krypted.com

Tiny Deathstars of Foulness

There are a couple of parts to this article. The first is to describe the server command, stored in /Applications/Server.app/Contents/ServerRoot/usr/sbin/server. The description of the command by Brad Chapman was so eloquently put on this JAMF Nation post that I’m just gonna’ paste it in here:

So … I just installed Server 5.0.x tonight on my Mac Mini running Yosemite (10.10.5). There was a question that came up during JNUC about upgrading Server and having a way to accept the license agreement without going through the GUI.

So for shits and giggles I tried:

server setup

It’s not documented. And lo and behold, I got the prompt to accept the license agreement just like you do with Xcode.

Post your trip reports here! Can this be automated?

tardis:~ chapman$ sudo server setup
Password:
To use server, you must agree to the terms of the software license agreement.

Press Return to view the software license agreement.

---insert license agreement here---

Do you agree to the terms of the software license agreement? (y/N) y

Administrator access is required to set up OS X Server on this Mac. Type an administrator's user name and password to allow this.
User name: chapman
Password: 

Initializing setup...
Getting server state...
Getting host names...
Writing server settings...
Configuring Service Authentication...
Creating certificates...
Getting certificates...
Renewing certificate...
Enabling server password hashes for local users...
Creating service principals...
Initializing certificates...
Preparing services...
Preparing Caching service...
Preparing Calendar service...
Preparing Profile Manager service...
Preparing File Sharing service...
Preparing Software Update service...
Preparing Messages service...
Preparing Mail service...
Preparing Web service...
Preparing Calendar service...
Preparing Wiki service...
Preparing Calendar service...
Preparing Profile Manager service...
Initializing Wiki...
Initializing Mail...
Initializing VPN...
Initializing Xcode...
Enabling autobuddy for local accounts...
Updating admin password policy...
Checking DNS Configuration...
Reading DNS configuration...
Completing setup...

server encountered errors during setup:

Unknown error
tardis:~ chapman$

I don’t know what the ‘unknown error’ was.

The error is pretty much typical. I rarely see a server that doesn’t spawn some kind of error, and most errors will throw this. Oh well. The only option that he didn’t mention that isn’t meant for internal use is help, which doesn’t even indicate setup as a verb. Now, here’s where it gets fun. This is cute, but if you’re scripting a full server setup, you’ll want to bust out a little expect script here. I’m gonna’ put the username and password in cleartext here, to keep the script readable:

#!/usr/bin/expect
set timeout 300
spawn server setup
expect "Press Return to view the software license agreement." { send \r }
expect "Do you agree to the terms of the software license agreement? (y/N)" { send "y\r" }
expect "User name:" { send "MYADMINUSERNAME\r" }
expect "Password:" { send "MYPASSWORD\r" }
interact

Obviously, you would replace MYADMINUSERNAME with your admin username and MYPASSWORD with your password. But basically, drop the Server.app on a machine, run this, and you’re good to go. Now, hypothetically, if you’re spinning up a Caching server (e.g. if you’re building out 100 caching servers, this might come in handy), then you could use the commands described in this article I wrote earlier.
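For deployment, the same exchange can be driven without credentials in the script or on the command line. The following is an added example, not the author's script: the credential file path, its two-line layout (user name, then password) and the function names are assumptions.

```sh
#!/bin/sh
# Added example: run `server setup` unattended without embedding credentials.
# Assumed (not from the post): CRED_FILE location and layout, function names.
# Intended to be run as root, like the original expect script.

CRED_FILE="${CRED_FILE:-/var/root/.server_setup_cred}"

# Succeed only for a regular file whose mode grants access to the owner alone.
cred_file_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

run_server_setup() {
    cred_file_is_private "$CRED_FILE" || {
        echo "refusing to use $CRED_FILE: mode must be 600 or 400" >&2
        return 1
    }
    # expect opens the file itself, so the password never appears in argv
    # or in the script text.
    CRED_FILE="$CRED_FILE" expect <<'EOF'
set timeout 300
set fh [open $env(CRED_FILE) r]
gets $fh user
gets $fh pass
close $fh
spawn /Applications/Server.app/Contents/ServerRoot/usr/sbin/server setup
expect "Press Return to view the software license agreement." { send "\r" }
expect "Do you agree to the terms of the software license agreement? (y/N)" { send "y\r" }
expect "User name:" { send -- "$user\r" }
expect "Password:" { send -- "$pass\r" }
expect eof
# Propagate the exit status of `server setup` to the caller.
exit [lindex [wait] 3]
EOF
}
```

Call run_server_setup from the deployment workflow and delete the credential file once setup completes.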

October 28th, 2015

Posted In: Mac OS X Server, Mass Deployment

Installing OS X has never been easier than in Yosemite. In this article, we’ll look at upgrading a Mac from OS X 10.10 (Yosemite) to OS X 10.11 (El Capitan). The first thing you should do is clone your system. The second thing you should do is make sure you have a good backup. The third thing you should do is make sure you can swap back to the clone should you need to do so and that your data will remain functional on the backup. Once you’re sure that you have a fallback plan, let’s get started by downloading OS X El Capitan from the App Store. Once downloaded, you’ll see Install OS X El Capitan sitting in LaunchPad, as well as in the /Applications folder.

Open the app and click Continue (provided of course that you are ready to restart the computer and install OS X El Capitan).

At the licensing agreement, click Agree (or don’t and there will be no El Capitan for you).

At the pop-up click Agree again, unless you’ve changed your mind about the license agreement in the past couple of seconds.

At the Install screen, click Install and the computer will reboot.

And you’re done. Now for the fun stuff!

October 11th, 2015

Posted In: Mac OS X, Mac OS X Server

You might be happy to note that other than the ability to interpret new payloads, the profiles command mostly stays the same in El Capitan, from Yosemite. You can still export profiles from Apple Configurator or Profile Manager (or some of the 3rd party MDM tools). You can then install profiles by just opening them and installing. Once profiles are installed on a Mac, mdmclient, a binary located in /usr/libexec, will process changes such as wiping a system that has been FileVaulted (note you need to FileVault if you want to wipe an OS X Lion client computer). /System/Library/LaunchDaemons and /System/Library/LaunchAgents have an mdmclient daemon and agent, respectively, that start it up automatically. This, along with all of the operators, remains static from 10.10.

To script profile deployment, administrators can add and remove configuration profiles using the new /usr/bin/profiles command. To see all profiles, aggregated, use the profiles command with just the -P option:

/usr/bin/profiles -P

As with managed preferences (and piggy backing on managed preferences for that matter), configuration profiles can be assigned to users or computers. To see just user profiles, use the -L option:

/usr/bin/profiles -L

You can remove all profiles using -D:

/usr/bin/profiles -D

The -I option installs profiles and the -R removes profiles. Use -p to indicate the profile is from a server or -F to indicate its source is a file. To remove a profile:

/usr/bin/profiles -R -F /tmp/HawkeyesTrickshot.mobileconfig

To remove one from a server:

/usr/bin/profiles -R -p com.WestCoastAvengers.HawkeyesTrickshot

The following installs HawkeyesTrickshot.mobileconfig from /tmp:

/usr/bin/profiles -I -F /tmp/HawkeyesTrickshot.mobileconfig

If created in Profile Manager:

/usr/bin/profiles -I -p com.WestCoastAvengers.HawkeyesTrickshot

You can configure profiles to install at the next boot, rather than immediately. Use the -s to define a startup profile and take note that if it fails, the profile will attempt to install at each subsequent reboot until installed. To use the command, simply add a -s then the -F for the profile and the -f to automatically confirm, as follows (and I like to throw in a -v usually for good measure):

profiles -s -F /Profiles/SuperAwesome.mobileconfig -f -v

And that’s it. Nice and easy and you now have profiles that only activate when a computer is started up. As of OS X Yosemite, the dscl command got extensions for dealing with profiles as well. These include the available MCX Profile Extensions:

-profileimport -profiledelete -profilelist [optArgs]
-profileexport
-profilehelp

To list all profiles from an Open Directory object, use -profilelist. To run, follow the dscl command with -u to specify a user, -P to specify the password for the user, then the IP address of the OD server (or name of the AD object), then the profilelist verb, then the relative path. Assuming a directory username of diradmin, a password of moonknight and the user cedge:

dscl -u diradmin -P moonknight 192.168.210.201 profilelist /LDAPv3/127.0.0.1/Users/cedge

To delete that information for the given user, swap the profilelist extension with profiledelete:

dscl -u diradmin -P moonknight 192.168.210.201 profiledelete /LDAPv3/127.0.0.1/Users/cedge

If you would rather export all information to a directory called ProfileExports on the root of the drive:

dscl -u diradmin -P moonknight 192.168.210.201 profileexport . all -o /ProfileExports

In Yosemite we got a few new options (these are all still in 10.11 with no new operators), such as -H which shows whether a profile was installed, -z to define a removal password and -o to output a file path for removal information. Also, as in Yosemite it seems as though if a configuration profile was pushed to you from MDM, you can’t remove it (fyi, I love having the word fail as a standalone in verbose output):

bash-3.2# profiles -P
_computerlevel[1] attribute: profileIdentifier: 772BED54-5EDF-4987-94B9-654456CF0B9A
_computerlevel[2] attribute: profileIdentifier: 00000000-0000-0000-A000-4A414D460003
_computerlevel[3] attribute: profileIdentifier: C11672D9-9AE2-4F09-B789-70D5678CB397
charlesedge[4] attribute: profileIdentifier: com.krypted.office365.a5f0e328-ea86-11e3-a26c-6476bab5f328
charlesedge[5] attribute: profileIdentifier: odr.krypted.com.ADD7E5A6-8EED-4B11-8470-C56C8DC1E2E6
_computerlevel[6] attribute: profileIdentifier: EE08ABE9-5CB8-48E3-8E02-E46AD0A03783
_computerlevel[7] attribute: profileIdentifier: F3C87B6E-185C-4F28-9BA7-6E02EACA37B1
_computerlevel[8] attribute: profileIdentifier: 24DA416D-093A-4E2E-9E6A-FEAD74B8B0F0
There are 8 configuration profiles installed

bash-3.2# profiles -r 772BED54-5EDF-4987-94B9-654456CF0B9A
bash-3.2# profiles -P
_computerlevel[1] attribute: profileIdentifier: F3C87B6E-185C-4F28-9BA7-6E02EACA37B1
_computerlevel[2] attribute: profileIdentifier: EE08ABE9-5CB8-48E3-8E02-E46AD0A03783
_computerlevel[3] attribute: profileIdentifier: 24DA416D-093A-4E2E-9E6A-FEAD74B8B0F0
_computerlevel[4] attribute: profileIdentifier: 00000000-0000-0000-A000-4A414D460003
_computerlevel[5] attribute: profileIdentifier: 772BED54-5EDF-4987-94B9-654456CF0B9A
_computerlevel[6] attribute: profileIdentifier: C11672D9-9AE2-4F09-B789-70D5678CB397
charlesedge[7] attribute: profileIdentifier: odr.krypted.com.ADD7E5A6-8EED-4B11-8470-C56C8DC1E2E6
charlesedge[8] attribute: profileIdentifier: com.krypted.office365.a5f0e328-ea86-11e3-a26c-6476bab5f328
There are 8 configuration profiles installed

bash-3.2# profiles -rv 772BED54-5EDF-4987-94B9-654456CF0B9A
profiles: verbose mode ON
profiles: returned error: -204
fail
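The listings above come back in a different order after the removal attempt, so eyeballing them is error-prone. The following added example (not from the original post; the function names are hypothetical) compares the two listings as sets, using the output shown above as sample input, to confirm whether a removal took effect.

```sh
#!/bin/sh
# Added example: check whether a profile removal actually changed the installed set.
# BEFORE and AFTER are the two `profiles -P` listings shown in the post.
BEFORE='_computerlevel[1] attribute: profileIdentifier: 772BED54-5EDF-4987-94B9-654456CF0B9A
_computerlevel[2] attribute: profileIdentifier: 00000000-0000-0000-A000-4A414D460003
_computerlevel[3] attribute: profileIdentifier: C11672D9-9AE2-4F09-B789-70D5678CB397
charlesedge[4] attribute: profileIdentifier: com.krypted.office365.a5f0e328-ea86-11e3-a26c-6476bab5f328
charlesedge[5] attribute: profileIdentifier: odr.krypted.com.ADD7E5A6-8EED-4B11-8470-C56C8DC1E2E6
_computerlevel[6] attribute: profileIdentifier: EE08ABE9-5CB8-48E3-8E02-E46AD0A03783
_computerlevel[7] attribute: profileIdentifier: F3C87B6E-185C-4F28-9BA7-6E02EACA37B1
_computerlevel[8] attribute: profileIdentifier: 24DA416D-093A-4E2E-9E6A-FEAD74B8B0F0'
AFTER='_computerlevel[1] attribute: profileIdentifier: F3C87B6E-185C-4F28-9BA7-6E02EACA37B1
_computerlevel[2] attribute: profileIdentifier: EE08ABE9-5CB8-48E3-8E02-E46AD0A03783
_computerlevel[3] attribute: profileIdentifier: 24DA416D-093A-4E2E-9E6A-FEAD74B8B0F0
_computerlevel[4] attribute: profileIdentifier: 00000000-0000-0000-A000-4A414D460003
_computerlevel[5] attribute: profileIdentifier: 772BED54-5EDF-4987-94B9-654456CF0B9A
_computerlevel[6] attribute: profileIdentifier: C11672D9-9AE2-4F09-B789-70D5678CB397
charlesedge[7] attribute: profileIdentifier: odr.krypted.com.ADD7E5A6-8EED-4B11-8470-C56C8DC1E2E6
charlesedge[8] attribute: profileIdentifier: com.krypted.office365.a5f0e328-ea86-11e3-a26c-6476bab5f328'

# Reduce a listing to sorted "scope<TAB>identifier" lines; the [n] index and
# the line order change between runs, so both are discarded.
profile_set() {
    printf '%s\n' "$1" |
        awk -F'profileIdentifier: ' 'NF == 2 { s = $1; sub(/\[.*/, "", s); print s "\t" $2 }' |
        LC_ALL=C sort -u
}

# is_installed ID LISTING: succeed if ID appears in the listing.
is_installed() {
    profile_set "$2" | cut -f2 | grep -Fxq -- "$1"
}

# listing_delta BEFORE AFTER: print "- ..." for removed and "+ ..." for added profiles.
listing_delta() {
    b=$(mktemp) || return 1
    a=$(mktemp) || { rm -f "$b"; return 1; }
    profile_set "$1" >"$b"
    profile_set "$2" >"$a"
    LC_ALL=C comm -23 "$b" "$a" | sed 's/^/- /'
    LC_ALL=C comm -13 "$b" "$a" | sed 's/^/+ /'
    rm -f "$b" "$a"
}

# removal_took_effect ID BEFORE AFTER: 0 if ID was installed and is now gone,
# 1 if it is still installed, 2 if it was never installed.
removal_took_effect() {
    is_installed "$1" "$2" || return 2
    ! is_installed "$1" "$3"
}

ID=772BED54-5EDF-4987-94B9-654456CF0B9A
if removal_took_effect "$ID" "$BEFORE" "$AFTER"; then
    echo "$ID removed"
else
    echo "$ID still installed"
fi
```

On a live system, capture the output of profiles -P into a variable before and after the removal attempt and pass both to removal_took_effect.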

October 6th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

You’ve got Open Directory running and humming beautifully in OS X Server 5 (running on OS X Yosemite or OS X El Capitan). You show up to work and the hard drive has died on that perfectly configured Open Directory Master. Luckily, you have a replica and you have an archive of your Master. You can restore or you can promote your Replica to a Master. What to do? Well, I can’t tell you what you should do, but I can tell you that Apple has planned for this. Here, we’re going to look at promoting that Replica to a Master. Because after all, hard drives fail. Let’s look at what all this looks like.

Create An Open Directory Archive

In order to properly restore an Open Directory Master or promote a Replica to a Master, you’ll need the SSL keys. You should also just keep archives of your Open Directory environment around (albeit in a secure location) because you really never know. To create an Open Directory Archive, which has the keys in it as well as data needed to restore a Master, first open the Server app. From within the Server app, click on the Open Directory service.

Towards the bottom of the screen, click on the cog wheel icon.

At the menu, click Archive Open Directory Master…

When prompted, provide the username and password to the Open Directory environment shown in the Server field and then click on the Connect button.

At the Archive Open Directory Master screen, choose a location to create your archive. Also, provide a password for the archive. Click the Archive button when you’re ready to proceed.

At the Confirm Settings screen, click Archive. The archive is then created. Keep this safe as it has all your base are belong to us in it. You have to do this proactively. Once the hard drive in that Open Directory Master craps out, you’ll need the Archive to put the pieces of Humpty Dumpty back together again.

Promote A Replica To A Master

Provided you have a Replica and an Archive, promoting a Replica to a Master couldn’t be easier in OS X Server. To do so, open the Server app from the Replica and then use the cog wheel icon to bring up the menu.

Here, click Promote Replica to Master.

At the “Promote Open Directory replica to master” screen, provide an Open Directory username and password (e.g. diradmin with the appropriate password). Also, choose the archive you created previously. Then click Next. The Replica will become an archive. Once finished, remove any other replicas and repromote them.

Stop Open Directory

Another option is to stop Open Directory on the replicas until you can get your Master back up and running. To stop Open Directory, open the Server app and click on the Open Directory service. Click on the OFF button. You’ll then be prompted to verify that you really want to stop directory services on the server. Click OK (which should probably read a bit more ominous, like “OMG, OK”). The server is then stopped. To completely remove Open Directory from the old server, run the slapconfig command, followed by -destroyldapserver:

slapconfig -destroyldapserver

Also, don’t forget to go to the Master and remove any servers from there as well, once they’ve been fully demoted. View the logs using cat for any other weirdness:

cat /Library/Logs/slapconfig.log

October 1st, 2015

Posted In: Mac OS X Server

OS X Server 5 is now available to be installed. To do so, first back up your server. Then, back up your server again, making sure you have a functional, bootable clone. Once you’re sure you have a solid backup of your server, open the App Store and search for Server. When you find the Server app, click on it.

At the OS X Server screen, click on Install.

The download will begin. Once complete, you’ll see a notice that the “Server app replacement detected.” Click OK. Then, open the Server app.

When the Server app opens, you’ll be prompted to update the server. Click Continue.

At the Licensing Agreement screen, click Agree.

At the screen to confirm your administrative access, provide a name and password for an account with administrative access and then click on Allow.

Services are then upgraded. Once complete, the Server app will open and should have settings consistent with the settings prior to the upgrade.

September 26th, 2015

Posted In: Mac OS X Server

I’ve been light on posting here, mostly because I’ve been swamped with work, selling my old house, buying a new house, doing some crazy taxes, wrapping production on a new book and updating the Take Control of OS X Server book to Yosemite Server. Well, earlier this week I sold my house, got the next version of Bushel ready to rock and filed my taxes. Aaaaannnnnndddddd, the Yosemite version of Take Control Of OS X Server is now available at http://tid.bl.it/1xuCJUC.

Boom. Will get back to my normally scheduled postings shortly!

February 5th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

I’ve seen a few instances where an upgrade caused Final Cut to run kinda’ strangely. To resolve, I’ve just been doing a quick reinstall of Final Cut. To do so:

  • First move the Final Cut application to the trash (it’s in the /Applications folder).
  • From your home folder, go to ~/Library/Application Support and move the Final Cut folder in there into the trash.
  • From Library/Preferences in your home folder, put com.apple.FinalCut.plist, com.apple.FinalCut.LSSharedFileList and com.apple.FinalCut.UserDestinations.plist in the trash.
  • Finally, trash the com.apple.FinalCut directory from ~/Library/Caches.

Once done, go back to the Mac App Store and reinstall Final Cut and open it. Those folders you just tossed out will get re-created. Your toolbars and other customizations are likely to be gone, so you’ll have to spend a few minutes getting your workspace back to the way you had it, but if Final Cut was acting oddly it should be back to normal.

Good luck!

January 21st, 2015

Posted In: Final Cut Server, Mac OS X

The latest Roundcube installer for OS X Server is now available at http://topicdesk.com/downloads/roundcube. This update, which provides a pretty awesome WebMail interface to OS X Server’s Mail Service, provides the following:

  • One installer that supports all Mavericks and Yosemite
  • Roundcube WebMail 1.0.3 installed as a WebApp
  • Automatically Configured Plugins
  • Roundcube CardDav: Server-based address books
  • Roundcube Managesieve: Server-side mail filtering and vacation messages
  • PHP and Roundcube Config automatically configured for a typical Mac installation
  • SQLite database – we no longer use Postgres
  • Integration with the Mail Service running on OS X Server

December 17th, 2014

Posted In: Mac OS X, Mac OS X Server

The profiles command in Yosemite (and Mavericks for that matter), can configure profiles to install at the next boot, rather than immediately. Use the -s to define a startup profile and take note that if it fails, the profile will attempt to install at each subsequent reboot until installed. To use the command, simply add a -s then the -F for the profile and the -f to automatically confirm, as follows (and I like to throw in a -v usually for good measure):

profiles -s -F /Profiles/SuperAwesome.mobileconfig -f -v

And that’s it. Nice and easy and you now have profiles that only activate when a computer is started up.

November 13th, 2014

Posted In: iPhone, Mac OS X, Mac OS X Server

Installing OS X has never been easier than in Yosemite. In this article, we’ll look at upgrading a Mac from OS X 10.9 (Mavericks) to OS X 10.10 (Yosemite). The first thing you should do is clone your system. The second thing you should do is make sure you have a good backup. The third thing you should do is make sure you can swap back to the clone should you need to do so and that your data will remain functional on the backup. Once you’re sure that you have a fallback plan, let’s get started by downloading OS X Yosemite from the App Store. Once downloaded, you’ll see Install OS X Yosemite sitting in LaunchPad, as well as in the /Applications folder.

Open the app and click Continue (provided of course that you are ready to restart the computer and install OS X Yosemite).

At the licensing agreement, click Agree (or don’t and there will be no Mavericks for you).

At the pop-up click Agree again, unless you’ve changed your mind about the license agreement in the past couple of seconds.

At the Install screen, click Install and the computer will reboot.

And you’re done. Now for the fun stuff!

November 5th, 2014

Posted In: Mac OS X, Mass Deployment
