krypted.com

Tiny Deathstars of Foulness

Profile Manager first appeared in OS X Lion Server as the Apple-provided tool for managing Apple devices, including Mobile Device Management (MDM) for iOS based devices as well as Profile management for OS X based computers, including MacBooks, MacBook Airs, Mac Minis, Mac Pros and iMacs running Mac OS X 10.7 and up. Profile Manager has seen a few more updates over the years, primarily in integrating new MDM options provided by Apple and keeping up with the rapidly changing MDM landscape. Apple has added DEP functionality, content distribution, VPP, and other features over the years. In El Capitan Server, there are plenty of new options, including the ability to deploy VPP apps to devices rather than Apple IDs.

In this article we’ll get Profile Manager setup and perform some basic tasks.

Preparing For Profile Manager

Before we get started, let’s prep the system for the service. This starts with configuring a static IP address and properly configuring a host name for the server. In this example, the hostname will be osxserver.krypted.com. We’ll also be using a self-signed certificate, although it’s easy enough to generate a CSR and install it ahead of time. For the purposes of this example, we have installed Server from the App Store (and done nothing else with Server except open it the first time so it downloads all of its components from the web) and configured the static IP address using the Network System Preferences. Next, we’ll set the hostname to odr using the scutil tool.

sudo scutil --set HostName odr.krypted.com

Then the ComputerName:

sudo scutil --set ComputerName odr.krypted.com

And finally, the LocalHostName:

sudo scutil --set LocalHostName our

Now check changeip:

sudo changeip -checkhostname

The changeip command should output something similar to the following:

Primary address = 192.168.210.201


Current HostName = odr.krypted.com


DNS HostName = odr.krypted.com


The names match. There is nothing to change.
dirserv:success = "success"

If you don’t see the success and that the names match, you might have some DNS work to do next, according to whether you will be hosting DNS on this server as well. If you will be hosting your own DNS on the Profile Manager server, then the server’s DNS setting should be set to the IP address of the Server. To manage DNS, start the DNS service and configure as shown previously:

screen-shot-2016-09-26-at-9-57-55-am

Provided your DNS is configured properly then changeip should work. If you’re hosting DNS on an Active Directory integrated DNS server or some other box then just make sure you have a forward and reverse record for the hostname/IP in question.

Profile Manager is built atop the web service, APNS and Open Directory. Next, click on the Web service and just hit start. While not required for Profile Manager to function, it can be helpful. We’re not going to configure anything else with this service in this article so as not to accidentally break Profile Manager. Do not click on anything while waiting for the service to start. While the indicator light can go away early, note that the Web service isn’t fully started until the path to the default websites is shown (the correct entry, as seen here, should be /Library/Server/Web/Data/Sites/Default) and a View Server Website link is shown at the bottom of the screen. If you touch anything too early then you’re gonna’ mess something up, so while I know it’s difficult to do so, be patient (honestly, it takes less than a minute, wait for it, wait for it, there!).

screen-shot-2016-09-26-at-9-58-31-am

Once the Web service is started and good, click on the View Server Web Site link at the bottom and verify that the Welcome to OS X Server page loads.

Setting Up Profile Manager

Provided the Welcome to OS X Server page loads, click on the Profile Manager service. Here, click on the Configure button.

screen-shot-2016-09-26-at-8-56-47-am

At the first screen of the Configure Device Management assistant, click on Next.

screen-shot-2016-09-26-at-10-01-23-am

Assuming the computer is not yet an Open Directory master or Replica, and assuming you wish to setup a new Open Directory Master, click on Create a new Open Directory domain at the Configure Network Users and Groups screen.

screen-shot-2016-09-26-at-10-03-15-am

Then click on Next. At the Directory Administrator screen, provide the username and password you’d like the Open Directory administrative account to have (note, this is going to be an Open Directory Master, so this example diradmin account will be used to authenticate to various Apple tools if we want to make changes to the Open Directory users, groups, computers or computer groups from there). Once you’re done entering the correct information, click Next.

screen-shot-2016-09-26-at-10-03-43-am

At the Organization Information screen, enter your information (e.g. name of Organization and administrator’s email address). Keep in mind that this information will be in your certificate (and your CSR if you submit that for a non-self-signed certificate) that is used to protect both Profile Manager and Open Directory communications. Click Next.

screen-shot-2016-09-26-at-10-04-43-am

At the Confirm Settings screen, make sure the information that will be used to configure Open Directory is setup correctly. Then click Set Up (as I’ve put a nifty red circle next to – although it probably doesn’t help you find it if it’s the only button, right?).

screen-shot-2016-09-26-at-10-05-03-am

The Open Directory master is then created. At the Organization Information screen, enter the name of the contact information for an administrator and click on the Next button. Even if you’re tying this thing into something like Active Directory, this is going to be a necessary step (unless of course you’re already running Open Directory on the system). Once Open Directory is setup you will be prompted to provide the information for an SSL Certificate.

At the Organization Information screen, enter your information and click Next.

screen-shot-2016-09-26-at-10-05-42-am

At the Configure an SSL Certificate screen, choose a certificate and click Next.

screen-shot-2016-09-26-at-10-06-06-am

This can be the certificate provided when Open Directory is initially configured, which is self-signed, or you can select a certificate that you have installed using a CSR from a 3rd party provider. At this point, if you’re using a 3rd party Code Signing certificate you will want to have installed it as well. Choose a certificate from the Certificate: drop-down list and then click on Next.

If using a self-signed certificate you will be prompted that the certificate isn’t signed by a 3rd party. Click Next if this is satisfactory.

If you do not already have a push certificate installed for the system, you will then be prompted to enter the credentials for an Apple Push Notification Service (APNS) certificate. This can be any valid AppleID. It is best to use an institutional AppleID (e.g. push@krypted.com) rather than a private one (e.g. charles@krypted.com). Once you have entered a valid AppleID username and password, click Next.

Provided everything is working, you’ll then be prompted that the system meets the Profile Manager requirements. Click on the Finish button to complete the assistant.

screen-shot-2016-09-26-at-10-06-38-am

When the assistant closes, you will be back at the Profile Manager screen in the Server application. Here, check the box for Sign Configuration Profiles.

screen-shot-2016-09-26-at-10-08-39-am

The Code Signing Certificate screen then appears. Here, choose the certificate from the Certificate field.

screen-shot-2016-09-26-at-10-08-59-am

Unless you’re using a 3rd party certificate there should only be one certificate in the list. Choose it and then click on OK. If you are using a 3rd party certificate then you can import it here, using the Import… selection. Then click OK to save your settings. Back at the Profile Manager screen, you will see a field for the Default Configuration Profile. If you host all of your services on the one server (Mail, Calendars, VPN, etc) then leave the box checked for Include configuration for services; otherwise uncheck it.

screen-shot-2016-09-26-at-11-52-49-am

Profile Manager has the ability to distribute apps and content from the App Store Volume Purchase Program or Apple School Manager through Profile Manager. To use this option, first sign up on the VPP site. Once done, you will receive a token file. Using the token file, check the box in Profile Manager for Volume Purchase Program” or “Apple School Manager” and then use the Configure… button to select the token file.

screen-shot-2016-09-26-at-11-54-36-am

Now that everything you need is in place, click on the ON button to start the service and wait for it to finish starting (happens pretty quickly).

screen-shot-2016-09-26-at-11-54-58-am

The process is the same for adding a DEP token. If you’re just using Profile Manager to create profiles that you’ll import into other tools (Casper, Deploy Studio, Apple Configurator, etc) you can skip adding these tokens as they’re likely to cause more problems than they help with.

Once you’ve got everything configured, start the service. Once started, click on the Open Safari link for Profile Manager and the login page opens. Administrators can login to Profile Manager to setup profiles and manage devices.

screen-shot-2016-09-26-at-11-57-27-am

The URL for this (for odr.krypted.com) is https://odr.krypted.com/profilemanager. Use the Everyone profile to automatically configure profiles for services installed on the server if you want them deployed to all users. Use custom created profiles for everything else. Also, under the Restrictions section for the everyone group, you can choose what to allow all users to do, or whether to restrict access to certain Profile Manager features to certain users. These include access to My Devices (where users enroll in the system), device lock (so users can lock their own devices if they loose them) and device wipe. You can also allow users to automatically enroll via DEP and Configurator using this screen.

screen-shot-2016-09-26-at-8-43-36-pm

Enrolling Into Profile Manager

To enroll devices for management, use the URL https://odr.krypted.com/MyDevices (replacing the hostname with your own). Click on the Profiles tab to bring up a list of profiles that can be installed manually.

screen-shot-2016-09-26-at-8-44-22-pm

From Profiles, click or tap the Enroll button. The profile is downloaded and when prompted to install the profile, click Continue.

Screen Shot 2015-09-25 at 8.58.18 PM

Then click Install if installing using a certificate not already trusted.

Screen Shot 2015-09-25 at 8.58.35 PM

Once enrolled, click on the Profile in the Profiles System Preference pane to see the settings being deployed.

Screen Shot 2015-09-25 at 8.59.12 PM

You can then wipe or lock the device from the My Devices portal. Management profiles from the MDM server are then used. Devices can opt out from management at any time. If you’re looking for more information on moving Managed Preferences (MCX) from Open Directory to a profile-based policy management environment, review this article and note that there are new options in dscl for removing all managed preferences and working with profiles in Mavericks (10.9), Yosemite (10.10), and El Capitan (10.11).

