Archive

Archive for the ‘Mac administration’ Category

Application blacklisting using management profiles

May 20, 2017 2 comments

When deploying Macs for use in classrooms or for training, there is occasionally a requirement that certain applications must be blocked from running. Usually, this is to make sure that the student or test taker using the Mac is not able to use the blocked applications because it would distract them or otherwise cause problems.

On iOS, there is a way to do this via the blacklistedAppBundleIDs key available in the Restrictions payload. However, this key is not available on macOS and Macs will ignore the blacklist.

On macOS, there is the ability to set an application whitelist via Profile Manager but not a blacklist.

Screen Shot 2017 05 20 at 2 45 31 PM

However, the profile specification does include the ability to configure an application blacklist using the pathBlackList key in the settings managed by the com.apple.applicationaccess.new payload.

Screen Shot 2017 05 20 at 2 28 46 PM

For more details, see below the jump.

Read more…

Categories: Mac administration, macOS

Looking up DUNS numbers for Apple’s VPP program

May 18, 2017 Leave a comment

As part of an ongoing project, I needed to set up a new Apple VPP account for use with a test environment. The reason I did this was that I didn’t want to cause conflicts with our production VPP account. When I went to set up the account though, I ran into an interesting problem.

As part of the VPP account setup, I needed to provide a DUNS number. However, the DUNS number I had belongs to a company based outside of the US and Apple’s US VPP enrollment site would only accept DUNS numbers associated with US addresses. Instead, I needed to use the DUNS number for my company’s US subsidiary in place of the DUNS number that I had. The problem was that I had no idea what that DUNS number was.

After some research, I found a way to look up the DUNS number I needed and was able to successfully register my test environment’s VPP account with Apple. For more details, see below the jump.

Read more…

Using base64 encoding to include binary files inside scripts

May 2, 2017 5 comments

When writing scripts, it’s sometimes useful to be able to be able to include and deploy binary files as part of the script run. An example of this would be if you want to use MySQL 5.6 and later’s option for creating a MySQL connection file. This is a file that allows you to store MySQL authentication inside an encrypted file named .mylogin.cnf.

Rather than trying to script the creation of a MySQL connection file, where the creation process would involve placing the MySQL authentication credentials in a readable format inside the script, it is easier and more secure to build the connection file manually on one machine and then encode the encrypted MySQL connection file into ASCII text using base64 encoding. Once encoded, the ASCII text can be decoded as part of a script designed to deploy the still-encrypted MySQL connection file to a desired location.

For more details on how to use base64 encoding, please see below the jump.

Read more…

Office 2016 DefaultsToLocalOpenSave setting change as of Office 2016 15.33.x

April 17, 2017 1 comment

As part of the release of Office 2016 15.33.0, a number of managed preference options have been added and some have changed from what they were before. An example of one that has changed is the DefaultsToLocalOpenSave management setting, which sets the Open and Save options in Office 2016 apps to default to On My Mac instead of Online Locations.

In Microsoft Office 2016 15.32.x and earlier, the  DefaultsToLocalOpenSave setting could only be managed by running a command similar to the one below on the individual user accounts:

/usr/bin/defaults write "/path/to/user/homefolder/Library/Group Containers/UBF8T346G9.Office/"com.microsoft.officeprefs DefaultsToLocalOpenSave -bool true

To set this for all accounts on a particular Mac, I had written the following script:

As of Microsoft Office 2016 15.33.x, this setting can now be set at the global level for all users by running the following command with root privileges:

/usr/bin/defaults write /Library/Preferences/com.microsoft.office DefaultsToLocalOpenSave -bool true

I’ve posted an updated script for manage this setting to GitHub, available via the link below:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/set_office_2016_default_save_option_to_on_my_mac

This setting can now also be managed with a profile, so I’ve created a .mobileconfig file and posted it here on Github:

https://github.com/rtrouton/profiles/tree/master/Office2016DefaultToLocalSave

Creating macOS installer disk images for VMware Fusion and ESXi with create_macos_vm_install_dmg

March 30, 2017 Leave a comment

I’ve had a tool available for a while named create_vmware_osx_install_dmg, but it looks like it has reached the end of the road with macOS 10.12.3. The reason for this is because macOS 10.12.4 has introduced a change that prevents the addition of third-party packages to the OS installer. create_vmware_osx_install_dmg uses the addition of a third-party installer package, so unfortunately this tool cannot be used to generate 10.12.4 or later OS installers.

That said, I still want to be able to create macOS installer disk images for VMware Fusion and ESXi, so I’ve forked create_vmware_osx_install_dmg into a new script named create_macos_vm_install_dmg. create_macos_vm_install_dmg will generate stock OS installer disk images for the following OS versions:

  • Mac OS X 10.7.x
  • OS X 10.8.x
  • OS X 10.9.x
  • OS X 10.10.x
  • OS X 10.11.x
  • OS X 10.12.x

This script does not use a third-party package, so it is able to build a macOS 10.12.4 installer disk image. For more details, see below the jump.

Read more…

Third-party installer packages may not be installable by the macOS 10.12.4 OS installer

March 29, 2017 5 comments

With the release of macOS 10.12.4, it appears that Apple has made a change to the OS installer that blocks the installation of third-party packages which have been added to the OS installer. In my testing, I’ve verified the following tools are affected:

Note: There may be others, this list is what I’ve tested.

In each case, the OS install process proceeds without issues until the OS installer tries to install the third party installer package. At that point, the installation process fails and displays the message shown below:

The package "Package Name Goes Here" is not signed.
Quit the installer to restart your computer and try again.

Screen Shot 2017 03 28 at 8 45 36 AM

The error message displayed is misleading however, as this message may also appear if the package has been signed with a Developer ID Installer certificate.

In testing done by myself and others, we have found that there is one circumstance where you can still add a third-party installer package:

  1. If you are building a NetInstall NetBoot set using System Image Utility
  2. If the package is signed with a Developer ID Installer certificate.

Otherwise, the only installer packages I’ve seen which install correctly are packages which have been signed by Apple itself.

Screen Shot 2017 03 28 at 9 25 52 PM

For more details, see below the jump.

Read more…

Categories: Mac administration, macOS

Disabling iCloud Desktop and Documents syncing

March 27, 2017 4 comments

As part of my pre-release testing of macOS Sierra, I tested iCloud Desktop and Documents syncing and decided I was not going to use it because of the problems I found. However, at that time I could not find a way to disable only iCloud Desktop and Documents without having to disable iCloud Drive entirely.

As part of the release of macOS 10.12.4, Apple has made available a profile option that allows for the specific disabling of iCloud Desktop and Documents syncing without needing to block iCloud Drive.

Screen Shot 2017 03 15 at 9 36 16 AM

For more details, see below the jump.

Read more…

Categories: Mac administration, macOS
%d bloggers like this: