Archive

Archive for January, 2013

Java blocked in Safari on 10.6.x – 10.8.x

January 31, 2013 20 comments

As of January 31st, it appears that Apple has blocked both Java 6 and Java 7 Update 11 from running in Safari.


Update 1 – February 1, 2013: Oracle has released Java 7 Update 13 to address the vulnerabilities in Java 7 Update 11. Once Java 7 Update 13 has been installed, Safari will no longer block the Java plug-in on 10.7.x – 10.8.x.



Update 2 – February 1, 2013: Apple has released Java for Mac OS X 10.6 Update 12 to address the vulnerabilities in Java 6 on 10.6.x Macs. Once Java for Mac OS X 10.6 Update 12 has been installed via Apple’s Software Update, Safari will no longer block the Java plug-in on 10.6.x.


To verify this on your own machine:

1. Open Safari on a Mac running 10.6.x or higher.

2. Go to http://www.java.com/en/download/testjava.jsp to test your Java browser plug-in.

Instead of a report that Java is working, you’ll receive a Blocked Plug-In message.

Screen Shot 2013-01-31 at 6.45.36 AM

The best workaround at this time is to use Firefox. I tested with Firefox 18 and Firefox is not blocking the Java plug-in at this time.

Screen Shot 2013-01-31 at 6.46.27 AM

Current Status:

Java 6 on 10.6.x: Apple has released Java for Mac OS X 10.6 Update 12 to address the vulnerabilities in Java 6 on 10.6.x Macs. Once Java for Mac OS X 10.6 Update 12 has been installed via Apple’s Software Update, Safari will no longer block the Java plug-in on 10.6.x.

Java 7 on 10.7.x and 10.8.x: Oracle has released Java 7 Update 13 to address the vulnerabilities in Java 7 Update 11. Once Java 7 Update 13 has been installed, Safari will no longer block the Java plug-in on 10.7.x – 10.8.x

The blocking was done by Apple’s built-in malware protection. For those interested, the list of acceptable browser plug-in versions is stored at /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

As of 7:07 AM on Thursday, January 31st, XProtect.meta.plist on my 10.8.2 laptop had the following contents:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>JavaWebComponentVersionMinimum</key>
	<string>1.6.0_37-b06-435</string>
	<key>LastModification</key>
	<string>Thu, 31 Jan 2013 04:41:14 GMT</string>
	<key>PlugInBlacklist</key>
	<dict>
		<key>10</key>
		<dict>
			<key>com.macromedia.Flash Player.plugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>11.3.300.271</string>
			</dict>
			<key>com.oracle.java.JavaAppletPlugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>1.7.11.22</string>
			</dict>
		</dict>
	</dict>
	<key>Version</key>
	<integer>2028</integer>
</dict>
</plist>


Java 6 plug-in
The plugin version installed by Apple is 1.6.0_37-b06-434. The plug-in blacklist is specifying that 1.6.0_37-b06-435 or higher is required, so 1.6.0_37-b06-434 is being blocked automatically.

Java 7 plug-in
The plugin version installed by the current Oracle Java 7 Update 11 installer is 1.7.11.21. The plug-in blacklist is specifying that 1.7.11.22 or higher is required, so 1.7.11.21 is being blocked automatically.

Updated FileVault 2 status scripts now available – now handles unencrypted Fusion drives

January 28, 2013 Leave a comment

I’ve updated the FileVault 2 status check scripts so that they’re now able to correctly handle unencrypted Fusion drives. The scripts should now report accurately on 10.8.x Macs that use Fusion drives, as well as other 10.7.x and 10.8.x Macs.

The changes are now available as part of my regular script. They have also been rolled into both the Casper Extension Attribute and the Absolute Manage Custom Info Item scripts. Use them in good health and please let me know if you find any problems with them.

Disabling the Sleep command in the Apple menu

January 27, 2013 3 comments

After recently participating in a discussion about disabling the Sleep command in the Apple menu, I wanted to document how to do this. This may be most useful for Mac terminal services, which was the context where I learned how to do this.

