Mac Operations

Talking about EC2 Mac at AWS re:Invent 2024

Mon, 09 Dec 2024 00:00:00 +0000

In 2020, I was in a cab leaving the Square office in SF, where I’d just completed interviewing for a “macOS CI Site Reliability Engineer” role. In that cab, I was told that AWS was secretly developing a product that would allow running Apple hardware directly in EC2. Just a couple of hours prior, my soon-to-be manager and I had discussed the possibility of shifting Square’s self-hosted datacenter Mac CI cluster to some other colo vendor or cloud provider.

MacDevOpsYVR 2023 "Stories and learnings from macOS Continuous Integration at Scale" Session Links

Wed, 21 Jun 2023 08:40:37 -0400

This week is the MacDevOpsYVR 2023 conference in Vancouver. I was thrilled to have the opportunity to speak this year about some of the Mac CI infrastructure at Block and our in-progress migration to EC2 Mac!

Here’s a list of various articles, tools, documentation and videos that have been referenced throughout this talk. Hopefully more to come on this blog as well on some other details I didn’t have time to go into.

Xcode 14's New Simulators Platforms Packaging Format

Tue, 20 Sep 2022 08:21:03 -0400

Nearly ten years ago, I published a post about how to download and deploy the iOS simulator runtimes independently of the Xcode app bundle. This is certainly the oldest post on the blog that I could say was still useful and accurate!

Prior to Xcode 14, one could navigate to the ‘Components’ section of the app preferences and download previous simulators. Under the hood, a “dvtdownloadableindex” plist file would be downloaded from Apple, containing metadata and templated URLs to download installer packages containing the full simulator runtime operating system packages, and then installed directly to the host’s filesystem inside /Library/Developer/CoreSimulator/Profiles/Runtimes. This resulted in a lengthy installation time due to the huge number of files (watchOS 9 simulator alone is over 180K files), and Xcode’s interface provided no method (that I could find, at least) to remove these large runtime packages, leaving you to figure out where they’d been installed and remove them yourself.

Apple Silicon macOS Guest Virtualization Updates, June 2022

Sun, 12 Jun 2022 10:03:24 -0500

It’s been eight months since I published a post with some early experiments and digging into the capabilities of Apple’s new macOS guest VM support on Apple Silicon as of Monterey.

Since then, we’ve seen:

Improved documentation and a sample project from Apple
Lots of new developments in both commercial and open source projects using the framework
New APIs revealed during WWDC week with macOS 13 Ventura and Xcode 14

As with the previous post, since my interest in macOS virtualization is always in the context of continuous integration and ephemeral build/test environments, this article is framed around that particular use case. Let’s dive in!

Changes to Screen Sharing / Remote Desktop Management in macOS Monterey 12.1

Fri, 17 Dec 2021 10:45:44 -0400

During the beta cycle for macOS Monterey 12.1, a new change was added that’s relevant for anyone administering macOS systems and using its built-in Screen Sharing / Remote Management service. Now that 12.1 is publicly available, it’s the 2nd bullet entry in the What’s new for enterprise support document:

I spent the last several days being confused by (1) how the change would impact my environment, (2) Apple’s documentation, (3) mixed reports from others about whether their prior methods for enabling Screen Sharing / Remote Management were still working as usual for them on Monterey 12.1, and (4) disagreement over what components of their existing solutions were even required to have functional Screen Sharing. I came across multiple Slack threads where people were confused by Apple’s documentation not matching their observations about existing solutions involving kickstart and PPPC configuration profiles.

Apple Silicon macOS Virtual Machines in Monterey's Virtualization Framework

Thu, 14 Oct 2021 01:45:44 -0400

Note: Since this article was originally published, there have been exciting new developments. Check out the follow-up article from June 2022 here.

When Apple released the first macOS 12 Monterey betas in June 2021, some interesting new APIs were added to the Virtualization framework developer docs. Here’s the new APIs below (at time of writing, where Monterey’s latest version is beta 10). In particular, notice the VZMac* APIs:

VZAudioDeviceConfiguration
VZAudioInputStreamSource
VZAudioOutputStreamSink
VZDirectoryShare
VZDirectorySharingDevice
VZDirectorySharingDeviceConfiguration
VZGenericPlatformConfiguration
VZGraphicsDeviceConfiguration
VZHostAudioInputStreamSource
VZHostAudioOutputStreamSink
VZKeyboardConfiguration
VZMacAuxiliaryStorage
VZMacGraphicsDeviceConfiguration
VZMacGraphicsDisplayConfiguration
VZMacHardwareModel
VZMacMachineIdentifier
VZMacOSBootLoader
VZMacOSConfigurationRequirements
VZMacOSInstaller
VZMacOSRestoreImage
VZMacPlatformConfiguration
VZMultipleDirectoryShare
VZNetworkDevice
VZPlatformConfiguration
VZPointingDeviceConfiguration
VZSharedDirectory
VZSingleDirectoryShare
VZUSBKeyboardConfiguration
VZUSBScreenCoordinatePointingDeviceConfiguration
VZVirtioFileSystemDevice
VZVirtioFileSystemDeviceConfiguration
VZVirtioSoundDeviceConfiguration
VZVirtioSoundDeviceInputStreamConfiguration
VZVirtioSoundDeviceOutputStreamConfiguration
VZVirtioSoundDeviceStreamConfiguration
VZVirtualMachineView

What’s interesting here is that (I think) it’s the first time we see native Apple APIs for macOS guest virtual machines.

MacDevOpsYVR 2020 "Shipping Python to Mac Clients in 2020" Session Links

Fri, 12 Jun 2020 08:40:37 -0400

I’m proud to have attended all but one of the six MacDevOpsYVR conferences, normally held in Vancouver, Canada. I was looking forward to being there in person this year but am grateful that the crew has kept it going virtually this year!

Today I’m giving a talk on Python delivery to Mac clients. You can grab the slides and video recording on the talks page. Here are links to things referenced in the talk:

MacSysAdmin 2018 "Riding Your Next Mac Admin Wave" Session Links

Mon, 08 Oct 2018 01:00:20 -0700

On October 5, I gave a presentation at my favourite conference - MacSysAdmin in Göteborg, Sweden - titled “Riding Your Next Mac Admin Wave.”

It was the last day and the first talk of the morning after the beer bash event, so bonus points to all of you who made it! This page is a list of references from the talk’s contents.

Links to the slides and video recording can be found on the talks page.

Using VMware Fusion 10 on "old" Mac Pro Intel CPUs

Wed, 12 Sep 2018 16:18:35 -0400

VMware Fusion 10 was released in August 2017. One interesting change is that its minimum system hardware requirements are more discerning in terms of the Intel CPU families supported. Notably, Mac Pro models from earlier than 2010 (i.e. earlier than MacPro5,1) are not supported. Attempting to start a VM on such Mac hardware results in the following dialog (screenshot is of version 10.1.2):

Unrestricted guest

Earlier versions had a more ambiguous dialog wording which didn’t explain the incompatible features, however it seems as though currently they seem to be providing more detailed info, mentioning the “unrestricted guest” capability.

Syntax highlighting in Apple Keynote Using highlight

Sun, 29 Jul 2018 08:00:20 -0700

My presentations often include code examples where having fixed-width fonts and code syntax highlighting is desirable, and Apple Keynote remains my presentation tool of choice for a variety of reasons. I’m still interested to give some other presentation tools a try, but I often find that tools which are Markdown-centric (and seem commonly used for showing code in presentations) lack a lot of the traditional editing, layout, and animation features I use in Keynote. So, I continue to use (and love using) Keynote.

Installing WebDriver as a Feature on Demand in Windows Redstone 5

Tue, 10 Jul 2018 08:00:20 -0700

Historically, Microsoft WebDriver, used for supporting automated testing of Microsoft Edge, has been a separate download that should be matched to the major Edge version used in the OS.

In Windows 10 Redstone 5, WebDriver is now a Feature on Demand. The details in the linked article are helpful to explain where the binary will end up after it is installed as an optional feature (%SystemRoot%\system32), however I was still looking for a way to automatically install the binary without needing to navigate to the Settings app and find the right sub-menu. Windows now has several places where something that could be named an “optional feature” can be added or installed, and as someone who doesn’t administer Windows as a full-time job, I never find the right location on my first try.

MacDevOps 2018 "Owning Your Stuff" Session Links

Thu, 07 Jun 2018 08:00:20 -0700

Here are links to my talk today at MacDevOps 2018, for the session: “Owning Your Stuff: Escaping from Development Dependency Hell.” Thanks to all attendees, and thanks to Mat X and the entire MacDevOps crew for hosting this conference for a fourth year!

You can also download the slides here.

Using Safari Technology Preview with Selenium WebDriver

Sat, 02 Dec 2017 12:08:30 -0800

I recently was attempting to diagnose an issue with the Safari Driver, the component of Safari which allows remote automation using the WebDriver protocol. In order to confirm whether my issue was a bug, I wanted to run the same test using a current Safari Technology Preview build and compare the results to Apple’s released Safari versions. I wasn’t able to find very clear examples or documentation about this, however, and wanted to be able to test it both with a local safaridriver as well as via Selenium.

MacSysAdmin 2017 'Apple's Unified Logging for Sysadmins' Session Links

Thu, 05 Oct 2017 00:00:00 +0000

Here are links and resources related to my MacSysAdmin 2017 talk: ‘Apple’s Unified Logging for Sysadmins’. Enjoying another fantastic conference here in Göteborg, Sweden, and thanks to all who attended! You can find the slides and video recording for this session and all the others at the MacSysAdmin documentation site.

New conference location at Chalmers. Photo courtesy of Mats Schwieger.

Apple Documentation

Developer Documentation: Logging
Bug Reporting: Profiles and Logs (Exhaustive list of logging-related configuration profiles for all Apple OSes)
WWDC 2016: Unified Logging and Activity Tracing
WWDC 2014: Fix Bugs Faster using Activity Tracing

Blog posts

krypted.com - Logs, Logging and Logger (Oh My!)
Eclectic Light Company - Many Sierra logging-related articles
Emily Kausalik - Finding Shutdown Causes in macOS Sierra’s Mind-boggling New Logging
Blackbag Technologies Blog - Accessing Unified Logs from an Image
Henry Stamerjohann and Éric Falconnier - State of logging (for Amsys blog)
Michael Tsai - Log/Console-related articles
Daniel Jalkut - Log Littering
Airbnb Engineering Blog - Introducing Syslog to AWS Kinesis via Osquery

Tools

Eclectic Light Company: MakeLogarchive, Consolation
Unified Logging Support in CocoaLumberjack

Misc

Zachary Waldowski - Apple Configuration Profile for Logging in iOS 10 and macOS Sierra (Well-annotated configuration profile for logging configuration options)
MacAdmins Podcast - Episode 52: Digital Forensics on the Mac with Sarah Edwards
Radar #34351855 - re: Apple’s logging documentation website

What macOS Version Did I Just Download?

Wed, 26 Jul 2017 00:00:00 +0000

When downloading the latest macOS Installer from the App Store, there’s no obvious way to confirm the exact macOS version in the installer from looking at the install assistant application itself. It’s been my experience that while the version of the installer app itself always increments, its version number is in no way related to the version of the macOS install image contained within (even though sometimes Apple seems to follow a certain pattern for a few point releases..)

University of Utah, MacAdmins Meeting April 2017 'Adobe CC - Lost in Translation'

Thu, 20 Apr 2017 00:00:00 +0000

The University of Utah, MacAdmins meeting is a monthly meeting with guest (mostly remote) presenters, and this month I gave a talk titled ‘Adobe Creative Cloud: Lost in Translation’, to cover a handful of the current issues I’ve seen with deploying Adobe Creative Cloud applications.

The recorded presentation can be found on the University’s Marriott Library archives here, where the slides can also be downloaded.

