Apple discontinues macOS Server
After a long run, first beginning with Mac OS X Server 1.0 in 1999, Apple has announced the end of macOS Server as of April 21, 2022. The final version is macOS Server 5.12.2, which runs on macOS Monterey.
macOS Server 5.12.2 has shed many of the features once supported by macOS Server. As of 5.12.2, the following two services are supported:
Both services are not currently available outside of macOS Server, so Apple discontinuing macOS Server also means the end of the line for Apple’s Open Directory directory service and Apple’s Profile Manager MDM service.
For current customers who have purchased macOS Server, macOS Server 5.12.2 remains available in the App Store.
Building a Privileges installer package using AutoPkg
In working with folks who want to build installer packages to install the Privileges app, I’ve noticed that a number of them have experienced problems with manually building an installer package for Privileges which correctly installs the Privileges app’s helper tool.
The result of an installer which does not install the helper tool correctly is that when a user requests administrator privileges using the Privileges app, the app prompts them to install the helper tool. This requires administrative rights, which sets up a chicken and egg situation where admin privileges are being required to get admin privileges.
Fortunately, there is an automated method for building the installer package which (so far) has worked correctly in each case I’m familiar with. There are AutoPkg recipes available for creating a Privileges installer package and AutoPkg is able to build a correctly working Privileges installer package.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
computername:~ username$ autopkg search com.github.rtrouton.Privileges | |
Name Repo Path | |
—- —- —- | |
Privileges.munki.recipe apfelwerk-recipes Privileges/Privileges.munki.recipe | |
Privileges.install.recipe rtrouton-recipes Privileges/Privileges.install.recipe | |
Privileges.munki.recipe rtrouton-recipes Privileges/Privileges.munki.recipe | |
Privileges.jss.recipe rtrouton-recipes JSS/Privileges.jss.recipe | |
Privileges.pkg.recipe rtrouton-recipes Privileges/Privileges.pkg.recipe | |
Privileges.download.recipe rtrouton-recipes Privileges/Privileges.download.recipe | |
To add a new recipe repo, use 'autopkg repo-add <repo name>' | |
computername:~ username$ |
For more details, please see below the jump.
Payload-Free Package Creator 2.4 now available
Payload-Free Package Creator.app, an Automator application that allows the selection of an existing script and then create a payload-free package that runs the selected script, has been updated to version 2.4.
The functionality and operations of the app have not changed from Payload-Free Package Creator 2.3. The main change is that Payload-Free Package Creator.app is now a Universal app, allowing it to run natively on both Intel and Apple Silicon Macs.
Payload-Free Package Creator 2.4, along with all components and scripts, are available on GitHub via the link below:
Simple Package Creator 1.5 now available
Simple Package Creator.app, an Automator application that will allow the selection of a self-contained application and creates an installer package that enables the installation of the application with pre-set permissions into /Applications, has been updated to version 1.5.
The functionality and operations of the app have not changed from Simple Package Creator 1.4. The main change is that Simple Package Creator.app is now a Universal app, allowing it to run natively on both Intel and Apple Silicon Macs.
Simple Package Creator 1.5, along with all components and scripts, are available on GitHub via the link below:
profiles command includes client-side rate limitation for certain functions on macOS 12.3
One of the changes brought with macOS 12.3 is that the profiles command line tool now includes a rate limiter for some of its functions:
profiles show
profiles validate
In both cases, running these functions may be limited to once every 23 hours.
For those familiar with rate limitation on the server side, where a server may choose to limit how many calls can be received in a set period from a client, this rate limitation is similar but is set and managed entirely on the client side. This means that there is no bypassing the profiles command’s rate limitation in this case for the Mac in question.
One way this may appear is on Macs which are part of the Automated Device Enrollment program, where the Mac can show its enrollment status by running the following command:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
profiles show -type enrollment |
In the event that this command errors, the profiles command will block further attempts to display this information for the next 23 hours. In this situation, you may see output like that shown below:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
username@computername ~ % sudo profiles show -type enrollment | |
Password: | |
Device Enrollment configuration: | |
(null) | |
username@computername ~ % sudo profiles show -type enrollment | |
Error fetching Device Enrollment configuration – Request too soon. Try again later. |
At this time, I don’t know where the information which tracks this 23 hour limitation is stored, but I did confirm that it is stored somewhere in the writable portion of the Mac’s boot drive. Wiping the Mac’s boot drive, via a disk wipe and OS reinstall or via Erase All Contents and Settings, will remove whatever is tracking and enforcing the 23 hour limitation.
Update – 4-22-2022:
It looks like the file which tracks this information is stored in the following location:
/private/var/db/ConfigurationProfiles/Settings/.profilesFetchTimerCheck
This file is protected by SIP. Thanks to zolotkey in the comments!
Also, in the original version of this post, I had made a mistake and conflated the functions of the following commands:
- profiles renew -type enrollment
- profiles show -type enrollment
The profiles renew -type enrollment command can be used to enroll or re-enroll a Mac which is part of the Automated Device Enrollment program with the MDM server that ADE associates the Mac with. To the best of my knowledge, the renew function of the profiles command does not have a client side rate limitation on macOS 12.3. Thanks also to Richard in the comments for catching my mistake and letting me know about it.
Using macOS installer disk images to boot VMware Fusion virtual machines to macOS Recovery
Booting a VMware Fusion virtual machine to the macOS Recovery environment can be challenging, as Fusion uses Command-R as a keyboard shortcut for restoring snapshots.
This is the same keyboard shortcut as booting to macOS Recovery for Intel Macs so if you’re not very fast, or you don’t have the virtual machine window selected correctly, you may be looking at an unwanted request to restore a snapshot instead of macOS Recovery.
Fortunately, there’s a workaround for this behavior which will reliably get you into macOS Recovery. For more details, please see below the jump.
Using custom variables in an AutoPkg recipe to set version information
As part of a recent task to build an AutoPkg recipe which creates an installer package for a screen saver, I ran into an issue. The vendor, for reasons that no doubt make sense to them, split the version information for the screen saver across two separate keys:
- Major part of the version number: Stored in the CFBundleShortVersionString key of the screen saver’s Info.plist file
- Minor part of the version number: Stored in the CFBundleVersion key of the screen saver’s Info.plist file
What this meant is that for version 1.4 of the screen saver, the version information was stored as follows:
- CFBundleShortVersionString key: 1
- CFBundleVersion key: 4
Getting this information was not the problem. AutoPkg includes a PlistReader processor which allows multiple values to be read from one plist file, so I used it as shown below to read the CFBundleShortVersionString key’s and the CFBundleVersion key’s values and store them in the following variables:
- CFBundleVersion key: minor_version
- CFBundleShortVersionString: major_version
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<dict> | |
<key>Arguments</key> | |
<dict> | |
<key>info_path</key> | |
<string>%pathname%/Carousel Cloud.saver/Contents/Info.plist</string> | |
<key>plist_keys</key> | |
<dict> | |
<key>CFBundleVersion</key> | |
<string>minor_version</string> | |
<key>CFBundleShortVersionString</key> | |
<string>major_version</string> | |
</dict> | |
</dict> | |
<key>Processor</key> | |
<string>PlistReader</string> | |
</dict> |
So now I had the version info (in separate pieces) and now I needed to put them together. The problem I was seeing was that my usual solution, AutoPkg’s Versioner processor is set up to read one value from a plist file. I had two values and neither were in a plist file.
Fortunately, there are multiple ways to solve this problem. The first I thought of was to build a new plist as part of the recipe’s run and put the version information in. The workflow works like this:
1. Use the PlistReader processor to read the desired information.
2. Use the FileCreator processor processor to create a new plist file with the version information formatted as needed.
3. Use the PlistReader processor to read the version information out of the newly-created plist file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<dict> | |
<key>Arguments</key> | |
<dict> | |
<key>info_path</key> | |
<string>%pathname%/Carousel Cloud.saver/Contents/Info.plist</string> | |
<key>plist_keys</key> | |
<dict> | |
<key>CFBundleVersion</key> | |
<string>minor_version</string> | |
<key>CFBundleShortVersionString</key> | |
<string>major_version</string> | |
</dict> | |
</dict> | |
<key>Processor</key> | |
<string>PlistReader</string> | |
</dict> | |
<dict> | |
<key>Processor</key> | |
<string>FileCreator</string> | |
<key>Arguments</key> | |
<dict> | |
<key>file_path</key> | |
<string>%RECIPE_CACHE_DIR%/com.companyname.carouselcloudscreensaver.plist</string> | |
<key>file_mode</key> | |
<string>0755</string> | |
<key>file_content</key> | |
<string><?xml version="1.0" encoding="UTF-8"?> | |
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
<plist version="1.0"> | |
<dict> | |
<key>complete_version</key> | |
<string>%major_version%.%minor_version%</string> | |
</dict> | |
</plist> | |
</string> | |
</dict> | |
</dict> | |
<dict> | |
<key>Arguments</key> | |
<dict> | |
<key>info_path</key> | |
<string>%RECIPE_CACHE_DIR%/com.companyname.carouselcloudscreensaver.plist</string> | |
<key>plist_keys</key> | |
<dict> | |
<key>complete_version</key> | |
<string>version</string> | |
</dict> | |
</dict> | |
<key>Processor</key> | |
<string>PlistReader</string> | |
</dict> |
This approach works, but now you have a plist file to clean up later. Another approach is to use custom variable assigning as part of another AutoPkg processor’s run. In this case, you’re using an AutoPkg processor and adding a separate argument which is probably unrelated to the other work the processor is doing, but does the value assignment work you couldn’t accomplish otherwise.
A pretty safe processor to use for this is the EndOfCheckPhase processor. The reason is that by itself, the EndOfCheckPhase processor takes no actions. Instead, it’s used as a marker in AutoPkg recipes to tell AutoPkg to stop checking for new information as part of a recipe’s run. However, even though the EndOfCheckPhase processor doesn’t take actions and doesn’t by default include Arguments values, AutoPkg will still process Arguments values if they’re defined for the EndOfCheckPhase processor. That allows custom variables to be set with values that you couldn’t otherwise set and pass them to AutoPkg. The workflow in this case looks like this:
1. Add the EndOfCheckPhase processor to the very end of the recipe.
2. Perform the desired variable assignment as an Arguments value
The reason to add it to the end is to make sure that all of the other tasks the recipe is performing are completed by the time this processor runs.
In this case, I used this method with the the EndOfCheckPhase processor in the screen saver’s .download recipe to assign the version variable to use the values of the major_version and minor_version variables, separated by a period.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<dict> | |
<key>Processor</key> | |
<string>EndOfCheckPhase</string> | |
<key>Arguments</key> | |
<dict> | |
<key>version</key> | |
<string>%major_version%.%minor_version%</string> | |
</dict> | |
</dict> |
The result for the latest version of the screen saver software is that the version variable is assigned the following value:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
'version': '1.4' |
I’ve posted the recipes which use this technique for setting version information to GitHub. They’re available via the link below:
https://github.com/autopkg/rtrouton-recipes/tree/master/CarouselCloudScreenSaver
Jamf Pro Server software no longer supported on macOS as of Jamf Pro 10.37.0
To follow up on my earlier posts on the Jamf Pro Server Installer for macOS being retired, Jamf has added the following to the Deprecations and Removals section of the Jamf Pro 10.36.0 release notes:
Support Ending for Hosting Jamf Pro Server on macOS—Starting with the release of Jamf Pro 10.37.0, hosting the Jamf Pro server on macOS will no longer be supported. Mac computers with Apple silicon are not supported by the Jamf Pro Installer for macOS. In addition, the Jamf Pro Installer for macOS will not be available to download. The Jamf Pro utilities that were included in the Jamf Pro Installer for macOS—Composer, Jamf Admin, Jamf Recon, and Jamf Remote—will be made available as a separate download.
If you want to migrate your Jamf Pro server from macOS to Jamf Cloud, contact Jamf Support. If you want to keep your server on premise, you can migrate your Jamf Pro server to one of the following servers: Red Hat Enterprise Linux, Ubuntu, or Windows. For more information, see the Migrating to Another Server article.
For those folks who are running on-premise Jamf Pro servers on Macs, I strongly recommend contacting Jamf Support right now and plan a migration if you haven’t already. As of February 21st, 2022, Jamf’s published support for running Jamf Pro includes the following OS, database and Java versions:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Recommended Configuration: | |
Operating Systems: | |
Windows Server 2019 | |
Ubuntu Server 20.04 LTS | |
Red Hat Enterprise Linux 7.x | |
Database software versions: | |
MySQL 8.0.27 – InnoDB | |
Amazon Aurora (MySQL 5.7 compatible) | |
MySQL 5.7.36 or later – InnoDB | |
Java version: | |
OpenJDK 11 | |
Minimum Supported: | |
Operating Systems: | |
Windows Server 2016 | |
Windows Server 2012 R2 | |
Ubuntu Server 18.04 LTS | |
macOS 10.15 (Support for the Jamf Pro Installer for macOS and hosting Jamf Pro server on macOS will be discontinued with the release of Jamf Pro 10.37.0.) | |
macOS 10.14 (Support for the Jamf Pro Installer for macOS and hosting Jamf Pro server on macOS will be discontinued with the release of Jamf Pro 10.37.0.) | |
Database software versions: | |
MySQL 5.7.36 – InnoDB | |
MySQL 5.7.8 on Amazon RDS – InnoDB | |
Java version: | |
Oracle Java 11 |
Using AutoPkg to get the latest Jamf Protect installer and uninstaller from your Jamf Protect tenant
Jamf has enabled a new feature on Jamf Protect tenants, where you can generate a download URL for the latest Jamf Protect client installer and uninstaller. These download URLs do not require authentication, but a security identifier unique to the Jamf Protect tenant needs to be included as part of the download URL:
Once generated, the download links are formatted similar to this:
Installer:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
curl "https://jamf.protect.tenant.here/installer.pkg?security_token_goes_here" -o installer.pkg |
Â
Uninstaller:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
curl "https://jamf.protect.tenant.here/uninstaller.pkg?security_token_goes_here" -o uninstaller.pkg |
Â
For example, if the Jamf Protect tenant and security identifier were as shown below, the curl commands would look like this:
- Jamf Protect tenant: companyname.protect.jamfcloud.com
- Security token: c1f0d1cb-8ddc-4f36-9578-58a7388053d5
Installer:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
curl "https://companyname.protect.jamfcloud.com/installer.pkg?c1f0d1cb-8ddc-4f36-9578-58a7388053d5" -o installer.pkg |
Uninstaller:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
curl "https://companyname.protect.jamfcloud.com/uninstaller.pkg?c1f0d1cb-8ddc-4f36-9578-58a7388053d5" -o uninstaller.pkg |
Since the Jamf Protect installer and uninstaller can be downloaded from your Jamf Protect tenant, this means that it’s now possible to use AutoPkg to get the latest Jamf Protect client installer and uninstaller as soon as they are available from your Jamf Protect tenant. For more details, please see below the jump.
autopkg-conductor updated to support both JamfUploaderSlacker and Slacker AutoPkg processors
As part of my preparations for Jamf’s planned authentication changes to the Classic API, I’ve been working more with the JamfUploader AutoPkg processors for Jamf Upload. These processors have emerged as a successor to JSSImporter, the original tool available to upload installer packages and other components to Jamf Pro using AutoPkg.
As part of my work with Jamf Upload, I’ve also updated my autopkg-conductor script to allow the use of either Jamf Upload’s JamfUploaderSlacker AutoPkg processor or JSSImporter’s Slacker AutoPkg processors. For more details, please see below the jump.
Recent Comments