Here’s the thing: I’m not very good with computers. So to keep me from hurting myself too badly, I need the simplest interface available that allows me to run multiple applications. But most of the command keys shouldn’t work in this interface and I should only have Finder, file and Help menus.
Luckily for my poor MacBook Airs, Apple thought of people like me when they wrote the Finder and invented something called Simple Finder which makes OS X even simpler than it is by default to use. To enable Simple Finder, just go to Parental controls, enable controls for a user and then check the box for Simple Finder. Or, if you have an entire population of users like me, who simply can’t be trusted with a full operating environment, you can send the InterfaceLevel key with the contents of simple (easy to remember for those of us who resemble said key) to com.apple.finder and restart our friendly neighborhood Finder:
defaults write com.apple.finder InterfaceLevel simple; killall Finder
Come to think of it, maybe I’m not so awful. Let’s say I want to turn that whole Simple Finder thing right back off. Well, all we have to do is delete that key we created and then restart the Finder:
defaults delete com.apple.finder InterfaceLevel; killall Finder
Actually, I am terrible with these things. So much so that it’s not appropriate for me to use a computer. Therefore, just take it away. I’ll be better off using that Samsung with Windows 8 for awhile. At least there, I won’t be able to get any of my apps open or find any of the administrative tools that could damage the computer!
One of the big things in OS X Mountain Lion is how the system handles sleeping and sleeping events. For example, Power Nap means that now, Push Notifications still work when the lid is shut provided that the system is connected to a power source. This ties into Notification Center, how the system displays those Push Notifications to users. Sure, there’s tons of fun stuff for Accessibility, Calendar, contacts, Preview, Messages, Gatekeeper, etc. But a substantial underpinning that changed is how sleep is managed.
And the handling of sleep extends to the command line. This manifests itself in a very easy to use command line utility called caffeinate. Ironically, caffeinate is similar to the sleep command, except it will keep the GUI awake in the event that Mountain Lion wants to take a nap (I’m not saying it should not be used as a replacement for sleep btw).
To just get an idea of what it does, run the caffeinate command, followed by a -t operator and then let’s say the number 2:
caffeinate -t 2
The system can’t go to sleep automatically now, for two seconds. The command will sit idle for those two seconds and then return you to a prompt. Now, extend that to about 10000:
caffeinate -t 10000
While the command runs, manually put the system to sleep. Note that the system will go to sleep manually but not automatically. Now, there are different ways that a Mac can go to sleep. Use the -d option to prevent the display from sleeping or -i to prevent the system from going into an idle sleep. The -s is similar to -i but only impactful when the AC power is connected while the -u option deals with user inactivity.
Overall, a fun little command. It’s just another little tool in an ever-growing arsenal of options.
Programmatically controlling the cloud is an important part of trying to reign in the chaos of disparate tools that the beancounters make us use these days. Of all the companies out there, Microsoft seems to understand this about as well as anyone and their fine programmers have provided us with a nice set of tools to manage Office 365 accounts, both in a browser (as with most cloud services) and in a shell (which is what we’ll talk about in this article).
This article isn’t really about scripting PowerShell. Instead we’re just looking at a workflow that could be used to script a Student Information System, HRIS solution or another tool that has thousands of users in it to communicate with Microsoft’s 365 cloud offering, providing access to Exchange, Lync, Access, Unified Messaging and of course, minesweeper. Wait, before you get carried away, I still haven’t found a way to access minesweeper through PowerShell… Sorry…
In order to manage Office 365 objects, you will first need to import the MSOnline module (e.g. of cmdlets) and then connect to an account with administrative access to an Office365 environment. To import the cmdlets, use the Import-Module cmdlet, indicating the module to import is MSOnline:
Import-Module MSOnline
The Get-Credential cmdlet informs you what account you are currently signed in as. Once you have imported the appropriate cmdlets, connect to MS Online using the Connect-MsolService cmdlet with no operators, as follows:
Connect-MsolService
You will then be prompted for a valid Live username and password. The Connect-MsolService cmdlet also supports a -Credential operator (Connect-MsolService –Credential) which allows for injecting authentication information into the command in a script. Next, setup a domain using New-MsolDomain along with the -Name operator followed by the name of the domain to use with Office 365:
New-MsolDomain -Name krypted.com
The output would appear as follows, indicating that the domain is not yet verified:
Name Status Authentication
krypted.com Unverified Managed
Once created, in order to complete that you are authoritative for the domain, build a text record in the DNS for the authoritative name server for the domain. To see what the text record should include, run Get-MsolDomainVerificationDns:
Label : deploymsonline.com
Text : MS=ms123456789
Ttl : 3600
Once the domain name shows as verified, you need to confirm it, done using Confirm-MsolDomain:
Confirm-MSolDomain -DomainName krypted.com
you can create a user within the domain. To see account information, use the Get-MsolUser cmdlet with no operators:
Get-MsolUser
To create an account, use the New-MsolUser cmdlet. This requires four attributes for the account being created: UserPrincipalName, DisplayName, FirstName and LastName. These are operators for the command as follows, creating an account called Charles Edge with a display name of Charles Edge and an email address of cedge@krypted.com:
Other attributes can be included as well, or you can use a csv file to import accounts. Once created, you can use the Set-MSolUserPassword cmdlet to configure a password, identifying the principal with -userPrincipalName and the new password quoted with -NewPassword. I also elected to not make the user change their password at next login (through the web portal users have to reset their password and they’re randomly generated, so this is much more traditionally equivalent to what we’ve done in Active Directory Users and Computers):
We can also use Set-MsolPasswordPolicy to change the password policy, although here we’ll use Set-MsolUser for the account so that the password never expires:
Also, you could use Set-MailboxPermission to configure permissions on mailboxes. I’ve also found that Get-MsolAccountSku is helpful to get information about the actual account I’m logged in as and while I’m waiting for a domain to verify that I can use Get-MsolDomain to see the status. Once the domain is accepted, Get-AcceptedDomain shows information about the domain. Set-MsolUserLicense can be used to manage who gets what license.
Finally, all of this could be strung together into a subsystem by any organization to centrally bulk import and manage delegated domains in an Office365 environment. There are going to be certain areas where human intervention is required but overall, most of the process can be automated, and once automated, monitoring the status (e.g. number of accounts, etc) can also be automated, providing a clear and easy strategy for 3rd party toolsets to be integrated with the Office 365 service that Microsoft is providing. It is a new world, this cloud thing, but it sure seems a lot like the old world where we built middleware to do the repetitive parts of our jobs… Just so happens we’re tapping into their infrastructure rather than our own…
I’ve mentioned the codesign tool in previous articles, but today let’s look at a specific use. I recently needed to generate a report of the executable for around 2000 app bundles. Luckily, codesign displays the executable for an app when run with the –display option:
Another tool that I haven’t written much about is productsign (also in /usr/sbin of Mac OS X 10.8). I’ll look at that one next, as a means of signing packages.
These days, you can spend a lot of money buying really nice digital signage tools. And if you’re doing so, then you likely have some pretty dynamic content you’d like to load. Something that doesn’t necessarily lend itself to a dynamic content platform, but which is nice for the quick presentation that you whip up and want to use for a form of digital signage is Keynote presentations. These are inexpensive and can be played on monitors through AirPlay or directly through a Mac Mini connected to a television or big monitor. Great for a monitor in the company lobby, the hallway in the school or for subliminal messaging at the DMV to convince you that no, the guy with the forehead tat isn’t really going to shank you (srsly, metal detectors, pls).
There are a few issues there, though. First, for most uses, you need the presentation to either go on forever or need to queue up a bunch of them. Then, you need to set the presentation to automatically start when opened so that you can just open files through a script. Scripts being able to be set as login items for a default user. There are also some logistical issues with the physical hardware if it’s in public, but I’ll assume you’ve got those covered and move on to the technical details of how to do the above tasks.
To prepare a Keynote presentation, first open the Keynote, click on Inspector in the toolbar and then at the inspector click on the document icon (in the far left top corner of the inspector). Then, check the boxes for “Automatically play upon open” and “Loop slideshow”. This will automatically play the presentation and start it again when it’s done.
Then I’d use the second icon from the left on each slide to automate the transition to the next slide.
Then, the entire Keynote is automated. That part is all done within Keynote and the next part is just opening and closing Keynote from the command line. To open via ARD or another management tool, send the following command:
open /Users/admin/Desktop/Presentationname.key
Then to close Keynote and run something else:
killall Keynote
To close one presentation and immediately reopen a different presentation, merge the commands into one line:
killall Keynote; open /Users/admin/Desktop/Presentationname.key
Just make sure everything’s automated or the loop won’t run. Now, to automate events within Keynote will require clicking on things from an AppleScript or Automator workflow or using the AppleScript options for Keynote. To automate just clicking to move to another slide can be done with the following AppleScript (and sent via osascript), although it’s usually best done within Keynote:
tell application “System Events”
click
end tell
The following are all of the Keynote-specific options from Automator:
To close a single presentation, the following workflow would do the trick:
One challenge is that when you loop through different Keynote presentations, you would see the desktop of OS X and the Dock while Keynote is re-opening if you kill it off first. It should take a little less than a second. Once keynote re-opens, you see the menu for keynote for about another half second while the keynote document is opening. If I don’t close Keynote and instead just open a 2nd document then I see the Keynote menu bar for a split second while the second presentation is starting and I don’t end up seeing the actual Desktop. That would be done just by opening a second presentation from the command line. The caveat is that as you toggle between them, if you don’t kill off the Keynote application, you’ll end up starting where the other left off rather than at the beginning (which might be fine in a given workflow).
You can, if you need to kill the application, launch the screen saver first:
osascript -e 'tell application id "com.apple.ScreenSaver.Engine" to launch'
Or just in bash:
open -a /System/Library/Frameworks/ScreenSaver.framework//Versions/A/Resources/ScreenSaverEngine.app
This just fires up the screen saver to try and hide what you’re doing in the background. You can layer the three commands we’ve looked at on top of each other as a single command from ARD:
osascript -e 'tell application id "com.apple.ScreenSaver.Engine" to launch' ; killall Keynote ; open /Users/admin/Desktop/Presentationname.key
That would effectively kick off the screen saver, kill keynote while it’s hidden and then open the new presentation. The presentation would need to be transferred to the client system first, but that’s usually the easy part. You could also sleep the commands to bring up different presentations and bolt more logic in, although much of that is best left inside of Keynote itself. If you wanted to get extra crafty, in case the desktop did ever appear, you could have a fail safe of having the screen saver appear as the desktop background, which I wrote up awhile ago here. There are also various kiosk applications that do crazy things like replace the Finder or fire up kioskish (is that a word?!?!) browsers and the such, but all will likely require a little testing and massaging to get just right.
Overall, Apple products can make for pretty good signage options given how well they typically handle various graphics and connectivity, without buying 3rd party tools. You do get what you pay for, so it might be worth looking at some of those tools. Also, it’s worth noting that Rich Trouton wrote up a nice article on using AppleTV for this type of stuff here on his site. I’ve also scripted digital content delivery to Macs using Final Cut Server, CatDV and various scripting tools such as python. We’ve even gone so far as to programatically create the actual Keynote files, but that’s probably best saved for a github gist rather than a krypted.com post…
There are a number of features that make mass deployment of Mac OS X pretty easy. Some of these would be great to have in Windows. These range from systemconfiguration to networksetup and the ability to look at packages that have been installed and review their bills of material. Well, the good people at Vexasoft have built a number of Powershell libraries that, while they aren’t named as such, do a number of the features that these commands do, just for Windows clients via Powershell. And the best part is, a number of them are free.
Let’s look at what some of these commands do:
First, there are the cmdlets used to manage the network stack (so similar to various verbs in networksetup). These include Add-NetworkAdapterDNS, Add-NetworkAdapterGateway, Add-NetworkAdapterIP, Disable-NetworkAdapter, Enable-NetworkAdapter, Get-NetworkAdapter, Remove-NetworkAdapterIP, Remove-NetworkAdapterGateway, Remove-NetworkAdapterDNS, Set-(followed by the others from the above sets) and Rename-NetworkAdapter.
Second, you can automate binding with Set-Domain. This is similar to dsconfigad but less awesome because it’s third party, but still more awesome than the native tools because it’s easier.
Third, rename the system. This is similar to scutil, hostname, sets. Just use Rename-Computer to change the name of a Windows system.
My favorite, having written something similar, is probably Get-RemoteDesktopConfig and Set-RemoteDesktopConfig, similar to the kickstart options in OS X.
And a tool similar to installer in OS X, Install-MSIProduct, which installs MSIs.
Sixth, there’s Set-Pagefile, because if you’re gonna’ change it, do so while imaging to save a reboot later…
While there are others, the final one I’d like to mention is still free: Get-RegistryKey, which gives us the ability to basically run the closest thing to defaults commands I’ve found against the Windows platform.
They install as standard Powershell modules, making them easy to drop into practically any imaging environment. Much of these can be done via WMI or Powershell already, but will require a bit more legwork to script. Having them pre-built makes it easier than ever to perform some basic tasks for other platforms en masse, on Windows.
Client systems don’t have to have drives. Nor should they, in certain circumstances. Therefore, diskless NetBoot has been a part of OS X since the early beginnings. And it’s great provided you have the Server Admin application handy. But if you want to enable/control diskless NetBoot without Server Admin then you’re going to need to use the command line.