Here are links to items referenced in the presentation:

MacADUK 2017 'Advanced Mac Software Deployment and Configuration' Session Links

Tue, 07 Feb 2017 00:00:00 +0000

Today I’m giving a session at the Mac Admin and Developer UK 2017 conference, called “Advanced Mac Software Deployment and Configuration: Just Make It Work!” This post is a collection of links and resources from the session. Big thanks to Amsys for organizing this great conference!

You can also download the slides here. Now that the recording is available, you can watch it here:

Enabling HiDPI macOS guest VMs in VMware Fusion

Mon, 23 Jan 2017 00:00:00 +0000

There are often times when I’d like to take a retina-quality screenshot of something on a macOS system (for this blog, or a presentation, for example), but I’d like to screenshot something that I’ve got running in a virtual machine. macOS VMs by default run at a standard resolution that’s upscaled to the retina screen, making it look blocky by comparison - and more importantly, any screenshots taken within the guest VM will not be retina-resolution.

Stalling HTTP(S) downloads with VMware Fusion 8 and NAT

Sat, 21 Jan 2017 00:00:00 +0000

Update: This issue has been resolved in the VMware Fusion 8.5.7 update, released in May 2017. The workaround below is no longer necessary. The release notes linked above don’t sufficiently scope the issue, however: it’s not only git clone commands which stall, it’s any HTTPS transfer. git clone just happened to be an easy way to reproduce this with large repositories such as CocoaPods.

VMware Fusion 8 is a great general-purpose virtual machine hypervisor which shares a lot of the same infrastructure as the VMware ESX platform, and is my preferred choice for running macOS guest VMs (on Apple hardware). It has great support for NetBoot, FileVault 2, and some additional advanced configuration support useful for testing Mac-based infrastructure projects.

Preview to Mac Software Deployment Session at MacADUK 2017

Tue, 17 Jan 2017 00:00:00 +0000

This year I’m very excited to be attending and speaking at the Mac Admin & Developer Conference UK 2017 in London, with a session called “Advanced Mac Software Deployment and Configuration: Just Make It Work!”

Amsys have just published a preview post about this session which you can read about here on their blog, to get more of an idea of what I plan to cover.

Though I wasn’t able to attend this conference last year, I heard great things about it. Get a ticket before it sells out!

macOS Installers on the Mac App Store Now Show Date Updated

Fri, 16 Dec 2016 00:00:00 +0000

Since 2011, it’s been possible to obtain the OS installer from the Mac App Store, and one that’s been updated to the latest point version of macOS / OS X. For example, after OS X El Capitan was released on September 30, 2015, it was possible over the subsequent months to download an installer that was updated for versions 10.11.1, 10.11.2, and so on.

Whenever a new point version is officially released, Apple generally updates the Mac App Store version within a few hours, and many admins who are anxious to inspect it, or build new and test new images or installers, begin downloading and checking the build number to see if they’ve got the new version. Sometimes the updated HTML has been posted, but CDNs have not propogated the actual installers. Sometimes the App Store takes longer (a day or two) to post a new build.

Squirrel Updates, the Slack Mac App and User Environment Variables

Fri, 02 Dec 2016 00:00:00 +0000

Update: The workaround described below for disabling Squirrel updates specifically for Slack no longer works, as Slack’s Mac app as of 2.5.1 includes code to actively disable it. If you disagree (as I do), you can use the Slack /feedback command to send feedback to the developers.

Today in the Macadmins Slack #autopkg channel, my friend Ben mentioned he was seeing this update prompt for the non-Mac-App-Store version of Slack. It probably looked something like this:

MacSysAdmin 2016 'Tools and Process for Streamlining Mac Management' Session Links

Fri, 07 Oct 2016 00:00:00 +0000

Here are links and resources I refer to in my MacSysAdmin 2016 talk, ‘Tools and Process for Streamlining Mac Management’ in Göteborg, Sweden. Thanks to Tycho for another great conference!

The video recording and PDF of the slides for this presentation are also now available, along with all the other talks, at the MacSysAdmin documentation site.

macOS builds

NBI creation tools

AutoDSNBI - Per Olofsson
Imagr NBI creation docs - Graham Gilbert
AutoNBI - Pepijn Bruienne
NBICreator - Erik Berglund
AutoImagrNBI and AutoCasperNBI - Ben Toms

Packaging

munkipkg - Greg Neagle
The Luggage - Joe Block
Packages - Stéphane Sudre
Blog post by Pepijn Bruienne on signing packages for MDM InstallApplication
bruienne/pkgsign Docker image

Other

This Is Why You Shouldn’t Distract a Programmer
Munki conditions
munki-facts
Toyota Production System - Wikipedia, Toyota Global website
AutoPkg recipe repo setup script
Writing Robust Bash Shell Scripts - David Pashley
Calling external commands in Ruby and Python

MacDevOps:YVR 2016 'Jenkins CI for MacDevOps' slides and references

Mon, 20 Jun 2016 00:00:00 +0000

Today I’m presenting on the Jenkins CI project for the MacDevOps:YVR 2016 conference in Vancouver, Canada. This post contains links and references from the talk, and you can find the slides here. Here’s a link to the video:

MacAdmin projects mentioned

Jenkins job and config management

Job DSL Plugin
Groovy scripting language
AutoPkg-CI project code
Jenkins Job Builder
Jenkins Job Builder and Jenkins DSL Plugin compared: Part 1, Part 2

Jenkins plugins

Jenkins API wrappers

Pipelines

Other CI projects and platforms

Standalone tools

Hosted (BYO runner for some)

Some other public Jenkins instances

MacDeployment 2016 'Managing the User Experience' slides and references

Thu, 16 Jun 2016 00:00:00 +0000

Here are some references from my “Managing the User Experience” session at the MacDeployment 2016 conference in Calgary, June 2016. Thanks to everyone who attended!

Slides can be downloaded here.

Third-party app preferences

Apple-native Preferences

New Adventures in Automating OS X Installs with startosinstall

Mon, 04 Apr 2016 00:00:00 +0000

OS X El Capitan’s installer includes a nifty new command-line tool called startosinstall, which can be used to automate installations and upgrades of OS X El Capitan via the command line. Since you may be already familiar with the createOSXInstallPkg tool that can also help automate OS X installations, you might be wondering why you should care.

