The “What’s New in macOS” page for Sierra (10.12) lays out a little-known change that a colleague at Jamf was working on the other day (hat tip to Brock): Starting in macOS 10.12, you can no longer provide external code or data alongside your code-signed app in a zip archive or unsigned disk image. An app distributed outside the Mac App Store runs from a randomized path when it is launched and so cannot access such external resources. To provide secure execution, code sign your disk image itself using the codesign tool, or distribute your app through the Mac App Store. For more information, see the updated revision to…
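The practical side of that change is that an installer or helper script can tell when it has been launched from the randomized path (Gatekeeper's App Translocation puts the bundle under an AppTranslocation directory inside the user's temporary folders) and refuse to go looking for sidecar files that will not be there. The following is an added example, not code from the original post or from Apple; the sample paths are constructed, and the spctl invocation is the documented way to check a signed disk image and only runs on a Mac.

```sh
#!/bin/sh
# Added example, not from the original post. Detects whether an app is running
# from a Gatekeeper Path Randomization (App Translocation) location, where a
# quarantined app launched from a zip or unsigned disk image executes from
# /private/var/folders/<xx>/<yyyy>/T/AppTranslocation/<UUID>/d/<App>.app and
# cannot see files that shipped next to it.

# Return 0 if the given path lies under an AppTranslocation directory.
is_translocated() {
    case "$1" in
        */AppTranslocation/*/d/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Given the path of the running executable inside a bundle, print the directory
# the bundle lives in (where sidecar files would be), or "translocated" when the
# randomized path makes reaching them impossible.
sidecar_dir() {
    if is_translocated "$1"; then
        echo "translocated"
    else
        # strip /Contents/MacOS/<binary> to get the bundle, then its parent
        dirname "${1%/Contents/MacOS/*}"
    fi
}

# Apple's recommended fix is to sign the disk image; this is the documented
# check that the signature is accepted. macOS only (needs the real spctl).
verify_dmg_signature() {
    spctl -a -t open --context context:primary-signature -v "$1"
}

# Typical use from a script shipped inside the bundle (constructed path):
#   sidecar_dir "/Volumes/Example/Example.app/Contents/MacOS/Example"  -> /Volumes/Example
```

Run `sidecar_dir` on the executable path of the current process early in the install flow; if it reports `translocated`, stop and tell the user to move the app out of the image, or fix the distribution by signing the image so translocation does not apply.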
-
Who Signed My OS X App?
The codesign command is used to sign apps and to check the signature of apps. Apps need to be signed for more and more purposes these days, so you might need to loop through your apps and verify that they’re signed. You might also choose to stop trusting a given signing authority if it is compromised. To check signing authorities, you can use codesign -dv --verbose=4 /Applications/Firefox.app/ 2>&1 | sed -n '/Authority/p' The options in the above command: -d displays information about the app (as opposed to -s, which would actually sign the app); -v increases the verbosity level (without the v’s we won’t see the signing “Authority”); --verbose=4 indicates the level of verbosity…
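Looping that one-liner over /Applications and comparing the chain against a distrust list is the audit the paragraph describes. The script below is an added example, not code from the original post: it parses the lines `codesign -dv --verbose=4` writes to stderr (the Authority lines are the chain, leaf first; TeamIdentifier is the stable pivot) and flags any bundle whose chain contains a subject you no longer trust. The sample output is constructed, with a placeholder company and team ID; `audit_applications` needs a real Mac and is not invoked.

```sh
#!/bin/sh
# Added example, not code from the original post. Parses the output that
# `codesign -dv --verbose=4 <app>` writes to stderr and flags bundles whose
# certificate chain contains an authority you have stopped trusting.
# SAMPLE_OUTPUT is constructed; the company and team ID are placeholders.

SAMPLE_OUTPUT='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.Example
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+5 location=embedded
Signature size=8900
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# Print the certificate chain, leaf (signer) first, one subject per line.
authorities() {
    printf '%s\n' "$1" | sed -n 's/^Authority=//p'
}

# The leaf certificate is the first Authority line.
leaf_authority() {
    authorities "$1" | head -n 1
}

# The team ID is a better pivot than the display name, which anyone can reuse.
team_identifier() {
    printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p'
}

# Return 0 if any subject in the chain exactly matches a line of $2
# (a newline-separated distrust list), else 1.
chain_has_distrusted() {
    chain=$(authorities "$1")
    old_ifs=$IFS
    IFS='
'
    for bad in $2; do
        if printf '%s\n' "$chain" | grep -Fxq -- "$bad"; then
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Real use on a Mac: walk /Applications and report. Not invoked here.
# codesign exits non-zero (and says so) for an unsigned bundle.
audit_applications() {
    distrusted=$1
    for app in /Applications/*.app; do
        if ! out=$(codesign -dv --verbose=4 "$app" 2>&1); then
            echo "UNSIGNED  $app"
            continue
        fi
        if chain_has_distrusted "$out" "$distrusted"; then
            echo "DISTRUST  $app  <$(leaf_authority "$out")>"
        else
            echo "OK        $app  <$(leaf_authority "$out")>  team=$(team_identifier "$out")"
        fi
    done
}
```

Matching on Authority strings catches a revoked or compromised intermediate, but the leaf's display name is just text; when you want to pin a vendor, compare `team_identifier` output, and remember that `codesign -dv` only describes the signature, so pair it with `codesign --verify --deep --strict` to learn whether the signature is still valid.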
-
See IPv4 and IPv6 Machines On The Network
Prepare for your network administrators to cringe… I’ve spoken on these commands but never really put them together in this way, exactly. I wanted to find a coworker on a network. One way to find people is a ping sweep, which also populates the local ARP cache. Here I’m going to royally piss off my switch admins and ping sweep the subnet: ping 255.255.255.255 Next, I’m going to run arp to translate the addresses that answered: arp -a Finally, a machine’s IPv6 addresses won’t show up there, so I’m going to run: ndp -a Now I find the hostname, look at the MAC address, copy that to my clipboard, and search for it to get the IP…
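The last step, pivoting from a MAC address in one table to the addresses in the other, is easy to script once both outputs are parsed. The following is an added example, not code from the original post: it turns `arp -a` and `ndp -a` output into address/MAC pairs and returns every IPv4 and IPv6 address seen for one MAC. The two sample tables are constructed in the format macOS prints, with placeholder addresses; MACs are normalised before comparing because the BSD tools print octets without leading zeros while switch CLIs and inventory systems usually pad them.

```sh
#!/bin/sh
# Added example, not from the original post. Cross-references `arp -a` (IPv4)
# and `ndp -a` (IPv6) output by MAC address so one lookup gives every address
# a host has on the segment. Sample tables are constructed; addresses and MACs
# are placeholders.

ARP_SAMPLE='? (10.0.0.1) at 0:11:22:33:44:55 on en0 ifscope [ethernet]
mbp.local (10.0.0.23) at aa:bb:cc:dd:ee:ff on en0 ifscope [ethernet]
? (10.0.0.9) at (incomplete) on en0 ifscope [ethernet]
? (10.0.0.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]'

NDP_SAMPLE='Neighbor                             Linklayer Address  Netif Expire    St Flgs Prbs
fe80::1%en0                          0:11:22:33:44:55   en0   permanent R
2001:db8::23                         aa:bb:cc:dd:ee:ff  en0   23h59m53s S
fe80::a8bb:ccff:fedd:eeff%en0        aa:bb:cc:dd:ee:ff  en0   permanent R'

# Canonicalise a MAC: lowercase, leading zero stripped from each octet, so a
# padded 00:11:22:33:44:55 matches the 0:11:22:33:44:55 that arp/ndp print.
norm_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | awk -F: -v OFS=: '{
        for (i = 1; i <= NF; i++)
            if (length($i) == 2 && substr($i, 1, 1) == "0") $i = substr($i, 2)
        $1 = $1; print }'
}

# "ip mac" pairs from arp -a output, skipping (incomplete) entries.
arp_table() {
    printf '%s\n' "$1" | awk '$3 == "at" && $4 ~ /:/ { ip = $2; gsub(/[()]/, "", ip); print ip, $4 }'
}

# "ipv6 mac" pairs from ndp -a output; the header has no colon in column 2.
ndp_table() {
    printf '%s\n' "$1" | awk '$2 ~ /:/ { print $1, $2 }'
}

# Every IPv4 and IPv6 address seen for MAC $1; $2 and $3 are arp and ndp output.
ips_for_mac() {
    want=$(norm_mac "$1")
    { arp_table "$2"; ndp_table "$3"; } | while read -r addr mac; do
        if [ "$(norm_mac "$mac")" = "$want" ]; then
            printf '%s\n' "$addr"
        fi
    done
}

# On a real Mac, after the sweep has populated the neighbour caches:
#   ips_for_mac aa:bb:cc:dd:ee:ff "$(arp -a)" "$(ndp -a)"
```

Two caveats a practitioner will hit: many hosts ignore broadcast pings, so a directed sweep of the unicast range fills the ARP cache more reliably than `ping 255.255.255.255`, and link-local IPv6 entries keep their `%en0` scope suffix, which you need to retain when you ping or ssh to them.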
-
Debug Logging Profile Manager on macOS Servers
OS X Server stores most logs in files in the /Library/Logs/ProfileManager directory. Logs are split up between php, devicemgrd.log, scep_helper.log, servermgr_devicemgr.log, profilemanager.log and others. In my experience, if there are a lot of errors at first, or if the service doesn’t work, just reformat and start over. But once a server is in production, you don’t want to re-enroll devices after you do that. So, as with all good error prodding, start with the logs to troubleshoot. By default the logs can appear a bit anemic. You can enable more information by increasing the logging level. Here, we’ll shoot it up to 6, which can be done with the…
-
Episode 18 of the MacAdmins Podcast
So fun!
-
Programatically Manage Fingerprints in OS X
Apple recently introduced a laptop with the same fingerprint technology found in an iPhone as well as a T1 chip to take the sapphire Touch ID sensor information and store it securely, non-reversibly(ish), on the machine. macOS 10.12 now comes with a tool that can manage the fingerprints, stored as keys, on the device. The bioutil command is simple to use, with a few options that are mostly useful for enabling different features of the new technology. Let’s get started by looking at the unlock option: -r reads whether Touch ID is enabled for the current user, and adding -s checks the system-wide setting as well: bioutil…
-
JNUC 2017 Announced!
The last JamfNation User Conference, or JNUC for short, was far and away the biggest and best. It was packed though, and given the year-over-year increase in people attending, the conference is being moved to the Hyatt Regency in downtown Minneapolis. For more information on or to early-bird register for JNUC 2017, visit the official JNUC page. I’ll certainly be there, and I look forward to seeing all of you again and meeting all the newcomers this year, as well as getting a recording going of the MacAdmins Podcast while we’re all together!
-
Remove All User Keychains Except One in macOS
macOS has keychains. Sometimes they’re a thing. When they are, you might want to delete them. Let’s say you have an admin account. You want to keep the keychains for that account but remove all the others. For this, you could use bash’s extglob negation pattern, or you could do a quick loop as follows (the glob has to stay outside the quotes, or nothing is removed; /Users/Shared is skipped because it has no keychains):
    for home in /Users/*/; do
        user=$(basename "$home")
        [ "$user" = "admin" ] && continue
        [ "$user" = "Shared" ] && continue
        rm -Rf "$home/Library/Keychains/"*
    done
If you borrow this, be careful.
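Listing /Users is a blunt way to pick accounts: it also returns Shared, .localized and the leftover homes of deleted users, and it assumes the account to keep is literally named "admin". The script below is an added example, not code from the original post: it selects real local accounts by UID (500 and up) from `dscl . -list /Users UniqueID`, takes a keep list, and dry-runs by default. The dscl output is constructed; the account names in it are placeholders.

```sh
#!/bin/sh
# Added example, not code from the original post. Chooses which users' keychains
# to remove by UID rather than by `ls /Users`, keeps a configurable set of
# accounts, and only deletes when explicitly told to. DSCL_SAMPLE is
# constructed in the format of `dscl . -list /Users UniqueID`.

DSCL_SAMPLE='_amavisd               83
admin                  501
charles                502
daemon                 1
Guest                  201
nobody                 -2
root                   0'

# Print the real local users (UID >= 500) that are not in the space-separated
# keep list $2. $1 is dscl output.
local_users_except() {
    printf '%s\n' "$1" | awk -v keep="$2" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) kept[k[i]] = 1 }
        $2 ~ /^[0-9]+$/ && $2 >= 500 && !($1 in kept) { print $1 }'
}

# Print the keychain directory for each user that is going to be cleaned.
keychain_dirs() {
    local_users_except "$1" "$2" | while read -r user; do
        printf '/Users/%s/Library/Keychains\n' "$user"
    done
}

# Remove every user keychain except those of the kept accounts.
# $1 is --dry-run or --for-real, $2 the keep list. Needs root on a real Mac.
remove_other_keychains() {
    keychain_dirs "$(dscl . -list /Users UniqueID)" "$2" | while read -r dir; do
        [ -d "$dir" ] || continue
        if [ "$1" = "--for-real" ]; then
            rm -Rf "$dir"/*
        else
            echo "would remove: $dir/*"
        fi
    done
}

# remove_other_keychains --dry-run "admin"
```

The home path is assumed to be /Users/<name>; accounts with a relocated NFSHomeDirectory need that attribute read from dscl instead. Do this while the affected users are logged out, since securityd holds those files open for an active session.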
-
Outlook 2016 and Logs
The logs for Outlook are… Interesting… Diagnostics are difficult without logs. They used to be at ~/Library/Containers/com.microsoft.outlook/Data/Library/Logs/. To enable logs, open Outlook and then click on Window and then click Sync Errors. From there, click on the cogwheel and then check the box for “Turn on logging for troubleshooting”. Now go ahead and quit Outlook and open it again. When prompted, click “Leave Logging On” and then, when you get errors, open the logs. Once enabled, you’ll see logs at ~/Library/Group Containers/UBF8T346G9.Office/OfficeLogging/. You can set a maximum size for the log files using defaults to write an EWSMaxLogLength key to com.microsoft.Outlook with the following command: defaults write ~/Library/Preferences/com.microsoft.Outlook EWSMaxLogLength 64
-
Simple XPath options with Jamf Pro
Given the increased reliance on XML in scripts and for exchanging data, a number of different solutions leverage XML traversal to get all the things done. We frequently use xpath to bring a file into a script or program, or to accept input from STDIN. The most basic task we then perform is simply selecting an item from that file or STDIN and assigning it to a variable. One common tool we use here is XPath. XPath calls these objects nodes, and uses path expressions to select them. A path expression is the path along the XML input that is followed to find a piece of data. There are some…