Archive for the ‘OS X’ category

Undocumented options

April 30, 2013

Rich Trouton posted today about undocumented options for the asr command-line utility.

On Twitter, Marnin asked:

Lots of OS X utilities have undocumented options. Take for example /usr/sbin/softwareupdate — the command-line Apple Software Update utility.

It’s had several undocumented options for years.

10.8.3 supported platforms

March 15, 2013

A follow-up to yesterday’s post on 10.8.3.

I had hoped that the “SupportedModelProperties” list in the InstallESD.dmg’s /System/Library/CoreServices/PlatformSupport.plist would serve as a more-or-less human parseable list of supported models.

But it appears that there are some supported models that do not appear in the “SupportedModelProperties” list, but whose board-ids do appear in the “SupportedBoardIds” list in that same file.

In any case, the _real_ thing that causes the installer to decide whether or not to proceed is this function in the OSInstall.mpkg’s Distribution file:

function isSupportedPlatform(){

	if( isVirtualMachine() ){
		return true;
	}
	
	var platformSupportValues=["Mac-F42D88C8","Mac-F2218EA9","Mac-F42D86A9","Mac-F22C8AC8","Mac-F22586C8","Mac-AFD8A9D944EA4843","Mac-F227BEC8","Mac-F226BEC8","Mac-7DF2A3B5E5D671ED","Mac-942B59F58194171B","Mac-2E6FAB96566FE58C","Mac-F42D89C8","Mac-00BE6ED71E35EB86","Mac-4B7AC7E43945597E","Mac-F22C89C8","Mac-942459F5819B171B","Mac-F42388C8","Mac-F223BEC8","Mac-F4238CC8","Mac-F222BEC8","Mac-4BC72D62AD45599E","Mac-F2268DC8","Mac-F2208EC8","Mac-66F35F19FE2A0D05","Mac-F4238BC8","Mac-F221BEC8","Mac-C08A6BB70A942AC2","Mac-8ED6AF5B48C039E1","Mac-F2238AC8","Mac-FC02E91DDD3FA6A4","Mac-6F01561E16C75D06","Mac-742912EFDBEE19B3","Mac-F22589C8","Mac-F22587A1","Mac-F22788AA","Mac-F42C86C8","Mac-942C5DF58193131B","Mac-F2238BAE","Mac-F22C86C8","Mac-F2268CC8","Mac-F2218FC8","Mac-7BA5B2794B2CDB12","Mac-F65AE981FFA204ED","Mac-031AEE4D24BFF0B1","Mac-F22587C8","Mac-F42D89A9","Mac-F2268AC8","Mac-F42C89C8","Mac-942452F5819B1C1B","Mac-F2218FA9","Mac-F221DCC8","Mac-94245B3640C91C81","Mac-F42D86C8","Mac-F2268EC8","Mac-F2268DAE","Mac-F42C88C8","Mac-94245A3940C91C80","Mac-F42386C8","Mac-C3EC7CD22292981F","Mac-942B5BF58194151B","Mac-F2218EC8"];
	var boardID = system.ioregistry.fromPath('IOService:/')['board-id'];
	
	if( !boardID || platformSupportValues.length == 0 ) {
		return false
	}
	for( var i = 0; i < platformSupportValues.length; i++ ){
	 	if( boardID == platformSupportValues[i] ){
				return true;
	  	}	
	}

	return false;
}

Unfortunately, I have not found a reliable resource for mapping board-ids to models.

10.8.3

March 14, 2013


Today Apple finally released OS X 10.8.3.

This release has been awaited by many Mac admins, as the hope was that this version would support all Macs capable of running Mountain Lion. Prior to this release, the Late 2012 Macs (iMacs, 13″ Retina MacBook Pros and Mac minis) required a different build of 10.8.2 than did other Macs.

This required having multiple restore images or OS installer pkgs and possibly multiple NetBoot disks to support all the Macs in your organization.

The hope (and assumption) was that 10.8.3 would unify the Mountain Lion builds, and that all recent machines would be able to use the new version.

How, though, to be sure? One way is to look at what Apple says. Mount the InstallESD.dmg disk image inside the 10.8.3 Install OS X Mountain Lion.app and take a look at /System/Library/CoreServices/PlatformSupport.plist.

One of the keys in this plist looks like this:

	<key>SupportedModelProperties</key>
	<array>
		<string>MacBookPro4,1</string>
		<string>Macmini5,3</string>
		<string>Macmini5,2</string>
		<string>Macmini5,1</string>
		<string>MacBookPro5,1</string>
		<string>MacPro4,1</string>
		<string>MacBookPro5,2</string>
		<string>MacBookPro5,5</string>
		<string>MacBookPro5,4</string>
		<string>Macmini4,1</string>
		<string>iMac11,1</string>
		<string>iMac11,2</string>
		<string>iMac11,3</string>
		<string>MacBook7,1</string>
		<string>MacBookPro3,1</string>
		<string>MacPro5,1</string>
		<string>iMac9,1</string>
		<string>Macmini3,1</string>
		<string>MacBookPro6,1</string>
		<string>iMac12,2</string>
		<string>iMac12,1</string>
		<string>MacBook5,1</string>
		<string>MacBook5,2</string>
		<string>iMac10,1</string>
		<string>MacBookPro7,1</string>
		<string>MacBookAir4,1</string>
		<string>MacBookPro5,3</string>
		<string>MacBookPro6,2</string>
		<string>iMac8,1</string>
		<string>MacBookAir3,1</string>
		<string>MacBookAir3,2</string>
		<string>Xserve3,1</string>
		<string>MacBookAir2,1</string>
		<string>MacBookPro8,1</string>
		<string>MacBookPro8,2</string>
		<string>MacBookPro8,3</string>
		<string>iMac7,1</string>
		<string>MacBook6,1</string>
		<string>MacPro3,1</string>
		<string>MacBookAir4,2</string>
	</array>

If your Macs are in this list, they should be supported by 10.8.3.

UPDATE: There are some Macs NOT in this list that are also supported by 10.8.3 — those are the “Late 2012” Macs. See the follow-up post.
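As an added example (not code from the original posts or from Apple), this Python check reads a PlatformSupport.plist and tests machines against both SupportedModelProperties and SupportedBoardIds, letting the board-id decide as isSupportedPlatform() does in the follow-up post. It assumes the plist's SupportedBoardIds matches the array in the Distribution file and skips the virtual machine shortcut; the embedded plist, host names and model/board-id pairings are constructed.

```python
import plistlib

# Constructed, abbreviated PlatformSupport.plist; the real file has many more entries.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>SupportedBoardIds</key>
  <array><string>Mac-F42D88C8</string><string>Mac-00BE6ED71E35EB86</string></array>
  <key>SupportedModelProperties</key>
  <array><string>MacBookPro4,1</string><string>Macmini5,1</string></array>
</dict></plist>"""

def load_platform_support(data):
    """Return (models, board_ids) as sets from PlatformSupport.plist bytes."""
    plist = plistlib.loads(data)
    return (set(plist.get("SupportedModelProperties", [])),
            set(plist.get("SupportedBoardIds", [])))

def check_machine(data, model, board_id):
    """Return (supported, reason); the board-id decides, as in isSupportedPlatform()."""
    models, board_ids = load_platform_support(data)
    if not board_id or not board_ids:
        return False, "no board-id or empty SupportedBoardIds"
    if board_id in board_ids:
        if model in models:
            return True, "board-id and model both listed"
        return True, "board-id listed; model missing from SupportedModelProperties"
    if model in models:
        return False, "model listed but board-id is not"
    return False, "neither board-id nor model listed"

# Constructed inventory; the model/board-id pairings are illustrative only.
FLEET = [
    ("lab-01", "MacBookPro4,1", "Mac-F42D88C8"),
    ("lab-02", "iMac13,1", "Mac-00BE6ED71E35EB86"),
    ("lab-03", "Macmini5,1", "Mac-0000000000000000"),
]

def fleet_report(data, fleet):
    """Map each host to its (supported, reason) result."""
    return {host: check_machine(data, model, bid) for host, model, bid in fleet}

if __name__ == "__main__":
    for host, (ok, why) in fleet_report(SAMPLE_PLIST, FLEET).items():
        print(f"{host}: {'supported' if ok else 'NOT supported'} ({why})")
```

On a real Mac, the board-id to feed in is the value the Distribution script reads from the IOService root of the I/O Registry.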

XProtect Updater Redux

February 8, 2013

In the past 24 hours, Apple has released an update to the XProtect malware definitions. If your Macs have received the latest XProtect definitions, Adobe Flash Player will be blocked unless it is the version current as of yesterday (11.5.502.149).

If you have already updated your clients to that version of the Flash Player, good for you!

If you don’t want to be surprised by this sort of thing and have to scramble to address it, might I point you here?

Disabling iCloud as default save location

February 5, 2013

Krypted.com has a new post on disabling iCloud as the default save location for new documents.

This feature affects apps that can save to iCloud, and only if the user has an iCloud account configured for the current login.

Still, you might want to turn this off by default for all users in your organization so they don’t accidentally store company documents on Apple’s servers. The Krypted.com post shows a command-line way to change this setting for a single user. How might you do this for all users?

One way would be to install a computer-level profile that installs the right settings. Here’s one.

If installed as root using the /usr/bin/profiles tool:

sudo profiles -I -F DontSaveNewDocumentsToiCloud.mobileconfig

This setting will be applied Once to all users as they log in.

DontSaveNewDocumentsToiCloud.mobileconfig was created using Tim Sutton’s mcxToProfile tool.

More thoughts on XProtect Updater

February 1, 2013

I’ve been thinking more about Apple’s XProtect Updater mechanism in light of the recent updates that have disabled Java web plugins. See yesterday’s post, for example.

In many enterprise environments, admins choose to run their own Software Update server to provide Apple updates. This is done for several reasons. One is to save bandwidth — it’s more efficient for a single machine to download available Apple updates over your Internet connection, then have all the other machines get those updates over the local LAN.

But another reason is to be able to control which updates are offered to your managed computers. Apple may offer an update that causes issues in your organization. For example, we did not deploy the “Java for OS X 2012-006” update in our environment because it disabled the Java 6 Web Plugin, which we needed.

Yesterday’s XProtect update essentially did the same thing, this time over a wider range of machines. I quickly put together a workaround, but one of the things the workaround does is to turn off the automatic updates of the XProtect data.

After thinking more about the ramifications of this, I think that this is exactly what most enterprise sites should do. They should treat this update mechanism like all other update mechanisms. I think you should turn this off on most or all of your managed machines.

“But wait,” you are thinking. “Isn’t this risky? Apple is trying to protect users from malware.” If you only turn off the update mechanism on all your machines and do nothing else, you are adding risk. But what you should do is something similar to what an admin who vets Apple Software Updates (or third-party application updates) does before releasing them.

You should enable the update mechanism on an admin machine. When there are new XProtect.meta.plist and/or XProtect.plist files, you should test to see that they don’t cause any issues in your organization, modifying them if needed. You can then use your favorite software deployment system (I like Munki) to distribute these files to your managed machines.

In this way, your managed machines can still get the benefit of updates to Apple’s malware protection mechanism without risking that a component vital to your organization will be blocked without warning.
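One way to do the vetting step described above, as an added example (not code from the original post): a Python comparison of the deployed XProtect.meta.plist with a candidate from the admin machine, listing which inventoried plug-ins the candidate would newly block. The bundle id, key names and version numbers are the ones quoted on this page; the host names, inventory and the JavaWebComponentVersionMinimum value are constructed placeholders.

```python
import plistlib

JAVA_KEY = "JavaWebComponentVersionMinimum"  # key named in the posts on this page

def vtuple(version):
    """'1.7.11.22' -> (1, 7, 11, 22), so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def minimums(meta):
    """Flatten PlugInBlacklist:<os>:<bundle id>:MinimumPlugInBundleVersion."""
    found = {}
    for plugins in meta.get("PlugInBlacklist", {}).values():
        for bundle_id, rule in plugins.items():
            if "MinimumPlugInBundleVersion" in rule:
                found[bundle_id] = rule["MinimumPlugInBundleVersion"]
    return found

def vet(deployed_bytes, candidate_bytes, inventory):
    """Report what the candidate XProtect.meta.plist would newly block."""
    deployed = plistlib.loads(deployed_bytes)
    candidate = plistlib.loads(candidate_bytes)
    old, new = minimums(deployed), minimums(candidate)
    newly_blocked = []
    for host, bundle_id, have in inventory:
        need = new.get(bundle_id)
        if need is None or vtuple(have) >= vtuple(need):
            continue  # not restricted, or already new enough
        if bundle_id in old and vtuple(have) < vtuple(old[bundle_id]):
            continue  # already blocked by the deployed file; nothing new
        newly_blocked.append((host, bundle_id, have, need))
    return {"newly_blocked": sorted(newly_blocked),
            "java_minimum_changed": deployed.get(JAVA_KEY) != candidate.get(JAVA_KEY)}

# Constructed sample data: hosts and the JAVA_KEY value are placeholders.
ORACLE = "com.oracle.java.JavaAppletPlugin"

def _meta(oracle_min, java_min=None):
    meta = {"PlugInBlacklist": {"10": {ORACLE: {"MinimumPlugInBundleVersion": oracle_min}}}}
    if java_min:
        meta[JAVA_KEY] = java_min
    return plistlib.dumps(meta)

DEPLOYED = _meta("1.7.10.19")
CANDIDATE = _meta("1.7.11.22", java_min="PLACEHOLDER-MINIMUM")
INVENTORY = [("lab-01", ORACLE, "1.7.10.19"), ("lab-02", ORACLE, "1.7.13.20")]

if __name__ == "__main__":
    print(vet(DEPLOYED, CANDIDATE, INVENTORY))
```

An empty newly_blocked list with java_minimum_changed false means the candidate can be distributed without changing plug-in behavior on the inventoried machines.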

Disabled Java Plugins, XProtect Updater

January 31, 2013

Today Apple updated the XProtect.meta.plist file, which, among other things, causes XProtect to disable Java Plugins that don’t meet a minimum version.

The net effect was to disable the Java 6 plugin on all browsers, as well as Java 7 plugins older than 1.7.11.22.

If you need to continue to use the Java 6 plugin in your organization, you can revert the changes and disable the mechanism that updates the XProtect.meta.plist by installing this package:


https://dl.dropbox.com/u/8119814/DisableXProtectUpdater.pkg.zip

This is a payload-free package that runs this script as a postflight:

#!/bin/sh

# don't check JavaWebComponentVersionMinimum
XPROTECT_META_PLIST="$3/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist"
/usr/libexec/PlistBuddy -c "Delete :JavaWebComponentVersionMinimum" "$XPROTECT_META_PLIST"

# disable the xprotectupdater job
LAUNCHD_JOB_PLIST="$3/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist"
/bin/launchctl unload -w "$LAUNCHD_JOB_PLIST"

I won’t tell you this is a smart thing to install; there are many reasons to leave things as they are. Apple disabled these plugins to protect from known exploits. By re-enabling them, you are opening up your managed machines to these exploits.

But if your org needs the Java 6 Web Plugin, this should get you running again. You should re-enable the XProtect updater as soon as you are able, though:

sudo /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

NOTE: if you need to re-enable an older version of the Oracle Java 1.7 Plugin, you’ll need to edit the postflight script and add something like:

/usr/libexec/PlistBuddy -c "Set :PlugInBlacklist:10:com.oracle.java.JavaAppletPlugin:MinimumPlugInBundleVersion 1.7.10.19" "$XPROTECT_META_PLIST"

(Sadly, WordPress changes a colon followed by a P into an emoticon, even in pre-formatted text, so this line may display with a stray space or image after the first colon; the key path begins with :PlugInBlacklist. Not helping…)

This sets the MinimumPlugInBundleVersion for the Oracle Java Web Plugin back to the value it was with the 10 Jan 2013 version of the XProtect.meta.plist. Again, if you do this, you are choosing to expose your machines to a known Java Web Plugin exploit. Do so at your own risk.

(Update 01 Feb 2013)
If you need to run the Oracle Java 1.7 Plugin (or are already running it and it’s been disabled) the best fix is to update the Java install. As of this writing, Java 7 Release 13 for OS X is available here. This installs a web plugin with BundleVersion 1.7.13.20.

(Update 02 Feb 2013)
Apple has released a Java 6 update for Snow Leopard. Installing this update will restore Java 6 web plugin functionality under Mac OS 10.6. This won’t help if you need to use the Java 6 web plugin under OS X 10.7 or later.

Fix for Adobe CS6 activation issue

January 18, 2013

Adobe has posted some information and a fix for the recent issue with Adobe Photoshop CS6 registration/activations:


http://blogs.adobe.com/oobe/2013/01/32767-days-left-but-whos-counting.html

This issue appears to have been triggered by the Photoshop CS6 13.0.2 and/or 13.0.3 updates. The official recommendation on a fix is to update Photoshop CS6 to 13.0.4, then use the APTEE tool to remove and reapply serialization. See the above post for more details.

The APTEE tool is not exactly easy to use to deploy this fix in an enterprise environment; you need to install it on all your machines and also run a script (which you must write, test, and debug) on all your machines to perform the unserialization/reserialization.

Later today I will post a tool to help you create a standard Apple package to perform these steps. If you have some way to distribute and install Apple packages on your machines, you’ll be able to do the unserialization/reserialization by installing a package.

Check back later!

MacTech Conference 2012

October 1, 2012

MacTech Conference 2012 is a little over two weeks away! If you haven’t registered yet, get $400 off the regular registration price by following this link: 
http://www.mactech.com/events/IKnowASpeaker

I’ll be presenting again this year. More exciting, on Wednesday evening, October 17th, MacTech Conference attendees will be guests at a special event at Walt Disney Animation Studios. Not only will they get a behind-the-scenes look at the Animation Studios and talk with Disney technologists and artists, but also have a rare look at how Walt Disney Animation Studios uses advanced technology to create their animated films.

I look forward to seeing you there!

MacSysAdmin 2012 links

September 12, 2012

For those attending MacSysAdmin 2012, here are links to various things discussed in my presentations today. Enjoy!

Advanced Munki

Reposado

createOSXinstallPkg

Creating Power Users