If there are any problems when you’re first getting started, an option is always to run the wipeDB.sh script that resets the Profile Manager (aka, devicemgr) database. This can be done by running the following command:

sudo /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/wipeDB.sh

Automating Enrollment & Random Management Tips

The two profiles needed to setup a client on the server are accessible from the web interface of the Server app. Saving these two profiles to a macOS computer then allows you to automatically enroll devices into Profile Manager using Apple Configurator, as shown in this previous article.
When setting up profiles, note that the username and other objects that are dynamically populated can be replaced through a form of variable expansion using payload variables in Profile Manager. For more on doing so, see this article.

Note: As the database hasn’t really changed, see this article for more information on backing up and reindexing the Profile Manager database.

Device Management

Once you’ve got devices enrolled, those devices can easily be managed from a central location. The first thing we’re going to do is force a passcode on a device. Click on Devices in the Profile Manager sidebar.

screen-shot-2016-09-26-at-8-45-40-pm

Click on a device in Profile Manager’s admin portal, located at https:///profilemanager (in this case https://odr.krypted.com/profilemanager). Here, you can see:

  • General Information: the type of computer, capacity of the drive, version of OS X, build version, serial number of the system and the currently logged in user.
  • Details: UDID, Ethernet MAC, Wi-Fi MAC, Model, Last Checkin Time, Available disk space, whether Do Not Disturb is enabled and whether the Personal Hotspot is enabled.
  • Security information: If FileVault is enabled, whether a Personal Recovery is set and whether an Institutional Recovery Key has been installed.
  • Restrictions, whether any restrictions have been deployed to the device from Profile Manager.
  • Installed Apps: A list of all the apps installed (packages, App Store, Drivers, via MDM, etc).
  • In Device Groups: What groups are running on the system.
  • Certificates: A list of each certificate installed on the computer.

Screen Shot 2015-09-25 at 9.08.31 PM

The device screen is where much of the management of each device is handled, such as machine-specific settings or using the cog-wheel icon, wiping, locking, etc. From the device (or user, group, user group or device group objects), click on the Settings tab and then click on the Edit button.

screen-shot-2016-09-26-at-8-47-10-pm

Here, you can configure a number of settings on devices. There are sections for iOS specific devices, macOS specific settings and those applicable to both platforms. Let’s configure a passcode requirement for an iPad.

screen-shot-2016-09-26-at-8-47-35-pm

Click on Passcode, then click on Configure.

screen-shot-2016-09-26-at-8-48-19-pm

At the Passcode settings, let’s check the box for Allow simple value and then set the Minimum Passcode Length to 4. I find that with iOS, 4 characters is usually enough as it’ll wipe far before someone can brute force that. However, if a fingerprint can unlock your devices then more characters is fine as it’s quick to enter them. Click OK to commit the changes.

screen-shot-2016-09-26-at-8-58-34-pm

Once configured, click Save. At the “Save Changes?” screen, click Save. The device then prompts you to set a passcode a few moments later. The next thing we’re going to do is push an app. To do so, first find an app in your library that you want to push out. Right-click (or control-click) on the app and click on Show in Finder. You can install an Enterprise App from your library or browse to it using the VPP program if the app is on the store. Before you start configuring apps, click on the Apps entry in the Profile Manager sidebar.

screen-shot-2016-09-26-at-8-59-08-pm

At the Apps screen, use the Enterprise App entry to select an app or use the Volume Purchase Program button to open the VPP and purchase an app. Then, from the https:///profilemanager portal, click on an object to manage and at the bottom of the About screen, click Enable VPP Managed Distribution Services.

screen-shot-2016-09-26-at-9-00-03-pm

Click on the Apps tab.

screen-shot-2016-09-26-at-9-00-31-pm

From the Apps tab, click on the plus sign icon (“+”). At the Add Apps screen, choose the app added earlier and then authenticate if needed, ultimately selecting the app. The app is then uploaded and displayed in the list. Click Add to add to the selected group. Then, click on Done. Then click on Save… and an App Installation dialog will appear on the iOS device you’re pushing the app to.

At the App Installation screen on the iPad, click on the Install button (unless you’re using Device-based VPP) and the app will instantly be copied to the last screen of apps on the device. Tap on the app to open it and verify it works. Assuming it does open then it’s safe to assume that you’ve run the App Store app logged in as a user who happens to own the app. You can sign out of the App Store and the app will still open. However, you won’t be able to update the app as can be seen here.

Note: If you push an app to a device and the user taps on the app and the screen goes black then make sure the app is owned by the AppleID signed into the device. If it is, have the user open App Store and update any other app and see if the app then opens.