1. Log in with an account that has admin privileges

2. Open Terminal and run the following command:

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.PowerManagement SystemPowerSettings -dict SleepDisabled -bool YES

Screen Shot 2013-01-26 at 9.48.54 PM

3. You should see that the Sleep command is now grayed-out in the Apple menu.

Screen Shot 2013-01-26 at 9.48.58 PM

To revert back, you’ll need to do the following:

1. Log in with an account that has admin privileges

2. Open Terminal and run the following command:

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.PowerManagement SystemPowerSettings -dict SleepDisabled -bool NO

Screen Shot 2013-01-26 at 10.00.34 PM

3. Restart the Mac (this is necessary to apply the change.)

After the restart, you should see that the Sleep command is available again in the Apple menu.

Screen Shot 2013-01-26 at 9.52.41 PM

Updated daily server report scripts for 10.7.x and 10.8.x

January 26, 2013 2 comments

I’ve made some updates to the daily server report scripts that I host on my GitHub repo, as I recently tested them on 10.7.x and 10.8.x Server. The existing 10.5.x – 10.6.x script runs fine as-is on 10.7.x Server, but I needed to make a few changes for 10.8.x Server.

I updated the following parts to support 10.8 Server:

PATH

Added /Applications/Server.app/Contents/ServerRoot/usr/sbin to the PATH export, as serveradmin has moved to /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin

Changes to the UNSUCCESSFUL ATTEMPTS TO LOGIN VIA SSH section

In 10.8, /var/log/secure.log‘s functions have been moved to Apple System Log. The script is running syslog -k Time ge -24h | grep 'sshd' to check ASL for SSH activity in the last 24 hours. The SSH activity is exported to /private/tmp/ssh-status.txt, then ssh-status.txt is scraped for SSH errors.

You can access the scripts here on my GitHub repo:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/daily_server_report_script

Building Mac test environments with VMWare Fusion, NetBoot and DeployStudio

January 23, 2013 4 comments

When new software appears, Mac admins need test boxes that match their standard configuration in order to verify that the new software doesn’t adversely affect anything in their environment. In the past, this has usually meant that admins needed to either have an available test box, or go find one when they needed to test something.

The advent of good virtualization solutions meant it was easier to build test boxes without needing additional hardware, but getting the VM to match your standard could take some time and effort.

In VMWare Fusion 5.x, VMWare added NetBoot support for virtual machines running Mac OS X. This proved to be an enormous boon to Mac admins who used NetBoot to help set up their machines: They could now build VMs using the exact same processes that were used to build their users’ Macs. They could also leverage tools like createOSXinstallPkg to set up template VMs with either the latest available OS X installer from the Mac App Store or custom builds of OS X that ship with new hardware.

See below the jump for an example of how you can leverage VMWare’s NetBoot support, createOSXinstallPkg and DeployStudio to set up a new Mac VM with a factory-fresh install of OS X Mountain Lion.

Read more…

Setting up ESXi 5.1 on a 2011 Mac Mini Server

January 21, 2013 25 comments

One thing I’ve wanted to do for a while is virtualizing my home server setup, as well as making it easier to stand up (and take down) test servers as needed.

I’ve been doing a lot of work with VMWare Fusion on my Mac and could have gone that way, but I wanted to do the virtualization with VMWare’s free ESXi software. I hadn’t previously set up a dedicated hypervisor, so I wanted to learn how to do that.

I have a 2011 Mac Mini Server, which is fortunate because setting up ESXi on that Mini model has been well-documented in a number of places. The latest available version as of this date is ESXi 5.1, so I decided to install that. After some work, I now have ESX 5.1 running on my Mini Server. See below the jump for the details.

Read more…

Categories: VMware, VMware ESXi

Running remote commands via SSH

January 16, 2013 2 comments

On occasion, I need to run a single remote command on a single system, but don’t have a tool handy (like Apple Remote Desktop’s Send Unix function) to do it. If the machine in question has SSH enabled though, there’s a simple way to do this.

1. Open Terminal

2. Run the following command:

ssh username@server.domain.com "your command here"

For example, if you wanted to use tail to display the latest entries to /var/log/system.log, you would run the following command:

ssh username@server.domain.com "tail -f /var/log/system.log"

You’ll be prompted for a password, which will be used by SSH to log into the remote system. If the password is accepted, tail should start displaying the latest entries to /var/log/system.log as they’re written. To stop, you would hit Control-C as usual. That will stop the command’s execution and close the SSH connection automatically.

Screen Shot 2013-01-16 at 1.07.04 PM

When running commands that require elevated privileges, you’ll need to add the -t flag to your SSH command. -t tells SSH to force pseudo-tty allocation, which in turn provides a way to feed your account’s password to the remote server and run the command via sudo.

