Archive for February, 2017

Providing access to Apple software updates from Jamf Pro’s Self Service

February 26, 2017

For shops that want to help their customers stay on top of Apple software updates without forcing those updates to be applied, there is a convenient URL that can be used:

macappstore://showUpdatesPage

When this URL is called from the command line using the open command, the following actions take place:

  1. The App Store application launches.
  2. The Updates page loads.
  3. The Mac automatically checks for Apple OS updates and updates for applications purchased through the Mac App Store (MAS).

The relevant command is shown below and can be run without root privileges:

open macappstore://showUpdatesPage

For folks using Jamf Pro (the management solution formerly known as Casper), this command can be leveraged to provide a way for customers to easily check for Apple and MAS software updates on their own schedule. For more details, see below the jump.


Using FileVault 2 recovery keys on FileVault 2-encrypted Macs to provide access for local admins

February 23, 2017 3 comments

It can be difficult to provide consistent access for Mac admins when using a local admin account on FileVault 2-encrypted Macs, due to the way password changes are handled for FileVault 2-enabled accounts. The reason for the difficulty is that FileVault 2’s encryption doesn’t care about passwords; it only cares about encryption keys.

When an account on a particular Mac is enabled for FileVault 2, the account’s password is used to generate a key which can be used to unlock the encrypted Core Storage volume that FileVault 2 sets up on the Mac. When the password for the enabled account gets changed, the password and its associated key are updated by first requesting the previous password (and its associated key) to authenticate the change to the new password and associated key.

Assuming that the old password is provided as part of the password change process, no problem. However, if the old password is not provided as part of the password change process, the new password does not get an associated key to unlock FileVault 2 because the old password’s key was not invoked to authorize the change to a new key. The result of this is that the new password can be used to log into the OS and provide whatever password authorization duties are needed for the OS, but you still need the account’s old password to log into the Mac at the FileVault 2 login screen.

The usual fix for this situation is to run the following commands with root privileges:

1. Remove the user from the list of FileVault 2-enabled accounts

fdesetup remove -user username_goes_here

Figure 25 Using fdesetup remove with username


2. Add the user back to the list of FileVault 2-enabled accounts

fdesetup add -usertoadd username_goes_here

Figure 21 Using fdesetup add usertoadd to enable additional accounts


When the account is re-enabled using the fdesetup add -usertoadd command, a new key is set up for the user and the passwords are back in sync. However, there are two drawbacks to this approach if a Mac admin wants to automate this:

  • You need to provide the password of the account being enabled in a non-encrypted format.
  • You need to provide either a recovery key or the password of another FV 2-enabled account on the Mac, also in a non-encrypted format.

In short, the passwords and/or recovery key used to remove and re-enable the account in question need to be provided “in the clear”, where anyone successfully intercepting the passwords will be able to read them.

Fortunately, for those Mac admins who have a way to capture and escrow FileVault 2 personal recovery keys, there is an alternative to enabling the local admin account. For more details, see below the jump.


Burning disk images to optical media in macOS Sierra

February 23, 2017 7 comments

As part of some work I was doing today, I needed to burn an .iso file to a CD. As I have in the past, I opened Disk Utility and looked for the icon for burning a disc only to discover that this option stopped being available as of OS X El Capitan. It is likewise not available in macOS Sierra’s Disk Utility application.

After doing some additional research, it looks like the ability to burn a disc image is now only available through the Finder or by using hdiutil. For more details, see below the jump.


Categories: Mac administration, macOS

Downloading older OS installers on incompatible hardware using VMs

February 21, 2017 4 comments

A lot of Mac admins need to test software in their environment against both the shipping version of macOS and older versions of OS X. However, getting older OS installers from the Mac App Store (MAS) can be problematic if the Mac you’re using isn’t able to run the older OS as its own operating system. If the Mac you’re using isn’t itself able to run the older OS, a request to download the OS installer from the MAS will result in an error message like the one shown below.

[Screenshot: Mac App Store error message]

If you’re in this situation, but also have VMware Fusion or a similar virtualization solution available, there is a way to download the desired older OS installer using a VM running the shipping version of macOS. For more details, see below the jump.


Categories: Mac OS X, macOS, VMware

Slides from the “Storing our digital lives: Mac filesystems from MFS to APFS” session at MacADUK 2017

February 8, 2017 1 comment

For those who wanted a copy of my filesystem talk at the MacADUK 2017 conference, here are links to the slides in PDF and Keynote format.

PDF – http://tinyurl.com/MacADUK2017pdf

Keynote – http://tinyurl.com/MacADUK2017key

Enabling debug logging for Microsoft AutoUpdate

February 3, 2017

As part of assisting a colleague with a customer today, I needed to figure out how to enable the debug logging for Microsoft AutoUpdate. For Mac admins with a similar need, please see below the jump for details.
