One of the challenges Mac admins have to deal with is Mac application installers which don’t follow one of the following models:
In many cases, these alternate installers take the form of applications which may or may not have options for installing via command line. For those that do not have the option of command line installation, the only real option is to install the application in question, then re-package it as either a drag-and-drop install or an installer package.
However, for those installer applications that do support command line installation, this opens up the option of embedding the installer application inside an installer package and using a postinstall script to run the necessary commands for the installer application to install its files onto the Mac. I’ve used this workflow several times in the past, with some examples linked below:
- Creating a DNAStar Lasergene 13.x installer
- Revisiting Sophos Enterprise Anti-Virus for Mac 9.2.x deployment
- Deploying Sophos Anti-Virus Home Edition for Mac 9.2.x for personal use
These examples have been manually built by me on an as-needed basis as new versions are released, but wherever possible, I want to automate this process using AutoPkg. Thanks to being able to study a recently-built .pkg recipe for AccuBarcodePro created by @foigus, I was able to build recipes for AutoPkg which handle downloading and packaging the following installer applications:
For more details, see below the jump.
As part of providing support for the Macs in my shop, I build and use utility disks which contain useful utilities like DiskWarrior and Carbon Copy Cloner. My shop’s network supports NetBoot across subnets, so I also build NetBoot sets from the utility disks. The reasons I do this are the following:
- Having a utility disk available via NetBoot means I always have access to a utility disk when needed.
- The other members of my team also have access to the same utility disk when they need it.
- Nobody needs to carry around external drives with the utility software.
- Updates to the utility disk can be made in a centralized fashion.
For details on how I’m building NetBoot sets from utility disks, please see below the jump.
When working with AppleScripts that other folks have written, it’s often useful to be able to look at the source of the AppleScript. One quick way to do this via the command line is to use the osadecompile command. This command is designed to output the source of a compiled AppleScript or other OSA language scripts to standard output. For more details, see below the jump.
I’ll be speaking about virtualization, with a focus on VMware solutions, at MacSysAdmin 2016, which is being held from October 4th – 7th, 2016 in Göteborg, Sweden. For those interested, my talk will be on Thursday, October 6th.
For a description of what I’ll be talking about, please see the Thursday program page.
As part of rolling out Office 2016 for my shop, I noticed that Office 2011’s Microsoft Document Connection application was no longer included with Office. A number of folks in my shop had been using this application to access documents on our SharePoint servers, so its absence meant I needed to learn how to access SharePoint sites using Office 2016.
After some research and discussion with colleagues, I was able to figure out how to connect to SharePoint from within Office 2016 applications. For more details, see below the jump.
As mentioned previously, I needed to migrate my Casper server from using the Apple Push Notification Service (APNS) certificate generated by one Apple ID to now using another APNS certificate generated by another Apple ID.
This project is fairly straightforward, thanks to a couple of factors:
- The Casper server in question is managing only OS X devices.
- I have a way to identify via a Casper Extension Attribute which Macs have MDM profiles associated with the APNS certificate which is no longer active.
I was able to set up a Casper smart group to look for machines that fit the following criteria:
- Criteria: Extension Attribute name (In this case, the EA is named Apple Push Notification Service certificate identifier.)
- Operator: Like
- Value: com.apple.mgmt.External.uuid_of_former_apns_certificate_goes_here
From there, I set up a policy that is scoped to run on the members of that smart group. For more details, see below the jump.
A few years ago, I set up my Casper server with an Apple Push Notification Service (APNS) certificate. That by itself is not remarkable, but the way I did it would be frowned upon these days. That’s because I used an Apple ID tied to my work email address to generate it.
The reason that I did this was that back then, you needed to have a paid membership in the Apple iOS Developer Program in order to get an APNS certificate. I was not part of an enterprise team, so the Apple ID I was using to log into my ADC account was tied to my own work email address. Consequently, I generated my initial APNS certificate for my Casper server using an Apple ID tied to my work email address.
Fast forward to 2016 and the world of the Apple Push Certificates Portal, where it’s no longer necessary to have an Apple Developer Connection account to have an APNS certificate. In fact, it’s not a great idea at all because people come and go, but hopefully the Apple ID used to generate your APNS certificate (also known as an MDM certificate or push notification certificate) does not. That’s because you can’t transfer an Apple ID to another email address and only the Apple ID used to generate your initial APNS certificate can generate the new certificate needed for the annual APNS certificate renewal.
For iOS devices, where everything is managed via MDM, changing the Apple ID used to generate your APNS certificate means that you are going to have to re-enroll all of your devices. This is usually a sizable effort and one that should be avoided if at all possible.
For OS X devices, where MDM-only management is still fairly rare, changing Apple IDs (and APNS certificates) is less problematic. You will also need to re-enroll your devices, but it should be possible to use alternate means to remove your old MDM profile(s) and make the Mac pull down a new set of MDM management profiles that would incorporate the new APNS certificate for the Mac’s push notifications.
Fortunately, I’m in the situation of having to change out my Apple ID and APNS certificate only on OS X devices. These devices are also managed by my Casper server, so I can automate a fix for the issue using a script like the one below:
However, I still had one issue – identifying which machines had the “old” MDM profiles associated with the APNS certificate which I was trying to move away from. For details on how this was addressed, see below the jump.