Tag Archives: mdls

Mac OS X Mac Security Mass Deployment

Reindex Spotlight from the Command Line

Spotlight is really a simple tool. Spotlight consists of mds, a command that is the metadata server, mdworker, the pawn that mds sends to scan objects and index them and then the three command lines of mdutil (manage the indexes), mdls (list metadata of an object) and mdfind, which as the name implies, finds things. All of this is used to keep a database called .store.db nested under .Spotlight-V100 at the root of each volume that’s been indexed.

Screen Shot 2013-11-14 at 9.39.09 PM

To reindex Spotlight from the command line, we’ll use mdutil. From a command prompt, enter the following to index your boot volume.

sudo mdutil -E /

Or an external drive named krypted:

sudo mdutil -E /Volumes/krypted

When indexing, you will see the mds and mdworker processes running. If the process does not seem to be completing timely, you can use lsof to see where it is in the process. If the indexing errors then try and manually reindex based on the file that you see from where it crapped out:

mdimport /Volumes/krypted/designingwomencollection/episode0101.mov

Or to mdimport the directory that might be problematic:

mdimport /Volumes/krypted/designingwomencollection

Finally, the attributes that are tracked by Spotlight are many. The metadata attributes themselves are typically in xattr. For example, Command Line Finder Tags (http://krypted.com/mac-os-x/command-line-finder-tags/).  To see the raw metadata for a file, use xattr:

xattr -l /Volumes/krypted/designingwomencollection/episodelist.pdf

The output of which would include the following:

com.apple.FinderInfo:
00000000  00 00 00 00 00 00 00 00 00 1C 00 00 00 00 00 00  |................|
00000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000020
com.apple.metadata:_kMDItemUserTags:
00000000  62 70 6C 69 73 74 30 30 A1 01 55 52 65 64 0A 36  |bplist00..URed.6|
00000010  08 0A 00 00 00 00 00 00 01 01 00 00 00 00 00 00  |................|
00000020  00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000030  00 10                                            |..|
00000032
com.apple.quarantine: 0041;520d0314;Safari;

The more metadata (QuickTime and some other apps can put a lot of metadata in files btw) the more you’d see. You can assign metadata manually or even exclude directories from indexing if you see the system is stuck on indexing a given directory.

Mac OS X Mac OS X Server Mac Security Mass Deployment Uncategorized

Viewing Mac App Store Purchases From The Command Line

As you may have noticed, we’ve been working on building some links between the App Store and patch management tools such as Casper, FileWave and Munki. We’ve been looking at policy-based management of apps as well. In this semi-new world of signing and stores and the such, there’s actually a good bit you can ascertain about an app both inside the app as well as inside metadata OS X keeps about the app. I’ve discussed signing (apps and packages) in the past, but let’s look at using some commands to help us out with some tasks.

The first command is to determine some information about apps that are on the computer. Spotlight keeps a fair amount of information about these apps and can be invoked using the mdls command. Running the command with no additional parameters looks like this (I’m gonna’ use iMovie in these examples, although note that there are spaces in a lot of app names and paths as you start scripting things – so use IFS rather than trying to use traditional array):

mdls /Applications/iMovie.app

This results in output similar to the following (I’ve stripped out a few fields as they consume a lot of space and aren’t super pertinent to what I’m trying to do here):

kMDItemAlternateNames = (
"iMovie.app"
)
kMDItemAppStoreCategory = "Video"
kMDItemAppStoreCategoryType = "public.app-category.video"
kMDItemCFBundleIdentifier = "com.apple.iMovieApp"
kMDItemContentCreationDate = 2011-09-28 08:04:34 +0000
kMDItemContentModificationDate = 2012-09-22 02:13:45 +0000
kMDItemContentType = "com.apple.application-bundle"
kMDItemDisplayName = "iMovie"
kMDItemExecutableArchitectures = (
i386
)
kMDItemFSContentChangeDate = 2012-09-22 02:13:45 +0000
kMDItemFSCreationDate = 2011-09-28 08:04:34 +0000
kMDItemVersion = "9.0.8"

To just ask for one of these attributes, run the command along with the -name option in addition to the metadata attribute you’d like returned. For example, to see the bundle ID (kMDItemCFBundleIdentifier), use:

mdls /Applications/iMovie.app -name kMDItemCFBundleIdentifier /Applications/iMovie.app

Now, if you’d like to just quickly ascertain what apps on the system came from the App Store, use the mdfind command, along with whatever of the attributes matches what you want to know. Running mdfind for kMDItemAppStoreHasReceipt of 1 would look like the following and would result in a list of all apps on the system that came from the App Store:

mdfind kMDItemAppStoreHasReceipt=1

Blacklisting all apps that are part of a specific category (and with regard to customer requests, that category seems to always be Games) is something we get a lot of banter about with customers. To determine this information for apps, you can run mdfind on kMDItemAppStoreCategory for Games:

mdfind kMDItemAppStoreCategory=Games

You could then dump the contents of those into something that can blacklist apps (or whitelist based on other categories). Now, version control is another hot topic at various organizations. To see the version type of a given app, use the -name option with mdls kMDItemVersion

mdls /Applications/iMovie.app -name kMDItemVersion /Applications/iMovie.app

Then you can track the version of the app and take action through other ways to remove old versions and force users to upgrade. The mdfind command can also be leveraged to find apps that have escaped their traditional homes of /Applications and /Applications/Utilities, with the ability to obtain a full list by querying for kMDItemContentType of app bundles, as follows:

mdfind kMDItemContentType="com.apple.application-bundle"

Loading a list of apps (output from `mdfind kMDItemAppStoreHasReceipt=1` or `mdfind kMDItemAppStoreCategory=Games`) into an array and then querying each one of them for more information is pretty trivial beyond the steps we’ve already taken. This information can then be fed into some kind of Managed Prefs script to deny or allow access to various objects or an admin could even chmod the bundle, mark it as invisible, poison it (keep in mind, if you alter it you’ll break the signing), etc in order to get some desired outcome.

You can also use defaults to read a users com.apple.storeagent.plist file for the AppleID field to see what AppleID is currently logged into the AppStore, providing another variable that can be reported on:

defaults read /Users/cedge/Library/Preferences/com.apple.storeagent.plist AppleID

And yes, it’s worth noting that users from another account or a system image, etc can be used to download apps so this one isn’t exactly certain but the purchaser isn’t stored anywhere within the bundle nor is it permissioned in a way that we can use to find the purchaser that way.

There’s still a bit of a gap right now with regards to some of these technologies that Mac SysAdmins are managing. The consumeristic technologies such as App Stores are here to stay. We’re kidding ourselves if we think that we won’t be able to buy certain apps via Volume Licenses and have pkg installers for too much longer. Apple has made no indication that they’re dropping the results that can be obtained with a simple installer command, but with forcing signing on certain objects, gatekeeper and other technologies it’s hard to say what the future will really have in store for us. Getting to a point where we can report on elements of the App Store and hopefully eventually deploy objects through the App Store should continue to help bridge these factors, but I still see the need for additional binaries from Apple to be introduced to get the rest of the way there (or at least expose a method to me so I can go in there and buy an app through the method).