Archive for October, 2013

FileVault 2 status scripts updated for Mavericks

October 27, 2013

I’ve updated the FileVault 2 status check scripts so that they’re now able to correctly handle Macs running Mavericks. The scripts should now report accurately on the FileVault 2 status of Macs running 10.7.x – 10.9.x.

The changes are now available as part of my regular script. They have also been rolled into both the Casper Extension Attribute and the Absolute Manage Custom Info Item scripts. Use them in good health and please let me know if you find any problems with them.

Keychain Minder on Mavericks

October 27, 2013

For those folks using Keychain Minder to help your users update their keychain passwords, it continues to work as of 10.9.0.

To show it in operation, I’ve made a short video.

Disabling the iCloud sign-in pop-up message on Lion and later

October 27, 2013 20 comments

Starting in 10.7.2, Apple set the iCloud sign-in to pop up on the first login.

10.7.5 iCloud pop-up message

10.8.5 iCloud pop-up message

10.9.0 iCloud pop-up message

Since having this appear may not be desirable in all Mac environments, it makes sense to be able to turn this off for new user accounts. As part of preparing for Mavericks in my own shop, I’ve developed a script that should disable the iCloud pop-up on 10.7.2 – 10.9.0. See below the jump for the details.

Mavericks desktop background picture settings moved from ~/Library/Preferences/com.apple.desktop.plist

October 26, 2013 29 comments

While I was preparing for Mavericks’ release, I ran across little details that had changed between Mountain Lion and Mavericks. One such detail is that the desktop background picture settings have moved.

In Mountain Lion, they were stored in the following location:

/Users/username/Library/Preferences/com.apple.desktop.plist

In Mavericks, the settings have been moved to a SQLite database at the following location:

/Users/username/Library/Application Support/Dock/desktoppicture.db

Removing desktoppicture.db causes the desktop picture to reset to whatever image is stored as /System/Library/CoreServices/DefaultDesktop.jpg

Fortunately, there are still ways to manage the desktop background picture if that’s needed. For the details, see below the jump.

Upgrading your FileVault 2 encrypted Mac to Mavericks

October 26, 2013 1 comment

One great thing about using FileVault 2 to encrypt your Mac is that Apple’s OS installers are aware of how to work with a FileVault 2-encrypted Mac. For example, you can upgrade from OS X 10.8.5 to OS X 10.9.0 on a FileVault 2-encrypted Mac using the same process that you would use on an unencrypted Mac.

Since this is a process that’s more easily shown than explained, I’ve made a three-minute video showing the process as I saw it.

Here’s the procedure I used:

  • Logged into my FileVault 2 encrypted Mac
  • Verified that I was on 10.8.5 and encrypted
  • Launched Install OS X Mavericks.app
  • Authenticated when requested
  • Selected my boot drive and let it proceed with the upgrade
  • The upgrade process restarted the Mac
  • After the upgrade process finished, the Mac restarted
  • The upgrade process finished
  • I clicked the buttons to skip the Apple ID setup
  • I then verified that I was now on 10.9.0 and still encrypted

Note: The video has been edited to artificially reduce the amount of time the installer takes to run. Run time of the pre-edited video was 50 minutes.

Did you notice that something was missing from this upgrade procedure?

I was never asked to log in at the FileVault 2 pre-boot login screen. Why?

During the upgrade process, an unlock key is being put into the SMC by the Mavericks installer to unlock the encrypted volume at boot. The reboot process then automatically clears the key from the SMC. This process is similar to how fdesetup authrestart works, except that the user is not being prompted to authorize it.

This behavior is convenient, but it’s something that the user should be asked specifically to authorize. As part of that, I’d previously filed a bug report with Apple at bugreport.apple.com about this behavior. If you want to also file a bug report on this, please reference the following bug ID when submitting your report:

14148042

I’ve got the details of my bug report posted at Open Radar:
http://openradar.appspot.com/radar?id=4931511514038272

Enabling users for FileVault 2 with a non-enabled admin user does not work in Mavericks

October 24, 2013 7 comments

Over the past few months, I’ve told hundreds of people the following information about fdesetup in Mountain Lion:

Once the Mac has been fully encrypted with FileVault 2, you can add additional users using fdesetup. To do so, you will need to provide both the username and password of either a previously enabled account or an admin account, as well as the password of the account you want to add.

