Tiny Deathstars of Foulness

The Server 5 app that installs on Sierra is great. But sometimes a change doesn’t get committed properly or has a mismatch with a certificate, and the server doesn’t respond properly… I know, you’ve been told that host name changes and IP changes are all kinds of OK at this point; “look, Charles, there’s a button!” Well, go ahead, click it. Don’t mind me, you might just be alright. But then again, you might not if you’re running Open Directory, Profile Manager, or a few other services… When it works it’s a thing of beauty. But when it doesn’t, you might be restoring some stuff from backup. But just before you do that restore, let’s try one more thing. Let’s try and rebuild some certificates and configuration settings that shouldn’t impact actual service operation. Let’s try to reset the Server app and let a fresh install of the Server see if it can fix issues.

Now, I want to be clear, this is usually the last resort before restoring a backup. I’ve had a lot of luck with services remaining functional and preserving settings when I do this, but don’t expect that to be the case every time. Basically, we’re going to do what we looked at doing back in ’09 with AppleSetupDone but one designed just for servers, so the file is in the same place (/var/db) and called .ServerSetupDone. To remove it, close Server app and run the following command:

sudo rm /var/db/.ServerSetupDone

Once removed, open the Server app again and then let the Server app run as though it’s new. Cruft, begone! Make sure to check things like server logs in the event that the service goes unresponsive again, and be wary of performing this step multiple times as there’s likely another underlying issue that you shouldn’t be resetting the server to resolve.

October 11th, 2016

Posted In: Mac OS X Server

Tags: , , , ,

Leave a Comment

There are a couple of ways to create groups in macOS Server 5.2, running on Sierra. The first is using the Server app, the second is using the Users & Groups System Preference pane and the third is using the command line. In this article we will look at creating groups in the directory service with the Server app.

Once a server has been an Open Directory Master all user and group accounts created will be in the Local Network Group when created in Server app. Before that, all user and group objects are stored locally when created in Server app. Once promoted to an Open Directory server, groups are created in the Open Directory database or if you select it from the directory domain drop-down list, locally. Groups can also be created in both locations, using a command line tool appropriate for group management.

 To create a new group, open the Server app and then click on Groups in the ACCOUNTS list of the Server app sidebar. From here, you can switch between the various directory domains accessible to the server using the drop-down list available. Click on the plus sign to create a local network group.
At the New Group screen, provide a name for the group in the Full Name field. This can have spaces. Then create a short name for the group in the Group Name field. This should not have spaces.
Click Done when you have supplied the appropriate information and the group is created. Once done, double-click on the group to see more options.
Here, use the plus sign (“+”) to add members to the group or highlight members and use the minus sign (“-“) to remove users from the group. You can also choose to use the following options:
  • Mailing Lists: Lists that are connected to the group.
  • Members: The users that are part of the group
  • Give this group a shared folder: Creates a shared directory for the group, or a group with an ACL that grants all group members access.
  • Make group members Messages buddies: Adds each group member to each other group members buddy list in the Messages client.
  • Enable group mailing list: Enables a list using the short name of the group where all members receive emails to that address.
  • Create Group Wiki: Opens the Wiki interface for creating a wiki for the group.
  • Keywords: Keywords/tags to help locate users.
  • Notes: Notes about users.

Once changes have been made, click Done to commit the changes.

October 7th, 2016

Posted In: Mac OS X Server

Tags: , , , , , , ,

Leave a Comment

You might be happy to note that other than the ability to interpret new payloads, the profiles command mostly stays the same in Sierra. You can still export profiles from Apple Configurator or Profile Manager (or some of the 3rd party MDM tools). You can then install profiles by just opening them and installing. Once profiles are installed on a Mac, mdmclient, a binary located in /usr/libexec will process changes such as wiping a system that has been FileVaulted (note you need to FileVault if you want to wipe an OS X Lion client computer). /System/Library/LaunchDaemons and /System/Library/LaunchAgents has a mdmclient daemon and agent respectively that start it up automatically. This, along with all of the operators remains static from 10.10 and on.

To script profile deployment, administrators can add and remove configuration profiles using the new /usr/bin/profiles command. To see all profiles, aggregated, use the profiles command with just the -P option:

/usr/bin/profiles -P

As with managed preferences (and piggy backing on managed preferences for that matter), configuration profiles can be assigned to users or computers. To see just user profiles, use the -L option:

/usr/bin/profiles -L

You can remove all profiles using -D:

/usr/bin/profiles -D

The -I option installs profiles and the -R removes profiles. Use -p to indicate the profile is from a server or -F to indicate it’s source is a file. To remove a profile:

/usr/bin/profiles -R -F /tmp/HawkeyesTrickshot.mobileconfig

To remove one from a server:

/usr/bin/profiles -R -p com.WestCoastAvengers.HawkeyesTrickshot

The following installs HawkeyesTrickshot.mobileconfig from /tmp:

/usr/bin/profiles -I -F /tmp/HawkeyesTrickshot.mobileconfig

If created in Profile Manager:

/usr/bin/profiles -I -p com.WestCoastAvengers.HawkeyesTrickshot

You can configure profiles to install at the next boot, rather than immediately. Use the -s to define a startup profile and take note that if it fails, the profile will attempt to install at each subsequent reboot until installed. To use the command, simply add a -s then the -F for the profile and the -f to automatically confirm, as follows (and I like to throw in a -v usually for good measure):

profiles -s -F /Profiles/SuperAwesome.mobileconfig -f -v

And that’s it. Nice and easy and you now have profiles that only activate when a computer is started up. As of OS X Yosemite, the dscl command got extensions for dealing with profiles as well. These include the available MCX Profile Extensions:

-profileimport -profiledelete -profilelist [optArgs]

To list all profiles from an Open Directory object, use 
-profilelist. To run, follow the dscl command with -u to specify a user, -P to specify the password for the user, then the IP address of the OD server (or name of the AD object), then the profilelist verb, then the relative path. Assuming a username of diradmin for the directory, a password of moonknight and then cedge user:

dscl -u diradmin -P moonknight profilelist /LDAPv3/

To delete that information for the given user, swap the profilelist extension with profiledelete:

dscl -u diradmin -P apple profilelist /LDAPv3/

If you would rather export all information to a directory called ProfileExports on the root of the drive:

dscl -u diradmin -P moonknight profileexport . all -o /ProfileExports

In Yosemite we got a few new options (these are all still in 10.11 with no new operators), such as -H which shows whether a profile was installed, -z to define a removal password and -o to output a file path for removal information. Also, as in Yosemite it seems as though if a configuration profile was pushed to you from MDM, you can’t remove it (fyi, I love having the word fail as a standalone in verbose output):

bash-3.2# profiles -P
_computerlevel[1] attribute: profileIdentifier: 772BED54-5EDF-4987-94B9-654456CF0B9A
_computerlevel[2] attribute: profileIdentifier: 00000000-0000-0000-A000-4A414D460003
_computerlevel[3] attribute: profileIdentifier: C11672D9-9AE2-4F09-B789-70D5678CB397
charlesedge[4] attribute: profileIdentifier: com.krypted.office365.a5f0e328-ea86-11e3-a26c-6476bab5f328
charlesedge[5] attribute: profileIdentifier:
_computerlevel[6] attribute: profileIdentifier: EE08ABE9-5CB8-48E3-8E02-E46AD0A03783
_computerlevel[7] attribute: profileIdentifier: F3C87B6E-185C-4F28-9BA7-6E02EACA37B1
_computerlevel[8] attribute: profileIdentifier: 24DA416D-093A-4E2E-9E6A-FEAD74B8B0F0
There are 8 configuration profiles installed