I’ll go into some technical detail about what this tool does and how, but first let’s go back a few years to provide more (and more) context.

Developer Binaries on OS X, xcode-select and xcrun

Sun, 07 Feb 2016 00:00:00 +0000

xcode-select is a command-line utility on OS X that facilitates switching between different sets of command line developer tools provided by Apple. Its primary function is to be a “master switch” for the actual paths resolved when invoking the commands for tools like make, xcodebuild, otool, etc.

From the manpage:

The tool xcode-select(1) is used to set a system default for the active developer directory, and may be overridden by the DEVELOPER_DIR environment variable.

Deploying Xcode - The Trick With Accepting License Agreements

Thu, 26 Nov 2015 20:44:54 +0000

If you’ve ever gone through the process of automating Xcode installations, you’ve no doubt run across the issue of making sure that the license for Xcode and included SDKs has been accepted. An unlicensed Xcode looks like this on first launch, and asks for admin privileges:

Or, try and run a command line utility and get:

➜  ~  strings


Agreeing to the Xcode/iOS license requires admin privileges, please re-run as root via sudo.

For a number of years the Munki wiki has been maintaining a list of actions to “finalize” an Xcode installation. See the script posted here on the Munki wiki, notably this part:

# accept Xcode license
/Applications/Xcode.app/Contents/Developer/usr/bin/xcodebuild -license accept

This useful trick with xcodebuild works if you have only a single Xcode app to deploy, but the situation becomes less clear if you maintain several on a single machine. And, you may have seen from time to time that you install a different version of Xcode (or a Beta version) on your own machine, that you need to re-accept the license again. What exactly is going on here?

Easy Version Comparisons with Python

Thu, 05 Nov 2015 18:52:11 +0000

This is just a little taste of why sysadmins find Python so approachable. If you’ve managed systems for long enough, you’ve probably had a need to compare two versions of something. For example, you want to do one thing if a given application or package is less than 2.0, and another thing if it’s greater. (For example, upgrade the application or package, or configure it differently in either case.)

If you’ve ever tried to do this in Bash, it’s terrible. And you may have seen various installer scripts that attempt to do this. Or even doing this within Installer distribution scripts, despite there being more robust mechanisms already provided by the OS that require no scripting.

The Office for Mac 2016 Volume License Installer, Two Months Later

Wed, 07 Oct 2015 15:24:37 +0000

It is now over two months since Microsoft has made the Office for Mac 2016 Volume License installer available for customers in the VLSC (Volume Licensing Service Center) portal. I have previously documented a couple major issues with the installer that impact those who deploy Office 2016 using automated means (meaning anything that doesn’t involve a user manually running the GUI installer).

In this post I’ll summarize two of the major issues and talk a bit about a conference session that was presented just this past week at MacSysAdmin 2015 by Duncan McCracken.

MacSysAdmin Tools Smörgåsbord

Tue, 29 Sep 2015 10:59:30 +0000

The MacSysAdmin 2015 conference is taking place this week in Göteborg, Sweden. In a session titled MacSysAdmin Tools Smörgåsbord, I’ll be going through a selection of tools that I’ve either written or contributed to and which are available on my GitHub repo.

Theatre entrance to the Folkets Hus. CC Image courtesy of Metro Centric on Flickr.

Here you can find the various links to tools, posts, etc. that appear in the session slides.

What's Wrong with the Office 2016 Volume License Installer?

Wed, 26 Aug 2015 14:19:19 +0000

Office 2016 for Mac comes in an installer package that has been causing several issues for Mac sysadmins deploying it in their organizations. At least a couple posts exist already for how to “fix” the installer and deploy the software, but I haven’t seen anyone actually detail some of these issues publicly. The best way to “fix” the installer is to have Microsoft fix it so that it can be deployed the same way we deploy any other software. Office is probably the most common software suite deployed in organizations, and so it’s a very bad sign that 2016 for Mac has begun its life as an installer that cannot be deployed without workarounds and/or repackaging.

In this post, as usual I’ll go into some detail about this installer’s problems, review some known workarounds and propose some solutions.

Disabling First-run Dialogs in Office 2016 for Mac

Thu, 06 Aug 2015 21:03:56 +0000

This post is part useful tidbit and part lesson in interacting with application preferences on OS X.

Office 2016 for Mac presents “first run” dialogs to the user to market some of its new features. Sysadmins often want to find ways to disable these for certain scenarios. I actually think these are often helpful for individual users, but may be less desirable on shared workstations or kiosk-like machines where users may use Office applications frequently from a “clean” profile that has never launched Office, and the repeated dialog becomes a nuisance.

Python For Mac Admins session resources

Thu, 18 Jun 2015 00:19:53 +0000

On June 18 and 19, I’ll be giving a talk at the MacDeploy and MacDevOpsYVR conferences, respectively in Calgary and Vancouver. The talk is a whirlwind introduction to “Python for Mac Admins” and is mostly based on code snippets and examples that I’ll be talking through in an interactive Python environment.

If you’d like to follow along, I’m putting the code resources up on GitHub, which you can clone or download a zip archive of from the website. I’d recommend cloning it with Git (git clone https://github.com/timsutton/python-macadmins-2015) so that you can pull any changes I add after this post has been published.

Adobe Creative Cloud Deployment - Pushing Installers with Munki

Tue, 02 Jun 2015 20:23:23 +0000

We previously covered a few aspects of Adobe Creative Cloud from the perspective of deploying it to OS X clients. We spent the whole time dealing with the licensing aspects but never talked about the actual installers and updates.

Adobe installers are spoiled

There is a single option available to you for getting the installers: you must use the Adobe Creative Cloud Packager application (CCP for short) to fetch and build OS X installer packages. Because Adobe has reinvented the wheel and opted to use their own custom installer framework, the installer packages that CCP outputs do not use any of OS X’s native installer features - instead the packages simply provide just enough of a mechanism to bundle up Adobe’s own installer tooling (which have actually grown substantially in size in proportion to the actual applications they install) and run them as “preinstall” scripts.

Adobe Creative Cloud Deployment - Managing Licenses with Munki

Fri, 29 May 2015 16:11:09 +0000

Previously we covered some boring details about Adobe Creative Cloud licensing and how this impacts deploying it to managed clients. We also covered a process and script I came up with that makes it slightly less painful to package up device and serial licenses for distribution to clients. Now, how to we manage these in a software management system? Since I use Munki, I’ll use that as a model for how you might manage this license from an administrative standpoint. This is Munki-specific, but the principles should apply elsewhere.

Adobe Creative Cloud Deployment - Packaging a License File

Thu, 28 May 2015 14:45:36 +0000

In the previous post, we covered the scenarios in which you might want to deploy a Creative Cloud device license or serial number separate from the actual applications, as a “License File Package”. Although the Creative Cloud Packager app supports this as a workflow, the problem is that it doesn’t help you out much with regards to the files it outputs.

Adobe has had the APTEE tool around for a while, as a command-line interface to the Creative Suite licensing tools, to aid with deployment automation - it’s a single executable which confusingly does not include “APTEE” anywhere in the name of the binary: adobe_prtk.

Adobe Creative Cloud Deployment - Overview

Wed, 27 May 2015 05:42:23 +0000

Adobe’s Creative Cloud licensing models add some new layers of complexity surrounding large-scale deployment in organizations. As I’ve been planning and testing our rollout in areas with managed, shared workstations I’m routinely uncovering new information, and the parts of this I think might be useful to others I will cover in several posts. There are several aspects here: 1) simply wrapping one’s head around the different licensing models, 2) understanding differences in the mechanisms with which these licenses can be deployed to machines, and 3) how to maintain all of all this using a software management system such as Munki or Casper. While I can only speak with experience with a subset of the licensing types and my management tool of choice (Munki), this may be useful if you have some of these in common, or you may also be able to port some specifics to another management system.

Upcoming conference talks for 2015

Wed, 06 May 2015 13:08:28 +0000

Pepijn Bruienne just posted a nice summary of the Apple administration-focused conferences coming up in 2015. I’m also happy to be a small part of several of those coming up:

Anthony Reimer has organized for its second year the MacDeployment workshop, hosted at the University of Calgary’s Integrated Arts Media Labs. I’m looking forward to visiting as the IAML seems similar to the environment I support at Concordia University’s Faculty of Fine Arts, and the Prairies are one of the only parts of Canada I’ve not yet visited.

Reclaiming inodes from Jenkins

Tue, 05 May 2015 18:19:58 +0000

A pet project I maintain is ci.autopkg.org, a Jenkins instance that runs all AutoPkg recipes in the autopkg/recipes repo on a schedule, and reports any cases where recipes are failing. There are currently 126 jobs, for the 126 recipes in the repo.

These AutoPkg recipes must be run on OS X, so there is always at least one OS X slave connected to by the master, which runs Ubuntu on the cheapest Digital Ocean droplet available. Every time a job runs on a slave (currently about every eight hours), Jenkins logs the results on the master in a set of files on disk, known as a “build.” By default, when a new Jenkins job is created, it is configured for builds to be kept forever, even though they can be deleted manually. Builds may also include “artifacts” - binaries or other output from a job - but in my case a build is mostly just state and console output saved from the build run.

Experiments with AutoDMG, System Image Utility and OS version compatibility

Thu, 09 Apr 2015 14:05:09 +0000

I use AutoDMG to build restorable system images for OS X, which uses a technique similar to System Image Utility’s NetRestore: run the OS X installer on one machine, but targeted at a disk image which is later converted to a read-only disk image, which can be restored to a Mac.

While running the 10.10.3 developer seeds on my build machine I noticed my AutoDMG builds seemed to never complete. After looking more closely at what processes were running, I noticed a suspicious process: /System/Library/Frameworks/Automator.framework/Versions/A/Support/update_automator_cache --system --force, which was called by a postinstall script in the com.apple.pkg.Essentials package. The process wasn’t actually hung - upon inspection using the opensnoop DTrace script, it was continuously re-indexing Automator bundles in an infinite loop.

Security Updates leaving mach_kernel visible

Wed, 11 Mar 2015 14:33:42 +0000

In the past, there have been cases where system updates for 10.8.5 (and possibly earlier versions) leave the OS X kernel (at /mach_kernel) visible to users in the Finder. This file has since moved to /System/Library/Kernels/kernel in OS X Yosemite, but previously to Yosemite it is located at /, and included in the package payload for system updates like OS X Combo/Delta and Security Updates.

OS X installers and updaters typically keep this file hidden in the Finder using a tool called SetFile, which is able to set miscellaneous file flags including the “hidden” flag. The Security Update 2015-002 for Mavericks, released on March 9, 2015, does not include any of the postinstall “actions” (miscellaneous scripts and tools executed by a master script) in the installer that were present in the 2015-001 update.

darwinup, Apple's Darwin Update utility

Wed, 21 Jan 2015 19:46:53 +0000

Yesterday in ##osx-server, Pepijn Bruienne mentioned having stumbled upon an OS X system binary he’d never seen before, which was new to me as well: darwinup. This tool is used (or was used - public development of it seems to have stopped around OS X 10.7) for the purpose of managing versions of OS X system components by installing “roots” distributed in a variety of ways. It abstracts several different archive formats and wraps tools like curl, tar, rsync to perform its tasks.

OS X admins: your clients are not getting background security updates

Thu, 18 Dec 2014 16:50:48 +0000

Have I got your attention? The more accurate (and longer) qualifier for this title should actually be: “admins who configure clients to not automatically check for software updates.”

From recent discussions in ##osx-server, some of us have determined that OS X’s “system data files and security updates” will only install automatically if a client is already configured to automatically check for updates. Many sysadmins managing OS X clients tend to disable this setting so that they can control the distribution of these updates, but aren’t aware that their clients are now no longer receiving Apple’s background updates for at several of its built-in security mechanisms, including XProtect and Gatekeeper.

Rich Trouton beat me to this post with his post yesterday, but it prompted me to do a bit more digging into trying to reproduce an issue that comes up when attempting the most obvious workarounds for this issue, which I’ll outline after giving some more context.

