Downloading installer packages from Jamf Pro when no other options are available

May 25, 2023 5 comments

Every so often, Mac admins who administer Jamf Pro may run into a situation like this:

  1. They need an installer package For Reasons.
  2. That installer package is only stored on their Jamf Pro server.
  3. They don’t have access to the distribution point which stores their Jamf Pro server’s installer packages.

In a situation like this, you can use a Jamf Pro policy to provide the installer to a specified Mac. For more details, please see below the jump.

Read more…

20 years of Der Flounder

May 25, 2023 7 comments

I noticed that I first wrote an entry on this blog twenty years ago. I figured that deserved some commemoration and recognition.

The blog started out as a personal blog (as evidenced by its early entries) and gradually morphed into being what it is today. I plan to keep writing it because it’s still fun for me and I can see that it’s helped folks out. First blog entry was naturally about starting the blog:

Subject? I don’t need no steenking subject!

At the time, I was using LiveJournal as they had a client app for Mac OS X and that made it easy for me to get started with blogging. Over the years, the blog moved a few times:

I moved to WordPress.com in September 2008 and they’ve been graciously hosting me ever since. Thanks, folks.

I’ve been using MarsEdit for at least the last six years to write my blog posts, so thanks also to Daniel Jalkut at Red Sweater for putting out a quality product that helps me stay focused on the writing of a blog post and not the fiddly bits of how to post it.

For my past, present and future readers:

Thank you. This place wouldn’t be what it is without you.

Categories: Personal

Setting user-level global preferences in a macOS configuration profile

May 12, 2023

When managing user settings with a profile, you often need to define what the preference domain is in order to specify which settings to manage. Usually you can check the CFBundleIdentifier of an application to get the unique identifier used to define the preference domain.

Normally, these unique IDs (and corresponding preference domains) use a reverse-DNS naming scheme. For example, the preference domain for Apple’s web browser Safari is the following:

com.apple.Safari

This is derived from:

a. Apple using the following domain name:

apple.com

b. The application in question being named Safari.

Note: This is a convention, rather than a hard and fast requirement, but most applications’ unique identifiers and corresponding preference domains will use this naming convention.

However, there’s an exception to be aware of. macOS uses a special domain to identify settings which should apply to all applications started by the same user. This preference domain is called the NSGlobalDomain, but unlike most preference domains, you don’t use the name NSGlobalDomain to define the preference domain when trying to manage its settings with a profile. This can cause some confusion when trying to manage these settings. The preference domain in this case is the following:

.GlobalPreferences

For more details, please see below the jump.

Read more…

Using Script2Pkg to create payload-free installer packages

Payload-free packages are something I’ve discussed from time to time, as I’ve found them to be very useful additions to my Mac admin toolkit. For those not familiar with the concept, payload-free installer packages are installer packages that exist only to run scripts. They don’t install any files, which would be referred to as the installer package’s payload. With no payload included with these installer packages, the installer packages built by this tool are referred to as payload-free.

A while back, I wrote a tool that would let me easily create them from existing scripts named Payload-Free Package Creator.app. The general idea was that you could use this tool to select a script, and then Payload-Free Package Creator.app would create an unsigned payload-free installer package which would run the selected script.

I’m happy to say that my team at work has expanded on that idea and has both built and open-sourced a tool for building payload-free packages named Script2Pkg. Script2Pkg includes the following functions:

  1. Building an unsigned payload-free installer package
  2. Building a signed payload-free installer package
  3. Building a signed and notarized payload-free installer package
  4. Verifying signing and notarization status of any installer package

For more details, please see below the jump.

Read more…

Using the plutil command line tool to work with JSON on macOS Monterey and later

April 15, 2023

One of the issues Mac admins may face is working with JSON files as part of shell scripting. There are several solutions to this problem, including using the third-party jq command line tool and Apple’s JavaScript for Automation (JXA) interface. For posts on using these solutions, please see the links below:

jq:

JXA:

Another available option is to use the plutil command line tool on macOS Monterey and later to do the following:

  • Read values from JSON files
  • Convert plist files in XML format to JSON

For more details, please see below the jump.

Read more…

Migrating an APNS certificate from one Apple ID to another Apple ID

April 11, 2023 1 comment

As part of a recent change, I needed to migrate an APNS certificate from being associated with one Apple ID to now being associated with another Apple ID. Apple has a KBase article available which provides contact information for this, which is available via the link below:

https://support.apple.com/HT208643

For those folks with AppleCare support plans, you can also submit a ticket to AppleCare. That’s the route I took. Regardless of which support avenue you pursue, Apple will request the following information from you.

  • APNS Certificate Subject DN
  • APNS Certificate CN
  • APNS Certificate Serial Number
  • APNS Certificate Expiration Date
  • The Apple ID you want to migrate from
  • The Apple ID you want to migrate to

For more information, please see below the jump:

Read more…

macOS Ventura 13.3 alters expected behavior for Finder’s Open With functionality for macOS installer packages

April 1, 2023 7 comments

I’m a frequent user of macOS’s Open With functionality, where I can control-click on a file and select what app I want to open the file with.

Among the files I’m used to doing this with are installer package files. However, I noticed that as of macOS 13.3, this mostly stopped working as the only choice I now had for installer packages was the Installer app. Here’s how it looks on macOS 13.2.1, on a Mac with the Suspicious Package application installed:

Here’s how it looks on macOS 13.3, on a Mac with the Suspicious Package application installed:

When I looked in a Get Info window for an installer package on macOS 13.3, the Open with: functionality was both grayed out and set to Installer.

Normally I would have suspected a bug in macOS 13.3, but according to Randy Saldinger of Mothers Ruin Software, this appears to be an undocumented change by Apple in macOS 13.3.

For more details, please see below the jump.

Read more…

Creating a sysdiagnose file using Activity Monitor

March 16, 2023 1 comment

The sysdiagnose tool is used for gathering a large amount of diagnostic files and logging, and it’s often very useful when it comes to figuring out why a problem is happening. However, it can sometimes be challenging to get a sysdiagnose-generated file from someone who is not comfortable with using the Terminal, as the usual method for generating a sysdiagnose file involves opening the Terminal and running commands there.

Fortunately, there’s also a way to generate a sysdiagnose file using Activity Monitor. This may be an alternate way to help get you the desired sysdiagnose file from someone who normally wouldn’t ever use the Terminal on macOS. For more details, please see below the jump.

Read more…

Categories: Mac administration, macOS

Granting Volume Owner status on Apple Silicon Macs

March 10, 2023 1 comment

macOS on Apple Silicon Macs includes a concept known as volume ownership. You must be a volume owner to perform the following tasks on an Apple Silicon Mac:

* There may be multiple installations of macOS on one Apple Silicon Mac; each macOS install would have their own startup security policy.

For more information on volume ownership, please see Apple’s Platform Deployment article linked below:

https://support.apple.com/guide/deployment/use-secure-and-bootstrap-tokens-dep24dbdcf9e/web (see the Volume ownership section.)

How do you get volume ownership though? It turns out that Apple has this currently set up on macOS as a two-fer deal: If an account has Secure Token, it is also granted volume ownership. For more details, please see below the jump.

Read more…

Setting a user account to automatically log in using sysadminctl on macOS Ventura

March 4, 2023 2 comments

On macOS, it’s possible to set an account to automatically log in. However, up until macOS Ventura, there hasn’t been an Apple command line tool available which will do the following:

  • Set the desired account to automatically log in
  • Create the /etc/kcpassword file

Setting the desired account to log in could be accomplished by running the following command with root privileges:


/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow autoLoginUser -string username_goes_here

The hard part was correctly creating the /etc/kcpassword file, which stores an obfuscated copy of the password used by the account which is being set for auto-login. Without that file properly created and available in the specified location, the automatic login process would fail. For those interested in how the kcpassword file is set up, please see the link below:

https://www.offsec.com/offsec/in-the-hunt-for-the-auto-login-setup-process/

There have been several tools built by the community which successfully create the kcpassword file, but Apple themselves hadn’t provided a way to do this in macOS Monterey or earlier, outside of using the GUI for Users & Groups in System Preferences.

As of macOS Ventura, the sysadminctl command line tool has been updated with functionality to enable and disable auto-login for specified accounts. For more details, please see below the jump.

Read more…

Categories: Mac administration, macOS