Tag Archives: os x

Mac OS X Mac Security

Using sysdiagnose to Capture Performance Data In OS X

“My computer sometimes just runs slow,” “the fan on my laptop won’t turn off sometimes,” and “my network connection keeps dropping.” These are amongst the most annoying of problems to solve for our users because they are intermittent. And to exacerbate things, many of these users have these problems at home or at remote locations, making it difficult for systems administrators to see them.
There is something I use in these cases, though, that has helped isolate these problems from time to time. Simply tell users to press Control-Option-Command-Shift-Period when they have these problems. Doing so will run the sysdiagnose command and then open a Finder window with the output of the command. Sysdiagnose takes a quick snapshot of many common logs and performance data, zips it up and opens a Finder window pointing to where it is (/var/tmp, with the filename containing a date stamp of when the command was run). This file contains output from allmemory, lsof, top, netstat, sysctl, spindump, fs_usage, system_profiler, mount, airport, odutil and many others. Each is in its own log and easy to navigate.

When running /usr/sbin/sysdiagnose from the command line there are a couple of options. My favorite is -f (which I think must be short for favorite), which lets me write the output to a directory I specify rather than some random object in a tmp directory. You can also get even more output using -t. Verbose logging is obtained using -h, and passing a pid will also provide information about that pid. So let’s say that process 10883 is giving me some problems. I could run the following to get some good output on my desktop:

sysdiagnose -h -t -f ~/Desktop 10883

Anyway, hope you enjoy!

certifications Mac OS X Mac OS X Server Mac Security

New 3rd Party Apple Certification Exams Now Available

After hearing about these new certifications for a good 3 or 4 years, I’m stoked that Tech2000 has now made the new Advanced OS X Certification exams available. Currently, there are three exams:

  • OS X Directory Services Specialist Certification Exam
  • OS X Deployment Specialist Certification Exam
  • OS X Mobile Device and Profile Specialist Certification Exam

These exams are a more modern rendition of what Apple Training would be providing if they still did any courses beyond the OS X Server ACTC. Basically, you can think of it as though the previous Security or Xsan exams were swapped out with Mobile Devices, which makes sense given the changing climate of things.

Now, these are not Apple exams. But I don’t really think it matters too much whether there’s an Apple logo on them or not. At the end of the day if you do this kind of stuff then it’s nice to have a 3rd party option available if you so choose to go down that route!

The Tech2000 site is available at http://www.t2000inc.com/apple/osxcertification.html.

iPhone Mac OS X Mac OS X Server

My New Book on Apple Configurator

My next book, coauthored with Mr. TJ Houston, is now available. The rough draft was mostly complete the week of MacSysAdmin in Sweden. I announced the book at the conference and was busy at work after to get as much as possible complete. And after many an hour and month spent editing this book (props to TJ for doing a lot of the editing), it’s finally available on Packt Publishing. To quote the site, this is what the book is on:

The Apple Configurator is an incredible piece of software which grants full control in mobile device management, but on a larger scale. The popularity of people taking their own devices to work has grown tremendously. However, valued professional and personal information is at risk, through loss, theft, or hacking. Instant Apple iOS Configuration Utility How-to is a hands-on guide that eliminates any worries that are associated with the deployment and security of iOS devices. This book provides practical, quick win solutions to combat these issues, with clear, concise, and informative examples providing solutions to secure, remote wipe, and encrypt devices. The book will further explore how to personalize iOS devices for configuration and deployment.


With the Instant Apple iOS Configurator Utility Book How-to, learn to build profiles with customised control settings, with examples on how to capture device information and use console logs for added protection. You will become skilled at tracking and installing provisional profiles for greater security. We will also explore developing workflows for successful deployment, installing software and applications whilst managing files on iOS devices, and how to deploy enrolment profiles for mobile device management solutions en masse. If you are looking for a complete guide that provides simple solutions to complex problems, look no further.

To buy, visit this link: http://www.packtpub.com/apple-ios-configuration-utility/book

Note: I think the title is a little off, that’s in progress for being fixed.

Articles and Books iPhone

iPads In The Enterprise Training From TrainSignal

TrainSignal, a popular site for computer based training videos, has built a course for iPads in the Enterprise. As a technical reviewer, I’ve had a chance to check out all the content, and it’s a good overview of what it takes to deploy iOS in enterprise environments. The course covers Apple Configurator, iPhone Configuration Utility and other tools common in such a deployment as well as the general concepts that those not yet familiar with iOS should get before embarking on such a deployment.

The course is narrated by and developed by John O’Neill Sr., who brings a really upbeat and refreshing tempo to the table. To access the content, check it out at http://www.trainsignal.com/iPads-in-the-Enterprise-Training.aspx.

 

certifications Mac OS X Mac OS X Server Mac Security Mass Deployment

Apple Pro Training Series for ACTC

Arek Dreyer and Ben Greisler have been at it again. The latest editions of the Apple Training Series books are now out, providing a guide to getting certified with OS X Server. I haven’t gotten mine yet, but I suspect that the book, as with the previous books, will be excellent.

To quote the book description:

The only Apple-certified book on OS X Server on Mountain Lion, this comprehensive reference takes support technicians and ardent Mac users deep inside the server for the latest operating system, covering everything from networking technologies to service administration, customizing users and groups, and more. Aligned to the learning objectives of the Apple Certified Technical Coordinator certification exam, the lessons in this self-paced volume serve as a perfect supplement to Apple’s own training class and a first-rate primer for computer support personnel who need to support and maintain OS X Server on Mountain Lion as part of their jobs. Step-by-step exercises reinforce the concepts taught through practical application. Quizzes summarize and reinforce acquired knowledge. The newest version of OS X is more business-friendly than ever, making it simple to get a network up and running quickly, and IT professionals will need Server Essentials to integrate Macs into their organizations.

The Apple Pro Training Series serves as both a self-paced learning tool and the official curriculum for the OS X Mountain Lion and OS X Server on Mountain Lion certification programs.

The Apple Support Essentials book is out as well (thanks, Mr. White!). Its description is as follows:

The only Apple-certified book on OS X Mountain Lion, this revised best-seller will take you deep inside the latest big-cat operating system–covering everything from installation and configuration, customizing the operating system, supporting applications, setting up peripherals, and more. Whether you’re a support technician or simply an ardent Mac user, you’ll quickly learn and master the new features in OS X Mountain Lion. Following the learning objectives of the Apple Certified Support Professional exam, this self-paced book is a perfect guide for Apple’s training and a first-rate primer for computer support personnel who need to troubleshoot and optimize OS X Mountain Lion as part of their jobs. Step-by-step exercises reinforce the concepts taught through practical application. Chapter review sections and quizzes summarize and reinforce acquired knowledge.

The Apple Pro Training Series serves as both a self-paced learning tool and the official curriculum for OS X Mountain Lion and OS X Mountain Lion Server certification programs.

Mac OS X Server Uncategorized

Creating Groups in Mountain Lion Server

There are four ways to create groups in Mountain Lion Server. The first is using the Server app, the second is using Workgroup Manager, the third is using the Users & Groups System Preference pane and the fourth is using the command line. In this article we will look at creating groups in the Server app.

Once a server has been made an Open Directory Master, all user and group accounts created in the Server app will be in the Local Network Group. Before that, all user and group objects created in the Server app are stored locally. Once promoted to an Open Directory server, local groups must be created in Workgroup Manager, the Users & Groups System Preference pane or using a command line tool appropriate for group management.

To create a new group, open the Server app and then click on Groups in the ACCOUNTS list of the Server app sidebar. From here, you can switch between the various directory domains accessible to the server using the drop-down list available. Click on the plus sign to create a local network group.
At the New Group screen, provide a name for the group in the Full Name field. This can have spaces. Then create a short name for the group in the Group Name field. This should not have spaces.
Click Done when you have supplied the appropriate information and the group is created. Once done, double-click on the group to see more options.
Here, use the plus sign (“+”) to add members to the group or highlight members and use the minus sign (“-”) to remove users from the group. You can also choose to use the following options:
  • Give this group a shared folder: Creates a shared directory for the group, along with an ACL that grants all group members access.
  • Make group members Messages buddies: Adds each group member to every other group member’s buddy list in the Messages client.
  • Enable group mailing list: Enables a list using the short name of the group where all members receive emails sent to that address.
  • Create Group Wiki: Opens the Wiki interface for creating a wiki for the group.

Once changes have been made, click Done to commit the changes.

Mac OS X

Signing Installation Packages

In OS X, installers are known as packages. The trend in OS X is to sign anything going onto a computer so that it can then be installed without concern that the product is not authentic. The productsign command provides the ability to sign packages in much the same way that the codesign command can be used on apps. For example, let’s say that we wanted to sign a package called Alpha.pkg in /tmp with Apple DeveloperID 31415926535897932384626 and have it result in a new package, Omega.pkg in the same directory. The command would be as follows:

productsign --sign 'Developer ID Installer: 31415926535897932384626' '/tmp/Alpha.pkg' '/tmp/Omega.pkg'

You can also timestamp the signing by adding the --timestamp option, or disable trusted timestamps with --timestamp=none. You can also indicate a keychain using the --keychain option, or use --cert to indicate a certificate to embed in the archive. Once signed, you can then test the signing using the spctl command along with the --assess option. The --type option would also indicate a type of install, resulting in the following for Omega.pkg:

spctl --assess --type install /tmp/Omega.pkg
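As an added example (not code from the original post), here is a small wrapper that chains the productsign step and the spctl assessment, so a package is only handed off once it passes the same Gatekeeper check a client Mac will run. The function name is my own; it assumes productsign, spctl and pkgutil are available and that the identity string exists in the login keychain.

```shell
# Added example, not from the original post. Sign a flat package with
# productsign, then run the Gatekeeper assessment a client Mac performs
# before installing it. Function name and checks are assumptions.
# Usage: sign_and_verify_pkg 'Developer ID Installer: <ID>' in.pkg out.pkg
sign_and_verify_pkg() {
    identity="$1"; src="$2"; dst="$3"

    # Argument sanity before any tool is invoked.
    if [ -z "$identity" ] || [ -z "$src" ] || [ -z "$dst" ]; then
        echo "usage: sign_and_verify_pkg IDENTITY IN.pkg OUT.pkg" >&2
        return 2
    fi
    if [ ! -f "$src" ]; then
        echo "input package not found: $src" >&2
        return 1
    fi
    if [ "$src" = "$dst" ]; then
        # productsign writes a new archive; do not try to sign in place.
        echo "output package must differ from input package" >&2
        return 1
    fi
    for tool in productsign spctl pkgutil; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "required tool not found: $tool" >&2
            return 3
        fi
    done

    # Trusted timestamp: the signature stays verifiable after the
    # signing certificate itself expires.
    productsign --timestamp --sign "$identity" "$src" "$dst" || return 1

    # Gatekeeper verdict for an install; nonzero means clients would reject it.
    spctl --assess --type install --verbose "$dst" || return 1

    # Show the certificate chain so the signer can be checked by eye.
    pkgutil --check-signature "$dst"
}
```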

Mac OS X Mac OS X Server

10 Features I Miss From Mountain Lion & Mountain Lion Server

Apple’s not going to slow down innovation just to make me happy. I get that. But what have I noticed most about the differences between Mountain Lion and Mountain Lion Server and their predecessors, and maybe what to do to get some of them back?

  1. Podcast Producer: I am going to just put it out there. I liked Podcast Producer. I hope it shows back up in the future, even though I’m controlling my expectations. As someone who deals with a lot of video, there are a number of features that were really helpful to me, with or without Xgrid. I’ve replaced the command line aspects with tools such as ffmpeg, which we used in addition to at times, but some of the ways that pcastaction did things were really elegant comparably. On the graphical side, much of the functionality is available in the various sites that produce video streams and of course, there’s always YouTube. Either way, in regards to Mountain Lion Server, this represents one of the most substantial changes for those of us that deal with video.
  2. DHCP: I know, I know… I wrote an article on how to keep using DHCP. That doesn’t mean that the lack of GUI options is any less irritating. Every time I manually edit a config file that should have a GUI front-end it makes me ornery. Not that I’m not always ornery, but that’s not the point here…
  3. RSS: This is more of a client thing. But Mail.app and Safari used to give me the ability to quickly and easily look at RSS feeds and handled them in a way that was very streamlined with my experience across the rest of the operating system. I am now using Google Reader more and more along with tools like Reeder, but I liked the fact that everything I needed for RSS madness was installed on even the test systems I used.
  4. X11: I know, I know… Use XQuartz. It was nice having it built in though…
  5. Web Sharing: I guess the answer here is to just buy OS X Server. You can still fire up the LaunchDaemon and use Apache, but it’s a bit of a challenge. And the version in Server isn’t identical to Apache in Mountain Lion. There are two ways I’ve handled this. The first is to install Mountain Lion Server and then use the command `webpromotion demote` to switch the Apache configuration back to that of a client computer. The second is to fire up the LaunchDaemon directly using launchctl. If you’d like, there are also a number of free and/or 3rd party web servers, such as MAMP.
  6. Negative Mode: Well, I covered this already, and while the keystroke was gone, the feature never was – but here’s how to fix. Also, @sacrilicious turned me on to nocturne, which is pretty cool as well!
  7. iCal, Address Book and NetBoot: Actually, they’re now called Calendar, Contacts and NetInstall respectively. But still there. I actually like the renaming a lot, so I guess I don’t really miss any of them.
  8. Radius: OK, it’s there. Just command line only (unless you’re using an Apple AirPort). Maybe I should write an article about radius…
  9. The Server command line options: Actually, they just moved to a relative path to /Applications/Server.app/Contents/ServerRoot, as I mentioned here.
  10. Server Admin: I was going to say FTP, then I remembered it’s back. And then I remembered I never missed it in the first place. But dropping the remainder of the GUI tools for servers represents a bit of a challenge, mostly in figuring out how to do a few of the minor things, like enabling Server Side File Tracking, etc.

Mac OS X Mac OS X Server Mac Security Mass Deployment

Setting Up & Troubleshooting An Open Directory Replica In OS X Mountain Lion Server

Yesterday we looked at setting up an Open Directory Master in OS X Mountain Lion Server. An Open Directory Replica keeps a copy of the Open Directory database available for users even when the Master goes offline. But it can also take a part of the load from the Open Directory Master and when using the new Locales feature, balance network traffic. To get started with an Open Directory Replica, first enable SSH, now disabled by default.

Next, use changeip to check the host name. While the Server app is cool, it caches stuff and I’ve seen it let things go that shouldn’t be let go. Therefore, in order to make sure that the server has the correct address and host name, I still recommend using changeip, but I also recommend using the Server application. In Mountain Lion, I’ve seen each find things that the other misses. To use changeip:

sudo changeip -checkhostname

The address and host names should look correct and match what you see in the Server application’s Next Steps drawer.

Primary address = 10.0.0.1

Current HostName = odr.krypted.com
DNS HostName = odr.krypted.com

The names match. There is nothing to change.
dirserv:success = "success"

Provided everything is cool with the hostname, use the slapconfig command to preflight a replica prior to promotion. The syntax there is the same as the -createreplica syntax, used as follows, assuming the master has an IP address of 172.16.2.23:

/usr/sbin/slapconfig -preflightreplica 172.16.2.23 diradmin
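As an added example (not from the original post), a preflight helper that runs the two checks above in order: it parses the changeip output and only calls slapconfig -preflightreplica once the host names agree. The function names are my own, and the sample output fed to parse_changeip is the one shown above.

```shell
# Added example, not from the original post. parse_changeip reads the output
# of `changeip -checkhostname` on stdin and succeeds only when the current
# and DNS host names agree and changeip itself reports a match.
# Function names are assumptions, not part of OS X Server.
parse_changeip() {
    current=""; dns=""; verdict=1
    while IFS= read -r line; do
        case "$line" in
            "Current HostName = "*) current="${line#Current HostName = }" ;;
            "DNS HostName = "*)     dns="${line#DNS HostName = }" ;;
            "The names match."*)    verdict=0 ;;
        esac
    done
    [ -n "$current" ] && [ -n "$dns" ] && [ "$current" = "$dns" ] \
        && [ "$verdict" -eq 0 ]
}

# preflight_replica MASTER_IP [DIRADMIN]: run the two checks from the post in
# order and stop at the first failure, so slapconfig is only attempted after
# the host name check has passed.
preflight_replica() {
    master="$1"; admin="${2:-diradmin}"
    if [ -z "$master" ]; then
        echo "usage: preflight_replica MASTER_IP [DIRADMIN]" >&2
        return 2
    fi
    out=$(sudo changeip -checkhostname) || return 1
    printf '%s\n' "$out"
    if ! printf '%s\n' "$out" | parse_changeip; then
        echo "host name check failed; fix DNS/host name before promoting" >&2
        return 1
    fi
    sudo /usr/sbin/slapconfig -preflightreplica "$master" "$admin"
}
```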

Provided that the server is ready, open the Server app on a freshly installed computer you want to be your Open Directory replica and click on the Open Directory service.

Then, use the ON button to start the configuration process. When prompted, click on “Join an existing Open Directory domain as a replica” and click on the Next button. When prompted, enter the parent Open Directory server’s host name (likely the name of the Open Directory Master), directory admin user name (the diradmin or custom username provided when Open Directory was configured), and then the directory admin password. Then click on the Next button again to set up the services.

At the Confirm settings screen, click on the Set Up button and the replica is completed provided there are no issues with the configuration. Once you’ve created your first replica, you can then start to define replica trees, where each replica looks at one above it, which then looks at another. I’ll do another article later on replica trees.

Note: If there are any problems during promotion, I start over every time using slapconfig along with the -destroyldapserver option to nuke everything in OD:

sudo slapconfig -destroyldapserver

Use the logs to help if you’re having replica creation problems. These can be added using the -enableslapdlog option:

slapconfig -enableslapdlog

You can use the -addreplica option to add replicas manually while running tail on the slapd logs:

tail -f /var/log/slapd.log

Once the replica has been created, you can add more and more until you exceed 32. At that point, you have a fairly large Open Directory environment and you go to add the 33rd replica but you get a funny error that dserr doesn’t have listed. The reason is likely that a single Open Directory Master can only have 32 replicas – and the fact that you’ve made it that far means you get a cookie. Cookie or no, you can have 32 replicas on each replica (thus having a replica tree), ergo allowing for a total of 1,024 replicas and a master. So rather than bind that 33rd replica to a master, move to a replica tree model, trying to offload replicas in as geographically friendly a fashion as possible (thus reducing slap traffic on your WAN links) by repositioning replicas per site. Similar to how Active Directory infrastructures often have a global catalog at each site, if you’ve got a large number of Open Directory Replicas then you should likely try and limit the number that connects back to each master per site to 1.

Assuming that each replica can sustain a good 350 clients on a bad day (and we always plan for bad days), even the largest pure Mac OS X deployments will have plenty of LDAP servers to authenticate to. However, you’re likely going to have issues with clients being able to tell which Open Directory server is the most appropriate to authenticate through. Therefore, cn=config will need to be customized per group that leverages each replica, or divert rules used with ipfw to act as a traffic cop. Overall, the replica trees seem to be working fairly well in Snow Leopard, netting a fairly scalable infrastructure for providing LDAP services.

You can also get pretty granular with the slurpd (the daemon that manages Open Directory replication) logs by invoking slurpd with a -d option followed by a number from 4 to 65535, with intensity of logs getting more as the number gets higher. You can also use the -r option to indicate a specific log file. If you have more than 32 replicas then it stands to reason that you also have a large number of objects in Open Directory, a fair amount of change occurring to said objects and therefore a fair amount of replication IO. In order to offload this you can move your replication temp directory onto SSD drives, by specifying the -t option when invoking slurpd.

The slurpd replication occurs over port 389 (by default). Therefore, in a larger environment you should be giving priority to network traffic. If you choose to custom make/install slurpd then you’ll also need to go ahead and build your Kerberos principals manually. In this case you would get a srvtab file for the slurpd server and then configure slapd to accept Kerberos Authentication for slaves. Having said this, I haven’t seen an environment where I had to configure slurpd in this fashion.

Mac OS X Mac OS X Server Mac Security Mass Deployment

Installing and Managing NetBoot Services in OS X Mountain Lion Server

The NetBoot service has allowed administrators of Mac OS X computers to leverage images hosted on a server to boot computers to a central location since OS X was first introduced by Apple. Since the very first versions of OS X, the service has been called NetBoot. In the Server app, Apple has added a number of options surrounding the NetBoot service. It is now called NetInstall.

The first step to configuring the NetBoot service is to decide what you want the NetBoot service to do. There are three options:

  • Create a NetBoot Image: Allows Macs to boot over the network to a disk image hosted on a server.
  • Create a NetInstall Image: Leverage NetBoot as a boot disk so that an image hosted on a server can be used to run an OS X installer.
  • Create a NetRestore Image: Leverage NetBoot as a boot disk so that you can restore a computer that has been configured over a network. Use this option to restore an image that has been prepared.

For the purposes of this example, we’re going to use an OS X Mountain Lion installer to boot an OS X computer over the network. The first step in doing so is to create a Network Disk Image. Before setting it up, download the Install OS X Mountain Lion installer app into the /Applications directory from the App Store.

To then set up the NetBoot disk image, often referred to as the NetBoot set, open the Server app and then click on System Image Utility from the Tools menu of OS X.

When System Image Utility opens, click on the Install OS X Mountain Lion entry in the list of available sources. Then, in the list of options, click on NetBoot Image and then click on the Continue button.

At the Image Settings screen, enter the name the NetBoot set will have in the Network Disk field. Then, enter a description of what is on the NetBoot set in the Description field. If the image will be served from multiple servers, check the box for “Image will be served from more than one server.”

Then provide an account name, short name and password in the Image Settings screen. Once provided, click Create to generate the Network Disk Image.

When prompted, click on the Agree button to accept the licensing agreement.

Then, when prompted, select a location to store the Disk Image and click on Save.

The computer will then start creating the NetBoot set. Once finished, it’s time to set up the NetInstall service in OS X Mountain Lion Server. To get started, go back to the Server app.

First, define which disk will host NetBoot Images. To do so, click on the Edit Storage Settings button. At the Storage Settings overlay, select the volume that Images will be hosted on as well as the volume that Client Data will be hosted on. The Image is what you are creating and the Client Data is dynamic data stored in images.

If you only have one disk, as in this example, click on “Images & Client Data” for that disk. Then click on the OK button.

Once you’ve selected a disk to store your image, we need to copy the disk image into the Library/NetBoot/NetBootSP0 folder of the disk used for images. Once in the appropriate folder, click on the Edit button for the “Enable NetInstall on:” field.

Check the box for the interface you want to serve images over (if you only have one then it’s pretty obvious which interface this will be). Click on the OK button to save your settings. Then, click on the Images tab.

Each server can host multiple images. The Images tab displays a list of NetBoot images stored in the Library/NetBoot/NetBootSP0 directory. By default, images have a red indicator light. This means they’re not being served over any specific protocol yet. Double-click on an image.

At the image settings screen, check the box for “Make available over” and, for many environments, select NFS as the protocol. Note, you can also restrict access to the image to certain models of Apple computers and/or certain MAC addresses by using the “Image is visible to” and “Restrict access to this image” options respectively.

Additionally, use the Make this image available for diskless booting option to allow computers without hard drives to boot to the image.

Click on the Done button and the image will appear as green in the list of images. Click on the image and then click on the cog-wheel icon. Click on “Use as Default Boot Image” to set an image to be the default image computers boot to when booting to NetBoot.

Now, it’s as easy as clicking on the ON button. Do so to start the service.

Once started, open a Terminal window. Here, let’s get a status of the service using the serveradmin fullstatus option (along with the service name, which is still netboot from the command line):

sudo serveradmin fullstatus netboot

The output of which shows the various components, logs and states of components:

netboot:state = "RUNNING"
netboot:stateTFTP = "RUNNING"
netboot:readWriteSettingsVersion = 1
netboot:netBootConnectionsArray = _empty_array
netboot:logPaths:netBootLog = "/var/log/system.log"
netboot:dhcpLeasesArray = _empty_array
netboot:stateDHCP = "STOPPED"
netboot:stateHTTP = "STOPPED"
netboot:serviceCanStart = 1
netboot:timeOfSnapshot = "2012-08-09 03:59:45 +0000"
netboot:stateNFS = "RUNNING"
netboot:stateImageArray:_array_index:0:_array_index:0 = 0
netboot:stateImageArray:_array_index:0:_array_index:1 = 0
netboot:stateImageArray:_array_index:0:_array_index:2 = 0
netboot:stateImageArray:_array_index:0:_array_index:3 = 0
netboot:stateImageArray:_array_index:0:_array_index:4 = 2
netboot:stateImageArray:_array_index:1:_array_index:0 = 1
netboot:stateImageArray:_array_index:1:_array_index:1 = 1
netboot:stateImageArray:_array_index:1:_array_index:2 = 1
netboot:stateImageArray:_array_index:1:_array_index:3 = 0
netboot:stateImageArray:_array_index:1:_array_index:4 = 2
netboot:stateImageArray:_array_index:2:_array_index:0 = 0
netboot:stateImageArray:_array_index:2:_array_index:1 = 0
netboot:stateImageArray:_array_index:2:_array_index:2 = 0
netboot:stateImageArray:_array_index:2:_array_index:3 = 0
netboot:stateImageArray:_array_index:2:_array_index:4 = 2
netboot:stateImageArray:_array_index:3:_array_index:0 = 0
netboot:stateImageArray:_array_index:3:_array_index:1 = 0
netboot:stateImageArray:_array_index:3:_array_index:2 = 0
netboot:stateImageArray:_array_index:3:_array_index:3 = 0
netboot:stateImageArray:_array_index:3:_array_index:4 = 2
netboot:servicePortsRestrictionInfo = _empty_array
netboot:netBootClientsArray = _empty_array
netboot:servicePortsAreRestricted = "NO"
netboot:setStateVersion = 1
netboot:startedTime = "2012-08-09 03:58:01 +0000"
netboot:stateAFP = "RUNNING"
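As an added example (not from the original post), a health check that reads the fullstatus output above and only reports success when the service, the TFTP listener that hands out the booter, and at least one image transport (NFS or HTTP) are all RUNNING. The function names are my own.

```shell
# Added example, not from the original post. netboot_status_ok reads
# `serveradmin fullstatus netboot` output on stdin and succeeds only when the
# service, TFTP and at least one of NFS/HTTP report RUNNING.
# Function names are assumptions, not part of OS X Server.
netboot_status_ok() {
    state=""; tftp=""; nfs=""; http=""
    while IFS= read -r line; do
        key="${line%% = *}"
        val="${line#* = }"
        val="${val#\"}"; val="${val%\"}"   # serveradmin quotes string values
        case "$key" in
            netboot:state)     state="$val" ;;
            netboot:stateTFTP) tftp="$val" ;;
            netboot:stateNFS)  nfs="$val" ;;
            netboot:stateHTTP) http="$val" ;;
        esac
    done
    if [ "$state" != "RUNNING" ]; then
        echo "netboot service is not running (state=$state)" >&2; return 1
    fi
    if [ "$tftp" != "RUNNING" ]; then
        echo "TFTP is ${tftp:-unknown}: clients cannot fetch the booter" >&2; return 1
    fi
    if [ "$nfs" != "RUNNING" ] && [ "$http" != "RUNNING" ]; then
        echo "neither NFS nor HTTP is serving images" >&2; return 1
    fi
    return 0
}

# Wrapper to run on the server itself (needs sudo for serveradmin).
check_netboot() {
    sudo serveradmin fullstatus netboot | netboot_status_ok
}
```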

And to start the service when not running:

sudo serveradmin start netboot

There are also a number of settings available at the command line that are not in the graphical interface. For example, to allow writing to the NetBoot share:

sudo serveradmin settings netboot:netBootStorageRecordsArray:_array_index:0:readOnlyShare = no

Or to get more verbose logs:

sudo serveradmin settings netboot:logging_level = "HIGH"

And last but not least, to stop the service:

sudo serveradmin stop netboot

In the beginning of this article, I mentioned that there are other kinds of images you can configure. I’ll cover NetInstall and NetRestore in later articles, as they tend to be more involved workflow-wise than copying a volume into a Network Disk Image.