While I was out at MacIT last week, our Casper server sent me a notification that the “Check for failing hard drive” smart group had a member. Since that’s a club that nobody wants to be a part of, I forwarded the notification to the team at home to let them know. They were able to copy the user’s home folder data off to the server and left the box itself and its failing drive for me to take a look at when I got home.
Once I took a look, the SMART status report of Failing and the weird noises from the drive made me certain that it was only a few steps short of the Choir Eternal. However, I still wanted to see if I could get the maximum amount of data off of it before its final demise. Time for ddrescue.
Way back in 10.3.x, Apple submitted Mac OS X and Mac OS X Server to the National Information Assurance Partnership for Common Criteria certification. Common Criteria certification means that the the covered hardware and software has been tested and evaluated to make sure that it meets an established set of requirements for security and data protection. 10.3.6 and 10.3.6 Server were tested and were found to meet Evaluation Assurance Level 3 (EAL3) for Common Criteria certification.
As part of that certification effort, a new piece of software appeared from Apple: the Common Criteria Tools audit software. This software was OpenBSM, which is an open source implementation of Sun’s Basic Security Module (BSM) security audit API and file format. From 10.3.x – 10.5.x, this software needed to be installed and configured separately. As of 10.6.x and 10.7.x, it’s installed along with the OS. In fact, if you’re running 10.6.x and 10.7.x or their Server equivalents, it’s running now on your box unless you went in and turned it off. If you’re interested in learning more, see below the jump.
Thank you to all the folks who turned out early on a Saturday morning to hear Mike Boylan and myself give our modular OS deployment session. I was very surprised and gratified that it turned out to be a standing room-only session.
For those who attended and want a reference copy, I’ve posted our slides here in PDF format.
One of my users ran into an unusual display issue in Outlook 2011, where emails with attachments will sometimes not be displayed in the reading window.
These messages will show up with the paper clip icon that indicates that there’s an attachment (indicated by the red square in the picture below.)
When opened, the message will not show the attachment line
(Note: the recipients have been redacted from the screenshot below.)
I have not found a fix for this issue, but I’ve found a workaround that allows access to the attachment. See below the jump for the procedure
I was asked by one of our users today how to attach files to a meeting invitation in Outlook 2011. After some research, here’s how you do it:
1. Set up a new meeting invitation in Outlook 2011.
2. Once the meeting invite opens up, drag your file you want to attach into the blank gray area to the right of Duration.
Your attachment will then appear in a newly-appearing attachment line below the start and end time for the meeting.
Interestingly enough, you can’t add files to Outlook 2011 appointments. If you need to add a file attachment to an appointment, click the Invite button in your Appointment window.
The appointment will then turn into a meeting invite and allow you to attach files. Invite your own email address and hit the Send button to add the event to your calendar.
In addition to using FileVault 2 to encrypt your boot partition, it’s possible to encrypt your non-boot storage on 10.7 using the same CoreStorage-based encryption. Apple provided a way to do this via Disk Utility, where you would need to erase the drive and have the new volume be set up as an encrypted volume.
It is also possible to encrypt the drive without erasing it first from the command line. This allows your existing data to stay on your drive while the drive is being encrypted. See below the jump for the procedure.
In a number of Mac environments, it’s advantageous for Mac admins to hide the IT administrator account so that it can’t be deleted or altered by other users on those Macs. In other cases, like Jamf’s Casper, the system management tool needs an account in order to do its work. In both cases, hiding the affected account and its associated home folder is a good strategy to keep unwanted attention from noticing the account.
One way you can hide the account is to create it using a UID that’s lower than 500. Apple uses UIDs of 501 and higher for its accounts. UIDs of 500 and lower are assumed to be system-only accounts and should not show up at either the login window or in the Accounts or Users & Groups listing in System Preferences.
The downside to this is that these hidden accounts may not be migrated when upgrading your Mac to a new OS, which may leave you without your usual administrator account following the upgrade. I first noticed this with 10.7.x, but I’ve heard that it also affects hidden accounts when migrating from 10.5.x to 10.6.x.
How can you tell if your hidden account will be migrated? Here’s what works and doesn’t as of Mac OS X 10.7.x:
Note: In the description below, Visible refers to a user account that shows up and is editable in the Accounts or Users & Groups listing in System Preferences. Hidden refers to an account with a UID that’s lower than 500.
Visible user account, where the home folder is stored in /Users
Hidden user account, where the home folder is stored in /Users
Visible user account, where the home folder is stored somewhere other than /Users
Does not successfully migrate:
Hidden user account, where the home folder is stored somewhere other than /Users
If you have a hidden user account with a home folder stored outside of /Users, there’s a couple of solutions that you may be able to leverage as part of the upgrade process to get those hidden admin accounts back.
1. If you’re upgrading to 10.7.x, use CreateLionUser to build installer packages that recreate your hidden user accounts following the upgrade. These installer packages should be incorporated into your upgrade workflow and set to run after the main 10.7 upgrade process has finished.
2. If the hidden user is needed by your system management tool, check to see if the needed user is created by the agent installer. If it is, then re-running the agent installer should put back the needed hidden user account.