Enabling least-privilege screensharing using Apple’s Remote Desktop Client and Screen Sharing.app

July 7, 2017 3 comments

In a number of Mac-using environments, there is often a need for IT staff to remotely connect to a Mac’s screen using Apple’s Remote Desktop application and work with the person on the other end to resolve a problem. However, there can be several technical and human-centric issues with enabling remote assistance:

  1. Authentication – To enable access using a username and password, that user account must be granted access rights by belonging to a group or by explicitly granting rights to a local account.
  2. Password rotation – If you’re enabling screensharing via granting access to a local account, the security requirements in most environments mandate that those passwords be changed on a regular basis. However, securely changing the account password on multiple remote Macs can be a management challenge on its own.
  3. Access privileges – A lot of folks don’t like the idea that someone they don’t know can take over access to their keyboards and screens without the remote customer saying it’s OK for them to do so. Frankly, I’ve been on both sides of this fence and I don’t like it either.

However, there is a way to enable screen sharing using Apple’s Remote Desktop Client and Apple’s Screen Sharing.app which does the following:

  • Removes the need for any account to be enabled for screen sharing access
  • Mandates that all screen sharing access be approved by the logged-in user
  • Does not allow screen sharing access if no user is logged in.

For more details, see below the jump.


Filesystem session at Penn State MacAdmins 2017

July 3, 2017 Leave a comment

I’ll be speaking at Penn State MacAdmins Conference 2017, which is taking place in State College, PA from July 11th – 14th, 2017. My session will be an overview of Apple’s past and present filesystems, with an introduction to Apple File System (APFS) and a discussion of its current state of development. For those interested, my talk will be on Wednesday, July 12th.

For a description of what I’ll be talking about, please see the Storing our digital lives: Mac filesystems from MFS to APFS session description. You can see the whole list of speakers here on the Speakers page.

Automating the enablement of object versioning on AWS S3 buckets

June 30, 2017 Leave a comment

As part of some work I’ve been doing with Amazon Web Services, I needed to enable object versioning on all S3 buckets in an account.


However, I had three issues that I needed to account for:

  1. There were a sufficient number of S3 buckets that enabling versioning via the S3 web console would be inconvenient.
  2. Some of the S3 buckets in the list already had object versioning enabled, while others in the list did not.
  3. I had forgotten which ones already had versioning enabled, so I’d have to check each one.

To address all three issues, I’ve written a script that uses the aws command line tool to detect which S3 buckets do not have object versioning enabled and enable it on the detected S3 buckets. For more details, see below the jump.
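The detect-then-enable pass described above, sketched as an added example; this is not the script from the post. It assumes the AWS CLI is installed and configured with permission to list buckets and to read and set bucket versioning, and the function names and `DRY_RUN` variable are hypothetical.

```shell
#!/bin/sh
# Added example, not the post's script. Assumes a configured AWS CLI.

# Print one bucket's versioning state: Enabled, Suspended or Unversioned.
# get-bucket-versioning returns no Status for a bucket that has never had
# versioning configured; with --output text the query then prints "None".
bucket_versioning_state() {
    state=$(aws s3api get-bucket-versioning --bucket "$1" \
        --query 'Status' --output text) || return 1
    case "$state" in
        Enabled|Suspended) printf '%s\n' "$state" ;;
        *) printf 'Unversioned\n' ;;
    esac
}

# Walk every bucket in the account and enable versioning only where it is
# not already enabled. DRY_RUN=1 reports what would change without changing it.
enable_versioning_where_missing() {
    buckets=$(aws s3api list-buckets --query 'Buckets[].Name' \
        --output text) || return 1
    rc=0
    for bucket in $buckets; do
        if ! state=$(bucket_versioning_state "$bucket"); then
            printf 'ERROR %s (could not read versioning state)\n' "$bucket"
            rc=1
            continue
        fi
        if [ "$state" = "Enabled" ]; then
            printf 'OK %s\n' "$bucket"
        elif [ "${DRY_RUN:-0}" = "1" ]; then
            printf 'WOULD-ENABLE %s (was %s)\n' "$bucket" "$state"
        elif aws s3api put-bucket-versioning --bucket "$bucket" \
                --versioning-configuration Status=Enabled; then
            printf 'ENABLED %s (was %s)\n' "$bucket" "$state"
        else
            printf 'ERROR %s (put-bucket-versioning failed)\n' "$bucket"
            rc=1
        fi
    done
    return $rc
}

# Run only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then enable_versioning_where_missing; fi
```

Running with `DRY_RUN=1` first gives the list of buckets that are unversioned or suspended before anything is changed.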


Activating EndNote X8 using management profiles

June 29, 2017 Leave a comment

I’ve moved on from a role where I needed to support Clarivate Analytics’s EndNote bibliography software, but I noticed that my colleague Rusty Myers is now deploying it in his environment.

As part of his work, Rusty discovered that it was possible to bypass the activation process by adding the AcceptedENX7.2EULA key to /Library/Preferences/com.ThomsonResearchSoft.EndNote.plist.

In Rusty’s case, the key is being added by running the following command with root privileges:

/usr/bin/defaults write "/Library/Preferences/com.ThomsonResearchSoft.EndNote.plist" "AcceptedENX7.2EULA" -string "1"

Reading through Rusty’s post, I wondered if you could apply this setting via a management profile instead of writing the necessary values to /Library/Preferences/com.ThomsonResearchSoft.EndNote.plist. With some testing, I verified that it’s possible to also bypass the activation process with a management profile.

For those who want to bypass EndNoteX8’s activation process using a management profile, I’ve created a .mobileconfig file and posted it here on Github:

https://github.com/rtrouton/profiles/tree/master/ActivateEndNote/EndNoteX8

I’ve also created one for EndNoteX7, since it appears that the setting has not changed since EndNoteX7’s release. However, I do not have access to that version of EndNote and can’t test it to make sure.

If you’re still deploying EndNote X7, please give it a try and let me know. The .mobileconfig file for EndNoteX7 has been posted here on Github:

https://github.com/rtrouton/profiles/tree/master/ActivateEndNote/EndNoteX7


VMware Fusion 8.5.8 adds Apple File System (APFS) support

June 27, 2017 3 comments

VMware recently released VMware Fusion 8.5.8, which according to the release notes includes the following:


Another improvement which is not mentioned in the release notes is that VMware Fusion now includes support for the following:

  • Using the macOS High Sierra beta installer as a valid installation source
  • Booting macOS VMs from Apple File System (APFS) formatted drives.

For more details, see below the jump.


Session videos now available from MacDevOpsYVR 2017

June 13, 2017 Leave a comment

The good folks who host the MacDevOpsYVR conference have begun posting the session videos from MacDevOpsYVR 2017. As the session videos are being posted to YouTube, I’ve linked my Storing our digital lives: from MFS to APFS session here:

The other videos from the conference are being posted here:

https://www.youtube.com/channel/UCIZgKKNrG-ty72Bez8b2qHg/videos

AutoPkg recipes for Apple Enterprise Connect

June 12, 2017 4 comments

To help keep on top of software updates, I’ve been using AutoPkg in combination with AutoPkgr and JSSImporter for a while now to upload new software updates to Jamf Pro. However, I recently ran into a challenge when I wanted to build an AutoPkg recipe for Apple’s Enterprise Connect.

AutoPkg recipes usually rely on the vendor having a publicly accessible way to get downloads via HTTP or HTTPS. Apple does not have a publicly accessible download URL for Enterprise Connect and in fact discourages customers from sharing the download link. The fact that there was a download link meant that I could write AutoPkg recipes, but at the same time I couldn’t include the URL needed to download the latest update as part of the recipe.

After some thinking and research into AutoPkg’s functionality, I found a way to create AutoPkg recipes for Enterprise Connect while at the same time not sharing Apple’s download URL. For more details, see below the jump.
