Using Markdown comments to add search keywords to Self Service descriptions
For those using Jamf Pro’s Self Service, one of the handier features can be the Search function built into the app. This search is able to examine Self Service policies and use the information in the policy and Self Service description to populate its search results. For the most part, just the displayed information in the policy should allow Self Service’s search to display relevant policies.
However, you may have a need to force the search process to include policies that would otherwise fall outside of the search parameters. For those who need this ability, thanks to Self Service’s support of Markdown it’s possible to invisibly add search keywords to a Self Service policy description. For more details, please see below the jump.
Connecting to AWS EC2 instances via Session Manager
When folks have needed command line access to instances running in Amazon Web Service’s EC2 service, SSH has been the usual method used. However, in addition to using SSH to connect to EC2 instances in AWS, it is also possible to connect remotely via Session Manager, one of the services provided by AWS’s Systems Manager tool.
Session Manager uses the Systems Manager agent to provide secure remote access to the Mac’s command line interface without needing to change security groups and allow SSH access to the instance. In fact, Session Manager allows remote access to EC2 instances which have security groups configured to allow no inbound access at all. For more details, please see below the jump.
Jamf Pro server installer for macOS being retired
As part of the release notes for Jamf Pro 10.28, there is this note in the Deprecations and Removals section:
Support ending for the Jamf Pro Server Installer for macOS — Support for using the Jamf Pro Installer for macOS will be discontinued in a future release. Mac computers with Apple silicon are not supported by the Jamf Pro Installer for macOS. If you want to migrate your Jamf Pro server from macOS to Jamf Cloud, contact Jamf Support. If you want to keep your server on premise, you can migrate your Jamf Pro server from macOS to one of the following servers: Red Hat Enterprise Linux, Ubuntu, or Windows. For more information, see the Migrating to Another Server Knowledge Base article.
For those folks who are running on-premise Jamf Pro servers on Macs, it looks like it’s time to contact Jamf Support and plan a migration if you haven’t already. As of March 17th, 2021, Jamf’s published support for running Jamf Pro includes the following OS, database and Java versions:
| Recommended Configuration: | |
| Operating Systems: | |
| Windows Server 2019 | |
| Ubuntu Server 20.04 LTS | |
| Red Hat Enterprise Linux 7.x | |
| macOS 10.15.5 | |
| Database software versions: | |
| MySQL 8.0 – InnoDB | |
| Amazon Aurora (MySQL 5.7 compatible) | |
| MySQL 5.7.8 or later – InnoDB | |
| Java version: | |
| OpenJDK 11 | |
| Minimum Supported: | |
| Operating Systems: | |
| Windows Server 2016 | |
| Windows Server 2012 R2 | |
| Ubuntu Server 18.04 LTS | |
| macOS 10.14.5 | |
| Database software versions: | |
| MySQL 5.7.8 – InnoDB | |
| MySQL 5.7.8 on Amazon RDS – InnoDB | |
| Java version: | |
| Oracle Java 11 |
Using Twocanoes’ Signing Manager to sign AutoPkg-built installer packages
As part of many application or package building workflows, there is a requirement to sign the end result to guarantee that the app or package has not been tampered with. With the advent of Apple’s notarization process, this has become even more important because an app or installer package must be signed before it can be notarized.
However, in order to sign apps or packages, you must have the signing certificate available. This has often meant putting copies of Apple signing certificates, complete with the certificate’s private key, onto the Mac or Macs used to build the application and/or installer package. This has security concerns because if the signing certificate’s private key is compromised, you must now revoke the existing certificate, get a new one from Apple and re-sign everything that used that now-revoked signing certificate.
To assist with the security concerns, Twocanoes Software has developed Signing Manager. This tool provides a way to centralize hosting of signing certificates and make their signing capabilities securely available to Macs which need them. In my own case, I’m investigating Signing Manager in the context of signing AutoPkg-built installer packages. For more details, please see below the jump.
Selectively removing the drop shadow from screenshots on macOS Big Sur
One of my personal preferences with macOS is removing the drop shadow from screenshots. On macOS Catalina and earlier, I was able to to turn off drop shadows on screenshots by running the following commands:
defaults write com.apple.screencapture disable-shadow true killall SystemUIServer
This appears to not work on fresh installs of macOS Big Sur, though it appears to still work on Big Sur Macs who had the setting applied prior to upgrading to Big Sur. However, when using keyboard shortcuts to make screenshots, it looks like there’s a way to selectively add or remove the drop shadow at the time of making the screenshot. For more details, please see below the jump.
Listing the full OS installers available from Apple’s Software Update feed on macOS Big Sur
One of the changes in macOS Big Sur is that the softwareupdate command has been updated with new functionality.
| usage: softwareupdate <cmd> [<args> …] | |
| ** Manage Updates: | |
| -l | –list List all appropriate update labels (options: –no-scan, –product-types) | |
| -d | –download Download Only | |
| -i | –install Install | |
| <label> … specific updates | |
| -a | –all All appropriate updates | |
| -R | –restart Automatically restart (or shut down) if required to complete installation. | |
| -r | –recommended Only recommended updates | |
| –list-full-installers List the available macOS Installers | |
| –fetch-full-installer Install the latest recommended macOS Installer | |
| –full-installer-version The version of macOS to install. Ex: –full-installer-version 10.15 | |
| –install-rosetta Install Rosetta 2 | |
| –background Trigger a background scan and update operation | |
| ** Other Tools: | |
| –dump-state Log the internal state of the SU daemon to /var/log/install.log | |
| –evaluate-products Evaluate a list of product keys specified by the –products option | |
| –history Show the install history. By default, only displays updates installed by softwareupdate. | |
| –all Include all processes in history (including App installs) | |
| ** Options: | |
| –no-scan Do not scan when listing or installing updates (use available updates previously scanned) | |
| –product-types <type> Limit a scan to a particular product type only – ignoring all others | |
| Ex: –product-types macOS || –product-types macOS,Safari | |
| –products A comma-separated (no spaces) list of product keys to operate on. | |
| –force Force an operation to complete. Use with –background to trigger a background scan regardless of "Automatically check" pref | |
| –agree-to-license Agree to the software license agreement without user interaction. | |
| –verbose Enable verbose output | |
| –help Print this help |
Among the changes is the ability to scan Apple’s Software Update feed and display a list of the currently available full OS installers. To access this list, run the command below with root privileges:
softwareupdate --list-full-installers
The list you receive will be dependent on whether or not your Mac can run a particular OS version. As an example, here’s the list you would receive inside of a VMware VM as of March 3rd, 2021.
Once you have the right macOS installer identified, you can use the softwareupdate tool to download it.
One thing to be aware of is that multiple versions of a macOS full installer may show up in the Software Update feed. As an example of this, the list above includes multiple entries for macOS 10.15.6 and 10.15.7. These installers would be for hardware-specific builds of that macOS version’s full installer. Unfortunately, it’s not easy to tell the various installers apart using the softwareupdate command because the build number is not included.
If you do need to be able to download an installer with a specific build number, I recommend using the installinstallmacos.py tool. This tool also references the Apple Software Update feed, so the information you get back should be similar but also include the relevant build numbers for the macOS full installers.
Backing up Der Flounder Revisited
Nine years ago, I wrote a post on how I backup this blog. Overall, the reasons I’m backing up haven’t changed:
- I like this blog and don’t want to see it or its data disappear because of data loss.
- WordPress.com’s free hosting doesn’t provide me with an automated backup method.
To create the backups, I make a nightly mirror using HTTrack. As time has passed and host machines were replaced, I’ve moved the backup host a few times. For the last move, I decided for budgetary reasons to move off of using Macs and onto a Raspberry Pi. For those wanting to know more, please see below the jump.
