Automating Oracle Java 7 updates

August 16, 2014 2 comments

Something I’ve wanted to do for a while was to write a script to download and install the latest Java 7 update from Oracle. I’ve been using AutoPkg to download the latest Java 7 updates using AutoPkg’s OracleJava7 recipes, but I wanted to develop a script that would do the following:

  1. Download the latest Java 7 installer from Oracle’s website
  2. Install the latest Java 7 update
  3. Clean up after itself

Oracle didn’t make this an easy task, as the download URL seems to change on a per-update version. AutoPkg handles its update task by scraping Oracle’s manual download page for the current correct URL to use.

Oracle does provide a Sparkle-based update mechanism for Java 7 on OS X, so I wanted to see if there was a way to leverage that to pull down updates. The only address I could find in that regard was the SUFeedURL value included in Java 7’s /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info.plist file. I checked that value using the following command:

defaults read "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info" SUFeedURL

The output I received for Java 7 Update 67 was the following:


https://javadl-esd-secure.oracle.com/update/mac/au-1.7.0_67.xml

I decided to see what output would come back from Oracle’s site when accessed, so I used the following curl command to see what was returned:

/usr/bin/curl --silent https://javadl-esd-secure.oracle.com/update/mac/au-1.7.0_67.xml 

The following XML was returned and I was gratified to see that it contained a download link to a Java 7 Update 67 disk image.

Screen Shot 2014-08-16 at 5.58.35 PM

One of the important things I was able to establish is that the XML address embedded with Java 7 Update 67 is not special in this regard. As part of my testing, I verified that using the SUFeedURL value for Java 7 Update 15 and 65 will also work to pull the address of the latest Oracle Java 7 installer disk image.

Using this information, I was able to build a script that can download and install the latest Java 7 update. See below the jump for details.

Read more…

FileVault 2 Institutional Recovery Keys – Creation, Deployment and Use

August 13, 2014 Leave a comment

As part of Apple’s FileVault 2 encryption, Apple has provided for the use of recovery keys. These keys are a backup method to unlock FileVault 2’s encryption in the event that the usual method of logging using a user’s account password is not available.

There are two main types of recovery keys available:

1. Personal recovery keys – These are recovery keys that are automatically generated at the time of encryption. These keys are generated as an alphanumeric string and are unique to the machine being encrypted. In the event that an encrypted Mac is decrypted and then re-encrypted, the existing personal recovery key would be invalidated and a new personal recovery key would be created as part of the encryption process.

Figure_1–Personal_Recovery_Key_displayed_in_the_FileVault_preference_pane

2. Institutional recovery keys – These are pre-made recovery keys that can be installed on a system prior to encryption and most often used by a company, school or institution to have one common recovery key that can unlock their managed encrypted systems.

Institutional keys are not automatically created and will need to be properly generated before they can be used. For more information on institutional recovery keys, see below the jump.

Read more…

Problems decrypting FileVault 2 encrypted drives while booted from Mavericks’ Recovery HD

August 12, 2014 8 comments

While working with a colleague to prepare a FileVault 2 rollout at his institution, he reported that in his testing, the decryption process did not appear to be working correctly when he was booted from the Recovery HD partition and using the command line diskutil-based decryption procedure that I had posted. In his testing, he was finding that the CoreStorage volume that the FileVault 2 encryption process created was not being removed when the diskutil corestorage revert command was run. The drive was being decrypted, but the CoreStorage volume was being left behind. This caused problems in his testing, because he found that rebooting afterwards led to the Mac booting to a prohibited sign.

Screen Shot 2014-08-11 at 9.02.14 PM

This symbol at boot means the system has found a bootable installation of Mac OS X on the system, but there is something wrong with it.

After some additional testing, he discovered that he actually needed to run diskutil corestorage revert twice in succession. Running diskutil corestorage revert the first time would decrypt the drive. Running diskutil corestorage revert a second time following the first command would then remove the unencrypted CoreStorage volume. Once the CoreStorage volume was removed, the Mac would then be able to reboot normally to the regular boot drive.

