Archive for the ‘Scripting’ Category

Expanding partition size in an ESXi-hosted macOS VM

April 9, 2017

As part of working on a project recently, I ran into an unexpected problem with ESXi-hosted Mac VMs. For these VMs, I was creating VMDK files from AutoDMG-generated disk images, using vfuse to convert the disk image into a VM with ESXi-compatible VMDK disk image files.

My workflow looked like this:

1. Create disk image using AutoDMG.
2. Use vfuse to create VMDK files using a command similar to the one shown below:

sudo vfuse -i /path/to/autodmg_created_disk_image_here --esx

3. Upload the VMDK files to a convenient location on my ESXi server
4. Set up a new VM, using copies of uploaded VMDK files for the VM boot disk.
5. Resize the new VM to the desired size using VMware’s vmkfstools utility.
6. Start up the VM.

After logging in, I ran the following command to enable macOS to recognize and use the unallocated space from the VM resizing:

diskutil resizeVolume / R

Normally, this command is able to do a live re-sizing of the boot partition to use all available unallocated space. However, this time the re-sizing process failed and an error was displayed.

How to fix this? For more details, see below the jump.

Running multiple Jamf Pro policies via custom trigger

April 8, 2017 3 comments
Categories: Casper, Jamf Pro, Scripting

Running all Jamf Pro policies in a specified category via the API

April 6, 2017 2 comments

As part of a project I’m working on, I need to run several policies from a Jamf Pro server using a script that calls the Jamf Pro agent to run them. However, I also want to maintain maximum flexibility and retain the ability to add, remove or change policies as required without needing to change the script.

My colleague Marc provided a solution for this by letting me know that it was possible to use the Jamf Pro API to pull down a list of policies associated with a specific category and then run those policies in the order provided by the API. For more details, see below the jump.

Categories: Casper, Jamf Pro, Scripting

Creating macOS installer disk images for VMware Fusion and ESXi with create_macos_vm_install_dmg

March 30, 2017

I’ve had a tool available for a while named create_vmware_osx_install_dmg, but it looks like it has reached the end of the road with macOS 10.12.3. The reason is that macOS 10.12.4 introduced a change that prevents the addition of third-party packages to the OS installer. create_vmware_osx_install_dmg relies on adding a third-party installer package, so unfortunately this tool cannot be used to generate 10.12.4 or later OS installers.

That said, I still want to be able to create macOS installer disk images for VMware Fusion and ESXi, so I’ve forked create_vmware_osx_install_dmg into a new script named create_macos_vm_install_dmg. create_macos_vm_install_dmg will generate stock OS installer disk images for the following OS versions:

  • Mac OS X 10.7.x
  • OS X 10.8.x
  • OS X 10.9.x
  • OS X 10.10.x
  • OS X 10.11.x
  • OS X 10.12.x

This script does not use a third-party package, so it is able to build a macOS 10.12.4 installer disk image. For more details, see below the jump.

Creating multiline login banners

March 25, 2017 2 comments

In a number of Mac environments, there is a need or requirement for a login banner (otherwise known as a lock message). This message appears in the following locations:

  • FileVault 2 pre-boot login screen
  • OS login window
  • Screensaver lock window

Brevity is best, as staying within a maximum of three lines permits the banner text to be displayed consistently in all three locations. Exceeding the three-line limit may result in the text being cut off and not fully displayed.

You can set this banner text from the command line using the following defaults command, which should be run with root privileges:

/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "My Login Window Text Goes Here"

Being able to consistently set when lines begin and end can be challenging though, as the defaults command is not able to interpret a newline command natively. However, it is possible to set a multi-line login banner and be able to consistently set when lines begin and end. For more details, see below the jump.

Resizing a virtual machine’s boot drive to use all available space

March 3, 2017 2 comments

Every so often, it’s necessary to resize the boot drive of an existing virtual machine. The process of resizing the VM’s boot disk from outside the VM is usually pretty straightforward:

1. Shut down the VM.
2. Go into the VM’s drive settings.
3. Resize it to the desired size.
4. Power on the VM.

However, when the VM boots up, the disk space used by the OS won’t have changed, even though the OS can detect that there is available unallocated disk space that it isn’t using.

Fortunately, this is a correctable condition and the fix can be applied without needing to shut down the VM or boot from another drive. For more details, see below the jump.

Migrating AD mobile accounts to local user accounts

December 21, 2016 3 comments

One of the practices that has historically helped Macs fit better into enterprise environments has been to bind Macs to Active Directory (AD) domains and use AD mobile accounts, using either Apple’s own AD directory service plug-in or a third-party product like Centrify. However, this practice has meant that the password for the mobile account is being controlled by a service located outside of the AD-bound Mac. This has led to problems in the following areas:

With the recent availability of tools like Apple’s Enterprise Connect and NoMAD, it’s now possible to provide the advantages of being connected to Active Directory to your Mac without actually having to bind your Mac to an AD domain. This has led to more environments not binding their Macs to AD and using either Enterprise Connect or NoMAD with local accounts.

With local accounts, all password management is done on the individual Mac. This means that problems with keychain and FileVault password synchronization are vastly reduced because the password change mechanism for a local account includes updating both the keychain and FileVault 2 automatically with the new authentication credentials.

For those shops that have been binding their Macs and using mobile accounts, but want to switch to the new local accounts + Enterprise Connect / NoMAD model, there is an account-related challenge to overcome:

How to transition from an AD mobile account, where the password is managed by AD, to a local account, where the password is managed by the individual Mac, with the least amount of disruption for your users?

To assist with this process, I’ve developed a script that can take an existing AD mobile account and migrate it to being a local account with the same username, password, UID, and GID. For more details, see below the jump.
