Downloading installer packages from Jamf Pro when no other options are available
Every so often, Mac admins who administer Jamf Pro may run into a situation like this:
- They need an installer package For Reasons.
- That installer package is only stored on their Jamf Pro server.
- They don’t have access to the distribution point which stores their Jamf Pro server’s installer packages.
In a situation like this, you can use a Jamf Pro policy to provide the installer to a specified Mac. For more details, please see below the jump.
20 years of Der Flounder
I noticed that I first wrote an entry on this blog twenty years ago. I figured that deserved some commemoration and recognition.
The blog started out as a personal blog (as evidenced by its early entries) and gradually morphed into being what it is today. I plan to keep writing it because it’s still fun for me and I can see that it’s helped folks out. First blog entry was naturally about starting the blog:
Subject? I don’t need no steenking subject!
At the time, I was using LiveJournal as they had a client app for Mac OS X and that made it easy for me to get started with blogging. Over the years, the blog moved a few times:
- LiveJournal
- Mac OS X 10.4.x Server’s Blojsom-based blog platform
- Self-hosted WordPress
- WordPress.com
I moved to WordPress.com in September 2008 and they’ve been graciously hosting me ever since. Thanks, folks.
I’ve been using MarsEdit for at least the last six years to write my blog posts, so thanks also to Daniel Jalkut at Red Sweater for putting out a quality product that helps me stay focused on the writing of a blog post and not the fiddly bits of how to post it.
For my past, present and future readers:
Thank you. This place wouldn’t be what it is without you.
Setting user-level global preferences in a macOS configuration profile
When managing user settings with a profile, you often need to define what the preference domain is in order to specify which settings to manage. Usually you can check the CFBundleIdentifier of an application to get the unique identifier used to define the preference domain.
Normally, these unique IDs (and corresponding preference domains) use a reverse-DNS-lookup scheme. For example, the preference domain for Apple’s web browser Safari is the following:
com.apple.Safari
This is derived from:
a. Apple using the following domain name:
b. The application in question being named Safari.
Note: This is a convention, rather than a hard and fast requirement, but most applications’ unique identifiers and corresponding preference domains will use this naming convention.
However, there’s an exception to be aware of. macOS uses a special domain to identify settings which should apply to all applications started by the same user. This preference domain is called the NSGlobalDomain, but unlike most preference domains, you don’t use NSGlobalDomain to define the preference domain when trying to manage their settings with a profile. This can cause some confusion when trying to manage these settings. The preference domain in this case is the following:
.GlobalPreferences
For more details, please see below the jump.
Using Script2Pkg to create payload-free installer packages
Payload-free packages are something I’ve discussed from time to time, as I’ve found them to be very useful additions to my Mac admin toolkit. For those not familiar with the concept, payload-free installer packages are installer packages that exist only to run scripts. They don’t install any files, which would be referred to as the installer package’s payload. With no payload included with these installer packages, the installer packages built by this tool are referred to as payload-free.
A while back, I wrote a tool that would let me easily create them from existing scripts named Payload-Free Package Creator.app. The general idea was that you could use this tool to select a script, and then Payload-Free Package Creator.app would create an unsigned payload-free installer package which would run the selected script.
I’m happy to say that my team at work has expanded on that idea and has both built and open-sourced a tool for building payload-free packages named Script2Pkg. Script2Pkg includes the following functions:
- Building an unsigned payload-free installer package
- Building a signed payload-free installer package
- Building a signed and notarized payload-free installer package
- Verifying signing and notarization status of any installer package
For more details, please see below the jump.
Using the plutil command line tool to work with JSON on macOS Monterey and later
One of the issues Mac admins may face is working with JSON files as part of shell scripting. There are several solutions to this problem, including using the third-party jq command line tool and Apple’s JavaScript for Automation (JXA) interface. For posts on using these solutions, please see the links below:
jq:
- https://sher-chowdhury.medium.com/working-with-json-using-jq-ce06bae5545a
- https://codeahoy.com/learn/introtobash/ch15/
- https://cameronnokes.com/blog/working-with-json-in-bash-using-jq/
JXA:
- https://www.macblog.org/posts/how-to-parse-json-macos-command-line/
- https://paulgalow.com/how-to-work-with-json-api-data-in-macos-shell-scripts
- https://scriptingosx.com/2021/11/the-unexpected-return-of-javascript-for-automation/
Another available option is to use the plutil command line tool on macOS Monterey and later to do the following:
- Read values from JSON files
- Convert plist files in XML format to JSON
For more details, please see below the jump.
Migrating an APNS certificate from one Apple ID to another Apple ID
As part of a recent change, I needed to migrate an APNS certificate from being associated with one Apple ID to now being associated with another Apple ID. Apple has a KBase article available which provides contact information for this, which is available via the link below:
https://support.apple.com/HT208643
For those folks with AppleCare support plans, you can also submit a ticket to AppleCare. That’s the route I took. Regardless of which support avenue you pursue, Apple will request the following information from you.
- APNS Certificate Subject DN
- APNS Certificate CN
- APNS Certificate Serial Number
- APNS Certificate Expiration Date
- The Apple ID you want to migrate from
- The Apple ID you want to migrate to
For more information, please see below the jump:
macOS Ventura 13.3 alters expected behavior for Finder’s Open With functionality for macOS installer packages
I’m a frequent user of macOS’s Open With functionality, where I can control-click on a file and select what app I want to open the file with.
Among the files I’m used to doing this with are installer package files. However, I noticed that as of macOS 13.3, this mostly stopped working as the only choice I now had for installer packages was the Installer app. Here’s how it looks on macOS 13.2.1, on a Mac with the Suspicious Package application installed:
Here’s how it looks on macOS 13.3, on a Mac with the Suspicious Package application installed:
When I looked in a Get Info window for an installer package on macOS 13.3, the Open with: functionality was both grayed out and set to Installer.
Normally I would have suspected a bug in macOS 13.3, but according to Randy Saldinger of Mothers Ruin Software, this appears to be an undocumented change by Apple in macOS 13.3.
For more details, please see below the jump.
Creating a sysdiagnose file using Activity Monitor
The sysdiagnose tool is used for gathering a large amount of diagnostic files and logging, and it’s often very useful when it comes to figuring out why a problem is happening. However, it can sometimes be challenging to get a sysdiagnose-generated file from someone who is not comfortable with using the Terminal as the usual method for generating a sysdiagnose file involves opening the Terminal and running commands there.
Fortunately, there’s also a way to generate a sysdiagnose file using Activity Monitor. This may be an alternate way to help get you the desired sysdiagnose file from someone who normally wouldn’t ever use the Terminal on macOS. For more details, please see below the jump.
Granting Volume Owner status on Apple Silicon Macs
macOS on Apple Silicon Macs includes a concept known as volume ownership. You must be a volume owner to perform the following tasks on an Apple Silicon Mac:
- Make changes to startup security policy for a specific install of macOS.*
- Be able to authorize the installation of macOS software updates or macOS upgrades.
- Authorize running Erase All Contents and Settings.
* There may be multiple installations of macOS on one Apple Silicon Mac; each macOS install would have their own startup security policy.
For more information on volume ownership, please see Apple’s Platform Deployment article linked below:
https://support.apple.com/guide/deployment/use-secure-and-bootstrap-tokens-dep24dbdcf9e/web (see the Volume ownership section.)
How do you get volume ownership though? It turns out that Apple has this currently set up on macOS as a two-fer deal: If an account account has Secure Token, it is also granted volume ownership. For more details, please see below the jump.
Setting a user account to automatically log in using sysadminctl on macOS Ventura
On macOS, it’s possible to set an account to automatically log in. However, up until macOS Ventura, there hasn’t been an Apple command line tool available which will do the following:
- Set the desired account to automatically log in
- Create the /etc/kcpassword file
Setting the desired account to log in could be accomplished by running the following command with root privileges:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow autoLoginUser -string username_goes_here |
The hard part was correctly creating the /etc/kcpassword file, which stores an obfuscated copy of the password used by the account which is being set for auto-login. Without that file properly created and available in the specified location, the automatic login process would fail. For those interested in how the kcpassword file is set up, please see the link below:
https://www.offsec.com/offsec/in-the-hunt-for-the-auto-login-setup-process/
There have been several tools built by the community which successfully create the kcpassword file, but Apple themselves hadn’t provided a way to do this in macOS Monterey or earlier, outside of using the GUI for Users & Groups in System Preferences.
As of macOS Ventura, the sysadminctl command line tool has been updated with functionality to enable and disable auto-login for specified accounts. For more details, please see below the jump.
Der Flounder 
Recent Comments