Archive

Archive for the ‘Mac administration’ Category

MacAdmin 101: Using createOSXinstallPkg to build OS X and macOS installer packages

December 6, 2016 2 comments

Providing new installs of macOS, or upgrading to newer versions, can be a challenge in many Mac environments. Apple’s OS distribution model is focused around the Mac App Store (MAS), which may not be an option for a number of managed Mac environments. The MAS-distributed OS installer also does not include the option of adding additional third-party packages to the OS installation process; it only installs the software that Apple itself includes in the OS installer.

To address these needs, an open-source tool named createOSXinstallPkg is available. createOSXinstallPkg allows you to create an Apple installer package from an “Install macOS.app”. You can use this package for the following:

The advantage of using this tool is that a number of system deployment tools for Macs can deploy the installers created by this tool, allowing OS installations or upgrades to be performed by the system management tool already in use by a particular IT shop. One great thing about using this tool is that createOSXinstallPkg will create an installer package that either installs a stock copy of either OS X or macOS, or you can add additional packages to the stock OS install.

When adding packages, there are a couple of guidelines to keep in mind:

  1. There is about 350 megabytes of free space available in the OS installer. This is sufficient space for configuration or bootstrapping packages, but it’s not a good idea to add Microsoft Office or similar large installers.
  2. The limitations of the OS install environment mean that there are a number of installers that won’t install correctly.

In particular, packages that use pre-installation or post-installation scripts may fail to run properly when those packages are run as part of the OS installation process. To help work around this limitation, I’ve developed a solution which I’ll be discussing later in the post. For more details, see below the jump.

Read more…

Deploying and licensing EndNote X8

November 23, 2016 3 comments

As previously discussed, a number of folks in my shop use Clarivate Analytics’s EndNote bibliography software. Clarivate Analytics provides EndNote X8 with an installer application, but I need an installer package in order to easily deploy it to my customers. EndNote X8 was initially problematic in that regard, but I was able to write AutoPkg recipes for EndNote X8 to handle converting Clarivate Analytics’s installer application into a deployable installer package, including a recipe that would automate uploading the latest EndNote installers to my Casper server.

Screen Shot 2016 11 22 at 9 56 17 PM

 

Once AutoPkg was able to provide an EndNote X8 installer package for deployment, the remaining hurdle was that the EndNote X8 installer from AutoPkg installs an unlicensed copy of EndNote and I needed to have installed copies of EndNote automatically use my shop’s EndNote site license.

Screen Shot 2016 11 22 at 9 41 57 PM

 

Fortunately, EndNote X8’s volume license can be deployed just like EndNote X7’s volume license. The volume license is stored in as an invisible file named .license.dat in /Applications/EndNote X8  and it has a format that looks like this:

Company Name
1234567890
V2ZMQT6556P8WMH38MTQ6YSM8UXCCRYQ5MDS4WJGLKMP7RGSWECBCMT77556P8WCE8KMTQ6YSMNXJCCRYQ59MD9WJGLKMCSESSWECBCMB76556P8WCU3NMTQ6YSMLUYCCRYQ5MET8WJGLKMPSMJSWECBCM57F556P8WCU3CMTQ6YSM9DECCRYQ59XSCWJGLKMPNE9SWECBCMB79556P8WCH8KMTQ6YSMDXECCRYQ5MTSMWJGLKMPYRMSWECBCB7W7556P8W

Note: The Company Name part may show up twice in your .license.dat file.

With some additional testing, I found that I could remove an existing .license.dat file (if one was present) and replace it with my shop’s site license’s .license.dat file. That allowed me to use the EndNote X8 installer produced by AutoPkg by having Casper install it, then apply our site license file as a post-installation action. For more details, see below the jump.

Read more…

Preparing EndNote X8 for deployment using AutoPkg

November 15, 2016 3 comments

As previously discussed here, one of the software packages used in my shop is Clarivate Analytics’ EndNote bibliography software.

Recently, EndNote X8 was released. When the new version’s installer was downloaded, it was discovered to be an installer application, which can pose problems for deployment.

Screen Shot 2016 11 14 at 9 09 31 PM

Screen Shot 2016 11 14 at 9 09 27 PM

Screen Shot 2016 11 14 at 9 24 58 PM

By itself, the change to an installer application may not have been a huge problem as long as it had options for running the installation process from the command line. However, when I checked with EndNote support about the new installer, I was told that there was no option for installing EndNote X8 on a Mac using the command line.

Since the EndNote X8 installer does not have the option of command line installation, the only real option I thought I had was to install EndNote X8, then re-package it as either a drag-and-drop install or an installer package. However, when I dug deeper into the installer, I discovered a .zip file buried inside the installer.

Screen Shot 2016 11 14 at 9 10 04 PM

When expanded, this .zip file proved to be a complete install of EndNote X8.

Screen Shot 2016 11 14 at 9 11 41 PM

When I ran the EndNote X8 installer, it appeared to be performing the following functions:

1. Checking for Endnote updates
2. Extracting the .zip file into a new EndNote X8 folder

Screen Shot 2016 11 14 at 9 26 38 PM

3. Moving the new EndNote X8 folder into /Applications

Screen Shot 2016 11 14 at 9 26 40 PM

4. Launching the EndNote X8 application, which automatically loads the EndNote X8 Customizer screen if EndNote hasn’t been configured.

Screen Shot 2016 11 14 at 9 26 01 PM

For more details, see below the jump.

Read more…

Providing website links via Casper Self Service policies

November 10, 2016 Leave a comment

It’s often useful to provide a way for everyone in your shop to be able to look up commonly used websites. Methods I’ve seen of doing this include:

  • Wiki pages
  • Bookmarks deployed to browsers
  • Browser extensions

Another method is to use Casper’s Self Service plug-ins feature.

Screen Shot 2016 11 10 at 9 57 09 AM

Screen Shot 2016 11 10 at 9 56 55 AM

This makes it easy to set up website bookmarks, which then appear in a sidebar of Self Service.

Self Service URL plug in

The main drawback to this method is you can’t scope these bookmarks to appear only to certain users or computers. These will appear on on all managed computers and to all users. If you need to have one set of bookmarks available to Group A in your organization, and a different set of bookmarks appearing to Group B, the Self Service plug-ins feature may not be the best solution.

Fortunately, you can solve this scoping issue using Casper policies and Self Service. For more details, see below the jump.

Read more…

Race condition vulnerability fixed in CasperCheck

November 7, 2016 Leave a comment

Recently, I was alerted by Todd Houle that his infosec folks had identified an vulnerability with CasperCheck that should be addressed.

The problem:

CasperCheck downloads a QuickAdd installer from a web server inside a .zip file and initially stores it in the /tmp directory. All users on the system have access to /tmp, so it was possible for an malicious unprivileged user to leverage a race condition to replace the downloaded .zip file with another .zip file with the same name.

Assuming that the replaced .zip file was valid and passed the check for being a valid .zip file, CasperCheck would then expand the contents of the replaced .zip file into the /var/root/quickadd directory. Assuming that the malicious unprivileged user had their own installer package stored inside the replaced .zip file, the next time that CasperCheck would determine that it needs to install the Casper agent via its cached QuickAdd installer, it would instead install that installer package in place of the expected QuickAdd package.

The fix:

The vulnerability assumes that the QuickAdd package is being downloaded to a place where an unprivileged user can access it, so the implemented fix to this problem is to download it to a place where only root has access. Todd fixed the issue by changing the designated download location to the following:

From: /tmp/quickadd.zip
To: $quickadd_dir/quickadd.zip, where the value of $quickadd_dir is /var/root/quickadd

Moving the download location to /var/root/quickadd means that the download is going to a location inside the root account’s home directory. Only root has write access to its home directory, which stops an account which doesn’t have root privileges from being able to swap out the .zip file.

Changes to CasperCheck:

Fortunately, the changes needed to implement this fix are minor and are in two places:

The quickadd_zip variable has changed:

From: /tmp/quickadd.zip
To: $quickadd_dir/quickadd.zip, where the value of $quickadd_dir is /var/root/quickadd

Screen Shot 2016 11 07 at 9 57 13 AM

 

The update_quickadd function has been updated, to move the following actions to be first:

  • The creation of the /var/root/quickadd directory, if that directory is not already present
  • The removal of existing files from the /var/root/quickadd directory
 
Screen Shot 2016 11 07 at 9 57 52 AM
 

I’ve posted an updated CasperCheck script with the described changes to the following location:

https://github.com/rtrouton/CasperCheck/blob/master/script/caspercheck.sh

If you’re a CasperCheck user, I recommend updating to the latest version at your earliest convenience.

The changes to the script can be seen here:

https://github.com/rtrouton/CasperCheck/commit/35e4e1d6ba9f363b894b36535b151637eb70602e

 

Hat tip: Thanks to Todd to alerting me to this issue and providing help to fix it.

Not all installed fonts may be displayed in some applications’ font menu lists

November 3, 2016 Leave a comment

Recently, one of my customers had a problem with the font he needed not showing up in all applications. In this particular case, he wanted to use the Symbol font as part of a Keynote presentation he was preparing but it did not appear in Keynote’s font list.

Screen Shot 2016 11 03 at 9 12 28 AM

Meanwhile, the Symbol font did appear in PowerPoint 2016’s font list.

Screen Shot 2016 11 03 at 9 33 06 AM

Meanwhile, it was possible to copy and paste text using that font from PowerPoint and into Keynote, but then the font list in Keynote showed a blank entry in place of the name of the font.

Screen Shot 2016 11 03 at 9 34 59 AM

Screen Shot 2016 11 03 at 9 35 14 AM

What was going on? For more details, see below the jump.

Read more…

Fixing server connection issues by changing network interface order

October 25, 2016 1 comment

I had one of my customers report a problem today after applying software updates to his Mac. His Mac had been able to automount certain network shares via NFS before the updates, but was unable to access those shares following the updates.

I connected remotely to the Mac and verified that I was unable to manually mount the NFS mounts.

When I tried to run the showmount command to get a list of the available NFS mounts on the server, I also received a timeout message:

I was about to send this on to the team that handled our NFS shares, when I remembered I hadn’t verified that I could access the server. Sure enough, I couldn’t:

I could ping Yahoo however, so I could contact the internet.

So I couldn’t access an internal network resource, but I could access the internet. What made this puzzling was that I was connecting remotely to the Mac via the IP address associated with this person’s Ethernet address. This IP address should not have had issues accessing internal network resources. What had happened? For more, see below the jump.

Read more…

%d bloggers like this: