Tiny Deathstars of Foulness

Apple Configurator 2 is now out and there are some really cool new features available to people deploying Apple Configurator. Apple Configurator 2 now supports a feature called Blueprints. A Blueprint is a set of configuration options (such as profiles, apps, etc.) that are applied to devices together by applying the Blueprint; basically a canned set of options that can be configured on a device. For example, you can have a Blueprint called Training that has training apps and settings for a training room network, and then another Blueprint for Kiosks that has a single kiosk app, an SSID for the kiosk wireless network, and puts that app into Single App Mode. Pretty cool, since before you needed to have all of this loaded, select the appropriate options and then deploy them. Now you can more quickly train student workers or deployment staff to get devices initially configured before deploying them in a school or company.

To install the new Apple Configurator, open up the App Store, search for Apple Configurator and then click on the Get button. It’s only 61MB, so it installs quickly.

Once installed, open Apple Configurator 2 from /Applications.

Another great new feature of Apple Configurator 2 is the command line interface for Apple Configurator: cfgutil. Go ahead and click on the Apple Configurator 2 menu and select Install Automation Tools from the menu.

When prompted,

Once installed, you’ll find cfgutil at /usr/local/bin/cfgutil. I’ve been working on some documentation for using the command line interface, so I’ll get it posted when I’m done. But for now, let’s go back to Apple Configurator 2 and click on Blueprints to make a new Blueprint.

From Blueprints, click on your new Blueprint.

From the Blueprint, you can add Apps, create Profiles and assign devices. Here, we’re going to click Profiles in the sidebar. Initially there won’t be any Profiles in the Blueprint. Click on New.

Click on File then click on New Profile.

The General screen just requires a name. There are a few new options for profiles, as you can see by clicking on Restrictions and scrolling to the bottom.

There are a lot of new options for iOS devices, and many require device supervision. I’ll cover setting up devices and enabling supervision later. Using the Advanced options, you can also clear the passcode, obtain unlock tokens, start Single App Mode, and enable encrypted backups. Plenty of fun things to cover!

October 1st, 2015

Posted In: Apple Configurator, iPhone

I was recently building some preflight scripts and was looking to record some information about a machine live, before proceeding with the rest of the script. The cheapest way I found to determine the architecture and chipset in OS X preflight scripts is the arch and machine commands, respectively. For example, to verify that the architecture is i386, use the arch command with no options:


Which simply outputs “i386”:


To check the machine type, simply use the machine command:


Which outputs as follows:


December 14th, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Network Infrastructure

Recently I was working on a project where we were isolating IP addresses by country. In the process, I found an easy little tool built right into OS X called ip2cc. Using ip2cc, you can look up what country an IP is in. To do so, simply run ip2cc followed by a hostname or IP address. For example, to look up you might run:


Or to look up Much Music, you might run:


The output would be:

IP::Country modules (v2.28)
Copyright (c) 2002-13 Nigel Wetters Gourlay
Database updated Wed May 15 15:29:48 2013

Country: CA (Canada)

You can just get the country line:

ip2cc | grep Country:

To just get the country code:

ip2cc | grep Country: | awk '{ print $2 }'

Finally, ip2cc is located at /usr/bin/ip2cc, so we’ll complicate things just a tad by replacing the hostname with the current IP (note that private IPs can’t be looked up, so this would only work if you’re on a public WAN IP or feeding it what a curl to a service like whatismyip brings back):

ip2cc `ipconfig getifaddr en0` | grep Country: | awk '{ print $2 }'
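The pipeline above silently returns nothing useful when en0 holds an RFC 1918 address, which is the common case behind NAT. The following shell wrapper, added here as an example and not part of the original post, rejects private, loopback and link-local addresses before calling ip2cc and extracts the two-letter code from the “Country:” line. IP2CC defaults to the binary named in the post; the sample ip2cc output at the bottom is a constructed copy of the shape shown above so the parsing part can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post: guard ip2cc lookups against
# addresses it cannot resolve and parse its "Country: XX (Name)" line.
# IP2CC is the binary to call; it is overridable so the wrapper can be tested.

IP2CC="${IP2CC:-/usr/bin/ip2cc}"

# Return 0 if $1 is an IPv4 address in a range no GeoIP database can resolve
# (RFC 1918 private space, loopback, link-local), 1 for anything else
# (public addresses and hostnames fall through to the lookup).
is_unroutable_ipv4() {
    case "$1" in
        10.*|127.*|169.254.*|192.168.*) return 0 ;;
        172.*)
            _oct2=$(printf '%s' "$1" | cut -d. -f2)
            if [ "$_oct2" -ge 16 ] 2>/dev/null && [ "$_oct2" -le 31 ] 2>/dev/null; then
                return 0
            fi
            return 1 ;;
        *) return 1 ;;
    esac
}

# Read ip2cc output on stdin and print the country code from the Country line,
# or UNKNOWN when ip2cc printed no Country line at all.
country_code_from_output() {
    awk '/^Country:/ { print $2; found = 1 } END { if (!found) print "UNKNOWN" }'
}

# Look up $1 (hostname or public IP). Returns 2 without calling ip2cc for an
# unroutable address; otherwise prints the country code.
lookup_country() {
    if is_unroutable_ipv4 "$1"; then
        echo "$1: private, loopback or link-local address; skipping lookup" >&2
        return 2
    fi
    "$IP2CC" "$1" | country_code_from_output
}

# Constructed sample of ip2cc's output, in the shape the post shows, for an offline demo.
SAMPLE_IP2CC_OUTPUT='IP::Country modules (v2.28)
Copyright (c) 2002-13 Nigel Wetters Gourlay
Database updated Wed May 15 15:29:48 2013

Country: CA (Canada)'

sample_country_code() {
    printf '%s\n' "$SAMPLE_IP2CC_OUTPUT" | country_code_from_output
}

# Demo: parse the constructed output, then try the wrapper on a private address.
sample_country_code
lookup_country "$(ipconfig getifaddr en0 2>/dev/null || echo 192.168.1.5)" || echo "exit status $?"
```

Feeding the wrapper the address returned by a service such as whatismyip, rather than the en0 address, is what makes the lookup meaningful on a NATed network; the guard only stops the obviously hopeless cases.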

December 13th, 2014

Posted In: Mac OS X, Mac OS X Server

The jamf binary comes with a lot of cool little features that you can use to script things quickly, because JAMF has already built things to help you. We’ll look at two really quick. The first is the deleteAccount verb which, surprisingly, deletes accounts. With that verb, you’ll use the -username option to define the user that you’d like to remove. That username is the short name (what dscl shows) of the user. For example, if I wanted to remove the user rorygilmore, I’d run the following command:

/usr/sbin/jamf deleteAccount -username rorygilmore

You can then provide a popup on the screen that you completed that action:

/usr/sbin/jamf displayMessage -message "rorygilmore has been deleted"

You can then add a new user using the createAccount verb. This verb provides a number of options, including a short name (-username), a full name (-realname), a password (-password), a home directory (-home) and a default shell (-shell). If you want the user to be an admin of the system, you can also add the -admin option. Below, we’ll string it all together:

/usr/sbin/jamf createAccount -username lorelaigilmore -realname "Lorelai Gilmore" -password lukedanes -home /Users/lorelai -shell bash -admin


When I do this stuff I like to run a quick recon again:

/usr/sbin/jamf recon

To see everything the binary can do, use the help verb:

/usr/sbin/jamf help

And if you need more information on a given verb, run the help verb followed by the one you need more information on:

/usr/sbin/jamf help policy
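A deleteAccount call in a policy is only as safe as whatever feeds it the username. The script below is an added example, not part of the original post or of JAMF’s own tooling: it wraps the verb in a guard that rejects malformed short names, a list of protected accounts (an assumed list, PROTECTED_USERS) and whoever is logged in at the console, then hands the delete to the jamf binary. JAMF_BIN and CONSOLE_USER are overridable so the guard can be exercised without a managed Mac.

```shell
#!/bin/sh
# Added example, not from the original post: a guard around "jamf deleteAccount"
# for a policy script. JAMF_BIN is the binary from the post; PROTECTED_USERS is an
# assumed list for this example; CONSOLE_USER is only set when testing.

JAMF_BIN="${JAMF_BIN:-/usr/sbin/jamf}"
PROTECTED_USERS="${PROTECTED_USERS:-root admin _mbsetupuser}"

# Print the short name of the user at the console (empty if nobody is logged in).
# On macOS that is the owner of /dev/console; a preset CONSOLE_USER wins.
console_user() {
    if [ -n "${CONSOLE_USER+x}" ]; then
        printf '%s\n' "$CONSOLE_USER"
    else
        stat -f '%Su' /dev/console 2>/dev/null || true
    fi
}

# delete_account SHORTNAME
# Exit status: 1 for a malformed name, 2 when refused (protected or console user),
# otherwise whatever the jamf binary returns.
delete_account() {
    user="$1"
    case "$user" in
        ''|*[!A-Za-z0-9._-]*)
            echo "refusing: '$user' is not a valid short name" >&2
            return 1 ;;
    esac
    for p in $PROTECTED_USERS; do
        if [ "$user" = "$p" ]; then
            echo "refusing: $user is a protected account" >&2
            return 2
        fi
    done
    if [ "$user" = "$(console_user)" ]; then
        echo "refusing: $user is logged in at the console" >&2
        return 2
    fi
    "$JAMF_BIN" deleteAccount -username "$user"
}

# Demo with the jamf binary replaced by echo so nothing is actually deleted.
JAMF_BIN=echo
delete_account rorygilmore
delete_account root || echo "exit status $?"
```

One caveat on the createAccount line above: the password travels on the command line, where it shows up in process listings and in the shell history of whoever typed it. When a policy needs to create an account, let the management tool supply the secret at run time rather than baking it into a script.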


October 6th, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

(Guest post by Allister Banks)

Working with modern tools in the ‘auto’ (dmg/pkg) suite sure reinforces the old chestnut, ‘it’s turtles XML all the way down.’ The thing that struck me when first diving into using autopkg was that different product recipes could potentially have a good amount of similarities when they share common processors. One example is drag-drop apps that can be discovered with an ‘appcast’ URL, which, in my recollection, became common as the Sparkle framework gained popularity.

This commonality is exactly the type of thing sysadmins like myself seek to automate, so I built a few helper scripts to 1. discover which apps have appcast URLs, 2. generate the base download recipe, 3. generate the pkg-building recipe that can use the download recipe as a ‘parent’, and 4. generate the munki or JSS recipes which can nest the pkg recipe in them. Recursivity is the new black.


Please do take a look if you feel you’ve got apps that folks haven’t built recipes for yet, and laugh at/use/fork my code as you see fit!

April 3rd, 2014

Posted In: Uncategorized

The LDIFDE utility exports and imports objects from and to Active Directory using the LDIF format, which is kinda’ like CSV when it gets really drunk and can’t stay on one line. Luckily, LDIF can’t drive. Actually, each attribute/field is on its own line (which allows for multi-valued attributes) and an empty line starts the next record, which can make for a pretty messy looking file the first time you look at one. The csvde command can be used to export data into the CSV format instead. In its simplest form the ldifde command can be used to export AD objects using just a -f option to specify the output file (the .\ prefix refers to the working directory when running ldifde from PowerShell; drop the .\ if you’re using a standard command prompt):

ldifde -f .\ADExport.ldf

This exports all attributes of all objects, including many that are system-managed in the target Active Directory, so the file can’t be imported as-is. Therefore, you have to limit the scope of what you’re exporting, which you can do in a few ways. The first is to only export a given OU. To limit the scope, define the base DN with the -d flag followed by the actual DN of the OU you’re exporting, and then add -p subtree to include everything beneath it. In the following example we’ll export all of the objects from the sales OU to the SalesOUExport.ldf file:

ldifde -d "OU=sales,DC=krypted,DC=local" -p subtree -f .\SalesOUExport.ldf

Importing those objects still results in an error that the server is “Unwilling To Perform” the import because “The modification was not permitted for security reasons.” Basically, this just means “hey, I’m not going to import into some of the fields that I know I have to reserve for objects managed by the system, such as creation date (whenCreated), last changed date (whenChanged), etc.” So we can take some of these and omit them from our export. You can use ADMT or just look at an LDIF or CSV file to determine which attributes from the schema you think need to be omitted, but at a minimum the list should include objectGUID, uSNCreated, uSNChanged, whenCreated and whenChanged (and a lot of the Exchange attributes if you’ve extended the schema for your forest). To omit attributes, use the -o flag and enclose the comma-separated list of attributes in quotes. In the following example, we’ll export to the SalesOUExportO.ldf file, adding the -o flag to the previous command:

ldifde -d "OU=sales,DC=krypted,DC=local" -p subtree -o "objectguid,uSNCreated,uSNChanged,whencreated,whenchanged" -f .\SalesOUExportO.ldf

You can also omit attributes with the -m flag, which includes only the essential attributes, so we’ll add that to the command as well:

ldifde -d "OU=sales,DC=krypted,DC=local" -p subtree -o "objectguid,uSNCreated,uSNChanged,whencreated,whenchanged" -m -f .\SalesOUExportO.ldf

Use the -l option to limit the attributes being exported to only those specified.

The -r option restricts the export to a given category or class using an LDAP filter. For example, if we only wanted to export users, we can restrict to (objectClass=user):

ldifde -d "OU=sales,DC=krypted,DC=local" -p subtree -r "(objectClass=user)" -o "objectguid,uSNCreated,uSNChanged,whencreated,whenchanged" -m -f .\SalesOUExportOM.ldf

Now I’m feeling like we have a good restricted set of data that we’re moving. Let’s go ahead and give importing a shot on a target server. To do so, we’ll use -i to specify that this is an import, followed by -k to say “don’t stop if you have a problem with just one record”, -f to define the file and -j to write a log. We’ll use the working directory for the file path and the log path, assuming this is being done by calling the .exe from within PowerShell:

ldifde -i -k -f .\SalesOUExportOM.ldf -j .\

Once complete, the exported objects should appear once you close and re-open Active Directory Users and Computers. You can also export one object, then programmatically create objects in an LDIF file as needed and import them into Active Directory using ldifde.
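The -o list only helps if it is applied consistently, and an LDIF value that was folded onto a continuation line can be missed by anything that filters line by line. The script below is an added example, not part of the original post: it post-processes an export in the shape ldifde produces, unfolding continuation lines (a line beginning with one space continues the previous attribute) and then dropping the system-managed attributes the post lists, case-insensitively and ignoring attribute options such as ;binary. The two-object sample it writes is constructed for the demo and uses the post’s krypted.local domain.

```shell
#!/bin/sh
# Added example, not from the original post: strip system-managed attributes
# from an ldifde export before importing it into another domain. OMIT_ATTRS is
# the post's minimum list; callers may pass their own list instead.

OMIT_ATTRS="objectGUID uSNCreated uSNChanged whenCreated whenChanged"

# strip_ldif_attrs FILE [ATTR ...]   Print FILE with the named attributes removed.
strip_ldif_attrs() {
    _file="$1"; shift
    _omit="${*:-$OMIT_ATTRS}"
    awk -v omit="$_omit" '
        BEGIN {
            n = split(omit, list, " ")
            for (i = 1; i <= n; i++) skip[tolower(list[i])] = 1
        }
        # Print the buffered logical line unless its attribute name is on the omit list.
        function emit(   name, pos) {
            if (!have) return
            pos = index(buf, ":")
            name = pos ? tolower(substr(buf, 1, pos - 1)) : ""
            sub(/;.*/, "", name)              # drop options such as ";binary"
            if (!(name in skip)) print buf
        }
        /^ / { if (have) buf = buf substr($0, 2); next }   # folded continuation line
        { emit(); buf = $0; have = 1 }
        END { emit() }
    ' "$_file"
}

# ldif_has_attr FILE ATTR   Exit 0 if any record in FILE still carries ATTR.
ldif_has_attr() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        {
            pos = index($0, ":"); if (!pos) next
            name = tolower(substr($0, 1, pos - 1)); sub(/;.*/, "", name)
            if (name == want) { found = 1; exit }
        }
        END { exit !found }
    ' "$1"
}

# Constructed two-object export in the shape ldifde produces (not real data).
write_sample_ldif() {
    cat > "$1" <<'EOF'
dn: CN=Rory Gilmore,OU=sales,DC=krypted,DC=local
changetype: add
objectClass: user
sAMAccountName: rorygilmore
objectGUID:: AAECAwQFBgcICQoLDA0ODw==
uSNCreated: 12345
uSNChanged: 12399
whenCreated: 20140320120000.0Z
whenChanged: 20140320120500.0Z
description: Sales te
 am, east region

dn: CN=Lorelai Gilmore,OU=sales,DC=krypted,DC=local
changetype: add
objectClass: user
sAMAccountName: lorelaigilmore
objectGUID;binary:: EBESExQVFhcYGRobHB0eHw==
EOF
}

# Demo: filter the sample export into an import-ready file and show the result.
sample_dir=$(mktemp -d)
write_sample_ldif "$sample_dir/SalesOUExport.ldf"
strip_ldif_attrs "$sample_dir/SalesOUExport.ldf" > "$sample_dir/SalesOUImport.ldf"
cat "$sample_dir/SalesOUImport.ldf"
```

Run the filtered file through ldifde -i -k on the target as in the post; the filter is a belt-and-braces step for exports that were produced without -o, or with an incomplete list.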

March 20th, 2014

Posted In: Active Directory, Windows Server

Before I type anything else, allow me to state that running a search and deleting things with a script from a user’s mailbox (or a loop over all users) is a very dangerous process. However, I’ve often noticed that an outbreak of bad things can cause us to do some pretty awesome things. So, you can use the Get-Mailbox cmdlet to pipe a mailbox into the Search-Mailbox cmdlet and from there use the -SearchQuery option to search for an attachment, following the attachment keyword with a filename, and then delete it using the -DeleteContent option. The example would be as follows:

Get-Mailbox -Identity "cedge" | Search-Mailbox -SearchQuery 'attachment:"<filename>"' -DeleteContent

You can also filter search queries based on To, From, CC, Subject, Sent date and, of course, policy data. You can also use the -TargetMailbox and -TargetFolder options to move messages into a quarantine mailbox/folder instead of deleting them.

January 3rd, 2014

Posted In: Microsoft Exchange Server, Network Infrastructure, Windows Server

Ever wonder what your computer is up to? Ever wanted to know how much time the computer was awake for, how much battery was left, the exact percentage of use each core was taking up, how much CPU CrashPlan is using, etc?

Well, lucky you, there’s systemstats. You just run it:


And it tells you all kinds of juicy stuff.

System Version: 13A598
Total Time: 195:13:01

Time on A/C: 165:42:24
Time on Battery: 29:30:35
Wake Time: 181:18:08
User Active: 46:46:18
User Idle: 134:31:49
Dark Wake Time: 00:01:15
Sleep Time: 13:53:37
Standby Time: 00:19:57

Time on Battery: 29:30:35 -10.2 %/hr -21576 mAh -7112 mW
Wake: 15:58:13 -20.8 %/hr -23766 mAh -12158 mW
User Active: 14:08:59 -21.3 %/hr -21389 mAh -12335 mW
User Idle: 01:49:14 -18.3 %/hr -2377 mAh -10485 mW
Dark Wake: 00:00:25 0.0 %/hr 0 mAh 0 mW
Sleep: 13:31:56 2.3 %/hr 2190 mAh -547 mW
Standby: 00:19:53 3.4 %/hr 80 mAh 0 mW

CPU Summary
Avg. Frequency: 2.296 GHz
Interrupt Rate: 5915 Hz
C-State Res: 10.4% C2 6% C3 0% C6 0% C7 4% C8 0% C9 0% C10 0%
A/C: 10.4%
User Active: 10.2%
User Idle: 10.5%
Battery: 10.6%
User Active: 9.4%
User Idle: 20.0%

I/O Summary
Disk Reads: 29010238
Disk Writes: 8644168
Bytes Read: 1114.0 GB ( 1.7 MB/s)
Bytes Written: 837617.1 MB ( 1.3 MB/s)

Packets Sent: 11713682
Packets Received: 10172390
Bytes Sent: 3723.3 MB ( 5.8 KB/s)
Bytes Received: 5930.3 MB ( 9.3 KB/s)

Top I/O Activity
Time: 2013-12-01 22:33:22 to 2013-12-01 22:43:33 (00:10:10)
Disk Reads: 172740
Disk Writes: 157121
Bytes Read: 13887.9 MB ( 22.8 MB/s)
Bytes Written: 13577.9 MB ( 22.3 MB/s)

Packets Sent: 3140
Packets Received: 3043
Bytes Sent: 417.2 KB ( 0.7 KB/s)
Bytes Received: 934.7 KB ( 1.5 KB/s)

Time: 2013-12-01 18:54:30 to 2013-12-01 19:04:30 (00:10:00)
Disk Reads: 84194
Disk Writes: 72153
Bytes Read: 6770.4 MB ( 11.3 MB/s)
Bytes Written: 6480.2 MB ( 10.8 MB/s)

Packets Sent: 4093
Packets Received: 3566
Bytes Sent: 523.2 KB ( 0.9 KB/s)
Bytes Received: 886.2 KB ( 1.5 KB/s)

Time: 2013-11-28 19:44:23 to 2013-11-28 23:30:44 (03:46:21)
Disk Reads: 123879
Disk Writes: 56082
Bytes Read: 5711.6 MB ( 9.8 MB/s)
Bytes Written: 5089.0 MB ( 8.7 MB/s)

Packets Sent: 11964
Packets Received: 12613
Bytes Sent: 1.3 MB ( 2.4 KB/s)
Bytes Received: 8.0 MB ( 14.0 KB/s)

Top Fan Activity
Time: 2013-11-30 20:13:54 to 2013-11-30 20:54:02 (00:40:08)
Total samples: 41
High samples: 41
Very high samples: 0
Process Intrpts.: 984413
CPU Time: 00:51:31 (128.4%)
00:20:26 (50.9%) 29802 com.crashplan.engine
00:19:18 (48.1%) 566137
00:03:46 (9.4%) 61786
00:01:24 (3.5%) 392
00:01:06 (2.7%) 4202

Time: 2013-11-26 11:32:06 to 2013-11-26 12:09:16 (00:37:10)
Total samples: 37
High samples: 37
Very high samples: 0
Process Intrpts.: 2629811
CPU Time: 01:51:05 (298.9%)
01:03:04 (169.7%) 1696708
00:20:56 (56.4%) 51668 com.crashplan.engine
00:10:33 (28.4%) 142432
00:04:33 (12.3%) 194380
00:01:56 (5.2%) 207486

Time: 2013-11-29 22:23:26 to 2013-11-29 22:47:26 (00:24:00)
Total samples: 24
High samples: 24
Very high samples: 0
Process Intrpts.: 676512
CPU Time: 00:24:28 (102.0%)
00:12:23 (51.6%) 17603 com.crashplan.engine
00:04:36 (19.2%) 316533
00:01:28 (6.1%) 45086
00:01:12 (5.0%) 88281 PluginProcess
00:00:49 (3.5%) 4453

Memory Summary
Swap Dev is SSD: Yes
Total: 8192.0 MB
Free: 22.0 MB
Wired: 996.4 MB
Compressor: 1156.7 MB
Compressed: 4734.5 MB
Internal: 4605.2 MB
External: 630.3 MB
Purgeable: 102.5 MB

IOAccelResident: 222.2 MB
IOAccelWired: 29.9 MB
IOAccelDirty: 215.0 MB
IOAccelCached: 0.0 KB
IOAccelPurgeable: 20.7 MB

Faults: 33729152413
Purges: 47945857 ( 294.2 KB/s)
Zero-fills: 1642607459 ( 9.8 MB/s)
Reactivations: 300385037 ( 1.8 MB/s)
Page-ins: 3348672 ( 20.5 KB/s)
Page-outs: 625293 ( 3.8 KB/s)
Decompressions: 216406239 ( 1.3 MB/s)
Compressions: 226784564 ( 1.4 MB/s)
Swap-ins: 24865424 ( 152.6 KB/s)
Swap-outs: 25968750 ( 159.3 KB/s)

Top Memory Activity
Time: 2013-11-30 11:20:01 to 2013-11-30 11:30:06 (00:10:05)
Free: 8.6 MB
Wired: 1106.0 MB
Compressor: 2800.5 MB
Compressed: 12724.1 MB
Internal: 3824.1 MB
External: 322.8 MB
Purgeable: 188.4 MB

IOAccelResident: 133.7 MB
IOAccelWired: 31.6 MB
IOAccelDirty: 133.2 MB
IOAccelCached: 0.0 KB
IOAccelPurgeable: 53.1 MB

Faults: 65814909
Purges: 12056 ( 79.7 KB/s)
Zero-fills: 69663 ( 460.6 KB/s)
Reactivations: 265442 ( 1.7 MB/s)
Page-ins: 839 ( 5.5 KB/s)
Page-outs: 92 ( 0.6 KB/s)
Decompressions: 818629 ( 5.3 MB/s)
Compressions: 764666 ( 4.9 MB/s)
Swap-ins: 2305 ( 15.2 KB/s)
Swap-outs: 0 ( 0.0 KB/s)
Resident: 2786.5 MB
Resident: 44.0 MB com.twitter.twitter-mac
Resident: 32.9 MB
Resident: 19.9 MB
Resident: 18.7 MB PluginProcess
Resident: 18.3 MB
Resident: 17.1 MB
Resident: 15.8 MB com.getdropbox.dropbox
Resident: 15.1 MB
Resident: 14.3 MB

Time: 2013-11-29 14:36:08 to 2013-11-29 14:46:08 (00:10:00)
Free: 9.3 MB
Wired: 1083.1 MB
Compressor: 846.8 MB
Compressed: 8802.5 MB
Internal: 5753.3 MB
External: 369.4 MB
Purgeable: 187.7 MB

IOAccelResident: 109.1 MB
IOAccelWired: 29.1 MB
IOAccelDirty: 106.5 MB
IOAccelCached: 0.0 KB
IOAccelPurgeable: 37.4 MB

Faults: 65284735
Purges: 7618 ( 50.8 KB/s)
Zero-fills: 811805 ( 5.3 MB/s)
Reactivations: 554636 ( 3.6 MB/s)
Page-ins: 2844 ( 19.0 KB/s)
Page-outs: 385 ( 2.6 KB/s)
Decompressions: 371537 ( 2.4 MB/s)
Compressions: 643820 ( 4.2 MB/s)
Swap-ins: 84120 ( 560.8 KB/s)
Swap-outs: 0 ( 0.0 KB/s)
Resident: 4105.4 MB
Resident: 101.7 MB
Resident: 52.2 MB
Resident: 50.4 MB
Resident: 44.8 MB com.companyline.hall.desktop
Resident: 42.4 MB
Resident: 36.3 MB
Resident: 32.9 MB
Resident: 30.3 MB
Resident: 25.9 MB PluginProcess

Time: 2013-11-30 17:00:00 to 2013-11-30 17:10:05 (00:10:05)
Free: 9.9 MB
Wired: 1106.7 MB
Compressor: 1511.3 MB
Compressed: 12493.7 MB
Internal: 5103.0 MB
External: 330.8 MB
Purgeable: 155.9 MB

IOAccelResident: 60.6 MB
IOAccelWired: 18.5 MB
IOAccelDirty: 60.6 MB
IOAccelCached: 0.0 KB
IOAccelPurgeable: 20.7 MB

Faults: 65878278
Purges: 4766 ( 31.5 KB/s)
Zero-fills: 87085 ( 575.8 KB/s)
Reactivations: 225172 ( 1.5 MB/s)
Page-ins: 1243 ( 8.2 KB/s)
Page-outs: 50 ( 0.3 KB/s)
Decompressions: 616041 ( 4.0 MB/s)
Compressions: 611348 ( 3.9 MB/s)
Swap-ins: 16157 ( 106.8 KB/s)
Swap-outs: 0 ( 0.0 KB/s)
Resident: 3943.2 MB
Resident: 47.1 MB com.companyline.hall.desktop
Resident: 41.3 MB
Resident: 38.9 MB com.knock.mac
Resident: 36.6 MB
Resident: 33.0 MB
Resident: 31.2 MB
Resident: 29.2 MB
Resident: 28.1 MB
Resident: 19.0 MB PluginProcess

Top Battery Usage
Time: 2013-11-30 22:13:28 to 2013-11-30 22:24:28 (00:11:00)
Power: -17602 mW (-33.2 %/hr)
Avg. Frequency: 2.268 GHz
Interrupt Rate: 14517 Hz
C-State Res: 0.0% C2 0% C3 0% C6 0% C7 0% C10 0%
Display Brightness: 63.0%
Process Intrpts.: 350900
CPU Time: 00:13:16 (120.7%)
00:05:24 (49.2%) 8138 com.crashplan.engine
00:02:46 (25.2%) 139408
00:01:06 (10.1%) 16276
00:01:03 (9.6%) 2471
00:00:44 (6.8%) 21194 PluginProcess

Time: 2013-11-30 20:23:42 to 2013-11-30 20:34:42 (00:11:00)
Power: -17425 mW (-30.9 %/hr)
Avg. Frequency: 2.268 GHz
Interrupt Rate: 10763 Hz
C-State Res: 0.0% C2 0% C3 0% C6 0% C7 0% C10 0%
Display Brightness: 63.0%
Process Intrpts.: 268964
CPU Time: 00:14:40 (133.5%)
00:05:53 (53.6%) 156021
00:05:35 (50.8%) 8153 com.crashplan.engine
00:01:08 (10.4%) 18777
00:00:22 (3.5%) 109
00:00:19 (2.9%) 1094

Time: 2013-11-30 20:12:42 to 2013-11-30 20:23:42 (00:11:00)
Power: -17185 mW (-30.1 %/hr)
Avg. Frequency: 2.268 GHz
Interrupt Rate: 11389 Hz
C-State Res: 0.0% C2 0% C3 0% C6 0% C7 0% C10 0%
Display Brightness: 63.0%
Process Intrpts.: 265886
CPU Time: 00:13:11 (120.0%)
00:05:39 (51.4%) 8116 com.crashplan.engine
00:04:14 (38.5%) 151136
00:01:07 (10.3%) 18607
00:00:23 (3.5%) 109
00:00:15 (2.4%) 901

Top CPU Activity
Time: 2013-12-01 22:43:33 to 2013-12-01 22:52:55 (00:09:22)
Avg. Frequency: 2.267 GHz
Interrupt Rate: 11241 Hz
C-State Res: 0.0% C2 0% C3 0% C6 0% C7 0% C10 0%
Process Intrpts.: 198556
CPU Time: 00:06:17 (67.1%)
00:05:05 (54.3%) 6391 com.crashplan.engine
00:00:43 (7.6%) 119102
00:00:04 (0.7%) 3319 com.knock.mac
00:00:03 (0.6%) 39
00:00:02 (0.5%) 827

Time: 2013-12-01 22:40:29 to 2013-12-01 22:43:33 (00:03:03)
Avg. Frequency: 2.267 GHz
Interrupt Rate: 20376 Hz
C-State Res: 0.0% C2 0% C3 0% C6 0% C7 0% C10 0%
Process Intrpts.: 68684
CPU Time: 00:02:59 (98.0%)
00:01:27 (47.8%) 2328 com.crashplan.engine
00:01:09 (38.2%) 39619
00:00:02 (1.6%) 301
00:00:02 (1.5%) 2817
00:00:02 (1.5%) 657

Time: 2013-12-01 22:33:22 to 2013-12-01 22:40:29 (00:07:06)
Interrupt Rate: 20376 Hz
C-State Res: 0.0% C2 0% C3 0% C6 0% C7 0% C10 0%
Process Intrpts.: 161174
CPU Time: 00:07:07 (100.1%)
00:03:23 (47.8%) 5414 com.crashplan.engine
00:02:42 (38.1%) 92153
00:00:06 (1.6%) 700
00:00:06 (1.5%) 6552
00:00:06 (1.5%) 1528

Connected Devices
Display Brightness: 19.7%
Wi-Fi on: 191:08:52 (98% of total)
Discrete GPU on: 00:00:00 (0% of total)
Bluetooth on: 195:12:57 (100% of total)

USB Devices
– iPhone
– iPad
– FuelBand
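Reading all of that by eye is fine once; for a fleet you want the answer to one question, such as which process keeps topping the CPU windows. The script below is an added example, not part of the original post: it parses systemstats output in the shape shown above, prints the process lines of any named section with their sampling window, and lists the processes whose share of CPU time in a “Top CPU Activity” window exceeds a threshold. The embedded sample is a constructed, shortened copy of that shape; process names that the original output left blank are reported as “-”.

```shell
#!/bin/sh
# Added example, not from the original post: pull per-process figures out of
# systemstats output. Both functions read the report on stdin.

# section_processes SECTION
# For every process line ("HH:MM:SS (N%) interrupts [name]") in SECTION, print
# "window<TAB>percent<TAB>name", where window is the start of the sampling
# window from the preceding "Time:" line. Section headers are the lines that
# carry no colon (e.g. "Top CPU Activity").
section_processes() {
    awk -v want="$1" '
        NF > 0 && index($0, ":") == 0 { insec = ($0 == want); next }
        !insec { next }
        /^Time: / { window = $2 " " $3; next }
        /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9] \(/ {
            pct = $2; gsub(/[()%]/, "", pct)
            name = (NF >= 4) ? $4 : "-"
            printf "%s\t%s\t%s\n", window, pct, name
        }
    '
}

# cpu_hogs [THRESHOLD]
# Print each distinct named process that used more than THRESHOLD percent
# (default 40) of CPU time in any "Top CPU Activity" window.
cpu_hogs() {
    section_processes "Top CPU Activity" | awk -F '\t' -v thr="${1:-40}" '
        $2 + 0 > thr && $3 != "-" && !seen[$3]++ { print $3 }
    '
}

# Constructed, shortened systemstats report in the shape the post shows.
SAMPLE_SYSTEMSTATS='System Version: 13A598
Total Time: 195:13:01

Top Fan Activity
Time: 2013-11-30 20:13:54 to 2013-11-30 20:54:02 (00:40:08)
CPU Time: 00:51:31 (128.4%)
00:20:26 (50.9%) 29802 com.crashplan.engine
00:19:18 (48.1%) 566137

Top CPU Activity
Time: 2013-12-01 22:43:33 to 2013-12-01 22:52:55 (00:09:22)
Avg. Frequency: 2.267 GHz
CPU Time: 00:06:17 (67.1%)
00:05:05 (54.3%) 6391 com.crashplan.engine
00:00:43 (7.6%) 119102
00:00:04 (0.7%) 3319 com.knock.mac

Time: 2013-12-01 22:40:29 to 2013-12-01 22:43:33 (00:03:03)
CPU Time: 00:02:59 (98.0%)
00:01:27 (47.8%) 2328 com.crashplan.engine
00:01:09 (38.2%) 39619

Connected Devices
Display Brightness: 19.7%'

# Demo on the constructed sample; on a real Mac pipe "systemstats" in instead.
printf '%s\n' "$SAMPLE_SYSTEMSTATS" | section_processes "Top CPU Activity"
printf '%s\n' "$SAMPLE_SYSTEMSTATS" | cpu_hogs 40
```

Against the full report above this flags com.crashplan.engine in every CPU window, which is exactly the kind of output worth pushing into an inventory or alerting system rather than reading by hand.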

December 3rd, 2013

Posted In: Mac OS X, Mac OS X Server, Mac Security

I’ve long been a supporter of building tools into self service portals such as those provided by JAMF and Munki, so that users who don’t have administrative permissions can perform tasks that wouldn’t typically be destructive. One such example is a simple repair permissions. An administrator can simply open Disk Utility, select their disk and then click Repair Disk Permissions.

But if you want to do this as a user who doesn’t have administrative privileges, you would need to elevate your privileges before doing so. In a larger environment it would be incredibly annoying for dozens, hundreds, thousands or even tens of thousands of users to bring their computer to an administrator just to type in a password. But if you have a patch management solution that has some kind of self service portal, users could do this themselves. Typically, you would create a very small payload-free package. This package might just contain a single script that might even be as short as a one-liner. For example, the following command runs a permissions repair on the boot volume:

diskutil repairPermissions /

You could also pass the boot volume in from your patch management tool as an environment variable, but in this simple instance we’re just going to run it, with the following type of output:

Started verify/repair permissions on disk0s2 Macintosh HD
Permissions differ on "Library/Application Support"; should be drwxr-xr-x ; they are drwxrwxr-x
Repaired "Library/Application Support"
Group differs on "Library/Printers/InstalledPrinters.plist"; should be 80; group is 0
Permissions differ on "Library/Printers/InstalledPrinters.plist"; should be -rw-rw-rw- ; they are -rw-r--r--
Repaired "Library/Printers/InstalledPrinters.plist"
[ \ 0%..10%..20%..30%..40%..50%..60%..70%................ ] 74% 0:00:34
Finished verify/repair permissions on disk0s2 Macintosh HD

You could get much more complicated, writing the output to syslog or even to a syslog server. You can also have metapackages that just do a bunch of tasks and call them things like “Try to fix my computer.” Provided you have a patch management tool, you could also just scope some devices and push some of these things out en masse; however, for the most part I’m a fan of self service, so that’s the example I’m using this for.
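The one-liner grows a little once it has to live inside a self-service package: the volume should be fixed to the boot disk rather than taken from whatever the portal passes in, the output should go to syslog as suggested above, and the user should get a result they can read. The script below is an added example and not from the original post. DISKUTIL and LOG_CMD default to the real tools and are overridable; fake_diskutil is a constructed stand-in that replays the output shown above so the script can be run where diskutil does not exist.

```shell
#!/bin/sh
# Added example, not from the original post: the repairPermissions one-liner
# wrapped for a payload-free self-service package. The syslog tag
# "selfservice-repair" is an assumed name for this example.

DISKUTIL="${DISKUTIL:-/usr/sbin/diskutil}"
LOG_CMD="${LOG_CMD:-logger -t selfservice-repair}"

# Count the "Repaired ..." lines in diskutil output read from stdin.
count_repaired() {
    awk '/^Repaired / { n++ } END { print n + 0 }'
}

# Repair the boot volume only (no caller-supplied path is accepted), mirror
# every output line to syslog, and print a one-line summary for the user.
# Returns diskutil's own exit status.
repair_boot_permissions() {
    out=$($DISKUTIL repairPermissions / 2>&1)
    rc=$?
    printf '%s\n' "$out" | $LOG_CMD
    count=$(printf '%s\n' "$out" | count_repaired)
    printf 'repaired %s item(s), diskutil exit %s\n' "$count" "$rc"
    return "$rc"
}

# Constructed stand-in for diskutil: replays the output the post shows.
SAMPLE_DISKUTIL_OUTPUT='Started verify/repair permissions on disk0s2 Macintosh HD
Permissions differ on "Library/Application Support"; should be drwxr-xr-x ; they are drwxrwxr-x
Repaired "Library/Application Support"
Group differs on "Library/Printers/InstalledPrinters.plist"; should be 80; group is 0
Permissions differ on "Library/Printers/InstalledPrinters.plist"; should be -rw-rw-rw- ; they are -rw-r--r--
Repaired "Library/Printers/InstalledPrinters.plist"
Finished verify/repair permissions on disk0s2 Macintosh HD'

fake_diskutil() {
    printf '%s\n' "$SAMPLE_DISKUTIL_OUTPUT"
}

# Demo with the stand-in and log lines sent to stdout instead of syslog.
DISKUTIL=fake_diskutil
LOG_CMD=cat
repair_boot_permissions
```

Two practical notes: the script refuses to take the volume from its arguments on purpose, since anything the portal hands it is user-influenced, and diskutil’s repairPermissions verb was removed in OS X 10.11, so on later systems the package should check for it and report that the repair is not needed rather than fail.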

October 28th, 2013

Posted In: Mac OS X
