Archive for the ‘Mac administration’ Category

First Boot Package Install.pkg

May 13, 2013 2 comments

As covered previously, Greg Neagle’s createOSXinstallPkg is a versatile tool for installing or upgrading Mac OS X in a variety of situations. One of the nicer features is that you can edit the OS X installer to install additional packages.

However, the limitations of the OS X install environment mean that there are a number of installers that won’t install correctly. In particular, packages that rely on pre- or postflight scripts to perform important tasks may fail to run properly in the OS X install environment.
To help work around this limitation, I’ve developed First Boot Package Install.pkg, an installer package that enables other packages to be installed at first boot.

It’s designed for use with createOSXinstallPkg with the goal of allowing installer packages that can’t run in the OS X Install environment to be used as part of a createOSXinstallPkg deployment workflow. See below the jump for the details.
Changes to XProtect’s Java browser plug-in version management

May 11, 2013 2 comments

In last night’s XProtect update, Apple added two new version checks. The first new check looks for Apple’s com.apple.java.JavaAppletPlugin Java browser plug-in identifier. This is the Apple Java browser plug-in that runs on Mac OS X 10.6.x, or that was installed on 10.7.x or later by Java for OS X 2012-005 or earlier. Installing Java for OS X 2012-006 and later on 10.7.x and 10.8.x automatically removes the Apple Java browser plug-in.

The second new check looks for Apple’s com.apple.java.JavaPlugin2_NPAPI Java browser plug-in identifier. In this case, the Apple Java plug-in was re-enabled using the procedure in the following Apple KBase article: http://support.apple.com/kb/HT5559

This update also removes the Oracle Java browser plug-in version check from 10.6.x’s XProtect. Both new Apple Java version checks and the Oracle Java browser plug-in version check are in the 10.7.x and 10.8.x XProtect. See below the jump for the details.
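To show what one of these version checks amounts to in practice, here is an added example (mine, not code from the post or from Apple) that reads the MinimumPlugInBundleVersion XProtect stores for a plug-in identifier and decides whether a given installed version would be blocked. The plist excerpt is constructed: the nesting (PlugInBlacklist, then a bundle identifier, then MinimumPlugInBundleVersion) follows the layout of Apple’s XProtect.meta.plist on 10.8, but the version strings are made up for the demo, and the parser only depends on the bundle-identifier key and the MinimumPlugInBundleVersion key beneath it.

```shell
#!/bin/sh
# Added example (not from the original post): look up the minimum allowed
# bundle version XProtect enforces for a browser plug-in identifier and
# decide whether a given installed version would be blocked. The sample
# plist below is constructed; its version numbers are not Apple's values.

XPROTECT_META="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist"

# Writes a constructed XProtect.meta.plist excerpt to the file named in $1.
write_sample_xprotect() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>PlugInBlacklist</key>
    <dict>
        <key>10</key>
        <dict>
            <key>com.apple.java.JavaAppletPlugin</key>
            <dict>
                <key>MinimumPlugInBundleVersion</key>
                <string>14.7.0</string>
            </dict>
            <key>com.apple.java.JavaPlugin2_NPAPI</key>
            <dict>
                <key>MinimumPlugInBundleVersion</key>
                <string>14.7.0</string>
            </dict>
            <key>com.oracle.java.JavaAppletPlugin</key>
            <dict>
                <key>MinimumPlugInBundleVersion</key>
                <string>1.7.17.02</string>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
EOF
}

# Prints the MinimumPlugInBundleVersion for bundle id $1 from plist $2
# (prints nothing when the id has no entry). index() matches the key
# literally, so dots in the identifier are not treated as regex.
plugin_min_version() {
    awk -v id="$1" '
        index($0, "<key>" id "</key>") { inplugin = 1; next }
        inplugin && /<key>MinimumPlugInBundleVersion<\/key>/ { want = 1; next }
        want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }
    ' "$2"
}

# Returns 0 when dotted version $1 is lower than dotted version $2.
# Missing trailing components count as 0, so 14.7 equals 14.7.0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            ai = (i <= n) ? x[i] + 0 : 0
            bi = (i <= m) ? y[i] + 0 : 0
            if (ai < bi) exit 0
            if (ai > bi) exit 1
        }
        exit 1
    }'
}

# Prints "blocked", "allowed" or "unlisted" for bundle id $1 at installed
# version $2, using plist $3 (defaults to the live XProtect.meta.plist).
plugin_status() {
    min=$(plugin_min_version "$1" "${3:-$XPROTECT_META}")
    if [ -z "$min" ]; then
        echo "unlisted"
    elif version_lt "$2" "$min"; then
        echo "blocked"
    else
        echo "allowed"
    fi
}

# Demo against the constructed sample.
sample=$(mktemp)
write_sample_xprotect "$sample"
for id in com.apple.java.JavaAppletPlugin com.oracle.java.JavaAppletPlugin; do
    echo "$id at 14.6.0: $(plugin_status "$id" 14.6.0 "$sample")"
done
rm -f "$sample"
```

Run against the real file by omitting the third argument to plugin_status; the installed version to compare comes from the plug-in bundle’s Info.plist (CFBundleVersion), which is the value XProtect checks.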

Script to run remote commands via SSH

As a follow-on to my earlier post about running remote commands with SSH, I noticed I was repeatedly running particular commands via SSH on remote machines. I was copying and pasting the bits I needed into Terminal, but it was still a manual process and manual processes should be scripted whenever possible.

Here’s the script I wrote to solve my particular problem.


#!/bin/bash

# At the prompt, enter the IP address
# or DNS name of the machine you want
# to connect to.

echo -n "Enter IP Address or Domain Name: "
read -r ipaddress

# At the prompt, enter the username
# of the account you want to log in
# with.

echo -n "Enter Username: "
read -r username

# At the prompt, enter the command that
# you want to run on the remote machine.
# (read -r keeps any backslashes in the command intact.)

echo -n "Enter the command you want to run on the remote machine: "
read -r command

echo ""
echo ""

# Error checking to verify that the correct
# information has been entered. If incorrect
# info has been entered, selecting No will
# exit the script.

echo "Is the information below correct?"
echo ""
echo "Remote machine: $ipaddress"
echo "Username: $username"
echo "Command: $command"
echo ""
echo "If it is correct, select Yes"
echo ""
select yn in "Yes" "No"; do
    case $yn in
        Yes) echo "OK, the script will continue."; break;;
        No ) echo "To avoid errors, the script will need to be restarted. Exiting the script."; exit 0;;
    esac
done
echo ""
echo ""

# Check to see if the command needs to be
# run with root privileges. If root privileges
# are needed, the SSH connection will force
# pseudo-tty allocation, which allows the command
# to be run via sudo. The user@host argument is
# quoted so that it reaches ssh as a single word.

echo "Does this command need to run with root privileges? Once you select Yes or No, the command will run on the remote machine."
echo "Note: You will be prompted if authentication is required. If running the command as root, you may be prompted twice."
echo ""
select yn in "Yes" "No"; do
    case $yn in
        Yes) echo ""; ssh -t "$username@$ipaddress" "sudo $command"; break;;
        No ) echo ""; ssh "$username@$ipaddress" "$command"; break;;
    esac
done

# Exiting the script
echo ""
echo ""
echo "Finished running the remote command"
exit 0

The script is also available on my GitHub repo at the following location:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/running_commands_remotely_with_ssh
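One thing to keep in mind with the script above is that ssh hands the remote side a single string, so whatever is in "$command" (or "sudo $command") is parsed a second time by the remote login shell: spaces split arguments, and quotes and $ are interpreted again. The following is an added example of mine, not code from the post or the GitHub repo, showing one way to quote a command and its arguments so they survive that re-parse. roundtrip stands in for the remote login shell so the quoting can be checked locally without ssh; run_remote is the non-interactive counterpart of the script’s ssh calls.

```shell
#!/bin/sh
# Added example (not from the original post): quote a command and its
# arguments so they survive the re-parse by the remote login shell.

# Emits every argument wrapped in single quotes, with embedded single
# quotes turned into the '\'' sequence, separated by spaces.
quote_args() {
    for arg in "$@"; do
        printf "'%s' " "$(printf '%s' "$arg" | sed "s/'/'\\\\''/g")"
    done
}

# Runs the quoted command through a fresh shell, as the remote sshd
# login shell would, and prints whatever the command prints.
roundtrip() {
    sh -c "$(quote_args "$@")"
}

# Runs the command on the remote host; with "root" as the third argument
# it goes through sudo with a pseudo-tty so the password prompt works.
# Usage: run_remote user host [root] -- command [args...]
run_remote() {
    user=$1; host=$2; shift 2
    as_root=no
    if [ "$1" = "root" ]; then as_root=yes; shift; fi
    [ "$1" = "--" ] && shift
    if [ "$as_root" = "yes" ]; then
        ssh -t "$user@$host" "sudo $(quote_args "$@")"
    else
        ssh "$user@$host" "$(quote_args "$@")"
    fi
}

# Demo: the path with a space, the literal $HOME and the apostrophe all
# arrive at the "remote" command as single, unchanged arguments.
roundtrip printf '%s\n' '/Users/Shared/My Report.txt' 'echo $HOME' "it's"
```

Because the quoting is done on the sending side, a file name with a space or an argument containing $ no longer needs to be hand-escaped at the prompt, and the command runs the same way whether or not it goes through sudo.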

ASR’s hidden documentation

April 30, 2013 2 comments

As part of trying to trace down a separate mystery, the folks in the ##osx-server IRC room made an interesting discovery: Apple’s asr tool has hidden documentation.

Normally, to access Apple’s documentation on a command-line tool, you would use man toolname_here or toolname_here help. asr has both of those, but it also has a separate command that reveals additional asr options not mentioned in the regular man or help pages.

With asr help, you get the following output:

Usage: asr  
   is one of the following:
    asr help | version
    asr restore --source  --target  []
    asr restore --source asr:/// --file  []
    asr server  --source  --config  []
    asr imagescan --source  [--filechecksum] [--nostream] [--SHA1]
   is in bytes but may end with a scale factor (b, k, m, g)

common  are any of:
      --source  path or url to disk image file, mountpoint, or
                        web accessible disk image
      --puppetstrings   print out messages in format good for machine parsing
      --verbose         display verbose output
      --debug           display debug output

restore  are any of:
      --target  path to volume or mountpoint
      --erase           formats target volume
      --format  target format when erasing (defaults to source)
      --noprompt        don't require confirmation on erase
      --noverify        don't checksum results
      --buffers    number of buffers to use in block copy
      --buffersize   size of buffers to use in block copy
      --csumbuffers   number of buffers for the checksum if different
      --csumbuffersize  size of buffers for the checksum if different
      --timeout      max wait for stream in multicast client mode

server  are any of:
      --interface  Use 'if' as the interface for the server's
                       outgoing stream
      --config  server configuration file in plist format

imagescan  are any of:
      --filechecksum calculate file checksum
      --nostream     don't reorder file for multicast streaming
      --SHA1         add a SHA-1 checksum to the image

However, when you run FULL_USAGE=1 asr help, you get the following output:

Usage: asr  
   is one of the following:
    asr help | version
    asr restore --source  --target  []
    asr restore --source asr:/// --file  []
    asr server  --source  --config  []
    asr imagescan --source  [--filechecksum] [--nostream] [--SHA1]
    asr partition --target  [--testsize ]
                           [--retestsize ] [--recoverysize ]
    asr freeze --target  [--testsize ]
                        [--retestsize ] [--recoverysize ]
    asr thaw --target  [--recovery] [--modifyrecovery]
    asr adjust --target  [--settype ]
   is in bytes but may end with a scale factor (b, k, m, g)

common  are any of:
      --source  path or url to disk image file, mountpoint, or
                        web accessible disk image
      --puppetstrings   print out messages in format good for machine parsing
      --verbose         display verbose output
      --debug           display debug output

restore  are any of:
      --target  path to volume or mountpoint
      --hidden          restore to the hidden customer software partition
      --erase           formats target volume
      --format  target format when erasing (defaults to source)
      --noprompt        don't require confirmation on erase
      --noverify        don't checksum results
      --buffers    number of buffers to use in block copy
      --buffersize   size of buffers to use in block copy
      --csumbuffers   number of buffers for the checksum if different
      --csumbuffersize  size of buffers for the checksum if different
      --timeout      max wait for stream in multicast client mode

server  are any of:
      --interface  Use 'if' as the interface for the server's
                       outgoing stream
      --config  server configuration file in plist format

imagescan  are any of:
      --filechecksum calculate file checksum
      --nostream     don't reorder file for multicast streaming
      --SHA1         add a SHA-1 checksum to the image

There are now four additional options listed:

    asr partition --target  [--testsize ]
                           [--retestsize ] [--recoverysize ]
    asr freeze --target  [--testsize ]
                        [--retestsize ] [--recoverysize ]
    asr thaw --target  [--recovery] [--modifyrecovery]
    asr adjust --target  [--settype ]

The question I don’t know the answer to is “What do these options do?”

I’ve seen asr adjust used to correct an incorrectly set Recovery HD partition, but I’m not familiar with what asr freeze and asr thaw do.

Do you know? Let me know in the comments.

FileVault Setup.app – local FileVault 2 encryption setup and enforcement

April 29, 2013 2 comments

I was recently asked to help test a new utility called FileVault Setup for setting up and enforcing FileVault 2 encryption. It’s designed to be a user-friendly interface for Apple’s fdesetup tool on OS X 10.8.x which supports turning on FileVault 2 encryption and enabling a single user account.

One nice thing about this tool from my perspective is that it’s designed to be independent of any server-based resources. To the best of my knowledge, this is the first tool I’ve seen that allows FileVault encryption to be enforced on a machine entirely from the machine’s own resources. See below the jump for the details.

Booting into single-user mode on a FileVault 2-encrypted Mac

April 26, 2013 3 comments

I recently communicated with a Mac admin who was concerned about using FileVault 2 in his environment because he didn’t want to lose access to tools like single-user mode. Like a number of Mac admins, he’d found single-user mode valuable in helping to diagnose and fix issues on troublesome Macs.

Fortunately, Apple makes it reasonably easy to boot into single-user mode on a FileVault 2-encrypted system. Here’s how to boot into single-user on a FileVault 2-encrypted system:

1. Hold down Command-S after powering the system.

2. The Mac will begin booting into single-user mode, then the FileVault 2 pre-boot login screen will appear.

3. Authenticate at the FileVault 2 pre-boot login screen by selecting an account and providing the account’s password.

4. The Mac will then unlock and continue booting into single-user mode.

To show what this looks like, I’ve made a short video showing the process. In this instance, I booted into single-user mode and performed a disk check using fsck, then continued with the rest of the boot process.

Migrating OS X VMs to a VMware ESXi server

April 6, 2013 10 comments

I’ve started using ESXi servers more and more for hosting my test Macs, both here and at work. As part of that, I’ve found it to be considerably easier for me to build the VM inside of VMware Fusion on my Mac and move it to ESXi than to build it from scratch on my ESXi server.

That said, I’ve found the process for moving OS X VMs has not been straightforward. When I first tried moving 10.8.x VMs, I tried both VMware’s OVF Tool and VMware’s Standalone Converter, but neither initially appeared to provide me with the ability to transfer working OS X 10.8.x VMs.

In the end, I was able to find a way to use VMware’s Standalone Converter to transfer 10.8.x VMs, but the process involves some extra steps on the ESXi server’s end.

The process I’ve developed involves using a Windows 7 VM running inside of VMware Fusion, with the VMware Standalone Converter application installed. One thing to note before proceeding further is that I did not try this with a vSphere server. All my work has been done with VMware’s free ESXi server, so it may be that there’s an easier way to do this with vSphere. See below the jump for details.

Setting the default boot drive from the boot volume menu

March 27, 2013 4 comments

This has been previously documented in a few places, but I just ran across this handy way to set the default boot drive from the boot volume menu.

When you start up a Mac holding down the Option key, the boot volume menu appears and displays all available bootable volumes. When you select a drive by clicking on it or selecting it with the arrow keys on your keyboard, it’ll boot from that drive until the next reboot. At the next reboot, unless you hold down the Option key again, the Mac will boot from whatever drive was set in the Startup Disk preference pane to be the default boot drive.

However, there’s also a way to change the default boot volume from the boot volume menu. In this case, once you get to the boot volume menu, you can let go of the Option key, then hold down the Control key. At that point, you should see the upward arrow icon that points at the currently selected drive turn into a circular arrow.

Once you select that drive and boot from it, it will now also be set as the Mac’s default boot drive.

Automatically enable the Java web plug-ins setting in Safari 6.0.3 and later

March 16, 2013 12 comments

One of the features of Apple’s Safari 6.0.3 update is that it turns off the automatic execution of Java applets through Safari, even if the Java browser plug-in is otherwise enabled.

Safari 6.0.3 does allow for the automatic execution of Java applets to be re-enabled through the browser. However, if it’s been a while since a Java applet was launched, then automatic execution of Java applets is once again automatically disabled.

This was going to be an issue at my workplace, as we have a couple of applications that rely on Java applets running through the browser. Fortunately, I already had a fix for this issue; it just needed to be updated with some additional commands.

To make this work, I’ve written a script and launch agent combination. The script will perform a couple of tasks:

1. Set the com.apple.WebKit.JavaPlugInLastUsedTimestamp plist key in ~/Library/Preferences/.GlobalPreferences.plist

2. Enable the Enable applet plug-in and Web Start Applications setting in the Java Preferences application.


#!/bin/bash

# DYNAMICALLY SET THE UUID FOR THE BYHOST FILE NAMING
#
# Older Macs report a platform UUID of the form
# 00000000-0000-1000-8000-<MAC address>; for those, the ByHost
# file name uses the lowercased MAC address portion. Newer Macs
# use the full hardware UUID as-is.

PLATFORM_UUID=$(ioreg -rd1 -c IOPlatformExpertDevice | grep -i "UUID" | cut -c27-62)

if [[ "${PLATFORM_UUID:0:24}" == "00000000-0000-1000-8000-" ]]; then
        MAC_UUID=$(echo "${PLATFORM_UUID:24:12}" | awk '{print tolower($0)}')
else
        MAC_UUID="$PLATFORM_UUID"
fi

# Preference files written below. Dates in these plists are stored as
# seconds since January 1, 2001 (Cocoa absolute time), so 978307200
# is subtracted from the Unix epoch time.

GLOBAL_PLIST="$HOME/Library/Preferences/.GlobalPreferences.plist"
JAVA_PLIST="$HOME/Library/Preferences/ByHost/com.apple.java.JavaPreferences.${MAC_UUID}.plist"
NOW=$(( $(date "+%s") - 978307200 ))

# Enable Java browser plug-ins in Safari 6.0.3 and later
# for the current user by setting the com.apple.WebKit.JavaPlugInLastUsedTimestamp
# key in ~/Library/Preferences/.GlobalPreferences.plist
# (the Delete commands clear any existing value; their error output
# is silenced because the key may not exist yet.)

/usr/libexec/PlistBuddy -c "Delete :com.apple.WebKit.JavaPlugInLastUsedTimestamp" "$GLOBAL_PLIST" 2>/dev/null
/usr/libexec/PlistBuddy -c "Add :com.apple.WebKit.JavaPlugInLastUsedTimestamp real $NOW" "$GLOBAL_PLIST"
/usr/bin/plutil -convert xml1 "$GLOBAL_PLIST"

# Set the "Enable applet plug-in and Web Start Applications" setting in
# the Java Preferences for the current user.

/usr/libexec/PlistBuddy -c "Delete :GeneralByTask:Any:WebComponentsEnabled" "$JAVA_PLIST" 2>/dev/null
/usr/libexec/PlistBuddy -c "Add :GeneralByTask:Any:WebComponentsEnabled bool true" "$JAVA_PLIST"
/usr/libexec/PlistBuddy -c "Delete :GeneralByTask:Any:WebComponentsLastUsed" "$JAVA_PLIST" 2>/dev/null
/usr/libexec/PlistBuddy -c "Add :GeneralByTask:Any:WebComponentsLastUsed real $NOW" "$JAVA_PLIST"
/usr/bin/plutil -convert xml1 "$JAVA_PLIST"

# Forces preferences to be re-read

/usr/bin/killall cfprefsd

The LaunchAgent runs the script on login to any user account with the logging-in user’s privileges and permissions.

You can find the updated script here on my GitHub repo:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/enable_java_web_plugins_at_login
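The post describes the LaunchAgent half of the combination but doesn’t show it, so here is an added example of mine (not the LaunchAgent from the repo) that writes one. A plist in /Library/LaunchAgents with RunAtLoad set is loaded by launchd at login for every user and runs with that user’s privileges, which is what the script needs since it edits the user’s own preference files. The label com.example.enable_java_web_plugins and the script path /Library/Scripts/enable_java_web_plugins.sh are assumptions; substitute wherever the script is actually deployed.

```shell
#!/bin/sh
# Added example (not from the original post): write a LaunchAgent that
# runs a script at login for every user. Label and script path are
# assumptions passed in as arguments.

# Writes a LaunchAgent plist for label $1 that runs script $2 into the
# directory $3 (defaults to /Library/LaunchAgents, so it applies to all
# users). Prints the path of the plist written.
write_launchagent() {
    label=$1; script=$2; outdir=${3:-/Library/LaunchAgents}
    plist="$outdir/$label.plist"
    cat > "$plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$label</string>
    <key>ProgramArguments</key>
    <array>
        <string>$script</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
    # launchd refuses agents in /Library/LaunchAgents that are writable by
    # anyone other than root, so keep the file at 644 (and root-owned when
    # installed for real).
    chmod 644 "$plist"
    echo "$plist"
}

# Demo into a scratch directory; point it at /Library/LaunchAgents for a
# real deployment (that step needs root).
tmp=$(mktemp -d)
write_launchagent com.example.enable_java_web_plugins /Library/Scripts/enable_java_web_plugins.sh "$tmp"
```

Because the agent runs as the logging-in user, the script it launches can only touch that user’s preference files, which is the intended scope here; a LaunchDaemon would run as root and would be the wrong tool for per-user preferences.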

Checking for accounts with Remote Management rights

March 9, 2013 3 comments

One thing a number of Mac admins need to be able to do for the Macs in their environment is detect which accounts have remote management rights on a particular Mac. Crafty users can be inventive about finding ways to grant themselves remote management rights, so admins need to be just as perceptive about identifying which accounts have them.

To help with the task of identifying which accounts have remote management rights, I’ve written a script to detect which local accounts have remote management rights on a particular Mac.


#!/bin/sh

# Determines if the Remote Management settings are set
# for "All Users" or for "Only these users:" in System
# Preferences' Sharing preference pane. The key reads as
# 1 for "All Users" and 0 for "Only these users:"; the
# error output is silenced in case the key has never been
# written on this Mac.

ARD_ALL_LOCAL=$(/usr/bin/defaults read /Library/Preferences/com.apple.RemoteManagement ARD_AllLocalUsers 2>/dev/null)

# Lists all local user accounts on the Mac with a UID
# of greater or equal to 500 and less than 1024. This
# should exclude all system accounts and network accounts
#
# List is displayed if the "All Users" setting is
# set in the Remote Management settings.

ALL_ID500_PLUS_LOCAL_USERS=$(/usr/bin/dscl . list /Users UniqueID | awk '$2 >= 500 && $2 < 1024 { print $1; }')

# Lists all user accounts on the Mac that have been given
# explicit Remote Management rights (only those accounts
# carry the naprivs attribute). List is displayed if
# the "Only these users:" setting is set in the Remote
# Management settings.

REMOTE_MANAGEMENT_ENABLED_USERS=$(/usr/bin/dscl . list /Users naprivs | awk '{print $1}')

if [ "$ARD_ALL_LOCAL" = "1" ]; then
        result=$ALL_ID500_PLUS_LOCAL_USERS
elif [ "$ARD_ALL_LOCAL" = "0" ]; then
        result=$REMOTE_MANAGEMENT_ENABLED_USERS
fi

# Displays list of accounts that have
# been given Remote Management rights.
# $result is deliberately left unquoted so the
# account names are joined on a single line.

echo $result

I’ve posted the script here on my GitHub repo:
https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/check_for_remote_management_accounts

I’ve also modified it for use as a Casper Extension attribute. I’ve posted it here on my GitHub repo:
https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Extension_Attributes/check_for_remote_management_accounts
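The script reports who has rights; the follow-up an admin usually wants is to compare that report against the accounts that are supposed to have them. The following is an added example of mine (not part of the post or the repo) that does that comparison and also covers the case the script leaves open: when ARD_AllLocalUsers is neither 1 nor 0 (the key missing because Remote Management was never configured), no account is treated as having rights. The account names and the approved list are constructed for the demo; the lists would normally come from the script’s two dscl queries.

```shell
#!/bin/sh
# Added example (not from the original post): compare the accounts that
# hold Remote Management rights against an approved list and report the
# ones that should not be there. All names below are constructed.

# Decides which list applies from the ARD_AllLocalUsers value ($1):
# 1 = every local account ($2), 0 = only the explicitly granted accounts
# ($3), anything else (key missing, never configured) = no accounts.
rights_holders() {
    case "$1" in
        1) printf '%s\n' "$2" ;;
        0) printf '%s\n' "$3" ;;
        *) : ;;
    esac
}

# Prints the lines of $2 (accounts with rights) that are not in $1
# (approved accounts). Blank lines are dropped so an empty list of
# rights holders produces no output.
unexpected_accounts() {
    approved_file=$(mktemp); found_file=$(mktemp)
    printf '%s\n' "$1" | sed '/^$/d' | sort -u > "$approved_file"
    printf '%s\n' "$2" | sed '/^$/d' | sort -u > "$found_file"
    comm -13 "$approved_file" "$found_file"
    rm -f "$approved_file" "$found_file"
}

# Constructed sample: what the two dscl queries returned on a test Mac,
# and the accounts this (hypothetical) site approves for remote management.
ALL_LOCAL="admin
helpdesk
jsmith"
EXPLICIT="admin
jsmith"
APPROVED="admin
helpdesk"

# Demo for each possible state of the ARD_AllLocalUsers key.
for setting in 1 0 ""; do
    echo "ARD_AllLocalUsers='$setting':"
    unexpected_accounts "$APPROVED" "$(rights_holders "$setting" "$ALL_LOCAL" "$EXPLICIT")" | sed 's/^/  unexpected: /'
done
```

Feeding the two variables from the original script into rights_holders and the result into unexpected_accounts turns the inventory into a check that can be run on a schedule; any non-empty output is an account to look into.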