The behavior seems to be tied to the following:

1. Booting from a Mavericks Recovery HD partition (all testing was done with a 10.9.4 Recovery HD partition.)

2. Decrypting either of the following methods:

A. Using Recovery HD‘s Disk Utility to decrypt the FileVault 2-encrypted boot drive. This decryption method is described here.

B. Running diskutil corestorage -revert from the Terminal. This decryption method is described here.

3. Letting the drive get to Conversion Progress: 100% while booted from the Recovery HD partition. Conversion Progress status can be displayed by running the diskutil corestorage list command in Terminal.

Screen Shot 2014-08-11 at 7.47.05 PM

4. Rebooting back to the main boot drive once Conversion Progress: has reached 100%.

The end result is a locked CoreStorage volume that will not unlock or mount on boot, or when accessed from a Recovery HD partition or Apple’s Internet Recovery. This was the root cause for the prohibited symbol at boot that my colleague was receiving.

In my testing, I did find it was possible to decrypt the drive via Disk Utility or the command line when it was attached as an external drive (via Target Disk Mode or other means) to a Mac that was booted to a full version of OS X 10.9.x. Once decrypted, I verified that the CoreStorage volume was removed. Once I had verified that, I further verified that I could now boot normally from the previously non-bootable hard drive.

One drawback to decrypting while attached to a regular 10.9.x boot drive is that you are not able to use an Institutional Recovery Key (IRK). Using that kind of recovery key for unlocking or decryption only works when booted from a Recovery HD partition or Internet Recovery. Since that’s precisely where our problem exists, I investigated further to see if there were alternate workarounds for this problem. For more details and the workarounds I found, see below the jump.

Read more…

Contacting AppleCare to unlock work-owned iCloud-locked iPhones

August 7, 2014 3 comments

I recently had a situation where I was asked to figure out a way to get a work-owned iCloud-locked phone’s activation lock removed. After doing some research, I was able to find a way to do this and was able to go from having an activation-locked iPhone to having a ready-for-activation iPhone.

If you have a work-owned iPhone that has been activation-locked with an Apple ID, it is possible to contact AppleCare and get the activation lock removed. The key is to be able to provide to Apple a clear chain of ownership of the iPhone by your company, school or institution, usually through providing an electronic copy of the invoice or other proof of purchase. If you can’t prove that your company, school or institution owns the specific iPhone in question, Apple will not unlock it.

Assuming that your work has purchased the activation-locked iPhone directly from Apple, or via a business account with one of the mobile carriers, you should be able to contact the vendor to get proof of purchase.

Here’s the procedure I used to get from an activation-locked iPhone to a ready-for-activation iPhone:

Note: Getting the lock lifted may take a few business days from the time that the request is submitted.

1. Get the IMEI of the iPhone. If possible, also get the serial number and phone number. See the link below for Apple’s KBase article on how to find this information:

http://support.apple.com/kb/HT4061

2. If needed, have one of your workplace’s authorized contacts work with the vendor who sold the iPhone to your company, school or institution and get an electronic copy of the proof of purchase.

The reason to get the proof of purchase is that it will be needed to establish that your company, school or institution purchased and has ownership of the iPhone.

3. Once you have the proof of purchase available to you, verify that it has the following information:

Invoice number

iPhone serial number (may be the same as the IMEI)

iPhone phone number

4. With the proof of purchase readily available for reference, call the relevant AppleCare line for your company, school or institution. See the link below for AppleCare’s contact numbers.

http://support.apple.com/kb/HE57

5. If asked about the device you need support for, say “iPhone“.

6. When connected to the support rep, explain that you have an iCloud-locked phone and that you would like to submit a request to have it unlocked.

7. Tell them that you have the IMEI for the iPhone in question and provide it when asked.

8. Apple may ask you for the invoice number, serial number and/or phone number of the iPhone to help them look it up on their end and verify ownership.