For example, if you wanted to restart opendirectoryd on a remote Mac running 10.8.x, you would run the following command:

ssh -t username@server.domain.com "sudo killall opendirectoryd"

You’ll be prompted for a password, which will be used by SSH to log into the remote system. You’ll then be prompted again for a password, which will be used by sudo to authenticate that your account is authorized to run the command with sudo. Once the command is run and completes successfully, the SSH connection closes automatically.

Screen Shot 2013-01-16 at 1.25.12 PM

Oracle Java 7 plug-in blocked by Safari

January 11, 2013 27 comments

It appears Apple has blocked Safari on 10.7 and 10.8 Macs from running Oracle’s Java 7 in the wake of a zero-day exploit for Java:

New Year Java Zero-Day Attacks Under Way


Update – January 31, 2013: It appears that Apple has blocked Java from running in Safari on Macs running 10.6.x and higher. New post with latest information available here.



Update – January 13, 2013: Oracle has released Java 7 Update 11 to address the vulnerabilities in Java 7 Update 10. Once Java 7 Update 11 has been installed, Safari will no longer block the Java plug-in.

You can download the latest Java installer for OS X from here: http://www.java.com/en/download/mac_download.jsp?locale=en


To verify this on your own machine:

1. Open Safari on a 10.7.x or 10.8.x Mac

2. Go to http://www.java.com/en/download/testjava.jsp to test your Java browser plug-in.

Instead of a report that Java is working, you’ll receive a Blocked Plug-In message.

Screen Shot 2013-01-11 at 9.39.41 AM

I’ve verified that 10.5.x and 10.6.x Macs do not appear to be affected by this, as they are not running Java 7.

Picture 1Screen shot 2013-01-11 at 10.07.36 AM

Oracle has not yet released an updated Java 7 installer, so there’s nothing currently available to fix this issue. The latest Java installer for OS X was released in November 2012 and contains the vulnerability.

The best workaround at this time is to use Firefox. I tested with Firefox 18 and Firefox is not blocking the Java plug-in at this time.

Update – January 12, 2013: Mozilla has announced that they are also now blocking the Java plug-in unless the user specifically authorizes it to run by clicking on the warning message for the plug-in.

Screen Shot 2013-01-12 at 2.57.08 PM

Chrome will not work as an alternate browser, as Oracle’s Java 7 browser plug-in only works with 64-bit applications. Firefox and Safari are both 64-bit, but Google Chrome is a 32-bit application.

Screen Shot 2013-01-11 at 9.45.26 AM

If the Java application you need to run does not require Java 7, you can also re-enable the Apple Java 6 browser plug-in. You can do this using the procedure in this post.

Update: The blocking was done by Apple’s built-in malware protection. For those interested, the list of acceptable browser plug-in versions is stored at /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

As of 12:26 PM on Friday, January 11th, XProtect.meta.plist on my 10.7.5 workstation had the following contents

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>LastModification</key>
	<string>Thu, 10 Jan 2013 22:48:02 GMT</string>
	<key>PlugInBlacklist</key>
	<dict>
		<key>10</key>
		<dict>
			<key>com.macromedia.Flash Player.plugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>11.3.300.271</string>
			</dict>
			<key>com.oracle.java.JavaAppletPlugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>1.7.10.19</string>
			</dict>
		</dict>
	</dict>
	<key>Version</key>
	<integer>1037</integer>
</dict>
</plist>

The plugin version installed by the current Oracle Java 7 Update 10 installer is 1.7.10.18. The plug-in blacklist is specifying that 1.7.10.19 or higher is required, so 1.7.10.18 is being blocked automatically.

Installing 10.6.8 on a 2011 Mac Mini

January 11, 2013 7 comments

A few months back, I saw that I was running out of space on my home theater Mac Mini. This was a 2007 Mac Mini with 2 GBs of RAM running 10.6.8, with a 1 TB drive that held media content and 2 TB backup drive connected via FireWire 400. I also noticed that it was struggling to play the latest HD movies from the iTunes Store.

This Mini also acted as my Tivo2Go server and DVD player, so I couldn’t just replace the Mini with an Apple TV and call it a day. So I pitched to my wife the idea of replacing the 2007 Mac Mini with a newer Mini and upgrading the storage with a 2 TB drive to hold media content and 4 TB backup drive connected via FireWire 800. To help future-proof it against future storage needs, I also wanted to get a Mini with Thunderbolt capability.

“Fine, but it needs to be able to run Front Row.”

That was a problem. The first Mini models to come with Thunderbolt were the 2011 Mac Minis. The 2011 Mac Minis were among the first Mac models that supported only 10.7.0 and higher. Front Row is noticeably absent in 10.7.0 and higher .

In short, I needed a 2011 Mac Mini to run Mac OS X 10.6.8.

After a bit of research and head-scratching, I was able to get both what I wanted and what my wife wanted. See below the jump for the details.

Read more…

Categories: Mac OS X

Updating server bookmarks in com.apple.sidebarlists.plist

January 10, 2013 1 comment

As part of server and storage changes, you may find that you’ve got obsolete bookmarks stored in Connect to Server‘s Favorite Servers: list. This is usually an inconvenience more than anything else, but I wanted to see if I could script a fix in the aftermath of a couple of shares moving from one server to another at work.

In my case, I wanted to update the Connect to Server server bookmarks for our local admin account. These bookmarks are stored in /Users/username/Library/Preferences/com.apple.sidebarlists.plist. I didn’t want to replace the existing com.apple.sidebarlists.plist file and I didn’t want to disturb any of the other settings in the file. I just wanted to change the values of a couple of keys in the plist without worrying about the order in which they were stored.

Thanks to the sed command, there is a way to do this. After some trial and error with the syntax, I found that this command did what I wanted:


/usr/bin/sed -i "" -e 's/smb:\/\/oldservername\/oldsharename/smb:\/\/newservername\/newsharename/g' /Users/username/Library/Preferences/com.apple.sidebarlists.plist

In order to be able to run sed on the file, I needed to convert it to XML first. Also, since the search and replace work is being done by the root account, I needed to fix the permissions on the file once sed had finished its work. To this, I’ve written the following script:

Update – January 16, 2013: I made some updates to the script to include OS and error checking.


#!/bin/sh

# Determine OS version
osvers=$(sw_vers -productVersion | awk -F. '{print $2}')

# Get current date
FILE_DATE=`date +%Y%m%d`


# If the Mac is running 10.5.8 or lower, the script should exit

if [[ ${osvers} -lt 6 ]]; then
   exit 0
fi

# If the Mac is running 10.6.0 or higher, the script should should run

if [[ ${osvers} -ge 6 ]]; then
   
   # Check for the /Users/username/Library/Preferences/com.apple.sidebarlists.plist file

   if [ -f /Users/username/Library/Preferences/com.apple.sidebarlists.plist ]; then
      
      # Back up the existing file

      /bin/cp /Users/username/Library/Preferences/com.apple.sidebarlists.plist /Users/username/Library/Preferences/com.apple.sidebarlists-$FILE_DATE.plist

      # Fix permissions on backup file

      /usr/sbin/chown username /Users/username/Library/Preferences/com.apple.sidebarlists-$FILE_DATE.plist
      
      # Convert plist to XML

      /usr/bin/plutil -convert xml1 /Users/username/Library/Preferences/com.apple.sidebarlists.plist

      # Search and replace in /Users/username/Library/Preferences/com.apple.sidebarlists.plist
      /usr/bin/sed -i "" -e 's/smb:\/\/oldservername\/oldsharename/smb:\/\/newservername\/newsharename/g' /Users/username/Library/Preferences/com.apple.sidebarlists.plist

      # Fix permissions on file
      
      /usr/sbin/chown username /Users/username/Library/Preferences/com.apple.sidebarlists.plist

   fi
fi

exit 0

As written, the script does a find and replace on /Users/username/Library/Preferences/com.apple.sidebarlists.plist as follows:

Find: smb://oldserver/oldsharename

Screen Shot 2013-01-10 at 10.31.58 AM

Replace with: smb://newserver/newsharename

Screen Shot 2013-01-10 at 10.32.14 AM

I’ve tested on Mac OS X 10.6.8, 10.7.5 and 10.8.2 and the scripted search and replace works on all three OSs. You will need to log out and log back in to see the changes.

For those interested, the script is available here on my GitHub repo:
https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/updating_connect_to_server_favorites

Follow

Get every new post delivered to your Inbox.

Join 126 other followers

%d bloggers like this: