Yesterday I posted https://krypted.com/mac-security/script-to-list-extensions-running-on-a-mac/ to scriptify some research on App Extensions and System Extensions. I mentioned that it’s also possible to loop through /Applications or /Applications/Utilities and look for any .systemextension bundles (which includes network extensions as those are .networkextension.systemextension – and ultimately they’re all kinda’ auxiliary kext’s ‘even though’cause kexts are bad – but I digress). So here’s a script that loops through the file hierarchy supplied by $1 and then checks any found against systemextensionsctl to make sure they’re running: https://github.com/krypted/extensionslist/blob/main/systemextensions.sh In action, here are a couple of outputs of what it can look like. Per developer documentation (and with a little experience writing them), the two locations…
-
-
Script to List Extensions Running on a Mac
I wrote an article about extensions on macOS a few weeks ago, and have since written a couple of other extensions. The interesting thing about modern extensions is that different types of extensions can live in different places on a file system, become instantiated in different ways or with different mechanisms, and due to the way message traverse XPC, operate in very different ways. The tools Apple has made available make it possible to see what’s running are primarily geared towards protecting privacy. This leaves a small gap for those interested more in securing machines and preventing exfiltration. There isn’t a single binary that can provide a simple listing of…
-
Managing Virus Scans With ClamAV
There are a number of solutions on the market for scanning a Mac for files that have become infected with a virus or macro-virus. Many of these have a negative return on investment. So customers can instead go the open source route to scan files and quarantine them. And customers can use Jamf Pro to enable doing so. This page is meant to provide a quick and dirty guide to doing so, along with how this might be packaged and potentially tracked with Jamf Pro. First, we’ll install and configure a free tool called clamav. There are a number of ways to install clam. For this example, just to get…
-
Extension Attribute to Grab iTunes Hashes for VPP on macOS
Here’s a new extension attribute at https://github.com/krypted/ituneshash/blob/master/ituneshash.sh for grabbing the hash ID used for iTunes Store accounts, useful with VPP: #!/bin/sh # # # #Jamf Pro Extension Attribute to return the App Store Account Hash for iTunes #Note that the return is null if one is not found # # result=`/usr/libexec/mdmclient QueryAppInstallation | grep iTunesStoreAccountHash | sed '/.*\"\(.*\)\".*/ s//\1/g'` echo "<result>$result</result>" The output is something like: <result>oBSmAAAa0nUAAACBHe5AaALlNBg=</result> Which would bring the string into Jamf Pro
-
Jamf Pro Extension Attribute For TouchID
Built a quick extension attribute for Jamf Pro environments to check if TouchID is enabled and report back a string in $result – this could easily be modified and so I commented a few pointers for environments that might need to modify it (e.g. to check for user-level as it’s currently system-level). To see/have the code, check https://github.com/krypted/TouchID_check.