Update: Greg Neagle has come up with a simple but flexible workaround for the issue described below, which he’s implemented in Reposado and documented here. If you use Reposado (and you really should), look into the new --remove-config-data option that can be applied selectively to SUS updates you’re mirroring.

Keeping your OS X VM guest tools current with Munki

Wed, 19 Nov 2014 16:36:31 +0000

I use VMware Fusion to test client software, deployment workflows, and using virtual machines allows me to frequently take and roll back snapshots. Over time, the VMware guest OS tools tend to drift out of date with the version of Fusion, and are reported to need updates/reinstalling. Sometimes when this happens, things like pasteboard synchronization, automatic window resolution resizing and drag-and-drop file transfers stop working. I’d like to not have to manually click “Update VMware tools..” and go install the tools manually every time I notice the tools are out of date between snapshots (which on my system seems to be frequently).

Luckily, I use Munki to manage OS X clients, and it’s great at updating software. In this post I’ll walk through the few steps I did to have all my test machines configured to automatically keep their VMware tools up to date. The same logic should apply for other software management platforms like Casper, Absolute Manage or Puppet, using their respective mechanisms for customizable discoverable attributes. This technique should work for users of Parallels, if they use a sane OS X installer for their tools. VirtualBox has yet to ship with any OS X guest tools.

More about suppressing diagnostics submissions popups in OS X Yosemite

Tue, 18 Nov 2014 19:35:17 +0000

With OS X Yosemite, Apple added an additional phase to the Setup Assistant: the offer to submit diagnostics info to Apple and third-party developers, which is displayed either as part of a initial setup or upon first login (similar to the iCloud prompt).

Those who administer OS X clients typically look to disable such prompts on managed machines, either to avoid annoying users in shared workstation environments or because the organization may not (or may) wish to provide diagnostics information to Apple and third-party developers.

MacTech Deployment Discussion/BOF/Q&A Notes

Fri, 07 Nov 2014 18:46:23 +0000

At MacTech Conference 2014 in Los Angeles, Graham Gilbert and myself conducted a discussion / birds-of-a-feather session on the broad topic of OS and software deployment for OS X and iOS.

Allister Banks was present and dutifully took notes and reference URLs of specifics that were mentioned - solutions, blog posts, and other resources. We thought these would be great to share:

How Do I Contribute? MacTech 2014 presentation links

Wed, 05 Nov 2014 22:20:44 +0000

For everyone at the MacTech Conference in Los Angeles this year, here are links to various resources that are linked and referred to in my talk today on Git and source code collaboration.

Source Control Management:

Learning resources:

GUI Applications:

SourceTree (Atlassian)
Tower (fournova)
GitHub for Mac (GitHub)
GitX-dev by rowanj

GitHub:

Yosemite deployment images and (Beta) Feedback Assistant

Fri, 17 Oct 2014 13:50:39 +0000

Yosemite was released yesterday, October 16, as OS X 10.10 build 14A389. One of the first thing a lot of Mac admins do with new OS releases is build never-booted disk images for deployment using the mighty AutoDMG tool written by Per Olofsson.

While I still wait to see if Apple will offer my machine running the latest Yosemite Public Beta to upgrade to the exact same build number, I yesterday built an image of 14A389 on this system and added my usual handful of packages: creating an admin user, disabling the Setup Assistant and disabling the iCloud welcome dialog for new users.

AutoPkg: Crowd-sourcing Mac packaging and deployment

Wed, 17 Sep 2014 13:53:57 +0000

Thanks to everyone who attended Greg’s and my talk today at MacSysAdmin 2014 in Göteborg! Again, I give my sincere thanks to Tycho and all those who organize the fantastic MacSysAdmin conference every year. I’m honoured to be among such great company, speakers and attendees.

Here are the links for resources that were mentioned in the slides:

AutoPkg:

Getting support:

Other tools:

A Tour of Charles, Your HTTP(S) Swiss Army Knife

Tue, 22 Apr 2014 13:29:33 +0000

There are times when it’s helpful to be able to know exactly what HTTP traffic is being sent or received on your Macs. Perhaps you’re auditing a 3rd-party application to see what connections it makes to outside servers, or maybe you’re interacting with – or writing – a REST API. Perhaps you just want to see every transaction between you and Apple’s servers when you use the Mac App Store to download apps, or use Internet Recovery.

Anyone doing systems administration long enough will have eventually used the packet capture library in some form, usually in the form of tcpdump and/or the Wireshark application, a powerful set of tools for analyzing all types of network traffic. This is very useful if you’re writing a NetBoot server replacement and need to inspect at the packet level, but if we’re only interested in HTTP(S) traffic, there are better, more specialized tools available. In this post I’ll introduce Charles, a web proxy and GUI tool for inspecting and diagnosing HTTP traffic. Since I’m often interested in knowing how software performs update checks, I’ll use this as an example.

Building native extensions since LLVM 5.1

Tue, 15 Apr 2014 16:22:36 +0000

With LLVM / clang 5.1, Apple introduced a change where any unrecognized command option causes a hard failure. Unfortunately, there are many packages in the Python package index that have not yet adapted to this change when building on OS X and include unsupported flags (in my experience it’s usually been -mno-fused-madd). I first started running into this frequently when installing some Python packages using pip. This can also be an issue for other package managers like RubyGems.

How to Package Profiles

Thu, 10 Apr 2014 20:51:38 +0000

Part of a managed Mac’s configuration is often one or more Profiles, either Configuration Profiles, or an Enrollment Profile for an MDM server like Apple’s Profile Manager or Cisco Meraki Systems Manager.

There are multiple ways to install these. You can have users double-click and install these .mobileconfig files themselves via a website or e-mail if they have administrative rights on their machines. You can have DeployStudio install them as part of a workflow and not care how it’s done, or have a management service like the Casper Suite configure and manage them for clients (and again, not need to care how it’s done).

Installing Command Line Tools automatically on Mavericks

Wed, 23 Oct 2013 13:01:01 +0000

In Mavericks, the Xcode Command Line Tools can be downloaded from the ADC downloads page like with previous versions. Now, though, they can be also be installed on-demand in a similar fashion to how Java has been installed since Lion, by simply invoking a command installed by them such as otool, or a new option in the xcode-select utility: --install.

