Archive
Setting a macOS VM to automatically boot to Recovery HD using VMware Fusion
When testing various security functions, like System Integrity Protection or High Sierra’s new kernel extension functionality, it’s often useful to be able to boot a macOS virtual machine (VM) into the Recovery environment. However, it can be challenging to select the VM and hold down Command+R in time to boot to the Recovery environment. This can result in having to try several or more times before you can successfully boot the VM to Recovery HD.
Fortunately, VMware has a setting that enables a forced boot to Recovery HD. For more details, please see below the jump.
Deploying a pre-configured F5 Big-IP VPN client
As part of a discussion with a colleague, he said that he needed to build an installer for his shop’s F5 Network’s VPN service but wasn’t sure how. I hadn’t built one of these previously either, so I decided to look into it.
Fortunately, F5 Networks has made the process of creating one a fairly straightforward process, assuming that your VPN administrator can provide the needed config_tmp.f5c configuration file. Assuming that you can get that file, all that’s needed is making sure that the config_tmp.f5c file is located in the same directory as the VPN client installer.
The reason for this is that the postinstall scripts of the F5 VPN client installer are set to look for that file in that location, and will automatically import the configuration file’s contents if the file is found.
Once I had both the config_tmp.f5c config file and a copy of the F5 VPN client installer, I was able to create an installer using this method that handled both the installation and the automated configuration of the F5 VPN client. For more details, see below the jump.
Generating printer configurations using payload-free_package_printer_generator.sh
As part of a recent discussion, a colleague posted in the MacAdmins Slack that they needed to deploy printers as part of a DeployStudio workflow. DeployStudio doesn’t natively include this functionality, so that meant developing a way to deploy the desired printers to the appropriate Macs via one of the following methods:
- Using a script
- Using a management profile
As part of the conversation, I pointed to Nick McSpadden‘s PrinterGenerator tool:
https://github.com/nmcspadden/PrinterGenerator
Nick’s tool is designed to create printer configurations for deployment via Munki. However, my colleague wasn’t using Munki in this case and didn’t plan to deploy it. So even though there was a tool that could have solved the problem, adapting it to work for my DeployStudio-using colleague’s needs was going to take some time and effort.
The discussion got me started thinking about the problem of printer deployments and ways to solve it that could work for the vast majority of deployment solutions. After some research and testing, I’ve developed a solution that may work for most deployment needs. For more details, see below the jump.
Enabling least-privilege screensharing using Apple’s Remote Desktop Client and Screen Sharing.app
In a number of Mac-using environments, there is often a need for IT staff to remotely connect to a Mac’s screen using Apple’s Remote Desktop application and work with the person on the other end to resolve a problem. However, there can be several technical and human-centric issues with enabling remote assistance:
- Authentication – To enable access using a username and password, that user account must be granted access rights by belonging to a group or by explicitly granting rights to a local account.
- Password rotation – If you’re enabling screensharing via granting access to a local account, the security requirements in most environments mandate that those passwords be changed on a regular basis. However, securely changing the account password on multiple remote Macs can be a management challenge on its own.
- Access privileges – A lot of folks don’t like the idea that someone they don’t know can take over access to their keyboards and screens without the remote customer saying it’s OK for them to do so. Frankly, I’ve been on both sides of this fence and I don’t like it either.
However, there is a way to enable screen sharing using Apple’s Remote Desktop Client and Apple’s Screen Sharing.app which does the following:
- Removes the need for any account to be enabled for screen sharing access
- Mandates that all screen sharing access be approved by the logged-in user
- Does not allow screen sharing access if no user is logged in.
For more details, see below the jump.
Activating EndNote X8 using management profiles
I’ve moved on from a role where I needed to support Clarivate Analytics’s EndNote bibliography software, but I noticed that my colleague Rusty Myers is now deploying it in his environment.
As part of his work, Rusty discovered that it was possible to bypass the activation process by adding the AcceptedENX7.2EULA key to /Library/Preferences/com.ThomsonResearchSoft.EndNote.plist:
In Rusty’s case, the key is being added by running the following commands with root privileges:
/usr/bin/defaults write "/Library/Preferences/com.ThomsonResearchSoft.EndNote.plist" "AcceptedENX7.2EULA" -string "1"
Reading through Rusty’s post, I wondered if you could apply this setting via a management profile instead of writing the necessary values to /Library/Preferences/com.ThomsonResearchSoft.EndNote.plist. With some testing, I verified that it’s possible to also bypass the activation process with a management profile.
For those who want to bypass EndNoteX8’s activation process using a management profile, I’ve created a .mobileconfig file and posted it here on Github:
https://github.com/rtrouton/profiles/tree/master/ActivateEndNote/EndNoteX8
I’ve also created one for EndNoteX7, since it appears that the setting has not changed since EndNoteX7’s release. However, I do not have access to that version of EndNote and can’t test it to make sure.
If you’re still deploying EndNote X7, please give it a try and let me know. The .mobileconfig file for EndNoteX7 has been posted here on Github:
https://github.com/rtrouton/profiles/tree/master/ActivateEndNote/EndNoteX7
VMware Fusion 8.5.8 adds Apple File System (APFS) support
VMware recently released VMware Fusion 8.5.8, which according to the release notes includes the following:
Another improvement which is not mentioned in the release notes is that VMware Fusion now includes support for the following:
- Using the macOS High Sierra beta installer as a valid installation source
- Booting macOS VMs from Apple File System (APFS) formatted drives.
For more details, see below the jump.
Creating Jamf Pro QuickAdd installer packages which do not install the Jamf Pro management user account
Jamf Pro-managed Macs usually have a management account on the Mac, which is normally created as part of the Mac’s enrollment in the Jamf Pro service. This may cause issues in some Mac environments, where the creation of local user accounts is tightly controlled to help minimize opportunities for malicious third parties to compromise unused accounts.
To help protect against the Jamf Pro management account being compromised, Jamf has added some protections. These protections include including the ability to set a random password for the account on a per-machine basis and the ability to rotate the password on a regular basis.
Depending on your needs though, it is also possible avoid setting up the Jamf Pro management account on Macs. The reason for this is that the Jamf Pro agent by and large does not need the Jamf Pro management account in order to work properly.
As of Jamf Pro 9.99.0, the Jamf Pro management account is used for the following:
- To provide SSH connectivity for Jamf’s Remote application
- To provide the option of enabling the management user account for FileVault 2
If you are not using Jamf’s Remote application for remote screen sharing, or enabling the Jamf Pro management account for FileVault 2, it is not necessary to install the Jamf Pro management account on Jamf Pro-managed Macs at all. For more details, see below the jump.
Recent Comments