• Mac OS X,  Mac OS X Server,  Mac Security,  Mass Deployment

    Securely Erase Freespace and Volumes In OS X Without Disk Utility

    One of the options thats a tad bit hidden in OS X is the Secure Erase option, which runs a multi-pass erase on a volume. Additionally, there’s no option to Secure Erase free space on a volume. But you can still securely erase whatever you’d like (other than you boot volume obviously), when needed. To do so, use the diskutil command along with the secureErase option. The format of the command to secureErase freespace is: diskutil secureErase freespace [level] [device] The levels are as follows (per the man page as not all of these are specified in Disk Utility): Single-pass zero-fill erase Single-pass random-fill erase US DoD 7-pass secure erase…

  • Mac OS X,  Mac OS X Server,  Mac Security,  Mass Deployment,  Unix

    Bash: Check That A Script Is Running As Root

    Pretty much every script I’m working on these days must be run as root. Checking what user is running something is pretty straight forward, as there’s a built-in shell variable for $USER that contains the user running a script. To see this real quick, simply run the following: echo $USER You can then put this into your scripts. I’ve been using the same block of code for decades, which can be run in a script by itself if you’d like to paste this into one. if [[ $USER != "root" ]]; then echo "This script must be run as root" else echo "You are root" exit 1 fi Note: Keep in mind…

  • Mac OS X,  Mac Security,  Mass Deployment

    Enable And Disable Permissions On Volumes Using A Script

    Someone hands you a USB drive. You put it in your computer and you can’t access anything on it. You are running an imaging lab and you want to backup or troubleshoot a device before you re-image it, but you can’t access certain files. Obviously, you can sudo. But, you can also simply disable permissions on that volume (which, like getting someone to make you a sandwich, requires sudo of course). The command used to enable and disable permissions on a volume is vsdbutil, located at /usr/sbin/vsdbutil. And there’s a LaunchDaemon at /System/Library/LaunchDaemons/com.apple.vsdbutil.plist that interacts with diskarbitrationd so that when a volume is mounted, it is marked as having permissions…

  • Mac OS X

    hostinfo

    The hostinfo command displays information about your host; namely your kernel version, the number of processors the kernel is configured for, the number of physical processors active, the number of logical processors active, the type of those processors, which ones are active, the amount of memory available, tasks, threads, and average load. Run hosting without any arguments or options: hostinfo The output would be as follows (ymmv per system): Mach kernel version: Darwin Kernel Version 15.0.0: Wed Aug 26 19:41:34 PDT 2015; root:xnu-3247.1.106~5/RELEASE_X86_64 Kernel configured for up to 4 processors. 2 processors are physically available. 4 processors are logically available. Processor type: x86_64h (Intel x86-64h Haswell) Processors active: 0 1…

  • Mac OS X,  Mac OS X Server,  Mac Security,  Mass Deployment

    Encrypting OS X Server 5 Volumes In El Capitan

    Encrypting a volume in OS X couldn’t be easier. In this article, we will look at three ways to encrypt OS X El Capitan volumes in OS X Server 5. The reason there are three ways is that booted volumes and non-booted volumes have different methods for enabling encryption. Encrypting Attached Storage For non-boot volumes, just control-click or right-click on them and then click on Encrypt “VOLUMENAME” where the name of the volume is in quotes. When prompted, provide an encryption password for the volume, verify that password and if you so choose, provide a hint. Once the encryption process has begun, the entry previously clicked on says Encrypting “VOLUMENAME” where…

  • Mac OS X,  Mac OS X Server,  Mac Security,  Mass Deployment

    Use The profiles Command Line In El Capitan

    You might be happy to note that other than the ability to interpret new payloads, the profiles command mostly stays the same in El Capitan, from Yosemite. You can still export profiles from Apple Configurator or Profile Manager (or some of the 3rd party MDM tools). You can then install profiles by just opening them and installing. Once profiles are installed on a Mac, mdmclient, a binary located in /usr/libexec will process changes such as wiping a system that has been FileVaulted (note you need to FileVault if you want to wipe an OS X Lion client computer). /System/Library/LaunchDaemons and /System/Library/LaunchAgents has a mdmclient daemon and agent respectively that start…

  • Mac OS X,  Mac OS X Server,  Mac Security,  Ubuntu,  Unix

    Grab Your WAN IP In Scripts

    Sometimes when I’m writing a script, I need something to phone home to something in the script. For example, this can tell another daemon where to ssh into when I invoke it remotely. So, let’s say I want to grab my WAN address in a script. I can use curl with a number of 3rd party sites (sites that often change. But, one that we can use here is ipecho.net. Here, we’ll look at their plain output page here: curl ipecho.net/plain This can then get output into a variable or file for processing in other parts of a script. For example, the output here is basically the same thing but…

  • Mac OS X,  Mac OS X Server,  Ubuntu,  Unix

    Separate commands on one line in Bash

    In bash, you can run multiple commands in a single line of a script. You do so by separating them with a semi-colon (;). The great thing about this is that if you end up using a variable, you can pass it on to subsequent commands. Here, we’re going to string three commands together and then echo the output: a=1;b=2;c=$a+$b;echo $c because we told c to be $a + $b, the $a expands to 1 and the $b expands to 2, we throw them together and then echo out the contents of c$ which appears as follows: 1+2 Now, we could have this thing do math as well, by wrapping…

  • Mac OS X,  Mac OS X Server,  Mac Security

    qlmanage

    QuickLook scans file contents before you open those files. Usually this just lets you view a file quickly. But you can also use this same technology from the command line to bring about a change to the Finder without actually opening a file. To access QuickLook from the command line, use qlmanage. qlmanage -p ~/Desktop/MyTowel42.pdf While open, click the space bar to go back to your Terminal session. The most notable use case here is that when you use qlmanage you don’t run the risk of changing the date/time stamp of the files.

  • Mac OS X,  Mac OS X Server

    (Cross-Post) Video from JSS-autopkg-addon Presentation

    JSS-autopkg-addon Presentation from Allister Banks on Vimeo. (Guest post by Allister Banks) On June 26th, I had the pleasure of being invited by @Tecnico1931 to the NYC Metro JAMF user group meeting. A worksheet I created for this event may be found here: url.aru-b.com/jssAutopkg See also Shea Craig’s python-jss, and thanks go out to James Barclay, Sam Johnson, and all the folks mentioned in the video.