In this post we’ll look at how you can trigger and run this installation in an automated way, eliminating the need for any user interaction.

Deploying Xcode and CLI tools: what's new in Xcode 5

Thu, 19 Sep 2013 19:17:22 +0000

Xcode 5 was released to the public on September 18 along with iOS 7. If you deploy Xcode and the command-line tools, a few things have changed since 4.x. There’ve been a couple other posts on this blog in the past about the steps required to successfully deploy Xcode and/or CLI tools.

In this post we’ll look at what’s new with Xcode 5.

Java 7 web plugin deployment: redux

Wed, 18 Sep 2013 13:56:02 +0000

The Oracle Java 7 JRE (a web plugin) began shipping last year, and has grown a small maze of clever mechanisms to maintain a schedule of checking for updates. It’s a sad tale of the misuse and abuse of launchd schedule re-writes and re-loads, the Sparkle Framework, storing Java properties-like prefs in OS X defaults, and having two different systems that actually check for updates implemented in two different languages and runtimes.

I covered this earlier this year in a couple posts. It also prompted me to write an overly-opinionated recipe for AutoPkg.

Update-checking control in the Java Control Panel

The takeaway from those previous two posts is that the plugin has a mechanism triggered by the applet to check for updates, but because this only runs once the plugin is loaded via a browser, there is also a background-check LaunchAgent that prompts the user to install the latest version via a Sparkle dialog (a process which later goes and re-loads LaunchAgents as root instead of you, but read the earlier blog posts if you care.)

Now that Update 40 has been out for over a week, I’ve taken some time to look at the changes to the installation that should be of interest to anyone deploying it en masse.

Configuring ColorSync display profiles using the command-line

Fri, 16 Aug 2013 13:45:10 +0000

Managing ColorSync ICC profiles for displays is something I do for certain workstations via MCX, and it’s always been a pain. Typically I would manually configure a profile for a display, then open up that user’s ByHost .GlobalPreferences preference stored on disk, extract the keys for the hardware-specific GUID that corresponds to that monitor (something like Device.mntr.00000610-0000-9C6B-0000-000004271AC0), and import them into MCX, ending up with a blob like this:

Java 7: How not to use launchd for your app

Fri, 15 Mar 2013 22:03:06 +0000

The Oracle Java 7 package contains launchd items to support its Sparkle-based background update check app that I complained about previously. In this post we’ll go through its logic exhaustively and use it as an example of how to not deploy a LaunchAgent, and issues when trying clever things in LaunchDaemon scripts.

For some, there should be new information about how launchd works in general, as I think for many admins its behavior is somewhat opaque. Along the way I also learned some new launchctl command options.

Managing Xcode CLI tools

Fri, 15 Mar 2013 14:54:43 +0000

In a previous post on deploying Xcode components, I showed how the iOS Simulators are defined in a metadata file used by Apple, called dvtdownloadableindex, which is a binary plist containing information about all the “Components” available in the Downloads preference area.

What’s useful about this file is that it describes in a human-readable way what Xcode uses to determine what component updates are available and what’s already installed. Up until yesterday, the CLI tools used only SHA-1 sums on specific binaries and libraries to determine whether the package was installed, which was somewhat frustrating to those of us deploying it, because it meant the actual package receipt version numbers were next to useless. Munki, for example, couldn’t use these to determine installed status, but one could at least use these to know what files to use to track the installation. Munki can use MD5 checksums to specify a file’s contents.

Everything you'll wish you didn't know about disabling Java 7 updates

Mon, 25 Feb 2013 01:11:38 +0000

Oracle’s Java 7 JRE for OS X was first officially released in October 2012. As expected, there have been issues deploying and testing it, amidst confusion about Apple’s Java 6 updates and it disabling symlinks to the web plugin, the pre-emptive disabling of Java with XProtect, and more.

And of course, the first thing administrators need to verify is that deployed software won’t periodically nag the user to install an update that they don’t have sufficient rights to install, or that they shouldn’t install for other reasons. I’ll cover a few ideas in this post specifically about the updater mechanisms and approaches to disabling it, and focus on other specific issues with this package in future posts.

New utility: XProtect Packager

Mon, 11 Feb 2013 17:13:58 +0000

Roughly a week after the first widespread panic with the XProtect mechanism disabling Java on OS X, the same thing happened with the Flash plugin, with Apple issuing a definition update blocking all old versions about 3 hours after the latest Flash was available. (At least this time a newer version was available.)

It’s clear that a management strategy could be very useful in environments where users aren’t admins on their computers and can’t install updates themselves. One such strategy is to simply disable the updater, but the definitions should still be pushed to clients as you roll out new plugin versions, to enforce minimum security requirements as well as be able to protect against known malware.

Monitoring Apple's XProtect meta feed for changes

Sat, 02 Feb 2013 20:22:30 +0000

Greg had an interesting blog post yesterday on handling Apple’s XProtect Updater mechanism for managed environments, as admins were still scrambling to resolve clients that suddenly had their Java Web Plugin disabled and no newer version available to install that would satisfy Apple’s minimum version requirements defined in its XProtect blacklist (new versions of Java 6 from Apple for OS X 10.6 and Java 7 from Oracle have since been posted).

Introducing Brigadier, a tool for automated Boot Camp driver download and installation

Tue, 29 Jan 2013 20:15:10 +0000

Anyone doing Windows deployment on Macs, and dealing with getting and installing the Boot Camp drivers, has probably found it to be a pain point. I recently wrote a small tool called Brigadier that I’m now testing in my environment, that will fetch Boot Camp ESD packages for any model from either OS X or Windows.. and even install them automatically on Windows. You can point it to your internal SUS for fast download speeds.

Rolling OS X packages with FPM and Homebrew

Sat, 19 Jan 2013 20:15:54 +0000

Two cool open-source package managers, FPM and Homebrew, recently got some new OS X Installer Package capabilities.

fpm -t osxpkg

Jordan Sissel’s FPM packaging tool was designed for systems administrators to very easily roll packages for RedHat, Debian and other platforms and abstract away the obscure details of the package formats themselves.

