Slides from the “AutoPkg in the Cloud” session at Jamf Nation User Conference 2021
For those who wanted a copy of my cloud hosted-AutoPkg talk at at the Jamf Nation User Conference 2021 conference, here are links to the slides in PDF and Keynote format.
Using AutoPkg to create an installer package for SAP GUI
I’ve previously posted guides on how to manually package SAP GUI:
- Building an SAP GUI installer for macOS
- Packaging SAP GUI for macOS with Java 11 support
- Packaging a SAP GUI installer application for macOS
However it’s also possible to automate creating a SAP GUI installer package using AutoPkg. To do this, you’ll need the following:
- AutoPkg
- The SAP GUI recipes from the rtrouton-recipes repo
- The latest SAP GUI installer application’s disk image
- A SAP GUI templates.jar file (optional)
For more details, please see below the jump.
Installer package identifiers and the mystery of the missing Java 11 files
As part of developing new AutoPkg recipes to support SapMachine‘s new Long Term Support (LTS) distribution for Java 17, I ran into a curious problem when testing. When I ran the SapMachine Java 17 LTS installer that was being generated by AutoPkg, I was seeing the following behavior:
- SapMachine Java 17 LTS is installed by itself – no problem
- SapMachine Java 17 LTS installed, then SapMachine Java 11 LTS is installed – no problem
- SapMachine Java 11 LTS installed, then SapMachine Java 17 LTS is installed – SapMachine Java 11 LTS is removed, only SapMachine Java 17 LTS is installed now.
I double-checked the preinstall script for the SapMachine Java 17 LTS installer. It is supposed to remove an existing SapMachine Java 17 LTS installation with the same version info, but it should not have also been removing SapMachine Java 11 LTS. After a re-review of the script and additional testing, I was able to rule out the script as the problem. But what was causing this behavior? Also, why was it happening in this order?
- SapMachine Java 11 LTS installed, then SapMachine Java 17 LTS is installed
But not this order?
- SapMachine Java 17 LTS installed, then SapMachine Java 11 LTS is installed
The answer was in how the package’s package identifier was set up. For more details, please see below the jump.
Slides and video from the “AutoPkg in the Cloud” session at MacSysAdmin 2021
For those who wanted a copy of my cloud hosting for AutoPkg talk at at the MacSysAdmin 2021 conference, here are links to the slides in PDF and Keynote format.
The video of my session is available for download from here:
Enabling full disk access for SSH on macOS Big Sur using a management profile
When connecting via SSH to a remote Mac running macOS Big Sur, Apple’s user-level privacy controls apply. You can access data in the home folder of the account you’re using to connect, but you can’t access or alter protected data in other account’s home folders.
For most use cases, this is fine. However, there may be circumstances when full disk access for SSH connections is desired. To accommodate for this, Apple added an Allow full disk access for remote users checkbox in the Remote Login settings in System Preference’s Sharing preference pane.
This setting can normally only be enabled by the logged-in user sitting at that Mac. However, there is a way to manage this with a configuration profile. For more details, please see below the jump.
Setting up an ad-hoc TCP listener for connection testing using Python’s web service
I recently needed to set up a connection test so that an outside vendor could verify that firewall rules had been set up correctly on both ends and that a connection which originated at a specific IP address on the vendor’s end was able to resolve a DNS address on our end and make a connection.
I remembered that Python has a simple way to set up a web server, so I decided to use this to create a script which creates a connection listener by setting up a web server on the desired port. For more details, please see below the jump.
Setting up software deployment groups using a Jamf Pro Extension Attribute
When setting up software for deployment, it’s usually a good idea to first send it out to a small percentage of the Macs in your environment. That way, if there’s a problem that wasn’t caught in testing, the amount of cleanup required is also small. If that initial deployment works, the software can then be sent out to greater percentages of the Mac population until all of them are eventually covered by the deployment.
This can be a pain to track manually though. New Macs come in, older ones are retired and keeping all Macs covered can turn into a significant investment of time. Fortunately, this is a task which can be automated and enable the Macs to assign themselves to deployment groups based on their machine UUID identifier. For more details, please see below the jump.