Finally, let’s wipe a device. From the Profile Manager web interface, click on a device and then from the cog wheel icon at the bottom of the screen, select wipe.

At the Wipe screen, click on the device and then click Wipe. When prompted, click on the Wipe button again, entering a passcode to be used to unlock the device if possible. The iPad then says Resetting iPad and just like that, the technical walkthrough is over.

Screen Shot 2015-09-25 at 9.15.11 PM

Note: For fun, you can use the MyDevices portal to wipe your iPad from the iPad itself.

Conclusion

To quote Apple’s Profile Manager page:

Profile Manager simplifies deploying, configuring, and managing them all. It’s one place where you control everything: You can create profiles to set up user accounts for mail, calendar, contacts, and messages; configure system settings; enforce restrictions; set PIN and password policies; and more. Because it’s integrated with the Apple Push Notification service, Profile Manager can send out updated configurations over the air, automatically. And it includes web-based administration, so you can manage your server from any modern web browser. Profile Manager even gives users access to a self-service web portal where they can download and install new configuration profiles, as well as clear passcodes and remotely lock or wipe their Mac, iPhone, or iPad if it’s lost or stolen.

For the money, Profile Manager is an awesome tool. Apps such as Casper, AirWatch, Zenprise, MaaS360, etc all have far more options, but aren’t as easy to install (well, Bushel is… 😉 and nor do they come at such a low price point. Profile Manager is a great option if all of the tasks you need to perform are available within the tool. If not, then it’s worth a look, if only as a means to learn more about the third party tools and to export profiles you’ll use in other solutions.

September 27th, 2016

Posted In: iPhone, Mac OS X, Mac OS X Server

Tags: , , ,

Leave a Comment

Ever wonder why repetitive pings fail after a little while in OS X (e.g. those sent via the -f flag)? By default, OS X has an ICMP rate limit of 250 set. You can increase this or disable, using sysctl. To disable, set the value of net.inet.icmp.icmplim

sudo sysctl -w net.inet.icmp.icmplim=0

Happy icmp flooding!

September 20th, 2016

Posted In: Mac OS X, Mac Security

Tags: , , , ,

Leave a Comment

Push Notifications can be used in most every service that macOS Server 5.2 (for Sierra) can run. Any service that requiring Push Notifications will often provide the ability to setup APNS during the configuration of the service. But at this point, I usually just set up Push Notifications when I setup a new server.
screen-shot-2016-09-25-at-11-12-51-pm
To enable Push Notifications for services, you’ll first need to have a valid AppleID. Once you have an AppleID, open the Server app and then click on the name of the server. Then click on the Settings screen and click on the checkbox for Notifications.

screen-shot-2016-09-25-at-11-13-09-pm

At the Settings screen for your server, click on the check-box for Apple Push Notifications (APN). Next, click on another screen and then click back to get the Edit Apple ID… button to appear. Click on Edit Apple ID…

screen-shot-2016-09-25-at-11-13-47-pm

At the Apple Push Notification Services certificate screen, enter an AppleID if you have not yet configured APNS and click on OK. The Apple Push Notification Service certificate will then be configured.

screen-shot-2016-09-25-at-11-14-03-pm

As you’ll see, if you’re editing a certificate, you’ll break any systems or services that use that certificate. For example, you would have to re-enroll all of your Profile Manager systems.

screen-shot-2016-09-25-at-11-15-53-pm

Then provide the AppleID and Password you’d like to use to generate the certificate.

screen-shot-2016-09-25-at-11-16-26-pm

The certificate is valid for one year, by default. Administrators receive an alert when the certificate is due to expire. To renew, open the same screen and click on the Renew button. Once you have generated a certificate, you’ll then be able to see the certificate in the Apple certificates portal.

September 18th, 2016

Posted In: Mac OS X Server, Mac Security

Tags: , , , , ,

Leave a Comment

Yosemite brought Xsan 4, which included a whole new way to add clients to an Xsan. Xsan Admin is gone, as of El Capitan, but unchanged from then to macOS Sierra (other than a couple of binaries moving around). These days, instead of scanning the network using Xsan Admin. we’ll be adding clients using a Configuration Profile. This is actually a much more similar process to adding Xsan clients to a StorNext environment than it is to adding clients to Metadata Controllers running Xsan 3 and below. But instead of making a fsnameservers file, we’re plugging that information into a profile, which will do that work on the client on our behalf. To make the Xsan configuration profile, we’re going to use Profile Manager. With OS X Server 5 and 5.2, this trend continues.

To get started, open the Profile Manager web interface and click on a device or device group (note, these are scoped to systems so cannot be used with users and user groups). Then click on the Settings tab for the object you’re configuring Xsan for.

Screen Shot 2015-09-25 at 9.21.10 PM

Click Edit for the profile listed (Settings for <objectname>) and scroll down until you see the entry for Xsan.

Screen Shot 2015-09-25 at 9.21.57 PM

From the Xsan screen, click Configure.

Screen Shot 2015-09-25 at 9.22.58 PM

This next screen should look a little similar, in terms of the information you’ve plugged into the Xsan 4 setup screen. Simply enter the name of the Xsan in the Xsan Name field, the IP address or host names of your metadata controllers in the File System Name Servers field and the Authentication Secret from the Xsan screen in the Server app into the Authentication Secret field. Click OK to close the dialog.

Screen Shot 2015-09-25 at 9.23.30 PM

Click Save to save your changes. Then you’ll see the Download button become clickable.

The profile will download to your ~/Downloads directory as Settings_for_<OBJECTNAME>.mobileconfig. So this was called test and will result in a name of Settings_for_test.mobileconfig. That profile will automatically attempt to install. If this is an MDC where you’re just using Profile Manager to bake a quick profile, or if you don’t actually want to install the profile yet, click Cancel.

Screen Shot 2015-09-25 at 9.24.10 PM

If you haven’t worked with profiles that much, note that when you click Show Profile, it will show you what is in the profile and what the profile can do.

Screen Shot 2015-09-25 at 9.24.18 PM

Simply open this file on each client (once you test it of course) and once installed, they’ll automatically configure to join your Xsan. If you don’t have a Profile Manager server, you can customize this file for your environment (YMMV): Settings_for_test.mobileconfig

September 14th, 2016

Posted In: Mac OS X Server, Mac Security, Xsan

Tags: , , , , ,

Leave a Comment

Let’s start out with what’s actually available in the Server Admin CLI: serveradmin. The serveradmin command, followed by settings, followed by san shows a few pieces of information:

bash-3.2# serveradmin settings san
san:computers = _empty_array
san:primaryController = "95C99FB1-80F2-5016-B9C3-BE3916E6E5DC"
san:ownerEmail = "krypted@me.com"
san:sanName = "krypted"
san:desiredSearchPolicy:_array_index:0 = ""
san:serialNumbers = _empty_array
san:dsType = 0
san:ownerName = "Charles Edge"
san:managePrivateNetwork = yes
san:metadataNetwork = "10.0.0.0/24"
san:numberOfFibreChannelPorts = 2
san:role = "CONTROLLER"

Here, we see the metadata network, the GUID of the primary (active) MDC, the name of the SAN, an array of serial numbers (if applicable – in a purely Mountain Lion/Mavericks SAN they aren’t), the owner info plugged in earlier and the metadata network interface being used.
Next, we’ll take a peak at the fsm process for each volume:

bash-3.2# ps aux | grep fsm
root 7030 0.7 0.7 2694708 62468 ?? Ss 10:18AM 0:03.08 /System/Library/Filesystems/acfs.fs/Contents/bin/fsm BettyWhite mdm.pretendco.lan 0
root 6834 0.1 0.0 2478548 2940 ?? S 10:10AM 0:01.37 fsmpm -- -- /var/run/fsmpm-sync.6800 1800

Next, we can look at the version rev, which shows that the Server Revision is the same as in Mavericks, but the build number has incremented by 19 commits:

bash-3.2# cvversions
File System Server:
Server Revision 5 Branch Head
Created on Tue Sep 13 09:59:14 PDT 2015
Built in /SourceCache/XsanFS/XsanFS-527/buildinfo
Host OS Version:
Darwin 14.0.0 Darwin Kernel Version 14.0.0: Sat Sep 24 01:15:10 PDT 2015; root:xnu-2738.0.0.0.5~1/RELEASE_X86_64 x86_64

Next, we’ll check out the contents of /Library/Preferences/Xsan. First the volume configuration file:

bash-3.2# cat BettyWhite.cfg
# Globals
AllocationStrategy Round
FileLocks Yes
BufferCacheSize 32M
Debug 0x0
CaseInsensitive Yes
EnableSpotlight Yes
EnforceACLs Yes
SpotlightSearchLevel ReadWrite
FsBlockSize 16K
GlobalSuperUser Yes
InodeCacheSize 8K
InodeExpandMin 0
InodeExpandInc 0
InodeExpandMax 0
InodeDeleteMax 0
InodeStripeWidth 0
JournalSize 16M
MaxConnections 139
MaxLogSize 10M
MaxLogs 4
NamedStreams Yes
Quotas Yes
QuotaHistoryDays 7
ThreadPoolSize 256
UnixIdFabricationOnWindows Yes
UnixNobodyUidOnWindows -2
UnixNobodyGidOnWindows -2
WindowsSecurity Yes
# Disk Types
[DiskType LUN2Type]
Sectors 488355807
SectorSize 512
# Disks
[Disk LUN2]
Type LUN2Type
Status UP
# Stripe Groups
[StripeGroup All]
Status Up
StripeBreadth 16
Metadata Yes
Journal Yes
Exclusive No
Read Enabled
Write Enabled
Rtmb 0
Rtios 0
RtmbReserve 0
RtiosReserve 0
RtTokenTimeout 0
MultiPathMethod Rotate
Node LUN2 0
Affinity All

The above is not the XML I was thinking we’d see, but the same format and variables previously available. The configuration for the SAN itself is XML though:

bash-3.2# cat config.plist


 

computers

desiredSearchPolicy



dsType
0
managePrivateNetwork
metadataNetwork
10.0.0.0/24
ownerEmail
krypted@me.com
ownerName
Charles Edge
primaryController
95C99FB1-80F2-5016-B9C3-BE3916E6E5DC
role
CONTROLLER
sanName
krypted
serialNumbers




The automount file is a plist as well:

bash-3.2# cat automount.plist


 

BettyWhite

AutoMount
rw
MountOptions

atimedelay
no
dircachesize
10485760
threads
12





The aux-data is also a plist:

bash-3.2# cat BettyWhite-auxdata.plist


 

Config

ClientDelayAccessTimeUpdates
0
ClientDirCacheSize
10485760
ClientThreadCount
12
StoragePoolIdealLUNCount
4
StoragePoolStripeBreadth
16

FailoverPriorities


controllerUUID
95C99FB1-80F2-5016-B9C3-BE3916E6E5DC
enabled
1



 
Next, cvadmin remains basically unchanged, with the addition of restartd/startd/stopd (managing the fem and the removal of :

Xsanadmin (BettyWhite) > help
Command summary:
activate, debug, dirquotas, disks, down, fail, filelocks, fsmlist, help, latency-test, multipath, paths, proxy, qos, quit, quotas, quotacheck, quotareset, ras, repfl, repquota, repof, resetrpl, rollrj, select, show, start, stat, stop, up, who, ?
activate [ | ]
Activate a File System .
This command may cause an FSM to activate.
If the FSM is already active, no action is taken.
debug [ [+/-] ]
Get or Set (with ) the FSS Debug Flags.
Enter debug with no value to get current setting and bit meanings.
Value should be a valid number. Use 0x to indicate hexadecimal.
If the ‘+’ or ‘-’ argument is used, only specified flags
will be modified.
‘+’ will set and ‘-’ will disable the given flags.
dirquotas <create|mark|destroy>
The ‘create’ command turns the given directory into the root of a
Directory Quota namespace. The command will not return until the
current size value of the directory is tallied up. The ‘mark’
command also turns the given directory into the root of a
Directory Quota namespace, but the current size value is left
uninitialized.  The command ‘quotacheck’ should be run later to
initialize it. The ‘destroy’ command destroys the namespace
associated with the given directory.  The directory’s contents
are left unchanged.
disks [refresh]
Display the acfs Disk volumes visible to this machine.
If the optional “refresh” is used, the volumes will.
be re-scanned by the fsmpm.
disks [refresh] fsm
Display the acfs meta-data Disk volumes in use by the fsm.
If the optional “refresh” is used, additional paths to these
volumes may be added by the fsm.
down
Bring down stripe group .
fail [ | ]
Failover a File System .
This command may cause a stand by FSM to activate.
If the FSM is already active, the FSM will
shut down. A stand-by FSM will take over or the
FSM will be re-launched if it is stand-alone.
fsmlist [] [on ]
Display the state of FSM processes, running or not.
Optionally specify a single to display.
Optionally specify the host name or IP address of the system
to list the FSM process(es) on.
help (?)  This message.
latency-test [ | all] []
Run an I/O latency test between the FSM process and one
client or all clients.  The default test duration is
2 seconds.
multipath < balance | cycle | rotate | static | sticky >
Change the Multi Path method for stripe group
to “balance”, “cycle”, “rotate”, “static”, or “sticky”.
paths
Display the acfs Disk volumes visible to this machine
grouped according to the “controller” identity.
proxy [ long ]
proxy who
Display Disk Proxy Servers, and optionally the disks
they serve, for this filesystem
The “who” option displays all proxy connections
for the specified host.
qos       Display per-stripe group QOS statistics.
quit      Exit
filelocks
Query cluster-wide file/record lock enforcement.
Enter filelocks with no value to get current setting.
Currently Cluster flocks are automatically used on Unix.
Windows file/record locks are optional.
quotas
Get the current state of the quota system
quotas get <user|group|dir|dirfiles>
Get quota parameters for user, group, or directory .
quotas set <user|group|dir|dirfiles>
Set current quota parameters for user, group, or directory
. can be the name of a user or group or the
path to a directory. For users and groups, it can also be an
integer interpreted as a uid or gid.  Setting the hardlim,
softlim, and timelim to 0 disables quota enforcement for that user,
group, or directory. The values for hardlim and softlim are
expressed in bytes when setting user, group, or dir values.  When
setting dirfiles values, they are numbers of regular file inodes.
The value for timelim is expressed in minutes.
quotacheck
Recalculate the amount of space consumed (the current
size field of the quota record) by all users,
groups, and directory namespaces in the file system. This
command can be run on an active file system although file
updates (writes, truncates, etc.) will be delayed until
quotacheck has completed.
quotareset
Like quotacheck, but deletes the quota database before
performing the check. All limits and directory namespaces
will be lost. Use with extreme caution.
ras enq “detail string”
Generate an SNFS RAS event.  For internal use only.
ras enq “detail string”
Generate a generic RAS event.  For internal use only.
repquota
Generate quota reports for all users, groups, and directory
namespaces in the file system. Three files are generated:
1. quota_report.txt – a “pretty” text file report.
2. quota_report.csv – a comma delimited report
suitable for Excel spreadsheets.
3. quota_regen.in – a list of cvadmin commands that
can be used to set up an identical quota database
on another Xsan.
repfl
Generate a report of currently held locks
on all connected acfs clients.
repof
Generate a report of currently open files
on all connected acfs clients.
resetrpl [clear]
Repopulate Reverse Path Lookup (RPL) information.
The optional “clear” argument causes existing
RPL data to be cleared before starting repopulation.
Note: “resetrpl” is only available when cvadmin is
invoked with the -x option.  Running resetrpl
may significantly delay FSM activation.  This command
is not intended for general use.  Only run “resetrpl”
when recommended by Technical Support.
restartd [once]
Stop and start the process.
For internal use only.
rollrj
Force the FSM to start a new restore journal.
This command is only used on a managed file system
select [ | | none]
Select the active File System .
Typing “select none” will de-select the current FSS.
If the FSM is inactive (standing by) it cannot be selected.
Using this command with no argument shows all active FSSs.
show [ ] [ long ]
Show all stripe groups or a specific stripe group .
Adding the modifier “long” shows more verbose information.
start [on] []
Start the File System Service for .
When running on an HA MDC, the local service is started and
then an attempt is made to start the service on the peer MDC.
Optionally specify the hostname or IP address to start the
FSM on that MDC only.
startd [once]
Start the process.
For internal use only.
stat      Display the general status of the file system.
stats [clear]
Display read/write statistics for the file system.
If clear, zero the stats after printing.
stop [on] [] |
Stop the File System Services for
or . Stopping by name without specifying a
hostname will stop all instances of the service, and will
cancel any pending restart of the service on the local system.
Stopping by name on a particular system will stop or cancel
a restart of the service on that system.  Stopping by
number only stops the service associated with the index.
Indexes are displayed on the left side as “nn>” when.
using the “select” command.
stopd
Stop the process.
For internal use only.
up
Bring up stripe group .
If there are no stripe groups that have exclusively numeric names,
the stripe group index number shown in the “show” command may be
used in place of .
who [] [long]
List clients attached to file system.
In the short form, “who” returns the following information:
- acfs I.D.       – Client License Identifier
- Type            – Type of client connection
FSM              – File System Manager (FSM) connection
ADM              – Administrative (cvadmin) connection
CLI              – File system client connection. May be
followed by a CLI type character:
S – Disk Proxy Server
C – Disk Proxy Client
H – Disk Proxy Hybrid Client
- Location        – Client’s hostname or IP address
- Up Time         – Total time client has been connected to FSM
- License Expires – Date client’s license will expire
In the long form, “who” returns network path, build, latency
and reconnect information, if available.
Administrative and FSM clients return a limited set of information.
Xsanadmin (BettyWhite) > select
List FSS
File System Services (* indicates service is in control of FS):
1>*BettyWhite[0]        located on 10.0.0.1:57724 (pid 7030)

September 13th, 2016

Posted In: Xsan

Tags: , , ,

Leave a Comment

When running a DNS/BIND server on Linux or macOS, you can check the version number by running a simple named command with the -v option.

named -v

The output is as follows:

BIND 9.9.7-P3 (Extended Support Version)

September 11th, 2016

Posted In: Mac OS X, Unix

Tags: , , ,

Leave a Comment

September 9th, 2016

Posted In: Apple Watch, Apps, iPhone, Mac OS X

Tags: , , , , , , ,

Leave a Comment

Special thanks to @dials_mavis for being basically the best ever, cutting this thing together while he was sick, and for the rest of the team for being awesome to help hide the fact that I’m not. 🙂