FPM is written in Ruby, and I decided (somehow) it could be a fun learning exercise to look at implementing support in it for building OS X packages. FPM version 0.4.27 was released a few days ago, available as a gem install, and now supports OS X package input and output, at least on OS X platforms with pkgbuild installed (built-in on OS X 10.8 and 10.7, for 10.6 requires an installation of Xcode 3.2.6 or later).

Flat packages: persisting obsolescence

Tue, 18 Dec 2012 00:22:20 +0000

Packaging is somewhat of a black art on OS X. The Flat Package format has been in existence since 10.5, but only recently are more 3rd-party packaging tools like JAMF Composer starting to move to this format by default. PackageMaker’s days as a hidden download in the Apple Developer Center Auxiliary Downloads package are numbered. In this post I’ll look at one aspect of the package system that’s perhaps less widely known, the “ownership” of a file to a package, and how this affects behaviour that can be tweaked when building flat packages, using pkgbuild as the reference package-building tool.

Customizing hardware model filters for NetBoot

Fri, 07 Dec 2012 02:19:03 +0000

Until the release of Lion, differentiating NetBoot images for DeployStudio Runtime to support different models was fairly simple. You’d have a Universal 10.5 image for booting PowerPC machines, and a 10.6 Intel image for Intel machines.

Then Lion was released, and supported nearly every Intel Mac, leaving only the first generation models with 32-bit Core processors behind. Then Mountain Lion was released, and the compatibility matrix became more complex. With Apple announcing at the same time that they would be releasing a major new version of OS X every year, we can expect this trend to continue, and that we’ll need to know exactly which models can boot which versions of OS X. We’ll take a look at how we can offload this decision to the NetBoot server to make the process as simple as possible on the client end.

Interfacing with DeployStudio using HTTP

Sun, 02 Dec 2012 23:51:22 +0000

DeployStudio is frequently a starting place for deploying and configuring Mac systems. It has a computer database that can store information like computer/host names, default workflows, management settings and custom properties that can be leveraged by workflow scripts and inventory systems.

It’s well-known that all this database information is stored in plain XML plist files in the DeployStudio repository, one per computer, named after the value of the computer’s primary key (serial number or MAC address). Sometimes people have wanted to manage this data from an external source like a web form or script that can be used by technicians deploying new hardware, but run up against the fact that changes to these files can only be loaded by restarting the DeployStudioServer service. That’s by design. These plists are DeployStudio’s database, and we don’t directly interact with an applications’s database if we can ever help it; that’s what APIs are for, and DeployStudio has a basic REST-style API which it uses to perform all its communications between the server, admin client and runtime instances. This post will show some basic examples of how simple it is to interact with DeployStudio via command-line tools, and a Python example for setting arbitrary properties in the computer database.

Xcode deployment: The dvtdownloadableindex and iOS Simulators/SDKs

Mon, 19 Nov 2012 13:45:19 +0000

Around the time of the release of OS X Mountain Lion, Xcode moved to a single drag ’n drop .dmg model to simplify the user installation experience, and Apple was nice enough to make the Command Line tools a separate download. Unfortunately, this hasn’t simplified the process of mass deployment, and we now have more moving pieces to keep track of than ever before. Anyone who’s deployed Xcode recently may be familiar with its laundry list of post-installation tasks.

Some downloads, like the Command-Line Tools and earlier iOS Simulator/SDK versions, show up in a new “Components” download area located in Xcode’s Preferences. We’ll look at where this index comes from, how we can inspect it to get the iOS simulator .dmg download URLs, and one method of modifying the simulator installer packages so that they install to the correct location via any standard package distribution method like Munki or Casper. If you manage installing the Command-Line Tools as well, you’ll find metadata here that will help with tracking version installs (anyone who’s tried to manage deploying/updating them knows they don’t use Apple package versioning).

Xcode Preferences: Downloads

We’ll also quickly review the other steps typically required to “finalize” the Xcode installation for most deployment scenarios. Big thanks to Nate Walck for testing what I’d originally documented for the iOS Simulator installation and determining that I’d skipped an important step!

Modifying the TCC database

Sat, 10 Nov 2012 13:27:33 +0000

Mountain Lion introduced a new iOS-like feature to allow users to be notified when an application requests access to that user’s contacts:

…and to be able to modify this access later:

Why does Final Cut Pro 7 want to access contacts? Final Cut Pro 7 introduced a feature that uses iChat (which doesn’t even really exist in Mountain Lion), therefore when a user first launches FCP, OS X will ask permission to allow FCP to access that user’s contacts.

It might be nice to be able to pre-allow or -disallow access for applications without user intervention, especially in scenarios where user Library data isn’t persistent across logins in a multi-user environment, where users would otherwise be nagged frequently to access what’s likely an empty Contacts database.

Disabling updates in Acrobat Pro X: A case study in wasted effort

Sun, 26 Aug 2012 15:32:59 +0000

Adobe’s Acrobat family of products has been historically painful for IT to distribute and manage. While this article focuses on a simple management setting – suppressing update checks and notifications for all users – it’s an example of how configuring even the simplest, arguably most universally required management setting for an Acrobat-deploying IT department is an exercise in frustration at every turn, largely due to Adobe’s Acrobat team insisting on reinventing the wheel for basic functionality already provided by native OS APIs and frameworks, compounded by many technical errors in their documentation.

On OS X, Acrobat Pro X and Reader 10 became distributable in the standard Apple pkg format, and this was generally a huge improvement for the deployment and update process. Acrobat Pro 9 currently requires twenty sequential patches required to bring Acrobat Pro 9 to an up-to-date version.

Too many updates.

Things are much better now, but configuring a common setting such as disabling update checks for all users has remained unnecessarily complicated, for despite Adobe using a property list to store these parameters, they were per-user only, requiring these to be managed either using MCX/Profiles or a manual script to apply the appropriate preference in every user’s Library folder (ie. at login time with a LaunchAgent).