John Welch has written passionately about Adobe installers many times over the years. Here’s another to add to the list, though not as colorfully as Mr. Welch might have done…

The Lightroom 2.3 installer is an order of magnitude better than most other Adobe installers:

• It is a standard Apple Installer package.
• It installs just one thing: Adobe Lightroom 2.3.
• It does not secretly install Flash, or Air, or Adobe Reader.
• It stores its registration info in a separate file from the Adobe CS2, CS3, and CS4 apps, so you don’t have to worry about registrations clobbering each other.

But it’s not perfect.

Problem #1: the postinstall script at Contents/Resources/postinstall:

#!/bin/bash
#
# This postinstall script copies the camera raw profiles into the
# application support folder

ditto -kx "$1/Contents/Resources/profiles.zip" "/Library/Application Support/Adobe/CameraRaw/CameraProfiles"

This uses ditto to copy stuff out of a ZIP archive to /Library/Application Support/Adobe/CameraRaw/CameraProfiles/

Why? Why couldn’t this just be in the package payload? Or why couldn’t this be a metapackage, where one package installed Adobe Lightroom and another installed the CameraProfiles?

As an administrator, I don’t want to read scripts to see what else a package has installed – it should be in the bom files for the installer. Worse, we’ll never see a useful uninstall capability as long as software vendors pull this sort of thing. Ideally, we should be able to look at /Library/Receipts to see what has been installed, and in the future, be able to use this same info to uninstall things. Postflight or postinstall scripts that install additional things break this concept.

But it gets worse.

Let’s look at the postflight script at Contents/Resources/postflight:

#!/bin/bash
#
# remove the receipt file, which causes problems if people try to reinstall
# an earlier version

RMPATH="/Library/Receipts/`basename "$1"`"
echo "removing receipt $RMPATH"
rm -rf "$RMPATH"

It removes its own receipt! Now we’re really horked if we want to find out what’s been installed. Adobe destroys the evidence!

Sigh.

Here’s a version of a script we use on all our machines in an attempt to reduce energy usage with a minimum of visible impact on users. Our machines are set to not sleep during the day. This script runs hourly, and if it’s after 7pm and the machine has been idle for 20 minutes or more, it tries to sleep the machine if someone is logged in, or shut it down if no-one is logged in.
The machine is also set to automatically startup or wake at 6am M-F. The net result is that most of our desktop machines go to sleep or shutdown a little after 7pm each weeknight and wake up at 6am each week morning, and our users are none the wiser.

#!/bin/sh

# Sleep or shutdown script
# tryin' to be 'green'.....

# look for exception file
if [ -f "/var/db/.dontSleep" ]; then
	exit 0
fi

# if we're a laptop, exit.
# No shutting down laptops (or waking them up unbidden!)
IS_LAPTOP=`/usr/sbin/system_profiler SPHardwareDataType | grep "Model" | grep "Book"`
if [ "$IS_LAPTOP" != "" ]; then
	exit 0
fi

# check the time; exit if it's between 5 am and 7 pm
current_hour=`/bin/date +%H`
if [ $current_hour -gt 5 -a $current_hour -lt 19 ]; then
	exit 0
fi

# now check idle time;
# exit if we've been idle less than 20 minutes
idleTime=`ioreg -c IOHIDSystem | perl -ane 'if (/Idle/) {$idle=int((pop @F)/1000000000); print $idle,"\n"; last}'`
if [ $idleTime -lt 1200 ]; then
	exit 0
fi

# tell Power Manager to wake us up or turn us on at 6am M-F
pmset repeat wakeorpoweron MTWRF 06:00:00

# check to see if a user's logged into the console
login_status=`/usr/bin/who | /usr/bin/awk '{ print $2 }'`
for i in $login_status; do
  if [ $i = "console" ]; then
       # someone's logged in, sleep
       osascript -e 'tell application "System Events" to sleep'
       exit 0
  fi
done

# if we got this far, it's OK to shut down.
/sbin/shutdown -h now
exit 0

On the MacEnterprise maillist, Arjen van Bochoven wrote of problems with automatic HomeSyncs under Leopard with NFS home directories. Manual syncs worked fine, but the automatic background syncs would fail with errors that looked like this:

1:: [228] Peer "network" is unable to sync. (-[SPeer_FS_PHD mountPeerVolume] (Peer-FS-PHD.m:140): "'((homePath))' is nil")
0:: [228] [2009/02/19 10:45:10.640] Peer "network" is unable to sync. Not enough peers will be available to continue syncing.
0:: [228] [2009/02/19 10:45:10.640] Aborting sync of "HomeSync_Mirror".

I saw the exact same problem in my environment. This also affected login and logout syncs. Here’s the (ugly) fix.

For each mobile account, you’ll need to make two modifications to the account info in the local DS:

/usr/bin/dscl . create /Users/$USERNAME dsAttrTypeStandard:OriginalHomeDirectory "nfs://$NFSEXPORT$USERNAME"

where $USERNAME is the short username, and $NFSEXPORT is the nfsserver and its export.

This gives HomeSync a nfs:// URL to use to mount the network home directory (It shouldn’t have to do this, since the network home is already available at the autofs mountpoint for the network home, and obviously really doesn’t need it since manual syncs work), but we have to do it anyway.

The OriginalHomeDirectory attribute has two parts – a URL describing the mount, and a path describing the path to the actual home dir, relative to the mount. In my case, when I type `mount`, my home autofs mount looks like this:

homeserver:/vol/home/fahome on /home/fahome

and my NFS home path is /home/fahome/gneagle

So the URL is ‘nfs://homeserver/vol/home/fahome/’ and the path is ‘gneagle’.

Depending on how the home mounts are setup in your environment, the division between the URL and the path might be different, for example, we might have had this instead:

URL ‘nfs://homeserver/vol/home/’ with a path of ‘fahome/gneagle’.

The next change:
/usr/bin/dscl . append /Users/$USERNAME dsAttrTypeNative:preserved_attributes dsAttrTypeStandard:OriginalHomeDirectory

This prevents the OriginalHomeDirectory attribute from being overwritten by the empty value presumably coming from the network. (If there was a useful value in the network directory, this hack wouldn’t be needed.)

You may be able to create the accounts “correctly” in the first place by using /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount and passing the syncURL with the -u option in the form “nfs://homeserver/export/home/gneagle”. This didn’t work in my environment, and even if it did, it wasn’t really an option to use createmobileaccount, so I instead wrote a login hook that “fixes” the mobile account if needed. WordPress will cut off the right side of the script when displaying it, but you can select, copy and paste into your favorite text editor for examination:

#!/bin/sh

# Leopard bug workaround as of 10.5.2. March 5 2008
# inserts nfs:// URL into OriginalHomeDirectory attribute
# for mobile accounts so that login/logout/background syncs
# work reliably
#
# Greg Neagle, Walt Disney Animation Studios

# the following is the actual NFS share that is mounted via autofs
NFSEXPORT="homeserver.example.com/vol/home/fahome/"

USERNAME=$1
LOCALACCT=`/usr/bin/dscl . read /Users/$USERNAME 2>/dev/null`
if [ "$LOCALACCT" != "" ]; then
  # $USERNAME is a local account
  NETHOME=`/bin/echo $LOCALACCT | /usr/bin/grep OriginalNFSHomeDirectory`
  if [ "$NETHOME" != "" ]; then
    # $USERNAME is a mobile account
    # in our case, the path and the username are one and the same
    /usr/bin/dscl . create /Users/$USERNAME dsAttrTypeStandard:OriginalHomeDirectory "nfs://$NFSEXPORT$USERNAME"
    PRESERVED_ORIG_HOME=`/usr/bin/dscl . read /Users/$USERNAME dsAttrTypeNative:preserved_attributes | /usr/bin/grep dsAttrTypeStandard:OriginalHomeDirectory`
    if [ "$PRESERVED_ORIG_HOME" = "" ]; then
      /usr/bin/dscl . append /Users/$USERNAME dsAttrTypeNative:preserved_attributes dsAttrTypeStandard:OriginalHomeDirectory
    fi
  fi
fi

The user logs in with their network account. MCX computer group settings cause the user to be asked if they want to create a mobile account, if they agree the mobile account is created and the home directory is encrypted with FileVault. As they log in, the login hook runs and if needed, inserts the additional info into the cached local account info so that automatic HomeSyncs work.

Though this fixed the issue for our environment, I still consider this a bug.

UPDATE 1/23/09: some commenters asked about cleanup of the LKDC (new in Leopard) – I’ve added that to the script.

At the Macworld Expo 2009 Power Tools System Imaging and Deployment session today, I was asked to share a “checklist” of cleanup steps I use when building images the “classic” way. (The InstaDMG methodology of image building makes cleanup steps unneeded.)

Here’s a cleaned-up version of the script I use, with site-specific stuff removed for the most part.

If you use this, you’ll need to modify the paths to any local user home directories for any local users you have on your image. There are generic examples for a local admin user named “admin” and the root user (which if you never login as root, you shouldn’t have to clean up!)

#!/bin/sh
#this script does some cleanup in preperation for building an image
#best to run this from single user mode, or at least right before you shutdown
#run this as root, or with sudo rights

#set machine names back to generic
/usr/sbin/scutil --set ComputerName "OSX_Standard_Image"
/usr/sbin/scutil --set LocalHostName "osximg"

#delete swapfiles
rm /private/var/vm/swapfile*

#delete volume info DB
rm /private/var/db/volinfo.database

#cleanup local admin's home dir
rm -rf /Users/admin/Desktop/*
rm -rf /Users/admin/Documents/*
rm -rf /Users/admin/Library/Caches/*
rm -rf /Users/admin/Library/Recent\ Servers/*
rm -rf /Users/admin/Library/Logs/*
rm -rf /Users/admin/Library/Keychains/*
rm -rf /Users/admin/Library/Preferences/ByHost/*
rm -f /Users/admin/Library/Preferences/com.apple.recentitems.plist
rm -rf /Users/admin/Movies/*
rm -rf /Users/admin/Music/*
rm -rf /Users/admin/Pictures/*
rm -rf /Users/admin/Public/Drop\ Box/* 

#cleanup root's home dir
rm -rf /private/var/root/Desktop/*
rm -rf /private/var/root/Documents/*
rm -rf /private/var/root/Downloads/*
rm -rf /private/var/root/Library/Caches/*
rm -rf /private/var/root/Library/Recent\ Servers/*
rm -rf /private/var/root/Library/Logs/*
rm -rf /private/var/root/Library/Keychains/*
rm -rf /private/var/root/Library/Preferences/ByHost/*
rm -f /private/var/root/Library/Preferences/com.apple.recentitems.plist
rm -rf /private/var/root/Public/Drop\ Box/*

#clean up global caches and temp data
rm -rf /Library/Caches/*
rm -rf /System/Library/Caches/*
rm -rf /Users/Shared/*
rm -f /private/etc/ssh_host*

#network interfaces - this is regenerated on reboot and can differ on different hardware
rm /Library/Preferences/SystemConfiguration/NetworkInterfaces.plist

#Leopard - cleanup local KDC, see http://support.apple.com/kb/TS1245
/usr/sbin/systemkeychain -k /Library/Keychains/System.keychain -C -f
rm -rf /var/db/krb5kdc
/usr/bin/defaults delete /System/Library/LaunchDaemons/com.apple.configureLocalKDC Disabled

#log cleanup.  We touch the log file after removing it since syslog
#won't create missing logs.
rm /private/var/log/alf.log
touch /private/var/log/alf.log
rm /private/var/log/cups/access_log
touch /private/var/log/cups/access_log
rm /private/var/log/cups/error_log
touch /private/var/log/cups/error_log
rm /private/var/log/cups/page_log
touch /private/var/log/cups/page_log
rm /private/var/log/daily.out
rm /private/var/log/ftp.log*
touch /private/var/log/ftp.log
rm -rf /private/var/log/httpd/*
rm /private/var/log/lastlog
rm /private/var/log/lookupd.log*
rm /private/var/log/lpr.log*
rm /private/var/log/mail.log*
touch /private/var/log/lpr.log
rm /private/var/log/mail.log*
touch /private/var/log/mail.log
rm /private/var/log/monthly.out
rm /private/var/log/run_radmind.log
rm -rf /private/var/log/samba/*
rm /private/var/log/secure.log
touch /private/var/log/secure.log
rm /private/var/log/system.log*
touch /private/var/log/system.log
rm /private/var/log/weekly.out
rm /private/var/log/windowserver.log
touch /private/var/log/windowserver.log
rm /private/var/log/windowserver_last.log
rm /private/var/log/wtmp.*

Here is a slightly modified version of the slides I used at presentation earlier in 2008 on the topic of Network and Portable Home Directories.

Here is a PDF of my presentation at Macworld SF 2008 on Managing OS X Clients with or without Open Directory.

Mac firmware updates generally need some sort of user intervention in order to apply them.

This makes it very difficult to automate the process. I did manage at one point to automate SMC updates, but EFI updates and other hardware (keyboards, trackpads, graphics) each have their own issues.

So I finally decided to just punt on the issue. Here’s what I do now: a script runs at login and checks softwareupdate, looking for available firmware updates. If there are any, the user is notified to call the help desk.

The script follows.

#!/usr/bin/perl -w

use strict;

# change 'com.myorg' to your organization name
my $prefs = "com.myorg.firmwareupdatecheck";

# check the last time we ran on this machine;
# exit if we already ran today so we don't annoy too much
my $now = time;
my $lastChecked =
   `defaults -currentHost read $prefs lastChecked 2>/dev/null`;
chomp $lastChecked;
if ($lastChecked ne "") {
  my $daysSinceLastChecked =
     int(($now-$lastChecked)/(60*60*24));
  exit if ($daysSinceLastChecked < 1);
}

# get list of available updates from softwareupdate
my $allupdates = `softwareupdate -l | grep '^   \\* '`;
chomp $allupdates;
my @updates = split /\n/, $allupdates;
my $firmwareupdates = "";
my $firmwarelist = "";
my $otherupdates = "";

# walk through the list looking for firmware updates
for my $update (@updates) {
  $update = substr($update,5);
  if ((     $update =~ /[F|f]irmware/)
        || ($update =~ /EFI/)
        || ($update =~ /SMC/)) {
    $firmwareupdates .= "$update ";
    $firmwarelist .= "   $update\n";
  } else {
    $otherupdates .= "$update ";
  }
}

# record when we checked and what we found
system "defaults -currentHost write $prefs lastChecked -int $now";
system "defaults -currentHost write $prefs availableUpdates '$firmwareupdates'";

if ($firmwareupdates) {
  # there are available firmware updates
  if ($otherupdates) {
    # hide the non-firmware updates since I don't want users tempted to install them
    system "softwareupdate --ignore $otherupdates >/dev/null 2>&1";
  }

  # are we running under an admin account?
  my $checkAdmin = `dseditgroup -o checkmember admin`;
  if ($checkAdmin =~ /^yes/) {
     # user is an admin, prompt them to install
           my $result = `osascript<<EOFA
try
  tell application "System Events"
    activate
    display alert "Firmware updates available" message "There are firmware updates available for this Mac:" & return & "$firmwarelist" as warning buttons {"Later", "Install"} default button "Install" cancel button "Later" giving up after 120
  end tell
  if button returned of the result is "Install" then
    do shell script "open '/System/Library/CoreServices/Software Update.app'"
  end if
end try
EOFA`;

  } else {
    # user is not an admin, tell them to call help desk
    my $result = `osascript<<EOFB
try
  tell application "System Events"
    activate
    display alert "Firmware updates available" message "There are firmware updates available for this Mac:" & return & "$firmwarelist" & return & "Please call Tech Support at 555-1212 for help in installing these updates." as warning buttons {"OK"} default button "OK" cancel button "OK" giving up after 120
  end tell
end try
EOFB`;
  }
}

Workgroup Manager/MCX supports managing some iTunes preferences if you use the Preference Details and add the Managed Client preference managements.

It turns out there are a few more things you can manage if you look here.

These additional items include:

• disableCheckForUpdates
• disableAutomaticDeviceSync
• disableGetAlbumArtwork
• disablePlugins

and more. These also seem to work as regular default keys. For example:

defaults write com.apple.iTunes disableCheckForUpdates -bool YES

turns off and disables automatic checking for updates. You might want to do that if you manage installation of iTunes updates yourself.

Something I see pop up now and again is questions on how to define certain default settings (proxies, home pages, etc) for all users of Firefox. I was surprised to find that I had never posted on this topic before.

It turns out that you can edit a few files inside the Firefox bundle to set default preference values.
Here’s what I do…

Edit /Applications/Firefox.app/Contents/MacOS/greprefs/all.js

Add the following to the end:

// MyOrganization additions
pref("general.config.obscure_value", 0);
pref("general.config.filename", "firefox_AA.cfg");

Create a file /Applications/Firefox.app/Contents/MacOS/firefox_AA.cfg with the following contents:

// This file sets some default prefs for use at MyOrganization
// and locks down some other prefs.
//

// proxy
pref("network.proxy.autoconfig_url", "http://myorg.com/auto.proxy");
pref("network.proxy.type", 2);

// application updates
lockPref("app.update.enabled", false);
lockPref("app.update.autoUpdateEnabled", false);
lockPref("extensions.update.autoUpdate", false);
lockPref("extensions.update.enabled", false);
lockPref("browser.search.update", false);

// Password Manager
pref("signon.rememberSignons", false);

// Default browser check
pref("browser.shell.checkDefaultBrowser", false);

Edit /Applications/Firefox.app/Contents/MacOS/browserconfig.properties to read:

browser.startup.homepage=http://myorg.com
browser.startup.homepage_reset=http://myorg.com

Radmind, being a set of UNIX tools, originally supported only case-sensitive transcripts. Mac OS X’s HFS+ filesystem, developed by Apple pre-NeXT purchase, is a case-preserving, case-insensitive filesystem.

Support for case-insensitive transcripts was later added to the radmind tools.

As it turns out, it is perfectly possible to use radmind with case-sensitive transcripts to manage an OS X HFS+ filesystem. There are sometimes a few annoyances, but it generally works OK. Worst case, you might have to run the radmind tools twice to get the filesystem update when there is a case change: the first run might remove the lowercase version of the file, and the second run would install the uppercase version. Or a sharp radmind admin might be able to avoid the problem altogether by renaming files in troublesome transcripts.

One situation where needing multiple runs of the radmind tools to get to a complete filesystem is problematic is during OS updates. You really want to have a completely successful lapply run so that the filesystem is in a consistent, bootable state. If lapply fails halfway through, you might end up with an unbootable startup disk.

So when doing major updates, like, say, from 10.4.x to 10.5.x, you need to minimize all failure modes. While working on getting radmind to update our Macs from Tiger to Leopard, lapply would consistently fail because of case changes in filesystem objects. Instead of playing whack-a-mole trying to find and rename all the changed case filesystem objects, I decided to make the transition to case-insensitive transcripts.

This was not trivial. We have very modular transcripts, typically describing a single application or single set of configuration changes. In fact, right now, there are 961 transcripts sitting in the top level of my /var/radmind/transcript directory. So I needed a way to convert all of them to case-insensitive — simply recreating them from scratch was not an option.

It certainly is possible to convert existing case-sensitive transcripts to case-insensitive. The lsort tool that is part of the radmind tool set will resort transcripts either case-sensitively or case-insensitively. The bigger problem occurs when the transcript contains hard links. Given a transcript like this:


f /Z 0644 0 0 1088185725 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
h /a /Z
h /m /Z


If you run it through lsort -I, you get this:


h /a /Z
h /m /Z
f /Z 0644 0 0 1088185725 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk=


which won’t lapply correctly, since you are creating hard links to files that don’t exist yet. Instead, you need it to look like this:


f /a 0644 0 0 1088185725 0 2jmj7l5rSw0yVb/vlWAYkK/YBwk=
h /m /a
h /Z /a


AND you need the actual files under /var/radmind/file moved around so that they match the transcript. Yuck. So I banged out a script that does all this. It’s a bit of a mess, and probably relies on assumptions about my environment that don’t apply in yours. Still, you may be able to modify it to fit your needs.

The usage is:

converttocaseinsensitive transcript.T

which results in a new case-insensitive loadset at

/var/radmind/transcript/caseinsensitive/transcript.T

and

/var/radmind/files/caseinsensitive/transcript.T/

To minimize disk usage, I symlink where possible, for example, in cases where the case-insensitive transcript is the same as the case-sensitive one, or where the file set has no hard links (and therefore needs no modifications). The assumption is that you are using an HFS+ volume for your radmind data storage; if you are using a case-sensitive volume you’ll need to do more work to rename the actual files…

Here is the script.