Archive for the ‘Mac administration’ Category

Enabling Touch ID authorization for sudo on macOS High Sierra

November 17, 2017 1 comment

My colleague @mikeymikey brought this tweet by Cabel Sasser to my attention yesterday:

I have a Touch ID-enabled MacBook Pro and use sudo frequently, so I’ve implemented this on my own laptop. For more details, see below the jump.


Categories: Mac administration, macOS, Unix

APFS encryption status check script

November 13, 2017 1 comment

As part of working with Apple File System, I’ve developed a script which is designed to check and report the status of encrypted Apple File System (APFS) drives. Currently, here’s what the script is detecting and reporting:

It first checks to see if a Mac is running 10.13.x or higher. If the Mac in question is running 10.13.x or higher, the script reports if it is using encryption on an APFS drive and gives the encryption or decryption status.

If encrypted, the following message is displayed:

FileVault is On.


If not encrypted, the following message is displayed:

FileVault is Off.


If encrypting, the following message is displayed:

Encryption in progress:

How much has been encrypted is also displayed.


If decrypting, the following message is displayed without quotes:

Decryption in progress:

How much has been decrypted is also displayed.


If run on a drive which is not using APFS, the following message is displayed:

Unable to display encryption status for filesystems other than APFS.


The script is available below and here on my GitHub repository:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/check_apfs_encryption

I’ve also built a Jamf Pro Extension Attribute:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Extension_Attributes/check_apfs_encryption

Downloading macOS Sierra from the Mac App Store

November 10, 2017 1 comment

Now that macOS High Sierra has been released, it’s become more difficult to access the macOS Sierra installer in the Mac App Store (MAS) for those who still need it.

Previous versions of OS X and Mac OS X which were purchased by an Apple ID will appear in the MAS’s Purchased list for that Apple ID, but macOS Sierra is an exception because it did not need to be purchased using an Apple ID.


Fortunately, Sierra has not been removed from the MAS and it is still available for download. Apple has a KBase article, available via the link below, which shows how to access the macOS Sierra page in the Mac App Store:

https://support.apple.com/HT208202

To access the macOS Sierra page directly, please click on the link below:

https://itunes.apple.com/us/app/macos-sierra/id1127487414?ls=1&mt=12

That link should open the MAS and take you to the macOS Sierra download page.


In the event that you’re blocked from downloading macOS Sierra, you should be able to download it in a virtual machine. I have a post on how to do this, available via the link below:

https://derflounder.wordpress.com/2017/02/21/downloading-older-os-installers-on-incompatible-hardware-using-vms/

Categories: Mac administration, macOS

Adding installer package code-signing to AutoPkg workflows

November 10, 2017 1 comment

As part of building an AutoPkg workflow to create installer packages, one of the requirements I was given was that any packages that weren’t already signed by the vendor needed to be signed using a Developer ID Installer signing certificate.


Signing installer packages is not usually an outcome of most AutoPkg workflows, since code signature verification can be used at the download end to make sure that the application is what it is supposed to be. However, there were several good reasons for adding a package signing step to the workflow, including:

  1. It is now necessary to sign packages before you’ll be able to use them as part of NetInstall sets
  2. The InstallApplication MDM command requires that macOS installer packages be signed with an appropriate certificate

After some research and testing, I was able to incorporate installer package signing into my AutoPkg workflow and am now able to automatically sign installer packages as they’re generated by my package creation workflows. For more details, see below the jump.


Unlock an encrypted APFS boot drive using Disk Utility

November 4, 2017 1 comment

In the event that you need to unlock an unbootable boot drive using Apple File System (APFS) encryption, it’s possible to do so using Disk Utility and one of the following authentication credentials:

  1. The password to a FileVault-enabled account on the drive
  2. A personal recovery key

For more details, see below the jump.


Unlock or decrypt an encrypted APFS boot drive from the command line

November 4, 2017 1 comment

As part of working with Apple File System (APFS) volumes, it may be necessary to decrypt a boot drive using APFS’s native encryption in order to fix a problem. To decrypt an encrypted APFS boot drive from the command line, you will need to do the following:

  1. Identify the relevant encrypted APFS volume
  2. Unlock the encrypted APFS volume
  3. Decrypt the encrypted APFS volume

For more details, see below the jump.


Apple software updates creating APFS snapshots on macOS High Sierra

November 2, 2017 5 comments

As part of macOS High Sierra, Apple has added a new feature to Apple software updates which require a restart. When these updates are installed onto a boot drive which is using Apple File System (APFS), an APFS snapshot is automatically created on the boot drive prior to installing the software update. An APFS snapshot is a read-only copy of the state that the boot drive was in at a certain point in time, so it can be used as a backup in case something goes wrong with the update.


Update 11-2-2017: Apple has a KBase article which references this behavior:

https://support.apple.com/HT204015

The KBase article notes that a snapshot is made before macOS updates are made, which may mean that not all updates that require a restart will generate a snapshot.


 

In the event that the Apple software update causes post-installation issues, you can boot to Recovery HD and use the Time Machine restore functions available in Recovery to access the snapshot and restore the affected drive to the state it was in before the software update was installed.


Something to be aware of is that this functionality does not apply to all Apple software updates. Instead, the automated snapshot creation appears to be specifically tied to Apple’s macOS updates.

The automated snapshot creation process does not require Time Machine to be configured for the Mac in question and a separate Time Machine backup drive is not needed. The snapshot is stored on the affected boot drive and does not require anything other than sufficient free space on the boot drive to store the snapshot. For more details, see below the jump.
