krypted.com

Tiny Deathstars of Foulness

The next release of iOS (10.3), macOS (10.12.4), and tvOS (10.2) bring us a host of new management features. These include DEP configuration, remote wipe, single app mode, conference room mode, and remote reboot for Apple TVs. The next evolution of iOS brings us sounds in lost mode, the ability to prevent users from connecting to unmanaged wireless networks (just make sure to push that policy after sending down the actual managed wireless networks – or eek), the option to remotely shut down and reboot devices,

The Mac options includes some of the above but also restricting the feature to unlock macOS devices with Touch ID, restrict documents and desktop syncing with Apple’s iCloud service. Shared iPad environments also get new passcode policies.

Jamf Pro 9.98 has also comes with Symantec PKI integration and lots, and lots, and lots of resolutions to product issues. For more, see https://www.jamf.com/blog/are-you-ready-for-apples-next-release/. For a full run-down of profile options and MDM commands: http://docs.jamf.com/9.98/casper-suite/release-notes/What’s_New_in_This_Release.html.

Keeping with Apple’s evolving standards, Managed Preferences and Provisioning Profiles are being deprecated: http://docs.jamf.com/9.98/casper-suite/release-notes/Deprecations_and_Removals.html (which isn’t to say you can’t still deploy these kinds of things using your own scripts, etc).

Finally, if you have a problem in your environment and want to see if it’s been fixed, for a list of defects and product improvements – see http://docs.jamf.com/9.98/casper-suite/release-notes/Bug_Fixes_and_Enhancements.html

March 23rd, 2017

Posted In: JAMF, Mac OS X, Mac OS X Server

Tags: , , , ,

Leave a Comment

You search for items in macOS using compound conditions in a number of ways. One way is with awk. Here, we’re going to grab the output of a simple ls command. That gets piped into an awk statement. Then we’re going to look at the expression to evaluate. Basically, we’re going to say anything that contains com. as well as apple and .plist. Because it’s ls, we’re looking for names of files that match those patterns. Each pattern is listed in brackets. And then there’s the {print} to lay out the action of printing to the files that match the pattern to the screen:

ls |awk '/[com.][apple][.plist]/ {print}'

Note: I know you’re not supposed to use ls in scripts. Don’t care. If it were dates and such, I’d of used stat…

March 14th, 2017

Posted In: Mac OS X, Mac OS X Server

Tags: , , , ,

One Comment

If you happen to be tweaking the macOS subsystems for logging, I’ve put them into a little python class. If you need it, find it at this gist:

https://gist.github.com/krypted/495e48a995b2c08d25dc4f67358d1983

Could use an array of all the levels, TTLs, and options. But I’ll get to that when I get some time. If this is all you need, though:

class Logging(object):

__name__ = 'logger.info(1)'
plist = '/System/Library/Preferences/Logging/Subsystems/'

def __init__(__name__, plist, *args, **kwargs):
super(getLogger/, self).__init__()

logger.info('Input parameters:\n'
'accessibility: "{com.apple.Accessibility.plist}"\n'
'StandaloneHIDFudPlugins: "{com.apple.StandaloneHIDFudPlugins.plist}"\n'
'duetactivityscheduler: "{com.apple.duetactivityscheduler.plist}"\n'
'passkit: "{com.apple.passkit.plist}"\n'
'AppKit: "{com.apple.AppKit.plist}"\n'
'SystemConfiguration: "{com.apple.SystemConfiguration.plist}"\n'
'eapol: "{com.apple.eapol.plist}"\n'
'persona: "{com.apple.persona.plist}"\n'
'AppleIR: "{com.apple.AppleIR.plist}"\n'
'TCC: "{com.apple.TCC.plist}"\n'
'icloudpreferences: "{com.apple.icloudpreferences.plist}"\n'
'apple.pf: "{com.apple.pf.plist}"\n'
'AssetCache: "{com.apple.AssetCache.plist}"\n'
'TimeMachine: "{com.apple.TimeMachine.plist}"\n'
'internetAccounts: "{com.apple.internetAccounts.plist}"\n'
'photoanalysisd.graph: "{com.apple.photoanalysisd.graph.plist}"\n'
'AssetCacheServices: "{com.apple.AssetCacheServices.plist}"\n'
'Transport: "{com.apple.Transport.plist}"\n'
'libsqlite3: "{com.apple.libsqlite3.plist}"\n'
'photoanalysisd.job: "{com.apple.photoanalysisd.job.plist}"\n'
'BezelServices: "{com.apple.BezelServices.plist}"\n'
'accounts: "{com.apple.accounts.plist}"\n'
'locationd.Core: "{com.apple.locationd.Core.plist}"\n'
'photoanalysisd: "{com.apple.photoanalysisd.plist}"\n'
'DesktopServices: "{com.apple.DesktopServices.plist}"\n'
'amp.MediaServices: "{com.apple.amp.MediaServices.plist}"\n'
'locationd.Legacy: "{com.apple.locationd.Legacy.plist}"\n'
'pluginkit: "{com.apple.pluginkit.plist}"\n'
'ExchangeWebServices: "{com.apple.ExchangeWebServices.plist}"\n'
'authkit: "{com.apple.authkit.plist}"\n'
'locationd.Motion: "{com.apple.locationd.Motion.plist}"\n'
'sandbox.reporting: "{com.apple.sandbox.reporting.plist}"\n'
'FaceTime: "{com.apple.FaceTime.plist}"\n'
'avfaudio: "{com.apple.avfaudio.plist}"\n'
'locationd.Position: "{com.apple.locationd.Position.plist}"\n'
'sbd: "{com.apple.sbd.plist}"\n'
'Finder: "{com.apple.Finder.plist}"\n'
'awd.awdd: "{com.apple.awd.awdd.plist}"\n'
'locationd.Utility: "{com.apple.locationd.Utility.plist}"\n'
'securityd: "{com.apple.securityd.plist}"\n'
'HTTPServer: "{com.apple.HTTPServer.plist}"\n'
'awd.framework: "{com.apple.awd.framework.plist}"\n'
'mDNSResponder: "{com.apple.mDNSResponder.plist}"\n'
'sharing: "{com.apple.sharing.plist}"\n'
'IDS: "{com.apple.IDS.plist}"\n'
'bluetooth: "{com.apple.bluetooth.plist}"\n'
'mac.install: "{com.apple.mac.install.plist}"\n'
'siri: "{com.apple.siri.plist}"\n'
'IPConfiguration: "{com.apple.IPConfiguration.plist}"\n'
'calendar: "{com.apple.calendar.plist}"\n'
'mail: "{com.apple.mail.plist}"\n'
'social: "{com.apple.social.plist}"\n'
'ManagedClient: "{com.apple.ManagedClient.plist}"\n'
'captive: "{com.apple.captive.plist}"\n'
'mediaremote: "{com.apple.mediaremote.plist}"\n'
'socialpushagent: "{com.apple.socialpushagent.plist}"\n'
'Messages: "{com.apple.Messages.plist}"\n'
'catalyst: "{com.apple.catalyst.plist}"\n'
'multipeerconnectivity: "{com.apple.multipeerconnectivity.plist}"\n'
'symptomsd: "{com.apple.symptomsd.plist}"\n'
'MessagesEvents: "{com.apple.MessagesEvents.plist}"\n'
'cdp: "{com.apple.cdp.plist}"\n'
'network: "{com.apple.network.plist}"\n'
'syncdefaults: "{com.apple.syncdefaults.plist}"\n'
'NetworkSharing: "{com.apple.NetworkSharing.plist}"\n'
'clouddocs: "{com.apple.clouddocs.plist}"\n'
'networkextension: "{com.apple.networkextension.plist}"\n'
'useractivity: "{com.apple.useractivity.plist}"\n'
'ProtectedCloudStorage: "{com.apple.ProtectedCloudStorage.plist}"\n'
'coreanimation: "{com.apple.coreanimation.plist}"\n'
'networkserviceproxy: "{com.apple.networkserviceproxy.plist}"\n'
'Registration: "{com.apple.Registration.plist}"\n'
'coreaudio: "{com.apple.coreaudio.plist}"\n'
'nlcd: "{com.apple.nlcd.plist}"\n'
'SkyLight: "{com.apple.SkyLight.plist}"\n'
'coredata: "{com.apple.coredata.plist}"\n'
'notes: "{com.apple.notes.plist}"\n'

try:
plist()
except Exception as e:
logger.error(e)

March 13th, 2017

Posted In: Mac OS X

Tags: , , , , , , , ,

Leave a Comment

You can quickly and easily back up your Filewave databases using the fwcontrol command to stop a Filewave server (thus preserving the integrity of the data you are backing up) and then backing up the database using the /fwxserver directory.

To get started, we’ll first down the server. This is done using the fwcontrol command along with the server option and the stop verb, as follows:

sudo fwcontrol server stop

Now that there won’t be data trying to commit into the database, let’s make a backup of the database directory using the cp command:

cp -rp /fwxserver/DB ~/Desktop/Databasebak

To start the database, use the decontrol command with the server option and the start verb, as follows:

fwcontrol server start

Note, if you will be moving to a new Filewave server, you would want to lock clients during this transition, so before restarting your server, use the sqlite3 command to set the status to 1 in the user table:

sqlite3 /fwxserver/DB/server.sqlite 'update user set status = 1;'

February 15th, 2017

Posted In: Mac OS X, Mac OS X Server, Mac Security, Network Infrastructure

Tags: ,

So I comment a lot of lines out in my /etc/hosts file. This usually means that I end up with a lot of cruft at the top of my file. And while I write comments into files and scripts here and there, I don’t always want to see them. So I can grep them out by piping the output of the file to grep as follows:

cat /etc/hosts | grep -v "^#"

You could also do the same, eliminating all lines that start with a “v” instead:

cat !$ | grep -v "^v"

February 13th, 2017

Posted In: Mac OS X, Unix

Tags: , , , , , ,

The “What’s New in macOS” page for Sierra (10.12) lays out a little known change that a colleague at Jamf was working on the other day (hat tip to Brock):

Starting in macOS 10.12, you can no longer provide external code or data alongside your code-signed app in a zip archive or unsigned disk image. An app distributed outside the Mac App Store runs from a randomized path when it is launched and so cannot access such external resources. To provide secure execution, code sign your disk image itself using the codesign tool, or distribute your app through the Mac App Store. For more information, see the updated revision to macOS Code Signing In Depth.

This is further explained in the equally misnamed “OS X Code Signing In Depth“:

If using a disk image to ship an app, users should drag the app from the image to its desired installation location (usually /Applications) before launching it. This also applies to apps installed via ZIP or other archive formats or apps downloaded to the Downloads directory: ask the user to drag the app to /Applications and launch it from there.

This practice avoids an attack where a validly signed app launched from a disk image, ZIP archive, or ISO (CD/DVD) image can load malicious code or content from untrusted locations on the same image or archive. Starting with macOS Sierra, running a newly-downloaded app from a disk image, archive, or the Downloads directory will cause Gatekeeper to isolate that app at a unspecified read-only location in the filesystem. This will prevent the app from accessing code or content using relative paths.

The gist is, if an app isn’t signed via the Mac App Store, Gatekeeper is going to limit the ability of the app to launch via “Gatekeeper Path Randomization.” Basically, treat an app from a mounted drive as if it were coming from a Safari download. There are a few ways to distribute app bundles or binaries that do not violate this. One is to sign a disk image that contains such an app:

spctl -a -t open --context context:primary-signature -v /Volumes/MyApp/MyApp.dmg

If spctl runs properly, you should see the following:

/Volumes/MyApp/MyAppImage.dmg: accepted source=mydeveloperid

In the above spctl command, we use the following options:

  • -a assesses the file you indicate (basically required for this operation)
  • -t allows me to specify a type of execution to allow, in this case it’s ‘open’
  • –context
  • -v run verbosely so I can build error correction into any scripts
  • –status while I don’t use status, I could do a second operation to validate that the first worked and use the status option to check it
  • –remove I also don’t use remove, but I could undo what I just did by doing so (or just deleting the dmg

For more on managing Gatekeeper from the command line, see http://krypted.com/mac-security/manage-gatekeeper-from-the-command-line-in-mountain-lion/.

Another method is to remove the lsquarantine attribute, which is automagically applied, using xattr as follows:

xattr -r -d com.apple.quarantine /Volumes/MyApp/MyAppImage.app

The options in the above use of the xattr command:

  • -r run recursively so we catch binaries inside the app bundle
  • -d delete the com.apple.quarantine bit

Xattr has a lot of different uses; you can programmatically manage Finder tags with it, http://krypted.com/mac-os-x/command-line-finder-tags/. To see the full xattr dump on a given file, use the -l option as follows:

xattr -l com.apple.quarantine MyAppImage.dmg

The output is as follows:

xattr: No such file: com.apple.quarantine
MyAppImage.dmg: com.apple.metadata:kMDItemDownloadedDate:
00000000 62 70 6C 69 73 74 30 30 A1 01 33 41 BE 31 0B A5 |bplist00..3A.1..|
00000010 70 D4 56 08 0A 00 00 00 00 00 00 01 01 00 00 00 |p.V………….|
00000020 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 |…………….|
00000030 00 00 00 00 13 |…..|
00000035
MyAppImage.dmg: com.apple.metadata:kMDItemWhereFroms:
00000000 62 70 6C 69 73 74 30 30 A1 01 5F 10 22 63 69 64 |bplist00.._.”cid|
00000010 3A 69 6D 61 67 65 30 30 31 2E 70 6E 67 40 30 31 |:myappimage.dmg@01|
00000020 44 32 36 46 46 44 2E 35 37 31 30 37 30 46 30 08 |D26FFD.571070F0.|
00000030 0A 00 00 00 00 00 00 01 01 00 00 00 00 00 00 00 |…………….|
00000040 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…………….|
00000050 2F |/|
00000051

This could be helpful when troubleshooting and/or scripting (or just way too much informations!).

