or transfer. Here are twenty cool things that you can do with box.com.

Screen Shot 2016-04-01 at 9.12.58 PM

For more, click here.

 

April 1st, 2016

Posted In: Apps, cloud, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , , ,

Next Page »