Each of your NetBoot images will be stored in an array, which can be seen by running the serveradmin command, along with the settings option and then the net boot service, as follows:
serveradmin settings netboot
Locate the netBootImagesRecordsArray, which shows the images that are served up on the server. Find the appropriate one (most people tend to only have one) and then make sure that the SupportsDiskless option is set to yes.
You can also set DisabledSystemIdentifiers, EnabledSystemIdentifiers, Type (type of file share), pathToImage, Architecture and use IsEnabled to enable and disable images programatically. This allows administrators to programmatically control NetBoot and therefore build custom imaging workflows that, for example, update the NetBoot set for NetRestore at the time of generating the NetRestore NetBoot set. It would also come in handy if any of these features were ever removed from the GUI…
Imaging can be a complicated task. Many imaging environments have a lot of scripts, packages, base images and other aspects of automation. The more of these that you have, the more potential combinations you have for the state of a system once they’ve been run. This gets complicated when you want to make sure that each possible combination of images will have a consistent result when installed. For example, take something simple, like a property list. Each possible combination of packages, scripts images and even managed preferences might have a different impact on that poor property list.
A simple defaults command can often give administrators the ability to see what settings have been applied to a system. For simple tasks that can be programatically trapped for, this might be enough. You can argue that everything can be programatically discovered, but I would argue that is an immature way to look at such things. The example I used in the Enterprise Mac Administrator’s Guide was looking at Microsoft Word. Let’s say that you install 24 fonts. When you open Word, you end up needing to check and make sure that each font loads. You can verify fonts test clean, but you can’t verify that they show up in Word. Microsoft gives you the ability to list fonts that appear in the font menu programatically. But you would literally need to open Word and look in the fonts menu on each regression of each system image in order to tell if the fonts actually appear in the list and if so, whether they look right. One small example. In many environments, each application will have 10 or more tests, with a lot of applications potentially being deployed – and the list grows as failures are discovered year over year…
Now let’s say you’ve got 80 packages in your self service library. At this point, in order to tell that every combination is cool, you’d need to manually open Word on a lot of image combinations in order to verify that your fonts load properly. EggPlant is a tool that enables administrators to run a script that clicks on things for us and reports back on what happens when we do. Now, AppleScript can do some of this as well. But eggPlant gets very in depth in terms of scripting logic and is cross platform. EggPlant leverages a Vine server that gets installed on clients. Screen shots are then taken through a Vine client and compared to screen shots you make and save in eggPlant to compare to the ones that are captured from Vine. That’s a bit of overs implication, but at the end of the day, bolt some simple scripting on top of that and you’ve got a pretty advanced solution. EggPlant now also supports iOS by jail breaking devices to load the Vine server.
EggPlant is one of the best tools for this kind of thing for the Mac platform. It’s more popular amongst those who do a lot of web testing, but it shoehorns nicely into post-flight imaging regression testing. I had a good conversation with @tvsutton at the Penn State Mac Admins conference about eggPlant and he mentioned a tool called Sikuli that I hadn’t used before, so hat tip to him for the rest of this article. While eggPlant has way more logic in it, for simple regression testing, you can leverage Sikuki in its place, which wouldn’t cause some of the potential conflicts that running a localized Vine server might cause on client systems.
Sikuli is a simple tool that allows administrators to script graphical events. You can effectively automate anything you see on a screen using the same type of screen shots; however, with Sikuli, you dump the screen shots directly into the script via the scripting interface, known as the Sikuli IDE.