September 8th, 2016

Posted In: Mac OS X, Mac OS X Server, MacAdmins Podcast

Tags: , , , ,

Leave a Comment

App Store Stats and Fun Stuff

  • 17,000,000!
  • 900,000,000 lighting connector devices
  • 10 year anniversary of the Apple Music Festival, with Britney
  • 140 billion app downloads
  • 106% YoY download increases
  • 2 times the “nearest competitor”
  • 1/2 million games on the store
  • Mario: Super Mario Run
  • Mention ConnectEd!
  • Everyone Can Code
  • iWork
    • Real Time Collaboration (only behind Google by how long?)
    • But it’s prettier than what Google does
    • Apple is the 2nd largest watchmaker now, and largest smartwatch maker

Watch:

  • WatchOS 3
    • New dock
    • New faces
    • Tapback messaging
    • Animated stickers in messages
    • Full screen effects, just like in Messages for Mac
    • Breathe
    • Emergency Messaging
    • Developers
    • Pokémon Go for watch
    • 500,000,000 downloads of Go, 4.6 Billion KM
  • Apple Watch Series 2: $369, Series 1 is $269
    • 50 meters, new seals, new adhesives, speaker ejects water
    • Redesigned SiP, 2nd gen display, 2x brighter
    • 1,000 nits, great for sun
    • Built-in GPS – exposed to the API
    • Available in ceramic
    • NikePlus watch

iPhone 7: $629 with Plus starting at $729

  • Over 1 Billion devices, with the best selling product “of its kind” in the history of the world
  • A video that left no dry eyes in the audience
  • New design
  • Jet black finish, black finish (my style btw), gold, silver, rose gold
  • Force sensitive, solid state, taptic Engine-driven home button
  • Homekit, home app, Works with “Apple HomeKit”
  • Messages: Stickers, confetti, etc
  • Water and dust resistant
  • New dual camera, stabilization, f/1.8 aperture sense for 50% more light, six-element sense, 12 megapixel sensor, true tone flash, with 4 LEDs (50% brighter, with a flicker sensor to compensate for artificial lighting), 2x the throughput of the image signal processor (called by Phil Schiller “the supercomputer of” digital photos), depth of field
  • Front-side camera: 7MP FaceTime HD camera, wide color capture, image stabilization
  • 1x to 10x zoom
  • 25% brighter display, wide color gamut, Instagram sent a rep
  • Stereo Speakers on the phones
  • Headphones via lightning or bluetooth, comes with a free adaptor
  • Wireless: Apple AirPods, W1 Apple-designed wireless chip, intelligent high-efficiency playback, infrared sensors detect you, voice accelerometers target the source of your voice, and reduce external noise. 5 hours per charge, 24hours of life off the case, with incredible sound “a technical tour de force”
  • LTE up to 450Mbps
  • Apple Pay goes to Japan
  • Performance: “Apple’s chip team is killing it”
  • A10 Fusion: 64 bit, four-core processor, 40% faster than A9, 2x faster than A8, 120x faster than iPhone1. 2 high performance cores, two high efficiency cores, for longer battery life, with a performance controller, new 6 core graphics chip in the A10, for 3x faster GPU of the A8, for a total of 240x the performance of the original iPhone.
  • 7 and 7 plus now go from 32 to 256GB of storage (yowza)
  • iPhone Upgrade Program, includes a new iPhone every year, choose your carrier, starts at 32/mo and includes AppleCare Plus, now expanding to the UK and China

iOS 10 drops on September 13th 2016, OS X on September 20th, 2016.

Things not discussed re: iOS 10:

  • Siri API (e.g. Wink, but also options for when I’ll use the Home app vs Wink – and waiting for Wink to integrate with HomeKit)
  • All the fun new Messages options:
    • Sketches
    • Annotations on photos and videos
    • Bigger emoji
    • Effects in messages
    • Messages app store
    • Memories in Photos like I have in Facebook
  • Better Apple Music and Maps
  • The ability to manage the following with MDM:
    • Callkit: managing the default app for Calls
    • Moving some restrictions to Supervised mode (differentiating Corporate vs personally owned devices
    • Notification APIs

September 7th, 2016

Posted In: iPhone

Tags: , ,

Leave a Comment

When speaking to a group of people, I once created a folder called Old and then moved all my files in there. However, you can create a temporary desktop that shows as clean and empty. To do so, write the CreateDesktop key in the com.apple.finder defaults domain, with a setting of false, as follows:

defaults write com.apple.finder CreateDesktop -bool false

Then restart the Finder and it will show crisp and new:

killall Finder

Then once you’re done, delete the temporary desktop, by deleting the key, as follows:

defaults delete com.apple.finder CreateDesktop

Then restart the Finder to see your files again:

killall Finder

September 6th, 2016

Posted In: Mac OS X, Mac Security

Tags: , ,

Next Page »