I do a lot of work with payload-free packages and I’ve looked for a while for a tool that would let me easily create them from existing scripts. While I have a process for creating them as needed with pkgbuild, this approach still requires some setup work.
After thinking about it and taking a look at various approaches, I’ve developed Payload-Free Package Creator.app, an Automator application that will allow the selection of an existing script and create a payload-free package that runs the selected script. For more details, see below the jump.
For the past few major releases, Sophos used a standard installer package to install both their free and paid antivirus solution. With the release of Sophos Anti-Virus 9.x though, Sophos changed how their antivirus solution for Macs was installed by switching to using an application to install it. For their customers using Sophos Enterprise Console, Sophos will still provide an installer metapackage, but all other customers now need to use the application to install Sophos Anti-Virus 9.x on Macs.
Curiously, Sophos went to some lengths to make their install application look like a standard installer package.
This extended to the point of naming the actual application as Installer, which is the same name as Apple’s Installer.
This switch away from using installer packages was a problem for Mac admins who wanted to deploy Sophos 9.x, but did not have Sophos’ enterprise console. After doing some research and reading a very helpful thread on JAMF Nation, it looks like it is possible to repackage Sophos 9.x for deployment. For more details, see below the jump.
Prior to OS X Mavericks, the /etc/authorization XML file controlled the rights for many different actions, such as adding a printer, setting up Time Machine or setting DVD region codes. Modifying this file required root access and could be performed with a text editor. The /etc/authorization file could also be modified by using the security command line tool included with OS X, but most chose not to do so because directly editing the file was easier.
With the release of OS X Mavericks, /etc/authorization has been removed in favor of a new authorization database, which is a SQLite database located at /var/db/auth.db. There is also an authorization.plist file located in /System/Library/Security, which is used by the OS as a template for a new /var/db/auth.db database file, in the event that the OS detects on boot that /var/db/auth.db does not exist.
To see what’s in the database, you can export the database to a text file using the following command:
sudo sqlite3 auth.db .dump > /path/to/filename.txt
It’s also possible to open the exported data directly inside text editors that support this option. For example, the following command can be used to export the database and automatically open the exported data in a new TextWrangler document:
sudo sqlite3 auth.db .dump | edit
I recently purchased a new MacBook Pro Retina for my own use and encrypted it with FileVault 2. As part of setting it up, I ran the following command to ensure that the laptop hibernated (where the contents of the RAM are written to disk) and also that the FileVault 2 key was automatically removed from the saved RAM state when I put the laptop to sleep:
sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25
I then put my laptop to sleep and shortly thereafter went to sleep myself.
The next morning, I went to wake up my laptop. I expected to see my account icon and a password blank at the FileVault 2 login screen, which would indicate that it had been asleep.
Instead, I saw the icons for all of the FileVault 2-enabled accounts on my laptop.
That indicated that my laptop had turned off instead of being asleep. For more details, see below the jump.
In my shop, we use a Xerox color copier/printer along with a number of Canon ImageRunner printers. Like the Canons, I have the Xerox printer available in Casper’s Self Service so that our users can set this printer up themselves on their Macs. When I recently overhauled my Canon printer setups, I decided to also revisit how Self Service handled setting up the Xerox printer. Unlike our Canon printers, our Xerox printer used LPR already so I figured that getting the right drivers deployed should be straightforward.
Then I looked at Xerox’s driver page and saw three different driver installers available:
For 10.5.x – Xerox Print Driver 2.94.3
For 10.6.x – Xerox Print Driver 2.112.0
For 10.7.x through 10.9.x – Xerox Print Driver 2.113.0
I wanted to maintain roughly the same workflow as I had with the Canon printers, but I also wanted to make sure that the OS-appropriate driver was delivered to each Mac.
For details on how I addressed this, see below the jump.
In my shop, we use a number of Canon ImageRunner printers and have them set up in Casper’s Self Service so that our users can set them up themselves. All of the Canon printers in question have PostScript enabled, so I’ve been deploying the Canon PostScript drivers.
Historically, one of the things that was installed along with the drivers was a proprietary printing application that sat between the Mac’s CUPS printing system and the actual printer. That changed with the release of Canon’s 4.x PostScript drivers. With the new drivers, Canon has switched to using LPR and no longer uses that proprietary printing application.
Good news: Canon is no longer building in a custom printer program to handle talking to the printer; instead the new drivers are using LPR.
Bad news: Our existing printer setups that are available in Self Service do not work with the new printer drivers. I would need to delete and re-add our various printers to Self Service.
The bad news wasn’t a big problem by itself, but my testing showed that updating the printers in Self Service to accommodate the new printer drivers would make them no longer backwards-compatible with the old drivers. The new drivers would need to be installed in order for the new printers to work. Conversely, just pushing out the new drivers to our Macs could result in existing printer setups breaking.
In short, here were the problems I was looking at:
1. The old printer setups could not use the new drivers
2. The new printer setups could not use the old drivers
3. The new drivers needed to be installed before the new printer setup happened.
4. I didn’t want to break existing printer setups if I could avoid it.
Making the new drivers available in Self Service as standalone installers wasn’t an issue but I was concerned about adding them to the printer setups themselves. That potentially could result in the printer drivers being installed over and over again as people set up multiple printers on one Mac. I also wanted to avoid problems with accidentally trying to overwrite newer drivers, in the event that Canon released new drivers and someone installed them before I updated the driver installer in Self Service.
For details on how I addressed this, see below the jump.
As I’ve mentioned previously, Apple does at least one thing with each new OS release that a) annoys me and b) makes me wonder about the thought process that went behind it.
In Mavericks, it’s smart quotes. These are quotes that are curved in shape and face in different directions, depending on if they’re opening quotes or closing quotes.
Having smart quotes is inconvenient for me because I can’t always tell when they’re in use until I copy and paste. If I’m copying and pasting content into a script, smart quotation marks aren’t recognized as legal quote marks, which means I have to find and replace them.
Fortunately, it’s possible to turn smart quotes off. See below the jump for details.
It’s been a long time coming, but Java 6 on OS X has hit the end of the road for updates. Mike Swingler has posted a message to the Apple java-dev list that confirms that no further Java SE 6 updates are available for any platform, including OS X. Java for OS X 2013-005 and Java for Mac OS X v10.6 Update 17 are the latest versions available and install Java SE 6 build 1.6.0_65.
As part of this post, I’d like to say thanks to the Java folks at Apple for going above and beyond. Apple’s last Java 6 update was released on Oct 15, 2013, which was a full eight months after Oracle discontinued updates for other platforms. This allowed some vulnerabilities in Java 6 to be addressed that otherwise wouldn’t have been.
For those who need them, download links for Java for OS X 2013-005 and Java for Mac OS X v10.6 Update 17 are available below:
If you want others to be able to temporarily use your computer, but you don’t want to create an account for each user, Mac OS X allows you to create a guest account. This guest account allows a person to log in to the Mac without entering a password, but the account type has the following limitations:
- Guest users can’t make changes to other user accounts.
- Guest users can’t change settings on the computer.
- Guest users can’t log in remotely.
- Files created by guest users are deleted when the user logs out. As part of this, a temporary home folder is created for the guest’s files but this folder and its contents are deleted when the user logs out.
By default, OS X only allows the creation of a single guest account with the name of Guest. That said, it is possible to create custom guest accounts with names that are different from Guest. This would allow Mac admins to create multiple guest accounts if needed. See below the jump for more details.
A change that occurred between Mountain Lion and Mavericks is that it’s no longer possible to add additional users with fdesetup by using a non-enabled admin user’s credentials. Instead, you must use either a previously-enabled user’s credentials or use a personal recovery key (aka an individual recovery key) to authorize adding a user account with fdesetup add.
The recovery key option is specifically for the personal recovery key; there is not an option in fdesetup add to use the institutional recovery key. This is an issue for IT shops that are using fdesetup enable with the -defer option in combination with an institutional recovery key because the Mavericks way to authorize additional accounts depends on an enabled user’s password (which in this case would be an end-user’s password) or a personal recovery key (which doesn’t exist).
There is a way to fix this in a roundabout way, by leveraging the ability of fdesetup in Mavericks to generate a new personal recovery key using fdesetup changerecovery. fdesetup changerecovery allows the use of an institutional recovery keychain to authorize the generation of a new personal recovery key. To do this, run the following command:
sudo fdesetup changerecovery -personal -key /path/to/keychain_with_both_private_and_public_recovery_keys_inside.keychain
You’ll be prompted for the password to unlock the institutional recovery keychain. Once that password is provided, a new personal recovery key will be generated.
To verify that this new recovery key is valid, run the following command:
sudo fdesetup validaterecovery
If the new personal recovery key is valid, you should receive a result of “true”.
fdesetup can also export the recovery key to a plist file by using the -outputplist flag. To generate a new personal recovery key and have it exported to a plist, run the following command:
sudo fdesetup changerecovery -personal -key /path/to/FileVaultMaster.keychain -outputplist > /path/to/new_recovery_key.plist
The plist should contain information similar to what’s shown below and include the new personal recovery key information in the RecoveryKey plist value.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Change</key>
	<true/>
	<key>EnabledDate</key>
	<string>2013-12-20 13:51:58 -0500</string>
	<key>HardwareUUID</key>
	<string>00000000-0000-1000-8000-000C2991B2C4</string>
	<key>HasMasterKeychain</key>
	<true/>
	<key>RecoveryKey</key>
	<string>MLZA-NZTC-MVLM-O82Q-Y8TW-F8FX</string>
	<key>SerialNumber</key>
	<string>VM401BlpPKGn</string>
</dict>
</plist>
fdesetup changerecovery doesn’t currently include a way to utilize the institutional recovery keychain without requiring a password to be entered, but it is possible to automate the password entry process using an expect script or other means. As an example, I’ve written an expect script which automates running the fdesetup changerecovery process described above to generate a new personal recovery key and export it to a plist.
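As an added example (not the post's own expect script), here is a bash wrapper around the changerecovery, -outputplist and validaterecovery sequence above: it writes the plist with a restrictive umask, pulls the new RecoveryKey out of it, checks that the key has the six-group format shown in the post before anything relies on it, and then runs validaterecovery. The keychain and output paths are placeholders, and the sample plist is constructed for the self-check with a made-up key.

```bash
#!/bin/bash
# Sample plist, constructed to match the shape fdesetup -outputplist emits.
# The key, serial and paths below are placeholders, not values from a real Mac.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Change</key>
    <true/>
    <key>RecoveryKey</key>
    <string>AAAA-BBBB-CCCC-DDDD-EEEE-FFFF</string>
    <key>SerialNumber</key>
    <string>PLACEHOLDERSN</string>
</dict>
</plist>'

# Print the <string> that follows <key>RecoveryKey</key> in plist text read from stdin.
extract_recovery_key() {
    awk '/<key>RecoveryKey<\/key>/ { found = 1; next }
         found && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }'
}

# A personal recovery key is six hyphen-separated groups of four characters (0-9, A-Z).
# Returns 0 when the format matches, 1 otherwise.
is_valid_key_format() {
    printf '%s' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# Rotate the personal recovery key on this Mac. Needs root and the institutional
# recovery keychain; fdesetup prompts for the keychain password as the post describes.
rotate_personal_recovery_key() {
    keychain="$1"   # e.g. /path/to/FileVaultMaster.keychain (placeholder)
    out="$2"        # plist destination; it holds the new key, so keep it root-only
    umask 077
    sudo fdesetup changerecovery -personal -key "$keychain" -outputplist > "$out" || return 1
    key=$(extract_recovery_key < "$out")
    if ! is_valid_key_format "$key"; then
        echo "unexpected RecoveryKey format in $out" >&2
        return 1
    fi
    # Confirm the key that was just written actually works: fdesetup prompts for it
    # and prints true or false, exactly as in the manual check above.
    sudo fdesetup validaterecovery
}
```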