Archive for the ‘OS X’ category

“unsetpassword” alternatives

December 20, 2014

Recently, prolific Mac admin documentation writer Rich Trouton blogged about a new tool available in Yosemite: unsetpassword. It’s a tool with a rather specific purpose: to clear the password for a local admin user account and set it to require a new password.

Rich’s post is here.

Rich’s suggested use-case for this tool is this: you create a local account for a user on a new machine. Instead of handing the machine over with a password you now know (and the user may not change) or with an empty password (that the user may not replace with a better one), you run unsetpassword before returning the machine to the user. The user now logs in with a blank password and is immediately prompted to change it.

You actually have to run sudo unsetpassword while logged into the account. This limits its functionality to admin accounts — you can’t use this tool to unset the account password if you’ve set up a standard account for a user. It’s pretty common to provide standard accounts — that is, accounts without admin rights — to users in many organizations, so this is a significant limitation.

The tool also leaves the login.keychain and Local Items keychains in place, but does not reset their passwords, leading to an almost certainly confusing prompt when the user logs in after the password is unset.

unsetpassword also forces a shutdown after running. This doesn’t seem strictly needed. Certainly a logout is needed, but it seems annoying to have to go through a restart cycle.

Finally, this tool is available only on Yosemite. If you are still supporting and even deploying machines running older versions of OS X, you can’t use it. But there is good news. You can accomplish the same basic task (“unsetting” a local user account password) with other tools that exist in Yosemite and older versions of OS X.

Here are the commands:

sudo dscl . passwd /Users/username ""
sudo pwpolicy -u username -setpolicy "newPasswordRequired=1"

Where “username” is the short username of the user for whom you wish to “unset” their password.

The dscl command sets the user’s password to an empty string.
The pwpolicy command marks the account as requiring a new password.

If the user account is an admin account capable of running commands with sudo, you can run these commands while logged in as that account. You should then immediately log out. (Shutting down as the unsetpassword command does isn’t required.)

If you have a different admin account available (either locally or via directory services), or you can SSH in as root, you can run these commands for a non-admin user account.

We can also eliminate the keychain prompts. Since the intention here is a new account setup, there shouldn’t be anything of value stored in the login keychain, so we could just delete the login.keychain and Local Items keychains. When the user logs back in, these keychains will be recreated without prompting the user.

sudo rm -r ~username/Library/Keychains/*

As always, you should test these commands on some test accounts to get a feel for how they work. While the unsetpassword command is much easier to remember, the techniques presented here are more flexible and usable in more contexts.
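The sequence above wrapped in a small Python helper, added here as an example and not code from the original post: it validates the short name, resolves the home directory from the user database rather than relying on ~username expansion, and only then empties the Keychains folder. The name pattern, the refusal of root, and the two-level home-directory check are assumptions of this example.

```python
import os
import pwd
import re
import shutil
import subprocess
import sys

SHORTNAME = re.compile(r"[a-z_][a-z0-9._-]{0,30}")  # assumed naming rule

def plan_unset(username, home_of=lambda u: pwd.getpwnam(u).pw_dir):
    """Validate the account; return (commands, keychain_dir)."""
    if not SHORTNAME.fullmatch(username) or username == "root":
        raise ValueError("refusing account name %r" % username)
    home = os.path.normpath(home_of(username))
    parts = [p for p in home.split("/") if p]
    # Assumption: real homes are at least two levels deep (/Users/name).
    if not os.path.isabs(home) or len(parts) < 2 or home == "/var/root":
        raise ValueError("unexpected home directory %r" % home)
    commands = [
        # The page's two commands as argv lists, so nothing is shell-parsed.
        ["dscl", ".", "passwd", "/Users/" + username, ""],
        ["pwpolicy", "-u", username, "-setpolicy", "newPasswordRequired=1"],
    ]
    return commands, os.path.join(home, "Library", "Keychains")

def apply_unset(username, run=subprocess.check_call, **kw):
    """Run the plan (needs root), then empty the Keychains folder."""
    commands, keychains = plan_unset(username, **kw)
    for argv in commands:
        run(argv)
    if os.path.isdir(keychains) and not os.path.islink(keychains):
        for entry in os.scandir(keychains):
            if entry.is_dir(follow_symlinks=False):
                shutil.rmtree(entry.path)
            else:
                os.unlink(entry.path)
    return keychains

if __name__ == "__main__":
    apply_unset(sys.argv[1])
```

Run it with sudo and the short username as the only argument, then log the account out.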

Configuration Profiles and Identity payloads

November 6, 2014

In today’s MacTech deployment lab, the subject of using Identity payloads in configuration profiles came up.

Here: https://raw.githubusercontent.com/gregneagle/profiles/master/Identity_payload_demo.mobileconfig is a sample/demo configuration profile that contains both an Identity payload and an Email configuration payload.

When installed (by double-clicking the profile), after the normal warnings, the user is presented with a form for entering identification information:


After entering the requested information and clicking Continue, Mail.app gets a new Gmail account added with the information you entered.

MacTech Conference 2014: What’s New with Munki?

November 6, 2014

Here are links from my MacTech Conference 2014 presentation: “What’s New with Munki?”.

Munki itself:

GUI tools:

Web interfaces/Web reporting consoles:

Alternate Munki servers:

Update management:

Miscellaneous tools and add-ons:

Managed Software Center help page link:

Munki 2 documentation:

Munki discussion group:

Munki demonstration setup:

Removing Munki:

You Oughta Check Out AutoPkg: Links

July 10, 2014

If you attended my presentation on AutoPkg today, thanks! Here are the links:

AutoPkg:

http://autopkg.github.io/autopkg

https://github.com/autopkg/autopkg

https://github.com/autopkg/autopkg/releases

AutoPkg recipe repos:

http://github.com/autopkg

JSSImporter:

https://github.com/arubdesu/jss-autopkg-addon

AbsoluteManage Processor:

https://github.com/tburgin/autopkg/blob/master/Code/autopkglib/AbsoluteManageExport.py

AutoPkg Change Notifications script:

http://seankaiser.com/blog/2013/12/16/autopkg-change-notifications/

MacSysAdmin 2013 session:

http://docs.macsysadmin.se/2013/video/Day2Session4.mp4

Steve Yuroff’s AutoPkg and Jenkins notes:

http://swytechnotes.wordpress.com/2013/10/21/autopkg-and-jenkins-under-one-admin-account/

AutoPkg Wiki:

https://github.com/autopkg/autopkg/wiki

Post-PSU Mac Admins Pre-Conference Workshop

July 8, 2014

If you attended the workshop today Matt and I led on “Python for Systems Administrators”, thank you! Here are links to some of the additional information and documentation mentioned today:

Course materials:

http://gregneagle.github.io/psumac2014_python/

Cocoa documentation links

Foundation:

https://developer.apple.com/library/mac/documentation/cocoa/reference/foundation/Miscellaneous/Foundation_Functions/Reference/reference.html

CFPreferences:

https://developer.apple.com/library/mac/documentation/CoreFoundation/Reference/CFPreferencesUtils/Reference/reference.html

Plists and Foundation:

https://developer.apple.com/library/mac/documentation/Cocoa/Conceptual/PropertyLists/Introduction/Introduction.html

More documentation:

http://www.python.org/

http://www.diveintopython.net

https://www.coursera.org/course/interactivepython

PSU Mac Admins Pre-Conference Workshop

July 6, 2014

My colleague, Matt Schnittker, and I will be leading a half-day pre-conference workshop on “Python for Systems Administrators” on Tuesday, July 8th at PSU Mac Admins Conference 2014. If you are participating in the workshop, please visit here first to get your class materials:

http://gregneagle.github.io/psumac2014_python/

Hope to see you there!

Preventing users from disabling FileVault 2

May 21, 2014

I’ve seen a few online questions about how to prevent users from turning off FileVault 2.

The first line of defense, of course, is to not give admin rights to those users. As of Mavericks, however, there is an additional tool — you can use a configuration profile to prevent turning off FileVault (or at least disable the controls in the Security and Privacy preference pane — very clever users with admin rights might still be able to turn it off using Disk Utility or the command-line diskutil tool).

Here is a configuration profile that disables the “Turn off FileVault” button in the FileVault tab of the Security and Privacy preference pane.

Since admin users can also remove configuration profiles, you should probably also lock this profile, requiring a password to remove it. That’s an exercise left for the reader, but here’s a starting point…

Add something like this to the PayloadContent array:

<dict>
    <key>PayloadDescription</key>
    <string>Configures Configuration Profile security</string>
    <key>PayloadDisplayName</key>
    <string>Profile Security</string>
    <key>PayloadIdentifier</key>
    <string>0dc319a0-c331-0131-eeb5-000c294ab81b.alacarte.ProfileSecurity</string>
    <key>PayloadType</key>
    <string>com.apple.profileRemovalPassword</string>
    <key>PayloadUUID</key>
    <string>65a90a90-c331-0131-eeb9-000c294ab81b</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>RemovalPassword</key>
    <string>PrOf1leReM0v@lPa$$w0rdG0esHere</string>
</dict>
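One way to do that merge programmatically, as an added example that is not part of the original post: it appends the payload shown above to an existing profile with a freshly generated PayloadUUID and replaces any earlier removal-password payload. The sample profile, its com.example.filevault identifier, and the rule for deriving the payload identifier are assumptions of this example.

```python
import plistlib
import uuid

REMOVAL_TYPE = "com.apple.profileRemovalPassword"

def add_removal_password(profile_bytes, password):
    """Return the profile with exactly one removal-password payload."""
    if not password:
        raise ValueError("an empty removal password protects nothing")
    profile = plistlib.loads(profile_bytes)
    content = profile.setdefault("PayloadContent", [])
    # Replace any earlier payload of this type so re-runs stay idempotent.
    content[:] = [p for p in content if p.get("PayloadType") != REMOVAL_TYPE]
    content.append({
        "PayloadDescription": "Configures Configuration Profile security",
        "PayloadDisplayName": "Profile Security",
        # Assumption: derive the identifier from the enclosing profile's own.
        "PayloadIdentifier": profile["PayloadIdentifier"] + ".ProfileSecurity",
        "PayloadType": REMOVAL_TYPE,
        "PayloadUUID": str(uuid.uuid4()),  # fresh UUID, never a copied one
        "PayloadVersion": 1,
        "RemovalPassword": password,  # stored in clear text in the file
    })
    return plistlib.dumps(profile)

# Constructed sample profile with an empty payload list.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadContent": [],
    "PayloadDisplayName": "FileVault lock (sample)",
    "PayloadIdentifier": "com.example.filevault",
    "PayloadType": "Configuration",
    "PayloadUUID": str(uuid.uuid4()),
    "PayloadVersion": 1,
})

if __name__ == "__main__":
    print(add_removal_password(SAMPLE_PROFILE, "example-only").decode())
```

Because RemovalPassword is a plain string in the resulting .mobileconfig, the file itself needs the same handling as any other stored credential.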
