Archive for May, 2012

Penn State MacAdmins 2012 sessions now on YouTube

May 29, 2012

Thanks to the tireless efforts of the Penn State MacAdmin conference folks (Dave Test in particular), the session videos for Penn State MacAdmins 2012 are now online!

If you want to watch the sessions, they are available from here. My FileVault 2 session is available here: http://www.youtube.com/watch?v=rw7fcJcmInI

I take full responsibility for the sub-par audio in the first ten minutes of the FileVault 2 session video. I had forgotten to turn on my lapel mike, so what you’re hearing is from the ceiling mikes. After a bit, I noticed, turned the mike on, and the sound gets noticeably better.

Using Internet Apple Hardware Test

May 25, 2012

One of the new features that appeared with Macs that shipped with Lion was Apple’s Internet Recovery. If you encounter a situation in which you cannot start from the Recovery HD, such as where the internal hard drive has failed or when you’ve installed a new disk without an OS on it, Mac models that were released after July 2011 can use Internet Recovery. Internet Recovery lets you start your Mac directly from Apple’s servers using a NetBoot-like process and gives you the same functionality as Recovery HD does.

Apple also made Apple Hardware Test (AHT) available in a similar fashion. Apple now ships most Macs with a hidden AHT partition, which allows you to hold down the D key at startup to boot your Mac using the AHT partition. From there, you can use the available tool to (hopefully) diagnose hardware problems on your Mac. However, if the AHT partition is not available and you have an internet connection, you can use Internet Apple Hardware Test. See below the jump for the details.

Update – May 26: The AHT partition is actually mounted from a disk image stored in the factory-supplied Recovery HD partition. If the factory-supplied Recovery HD partition is removed, or replaced by another Recovery HD (either by using the Mac App Store’s Lion installer or by other means), the AHT disk image is gone and there is no way I’m aware of to bring it back or rebuild it.


10.7.4 login window changes for FileVault 2-enabled mobile users

May 24, 2012

FileVault 2 has a nifty invisible password update procedure for its enabled accounts (i.e. the accounts that show up at the pre-boot login screen). If you change your account’s password, the OS will automatically and invisibly update your FileVault 2 pre-boot login. This helps ensure that your account is consistently using the same password across the board.

However, there was a problem in 10.7.3. If your FileVault 2-enabled account was an Active Directory or Open Directory mobile account (where your password is being managed by the AD or OD directory service), it’s possible to change your password for your account without your Mac’s OS being aware of it. For example, many worksites have a policy that you must change your password every so many days and also provide a website where you can change your password. If your encrypted Mac was offline at the time, it may not receive that password change until the next time you started up.

What could happen in this case is the following:

1. Your account’s password gets changed outside the Mac.

2. You boot your encrypted Mac.

3. The pre-boot login screen would accept your old password.

4. The OS boots, contacts the directory service and finds out about the new password.

5. Your old password doesn’t match the new password.

6. The OS doesn’t allow the login process to complete.

To your users, it would appear that the login process gets stuck and they are not passed on through to their desktop like they’re supposed to be.

The video below shows what happens in 10.7.3 in this scenario:

The workaround was to log in with another authorized account at the pre-boot login screen. The user would then log out to the regular login window, then log in to their account with the new password. The login would succeed, which would in turn update the FileVault 2 pre-boot login to use the new password.

In 10.7.4, this behavior has been addressed with the following updated login process:

1. Your account’s password gets changed outside the Mac.

2. You boot your encrypted Mac.

3. The pre-boot login screen would accept your old password.

4. Next, you get the regular login window and type your account’s new password there. That will allow the login process to complete and also update the FileVault 2 pre-boot login to use the new password.

5. After that, you should get the option to allow you to update your login keychain’s password (just like a regular login where the password is changed.) Once done, your keychain should be using your new password as well.

The video below shows what happens in 10.7.4 in this scenario:

Checking Macs for the Microsoft Office 2011 Jackpot Vulnerability using Casper

May 21, 2012

As mentioned previously, the Office 2011 SP 2 14.2.0 volume licensed installer does something bad: it makes the /Applications/Microsoft Office 2011 folder and all of the enclosed files and applications readable and writable by all users on the system. This is otherwise known as setting world-writable permissions.

To help with the task of identifying which Macs are affected by this issue, I’ve written a Casper Extension Attribute and posted it on my GitHub repo. The Extension Attribute is available here.
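As an added example (mine, not the Extension Attribute on GitHub), a script that counts world-writable entries under the Office 2011 folder and reports in the <result></result> form Casper Extension Attributes use; the fixture builder at the end is a constructed stand-in for testing on a machine without Office installed:

```shell
#!/bin/sh
# Added example, not the Extension Attribute from the post: count entries
# under the Office 2011 folder whose mode includes world-write (o+w) and
# report in the <result></result> form that Casper Extension Attributes expect.

OFFICE_DIR="/Applications/Microsoft Office 2011"

# Number of items under $1 with the other-write bit set
# (-perm -002 works with both BSD and GNU find).
count_world_writable() {
    /usr/bin/find "$1" -perm -002 2>/dev/null | /usr/bin/wc -l | /usr/bin/tr -d ' '
}

# Prints a Casper-style result line; returns 1 when the folder is affected.
report() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "<result>Not installed</result>"
        return 0
    fi
    n=$(count_world_writable "$dir")
    if [ "$n" -gt 0 ]; then
        echo "<result>Affected: $n world-writable items</result>"
        return 1
    fi
    echo "<result>OK</result>"
}

# Constructed fixture for a Mac or Linux box without Office: a throwaway
# tree with one 777 file, mimicking what the SP2 installer leaves behind.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir "$tmp/Office"
    touch "$tmp/Office/good.txt" "$tmp/Office/bad.txt"
    chmod 755 "$tmp/Office" "$tmp/Office/good.txt"
    chmod 777 "$tmp/Office/bad.txt"
    echo "$tmp/Office"
}

report "$OFFICE_DIR"
```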

Fixing permissions after installing the Office 2011 SP 2 14.2.0 full installer

May 19, 2012

Dave Castelletti found recently that the Office 2011 SP 2 14.2.0 volume licensed installer does something both dangerous and dumb: it makes the /Applications/Microsoft Office 2011 folder and all of the enclosed files and applications readable and writable by all users on the system. This is otherwise known as setting world-writable permissions.

Why is this bad?

The short version is that, since everything in the folder is ultimately owned by the root user, it can lead to programs running with root permissions which shouldn’t be. The worst case I can think of is if a user modifies a program or script inside that directory (which any user can do because of the world-writable permissions), but root does not know about the changes and runs the application with root privileges. Depending on what that change is, all sorts of Bad Things could result.

In summary, world-writable Office 2011 folder and apps = possible bad day for a sysadmin.

Going by the permissions used by previous Office installations, the permissions should look like this:

Owner: system (aka root): read/write/execute permissions

Group: admin: read/write/execute permissions

Everyone else: read/execute permissions


When installed by the Office 2011 SP 2 14.2.0 installer, the permissions look like this:

Owner: system (aka root): read/write/execute permissions

Group: wheel: read/write/execute permissions

Everyone else: read/write/execute permissions


I’ve written a script that should find and fix the incorrect group and world-writable permissions and set them to the following permissions:

Owner: system (aka root): read/write/execute permissions

Group: admin: read/write/execute permissions

Everyone: read/execute permissions

This script needs to be run with root privileges and may take a couple of minutes to execute. I’ve also built a script-only installer package for this, to help folks who want to automate running this.


#!/bin/sh

# Repair the group and mode on the Office 2011 folder and everything inside it.
# Must be run as root; walking the whole tree can take a couple of minutes.
OFFICE="/Applications/Microsoft Office 2011"

if [ -d "$OFFICE" ]; then
   # Top-level folder: owner root, group admin, mode rwxrwxr-x
   /usr/sbin/chown root:admin "$OFFICE"
   /bin/chmod 775 "$OFFICE"
   # Anything inside that is not already group admin becomes root:admin
   /usr/bin/find "$OFFICE" ! -group admin -exec /usr/sbin/chown root:admin {} \;
   # Anything inside whose mode is not exactly 775 (including world-writable 777) is reset to 775
   /usr/bin/find "$OFFICE" ! -perm 775 -exec /bin/chmod 775 {} \;
fi

Both the script and installer package are available here on my GitHub repo.

Making VMware View’s right-click work on a trackpad

May 18, 2012

In the current VMware View 5 client, there is not a setting to enable right-click functionality. Instead, the client relies on the Mac’s settings to set what is a “right click”.

For Mac desktops, this should be pretty straightforward with an external mouse. On a Mac laptop with a trackpad, you need to make sure that the Secondary Click option is turned on in the Trackpad preference pane. Secondary Click allows you to right-click by clicking on the trackpad with two side-by-side fingers.

To verify that the Secondary Click option is enabled, use the following procedure:

1. Open System Preferences

2. Click on Trackpad


3. Click on the Point & Click tab and verify that Secondary Click is checked. If not checked, click on the checkbox to enable it.


10.7.4 command line installer tool can now install installer packages with expired certificates

May 17, 2012

One of the unpleasant surprises that popped up in March 2012 was that the certificate that Apple embedded in various Apple software installers expired. When using Installer.app, people started getting warnings about the certificate being invalid but were given the option of installing the package anyway.

However, the command line installer tool did not have the option of “certificate invalid, install anyway”. Instead, installations run with the installer tool failed when the installers were signed with expired certificates. This affected all scripts and system management tools that used Apple’s installer tool via the command line to install packages.

Fortunately, as part of the release of Mac OS X 10.7.4 in May 2012, Apple has now released a fix for this by including this new flag among installer’s various functions.


-allowUntrusted
Allow install of a package signed by an untrusted (or expired) certificate.

The new function worked as advertised when I used it with installer to install an iLife ’11 installer which had expired certificates. Here’s the command I used (-dumplog and -verbose were also included to give me maximum logging to /var/log/install.log):


sudo installer -dumplog -verbose -allowUntrusted -pkg "path/to/iLife.pkg" -target /

Creating an updated Office 2011 SP 2 installer

May 9, 2012

I’ve been working on getting Office 2011 SP 2 added to my work’s Casper Self Service, but I was hitting a problem. When I tried putting Microsoft’s unmodified Office 2011 SP 2 installer into Self Service and then installing it, the policy was failing. I didn’t want to repackage with Composer, as I’m generally a believer in using the standard installer whenever possible. Fortunately, after mulling it over for a bit, I realized that I had already solved this problem. As an added bonus, I should be able to include the latest Office updates and thus be able to deploy a fully up-to-date Office 2011 SP 2 installer. See below the jump for the details.


Slides from the FileVault 2 Decoded Session at Penn State MacAdmins Conference 2012

For those who wanted a copy of my FileVault 2 Decoded session slides from Penn State’s MacAdmins Conference 2012, here are links to the slides in PDF and Keynote format.

PDF document link:

http://tinyurl.com/MacAdmin2012PDF

Keynote slides link:

http://tinyurl.com/MacAdmin2012key