Archive

Archive for November, 2017

Security Update 2017-001 being pushed to both macOS 10.13.0 and 10.13.1

November 30, 2017 4 comments

To fix the vulnerability popularly referred to as #IAMROOT , Apple has begun pushing Security Update 2017-001 to Macs running the following OS versions:

  • macOS 10.13.0
  • macOS 10.13.1

This update is being deployed using the same automated installation mechanism that Apple previously used to deploy OS X NTP Security Update 1.0 back in 2014, where Security Update 2017-001 is being silently downloaded and installed on vulnerable Macs.

Screen Shot 2017 11 30 at 2 08 59 PM

For more details, please see below the jump.

Read more…

Categories: Mac administration, macOS

Blocking logins to the root account on macOS High Sierra

November 28, 2017 7 comments

A security vulnerability was discovered in macOS High Sierra today, where you could enable and log into the root account without providing a password.


Update 11-29-2017: Apple has released Security Update 2017-001 to fix this issue. Please install this update as soon as possible.



Update 11-30-2017: Apple is now automatically installing Security Update 2017-001 on vulnerable Macs.


To address this this issue until Apple releases an update to fix it, there’s two steps you can take which will block logins to the root account:

  1. Set a password for the root account on your Mac
  2. Change the root’s account’s login shell to /usr/bin/false

When you set the root account’s login shell to /usr/bin/false, the shell is changed to point to a command that does nothing except return a status code which reports an error. The login process will interpret that error status code as being a failed login, so it will stop the login process at that point and prompt for the password again.

Since the login process will always receive the error code from the false command, the login process will never succeed. For more details, see below the jump.

Read more…

Categories: Mac administration, macOS

First Boot Package Install Generator.app now adds product identifier tags to its packages

November 22, 2017 Leave a comment

As a follow-up to Greg Neagle’s discovery that product identifiers are now needed to ensure best results when adding additional packages to macOS High Sierra OS installers, I’ve updated First Boot Package Installer Generator.app to add product identifiers by default to the firstboot packages created by this tool.

The product identifier values will be the user-selected Package Identifier followed by the Version Identifier.

Screen Shot 2017 11 21 at 2 21 13 PM

Screen Shot 2017 11 21 at 2 21 19 PM

These values will appear in the firstboot package’s distribution file as shown below:

Screen Shot 2017 11 21 at 2 22 03 PM

For those who need this capability, an installer for First Boot Package Install Generator.app 1.7 can be downloaded via the link below:

https://github.com/rtrouton/First_Boot_Package_Install_Generator/releases/tag/1.7

Enabling Touch ID authorization for sudo on macOS High Sierra

November 17, 2017 10 comments

My colleague @mikeymikey brought this tweet by Cabel Sasser to my attention yesterday:

I have a Touch ID-enabled MacBook Pro and use sudo frequently, so I’ve implemented this on my own laptop. For more details, see below the jump.

Read more…

Categories: Mac administration, macOS, Unix

APFS encryption status check script

November 13, 2017 3 comments

As part of working Apple File System, I’ve developed a script which is designed to check and report the status of encrypted Apple File System (APFS) drives. Currently, here’s what the script is detecting and reporting:

It first checks to see if a Mac is running 10.13.x or higher. If the Mac is question is running 10.13.x or higher, the script reports if it is using encryption on an APFS drive and gives the encryption or decryption status.

If encrypted, the following message is displayed:

FileVault is On.

Screen Shot 2017 11 12 at 8 38 08 PM

 

If not encrypted, the following message is displayed:

FileVault is Off.

Screen Shot 2017 11 12 at 8 43 07 PM

If encrypting, the following message is displayed:

Encryption in progress:

How much has been encrypted is also displayed.

Screen Shot 2017 11 12 at 8 08 30 PM

 

If decrypting, the following message is displayed without quotes:

Decryption in progress:

How much has been decrypted is also displayed.

Screen Shot 2017 11 12 at 8 38 48 PM

 

 

 

If run on a drive which is not using APFS, the following message is displayed:

Unable to display encryption status for filesystems other than APFS.

Screen Shot 2017 11 12 at 8 44 11 PM

 

The script is available below and here on my GitHub repository:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/check_apfs_encryption

I’ve also built a Jamf Pro Extension Attribute:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Extension_Attributes/check_apfs_encryption

