krypted.com

Tiny Deathstars of Foulness

Organizations frequently have another party write iOS apps for them. When doing so, the organization typically wants to sign the .ipa (how iOS apps are deployed) prior to deploying the app to users. To do so, you would sign the .ipa with your provisioning profile. To make doing so easier, here’s ipasign, a python script that does most of the work for ya’:

September 27th, 2016

Posted In: iPhone, Mac OS X, Mac OS X Server

Tags: , , , ,

In a couple of previous articles I looked at automating the Application Layer Firewall in OS X. These are pretty common articles that get back-linked to the site, so I decided to update them earlier, rather than later, in the Lion release. The tools to automate firewall events from the command line are still stored in /usr/libexec/ApplicationFirewall. And you will still use socketfilterfw there for much of the heavy lifting. However, now there are much more helpful and functional options in socketfilterfw that will allow you to more easily script the firewall. Some tricks I’ve picked up with alf scripting:
  • Configure the firewall fully before turning it on (especially if you’re doing so through something like Casper or Absolute Manage where you might kick yourself out of your session otherwise).
  • Whatever you do, you can always reset things back to defaults by removing com.apple.alf.plist file from /Library/Preferences replacing it /usr/libexec/ApplicationFirewall/com.apple.alf.plist.
  • Configure global settings, then per-application settings
  • To debug: “/usr/libexec/ApplicationFirewall/socketfilterfw -d”
In /usr/libexec/ApplicationFirewall is the Firewall command, the binary of the actual application layer firewall and socketfilterfw, which configures the firewall. To configure the firewall to block all incoming traffic: /usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on A couple of global options that can be set. Stealth Mode: /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on Firewall logging: /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on To start the firewall: /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on While it would be nice to think that that was going to be everything for everyone, it just so happens that some environments actually need to allow traffic. Therefore, traffic can be allowed per signed binary. To allow signed applications: /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on This will allow all TRUSTEDAPPS. The –listapps option shows the status of each filtered application: /usr/libexec/ApplicationFirewall/socketfilterfw --listapps This shows the number of exceptions, explicitly allowed apps and signed exceptions as well as process names and allowed app statuses. There is also a list of TRUSTEDAPPS, which will initially be populated by Apple tools with sharing capabilities (e.g. httpd & smbd). If you are enabling the firewall using a script, first sign your applications that need to allow sharing but are not in the TRUSTEDAPPS section by using the -s option along with the application binary (not the .app bundle): /usr/libexec/ApplicationFirewall/socketfilterfw -s /Applications/MyApp.app/Contents/MacOS/myapp Once signed, verify the signature: /usr/libexec/ApplicationFirewall/socketfilterfw -v /Applications/MyApp.app/Contents/MacOS/myapp Once signed, trust the application using the –add option: /usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/MyApp.app/Contents/MacOS/myapp To see a list of trusted applications. You can do so by using the -l option as follows: /usr/libexec/ApplicationFirewall/socketfilterfw -l If, in the course of your testing, you determine the firewall just isn’t for you, disable it: /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off Or to manually stop it using launchctl (should start again with a reboot): launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist If you disable the firewalll using launchctl, you may need to restart services for them to work again.

July 20th, 2011

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , , , , , , ,