Session videos and slides available from MacSysAdmin 2018

The documentation from MacSysAdmin 2018 is available, with the session slides and videos being accessible from the link below:

http://documentation.macsysadmin.se

The video of my session is available for download from here:

I’d also like to thank Tycho Sjögren and Apoio AB for inviting me to speak again at this year’s MacSysAdmin.

Building an SAP GUI installer for macOS

Since I’ve started working for my current employer, my colleagues and I have occasionally received the following question from various Mac admins:

“I’m using SAP in my environment. How do I deploy the Mac software for SAP?”

When we’ve followed up for more details, the “Mac software for SAP” usually means the SAP GUI software. SAP GUI comes in two flavors:

SAP GUI for Java supports the following operating systems:

  • openSUSE
  • Fedora
  • macOS
  • Microsoft Windows
  • AIX
  • Ubuntu

The SAP GUI for Java is what’s available for macOS, so how do you get it and deploy it? For more details, please see below the jump.

Pre-requisite

SAP GUI is a Java application, so Java must be installed before proceeding further. As of October 11, 2018, I recommend installing the latest Oracle Java 8 JDK for macOS.

The Java JDK can be downloaded from the following website:

https://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html

Getting the SAP GUI for Java software

1. Go to the following link:

https://support.sap.com/en/my-support/software-downloads.html

2. Click on Support Packages & Patches

3. Click on Access Downloads

4. Select By Category

5. Select SAP Frontend Components

6. Select SAP GUI for Java

7. Click on the latest SAP GUI for Java

As of October 11, 2018, this will be SAP GUI for Java 7.50.

8. Verify that the Items Available to Download drop-down menu is set to MAC OS

9. Select and download the latest available PlatinGUI .jar file.

Building configuration files

Along with the SAP GUI application, you can also prepare a set of pre-configured settings files for SAP GUI. These configuration files are described as part of the documentation for SAP GUI, in the Administration: Configuration Files section.

Once you have your connections and settings files configured the way you want them, export them and name them as follows:

Connections: connections.template
Settings: settings.template

If you have additional exported settings, also follow the .template naming scheme.

Once you have your .template files ready, use the following Java command to create a file named templates.jar:

jar -cf /path/to/templates.jar /path/to/filename1.template /path/to/filename2.template /path/to/filename3.template

For example, if I have a settings.template file and a trustClassification.template file stored in my home folder, I would use the following Java command to create a templates.jar file in my user account’s Downloads folder:

jar -cf /Users/username/Downloads/templates.jar /Users/username/settings.template /Users/username/trustClassification.template

The .template files are stored inside the templates.jar file:

If the templates.jar file is in the same directory as the PlatinGUI .jar file when the installation process is run, the .template files will be installed along with the SAP GUI application and stored in SAP GUI.app/Contents/Resources.

When a user launches the SAP GUI application, if they do not already have an ~/Library/Preferences/SAP directory, the settings.template and trustClassification.template files will be copied to the ~/Library/Preferences/SAP directory with the following filenames:

  • ~/Library/Preferences/SAP/settings
  • ~/Library/Preferences/SAP/trustClassification

Building the SAP GUI installer

Pre-requisites:

  • Packages
  • SAP GUI for Java installer (this is the PlatinGUI .jar file)
  • templates.jar file (optional)

1. Set up a new Packages project and select Raw Package.

2. In this case, I’m naming the project SAP GUI 7.50 rev4.

3. Once the Packages project opens, click on the Project tab. You’ll want to make sure that your information is correctly set here (if you don’t know what to put in, check the Help menu for the Packages User Guide. The information you need is in Chapter 4 – Configuring a project.)

In this example, I’m not changing any of the options from what is set by default.

4. Next, click on the Settings tab. In the case of my project, I want to install with root privileges and not require a logout, restart or shutdown.

To accomplish this, I’m choosing the following options in the Settings section:

In the Tag section:

Identifier: set as appropriate (for my installer, I’m using com.sap.pkg.SAPGUI750rev4)
Version: set as appropriate (for my installer, I’m using 7.50.04)

In the Post-installation Behavior section:

On Success: should be set to Do Nothing

In the Options section:

Require admin password for installation should be checked
Relocatable should be unchecked
Overwrite directory permissions should be unchecked
Follow symbolic links should be unchecked

5. Select the Payload tab. Nothing here should be changed from the defaults.

6. Select the Scripts tab. Under the Additional Resources section, add the following file:

The SAP GUI for Java installer (this is the PlatinGUI .jar file)

If you have a templates.jar file, also add that file.

7. The last part is telling the SAP GUI for Java installer to run with the correct options selected. For this, you’ll need a postinstall script.

The postinstall script being used for this installer package is shown below:

Once created, select the postinstall script and add it to the project.

8. Build the package. (If you don’t know how to build, check the Help menu for the Packages User Guide. The information you need is in Chapter 3 – Creating a raw package project and Chapter 10 – Building a project.)

Testing the installer

Once the package has been built, test it by installing it on a test machine which has the following:

  • Java installed
  • Does not have the SAP GUI client installed

The end result should be that the SAP GUI client installs into /Applications.

If a templates.jar was included with the installer, the SAP GUI configuration template files specified by the templates.jar file should also be installed.

Slides from the “Getting Started with Amazon Web Services” session at MacSysAdmin 2018

For those who wanted a copy of my Amazon Web Services talk at the MacSysAdmin 2018 conference, here are links to the slides in PDF and Keynote format.

PDF – http://tinyurl.com/MSA2018AWSPDF

Keynote – http://tinyurl.com/MSA2018AWSKeynote

DiskMaker X 8 for Mojave is available

If you need to create a macOS boot drive, and you feel like throwing yourself at Apple’s new OS tonight like misery on the poor, remember to play it safe! DiskMaker X has been updated to a new version, for the modest sum of whatever you want to pay.

All the necessary information is on the site http://diskmakerx.com. Which one day I’ll have to get around to putting back into French, after a mistake on my part wiped out the different language versions, WOOHOOOOOO!!!

And I remain open to your comments and suggestions at ldm@gete.net.

Happy migrating, and don’t forget the most important thing before moving to a new OS:

BACK UP!!!

Resetting the macOS Services list

One of the most under-used features of macOS is still Services. Accessible via the menu bearing the name of the current application (next to the Apple menu) > Services, or via a right-click > Services, this contextual menu lets you launch various actions defined relative to the current selection. For example, quite a while ago I created a service to count the characters in the current selection (the script still works, by the way).

For several macOS versions now, Automator has let you create your own services, as very well explained by Sylvain Gamel in his book Automatisez sous Mac [1]. You will also find plenty of examples of services to create with Automator on his site automatisez.net.

But for a few days I had been facing a small, annoying problem: the menus were always out of order and, above all, after I tried to rename a service, it kept showing up under its old name. Deleting preferences or clearing caches did nothing, even after a reboot.

A message posted on Slack gave me the lead: open Terminal and type:

/System/Library/CoreServices/pbs -update

The Services menu should be cleanly reset. As for alphabetical order, it is only partially restored, since macOS apparently prefers to sort services first by application and then alphabetically within each application. At least I think so; it’s not that obvious (especially since the order differs from the one in the application menu > Services). But at least the names are correct again, which is something.

  1. Which I can only recommend you read, especially the superb preface.

Phantom groups, MySQL queries and Jamf Pro 10.7

On September 13th, Jamf released a new KBase article for Jamf Pro customers who hosted Jamf Pro themselves instead of hosting in Jamf Cloud:

On-Prem Jamf Pro Customers Upgrading to 10.7.0: https://www.jamf.com/jamf-nation/articles/552/on-prem-jamf-pro-customers-upgrading-to-10-7-0

In the KBase article, Jamf provides a couple of MySQL commands to run:

select computer_group_id,criteria,criteria_display from smart_computer_group_criteria where criteria not in (select computer_group_name from computer_groups) and search_field="Computer Group";
select computer_group_id,criteria,criteria_display from smart_computer_group_criteria where binary criteria not in (select binary computer_group_name from computer_groups) and search_field="Computer Group";

If either query returned data, the KBase directs you to contact Jamf Support. This was my output:

What had happened? For more details, please see below the jump.

When I looked at the list, the fact that all of the results returned Testing rang a bell. I’m using JSSImporter, which uses .jss AutoPkg recipes to upload software to my Jamf Pro server. By default, most .jss AutoPkg recipes create smart groups which include the following criteria:

Computer Group: Member of: Testing

However, there is not a static or smart group named Testing on my Jamf Pro server, so that meant the smart groups generated by my .jss AutoPkg recipes contained Computer Group criteria that weren’t valid. This is the issue that Jamf Pro 10.7 has difficulty with and what the MySQL queries were meant to find.

So the fix is to do one of two things:

  • Identify the relevant smart groups and either remove or update the criteria.
  • Delete the relevant smart groups.
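
As an added example (not from the Jamf KBase or from this post), here are the two checks above rebuilt in Python over an in-memory SQLite copy of the two tables, filled with constructed sample rows; it shows why the second, BINARY query can flag a criterion the first one lets through. The lower() emulation of MySQL’s case-insensitive default collation is an assumption of this example, not something the KBase describes.

```python
"""Reproduce the two 'phantom group' checks from the Jamf KBase against a
constructed in-memory copy of the two tables they read."""
import sqlite3

# Constructed sample rows (not taken from a real Jamf Pro database).
COMPUTER_GROUPS = [
    (1, "All Managed Clients"),
    (2, "testing"),                       # exists, but only in lower case
]
# (computer_group_id, criteria, criteria_display, search_field)
SMART_GROUP_CRITERIA = [
    (10, "Testing", "Testing", "Computer Group"),   # JSSImporter-style criterion
    (11, "All Managed Clients", "All Managed Clients", "Computer Group"),
    (12, "Nonexistent", "Nonexistent", "Computer Group"),
    (13, "Testing", "Testing", "Application Title"),  # not a group criterion
]


def build_db():
    """Create the two tables with the column names the KBase queries use."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE computer_groups (
            computer_group_id INTEGER, computer_group_name TEXT);
        CREATE TABLE smart_computer_group_criteria (
            computer_group_id INTEGER, criteria TEXT,
            criteria_display TEXT, search_field TEXT);
    """)
    db.executemany("INSERT INTO computer_groups VALUES (?, ?)", COMPUTER_GROUPS)
    db.executemany("INSERT INTO smart_computer_group_criteria VALUES (?, ?, ?, ?)",
                   SMART_GROUP_CRITERIA)
    return db


def phantom_group_criteria(db, case_sensitive):
    """Return 'Computer Group' criteria rows that name no existing group.

    MySQL's default collation compares case-insensitively, which is the
    first KBase query; the second adds BINARY for a case-sensitive match.
    SQLite compares case-sensitively by default, so the case-insensitive
    form is emulated here by applying lower() on both sides.
    """
    if case_sensitive:
        where = ("criteria NOT IN "
                 "(SELECT computer_group_name FROM computer_groups)")
    else:
        where = ("lower(criteria) NOT IN "
                 "(SELECT lower(computer_group_name) FROM computer_groups)")
    sql = ("SELECT computer_group_id, criteria, criteria_display "
           "FROM smart_computer_group_criteria "
           "WHERE " + where + " AND search_field = 'Computer Group' "
           "ORDER BY computer_group_id")
    return db.execute(sql).fetchall()


def smart_groups_to_review(db):
    """IDs of smart groups that fail either check: the groups whose criteria
    must be fixed, or which must be deleted, before upgrading to 10.7."""
    ids = set()
    for strict in (False, True):
        ids.update(row[0] for row in phantom_group_criteria(db, strict))
    return sorted(ids)


if __name__ == "__main__":
    db = build_db()
    for strict in (False, True):
        print("case-sensitive:" if strict else "case-insensitive:",
              phantom_group_criteria(db, strict))
    print("smart groups to review:", smart_groups_to_review(db))
```

Against a real server the same two SELECTs from the KBase are run in the mysql client; this example only stands in for the tables so the difference between them can be seen offline.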

In my case, I’m not actually using the smart groups generated by JSSImporter and my .jss recipes. My own fix for this issue was to do the following:

A. Update the .jss recipes used with my Jamf Pro server to remove the section which creates smart groups.

B. Delete the existing smart groups from my Jamf Pro server.

C. Run a complete AutoPkg run to verify the following:

i. My JSSImporter-created policies now showed no scoping (previously, they were scoped to the smart groups)
ii. The smart groups were not recreated on my Jamf Pro server.

Once I did that and deleted the JSSImporter-created smart groups from my Jamf Pro server, I re-ran the MySQL commands and received the following results back:

I confirmed with Jamf Support that the output above indicated that the problem was fixed.

Note: I have not edited my publicly-available .jss AutoPkg recipes to remove the section which creates smart groups. If you’re using my .jss recipes and want to remove the section which creates smart groups, please do the following:

1. Make copies of the .jss recipes in question.
2. Assign the copies a new and unique AutoPkg recipe identifier.
3. Remove the following section of the .jss recipe:

[Review] Fibaro, a HomeKit-compatible door opening sensor

Drama a few days ago: a Velux skylight left open, a somewhat violent storm, a Wii U GamePad controller left on the sofa… under the Velux.

And splash went the GamePad.

After shelling out the tidy sum of €80 for a new GamePad (ouch), I had to find a solution to keep the problem from happening again. And since I’m not yet at the point of launching a Leetchi fundraiser to get myself a new iPhone, I mean to replace the Velux with a rain-sensing model, I had to look for a solution to at least be alerted when the window is open.

So I haven’t found the ideal solution yet, but I did find an effective door sensor from Fibaro: the Door/Window Sensor (part number FGBHDW-002).

Be warned, it isn’t cheap: at €67.90 on Amazon, this is not an entry-level product. The indispensable Pierre Dandumont has tested two other solutions on his blog.

Setup is normally dead simple: switch on the accessory (by removing the little paper tab that blocks the battery), and scan the HomeKit code (keep it somewhere safe) with the Home app. Then…

Nothing. Accessory not detected.

Grumpf.

But could the problem be coming from iOS? Because I had just moved to the iOS 12 GM…

New test, with an iPad still on iOS 11 and change…

Eureka! Pairing works on the first try, and the accessory is added and visible in the Home app.

And now, when the window is open, I get an alert on my iPhone! Well, almost: I had to unstick the accessory and stick it back on the right way round (it can also be screwed on). After that, it was fine.

… And even on the Apple Watch!

Same thing when it is closed: you then get another alert.

And in the Home app, the sensor is visible and its state is shown.

However, HomeKit remains limited: it is impossible to add a rain-detecting device, such as a weather station, to trigger an alert if the door sensor is in the open position AND it starts to rain. But that may be doable with solutions such as Homebridge. To be continued…

Creating Privacy Preferences Policy Control profiles for macOS

As part of the pre-release announcements about macOS Mojave, Apple released the following KBase article:

Prepare your institution for iOS 12 or macOS Mojave:

https://support.apple.com/HT209028

As part of the KBase article, Apple included a Changes introduced in macOS Mojave section which featured this note:

You can allow apps to access certain files used for system administration, and to allow access to application data. For example, if an app requests access to your Calendar data, you can allow or deny the request. MDM administrators can manage these requests using the Privacy Preferences Policy Control payload, as documented in the Configuration Profile Reference.

What does all this mean? For more details, see below the jump.

As part of macOS Mojave, Apple introduced new controls for accessing data in the individual user home folders. For more details about these changes, I recommend that you check out the following video and blog posts. Don’t worry about me, I’ll wait:

Back? OK, now that you’re familiar with what Apple was talking about with that section of the KBase, let’s discuss this section:

MDM administrators can manage these requests using the Privacy Preferences Policy Control payload, as documented in the Configuration Profile Reference.

What this means is that you may be able to whitelist your most common interactions and prevent them from displaying dialogs. Unfortunately, as of this date, Apple has provided only the following as documentation:

https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf (see the Privacy Preferences Policy Control Payload section.)

Apple refers to these as Privacy Preferences Policy Control Payload profiles, with a com.apple.TCC.configuration-profile-policy payload type. TCC stands for Transparency, Consent and Control and was discussed as part of the How iOS Security Really Works session at WWDC 2016:

https://developer.apple.com/videos/play/wwdc2016/705/?time=674

These profiles can only be deployed to macOS Mojave and must be deployed by a user-approved MDM solution.

While the current documentation doesn’t provide a lot of detail, based on my research, here is how the whitelist appears to work:

1. The item being whitelisted must be code-signed

As part of the profile, there is an entry for code signature so that the OS can verify that the whitelist entry matches up against the app requesting the action. How do you find out what the code signature of a particular app is? Run the following command against the application or other item that you want to whitelist:

codesign -dr - /path/to/Application.app

That said, there are two ways that you can do this for third-party applications. As an example, if you’re using Jamf Pro 10.x to manage your Macs, the following application should be installed on your Mac:

/Library/Application Support/JAMF/Jamf.app

If you run the following command, you should get the code signature for the app:

codesign -dr - "/Library/Application Support/JAMF/Jamf.app"

There are two ways you can add this information to the profile:

Example A:

identifier "com.jamf.management.Jamf" and anchor apple generic

Example B:

identifier "com.jamf.management.Jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"

Example A should be considered the least secure as it is very generic in how it reads the code signature, while Example B is the most secure because the full code signature is specified.

However, if Jamf ever needed to fundamentally change the code signature it was using for Jamf.app, Example A’s code signature would continue to match while Example B’s would not. Code signature fundamentals don’t change that often, but it is something to be aware of when creating the profiles.

One other thing to watch out for is multiple lines being returned by the code signature check, as I ran into this when checking an application produced by McAfee.

codesign -dr - "/Library/Application Support/McAfee/MSS/Applications/Menulet.app"

The code signature you need is what’s listed on the designated => line of the output:

identifier "com.yourcompany.Menulet" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GT8P3H7SPW

2. The whitelist covers the parent process which is performing the action

Note: Here we’re heading off into territory that I can’t get confirmation about yet from Apple’s documentation. My research has led me to the belief that the information below is right, but I don’t know for sure. Deploy appropriate levels of skepticism.

When creating the whitelist, you’re likely going to need to do a lot of testing to figure out which process is actually triggering the action that the user is asked to permit via the dialog window which appears. In many cases, you’ll need to whitelist the parent process which is asking for X, which in turn is running Y, which is executing Z, and Z is what is actually causing the dialog window to appear.

A good example is when using Jamf’s Self Service to install software. A Self Service policy might include the following:

  1. The policy which installs the software.
  2. A notification that tells you “Hey, the software’s installed”
  3. A script that pops up its own dialog window to say “Hey, we’ve installed this software but it’s unlicensed and we need you to now enter the license code you got from the help desk.”

Jamf has a couple of applications involved in this process to help it go smoothly:

/usr/local/jamf/bin/jamf
/usr/local/jamf/bin/jamfAgent

The notification and dialog window may trigger a dialog window which asks you if you want to allow a particular thing to happen. Depending on which application triggered it, you may see a notification that jamf (or jamfAgent) is the one requesting it. However, it may seem senseless: that “Hey, the software’s installed” notification is clearly an AppleScript dialog; why isn’t AppleScript the one being referred to as the requester?

The reason is that whichever application was named was the process that started the chain of events going. If jamfAgent is the one referenced, that means that the jamfAgent process is the process that asked AppleScript “Hey, mind showing that to my friend sitting between the keyboard and chair? Thanks.” So in this situation, even though it’s ultimately an AppleScript dialog window that appears, you would need to whitelist /usr/local/jamf/bin/jamfAgent.

3. There are filesystem permissions and there are application permissions

There are a number of dictionary keys available to the whitelist profiles:

  • AddressBook
  • Calendar
  • Reminders
  • Photos
  • Camera
  • Microphone
  • Accessibility
  • PostEvent
  • SystemPolicyAllFiles
  • SystemPolicySysAdminFiles
  • AppleEvents

For whitelisting things like dialog messages and allowing access to data, there are two that seem to matter most:

  • SystemPolicyAllFiles
  • AppleEvents

SystemPolicyAllFiles allows the whitelisted application access to all protected files. As an example, your antivirus software may pop up dialog messages like crazy because it’s trying to scan areas of your home folder that Apple has now marked as protected. Once you identify the process which is actually running the scan and whitelist it using SystemPolicyAllFiles, the scans should now succeed without dialog messages because the scanning process has now been authorized by the whitelist to go into those areas.

AppleEvents allows the whitelisted application the ability to send an AppleEvent to an otherwise restricted application. For example, you may have a script which includes the following command:

osascript -e 'display dialog "Hey there!" with title "Hello"'

You may get a dialog window requesting permission to let osascript control the Finder. If you add an entry to your whitelist for /usr/bin/osascript, to authorize it to be able to send AppleEvents to com.apple.Finder, now you won’t get the permission request because now osascript is authorized to send requests to the Finder.

Creating the profiles

When creating my own profiles, I found a great tool created by Carl Ashley:

https://github.com/carlashley/tccprofile

This tool allowed me to plug in what I needed to whitelist and generated a profile for me. For example, I wanted to generate a profile for McAfee Endpoint Security with the following criteria:

Full Disk Access:

/Library/Application Support/McAfee/MSS/Applications/Menulet.app
/usr/local/McAfee/fmp/bin/fmpd

Note: /usr/local/McAfee/fmp/bin/fmpd is the McAfee file scanner

Able to send restricted AppleEvents:

/Library/Application Support/McAfee/MSS/Applications/Menulet.app – Send AppleEvents to SystemEvents, SystemUIServer and Finder

I was able to use the following command with the tccprofile tool to generate the profile I needed:

However, there was a problem with the profile because of McAfee’s extra code-signing line.

Once the profile was edited to remove the extra code signature information, the profile was ready to go.
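
Putting the pieces above together, here is an added example (my own code, not tccprofile and not anything from this post) that pulls the requirement off the designated => line of codesign output, ignoring any extra lines, and builds the McAfee profile described above with plistlib. The Menulet requirement is the one quoted earlier; the fmpd requirement is a placeholder, the receiver requirements for System Events, SystemUIServer and Finder are assumed, and the profile identifier is a constructed value.

```python
"""Build a Privacy Preferences Policy Control profile, taking the code
requirement from the 'designated =>' line of codesign output."""
import plistlib
import uuid

MENULET = "/Library/Application Support/McAfee/MSS/Applications/Menulet.app"
FMPD = "/usr/local/McAfee/fmp/bin/fmpd"

# Constructed stand-in for `codesign -dr - "<Menulet.app>"`: the designated
# requirement is the one quoted in the post; the "library =>" line is made up
# here to simulate the extra line McAfee's binary produces.
SAMPLE_CODESIGN_OUTPUT = (
    "Executable=" + MENULET + "/Contents/MacOS/Menulet\n"
    'designated => identifier "com.yourcompany.Menulet" and anchor apple generic '
    "and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ "
    "and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ "
    "and certificate leaf[subject.OU] = GT8P3H7SPW\n"
    "library => anchor apple generic\n"
)

# PLACEHOLDER: replace with the designated requirement of fmpd on your Mac.
FMPD_REQUIREMENT = "PLACEHOLDER_FMPD_DESIGNATED_REQUIREMENT"

# Receivers for the AppleEvents entries. These requirements are ASSUMED to
# follow Apple's usual form; confirm each with codesign -dr - before use.
AE_RECEIVERS = [
    ("com.apple.systemevents", 'identifier "com.apple.systemevents" and anchor apple'),
    ("com.apple.systemuiserver", 'identifier "com.apple.systemuiserver" and anchor apple'),
    ("com.apple.finder", 'identifier "com.apple.finder" and anchor apple'),
]


def designated_requirement(codesign_output):
    """Return only the 'designated =>' requirement; other requirement lines
    (the extra one McAfee's Menulet prints, for example) are ignored."""
    for line in codesign_output.splitlines():
        if line.startswith("designated => "):
            return line[len("designated => "):].strip()
    raise ValueError("no 'designated =>' line in codesign output")


def tcc_entry(identifier, code_requirement, comment="", receiver=None):
    """One Services entry; a leading '/' means a path, otherwise a bundle ID."""
    entry = {
        "Identifier": identifier,
        "IdentifierType": "path" if identifier.startswith("/") else "bundleID",
        "CodeRequirement": code_requirement,
        "Allowed": True,
        "Comment": comment,
    }
    if receiver is not None:  # AppleEvents entries must also name the receiver
        rid, rreq = receiver
        entry["AEReceiverIdentifier"] = rid
        entry["AEReceiverIdentifierType"] = "bundleID"
        entry["AEReceiverCodeRequirement"] = rreq
    return entry


def build_profile(services, identifier, display_name):
    """Wrap a Services dict in a system-scoped configuration profile."""
    payload = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": identifier + ".tcc",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "Services": services,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadScope": "System",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "PayloadContent": [payload],
    }


def mcafee_profile():
    """The McAfee Endpoint Security criteria listed in the post."""
    menulet_req = designated_requirement(SAMPLE_CODESIGN_OUTPUT)
    services = {
        "SystemPolicyAllFiles": [
            tcc_entry(MENULET, menulet_req, "McAfee menulet"),
            tcc_entry(FMPD, FMPD_REQUIREMENT, "McAfee file scanner"),
        ],
        "AppleEvents": [
            tcc_entry(MENULET, menulet_req, "Menulet -> " + rid, receiver=(rid, rreq))
            for rid, rreq in AE_RECEIVERS
        ],
    }
    # The profile identifier is a constructed example value.
    return build_profile(services, "com.example.tcc.mcafee", "McAfee Endpoint Security PPPC")


def to_mobileconfig(profile):
    """Serialise to the XML plist an MDM expects inside a .mobileconfig."""
    return plistlib.dumps(profile)
```

Writing the bytes from to_mobileconfig() to a .mobileconfig file gives a profile that still has to be signed and pushed by a user-approved MDM, as described above.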

Reference Examples

Since this is a new area for Mac admins, I’ve posted several profiles for reference at the following location:

https://github.com/rtrouton/privacy_preferences_control_profiles

All were generated by the tccprofile tool and I’ve included README files that describe the individual profiles and the commands used to create the profile in question.

Using directory membership to manage Apple Remote Desktop permissions

Apple Remote Desktop (ARD) is a screen sharing and remote administration tool that just about every Mac admin uses at some point. Configuring access permissions for it can be done in several ways:

  1. Using System Preferences’ Sharing preference pane to configure the Remote Management settings.
  2. Using the kickstart command line utility to grant permissions to all or specified users
  3. Using the kickstart command line utility to grant permissions to members of specified directories.

The last item may be the least-known method of assigning permissions, but it can be the most powerful because it allows ARD’s management agent to be configured once and then uses group membership to assign ARD permissions. For more details, please see below the jump.

As documented in the Apple Remote Desktop administrator guide, Apple’s directory-based permissions model looks like this:

In the past, these rights could be assigned via Apple’s Workgroup Manager using MCX, using a configuration like the one shown below:

[Figure: Apple Remote Desktop 3 Administrator Guide, page 64]

However, this MCX-based method does not seem to work on macOS High Sierra. I have not yet been successful when assigning them using a management profile.

A secondary method using local groups on the Mac still works as of macOS High Sierra.

[Figure: Apple Remote Desktop 3 Administrator Guide v3.3, page 73]

To configure ARD permission management via assignment to a local group, the following procedure should be used:

1. Create the following groups on your Mac:

com.apple.local.ard_admin
com.apple.local.ard_interact
com.apple.local.ard_manage
com.apple.local.ard_reports

2. Add the desired user(s) or groups to the relevant com.apple.local.ard_ group.

3. Configure ARD using the kickstart utility to recognize and use directory-based logins.

For example, the command shown below will enable the ARD management agent and configure it to use directory-based logins:

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -clientopts -setdirlogins -dirlogins yes

Once configured, ARD permissions can be assigned by adding accounts to and removing them from the relevant com.apple.local.ard_ groups. For example, adding a local user account named Administrator to the local com.apple.local.ard_admin group produces the following results.

Without any other configuration, the Administrator account now appears listed in the Remote Management settings.

The account also has the following ARD permissions assigned, with the permissions grayed out so that they can’t be changed:

  • Generate reports
  • Open and quit applications
  • Change settings
  • Copy Items
  • Delete and replace items
  • Send messages
  • Restart and Shut down
  • Control
  • Observe
  • Show being observed

Adding a local user account named User Name to the com.apple.local.ard_interact group produces the following results.

Without any other configuration, the User Name account now appears listed in the Remote Management settings.

The account also has the following ARD permissions assigned, with the permissions grayed out so that they can’t be changed:

  • Control
  • Observe
  • Show being observed

To assist with creating these groups and assigning user accounts to them, I’ve written the following script. It does the following:

  1. Allows a username and group to be specified for ARD permissions
  2. Verifies that the username exists on the Mac
  3. Creates all four ARD permissions management groups
  4. Adds the specified user account to the specified management group
  5. Turns on ARD’s management agent and configures it to use ARD’s directory-based management to assign permissions

The script is available below. It’s also available from GitHub using the following link:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/set_apple_remote_desktop_to_use_directory_based_management_permissions
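
As an added example of the procedure above in script form (my own code, not the script from the post or from the GitHub link), the following validates the requested group against the four ARD groups, checks that the user exists, creates any missing groups, adds the user and runs the kickstart command shown earlier. It assumes it is run as root on the Mac and that dscl and dseditgroup are on the path.

```python
#!/usr/bin/python
"""Set up directory-based ARD permissions on the local Mac: create the four
com.apple.local.ard_* groups, put one user into one of them and switch the
ARD agent to directory logins. Must be run as root."""
import os
import subprocess
import sys

ARD_GROUPS = [
    "com.apple.local.ard_admin",
    "com.apple.local.ard_interact",
    "com.apple.local.ard_manage",
    "com.apple.local.ard_reports",
]
KICKSTART = ("/System/Library/CoreServices/RemoteManagement/ARDAgent.app"
             "/Contents/Resources/kickstart")


def valid_ard_group(group):
    """Only the four groups ARD recognises are accepted."""
    return group in ARD_GROUPS


def _quiet(cmd):
    """Run a command with output discarded; True when it exits 0."""
    with open(os.devnull, "w") as devnull:
        return subprocess.call(cmd, stdout=devnull, stderr=devnull) == 0


def user_exists(username):
    # dscl exits non-zero when the local user record is absent
    return _quiet(["dscl", ".", "-read", "/Users/" + username, "RecordName"])


def group_exists(group):
    return _quiet(["dseditgroup", "-o", "read", group])


def create_group_args(group):
    return ["dseditgroup", "-o", "create", group]


def add_member_args(username, group):
    return ["dseditgroup", "-o", "edit", "-a", username, "-t", "user", group]


def kickstart_args():
    """The kickstart invocation from the post: activate the agent and turn
    on directory-based logins."""
    return [KICKSTART, "-activate", "-configure", "-clientopts",
            "-setdirlogins", "-dirlogins", "yes"]


def configure(username, group):
    """Validate inputs before touching the system, then apply the steps."""
    if not valid_ard_group(group):
        raise ValueError("unknown ARD group: " + group)
    if not user_exists(username):
        raise ValueError("no local user named " + username)
    for g in ARD_GROUPS:              # create all four, not just the one used
        if not group_exists(g):
            subprocess.check_call(create_group_args(g))
    subprocess.check_call(add_member_args(username, group))
    subprocess.check_call(kickstart_args())


if __name__ == "__main__":
    if len(sys.argv) != 3 or os.geteuid() != 0:
        sys.exit("usage (as root): %s username com.apple.local.ard_<role>"
                 % sys.argv[0])
    configure(sys.argv[1], sys.argv[2])
```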

The T2 Macs, the end of NetBoot and deploying from macOS Recovery

In late 2017, Apple released the iMac Pro. Along with the new Secure Enclave protection provided by Apple’s T2 chip, the iMac Pro brought another notable development: it did not support booting from a network volume, otherwise known as NetBoot.

The one exception was Apple’s Internet Recovery, where Apple is providing a NetBoot-like service to provide access to macOS Recovery. The iMac Pro is still able to boot to Internet Recovery, which provides a way to repair the Mac or reinstall the operating system in situations where the Mac’s own Recovery volume is missing or not working properly.

With NetBoot not being available for the iMac Pro but still available for other models, it wasn’t yet clear if NetBoot-based workflows for setting up new Macs or rebuilding existing ones were on the way out. However, Apple’s release of T2-equipped MacBook Pros in July 2018, which also could not use NetBoot, has made Apple’s direction clear. As Apple releases new Mac models equipped with T2 chips and Secure Enclave, it is unlikely that these future Mac releases will be supporting NetBoot.

For Mac admins using NetBoot-based workflows to set up their Macs, what are the alternatives? Apple has been encouraging the use of Apple’s Device Enrollment Program, which leverages a company, school or institution’s mobile device management (MDM) service. In this case, you would need to arrange with Apple or an Apple reseller to purchase Macs that are enrolled in your organization’s DEP.

When a DEP-enrolled Mac is started for the first time (or started after an OS reinstall), it is automatically configured to use your organization’s MDM service and the device checks in with the MDM service. The MDM service then configures the Mac as desired with your organization’s software and configuration settings. A good example of what this process may look like can be seen here.

What if you don’t have DEP, or you don’t have MDM? In that case, you may still be able to leverage Recovery-based deployment methods, which would allow you to install the desired software and configuration settings onto the Mac’s existing OS, or install a new OS along with software and configuration settings. For more details on these methods, please see below the jump.

To help facilitate deploying software and settings from the Recovery environment, Greg Neagle has released a couple of tools:

bootstrappr: https://github.com/munki/bootstrappr
installr: https://github.com/munki/installr

Both bootstrappr and installr can run in the macOS Recovery environment and work in similar ways. The main difference between the two is the following:

  • bootstrappr: Installs one or more packages onto a target volume
  • installr: Installs macOS and one or more additional packages onto a target volume

As an example of how bootstrappr works, please see below. In this case, I’ve set up a disk image using the instructions provided at the bootstrappr GitHub repo and copied it to an external drive named Provisioning.

On the disk image, I’ve included one installer package named First Boot Package Install, which was generated by my First Boot Package Install Generator tool.

1. Boot to macOS Recovery

2. Launch Terminal

3. Run the following command:

hdiutil mount /Volumes/Provisioning/bootstrap.dmg

The bootstrap disk image mounts as a new volume named bootstrap.

4. Run the following command:

/Volumes/bootstrap/run

5. Select the volume to install on (in this example, the volume is named Macintosh HD.)

The First Boot Package Install package included in the disk image is installed.

6. Once installation is completed, select the option to restart.

On restart, the First Boot Package Install package is able to run its own workflow, which is able to suppress the Apple Setup Assistant and run its assigned installation task. In this case, I’m only having it check for and install all available Apple software updates but it could be installing any desired package. This could include all software needed to set up a particular Mac, or installing a management agent to handle software installation and configuration.