Finally, if you’re an application developer, check out new API for App Translocation in the 10.12 SDK for <Security/SecTranslocate.h>  I guess one way to think of this is… Apple doesn’t want you running software this way any more. And traditionally they lock things down further, not less, so probably best to find alternatives to running apps out of images, from a strategy standpoint.

January 25th, 2017

Posted In: Mac OS X, Mac Security

Tags: , , , , ,

Apple recently introduced a laptop with the same fingerprint technology found in an iPhone as well as a T-1 chip to take the sapphire Touch ID sensor information and store it securely, non-reversibly(ish), on the machine. OS X 10.12 now comes with a tool that can manage the fingerprints, stored as keys, on the device. The bioutil command is simple to use, with a few options that are mostly useful for enabling different features of the new technology.

Let’s get started by enabling the unlock option, using the -r option to see if Touch ID is enabled for the current user and -s to check the system as well:

bioutil -r -s

Now let’s enable Touch ID to be able to unlock the system, with -u (provided it’s not already enabled):

bioutil -u

If you’ll be using ApplePay, also use -a (on a per-user basis):

bioutil -a

Next, let’s enables Touch ID to unlock the system for the current user:

bioutil -w -u 1

This user will obviously need to provide their fingerprint in order to use Touch ID. Once done, let’s see how many fingerprints they’ve registered using the -c option (which checks for the number of fingerprints registered by the currently enrolled user):

bioutil -c

Now let’s delete all fingerprints for the current user (note that they’re not reversible so you can’t actually look at the contents):

bioutil -p

Next, we’ll use sudo to remove all fingerprints for all users (since we’re crossing from user land, we’ll need to provide a password):

sudo bioutil -p -s

Instead, we could have targeted just deleting the fingerprints that had been registered for user 1024, using -s and -d together, followed by the actual UID (which also requires sudo – as with all -s option combos):

sudo bioutil -s -d 1024

Now let’s disable Touch ID for the computer, using -w to write a config, and that -u from earlier, setting it to 0 for off:

sudo bioutil -w -s -u 0

And viola, you’re managing the thing. Throw these in an Extension Attribute or in Munki and you’re managing/checking/knowing/reporting/all the thingsings! Enjoy!

December 16th, 2016

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , , ,

macOS has keychains. Sometimes they’re a thing. When they are you might want to delete them. Let’s say you have an admin account. You want to keep the keychains for that account, but remove all the others. For this, you could do a shell operator to extglob. Or you could do a quick while loop as follows:

ls /Users | grep -v "admin" | while read USERNAME do; rm -Rf "/Users/$USERNAME/Library/Keychains/*" done;

If you borrow this, be careful.

December 1st, 2016

Posted In: Mac OS X, Mac Security

Tags: , , , ,

I thought there might be an easier way to do this. So there’s this binary called serverrails that I assumed would install rails – no wait, actually it’s a ruby script that tells me to ‘gem install rails’ – which fails:

cat `which serverrails`
#!/usr/bin/ruby
# Stub rails command to load rails from Gems or print an error if not installed.
require 'rubygems'

version = ">= 0"
if ARGV.first =~ /^_(.*)_$/ and Gem::Version.correct? $1 then
version = $1
ARGV.shift
end

begin
gem 'railties', version or raise
rescue Exception
puts 'Rails is not currently installed on this system. To get the latest version, simply type:'
puts
puts ' $ sudo gem install rails'
puts
puts 'You can then rerun your "rails" command.'
exit 0
end

load Gem.bin_path('railties', 'rails', version)

Given that doesn’t work, we can just do this the old fashioned way… First let’s update rails to 2.2 or 2.2.4 using rvm, so grab the latest rvm and install it into /usr/local/rvm:

sudo curl -sSL https://get.rvm.io | bash -s stable --ruby

Then fire it up:

sudo source /etc/profile.d/rvm.sh

Then install the latest ruby:

sudo rvm install 2.2

Set it as default:

sudo rvm use 2.2 –default

Then run your gem install:

gem install rails

#thingsthatshouldbeautomatedandoddlyarenot

November 14th, 2016

Posted In: Mac OS X, Mac OS X Server

Tags: , , , , , ,

Recently, I got a strange message when trying to run a command:

You have exceeded the maximum number of shell sessions.

I’d seen a series of commands but never really needed to use them, so I ran:

shell_session_delete_expired

And viola, life was good. My command run. Of course, the next time I went to close the terminal correctly using the exit command. Upon doing so, I noticed:

logout
Saving session…
…copying shared history…
…saving history…truncating history files…
…completed.

[Process completed]

screen-shot-2016-11-06-at-2-30-34-pm

So, I opened a new shell and ran:

shell_session_update

And go the same result. Same with:

shell_session_save

Fun.

November 8th, 2016

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , , ,

Next Page »