Security Update 2017-001 being pushed to both macOS 10.13.0 and 10.13.1

November 30, 2017 4 comments

To fix the vulnerability popularly referred to as #IAMROOT , Apple has begun pushing Security Update 2017-001 to Macs running the following OS versions:

  • macOS 10.13.0
  • macOS 10.13.1

This update is being deployed using the same automated installation mechanism that Apple previously used to deploy OS X NTP Security Update 1.0 back in 2014, where Security Update 2017-001 is being silently downloaded and installed on vulnerable Macs.

Screen Shot 2017 11 30 at 2 08 59 PM

For more details, please see below the jump.

Read more…

Categories: Mac administration, macOS

Blocking logins to the root account on macOS High Sierra

November 28, 2017 7 comments

A security vulnerability was discovered in macOS High Sierra today, where you could enable and log into the root account without providing a password.



Update 11-29-2017: Apple has released Security Update 2017-001 to fix this issue. Please install this update as soon as possible.




Update 11-30-2017: Apple is now automatically installing Security Update 2017-001 on vulnerable Macs.



To address this this issue until Apple releases an update to fix it, there’s two steps you can take which will block logins to the root account:

  1. Set a password for the root account on your Mac
  2. Change the root’s account’s login shell to /usr/bin/false

When you set the root account’s login shell to /usr/bin/false, the shell is changed to point to a command that does nothing except return a status code which reports an error. The login process will interpret that error status code as being a failed login, so it will stop the login process at that point and prompt for the password again.

Since the login process will always receive the error code from the false command, the login process will never succeed. For more details, see below the jump.

Read more…

Categories: Mac administration, macOS

First Boot Package Install Generator.app now adds product identifier tags to its packages

November 22, 2017 Leave a comment

As a follow-up to Greg Neagle’s discovery that product identifiers are now needed to ensure best results when adding additional packages to macOS High Sierra OS installers, I’ve updated First Boot Package Installer Generator.app to add product identifiers by default to the firstboot packages created by this tool.

The product identifier values will be the user-selected Package Identifier followed by the Version Identifier.

Screen Shot 2017 11 21 at 2 21 13 PM

Screen Shot 2017 11 21 at 2 21 19 PM

These values will appear in the firstboot package’s distribution file as shown below:

Screen Shot 2017 11 21 at 2 22 03 PM

For those who need this capability, an installer for First Boot Package Install Generator.app 1.7 can be downloaded via the link below:

https://github.com/rtrouton/First_Boot_Package_Install_Generator/releases/tag/1.7

Enabling Touch ID authorization for sudo on macOS High Sierra

November 17, 2017 2 comments

My colleague @mikeymikey brought this tweet by Cabel Sasser to my attention yesterday:

I have a Touch ID-enabled MacBook Pro and use sudo frequently, so I’ve implemented this on my own laptop. For more details, see below the jump.

Read more…

Categories: Mac administration, macOS, Unix

APFS encryption status check script

November 13, 2017 1 comment

As part of working Apple File System, I’ve developed a script which is designed to check and report the status of encrypted Apple File System (APFS) drives. Currently, here’s what the script is detecting and reporting:

It first checks to see if a Mac is running 10.13.x or higher. If the Mac is question is running 10.13.x or higher, the script reports if it is using encryption on an APFS drive and gives the encryption or decryption status.

If encrypted, the following message is displayed:

FileVault is On.

Screen Shot 2017 11 12 at 8 38 08 PM

 

If not encrypted, the following message is displayed:

FileVault is Off.

Screen Shot 2017 11 12 at 8 43 07 PM

If encrypting, the following message is displayed:

Encryption in progress:

How much has been encrypted is also displayed.

Screen Shot 2017 11 12 at 8 08 30 PM

 

If decrypting, the following message is displayed without quotes:

Decryption in progress:

How much has been decrypted is also displayed.

Screen Shot 2017 11 12 at 8 38 48 PM

 

 

 

If run on a drive which is not using APFS, the following message is displayed:

Unable to display encryption status for filesystems other than APFS.

Screen Shot 2017 11 12 at 8 44 11 PM

 

The script is available below and here on my GitHub repository:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/check_apfs_encryption

I’ve also built a Jamf Pro Extension Attribute:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Extension_Attributes/check_apfs_encryption

Downloading macOS Sierra from the Mac App Store

November 10, 2017 2 comments

Now that macOS High Sierra has been released, it’s become more difficult to access the macOS Sierra installer in the Mac App Store (MAS) for those who still need it.

Previous versions of OS X and Mac OS X which were purchased by an Apple ID will appear in the MAS’s Purchased list for that Apple ID, but macOS Sierra is an exception because it did not need to be purchased using an Apple ID.

Screen shot 2015 11 19 at 2 43 08 pm

Fortunately, Sierra has not been removed from the MAS and it is still available for download. Apple has a KBase article, available via the link below, which shows how to access the macOS Sierra page in the Mac App Store:

https://support.apple.com/HT208202

To access the macOS Sierra page directly, please click on the link below:

https://itunes.apple.com/us/app/macos-sierra/id1127487414?ls=1&mt=12

That link should open the MAS and take you to the macOS Sierra download page.

Screen Shot 2017 11 10 at 11 06 58 AM

In the event that you’re blocked from downloading macOS Sierra, you should be able to download it in a virtual machine. I have a post on how to do this, available via the link below:

https://derflounder.wordpress.com/2017/02/21/downloading-older-os-installers-on-incompatible-hardware-using-vms/

Categories: Mac administration, macOS

Session videos from Jamf Nation User Conference 2017 now available

November 10, 2017 1 comment

Jamf has posted the session videos for from JAMF Nation User Conference 2017, including the video for my Apple File System session.

For those interested, all of the JNUC 2017 session videos are available on YouTube. For convenience, I’ve linked my session here.

%d bloggers like this: