Archive for the ‘Deployment’ category

You Oughta Check Out AutoPkg: Links

July 10, 2014

If you attended my presentation on AutoPkg today, thanks! Here are the links:

AutoPkg:

http://autopkg.github.io/autopkg

https://github.com/autopkg/autopkg

https://github.com/autopkg/autopkg/releases

AutoPkg recipe repos:

http://github.com/autopkg

JSSImporter:

https://github.com/arubdesu/jss-autopkg-addon

AbsoluteManage Processor:

https://github.com/tburgin/autopkg/blob/master/Code/autopkglib/AbsoluteManageExport.py

AutoPkg Change Notifications script:

http://seankaiser.com/blog/2013/12/16/autopkg-change-notifications/

MacSysAdmin 2013 session:

http://docs.macsysadmin.se/2013/video/Day2Session4.mp4

Steve Yuroff’s AutoPkg and Jenkins notes:

http://swytechnotes.wordpress.com/2013/10/21/autopkg-and-jenkins-under-one-admin-account/

AutoPkg Wiki:

https://github.com/autopkg/autopkg/wiki

Preventing users from disabling FileVault 2

May 21, 2014

I’ve seen a few online questions about how to prevent users from turning off FileVault 2.

The first line of defense, of course, is to not give admin rights to those users. As of Mavericks, however, there is an additional tool — you can use a configuration profile to prevent turning off FileVault (or at least disable the controls in the Security and Privacy preference pane — very clever users with admin rights might still be able to turn it off using Disk Utility or the command-line diskutil tool).

Here is a configuration profile that disables the “Turn off FileVault” button in the FileVault tab of the Security and Privacy preference pane.

Since admin users can also remove configuration profiles, you should probably also lock this profile, requiring a password to remove it. That’s an exercise left for the reader, but here’s a starting point…

Add something like this to the PayloadContent array:

<dict>
    <key>PayloadDescription</key>
    <string>Configures Configuration Profile security</string>
    <key>PayloadDisplayName</key>
    <string>Profile Security</string>
    <key>PayloadIdentifier</key>
    <string>0dc319a0-c331-0131-eeb5-000c294ab81b.alacarte.ProfileSecurity</string>
    <key>PayloadType</key>
    <string>com.apple.profileRemovalPassword</string>
    <key>PayloadUUID</key>
    <string>65a90a90-c331-0131-eeb9-000c294ab81b</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>RemovalPassword</key>
    <string>PrOf1leReM0v@lPa$$w0rdG0esHere</string>
</dict>
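As an added example (not code from the post), this Python script builds such a computer-level profile with plistlib, pairing the removal-password payload above with a payload that greys out the “Turn off FileVault” button, and audits an existing .mobileconfig for the gaps the post describes. It assumes the com.apple.MCX key dontAllowFDEDisable, which the post does not show, and a constructed identifier prefix.

```python
import plistlib
import uuid

ORG_PREFIX = "com.example.filevault"  # constructed; use your own reverse-DNS prefix

def payload(payload_type, suffix, **settings):
    """Common Payload* keys for one entry of the PayloadContent array."""
    base = {"PayloadType": payload_type, "PayloadIdentifier": ORG_PREFIX + "." + suffix,
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1}
    return {**base, **settings}

def build_profile(removal_password):
    """Computer-level profile: block 'Turn off FileVault' and lock the profile itself."""
    return payload("Configuration", "root",
        PayloadScope="System",
        PayloadDisplayName="Prevent disabling FileVault 2",
        PayloadContent=[
            # Assumed, not shown in the post: dontAllowFDEDisable (com.apple.MCX domain)
            # is the 10.9+ key that disables the button in the Security pane.
            payload("com.apple.MCX", "mcx", dontAllowFDEDisable=True),
            # The payload from the post: a password is required to remove the profile.
            payload("com.apple.profileRemovalPassword", "ProfileSecurity",
                    PayloadDisplayName="Profile Security", RemovalPassword=removal_password),
        ])

def to_bytes(profile):
    """Serialize a profile dict to .mobileconfig (XML plist) bytes."""
    return plistlib.dumps(profile)

def audit_profile(mobileconfig_bytes):
    """Return the gaps the post warns about in a .mobileconfig (empty list means OK)."""
    prof = plistlib.loads(mobileconfig_bytes)
    by_type = {p.get("PayloadType"): p for p in prof.get("PayloadContent", [])}
    gaps = []
    if not by_type.get("com.apple.MCX", {}).get("dontAllowFDEDisable"):
        gaps.append("FileVault can still be turned off from the Security pane")
    if not by_type.get("com.apple.profileRemovalPassword", {}).get("RemovalPassword"):
        gaps.append("no removal password: admin users can remove the profile")
    if prof.get("PayloadScope") != "System":
        gaps.append("not a computer-level (System) profile")
    return gaps

def write_profile(path, removal_password):
    """Write the profile to disk, ready for: sudo profiles -I -F <path>"""
    with open(path, "wb") as fh:
        fh.write(to_bytes(build_profile(removal_password)))
```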

OS X Beta Seed Program

April 22, 2014


I’ve always advocated that Mac admins join the Mac Developer Program in order to get early access to OS X builds for testing and deployment planning.

I still think that’s a good idea. But if for whatever reason you can’t, Apple has a new program of interest:

OS X Beta Seed Program

I think it’s unlikely this will get you access to early builds of 10.10 (or whatever it’s numbered), but you can test 10.9.3…

AutoDMG

October 22, 2013

If you’ve been using InstaDMG to create compiled modular deployment images, you may find it takes some effort to get it working with Mavericks.

Might I suggest a look at AutoDMG?

It works great for building Mountain Lion and Mavericks modular images; it comes with a GUI (!) but is usable from the command line as well if you want to automate it!

Congratulations to MagerValp (Per Olofsson) on an excellent tool. It’s still in early development, but is shaping up very quickly.

Mavericks day

October 22, 2013

Apple released OS X Mavericks today. What does that mean for some of your favorite open source tools?

The Munki preview release here is Mavericks-ready.

createOSXInstallPkg here supports packaging a Mavericks install.

And Reposado can replicate Apple Software Updates for Tiger through Mavericks.

10.8.3 supported platforms

March 15, 2013

A follow-up to yesterday’s post on 10.8.3.

I had hoped that the “SupportedModelProperties” list in the InstallESD.dmg’s /System/Library/CoreServices/PlatformSupport.plist would serve as a more-or-less human-parseable list of supported models.

But it appears that there are some supported models that do not appear in the “SupportedModelProperties” list, but whose board-ids do appear in the “SupportedBoardIds” list in that same file.

In any case, the _real_ thing that causes the installer to decide whether or not to proceed is this function in the OSInstall.mpkg’s Distribution file:

function isSupportedPlatform(){

	if( isVirtualMachine() ){
		return true;
	}
	
	var platformSupportValues=["Mac-F42D88C8","Mac-F2218EA9","Mac-F42D86A9","Mac-F22C8AC8","Mac-F22586C8","Mac-AFD8A9D944EA4843","Mac-F227BEC8","Mac-F226BEC8","Mac-7DF2A3B5E5D671ED","Mac-942B59F58194171B","Mac-2E6FAB96566FE58C","Mac-F42D89C8","Mac-00BE6ED71E35EB86","Mac-4B7AC7E43945597E","Mac-F22C89C8","Mac-942459F5819B171B","Mac-F42388C8","Mac-F223BEC8","Mac-F4238CC8","Mac-F222BEC8","Mac-4BC72D62AD45599E","Mac-F2268DC8","Mac-F2208EC8","Mac-66F35F19FE2A0D05","Mac-F4238BC8","Mac-F221BEC8","Mac-C08A6BB70A942AC2","Mac-8ED6AF5B48C039E1","Mac-F2238AC8","Mac-FC02E91DDD3FA6A4","Mac-6F01561E16C75D06","Mac-742912EFDBEE19B3","Mac-F22589C8","Mac-F22587A1","Mac-F22788AA","Mac-F42C86C8","Mac-942C5DF58193131B","Mac-F2238BAE","Mac-F22C86C8","Mac-F2268CC8","Mac-F2218FC8","Mac-7BA5B2794B2CDB12","Mac-F65AE981FFA204ED","Mac-031AEE4D24BFF0B1","Mac-F22587C8","Mac-F42D89A9","Mac-F2268AC8","Mac-F42C89C8","Mac-942452F5819B1C1B","Mac-F2218FA9","Mac-F221DCC8","Mac-94245B3640C91C81","Mac-F42D86C8","Mac-F2268EC8","Mac-F2268DAE","Mac-F42C88C8","Mac-94245A3940C91C80","Mac-F42386C8","Mac-C3EC7CD22292981F","Mac-942B5BF58194151B","Mac-F2218EC8"];
	var boardID = system.ioregistry.fromPath('IOService:/')['board-id'];
	
	if( !boardID || platformSupportValues.length == 0 ) {
		return false;
	}
	// The decision is made on board-id alone; the model identifier is never consulted.
	for( var i = 0; i < platformSupportValues.length; i++ ){
		if( boardID == platformSupportValues[i] ){
			return true;
		}
	}

	return false;
}

Unfortunately, I have not found a reliable resource for mapping board-ids to models.

10.8.3

March 14, 2013


Today Apple finally released OS X 10.8.3.

This release has been awaited by many Mac admins as the hope was that this version would support all Macs capable of running Mountain Lion. Prior to this release, the Late 2012 Macs (iMacs, 13″ Retina MacBookPros and Mac minis) required a different build of 10.8.2 than did other Macs.

This required having multiple restore images or OS installer pkgs and possibly multiple NetBoot disks to support all the Macs in your organization.

The hope (and assumption) was that 10.8.3 would unify the Mountain Lion builds, and that all recent machines would be able to use the new version.

How, though, to be sure? One way is to look at what Apple says. Mount the InstallESD.dmg disk image inside the 10.8.3 Install OS X Mountain Lion.app and take a look at /System/Library/CoreServices/PlatformSupport.plist.

One of the keys in this plist looks like this:

	<key>SupportedModelProperties</key>
	<array>
		<string>MacBookPro4,1</string>
		<string>Macmini5,3</string>
		<string>Macmini5,2</string>
		<string>Macmini5,1</string>
		<string>MacBookPro5,1</string>
		<string>MacPro4,1</string>
		<string>MacBookPro5,2</string>
		<string>MacBookPro5,5</string>
		<string>MacBookPro5,4</string>
		<string>Macmini4,1</string>
		<string>iMac11,1</string>
		<string>iMac11,2</string>
		<string>iMac11,3</string>
		<string>MacBook7,1</string>
		<string>MacBookPro3,1</string>
		<string>MacPro5,1</string>
		<string>iMac9,1</string>
		<string>Macmini3,1</string>
		<string>MacBookPro6,1</string>
		<string>iMac12,2</string>
		<string>iMac12,1</string>
		<string>MacBook5,1</string>
		<string>MacBook5,2</string>
		<string>iMac10,1</string>
		<string>MacBookPro7,1</string>
		<string>MacBookAir4,1</string>
		<string>MacBookPro5,3</string>
		<string>MacBookPro6,2</string>
		<string>iMac8,1</string>
		<string>MacBookAir3,1</string>
		<string>MacBookAir3,2</string>
		<string>Xserve3,1</string>
		<string>MacBookAir2,1</string>
		<string>MacBookPro8,1</string>
		<string>MacBookPro8,2</string>
		<string>MacBookPro8,3</string>
		<string>iMac7,1</string>
		<string>MacBook6,1</string>
		<string>MacPro3,1</string>
		<string>MacBookAir4,2</string>
	</array>

If your Macs are in this list, they should be supported by 10.8.3.

UPDATE: There are some Macs NOT in this list that are also supported by 10.8.3 — those are the “Late 2012” Macs. See the follow-up post.
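The following Python script is an added example serving both this post and the follow-up above; it is not code from either post. It classifies a Mac against the two lists in PlatformSupport.plist (so the “listed by board-id only” case the follow-up describes is reported explicitly), pulls platformSupportValues out of a Distribution file, and reads the local model and board-id. The sample plist is constructed; the sysctl/ioreg output format for local_identifiers() is an assumption.

```python
import plistlib
import re
import subprocess

PLATFORM_SUPPORT = "/System/Library/CoreServices/PlatformSupport.plist"  # in InstallESD.dmg

# Constructed excerpt of a PlatformSupport.plist: iMac12,2 appears in both lists, while the
# Late 2012 Mac mini (Macmini6,1, board-id Mac-031AEE4D24BFF0B1) is listed by board-id only.
SAMPLE_PLIST = plistlib.dumps({
    "SupportedModelProperties": ["iMac12,2", "MacBookPro8,1"],
    "SupportedBoardIds": ["Mac-942B59F58194171B", "Mac-94245B3640C91C81", "Mac-031AEE4D24BFF0B1"],
})

def support_status(plist_bytes, model, board_id):
    """Classify a Mac against PlatformSupport.plist: 'model+board', 'board-only',
    'model-only' or 'unsupported'. 'board-only' is the follow-up post's case; because
    the installer's isSupportedPlatform() compares board-ids only, it still installs."""
    plist = plistlib.loads(plist_bytes)
    in_model = model in plist.get("SupportedModelProperties", [])
    in_board = board_id in plist.get("SupportedBoardIds", [])
    if in_model and in_board:
        return "model+board"
    return "board-only" if in_board else "model-only" if in_model else "unsupported"

def distribution_board_ids(distribution_text):
    """Pull platformSupportValues out of an OSInstall.mpkg Distribution file: the list
    the installer really checks (the isSupportedPlatform() function quoted above)."""
    match = re.search(r"platformSupportValues\s*=\s*\[(.*?)\]", distribution_text, re.S)
    return re.findall(r'"([^"]+)"', match.group(1)) if match else []

def local_identifiers():
    """Model identifier and board-id of this Mac (assumes macOS sysctl/ioreg output)."""
    model = subprocess.check_output(["sysctl", "-n", "hw.model"], text=True).strip()
    ioreg = subprocess.check_output(["ioreg", "-c", "IOPlatformExpertDevice", "-d", "2"], text=True)
    board_id = ""
    for line in ioreg.splitlines():
        if '"board-id"' in line:  # printed as:  "board-id" = <"Mac-F2218EC8">
            board_id = line.split('<"')[1].split('">')[0]
    return model, board_id

if __name__ == "__main__":
    # Run on the Mac being checked, after mounting InstallESD.dmg and adjusting the path.
    with open(PLATFORM_SUPPORT, "rb") as fh:
        model, board_id = local_identifiers()
        print(model, board_id, support_status(fh.read(), model, board_id))
```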

XProtect Updater Redux

February 8, 2013

In the past 24 hours, Apple has released an update to the XProtect malware definitions. If your Macs have received the latest XProtect definitions, Adobe Flash Player will be blocked unless it is the version current as of yesterday (11.5.502.149).

If you have already updated your clients to that version of the Flash Player, good for you!

If you don’t want to be surprised by this sort of thing and have to scramble to address it, might I point you here?

Disabling iCloud as default save location

February 5, 2013

Krypted.com has a new post on disabling iCloud as the default save location for new documents.

This feature affects apps that can save to iCloud, and only if the user has an iCloud account configured for the current login.

Still, you might want to turn this off by default for all users in your organization so they don’t accidentally store company documents on Apple’s servers. The Krypted.com post shows a command-line way to change this setting for a single user. How might you do this for all users?

One way would be to install a computer-level profile that installs the right settings. Here’s one.

If installed as root using the /usr/bin/profiles tool:

sudo profiles -I -F DontSaveNewDocumentsToiCloud.mobileconfig

This setting is applied once to each user when they log in.

DontSaveNewDocumentsToiCloud.mobileconfig was created using Tim Sutton’s mcxToProfile tool.

Still more on the XProtect Updater

February 4, 2013

Mike Boylan writes in a reply to my previous post:

…I have to respectfully disagree that disabling the auto-update mechanism for Xprotect should be done in organizations with managed machines. Do you disable the automatic update mechanism for your anti-virus software? Do you manually test every definition update and push each one out through Munki? I’d assume not. Xprotect (clearly) isn’t serving the same type of updates as Apple software update. It’s a malware prevention/blocking (and in some cases, removal) system. I won’t argue that Xprotect’s disabling of Java plugins will almost certainly have a larger impact across organizations than say something like a Sophos definition update, but nonetheless, the intent is still to protect systems. Xprotect and anti-virus software together are meant to serve complementary roles. These Java plugins are being disabled because serious known exploits are being used in the wild. For a company that cannot function without version xyz of the Java plugin, does it make sense to make changes so that it can continue to operate effectively? Sure. But I doubt most organizations rely that heavily on a single plugin. Also, how many different types of updaters should we as admins be responsible for managing? There are already too many. For most admins, I don’t think it’d be a responsible decision to add Xprotect to the list.

Mike:

If Xprotect’s disabling of web plugins has not caused your organization any issues, or you are willing to react to any issues such disabling might cause in the future, it may well make sense to leave things as they are for your organization.

In my organization, the Java 6 web plugin is required to perform vital, daily business functions. When it doesn’t work, business functions are seriously impacted.

My argument might be subtle.

Apple is acting as systems administrator for machines by updating the XProtect plists. As long as you are content to let Apple make those changes, and won’t complain if Apple makes a change that breaks things for you, by all means, leave the XProtect updater mechanism alone.

If, on the other hand, _you_ are taking responsibility for managing your machines, making sure they are functional for your organization, and keeping them safe from malware, you’ll want to disable _Apple’s_ update of the XProtect malware definitions, and take over updating them yourself.

If you do not want to be surprised that one morning Java or Flash or some other plugin has been disabled on all the Macs you manage, you cannot let Apple update these definitions without your review. You must take responsibility for reviewing and implementing Apple’s changes, or a modification thereof.

Is this more work? Yes. Does it add risk to your organization? Probably. All security is a trade-off between functionality and protection. Malware protection that prevents my users from doing their work is not an acceptable trade-off. Apple has made one decision about the trade-offs, one that protects a great number of Mac users while negatively affecting a very small number of them. That is not the correct decision for my organization.

The only way I can ensure the correct decisions are made for my organization is to not leave the decision making process solely to Apple, but to instead review Apple’s changes and alter them if needed for the benefit of my organization.

Each organization needs to weigh this decision for themselves.
