
Archive for the 'Management' Category

Fixing certificate errors for package installers in 10.7.4 and below

I recently had to build an installer package that used the Apple Developer ID Installer certificate. This is the first time I have signed an installer package and was interested to see how it worked with Gatekeeper. In PackageMaker you click on the “Configuration” tab for the installer then click on “Certificate” to select the appropriate one. Worked exactly as they say, found the cert and added it, no problem.

Next, I tested the installer to make sure it was signed correctly. You do that in Terminal using the spctl command:

sudo spctl -a -v --type install /Users/test/Desktop/MyInstaller.pkg
Password:
/Users/test/Desktop/MyInstaller.pkg: accepted source=Developer ID

Now I ran the package on both a 10.8.2 and 10.7.5 machine. Both of these OS versions have Gatekeeper. The package ran correctly and showed that the signing certificate was correct.

Now, to be certain I ran the package again on a 10.6.8 machine and a 10.7.4 machine since neither of these have Gatekeeper.

On the 10.7.4 machine I get a certificate error warning. It says my certificate isn’t signed by a trusted source and do I want to trust it. Looking at the certificate chain it all seems correct. Running a signed Cisco installer on the same system does not generate the same error, even though the root signing CA is exactly the same. The installer works but has that disturbing error message.

On a 10.6.8 machine the installer runs without a certificate warning but clicking on the cert button in the installer window says the same thing as the 10.7.4 machine, that it isn’t signed by a trusted source.

Cutting to the chase, the issue is with signing the installer using the GUI version of PackageMaker. The signature it produces is accepted by 10.7.5 and later, but it triggers the warnings described above on everything older. To get a signed installer that works on every version of the OS you need to sign it with the productsign tool at the command line. These instructions assume that you've already installed your Developer ID certificates in your keychain.

Use the following steps to do that:

  1. Use the GUI version of PackageMaker to generate your installer but leave it unsigned.
  2. Run the following command to sign that package:
    productsign --sign "Developer ID Installer: My Company" /Users/test/Desktop/MyInstaller.pkg /Users/test/Desktop/Signed/MyInstaller.pkg
    Note: If you are signing an older style non-distribution package it will give you the following error:
    Could not find appropriate signing identity for "Developer ID Installer: My Company". An application signing identity (not an installer identity) is required for signing bundle-style products.

    If you get that error use the following format instead of the one listed above:

    productsign --sign "Developer ID Application: My Company" /Users/test/Desktop/MyInstaller.pkg /Users/test/Desktop/Signed/MyInstaller.pkg

To test if you have successfully signed the package use the spctl command:

sudo spctl -a -v --type install /Users/test/Desktop/Signed/MyInstaller.pkg
/Users/test/Desktop/Signed/MyInstaller.pkg: accepted source=Developer ID
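The two signing steps and the spctl check above, combined into a script you can run from a build job. This is an added example, not code from the original post. It assumes a flat package, an identity named "Developer ID Installer: My Company" in the login keychain, and a Mac that has productsign, spctl and pkgutil; the function names are mine. It goes a little beyond the bare spctl command: it also requires pkgutil --check-signature to show a Developer ID Installer certificate in the chain, and it fails closed on anything it cannot verify (missing file, missing tool, rejected or merely "accepted" by some other rule). spctl --assess does not need sudo; only changing policy with spctl does.

```shell
#!/bin/sh
# Added example (not from the original post): sign a flat installer package with
# productsign, then verify it the way Gatekeeper and Installer.app will.
# Identity name and paths are placeholders; the tools are macOS-only.

IDENTITY="${IDENTITY:-Developer ID Installer: My Company}"

# verify_pkg PATH
# Returns 0 only when spctl's install policy accepts the package as Developer ID
# signed AND pkgutil shows a Developer ID Installer leaf certificate.
# Anything else (missing file, missing tool, unsigned, wrong identity) returns 1.
verify_pkg() {
    pkg="$1"
    if [ ! -f "$pkg" ]; then
        echo "verify_pkg: no such package: $pkg" >&2
        return 1
    fi
    if ! command -v spctl >/dev/null 2>&1 || ! command -v pkgutil >/dev/null 2>&1; then
        echo "verify_pkg: spctl/pkgutil not available (macOS only)" >&2
        return 1
    fi
    # spctl exits non-zero and prints "rejected" when the policy does not accept it
    if ! out=$(spctl --assess --verbose --type install "$pkg" 2>&1); then
        echo "verify_pkg: spctl rejected package: $out" >&2
        return 1
    fi
    # "accepted" alone is not enough: a custom rule could also accept it
    case "$out" in
        *"source=Developer ID"*) ;;
        *)  echo "verify_pkg: accepted, but not via Developer ID: $out" >&2
            return 1 ;;
    esac
    # pkgutil prints the certificate chain; require the installer identity,
    # which distinguishes a proper flat-package signature from an application
    # identity or a self-signed certificate that the GUI tool might have used
    if ! pkgutil --check-signature "$pkg" | grep -q "Developer ID Installer:"; then
        echo "verify_pkg: chain has no Developer ID Installer certificate" >&2
        return 1
    fi
    return 0
}

# sign_pkg UNSIGNED.pkg SIGNED.pkg
# productsign always writes a new file; it never signs in place.
sign_pkg() {
    if ! command -v productsign >/dev/null 2>&1; then
        echo "sign_pkg: productsign not found" >&2
        return 1
    fi
    productsign --sign "$IDENTITY" "$1" "$2" || return 1
    verify_pkg "$2"
}

# usage: sign_and_verify.sh MyInstaller.pkg Signed/MyInstaller.pkg
if [ "$#" -eq 2 ]; then
    sign_pkg "$1" "$2" && echo "signed and verified: $2"
fi
```

Run it as sign_and_verify.sh in.pkg out.pkg; a non-zero exit means do not ship the package. pkgutil --check-signature also prints the whole chain, which is the quickest way to see whether an old-style package was signed with the Application identity instead.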

Mountain Lion 10.8 Apple Training and Certification books

All of the Mountain Lion 10.8 Apple Certification and Training books are now available as are all the classes. I thought I’d put up a listing of all the books for those who are looking to get certified or just brush up on their skills. As both an Apple Certified Technical Coordinator and Apple Certified Trainer I can honestly say that taking the classes is the best way to learn these skills. You will get hands on experience and be trained by people who really know their stuff and can answer your questions. However, these books are a great brush up on your skills or to see how much you really know. You can also use these as study guides for the Apple Certification exams. You’ll also notice that the books are broken down into smaller sections and have all of the exercises. If you have the equipment at home you can now go through all of the exercises yourself. Click here if you are interested in the Lion Certification books. To purchase the books for the discontinued Snow Leopard courses such as Deployment click here.

Mountain Lion 101 OS X Support Essentials

Mountain Lion 201 OS Server Essentials 10.8

Quick Applescript to check your Mac for the Flashback infection

There is a lot of media coverage of the possibility that many Macs are infected by a trojan called "Flashback". It installs itself through a vulnerability in Java that a malicious website can exploit simply by being visited.

If you have Java on your Mac you need to make sure you have installed the latest Java update from Apple, which patches this issue. The easiest way is to run Software Update on your Mac and install the latest updates from Apple. You can also download them manually from Apple.

If you are concerned that you might already be infected F-Secure has some excellent instructions on how to find out here. The Applescript below will run the commands referenced in the F-Secure article to do a quick and dirty check. If everything comes back clean it will tell you. If it comes back as possibly infected it will direct you (or your user) to the website for more detailed information.

I’m posting it as a script file for download here:
Flashback Checker Script

Or you can copy the code from here and paste it into AppleScript Editor to run:

[codesyntax lang="applescript"]
-- Start every indicator as "unknown" so an unexpected error is never
-- mistaken for a clean result.
set LSE to "unknown"
set FLSE to "unknown"
set DLib to "unknown"

-- Safari: an LSEnvironment key in its Info.plist is a Flashback indicator.
-- If the key does not exist, defaults read raises an error that we trap.
try
	do shell script "defaults read /Applications/Safari.app/Contents/Info LSEnvironment"
	set LSE to "true"
on error errmsg
	if errmsg contains "does not exist" then set LSE to "false"
end try

-- Firefox: same check (a missing Firefox also reports "does not exist")
try
	do shell script "defaults read /Applications/Firefox.app/Contents/Info LSEnvironment"
	set FLSE to "true"
on error errmsg
	if errmsg contains "does not exist" then set FLSE to "false"
end try

-- Per-user environment.plist: a DYLD_INSERT_LIBRARIES entry is an indicator
try
	do shell script "defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES"
	set DLib to "true"
on error errmsg
	if errmsg contains "does not exist" then set DLib to "false"
end try

-- only report clean when all three checks positively came back clean
if LSE is "false" and DLib is "false" and FLSE is "false" then
	display dialog "You are not infected with Flashback"
else
	-- a "true" or an "unknown" result both need closer inspection
	display dialog "You may have the Flashback infection" & return & "Go to the following URL for more information:" & return & return & "http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml"
end if
[/codesyntax]
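The same three checks as a plain shell script, for machines you manage with launchd or Apple Remote Desktop where nobody is there to click a dialog. This is an added example, not from the original post or the F-Secure article. The difference that matters is a third outcome, "inconclusive": any error other than "does not exist" (unreadable file, defaults not on the path, unexpected output) is reported as needing a look instead of being counted as clean. The paths are the ones the post checks; the result words and function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): Flashback indicator check with a
# fail-safe verdict. Exit status is 0 only for a machine that checked out clean.

# plist_key_status PLIST_PATH KEY -> prints present | absent | error
# PLIST_PATH is given without the .plist extension, as "defaults read" expects.
plist_key_status() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo error            # not a Mac, or defaults not on PATH: cannot decide
        return 0
    fi
    if msg=$(defaults read "$1" "$2" 2>&1); then
        echo present          # key exists: the indicator is there
    elif printf '%s\n' "$msg" | grep -q "does not exist"; then
        echo absent           # key or file missing: the normal, clean case
    else
        echo error            # anything else: do not assume clean
    fi
}

# classify STATUS... -> prints clean | suspect | inconclusive
# "present" anywhere wins; otherwise any "error" makes the result inconclusive.
classify() {
    result=clean
    for s in "$@"; do
        case "$s" in
            present) echo suspect; return 0 ;;
            absent)  ;;
            *)       result=inconclusive ;;
        esac
    done
    echo "$result"
}

flashback_check() {
    safari=$(plist_key_status /Applications/Safari.app/Contents/Info LSEnvironment)
    firefox=$(plist_key_status /Applications/Firefox.app/Contents/Info LSEnvironment)
    userenv=$(plist_key_status "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES)
    verdict=$(classify "$safari" "$firefox" "$userenv")
    echo "safari=$safari firefox=$firefox environment.plist=$userenv verdict=$verdict"
    [ "$verdict" = clean ]
}

if [ "${1:-}" = "--run" ]; then
    flashback_check
fi
```

Run it as flashback_check.sh --run. Because the per-user environment.plist lives in each home directory, run it as the user (or loop over /Users) rather than as root from a single launchd daemon.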

Creating local snapshots in Time Machine in Lion 10.7

With the release of Lion, Apple added a new, somewhat hidden, ability to Time Machine: local snapshots. When this is enabled and you are away from your Time Machine disk, Lion creates the hourly snapshots on the local disk instead of on the backup drive. Once you reconnect the backup drive it copies them over and removes them from the local disk.

This is a great service for laptop users. The hourly snapshots are created no matter where you are, so changes you make to a document while away still end up in your Time Machine backup. Be aware of the flip side: the local snapshots live in a hidden /.MobileBackups folder on the boot volume, so a file you delete stays recoverable there until the snapshot is moved to the backup disk or purged. Deleting a sensitive file does not remove it from the machine while local snapshots are on.

To enable local snapshots you have to use the new command-line tool for Time Machine, tmutil.

To enable local snapshots:

sudo tmutil enablelocal

To disable them AND clear all the local snapshots:

sudo tmutil disablelocal

You can confirm that you’ve enabled local snapshots by opening System Preferences > Time Machine and looking for the line circled in the image.

Local Time Machine Snapshots

The tmutil utility has a bunch of other useful commands that allow you to enable or disable backups, start and stop backups, choose a new disk, etc. Type man tmutil to see the whole list. I can see this tool being used by lots of system administrators in scripts.

Apple also has a nice KB article explaining this feature here

How to back up Address Book automatically

For quite a while now you have been able to manually back up your entire Address Book. This has saved many people massive heartache when their machine died, they re-installed the OS, or various other scary things happened (yes, if you have MobileMe you don't need to do this, but most people don't have it).

The big issue with backing up this way, as with any backup, is getting people to do it and do it regularly. To back up your Address Book all you need to do is copy the /Users/"user name"/Library/Application Support/AddressBook folder in each user's home directory. Simple, direct and easy. But you may have noticed that when you do a manual backup from the Address Book application you get a file with the ".abbu" extension. That is just the AddressBook folder renamed with that extension. The beauty of having this file is that when you want to restore your Address Book from the menu you can just point at it. Otherwise you have to drag the backed-up folder back to its original spot. Again, not hard to do, but some users have trouble doing anything that goes outside of clicking on a menu item.

So, to back up your Address Book and put it in nice “.abbu” file for easy restores just do this:
[codesyntax lang="bash"]
filedate=`/bin/date "+%m-%d-%y"`
cp -R "/Users/username/Library/Application Support/AddressBook" "/Users/username/Documents/Address Book Backups/Address Book Backup $filedate.abbu"
[/codesyntax]

Obviously you change the "username" section to the name of the home directory. You can also change the backup folder to whatever you want, but it has to exist already; cp will not create it. This script just appends the current date to the backup name so you can keep multiple backups if needed.

To run this you have a bunch of options:

  1. You can run it via cron or launchd. Just put the two lines on one line separated by a ";".
  2. You can run it as an Automator iCal plug-in. Just drag over the “Run Shell Script” action and paste in the script. Then schedule it via iCal.
  3. You can save it as a script and run it from what ever automation application you prefer.
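The same cp -R backup written so it can run unattended from launchd or cron. This is an added example, not the post's script. It uses $HOME instead of a hard-coded user, creates the backup folder if it is missing, uses an ISO date so the backups sort by age, refuses to overwrite a backup made earlier the same day, and keeps only the newest KEEP copies so the Documents folder does not fill up. The folder names and the KEEP default are my choices.

```shell
#!/bin/sh
# Added example (not from the original post): Address Book backup with rotation.

SRC="${SRC:-$HOME/Library/Application Support/AddressBook}"
DEST="${DEST:-$HOME/Documents/Address Book Backups}"
KEEP="${KEEP:-10}"

# backup_addressbook SRC_DIR DEST_DIR KEEP
# Copies SRC_DIR to "DEST_DIR/Address Book Backup YYYY-MM-DD.abbu", prunes old
# .abbu folders beyond KEEP, and prints the path of the new backup. Returns 1 on
# any failure, including "already backed up today", so cron mails you about it.
backup_addressbook() {
    src="$1"; dest="$2"; keep="$3"
    if [ ! -d "$src" ]; then
        echo "backup: source not found: $src" >&2
        return 1
    fi
    mkdir -p "$dest" || return 1
    target="$dest/Address Book Backup $(date +%Y-%m-%d).abbu"
    if [ -e "$target" ]; then
        echo "backup: $target already exists, not overwriting" >&2
        return 1
    fi
    # remove a half-copied backup rather than leave a truncated one that looks valid
    if ! cp -R "$src" "$target"; then
        rm -rf "$target"
        return 1
    fi
    # prune: ISO-dated names sort oldest first, so drop the first (count - keep)
    count=$(ls -d "$dest"/*.abbu 2>/dev/null | wc -l)
    excess=$((count - keep))
    if [ "$excess" -gt 0 ]; then
        ls -d "$dest"/*.abbu | sort | head -n "$excess" | while IFS= read -r old; do
            rm -rf "$old"
        done
    fi
    echo "$target"
}

if [ "${1:-}" = "--run" ]; then
    backup_addressbook "$SRC" "$DEST" "$KEEP"
fi
```

A crontab line such as 0 18 * * * /bin/sh /Users/Shared/backup_addressbook.sh --run runs it nightly; the .abbu folders it produces restore through the Address Book menu exactly like a manual backup.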

Check how much disk space is left using AppleScript

This is a fairly simple one but someone out there may need this. My boss recently had a weird problem where his disk was suddenly filling up. A reboot fixed it but we were having a hard time finding the process that was suddenly eating 15 GB of disk space with no warning. So, I came up with this script that just gets how much free space is left on his disk. We ran it as a cron job every 15 minutes so we could hopefully get some warning before things filled up and became unusable. The script displays a warning when the disk has 5% or less of free space. You can edit it for your own uses. It also has the ability to email the report to you. Comment out the section you don’t want to use. To have it send emails when you are not logged in use something like Lingon for a launchd item or Cronnix for a cron job. Save your script in the appropriate location and have the launchd/cron job call it using the “osascript” command. So, if the file was saved in the /Users/Shared folder the line would read:

osascript /Users/Shared/disk_check.scpt

[codesyntax lang="applescript"]
set mysubject to "Disk Usage Report"
set myrecipient to "sysadmin@example.com"

-- get the df line for the boot volume (on 10.6 only the data line contains a "%")
set dSize to (do shell script "df -h / | grep %") as text

-- word 6 is the Capacity column ("45%"): AppleScript splits /dev/disk0s2 into two words
set theTotal to word 6 in dSize as number

-- if 95% or more is used put up a warning. Comment out if running the email section
if theTotal is greater than or equal to 95 then
	display dialog "Your disk is " & theTotal & "% full"
end if

-- comment out this section if no email is desired.
set mybody to ("Used Space: " & theTotal & "%")
do shell script ("echo \"" & mybody & "\" | mail -s \"" & mysubject & "\" " & myrecipient)
[/codesyntax]

Click here to download a copy: Disk Check script
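The same "warn at 95% used" check as a plain shell script for cron or launchd, added here as an example and not taken from the original post. It parses df -P, whose POSIX output format is fixed (the used percentage is always the fifth column), instead of counting words in df -h output, which shifts when the device name or the set of columns changes. Threshold, volume and recipient are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): disk usage check with a usable exit status.

THRESHOLD="${THRESHOLD:-95}"
VOLUME="${VOLUME:-/}"
RECIPIENT="${RECIPIENT:-sysadmin@example.com}"

# used_pct_from_df "DF_P_OUTPUT" -> prints the used percentage as an integer
# Skips the header line and takes column 5 of the data line, dropping the "%".
used_pct_from_df() {
    printf '%s\n' "$1" | awk 'NR > 1 { pct = $5 } END { sub(/%/, "", pct); print pct + 0 }'
}

# used_pct PATH -> used percentage of the filesystem holding PATH
used_pct() {
    used_pct_from_df "$(df -P "$1")"
}

# over_threshold PCT THRESHOLD -> true (0) when PCT >= THRESHOLD
over_threshold() {
    [ "$1" -ge "$2" ]
}

# report_if_full VOLUME THRESHOLD RECIPIENT
# Mails a warning only when needed and returns 1 in that case, so launchd or
# cron can see the condition without parsing mail.
report_if_full() {
    pct=$(used_pct "$1")
    if over_threshold "$pct" "$2"; then
        printf 'Disk usage on %s: %s%% used (threshold %s%%)\n' "$1" "$pct" "$2" |
            mail -s "Disk usage warning on $(hostname)" "$3"
        return 1
    fi
    return 0
}

if [ "${1:-}" = "--run" ]; then
    report_if_full "$VOLUME" "$THRESHOLD" "$RECIPIENT"
fi
```

Run it as disk_check.sh --run from cron every 15 minutes as in the post; because it only sends mail when over the threshold, the mailbox does not fill up with "all clear" reports.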

Disable Directory Listing for User Sites Folder in Macintosh OS X

I’ve been using the “Sites” folder in my local home directory for some web development testing recently. I had a couple of directories created that didn’t include an “index.html” file. That means that anyone hitting the directory itself could list the contents and see all the other files I was working on in there. Not a major problem for what I was doing but a security issue none the less. After a quick bit of research I found it was quite easy to disable this at the command line.

Open Terminal and type cd /private/etc/apache2/users. Inside the “users” folder will be conf files for each of the users with accounts on the machine. So, if we have a user with the short name of “joe” on the machine there will be a file in there named “joe.conf”.

To edit this file you need to have root permissions. So open it using sudo. I prefer using pico as my editor but use whichever works for you. The command below assumes you are already in the “users” folder.

sudo pico joe.conf

You’ll see something like this:

Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all

Navigate down to the line Options Indexes MultiViews. Carefully delete the Indexes part of the line and save the file. Now restart Apache, either by going to System Preferences and turning Web Sharing off and then back on, or at the command line by typing sudo apachectl restart.

Now navigate to a directory in your "Sites" folder that doesn't have an index file. You should get a "403 Forbidden" error unless you specify a file. Much more secure. Note that you'll need to do this individually for each account on the machine, and that the files are still served to anyone who can guess their names; removing Indexes only stops Apache from advertising them.

I’ve tested this with Snow Leopard and I’m betting it will work with Leopard. I’m not sure if versions of the OS below 10.5 support this feature.
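A script that applies the fix to every user site at once, keeps a backup of each file, and runs Apache's configuration test before restarting so a typo cannot take Web Sharing down. This is an added example, not from the original post. The sed expression only touches "Options" lines and removes the Indexes keyword the way the post does; it does not use the "-Indexes" form because Apache 2.2 rejects an Options line that mixes prefixed and unprefixed options. Function names are mine; the paths are the post's.

```shell
#!/bin/sh
# Added example (not from the original post): disable directory listings in
# every /private/etc/apache2/users/*.conf, then restart only if the config parses.

CONF_DIR="${CONF_DIR:-/private/etc/apache2/users}"

# disable_indexes FILE -> removes Indexes (or +Indexes) from every Options line in
# FILE, leaving a FILE.bak copy. An Options line left with no options becomes
# "Options None". Lines that already say -Indexes are untouched.
disable_indexes() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "disable_indexes: $f not found" >&2
        return 1
    fi
    # -i.bak works with both the BSD sed on Mac OS X and GNU sed
    sed -i.bak -E \
        -e '/^[[:space:]]*Options[[:space:]]/ s/[[:space:]]+[+]?Indexes([[:space:]]+|$)/\1/g' \
        -e 's/^([[:space:]]*Options)[[:space:]]*$/\1 None/' "$f"
}

# apply_all -> fix every per-user conf, test, and restart; restore on failure
apply_all() {
    for f in "$CONF_DIR"/*.conf; do
        [ -f "$f" ] || continue
        disable_indexes "$f" || return 1
    done
    if apachectl configtest; then
        apachectl graceful
    else
        echo "configtest failed; restoring backups" >&2
        for b in "$CONF_DIR"/*.conf.bak; do
            [ -f "$b" ] && mv "$b" "${b%.bak}"
        done
        return 1
    fi
}

if [ "${1:-}" = "--run" ]; then
    apply_all
fi
```

Run it with sudo sh disable_indexes.sh --run. New accounts get a fresh conf file with Indexes turned back on, so rerun it (or fix the template) whenever you add a user.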

Getting user login data from Macs using AppleScript

A lab we work with recently upgraded to 10.5 and found that the program they were running to collect user login data for their billing wouldn't work in 10.5 and wasn't going to be updated. Looking at the data it collected, it was clear the same data could be obtained with the last command in Terminal. You can read more about last in my post here. However, these folks were not computer-savvy and needed the information in a comma-delimited file. So I came up with this script.

When you run the script it asks you, in a list, which month you want the data for. Select the month and it generates a file on the desktop with that month's data. You can save it as an application, run it from Script Editor, or run it as a launchd/cron job. You can customize the output by changing the line that begins with "write"; for example, replace the "," with tab to create a tab-delimited file instead.

If you run this script logged in as a regular user you will only get the login information for that user. If you run it as an administrator you’ll get the login information for every account on the machine.

Click here to download the script file:
Monthly Login accounting

[codesyntax lang="applescript" lines="no"]
set the_months to {}
set the_time to ""
set the_computer to (computer name of (system info))

-- get the raw login log information
set the_login to (do shell script "last") as text
set the_count to the count of paragraphs of the_login

-- get the list of all the months login data is available for (newest first)
repeat with x from 1 to the_count
	if paragraph x of the_login contains "console" then
		set month_check to (word 4 of paragraph x of the_login) as text
		if the_months does not contain month_check then
			set end of the_months to month_check
		end if
	end if
end repeat

set selected_month to choose from list the_months with prompt "Select the month:"
-- choose from list returns false when the user cancels, otherwise a one-item list
if selected_month is false then return
set selected_month to item 1 of selected_month

-- create the file to write data to
set desktop_path to (path to desktop from user domain) as text
set file_name to (the_computer & "-" & selected_month & "-" & (year of (current date)) & " login stats.txt")
tell application "Finder"
	if exists file (desktop_path & file_name) then
		display dialog "This stats file already exists. Do you want to overwrite it?" buttons {"Yes", "No"} default button 2
		if the button returned of the result is "No" then return
		delete file (desktop_path & file_name)
	end if
	make new file with properties {name:file_name, file type:"TEXT"} at (path to desktop from user domain)
end tell
set login_file to desktop_path & file_name

-- loop through the data and pull out the console logins for the selected month
repeat with x from 1 to the_count
	set the_line to paragraph x of the_login
	if the_line contains "console" then
		if (word 4 of the_line) is selected_month then
			set the_user to word 1 of the_line
			set the_logmonth to MonthNumber(word 4 of the_line)
			set the_day to (word 5 of the_line) as text
			if (count of characters of the_day) is less than 2 then set the_day to ("0" & the_day)
			set the_year to yearCheck(selected_month, the_months)
			set log_date to (the_logmonth & "/" & the_day & "/" & the_year)
			set login_time to (word 6 of the_line & ":" & word 7 of the_line)
			-- an open session shows "still logged in" where the logout time would be
			if the_line contains "still logged in" then
				set logout_time to "still logged in"
				set the_time to ""
			else
				set logout_time to (word 8 of the_line & ":" & word 9 of the_line)
				-- the session length is the text in parentheses at the end of the line
				set old_delims to AppleScript's text item delimiters
				set AppleScript's text item delimiters to "("
				try
					set the_time1 to text item 2 of the_line
					set the_time to text 1 thru -2 of the_time1
				on error
					set the_time to ""
				end try
				set AppleScript's text item delimiters to old_delims
			end if
			-- last does not report the logout date, so log_date is written for both
			write (the_user & "," & the_computer & "," & log_date & "," & login_time & "," & log_date & "," & logout_time & "," & the_time & return) to file login_file starting at eof
		end if
	end if
end repeat

-- last prints no year. If the list of months includes January, any month that
-- appears after "Jan" in the (newest-first) list belongs to the previous year.
on yearCheck(selected_month, the_months)
	set this_year to year of (current date)
	if the_months does not contain "Jan" then return this_year
	set jan_num to 0
	set the_num to 0
	repeat with x from 1 to count of the_months
		if item x of the_months is selected_month then set the_num to x
		if item x of the_months is "Jan" then set jan_num to x
	end repeat
	if the_num > jan_num then
		return this_year - 1
	else
		return this_year
	end if
end yearCheck

-- convert a three-letter month name into a two-digit number
on MonthNumber(the_month)
	set month_names to {"Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}
	repeat with i from 1 to 12
		if item i of month_names is the_month then
			if i < 10 then return "0" & i
			return i as text
		end if
	end repeat
	return the_month
end MonthNumber
[/codesyntax]
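The same extraction done with awk so it can run from a launchd job with no GUI and be checked against a known input. This is an added example, not the post's script. The sample lines in the usage below are constructed to match the column layout of BSD last on Mac OS X ("user tty Dow Mon DD HH:MM - HH:MM (duration)"); the CSV layout, the file name and the explicit year argument are my choices. Because last prints no year, the caller supplies it rather than guessing from position as the AppleScript does.

```shell
#!/bin/sh
# Added example (not from the original post): console logins for one month as CSV.

# logins_csv MONTH YEAR HOST < last-output
# Emits user,host,login_date,login_time,logout_time,duration for console
# sessions in MONTH (three-letter, e.g. Jan). Open sessions get "still" as the
# logout time. reboot/shutdown entries, ttys sessions and the trailing
# "wtmp begins" line are skipped because their second column is not "console".
logins_csv() {
    awk -v month="$1" -v year="$2" -v host="$3" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mnum[m[i]] = sprintf("%02d", i)
        }
        $2 == "console" && $4 == month {
            day = sprintf("%02d", $5)
            if ($7 == "still") {          # "still logged in": no logout, no duration
                logout = "still"; dur = ""
            } else {                      # "- HH:MM (duration)"
                logout = $8; dur = $9; gsub(/[()]/, "", dur)
            }
            print $1 "," host "," mnum[$4] "/" day "/" year "," $6 "," logout "," dur
        }'
}

# monthly_report MONTH YEAR -> writes the CSV to the desktop, as the AppleScript does
monthly_report() {
    host=$(hostname -s)
    last | logins_csv "$1" "$2" "$host" > "$HOME/Desktop/$host-$1-$2 login stats.csv"
}

# usage: login_report.sh --run Jan 2012
if [ "${1:-}" = "--run" ] && [ "$#" -eq 3 ]; then
    monthly_report "$2" "$3"
fi
```

Multi-day sessions come out with last's own "1+10:10" duration format, which the AppleScript truncated to five characters.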

Switching between 32 bit and 64 bit mode in Snow Leopard

Out of the box, Snow Leopard boots the 32-bit kernel by default. This is so that drivers for printers, scanners, network cards and so on that have not been ported to 64 bit can still load. Applications are unaffected by this: a 64-bit app runs under the 32-bit kernel and a 32-bit app runs under the 64-bit kernel. If you're not sure which kernel your machine is running, check out this article at MacObserver on how to tell.

The average user is much better off staying with the 32 bit mode for compatibility and ease of use. However, there may be times, especially for those running scientific software, when you need to run in 64 bit mode. And some servers, as mentioned in this Knowledge Base article do boot directly into 64 bit mode and may need to be set back.

You can choose to hold down the “6” and “4” keys on startup to boot into 64 bit mode. This will boot you into 64 bit for that boot cycle. When you reboot you will fall back to 32 bit again. Likewise, holding down the “3” and “2” keys on boot will put you into 32 bit mode.

If you want to change the mode and make it stick you need to do it at the command line. Fortunately Apple has added a command in the systemsetup tool for just that.

To check which mode you’re currently in run this command in Terminal:
systemsetup -getkernelbootarchitecturesetting

To set your machine to boot into 64 bit mode enter this command and reboot:
sudo systemsetup -setkernelbootarchitecture x86_64

To set your machine to boot into 32 bit mode enter this command and reboot:
sudo systemsetup -setkernelbootarchitecture i386

One oddity I've found so far is that on some machines that were upgraded from Leopard to Snow Leopard this command doesn't appear in systemsetup. Run man systemsetup before using it to make sure you have the Snow Leopard version of systemsetup.

Enabling clear text passwords in Snow Leopard with AppleScript

Update: It appears that clear text passwords for AFP connections only work when booted into 32 bit mode. I’ve updated the script to check for which kernel the user is booted into. If they are running 64 bit it asks them if they want to switch to 32 bit. If they say “Yes” then it makes the switch and reboots the machine for them.

A nice article explaining how to see if you are running in 32 or 64 bit mode is here at MacObserver.

There is an Apple Knowledge base article dealing with servers but with good information on switching kernels here.

The procedure for enabling clear text passwords for AFP connections is the same in Snow Leopard as in Leopard, with one very critical difference. The details about how and why are already in my post on Leopard. If you want the background information you should check out that page. This post only deals with the Snow Leopard-specific changes. Keep in mind what the setting does: with afp_cleartext_allow enabled the AFP client will send your password unencrypted over the network to any server that asks for it, so anyone sniffing that network segment can read it. Enable it only for the legacy server that actually needs it, and turn it back off afterwards.

The big change for Snow Leopard is that the .plist file is now stored in binary form. This is something Apple has been moving towards since 10.4, and there is a built-in utility, "plutil", that converts the file back and forth for easy editing. The full path to it is "/usr/bin/plutil". Note that the defaults command reads and writes binary plists natively, so the conversion steps below are only needed if you want to look at or hand-edit the file in a text editor; running the defaults write line on its own also works.

The flag we need in "plutil" is "-convert". There are two formats we'll use with it, "xml1" and "binary1".

To convert the plist file to XML so it can be read and edited:
/usr/bin/plutil -convert xml1 /Users/joe/Library/Preferences/com.Apple.AppleShareClient.plist

Now we do the actual edit. This line is the same as in Leopard:
defaults write com.Apple.AppleShareClient afp_cleartext_allow -bool YES

Once the file has been edited, convert it back to binary form with the same tool and the other format:
/usr/bin/plutil -convert binary1 /Users/joe/Library/Preferences/com.Apple.AppleShareClient.plist

The preference file is now back in binary form and can be used by the AFP client.

Here is an updated version of the Leopard AppleScript for changing this setting.

If you would prefer to download a pre-compiled script file click below:
Snow Leopard Clear Text Script

[codesyntax lang="applescript" lines="no"]
set afp_pref_path to ((POSIX path of (path to preferences from user domain)) & "com.Apple.AppleShareClient.plist")
set OS_version to (do shell script "sw_vers -productVersion")
set kernel_answer to ""

--check if the user is running the 32 or 64 bit kernel.
if OS_version contains "10.6" then
	set kernel_version to (do shell script "/usr/sbin/systemsetup -getkernelbootarchitecturesetting")
	if kernel_version contains "x86_64" then
		set kernel_answer to button returned of (display dialog "You are currently running in 64 bit mode. Clear text passwords only work in 32 bit mode. Would you like to change to 32 bit mode? This will require a restart." buttons {"Yes, change it and restart", "No, just enable clear text"} default button 1)
	end if
end if

try
	set clearStatus to (do shell script "defaults read com.Apple.AppleShareClient afp_cleartext_allow") as number
on error
	--defaults read throws an error if the afp_cleartext_allow setting does not exist
	--if there is an error we assume the setting isn't there and treat it as disabled
	set clearStatus to 0
end try

--a status of 1 means it's enabled, so ask if they want to disable it
if clearStatus is 1 then
	display dialog "Do you want to disable clear text passwords?" buttons {"Cancel", "Disable"} default button 2
	if the button returned of the result is "Disable" then
		--quoted form protects the path if it contains spaces
		do shell script "/usr/bin/plutil -convert xml1 " & quoted form of afp_pref_path
		do shell script "defaults write com.Apple.AppleShareClient afp_cleartext_allow -bool NO"
		do shell script "/usr/bin/plutil -convert binary1 " & quoted form of afp_pref_path
		set clearStatus to (do shell script "defaults read com.Apple.AppleShareClient afp_cleartext_allow") as number
		--check to make sure the change really took effect
		if clearStatus is 0 then
			display dialog "Clear text passwords have been disabled" buttons {"OK"}
		else
			display dialog "There was an error disabling clear text passwords!" buttons {"OK"}
		end if
	end if
else
	display dialog "Do you want to enable clear text passwords?" buttons {"Cancel", "Enable"} default button 2
	if the button returned of the result is "Enable" then
		--the plist may not exist yet: plutil fails on a missing file, defaults write creates it
		if (do shell script "test -f " & quoted form of afp_pref_path & " && echo yes || echo no") is "yes" then
			do shell script "/usr/bin/plutil -convert xml1 " & quoted form of afp_pref_path
		end if
		do shell script "defaults write com.Apple.AppleShareClient afp_cleartext_allow -bool YES"
		do shell script "/usr/bin/plutil -convert binary1 " & quoted form of afp_pref_path
		set clearStatus to (do shell script "defaults read com.Apple.AppleShareClient afp_cleartext_allow") as number
		--check to make sure the change really took effect
		if clearStatus is 1 then
			display dialog "Clear text passwords have been enabled" buttons {"OK"}
		else
			display dialog "There was an error enabling clear text passwords!" buttons {"OK"}
		end if
	end if
end if

if kernel_answer contains "Yes" then
	do shell script "/usr/sbin/systemsetup -setkernelbootarchitecture i386" with administrator privileges
	do shell script "/sbin/shutdown -r now" with administrator privileges
end if

[/codesyntax]