The options along the left side are some common commands that can be run, in serial from top to bottom. Not all of the possible methods are exposed in the GUI sidebars, but many of the more common ones are. Let’s go ahead and manually enter switchApp followed by an application you’d like to open with your script. In my example, I’m going to use Server.app:
switchApp("Server.app")
While the command says switchApp, it might as well say openApp, as the application will open when you run the command. Go ahead and see for yourself (assuming you have a Lion Server and can therefore open Server.app. Now, let’s look at some graphical interfacing, go ahead and click on click in the sidebar, which will dim the screen and bring up crosshairs for taking a screenshot. Here, select some part of the screen. I’m using Users for my example:
Once you take the screenshot, it should appear in the parenthesis after click. Next, we’re going to send a screenshot command to the computer itself. To do so, we’re going to use the type command, which conveniently types content into the screen. You can also use this for dialog boxes and other such things, but we’re going to just use it to send a screenshot command to the server. To do so, we’re going to tell it to type the 3 key, along with KeyModifier.SHIFT and KeyModifier.CMD:
type("3", KeyModifier.SHIFT + KeyModifier.CMD)
Now your screen will look something like this:
Running the workflow should result in a screenshot on your desktop, of the users on the system. Next, let’s just repeat this process by clicking on all the screens, grabbing a little screenshot of each and producing results on the desktop. All we’re going to do is cut/copy/paste the actual commands and then loop through each of the services and screens in Server Admin until we’ve gotten a screenshot of each:
Now is when things can start getting a little more interesting. We could have done everything we did up to now using Automator. But Sikuli has some built in logic. Here, we’re going to use the wait option in the Find section of the sidebar to go ahead and wait each screen that can be latent to show content. After we click the services, we’ll wait for a pattern on the screen not specific to any given system but that only appears when the settings appear, as follows:
This is a basic configuration of Sikuli, with a simple task, take some screenshots of the Server application. It can then be anchored to an imaging workflow by invoking the workflow from the command line. The command line is just a shell script sitting in the Sikuli-IDE, which is by default dropped into Applications. Because you won’t need it for standard systems, you can use it in special regression testing workflows from your imaging solution. Save the workflow you’ve been running as some title (I’ll use ServerApp) with the .sikuli extension. Then, to run it from the command line, fire up sikuli along with the actual project and a -r operator to tell it to run:
You can also use the sikuli-ide.jar or sikuli-script.jar to get an even lighter install, documented at http://sikuli.org/docx/faq/010-command-line.html#cmdoption-t on the sikuli.org site. On that page, it also explains how to pass arguments to Jython’s sys.argv using the –args option as well as using -stderr. The scripting environment from there becomes jython, a mashup language that takes python and java and uses a little duct tape to hold them together. Overall, it’s an interesting concept. There isn’t a lot of logic, unless you’re willing to script things. But if you are willing to script things then you can do pretty much anything you might want. For example, you can have it play bejeweled for you, so you can actually get some work done (although perhaps you’d rather play bejeweled and script your meetings…):
Ever need to automate changes to image files? Maybe a LaunchAgent that would watch a specific folder and resize png files that were dropped in there, or a little script that sanitized images as they came in to be a specific size (e.g. Poster Frames)? Well, sips is a little tool built into OS X that can help immensely with this. It will even convert that png to a jpeg or pict to png. Let’s look at using sips. First up, let’s just get the width and height of an image file:
There’s lots more you can do with sips. It also happens to be built into OS X in the /usr/bin folder. Call on it for general still image manipulation. It’s quick and easily scriptable and best of all, a useful tool that can save lots of manual time converting images.
In a couple of previous articles I looked at automating the Application Layer Firewall in OS X. These are pretty common articles that get back-linked to the site, so I decided to update them earlier, rather than later, in the Lion release. The tools to automate firewall events from the command line are still stored in /usr/libexec/ApplicationFirewall. And you will still use socketfilterfw there for much of the heavy lifting. However, now there are much more helpful and functional options in socketfilterfw that will allow you to more easily script the firewall.
Some tricks I’ve picked up with alf scripting:
Configure the firewall fully before turning it on (especially if you’re doing so through something like Casper or Absolute Manage where you might kick yourself out of your session otherwise).
Whatever you do, you can always reset things back to defaults by removing com.apple.alf.plist file from /Library/Preferences replacing it /usr/libexec/ApplicationFirewall/com.apple.alf.plist.
Configure global settings, then per-application settings
To debug: “/usr/libexec/ApplicationFirewall/socketfilterfw -d”
In /usr/libexec/ApplicationFirewall is the Firewall command, the binary of the actual application layer firewall and socketfilterfw, which configures the firewall. To configure the firewall to block all incoming traffic:
/usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on
A couple of global options that can be set. Stealth Mode:
/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
Firewall logging:
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
To start the firewall:
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
While it would be nice to think that that was going to be everything for everyone, it just so happens that some environments actually need to allow traffic. Therefore, traffic can be allowed per signed binary. To allow signed applications:
/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on
This will allow all TRUSTEDAPPS. The –listapps option shows the status of each filtered application:
This shows the number of exceptions, explicitly allowed apps and signed exceptions as well as process names and allowed app statuses. There is also a list of TRUSTEDAPPS, which will initially be populated by Apple tools with sharing capabilities (e.g. httpd & smbd). If you are enabling the firewall using a script, first sign your applications that need to allow sharing but are not in the TRUSTEDAPPS section by using the -s option along with the application binary (not the .app bundle):
Archive