Preventing users from disabling FileVault 2

I’ve seen a few online questions about how to prevent users from turning off FileVault 2.

The first line of defense, of course, is to not give admin rights to those users. As of Mavericks, however, there is an additional tool — you can use a configuration profile to prevent turning off FileVault (or at least disable the controls in the Security and Privacy preference pane — very clever users with admin rights might still able to turn it off using Disk Utility or the command-line diskutil tool).

Here is a configuration profile that disables the “Turn off FileVault” button in the FileVault tab of the Security and Privacy preference pane.

Since admin users can also remove configuration profiles, you should probably also lock this profile, requiring a password to remove it. That’s an exercise left for the reader, but here’s a starting point…

Add something like this to the PayloadContent array:

<dict>
    <key>PayloadDescription</key>
    <string>Configures Configuration Profile security</string>
    <key>PayloadDisplayName</key>
    <string>Profile Security</string>
    <key>PayloadIdentifier</key>
    <string>0dc319a0-c331-0131-eeb5-000c294ab81b.alacarte.ProfileSecurity</string>
    <key>PayloadType</key>
    <string>com.apple.profileRemovalPassword</string>
    <key>PayloadUUID</key>
    <string>65a90a90-c331-0131-eeb9-000c294ab81b</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>RemovalPassword</key>
    <string>PrOf1leReM0v@lPa$$w0rdG0esHere</string>
</dict>

Advertisement

Xcode 5 Cocoa-Python Templates

A couple of years ago I made some Xcode 4 project and file templates available to help in creating new projects that use Cocoa-Python, also known as PyObjC.

These templates kind-of, sort-of worked with Xcode 5, but due to changes in how Apple is supporting Python development, required some manual tweaking.

(See https://developer.apple.com/library/mac/technotes/tn2328/_index.html for “Changes To Embedding Python Using Xcode 5.0”)

I’ve updated the templates so they should “just work” with Xcode 5:

https://github.com/gregneagle/Xcode5CocoaPythonTemplates

Enjoy.

OS X Beta Seed Program

I’ve always advocated that Mac admins join the Mac Developer Program in order to get early access to OS X builds for testing and deployment planning.

I still think that’s a good idea. But if for whatever reason you can’t, Apple has a new program of interest:

OS X Beta Seed Program

I think it’s unlikely this will get you access to early builds of 10.10 (or whatever it’s numbered), but you can test 10.9.3…

MacTech Conference 2013

My colleague, Matt Schnittker, and I will be leading a workshop on “Python for Systems Administrators” on Wednesday at MacTech Conference 2013.

If you are planning on participating in the workshop, please visit here first to get your class materials: http://gregneagle.github.io/mtc2013_python/

Hope to see you there!

Mavericks and Multiple Displays

In OS X 10.9 Mavericks, Apple changed multiple display behavior in the most dramatic way since 1987. By default, each display now has its own menu bar. Windows can be dragged from one display to another, but they cannot span displays. And putting an application into full screen mode affects only one display. You can use other displays, either with multiple applications, or with other full-screen applications. Apple describes this behavior as “Displays have separate Spaces”, and indeed the effect is almost like having multiple Macs connected to a single keyboard and mouse. I find that I like the new behavior, as I tend to put different applications on different displays.

This is a very different way of working with multiple displays, and might cause some confusion and annoyance for your users and support staff if they aren’t aware of the change, or if it affects their workflows. If you or your users prefer the “old” pre-Mavericks behavior, it’s simple to revert. Open the Mission Control preference pane in System Preferences, and uncheck “Displays have separate Spaces”. A logout is required to effect the change.

If you think you need to manage this for your users, to revert to pre-Mavericks behavior, set “spans-displays” in the “com.apple.spaces” preferences domain to TRUE.


% defaults write com.apple.spaces spans-displays -bool TRUE


You could probably use MCX or a configuration profile to manage this as well.

VPN menu in Mavericks

If you use Apple’s built-in VPN and rely on the VPN menu bar item, you might have noticed that that in Mavericks the menu item no longer shows the connection time by default.

That can lead people to believe the VPN connection has not been established, or for users to forget they are connected. It’s quite easy to turn the feature back on: just select “Show Time Connected” from the VPN menu item.

If you want to manage this for your users, the preference is stored in the “com.apple.networkConnect” domain as a boolean value under “VPNShowTime”:

% defaults read com.apple.networkConnect
{
VPNShowTime = 1;
}

You could almost certainly set this with MCX or a configuration profile.