There’s something that’s interesting to know about this method: the admin user in question does not themselves need to be enabled for FileVault 2. In my testing, I found that an admin user can authorize the enabling of other accounts even if the admin account wasn’t enabled. An admin account can also enable itself using this process, by being both the authorizing admin account and the account being enabled. This is similar to the System Preferences behavior, where an admin account could enable itself by logging in and clicking the lock in the FileVault preference pane.

Since a key has to be involved somewhere, I’ve got an inquiry open with Apple as to why this works but I haven’t heard back yet.

I’ve now heard back. See below the jump for the details.

Building a Grand Unified Xcode 5.0.1 installer for Mavericks and Mountain Lion

October 24, 2013 8 comments

Apple has released Xcode 5.0.1 through the Mac App Store for all Macs running 10.8.4 and higher. The command line tools can be installed separately through the Xcode preferences, in the Downloads section.

For my users who are developers, I wanted to include Xcode 5.0.1 in their new machine builds and also install the command line tools automatically without needing to enter an Apple ID. I also wanted to build this installer as a flat package, so I’m shifting from my previous method using Iceberg to using Packages to build the installer package. With a little help from the Mac App Store, I was able to do this. See below the jump for the details.

create_vmware_osx_install_dmg script updated with Mavericks support

October 23, 2013 7 comments

I’ve updated the create_vmware_osx_install_dmg.sh script that I had previously posted about here. The script now includes support for Mavericks, so the script can now be run on 10.7 – 10.9 to create custom OS X 10.7.x, 10.8.x and 10.9.x installers for VMware Fusion and VMware ESXi. See below the jump for the details.

Connections to Juniper Network Connect VPN failing in Safari 6.1 and Safari 7

October 23, 2013 52 comments

Along with Mavericks’ release today, Apple released Safari 7 (included with Mavericks) and Safari 6.1 for Mountain Lion. Both versions of the Safari browser are having issues connecting to my work’s VPN. When connecting to the VPN, it will try to install the Network Connect client software then fail with the following error:

An error occurred while extracting one of the Network Connect components

Mac OS X 10.6.8 and 10.7.5 do not have Safari 6.1 available as an update as of this time, so connecting to the VPN using Safari on those OSs should be unaffected.

I’ve verified that connecting to the VPN with Firefox 24 works for both 10.8.x and 10.9.x.

For now, it appears that using Firefox to connect to Juniper VPNs is going to be the workaround for this issue until we can get a fix from either Juniper or Apple. Google Chrome is a 32-bit browser, which prevents it from being able to work with Oracle’s 64-bit Java 7.

Based on what I’m seeing, it looks like Safari 6.1 and Safari 7 introduced a new sandbox for browser plug-ins, replacing the previous Java whitelist. At this time, it does not appear that Juniper’s software is able to work with this sandbox.

Managing Mavericks’ FileVault 2 with fdesetup

October 22, 2013 22 comments

With the release of OS X Mavericks, Apple has added additional features to fdesetup, a valuable command-line tool for enabling, administering and disabling Apple’s FileVault 2 encryption. This tool gives Mac administrators the following command-line abilities:

  • Enable or disable FileVault 2 encryption on a particular Mac
  • Use a personal recovery key, an institutional recovery key, or both kinds of recovery key
  • Enable one or multiple user accounts at the time of encryption
  • Get a list of FileVault 2-enabled users on a particular machine
  • Add additional users after FileVault has been enabled
  • Remove users from the list of FileVault enabled accounts
  • Add, change or remove individual and institutional recovery keys
  • Report which recovery keys are in use
  • Perform a one-time reboot that bypasses the FileVault pre-boot login
  • Report on the status of FileVault 2 encryption or decryption

I’ll be taking you through all of the capabilities mentioned above, with a focus on showing exactly how they work. See below the jump for the details.