9. Once the Apple rep has provisionally established that your company, school or institution has ownership of the iPhone, they will send you an email with instructions on how to contact the group that handles unlocks of iCloud-locked phones.

10. Follow the instructions in the email and make sure to provide an electronic copy of the proof of purchase.

If all goes well, Apple should unlock the activation-locked work-owned iPhone within a few business days and notify the person who submitted the request to have the lock removed.

Categories: iOS, iPhone

Wanted: bugreport.jamfsoftware.com

August 2, 2014 2 comments

In working through various issues with JAMF, I’ve noticed that a variety of issues I’ve reported are themselves tied to JAMF’s internal bug-reporting system of defect numbers. At the moment, the only way I get any visibility into progress on those defect numbers is by asking my account manager. My current account manager is pretty responsive, but this seems like a job that can be offloaded from his list of responsibilities. I also don’t always want to open a support call when I notice a bug, sometimes I just want to report it.

Here’s what I would want from JAMF in a bug reporting solution:

  • I want a way to report bugs that I’ve noticed.
  • I want a way to be able to check for myself the status of the reported bug.
  • I also want to know how many other people are reporting this issue. Not just because I’d like to know if I’m filing a duplicate issue, but stats like that may give me some insight into how soon my bug will get fixed.

For a bug report itself, I want:

  1. The ability to upload screenshots and screen capture movies and be able to attach them to the bug report.
  2. The ability to add additional information to the initial bug report.
  3. Email notifications when my bug’s status has changed.
  4. A way for the developer working on the bug to be able to reach out and get more details from me directly.
  5. The ability to see both open and closed bug reports that I’ve submitted.
  6. If I’ve filed a duplicate issue, read-only access to the original filed bug report.

I file bug reports with Apple, so I know the drill. I know not all bugs get fixed as fast as I want them to. Sometimes, they don’t get fixed at all. What I want is more information, and to be able to access that information myself.

As it happens, there’s an existing Feature Request for this already open at JAMF Nation. Please vote it up. Hopefully one day soon, I’ll see that status change from UNDER REVIEW to IMPLEMENTED.

Categories: Casper, Mac administration

Penn State MacAdmins Conference 2013 and 2014 music playlists

July 27, 2014 Leave a comment

I found myself wanting to pull together a mix of the best of the Penn State MacAdmins playlists, so I looked up both 2013 and 2014 playlists. For those who also want both Spotify playlists, please see the links below:

Penn State MacAdmins 2013 Spotify: http://spoti.fi/macadmins13

Penn State MacAdmins 2014 Spotify: http://tinyurl.com/psumacmusic

My thanks to @jaharmi for having the 2013 link available on his blog. Like him, I’m posting these links because I want an easy way to find them later.

Saved application states and Office 2011 EXC_BAD_ACCESS application crashes

July 26, 2014 2 comments

I had an interesting issue crop up yesterday. One of our users sent in a ticket to report that Word 2011 on her laptop kept crashing with an EXC_BAD_ACCESS error. None of her other Office 2011 applications were exhibiting the behavior; it was specific to Word 2011.

Screen Shot 2014-07-25 at 10.33.23 AM

When this error has cropped up in the past, I’ve fixed it in the past by removing Word’s Normal.dotm template from /Users/username/Library/Application Support/Microsoft/Office/User Templates or removing the com.microsoft preference files for the affected application from /Users/username/Library/Preferences.

So this time, I moved the following files to a new folder that I created on the user’s desktop:

/Users/username/Library/Application Support/Microsoft/Office/User Templates/Normal.dotm
/Users/username/Library/Preferences/com.microsoft.Word.plist

Then I logged the user out, asked them to log back in and had them relaunch Word. Crash. EXC_BAD_ACCESS error again. This was going to be an unusual one…

Read more…

Follow

Get every new post delivered to your Inbox.

Join 154 other followers

%d bloggers like this: