One of my users requested help today with inserting document citations from Mekentosj Papers into Word 2011, where the user wanted to use the Papers Word 2008 export feature instead of using Endnote. The procedure was not intuitive, so I’ve documented it and posted it here in the event anyone else needs it. See below the jump for the procedure.
If you want to use FileVault 2 with FileVaultMaster.keychain as a managed recovery key, the issue of regularly changing your institution’s Master Password may come up if your worksite mandates password rotation. Since the Master Password’s sole function is to act as the password used to unlock the FileVaultMaster.keychain, this should be relatively straightforward. As long as the public key on your Macs and the private and public keys in your escrowed FileVaultMaster.keychain stay the same, the password to unlock FileVaultMaster.keychain can be updated as often as needed.
There’s two strategies you can use here:
1. You can change the password on a copy of your institution’s FileVaultMaster.keychain and push the updated FileVaultMaster.keychain to /Library/Keychains on your Macs – In my opinion, this is probably the most secure way to do this because you’re replacing one encrypted file with another encrypted file, without revealing in transit what the new password is. The main danger would be an incomplete or corrupted copy of the keychain file somehow being pushed to the machines.
2. You can use the security command to update the existing FileVaultMaster.keychain on the machines – In this case, you’re using the security command’s keychain password functionality to update the password used to unlock /Library/Keychains/FileVaultMaster.keychain from a known old password to a known new password. You would need to use sudo, or run it as root, as the FileVault keychain should be owned and writable only by root. Here’s the command to use (command should be all on one line):
sudo security set-keychain-password -o old_master_password -p new_master_password /Library/Keychains/FileVaultMaster.keychain
The main security concern here would be that the passwords referenced in the command would be sent in the clear, and all sudo-using commands will show up in /var/log/system.log. Running the commands as the root user without using sudo would mean that the command should not show up in /var/log/system.log, but it may show up in the root user’s history.
In addition to using Disk Utility, you can also use the command line to unlock or decrypt a FileVault 2-encrypted drive. In order to make sure it all works, I recommend that you use the Recovery HD partition or the Recovery HD partition cloned onto an external drive. See below the jump for the procedure.
Bad things happen and sometimes those bad things cause your FileVault 2-encrypted Mac to be unbootable. In the event that you find yourself in this place, or you’re about to be, here’s how you can unlock or decrypt your FileVault 2-encrypted drive using Disk Utility and the password of an account that’s authorized to log in at the FileVault 2 pre-boot login screen.
Update – June 11, 2013: As of Mac OS X 10.8.4, you will need to unlock the encrypted volume first, then you will be able to decrypt it. See this post for details.
1. Boot your Mac and hold down ⌘-R (Command –R) to boot from the Mac’s Recovery HD partition.
Note: You can also boot from a 10.7 installer drive , boot to Target Disk Mode and connect it via Firewire or Thunderbolt to another Mac, or use some other 10.7-booting drive. As long as you have 10.7′s Disk Utility, this should work.
2. Open Disk Utility.
3. Select your locked hard drive.
4. Under the File menu, select Unlock “Drive Name” or Turn Off Encryption… , based on what you want to do.
5. When prompted for a password, you can enter the password of any authorized account on the drive.
6. If you unlock the drive, you should then be able to use Disk Utility’s repair tools to hopefully fix the problem that’s preventing your Mac from booting.
7. If you turn off the encryption, the encrypted drive will decrypt. Once it’s finished decrypting, you should be able to access your data again using normal recovery methods (booting from another 10.6 or 10.7 boot drive, utility drive, etc.)
Since releasing the original version of my FileVault 2 encryption status check script , it was brought to my attention that there was a reporting problem with it. It worked fine with one FileVault 2 encrypted drive in the Mac but multiple encrypted drives (like an encrypted Time Machine backup drive) on the same Mac were causing the script’s reporting to have problems. Fortunately, I now have not one script where the problem has been fixed, but two! Both Peter Bukowinski and Mike Osterman stepped up and sent me fixes. If you had previously downloaded a copy of my script, I encourage you to get the new version.
Mike’s fixes have now been posted as part of my regular script and have been rolled into both the Casper Extension Attribute and the Absolute Manage Custom Info Item. Peter’s fix was a complete rewrite of my script to make it leaner and more efficient.
I’ve added Peter’s script to a new directory named scripts_by_third_parties. If anybody else wants to send me their own FileVault 2 status check scripts, please do so. I’ll be happy to host them here in my GitHub repo after testing them out and making sure they work.
A few months back, I posted a way to activate the Java web plug-ins from the command-line and also posted an accompanying script using PlistBuddy. At the time, I was only targeting the default user template as I was mostly doing test installs of 10.7 where I was creating new users. However, recently I’ve begun testing upgrades on machines with existing users and those users weren’t getting the new settings.
To fix this, I went digging in the latest build of DeployStudio. DeployStudio had recently included the ability to suppress the iCloud and gesture demos in ds_finalize, so I took a look to see if I could adapt what the DeployStudio developers had done for my own purposes. Sure enough, the answer to my problem was included as a for loop inside DeployStudio’s ds_finalize.sh script. (For those interested and who have DeployStudio handy, this script is in stored in /Applications/Utilities/DeployStudio Admin.app/Contents/Frameworks/DSCore.framework/Versions/A/Resources/Tools/Common/ds_finalize.sh.) The new script is also now using defaults instead of PlistBuddy (hat tip to Chris Hotte for posting how to use defaults to set the correct plist values.)
See below the jump for what the new and improved Java-enabling script looks like.
A while back, I had posted an AppleScript that Peter Bukowinski and I had built to provide an easy-to-use way to look up the location of an Active Directory home folder. With the changes to the Active Directory plug-in on Mac OS X 10.7.x, the script also needed to be updated so I’m posting the updated script and code. The script should be usable on AD-bound 10.6.x and 10.7.x Macs, and Peter has added some new functionality to display the correct fileshare connection information for both Macs and Windows boxes.
In order to work correctly, the script needs for the Mac to be bound to an AD domain. The AD-bound Mac also needs to be connected to the AD domain via a domain-reachable network connection or via VPN.
Using the script:
Launch the script and provide the username in the blank provided, then click OK.
The home folder’s address will then be displayed in a dialog box, with the correct fileshare information for both Windows and Mac. You’ll also be prompted to copy the home folder information to the Mac’s clipboard for pasting (if needed.) Click OK to dismiss the dialog without copying the information. Clicking any of the buttons will quit the script.
As before, it should be pretty generic but the only location I’ve tested it at is here at my workplace. If you’re planning to use it on 10.7.x AD-bound Macs, check the code as you will need to make some edits.