Archive for the ‘Mac administration’ Category

First Boot Package Install Generator.app

October 19, 2014

With the release of Yosemite, Apple has apparently made an undocumented change to the way it allows packages to be added to the OS installer. If you add any additional packages for installation as part of the OS install/upgrade, they must all be distribution-style flat packages. You can convert a component flat package to a distribution-style flat package by running the command below:

productbuild --package /path/to/component.pkg /path/to/distribution.pkg

This change is a problem for First Boot Package Install.pkg and First Boot Package Install With Automated Apple Software Update.pkg, as they are both built as a bundle-style package and not as flat packages. While both First Boot Package Install.pkg and First Boot Package Install With Automated Apple Software Update.pkg run fine on Yosemite, they cannot be added to customized NetInstall images created with System Image Utility or to createOSXinstallPkg-built Yosemite OS installer packages.
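A way to sort a folder of packages into the three styles discussed above and convert only the flat component ones, as an added example that is not part of the original post or of First Boot Package Install. The function names are hypothetical, and the check assumes the usual flat-package layout, where a distribution-style package has a top-level `Distribution` file and a component package has a top-level `PackageInfo` file.

```sh
#!/bin/sh
# Added example: classify installer packages and convert flat component
# packages to distribution-style ones with productbuild (run on OS X).

# Classify a flat package from its xar table of contents, read on stdin.
# Assumption: a distribution-style package has a top-level "Distribution"
# file; a component package has a top-level "PackageInfo" file instead.
classify_listing() {
    awk '
        $0 == "Distribution" { dist = 1 }
        $0 == "PackageInfo"  { comp = 1 }
        END {
            if (dist)      print "distribution"
            else if (comp) print "component"
            else           print "unknown"
        }'
}

# Print the style of the package at path $1.
pkg_style() {
    if [ -d "$1" ]; then
        echo "bundle"      # bundle-style packages are directories
    elif [ -f "$1" ]; then
        xar -tf "$1" 2>/dev/null | classify_listing
    else
        echo "missing"
    fi
}

# Put a distribution-style copy of every flat package in folder $1 into
# folder $2, and report anything that cannot be converted this way.
convert_folder() {
    src=$1 out=$2
    mkdir -p "$out" || return 1
    for pkg in "$src"/*.pkg; do
        [ -e "$pkg" ] || continue
        name=$(basename "$pkg")
        case $(pkg_style "$pkg") in
            distribution) cp "$pkg" "$out/$name" ;;
            component)    productbuild --package "$pkg" "$out/$name" ;;
            *)            echo "skipped (not a flat package): $name" >&2 ;;
        esac
    done
}
```

Bundle-style packages such as the two First Boot packages are reported as skipped, since `productbuild --package` only covers the component-to-distribution case.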

To address this issue, I’ve developed First Boot Package Install Generator.app, an Automator application that will allow the selection of a folder containing installer packages and then generate a distribution-style flat package that enables the selected packages to be installed at startup. It’s designed for use with createOSXinstallPkg with the goal of allowing installer packages that can’t run in the OS X Install environment to be used as part of a createOSXinstallPkg deployment workflow. See below the jump for the details.

Disabling the iCloud and Diagnostics pop-up windows in Yosemite

October 16, 2014

Starting in 10.7.2, Apple has set the iCloud sign-in to pop up on the first login.

In 10.10, Apple added a new Diagnostics & Usage window that pops up at first login after the iCloud sign-in.

Since having these pop-up windows appear may not be desirable in all Mac environments, it makes sense to be able to turn this off for new user accounts. As part of preparing for Yosemite in my own shop, I’ve developed a script that should disable both the iCloud and Diagnostics pop-ups on 10.7.2 – 10.10.0. See below the jump for the details.

Scripted decryption when using a FileVault 2 institutional recovery key with Mavericks’ Recovery HD

October 4, 2014

Something that has usually been a manually-driven process for me has been FileVault 2 decryption when using an institutional recovery key. In large part, this is because you need to boot to either Recovery HD or Apple’s Internet Recovery. When you combine that with this known issue with decrypting when booted from Recovery HD or Apple’s Internet Recovery, it made me wish for a scripted process for decrypting when using an institutional recovery key.

Apparently, I should wish for things more often because @ttaniguti has developed a script that does precisely that. FileVault Rescue’s decrypt.sh script is designed to properly decrypt a FileVault 2-encrypted Mac using an institutional recovery key while the Mac is booted to Mavericks’ Recovery HD or Apple’s Internet Recovery.

In my testing, the script works fine on a FileVault 2-encrypted Mac running 10.9.5 and it avoids the known issues with decrypting while booted from Recovery HD by running diskutil cs revert twice at the proper times in the decryption process.

To use this script, you will need the following:

1. A FileVaultMaster.keychain file that contains the private key of your institutional recovery key.

2. The unlock password for the FileVaultMaster.keychain file stored in a plaintext file named pass.txt

Once you have both of these, copy the two files along with the decrypt.sh script to something that you’ll be able to access while booted to Mavericks’ Recovery HD or Apple’s Internet Recovery. A USB flash drive would work well here.

A YouTube video is available to show you how to use the script and I’ve linked it below:

Hat tip to Allister Banks for letting me know about this script.

Disabling the Featured Banner in Casper 9.5.1

September 24, 2014 1 comment

As part of preparing for Yosemite, I’ve started testing Casper 9.5.1. As part of my testing, I wanted to address an issue that first appeared for me in Casper 9.4: The blue Featured banner in Self Service.

I use the Featured setting to publish items to the Self Service landing page. When I upgraded my test environment to Casper 9.4, I noticed that all of my Featured items now had a blue Featured banner. Since everything on the main landing page is set to be Featured, in my opinion the banner is distracting and does not add value.

I have submitted a feature request to be able to turn off the blue Featured banner, but as of 9.5.1 this feature request is marked as UNDER REVIEW and has not been implemented. Since I anticipate that I’ll have Macs running Yosemite within the next month, I’ll likely need to deploy Casper 9.5.1 and I wanted to be able to stop this banner from appearing in 9.5.1’s Self Service.

The approach I adopted was to take a copy of the appropriate PNG file on the Casper server and use Preview’s Instant Alpha tool to make all content in the image transparent. In effect, I wanted to have the Featured banner file still be there (to help avoid failures in the event that something in Self Service was checking for the file’s presence) but have the banner itself be completely invisible to my users. This approach worked just fine in my testing and it appears to be similar to what Christopher Collins is using in his shop.

For those who want a copy of the transparent PNG file that I created, I have it available for download here. Once downloaded and uncompressed, it’ll be a PNG file named casper_95_featured.png.

Using the downloaded PNG file, here’s how to deploy on a Casper server to make the Featured banner transparent:

NOTE: The instructions below are for a Casper server running on Red Hat Enterprise Linux, where the JSS Tomcat directory is stored in /usr/local/jss and the Tomcat server has an associated tomcat7 user. The JSS Tomcat directory may be installed in a different location and the Tomcat user may not be named tomcat7 on operating systems other than RHEL. When in doubt, contact JAMF Support for assistance.

1. Log into the Casper server using an account that can use root privileges.

2. Copy casper_95_featured.png into /usr/local/jss/tomcat/webapps/ROOT/images/selfservice2

3. Rename the existing featured.png in /usr/local/jss/tomcat/webapps/ROOT/images/selfservice2 to now be named featured_bak.png

4. Rename casper_95_featured.png to now be named featured.png

5. Run the following command with root privileges:

chown tomcat7:tomcat7 /usr/local/jss/tomcat/webapps/ROOT/images/selfservice2/featured.png

6. Start Self Service and verify that the blue Featured image does not appear.
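Steps 2 through 5 above as a single function, as an added example that is not part of the original post. The function names are hypothetical; it goes slightly beyond the steps by refusing to overwrite an existing featured_bak.png and by including a rollback that restores the original banner.

```sh
#!/bin/sh
# Added example, not from the original post: steps 2-5 as one function,
# plus a rollback that puts the original banner back.
# Usage on the RHEL server described in the NOTE (run with root privileges):
#   swap_featured_png ./casper_95_featured.png \
#       /usr/local/jss/tomcat/webapps/ROOT/images/selfservice2 tomcat7:tomcat7

# swap_featured_png NEW_PNG IMAGE_DIR OWNER
#   NEW_PNG    downloaded casper_95_featured.png (located outside IMAGE_DIR)
#   IMAGE_DIR  .../tomcat/webapps/ROOT/images/selfservice2
#   OWNER      user:group that Tomcat runs as
swap_featured_png() {
    new=$1 dir=$2 owner=$3
    [ -f "$new" ] || { echo "missing replacement image: $new" >&2; return 1; }
    [ -f "$dir/featured.png" ] || { echo "no featured.png in $dir" >&2; return 1; }
    # Refuse to run twice: a second run would overwrite the saved original
    # banner in featured_bak.png with the transparent image.
    if [ -e "$dir/featured_bak.png" ]; then
        echo "featured_bak.png already exists in $dir" >&2
        return 1
    fi
    cp "$new" "$dir/casper_95_featured.png" || return 1               # step 2
    mv "$dir/featured.png" "$dir/featured_bak.png" || return 1        # step 3
    mv "$dir/casper_95_featured.png" "$dir/featured.png" || return 1  # step 4
    chown "$owner" "$dir/featured.png" || return 1                    # step 5
}

# restore_featured_png IMAGE_DIR: undo the swap using the step 3 backup.
restore_featured_png() {
    dir=$1
    [ -f "$dir/featured_bak.png" ] || { echo "no backup in $dir" >&2; return 1; }
    mv "$dir/featured_bak.png" "$dir/featured.png"
}
```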

If the blue Featured banner is still appearing in Self Service, the Featured banner may be cached on individual Macs. To fix this, you can clear the Self Service cache on the affected machines by following the procedure below:

1. Quit Self Service

2. Remove the com.jamfsoftware.selfservice folder from /Users/username/Library/Caches/

3. Relaunch Self Service

The blue Featured banner should no longer appear in Self Service.

Stopping unwanted collabd errors in /var/log/system.log on Mavericks Server

September 5, 2014 2 comments

As part of standing up a new DeployStudio server on Mavericks Server in my shop, I noticed that I had a lot of errors showing up in /var/log/system.log that looked like this:

September 5 10:21:16 servername_here collabd[240]: [CSConnectionPool.m:196 fa7d000 +9998ms] Could not open a connection to Postgres. Please make sure it is running and has the correct access.
September 5 10:21:16 servername_here collabd[240]: [CSXCWorkSchedulerService.m:196 fa7d000 +0ms] Failed to open DB connection, retrying in 10s: [CSDatabaseError] Connection to DB failed

This error is caused by OS X Server’s wiki service trying and failing to get a database connection. Googling for those errors led me to a lot of results on how to fix a busted Wiki on OS X Server, but I wasn’t interested in running OS X’s wiki service on this box. If you’re in a similar situation, the collabd service can be stopped via Mavericks Server’s serveradmin tool to fix this issue.

To stop the collabd service, run the following command:

sudo serveradmin stop collabd

After a few minutes, you should see the following output:

collabd:state = "STOPPED"

The errors should also stop appearing in /var/log/system.log.

Deploying Sophos Enterprise Anti-Virus for Mac OS X 9.x

September 2, 2014 10 comments

For the past few major releases, Sophos used a standard installer package to install both their free and paid antivirus solutions. With the release of Sophos Anti-Virus 9.x though, Sophos changed how their antivirus solution for Macs was installed. Sophos has now switched to using an application to install their antivirus. However, for their customers using Sophos Enterprise Console, Sophos still provides an installer metapackage. This is good news for Mac admins, but the configuration and login credentials that used to be stored in /Library/Preferences/com.sophos.sau.plist in Sophos 8.x have been overhauled in Sophos 9.x. In Sophos 9.x, /Library/Preferences/com.sophos.sau.plist no longer contains login information, only server locations.

The login credentials no longer being available in /Library/Preferences/com.sophos.sau.plist meant that the Sophos Anti-Virus client was not able to connect back to the Sophos enterprise console and receive either management or updates. Since those login credentials were working in my shop for machines in Active Directory OUs that the Sophos enterprise console was managing, that meant that those credentials were available somewhere on the system. After working on the problem in his own shop, Tim Kimpton figured out that both of the following files were needed:

/Library/Preferences/com.sophos.sau.plist

/Library/Sophos Anti-Virus/Sophos.keychain

Once I had this information and understood what was going on, I was able to build and deploy a Sophos Enterprise Anti-Virus for Mac OS X 9.x installer that was able to install a pre-configured set of auto-update settings. For more details, see below the jump.

First Boot Package Install With Automated Apple Software Update.pkg

August 31, 2014 3 comments

While working recently on First Boot Package Install.pkg, I decided to implement a way to automatically install all available Apple software updates along with enabling other packages to be installed at first boot. After some work and testing, I’m happy to announce the release of First Boot Package Install With Automated Apple Software Update.pkg.

The main difference between First Boot Package Install.pkg and First Boot Package Install With Automated Apple Software Update.pkg is that before installing the user-selected packages, all available Apple software updates are downloaded and installed. By design, the First Boot Package Install With Automated Apple Software Update.pkg script will use Apple’s softwareupdate tool to check for and install available updates, then reboot the Mac automatically until all available updates have been installed.

As not all shops that may want to use First Boot Package Install.pkg will find this functionality to be needed or desirable, I’ve set up a new repo on Github for First Boot Package Install With Automated Apple Software Update.pkg. That way, Mac admins will be able to choose which one they want to use.

All First Boot Package Install With Automated Apple Software Update.pkg components and scripts are available at my GitHub repo:

https://github.com/rtrouton/First-Boot-Package-Install-With-Automated-Apple-Software-Update

Please see the README available at the repo for how to use First Boot Package Install With Automated Apple Software Update.pkg. The Iceberg project files are also available via the link above if you want to build a customized First Boot Package Install With Automated Apple Software Update.pkg for your own environment.
