Running recoverydiagnose in macOS Recovery
Most Mac admins, especially those who file bug reports or who work with AppleCare Enterprise, are familiar with running the sysdiagnose tool to gather diagnostic information about a Mac they’re working on. Running sysdiagnose will trigger a large number of macOS’s performance and problem tracing tools and use their reports to assemble what amounts to a snapshot of your Mac’s complete state at the time you ran the sysdiagnose tool, which can be very useful to developers trying to trace down why a particular problem is occurring.
However, this tool only applies to a Mac’s regular OS. What if the problem you’re seeing is in the macOS Recovery environment? In that case, you can run the recoverydiagnose tool in macOS Recovery to gather similar data specifically for macOS Recovery-related problems. For more details, please see below the jump.
PkgSigner AutoPkg processor updated for Python 3
A while back, I discussed how to incorporate installer package signing into AutoPkg workflows. The PkgSigner processor used in this workflow was originally written by Paul Suh and it uses Apple’s productsign tool to access a Developer ID Installer certificate stored in the login keychain.
Like other processors and AutoPkg itself, PkgSigner needed updating to Python 3 when Python 2 reached end-of-life in April 2020. This updating process has been completed, thanks to Nick McDonald. To make sure PkgSigner is consistently using the same Python environment across machines, PkgSigner has also been set to use the Python 3 install bundled with AutoPkg.
For those who need it, I have a copy of the PkgSigner processor available via the link below:
https://github.com/rtrouton/AutoPkg_Processors/tree/master/PkgSigner
Enabling diagnostic logging for Microsoft Outlook 2019
I was recently asked for assistance with a way to enable diagnostic logging for Microsoft Outlook 2019 for macOS:
I had seen Microsoft’s KBase article on how to do it, where it references enabling logging via the Outlook preferences:
https://support.microsoft.com/en-us/help/2872257/how-to-enable-logging-in-outlook-for-mac
However, the KBase article only references how to enable this logging via the GUI and does not show how to do this via the command line. Fortunately my colleague @golby knew which settings could enabled from the command line to produce the requested logging. For more details, please see below the jump:
create_macos_vm_install_dmg updated for macOS Big Sur installer disk images
As part of testing macOS Big Sur 11.0.0, I’ve updated my create_macos_vm_install_dmg script. For more details, please see below the jump.
WWDC 2020 notes
This week, I’m attending Apple’s WWDC 2020 conference from the comforts of home. As part of this, I’m taking notes during the labs and session videos. Due to wanting to stay on the right side of Apple’s NDA, I’ve been posting my notes to Apple’s developer forums rather than to here.
To make it easier for Mac admins to access them, I’ve set up a post in the forums where I’ve linking the various forum posts with my notes. It’s available via the link below:
Using an Activation Lock bypass code from Jamf Pro to clear Activation Lock on a Mac
As part of macOS Catalina, Apple introduced Activation Lock for Macs. As on iOS, Activation Lock is an anti-theft feature designed to prevent activation of a Mac if it’s lost or stolen.
Activation Lock on Macs does have some requirements in order for it to work. The Mac must:
- Run macOS Catalina or later
- Use the Apple T2 Security chip
- Two-factor authentication must be enabled on the Apple ID used for enable Activation Lock.
- Secure Boot must be enabled with Full Security settings and Disallow booting from external media selected.
Once these requirements are satisfied, Activation Lock is automatically enabled when Apple’s Find My service is enabled.
However, having Activation Lock turn on when Find My is enabled can lead to situations where it’s enabled by an employee on company-owned equipment. When this happens, companies, schools or institutions need a way to bypass Activation Lock without needing to know anything about the Apple ID used by the employee.
To provide this bypass, Apple has made it possible for companies, schools and institutions to use their MDM solution to clear Activation Lock. For more details, please see below the jump:
Allowing external boot drives for T2-equipped Macs
With WWDC 2020 only a couple of weeks away, a number of folks are preparing to run the new beta version of macOS. While some will choose to go all-in and run the new OS on their main boot drive, others will prefer to install the new OS onto an external drive. However, for Macs equipped with T2 chips, there’s an extra step involved with allowing your Mac to boot from an external drive. For more details, please see below the jump.
Videos from Penn State MacAdmins Campfire Sessions 2020
The good folks at Penn State have begun posting session videos from the Penn State MacAdmins Campfire Sessions to YouTube. As they become available, you should be able to access them via the link below:
https://www.youtube.com/playlist?list=PLRUboZUQxbyUyqkH7BFaQGAR7x51olLNt
I’ve linked my “Introduction to MDM and Configuration Profiles” session here:
My colleague Anthony Reimer’s “Things I Learned from the Autopkg Maintainers” session is likewise available here:
Deleting all Jamf Pro policies in a specified category
Every so often, I need to delete a bunch of Jamf Pro policies at once. One convenient way I’ve found to do this is to assign all the policies I want to delete to one category which doesn’t have any other policies assigned to it. Once assigned, I can then use the API to delete them all at once.
To assist with this task, I’ve been using a script written by Jeffrey Compton but over time I found that I wanted more functionality. To meet my own needs, I took Jeffery’s original idea and written my own script to target the policies in a particular Jamf Pro category. For more details, please see below the jump.
Mad, bad and possibly dangerous – a cautionary tale of software installation
In my career, I’ve run across a lot of terrible installers in a variety of forms. The one I ran across today though is noteworthy enough that I want to point it out because of the following reasons:
- It’s an installer application. I have opinions on those.
- It’s for a security product where, as part of the installation, you need to provide the username and password for an account on the Mac which has:
- Administrator privileges
- Secure Token
Note: I have no interest in talking to the vendor’s legal department, so I will not be identifying the vendor or product by name in this post. Instead, I will refer to the product and vendor in this post as “ComputerBoat” and leave discovery of the company’s identity to interested researchers.
For more details, please see below the jump.
Recent Comments