FileVault login screen differences between Intel and Apple Silicon Macs
As new Apple Silicon Macs (ASM) have begun making their way to organizations which use FileVault encryption to secure their fleets, a difference between Intel Macs and ASMs has become apparent.
Intel Macs:
- Supports account icons and password blanks at the FileVault login screen
- Unable to support username blanks at the FileVault login screen
- Unable to support smart cards for login at the FileVault login screen
ASMs:
- Supports account icons and password blanks at the FileVault login screen
- Supports username and password blanks at the FileVault login screen
- Supports smart cards for login at the FileVault login screen
Why the differences between platforms? For more details, please see below the jump.
Adobe Flash is dead – let’s get it removed
After 24 years and 1078 known security vulnerabilities, Adobe Flash has reached end of life status as of December 31, 2020.
To assist with the process of removing Adobe Flash, I’ve written an uninstall script which will completely remove Adobe Flash. For more details, please see below the jump.
Setting up AutoPkg, AutoPkgr and JSSImporter on an Amazon Web Services macOS EC2 instance
One of the outcomes of the recent Amazon Web Service’s Insight conference was AWS’s announcement that, as of November 30th, macOS EC2 instances were going to be available as on-demand instances or as part of one of AWS’s reduced cost plans for those who needed them long-term.
There are a few differences about AWS’s macOS offerings, as opposed to their Linux and Windows offerings. macOS EC2 instances are set up to run on actual Apple hardware, as opposed to being completely virtualized. This means that there are the following dependencies to be aware of:
- macOS EC2 instances must run on dedicated hosts (AWS has stated these are Mac Minis)
- One macOS EC2 instance can be provisioned per dedicated host.
AWS has also stipulated that that dedicated hosts for macOS EC2 instances have a minimum billing duration of 24 hours. That means that even if your dedicated host was only up and running for one hour, you will be billed as if it was running for 24 hours.
For now, only certain AWS regions have EC2 Mac instances available. As of December 20th, 2020, macOS EC2 instances are available in the following AWS Regions:
- US-East-1 (Northern Virginia)
- US-East-2 (Ohio)
- US-West-2 (Oregon)
- EU-West-1 (Ireland)
- AP-Southeast-1 (Singapore)
The macOS EC2 instances at this time support two versions of macOS:
macOS Big Sur is not yet supported as of December 20th, 2020, but AWS has stated that Big Sur support will be coming shortly.
By default, macOS EC2 instances will include the following pre-installed software:
- ENA drivers
- EC2 macOS Init
- EC2 System Monitoring for macOS
- Systems Manager SSM Agent for macOS
- AWS Command Line Interface (AWS CLI) version 2
- Xcode Command Line Tools
- Homebrew
For folks looking to build services or do continuous integration testing on macOS, it’s clear that AWS went to considerable lengths to have macOS EC2 instances be as fully-featured as their other EC2 offerings. Amazon has also either made it possible to install the tools you need or just went ahead and installed them for you. They’ve also included drivers for their faster networking options and made it possible to manage and monitor Mac EC2 instances using AWS’s tools just like their Linux and Windows EC2 instances.
That said, all of this comes with a price tag. Here’s how it works out (all figures expressed in US dollars):
mac1 Dedicated Hosts (on-demand pricing):
$1.083/hour (currently with a 24 hour minimum charge, after which billing is by the second.)
$25.99/day
$181.93/week
$9493.58/year
Now, you can sign up for an AWS Savings Plan and save some money by paying up-front for one year or three years. Paying for three years, all cash up front is the cheapest option currently available:
$0.764/hour
$18.33/day
$128.31/week
$6697.22/year
Now some folks are going to look at that and have a heart attack, while others are going to shrug because the money involved amounts to a rounding error on their existing AWS bill. I’m mainly going through this to point out that hosting Mac services on AWS is going to come with costs. None of AWS’s existing Mac offerings are part of AWS’s Free Tier.
OK, so we’ve discussed a lot of the background but let’s get to the point: How do you set up AutoPkg to run in the AWS cloud? For more details, please see below the jump.
Recent Comments