The past couple of years have forced me to rethink many of my recommendations for how you back up computers in small office and home environments. Previously, I would have said that you could use a disk attached to an Apple AirPort. But the AirPort Base Station is no longer being made. Previously, I would have said you could use Time Machine Server, a service built into macOS Server in 5.4 and below. But that service is no longer being made in macOS Server by Apple and is now found in the Sharing System Preference pane. Previously, I might have even said to use the home edition of CrashPlan, which could have backed up to their cloud and/or a home server. But that plan is no longer being offered by Code 42.

So what are we to do? Well, luckily now the offerings out there are just endless. One of those offerings is so easy, you can run out to Best Buy, return home with a WD (Western Digital) MyCloud.com drive, and be up and running in about 5 minutes. I’ll cover other options when I cover file services and Synology. But in the meantime, let’s look at setting up a WD MyCloud.com drive, account, and configuring both to work with Time Machine. 

Set Up Your WD Hard Drive
First, we’ll set up the drive. This is pretty straightforward. Plug the ethernet cable into your network, wait for the drive to boot up, and then go to the MyHome setup page.

Here, you’ll be prompted to set up a My Cloud Home account. Enter a name, email address, and password. Then click on Create Account.

 
You’ll then be prompted for the device you plugged in, which is discovered on the network. Click Connect.


Choose whether you want to share product improvement data. Ever since my time as a product manager, I’ve been a huge fan of doing so, so I clicked Share.

Once that’s done, you’ll be prompted to get the desktop app. While not absolutely necessary, it’s not a bad idea. If you want the app, click Download.

Once the app is done downloading, open the directory and open the installer.

Click Install Now.

Once complete, you’ll see the menu bar. Click it and then, if you don’t see your device, add it by clicking on “I don’t see my device.”

When prompted, enter your email address and password that you created earlier and then click on Sign In.

Click Skip.

Next, if the notifications area offers a software update, make sure to run it. There was a pretty bad vulnerability a while back, and updating will make sure you’re good. Then click on the name of your WD MyCloud Home.


Add IFTTT Alerts

I want to see when new updates, channels or options are added, so I’m going to enable that. To do so, click on Services in the sidebar, and then click on Enable for IFTTT.

Assuming the terms of service are acceptable, click “I Agree.”

When prompted, choose to connect to IFTTT.

From the IFTTT site, click Connect.

Choose which options to give IFTTT for the MyCloud API.

Browse the channels and enable each that you’d like and then click “Turn on.”

Mount the MyCloud Drive
Next, open a “Connect to Server” dialog box (Command-K from the Finder) and click on Browse.

Click on the MyCloud-XXX where XXX is the identifier for your MyCloud account.

Click on the timemachinebackup folder.

The folder should initially be empty. Now let’s open the Time Machine System Preference pane.

Click on “Select Backup Disk…”

Choose Your MyDisk From Time Machine

Choose the TimeMachineBackup directory for the MyCloud Device and click on “Use Disk.”

You’ll then want to create a user for backing up. To do so, go back to the mycloud.com site and click on settings. Then click on “Add user…” and enter an email address.

The email address will get an email to set up an account. Do so and then once you’ve configured the user, enter the email address and password when prompted.

Now wait for the first backup to finish. If you ever see any errors, check them; otherwise, you should back up to the device as with a locally attached drive, but you won’t need to plug directly into the drive to run backups.

Conclusion
This doesn’t solve for a lot of use cases that Time Machine Server would have been better for. But it’s a simple task that should cost you a little over a hundred bucks and get you backing up. I’m still a fan of cloud services. Backblaze, Carbonite, and others will back up your data for an annual fee of a little less than what a MyDrive costs. I’ll cover those in later articles, but for now, you’ve got a backup on your network, which even if you use one of those services is a great option in the event of hardware failure, as you can quickly get back up and running with a full system restore!

Autopkgr is basically a small app that allows you to select some repositories of recipes and then watch and run them when they update. It’s a 5 minute or less installation, and at its simplest will put software packages into a folder of your choosing so you can test/upload/scope to users. Or you can integrate it with 3rd party tools like Munki, FileWave, or Jamf using the JSSImporter. Then if you exceed what it can do you can also dig under the hood and use Autopkg itself. It’s an app, and so it needs to run on a Mac. Preferably one that doesn’t do much else. 


Installing Autopkgr

You can obtain the latest release of Autopkgr at https://github.com/lindegroup/autopkgr. To install, drag the app to the Applications folder. 

When you open AutoPkgr for the first time, you’ll be prompted for the user name and password to install the helper tool (think menu item).

The menu item then looks like the following.

These are the most common tasks that administrators would run routinely. They involve checking Autopkg recipes to see if there are new versions of supported software titles, primarily. Opening the Autopkgr app once installed, though, shows us much more. Let’s go through this screen-by-screen in the following sections.


Moving AutoPkg Folders Around 

By default, when installed with Autopkgr, Autopkg stores its cache in ~/Library/AutoPkg/Cache and the repos are sync’d to ~/Library/AutoPkg/RecipeRepos. You can move these using the Choose… button in the Folders & Integration tab of Autopkgr, although it’s not necessary (unless, for example, you need to move the folders to another volume). 

Note: You can also click on the Configure AutoPkg button to add proxies, pre/post processing scripts, and GitHub tokens if needed. 


Keeping Autopkg and Git up-to-date

The Install tab is used to configure AutoPkg settings. If there is a new version of AutoPkg and Git, you’ll see an Install button for each (used to obtain the latest and greatest scripts); otherwise you’ll see a green button indicating it’s up-to-date. 

You can also configure AutoPkgr to be in your startup items by choosing to have it be available at login, and show/hide the Autopkgr menu item and Dock item. 


Configuring Repositories and Recipes

Repositories are where collections of recipes live. Recipes are how they’re built. Think of a recipe as a script that checks for a software update and then follows a known-good way of building that package. Recipes can then be shared (via GitHub) and consumed en masse. 

To configure a repository, click on the “Repos & Recipes” tab in Autopkgr. Then select the repos to use (they are sorted by stars so the most popular appear first). 

Note: There are specific recipes for Jamf Pro at https://github.com/autopkg/jss-recipes.git.

Then you’ll see a list of the recipes (which again, will make packages) that AutoPkgr has access to. Check the ones you want to build and click on Run Recipes Now.

If you don’t see a recipe for a title you need, use the search box at the bottom of the screen. That would show you a given entry for any repos that you’ve added. Again, all of the sharing of these repos typically happens through GitHub, but you can add any git url (e.g. if you wanted a repo of recipes in your organization).

Once you’ve checked the boxes for all the recipes you want to automate, you can then use the “Run AutoPkg Now” option in the menu items to build, or rely on a routine run, as described in the next section.


Scheduling Routine Builds

Autopkgr can schedule a routine run to check recipes. This is often done at night after administrators leave the office. To configure, click on the schedule tab and then check the box for Enable scheduled AutoPkg runs. You can also choose to update your recipes from the repos by checking the “Update all recipes before each AutoPkg run” checkbox.


Getting Notified About New Updates To Packages

I know this sounds crazy. But people like to get notified when there’s a new thing showing up. To configure a variety of notification mechanisms, click on the Notifications tab in AutoPkgr.

Here, you can configure alerts via email, Slack, HipChat, macOS Notification Center, or via custom webhooks.


Integrating Autopkg with Jamf (and other supported vendors)

When integrating with another tool, you’ll need to first install the integration. To configure the JSSImporter, we’ll open the “Folders & Integrations” tab in Autopkgr and then click on the Install JSSImporter button.

Once installed, configure the URL, username and password (for Customer API access) and configure any distribution points that need to have the resultant packages copied to. 


Once the JSSImporter is configured, software should show up in Jamf Pro scoped to a new group upon each build.  It is then up to the Jamf Administrator to complete the scoping tasks so software shows up on end user devices.


What the JSSImporter Does from Autopkg

This option doesn’t seem to work at this time. Using the following may make it work:

sudo easy_install pip && pip install -I --user pyopenssl

Note: The above command may error if you’re using macOS Server. If so, call easy_install directly via 

/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/easy_install.py.

In this article, I looked at enabling SMB and AFP shares via the command line for macOS:

Setup the File Sharing Service in macOS 10.13, High Sierra

One thing I didn’t cover is enabling SMB sharing for a specific user. This is different as passwords need to be stored in an SMB hash. And you can set that hash type with the pwpolicy command. So to do so, we’ll run the command with the -u option so we can supply the username, the -sethashtypes followed by SMB-NT as the hashtype followed by “on” as can be seen here:

pwpolicy -u charles.edge -sethashtypes SMB-NT on

The interpreter then asks for a password (which can be supplied programmatically with expect if this is done while creating the account):

Password for authenticator charles.edge:
Setting hash types for user <charles.edge>

Spinnaker seems kinda’ complicated at first, but it’s not. To get it up and running, first install cask:

brew tap caskroom/cask
brew install brew-cask

Then redis and java:

brew install redis
brew cask install java

Download spinnaker from https://github.com/spinnaker/spinnaker.git (I dropped mine into ~/usr/local/build/spinnaker). From your spinnaker folder make a build directory and then run the script to update source:

mkdir ~/usr/local/spinnaker/build
cd ~/usr/local/spinnaker/build
~/usr/local/spinnaker/dev/refresh_source.sh --pull_origin --use_ssh --github_user default

From your build directory, fire it up:

~/usr/local/spinnaker/dev/run_dev.sh

Now run hal to see a list of versions:

hal version list

Then enable the version you want (e.g. 1.0.0):

hal config version edit --version 1.0.0

Then apply the version:

hal deploy apply

Then connect to fire up the UI:

hal deploy connect

Voilà, now it’s just a GUI tool like anything else!

You know how when you buy apps at home, they show up on your computer at work, if you’re using the same iCloud account for the app store in both locations? Some companies want to disable that. To do so, send a ConfigDataInstall key into com.apple.SoftwareUpdate, which can most easily be done with the defaults command:

sudo defaults write com.apple.SoftwareUpdate ConfigDataInstall -int 0

Or to turn it back on:

sudo defaults write com.apple.SoftwareUpdate ConfigDataInstall -int 1

This New Years Day, Learn The Jot Command

The jot command is one I haven’t used in a while. But it’s still useful. Let’s take a look at a few of the things you can do with it. First, let’s just print lines into a new file called “century.txt” which we can do by running with the number of increments followed by the starting number, and then redirecting the output into the file name:

jot 100 1 > ~/Desktop/century.txt

Or to do integers instead, simply put the decimals:

jot 100 1.00 > ~/Desktop/century.txt

Or in descending order,

jot - 100 1 > ~/Desktop/century.txt

Now we could change the output to be just 50 to 100, by incrementing 50 (the first position) and starting at 50 (the second):

jot 50 50

The jot command is able to print sequential data, as we’ve seen. But we can also print random data, using the -r option. Following that option we have three important positions, the first is the number of iterations, but the next two are the lower and upper boundaries for the numbers, respectively. So in the below command we’ll grab 10 iterations (or ten random numbers) that are between 1 and 1000:

jot -r 10 1 1000

Now if we were to add a -c in there and use a and z as the upper and lower bounds, we’d get… letters (this time we’re just gonna’ ask for one letter)!

jot -r -c 1 a z

Something I find useful is just to shove random data into a file infinitely. And by useful I mean hopefully not left running overnight on my own computer (been there, done that). To do this, just use a 0 for the number of iterations:

jot -r -c 0

Something that is actually useful is the basic ASCII set:

jot -c 128 0

We can also append data to a word using -w. So let’s say we want to print the characters aa followed by a through z. In the below we’ll define that with -w and then we’ll list those two characters followed by %c which is where the character substitution goes and then the number of iterations followed by the lower bound:

jot -w aa%c 26 a

You can also do stuttering sequences, useful for the occasional tango dancer, so here we’ll do a 5/3 countdown:

jot - 100 0 -.5

Or we could create a one meg file by creating 1,024 bytes:

jot -b 0 1024 > onemegfile.txt

Oh wait, that file’s two megs. Get it? 😉

And running strings teaches you that you can’t bound random (a good lesson for the New Year). Anything you use jot for?

Happy New Years!

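I’d written an efi version checker. But the lovely Andrew Seago texted me one that’s better than mine. So I present it here:

#!/bin/bash
# Read the raw EFI version reported by efiupdater.
current_efi_version=$(/usr/libexec/efiupdater | grep "Raw" | cut -d ':' -f2 | sed 's/ //')
echo "current_efi_version $current_efi_version"
# An empty version would make the grep below match every entry, so fail early.
if [ -z "$current_efi_version" ]; then
  echo "EFI FAILED"
  exit 1
fi
# Look for that version among the allowlists that ship with eficheck.
latest_efi_version=$(ls -La /usr/libexec/firmwarecheckers/eficheck/EFIAllowListShipping.bundle/allowlists/ | grep -F "$current_efi_version")
echo "latest_efi_version $latest_efi_version"
if [ -z "$latest_efi_version" ]; then
  echo "EFI FAILED"
  exit 1
else
  echo "EFI PASSED"
  exit 0
fi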

When you push a certificate out in a profile, the certificate is statically stored on a Mac. If you are delivering a certificate over the air and in a device profile that is separate from the MDM payload then the Active Directory Certificate payload can enable automatic certificate renewals. You can enable automatic renewals with a defaults command (or manage the preference domain via MDM) using the following command:

defaults write /Library/Preferences/com.apple.mdm-client AutoRenewCertificatesEnabled -bool YES

Note: Because they’re already dynamic and all, SCEP payloads cannot be automatically renewed.

You can easily disable password hints in macOS by opening the System Preferences, clicking on the “Users & Groups” System Preference pane and then clicking on Login Options. From there, uncheck the box for “Show password hints.”


You can also disable this feature using the com.apple.loginwindow defaults domain. Send the following through a script to do so:

defaults write com.apple.loginwindow RetriesUntilHint -int 0
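
An added example, not from the original posts: after pushing the certificate auto-renewal and password-hint settings above by script or MDM, this reads each key back and reports whether it is unset, matches, or has drifted. It assumes `defaults read` prints booleans as 1 or 0 and exits non-zero when a key is absent; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: read back the preference keys set above and report their state.
# Assumption: `defaults read DOMAIN KEY` prints the value and exits non-zero
# when the key is absent; booleans written with -bool print as 1 or 0.

# normalize VALUE -> 1 or 0 for boolean spellings, anything else unchanged
normalize() {
  case "$1" in
    1|YES|yes|TRUE|true) echo 1 ;;
    0|NO|no|FALSE|false) echo 0 ;;
    *) echo "$1" ;;
  esac
}

# check_pref DOMAIN KEY EXPECTED
# returns 0 on a match, 1 when the value differs, 2 when the key is unset
check_pref() {
  domain=$1; key=$2; expected=$3
  if ! actual=$(defaults read "$domain" "$key" 2>/dev/null); then
    echo "UNSET  $domain $key (expected $expected)"
    return 2
  fi
  if [ "$(normalize "$actual")" = "$(normalize "$expected")" ]; then
    echo "OK     $domain $key = $actual"
    return 0
  fi
  echo "DRIFT  $domain $key = $actual (expected $expected)"
  return 1
}

# audit -> checks both keys, returns the number of settings that need attention
audit() {
  failures=0
  check_pref /Library/Preferences/com.apple.mdm-client \
    AutoRenewCertificatesEnabled YES || failures=$((failures + 1))
  check_pref com.apple.loginwindow RetriesUntilHint 0 || failures=$((failures + 1))
  echo "$failures setting(s) need attention"
  return "$failures"
}

# Run only where the defaults tool exists (macOS).
if command -v defaults >/dev/null 2>&1; then audit; fi
```

Run it as the same user that wrote the keys, since `defaults` resolves a bare domain such as com.apple.loginwindow relative to the calling user.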

The following is a list of application bundles that come pre-installed with macOS that are protected by SIP:
/Applications/App Store.app
/Applications/Automator.app
/Applications/Calculator.app
/Applications/Calendar.app
/Applications/Chess.app
/Applications/Contacts.app
/Applications/DVD Player.app
/Applications/Dashboard.app
/Applications/Dictionary.app
/Applications/FaceTime.app
/Applications/Font Book.app
/Applications/Game Center.app
/Applications/Image Capture.app
/Applications/Launchpad.app
/Applications/Mail.app
/Applications/Maps.app
/Applications/Messages.app
/Applications/Mission Control.app
/Applications/Notes.app
/Applications/Photo Booth.app
/Applications/Photos.app
/Applications/Preview.app
/Applications/QuickTime Player.app
/Applications/Reminders.app
/Applications/Safari.app
/Applications/Siri.app
/Applications/Stickies.app
/Applications/System Preferences.app
/Applications/TextEdit.app
/Applications/Time Machine.app
/Applications/Utilities
/Applications/iBooks.app
/Applications/iTunes.app
/Applications/Utilities/Activity Monitor.app
/Applications/Utilities/AirPort Utility.app
/Applications/Utilities/Audio MIDI Setup.app
/Applications/Utilities/Bluetooth File Exchange.app
/Applications/Utilities/Boot Camp Assistant.app
/Applications/Utilities/ColorSync Utility.app
/Applications/Utilities/Console.app
/Applications/Utilities/Digital Color Meter.app
/Applications/Utilities/Disk Utility.app
/Applications/Utilities/Grab.app
/Applications/Utilities/Grapher.app
/Applications/Utilities/Keychain Access.app
/Applications/Utilities/Migration Assistant.app
/Applications/Utilities/Script Editor.app
/Applications/Utilities/System Information.app
/Applications/Utilities/Terminal.app
/Applications/Utilities/VoiceOver Utility.app
/Applications/Utilities/X11.app
Note: Files located in /System, /usr, /bin, and /sbin are recursively protected as well.
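
An added example, not from the original post: one way to confirm on a given Mac that entries from the list above are actually SIP-protected is to look for the "restricted" file flag in `ls -ldO` output. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. On macOS, `ls -ldO PATH` prints file flags as the 5th column;
# SIP-protected items carry the "restricted" flag, unflagged items show "-".

# is_restricted LINE -> returns 0 when the flags column of one `ls -ldO` line
# lists "restricted" (flags can be comma-separated, e.g. restricted,hidden)
is_restricted() {
  flags=$(printf '%s\n' "$1" | awk '{print $5}')
  case ",$flags," in
    *,restricted,*) return 0 ;;
    *) return 1 ;;
  esac
}

# classify LINE PATH -> prints "restricted PATH" or "unrestricted PATH"
classify() {
  if is_restricted "$1"; then
    echo "restricted $2"
  else
    echo "unrestricted $2"
  fi
}

# report PATH... -> classify each path with the local ls; note missing paths
report() {
  for p in "$@"; do
    if line=$(ls -ldO "$p" 2>/dev/null); then
      classify "$line" "$p"
    else
      echo "missing $p"
    fi
  done
}

# Constructed sample lines (not captured from a real system).
SAMPLE_SIP='drwxr-xr-x  3 root  wheel  restricted 96 Jan  1 00:00 /Applications/Safari.app'
SAMPLE_MULTI='drwxr-xr-x@ 5 root  wheel  restricted,hidden 160 Jan  1 00:00 /usr'
SAMPLE_PLAIN='drwxr-xr-x  3 root  admin  - 96 Jan  1 00:00 /Applications/Example.app'

# On a Mac, check a few entries from the list above.
if [ "$(uname)" = "Darwin" ]; then
  report "/Applications/Safari.app" "/Applications/Utilities/Terminal.app" /usr /bin
fi
```

Only the flags column is examined, so a file that merely has "restricted" in its name is not reported as protected.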