2011 in review

The WordPress.com stats helper monkeys prepared a 2011 annual report for Der Flounder.

Here’s an excerpt:

The concert hall at the Syndey Opera House holds 2,700 people. This blog was viewed about 50,000 times in 2011. If it were a concert at Sydney Opera House, it would take about 19 sold-out performances for that many people to see it.

Click here to see the complete report.

Clearing the font cache to fix an Outlook 2011 hanging problem

I had an issue today where Outlook 2011 was giving the spinning beachball right after opening. When I looked at the process list in Activity Monitor, I saw that the Microsoft Database Daemon process was using over 50% of CPU and sometimes going as high as 80% while the beachball was spinning. I also noticed that the fontd process was occasionally popping up to the top of the list of active processes, then going back to normal processor usage. After fifteen minutes, the spinning beachball went away and Outlook started behaving normally.

Since the fontd process had caught my attention, I decided to go with a sudden hunch and cleared the font cache system-wide. After that, I logged out of the user’s account and had them log back in. This time, Outlook opened right away. No beachball and no heavy Microsoft Database Daemon CPU usage. Based on that, Outlook was having some issues with something buried in the font cache and forcing a rebuild fixed the issue. In case someone else has a similar issue, here’s the commands I ran:

sudo atsutil databases -remove

(removes all user and system font caches)

sudo atsutil server -shutdown

(stops the Apple Type Services service that manages the font caches)

sudo atsutil server -ping

(restarts the Apple Type Services service)

I’ve also posted a script for automating the font clearing and ATS stop/restart on my GitHub repo. It’s available here.

Checking which accounts on a Mac have administrator rights

Something a number of Mac admins need to know about the Macs in their environment is being able to detect which accounts have admin rights on a particular Mac. This can be particularly important not just in secured networks, but also in schools. Savvy users can be inventive about finding ways to grant themselves admin rights, so admins need to be just as savvy about identifying which accounts have admin rights and shouldn’t.

To help with the task of identifying which accounts have admin rights, I found that Ryan Manly had posted a script-based Extension Attribute for use with Casper to detect which accounts had admin rights on a particular Mac. For those who need it, I’ve posted the Extension Attribute to my own GitHub repo as well as modifying it for use as an Absolute Manage Custom Information Item or as a generic standalone script.

Monitoring the Casper JSS Tomcat on Red Hat Linux

In my Casper setup, Casper’s JSS depends on a Jamf-installed Tomcat 7 installation on both my Casper production and Casper test servers, both of which are hosted on Red Hat Enterprise Linux 6.x VM servers.

To make sure that Tomcat is restarted automatically in case of a problem, a set of scripts has been installed with an accompanying crontab entry to check Tomcat to make sure it’s running. If not, an email with diagnostic information is sent then Tomcat is restarted. See below the jump for the scripts and the root crontab entry I’m using.

Read more…

Repackaging Matlab 2011b with Composer

Since starting to use Casper at my workplace, I’ve wanted to be able to provide a unlicensed Matlab installer via Self Service. The reason I wanted it unlicensed is because, while we have a Matlab network license server, it has a very limited license pool. Instead, most of our labs purchase standalone licenses and register them to the person using it.

However, a showstopper issue I’ve run into has been that Matlab needs to have a license entered as part of the installation process. After some trial and error, I was able to figure out a way to use Jamf Software’s Composer build a Self Service-deployable installer that uses our network license and also an unlicensed installer. See below the jump for the details.

Read more…

NetBooting across subnets

Being able to NetBoot from a server that’s not located on the same subnet as the Mac you’re working on can be an invaluable tool for a Mac admin. I use NetBoot all the time at my shop, both to boot new machines for setup by DeployStudio and also to boot ailing machines from NetBoot-hosted utility disks.

In my case, our network team configured our network infrastructure in order to allow my machines to NetBoot from a server located on a different subnet (in my case, the server’s located in our main datacenter.) However, not everyone has that option available. If you’re one of those folks, here’s the commands you can use to configure your Mac to boot from a specific NetBoot server located outside of the local network.

Short version:


sudo bless --netboot --server bsdp://ip.address.here


This command should (hopefully) tell your Mac to boot from the default NetBoot set available from that NetBoot server.

Long version (should all be one line):


sudo bless --netboot --booter tftp://ip.address.here/NetBoot/NetBootSP0/NetBoot-Set-Name-Here.nbi/i386/booter --kernel tftp://ip.address.here/NetBoot/NetBootSP0/NetBoot-Set-Name-Here.nbi/i386/mach.macosx --kernelcache tftp://ip.address.here/NetBoot/NetBootSP0/NetBoot-Set-Name-Here.nbi/i386/x86_64/kernelcache --options "rp=nfs:ip.address.here:/private/tftpboot/NetBoot/NetBootSP0:NetBoot-Set-Name-Here.nbi/NetInstall.sparseimage"


This should work if the previous command did not, though you’ll need to know the specific NetBoot set’s name.

Hat tip to @gmarnin for posting this and also to @natewalck for helping figure it out.

Making the Contact Group option available in Outlook 2011’s Contacts

One of my users sent in a ticket today asking why the Contact Group option in the Contacts window was grayed out in Outlook 2011. After some googling and testing, I found that the On My Computer folders need to be visible in order for this button to be active. If you need to create contact groups in Outlook 2011, here’s how you do it:

In the Outlook 2011 Preferences, the Hide On My Computer folders option needs to be unchecked. Once that’s done, the option to add a Contact Group should become available in the Contacts window.

Disabling the Hide On My Computer folders option

1. Click on the Outlook menu in the menu bar.
2. Select Preferences…
3. Once the Outlook Preferences window opens, click the General icon.
4. In the General window, uncheck the box next to Hide On My Computer folders.
5. Close the Preferences window.

This information is also available in the Outlook 2011 help files. To find it, go to the Help menu in Outlook 2011 and search for Create a contact group. The directions should be in the If Contact Group is not available section.

Auto-populating the Location info in the Casper JSS inventory

In the past year, my worksite began using Jamf Software‘s Casper Suite system management tool to manage our Macs. One of the great things about it is that it automatically pulls a ton of information about the managed machines. However, it wasn’t set up to automatically show me who was using a particular machine. There’s a Location category, where you can manually query your Active Directory or LDAP directory service and set who’s associated with which machine. However, the fact that the process was manual almost guaranteed it would be out-of-date within a fairly short period of time. As a workaround, I set up an Extension Attribute that showed me who was the last reported user, but I wasn’t really happy with it. I had also set up the Building attribute to automatically update by setting the Building value to correspond to particular IP subnets.

There the situation stayed for a few months. I wasn’t particularly happy, but not unhappy enough to go through and update manually. Fortunately, a thread appeared on the Casper mailing list about this particular topic. After taking a look at the various scripts that were posted in response, I was able to adapt my own from the one that Ben Toms shared. It’s using dscl to query the AD plug-in on my Macs to get information on the currently logged-in user.

From there, I uploaded the script to my JSS and set up a policy to run it once a day.

Final result? I was able to go from this:

To this (some information redacted):

Muuuch better. For those who want the script, I have it posted here on my GitHub repo.