bash-3.2# profiles -r 772BED54-5EDF-4987-94B9-654456CF0B9A
bash-3.2# profiles -P
_computerlevel[1] attribute: profileIdentifier: F3C87B6E-185C-4F28-9BA7-6E02EACA37B1
_computerlevel[2] attribute: profileIdentifier: EE08ABE9-5CB8-48E3-8E02-E46AD0A03783
_computerlevel[3] attribute: profileIdentifier: 24DA416D-093A-4E2E-9E6A-FEAD74B8B0F0
_computerlevel[4] attribute: profileIdentifier: 00000000-0000-0000-A000-4A414D460003
_computerlevel[5] attribute: profileIdentifier: 772BED54-5EDF-4987-94B9-654456CF0B9A
_computerlevel[6] attribute: profileIdentifier: C11672D9-9AE2-4F09-B789-70D5678CB397
charlesedge[7] attribute: profileIdentifier:
charlesedge[8] attribute: profileIdentifier: com.krypted.office365.a5f0e328-ea86-11e3-a26c-6476bab5f328
There are 8 configuration profiles installed

bash-3.2# profiles -rv 772BED54-5EDF-4987-94B9-654456CF0B9A
profiles: verbose mode ON
profiles: returned error: -204

October 3rd, 2016

Posted In: Uncategorized

Tags: , , , , , ,

The logs in Xcode Server (Server 5.2 for Sierra) by default point to /Library/Server/XcodeLogs/credserver.log. This takes all of the output from xcscredd and xcscredhandler. If you’re doing a lot of debugging then logs can be pointed to another location, such as another drive. The path to the logs is defined in the /Applications/ directory. The file to edit is a standard property list, XCSCredentialServer.plist:

<?xml version=”1.0″ encoding=”UTF-8″?>

<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN” “”>

<plist version=”1.0″>




















Once open, look for a key called logPath. Change that to the desired path, such as /Volumes/MyDrive/Logs/credserver.log and then restart the service:

serveradmin stop xcode; serveradmin start xcode

October 1st, 2016

Posted In: Mac OS X Server

Tags: , , , , , , ,

By default, screenshots are pretty big on a retina display on a Sierra machine. Like about 4 times the size they should be. I haven’t found a defaults key I can use yet to reduce them, so I’ve been using this little screenshotting app called RetinaCapture, available at

Basically, when you’re running it, you just open it up and click on the Window button. There, you can select a window to screenshot.

Screen Shot 2015-09-24 at 8.37.33 AM

Once you’ve selected the window, you’ll be prompted to save it somewhere with a name.

Screen Shot 2015-09-24 at 8.38.00 AM

I don’t love having to use any 3rd party apps for my screenshotting workflow. In fact, it bugs the crap out of me. Screens get resized by publishers for books and so I’m really only using this for my site. But, hopefully it helps someone else along the way. Happy screenshotting!

September 28th, 2016

Posted In: Mac OS X

Tags: , , , , , ,

One of my favorite things to do every year is head to Gothenburg to see Tycho, Patrik, and the rest of the wonderful country of Sweden (and city of Gothenburg). It’s a great city and Tycho does a great job to curate MacSysAdmin into an informative conference. And, the site is now live to buy your tickets for the 2016 event!

Screen Shot 2016-05-09 at 2.59.40 PM

It’s one of those conferences that sells out, so don’t wait too long to pick up your ticket! 🙂

May 10th, 2016

Posted In: Mac OS X, Mac OS X Server, Mac Security, MacAdmins Podcast, Mass Deployment

Tags: , , , ,

May 6th, 2016

Posted In: Mac OS X, Mac OS X Server

Tags: , , , , , , ,

A number of systems require you to use complex characters in passwords and passcodes. Here is a list of characters that can be used, along with the name and the associated unicode:

  •    (Space) U+0020
  • ! (Exclamation) U+0021
  • ” (Double quotes) U+0022
  • # (Number sign) U+0023
  • $ (Dollar sign) U+0024
  • % (Percent) U+0025
  • & (Ampersand) U+0026
  • ‘  (Single quotes) U+0027
  • ( (Left parenthesis) U+0028
  • ) (Right parenthesis) U+0029
  • * (Asterisk) U+002A
  • + (Plus) U+002B
  • , (Comma) U+002C
  • – (Minus sign) U+002D
  • . (Period) U+002E
  • / (Slash) U+002F
  • : (Colon) U+003A
  • ; (Semicolon) U+003B
  • < (Less than sign) U+003C (not allowed in all systems)
  • = (Equal sign) U+003D
  • > (Greater than sign) U+003E (not allowed in all systems)
  • ? (Question) U+003F
  • @ (At sign) U+0040
  • [ (Left bracket) U+005B
  • \ (Backslash) U+005C
  • ] (Right bracket) U+005D
  • ^ (Caret) U+005E
  • _ (Underscore) U+005F
  • ` (Backtick) U+0060
  • { (Left curly bracket/brace) U+007B
  • | (Vertical bar) U+007C
  • } (Right curly bracket/brace) U+007D
  • ~ (Tilde) U+007E

April 29th, 2016

Posted In: iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , , ,

Use the following keys to do fun things when typing a command in bash (mostly keybindings):

  1. Use the up arrow to run the previous command
  2. Continue using the arrow to scroll to commands further in the history
  3. Use Control-r to search through your command history
  4. Control-w deletes the last word
  5. Control-u deletes the line you were typing
  6. Control-a moves the cursor to the beginning of the line
  7. Control-e moves the cursor to the end of the line
  8. Control-l clears the screen
  9. Control-b moves the cursor backward by a character
  10. Control-u moves the cursor forward by a character
  11. Control-_ is an undo
  12. “man readline” shows the bash keybindings (ymmv per OS)
  13. Tab completes an argument
  14. !! repeats the last command. Useful when using sudo in front of the last line from bash
  15. !$ repeats the last argument for a command
  16. $_ shows the last word from the previous command
  17. “cd -” is like a back button
  18. !!:p outputs the last command with arguments
  19. cd !!:* cd into the argument from the previous command
  20. Escape-. expands the argument from the last command
  21. pbcopy and pbpaste accesses the clipboard from Terminal
  22. Use ; to separate commands in a single line
  23. Use | to pipe output to another command
  24. Use > to send output to a new file, or >> to append output to the end of a file or < to bring input from a file
  25. “Open .” opens the current working directory in a Finder window


March 21st, 2016

Posted In: Mac OS X, Mac OS X Server, Programming

Tags: , , , ,

There are two defaults keys that can be used to manage the recent places options in the OS X Finder. Both are in the .GlobalPreferences. The first is NSNavRecentPlaces and the second is NSNavRecentPlacesLimit.

The NSNavRecentPlacesLimit key limits the number of items that are stored in the list. To increase the default to, let’s say, 20, use the defaults command to set the NSNavRecentPlacesLimit key to an integer of 20:

defaults write .GlobalPreferences NSNavRecentPlacesLimit -int 20

Then use defaults to read the setting:

defaults read NSNavRecentPlacesLimit

You’ll need to “killall Finder” in order to see this in a Finder Save dialog. You can also inject items into the RecentPlaces array, called NSNavRecentPlaces, or delete the objects in the array. The array appears as follows:

NSNavRecentPlaces =     (

You can set these using defaults write as well, writing the NSNavRecentPlaces as a list of quoted and comma separated values (note the ‘):

defaults write NSNavRecentPlaces = '("/test","/test2","/test3")';

Or, if you only want to clear the recent places list, delete the key:

defaults delete .GlobalPreferences NSNavRecentPlaces

March 11th, 2016

Posted In: Mac OS X, Mass Deployment

Tags: , , , , , , , ,

Next Page »