Cancelling an unwanted FileVault deferred enablement

March 12, 2018

There are sometimes occasions when FileVault deferred encryption has been enabled for a particular Mac and then needs to be turned off. Since FileVault is not yet turned on at this point, there is no obvious way to turn off this deferred enablement.

However, it is possible to turn off a deferred enablement if needed. For more details, please see below the jump.


Using to download macOS High Sierra installers

February 27, 2018 1 comment

Starting with macOS Sierra, Apple moved the macOS Installer applications from being exclusively an App Store download to now being included in the regular Software Update catalogs. This means that it’s possible to download macOS installers, including those for macOS betas or hardware-specific macOS builds, using the command-line softwareupdate tool.

To assist with this task, Greg Neagle has written a Python script named is designed to do the following:

1. Parse a specified Software Update feed.
2. Identify the listed products which appear to be macOS installers.
3. Display a menu of the available choices.

Once you’ve selected from the available options, the script does the following:

4. Creates a disk image and names it with the appropriate information for the specified macOS installer.
5. Mounts the disk image.
6. Downloads all the relevant packages from the Software Update feed for the specified macOS installer.
7. Installs the packages onto the disk image.
8. Unmounts the disk image.
9. Stores the disk image in the current working directory (this is likely going to be the logged-in user’s home folder).

For more details, please see below the jump.


Slides from the “Managing FileVault 2 on macOS High Sierra” Session at MacAD UK 2018 Conference

February 21, 2018 3 comments

For those who wanted a copy of my FileVault 2 management talk at MacAD UK 2018, here are links to the slides in PDF and Keynote format.


Keynote –

Hat tip to the attendee who brought to my attention that fdesetup sync is not supported on encrypted APFS boot drives. I’ve now updated the slides to reflect that it works on macOS High Sierra for HFS+ drives only.





Backing up the contents of an AWS-hosted Jamf Pro cloud distribution point to a local directory

February 15, 2018

As part of removing unused packages from a Jamf Pro cloud distribution point using @shea_craig’s Spruce tool, I needed to first make a backup of the contents of the cloud distribution point to a local directory on my Mac. That way, in case I had made an error and deleted the wrong installer package, I had a copy of the package readily available and could re-add the package back to my Jamf Pro server.

The cloud distribution point in question is hosted out in Amazon Web Services’ (AWS) S3 service, so I decided to use the S3 functions of AWS’s awscli command line tool to run a one-way synchronization process between the cloud distribution point in S3 and my local directory. For more details, please see below the jump.


FileVault management on macOS High Sierra session at Mac Admin & Developer Conference UK 2018

February 9, 2018 1 comment

I’ll be speaking at Mac Admin & Developer Conference UK 2018, which is taking place in London from February 20th – 21st, 2018. My session will be on Wednesday, February 21st and is covering FileVault management on macOS High Sierra, with discussion of how to manage encryption on both APFS and HFS Plus drives.

The full conference schedule is available from and you can see the entire list of speakers at

Secure Token and FileVault on Apple File System

January 20, 2018 9 comments

As part of Apple File System’s FileVault encryption on macOS High Sierra, Apple introduced Secure Token. This is a new and undocumented account attribute, which must now be added to a user account before that account can be enabled for FileVault on an encrypted Apple File System (APFS) volume. To help make sure that at least one account has a Secure Token attribute associated with it, a Secure Token attribute is automatically added to the first account to log into the OS loginwindow on a particular Mac.


Once an account has a Secure Token associated with it, it can then create other accounts which will in turn automatically be granted their own Secure Token.

For the consumer user, this usually takes the following form:

  1. Secure Token is automatically enabled for the user account created by Apple’s Setup Assistant.
  2. The Setup Assistant-created user account with Secure Token then creates other users via the Users & Groups preference pane in System Preferences. Those accounts get their own Secure Token automatically.

However, Active Directory mobile accounts and user accounts created using command line tools do not automatically get a Secure Token attribute. Without the Secure Token attribute, those accounts cannot be enabled for FileVault.


Update 1-20-2018: @mikeymikey has pointed out an exception to the rule:

Instead, the sysadminctl utility must be used to grant Secure Token to these accounts as a post-account creation action. In that case, the sysadminctl utility must be run by a user account with the following pre-requisites:

  1. Administrative rights
  2. Secure Token

For more details, please see below the jump.


Oracle Java 9 JDK and JRE installation scripts for macOS

January 18, 2018

Oracle has started to release Java 9 for macOS, so I’m posting a couple of scripts to download and install the following:

Oracle Java 9 JRE
Oracle Java 9 JDK

Oracle has been releasing two separate versions of Java 8 simultaneously and may do the same for Java 9, so these Java 9-focused scripts are designed to allow the user to set which version they want to install: the CPU release or the PSU release.

The difference between CPU and PSU releases is as follows:

  • Critical Patch Update (CPU): contains both fixes to security vulnerabilities and critical bug fixes.
  • Patch Set Update (PSU): contains all the fixes in the corresponding CPU, plus additional fixes to non-critical problems.

For more details on the differences between CPU and PSU updates, please see the link below:

For more information, please see below the jump.
