krypted.com

Tiny Deathstars of Foulness

You know how in Notification Center a banner stays on screen for a while? You can customize how long that lasts. To do so, use defaults to write a bannerTime key into com.apple.notificationcenterui. The value is an integer: the number of seconds the banner stays on screen, so write it with -int rather than as a string. For example, to set the banner to 10 seconds:

defaults write com.apple.notificationcenterui bannerTime -int 10

Or 2 seconds:

defaults write com.apple.notificationcenterui bannerTime -int 2

Once you set the time, log out and log back in (or reboot) for the change to take effect. Enjoy!

November 17th, 2015

Posted In: Mac OS X


Financial services is an interesting business when it comes to what you need to do to meet your regulatory requirements. With so much data and the services that enable you to access data moving to the cloud, it can be hard to keep up with how solutions meet any regulatory requirements you might have. At the end of the day, you’re primarily concerned about customer data leaking out of your environment and making sure that you can report on every single thing that happened in an environment. Whatever help we can provide in this article, make sure that you vet anything against what the individuals that review your regulatory requirements say. Click Here to Continue Reading More On blog.bushel.com

November 13th, 2015

Posted In: Bushel


There are a couple of parts to this article. The first is to describe the server command, stored in /Applications/Server.app/Contents/ServerRoot/usr/sbin/server. The description of the command by Brad Chapman was so eloquently put on this JAMF Nation post that I’m just gonna’ paste it in here:
So … I just installed Server 5.0.x tonight on my Mac Mini running Yosemite (10.10.5). There was a question that came up during JNUC about upgrading Server and having a way to accept the license agreement without going through the GUI. So for shits and giggles I tried:
server setup
It’s not documented. And lo and behold, I got the prompt to accept the license agreement just like you do with Xcode. Post your trip reports here! Can this be automated?
tardis:~ chapman$ sudo server setup
Password:
To use server, you must agree to the terms of the software license agreement.

Press Return to view the software license agreement.

---insert license agreement here---

Do you agree to the terms of the software license agreement? (y/N) y

Administrator access is required to set up OS X Server on this Mac. Type an administrator's user name and password to allow this.
User name: chapman
Password: 

Initializing setup...
Getting server state...
Getting host names...
Writing server settings...
Configuring Service Authentication...
Creating certificates...
Getting certificates...
Renewing certificate...
Enabling server password hashes for local users...
Creating service principals...
Initializing certificates...
Preparing services...
Preparing Caching service...
Preparing Calendar service...
Preparing Profile Manager service...
Preparing File Sharing service...
Preparing Software Update service...
Preparing Messages service...
Preparing Mail service...
Preparing Web service...
Preparing Calendar service...
Preparing Wiki service...
Preparing Calendar service...
Preparing Profile Manager service...
Initializing Wiki...
Initializing Mail...
Initializing VPN...
Initializing Xcode...
Enabling autobuddy for local accounts...
Updating admin password policy...
Checking DNS Configuration...
Reading DNS configuration...
Completing setup...

server encountered errors during setup:

Unknown error
tardis:~ chapman$
I don’t know what the ‘unknown error’ was.
The error is pretty much typical. I rarely see a server that doesn't spawn some kind of error, and most errors end up reported as this one. Oh well. The only verb he didn't mention that isn't meant for internal use is help, and even "server help" doesn't list setup as a verb. Now, here's where it gets fun. This is cute, but if you're scripting a full server setup, you'll want to bust out a little expect script here. I'm gonna' put the username and password in cleartext here, to keep the script readable:

#!/usr/bin/expect
# Run this as root: server setup needs administrator rights, and wrapping it in
# sudo would add a second "Password:" prompt before the license agreement that
# the expect patterns below don't account for.
set timeout 300
# The server binary lives inside Server.app and is not normally on the PATH.
spawn /Applications/Server.app/Contents/ServerRoot/usr/sbin/server setup
expect "Press Return to view the software license agreement." { send "\r" }
expect "Do you agree to the terms of the software license agreement? (y/N)" { send "y\r" }
expect "User name:" { send "MYADMINUSERNAME\r" }
expect "Password:" { send "MYPASSWORD\r" }
interact

Obviously, you would replace MYADMINUSERNAME with your admin username and MYPASSWORD with your password. Keep in mind that a script like this carries an admin credential in cleartext, so lock down its permissions, don't leave it lying around on the finished server, and consider feeding the values in from the environment at run time rather than hard-coding them. But basically, drop the Server.app on a machine, run this, and you're good to go. Now, hypothetically, if you're spinning up a Caching server (e.g. if you're building out 100 caching servers, this might come in handy), then you could use the commands described in this article I wrote earlier.

October 28th, 2015

Posted In: Mac OS X Server, Mass Deployment


The Caching Server in OS X Server 5 is pretty simple, right? You open up the Server app and then click on the On button and you're... off... to... the... races... Yup. There are also a few options that you can configure using the Server app. You can configure which IP addresses (or networks) are able to access your server. You can configure where the cache is stored. You can configure the amount of disk space the cache is allowed to use. And you can clear out that cache. Boom. Including the On button, you've only got 5 things you can do here. Pretty easy.

To script kicking off the service as just a proxy that caches all the content it can, simply use the following command:

sudo serveradmin start caching

The above command simply enables the service and starts the daemon. At that point, it registers with Apple and starts caching what it can. For many environments, this is pretty much all you need to do. But you can also configure the options available in the GUI, and a few that aren't, using the command line. And then there are some pretty cool things you can do in Caching under the hood that aren't included in the Server app.

Let's look at what it might take to script setting up the Caching service, for example if we wanted to do scripted Caching Server deployments. Well, we'd need to start the service. By default the service starts with only local subnets able to access it, and all available content is heated. Additionally, the default location for the cache is /Library/Server, with no limit on the cache and a reserved volume space of 25000000000 bytes.
You can see this by looking at the output of serveradmin with the settings verb and the caching service, as follows:

sudo serveradmin settings caching

Which results in the following:

caching:ServerRoot = "/Library/Server"
caching:ReservedVolumeSpace = 25000000000
caching:LocalSubnetsOnly = yes
caching:Port = 0
caching:CacheLimit = 0
caching:DataPath = "/Library/Server/Caching/Data"

Now, let's open up the caching server to the world, assuming of course that people can't get to it unless they're routable on our network. This makes caching for multiple subnets in a given LAN environment much simpler. To do so, we'd feed that caching:LocalSubnetsOnly key back in, with a no:

sudo serveradmin settings caching:LocalSubnetsOnly = no

Once the service is started, you will be able to perform tasks such as disabling the iCloud caching option. This is done by setting the AllowPersonalCaching key to false in /Library/Server/Caching/Config/Config.plist. It is a plist boolean, so it is written as a <false/> element rather than a string or integer:

<key>AllowPersonalCaching</key>
<false/>

This can be done using the serveradmin command as well, using the settings verb with the caching service and the AllowPersonalCaching key, as follows:

sudo serveradmin settings caching:AllowPersonalCaching = no

You can also limit the space that the Caching Server uses for cached iCloud data with the settings verb, the caching service and the PersonalCacheLimit key, provided the PersonalCacheLimit doesn't exceed the CacheLimit (a CacheLimit of 0, the default, means no limit). For example:

sudo serveradmin settings caching:PersonalCacheLimit = 200000000000

Which lands in Config.plist as:

<key>PersonalCacheLimit</key>
<integer>200000000000</integer>

In /Library/Server/Caching/Config/ you'll find a file called Config.plist. Here, you'll find way more settings, including those not output when you run serveradmin. You can actually drop lots of settings into new servers by copying this file into the correct location. However, prior to doing so, you'll need to sanitize the file. There are two unique keys that should never be copied between servers. The first is the ServerGUID.
The ServerGUID is a generated unique identifier that the server creates for itself when started. A complete Config.plist from a freshly started server looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>CacheLimit</key>
	<integer>0</integer>
	<key>DataPath</key>
	<string>/Library/Server/Caching/Data</string>
	<key>LastConfigData</key>
	<data>
	XXX
	</data>
	<key>LastConfigURL</key>
	<string>http://suconfig.apple.com/resource/registration/v1/config.plist</string>
	<key>LastPort</key>
	<integer>52303</integer>
	<key>LocalSubnetsOnly</key>
	<true/>
	<key>Port</key>
	<integer>0</integer>
	<key>ReservedVolumeSpace</key>
	<integer>25000000000</integer>
	<key>SavedCacheDetails</key>
	<dict/>
	<key>SavedCacheDetailsOrder</key>
	<array>
		<string>Mac Software</string>
		<string>iOS Software</string>
		<string>iCloud</string>
		<string>Books</string>
		<string>iTunes U</string>
		<string>Movies</string>
		<string>Music</string>
		<string>Other</string>
	</array>
	<key>SavedCacheDetailsStrings</key>
	<dict>
		<key>de</key>
		<dict>
			<key>Books</key>
			<string>Bücher</string>
			<key>Mac Software</key>
			<string>Mac-Software</string>
			<key>Movies</key>
			<string>Filme</string>
			<key>Music</key>
			<string>Musik</string>
			<key>Other</key>
			<string>Anderes</string>
			<key>iCloud</key>
			<string>iCloud</string>
			<key>iOS Software</key>
			<string>iOS-Software</string>
			<key>iTunes U</key>
			<string>iTunes U</string>
		</dict>
		<key>en</key>
		<dict>
			<key>Books</key>
			<string>Books</string>
			<key>Mac Software</key>
			<string>Mac Software</string>
			<key>Movies</key>
			<string>Movies</string>
			<key>Music</key>
			<string>Music</string>
			<key>Other</key>
			<string>Other</string>
			<key>iCloud</key>
			<string>iCloud</string>
			<key>iOS Software</key>
			<string>iOS Software</string>
			<key>iTunes U</key>
			<string>iTunes U</string>
		</dict>
		<key>es</key>
		<dict>
			<key>Books</key>
			<string>Libros</string>
			<key>Mac Software</key>
			<string>Software Mac</string>
			<key>Movies</key>
			<string>Películas</string>
			<key>Music</key>
			<string>Música</string>
			<key>Other</key>
			<string>Otros</string>
			<key>iCloud</key>
			<string>iCloud</string>
			<key>iOS Software</key>
			<string>Software iOS</string>
			<key>iTunes U</key>
			<string>iTunes U</string>
		</dict>
		<key>fr</key>
		<dict>
			<key>Books</key>
			<string>Livres</string>
			<key>Mac Software</key>
			<string>Logiciels Mac</string>
			<key>Movies</key>
			<string>Films</string>
			<key>Music</key>
			<string>Musique</string>
			<key>Other</key>
			<string>Autres</string>
			<key>iCloud</key>
			<string>iCloud</string>
			<key>iOS Software</key>
			<string>Logiciels iOS</string>
			<key>iTunes U</key>
			<string>iTunes U</string>
		</dict>
		<key>it</key>
		<dict>
			<key>Books</key>
			<string>Libri</string>
			<key>Mac Software</key>
			<string>Software Mac</string>
			<key>Movies</key>
			<string>Film</string>
			<key>Music</key>
			<string>Musica</string>
			<key>Other</key>
			<string>Altro</string>
			<key>iCloud</key>
			<string>iCloud</string>
			<key>iOS Software</key>
			<string>Software iOS</string>
			<key>iTunes U</key>
			<string>iTunes U</string>
		</dict>
		<key>ja</key>
		<dict>
			<key>Books</key>
			<string>ブック</string>
			<key>Mac Software</key>
			<string>Mac ソフトウェア</string>
			<key>Movies</key>
			<string>ムービー</string>
			<key>Music</key>
			<string>ミュージック</string>
			<key>Other</key>
			<string>その他</string>
			<key>iCloud</key>
			<string>iCloud</string>
			<key>iOS Software</key>
			<string>iOS ソフトウェア</string>
			<key>iTunes U</key>
			<string>iTunes U</string>
		</dict>
		<key>ko</key>
		<dict>
			<key>Books</key>
			<string>책</string>
			<key>Mac Software</key>
			<string>Mac 소프트웨어</string>
			<key>Movies</key>
			<string>동영상</string>
			<key>Music</key>
			<string>음악</string>
			<key>Other</key>
			<string>기타</string>
			<key>iCloud</key>
			<string>iCloud</string>
			<key>iOS Software</key>
			<string>iOS 소프트웨어</string>
			<key>iTunes U</key>
			<string>iTunes U</string>
		</dict>
		<key>nl</key>
		<dict>
			<key>Books</key>
			<string>Boeken</string>
			<key>Mac Software</key>
			<string>Mac-software</string>
			<key>Movies</key>
			<string>Films</string>
			<key>Music</key>
			<string>Muziek</string>
			<key>Other</key>
			<string>Overig</string>
			<key>iCloud</key>
			<string>iCloud</string>
			<key>iOS Software</key>
			<string>iOS-software</string>
			<key>iTunes U</key>
			<string>iTunes U</string>
		</dict>
		<key>zh-CN</key>
		<dict>
			<key>Books</key>
			<string>图书</string>
			<key>Mac Software</key>
			<string>Mac 软件</string>
			<key>Movies</key>
			<string>影片</string>
			<key>Music</key>
			<string>音乐</string>
			<key>Other</key>
			<string>其他</string>
			<key>iCloud</key>
			<string>iCloud</string>
			<key>iOS Software</key>
			<string>iOS 软件</string>
			<key>iTunes U</key>
			<string>iTunes U</string>
		</dict>
		<key>zh-Hans</key>
		<dict>
			<key>Books</key>
			<string>图书</string>
			<key>Mac Software</key>
			<string>Mac 软件</string>
			<key>Movies</key>
			<string>影片</string>
			<key>Music</key>
			<string>音乐</string>
			<key>Other</key>
			<string>其他</string>
			<key>iCloud</key>
			<string>iCloud</string>
			<key>iOS Software</key>
			<string>iOS 软件</string>
			<key>iTunes U</key>
			<string>iTunes U</string>
		</dict>
		<key>zh-Hant</key>
		<dict>
			<key>Books</key>
			<string>書籍</string>
			<key>Mac Software</key>
			<string>Mac 軟體</string>
			<key>Movies</key>
			<string>影片</string>
			<key>Music</key>
			<string>音樂</string>
			<key>Other</key>
			<string>其他</string>
			<key>iCloud</key>
			<string>iCloud</string>
			<key>iOS Software</key>
			<string>iOS 軟體</string>
			<key>iTunes U</key>
			<string>iTunes U</string>
		</dict>
		<key>zh-TW</key>
		<dict>
			<key>Books</key>
			<string>書籍</string>
			<key>Mac Software</key>
			<string>Mac 軟體</string>
			<key>Movies</key>
			<string>影片</string>
			<key>Music</key>
			<string>音樂</string>
			<key>Other</key>
			<string>其他</string>
			<key>iCloud</key>
			<string>iCloud</string>
			<key>iOS Software</key>
			<string>iOS 軟體</string>
			<key>iTunes U</key>
			<string>iTunes U</string>
		</dict>
		<key>zh_CN</key>
		<dict>
			<key>Books</key>
			<string>图书</string>
			<key>Mac Software</key>
			<string>Mac 软件</string>
			<key>Movies</key>
			<string>影片</string>
			<key>Music</key>
			<string>音乐</string>
			<key>Other</key>
			<string>其他</string>
			<key>iCloud</key>
			<string>iCloud</string>
			<key>iOS Software</key>
			<string>iOS 软件</string>
			<key>iTunes U</key>
			<string>iTunes U</string>
		</dict>
		<key>zh_TW</key>
		<dict>
			<key>Books</key>
			<string>書籍</string>
			<key>Mac Software</key>
			<string>Mac 軟體</string>
			<key>Movies</key>
			<string>影片</string>
			<key>Music</key>
			<string>音樂</string>
			<key>Other</key>
			<string>其他</string>
			<key>iCloud</key>
			<string>iCloud</string>
			<key>iOS Software</key>
			<string>iOS 軟體</string>
			<key>iTunes U</key>
			<string>iTunes U</string>
		</dict>
	</dict>
	<key>SavedCacheSize</key>
	<integer>0</integer>
	<key>ServerGUID</key>
	<string>A955E484-E2A6-4759-A8F4-108CF9B733A7</string>
	<key>ServerRoot</key>
	<string>/Library/Server</string>
	<key>Version</key>
	<integer>1</integer>
</dict>
</plist>

There's always some sanity checking you can do. The main reason I've seen the server not want to start is that the server cannot register with Apple. The first thing the server does when it registers is establish a connection to Apple using the ServerGUID; it then pulls down more settings from http://suconfig.apple.com/resource/registration/v1/config.plist and, if needed, begins heating the cache. Now, if the serveradmin command reports back in fullstatus that the server is pending and it never makes a connection, there are two issues I've seen occur. The first is that you copied the ServerGUID from another host that's already registered with Apple. The second is an error of "The operation couldn't be completed" with an error code of 1.
To see this, run serveradmin with the fullstatus verb and the service identifier (the registration keys appear alongside caching:startupStatus and the rest of the status output):

sudo serveradmin fullstatus caching

On a server that can't register, the relevant lines look like this (the <...> blob is a binary plist, starting with the "bplist00" magic, that carries the serialized NSError):

caching:RegistrationStatus:error = <62706c69 73743030 d4010203 04050618 19582476 65727369 6f6e5824 6f626a65 63747359 24617263 68697665 72542474 6f701200 0186a0a4 07081112 55246e75 6c6cd409 0a0b0c0d 0e0f1056 4e53436f 64655a4e 53557365 72496e66 6f584e53 446f6d61 696e5624 636c6173 73100180 00800280 035f1014 636f6d2e 6170706c 652e7365 72766572 6d677264 d2131415 165a2463 6c617373 6e616d65 5824636c 61737365 73574e53 4572726f 72a21517 584e534f 626a6563 745f100f 4e534b65 79656441 72636869 766572d1 1a1b5472 6f6f7480 0108111a 232d3237 3c424b52 5d666d6f 7173758c 919ca5ad b0b9cbce d3000000 00000001 01000000 00000000 1c000000 00000000 00000000 00000000 d5>
caching:RegistrationStatus:errorDescription = "The operation couldn’t be completed. (com.apple.servermgrd error 1.)"
caching:RegistrationStatus:errorCode = 1
caching:RegistrationStatus = 0

This is usually because the server cannot make a connection to Apple. Check that the server can ping, or otherwise reach, suconfig.apple.com. Most of the time I've found that this involves a proxy. To sanity check for this in a script, try to curl down a copy of http://suconfig.apple.com/resource/registration/v1/config.plist. There's more, but I'm out of time. Will come back to this.
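To tie the two pieces of this post together (sanitizing a Config.plist before copying it to a new server, and the curl-style registration check), here is an added Python example. It is not code from the article or from Apple. It removes ServerGUID, which the article names, and also drops the cached registration response (LastConfigData, LastPort); treating those as per-host is this example's assumption, since the article does not name the second key. It writes AllowPersonalCaching and LocalSubnetsOnly as real plist booleans, and enforces the PersonalCacheLimit-not-above-CacheLimit rule, treating CacheLimit 0 as "no limit" as the default settings above imply. The sample plist is constructed from the defaults shown by serveradmin.

```python
#!/usr/bin/env python3
"""Prepare a Caching Server Config.plist for reuse on other hosts and sanity
check registration. Added example, not code from the original article."""
import plistlib
import sys
import urllib.request

CONFIG_PATH = "/Library/Server/Caching/Config/Config.plist"
REGISTRATION_URL = "http://suconfig.apple.com/resource/registration/v1/config.plist"

# ServerGUID is the per-host identifier the article says must never be copied.
# The article does not name the second key; dropping the cached registration
# response (LastConfigData, LastPort) as well is this example's assumption.
PER_HOST_KEYS = ("ServerGUID", "LastConfigData", "LastPort")


def load_config(plist_bytes):
    """Parse Config.plist (XML or binary) into a dict."""
    return plistlib.loads(plist_bytes)


def personal_limit_ok(cache_limit, personal_limit):
    """PersonalCacheLimit may not exceed CacheLimit; CacheLimit 0 means no limit."""
    if personal_limit < 0:
        return False
    return cache_limit == 0 or personal_limit <= cache_limit


def sanitize_config(plist_bytes, local_subnets_only=True,
                    allow_personal_caching=False, personal_cache_limit=None):
    """Return a Config.plist safe to drop onto a new server: per-host keys
    removed, booleans written as real plist booleans (<true/> / <false/>),
    and the iCloud cache limit validated against CacheLimit."""
    cfg = load_config(plist_bytes)
    for key in PER_HOST_KEYS:
        cfg.pop(key, None)
    cfg["LocalSubnetsOnly"] = bool(local_subnets_only)
    cfg["AllowPersonalCaching"] = bool(allow_personal_caching)
    if personal_cache_limit is not None:
        if not personal_limit_ok(int(cfg.get("CacheLimit", 0)), personal_cache_limit):
            raise ValueError("PersonalCacheLimit exceeds CacheLimit")
        cfg["PersonalCacheLimit"] = int(personal_cache_limit)
    return plistlib.dumps(cfg)


def registration_reachable(url=REGISTRATION_URL, timeout=10):
    """The article's curl sanity check, done in-process: the server must be
    able to fetch and parse Apple's registration plist, which is exactly what
    fails behind a proxy that hasn't been configured for the host."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            plistlib.loads(resp.read())
        return True
    except Exception as exc:  # URLError, HTTPError, or a non-plist response
        print("cannot fetch %s: %s" % (url, exc), file=sys.stderr)
        return False


# Constructed sample matching the default settings shown by serveradmin.
SAMPLE_CONFIG = plistlib.dumps({
    "CacheLimit": 0,
    "DataPath": "/Library/Server/Caching/Data",
    "LastPort": 52303,
    "LocalSubnetsOnly": True,
    "Port": 0,
    "ReservedVolumeSpace": 25000000000,
    "ServerGUID": "A955E484-E2A6-4759-A8F4-108CF9B733A7",
    "ServerRoot": "/Library/Server",
    "Version": 1,
})

if __name__ == "__main__":
    # Usage: sanitize_caching.py [Config.plist]  (defaults to the sample above)
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    sys.stdout.write(sanitize_config(src, local_subnets_only=False,
                                     personal_cache_limit=200000000000).decode())
```

Run it against a registered server's Config.plist and redirect the output to the same path on the new host before starting the service; call registration_reachable() from the same deployment script to catch the proxy problem before serveradmin reports RegistrationStatus = 0.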

October 23rd, 2015

Posted In: Mac OS X Server, Mass Deployment


The latest and greatest edition of the Enterprise Mac Admin's Guide is now available for pre-order at http://www.amazon.com/Enterprise-Mac-Administrators-Guide-Second/dp/1484217055/ref=sr_1_1?s=books&ie=UTF8&qid=1445529968. This is an interesting update. If you happened to see the previous edition, I'd described more about Casper than most of the other third party products on the market. In this edition, there's still an equal amount of information on Casper, but now there's also more information on FileWave, and a whole chapter on the open source toolchain of products, including Munki and AutoPKG. The main reason I decided to update this title was actually the change from focusing on directory services (which still has plenty of page count) to focusing on profile management. The most substantial update to the book was Bill Smith, though. Bringing him in as a co-author provided a lot of new insight, new content, and a good bit of cleaned up text. He's been great to work with! This was a pretty big update, so I hope you enjoy it!

October 22nd, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


The third edition of the Enterprise Mac OS X Security book is now available for pre-order on Amazon at http://www.amazon.com/gp/product/148421711X! Another title with Apress, for this edition I welcome Dan O'Donnell as a coauthor, and in addition to modernizing everything we added a lot more on FileVault, signing, iCloud and Apple services. I don't know how long the editorial process for this book will take, but it's listed on Amazon with a ship date of December 3rd!

October 22nd, 2015

Posted In: Mac OS X, Mac Security, Mass Deployment


Installing OS X has never been easier than in Yosemite. In this article, we'll look at upgrading a Mac from OS X 10.10 (Yosemite) to OS X 10.11 (El Capitan). The first thing you should do is clone your system. The second thing you should do is make sure you have a good backup. The third thing you should do is make sure you can swap back to the clone should you need to do so, and that your data will remain usable on the backup. Once you're sure that you have a fallback plan, let's get started by downloading OS X El Capitan from the App Store. Once downloaded, you'll see Install OS X El Capitan sitting in Launchpad, as well as in the /Applications folder. Open the app and click Continue (provided of course that you are ready to restart the computer and install OS X El Capitan). At the licensing agreement, click Agree (or don't, and there will be no El Capitan for you). At the pop-up click Agree again, unless you've changed your mind about the license agreement in the past couple of seconds. At the Install screen, click Install and the computer will reboot. And you're done. Now for the fun stuff!

October 11th, 2015

Posted In: Mac OS X, Mac OS X Server


Encrypting a volume in OS X couldn't be easier. In this article, we will look at three ways to encrypt OS X El Capitan volumes in OS X Server 5. The reason there are three ways is that booted volumes and non-booted volumes have different methods for enabling encryption.

Encrypting Attached Storage

For non-boot volumes, just control-click or right-click on them and then click on Encrypt "VOLUMENAME", where the name of the volume is in quotes. When prompted, provide an encryption password for the volume, verify that password and, if you so choose, provide a hint. Once the encryption process has begun, the entry previously clicked on says Encrypting "VOLUMENAME".

Before you can encrypt a volume from the command line you must first convert it to CoreStorage if it isn't already. As volumes on external disks aren't likely to be CoreStorage, let's check using diskutil along with corestorage and then list:

diskutil corestorage list

Assuming your volume was formatted with a non-CoreStorage format and isn't listed, locate the volume and document the disk identifier (in this case disk2s3). Then, run diskutil corestorage along with the convert verb and the disk, as follows (no need to run this command if it's already listed):

sudo diskutil corestorage convert disk2s3

The output should look similar to the following:

Started CoreStorage operation on disk2s3 Reco
Resizing disk to fit Core Storage headers
Creating Core Storage Logical Volume Group
Attempting to unmount disk2s3
Switching disk2s3 to Core Storage
Waiting for Logical Volume to appear
Mounting Logical Volume
Core Storage LVG UUID: 19D34AAA-498A-44FC-99A5-3E719D3DB6FB
Core Storage PV UUID: 2639E13A-250D-4510-889A-3EEB3B7F065C
Core Storage LV UUID: 4CC5881F-88B3-42DD-B540-24AA63952E31
Core Storage disk: disk4
Finished CoreStorage operation on disk2s3 Reco

Once converted, the LV UUID (LV is short for Logical Volume) can be used to encrypt the logical volume, using a password of crowbar to unlock it:

sudo diskutil corestorage encryptvolume 4CC5881F-88B3-42DD-B540-24AA63952E31 -passphrase crowbar

Keep in mind that a passphrase given on the command line like this is visible in the process list while the command runs and ends up in your shell history; feeding it over stdin with -stdinpassphrase, mentioned below, avoids both. The output is similar to the following:

Started CoreStorage operation on disk4 Reco
Scheduling encryption of Core Storage Logical Volume
Core Storage LV UUID: 4CC5881F-88B3-42DD-B540-24AA63952E31
Finished CoreStorage operation on disk4 Reco

Depending on the size of the volume, this process can take some time. Monitor the progress using the corestorage list option:

diskutil corestorage list

In all of these commands, you can replace corestorage with cs for less typing. I'll use the shortened version as I go.

I know that we rarely change passwords, but sometimes it needs to happen. If it needs to happen on a CoreStorage encrypted volume, this can be done from the command line or a script. To do so, use diskutil cs with the changeVolumePassphrase verb. We'll use -oldpassphrase to provide the old password and -newpassphrase to provide the new passphrase:

diskutil cs changeVolumePassphrase FC6D57CD-15FC-4A9A-B9D7-F7CF26312E00 -oldpassphrase crowbar -newpassphrase hedeservedit

I continue to get prompted when I send the -newpassphrase, so I've taken to feeding the passphrase via stdin, using -stdinpassphrase.

Once encrypted there will occasionally come a time for decrypting, or removing the encryption from, a volume. It's worth noting that neither encrypting nor decrypting requires erasing. To decrypt, use the decryptVolume verb, again with the -passphrase option:

diskutil cs decryptvolume 4CC5881F-88B3-42DD-B540-24AA63952E31 -passphrase crowbar

FileVault 2: Encrypting Boot Volumes

Boot volumes are configured a bit differently. This is namely because the boot volume requires FileVault 2, which unifies usernames and passwords with the encryption so that users enter one username and password rather than unlocking drives separately. To configure FileVault 2, open the Security & Privacy System Preference pane and then click on the FileVault tab. Click on the lock to make changes and then provide the password for an administrative account on the system. Then, click on "Turn On FileVault...". You'll then be prompted to restart; do so to begin the encryption process. When prompted, choose whether to create a key or save the key to iCloud.
In most cases, on a server, you'll want to create a recovery key and save it to a very safe place. When prompted with the Recovery Key, document it and then click on Continue. Choose whether to store the recovery key with Apple. If you will be storing the key with Apple then provide the Apple ID. Otherwise, simply click the bullet for "Do not store the recovery key with Apple" and then click on the Continue button. When prompted, click on Restart to reboot, and you'll be prompted for the first account that can unlock the FileVaulted system. Once encrypted, the FileVault tab in the Security & Privacy System Preference pane shows the encryption status, or the percent complete during encryption. That's it. Managing FileVault 2 using System Preferences is about as easy as it can get. But for those who require mass management, Apple has provided a tool called fdesetup for that as well.

Using fdesetup with FileVault 2

FileVault 2 comes with a nifty configuration utility called fdesetup. To use fdesetup to encrypt the boot volume, first check FileVault's status by entering the fdesetup command along with the status verb (no leading dashes required any more):

fdesetup status

As with most other commands, read the help page before starting to use it, just in case there are any changes to it between the writing of this article and when you kick off your automated encryption. Done using the help verb:

fdesetup help

After confirming FileVault is off, enable FileVault with the enable verb, as follows:

sudo fdesetup enable

Unless additional parameters are specified, an interactive session prompts for the primary user's short name and password. Once enabled, a recovery key is returned by the fdesetup command. You can also cancel this by just hitting Control-C so we can look at more complicated iterations of the command. The key should be recorded or otherwise stored, something easily done by mounting a share in a script (e.g.
a write-only share for key escrowing). If more complicated measures are needed, of course check out Cauliflower Vest at code.google.com. The fdesetup command is now at version 2.36:

fdesetup version

Now, if you run fdesetup and you've deployed a master keychain then you're going to have a little more work to do; namely, point the -keychain option at the actual keychain. For example:

sudo fdesetup enable -keychain /Library/Keychains/FileVaultMaster.keychain

To define a certificate:

sudo fdesetup enable -certificate /temp/filename.cer

Adding users other than the one who enabled FileVault is a bit different from the first:

sudo fdesetup add -usertoadd robin

To remove users, just remove them with the remove verb followed by the -user option and the username:

sudo fdesetup remove -user robin

The remove and add verbs also accept -uuid rather than the username. Let's look at Robin's GeneratedUID (the cut range skips the "GeneratedUID: " prefix and keeps the 36-character UUID):

dscl . read /Users/robin GeneratedUID | cut -c 15-50

Yes, I used cut. If you have a problem with that then take your judgmental fuc... Nevermind. Take that GUID and plug it in using the -uuid option. For example, to do so with the remove verb:

sudo fdesetup remove -uuid 31E609D5-39CF-4A42-9F24-CFA2B36F5532

Or for good measure, we can basically replicate -user with -uuid for a nice stupid human trick:

sudo fdesetup remove -uuid `dscl . read /Users/robin GeneratedUID | cut -c 15-50`

All of the fdesetup commands can be run interactively or using options to define the variables otherwise provided at the interactive prompt. These are defined well in the man page. Finally, let's look at -defer. Using -defer, you can have fdesetup wait until the next login, write the key to a plist and then grab it with a script of some sort later.
sudo fdesetup enable -defer /temp/fdesetupescrow.plist

Or define users concurrently (continuing to use the robin test user):

sudo fdesetup enable -user robin -defer /temp/fdesetupescrow.plist

Be aware that the deferred plist holds the recovery key in cleartext, so write it somewhere only root can read (not a world-readable scratch directory), collect it promptly, and delete it once it has been escrowed.

FileVault accounts can also use accounts from Directory Services automatically. These need to synchronize with the Directory Service routinely, as data is cached. To do so:

sudo fdesetup sync

This is really just scratching the surface of what you can do with fdesetup. The definitive source is the man page, as well as a nicely done article by Rich Trouton.

Encrypting Time Machine Backups

The last full disk encryption to discuss is Time Machine. To encrypt Time Machine backups, use Time Machine's System Preference pane. The reason for this is that doing so automatically maintains mounting information in the operating system, rather than potentially having an encrypted drive's password get lost or not entered, and therefore not have backups run. To enable disk encryption for Time Machine destinations, open the Time Machine System Preference pane and click on Select Backup Disk... From the backup disk selection screen, choose your backup target and then check the box for "Encrypt backups". Then, click on Use Disk. At the overlay screen, provide a backup password twice and, if you would like, a hint as to what that password is. When you are satisfied with your passwords, click on the Encrypt Disk button. Now, there are a couple of things to know here.

1. Don't forget that password.
2. If you use an institutional FileVault key, still don't forget that password: the institutional key will not unlock a Time Machine volume.
3. Don't forget that password...

Scripty CLI Stuff

We've always been able to enable FileVault using scripts thanks to fdesetup, but now Apple's taken some of the difficulty out of configuring recovery keys. This comes in the form of the changerecovery, haspersonalrecoverykey, hasinstitutionalrecoverykey, usingrecoverykey and validaterecovery verbs.
These options all revolve around one idea: make it easier to deploy centrally managed keys that can be used to unlock encrypted volumes in the event that such an action is required. There’s also a -recoverykey option, which indicates the number of the key if a recovery key is being used. To use the fdesetup command to check whether a computer has a personal recovery key use the haspersonalrecoverykey verb, as follows: fdesetup haspersonalrecoverykey The output will be a simple true or false exit. To use the fdesetup command to check whether a computer has an institutional recovery key, use the hasinstitutionalrecoverykey verb, as follows: fdesetup hasinstitutionalrecoverykey To enable a specific personal recovery key, provide it using the changerecovery verb, as follows: fdesetup changerecovery -personal This is an interactive command, so when prompted, provide the appropriate personal key. The removerecovery verb can also be used to remove keys. And my favorite, validaterecovery is used to check on whether or not a recovery key will work to unlock a host; which can be tied into something like an extension attribute in Casper in order to store a key and then validate the key every week or 4. This helps to make sure that systems are manageable if something happens. The enable verb also has a new -authrestart which does an authenticated reboot after enabling FileVault. Before using the -authrestart option, check that a system can actually run it by using fdesetup with the supportsauthrestart verb and it will exit on true or false. Defer mode is nothing new, where FileVault waits until a user password is provided; however, a new verb is available called showdeferralinfo which shows information about deferral mode. This is most helpful as a sanity check so you don’t go running commands you already ran or doing things to systems that have already been provided with tasks to perform otherwise. Conclusion Encrypting data in OS X can take on other forms as well. 
The keychains encrypt passwords and other objects. Additionally, you can still create encrypted dmgs and many file types have built in encryption as well. But the gist is that Apple encrypts a lot. They also sandbox a lot and with the addition of gatekeeper are code signing a lot. But encrypting volumes and disks is mostly about physical security, which these types of encryption provide a substantial solution for. While all this security might seem like a lot, it’s been in Apple’s DNA for a long time and really security is about layers and the Mac Systems Administrator batbelt needs a lot of items to allow us to adapt to the changing landscape of security threats. OS X is becoming a little more like iOS as can be expected and so I would suspect that encryption will become more and more transparent as time goes on. Overall, the options allow encrypting every piece of data that goes anywhere near a system. The mechanisms with which data is now encrypted are secure, as is the data at rest. Once data is decrypted, features like Gatekeeper and the application layer firewall supplement traditional network encryption to keep well secured.
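The "Scripty CLI Stuff" section above suggests wiring haspersonalrecoverykey, hasinstitutionalrecoverykey and validaterecovery into a Casper extension attribute so that a stale escrowed key is noticed before a disk needs unlocking. The script below is an added example and is not code from the original post: it builds that report. The report builder takes captured command output as arguments, so the decision logic can be exercised on any machine, while the live collection only runs where fdesetup exists (and needs root there). The escrow path ESCROW_PLIST is hypothetical, and the assumption that validaterecovery accepts a plist with a Password key on stdin via -inputplist and prints true or false like the other verbs is marked in the comments.

```shell
#!/bin/sh
# Added example, not from the original post: a JAMF extension-attribute style
# FileVault recovery-key report built on the fdesetup verbs discussed above.

# Reduce the "true"/"false" printed by haspersonalrecoverykey,
# hasinstitutionalrecoverykey and friends to 1/0, ignoring stray whitespace.
# Anything other than "true" (including empty output) counts as false.
bool_flag() {
  case "$(printf '%s' "$1" | tr -d '[:space:]')" in
    true) echo 1 ;;
    *)    echo 0 ;;
  esac
}

# Build the report from captured command results:
#   $1 output of `fdesetup status`
#   $2 output of `fdesetup haspersonalrecoverykey`
#   $3 output of `fdesetup hasinstitutionalrecoverykey`
#   $4 output of `fdesetup validaterecovery` ("true"/"false"), or empty when no
#      escrowed key was available to test
fv_report() {
  case "$1" in
    *"FileVault is On."*)  fv=On ;;
    *"FileVault is Off."*) fv=Off ;;
    *)                     fv=Unknown ;;
  esac
  prk=$(bool_flag "$2")
  irk=$(bool_flag "$3")
  case "$(printf '%s' "$4" | tr -d '[:space:]')" in
    true)  valid=ok ;;
    false) valid=FAILED ;;
    *)     valid=untested ;;
  esac

  # The state an admin cares about: is there a working, escrowed way back in?
  if [ "$fv" != On ]; then
    verdict="not encrypted"
  elif [ "$prk" = 0 ] && [ "$irk" = 0 ]; then
    verdict="NO RECOVERY KEY - run fdesetup changerecovery"
  elif [ "$valid" = FAILED ]; then
    verdict="ESCROWED KEY STALE - re-escrow with fdesetup changerecovery"
  else
    verdict="recoverable"
  fi
  printf '<result>FileVault=%s PRK=%s IRK=%s validate=%s verdict=%s</result>\n' \
    "$fv" "$prk" "$irk" "$valid" "$verdict"
}

# Live collection. ESCROW_PLIST is a hypothetical path to a root-only plist whose
# "Password" key holds the escrowed recovery key (assumption: that is the
# -inputplist shape validaterecovery reads from stdin). Must run as root.
ESCROW_PLIST=${ESCROW_PLIST:-/Library/Management/fv_recovery.plist}

collect_live() {
  status_out=$(fdesetup status)
  prk_out=$(fdesetup haspersonalrecoverykey)
  irk_out=$(fdesetup hasinstitutionalrecoverykey)
  if [ -r "$ESCROW_PLIST" ]; then
    valid_out=$(fdesetup validaterecovery -inputplist < "$ESCROW_PLIST" 2>/dev/null)
  else
    valid_out=""
  fi
  fv_report "$status_out" "$prk_out" "$irk_out" "$valid_out"
}

# Only hosts that actually have fdesetup (OS X) run the live collection.
if command -v fdesetup >/dev/null 2>&1; then
  collect_live
fi
```

Run as an extension attribute, the `<result>` line is what Casper stores, so a smart group keyed on "verdict=ESCROWED KEY STALE" or "verdict=NO RECOVERY KEY" turns the weekly validation the post describes into something you can act on rather than a value that silently drifts. The separation between fv_report and collect_live is deliberate: the decision logic is testable with constructed output, and the only privileged step (feeding the escrowed key to validaterecovery) is isolated in one function.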

October 10th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


OS X and iOS developers need a continuous integration system. This automates the build, analysis, and testing solution for software development using Xcode. OS X Server has an Xcode service, capable of integrating your developer account with git, providing many of the options required to build a continuous integration system. Before you configure the Xcode service that can take committed code and then test and build your software, you’ll need an Apple developer account. The Xcode service then links git to a developer account and runs automations, referred to as bots, in Xcode. Therefore, you’ll also need to have Xcode installed on the computer running the Xcode service. Bots are then managed and reported on using a web app that the Server app runs.

Once the prerequisites are met, open the Server app and click on the Xcode service. Click on the Choose Xcode button. When prompted, browse to the version of Xcode you have installed on the server. If you haven’t accepted the Xcode licensing agreement, when prompted, click on Agree to do so.

Xcode will require access to the Accessibility framework to run unit tests. Click on Request Access to provide those rights to Xcode. Once access has been granted to Xcode, you’ll see the version indicated in the Build Using field.

Next, click on Add Team, in order to identify the correct team from your Apple Developer account that will have access to the Xcode service. When prompted, select the team from your Apple Developer account that you wish to provide access to the server.

Click on the Repositories tab. Here, you will define repositories for your Xcode projects. Click on the Repository Access button to define which protocols git should be accessible via. At the Repository Access screen, select HTTPS or SSH. Click OK.

Click the Edit Repository Creators button. At the Repository Access screen, add any groups of users that should have access to create new git repositories. Once all of the appropriate users or groups have been added, click on OK. Finally, click on the plus sign to add your first repository.

At the new repository screen, provide a name for the repository. Then, use the Edit button to choose the level of access that logged in users have. Back at the repository screen, click on the HTTPS Access button to provide access via HTTPS. Once saved, double-click on the repository again to see the URI for each type of access. And that’s it.

Next, you’ll want to add a repository to the Xcode app. To do so, open Xcode and then use the Source Control menu to select Check Out. From there, you’ll get a Check Out screen. At the Check Out screen, enter the URI from the repository screen, shown in the previous step of this article, and click on the Next button. Next, you’ll need to create bots to automate your build process.

October 7th, 2015

Posted In: Mac OS X Server


By default, screenshots are pretty big on a retina display on an El Capitan machine. Like about 4 times the size they should be. I haven’t found a defaults key I can use yet to reduce them, so I’ve been using this little screenshotting app called RetinaCapture, available at https://gumroad.com/l/retinacapture.

Basically, when you’re running it, you just open it up and click on the Window button. There, you can select a window to screenshot. Once you’ve selected the window, you’ll be prompted to save it somewhere with a name.

I don’t love having to use any 3rd party apps for my screenshotting workflow. Screens get resized for books and so I’m really only using this for my site. But, hopefully it helps someone else along the way. Happy screenshotting!

October 6th, 2015

Posted In: Mac OS X

