I’ll be speaking at MacTech Conference 2011, which runs November 2-4 in Los Angeles. I’ll be speaking about FileVault 2: How it works, how to get your own Mac encrypted and decrypted with FileVault 2, how to roll out FileVault 2 deployments in the enterprise and how to centrally manage a FileVault 2 recovery key across multiple Macs.
As a follow-up to my previous post, two colleagues across the sea have pointed me towards this KBase article on the Recovery HD partition:
Key part:
“Recovery HD is not needed to install and run OS X Lion and even access most of its capabilities and new features, but some features are not available without a Recovery HD installed on your computer. You will be able to run OS X Lion and all your favorite, compatible software titles. Many of the new features of OS X Lion will be available to you.
You won’t be able to use FileVault disk encryption to secure your data. You won’t have the on-disk utilities for disk repair and setting a firmware password.”
They were able to confirm with Apple that this means that, while having a recovery partition is desirable, a 10.7 installation does not need one to be an Apple-supportable installation.
Hat tip: Harald and Martin
One of my users asked me yesterday “How do I add a contact from email to my Outlook contacts list?” It turns out that adding a contact from an email to your Outlook 2011 contacts is neither obvious nor intuitive (at least it was not to me or my user). Here’s how you can do it:
If you have an email from that person already:
1. Open a message from them.
2. Hover the mouse over their name and a pop-up window should appear.
3. Click the Open Outlook Contact button. (circled in red in the picture below.)
If you don’t have an email from them, but they are listed in your Exchange server’s global address list (GAL):
1. Start composing an email.
2. Enter the person’s name.
3. Select their name when it appears. If it doesn’t appear on its own, click the Check Names button in your Outlook toolbar.
4. Hover the mouse over their name and a pop-up window should appear.
5. Click the Open Outlook Contact button. (circled in red in the picture below.)
As part of the release of 10.7, Apple has also released Xcode 4.1 through the Mac App Store for free. While I applaud their generosity, having the Mac App Store be the delivery method can cause issues for those folks who need to add Xcode to their machine deployment workflow.
To address this, you can use the methodology referenced in this post to repackage Xcode 4.1 for distribution without needing an Apple ID. See below the jump for the procedure.
One of the lesser-known features that Apple included with Lion is that you can now set your Exchange Out of Office message through Mail.
To configure your Out of Office message, select a folder from the mailbox you wish to set a reply for and click the configuration button at the lower left of the Mail window as shown below. Next, select Out of Office… from the menu which appears. You’ll get the window you see above.
One of the lesser-known new features in 10.7 is Lion Recovery. The general idea is that you can boot from the hidden Recovery HD partition on your hard drive, or NetBoot from Apple’s Lion Internet Recovery (Internet Recovery is currently only available on the mid-2011 MacBook Airs and Mac Minis). Once booted to it, you’ll have access to all of the tools you need to reinstall Lion, repair your disk, and even restore from a Time Machine backup.
For Mac sysadmins, this can present an imaging problem, as our imaging tools have been focused on applying a single image to a single partition. Imaging with the Recovery HD partition involves the following:
A) Repartitioning the drive so that you’ve got a 620 MB slice available for the Recovery HD partition.
B) Laying down two separate images, one for your regular 10.7 image and the other for Recovery HD.
Since the average sysadmin has other tools available to boot and fix the Mac, there may be a strong temptation to say “The heck with it. Why do I need it?”
Depending on your environment, you may not need it. However, there’s one place where having Recovery HD present is absolutely essential: If you plan to use FileVault 2.
Why does FileVault need Recovery HD?
FileVault 2 encrypts your boot partition, but your Mac still needs an unencrypted space to boot to and allow access to the encryption unlock tools. The Recovery HD partition serves as the needed unencrypted space. The FileVault encryption process will check before beginning the encryption to see if the Recovery HD partition is there and will not start the encryption process if it’s not there.
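A pre-flight check a deployment workflow can run before trying to enable FileVault 2, mirroring the check the encryption process itself makes. This is an added example, not code from the original post; the `diskutil list` samples are constructed, and the `find_recovery_hd` and `filevault_preflight` names are my own.

```shell
#!/bin/sh
# Constructed sample of `diskutil list` output from a 10.7 Mac that has the
# Recovery HD partition (type Apple_Boot) alongside the boot volume.
SAMPLE_WITH_RECOVERY='/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            499.2 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3'

# Constructed sample of the same Mac imaged with a single-partition workflow,
# i.e. the case where FileVault 2 will refuse to start encrypting.
SAMPLE_WITHOUT_RECOVERY='/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            499.9 GB   disk0s2'

# Read `diskutil list` output on stdin. Print the identifier of the Apple_Boot
# partition named "Recovery HD" and return 0; return 1 if no such partition.
find_recovery_hd() {
    awk '$2 == "Apple_Boot" && $3 == "Recovery" && $4 == "HD" { print $NF; found = 1 }
         END { exit found ? 0 : 1 }'
}

# Run on a live Mac (assumes diskutil is present) before enabling FileVault 2,
# so an automated workflow stops cleanly instead of failing at encryption time.
filevault_preflight() {
    if id=$(diskutil list | find_recovery_hd); then
        echo "Recovery HD present on $id; FileVault 2 can be enabled."
    else
        echo "No Recovery HD partition found: FileVault 2 will not start." >&2
        return 1
    fi
}
```

Call `filevault_preflight` from the deployment script on the target Mac; a non-zero exit means the machine needs the Recovery HD partition laid down first.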
What imaging tools support imaging the Recovery HD partition?
There are currently two tools that I’m aware of that will lay down the Recovery HD partition as part of the imaging process. The first is Apple’s NetRestore and the second is DeployStudio.
As part of the imaging process, NetRestore will create the Recovery HD partition on the fly. Unfortunately, this means that you have to boot from a NetRestore NetBoot set for this. You can’t create the NetRestore image in System Image Utility, pull out the System.dmg image and then apply it to get both the 10.7 partition and the Recovery HD partition created. Instead, you would have one partition with your 10.7 image on it.
UPDATE 7-28-2011: I re-ran my tests with NetRestore, after making sure that I only had one partition. I was flat wrong, NetRestore does not create the Recovery HD partition as part of the imaging process. Sorry for any confusion this may have caused.
DeployStudio – DeployStudio doesn’t build the Recovery HD partition from scratch. Instead, if you build a 10.7 Mac using the 10.7 installer, then pull an image of it using a DeployStudio rc128 boot set running 10.7.x, the DeployStudio boot set will pull both the 10.7 partition and the Recovery HD partition (assuming it exists) as two separate images.
When imaging a new machine with that pulled image from a DeployStudio rc128 boot set running 10.7.x, if the Restore system recovery partitions option is checked in DeployStudio Admin for this imaging workflow, DeployStudio will restore both partitions automatically.
Note: It’s important that your DeployStudio rc128 boot set be running 10.7.x, as only 10.7’s asr command-line tool will handle the imaging process properly for restoring both partitions.
As part of getting my shop ready to support 10.7, I’ve made some updates to the interactive MigrateLocalUsertoADDomainAcct script that I have posted to my GitHub repository. The script (adapted from the original by Patrick Gallagher) helps you migrate a local user account to an equivalent AD domain account.
If you need this for your own shop, feel free to download a copy.
Direct link to script and README: https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/migrate_local_user_to_AD_domain
In Mac OS X 10.6.x, it’s possible to set the login window to not allow network users to log into the computer, even when the Mac itself is correctly bound to your Active Directory or Open Directory domain.
If you run across a machine that is correctly bound to your domain, but not allowing logins from network accounts, see below the jump for how to check if the login window has been set to not allow logins by network users.