Apple released a new white paper this week, dealing with best practices for deploying FileVault 2. The white paper covers FileVault 2 on Lion, so there’s no information covering fdesetup, but it provides a ton of detail that’s relevant for FileVault 2 on both 10.7.x and 10.8.x. For me, Appendix B of this paper was particularly interesting because it provides details of the process that happens between the user hitting the power button and getting access to their desktop.
If you’re planning a FileVault 2 rollout, or you want to get a really good look on what’s going on under FileVault 2’s hood, I recommend checking it out.
One of the mysteries of the fdesetup man page has been the Certificate key of the INPUT PROPERTY LIST example.
The function seemed clear enough; you could populate that key with the institutional recovery key’s public key. The problem was how to properly export the certificate into a text format and get it into that plist key. That part did not seem to be documented anywhere that I could find. After doing some asking around with our Apple SE, see below the jump for a way to get that certificate information into this plist key.
One of the tools that Apple included with Lion and Mountain Lion is the command-line tool pkgbuild. This tool was designed to work by itself or in conjunction with another tool, productbuild, to build Apple installer packages.
pkgbuild has a number of options associated with it (see the man page for details on the available options) and the --nopayload option makes it very useful for building payload-free packages. This option tells pkgbuild that the package being built will be a payload-free package that contains only scripts. See below the jump for an example process.
With 10.8, Apple introduced Gatekeeper as a way to allow users to define which sources they would trust for downloading applications. This functionality was also available in 10.7.x, but not turned on by default.
By default, Gatekeeper allows applications downloaded from the Mac App Store and applications signed by certified Apple developers to be launched. This restriction also applies to application installers. If a downloaded installer package is not signed with an Apple developer certificate, Gatekeeper treats it as an unknown installer and does not allow it to launch without being manually overridden.
As part of supporting OS X 10.8, Casper 8.6 includes the ability to sign Casper QuickAdd agent installer packages. If you need to have signed QuickAdd packages for your own Casper environment, see below the jump for how to obtain the needed certificates.
I’ll be speaking at MacTech Conference 2012, which runs October 17th – 19th in Los Angeles. I’ll be talking about providing security in a BYOD environment and how BYOD can be leveraged to make everyone happy, even the IT department.
One issue that’s come up in the wake of Mat Honan’s troubles has been how Apple has built easy ways to associate your Apple ID with your account on your Mac. One of those associations is an option to use your Apple ID’s credentials to reset your account password on your Mac.
I personally don’t want to have my Apple ID associated with my account on my Macs (especially since I can still set up all the iCloudiness I want using iTunes and the iCloud preference pane), so I don’t set that up. See below the jump for how to avoid associating your Mac’s account with your Apple ID and also how to remove an existing Apple ID from your account entry in System Preference’s Users & Groups preference pane.
We saw an odd issue pop up in our shop (and others) today. In our case, one of our users just could not connect to one of our file servers using SMB. Others reported seeing the same issue with AFP.
The unexpected answer was that it was related to Apple’s now-offline iDisk service. Apple has now shut down the MobileMe servers as part of the migration to iCloud, but if certain MobileMe-related settings are in ~/Library/Preferences/.GlobalPreferences.plist, Connect to Server also does a lookup for the now-offline iDisk servers in addition to the server you’re trying to connect to. Even though the iDisk service is now offline and unresolvable, the Mac will keep trying to resolve it until it times out.
The result from the user’s perspective: “I can’t connect to the server.”
The fix is to open the Terminal and run the commands below to delete the iToolsMember and iToolsMemberDomain keys from ~/Library/Preferences/.GlobalPreferences.plist:
defaults delete -g iToolsMember
defaults delete -g iToolsMemberDomain
Once those commands have been run, connecting to your servers should start working again.
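If you manage more than a handful of Macs, it helps to find the affected users before they call. The following is an added example (my own code, not from the original post) that audits a home directory’s .GlobalPreferences.plist for the two stale MobileMe keys and emits exactly the defaults delete commands above; the function names and the sample plist contents are constructed for illustration.

```python
# Added example (not from the original post): audit a user's
# ~/Library/Preferences/.GlobalPreferences.plist for the stale MobileMe keys
# the post describes, and emit the matching "defaults delete -g" commands.
import plistlib
from pathlib import Path

# Keys the post identifies as triggering the lookup of the offline iDisk servers.
STALE_MOBILEME_KEYS = ("iToolsMember", "iToolsMemberDomain")


def find_stale_idisk_keys(plist_bytes: bytes) -> list:
    """Return the stale MobileMe keys present in a serialized plist.

    Accepts either the binary or the XML plist format, since either
    may be what is on disk.
    """
    prefs = plistlib.loads(plist_bytes)
    return [k for k in STALE_MOBILEME_KEYS if k in prefs]


def remediation_commands(keys) -> list:
    """Build the 'defaults delete -g <key>' command from the post for each key.

    Removing the keys through defaults, as the post does, rather than
    rewriting the plist file by hand keeps the preferences cache in sync.
    """
    return [f"defaults delete -g {key}" for key in keys]


def audit_home(home) -> list:
    """Audit one home directory; returns the commands needed (empty if clean)."""
    plist_path = Path(home) / "Library" / "Preferences" / ".GlobalPreferences.plist"
    if not plist_path.is_file():
        return []
    return remediation_commands(find_stale_idisk_keys(plist_path.read_bytes()))


# Constructed samples: a binary .GlobalPreferences.plist carrying the stale
# keys next to an unrelated key that must be left alone, and a clean one.
SAMPLE_PREFS = plistlib.dumps(
    {"AppleLocale": "en_US",
     "iToolsMember": "someuser",          # constructed value
     "iToolsMemberDomain": "example.com"},  # constructed value
    fmt=plistlib.FMT_BINARY,
)
CLEAN_PREFS = plistlib.dumps({"AppleLocale": "en_US"}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for cmd in remediation_commands(find_stale_idisk_keys(SAMPLE_PREFS)):
        print(cmd)
```

Run it per home directory (for example via audit_home on each entry under /Users) to collect the commands, then execute them as the affected user.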