Identifying an AWS RDS-hosted database by its tag information
Recently, I was working on a task where I wanted to set up an automated process to create manual database snapshots for a database hosted in Amazon’s RDS service. Normally this is a straightforward process because you can use the database’s unique identifier when requesting the database snapshot to be created.
However in this case, the database was being created as part of an Elastic Beanstalk configuration. This meant that there was the potential for the database in question to be removed from RDS and a new one set up, which meant a new unique identifier for the database I wanted to create manual database snapshots from.
The Elastic Beanstalk configuration does tag the database, using a Name tag specified in the Elastic Beanstalk configuration, so the answer seemed obvious: Use the tag information to identify the database. That way, even if the database identifier changed (because a new database had been created), the automated process could find the new database on its own and continue to make snapshots.
One hitch: Within the AWS API, RDS lists only the following three API calls to interact with tags.
ListTagsForResource would seem to be the answer, but the hitch there is that you have to have the database’s Amazon Resource Name (ARN) identifier available first and then use that to list the tags associated with the database:
aws rds add-tags-to-resource --resource-name arn:aws:rds:us-east-1:123456789102:db:dev-test-db-instance --tags Key=Name
I was coming at it from the other end – I wanted to use the tag information to find the database. RDS’s API doesn’t support that.
Fortunately, the RDS API is not the only way to read tags from an RDS database. For more details, please see below the jump.
Using the Jamf Pro API to report on which Macs are assigned to a particular person
Every so often, it may be necessary to generate a report from Jamf Pro on which computers are assigned to a particular person. To assist with this task, I’ve written a script which uses the Jamf Pro Classic API to search through the computer inventory records and generate a report in .tsv format.
For more details, please see below the jump.
Codesigning, untrusted certificate authorities and why certain apps aren’t launching
A number of folks noticed that certain older applications they use on macOS stopped working as of August 24th, 2021. As of this date, this appears to affect the following applications among others:
Note: This list is not complete, it’s just the ones I’m aware of as of August 24, 2021.
Why this is happening goes back to an episode in 2018, where Symantec had to get out of the PKI certificate issuing business because of a number of issues discovered with how Symantec had been issuing certificates.
As part of these issues, Apple issued an advisory that a number of Symantec Certificate Authority (CA) root certificates were to be distrusted by Apple on a timeline which concluded with the full distrust of Symantec CAs on February 25, 2020.
While this primarily affected website operators, Symantec also issued certificates from the affected Symantec CAs which were used to provide code signing for applications. An example of this is RSA SecurID Software Token 4.2.1.
Update 8-26-2021: RSA has released RSA SecurID Software Token 4.2.2 to resolve the issue with RSA SecurID Software Token 4.2.1. For more details, please see the link below:
In the case of SecureID, this app relies on Qt Core for user interface support and ships copies of the QT Core framework along with the SecureID app. SecurID stores this in the following location:
/Library/Frameworks/stauto32.framework
If you take a look at the installer, you can see where the files are supposed to go.
However, the actual file which is causing the issue is buried further down in the following location:
/Library/Frameworks/stauto32.framework/Versions/4/QtCore.cire
This file is important because the QT Core framework is shipped without Apple’s code signing, which is to say that QT is not using an Apple Developer ID signing certificate to sign QT Core. Instead, QT ships a code signing certificate chain and that information is stored in the QtCore.cire file.
One of the certificates in the code signing certificate chain is using VeriSign Class 3 Public Primary Certification Authority – G5 as its root certificate authority (root CA). That root CA is one of the Symantec CAs which is no longer trusted by Apple.
To summarize: the SecureID app has a component which is signed by a not-trusted certificate. This is causing SecureID to not trust that component, which then prevents the app from launching correctly.
Why is this happening now?
Apple released updates on August 23, 2021 for both XProtect (now version 2150) and Malware Removal Tool (now version 1.82). My assumption is that XProtect’s update included instructions to no longer accept code signing from the distrusted Symantec CAs. XProtect checks executable code on launch, so it would be working with Gatekeeper to detect and block the no-longer-trusted code signing.
What should you do?
See if your vendor has released an updated version of the app which is having problems. If they haven’t yet, I recommend contacting them to make sure they’re aware of the problem.
Hat tip to all the folks working on this issue in the MacAdmins Slack for helping diagnose the issue and why it is happening.
Recent Comments