Tiny Deathstars of Foulness

My latest piece is available at It starts off like this, if it’s your kinda’ thing:

Employee engagement is dipping, according to a new study by human resources consultancy Aon Hewitt, but as an manager, you can make the workplace more appealing through positive initiatives such as employee training and development.

Indeed, I’ve often had people I manage ask for more training. My answer is always an emphatic “yes.”

But then something funny often happens: nothing. Giving staff approval for trainingdoesn’t necessarily mean that they’ll do it unless you follow up methodically and even micromanage the process.

Why does this happen and what does it show about how employers and employees alike can do a better job to make sure development happens? I have five theories.

July 7th, 2017

Posted In: Articles and Books

Tags: , , , , ,

Leave a Comment

Just posted another article on NotOnMyWatch. This one on how leaders use “I” vs “We”

You can access it at:

December 27th, 2016

Posted In: public speaking

Tags: , , , , , ,

When applying management profiles, it helps to be able to look at the logs and troubleshoot why any settings aren’t applied. To view logs on an Apple TV, open Xcode and then click on an Apple TV.

Screen Shot 2015-11-02 at 9.37.52 PM

From the Apple TV screen, click on View Device Logs. The logs will appear in the app.

Screen Shot 2015-11-02 at 9.37.58 PM

Click Done when you’re finished reviewing the logs.

November 8th, 2015

Posted In: Apple TV

Tags: , , , , , , ,

You may have noticed a few new articles on Apple Configurator 1 recently (which isn’t assuming anyone actually notices what I’m writing about). While preparing for the massive change that is Apple Configurator 2, I’ve taken the liberty to put a page up compiling many of my articles that align into a guide on Apple Configurator 1, to offer up an outline for what I’ll be working on for Apple Configurator 2. This guide is now available at

August 13th, 2015

Posted In: Apple Configurator, iPhone

Tags: , , , , ,

Apple Configurator is a great tool to manage iOS devices. It’s also a pretty decent tool when you need to create profiles for use on Macs. Apple Configurator is easily installed using the Mac App Store. This involves 3 workflows:

  1. Prepare: Setup a device initially.
  2. Supervise: Manage a device using Apple Configurator long-term.
  3. Assign: Manage content on devices using Apple Configurator.

However you plan on using Apple Configurator, the first step to use the product is to download it for free and install it on an OS X computer. To install Apple Configurator, first open the App Store and search for Apple Configurator.

Screen Shot 2015-07-27 at 2.46.26 PM

When listed, click on Apple Configurator.

Screen Shot 2015-07-27 at 2.47.28 PM

Then click on Get, then click on Install App. If prompted for your Apple ID, provide it.

Screen Shot 2015-07-27 at 2.52.00 PM

This downloads Apple Configurator to the /Applications directory on your computer. Once installed, open Apple Configurator and click on Prepare to get started with the product. I’ve done a series of articles at to help guide you through the process of getting comfortable with Apple Configurator.

August 12th, 2015

Posted In: Apple Configurator

Tags: , , , , , , ,

DNS is DNS. And named is named. Except in OS X Server. The configuration files for the DNS services in OS X Server are stored in /Library/Server/named. This represents a faux root of named configuration data, similar to how that configuration data is stored in /var/named on most other platforms. Having the data in /Library/Server/named makes it more portable across Mac DNS Servers.

Traditionally, you would edit this configuration data by simply editing the configuration files, and that’s absolutely still an option. In Yosemite Server, a command is available at /Applications/ called dnsconfig, introduced back in Mavericks. The dnsconfig command appears simple at first. However, the options available are actually far more complicated than they initially appear. The verbs available include help (show help information), list (show the contents of configurations and zone files), add (create records and zones) and delete (remove records and zones).

To view data available in the service, use the list verb. Options available when using the list verb include –acl (show ACLs), –view (show BIND view data), –zone (show domains configured in the service), –rr (show resource records) and –rrtype (show types of resource records). For example, let’s say you have a domain called and you would like to view information about that zone. You could use the dnsconfig command along with the list verb and then the –zone option and the domain name:

/Applications/ list

The output would show you information about the listed zone, usually including View data:

allow-transfer: none
allow-update: none

To see a specific record, use the –rr option, followed by = and then the fqdn, so to see

/Applications/ list

By default views are enabled and a view called is created when the DNS server first starts up. You can create other views to control what different requests from different subnets see; however, even if you don’t create any views, you’ll need to add the –view option followed by the name of the view (– to any records that you want to create. To create a record, use the add verb. You can add a view (–view), a zone (–zone) or a record (–rr). Let’s start by adding a record to the from our previous example. In this case we’ll add an A record called www that points to the IP address of

/Applications/ add --rr=www A

You can add a zone, by providing the –view to add the zone to and not providing a –rr option. Let’s add krypted.lan:

/Applications/ add --zone=krypted.lan

Use the delete verb to remove the data just created:

/Applications/ delete --zone=krypted.lan

Or to delete that one www record earlier, just swap the add with a delete:

/Applications/ delete --rr=www A

Exit codes would be “Zone krypted.lan removed.” and “Removed 1 resource record.” respectively for the two commands. You can also use the –option option when creating objects, along with the following options (each taken as a value followed by an =, with this information taken by the help page):

  • allow-transfer Takes one or more address match list entry. Address match list entries consist of any of these forms: IP addresses, Subnets or Keywords.
  • allow-recursion Takes one or more address match list entry.
  • allow-update Takes one or more address match list entry.
  • allow-query Takes one or more address match list entry.
  • allow-query-cache Takes one or more address match list entry.
  • forwarders Takes one or more IP addresses, e.g.
  • directory Takes a directory path
  • tkey-gssapi-credential Takes a kerberos service principal
  • tkey-domain Takes a kerberos realm
  • update-policy Takes one complete update-policy entry where you can grant or deny various matched objects and specify the dentity of the user/machine that is allowed/disallowed to update.. You can also identify match-type (Type of match to be used in evaulating the entry) and match-name (Name used to match) as well as rr-types (Resource record types that can be updated)

Overall, this command shows a commitment to continuing to make the service better, when you add records or remove them you can instantly refresh the Server app and see the updates. It’s clear a lot of work went into this and it’s a great tool for when you’re imaging systems and want to create records back on a server or when you’re trying to script the creation of a bulk list of records (e.g. from a cached file from a downed host). It also makes working with Views as easy as I’ve seen it in most platforms and is overall a breeze to work with as compared to using the serveradmin command to populate objects so the GUI doesn’t break when you update records by hitting files directly.

October 16th, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Network Infrastructure

Tags: , , , , , , , , ,

When deploying XenApp, there are a few ports that typically need to be open for the solution to work properly. The most common of these are 1603 and 1604, but you may also need to open 1494 and 2598 as well. And of course, 443 and 80 if you’re doing web stuff. So here’s the list and what they do:

  • Admin: 135
  • Access Gateway Deployment: 443
  • App Streaming: 445
  • Citrix ICA thin client protocol: 1494
  • Citrix ICAbrowser: 1604
  • Independent Management Architecture: 2512
  • Management Console: 2513
  • Citrix Session Reliability Service: 2598

Citrix_SSLVPN_COIL_NetDiagThere are also a number of ports that communicate back into your infrastructure, such as LDAP (can be a RODC), RADIUS and DNS. If you’re blocking internal ports (e.g. if your Citrix infrastructure is in a DMZ) then you’ll also need ports 9001, 9002 and 9005 in order to administer your Citrix environment, but only from hosts that will perform administration tasks. Also, if you use AppController, port 9736 between hosts provides the High Availability service, 4443 is for the admin tool and 3820 and 21 are used for log transfers. If you have a separate license server you’ll need the Citrix servers to communicate with it via 27000, 7279, 8082 and 80. If you use a separate SQL Server for any of this stuff, you’ll also need 1433 and 1434 to it.

April 21st, 2014

Posted In: Windows Server

Tags: , , , , , ,

Well, it’s that time of the year when one of my favorite conferences opens up registration! Come one, come all to MacSysAdmin for good times, good people and lots of fun Macinnerdiness! I hope to see you there! The official page is up at
Screen Shot 2014-04-13 at 8.02.49 PM

April 14th, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, public speaking

Tags: , , , ,

Web Services in Mac OS X, Mac OS X Server, Linux and most versions of Unix are provided by Apache, an Open Source project that much of the Internet owes its origins to. Apache owes its name to the fact that it’s “a patchy” service. These patches are often mods, or modules. Configuring web services is as easy in OS X Mavericks Server (10.9) as it has ever been. To set up the default web portal, simply open the Server app, click on the Websites service and click on the ON button.

