krypted.com

Tiny Deathstars of Foulness

My session from MacTech 2017.

September 10th, 2018

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , ,

Hey look, there’s a new category on the Jamf Marketplace, available at https://marketplace.jamf.com/apps/#category=AppConfig,selecting the AppConfig category. The new AppConfig category gives administrators of any MDM that supports AppConfig access to a set of apps that support AppConfig. If you have an app that isn’t listed here, feel free to let me know. 

What does this mean? Well, AppConfig is a way of sending data into an app. App config allows a customer to deploy settings into applications on iOS devices in much the same way that settings can be sent into a Mac app via the defaults command. This means an end user could get an app installed on their device from the iOS App Store, a custom app, or a B2B app and that app would have any settings the user might need to connect to servers or configure the experience.

So what is Managed App Config? At it’s most basic, you identify a label and a value in XML and send it to an iOS device that’s running iOS 7 or later (e.g. via Jamf 9 and up). The vendor who makes the app has to basically define what those settings are. Which brings up an interesting problem never fully addressed with defaults domains: standardization and ease-of-use (although MCX was close). 


AppConfig.org  is a consortium of MDM vendors and software vendors that maintain the emerging AppConfig standards around Managed App Config (within the confines of what Apple gives vendors) and then makes a feed of settings for apps that conform to those standards. Jamf is a founding member of Appconfig.org, along with MobileIron and AirWatch. Examples of what you could put into the AppConfig.org feed include 
  • Enabling certain features of apps
  • Server URLs
  • Logos (if they’re pulled dynamically)
  • Text labels
  • Language packs

To see a list of apps that are available, check out http://www.appconfig.org. 

Managed App Config options are set by vendors at compile time within the code and then the XML sent with the app is parsed by the app at installation time. If you’re a software vendor who wants to get started with AppConfig, check out the Spec Creator from Jamf Research or get in touch with the developer relations team from any MDM vendor.

If you’re a customer of an app and would like to leverage Managed App Config and your vendor isn’t listed on the appconfig.org site, get in touch with them, as this is the future of app management and chances are that you won’t be the only organization looking to unlock this type of feature. 

Let’s look at how this actually works. The Managed App Config options per supported app are available on a feed. The feed is available at http://d2e3kgnhdeg083.cloudfront.net. Here, as follows, you’ll see a list of all of the apps supported.


You can then copy the path for an app, such as com.adobe.Adobe-Reaser/1/appconfig.xml and append it to the end of the URL to get the feed for that specific app. You can test this using http://d2e3kgnhdeg083.cloudfront.net/com.adobe.Adobe-Reader/1/appconfig.xml to see output as follows.


Here, note that most of these fields are key value pairs defined by Adobe (in this example at least). You can enable or disable features of Adobe Reader using these keys. The same is true with a tool like Box that might want a more granular collection of settings than a feature like Managed Open In. 

Once you have the XML, you can then copy it to the clipboard and paste it into the App Configuration tab of an app, as follows. 

Finally, Apple has sample code available at https://developer.apple.com/library/content/samplecode/sc2279/Introduction/Intro.html

March 13th, 2018

Posted In: iPhone, JAMF

Tags: , , , , , , ,

My latest inc.com piece is available at https://www.inc.com/charles-edge/your-employees-want-extra-training-but-youre-going-to-have-to-help-them-get-star.html. It starts off like this, if it’s your kinda’ thing:
Employee engagement is dipping, according to a new study by human resources consultancy Aon Hewitt, but as an manager, you can make the workplace more appealing through positive initiatives such as employee training and development. Indeed, I’ve often had people I manage ask for more training. My answer is always an emphatic “yes.” But then something funny often happens: nothing. Giving staff approval for trainingdoesn’t necessarily mean that they’ll do it unless you follow up methodically and even micromanage the process. Why does this happen and what does it show about how employers and employees alike can do a better job to make sure development happens? I have five theories.

July 7th, 2017

Posted In: Articles and Books

Tags: , , , , ,

Clients discover the Apple Caching service bundled with macOS Server (and in the future macOS) automatically. You can create a text recored for _aaplcache._tcp on your DNS server. That would look
_aaplcache._tcp 518400 IN TXT “prs=192.168.50.100”
Name: _aaplcache._tcp with a type of TXT and a TTL of 518400 seconds. The prs is the address to be used and is set to a value using prs=192.168.50.100.

June 15th, 2017

Posted In: Mac OS X Server

Tags: , , , ,

June 2nd, 2017

Posted In: Mac OS X, Mac OS X Server, Mac Security, MacAdmins Podcast

Tags: , , , , ,

Added 3 new flags into precache tonight: –jamfserver, –jamfuser, and –jamfpassword. These are used to provide a Jamf Pro server (or cloud instance), the username to an account that can list the mobile devices on that server, and a password to that account respectively. Basically, when you provide these, the script will pull a unique set of models and then precache updates for them. It’s similar to grabbing a list of devices: curl -s -u myuser:mypassword https://myserver.jamfcloud.com/JSSResource/mobiledevices And then piping the output of a device list to: perl -lne 'BEGIN{undef $/} while (/<model_identifier>(.*?)<\/model_identifier>/sg){print $1}' And then running that array as an input to precache.py. Hope this helps make the script more useful!

May 13th, 2017

Posted In: iPhone, Mac OS X Server

Tags: , , , , , ,

This is the first page of a 5 page piece I just finished writing for MacTech. After the last episode of the MacAdmins podcast though, I wanted to go ahead and get some of the information out there. For a much more detailed analysis, check out MacTech! Apple has a number of different logging APIs. For the past few releases, Apple has tried to capture everything possible in logs, creating what many administrators and developers might consider to be a lot of chatter. As such, an entirely new interface needed to be developed to categorize and filter messages sent into system logs.

Writing Logs

The logger command is still used to create entries in system logs. However, if you are then using tail to view /var/log/system.log then you will notice that you no longer see your entry being written. This is because as the logs being created in macOS have gotten more complex, the tools to read and write those logs has gotten more complicated as well. Let’s take a simple log entry. Below, we’ll write the string “Hello Logs” into the system log. To do so, use the –i option to put the process id of the logger process and –s to write to the system log, as well as to stderr. To make the entry easier we’ll tag it with –t followed by the string of the tag. And finally, we’ll quote the entry we want written into the log. This is basically the simplest form of an entry: logger -is -t krypted "Hello Logs" Once written, use the log command to read your spiffy new entries. This isn’t terribly different than how things worked previously. If you’re a developer, you will need to note that all of the legacy APIs you might be using, which include asl_log_message, NSLog, and syslog, have been redirected to the new Unified Logging system, provided you build software for 10.12 (you can still build as before for 10.11, iOS 9, tvOS 10, and watchOS 3 and below). These are replaced with the os_log, os_log_info, os_log_debug, os_log_error, os_log_fault, and os_log_create APIs (which correspond to various levels of logs that are written).

Reading Logs

Logs are now stored in the tracev3 formatted files in /var/db/diagnostics, which is a compressed binary format. As with all binary files, you’ll need new tools to read the files. Console has been updated with a new hierarchical capability and the ability to watch activities, subsystems, etc. The log command provides another means of reading those spiffy new logs. To get started, first check out the man page: man log That “Hello Logs” string we used earlier is part of a message that you can easily view using the ‘log show’ command. In the below example, we’ll just run a scan of the last 3 minutes, using the –last option, and then providing a –predicate. We’ll explain those a bit later, but think of it as query parameters – here, we’ll specify to look for “Hello Logs” in eventMessage: log show --predicate 'eventMessage contains "Hello Logs"' --last 3m Filtering the log data using “eventMessage CONTAINS “Hello Logs”” shows us that our entry appears as follows:
Timestamp                       Thread     Type        Activity             PID 2017-03-23 23:51:05.236542-0500 0x4b83bb   Default     0x0                  88294  logger: Hello Logs ——————————————————————————————————————– Log      – Default:          1, Info:                0, Debug:             0, Error:          0, Fault:          0 Activity – Create:           0, Transition:          0, Actions:           0

March 26th, 2017

Posted In: Mac OS X, Mac OS X Server

Tags: , , , , , ,

OK, I don’t talk politics, about personal stuff, etc on this site usually. And I’m not gonna’ start now. But with Give To The Max Day in Minnesota today, I did write an article on the meaning of Compassion on Huffington Post. It can be found at http://www.huffingtonpost.com/charles-edge/what-does-compassion-mean_b_12999974.html if you’re interested in such things; if not, hope you have a wonderful day! screen-shot-2016-11-16-at-2-44-34-pm

November 17th, 2016

Posted In: Tamarisk

Tags: , , , , ,

The Server 5 app that installs on Sierra is great. But sometimes a change doesn’t get committed properly or has a mismatch with a certificate, and the server doesn’t respond properly… I know, you’ve been told that host name changes and IP changes are all kinds of OK at this point; “look, Charles, there’s a button!” Well, go ahead, click it. Don’t mind me, you might just be alright. But then again, you might not if you’re running Open Directory, Profile Manager, or a few other services… When it works it’s a thing of beauty. But when it doesn’t, you might be restoring some stuff from backup. But just before you do that restore, let’s try one more thing. Let’s try and rebuild some certificates and configuration settings that shouldn’t impact actual service operation. Let’s try to reset the Server app and let a fresh install of the Server see if it can fix issues. Now, I want to be clear, this is usually the last resort before restoring a backup. I’ve had a lot of luck with services remaining functional and preserving settings when I do this, but don’t expect that to be the case every time. Basically, we’re going to do what we looked at doing back in ’09 with AppleSetupDone but one designed just for servers, so the file is in the same place (/var/db) and called .ServerSetupDone. To remove it, close Server app and run the following command: sudo rm /var/db/.ServerSetupDone Once removed, open the Server app again and then let the Server app run as though it’s new. Cruft, begone! Make sure to check things like server logs in the event that the service goes unresponsive again, and be wary of performing this step multiple times as there’s likely another underlying issue that you shouldn’t be resetting the server to resolve.

October 11th, 2016

Posted In: Mac OS X Server

Tags: , , , ,

Organizations frequently have another party write iOS apps for them. When doing so, the organization typically wants to sign the .ipa (how iOS apps are deployed) prior to deploying the app to users. To do so, you would sign the .ipa with your provisioning profile. To make doing so easier, here’s ipasign, a python script that does most of the work for ya’: https://github.com/krypted/ipasign/

September 27th, 2016

Posted In: iPhone, Mac OS X, Mac OS X Server

Tags: , , , ,

Next Page »