Tag Archives: Mac OS X

Active Directory Mac OS X Mac OS X Server Mac Security Mass Deployment

Destroy Open Directory Servers Using The Server App

You can destroy an LDAP server using the Server app (the command line slapconfig -destroyldapserver still works as well). To do so, open the Server app and click on Open Directory. Then click on the Open Directory server in the list of servers.


When prompted to destroy the LDAP Master, click on Next.


When asked if you’re sure, click Continue.


When asked if you’re really, really sure, click Destroy.



Mac OS X Mac OS X Server

Use a Keystroke to Maximize Finder Windows In OS X

The Maximize jelly in OS X that makes a window the full size that the screen should be is great. The command that it runs is called Zoom. There’s another one to minimize windows, as well. The minimize has a keystroke mapped of Command-Shift-M. I use it all the time. You can also map a keystroke to make the windows bigger, invoking that Zoom command. Sometimes, when I plug and unplug the monitor on my desk at work and take my laptop home, I end up with windows stuck where the jellies (what those little buttons in the top corner of the screen are called) are above the menu bar and I can’t click them. So the keystroke helps, as it basically resizes for me.

To map the keystroke to maximize a screen, first open System Preferences from the Apple menu and open the Keyboard System Preference pane. Then click on the Shortcuts tab and then App Shortcuts in the list of shortcuts. Then click on the + button at the bottom of the list. By default, you’ll see All Applications as the Application your keystroke will work in, but if you only need to do this in certain apps, you can select one instead.


Next, in the Menu Title field, enter Zoom which is the name of that command from earlier. Click in the Keyboard Shortcut field and enter a key combination you’d like to use. On mine it’s mapped to Control-Command-M. Then click on the Add button.

Nice and easy. You might have to restart apps to pick up the new keystroke but usually you do not. Enjoy.

Oh, and if you’re interested in scripting this as part of your imaging process, see Defaults & symbolichotkeys in Mac OS X.

Mac OS X Mac OS X Server Mac Security

Yosemite and statshares in smbutil

The statshares option has an -m option to look at a mount path for showing the path to the mount (e.g. if the mount is called krypted this should be something like /Volumes/krypted):

smbutil statshares -m /Volumes/krypted

When run, you see a list of all the attributes OS X tracks for that mount path, including the name of the server, the user ID (octal), how SMB negotiated an authentication, what version of SMB is running (e.g. SMB_1), the type of share and whether signing, extended security, Unix and large files are supported.

Additionally, if you’d like to see the attributes for all shares, use the -a option after statshares:

smbutil statshares -a

Overall, this is a nice health check type of verb for the smbutil command that can be added to any monitoring or troubleshooting workflow. Other verbs for smbutil include lookup, status, view, and identity. All are very helpful in troubleshooting connections to SMB targets.
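As an added example of building statshares into a monitoring workflow (this is not code from the original post), the script below runs smbutil statshares -m against a mount path, picks the attributes the post lists out of the output, and warns when a share negotiated SMB_1 or reports SIGNING_SUPPORTED as anything other than TRUE, since SMB1 and unsigned sessions are the settings a defender most wants flagged. The sample statshares output embedded in the script is constructed to resemble the Yosemite table and is an assumption about the exact layout; the live wrapper only works on OS X, where smbutil exists.

```shell
#!/bin/sh
# Added example: health check around `smbutil statshares -m`.
# Not from the original post; the sample output below is constructed.

# Pull one attribute value out of statshares output. statshares prints
# "ATTRIBUTE   VALUE" rows, so match the attribute name as the first
# field and return the second.
share_attr() {
    # $1 = statshares output, $2 = attribute name (e.g. SMB_VERSION)
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# Evaluate one share's attributes. Returns 0 when nothing is flagged,
# 1 when a warning was written to stderr.
check_share() {
    out="$1"
    rc=0
    ver=$(share_attr "$out" SMB_VERSION)
    signing=$(share_attr "$out" SIGNING_SUPPORTED)
    case "$ver" in
        SMB_1|"")
            echo "WARN: share negotiated ${ver:-unknown} (legacy SMB1)" >&2
            rc=1 ;;
    esac
    if [ "$signing" != "TRUE" ]; then
        echo "WARN: SMB signing not supported on this share" >&2
        rc=1
    fi
    return $rc
}

# Live wrapper: only meaningful on OS X, where smbutil exists.
check_mount() {
    check_share "$(smbutil statshares -m "$1")"
}

# Constructed sample output (not captured from a real server): an SMB1
# share without signing, and a healthier SMB3 share.
SAMPLE_SMB1='SHARE   ATTRIBUTE TYPE   VALUE
krypted
        SERVER_NAME                   fileserver.example.com
        USER_ID                       501
        SMB_NEGOTIATE                 SMBV_NEG_SMB1_ENABLED
        SMB_VERSION                   SMB_1
        SMB_SHARE_TYPE                DISK
        SIGNING_SUPPORTED             FALSE
        EXTENDED_SECURITY_SUPPORTED   TRUE
        UNIX_SUPPORT                  TRUE
        LARGE_FILE_SUPPORTED          TRUE'

SAMPLE_SMB3='krypted
        SERVER_NAME                   fileserver.example.com
        USER_ID                       501
        SMB_VERSION                   SMB_3.0
        SIGNING_SUPPORTED             TRUE'

# Usage: sh smb_share_check.sh /Volumes/krypted
if [ $# -gt 0 ]; then
    check_mount "$1" && echo "OK: $1"
fi
```

The check deliberately treats a missing SMB_VERSION as a warning rather than a pass, so a server that prints a layout the parser does not understand shows up in monitoring instead of silently reporting healthy.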

Mac OS X Mac OS X Server Mac Security Network Infrastructure

Directory Utility in Yosemite. I’m not Dead Yet… Mapping Attributes 101

The Directory Utility application has moved to /System/Library/CoreServices/Applications. Once open, you can use it to bind to directory services, change search policies and even dink around with NIS if you still rock the flannel with your ripped up jeans. But, the thing that I tend to do in Directory Utility the most is look at user and group attributes. To do so, open Directory Utility and click on the Directory Editor tab. In the bar directly below, you’ll see Viewing and In Node. The Viewing option is what type of object you’re going to look at. The In Node option shows the directory domain you’re viewing. Below, we show the local users in /Local/Default.

Click on a user and you will see all of the attributes that exist for that user. Not all users are created equal when it comes to attributes, so if you’re looking for a specific attribute then you can go through different users to see what they have.


Change the In Node option to /LDAPV3/ (or the name of your directory service such as your Active Directory) to see all the attributes available there. You can then note the names and use them in scripts, etc.


You can also access this information via dscl, but I’ve covered that enough times in the past to be bored with myself for even making the reference. Enjoy.

Mac OS X Mass Deployment

Upgrade to OS X Yosemite

Installing OS X has never been easier than in Yosemite. In this article, we’ll look at upgrading a Mac from OS X 10.9 (Mavericks) to OS X 10.10 (Yosemite). The first thing you should do is clone your system. The second thing you should do is make sure you have a good backup. The third thing you should do is make sure you can swap back to the clone should you need to do so and that your data will remain functional on the backup. Once you’re sure that you have a fallback plan, let’s get started by downloading OS X Yosemite from the App Store. Once downloaded, you’ll see Install OS X Yosemite sitting in LaunchPad, as well as in the /Applications folder.


Open the app and click Continue (provided of course that you are ready to restart the computer and install OS X Yosemite).


At the licensing agreement, click Agree (or don’t and there will be no Mavericks for you).


At the pop-up click Agree again, unless you’ve changed your mind about the license agreement in the past couple of seconds.


At the Install screen, click Install and the computer will reboot.


And you’re done. Now for the fun stuff!


iPhone Mac OS X Mac OS X Server Mac Security Mass Deployment

Add Your VPP Token To Profile Manager Running on Yosemite (OS X Server)

Apple began rolling out new features with the new Volume Purchase Program (VPP) last year. There are lots of good things to know here. First, the old way should still work. You’re not losing the stuff you already invested in, such as Configurator with those codes you might have used last year with supervision. However, you will need an MDM solution (Profile Manager, Casper, Absolute, FileWave, etc.) to use the new tools. Also, the new token options are for one-to-one (1:1) environments; this isn’t for multi-tenant environments. You can only use these codes and options for iOS 7 and OS X 10.9 and 10.10. Also, if you install your vpptoken on Yosemite Server and you’re running that same vpptoken elsewhere, Yosemite Server will take all of the codes that have been issued for itself (feature or bug, you decide).

But this article isn’t about the fine print details of the new VPP. Instead, this article is about making Profile Manager work with your new VPP token. Before you get started, know that when you install your vpptoken, if it’s in use by another MDM, Profile Manager will unlicense all apps with your other MDM. To get started, log into your VPP account. Once logged in, click on your account email address and then select Account Summary.


Then, click on the Download Token link and your token will be downloaded to your ~/Downloads (or wherever you download stuff).


Once you have your token, open the Server app and click on the Profile Manager service.


Click on the checkbox for Distribute apps and books from the Volume Purchase Program.


At the VPP Managed Distribution screen, drag the .vpptoken file downloaded earlier into the screen.

Click Continue. The VPP code email address will appear in the screen. Click Done.


Back at the Profile Manager screen, you should then see that the checkbox is filled and you can now set up Profile Manager.


The rest of the configuration of Profile Manager is covered in a previous article.

Note: The account used to configure the VPP information is not tracked in any serveradmin settings.

Mac OS X Mac OS X Server Mac Security Mass Deployment

Configure An Open Directory Master In OS X Yosemite Server

Open Directory has never been so easy to set up for a basic environment as it is in OS X Yosemite Server (OS X 10.10, Server app 4). It’s also never been so annoyingly simple to use that doing anything cool requires a bunch of command line foo. No offense to the developers, but this whole idea that the screens that were being continually refined for a decade just need to be thrown out and started fresh seems to have led to a few babies thrown out along with them. Not often, as I’m kinda’ digging most of the new config screens in OS X Yosemite Server, but with Open Directory, it’s just too easy. Features mean buttons. Buttons make things a tad bit more complicated to use than an ON/OFF switch…

Anyway, rant over. Moving on. As with almost any previous version of OS X Server and Open Directory, once you’ve installed the Server app, run the changeip command along with the -checkhostname option to verify that the IP, DNS and hostname match. Only proceed once you get an indication of “Success” (the promotion will fail anyway if they don’t match):

bash-3.2# changeip -checkhostname
dirserv:success = "success"

To set up the Open Directory Master, open the Server app and click on the Open Directory service (might need to Show under Advanced in the Server app sidebar). From here, click on the ON button.


For the purposes of this example, we’re setting up an entirely new Open Directory environment. At the “Configure Network Users and Groups” screen, click on “Create a new Open Directory Domain” and click on the Next button.


Note: If you are restoring an archive of an existing Open Directory domain, you would select the bottom option from this list.

At the Directory Administrator screen, enter a username and password for the directory administrator account. The default account is sufficient, although it’s never a bad idea to use something a bit less generic.


Once you’ve entered the username and password, click on the Next button. Then we’re going to configure the SSL information.


At the Organization Information screen, enter a name for the organization in the Organization Name field and an Email Address to be used in the SSL certificate in the Admin Email Address field. Click on Next.


At the Confirm Settings screen, make sure these very few settings are OK with you and then click on the Set Up button to let slapconfig (the command that runs the OD setup in the background, kinda’ like a cooler dcpromo) do its thing. When the Open Directory master has been configured, the indicator light for the Open Directory service should appear; there’s no need to reboot or anything. If the promotion fails, look to the preflight options I wrote up awhile back.


Clicking on the minus (“-”) button while a server is highlighted runs a slapconfig -destroyldapserver on the server and destroys the Open Directory domain if it is the only server. All domain information is lost when this happens.


Next, let’s bind a client. Binding clients can be done in a few different ways. You can use a script, a Profile, the Users & Groups System Preference pane or build binding into the imaging process. For the purpose of this example, we’ll use the System Preference pane.

To get started, open up the System Preference pane and then click on Users & Groups. From here, click on Login Options and then unlock the lock in the lower left corner of the screen, providing a username and password when prompted.


Click on the Edit… button and then the plus sign (“+”).


Then, enter the name of the Open Directory Master (the field will expand with options when you enter the host name).


It’s probably best not to use the IP address at this point as the master will have an SSL certificate tied to the name. Click OK to accept the certificate (if it’s self-signed) and then the system should finish binding. Once bound, I like to use either id or dscl to verify that directory accounts are properly resolving before I try logging in as an Open Directory user.

Provided everything works, that’s it. The devil is of course in the details. There is very little data worth having if it isn’t backed up. Notice that you can archive by clicking on the cog wheel icon in the Open Directory service pane, much like you could in Server Admin. Or, because this helps when it comes to automating backups (with a little expect), run a backup from the command line with the slapconfig command along with the -backupdb option followed by a path to back the data up to:

sudo slapconfig -backupdb /odbackups

The result will be a request for a password then a bunch of information about the backup:

bash-3.2# sudo slapconfig -backupdb /odbackups
2014-09-23 00:26:01 +0000 slapconfig -backupdb
Enter archive password:
2014-09-23 00:26:06 +0000 1 Backing up LDAP database
2014-09-23 00:26:06 +0000 popen: /usr/sbin/slapcat -l /tmp/slapconfig_backup_stage57244NLmNnX/backup.ldif, "r"
5420be1e bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
2014-09-23 00:26:06 +0000 popen: /usr/sbin/slapcat -b cn=authdata -l /tmp/slapconfig_backup_stage57244NLmNnX/authdata.ldif, "r"
5420be1e bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
2014-09-23 00:26:06 +0000 popen: /bin/cp /var/db/openldap/openldap-data/DB_CONFIG /tmp/slapconfig_backup_stage57244NLmNnX/DB_CONFIG, "r"
2014-09-23 00:26:06 +0000 popen: /bin/cp /var/db/openldap/authdata//DB_CONFIG /tmp/slapconfig_backup_stage57244NLmNnX/authdata_DB_CONFIG, "r"
2014-09-23 00:26:06 +0000 popen: /bin/cp -r /etc/openldap /tmp/slapconfig_backup_stage57244NLmNnX/, "r"
2014-09-23 00:26:06 +0000 popen: /bin/hostname > /tmp/slapconfig_backup_stage57244NLmNnX/hostname, "r"
2014-09-23 00:26:06 +0000 popen: /usr/sbin/sso_util info -pr /LDAPv3/ > /tmp/slapconfig_backup_stage57244NLmNnX/local_odkrb5realm, "r"
2014-09-23 00:26:06 +0000 popen: /usr/bin/tar czpf /tmp/slapconfig_backup_stage57244NLmNnX/krb5backup.tar.gz /var/db/krb5kdc/kdc.conf /var/db/krb5kdc/acl_file.* /var/db/krb5kdc/m_key.* /etc/krb5.keytab , "r"
tar: Removing leading '/' from member names
2014-09-23 00:26:06 +0000 2 Backing up Kerberos database
2014-09-23 00:26:06 +0000 popen: /bin/cp /var/db/dslocal/nodes/Default/config/KerberosKDC.plist /tmp/slapconfig_backup_stage57244NLmNnX/KerberosKDC.plist, "r"
2014-09-23 00:26:06 +0000 popen: /bin/cp /Library/Preferences/com.apple.openldap.plist /tmp/slapconfig_backup_stage57244NLmNnX/, "r"
2014-09-23 00:26:06 +0000 3 Backing up configuration files
2014-09-23 00:26:06 +0000 popen: /usr/bin/sw_vers > /tmp/slapconfig_backup_stage57244NLmNnX/version.txt, "r"
2014-09-23 00:26:06 +0000 popen: /bin/cp -r /var/db/dslocal /tmp/slapconfig_backup_stage57244NLmNnX/, "r"
2014-09-23 00:26:06 +0000 Backed Up Keychain
2014-09-23 00:26:06 +0000 4 Backing up CA certificates
2014-09-23 00:26:06 +0000 5 Creating archive
2014-09-23 00:26:06 +0000 command: /usr/bin/hdiutil create -ov -plist -puppetstrings -layout UNIVERSAL CD -fs HFS+ -volname ldap_bk -srcfolder /tmp/slapconfig_backup_stage57244NLmNnX -format SPARSE -encryption AES-256 -stdinpass /odbackups
2014-09-23 00:26:12 +0000 Removed directory at path /tmp/slapconfig_backup_stage57244NLmNnX.
2014-09-23 00:26:12 +0000 Removed file at path /var/run/slapconfig.lock.

To restore a database (such as from a previous version of the operating system, where such an important option was actually present), use the following command, which just swaps -backupdb for -restoredb:

sudo slapconfig -restoredb /odbackups

Both commands ask you for a password to encrypt and decrypt the disk image created by them.
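As an added example of the automation the post hints at (this is not code from the original post or from Apple), the script below wires the two command-line pieces together: it refuses to run unless changeip -checkhostname reports success, drives the “Enter archive password:” prompt of slapconfig -backupdb with expect, and then checks the log for the five numbered steps and the lock-file removal before trusting the archive. The OD_BACKUP_PASS environment variable and the od-YYYYMMDD naming are assumptions made for this example; the embedded sample log is trimmed from the post’s own backup output.

```shell
#!/bin/sh
# Added example: preflight, back up, and verify an Open Directory master.
# Not from the original post. Assumes: run as root on OS X Server, expect
# installed (it ships with OS X), and the archive password exported in
# OD_BACKUP_PASS (hypothetical variable name) rather than typed into the
# script.

# Return 0 only when changeip reports dirserv:success = "success".
# $1 = captured output of `changeip -checkhostname`.
hostname_check_ok() {
    printf '%s\n' "$1" | grep -q 'dirserv:success = "success"'
}

# slapconfig -backupdb logs numbered steps 1..5 and, on success, removes
# its lock file. Return 0 only if every step and the removal appear in $1.
backup_log_ok() {
    log="$1"
    for step in "1 Backing up LDAP database" \
                "2 Backing up Kerberos database" \
                "3 Backing up configuration files" \
                "4 Backing up CA certificates" \
                "5 Creating archive"; do
        printf '%s\n' "$log" | grep -q "$step" || return 1
    done
    printf '%s\n' "$log" | grep -q 'Removed file at path /var/run/slapconfig.lock'
}

# Build a dated archive path under a base directory, e.g.
# /odbackups/od-20140923. hdiutil appends .sparseimage to it.
backup_path() {
    # $1 = base directory, $2 = date stamp (YYYYMMDD)
    printf '%s/od-%s' "${1%/}" "$2"
}

# Live wrapper for OS X Server.
od_backup() {
    base="${1:-/odbackups}"
    [ -n "$OD_BACKUP_PASS" ] || { echo "set OD_BACKUP_PASS first" >&2; return 2; }
    hostname_check_ok "$(changeip -checkhostname 2>&1)" || {
        echo "changeip -checkhostname did not report success; fix DNS/hostname first" >&2
        return 1
    }
    mkdir -p "$base"
    dest=$(backup_path "$base" "$(date +%Y%m%d)")
    # expect answers the password prompt; the password never hits argv.
    log=$(OD_DEST="$dest" expect -c '
        spawn /usr/sbin/slapconfig -backupdb $env(OD_DEST)
        expect "Enter archive password:"
        send "$env(OD_BACKUP_PASS)\r"
        expect eof
    ')
    backup_log_ok "$log" || { echo "backup log incomplete, do not trust $dest" >&2; return 1; }
    echo "backup written to $dest.sparseimage"
}

# Sample log, trimmed from the post's own slapconfig -backupdb output.
SAMPLE_BACKUP_LOG='2014-09-23 00:26:01 +0000 slapconfig -backupdb
2014-09-23 00:26:06 +0000 1 Backing up LDAP database
2014-09-23 00:26:06 +0000 2 Backing up Kerberos database
2014-09-23 00:26:06 +0000 3 Backing up configuration files
2014-09-23 00:26:06 +0000 4 Backing up CA certificates
2014-09-23 00:26:06 +0000 5 Creating archive
2014-09-23 00:26:12 +0000 Removed directory at path /tmp/slapconfig_backup_stage57244NLmNnX.
2014-09-23 00:26:12 +0000 Removed file at path /var/run/slapconfig.lock.'

# Usage: OD_BACKUP_PASS=... sh od_backup.sh /odbackups
if [ $# -gt 0 ]; then od_backup "$1"; fi
```

The log check matters because slapconfig exits the same way whether or not hdiutil produced a usable image; a backup job that only looks at the exit status will happily rotate good archives out while keeping broken ones.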

Mac OS X

Make the Menu Bar All Emo In Yosemite

In case your Mac just isn’t emo enough for ya’, Apple’s provided us a cool little new feature in Yosemite called dark mode. No, this won’t cause Hellboy to leap forth from your MacBook Air. Well, maybe he’ll visit your MacBook Pro, but I haven’t tested that so please don’t quote me on that. Instead, you’ll get the nice new dark menu bar:


But that’s not all folks! Your dock will also get all dark and gothy!


To turn it on, just open the General System Preference pane and check the box for “Use dark menu bar and Dock”.


Enjoy! Oh, and if that’s not emo enough for you feel free to watch this sad emo love song video (yes, I googled for “sad emo” to find it; no, it’s not bookmarked; yes, I bought eyeliner after watching it; yes, then my high school self time travelled to present day and kicked the crap out of me; yes, I thanked him).

Mac OS X Mac OS X Server Mac Security Mass Deployment Network Infrastructure

Mac Network Commands Cheat Sheet

After writing up the presentation for MacSysAdmin in Sweden, I decided to go ahead and throw these into a quick cheat sheet for anyone who’d like to have them all in one place. Good luck out there, and stay salty.

Get an ip address for en0:

ipconfig getifaddr en0

Same thing, but setting and echoing a variable:

ip=`ipconfig getifaddr en0` ; echo $ip

View the subnet mask of en0:

ipconfig getoption en0 subnet_mask

View the dns server for en0:

ipconfig getoption en0 domain_name_server

Get information about how en0 got its dhcp on:

ipconfig getpacket en0

View some network info:

ifconfig en0

Set en0 to have an ip address of and a subnet mask of

ifconfig en0 inet netmask

Show a list of locations on the computer:

networksetup -listlocations

Obtain the active location the system is using:

networksetup -getcurrentlocation

Create a network location called Work and populate it with information from the active network connection:

networksetup -createlocation Work populate

Delete a network location called Work:

networksetup -deletelocation Work

Switch the active location to a location called Work:

networksetup -switchlocation Work

Switch the active location to a location called Work, but also show the GUID of that location so we can make scripties with it laters:

scselect Work

List all of the network interfaces on the system:

networksetup -listallnetworkservices

Rename the network service called Ethernet to the word Wired:

networksetup -renamenetworkservice Ethernet Wired

Disable a network interface:

networksetup -setnetworkserviceenabled off

Change the order of your network services:

networksetup -ordernetworkservices "Wi-Fi" "USB Ethernet"

Set the interface called Wi-Fi to obtain it if it isn’t already

networksetup -setdhcp Wi-Fi

Renew dhcp leases:

ipconfig set en1 BOOTP && ipconfig set en1 DHCP
ifconfig en1 down && ifconfig en1 up

Renew a dhcp lease in a script:

echo "add State:/Network/Interface/en0/RefreshConfiguration temporary" | sudo scutil

Configure a manual static ip address:

networksetup -setmanual Wi-Fi

Configure the dns servers for a given network interface:

networksetup -setdnsservers Wi-Fi

Obtain the dns servers used on the Wi-Fi interface:

networksetup -getdnsservers Wi-Fi

Stop the application layer firewall:

launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist
launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist

Start the application layer firewall:

launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist
launchctl load /System/Library/LaunchAgents/com.apple.alf.useragent.plist

Allow an app to communicate outside the system through the application layer firewall:

socketfilterfw -t "/Applications/FileMaker Pro/FileMaker Pro.app/Contents/MacOS/FileMaker Pro"

See the routing table of a Mac:

netstat -nr

Add a route so that traffic for communicates over the network interface:

route -n add

Log bonjour traffic at the packet level:

sudo killall -USR2 mDNSResponder

Stop Bonjour:

launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

Start Bonjour:

launchctl load -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

Put a delay in your pings:

ping -i 5

Ping the hostname 5 times and then stop the ping:

ping -c 5 google.com

Flood ping the host:

ping -f localhost

Set the packet size during your ping:

ping -s 100 google.com

Customize the source IP during your ping:

ping -S google.com

View disk performance:

iostat -d disk0

Get information about the airport connection on your system:

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -I

Scan the available Wireless networks:

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -s

Trace the path packets go through:

traceroute google.com

Trace the routes without looking up names:

traceroute -n google.com

Trace a route in debug mode:

traceroute -d google.com

View information on all sockets:

netstat -at

View network information for ipv6:

netstat -lt

View per protocol network statistics:

netstat -s

View the statistics for a specific network protocol:

netstat -p igmp

Show statistics for network interfaces:

netstat -i

View network information as it happens (requires ntop to be installed):


Scan port 80 of www.google.com

/System/Library/CoreServices/Applications/Network\ Utility.app/Contents/Resources/stroke www.google.com 80 80

Port scan krypted.com stealthily:

nmap -sS -O krypted.com/24

Establish a network connection with www.apple.com:

nc -v www.apple.com 80

Establish a network connection with gateway.push.apple.com over port 2195

/usr/bin/nc -v -w 15 gateway.push.apple.com 2195

Establish a network connection with feedback.push.apple.com only allowing ipv4

/usr/bin/nc -v -4 feedback.push.apple.com 2196

Setup a network listener on port 2196 for testing:

/usr/bin/nc -l 2196

Capture some packets:

tcpdump -nS

Capture all the packets:

tcpdump -nnvvXS

Capture the packets for a given port:

tcpdump -nnvvXs 548

Capture all the packets for a given port going to a given destination of

tcpdump -nnvvXs 548 dst

Capture the packets as above but dump to a pcap file:

tcpdump -nnvvXs 548 dst -w /tmp/myfile.pcap

Read tcpdump (cap) files and try to make them human readable:

tcpdump -qns 0 -A -r /var/tmp/capture.pcap

What binaries have what ports and in what states are those ports:

lsof -n -i4TCP

Make an alias for looking at what has a listener open, called ports:

alias ports='lsof -n -i4TCP | grep LISTEN'

Report back the name of the system:


Flush the dns cache:

dscacheutil -flushcache

Clear your arp cache:

arp -ad

View how the Server app interprets your network settings:

serveradmin settings network

Whitelist the ip address

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -w

Finally, the script network_info.sh shows information about a Mac’s network configuration. Both active and inactive network interfaces are listed, in the order that they are used by the OS and with a lot of details (MAC address, interface name, router, subnet mask, etc.).
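As an added example in the spirit of that script (this is not network_info.sh and not code from the original post), the following combines networksetup and the ipconfig commands from the cheat sheet into one interface inventory: it parses networksetup -listallhardwareports into device, port name and MAC address, then asks ipconfig for each device’s address, subnet mask and router. The parser is the part worth keeping, since the record layout is what breaks scripts; the networksetup output embedded for offline testing is constructed, and the live query only works on OS X.

```shell
#!/bin/sh
# Added example: interface inventory from networksetup + ipconfig.
# Not from the original post; the sample networksetup output is constructed.

# Parse `networksetup -listallhardwareports` output into lines of
# "device|port|mac". networksetup prints three-line records:
#   Hardware Port: Wi-Fi
#   Device: en0
#   Ethernet Address: 00:11:22:33:44:55
# Splitting on ": " keeps the colons inside the MAC address intact.
parse_hardware_ports() {
    printf '%s\n' "$1" | awk -F': ' '
        /^Hardware Port:/    { port = $2 }
        /^Device:/           { dev = $2 }
        /^Ethernet Address:/ { print dev "|" port "|" $2 }
    '
}

# Live query for one device: address, subnet mask and router from ipconfig
# (the same ipconfig getifaddr / getoption calls as the cheat sheet).
# ipconfig prints nothing for an interface without a lease, so default to "-".
describe_device() {
    dev="$1"
    addr=$(ipconfig getifaddr "$dev" 2>/dev/null)
    mask=$(ipconfig getoption "$dev" subnet_mask 2>/dev/null)
    gw=$(ipconfig getoption "$dev" router 2>/dev/null)
    printf '%s addr=%s mask=%s router=%s\n' "$dev" "${addr:--}" "${mask:--}" "${gw:--}"
}

# Print one line per hardware port, active or not.
network_info() {
    parse_hardware_ports "$(networksetup -listallhardwareports)" |
    while IFS='|' read -r dev port mac; do
        printf '%-8s %-22s %s  ' "$dev" "$port" "$mac"
        describe_device "$dev"
    done
}

# Constructed sample of networksetup -listallhardwareports output.
SAMPLE_PORTS='Hardware Port: Wi-Fi
Device: en0
Ethernet Address: 00:11:22:33:44:55

Hardware Port: Thunderbolt Ethernet
Device: en4
Ethernet Address: 66:77:88:99:aa:bb

VLAN Configurations
==================='

# Usage: sh network_inventory.sh run
if [ $# -gt 0 ]; then network_info; fi
```

Keeping the parser separate from the live query means the inventory can also be run against saved networksetup output from another machine, which is handy when comparing a fleet’s interfaces against an asset list.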

Mac OS X Mac OS X Server

(Cross-Post) Video from JSS-autopkg-addon Presentation

JSS-autopkg-addon Presentation from Allister Banks on Vimeo.

(Guest post by Allister Banks)

On June 26th, I had the pleasure of being invited by @Tecnico1931 to the NYC Metro JAMF user group meeting.

A worksheet I created for this event may be found here: url.aru-b.com/jssAutopkg

See also Shea Craig’s python-jss, and thanks go out to James Barclay, Sam Johnson, and all the folks mentioned in the video.