10.8.3 supported platforms

A follow-up to yesterday’s post on 10.8.3.

I had hoped that the “SupportedModelProperties” list in the InstallESD.dmg’s /System/Library/CoreServices/PlatformSupport.plist would serve as a more-or-less human parseable list of supported models.

But it appears that there are some supported models that do not appear in the “SupportedModelProperties” list, but whose board-ids do appear in the “SupportedBoardIds” list in that same file.

In any case, the _real_ thing that causes the the installer to decide whether or not to proceed is this function in the OSInstall.mpkg’s Distribution file:

function isSupportedPlatform(){

	if( isVirtualMachine() ){
		return true;
	}
	
	var platformSupportValues=["Mac-F42D88C8","Mac-F2218EA9","Mac-F42D86A9","Mac-F22C8AC8","Mac-F22586C8","Mac-AFD8A9D944EA4843","Mac-F227BEC8","Mac-F226BEC8","Mac-7DF2A3B5E5D671ED","Mac-942B59F58194171B","Mac-2E6FAB96566FE58C","Mac-F42D89C8","Mac-00BE6ED71E35EB86","Mac-4B7AC7E43945597E","Mac-F22C89C8","Mac-942459F5819B171B","Mac-F42388C8","Mac-F223BEC8","Mac-F4238CC8","Mac-F222BEC8","Mac-4BC72D62AD45599E","Mac-F2268DC8","Mac-F2208EC8","Mac-66F35F19FE2A0D05","Mac-F4238BC8","Mac-F221BEC8","Mac-C08A6BB70A942AC2","Mac-8ED6AF5B48C039E1","Mac-F2238AC8","Mac-FC02E91DDD3FA6A4","Mac-6F01561E16C75D06","Mac-742912EFDBEE19B3","Mac-F22589C8","Mac-F22587A1","Mac-F22788AA","Mac-F42C86C8","Mac-942C5DF58193131B","Mac-F2238BAE","Mac-F22C86C8","Mac-F2268CC8","Mac-F2218FC8","Mac-7BA5B2794B2CDB12","Mac-F65AE981FFA204ED","Mac-031AEE4D24BFF0B1","Mac-F22587C8","Mac-F42D89A9","Mac-F2268AC8","Mac-F42C89C8","Mac-942452F5819B1C1B","Mac-F2218FA9","Mac-F221DCC8","Mac-94245B3640C91C81","Mac-F42D86C8","Mac-F2268EC8","Mac-F2268DAE","Mac-F42C88C8","Mac-94245A3940C91C80","Mac-F42386C8","Mac-C3EC7CD22292981F","Mac-942B5BF58194151B","Mac-F2218EC8"];
	var boardID = system.ioregistry.fromPath('IOService:/')['board-id'];
	
	if( !boardID || platformSupportValues.length == 0 ) {
		return false
	}
	for( var i = 0; i < platformSupportValues.length; i++ ){
	 	if( boardID == platformSupportValues[i] ){
				return true;
	  	}	
	}

	return false;
}

Unfortunately, I have not found a reliable resource for mapping board-ids to models.

Disabled Java Plugins, XProtect Updater

Today Apple updated the XProtect.meta.plist file, which, among other things, causes XProtect to disable Java Plugins that don’t meet a minimum version.

The net effect was to disable the Java 6 plugin on all browsers, as well as Java 7 plugins older than 1.7.11.22.

If you need to continue to use the Java 6 plugin in your organization, you can revert the changes and disable the mechanism that updates the XProtect.meta.plist by installing this package:

https://dl.dropbox.com/u/8119814/DisableXProtectUpdater.pkg.zip

This is a payload-free package that runs this script as a postflight:

#!/bin/sh

# don't check JavaWebComponentVersionMinimum
XPROTECT_META_PLIST="$3/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist"
/usr/libexec/PlistBuddy -c "Delete :JavaWebComponentVersionMinimum" "$XPROTECT_META_PLIST"

# disable the xprotectupdater job
LAUNCHD_JOB_PLIST="$3/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist"
/bin/launchctl unload -w "$LAUNCHD_JOB_PLIST"

I won’t tell you this is a smart thing to install; there are many reasons to leave things as they are. Apple disabled these plugins to protect from known exploits. By re-enabling them, you are opening up your managed machines to these exploits.

But if your org needs the Java 6 Web Plugin, this should get you running again. You should re-enable the XProtect updater as soon as you are able, though:

sudo /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

NOTE: if you need to re-enable an older version of the Oracle Java 1.7 Plugin, you’ll need to edit the postflight script and add something like:

/usr/libexec/PlistBuddy -c "Set  lugInBlacklist:10:com.oracle.java.JavaAppletPlugin:MinimumPlugInBundleVersion 1.7.10.19" "$XPROTECT_META_PLIST"

(Sadly, WordPress changes a colon followed by a P into a emoticon, even in pre-formatted text. Not helping…)

This sets the MinimumPlugInBundleVersion for the Oracle Java Web Plugin back to the value it was with the 10 Jan 2013 version of the XProtect.meta.plist. Again, if you do this, you are choosing to expose your machines to a known Java Web Plugin exploit. Do so at your own risk.

(Update 01 Feb 21013)
If you need to run the Oracle Java 1.7 Plugin (or are already running it and it’s been disabled) the best fix is to update the Java install. As of this writing, Java 7 Release 13 for OS X is available here. This installs a web plugin with BundleVersion 1.7.13.20.

(Update 02 Feb 2103)
Apple has released a Java 6 update for Snow Leopard. Installing this update will restore Java 6 web plugin functionality under Mac OS 10.6. This won’t help if you need to use the Java 6 web plugin under OS X 10.7 or later.

Adobe reserialization tool

Here’s the tool I promised earlier:

https://github.com/gregneagle/makereserializationpkg

Enjoy.

Fix for Adobe CS6 activation issue

Adobe has posted some information and a fix for the recent issue with Adobe Photoshop CS6 registration/activations:

http://blogs.adobe.com/oobe/2013/01/32767-days-left-but-whos-counting.html

This issue appears to have been triggered by the Photoshop CS6 13.0.2 and/or 13.0.3 updates. The official recommendation on a fix is to update Photoshop CS6 to 13.0.4, then use the APTEE tool to remove and reapply serialization. See the above post for more details.

The APTEE tool is not exactly easy to use to deploy this fix in an enterprise environment; you need to install it on all your machines and also run a script (which you must write, test, and debug) on all your machines to perform the unserialization/reserialization.

Later today I will post a tool to help you create a standard Apple package to perform these steps. If you have some way to distribute and install Apple packages on your machines, you’ll be able to do the unserialization/reserialization by installing a package.

Check back later!

Adobe CS6 Serialization fun

Recently (starting some time after the first of the year), we’ve started having users call and tell us that their formerly working install of Adobe Photoshop CS6 was now asking for a sign-in:

We could not figure out why this was happening. An uninstall and reinstall of our AAMEE3-generated installation package seemed to get things working. But then the same users would call back the next day with the same issue.

(more…)

Still more on Flash Installers

A follow up from today’s earlier post: some commenters mention that the disk image they downloaded contains a package like “normal”.

I’ve found at least five versions of the 11.5.502.146 installer:

All of these were downloaded today. Which version you get seems to depend on which browser you use!

Safari may lead you to one (if you decline the suggestion to also install Chrome you get a different one); Chrome returns another, and Firefox returns still another! And if you register to redistribute Flash and use the special URL you are given if/when you are approved for redistribution, you get yet another version.

And yet none of these are simply Apple packages. Sigh. They are either disk images that contain an application that contains a package, or disk images that contain an application that downloads another disk image that contains an application that contains a package.

On a related note, I recently watched Inception.

New Year, New Flash Post

Today Adobe released yet another Flash update. If you need to deploy it in an enterprise environment and head to
http://get2.adobe.com/flashplayer/
to grab it, you might be surprised that what you download no longer includes an Apple package, and if you aren’t careful, the thing you download will try to install Google Chrome as well.

If you want the previous installer format, which was a disk image containing an application that contained an Apple package, you can still get it.

If you have not yet, you need to sign up to redistribute Adobe Flash here. Once you are approved, you’ll get a special link to download versions of the Flash installer that act like the previous ones.

At least for now.

Flashpoint and Counterpoint

TGB is back with more interesting comments.

Thanks for your comments, TGB! Let me respond to a few:

Vendor-supplied DMGs are standard for distribution, however they are not standard for deployment.

You say that only because your deployment software doesn’t support deploying  directly from a drag-n-drop disk image. I think this is a case where we should bow to reality — since a lot of software is distributed this way, your software deployment system should make it easy to deploy software distributed in this format.

Default settings are part of deployment. They simply are.

Most consumers seem to be able to purchase, install and use third-party software with the default settings as chosen by the vendor. We find that also to be the case in our environment — we don’t have to customize settings very often. But when we do, we have lots of available tools to do so. Not having to (re)package the software itself gives us more time to spend on adding value for our organization.

I’m completely comfortable packaging Flash by hand.

That’s great. So am I. But not every admin is, judging by all the packaging questions I’ve seen. More importantly, what’s the value of hundreds or thousands of admins repeating the same task, but perhaps doing it slightly differently? Let’s have the vendor do that work.

I don’t work in a rigid corporate environment.

Neither do I!

Flash Dance

In comments on my previous post here, TGB makes some interesting points:

While you’re not wrong that Flash Player deployment isn’t ideal, and it should be as easy as dragging and dropping a pkg, I don’t see how the repackaging route is any more of a waste of time than any other product. Adium, Mactracker, Firefox, Chrome and a whole bucket of other apps all require packaging to be deployed. Sure, they might auto-update, but you have to get an initial version out there, not to mention getting your preferred default settings out too.

Most, if not all the items mentioned (Adium, Mactracker, Firefox, and Chrome) are distributed as “drag-n-drop” disk images where the user is expected to drag the application to the /Applications folder. I’d argue that is an industry standard deployment method. The software deployment system I use (Munki) can install items like this without the need to package them. If your software deployment mechanism does not, perhaps you should be requesting that feature from your vendor, since this is a very common distribution format, and code-wise, requires  little effort to support. When a new version of Firefox or Chrome comes out, I just download the disk image and directly import it into Munki — no packaging needed.

Adobe Flayer Player cannot be distributed as a drag-n-drop application disk image — it’s not an application. So the “correct” distribution format for this software is the Apple package format.

Preferred default settings is a completely different issue. As long as vendors use Apple’s preference file format, this is solved with MCX or Lion/Mountain Lion profiles.

TGB also writes:

Not to mention, with any of these products, testing them (yes?) is more time and effort-intensive than any actual packaging. 3/4 of deployment and integration is non-technical work. A couple of minutes difference doesn’t really matter in the scheme of QA, UAT and change management process (or are others just not doing that?).

Flash is not needed by any business-critical application where I work, yet our users demand (or at least expect) it and Apple and Mozilla demand it stay up-to-date, or they will disable the plug-in. So for us at least, testing is quite minimal for Flash. If it installs and can display some Flash content, it’s good.

But yes, I do understand and sympathize with admins that must test each release of Flash with business-critical applications — and Adobe’s distribution format is not the key issue here; frequency of releases is. I’d argue that this is an impetus to reduce or eliminate your internal dependency on Flash.

Where I disagree with TGB: Adobe’s non-standard distribution adds more than a “couple of minutes” to preparing a new release of Flash for enterprise distribution. If we could be sure that Adobe will never change anything about their installer and updater, we could just figure out a process and repeat it for each new release. But Adobe can and has changed things, so for each release we must also test that our packaging/repackaging/custom deployment steps actually end up with the desired results. This is usually not a huge deal, but also cannot be ignored. But more importantly, theirs is a one-off solution. If we have to keep track of and test different deployment solutions for each vendor and product, we end up wasting a lot of time and effort, and making a lot of mistakes. Where would it end? Unique software deployment methods for each vendor? (Oh that there was only ONE unique deployment method for Adobe software!)

No, a line must be drawn. Here. No farther.

Flash Mob

My recent posts on deploying Flash Player 11.3 and 11.4 have generated a lot of comments. Some frequent themes: “Why are you bothering with all this? Just deploy the embedded package and be done with it!” and “Just repackage it with PackageMaker/Composer/etc and push that package!” These are certainly valid approaches you might decide to use in your organization.

But I worry that the larger point is being missed.

By recommending and supporting a non-standard deployment mechanism, Adobe is forcing enterprise admins to make choices about how to deploy their software. Some of those choices break the auto-update mechanism. Some are cumbersome to implement. Even Adobe’s recommended solution has several failure modes. But most importantly, it creates more work for the admin, since Adobe’s Flash distribution is not deployable as-is.

This is a colossal waste of time in the aggregate. Not only do I have to waste time packaging, repackaging or otherwise wrapping or modifying the Flash installer in order to deploy it; I must do so for each new release of Flash. And so must thousands of other admins all over the world.

Worse, because of all the possible choices (and no clear winner among them), there’s going to be many different permutations of what gets installed and how. This lack of consistency is a real problem, and must create additional support burdens, not only for local support, but for Adobe itself, as Adobe can’t even count on what is installed. I’m sure Adobe would like to get new releases of Flash out there as fast as possible; their choices actually make that harder to accomplish.

The only real path out of this madness is for Adobe to adopt and support a standard software distribution mechanism on Mac OS X: Apple packages. Enterprise admins should be able to take a Flash Player package and import it into their software distribution system without additional modification.

Part of the issue here is that there appears to be two parts to Adobe Flash Player: the actual Flash plugin, and the auto-update mechanism. These appear to be developed by two different teams. The team developing the Flash plugin itself seems to be doing (mostly) the right thing — they ship the Flash Player plugin as an Apple package that works perfectly with enterprise deployment tools.

The team responsible for the updater, however, is using non-standard deployment tools, leaving us with a mess. Not only is the installation a problem, but the updater doesn’t work when no-one is logged in. This was a nasty problem with Flash Player 11.3; the “fix” in Flash Player 11.4 seems to be that the updater just refuses to run if no-one is logged in. Here’s hoping that’s a temporary/quick fix until the “real” fix is in.