Archive for the ‘Mac administration’ Category

Gatekeeper automatically re-enables after 30 days on Yosemite and later

July 31, 2015 1 comment

On OS X 10.10.x and later, disabling Gatekeeper does not mean it is permanently off. After a set amount of time (currently 30 days), Gatekeeper will automatically re-enable itself with the Allow apps downloaded from: Mac App Store and identified developers setting.

Screen Shot 2015 07 31 at 4 49 06 AM

I was able to track down which part of the OS this was coming from and it looks like it’s defined as part of syspolicyd:

Screen Shot 2015 07 31 at 7 00 01 AM


After doing some research, it looks like Gatekeeper’s automatic re-enablement function can be disabled by running the following command with root privileges:

defaults write /Library/Preferences/ GKAutoRearm -bool false

This would allow Gatekeeper to be set to Allow apps downloaded from: Anywhere and have it stay that way.

Screen Shot 2015 07 31 at 4 48 58 AM


For those who want to set this with a management profile, I’ve created a .mobileconfig file and posted it here on Github:

Update – 7-31-2015: My colleague Tom Burgin points out that this may not be manageable via a profile after all, due to the way Apple has set the value that it’s reading:

If a management profile isn’t being respected, the defaults command listed above is the way to apply this to machines.

I’ve filed a bug report about this. For those interested in duping this bug, the bug report ID is 22094327. I’ve also cross-posted it to OpenRadar:

Firefox 39.0 showing blank white windows in OS X VMs

July 7, 2015 11 comments

I do a lot of my application testing in VMs, so when Firefox 39.0 came out, it went into my test environment and I built a new VM to check it out.

Firefox 39.0 looked like this when I launched it in my test VM.

Screen Shot 2015 07 06 at 4 03 11 PM

As part of my testing workflow, I also installed Firefox 39.0 onto a couple of actual Macs.

Firefox 39.0 looked like this when I launched it on those machines.

Screen Shot 2015 07 06 at 3 10 57 PM

As you can see, two very different results were discovered as part of my testing. After a few rounds of “It’s broken in the VM, retest, it’s still broken, retest on my laptop, no problem, repeat,” I finally tracked down a Mozilla bug report that indicated that the issue was not specific to my environment and gave me the potential scope of the issue. For more information, see below the jump.

Read more…

Hidden text editing options available in Casper’s script editor

June 29, 2015 Leave a comment

I recently learned that there are hidden text editing options for the Casper JSS’s script editor. To access these options, do the following:

1. Log into your JSS

2. Go to Computer Management: Scripts

Screen Shot 2015 06 29 at 6 31 23 PM

3. Bring up the script editor in your browser

Screen Shot 2015 06 29 at 6 20 16 PM


4. Click inside the text entry area of the script editor

5. Press Command + comma ( + ,)

6. The JAMF script editor’s text editing options will appear.

Screen Shot 2015 06 29 at 6 20 21 PM

There are some issues to be aware of:

  • Changes made are global and will affect all currently logged-in users
  • The settings changes are not persistent across sessions. If you log out or are logged out, you will need to re-setup your settings.

Ideally, changes made to the text editing preferences would be:

A. Per-user instead of affecting all users
B. Persistent, so that changes to these settings would not be lost on logout.

There’s an existing feature request on JAMF Nation which requests these changes. If you agree that this would be beneficial, please vote it up.

Categories: Casper, Mac administration

Revisiting Sophos Enterprise Anti-Virus for Mac 9.2.x deployment

June 17, 2015 4 comments

I had previously written about deploying Sophos Enterprise Anti-Virus for Mac 9.2.x, but I was recently notified that the method I had been using would stop working in a future release of Sophos.

Sophos has a KBase article about pre-configuring their installer application with the AutoUpdate settings, but I also wanted to be able to deploy Sophos using an installer package. Using the information from the KBase article, I was able to update my existing method for building an installer package for deploying Sophos Enterprise Anti-Virus for Mac 9.2.x. For the details, see below the jump.

Read more…

Yosemite’s paused encryption problem fixed in 10.10.3

June 10, 2015 2 comments

When Yosemite was released in October 2014, one of the changes it introduced was including a new FileVault 2 enablement option in Apple’s Setup Assistant. This option encouraged new users of Yosemite to enable FileVault 2 encryption and had the choice to enable FileVault 2 selected by default.

When the encryption process began, a significant issue then appeared for a number of users where the Mac would report Encryption paused during the encryption process, then never resume the encryption process.

Filevault stuck encryption paused


This produced a situation where the Mac could not complete encryption, but would not decrypt either because the encryption process had not completed. The only fix appeared to be deleting the existing CoreStorage volume, which addressed the issue at the cost of deleting everything stored on the boot drive.

Fortunately, OS X 10.10.3 includes a fix that should stop this issue from occurring on OS X 10.10.3 and later. There is also now a procedure that should fix Macs still affected by this problem. For more details, see below the jump.

Read more…

Opening screensharing connections on OS X using pre-set usernames

June 4, 2015 8 comments

I use screensharing quite a bit, both at home and at work, to connect to machines. As part of this, my process for connection has looked something like this:

1. Verify I’m on the right network.

2. On the Mac I’m connecting from, under the Go menu, select Connect to Server…

Screen Shot 2015 06 03 at 7 29 10 AM

3. In the Server Address: line, enter the address of the Mac which I want to remotely connect to:


Screen Shot 2015 06 04 at 8 30 29 AM

4. Logging in by entering my authentication credentials into the screensharing login window’s username and password blanks.

Screen Shot 2015 06 04 at 7 09 27 AM

5. Assuming username and password are accepted, the remote Mac’s screen is displayed.

Screen Shot 2015 06 04 at 7 11 52 AM

As with any task I perform frequently, I wanted to shave some time off of this process but I didn’t want to save the screensharing authentication info to my keychain (personal preference).

Fortunately, there’s an easy way to pre-define the username for the screensharing login window by adding username@ to the vnc:// address:


Screen Shot 2015 06 04 at 7 09 43 AM

The username should now be filled in when the screensharing login window appears.

Screen Shot 2015 06 04 at 7 10 03 AM

Since you can also make bookmarks in the Connect to Server window, my next step was saving a bookmark for the updated screensharing address.

Screen Shot 2015 06 04 at 7 16 43 AM

It’s simple enough to do, but not having to manually enter the username will save me at least a few seconds every time I connect to a remote machine’s screen.

Preparing for a Bad Day – How to write Disaster Recovery documentation

June 1, 2015 Leave a comment

IT disasters are unpleasant, and can take many forms. However overwhelming the idea of a possible disaster may be, it is crucial to have a well-formed plan in place. Many IT professionals don’t have a good grasp on how to write disaster recovery documentation, which can lead to confusion and problems when disaster strikes.

To give an idea of how good disaster recovery documentation can save the day, I’d like to share a story of how good documentation not only saved the day, but also saved my vacation. 

A few years ago, I was riding the airport shuttle on my way to a cruise ship vacation. While en-route, I got a call from my workplace where the person calling said that they had a power outage at our main datacenter. I was gone, my alternate was stuck in traffic, what should they do? I said “Can you find the Mac server rack?” Yes, they found it. “Do you see the packet marked Emergency Server Startup and Shutdown Procedures?” Yes, they did. “OK, open that and start reading. It’ll walk you through the process.” I talked with them for a few more minutes to make sure that they were OK, then I said goodbye, ended the call and prepared to board my plane.

Without that packet attached to the front of the server rack, which I had made sure was updated the day before with the latest information, I might have been trying to talk someone through the shutdown procedure for about fifteen servers and twelve RAID arrays over the phone up until the moment that the flight attendant yanked my phone out of my hand because the plane needed to take off.

There are a few lessons to take from this story.

Q: Where was I when the disaster occurred?
A: Off-site and without access to either a computer or a way to connect back to the work network.

Q: Where was the other person who had been trained on our disaster recovery process?
A: Off-site and unavailable.

Q: Who was the person on the phone?
A: Someone who wasn’t trained in our disaster recovery process.

Q: What allowed the person on the phone to successfully bring down my servers?
A: Accurate and easily-understood documentation that was placed for ready access.

Q: What was not affected by this disaster?
A: My vacation.

With these lessons in mind, see below the jump for my advice on how to write disaster recovery documentation.

Read more…


Get every new post delivered to your Inbox.

Join 224 other followers

%d bloggers like this: