Accessing More Frameworks with Python

This post is based on a column I wrote for MacTech magazine in 2012. MacTech used to make older columns available online, but they haven’t done that for the past several years for some reason.
I’m planning to go through my older columns and dust off and republish some that I think are still relevant or useful.

Recently, we built a command-line tool using Python and the PyObjC bridge to control display mirroring.
PyObjC supports a lot of OS X frameworks “out-of-the-box”, and accessing them from Python can be as simple as:

include CoreFoundation

But what if the problem you want to solve requires a framework that isn’t included with the PyObjC bindings? In turns out that you can create your own bindings. In this post we’ll explore this aspect of working with Python and OS X frameworks.

OUR SAMPLE PROBLEM

In my organization, we sometimes have a need to set displays to a certain ColorSync profile. The ColorSync profile to use for a given display is a per-user preference, so if you need to set it for all users of a machine, you can’t just manually set it while logged in as one user and call it good.

If you are managing display profiles for a group of machines, or a conference room machine that has network logins, you need a way to manage display profiles for all users. Using MCX or doing some defaults scripting might come to mind. Let’s look at that possibility.

Continue reading “Accessing More Frameworks with Python” →

Command-line tools via Python and Cocoa

This post is based on a column I wrote for MacTech magazine in 2012. MacTech used to make older columns available online, but they haven’t done that for the past several years for some reason.
I’m planning to go through my older columns and dust off and republish some that I think are still relevant or useful.

Cocoa-Python, also referred to as PyObjC, is a set of Python modules and glue code that allow Python programmers to access many of Apple’s Cocoa frameworks. This allows you to do many things from Python scripting that might otherwise require compiling code in C/Objective-C. To access the Cocoa frameworks, you import them by name, just as you might import a regular Python module.

A quick example: the CoreFoundation framework contains methods to work with user preferences, a bit like the /usr/bin/defaults tool. We can use the CFPreferencesCopyAppValue function in Python simply by importing CoreFoundation, and then calling it like we would a function from a “regular” Python module:

#!/usr/bin/python

import CoreFoundation

print CoreFoundation.CFPreferencesCopyAppValue(
          "HomePage", "com.apple.Safari")

If you run the above code, it will print the current home page you have set in Safari. We’ve successfully used an OS X framework from Python!

Continue reading “Command-line tools via Python and Cocoa” →

Gatekeeper Configuration Data and XProtectPlistConfigData and Munki and Reposado, oh my!

If you haven’t read this already, please do:

http://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/

I’ll wait.

Done? OK. Concerned? No? Then you can skip the rest of this post.

If you are concerned, and would like to make sure your managed machines have these security updates, I have a solution for you — if it affects you (and you use Munki and Reposado; so what, about six people?)
Continue reading “Gatekeeper Configuration Data and XProtectPlistConfigData and Munki and Reposado, oh my!” →

“unsetpassword” alternatives

Recently, prolific Mac admin documentation writer Rich Trouton blogged about a new tool available in Yosemite: unsetpassword. It’s a tool with a rather specific purpose: to clear the password for a local admin user account and set it to require a new password.

Rich’s post is here.

Rich’s suggested use-case for this tool is this: you create a local account for a user on a new machine. Instead of then handing the machine over with a password you now know (and the user may not change) or with an empty password (that the user may not replace with a better one), instead, you run unsetpassword before returning the machine to the user. The user now logs in with a blank password and is immediately prompted to change it.

You actually have to run sudo unsetpassword while logged into the account. This limits its functionality to admin accounts — you can’t use this tool to unset the account password if you’ve set up a standard account for a user. It’s pretty common to provide standard accounts — that is, accounts without admin rights — to users in many organizations, so this is a significant limitation.

The tool also leaves the login.keychain and Local Items keychains in place, but does not reset their passwords, leading to an almost certainly confusing prompt when the user logs in after the password is unset.

unsetpassword also forces a shutdown after running. This doesn’t seem strictly needed. Certainly a logout is needed, but it seems annoying to have to go through a restart cycle.

Finally, this tool is available only on Yosemite. If you are still supporting and even deploying machines running older versions of OS X, you can’t use it. But there is good news. You can accomplish the same basic task (“unsetting” a local user account password) with other tools that exist in Yosemite and older versions of OS X.

Here are the commands:

sudo dscl . passwd /Users/username ""
sudo pwpolicy -u username -setpolicy "newPasswordRequired=1"


Where “username” is the short username of the user for whom you wish to “unset” their password.

The dscl command sets the user’s password to an empty string.
The pwpolicy command marks the account as requiring a new password.

If the user account is an admin account capable of running commands with sudo, you can run these commands while logged in as that account. You should then immediately log out. (Shutting down as the unsetpassword command does isn’t required.)

If you have a different admin account available (either locally or via directory services), or you can SSH in as root, you can run these commands for a non-admin user account.

We can also eliminate the keychain prompts. Since the intention here is a new account setup, there shouldn’t be anything of value stored in the login keychain, so we could just delete the login.keychain and Local Items keychains. When the user logs back in, these keychains will be recreated without prompting the user.

sudo rm -r ~username/Library/Keychains/*


As always, you should test these commands on some test accounts to get a feel for how they work. While the unsetpassword command is much easier to remember, the techniques presented here are more flexible and usable in more contexts.

Configuration Profiles and Identity payloads

In today’s MacTech deployment lab, the subject of using Identity payloads in configuration profiles came up.

Here: https://raw.githubusercontent.com/gregneagle/profiles/master/Identity_payload_demo.mobileconfig is a sample/demo configuration profile that contains both an Identity payload and an Email configuration payload.

When installed (by double-clicking the profile, after the normal warnings, the user is presented with a form for entering identification information:

After entering the requested information and clicking Continue, Mail.app gets a new Gmail account added with the information you entered.

MacTech Conference 2014: What’s New with Munki?

Here are links from my MacTech Conference 2014 presentation: “What’s New with Munki?”.

Munki itself:

• http://munki.github.io/munki/
• https://github.com/munki/munki

GUI tools:

• MunkiAdmin: https://github.com/hjuutilainen/munkiadmin

Web interfaces/Web reporting consoles:

• MunkiWebAdmin: https://github.com/munki/munkiwebadmin
• Sal: https://github.com/grahamgilbert/sal
• SalSoftware/Sal+: http://salsoftware.com
• MunkiReport-PHP: https://github.com/munkireport/munkireport-php
• Mandrill: https://github.com/wollardj/Mandrill/

Alternate Munki servers:

• Simian: https://github.com/google/simian
• MunkiServer: https://github.com/jnraine/munkiserver

Update management:

• aamporter: https://github.com/timsutton/aamporter
• AutoPkg: http://autopkg.github.io/autopkg/
• MacSysAdmin 2014 presentation on AutoPkg: http://docs.macsysadmin.se/2014/video/Day2Session5.mp4
• PennState Mac Admins 2014 presentation on AutoPkg: https://www.youtube.com/watch?v=mqK-MAEZekI&list=UUiRYn1OSRv2bvU3enNwoZxg
• MacSysAdmin 2013 presentation on aamporter and AutoPkg: http://docs.macsysadmin.se/2013/video/Day2Session4.mp4
• createOSXinstallPkg: https://github.com/munki/createOSXinstallPkg
• MacSysAdmin 2012 presentation covering createOSXinstallPkg: http://docs.macsysadmin.se/2012/video/Day2Session7.m4v

Miscellaneous tools and add-ons:

• Munki Manifest Selector: https://github.com/buffalo/Munki-Manifest-Selector
• Munki Enroll: https://github.com/edingc/munki-enroll
• Munki-in-a-Box: http://tbridge.github.io/munki-in-a-box/
• Authorization database: http://grahamgilbert.com/blog/2013/12/22/managing-the-authorization-database-with-munki/
• Configuration profiles: https://github.com/timsutton/make-profile-pkg/
• Managing printers: https://code.google.com/p/munki/wiki/ManagingPrintersWithMunki
/

Managed Software Center help page link:

• http://goo.gl/cL0Skr

Munki 2 documentation:

• https://github.com/munki/munki/wiki/Munki2%20Introduction

Munki discussion group:

• https://groups.google.com/forum/#!forum/munki-dev

Munki demonstration setup:

• https://github.com/munki/munki/wiki/Demonstration-Setup

Removing Munki:

• https://github.com/munki/munki/wiki/Removing-Munki

MacTech Conference 2014: What’s New with Munki?

If you are attending my session on Thursday: “What’s new with Munki?” and want to follow along/participate in setting up your own Munki demo, don’t temp the WiFi gods. Download these things in advance:

• Munki tools: https://github.com/munki/munki/releases/download/v2.0.1/munkitools-2.0.1.2253.pkg
• Firefox installer: https://download.mozilla.org/?product=firefox-33.0.2-SSL&os=osx&lang=en-US
• Google Chrome installer: https://dl.google.com/chrome/mac/stable/GGRO/googlechrome.dmg