I do a lot of work with payload-free packages and I’ve looked for a while for a tool that would let me easily create them from existing scripts. While I have a process for creating them as needed with pkgbuild, this approach still requires some setup work.
After thinking about it and taking a look at various approaches, I’ve developed Payload-Free Package Creator.app, an Automator application that will allow the selection of an existing script and create a payload-free package that runs the selected script. For more details, see below the jump.
For the past few major releases, Sophos used a standard installer package to install both their free and paid antivirus solution. With the release of Sophos Anti-Virus 9.x though, Sophos changed how their antivirus solution for Macs was installed by switching to using an application to install it. For their customers using Sophos Enterprise Console, Sophos will still provide a installer metapackage, but all other customers now need to use the application to install Sophos Anti-Virus 9.x on Macs.
Curiously, Sophos went to some lengths to make their install application look like a standard installer package.
This extended to the point of naming the actual application as Installer, which is the same name as Apple’s Installer.
This switch away from using installer packages was a problem for Mac admins who wanted to deploy Sophos 9.x, but did not have Sophos’ enterprise console. After doing some research and reading a very helpful thread on JAMF Nation, it looks like it is possible to repackage Sophos 9.x for deployment. For more details, see below the jump.
In my shop, we use a Xerox color copier/printer along with a number of Canon ImageRunner printers. Like the Canons, I have the Xerox printer available in Casper’s Self Service so that our users can set this printer up themselves on their Macs. When I recently overhauled my Canon printer setups, I decided to also revisit how Self Service handled setting up the Xerox printer. Unlike our Canon printers, our Xerox printer used LPR already so I figured that getting the right drivers deployed should be straightforward.
Then I looked at Xerox’s driver page and saw three different driver installers available:
For 10.5.x – Xerox Print Driver 2.94.3
For 10.6.x – Xerox Print Driver 2.112.0
For 10.7.x through 10.9.x – Xerox Print Driver 2.113.0
I wanted to maintain roughly the same workflow as I had with the Canon printers, but I also wanted to make sure that the OS-appropriate driver was delivered to each Mac.
For details on how I addressed this, see below the jump.
In my shop, we use a number of Canon ImageRunner printers and have them set up in Casper’s Self Service so that our users can set them up themselves. All of the Canon printers in question have PostScript enabled, so I’ve been deploying the Canon PostScript drivers.
Historically, one of the things that was installed along with the drivers was a proprietary printing application that sat between the Mac’s CUPS printing system and the actual printer. That changed with the release of Canon’s 4.x PostScript drivers. With the new drivers, Canon has switched to using LPR and no longer uses that proprietary printing application.
Good news: Canon is no longer building in a custom printer program to handle talking to the printer; instead the new drivers are using LPR.
Bad news: Our existing printer setups that are available in Self Service do not work with the new printer drivers. I would need to delete and re-add our various printers to Self Service.
The bad news wasn’t a big problem by itself, but my testing showed that updating the printers in Self Service to accommodate the new printer drivers would make them no longer backwards-compatible with the old drivers. The new drivers would need to be installed in order for the new printers to work. Conversely, just pushing out the new drivers to our Macs could result in existing printer setups breaking.
In short, here were the problems I was looking at:
1. The old printer setups could not use the new drivers
2. The new printer setups could not use the old drivers
3. The new drivers needed to be installed before the new printer setup happened.
4. I didn’t want to break existing printer setups if I could avoid it.
Making the new drivers available in Self Service as standalone installers wasn’t an issue but I was concerned about adding them to the printer setups themselves. That potentially could result in the printer drivers being installed over and over again as people set up multiple printers on one Mac. I also wanted to avoid problems with accidentally trying to overwrite newer drivers, in the event that Canon released new drivers and someone installed them before I updated the driver installer in Self Service.
For details on how I addressed this, see below the jump.
Oracle’s Java 7 Update 51 has introduced new security requirements for browser plugins for applets and web start applications. However, not all applets are able to run using the new requirements. To help with this, Oracle has included a way to whitelist specific sites using Java 7’s new Exception Site List. This allows the applets and web start applications hosted on the specified sites to continue to work, even if they don’t meet the new security requirements in Java 7.
On Mac OS X 10.7 and higher, the Exception Site List is a plaintext file named exception.sites, which is stored in /Users/username/Library/Application Support/Oracle/Java/Deployment/security.
To help Mac admins manage the Exception Site List, I’ve written a script which is designed to add websites to Oracle’s Java 7’s Exception Site List without overwriting existing entries. For more details, see below the jump.
If you want others to be able to temporarily use your computer, but you don’t want to create an account for each user, Mac OS X allows you to create a guest account. This guest account allows a person to log in to the Mac without entering a password, but the account type has the following limitations:
- Guest users can’t make changes to other user accounts.
- Guest users can’t change setting on the computer.
- Guest users can’t log in remotely.
- Files created by guest users are deleted when the user logs out. As part of this, a temporary home folder is created for the guest’s files but this folder and its contents are deleted when the user logs out.
By default, OS X only allows the creation of a single guest account with the name of Guest. That said, it is possible to create custom guest accounts with names that are different from Guest. This would allow Mac admins to create multiple guest accounts if needed. See below the jump for more details.
As part of a project to assess the deployment options for National Instruments’ LabVIEW 2013 Pro, I was asked to see if I could deploy it through Casper’s Self Service. After some work, I was able to repackage the installer in a way that deploys smoothly. In the process, I saw a number of ways that this particular installer went against The Commandments of Packaging. See below the jump for details.
As part of a domain migration project, I was recently tasked with figuring out a way to handle migrating the Macs from one AD domain to another. I had the following requirements:
- Unbind the Mac from the old AD domain
- Bind the Mac to the new AD domain
- Migrate the user’s data from the old AD domain to the new AD domain
Preferably, it would be a procedure that anybody could use. That way, anyone on the team could be perform the migration process regardless of their personal skill level with Macs.
I had a pre-existing interactive script that I could modify and use to fulfill requirement 3, but I needed a way to fulfill requirements 1 and 2.
With some help from DeployStudio, I was able to develop an unbind / rebind procedure that fulfilled requirements 1 and 2. It also gave me the following features:
- Anyone on our helpdesk team could do it, regardless of familiarity with Macs or Active Directory.
- Potential for human error was minimized
- Reboots (generally a good idea when making directory service changes) were a built-in part of the migration process.
For details, see below the jump.
A while ago, I needed to script a method for binding Macs running 10.6.x and later to our Linux-based OpenLDAP server. Recently, we needed to move our OpenLDAP domain to a different OpenLDAP domain as part of a larger directory service migration project. A small part of that project was moving the LDAP-bound Macs to the new LDAP domain, preferably with as little disruption as possible.
One enormous advantage I had with this LDAP move was the following:
All UIDs, GIDs, usernames, passwords and group names were going to be identical between the two LDAP domains.
As a consequence, I would not need to do any permissions changes, rebuild accounts, make sure people got new passwords or a host of other things normally associated with a directory service change. My task was essentially to tell the Macs “Stop talking to the OpenLDAP service at that address, start talking to this other OpenLDAP service at this address”
As part of the project, I also wanted to accommodate two separate Active Directory domains differently. I wasn’t binding to AD as part of this process, but if a particular Mac was bound to Domain A, I wanted to unbind. If a Mac was bound to Domain B, I didn’t want to unbind but I did want the new LDAP server to be the primary authentication source.
Using my previous OpenLDAP binding script as a starting point, I was able to build a script to handle moving our Macs without downtime or account changes. See below the jump for details.
Apple has released Xcode 5.0.2 through the Mac App Store for all Macs running 10.8.4 and higher. While the command line tools for Mavericks are now included with Xcode, the command line tools for Mountain Lion can be installed separately through the Xcode preferences, in the Downloads section.
For my users who are developers, Xcode is part of their their new machine builds. I wanted to include Xcode 5.0.2 and also, where appropriate, install the command line tools automatically without needing to enter an Apple ID. With a little help from the Mac App Store, I was able to do this using Packages. See below the jump for the details.