Screen Shot 2013-10-07 at 7.06.28 PMAfter a time, the service will start. Once running, click on the View Server Website link at the bottom of the pane.

Screen Shot 2013-10-07 at 7.07.01 PM

Provided the stock OS X Server page loads, you are ready to use OS X Server as a web server.

Screen Shot 2013-10-07 at 7.07.43 PMBefore we setup custom sites, there are a few things you should know. The first is, the server is no longer really designed to remove the default website. So if you remove the site, your server will exhibit inconsistent behavior. Also, don’t remove the files that comprise the default site. Instead just add sites, which is covered next. Webmail is gone. You don’t have to spend a ton of time looking for it as it isn’t there. Also, Mountain Lion Server added web apps, which we’ll briefly review later in this article as well, as those continue in Mavericks Server.  Finally, enabling PHP and Python on sites is done globally, so this setting applies to all sites hosted on the server.

Screen Shot 2013-10-07 at 8.04.38 PMNow that we’ve got that out of the way, let’s add our first custom site. Do so by clicking on the plus sign. At the New Web Site pane, you’ll be prompted for a number of options. The most important is the name of the site, with other options including the following:

  • Domain Name: The name the site is accessible from. The default sites do not have this option as they are accessible from all names that resolve to the server.
  • IP Address: The IP address the site listens on. Any means the site is available from every IP address the server is configured to use. The default websites do not have this option as they are accessible from all addresses automatically
  • Port: By default, sites without SSL run on port 80 on all network interfaces, and sites with SSL run on port 443 on all network interfaces. Use the Port field to use custom ports (e.g., 8080). The default sites do not have this option as they are configured to use 80 and 443 for default and SSL-based communications respectively.
  • SSL Certificate: Loads a list of SSL certificates installed using Keychain or the SSL Certificate option in the Settings pane of the Server application
  • Store Site Files In: The directory that the files that comprise the website are stored in. These can be placed into the correct directory using file shares or copying using the Finder. Click on the drop-down menu and then select Other to browse to the directory files are stored in.
  • Who Can Access: By default Anyone (all users, including unauthenticated guests) can access the contents of sites. Clicking on Anyone and then Customize… brings up the “Restrict access to the following folders to a chosen group” screen, where you can choose web directories and then define groups of users who can access the contents.
  • Additional Domains: Click on the Edit… button to bring up a simple list of domain names the the site also responds for (e.g. in addition to, add
  • Redirects: Click on the Edit… button to bring up a list of redirects within the site. This allows configuring redirects to other sites. For example, use /en to load or /cn to load
  • Aliases: Click on the Edit… button to load a list of aliases. This allows configuring redirects to folders within the same server. For example, /en loads /Library/Server/Web/Data/Sites/Default
  • Index Files: Click on the Edit… button to bring up a list of pages that are loaded when a page isn’t directly indicated. For example, when visiting, load the wp.php page by default.
  • Advanced Options: The remaining options are available by clicking on the “Edit Advanced Settings…” button.
  • Enable Server Side Includes: Allows administrators to configure leveraging includes in web files, so that pieces of code can be used across multiple pages in sites.
  • Allow overrides using .htaccess files: Using a .htaccess file allows administrators to define who is able to access a given directory, defining custom user names and passwords in the hidden .htaccess file. These aren’t usually required in an OS X Server web environment as local and directory-based accounts can be used for such operations. This setting enables using custom .htaccess files instead of relying on Apple’s stock web permissions.
  • Allow folder listing: Enables folder listings on directories of a site that don’t have an Index File (described in the non-Advanced settings earlier).
  • Allow CGI execution: Enables CGI scripts for the domain being configured.
  • Use custom error page: Allows administrators to define custom error pages, such as those annoying 404 error pages that load when a page can’t be found
  • Make these web apps available on this website: A somewhat advanced setting, loads items into the webapps array, which can be viewed using the following command:  sudo serveradmin settings web:definedWebApps

Once you’ve configured all the appropriate options, click on Done to save your changes. The site should then load. Sites are then listed in the list of Websites.

The Apache service is most easily managed from the Server app, but there are too many options in Apache to really be able to put into a holistic graphical interface. The easiest way to manage the Websites service in OS X Mavericks server is using the serveradmin command. Apache administrators from other platforms will be tempted to use the apachectl command to restart the Websites service. Instead, use the serveradmin command to do so. To start the service:

sudo serveradmin start web

To stop the service(s):

sudo serveradmin stop web

And to see the status:

sudo serveradmin fullstatus web

Fullstatus returns the following information:

web:health = _empty_dictionary
web:readWriteSettingsVersion = 1
web:apacheVersion = "2.2"
web:servicePortsRestrictionInfo = _empty_array
web:startedTime = "2013-10-08 01:05:32 +0000"
web:apacheState = "RUNNING"
web:statusMessage = ""
web:ApacheMode = 2
web:servicePortsAreRestricted = "NO"
web:state = "RUNNING"
web:setStateVersion = 1

While the health option typically resembles kiosk computers in the Computer Science departments of most major universities, much of the rest of the output can be pretty helpful including the Apache version, whether the service is running, any restrictions on ports and the date/time stamp that the service was started.

To see all of the settings available to the serveradmin command, run it, followed by settings and then web, to indicate the Websites service:

sudo serveradmin settings web

The output is pretty verbose and can be considered in two sections, the first includes global settings across sites as well as the information for the default sites that should not be deleted:

web:defaultSite:documentRoot = "/Library/Server/Web/Data/Sites/Default"
web:defaultSite:serverName = ""
web:defaultSite:realms = _empty_dictionary
web:defaultSite:redirects = _empty_array
web:defaultSite:enableServerSideIncludes = no
web:defaultSite:customLogPath = ""/var/log/apache2/access_log""
web:defaultSite:webApps = _empty_array
web:defaultSite:sslCertificateIdentifier = ""
web:defaultSite:fullSiteRedirectToOtherSite = ""
web:defaultSite:allowFolderListing = no
web:defaultSite:serverAliases = _empty_array
web:defaultSite:errorLogPath = ""/var/log/apache2/error_log""
web:defaultSite:fileName = "/Library/Server/Web/Config/apache2/sites/0000_any_80_.conf"
web:defaultSite:aliases = _empty_array
web:defaultSite:directoryIndexes:_array_index:0 = "index.html"
web:defaultSite:directoryIndexes:_array_index:1 = "index.php"
web:defaultSite:directoryIndexes:_array_index:2 = "/wiki/"
web:defaultSite:directoryIndexes:_array_index:3 = "default.html"
web:defaultSite:allowAllOverrides = no
web:defaultSite:identifier = "37502141"
web:defaultSite:port = 80
web:defaultSite:allowCGIExecution = no
web:defaultSite:serverAddress = "*"
web:defaultSite:requiresSSL = no
web:defaultSite:proxies = _empty_dictionary
web:defaultSite:errorDocuments = _empty_dictionary
web:defaultSecureSite:documentRoot = "/Library/Server/Web/Data/Sites/Default"
web:defaultSecureSite:serverName = ""
web:defaultSecureSite:realms = _empty_dictionary
web:defaultSecureSite:redirects = _empty_array
web:defaultSecureSite:enableServerSideIncludes = no
web:defaultSecureSite:customLogPath = ""/var/log/apache2/access_log""
web:defaultSecureSite:webApps = _empty_array
web:defaultSecureSite:sslCertificateIdentifier = ""
web:defaultSecureSite:fullSiteRedirectToOtherSite = ""
web:defaultSecureSite:allowFolderListing = no
web:defaultSecureSite:serverAliases = _empty_array
web:defaultSecureSite:errorLogPath = ""/var/log/apache2/error_log""
web:defaultSecureSite:fileName = "/Library/Server/Web/Config/apache2/sites/0000_any_443_.conf"
web:defaultSecureSite:aliases = _empty_array
web:defaultSecureSite:directoryIndexes:_array_index:0 = "index.html"
web:defaultSecureSite:directoryIndexes:_array_index:1 = "index.php"
web:defaultSecureSite:directoryIndexes:_array_index:2 = "/wiki/"
web:defaultSecureSite:directoryIndexes:_array_index:3 = "default.html"
web:defaultSecureSite:allowAllOverrides = no
web:defaultSecureSite:identifier = "37502140"
web:defaultSecureSite:port = 443
web:defaultSecureSite:allowCGIExecution = no
web:defaultSecureSite:serverAddress = "*"
web:defaultSecureSite:requiresSSL = yes
web:defaultSecureSite:proxies = _empty_dictionary
web:defaultSecureSite:errorDocuments = _empty_dictionary
web:dataLocation = "/Library/Server/Web/Data"
web:mainHost:keepAliveTimeout = 15.000000
web:mainHost:maxClients = "50%"

The second section is per-site settings, with an array entry for each site:

web:customSites:_array_index:0:documentRoot = "/Library/Server/Web/Data/Sites/"
web:customSites:_array_index:0:serverName = ""
web:customSites:_array_index:0:realms = _empty_dictionary
web:customSites:_array_index:0:redirects = _empty_array
web:customSites:_array_index:0:enableServerSideIncludes = no
web:customSites:_array_index:0:customLogPath = "/var/log/apache2/access_log"
web:customSites:_array_index:0:webApps = _empty_array
web:customSites:_array_index:0:sslCertificateIdentifier = ""
web:customSites:_array_index:0:fullSiteRedirectToOtherSite = ""
web:customSites:_array_index:0:allowFolderListing = no
web:customSites:_array_index:0:serverAliases = _empty_array
web:customSites:_array_index:0:errorLogPath = "/var/log/apache2/error_log"
web:customSites:_array_index:0:fileName = "/Library/Server/Web/Config/apache2/sites/"
web:customSites:_array_index:0:aliases = _empty_array
web:customSites:_array_index:0:directoryIndexes:_array_index:0 = "index.html"
web:customSites:_array_index:0:directoryIndexes:_array_index:1 = "index.php"
web:customSites:_array_index:0:directoryIndexes:_array_index:2 = "/wiki/"
web:customSites:_array_index:0:directoryIndexes:_array_index:3 = "default.html"
web:customSites:_array_index:0:allowAllOverrides = no
web:customSites:_array_index:0:identifier = "41179886"
web:customSites:_array_index:0:port = 80
web:customSites:_array_index:0:allowCGIExecution = no
web:customSites:_array_index:0:serverAddress = "*"
web:customSites:_array_index:0:requiresSSL = no
web:customSites:_array_index:0:proxies = _empty_dictionary
web:customSites:_array_index:0:errorDocuments = _empty_dictionary

The final section (the largest by far) includes array entries for each defined web app. The following shows the entry for a Hello World Python app:

web:definedWebApps:_array_index:20:requiredWebAppNames = _empty_array
web:definedWebApps:_array_index:20:includeFiles = _empty_array
web:definedWebApps:_array_index:20:requiredModuleNames = _empty_array
web:definedWebApps:_array_index:20:startCommand = ""
web:definedWebApps:_array_index:20:sslPolicy = 0
web:definedWebApps:_array_index:20:requiresSSL = no
web:definedWebApps:_array_index:20:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:20:launchKeys:_array_index:0 = "org.postgresql.postgres"
web:definedWebApps:_array_index:20:proxies = _empty_dictionary
web:definedWebApps:_array_index:20:preflightCommand = ""
web:definedWebApps:_array_index:20:stopCommand = ""
web:definedWebApps:_array_index:20:name = "org.postgresql.postgres"
web:definedWebApps:_array_index:20:displayName = ""

Each site has its own configuration file defined in the array for each section. By default these are stored in the /Library/Server/Web/Config/apache2/sites directory, with /Library/Server/Web/Config/apache2/sites/ being the file for the custom site we created previously. As you can see, many of the options available in the Server app are also available in these files:

<VirtualHost *:80>
DocumentRoot "/Library/Server/Web/Data/Sites/"
DirectoryIndex index.html index.php /wiki/ default.html
CustomLog /var/log/apache2/access_log combinedvhost
ErrorLog /var/log/apache2/error_log

<IfModule mod_ssl.c>
SSLEngine Off
SSLProtocol -ALL +SSLv3 +TLSv1
SSLProxyEngine On
SSLProxyProtocol -ALL +SSLv3 +TLSv1

<Directory “/Library/Server/Web/Data/Sites/”>
Options All -Indexes -ExecCGI -Includes +MultiViews
AllowOverride None
<IfModule mod_dav.c>
Deny from all
ErrorDocument 403 /customerror/websitesoff403.html


The serveradmin command can also be used to run commands. For example, to reset the service to factory defaults, delete the configuration files for each site and then run the following command:

sudo serveradmin command web:command=restoreFactorySettings

The final tip I’m going to give in this article is when to make changes with each app. I strongly recommend making all of your changes in the Server app when possible. When it isn’t, use serveradmin and when you can’t make changes in serveradmin, only then alter the configuration files that come with the operating system by default. I also recommend keeping backups of all configuration files that are altered and a log of what was altered in each, in order to help piece the server back together should it become unconfigured miraculously when a softwareupdate -all is run next.

October 22nd, 2013

Posted In: Mac OS X Server

Tags: , , , , , , , , , , , , , , , , , ,

SimpleMDM is a newish Mobile Device Management service that is free, from MJVLabs, the makers of Presense. Now, it’s newish and currently completely free, so there are specific cases where it’s appropriate. Currently, SimpleMDM can be used to:

  • Setup very specific mail
  • Setup SSIDs and passwords (those are the only two options)
  • Disable the App Store or require a password to access the app store
  • Configure Basic, Strong or Very Secure password requirements
  • Restrict content
  • Disable Camera &/or FaceTime
  • Disable Safari
  • Disable iCloud
  • Disable YouTube
  • Disable Multiplayer Gaming

The solution is simple to use. Just visit the website at, click on Create New Account, enter your information and click the link in the email they send you. Then log in. Once logged in, the layout is very basic and workflow oriented.

Each block indicates a group of devices. By default, there’s a Default Group (similar to Everyone in Profile Manager environments) and a Quarantine Group. Click on Add Group to bring up a screen that allows you to configure most of the policies for the group.

Here, provide a name for the group and then configure the displayed options required by your organization. Click Save to save the changes. Then click on Settings in the right-hand sidebar and then click on Email Providers. Here, enter the information for your mail server, provided all required options are available.

Once you are satisfied with your mail settings, click Save (note, that accounts will be prompted for account/password at the time the profile is installed). You can also click Wireless Networks here, which has an option for SSID and Password.

Now, one thing that I find interesting about SimpleMDM is that it has the option to set a minimum version of iOS as well as block apps. To configure these options, click on the disclosure triangle to the right of a group name and click on Rules.

At the Rules screen, set the “Minimum required version of iOS” and choose whether to allow or deny apps, checking those you wish to allow or deny as needed.

I like to configure all my settings and then enroll devices. To enroll, click on the Add Device button in the right-hand sidebar.

Click on which group to add a device to, provide a name for the device that will be referenced within SimpleMDM and choose whether to text or email the enrollment profile to the user. If SMS, enter the users phone number. If Email, enter the email address and then click on the Create button.

When the user taps the profile they will be able to enroll in the SimpleMDM service.

Some things you will need a different MDM solution to do:

  • Anything that involves certificates (other than telling mail to use one, but not provide it)
  • Anything about 802.1x
  • Any pushing out of applications
  • Pushing out webclips
  • VPN, LDAP (for Contacts), Calendar (CalDAV), Contacts (CardDAV), SCEP
  • OS X management
  • APN configuration
  • Disable Siri
  • Customize In-App purchasing
  • Disable screen capture
  • Manage Photo Stream
  • Disable Popups, cookies, javascript and force the fraud warning in Safari
  • Set ratings region
  • Manage diagnostic data
  • Configure profiles to be non-removable
  • Use a web portal for enrollment from devices rather than through email/sms

Now, none of these things are anything against SimpleMDM. Features make things more complicated and it’s simple. I think more features will come. For now, if you just need these basic options then why bother with your own infrastructure. If there’s just one more thing you think you might need, make a feature request and see if it gets added. Either way, it’s cool to see what I consider the next step in the evolution of MDM, a free tool. I’d also like to see a self-serviceable open source option as well eventually, of which I know of a few projects in the works but none ready to mention. Either way, excellent first try and kudos to the developers of SimpleMDM.

August 6th, 2012

Posted In: iPhone

Tags: , , , , ,

Next Page »