When the Freebox blocks access to Apple services

One of my clients ran into a strange problem: from his home it was impossible to connect to any of Apple's services: App Store, iTunes Store, etc. All of them went unanswered!

The solution was not very hard to find, though: it was the ad blocker built into his Freebox that was acting up. So remember to disable this option in your Freebox settings if you need to restore proper access to Apple services from your Mac.

32-bit application alert message in macOS 10.13.4

Starting on April 12, 2018, Macs running macOS 10.13.4 will display a one-time alert when 32-bit applications are opened. This alert will appear once per user account on the Mac, when a relevant 32-bit application is opened.

When the Learn More… button in the alert window is clicked, the following Apple KBase article opens in your default web browser:

32-bit app compatibility with macOS High Sierra 10.13.4
https://support.apple.com/HT208436

For those who need to stop this alert from being displayed in their environments, I’ve built a management profile to suppress the warning. It is available on GitHub via the link below:

https://github.com/rtrouton/profiles/tree/master/Disable32BitApplicationWarning

Whitelisting third-party kernel extensions using profiles

As part of macOS 10.13.2, Apple introduced the concept of User Approved MDM Enrollment (UAMDM). UAMDM grants mobile device management (MDM) additional management privileges, beyond what is allowed for macOS MDM enrollments which have not been “user approved”.

As of macOS 10.13.4, the only additional management privilege associated with UAMDM is that it allows you to deploy a profile which provides a whitelist for third-party kernel extensions. This profile allows a company, school or institution to avoid the need to have individual users approve the running of approved software.

Without the profile, third-party kernel extensions will need to be approved through the User-Approved Kernel Extension Loading (UAKEL) process. Here’s how that process looks:

1. When a request is made to the OS to load a third-party kernel extension which the user has not yet approved, the load request is denied and macOS presents an alert to the user.

2. The alert tells the user how to approve the loading of the kernel extension signed by a particular developer or vendor, by following this procedure:

A. Open System Preferences
B. Go to the Security & Privacy preference pane

C. Click the Allow button.

Note: This approval is only available for 30 minutes. After that, it disappears until the following happens:

i. The Mac restarts
ii. Another attempt is made to load the kernel extension.

While waiting for the kernel extension to be approved, a copy of the kernel extension is made by the operating system and stored in the following location:

/Library/StagedExtensions

Once approved, another copy of the kernel extension is made and allowed to load.

This process is relatively easy for an individual to manage on their own computer, but it would be very difficult to manage when dealing with more than a handful of Macs. To help companies, schools and institutions, Apple has made a management profile option available to centrally approve third-party kernel extensions. For more details, please see below the jump.

To help whitelist all kernel extensions from a particular vendor or whitelist only specific ones, Apple has made two sets of identifying criteria available:

  • Team Identifier
  • Bundle Identifier

Team Identifier

A team identifier is an alphanumeric string which appears similar to the one shown below:

7AGZNQ2S2T

It appears to correspond to the identifier of the developer or vendor's Developer ID certificate for signing kexts. This certificate would be used by a developer or vendor to sign all or most of their kernel extensions.

Whitelisting using the Team Identifier has the advantage of being able to whitelist multiple third-party kernel extensions from a specific developer or vendor. This capability allows Mac admins to identify a particular developer or vendor as trusted in their environment and have all of the relevant kernel extensions be allowed to load by the whitelist.

Note: The UAKEL process appears to use team identity when approving kernel extensions, which potentially allows multiple kernel extensions to be approved at once.

Bundle Identifier

The Bundle Identifier is specific to a particular kernel extension. It is contained in the Info.plist file stored inside each kernel extension.

Whitelisting using the bundle identifier allows the Mac admin to get very granular about which kernel extensions from a specific developer or vendor are approved and which are not. If using the bundle identifier as part of the whitelist, both the Team Identifier and the Bundle Identifier need to be specified in the profile.

To help Mac admins, a community-written Google Doc spreadsheet is available here which lists various team identities and their associated bundle identifiers:

https://docs.google.com/spreadsheets/d/1IWrbE8xiau4rU2mtXYji9vSPWDqb56luh0OhD5XS0AM/edit?usp=sharing

(Hat tip to Contains_ENG for creating the document and developing a script to detect the relevant kernel extension info.)

Using Team Identifier by itself in a third-party kernel extension whitelist profile

If you want to use only the Team Identifier when whitelisting kernel extensions, the profile should be written as shown below:

On the individual Macs which receive the profile, it should show up looking similar to this:

Using Team Identifier and Bundle Identifier in a third-party kernel extension whitelist profile

If you want to use both Team Identifier and Bundle Identifier when whitelisting specific kernel extensions, the profile should be written as shown below:

On the individual Macs which receive the profile, it should show up looking similar to this:
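
As an added example (not the post's own profile or code), the following Python script builds both kinds of whitelist profile discussed above, team-only and team-plus-bundle, using the keys of Apple's Kernel Extension Policy payload (com.apple.syspolicy.kernel-extension-policy). The team identifier is the one shown in the post; the bundle identifier, organisation name and payload identifiers are constructed placeholders.

```python
"""Generate a third-party kernel extension whitelist (.mobileconfig).

Added example, not code from the original post. Payload type and keys are
those of Apple's Kernel Extension Policy payload. The organisation name,
payload identifiers and the sample bundle identifier used in __main__ are
constructed placeholders; replace them with your own.
"""
import plistlib
import re
import uuid

# Team identifiers are 10-character alphanumeric strings (cf. 7AGZNQ2S2T).
TEAM_ID_RE = re.compile(r"^[A-Z0-9]{10}$")
# Bundle identifiers are reverse-DNS names such as com.example.driver.kext.
BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9]+(\.[A-Za-z0-9-]+)+$")

PAYLOAD_TYPE = "com.apple.syspolicy.kernel-extension-policy"


def kext_policy_payload(team_ids=(), allowed_kexts=None, allow_user_overrides=True):
    """Return the kernel-extension-policy payload dictionary.

    team_ids      -> AllowedTeamIdentifiers: every kext signed by these teams loads.
    allowed_kexts -> AllowedKernelExtensions: {team id: [bundle ids]}, so using a
                     bundle identifier always requires its team identifier too.
    """
    allowed_kexts = dict(allowed_kexts or {})
    if not team_ids and not allowed_kexts:
        raise ValueError("profile must whitelist at least one team or kext")
    for tid in list(team_ids) + list(allowed_kexts):
        if not TEAM_ID_RE.match(tid):
            raise ValueError("invalid team identifier: %r" % (tid,))
    for tid, bundles in allowed_kexts.items():
        if not bundles:
            raise ValueError("team %s lists no bundle identifiers" % tid)
        for bid in bundles:
            if not BUNDLE_ID_RE.match(bid):
                raise ValueError("invalid bundle identifier: %r" % (bid,))
    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadIdentifier": "com.example.kextwhitelist.policy",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Approved Kernel Extensions",
        # True keeps the UAKEL approval path for kexts not covered by the
        # profile; False makes this whitelist the only way a kext gets approved.
        "AllowUserOverrides": allow_user_overrides,
    }
    if team_ids:
        payload["AllowedTeamIdentifiers"] = list(team_ids)
    if allowed_kexts:
        payload["AllowedKernelExtensions"] = {t: list(b) for t, b in allowed_kexts.items()}
    return payload


def build_profile(team_ids=(), allowed_kexts=None, allow_user_overrides=True):
    """Wrap the payload in a system-scoped configuration profile dictionary."""
    return {
        "PayloadType": "Configuration",
        "PayloadScope": "System",  # kext policy only applies device-wide
        "PayloadIdentifier": "com.example.kextwhitelist",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Third-party kernel extension whitelist",
        "PayloadOrganization": "Example Org",  # placeholder
        "PayloadContent": [kext_policy_payload(team_ids, allowed_kexts, allow_user_overrides)],
    }


def to_mobileconfig(profile):
    """Serialise the profile dictionary to the XML plist bytes of a .mobileconfig."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    # Team-only whitelist for the team identifier shown in the post.
    with open("KextWhitelist-TeamOnly.mobileconfig", "wb") as fh:
        fh.write(to_mobileconfig(build_profile(team_ids=["7AGZNQ2S2T"])))
    # Team + bundle whitelist; the bundle identifier is a constructed placeholder.
    with open("KextWhitelist-TeamAndBundle.mobileconfig", "wb") as fh:
        fh.write(to_mobileconfig(build_profile(
            allowed_kexts={"7AGZNQ2S2T": ["com.example.driver.kext"]})))
```

The resulting .mobileconfig files only take effect when delivered through a user-approved MDM enrollment, as described at the start of this post.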

If you’re using Jamf Pro to deploy a third-party kernel extension whitelist profile, it should appear as a built-in profile option. Here’s how it should appear if using only team identifiers:

If using both team identities and bundle identifiers:

Gete.Net Consulting is hiring an IT technician

As part of its growth, Gete.Net Consulting is looking for a junior technician for the Apple environment (macOS, iOS, tvOS).

Your role

You have a good command of the various Apple operating systems and the associated hardware, as well as the services Apple offers. You know the main applications in the environment (Office, Adobe…) and are able to deploy them in heterogeneous environments. You will take charge of advanced fleet management systems and contribute your knowledge to improve users' day-to-day experience. You are able to come up with original solutions to new problems. And you are not afraid to open the Terminal and type obscure lines of text into it.

Gete.Net Consulting wants above all to value your skills. Show us that you know how a Mac and an iPhone work, and we will see whether we can work together. Passion will be our driving force (on top of a motivating salary, of course).

Please note: a large part of your work will be done remotely, since a good share of our interventions do not require a human presence on site at the client's. This may be seen as a plus… or a minus, depending. Don't let that stop you from applying. There will also be co-working days in Paris to plan for, and occasionally unscheduled interventions (emergency travel for critical cases, if I am not available).

  • Experience required: NO. Everyone has the right to start somewhere. Let's not miss out on talent because nobody ever gave them a chance. Show me first and foremost your motivation, the projects you have worked on, what you have already done or want to do.
  • Qualifications required: Baccalauréat + nothing. And even that is negotiable.
  • Position to be filled immediately. If you are not available very quickly, it will likely be complicated for me. If your profile is really interesting, I can still wait a little. But ideally, you should be on deck by June 1st at the very latest.

Operations

  • Installation and configuration of workstations and associated devices (macOS, iOS, occasionally Windows. But not too much.)
  • Installation of servers and NAS units.
  • Configuration and follow-up of iOS and tvOS devices.
  • Keeping the IT fleet in operational condition.
  • Creation and follow-up of user accounts (email, server access, configuration of printers, software…).
  • Writing intervention reports, user guides and procedures.
  • Proactive monitoring of the fleet (you will sometimes have to call the client to tell them about problems they don't see yet on their fleet).

Support

  • IT hotline, receiving user requests (by phone, through the ticketing software, by e-mail). Please note: this support part will most likely make up a large share of your work. If, for you, talking into a telephone is the height of horror, there is no point applying…
  • Application and system support for users (level 1, then level 2).
  • Help with using business applications (within reason: we are not asking you to know every piece of software by heart, but at least to be able to launch them).

Your qualities

You will need to be:

  • autonomous;
  • rigorous;
  • organized;
  • endowed with good analytical skills;
  • endowed with good interpersonal skills (not telling off clients, even when you are annoyed, is important).

You will need to know the Mac at least a little. I am not asking you to master the Terminal perfectly, but at least to know what it is for and to understand a minimum of how a Mac works. The rest, you will learn. We learn every day.

In addition, knowledge of Windows or Linux environments and of networking/security will be an appreciated plus.

You will very quickly work autonomously, providing remote or on-site technical support to Gete.Net Consulting's clients in the Paris region (Paris and the inner suburbs, rarely the outer suburbs)… while remaining under my supervision.

Type of employment, salary and benefits

  • Type of employment: Full-time (35 hours)
  • Type of employment: Permanent contract (CDI)
  • Apple hardware provided (Mac + iPhone), phone plan covered.
  • Salary: €2,200 gross, + profit-sharing / bonuses.
  • Home Internet subscription covered at 50% as part of remote working.
  • Navigo pass covered at 50%
  • Meal vouchers

And the biggest, most enormous bonus of all: you will be working with me. If that doesn't make you dream…

Still motivated?

Then send your CV + cover letter / e-mail (in PDF format only) to candidature at gete point net. If I like your profile, we will set up a meeting very quickly. In any case, I guarantee you an answer (positive or negative) within 7 days. PS: I am already VERY busy, so there is no point contacting me by phone or SMS. Send your application by e-mail only. I insist.

Thank you… and good luck :-)

Reclaiming drive space by thinning Apple File System snapshot backups

As part of a recent clean-up of my Apple File System-formatted (APFS) boot drive, I deleted a number of files. However, I noticed that deleting files did not free up nearly as much space as I thought it should. When I investigated, I noticed that my boot drive had a number of Time Machine snapshots stored on it.

A quick way to reclaim space from a particular snapshot immediately would be to delete the snapshot using the tmutil command line tool, using the command shown below:

tmutil deletelocalsnapshots snapshot-name-here

However, I didn’t want to delete backups if I could avoid it since I might need something stored in one of them. After some research, I was able to find a tmutil command that did what I needed. For more details, please see below the jump:

The tmutil command line tool on macOS High Sierra includes a thinlocalsnapshots function, which has the options shown below:

tmutil thinlocalsnapshots mount_point [purge_amount] [urgency]

Purge amounts are represented as bytes, so specifying 20 gigabytes of space would be represented by the number below:

21474836480

Urgency levels are 1 through 4, with the default urgency setting being 1.

Urgency level 4

Most urgent: Any current backup processes are stopped and thinning is performed immediately. The largest available backup will be the first thinned, with thinning proceeding through the next largest backups.

Urgency level 1

Least urgent: Current backup processes will be completed before the thinning process begins. The oldest available backup will be thinned first, with thinning proceeding through the next oldest backups.

To free up 20 gigabytes of space from the snapshots stored on the boot drive at maximum urgency, you would use the command shown below:

tmutil thinlocalsnapshots / 21474836480 4

The command may take a while to run, depending on what would need to be done to free up the requested space.

Note: The thinning process may actually free up more than the requested space, but it should free up the requested space as a minimum if the stored snapshots are taking up at least that amount of drive space.

[Screenshots: drive space before snapshot thinning, during snapshot thinning, and after snapshot thinning]

When Word 2016 refuses to launch

The latest version of Word 2016, 16.11.18031100, sometimes suffers from a curious problem, seen at two of my clients on certain machines: the application cannot be launched and seems to be waiting for something that never comes. It bounces in the Dock, then stops. And no error message. Reinstalling Office does nothing, and neither does clearing the caches or deleting Word's preferences.

Solution found on the Microsoft-Office channel of the Macadmins Slack:

– Close all network connections by unplugging the Ethernet cable or turning off Wi-Fi;

– Launch Word;

– Reconnect the network.

Tested and approved, and surely fixed in a future version. It is not impossible, though, that the bug comes back from time to time at random.

Suppressing the Data & Privacy pop-up window on macOS High Sierra

Starting with Mac OS X 10.7.2, Apple set the iCloud sign-in to pop up on the first login.

In OS X 10.10, Apple added a Diagnostics & Usage window that pops up at first login after the iCloud sign-in.

In macOS 10.12, Apple added another pop-up window for Siri.

In macOS 10.13.4, Apple has added a Data & Privacy pop-up window for their data privacy information.

To stop the Data & Privacy pop-up window from appearing for your home folder, run the command shown below:

defaults write com.apple.SetupAssistant DidSeePrivacy -bool TRUE

Since you normally will be able to run this command only after you’ve seen the Data & Privacy pop-up window, I’ve updated my script for suppressing the various pop-up windows to now also suppress the Data & Privacy pop-up window. For more details, see below the jump.

The script is below and is also available on my GitHub repo.

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/disable_apple_icloud_data_privacy_diagnostic_and_siri_pop_ups

This script is also available as a payload-free package on my GitHub repo, available for download from the payload_free_package directory available from the link above.

For those who prefer to suppress the Data & Privacy pop-up window using a profile, a .mobileconfig file is available via the link below:

https://github.com/rtrouton/profiles/tree/master/SkipDataAndPrivacy

macOS 10.13.4: erase and install in one go from the installer application

Since the dawn of time, reinstalling macOS from scratch has always meant restarting the Mac on another partition or on the Recovery partition, erasing the disk with Disk Utility, then installing macOS.

The latest version of macOS, macOS 10.13.4 to be precise, brings a small revolution.

Imagine: you need to refurbish a Mac that has already seen a lot of use. Or you want to reinstall everything as a clean install. In that case, after downloading the full 10.13.4 version of macOS from the App Store, and provided you were already on a macOS version equal to or later than 10.13.4, you can reinstall macOS directly while fully erasing the disk you are currently working on. Handy if you need to refurbish a fleet from Jamf Pro, Munki, Filewave or another tool.

To use the erase-before-install command, you cannot go through the graphical interface. Launch the Terminal and type the following command:

/Applications/Install\ macOS\ High\ Sierra.app/Contents/Resources/startosinstall --applicationpath /Applications/Install\ macOS\ High\ Sierra.app --eraseinstall --agreetolicense --nointeraction

The new --eraseinstall option erases the current volume before reinstalling macOS on top of it. A super-handy method for quickly refurbishing one or more Macs.

A few important things to know:

– Obviously, the command requires having the macOS High Sierra installer application in the /Applications folder.

– Furthermore, it will only work on APFS disks.

– According to the built-in documentation, the --eraseinstall option deletes ALL the volumes on the Mac. Not just the boot volume. Whereas Apple's documentation states that only the boot volume is affected. Well… Test it and let me know :)

– You can only erase the disk currently in use (so it is impossible to use the --volume option at the same time).

– Finally, and I repeat, the Mac from which you run the command must be running macOS 10.13.4 at a minimum.

Almost enough to make you forget the scheduled disappearance of Netboot / NetInstall on all Macs.

And of course, in case of data loss, the author disclaims all responsibility, etc. Remember to make backups.

Source

Using QuickAdd-based user-initiated enrollment on macOS High Sierra with Jamf Pro 10.3

Starting with Jamf Pro 10.3, user-initiated computer enrollment now has two modes:

  • macOS High Sierra: Uses an MDM profile to enroll the Mac, with the Jamf Pro agent being installed once MDM enrollment is complete.
  • macOS Sierra and earlier: Uses a QuickAdd installer package to enroll the Mac, with MDM enrollment and installation of the Jamf Pro agent being handled by the QuickAdd package.

However, it is still possible to get a QuickAdd installer package to enroll a Mac running macOS High Sierra. For more details, please see below the jump.

In order to obtain a QuickAdd package from user-initiated enrollment from a Mac running macOS High Sierra, you will need to enroll using the address shown below:

https://server.name.here:8443/enroll/?type=QuickAdd

Note: The Q and the A in QuickAdd are case-sensitive and must be capitalized.

To enroll with a Jamf Pro server using a QuickAdd package on macOS High Sierra, use the procedure shown below:

1. Go to https://server.name.here:8443/enroll/?type=QuickAdd
2. Enter your username and password, then click the Login button.

3. Click the Enroll button.

4. When prompted to download and install the package, click the Download button.

5. Verify that the QuickAdd downloads.

6. Run the QuickAdd installer.

Note: Enrolling with a Jamf Pro server using a QuickAdd package does not enable user-approved MDM. If this is necessary in your environment, I recommend using the MDM profile method to enroll the Mac in question.

User-initiated computer enrollment now using MDM profile enrollment in Jamf Pro 10.3

One of the changes introduced in Jamf Pro 10.3 is that user-initiated computer enrollment now has two modes:

  • macOS High Sierra: Uses an MDM profile to enroll the Mac, with the Jamf Pro agent being installed once MDM enrollment is complete.
  • macOS Sierra and earlier: Uses a QuickAdd installer package to enroll the Mac, with MDM enrollment and installation of the Jamf Pro agent being handled by the QuickAdd package.

Why the difference?

Using the MDM enrollment method on macOS High Sierra will automatically enable User Approved MDM, which is necessary for full management privileges on the Mac in question. The reason is that because the user installs the MDM profile, the user is also implicitly approving MDM management, which satisfies Apple’s conditions for enabling User Approved MDM.

For more details, please see below the jump.

The installation of the MDM profile can be configured two ways:

  1. The installation of a CA certificate, followed by an MDM profile.
  2. The installation of the MDM profile only.

The difference between the two depends on whether your Jamf Pro server is using a trusted third-party SSL certificate, either directly on your Jamf Pro server or on a load balancer which is handling SSL termination for the Jamf Pro server.

If one of the two conditions mentioned above applies, where your Jamf Pro server is using a trusted third-party SSL certificate, you can set the CA certificate installation to be skipped using the following procedure:

1. Log into your Jamf Pro server using an account with administrator privileges.
2. Go to the management settings.
3. Click on Global Management.
4. Select User-Initiated Enrollment.

5. Check the Skip certificate installation during enrollment checkbox.

If you’re not sure, leave the Skip certificate installation during enrollment checkbox unchecked. This will allow the installation of the CA certificate before the installation of the MDM profile.

Enrolling by installing a CA certificate, followed by an MDM profile

Pre-requisites

  • macOS 10.13.0 or later

1. Go to https://server.name.here:8443/enroll
2. Enter your username and password, then click the Login button.

3. Click the Enroll button.

4. When notified that you’ll need to install the CA certificate, click the Continue button.

5. When prompted to install the CA certificate, click the Continue button.

6. When asked to verify that you want to install the CA certificate, click the Install button.

A new CA Certificate profile should now appear in the User Profiles section of the Profiles preference pane.

7. When prompted to enroll the MDM profile, click the Continue button.

8. When prompted to install the Profile Service Enrollment profile, click the Install button.

9. When prompted to configure your Mac using a certificate, mobile device management and SCEP enrollment, click the Continue button.

10. When prompted to enroll the MDM profile, click the Install button.

11. When prompted for admin credentials, provide the username and password of a user with admin credentials.

The profile will install and should appear as verified.

The enrollment page should report that enrollment is complete.

Enrolling by installing an MDM profile

Pre-requisites

  • macOS 10.13.0 or later

1. Go to https://server.name.here:8443/enroll
2. Enter your username and password, then click the Login button.

3. Click the Enroll button.

4. When prompted to enroll the MDM profile, click the Continue button.

5. When prompted to install the Profile Service Enrollment profile, click the Install button.

6. When prompted to configure your Mac using a certificate, mobile device management and SCEP enrollment, click the Continue button.

7. When prompted to enroll the MDM profile, click the Install button.

8. When prompted for admin credentials, provide the username and password of a user with admin credentials.

The profile will install and should appear as verified.

The enrollment page should report that enrollment is complete.