krypted.com

Tiny Deathstars of Foulness

Spinnaker seems kinda’ complicated at first, but it’s not. To get it up and running, first install cask:

brew tap caskroom/cask
brew install brew-cask

Then redis and java:

brew install redis
brew cask install java

Download spinnaker from https://github.com/spinnaker/spinnaker.git (I dropped mine into ~/usr/local/build/spinnaker). From your spinnaker folder make a build directory and then run the script to update source:

mkdir ~/usr/local/spinnaker/build
cd ~/usr/local/spinnaker/build
~/usr/local/spinnaker/dev/refresh_source.sh –pull_origin –use_ssh –github_user default

From your build directory, fire it up:

~/usr/local/spinnaker/dev/run_dev.sh

Now run hal to see a list of versions:

hal version list

Then enable the version you want (e.g. 1.0.0):

hal config version edit –version 1.0.0

Then apply the version:

hal deploy apply

Then connect to fire up the UI:

hal deploy connect

Viola, now it’s just a GUI tool like anything else!

January 4th, 2018

Posted In: Mac OS X

Tags: ,

You know how when you buy apps at home, they show up on your computer at work, if you’re using the same iCloud account for the app store in both locations? Some companies want to disable that. To do so, send a ConfigDataInstall key into com.apple.softwareupdate, which can most easily be done with the defaults command:

sudo defaults write com.apple.SoftwareUpdate ConfigDataInstall -int 0

Or to turn it back on:

sudo defaults write com.apple.SoftwareUpdate ConfigDataInstall -int 1

January 2nd, 2018

Posted In: Mac OS X, Mass Deployment

Tags: , , ,

This New Years Day, Learn The Jot Command The jot command is one I haven’t used in awhile. But it’s still useful. Let’s take a look at a few of the things you can do with it. First, let’s just print lines into a new file called “century.txt” which we can do by running with the number of increments followed by the starting number, and then redirecting the output into the file name:

jot 100 1 > ~/Desktop/century.txt

Or to do integers instead, simply put the decimals:

jot 100 1.00 > ~/Desktop/century.txt

Or in descending order,

jot – 100 1 > ~/Desktop/century.txt

Now we could change the output to be just 50 to 100, by incrementing 50 (the first position) and starting at 50 (the second):

jot 50 50

The jot command is able to print sequential data, as we’ve seen. But we can also print random data, using the -r option. Following that option we have three important positions, the first is the number of iterations, but the next two are the lower and upper boundaries for the numbers, respectively. So in the below command we’ll grab 10 iterations (or ten random numbers) that are between 1 and 1000:

jot -r 10 1 1000

Now if we were to add a -c in there and use a and z as the upper and lower bounds, we’d get… letters (this time we’re just gonna’ ask for one letter)!

jot -r -c 1 a z

Something I find useful is just to shove random data into a file infinitely. And by useful I mean hopefully not left running overnight on my own computer (been there, done that). To do this, just use a 0 for the number of iterations:

jot -r -c 0

Something that is actually useful is the basic ASCII set:

jot -c 128 0

We can also append data to a word using -w. So let’s say we want to print the characters aa followed by a through z. In the below we’ll define that with -w and then we’ll list those two characters followed by %c which is where the character substitution goes and then the number of iterations followed by the lower bound:

jot -w aa%c 26 a

You can also do stuttering sequences, useful for the occasional tango dancer, so here we’ll do a 5/3 countdown:

jot – 100 0 -.5

Or we could create a one meg file by creating 1,024 bytes:

jot -b 0 1024 > onemegfile.txt

Oh wait, that file’s two megs. Get it? 😉

And running strings teaches you that you can’t bound random (a good lesson for the New Year). Anything you use jot for?

Happy New Years!

January 1st, 2018

Posted In: bash, Mac OS X, Mac OS X Server

Tags: , , , , ,

I’d written an efi version checker. But the lovely Andrew Seago texted me one that’s better than mine. So I present it here: current_efi_version=`/usr/libexec/efiupdater | grep "Raw" | cut -d ':' -f2 | sed 's/ //'`
echo "current_efi_version $current_efi_version"
latest_efi_version=`ls -La /usr/libexec/firmwarecheckers/eficheck/EFIAllowListShipping.bundle/allowlists/ | grep "$current_efi_version"`
echo "latest_efi_version $latest_efi_version"
if [ "$latest_efi_version" == "" ]; then
echo "EFI FAILED"
exit 1
else
echo "EFI PASSED"
exit 0
fi

November 2nd, 2017

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Uncategorized

Tags: , , ,

When you push a certificate out in a profile, the certificate is statically stored on a Mac. If you are delivering a certificate over the air and in a device profile that is seperate from the MDM payload then the Active Directory Certificate payload can enable automatic certificate renewals. You can enable automatic renewals with a defaults command (or manage the preference domain via MDM) using the following command:

defaults write /Library/Preferences/com.apple.mdm-client AutoRenewCertificatesEnabled -bool YES
Note: Because they’re already dymanic and all, SCEP payloads cannot be automatically renewed.

October 5th, 2017

Posted In: Mac OS X

Tags: , , , ,

You can easily disable password hints in macOS by opening the System Preferences, clicking on the “Users & Groups” System Preference pane and then clicking on Login Options. From there, uncheck the box for “Show password hints”


You can also disable this feature using the com.apple.loginwindow defaults domain. Send the following through a script to do so:

defaults write com.apple.loginwindow RetriesUntilHint -int 0

October 4th, 2017

Posted In: Mac OS X

Tags: , ,

The following is a list of application bundles that come pre-installed with macOS that are protected by SIP:
/Applications/App Store.app
/Applications/Automator.app
/Applications/Calculator.app
/Applications/Calendar.app
/Applications/Chess.app
/Applications/Contacts.app
/Applications/DVD Player.app
/Applications/Dashboard.app
/Applications/Dictionary.app
/Applications/FaceTime.app
/Applications/Font Book.app
/Applications/Game Center.app
/Applications/Image Capture.app
/Applications/Launchpad.app
/Applications/Mail.app
/Applications/Maps.app
/Applications/Messages.app
/Applications/Mission Control.app
/Applications/Notes.app
/Applications/Photo Booth.app
/Applications/Photos.app
/Applications/Preview.app
/Applications/QuickTime Player.app
/Applications/Reminders.app
/Applications/Safari.app
/Applications/Siri.app
/Applications/Stickies.app
/Applications/System Preferences.app
/Applications/TextEdit.app
/Applications/Time Machine.app
/Applications/Utilities
/Applications/iBooks.app
/Applications/iTunes.app
/Applications/Utilities/Activity Monitor.app
/Applications/Utilities/AirPort Utility.app
/Applications/Utilities/Audio MIDI Setup.app
/Applications/Utilities/Bluetooth File Exchange.app
/Applications/Utilities/Boot Camp Assistant.app
/Applications/Utilities/ColorSync Utility.app
/Applications/Utilities/Console.app
/Applications/Utilities/Digital Color Meter.app
/Applications/Utilities/Disk Utility.app
/Applications/Utilities/Grab.app
/Applications/Utilities/Grapher.app
/Applications/Utilities/Keychain Access.app
/Applications/Utilities/Migration Assistant.app
/Applications/Utilities/Script Editor.app
/Applications/Utilities/System Information.app
/Applications/Utilities/Terminal.app
/Applications/Utilities/VoiceOver Utility.app
/Applications/Utilities/X11.app
Note: Files located in /System, /usr, /bin, and /sbin are recursively protected as well.

October 2nd, 2017

Posted In: Mac OS X, Mac Security

Tags: , , ,

High Sierra sees the Caching service moved out of macOS Server and into the client macOS. This means administrators no longer need to run the Server app on caching servers. Given the fact that the Caching service only stores volatile data easily recreated by caching updates again, there’s no need to back the service up, and it doesn’t interact with users or groups, so it’s easily divested from the rest of the Server services.

And the setup of the Caching service has never been easier. To do so, first open System Preferences and click on the Sharing System Preferences pane.

From here, click on the checkbox for Content Caching to start the service.

At the Content Caching panel, the service will say “Content Caching: On” once it’s running. Here, you can disable the “Cache iCloud content” option, which will disable the caching of user data supplied for iCloud (everything in here is encrypted, by the way). You can also choose to share the Internet Connection, which will create a wireless network that iOS devices can join to pull content. 

