Updated MigrateADMobileAccounttoLocalAccount script now available to fix migration bug

A couple of years back, I wrote a script to assist with migrating AD mobile users to local users. In my testing in 2016, everything seemed to work right and I didn’t see any problems with it on OS X El Capitan.

Fast forward a couple of years and a colleague of mine, Per Oloffson, began running into a weird problem with upgrading Macs from Sierra to High Sierra. When he upgraded Macs from macOS Sierra to macOS High Sierra, he was finding that Macs that had been migrated from AD mobile accounts to local accounts were having those same accounts break.

After a considerable amount of troubleshooting, he was able to narrow it down to the macOS High Sierra installer changing the password hash on those accounts. But why was it changing them?

In short, it was changing them because of a bug in my original MigrateADMobileAccounttoLocalAccount.command interactive migration script. Sorry, Per. For more details, please see below the jump.

The problematic sections are highlighted below. When the script backed up the AD mobile account’s password and then restored it, it was adding single quotes to the beginning and end of the password hash string.

[Screenshot omitted: the backup and restore lines of the original script]

The password hash string should have looked like this:

[Screenshot omitted: the correctly stored password hash string]

Instead, it looked like this:

[Screenshot omitted: the hash string wrapped in single quotes]

The odd part of the situation is that macOS Sierra was seemingly OK with the extra characters in the password string. It wasn’t until the macOS High Sierra installer re-checked and altered the account plist that the problem occurred.

To fix the migration process, I’ve updated the script to better handle the backup and restoration of the account password. The backup now queries dscl for the correct XML output and restores that, which should address the problem with the script.

[Screenshot omitted: the updated backup and restore section of the script]

In my testing, the password hash is now appearing correctly in the account’s plist file.

[Screenshot omitted: the account plist with the correctly stored password hash]

Testing

This script has been tested and verified to migrate AD mobile accounts to local accounts on the following versions of macOS:

  • macOS 10.13.5

In that testing, I did the following:

Testing on logged-in AD mobile user account:

  1. I set up an AD-bound VM and created an AD mobile account with admin privileges.
  2. I logged into the AD mobile account and ran the script while logged in as that account.
  3. Once the account had been migrated, I rebooted and verified that I could log in at the OS login window.
  4. I changed the password for the local account to a new one and rebooted.
  5. I verified that I could log in at the OS login window with the new password.

Testing on logged-out AD mobile user account:

  1. I set up an AD-bound VM and created an AD mobile account with admin privileges.
  2. I logged into the VM using a local account which was not the AD mobile account and ran the script while logged in as that account.
  3. Once the account had been migrated, I logged out and verified that I could log in at the OS login window with the just-migrated account.
  4. I changed the password for the newly-migrated local account to a new one and rebooted.
  5. I verified that I could log in at the OS login window with the new password.

Note: I did not test with FileVault-enabled accounts.

Advisory: Older versions of OS X and macOS were not tested and I have no idea if the script will work on those older OS versions.

Warning: I was able to test in my shop’s AD environment and verified that everything worked. That does not guarantee it will work in your environment. Test thoroughly before deploying in your own AD environment.

The updated script is available below, and also available on GitHub at the following address:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/migrate_ad_mobile_account_to_local_account

Sending Jamf Pro notifications to Slack

One of the features offered by Jamf Pro is the ability to send notifications of various events to specified email addresses. Any Jamf Pro user account can be set up to receive these emails, so they’re a convenient way to be notified about events affecting your Jamf Pro service.

These notifications include the following:

  • An instance of the Jamf Pro web application in a clustered environment fails
  • An updated patch reporting software title is available
  • Computer is enrolled using PreStage
  • Database backup fails
  • Database backup succeeds
  • Error occurs during imaging
  • Error occurs when policy runs
  • Jamf Pro account is locked out because of excessive failed login attempts
  • Jamf Pro fails to add file to JDS instance or cloud distribution point
  • License limit is exceeded
  • One or more Memcached Endpoint(s) are not reachable
  • Restricted software violation occurs
  • Smart computer group membership changes
  • Smart mobile device group membership changes
  • Smart user group membership changes
  • SSL certificate verification is disabled
  • Tomcat is started or stopped
  • VPP token is approaching expiration date

That said, I get enough emails on a daily basis that I’d prefer to have these notifications go to a channel in Slack. That way, my whole team can be notified about issues and there’s a searchable log of when events occurred.

There are solutions for sending notifications directly to Slack, but I wanted to avoid using middleware in favor of using the built-in notifications in Jamf Pro. Fortunately, there’s a way to do that using tools available from Slack. For more details, see below the jump.

As part of its paid plans, Slack includes an app integration called Email. This Slack app will give you an email address to send to and allow you to select a channel where the emails should appear.

As an example, you may want to set up a channel in your team’s Slack instance named #jamfpro-notifications and then configure the Email app so that it provides an email address associated with the #jamfpro-notifications channel.

Any emails sent to the specified address would appear in the #jamfpro-notifications channel. You can also configure a specific icon to be associated with the posted messages.

Once you have the Slack email address, you can then set up a local user in Jamf Pro to send the notifications. This user account can have no account privileges at all, as no privileges are needed to receive email notifications. To set up the user, please use the procedure below:

1. Log into your Jamf Pro server using an account with administrator rights.
2. Go into Management: System Settings: Jamf Pro User Accounts & Groups

3. Click the New button.

4. Select Create Standard Account and click the Next button.

5. Set up a new account, with the email address from Slack as the account’s email address.

Note: No account privileges need to be assigned to this account.

6. Once the new account has been set up and configured as desired, click the Save button.

7. Log out of your Jamf Pro admin account and log into the newly-created account.

8. If no privileges were set for the account, verify that everything is coming up as Access Denied.

9. Click the account drop-down menu and select Notifications.

10. Select your desired notification options. Once finished, click the Save button.

11. Log out of Jamf Pro.

Once this has been configured, you can go to your Slack channel and see the notifications appear.

Updated Xcode command line tools installer script now available

A while back, I developed a script that will download and install the Xcode Command Line Tools on Macs running 10.7.x and higher.

Most of the time it works fine. However, starting with macOS Sierra and continuing on with macOS High Sierra, I occasionally ran into an odd problem. Apple would sometimes have both the latest available Xcode Command Line Tools installer and the just-previous version available on Apple’s Software Update feed.

The original script was written with the assumption that there would only be one qualifying Xcode Command Line Tools install option available at any one time. When more than one is available, the script isn’t able to correctly identify which Xcode Command Line Tools it should be installing. The result is that the script ends without installing anything.

Apple usually removes the previous version from the Software Update feed within a few days, which allows the script to work normally again. But when it happened this time, I decided to update the script to hopefully fix this issue once and for all. For more details, please see below the jump.

The fix was to add the following section to the script:

This section helps identify if Apple’s softwareupdate command line tool has returned more than one Xcode command line tool installation option. If more than one is available, the script will identify the last one listed and install that one.

Note: It is possible that a future release by Apple could result in the latest Xcode command line tool installer not being the last one listed. This design decision was based on observation of past results.
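As an added example (not the author's updated script), the shell below applies the rule just described to a constructed `softwareupdate -l` listing with two Command Line Tools entries and returns the last one listed; going beyond the post, it also shows a version-sorted pick that does not depend on listing order. The label format in the sample is an assumption based on 10.13-era softwareupdate output.

```shell
#!/bin/sh
# Added example, not the author's script: pick which Xcode Command Line Tools
# entry to install when `softwareupdate -l` lists more than one.

# Constructed sample of `softwareupdate -l` output. The label format
# ("   * Command Line Tools (...) for Xcode-9.4") is assumed from the
# 10.13-era tool; two entries are listed, the case that broke the original
# single-entry assumption.
SAMPLE_LISTING='Software Update Tool

Finding available software
Software Update found the following new or updated software:
   * Command Line Tools (macOS High Sierra version 10.13) for Xcode-9.3
        Command Line Tools (macOS High Sierra version 10.13) for Xcode (9.3), 180000K [recommended]
   * Command Line Tools (macOS High Sierra version 10.13) for Xcode-9.4
        Command Line Tools (macOS High Sierra version 10.13) for Xcode (9.4), 181680K [recommended]
   * macOS High Sierra 10.13.5 Update-10.13.5
        macOS High Sierra 10.13.5 Update (10.13.5), 2000000K [recommended] [restart]'

# list_clt_labels: the install label of every Command Line Tools entry, one
# per line, in listing order. Label lines start with "   * ".
list_clt_labels() {
    printf '%s\n' "$1" | grep '^ *\* .*Command Line Tools' | sed 's/^ *\* //'
}

# pick_last_clt_label: the rule described in the post - when several entries
# are present, install the last one listed.
pick_last_clt_label() {
    list_clt_labels "$1" | tail -n 1
}

# pick_highest_clt_label: an alternative that does not depend on listing
# order. It sorts on the Xcode version ending each label ("...Xcode-9.4")
# and returns the highest one, guarding against the ordering caveat above.
pick_highest_clt_label() {
    list_clt_labels "$1" | while IFS= read -r label; do
        version=${label##*Xcode-}
        major=${version%%.*}; rest=${version#*.}; minor=${rest%%.*}
        printf '%s %s %s\n' "$major" "$minor" "$label"
    done | sort -k1,1n -k2,2n | tail -n 1 | cut -d' ' -f3-
}

# install_clt: install the chosen label. Only meaningful on a Mac, as root.
install_clt() {
    [ -n "$1" ] || { echo "no Command Line Tools entry found" >&2; return 1; }
    /usr/sbin/softwareupdate -i "$1" --verbose
}
```

On a live Mac the listing would come from `softwareupdate -l` instead of the sample, and the chosen label is passed to install_clt.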

The updated script is available below. It’s also available from my GitHub repo at the following link:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/install_xcode_command_line_tools

Disabling Jamf Pro LDAP wildcard searches to speed up user and group lookups

When setting up Jamf Pro, one of the options you have is to integrate it with your company, school or institution’s LDAP-based directory service. Connecting Jamf Pro to LDAP allows you to query your organization’s directory service for information and also allows the use of your existing user accounts and groups when requiring logins or scoping policies.

When setting up Jamf Pro to connect to a directory service, there’s a Use Wildcards When Searching setting with the following description:

Allow partial matches to be returned when searching the LDAP directory

This setting allows Jamf Pro to use wildcards when searching your directory service, so that Jamf Pro returns results which only partially match the term you asked it to search for.

For directory services with fewer than five thousand user accounts and/or groups, having this option enabled is usually fine. However, once the directory service is larger than that, disabling the Use Wildcards When Searching setting may dramatically speed up user and group lookups. For more details, please see below the jump.

In my own shop, the directory service used by Jamf Pro has far more than five thousand users and groups. With the Use Wildcards When Searching setting enabled, lookups usually take a minimum of five seconds and a maximum of seven seconds.

With the Use Wildcards When Searching setting disabled, lookups now take between 0.001 and 0.03 seconds.

The downside to disabling wildcard searching is that you will need to search your directory service using the exact user or group name you want as your search criteria. Any result which is not an exact match will not be returned by the search. That said, the performance improvement usually makes this a worthwhile trade-off for losing the ability to search using wildcards.

To disable wildcard searching, use the following procedure:

1. Log into Jamf Pro.
2. Go into your Jamf Pro management settings:

Settings: System Settings: LDAP Servers: Your Directory Service Name Here (substitute your actual settings for Your Directory Service Name Here.)

3. Click the Edit button to edit the Your Directory Service Name Here settings.
4. Scroll to the bottom and locate the Use Wildcards When Searching setting.

5. If the setting is checked, uncheck it.

6. Click the Save button to save your changes.

Using the Jamf Pro API to mass-delete computers and mobile devices

Periodically, it may be necessary to delete a large number of computers or mobile devices from a Jamf Pro server. However, there is currently a problem in Jamf Pro 10 where trying to delete multiple devices can fail. Jamf is aware of the issue and has assigned it a product issue code (PI-004957), but it has not yet been resolved and remains a known issue as of Jamf Pro 10.4.1.

To work around this issue, you can delete computers and mobile devices one at a time. This does not trigger the performance issues seen with PI-004957, but this can get tedious if you have multiple devices to delete. To help with this, I’ve adapted an earlier script written by Randy Saeks to help automate the deletion process by using a list of Jamf IDs and the API to delete the relevant computers or mobile devices one by one. For more details, please see below the jump.

I’ve adapted Randy’s original script into two scripts, one for deleting computers and the other for deleting mobile devices. Both scripts work with a text file of Jamf Pro IDs, and also include error checking to make sure that the text file’s entries contain only positive numbers.

To use these scripts, you will need four things:

  1. A text file containing the Jamf Pro computer or mobile device IDs you wish to delete.
  2. The address of the appropriate Jamf Pro server
  3. The username of an account on the Jamf Pro server which has the necessary privileges to delete computers and/or mobile devices.
  4. The password to that account.

The text file should contain only the relevant Jamf Pro IDs, and its contents should look similar to this:

Once you have the text file and the other prerequisites, the scripts can be run using the following commands:

To delete computers:

/path/to/delete_Jamf_Pro_Computers.sh /path/to/text_filename_here.txt

To delete mobile devices:

/path/to/delete_Jamf_Pro_Mobile_Devices.sh /path/to/text_filename_here.txt

For authentication, the scripts can accept manual input or values stored in a ~/Library/Preferences/com.github.jamfpro-info.plist file.

The plist file can be created by running the following commands and substituting your own values where appropriate:

To store the Jamf Pro URL in the plist file:

defaults write com.github.jamfpro-info jamfpro_url https://jamf.pro.server.goes.here:port_number_goes_here

To store the account username in the plist file:

defaults write com.github.jamfpro-info jamfpro_user account_username_goes_here

To store the account password in the plist file:

defaults write com.github.jamfpro-info jamfpro_password account_password_goes_here

It is also possible to simulate a run of the script, to make sure everything is working before running the actual deletion. To put the script into simulation mode, comment out the following line of the script.

[Screenshot omitted: the line of the script to comment out for simulation mode]

To take it out of simulation mode, uncomment the line.

[Screenshot omitted: the same line uncommented]

In simulation mode, you can test out if the script is reading the text file properly and the authentication method. For example, the following output should be seen in simulation mode if the text file is being read properly and manual input is being used.

[Screenshot omitted: simulation-mode output with manual input]

The following output should be seen in simulation mode if the text file is being read properly and the needed values are being read from a ~/Library/Preferences/com.github.jamfpro-info.plist file.

[Screenshot omitted: simulation-mode output with values read from the plist file]
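Added example, not the author's scripts: a shell implementation of the workflow described above, with the positive-number check on the ID file, the com.github.jamfpro-info plist as the credential source (with prompts as the fallback), a simulation mode, and one DELETE request per ID. The Classic API paths /JSSResource/computers/id/<id> and /JSSResource/mobiledevices/id/<id> are taken from the Jamf Pro Classic API, not from the post.

```shell
#!/bin/sh
# Added example, not the author's script: validate a text file of Jamf Pro IDs
# and delete the matching objects one at a time through the Classic API.
# Assumed (from the Classic API, not from the post): DELETE requests to
#   /JSSResource/computers/id/<id> and /JSSResource/mobiledevices/id/<id>.

PREF_DOMAIN="com.github.jamfpro-info"    # plist written with `defaults write`
OBJECT_TYPE=${OBJECT_TYPE:-computers}    # or: mobiledevices
SIMULATE=${SIMULATE:-1}                  # 1 = report only, 0 = really delete
CR=$(printf '\r')

# validate_id_file: succeed only when every non-blank line is a positive
# integer (no sign, no letters, no leading zero). Bad entries go to stderr.
validate_id_file() {
    idfile=$1; status=0
    [ -r "$idfile" ] || { echo "cannot read ID file: $idfile" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$CR"}                # tolerate Windows line endings
        [ -z "$line" ] && continue        # skip blank lines
        case "$line" in
            *[!0-9]*|0*) echo "invalid Jamf Pro ID: '$line'" >&2; status=1 ;;
        esac
    done < "$idfile"
    return "$status"
}

# load_credentials: read URL, user and password from the preference plist,
# prompting for anything that is not stored there (macOS only: uses defaults).
load_credentials() {
    jamfpro_url=${jamfpro_url:-$(defaults read "$PREF_DOMAIN" jamfpro_url 2>/dev/null)}
    jamfpro_user=${jamfpro_user:-$(defaults read "$PREF_DOMAIN" jamfpro_user 2>/dev/null)}
    jamfpro_password=${jamfpro_password:-$(defaults read "$PREF_DOMAIN" jamfpro_password 2>/dev/null)}
    [ -n "$jamfpro_url" ]  || { printf 'Jamf Pro URL: '; read -r jamfpro_url; }
    [ -n "$jamfpro_user" ] || { printf 'Jamf Pro username: '; read -r jamfpro_user; }
    if [ -z "$jamfpro_password" ]; then
        printf 'Jamf Pro password: '; stty -echo; read -r jamfpro_password; stty echo; echo
    fi
}

# delete_object_url: Classic API URL for one object ID (a trailing slash on
# the server URL is tolerated).
delete_object_url() {
    printf '%s/JSSResource/%s/id/%s\n' "${jamfpro_url%/}" "$OBJECT_TYPE" "$1"
}

# delete_object: send one DELETE request, or only report it in simulation
# mode. curl -f makes a non-2xx response (e.g. 404 for an unknown ID) fail.
delete_object() {
    url=$(delete_object_url "$1")
    if [ "$SIMULATE" = "1" ]; then
        echo "SIMULATION: would DELETE $url"
        return 0
    fi
    curl -sSf -u "$jamfpro_user:$jamfpro_password" -X DELETE \
        -H "Accept: application/xml" "$url" > /dev/null < /dev/null
}

# delete_ids_from_file: validate first, then delete one ID per request,
# continuing past failures. Returns the number of IDs that were not deleted.
delete_ids_from_file() {
    idfile=$1; failed=0
    validate_id_file "$idfile" || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$CR"}
        [ -z "$line" ] && continue
        if delete_object "$line"; then
            echo "deleted $OBJECT_TYPE id $line"
        else
            echo "failed to delete $OBJECT_TYPE id $line" >&2
            failed=$((failed + 1))
        fi
    done < "$idfile"
    return "$failed"
}

# Usage: SIMULATE=0 OBJECT_TYPE=mobiledevices ./delete_jamf_objects.sh /path/to/ids.txt
# (nothing runs when no ID file is given on the command line)
if [ $# -eq 1 ]; then
    load_credentials
    delete_ids_from_file "$1"
fi
```

Run it with SIMULATE=1 (the default) first to confirm the ID file parses and the URLs look right, then with SIMULATE=0 to perform the deletions.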

The scripts are available below, and at the following addresses on GitHub:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Scripts/delete_Jamf_Pro_Computers

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Scripts/delete_Jamf_Pro_Mobile_Devices

delete_Jamf_Pro_Computers.sh:

delete_Jamf_Pro_Mobile_Devices.sh:

Upgrading from ESXi 6.5 to ESXi 6.7 via SSH and esxcli

Following VMware’s release of ESXi 6.7, I upgraded my ESXi 6.5 server to ESXi 6.7 using SSH and esxcli. For those interested, see below the jump for the details of the process I used.

To upgrade from ESXi 6.5 to 6.7 using esxcli

1. Shut down all VMs running on your ESXi host machine.

2. Enable SSH on your ESXi server, if it is not already enabled.

3. Connect via SSH.

4. Once logged in, run the following command to enter maintenance mode:

vim-cmd /hostsvc/maintenance_mode_enter

5. After putting ESXi into maintenance mode, run the following command to set the correct firewall rules for the httpClient:

esxcli network firewall ruleset set -e true -r httpClient

6. Next, run the following command to list the ESXi 6.7 updates available. You want the latest one that ends in -standard for your version of VMware.

esxcli software sources profile list -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep ESXi-6.7

7. Once you’ve identified the correct version of VMware (as of 5-18-2018, this is ESXi-6.7.0-8169922-standard), run the following command to download and install the update.

esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-6.7.0-8169922-standard

Note: It is very important that you run esxcli software profile update here. Running esxcli software profile install may overwrite drivers that your ESXi host needs.

8. Once the update has been installed and prompts you to reboot, run the following command to restart:

reboot

9. After your ESXi host restarts, connect via SSH and run the following command to exit maintenance mode:

vim-cmd /hostsvc/maintenance_mode_exit

At this point, your ESXi host should be upgraded to ESXi 6.7.0.

Detecting if a logged-in user on a FileVault-encrypted Mac has a Secure Token associated with their account

A challenge many Mac admins have been dealing with is the introduction of the Secure Token attribute, which is now required to be added to a user account before that account can be enabled for FileVault on an encrypted Apple File System (APFS) volume.

In my own shop, we wanted to be able to identify if the primary user of a Mac had a Secure Token associated with their account. We did this for the following reasons:

  1. We could alert the affected help desk staff.
  2. We could work with our users to rebuild their Macs on an agreed-upon schedule where their data was preserved.
  3. We could hopefully avoid working with our users on an emergency basis where their data could be lost.

To help with this, we developed a detection script. For more details, please see below the jump.

This script checks for the following:

  1. If the Mac is running 10.13.x or later.
  2. If the boot drive is using Apple File System (APFS) for its filesystem.
  3. If FileVault is enabled or not.

If the Mac passes the following checks:

  • Running 10.13.0 or later
  • The boot drive is using APFS
  • FileVault is enabled

Then the following actions take place:

  1. The logged-in user is checked to see if it can be determined.
  2. If it can be determined and it is not the root user, the sysadminctl tool is used to check to see if the account has the Secure Token attribute associated with it.

If the logged-in user account should have a Secure Token attribute associated with it and does not, the script will report the following:

1

Any other outcome, the script will report the following:

0
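Added example, not the script from the repository: the detection logic described above written as shell functions that take the output of the system commands they depend on, so the 1/0 decision can be exercised on constructed input, with check_this_mac wiring them to the live commands. The command names and output formats used here (sw_vers, diskutil info /, fdesetup status, stat -f %Su /dev/console, sysadminctl -secureTokenStatus) are assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example, not the author's script: the decision logic of a Secure Token
# check, split into functions that take the command output they would normally
# read from the system, so the logic can be exercised without a Mac.
# Assumed command names and output formats (not from the post): sw_vers,
# `diskutil info /`, `fdesetup status`, `stat -f %Su /dev/console`, and
# `sysadminctl -secureTokenStatus USER`, which reports on stderr.

# os_supports_secure_token: true when "$1" (sw_vers -productVersion) is
# 10.13 or later.
os_supports_secure_token() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "${minor:-0}" -ge 13 ]; }
}

# boot_volume_is_apfs: "$1" is the output of `diskutil info /`.
boot_volume_is_apfs() {
    printf '%s\n' "$1" | grep -q '^ *File System Personality: *APFS'
}

# filevault_is_on: "$1" is the output of `fdesetup status`.
filevault_is_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On'
}

# console_user_needs_check: "$1" is the console user; false when nobody is
# logged in (root or loginwindow own /dev/console) or during Setup Assistant.
console_user_needs_check() {
    case "$1" in
        ''|root|loginwindow|_mbsetupuser) return 1 ;;
    esac
    return 0
}

# has_secure_token: "$1" is the sysadminctl -secureTokenStatus output.
has_secure_token() {
    printf '%s\n' "$1" | grep -q 'Secure token is ENABLED'
}

# missing_secure_token: prints 1 when an account that should have a Secure
# Token does not, and 0 for every other outcome (the post's reporting scheme).
# Arguments: os_version diskutil_output fdesetup_output console_user
#            sysadminctl_output
missing_secure_token() {
    os_supports_secure_token "$1"  || { echo 0; return 0; }
    boot_volume_is_apfs "$2"       || { echo 0; return 0; }
    filevault_is_on "$3"           || { echo 0; return 0; }
    console_user_needs_check "$4"  || { echo 0; return 0; }
    if has_secure_token "$5"; then echo 0; else echo 1; fi
}

# check_this_mac: wire the checks to the live commands (run as root on a Mac).
check_this_mac() {
    user=$(/usr/bin/stat -f %Su /dev/console)
    token_status=""
    if console_user_needs_check "$user"; then
        token_status=$(/usr/sbin/sysadminctl -secureTokenStatus "$user" 2>&1)
    fi
    missing_secure_token "$(/usr/bin/sw_vers -productVersion)" \
        "$(/usr/sbin/diskutil info /)" "$(/usr/bin/fdesetup status)" \
        "$user" "$token_status"
}
```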

The script is available below, and at the following address on GitHub:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/detect_missing_secure_token

A complementary Jamf Pro Extension Attribute is available at the following address on GitHub:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Extension_Attributes/detect_missing_secure_token

iMac: Apple’s break with the past

You really had to have faith to believe that Apple could come back in May 1998. Steve Jobs had taken back the reins of the company less than a year earlier and had launched an ambitious plan, focused during the first months on the brand’s image and on Mac OS (not yet macOS), its crown jewel. Apple had not yet made a lasting impression, though, and Mac OS X existed only virtually, since the work of adapting NextSTEP to the Mac had barely begun. The only big reason Apple had made the news a few months earlier was when Bill Gates had deigned to put 150 million dollars into the company (“Microsoft buys Apple”), in non-voting shares. Above all, this served to bury the lawsuits that were under way…

But a real announcement was missing, one capable of making a lasting impression. A product capable of putting Apple back at the center of the stage. Capable of setting off an explosion.

The iMac was that explosion. A real shock. Its announcement was scrutinized, analyzed, dissected. It was a divisive product, but one that could also bring people together. Its color (the famous Bondi Blue, named after Bondi Beach in Australia) never left anyone indifferent.

I remember the endless debates on fr.comp.sys.mac about this announcement, about this crazy product that came out of nowhere and resembled no other. And above all about the technological break it represented, with a powerful G3 processor, the abandonment of historic technologies such as ADB, the serial port and SCSI, and the adoption of USB, the emerging standard of the time. The end of the NIH syndrome: Not Invented Here. Choices that were heavily criticized at the time but ultimately justified, and which allowed Apple to relaunch itself. And then, the beginning of the end for the floppy drive, at a time when USB storage keys were not even a concept.

It was also Apple’s real return to the consumer market and to education, with a computer equipped with an Ethernet port (very rare as standard at the time) and a 33.6k modem as standard. That point had caused so much grumbling that Apple fixed it before the iMac’s release, finally integrating a 56k modem, more in keeping with the times.

The iMac created a technological break and a financial break, ending the infernal cycle of declining sales (as I recall, there were only one or two quarters afterwards when the company really took a beating, no thanks to the G4 Cube…).

But above all, the iMac created an emotional break, with the arrival of a truly designed computer, all curves, a real UFO (“it comes from another planet… a good planet, with better designers,” he would add mischievously) amid the dreary industrial design of the time. It was the real arrival of Jony Ive at the helm of the Apple Industrial Design Group.

Whether you like it or not, the iMac was for Apple the symbol of its return to center stage, of its rebirth, and the word is not too strong. And it is still amusing to note that it is surely the only Apple product never to have changed its name in 20 years, despite the various iterations that gradually moved it away from the original concept in form, but not in substance: an all-in-one computer, for everyone.

So, happy birthday iMac. The world (and Apple) would have been a little less pleasant without you.

And if you want to know more about the design of Apple products, you can rewatch my talk “Apple et le design”, where I talk about the iMac from 24:30 onwards.

Oracle Java 10 JDK and JRE installation scripts for macOS

Oracle has started to release Java 10 for macOS, so I’m posting a couple of scripts to download and install the following:

Oracle has been releasing two separate versions of Java 8 simultaneously and may do the same for Java 10, so these Java 10-focused scripts are designed to allow the user to set which version they want to install: the CPU release or the PSU release.

The difference between CPU and PSU releases is as follows:

  • Critical Patch Update (CPU): contains both fixes to security vulnerabilities and critical bug fixes.
  • Patch Set Update (PSU): contains all the fixes in the corresponding CPU, plus additional fixes to non-critical problems.

For more details on the differences between CPU and PSU updates, please see the link below:

http://www.oracle.com/technetwork/java/javase/cpu-psu-explained-2331472.html

For more information, please see below the jump.

The scripts are available on GitHub via the links below:

Oracle Java 10 JDK: https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/install_latest_oracle_java_jdk_10
Oracle Java 10 JRE: https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/install_latest_oracle_java_jre_10

The scripts are also available as payload-free packages, compressed and stored as .zip files in the payload_free_package directory available via the links above.

Oracle Java 10 JDK script:

The script below will download a disk image containing the latest version of the Java 10 JDK from Oracle and install the JDK using the installer package stored inside the downloaded disk image.

How the script works:

  1. Verifies that the Mac is running a Java 10-compatible operating system
  2. Uses curl to download a disk image containing the latest Java 10 JDK installer from Oracle’s web site
  3. Renames the downloaded disk image to java_ten_jdk.dmg and stores it in /tmp.
  4. Mounts the disk image silently in /tmp. The mounted disk image will not be visible to any logged-in user.
  5. Installs the latest Java 10 JDK using the installer package stored inside the disk image.
  6. After installation, unmounts the disk image and removes it from the Mac in question.

Oracle Java 10 JRE script:

The script below will download a disk image containing the latest version of the Java 10 JRE from Oracle and install the JRE using the installer package stored inside the downloaded disk image.

How the script works:

  1. Verifies that the Mac is running a Java 10-compatible operating system
  2. Uses curl to download a disk image containing the latest Java 10 JRE installer from Oracle’s web site
  3. Renames the downloaded disk image to java_ten_jre.dmg and stores it in /tmp.
  4. Mounts the disk image silently in /tmp. The mounted disk image will not be visible to any logged-in user.
  5. Installs the latest Java 10 JRE using the installer package stored inside the disk image.
  6. After installation, unmounts the disk image and removes it from the Mac in question.

When the Freebox blocks access to Apple services

One of my clients noticed a strange problem: from his home, it was impossible to connect to any of Apple’s services: App Store, iTunes Store, etc. All of them were unreachable!

The solution was not very hard to find, though: it was the ad blocker built into his Freebox that was acting up… So remember to disable that option in your Freebox settings if you need to restore proper access to Apple services from your Mac.