Archive for the ‘Bash scripting’ Category

First Boot Package Install.pkg

May 13, 2013 2 comments

As covered previously, Greg Neagle’s createOSXinstallPkg is a versatile tool for installing or upgrading Mac OS X in a variety of situations. One of the nicer features is that you can edit the OS X installer to install additional packages.

However, the limitations of the OS X install environment mean that there are a number of installers that won’t install correctly. In particular, packages that rely on pre- or postflight scripts to perform important tasks may fail to run properly in the OS X install environment.
To help work around this limitation, I’ve developed First Boot Package Install.pkg, an installer package that enables other packages to be installed at first boot.

It’s designed for use with createOSXinstallPkg with the goal of allowing installer packages that can’t run in the OS X Install environment to be used as part of a createOSXinstallPkg deployment workflow. See below the jump for the details.

Changes to XProtect’s Java browser plug-in version management

May 11, 2013 2 comments

In last night’s XProtect update, Apple added two new version checks. The first new check looks for Apple’s com.apple.java.JavaAppletPlugin Java browser plug-in identifier. This Apple Java browser plug-in is running on Mac OS X 10.6.x or was installed on 10.7.x or later by Java for OS X 2012-005 or earlier. Installing Java for OS X 2012-006 and later on 10.7.x and 10.8.x automatically removes the Apple Java browser plug-in.

The second new check looks for Apple’s com.apple.java.JavaPlugin2_NPAPI Java browser plug-in identifier. In this case, the Apple Java plug-in was re-enabled using the procedure in the following Apple KBase article: http://support.apple.com/kb/HT5559

This update also removes the Oracle Java browser plug-in version check from 10.6.x’s XProtect. Both new Apple Java version checks and the Oracle Java browser plug-in version check are in the 10.7.x and 10.8.x XProtect. See below the jump for the details.

Script to run remote commands via SSH

As a follow-on to my earlier post about running remote commands with SSH, I noticed I was repeatedly running particular commands via SSH on remote machines. I was copying and pasting the bits I needed into Terminal, but it was still a manual process and manual processes should be scripted whenever possible.

Here’s the script I wrote to solve my particular problem.


#!/bin/bash

# At the prompt, enter the IP address
# or DNS name of the machine you want
# to connect to.

echo -n "Enter IP Address or Domain Name: "
read -r ipaddress

# At the prompt, enter the username
# of the account you want to log in
# with.

echo -n "Enter Username: "
read -r username

# At the prompt, enter the command that
# you want to run on the remote machine.

echo -n "Enter the command you want to run on the remote machine: "
read -r command

echo ""
echo ""

# Error checking to verify that the correct
# information has been entered. If incorrect
# info has been entered, selecting No will
# exit the script.

echo "Is the information below correct?"
echo ""
echo "Remote machine: $ipaddress"
echo "Username: $username"
echo "Command: $command"
echo ""
echo "If it is correct, select Yes"
echo ""
select yn in "Yes" "No"; do
    case $yn in
        Yes) echo "OK, the script will continue."; break;;
        No ) echo "To avoid errors, the script will need to be restarted. Exiting the script."; exit 0;;
    esac
done
echo ""
echo ""

# Check to see if the command needs to be
# run with root privileges. If root privileges
# are needed, the SSH connection will force 
# pseudo-tty allocation, which allows the command
# to be run via sudo

echo "Does this command need to run with root privileges? Once you select Yes or No, the command will run on the remote machine."
echo "Note: You will be prompted if authentication is required. If running the command as root, you may be prompted twice."
echo ""
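# The user@host argument is quoted and preceded by "--" so that a value
# beginning with "-" is never parsed as an ssh option.
select yn in "Yes" "No"; do
    case $yn in
        Yes) echo ""; ssh -t -- "$username@$ipaddress" "sudo $command"; break;;
        No ) echo ""; ssh -- "$username@$ipaddress" "$command"; break;;
    esac
done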

#Exiting the script
echo ""
echo ""
echo "Finished running the remote command"
exit 0

The script is also available on my GitHub repo at the following location:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/running_commands_remotely_with_ssh
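
One way to validate the hostname and username the script above reads before they reach the ssh command line. This is an added example, not part of the original script; the function names and the `SSH_BIN` variable are hypothetical.

```sh
#!/bin/sh
# Added example, not part of the original script. Function names are hypothetical.

# ssh client to invoke; overridable so the logic can be exercised without a network.
SSH_BIN=${SSH_BIN:-ssh}

# Accept DNS names and IPv4/IPv6 literals. Reject empty input, a leading "-"
# (ssh would parse it as an option) and any character outside the expected set.
valid_host() {
    case "$1" in
        ''|-*) return 1 ;;
        *[!A-Za-z0-9.:_-]*) return 1 ;;
    esac
    return 0
}

# Same idea for the account name: no leading "-", no "@", spaces or shell syntax.
valid_user() {
    case "$1" in
        ''|-*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# run_remote USER HOST yes|no COMMAND
# Validates the connection details, then calls ssh with every expansion quoted
# and "--" marking the end of ssh's own options.
run_remote() {
    user=$1 host=$2 as_root=$3 cmd=$4
    valid_user "$user" || { echo "Rejected username: $user" >&2; return 2; }
    valid_host "$host" || { echo "Rejected host: $host" >&2; return 2; }
    [ -n "$cmd" ] || { echo "No command given" >&2; return 2; }
    if [ "$as_root" = "yes" ]; then
        # -t forces pseudo-tty allocation so sudo can prompt for a password.
        "$SSH_BIN" -t -- "$user@$host" "sudo $cmd"
    else
        "$SSH_BIN" -- "$user@$host" "$cmd"
    fi
}
```

The command string itself is still interpreted by the remote shell, exactly as in the original script; only the connection details are constrained here.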

Managing Safari’s Java whitelist

April 19, 2013 4 comments

Safari 6.0.4 and later (for Mac OS X 10.7.x and 10.8.x) and 5.1.9 and later (for Mac OS X 10.6.x) now prompt you to enable the Java browser plug-in on a website-by-website basis. When a Java applet is allowed, it is added to a whitelist in Safari’s Security settings.

This was going to be an issue at my workplace, as we have a couple of applications that rely on Java applets running through the browser. To help fix this and manage the Safari Java whitelist, I’ve written a couple of scripts. These scripts are designed to add websites to Safari’s Java whitelist without overwriting existing entries. For more details, see below the jump.

Categories: Bash scripting, Java, Mac OS X

Automatically enable the Java web plug-ins setting in Safari 6.0.3 and later

March 16, 2013 12 comments

One of the features of Apple’s Safari 6.0.3 update is that it turns off the automatic execution of Java applets through Safari, even if the Java browser plug-in is otherwise enabled.

Safari 6.0.3 does allow for the automatic execution of Java applets to be re-enabled through the browser. However, if it’s been a while since a Java applet was launched, then automatic execution of Java applets is once again automatically disabled.

This was going to be an issue at my workplace, as we have a couple of applications that rely on Java applets running through the browser. Fortunately, I already had a fix for this issue; it just needed to be updated with some additional commands.

To make this work, I’ve written a script and launch agent combination. The script will perform a couple of tasks:

1. Set the com.apple.WebKit.JavaPlugInLastUsedTimestamp plist key in ~/Library/Preferences/.GlobalPreferences.plist

2. Enable the Enable applet plug-in and Web Start Applications setting in the Java Preferences application.


#!/bin/sh

# DYNAMICALLY SET THE UUID FOR THE BYHOST FILE NAMING
# Read the first part of the hardware UUID once, then pick the ByHost
# identifier format based on it.
UUID_PREFIX=$(ioreg -rd1 -c IOPlatformExpertDevice | grep -i "UUID" | cut -c27-50)
if [ "$UUID_PREFIX" = "00000000-0000-1000-8000-" ]; then
        MAC_UUID=$(ioreg -rd1 -c IOPlatformExpertDevice | grep -i "UUID" | cut -c51-62 | awk '{print tolower($0)}')
else
        MAC_UUID=$(ioreg -rd1 -c IOPlatformExpertDevice | grep -i "UUID" | cut -c27-62)
fi

# Enable Java browser plug-ins in Safari 6.0.3 and later
# for the current user by setting the com.apple.WebKit.JavaPlugInLastUsedTimestamp
# key in ~/Library/Preferences/.GlobalPreferences.plist

/usr/libexec/PlistBuddy -c "Delete :com.apple.WebKit.JavaPlugInLastUsedTimestamp" "$HOME/Library/Preferences/.GlobalPreferences.plist"
/usr/libexec/PlistBuddy -c "Add :com.apple.WebKit.JavaPlugInLastUsedTimestamp real $(( $(date "+%s") - 978307200 ))" "$HOME/Library/Preferences/.GlobalPreferences.plist"
/usr/bin/plutil -convert xml1 "$HOME/Library/Preferences/.GlobalPreferences.plist"

# Set the "Enable applet plug-in and Web Start Applications" setting in
# the Java Preferences for the current user.

/usr/libexec/PlistBuddy -c "Delete :GeneralByTask:Any:WebComponentsEnabled" "$HOME/Library/Preferences/ByHost/com.apple.java.JavaPreferences.${MAC_UUID}.plist"
/usr/libexec/PlistBuddy -c "Add :GeneralByTask:Any:WebComponentsEnabled bool true" "$HOME/Library/Preferences/ByHost/com.apple.java.JavaPreferences.${MAC_UUID}.plist"
/usr/libexec/PlistBuddy -c "Delete :GeneralByTask:Any:WebComponentsLastUsed" "$HOME/Library/Preferences/ByHost/com.apple.java.JavaPreferences.${MAC_UUID}.plist"
/usr/libexec/PlistBuddy -c "Add :GeneralByTask:Any:WebComponentsLastUsed real $(( $(date "+%s") - 978307200 ))" "$HOME/Library/Preferences/ByHost/com.apple.java.JavaPreferences.${MAC_UUID}.plist"
/usr/bin/plutil -convert xml1 "$HOME/Library/Preferences/ByHost/com.apple.java.JavaPreferences.${MAC_UUID}.plist"

# Forces preferences to be re-read

/usr/bin/killall cfprefsd

The LaunchAgent runs the script on login to any user account with the logging-in user’s privileges and permissions.

You can find the updated script here on my GitHub repo:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/enable_java_web_plugins_at_login

Checking for accounts with Remote Management rights

March 9, 2013 3 comments

Many Mac admins need to be able to detect which accounts have remote management rights on a particular Mac. Crafty users can be inventive about finding ways to grant themselves remote management rights, so admins need to be just as perceptive about identifying which accounts have them.

To help with the task of identifying which accounts have remote management rights, I’ve written a script to detect which local accounts have remote rights on a particular Mac.


#!/bin/sh

# Determines if the Remote Management settings are set
# for "All Users" or for "Only these users:" in System
# Preferences' Sharing preference pane

ARD_ALL_LOCAL=`/usr/bin/defaults read /Library/Preferences/com.apple.RemoteManagement ARD_AllLocalUsers`

# Lists all local user accounts on the Mac with a UID 
# of greater or equal to 500 and less than 1024. This 
# should exclude all system accounts and network accounts
# 
# List is displayed if the "All Users" setting is 
# set in the Remote Management settings.

ALL_ID500_PLUS_LOCAL_USERS=`/usr/bin/dscl . list /Users UniqueID | awk '$2 >= 500 && $2 < 1024 { print $1; }'`

# Lists all user accounts on the Mac that have been given
# explicit Remote Management rights. List is displayed if 
# the "Only these users:" setting is set in the Remote 
# Management settings.

REMOTE_MANAGEMENT_ENABLED_USERS=`/usr/bin/dscl . list /Users naprivs | awk '{print $1}'`


if [ "$ARD_ALL_LOCAL" = "1" ]; then
        result=$ALL_ID500_PLUS_LOCAL_USERS
elif [ "$ARD_ALL_LOCAL" = "0" ]; then
        result=$REMOTE_MANAGEMENT_ENABLED_USERS
fi

# Displays list of accounts that have 
# been given Remote Management rights

echo $result

I’ve posted the script here on my GitHub repo:
https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/check_for_remote_management_accounts

I’ve also modified it for use as a Casper Extension Attribute. I’ve posted it here on my GitHub repo:
https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Extension_Attributes/check_for_remote_management_accounts
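
Building on the script above, this added example (not from the original post) compares the accounts that hold Remote Management rights against an approved list and reports the rest. The function names, the allowlist and the sample `dscl` listings are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. All sample data is constructed.

# Constructed output of: dscl . list /Users UniqueID
SAMPLE_UID_LIST='_www 70
root 0
localadmin 501
jsmith 502
labguest 503
netuser 1025'

# Constructed output of: dscl . list /Users naprivs
SAMPLE_NAPRIVS_LIST='localadmin -1073741569
jsmith -2147483646'

# Hypothetical allowlist: space-separated accounts approved for Remote Management.
APPROVED_ACCOUNTS='localadmin'

# accounts_with_rights ARD_ALL_LOCAL UID_LIST NAPRIVS_LIST
# Same decision as the script above: "All Users" means every local account
# with a UID from 500 to 1023, otherwise only accounts carrying naprivs.
accounts_with_rights() {
    if [ "$1" = "1" ]; then
        printf '%s\n' "$2" | awk '$2 >= 500 && $2 < 1024 { print $1 }'
    elif [ "$1" = "0" ]; then
        printf '%s\n' "$3" | awk 'NF { print $1 }'
    else
        return 1    # setting missing or unreadable: report "unknown", not "none"
    fi
}

# unapproved_accounts ARD_ALL_LOCAL UID_LIST NAPRIVS_LIST APPROVED
# Prints each account that holds rights but is not on the allowlist.
unapproved_accounts() {
    holders=$(accounts_with_rights "$1" "$2" "$3") || return 1
    printf '%s\n' "$holders" | awk -v ok="$4" '
        BEGIN { n = split(ok, names, " "); for (i = 1; i <= n; i++) allowed[names[i]] = 1 }
        NF && !($1 in allowed) { print $1 }'
}
```

On a live Mac, pass the output of the `defaults read` and `dscl` commands from the script above in place of the sample variables.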

Managing Adobe Flash browser plug-in settings for Apple’s XProtect malware protection

March 8, 2013 1 comment

As a follow-up to my earlier post about managing XProtect’s ability to block Java browser plug-ins, a Mac admin named scifiman sent me a launchdaemon and script to manage Adobe Flash using a similar method. Thanks, scifiman!


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.company.xprotect_re-enable_adobe_flash</string>
	<key>ProgramArguments</key>
	<array>
		<string>sh</string>
		<string>/Library/Scripts/xprotect_re-enable_adobe_flash.sh</string>
	</array>
	<key>QueueDirectories</key>
	<array/>
	<key>RunAtLoad</key>
	<true/>
	<key>StartInterval</key>
	<integer>900</integer>
	<key>WatchPaths</key>
	<array/>
</dict>
</plist>


#!/bin/sh

# This script is a modified version of rtrouton's re-enable_java_6_and_7 script.
# This script will check the current Adobe Flash browser plug-in
# version and compare it against the minimum version allowed by
# Apple's XProtect malware protection. If the minimum Flash version
# allowed by XProtect does not allow the current version of the Flash
# browser plug-in on the Mac, the script will alter the Mac's
# /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
# file to set the minimum version allowed to match the current version
# of the Mac's Flash browser plug-in. This allows the Mac's current Flash
# browser plug-in to run in Safari without being blocked.
#
# Original script is from here:
# https://gist.github.com/scifiman/5109047
#

osvers=$(sw_vers -productVersion | awk -F. '{print $2}')

# javaVendor=`/usr/bin/defaults read "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info" CFBundleIdentifier`

CURRENT_FLASH_BUILD=`/usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Library/Internet\ Plug-Ins/Flash\ Player.plugin/Contents/Info.plist`
XPROTECT_FLASH_BUILD=`/usr/libexec/PlistBuddy -c "print :PlugInBlacklist:10:com.macromedia.Flash\ Player.plugin:MinimumPlugInBundleVersion" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist`

#
# Check to see if Xprotect is blocking Adobe's Flash browser plug-in and re-enable the plug-in if needed.
# Changes in this section are from Pepijn Bruienne's re-enable_java_6 script: https://github.com/bruienne
#

if [ -e /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist ]; then

	if [ "${CURRENT_FLASH_BUILD}" != "${XPROTECT_FLASH_BUILD}" ]; then

		/usr/bin/logger "Current Flash build (${CURRENT_FLASH_BUILD}) does not match the minimum build required by Xprotect (${XPROTECT_FLASH_BUILD}). Setting current version as the minimum build."
		/usr/libexec/PlistBuddy -c "Set :PlugInBlacklist:10:com.macromedia.Flash\ Player.plugin:MinimumPlugInBundleVersion $CURRENT_FLASH_BUILD" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
		/usr/bin/plutil -convert xml1 /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
		/bin/chmod a+r /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
	else
		/usr/bin/logger "Current Flash build is ${CURRENT_FLASH_BUILD} and Xprotect minimum build is ${XPROTECT_FLASH_BUILD}, nothing to do here."
	fi
fi

exit 0

The script has been tested on 10.6.8, 10.7.5 and 10.8.2, so it should cover all current OSs that use Apple’s XProtect malware protection.

Scifiman’s original gist is available here:

https://gist.github.com/scifiman/5109047

I’m hosting a copy of the script and launchdaemon here on my GitHub repo:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/xprotect_re-enable_adobe_flash

Using Apple Remote Desktop Admin to help script ARD kickstart options

March 7, 2013 1 comment

Apple Remote Desktop is a tool that just about every Mac admin uses at some point. The client is built into OS X and it’s usually straightforward to turn on. It also includes a command line tool called kickstart which can be used to configure the Apple Remote Desktop client. The kickstart tool is useful because you can use it to script your configuration. That said, if you have a complex ARD configuration, getting the kickstart options correct can be tricky.

One way to help with this is to have Apple Remote Desktop Admin do the kickstart configuration work for you. See below the jump for the details.

Managing Java browser plug-in settings for Apple’s XProtect malware protection

February 24, 2013 10 comments

In response to a number of recent Java exploits, both Apple and Mozilla have begun blocking vulnerable versions of Java from running in their respective browsers via their malware protection mechanisms. While this is the right move from a security perspective, it can leave enterprises without the ability to access mission-critical systems that use Java applets running in a browser.

The fix should be to update those affected machines with the latest version of Java. However, this assumes that a) the latest available version of Java is not itself blocked and b) the mission-critical system is able to use the latest version of Java.

From my own perspective, what Apple is doing from a malware protection standpoint is the right thing. I just don’t want my users to lose the ability to access our systems that use a Java applet, especially when the latest available version of Java is blocked and I don’t have a way to otherwise satisfy Apple’s XProtect malware protection without disabling XProtect.

My fix was this: manage XProtect’s ability to disable the Java browser plug-in by modifying the Java browser plug-in settings in the affected Mac’s /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist file. See below the jump for the details.

Deploying Java for Mac OS X 10.6 Update 12 using the softwareupdate tool

February 4, 2013 Leave a comment

With the latest round of Java browser blockages and updates being released, I wanted a way to deploy Apple’s Java for Mac OS X 10.6 Update 12 to those 10.6.x Macs that needed it. However, I wanted to make sure that I wasn’t deploying to machines that already had it. I also didn’t want to do a general Apple software update; I just wanted to update Java.

Fortunately, Apple’s softwareupdate command-line tool gives me a way to do this. I’m able to use the softwareupdate tool to list all available updates, then grep the list to see if the Java update I want is included:

softwareupdate -l | grep "Java"

For Macs that haven’t had Java for Mac OS X 10.6 Update 12 installed, the update should be named and described as follows:

   * JavaForMacOSX10.6-12.0
	Java for Mac OS X 10.6 Update 12 (12.0), 70724K [recommended]

The name that softwareupdate uses for the update will appear as the first item listed. In this case, it’s JavaForMacOSX10.6-12.0. I can also use softwareupdate to specify and install that update:

softwareupdate --install JavaForMacOSX10.6-12.0

I then wrote the following script that uses softwareupdate to install Java for Mac OS X 10.6 Update 12. It does the following:

1. Verify that Java for Mac OS X 10.6 Update 12 is an available update for this Mac.

2. If Java for Mac OS X 10.6 Update 12 is an available update, the script logs that the update is being installed. Apple’s softwareupdate tool then installs that update silently in the background.

3. If Java for Mac OS X 10.6 Update 12 is not an available update, the script logs that information then exits silently.

#!/bin/sh

#
# Using the softwareupdate tool
# to detect if the Mac has
# Java for Mac OS X 10.6 Update 12
# as an available update.
#

JAVA_UPDATE_DETECT=$( softwareupdate -l | grep -o "JavaForMacOSX10.6-12.0" )

#
# If Java for Mac OS X 10.6 Update 12
# is an available update, script installs
# the update. If Java for Mac OS X 10.6 Update 12 is
# not an available update, script reports that and
# exits.
#

if [ "${JAVA_UPDATE_DETECT}" = "JavaForMacOSX10.6-12.0" ]; then
      logger "Installing Java for Mac OS X 10.6 Update 12"
      softwareupdate --install JavaForMacOSX10.6-12.0
else
      logger "Java for Mac OS X 10.6 Update 12 not an available update. Exiting."
fi

exit 0

This script is available here on my GitHub repo:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/install_apple_java_updates
