Terminal Secure Keyboard Entry and sudo with Touch ID on macOS

Posted on December 2, 2023 by alanysiu

At one point or another, you may have discovered that you can enable Touch ID for sudo in the macOS terminal. You used to have to manually edit the /etc/pam.d/sudo file after every macOS update to re-enable it, but now you can keep it enabled permanently. When you have Touch ID enabled for sudo, you get this cool little prompt for your fingerprint when you use a sudo command: But if you have Secure Keyboard Entry enabled… … you may notice that the Touch ID prompt shows up but is greyed out… … and you’ll have to click on it


launchctl “new” subcommand basics for macOS

Posted on November 15, 2023 by alanysiu

launchd For services running in the background (or foreground), macOS uses launchd (think cron jobs on Linux or scheduled tasks on Windows). Legacy Subcommands If you’ve been managing Macs for a while, you may be familiar with a particular syntax for loading launchd. For launch agents (usually run as user), you may typically have launched them with launchctl load /Library/LaunchAgents/com.domainname.app.plist For launch daemons (usually run as root), you may typically have launched them with sudo launchctl load /Library/LaunchDaemons/com.domainname.app.plist If you read the manual for launchctl (man launchctl), you’ll see load and unload listed as legacy subcommands: Legacy subcommands should still


Using Touch ID for sudo on macOS… even after installing an OS update

Posted on November 8, 2023 by alanysiu

For a while, you were able to use Touch ID for sudo on macOS by editing the /etc/pam.d/sudo file to have a line like auth sufficient pam_tid.so In previous macOS versions, that file would get overwritten when you updated (say, from 13.6 to 13.6.1), but in macOS 14 (Sonoma) and supposedly in future versions, you can now have that persist by setting up a /etc/pam.d/sudo_local file with these contents (only three lines, even if it wraps): # sudo_local: local config file which survives system update and is included for sudo # uncomment following line to enable Touch ID for sudo


Comparison macOS versions using Python

Posted on October 7, 2023 by alanysiu

At some point in a Python script, you may want to compare macOS versions (or, really, any software versions) to each other. Back in the day, you could use Python’s LooseVersion from distutils.version, but that’s now deprecated: >>> from distutils.version import LooseVersion >>> LooseVersion('14.0.0') > LooseVersion('14.0') True >>> LooseVersion('14.0.0') == LooseVersion('14.0') False >>> LooseVersion('14.0') > LooseVersion('13.5.2') True >>> LooseVersion('13.4.1 (c)') > LooseVersion('13.4.1 (a)') True The non-deprecated Version can run into issues, though, for Rapid Security Responses (thanks to @elios on the MacAdmins Slack for pointing this out): >>> from packaging.version import Version >>> Version('14.0.0') > Version('14.0') False >>> Version('14.0.0') ==


UseAdditionalHttpHeaders preference for MunkiReport 5.8.0

Posted on September 13, 2023 by alanysiu

Extra preference to consider If you use authorization headers for your Mac clients to communicate with your MunkiReport server and are upgrading from MunkiReport 5.7.1 (which still uses Python 2) to MunkiReport 5.8.0 (which uses Python 3), be aware that there is an additional preference to set if you want your headers to be used: UseAdditionalHttpHeaders You can see in the 5.7.1 code for reportcommon.py that the UseAdditionalHttpHeaders key isn’t used. And then you can see in the 5.8.0 code for reportcommon.py that the UseAdditionalHttpHeaders key is now used. Note about Python3 branch for modules If you’re updating your MunkiReport


Notes on connecting a Cloud Function to Cloud SQL

Posted on July 24, 2023 by alanysiu

Caveat I’m not a Google Cloud Platform expert, and this isn’t a tutorial. I’m just hoping that if people run into the same errors I ran into and search for those exact error messages, that they’ll find this blog post, and maybe it’ll be helpful to them. What I found Making the connection Google’s documentation on connecting a Cloud Function to Cloud SQL isn’t super straightforward. When I tried to implement their examples, I came across all sorts of errors like: sqlalchemy.exc.InterfaceError: (pg8000.exceptions.InterfaceError) communication error (Background on this error at: https://sqlalche.me/e/20/rvf5) or File "/workspace/main.py", line 58, in postgres_connect sqlalchemy.engine.url.URL.create(AttributeError: type


How to use Google Apps Script to get data from a connected data sheet

Posted on May 13, 2023 by alanysiu

Regular sheets are straightforward For a regular Google Sheets spreadsheet, it’s fairly easy to use Google Apps Script to get the data contained on a worksheet:     var spreadsheet = SpreadsheetApp.getActive();     var regularsheet = spreadsheet.getSheets()[0];     var range = regularsheet.getDataRange();     var values = range.getValues();     for ( j = 0; j < values.length; j++ ){         Logger.log(values[j][0] + ': ' + values[j][1]);     } The nice thing about the getDataRange() function is that it just automatically grabs all the cells have data in them. You don’t have to specify to start at this column or end at this particular row. Connected sheets You can connect


Using Munki to “nudge” for Rapid Security Response updates (like 13.3.1 (a))

Posted on May 4, 2023 by alanysiu

For many MacAdmins, Nudge has been an amazing tool for bothering users to update their Macs to the latest patch. Apple threw a wrench in things by the way it implemented the 13.3.1 (a) Rapid Security Response update, so Nudge doesn’t currently (as of this writing) support Rapid Security Response updates. There would be challenges to the user experience even if Nudge did implement support for Rapid Security Responses (at least the way Apple’s implemented them so far). First of all, the 13.3.1 (a) update is available for only 13.3.1, so two (disruptive) reboots would be necessary for users on


Extracting icons from Assets.car on macOS

Posted on April 24, 2023 by alanysiu

Acknowledgements Thanks to Karen Garner for bringing this problem to my attention, and thanks to Mike Lynn for showing the solution. I’m just expanding on the solution a bit using a specific example. Problem Sometimes, when you look in an app bundle on macOS, you see an .icns file in Contents/Resources, and you can use that or convert it to a .png. For some apps, instead of an .icns file, you get an Assets.car file instead. There doesn’t appear to be an easy, native-to-macOS, point-and-click way to extract icons from the Assets.car file (even though some third-party utilities exist to


Testing a local timezone deadline in Nudge

Posted on March 27, 2023 by alanysiu

In the past year, there have been several requests to have Nudge support local time zones instead of UTC: Feature request: Support the local timezone UTC vs Local Time Feature request: use system local time instead of time for a specific time zone (e.g., Z / GMT) Turns out, as Kevin M. Cox explains in Nudge deadlines in local timezones, the functionality has been there all along, just previously not well documented or used. I tested this out myself, and it really is just a matter of changing <date> to <string>. With a string deadline in my .mobileconfig profile, I