Click Options. Here, you can see how much storage is being used and limit the amount used. 

defaults read /Library/Preferences/com.apple.AssetCache.plist

Which returns the following configurable options:

Activated = 1;
CacheLimit = 0; DataPath = “/Library/Application Support/Apple/AssetCache/Data”; LastConfigData = <BIGLONGCRAZYSTRING>; LastConfigURL = “http://suconfig.apple.com/resource/registration/v1/config.plist”; LastPort = 56452; LastRegOrFlush = “2017-09-11 16:32:56 +0000”; LocalSubnetsOnly = 1; PeerLocalSubnetsOnly = 1; Port = 0; Region = 263755EFEF1C5DA178E82754D20D47B6; ReservedVolumeSpace = 2000000000; SavedCacheDetails = {
SavedCacheSize = 0;
ServerGUID = “EB531594-B51E-4F6A-80B9-35081B924629”;
Version = 1;}

This means that all those settings that you used to see in the GUI are still there, you just access them via the command line, by sending defaults commands. For example, 

defaults write /Library/Preferences/com.apple.AssetCache.plist CacheLimit -int 20000000000

You can

AssetCacheManagerUtil status

Which returns something similar to the following:

2017-09-11 11:49:37.427 AssetCacheManagerUtil[23957:564981] Built-in caching server status: {
Activated = 1;
Active = 1;
CacheDetails = {
iCloud = 4958643;
“iOS Software” = 936182434;};
CacheFree = 472585174016;
CacheLimit = 0;
CacheStatus = OK;
CacheUsed = 941141077;
Parents = ();
Peers = ();
PersonalCacheFree = 472585174016;
PersonalCacheLimit = 0;
PersonalCacheUsed = 4958643;
Port = 56452;
PrivateAddresses = (“192.168.104.196”);
PublicAddress = “38.126.164.226”;
RegistrationStatus = 1;
RestrictedMedia = 0;
ServerGUID = “EB531594-B51E-4F6A-80B9-35081B924629”;
StartupStatus = OK;
TotalBytesDropped = 0;
TotalBytesImported = 4958643;
TotalBytesReturnedToChildren = 0;
TotalBytesReturnedToClients = 166627405;
TotalBytesReturnedToPeers = 0;
TotalBytesStoredFromOrigin = 166627405;
TotalBytesStoredFromParents = 0;
TotalBytesStoredFromPeers = 0;

You can also use AssetCacheManagerUtil to manage tasks previously built into the Server app. To see the available options, simply run the command:

bash-3.2# /usr/bin/AssetCacheManagerUtil

Which would show the following:

Options are:
-a|–all show all events
-j|–json print results in JSON
-l|–linger don’t exit
2017-09-11 11:57:30.066 AssetCacheManagerUtil[24213:569932] Commands are:
activate
deactivate
isActivated
canActivate
flushCache
flushPersonalCache
flushSharedCache
status
settings
reloadSettings
moveCacheTo path
absorbCacheFrom path read-only|and-destroy

As such, to enable the server:

bash-3.2# /usr/bin/AssetCacheManagerUtil activate 

To disable the server

bash-3.2# /usr/bin/AssetCacheManagerUtil deactivate

To check if the server can be activated

bash-3.2# /usr/bin/AssetCacheManagerUtil canActivate

To flush the cache of assets on the server:

bash-3.2# /usr/bin/AssetCacheManagerUtil flushCache 

To reload settings if you make any changes:

bash-3.2# /usr/bin/AssetCacheManagerUtil reloadSettings

To move the database

/usr/bin/AssetCacheManagerUtil moveCacheTo "/Volumes/SONY/Library/Application Support/Apple/AssetCache/Data"

Finally, if you’d like to see the caching server your client system is using, you can run the following command:

/usr/bin/AssetCacheLocatorUtil 2>&1 | grep guid | awk '{print$4}' | sed 's/^\(.*\):.*$/\1/' | uniq

And if you use Jamf Pro and would like to use this as an extension attribute, that’s posted here: https://github.com/krypted/cachecheck. I didn’t do any of the if/then there, as I’d usually just do that on the JSS.

Note: To see how AssetCache interacts with Tetherator, see Tethered Caching of iOS Assets from macOS 10.12.4.

September 28th, 2017

Posted In: Mac OS X, Mac OS X Server

Tags: , , , , , ,

A bootable installer is one of the fastest ways to install a Mac. Rather than copy the installer to a local drive you can run it right off a USB disk (or Thunderbolt if you dare). Such a little USB drive would be similar to the sticks that came with the older MacBook Air, when we were all still sitting around wondering how you would ever install the OS on a computer with no optical media or Ethernet otherwise. Luckily, Apple loves us. To make a bootable USB/flash drive of High Sierra like the one that used to come with the MacBook Air, first name the USB drive. I’ll use hsinstall for the purposes of this article. The format should be Mac OS Extended Journaled, although the new system drive will be apfs on the target volume. The installer is called Install macOS Sierra and is by default located in the /Applications directory. Inside the app bundle, there’s a new binary called createinstallmedia (nested in Contents/Resources). Using this binary you can create an installation drive (similar to what we used to do with InstallESD). To do so, specify the –volume to create the drive on (note that the target volume will be erased), the path of the “Install macOS High Sierra” app bundle and then we’re going to select –nointeraction so it just runs through the whole thing

/Applications/Install\ macOS\High\ Sierra.app/Contents/Resources/createinstallmedia --volume /Volumes/hsinstall --applicationpath /Applications/Install\ macOS\ High\ Sierra.app --nointeraction

Note: You’ll need to elevate your privileges for this to run.

Once run you’ll see that it erases the disk, copies the Installation materials (InstallESX, etc) and then makes the drive bootable, as follows:

Erasing Disk: 0%... 10%... 20%... 100%... Copying installer files to disk... Copy complete. Making disk bootable... Copying boot files... Copy complete.

Then you can either select the new volume in the Startup Disk System Preference pane or boot the computer holding down the option key to select the new volume.

Note: If you can do this on a system with a solid state drive it will be  faster. Although this took 17 minutes last I ran it even then so be patient for the files to copy.

September 28th, 2017

Posted In: Mac OS X

Tags: , , , ,

The first thing you’ll want to do on any server is setup the networking for the computer. To do this, open the System Preferences and click on Network. You usually want to use a wired Ethernet connection on a server, but in this case we’ll be using Wi-Fi. Here, click on the Wi-Fi interface and then click on the Advanced… button.

At the setup screen for the interface, provide a good static IP address. Your network administrator can provide this fairly easily. Here, make sure you have an IP address and a subnet mask. Since we need to install the Server app from the Mac App Store, and that’s on the Internet, you’ll also need to include a gateway, which provides access to the Internet and using the DNS tab, the name servers for your Internet Service Provider (ISP).
 
Once you have provided a static IP address, verify that you can route to the Internet (e.g. open Safari and visit a website). Provided you can, the first step to installing macOS Server onto High Sierra is to download the Server app from the Mac App Store. To do so, open the App Store app and search for Server. In the available apps, you’ll see the Server app from Apple. Here, click on Buy and let the app download. That was pretty easy, right. Well, the fun has just gotten started. Next, open the app.

When you first open the Server app, you’ll see the Server screen. Here, you can click on the following options:
  • Other Mac: Shows a list of Macs with the Server app that can be remotely configured. Choosing another system does not complete the setup process on the system you’re working on at the moment.
  • Cancel: Stops the Server app setup assistant and closes the Server App.
  • Continue: Continues installing the Server app on the computer you are using.
  • Help: Brings up the macOS Server manual.
 

Click Continue to setup macOS Server on the machine you’re currently using. You’ll then be prompted for the licensing agreement from Apple. Here, check the box to “Use Apple services to determine this server’s Internet reachability” and click on Agree (assuming of course that you agree to Apple’s terms in the license agreement).

Installing macOS Server must be done with elevated privileges. At the prompt, enter the credentials for an account with administrative access and click on the Allow button.

The services are then configured as needed and the command line tools are made accessible. This can take some time, so be patient. When the app is finished with the automation portion of the configuration, you will be placed into the Server app for the first time. Your first order of business is to make sure that the host names are good on the computer. Here, first check the Host Name. If the name doesn’t resolve properly (forward and reverse) then you will likely have problems with the server at some point. Therefore, go ahead and click on Edit Host Name… Here, enter the fully qualified address that the server should have. In the DNS article, we’ll look at configuring a good DNS server, but for now, keep in mind that you’ll want your DNS record that points to the server to match what you enter here. And users will use this address to access your server, so use something that is easy to communicate verbally, when needed.

 
At the Change Host Name screen, click Next. At the “Accessing your Server” screen, click on Internet and then click on the Next button.



At the “Connecting to your Server” screen, provide the Computer Name and the Host Name. The Computer Name is what you will see when you connect to the server over Bonjour and what will be listed in the Sharing System Preference pane. The Host Name is the fully qualified host name (fqdn) of the computer. I usually like to take the computer name and put it in front of the domain name. For example, in the following screen, I have osxserver as the name of the computer and osxserver.krypted.com as the host name.



Once you have entered the names, click on the Finish button. You are then prompted to Change Host Name. Click on Change Host Name at this screen.

Next, let’s open Terminal and run changeip with the -checkhostname option, to verify that the IP and hostname match:

sudo changeip -checkhostname


Provided that the IP address and hostname match, you’ll see the following response.

sudirserv:success = “success”

If the IP address and hostname do not match, then you might want to consider enabling the DNS server and configuring a record for the server. But at this point, you’ve finished setting up the initial server and are ready to start configuring whatever options you will need on the server.

September 28th, 2017

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , ,

« Previous PageNext Page »