Modular OS Deployment session at MacIT 2012
Thank you to all the folks who turned out early on a Saturday morning to hear Mike Boylan and myself give our modular OS deployment session. I was very surprised and gratified that it turned out to be a standing room-only session.
For those who attended and want a reference copy, I’ve posted our slides here in PDF format.
Opening Inaccessible Attachments in Outlook 2011
One of my users ran into an unusual display issue in Outlook 2011, where emails with attachments will sometimes not be displayed in the reading window.
These messages will show up with the paper clip icon that indicates that there’s an attachment (indicated by the red square in the picture below.)
When opened, the message will not show the attachment line
(Note: the recipients have been redacted from the screenshot below.)
I have not found a fix for this issue, but I’ve found a workaround that allows access to the attachment. See below the jump for the procedure
Attaching Files to Meeting Invitations in Outlook 2011
I was asked by one of our users today how to attach files to a meeting invitation in Outlook 2011. After some research, here’s how you do it:
1. Set up a new meeting invitation in Outlook 2011.
2. Once the meeting invite opens up, drag your file you want to attach into the blank gray area to the right of Duration.
Your attachment will then appear in a newly-appearing attachment line below the start and end time for the meeting.
Interestingly enough, you can’t add files to Outlook 2011 appointments. If you need to add a file attachment to an appointment, click the Invite button in your Appointment window.
The appointment will then turn into a meeting invite and allow you to attach files. Invite your own email address and hit the Send button to add the event to your calendar.
Encrypting 10.7 non-boot volumes without erasing them
In addition to using FileVault 2 to encrypt your boot partition, it’s possible to encrypt your non-boot storage on 10.7 using the same CoreStorage-based encryption. Apple provided a way to do this via Disk Utility, where you would need to erase the drive and have the new volume be set up as an encrypted volume.
It is also possible to encrypt the drive without erasing it first from the command line. This allows your existing data to stay on your drive while the drive is being encrypted. See below the jump for the procedure.
Hidden users with hidden home folders not migrated when upgrading to 10.7
In a number of Mac environments, it’s advantageous for Mac admins to hide the IT administrator account so that it can’t be deleted or altered by other users on those Macs. In other cases, like Jamf’s Casper, the system management tool needs an account in order to do its work. In both cases, hiding the affected account and its associated home folder is a good strategy to keep unwanted attention from noticing the account.
One way you can hide the account is to create it using a UID that’s lower than 500. Apple uses UIDs of 501 and higher for its accounts. UIDs of 500 and lower are assumed to be system-only accounts and should not show up at either the login window or in the Accounts or Users & Groups listing in System Preferences.
The downside to this is that these hidden accounts may not be migrated when upgrading your Mac to a new OS, which may leave you without your usual administrator account following the upgrade. I first noticed this with 10.7.x, but I’ve heard that it also affects hidden accounts when migrating from 10.5.x to 10.6.x.
How can you tell if your hidden account will be migrated? Here’s what works and doesn’t as of Mac OS X 10.7.x:
Note: In the description below, Visible refers to a user account that shows up and is editable in the Accounts or Users & Groups listing in System Preferences. Hidden refers to an account with a UID that’s lower than 500.
Successfully migrates:
Visible user account, where the home folder is stored in /Users
Hidden user account, where the home folder is stored in /Users
Visible user account, where the home folder is stored somewhere other than /Users
Does not successfully migrate:
Hidden user account, where the home folder is stored somewhere other than /Users
If you have a hidden user account with a home folder stored outside of /Users, there’s a couple of solutions that you may be able to leverage as part of the upgrade process to get those hidden admin accounts back.
1. If you’re upgrading to 10.7.x, use CreateLionUser to build installer packages that recreate your hidden user accounts following the upgrade. These installer packages should be incorporated into your upgrade workflow and set to run after the main 10.7 upgrade process has finished.
2. If the hidden user is needed by your system management tool, check to see if the needed user is created by the agent installer. If it is, then re-running the agent installer should put back the needed hidden user account.
2011 in review
The WordPress.com stats helper monkeys prepared a 2011 annual report for Der Flounder.
Here’s an excerpt:
The concert hall at the Syndey Opera House holds 2,700 people. This blog was viewed about 50,000 times in 2011. If it were a concert at Sydney Opera House, it would take about 19 sold-out performances for that many people to see it.
Clearing the font cache to fix an Outlook 2011 hanging problem
I had an issue today where Outlook 2011 was giving the spinning beachball right after opening. When I looked at the process list in Activity Monitor, I saw that the Microsoft Database Daemon process was using over 50% of CPU and sometimes going as high as 80% while the beachball was spinning. I also noticed that the fontd process was occasionally popping up to the top of the list of active processes, then going back to normal processor usage. After fifteen minutes, the spinning beachball went away and Outlook started behaving normally.
Since the fontd process had caught my attention, I decided to go with a sudden hunch and cleared the font cache system-wide. After that, I logged out of the user’s account and had them log back in. This time, Outlook opened right away. No beachball and no heavy Microsoft Database Daemon CPU usage. Based on that, Outlook was having some issues with something buried in the font cache and forcing a rebuild fixed the issue. In case someone else has a similar issue, here’s the commands I ran:
sudo atsutil databases -remove
(removes all user and system font caches)
sudo atsutil server -shutdown
(stops the Apple Type Services service that manages the font caches)
sudo atsutil server -ping
(restarts the Apple Type Services service)
I’ve also posted a script for automating the font clearing and ATS stop/restart on my GitHub repo. It’s available here.
Checking which accounts on a Mac have administrator rights
Something a number of Mac admins need to know about the Macs in their environment is being able to detect which accounts have admin rights on a particular Mac. This can be particularly important not just in secured networks, but also in schools. Savvy users can be inventive about finding ways to grant themselves admin rights, so admins need to be just as savvy about identifying which accounts have admin rights and shouldn’t.
To help with the task of identifying which accounts have admin rights, I found that Ryan Manly had posted a script-based Extension Attribute for use with Casper to detect which accounts had admin rights on a particular Mac. For those who need it, I’ve posted the Extension Attribute to my own GitHub repo as well as modifying it for use as an Absolute Manage Custom Information Item or as a generic standalone script.
Monitoring the Casper JSS Tomcat on Red Hat Linux
In my Casper setup, Casper’s JSS depends on a Jamf-installed Tomcat 7 installation on both my Casper production and Casper test servers, both of which are hosted on Red Hat Enterprise Linux 6.x VM servers.
To make sure that Tomcat is restarted automatically in case of a problem, a set of scripts has been installed with an accompanying crontab entry to check Tomcat to make sure it’s running. If not, an email with diagnostic information is sent then Tomcat is restarted. See below the jump for the scripts and the root crontab entry I’m using.
Repackaging Matlab 2011b with Composer
Since starting to use Casper at my workplace, I’ve wanted to be able to provide a unlicensed Matlab installer via Self Service. The reason I wanted it unlicensed is because, while we have a Matlab network license server, it has a very limited license pool. Instead, most of our labs purchase standalone licenses and register them to the person using it.
However, a showstopper issue I’ve run into has been that Matlab needs to have a license entered as part of the installation process. After some trial and error, I was able to figure out a way to use Jamf Software’s Composer build a Self Service-deployable installer that uses our network license and also an unlicensed installer. See below the jump for the details.
Recent Comments