Archive

Archive for the ‘Mac administration’ Category

CasperCheck – an auto-repair process for Casper agents

April 23, 2014 1 comment

One of the issues that I occasionally run into in my shop is that sometimes the Casper agent on my Macs stop working properly. They stop checking in with the Casper server, or check in but can’t run policies anymore. I’ve set up smart groups on my Casper server to help me identify these machines, but actually fixing them has not been an automated process.

While at the JAMF Nation User Conference in October 2013, I was fortunate enough to hear Mike Dodge and Ajay Chand talk about the challenges they faced at Facebook with keeping Casper agents working in an environment where users are encouraged to break down any obstacle that gets in their way (sometimes, the obstacles in question were perceived to include the Casper agent.) As part of their talk, they mentioned they had a scripted way to verify that the Casper agent was running properly and automatically fix it if it wasn’t. This was a capability that I wanted to include in my own environment, so I asked them if this was going to be available at some point. They said it would be, so I waited to see what would be released.

At this point, the story fast forwards to March 2014, where the Facebook team was able to release their code to GitHub and I was able to take a look and see what they had done. I saw that I could adapt some of their work, but I would need to do additional work on my end to develop a solution that not only worked in my environment, but would be relatively straightforward to adapt to work in others’.

After a lot of work and testing, I’m happy to announce the release of CasperCheck. This is a script-driven solution that will do the following:

A. Check to see if a Casper-managed Mac’s network connection is live

B. If the network is working, check to see if the machine is on a network where the Mac’s Casper JSS is accessible.

C. If both of the conditions above are true, check to see if the Casper agent on the machine can contact the JSS and run a policy.

D. If the Casper agent on the machine cannot run a policy, the appropriate functions run and repair the Casper agent on the machine.

For more details, see below the jump.

Read more…

First Boot Package Install Revisited

April 17, 2014 1 comment

As covered previously, Greg Neagle’s createOSXinstallPkg is a useful tool for installing or upgrading Mac OS X in a variety of situations. One of the nicer features is that you can edit the OS X installer to install additional packages.

However, the limitations of the OS X install environment mean that there are a number of installers that won’t install correctly. In particular, packages that rely on pre- or postflight scripts to perform important tasks may fail to run properly in the OS X install environment.

To help work around this limitation, I developed First Boot Package Install.pkg, an installer package that enables other packages to be installed at first boot. It’s designed for use with createOSXinstallPkg with the goal of allowing installer packages that can’t run in the OS X Install environment to be incorporated into a createOSXinstallPkg-using deployment workflow.

The first version of First Boot Package Install.pkg had some limitations though, with the biggest one probably being that you couldn’t tell what it was doing when it was running. Instead, all that was displayed was the gray Apple loading screen.

AppleBootScreen

I tried various approaches of booting into verbose mode and writing log entries to the console, but none of the approaches were good enough to introduce into production. Fortunately, Per Olofsson developed exactly what I was looking for with his LoginLog tool.

login_log

Using LoginLog.app as a way to display updates to the user, I’ve been able to update First Boot Package Install.pkg with improved visual feedback. I’ve also now incorporated another piece of feedback I’ve received, which is to add a network check. This new check makes sure that the Mac has a network address other than 127.0.0.1 or 0.0.0.0 before it proceeds to install any packages. For more details, see below the jump.

Read more…

Repackaging the Microsoft Lync 14.0.8 installer

April 10, 2014 4 comments

Microsoft has released Microsoft Lync 14.0.8, which included compatibility with Mavericks. Since we have several folks using both Lync and Mavericks, I wanted to get this into our Casper server’s Self Service as soon as possible.

To test installing it, I downloaded the installer on a disk image from Microsoft’s site, then renamed the package from Lync Installer.pkg to Lync 14.0.8 Installer.pkg. After renaming it, I set up an installation policy for Self Service, scoped the policy so that only my test machine could see it, then ran the installation.

Failed.

I go check the logs and see this entry:

/usr/sbin/jamf is version 8.73
Executing Policy Microsoft Lync...
[STEP 1 of 2]
Downloading BOM for Lync 14.0.8 Installer.pkg...
This Apple Package did not have a valid index.bom file. Assuming it is a flat file package.
Downloading http://casper.server.here/repo_name/Packages//Lync 14.0.8 Installer.pkg...
Error: The package could not be found on the server.
[STEP 2 of 2]
Running Recon...
Displaying message to end user...

OK, maybe I did that wrong. Deleted the package and this time uploaded the installer to my Casper server without changing the name from Lync Installer.pkg.

/usr/sbin/jamf is version 8.73
Executing Policy Microsoft Lync...
[STEP 1 of 2]
Downloading BOM for Lync Installer.pkg...
This Apple Package did not have a valid index.bom file. Assuming it is a flat file package.
Downloading http://casper.server.here/repo_name/Packages//Lync Installer.pkg...
Error: The package could not be found on the server.
[STEP 2 of 2]
Running Recon...
Displaying message to end user...

Failed again. Meanwhile, /var/log/install.log on my test Mac only showed that installd was starting and then stopping. In short, Casper’s logs were right; the installation process was starting but couldn’t then find a package.

At that point, I started thinking. How would the developer have installed this package? How did Q&A likely test installing it, however minimally?

Developer – Would have double-clicked on the package to install it, followed by typing in an admin password.

Q&A – Same process as the developer, except they would have tested installing it from the mounted disk image.

Read more…

Creating an Office 2011 SP 4 14.4.1 installer

April 9, 2014 8 comments

One of the issues I worked on this week was building a new Office 2011 installer after Microsoft released the Office 2011 14.4.1 update. I have an existing process to build a combined Office 2011 installer using Packages, which I’ve used successfully for a while.

This time though, I hit a problem. When I installed the combined Office 2011 installer with DeployStudio, then logged in, I was asked to enter a product key. Since my work has a volume license, this isn’t a screen I should ever see.

Screen Shot 2014-04-09 at 5.38.23 PM

This is a problem that’s been seen with previous Microsoft Office 2011 installers and usually involves the volume license file not being applied when it should be. This behavior may be seen with the 14.4.1 update in the following cases:

1. Office 2011 is installed and then updated to 14.4.1 while nobody is logged in

2. Office 2011 is installed and then updated to 14.4.1 without any Office applications being launched between the initial installation and the update.

These two scenarios will likely apply if you’re building a new machine using an automated deployment tool, but likely will not if you’re a home user.

With luck, this will only be an issue for 14.4.1 and Microsoft will fix this issue in the next 14.4.x update. In the meantime, the easiest fix I’ve found in my testing this week is to get the necessary volume license file from a machine that has Office 14.3.x installed on it and put it back on an as-needed basis.

The needed file is /Library/Preferences/com.microsoft.office.licensing.plist. If you have a volume-licensed version of Office 2011 installed on your Mac, you should have this file.

Screen Shot 2014-04-09 at 4.17.48 PM

To address the issue of installing 14.4.1 without losing your volume license, you can use Packages‘ ability to add resources to a Packages-built package. See below the jump for how you can use an Office 2011 SP 3 installer package, the Office 2011 14.4.1 Update, and the com.microsoft.office.licensing.plist license file to build a unified Office 2011 SP 4 14.4.1 installer package that does not prompt for a product key.

Read more…

Using /etc/auto_home on Mavericks to mount shares under /home

April 6, 2014 2 comments

One of my users at work asked me recently about symlinking his network home folder to /home on his Mac running 10.9.2 and wanted to check to see if it was safe to do so.

In this case, the person in question works on both Fedora Linux, where his network home directory was mounted as /home/username, and on OS X. His network home directory was available via SMB on his Mac as smb://servername/home$/username. He wanted to be able to mount smb://servername/home$/username to /home/username on his Mac, so that it matched the mountpoint of his network home on his Fedora box.

At the time, here’s what I knew about /home:

1. Nothing appears to be stored in it by default

2. It’s listed in /etc/auto_master as a mountpoint

Screen Shot 2014-04-05 at 10.52.02 PM

3. Time Machine does not back it up

Read more…

Removing all recovery keys from a FileVault 2-encrypted Mavericks Mac

March 24, 2014 2 comments

One of the functions added to the fdesetup tool on 10.9 is removerecovery. This function removes the current recovery key(s) from a FileVault 2-encrypted Mac and can be used to remove with the personal and/or institutional recovery keys from a Mac.

One interesting aspect of this is that this function can be used to remove all recovery keys from a FileVault 2-encrypted Mac running Mavericks. Once the recovery keys have been removed from your Mac, only FileVault 2-enabled accounts will be able to unlock or decrypt it. For more details, see below the jump.

Read more…

Disabling FileVault 2 with fdesetup on Mountain Lion and Mavericks

March 22, 2014 Leave a comment

Recently, I was asked how to disable FileVault 2 without needing to go into System Preferences. The general idea was that an organization may want to provide their users without admin rights a way to turn off FileVault 2 on an as-needed basis.

Most of the work I’ve done has been focused around turning on FileVault 2 and managing it, rather than providing a way for users to turn it off. That said, fdesetup on both Mountain Lion and Mavericks provides a way to disable FileVault 2 with proper authorization.

To disable FileVault 2 on the Mac you’re logged into, run the following command with root privileges:

fdesetup disable

You’ll be prompted for either the password of an enabled user or a personal recovery key.

Screen Shot 2014-03-22 at 5.39.08 PM  

Screen Shot 2014-03-22 at 5.47.15 PM

Note: If a personal recovery key was not set up on a particular Mac, you’ll only be prompted for the password of an enabled user.

Screen Shot 2014-03-22 at 6.14.48 PM

Once the password or personal recovery key has been entered, the Mac will begin to decrypt.

For those who want to automate this procedure, you can do this using an expect script or other means. As an example, I’ve written an expect script which automates running the fdesetup disable process described above.

Payload-Free Package Creator.app

March 8, 2014 3 comments

I do a lot of work with payload-free packages and I’ve looked for a while for a tool that would let me easily create them from existing scripts. While I have a process for creating them as needed with pkgbuild, this approach still requires some setup work.

Payload-Free Package Creator logo

After thinking about it and taking a look at various approaches, I’ve developed Payload-Free Package Creator.app, an Automator application that will allow the selection of an existing script and create a payload-free package that runs the selected script. For more details, see below the jump.

Read more…

Deploying Sophos Anti-Virus for Mac OS X 9.x

February 20, 2014 4 comments

For the past few major releases, Sophos used a standard installer package to install both their free and paid antivirus solution. With the release of Sophos Anti-Virus 9.x though, Sophos changed how their antivirus solution for Macs was installed by switching to using an application to install it. For their customers using Sophos Enterprise Console, Sophos will still provide a installer metapackage, but all other customers now need to use the application to install Sophos Anti-Virus 9.x on Macs.

Screen Shot 2014-02-20 at 1.40.31 PM

Curiously, Sophos went to some lengths to make their install application look like a standard installer package.

Screen Shot 2014-02-20 at 1.44.33 PM

Screen Shot 2014-02-20 at 1.46.25 PM

This extended to the point of naming the actual application as Installer, which is the same name as Apple’s Installer.

Screen Shot 2014-02-20 at 1.45.41 PM

Screen Shot 2014-02-20 at 1.47.37 PM

This switch away from using installer packages was a problem for Mac admins who wanted to deploy Sophos 9.x, but did not have Sophos’ enterprise console. After doing some research and reading a very helpful thread on JAMF Nation, it looks like it is possible to repackage Sophos 9.x for deployment. For more details, see below the jump.

Read more…

Managing the Authorization Database in OS X Mavericks

February 16, 2014 2 comments

Prior to OS X Mavericks, the /etc/authorization XML file controlled the rights for many different actions, such as adding a printer, setting up Time Machine or setting DVD region codes. Modifying this file required root access and could be performed with a text editor. The /etc/authorization file could also be modified by using the security command line tool included with OS X, but most chose not to do so because directly editing the file was easier.

With the release of OS X Mavericks, /etc/authorization has been removed in favor of a new authorization database, which is a SQLite database located at /var/db/auth.db. There is also an authorization.plist file located in /System/Library/Security, which is used by the OS as a template for a new /var/db/auth.db database file, in the event that the OS detects on boot that /var/db/auth.db does not exist.

To see what’s in the database, you can export the database to a text file using the following command:

sudo sqlite3 auth.db .dump > /path/to/filename.txt

It’s also possible to open the exported data directly inside text editors that support this option. For example, the following command can be used to export the database and automatically open the exported data in a new TextWrangler document:

sudo sqlite3 auth.db .dump | edit

Read more…

Follow

Get every new post delivered to your Inbox.

Join 126 other followers

%d bloggers like this: