The T2 Macs, the end of NetBoot and deploying from macOS Recovery

In late 2017, Apple released the iMac Pro. Along with the new Secure Enclave protection provided by Apple’s T2 chip, the iMac Pro brought another notable development: It did not support booting from a network volume, otherwise known as NetBoot.

The one exception was Apple’s Internet Recovery, where Apple provides a NetBoot-like service that gives access to macOS Recovery. The iMac Pro is still able to boot to Internet Recovery, which provides a way to repair the Mac or reinstall the operating system in situations where the Mac’s own Recovery volume is missing or not working properly.

With NetBoot not available on the iMac Pro but still available on other models, it wasn’t yet clear whether NetBoot-based workflows for setting up new Macs or rebuilding existing ones were on the way out. However, Apple’s release of T2-equipped MacBook Pros in July 2018, which also cannot use NetBoot, has made Apple’s direction clear. As Apple releases new Mac models equipped with T2 chips and the Secure Enclave, it is unlikely that these future Macs will support NetBoot.

For Mac admins using NetBoot-based workflows to set up their Macs, what are the alternatives? Apple has been encouraging the use of Apple’s Device Enrollment Program (DEP), which leverages a company’s, school’s or institution’s mobile device management (MDM) service. In this case, you would need to arrange with Apple or an Apple reseller to purchase Macs that are enrolled in your organization’s DEP.

When a DEP-enrolled Mac is started for the first time (or started after an OS reinstall), it is automatically configured to use your organization’s MDM service and the device checks in with the MDM service. The MDM service then configures the Mac as desired with your organization’s software and configuration settings. A good example of what this process may look like can be seen here.

What if you don’t have DEP, or you don’t have MDM? In that case, you may still be able to leverage Recovery-based deployment methods, which would allow you to install the desired software and configuration settings onto the Mac’s existing OS, or install a new OS along with software and configuration settings. For more details on these methods, please see below the jump.

To help facilitate deploying software and settings from the Recovery environment, Greg Neagle has released a couple of tools:

bootstrappr: https://github.com/munki/bootstrappr
installr: https://github.com/munki/installr

Both bootstrappr and installr can run in the macOS Recovery environment and work in similar ways. The main difference between the two is the following:

  • bootstrappr: Installs one or more packages onto a target volume
  • installr: Installs macOS and one or more additional packages onto a target volume

As an example of how bootstrappr works, please see below. In this case, I’ve set up a disk image using the instructions provided at the bootstrappr GitHub repo and copied it to an external drive named Provisioning.

On the disk image, I’ve included one installer package named First Boot Package Install, which was generated by my First Boot Package Install Generator tool.

1. Boot to macOS Recovery

2. Launch Terminal

3. Run the following command:

hdiutil mount /Volumes/Provisioning/bootstrap.dmg

The bootstrap disk image mounts as a new volume named bootstrap.

4. Run the following command:

/Volumes/bootstrap/run

5. Select the volume to install on (in this example, the volume is named Macintosh HD).

The First Boot Package Install package included in the disk image is installed.

6. Once installation is completed, select the option to restart.

On restart, the First Boot Package Install package runs its own workflow, which suppresses the Apple Setup Assistant and runs its assigned installation task. In this case, I’m only having it check for and install all available Apple software updates, but it could install any desired package. This could include all software needed to set up a particular Mac, or a management agent to handle software installation and configuration.
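As an added example (not bootstrappr’s own code and not from the original post), here is a wrapper for steps 3 and 4 that checks bootstrap.dmg against a SHA-256 value stored beside it on the Provisioning drive before mounting and running it, so an altered image on the external drive is refused rather than installed. The hash file name and the presence of sha256sum or shasum in the Recovery environment are assumptions.

```shell
#!/bin/sh
# Added example, not part of bootstrappr or the original post: verify the
# provisioning disk image before handing off to bootstrappr's run script.
# Assumptions: the external drive is named "Provisioning" as in the post,
# the expected hash is stored in bootstrap.dmg.sha256 next to the image
# (constructed name), and sha256sum or shasum exists in Recovery.

set -u

PROVISIONING_DIR="${PROVISIONING_DIR:-/Volumes/Provisioning}"
DMG="$PROVISIONING_DIR/bootstrap.dmg"
HASH_FILE="$DMG.sha256"
MOUNTPOINT="/Volumes/bootstrap"

# Print the SHA-256 of a file using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only if the file's SHA-256 equals the expected value
# (compared case-insensitively).
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1")
    [ "$actual" = "$expected" ]
}

# Read the expected hash from a .sha256 file whose first field is the
# digest, as written by "sha256sum bootstrap.dmg > bootstrap.dmg.sha256".
expected_hash_from_file() {
    awk 'NR == 1 {print $1}' "$1"
}

main() {
    [ -f "$DMG" ] || { echo "missing $DMG" >&2; return 1; }
    [ -f "$HASH_FILE" ] || { echo "missing $HASH_FILE" >&2; return 1; }
    if ! verify_sha256 "$DMG" "$(expected_hash_from_file "$HASH_FILE")"; then
        echo "bootstrap.dmg does not match $HASH_FILE; refusing to run it" >&2
        return 1
    fi
    # Steps 3 and 4 from the post: mount the image and run bootstrappr.
    hdiutil mount "$DMG" || return 1
    [ -x "$MOUNTPOINT/run" ] || { echo "no run script at $MOUNTPOINT" >&2; return 1; }
    "$MOUNTPOINT/run"
}

# Only run main when executed under this name, so the functions can be sourced.
case "$0" in *verify-and-bootstrap.sh) main "$@" ;; esac
```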

Staying notified about Apple developer software releases

Keeping up with Apple developer betas and other developer software releases is a necessary part of many Mac admins’ regular routine. It’s especially important during the period between WWDC in June and the annual OS release in the fall. Fortunately, Apple makes tracking developer releases easier by publishing a notification at the following address:

https://developer.apple.com/news/releases/

This publicly-accessible notification doesn’t discuss what’s included in the newly-released software and you will still need an Apple Developer Connection account in order to get the details. For many Mac admins though, having an easy and quick way to track if the latest developer beta has been released is valuable information in itself.

To make it even more convenient, Apple also offers an RSS feed for the Developer Releases page:

https://developer.apple.com/news/releases/rss/releases.rss

You can add this feed into your RSS reader and it’ll keep you up to date. If you use Slack, another approach is to use Slack’s ability to post content from an RSS feed to a Slack channel. For more details, please see below the jump:

To enable Slack to post from the Developer Releases RSS feed to a Slack channel, you’ll need to enable the RSS application for your Slack instance.

The procedure for doing this is linked below:

https://get.slack.help/hc/articles/218688467-Add-RSS-feeds-to-Slack

Once you have the RSS application installed for your Slack instance, follow the procedure below:

1. Set up a channel in Slack to receive the content from the RSS feed.

For this example, I’ve set up a channel named #apple-developer-feed.

2. In the RSS application, click the Add RSS integration button.

3. In the Feed URL field, enter the following URL:

https://developer.apple.com/news/releases/rss/releases.rss

4. Select the channel you want the RSS feed’s content to post to from the Post to Channel drop-down menu.

In this case, it’ll be posted to the #apple-developer-feed channel.

5. Once the RSS feed and channel have been properly set up, click the Subscribe to this feed button.

The RSS feed will now show as being posted to the selected channel.

Once this is configured, Slack will post any new content from the RSS feed to the specified Slack channel.

Session videos now available from Penn State MacAdmins Conference 2018

The good folks at Penn State have begun posting the session videos from the Penn State MacAdmins Conference 2018. The session slides and currently-available videos are all accessible from the Penn State MacAdmins’ Resources page at the link below:

http://macadmins.psu.edu/conference/resources/

As all the session videos have been posted to YouTube [https://www.youtube.com/user/psumacconf], I’ve linked my Providing the best Mac experience possible from the Mac CoE team with ❤ session here:

The Escaping the Tech Whisperer Trap session I co-hosted with Nikki Lewandowski is linked here:

Damn, twenty years…

Ten years ago, I published an article on this blog, soberly titled… Ten years!

Ten years later, this site therefore shows twenty years on the counter. That’s starting to be a lot. I won’t retell the whole history of the site; everything was said in the aforementioned article, as well as in this other post.

Let’s be honest, though: gete.net has lost much of its former glory. I no longer have the same energy for writing on the web, being more present on social networks, and in particular Twitter, like so many others. I have also been absorbed by writing various books (of which I am particularly proud, I admit). Other projects have also taken up my time, such as DiskMaker X (yes, an update is coming soon, and yes, there will surely be a version for macOS Mojave).

I have somewhat (greatly) lost the knack for long-form writing. Maybe it will come back. Who knows?

Still, I’m always a little nostalgic for that era when I was able to write long technical features and cover certain topics in depth. And I still manage to feed, from time to time, what may be to this day the oldest French-language Mac site (there may be another one, but off the top of my head I can’t think of one. Oh yes, the Logiciels Internet Macintosh en français page by the inestimable Jean-Pierre Kuypers, whom I salute deeply if he is reading this here).

I also have quite a few unfinished projects. Because if there is one word I hate above all others, I think, it’s the word END.

This blog, this site, will therefore never be completely finished. They will forever remain an essential piece of my time on this fine planet. It’s also thanks to gete.net that my life changed course, as I explained a few months ago.

So I’d just like to thank you, all of you Apple fans of twenty years or more, the people who read me on fr.comp.sys.mac, who supported me, those who trusted me to write on their websites, in their magazines, or on their shows. You who have often become friends, close ones. All those who enjoyed reading my nonsense, who may have been helped by the hundreds of tips published here and there. Who keep coming back from time to time to see whether there’s a new article on this site. I like to think that through gete.net, I’ve been able to help hundreds (thousands? millions?) of Apple users around the world. And that I may have contributed to making the Universe a tiny bit better (very presumptuous, I know).

And so I’ll see you again in ten years…

Who knows.

Slides from the “Providing the best Mac experience possible, from the Apple CoE team with ♥” session at Penn State MacAdmins 2018

For those who wanted a copy of my Mac management session at the Penn State MacAdmins 2018 conference, here are links to the slides in PDF and Keynote format.

PDF – http://tinyurl.com/PSU2018SAPPDF

Keynote – http://tinyurl.com/PSU2018SAPKeynote

Automating AutoPkg and JSSImporter setup

As part of building my autopkg-conductor solution for automating AutoPkg runs, I also wanted to automate the setup of AutoPkg and JSSImporter. My colleague Graham Pugh has written a setup script for his environment, which I was able to adapt and extend for my own needs. For more details, please see below the jump.

This script is designed to set up a Mac running macOS 10.13.x or later with the following:

  • AutoPkg
  • JSSImporter
  • The AutoPkg recipe repos defined in the script.

The script checks to see if the following components are installed. If any are missing, they’re installed on an as-needed basis:

It also installs the following Python tools and modules on an as-needed basis:

The script also includes the following features:

  • The ability to set JSSImporter to use a Jamf Pro cloud distribution point as the master distribution point
  • The ability to install either the latest release of JSSImporter or JSSImporter 0.5.1.

The reason that JSSImporter 0.5.1 is set as a specific install option is that JSSImporter 1.0 does not currently support uploading to a Jamf Pro cloud distribution point. JSSImporter 0.5.1 does support uploading to a cloud distribution point, so while the upload issues are being worked out with JSSImporter 1.x, using the older JSSImporter 0.5.1 is the currently recommended workaround.

Once these tools and modules are installed, the script does the following:

1. Configures AutoPkg to use the recipe repos defined in the AutoPkg repos section.

2. Configures JSSImporter to connect to the desired Jamf Pro server with the correct distribution point settings.

This script should not be run with root privileges or you will receive the following warning:

Instead, the script should be run by an account with sudo privileges, so that entering the account’s password will allow sudo to run specified processes with root privileges. If you try to run this script using an account without sudo privileges, you will receive the following warning:

If the script is successfully run, the script output should look similar to what is shown below.

If a Jamf Pro cloud distribution point is set as the master distribution point:

If a Jamf Pro file share distribution point is set as the master distribution point:

The script is available below. It’s also available from GitHub using the following link:

https://github.com/rtrouton/autopkg_setup_for_jamf_pro

Joining Apple’s AppleSeed testing program

In addition to Apple’s Developer Connection program for developers, Apple also has a program called AppleSeed for IT, which is geared towards working with enterprise customers to help them test new Apple software.

During recent conversations about AppleSeed for IT, I was told that it was better for AppleSeed members to submit bug reports and feature requests through AppleSeed’s Feedback Assistant. This would be in place of sending those bug reports and feature requests through Apple’s regular bug reporting at bugreport.apple.com.

Why? Two reasons:

  1. Bug reports and feature requests sent through AppleSeed’s Feedback Assistant are routed to a dedicated queue for IT.
  2. There’s a smaller absolute number of items being sent through AppleSeed’s Feedback Assistant, which means that there’s less communication volume for Apple to sort through to get to your issue.

How to join AppleSeed for IT

There’s no cost to join AppleSeed for IT and you will not be asked to pay for anything, but you do need to be invited by Apple. This takes the form of an invitation code that you must provide when registering for AppleSeed.

If your company, school or institution has purchased an AppleCare Preferred, AppleCare Alliance or AppleCare Enterprise support plan, you should be given an opportunity to enroll in AppleSeed. If you haven’t been asked already, contact the Apple rep for your support plan and request an invitation.

What if your shop hasn’t purchased an AppleCare support plan? You are still able to request an invitation. To do so, use the following procedure:

  1. Log into the MacAdmins Slack. If you’re not familiar with the MacAdmins Slack, please see this post by my colleague Armin Briegel.
  2. Go to the #appleseed channel.
  3. Politely ask how you can get an invitation to join AppleSeed.

Note:

One thing that’s important to know is that discussions about AppleSeed-provided software should not take place in the #appleseed channel. The reason is that AppleSeed software is covered by Apple’s NDA for AppleSeed, where participants in the program agree not to publicly discuss the software or their experiences with it.

Slides from the “Escaping the ‘Tech Whisperer’ Trap” session at Penn State MacAdmins 2018

For those who want a copy of the documentation talk given by myself and my colleague Nikki Lewandowski at the Penn State MacAdmins 2018 conference, here is a link to the slides in Keynote format.

Keynote slides: https://goo.gl/nHWg3Z

Automating AutoPkg runs with autopkg-conductor

About two weeks ago, I noticed I had an SSL error cropping up with one of my AutoPkg recipes:

[Errno socket error] EOF occurred in violation of protocol (_ssl.c:590)

When I investigated what it meant, I wound up at this lengthy issue opened for Python’s requests module. In the end, it seemed to boil down to four issues:

  1. I was running AutoPkg on macOS Sierra 10.12.6.
  2. The recipe I was running used a processor which called Python’s urllib2 library.
  3. Python’s urllib2 library was calling the OS’s installed version of OpenSSL to connect to a server using TLSv1.2.
  4. The version of OpenSSL included with 10.12.6 does not support TLSv1.2 for the urllib2 library.

When I looked into the situation on macOS High Sierra 10.13.5, Apple had addressed the problem by replacing OpenSSL with LibreSSL. Among other improvements, LibreSSL allowed Python’s urllib2 library to be able to connect to servers using TLSv1.2. Problem solved!

Until I ran into another problem.

I had been using AutoPkgr as my way of managing AutoPkg and scheduling AutoPkg runs. However, when I set up AutoPkgr on a 10.13.5 VM and scheduled my AutoPkg nightly run, nothing happened except my CPU spiked to 100% and AutoPkgr locked up with the pinwheel of patience.

OK, maybe it was something with my VM. No problem, set up a new macOS 10.13.5 VM.

Same problem.

Maybe it was because I was trying to run the VM on VMware’s ESXi? Set up a new VM running in VMware Fusion. Same problem.

Maybe AutoPkgr was getting confused by Apple File System? I set up a 10.13.5 VM which used an HFS+ boot volume. Same problem, replicated on both ESXi and Fusion.

No matter what I tried, trying to run recipes using AutoPkgr on macOS 10.13.x resulted in the following:

  • The VM’s CPU spiking to 100%
  • AutoPkgr locking up with the pinwheel of patience
  • My AutoPkg recipes not running

I was able to eliminate AutoPkg itself as the issue, as running recipes from the command line using AutoPkg worked fine. With that information in mind, I decided to see if I could replicate what I most liked about using AutoPkgr in another form. In the end, my needs boiled down to three:

  1. I wanted to be able to run a list of AutoPkg recipes on a scheduled basis. These recipes would be .jss recipes for uploading to a Jamf Pro server.
  2. I wanted to be able to post information about those AutoPkg recipes to a Slack channel.
  3. I wanted all the error messages from an AutoPkg run, but I didn’t care about all the information that came from a successful AutoPkg run.

With that, I decided to draw on some earlier work done by Sean Kaiser, a colleague who had written a script for managing AutoPkg in the pre-AutoPkgr days. For more details, please see below the jump.

Sean’s solution relies on a script and LaunchDaemon running on a Mac, where it runs hourly and is set up to only send him emails if the AutoPkg logs are different from previous runs. The email notifications are a diff against the previous logs, so only the true differences get sent.

For those interested, Sean’s script is available from here:

https://github.com/seankaiser/automation-scripts/tree/master/autopkg

I was more focused on a once-daily run, so I didn’t want to use the diff methodology. After some more research, I found that my colleague Graham Pugh had written pretty much exactly what I needed: An AutoPkg post-processor named Slacker which could be used with an AutoPkg recipe list of .jss recipes to post the results to a Slack channel.

I forked a copy of the Slacker post-processor and (with Graham’s help) made some edits to it to have the output appear exactly the way I wanted it to.

Screenshots of the two resulting Slack posts, the new package message and the no new package message, appeared here.

Along with the Slacker post-processor, I also found a script for sending multiline output to a Slack channel. This would allow me to send the complete error log from an AutoPkg run to a specified Slack webhook.

Using all of this, I wrote a script named autopkg-conductor which is designed to do the following:

1. Detect a list of AutoPkg recipes at a defined location and verify that the list is readable.
2. If the AutoPkg recipe list is readable and available, run the following actions:

A. Verify that AutoPkg is installed.
B. Update all available AutoPkg repos with the latest recipes.
C. Run the AutoPkg recipes in the list.

The AutoPkg run has all actions logged to ~/Library/Logs, with the logfiles being named autopkg-run-for- followed by the date.

If the optional slack_post_processor and slack_webhook variables are both populated, any AutoPkg .jss recipes should have their output sent to the Slack webhook specified in the slack_webhook variable.

If only the slack_webhook variable is populated, all output from the AutoPkg run is sent to the Slack channel. No filtering is applied, everything is sent.

If neither the slack_post_processor nor the slack_webhook variable is populated, no information is sent to Slack. All AutoPkg run information will be in the logs stored in ~/Library/Logs.
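As an added example (not the autopkg-conductor script itself), here is a minimal conductor that follows the flow described above: it checks the recipe list and the AutoPkg install, updates the repos, runs the list into a dated log under ~/Library/Logs, and chooses between post-processor, raw webhook or no Slack output from the two variables. RECIPE_LIST, SLACK_POST_PROCESSOR and SLACK_WEBHOOK are placeholders, and the post-processor reading its webhook from an AutoPkg input variable named slack_webhook is an assumption.

```shell
#!/bin/sh
# Added example, not the autopkg-conductor script from the post.
# Assumptions: the three variables below are placeholders you set, and the
# chosen post-processor takes its webhook from the AutoPkg input variable
# "slack_webhook" (assumed; check the processor you use).

set -u

RECIPE_LIST="${RECIPE_LIST:-$HOME/autopkg-recipes.txt}"
LOG_DIR="${LOG_DIR:-$HOME/Library/Logs}"
SLACK_POST_PROCESSOR="${SLACK_POST_PROCESSOR:-}"
SLACK_WEBHOOK="${SLACK_WEBHOOK:-}"

# postprocessor: both variables set; raw: only the webhook set; none: neither.
slack_mode() {
    if [ -n "$1" ] && [ -n "$2" ]; then echo postprocessor
    elif [ -n "$2" ]; then echo raw
    else echo none
    fi
}

# Log file named autopkg-run-for- followed by the date, as in the post.
log_path() {
    echo "$1/autopkg-run-for-$(date +%Y-%m-%d).log"
}

# The recipe list must exist, be readable and contain at least one line.
recipe_list_ok() {
    [ -f "$1" ] && [ -r "$1" ] && [ -s "$1" ]
}

# Wrap multi-line text in a Slack webhook JSON body. Backslashes, double
# quotes and newlines are escaped; other control characters are not.
slack_payload() {
    escaped=$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
        | awk '{printf "%s%s", (NR > 1 ? "\\n" : ""), $0}')
    printf '{"text":"%s"}' "$escaped"
}

post_to_slack() {
    curl -sS -X POST -H 'Content-type: application/json' \
        --data "$(slack_payload "$2")" "$1" >/dev/null
}

run_conductor() {
    recipe_list_ok "$RECIPE_LIST" || { echo "recipe list $RECIPE_LIST is not readable" >&2; return 1; }
    command -v autopkg >/dev/null 2>&1 || { echo "autopkg is not installed" >&2; return 1; }
    mkdir -p "$LOG_DIR"
    log=$(log_path "$LOG_DIR")
    mode=$(slack_mode "$SLACK_POST_PROCESSOR" "$SLACK_WEBHOOK")
    {
        autopkg repo-update all
        if [ "$mode" = postprocessor ]; then
            autopkg run --recipe-list "$RECIPE_LIST" \
                --post "$SLACK_POST_PROCESSOR" --key "slack_webhook=$SLACK_WEBHOOK"
        else
            autopkg run --recipe-list "$RECIPE_LIST"
        fi
    } >"$log" 2>&1
    # raw mode sends the unfiltered log; postprocessor mode leaves posting
    # to the post-processor; none keeps everything in the log file only.
    [ "$mode" = raw ] && post_to_slack "$SLACK_WEBHOOK" "$(cat "$log")"
    return 0
}

case "$0" in *autopkg-conductor-example.sh) run_conductor ;; esac
```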

For scheduled runs, I recommend the following:

  1. Set up a user account named autopkg to run AutoPkg in.
  2. Copy the autopkg-conductor script to /usr/local/bin/autopkg-conductor.sh and set the autopkg-conductor.sh script to be executable.
  3. Set up a LaunchDaemon to run /usr/local/bin/autopkg-conductor.sh at a pre-determined time or interval.

For this example, the LaunchDaemon shown below will run /usr/local/bin/autopkg-conductor.sh as the autopkg user once a day at 2:00 AM.
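As an added example (not the LaunchDaemon from the original post), here is a script that writes a launchd job matching that description, running /usr/local/bin/autopkg-conductor.sh as the autopkg user daily at 2:00 AM, then lints and loads it. The label com.example.autopkg-conductor is a placeholder.

```shell
#!/bin/sh
# Added example, not the post's own LaunchDaemon. Emits a launchd plist
# that runs autopkg-conductor.sh as the "autopkg" user once a day at
# 02:00, then validates and loads it. The label is a placeholder.

set -u

LABEL="com.example.autopkg-conductor"
PLIST="/Library/LaunchDaemons/$LABEL.plist"

# Arguments: label, user name, hour, minute. StartCalendarInterval with
# Hour/Minute fires daily at that time; UserName runs the job as that
# account instead of root.
conductor_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$1</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/autopkg-conductor.sh</string>
    </array>
    <key>UserName</key>
    <string>$2</string>
    <key>StartCalendarInterval</key>
    <dict>
        <key>Hour</key>
        <integer>$3</integer>
        <key>Minute</key>
        <integer>$4</integer>
    </dict>
</dict>
</plist>
EOF
}

install_daemon() {
    conductor_plist "$LABEL" autopkg 2 0 > "$PLIST" || return 1
    # launchd refuses LaunchDaemons that are not root-owned or that are
    # group/world-writable, so fix ownership and mode before loading.
    chown root:wheel "$PLIST" && chmod 644 "$PLIST" || return 1
    plutil -lint "$PLIST" || return 1
    launchctl load "$PLIST"
}

# Only install when executed under this name (requires sudo on the Mac).
case "$0" in *install-autopkg-conductor-daemon.sh) install_daemon ;; esac
```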

The autopkg-conductor script is available below. It’s also available from GitHub using the following link:

https://github.com/rtrouton/autopkg-conductor

Automating Jamf Infrastructure Manager setups on Red Hat Enterprise Linux

As part of a project, I needed to build an automated setup process for a Jamf Infrastructure Manager (JIM). Thanks to the help of some folks at Jamf, I have a process which runs non-interactively and which does the following on Red Hat Enterprise Linux 7.x:

  1. Installs the JIM software
  2. Enrolls the JIM with a Jamf Pro server

For more details, please see below the jump.

The key information I needed from Jamf was how to run a non-interactive enrollment of the JIM with a Jamf Pro server. This can be done with the following command:

/path/to/jamf-im enroll --hostname jim_hostname_goes_here --jss-url https://jamf.pro.server.here --password jamf_pro_account_password_goes_here --username jamf_pro_account_username_goes_here

This does require placing a password in the clear, so I recommend setting up an account on your Jamf Pro server which only has the required rights to enroll a JIM.

Once you’ve enrolled, you should be able to check /var/log/jamf-im.log and verify that enrollment has been successful. If it was successful, you should see log entries similar to what’s shown below:

You should also see the new JIM appear listed in your Jamf Pro server. To check this, use the following process:

1. Log into the Jamf Pro server using an admin account.
2. Go to Management: Server Infrastructure and select Infrastructure Managers.

3. You should see the new JIM listed there.

To help automate the process, I’ve written a script for CentOS 7.x / RedHat Enterprise Linux 7.x which does the following:

  1. Checks to see if Java is installed and installs OpenJDK 8.x if it isn’t.
  2. Checks for the JIM installer at a defined location
  3. If the JIM installer is available, installs the JIM software.
  4. Verifies that the JIM software has been installed.
  5. Enrolls the JIM with a specified Jamf Pro server, using credentials provided in the script.

Pre-requisites

  • A JIM installer .rpm file for CentOS / RedHat Enterprise Linux stored in the location defined in the script.
  • Credentials for the specified Jamf Pro server
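As an added example (not the script from the original post), here is a CentOS / RHEL 7 version of the same five steps that reads the Jamf Pro credentials from a root-owned, mode-600 file instead of embedding them in the script, which limits who on the host can read the enrollment password. The file paths, the JIM binary location and installing the rpm with yum localinstall are assumptions.

```shell
#!/bin/sh
# Added example, not the script from the post. Same steps for CentOS /
# RHEL 7, with credentials read from a root-only file. Assumptions:
# JIM_RPM and CRED_FILE are placeholder paths, JIM_BIN keeps the post's
# /path/to/jamf-im placeholder, and the credentials file holds
# JSS_URL=, JSS_USER= and JSS_PASS= lines.

set -u

JIM_RPM="${JIM_RPM:-/root/jamf-im.rpm}"
CRED_FILE="${CRED_FILE:-/root/jim-enroll.conf}"
JIM_BIN="${JIM_BIN:-/path/to/jamf-im}"

# Return 0 only if the file is owned by the expected user and is mode 600,
# so the enrollment password is not readable by other local accounts.
credentials_file_ok() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)
    owner=$(ls -ld "$1" | awk '{print $3}')
    [ "$perms" = "-rw-------" ] && [ "$owner" = "$2" ]
}

# Read KEY=value from the credentials file (first match, no shell evaluation).
read_credential() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Step 1: install OpenJDK 8 from the base repos if no Java is present.
ensure_java() {
    command -v java >/dev/null 2>&1 && return 0
    yum -y install java-1.8.0-openjdk
}

# Steps 2 to 4: check for the installer, install it, verify the binary.
install_jim() {
    [ -f "$JIM_RPM" ] || { echo "JIM installer not found at $JIM_RPM" >&2; return 1; }
    yum -y localinstall "$JIM_RPM" || return 1
    [ -x "$JIM_BIN" ]
}

# Step 5: the non-interactive enrollment command from the post. The
# password is still visible in the process list while it runs, which is
# why a Jamf Pro account limited to JIM enrollment is recommended.
enroll_jim() {
    url=$(read_credential "$CRED_FILE" JSS_URL)
    user=$(read_credential "$CRED_FILE" JSS_USER)
    pass=$(read_credential "$CRED_FILE" JSS_PASS)
    [ -n "$url" ] && [ -n "$user" ] && [ -n "$pass" ] || { echo "incomplete credentials in $CRED_FILE" >&2; return 1; }
    "$JIM_BIN" enroll --hostname "$(hostname -f)" --jss-url "$url" --username "$user" --password "$pass"
}

main() {
    credentials_file_ok "$CRED_FILE" root || { echo "$CRED_FILE must be root-owned, mode 600" >&2; return 1; }
    ensure_java && install_jim && enroll_jim || return 1
    # Show the most recent enrollment-related log lines for a quick check.
    grep -i enroll /var/log/jamf-im.log | tail -n 5
}

case "$0" in *jim-setup.sh) main ;; esac
```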

When successfully run, the output of the script should appear similar to that shown below:

The script is available below, and also available on GitHub at the following address:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Scripts/jamf_infrastructure_manager_automated_setup