#!/bin/bash
osvers_major=$(sw_vers -productVersion | awk -F. '{print $1}')
osvers_minor=$(sw_vers -productVersion | awk -F. '{print $2}')
ERROR=0
# Checks to see if the OS on the Mac is 10.x.x. If it is not, the
# following message is displayed without quotes:
#
# "Unknown Version Of macOS"
if [[ ${osvers_major} -ne 10 ]]; then
echo "Unknown Version Of macOS"
fi
# Checks to see if the OS on the Mac is 10.13 or higher.
# If it is not, the following message is displayed without quotes:
#
# "APFS Encryption Not Available For This Version Of macOS"
if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -lt 13 ]]; then
echo "APFS Encryption Not Available For This Version Of macOS"
fi
if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 13 ]]; then
# If the OS on the Mac is 10.13 or higher, check to see if the
# boot drive is formatted with APFS or HFS+
boot_filesystem_check=$(/usr/sbin/diskutil info / | awk '/Type \(Bundle\)/ {print $3}')
# If the drive is formatted with APFS, the fdesetup tool will
# be available and is able to display the encryption status.
if [[ "$boot_filesystem_check" = "apfs" ]]; then
# If encrypted, the following message is
# displayed without quotes:
# "FileVault is On."
#
# If encrypting, the following message is
# displayed without quotes:
# "Encryption in progress:"
# How much has been encrypted of of the total
# amount of space is also displayed.
#
# If decrypting, the following message is
# displayed without quotes:
# "Decryption in progress:"
# How much has been decrypted of of the total
# amount of space is also displayed
#
# If not encrypted, the following message is
# displayed without quotes:
# "FileVault is Off."
ENCRYPTSTATUS=$(fdesetup status | xargs)
if [[ -z $(echo "$ENCRYPTSTATUS" | awk '/Encryption | Decryption/') ]]; then
ENCRYPTSTATUS=$(fdesetup status | head -1)
echo "$ENCRYPTSTATUS"
else
ENCRYPTSTATUS=$(fdesetup status | tail -1)
echo "$ENCRYPTSTATUS"
fi
else
echo "Unable to display encryption status for filesystems other than APFS."
fi
fi
exit $ERROR

view raw
gistfile1.txt
hosted with ❤ by GitHub

Downloading macOS Sierra from the Mac App Store

November 10, 2017 3 comments

Now that macOS High Sierra has been released, it’s become more difficult to access the macOS Sierra installer in the Mac App Store (MAS) for those who still need it.

Previous versions of OS X and Mac OS X which were purchased by an Apple ID will appear in the MAS’s Purchased list for that Apple ID, but macOS Sierra is an exception because it did not need to be purchased using an Apple ID.

Screen shot 2015 11 19 at 2 43 08 pm

Fortunately, Sierra has not been removed from the MAS and it is still available for download. Apple has a KBase article, available via the link below, which shows how to access the macOS Sierra page in the Mac App Store:

https://support.apple.com/HT208202

To access the macOS Sierra page directly, please click on the link below:

https://itunes.apple.com/us/app/macos-sierra/id1127487414?ls=1&mt=12

That link should open the MAS and take you to the macOS Sierra download page.

Screen Shot 2017 11 10 at 11 06 58 AM

In the event that you’re blocked from downloading macOS Sierra, you should be able to download it in a virtual machine. I have a post on how to do this, available via the link below:

https://derflounder.wordpress.com/2017/02/21/downloading-older-os-installers-on-incompatible-hardware-using-vms/

Categories: Mac administration, macOS

Session videos from Jamf Nation User Conference 2017 now available

November 10, 2017 1 comment

Jamf has posted the session videos for from JAMF Nation User Conference 2017, including the video for my Apple File System session.

For those interested, all of the JNUC 2017 session videos are available on YouTube. For convenience, I’ve linked my session here.

Adding installer package code-signing to AutoPkg workflows

November 10, 2017 2 comments

As part of building an AutoPkg workflow to create installer packages, one of the requirements I was given was that any packages that weren’t already signed by the vendor needed to be signed using a Developer ID Installer signing certificate.

Screen Shot 2017 11 09 at 9 58 53 PM

Signing installer package is not usually an outcome of most AutoPkg workflows, since code signature verification can be used at the download end to make sure that the application is what it is supposed to be. However, there were several good reasons for adding a package signing step to the workflow, including:

  1. It is now necessary to sign packages before you’ll be able to use them as part of NetInstall sets
  2. The InstallApplication MDM command requires that macOS installer packages be signed with an appropriate certificate

After some research and testing, I was able to incorporate installer package signing into my AutoPkg workflow and am now able to automatically sign installer package as they’re generated by my package creation workflows. For more details, see below the jump.

Read more…

Implementing log rotation for the Jamf Infrastructure Manager logs on Red Hat Enterprise Linux

November 4, 2017 Leave a comment

A while back, I had set up the Jamf Infrastructure Manager (JIM) in a VM running Red Hat Enterprise Linux (RHEL) to provide a way for a Jamf Pro server hosted outside a company’s network to be able to talk to an otherwise inaccessible Active Directory domain. The JIM software has been running fine since I configured it, but I recently needed to take a look at the JIM logs as part of diagnosing another issue.

For those not familiar with the JIM software, it has several log files and those logs are available in the following location on RHEL:

/var/log/jamf-im-launcher.log
/var/log/jamf-im.log
/var/log/jamf-im-pre-enroll.log

Screen shot 2017 04 29 at 5 32 52 pm

When I checked the logs, I noticed that /var/log/jamf-im.log had grown to almost 500 MBs in size.

Considering this log is a plaintext file, that’s a big log file and it seemingly had been not been rotated or otherwise changed since I first installed the JIM software. To help make sure that the host VM would not eventually run out of space because of this growing log file, I needed to implement log rotation for the JIM logs. For more details, see below the jump.

Read more…

Unlock an encrypted APFS boot drive using Disk Utility

November 4, 2017 1 comment

In the event that you need to unlock an unbootable boot drive using Apple File System (APFS) encryption, it’s possible to do so using Disk Utility and one of the following authentication credentials:

  1. The password to a FileVault-enabled account on the drive
  2. A personal recovery key

For more details, see below the jump.

Read more…

%d bloggers like this: