Category Archive

Mac admin'ing

Terminal Secure Keyboard Entry and sudo with Touch ID on macOS

Posted on December 2, 2023 by alanysiu

At one point or another, you may have discovered that you can enable Touch ID for sudo in the macOS terminal. You used to have to manually edit the /etc/pam.d/sudo file after every macOS update to re-enable it, but now you can keep it enabled permanently. When you have Touch ID enabled for sudo, you get this cool little prompt for your fingerprint when you use a sudo command: But if you have Secure Keyboard Entry enabled… … you may notice that the Touch ID prompt shows up but is greyed out… … and you’ll have to click on it


launchctl “new” subcommand basics for macOS

Posted on November 15, 2023 by alanysiu

launchd For services running in the background (or foreground), macOS uses launchd (think cron jobs on Linux or scheduled tasks on Windows). Legacy Subcommands If you’ve been managing Macs for a while, you may be familiar with a particular syntax for loading launchd. For launch agents (usually run as user), you may typically have launched them with launchctl load /Library/LaunchAgents/ For launch daemons (usually run as root), you may typically have launched them with sudo launchctl load /Library/LaunchDaemons/ If you read the manual for launchctl (man launchctl), you’ll see load and unload listed as legacy subcommands: Legacy subcommands should still


Using Touch ID for sudo on macOS… even after installing an OS update

Posted on November 8, 2023 by alanysiu

For a while, you were able to use Touch ID for sudo on macOS by editing the /etc/pam.d/sudo file to have a line like auth sufficient In previous macOS versions, that file would get overwritten when you updated (say, from 13.6 to 13.6.1), but in macOS 14 (Sonoma) and supposedly in future versions, you can now have that persist by setting up a /etc/pam.d/sudo_local file with these contents (only three lines, even if it wraps): # sudo_local: local config file which survives system update and is included for sudo # uncomment following line to enable Touch ID for sudo


Comparison macOS versions using Python

Posted on October 7, 2023 by alanysiu

At some point in a Python script, you may want to compare macOS versions (or, really, any software versions) to each other. Back in the day, you could use Python’s LooseVersion from distutils.version, but that’s now deprecated: >>> from distutils.version import LooseVersion >>> LooseVersion('14.0.0') > LooseVersion('14.0') True >>> LooseVersion('14.0.0') == LooseVersion('14.0') False >>> LooseVersion('14.0') > LooseVersion('13.5.2') True >>> LooseVersion('13.4.1 (c)') > LooseVersion('13.4.1 (a)') True The non-deprecated Version can run into issues, though, for Rapid Security Responses (thanks to @elios on the MacAdmins Slack for pointing this out): >>> from packaging.version import Version >>> Version('14.0.0') > Version('14.0') False >>> Version('14.0.0') ==


UseAdditionalHttpHeaders preference for MunkiReport 5.8.0

Posted on September 13, 2023 by alanysiu

Extra preference to consider If you use authorization headers for your Mac clients to communicate with your MunkiReport server and are upgrading from MunkiReport 5.7.1 (which still uses Python 2) to MunkiReport 5.8.0 (which uses Python 3), be aware that there is an additional preference to set if you want your headers to be used: UseAdditionalHttpHeaders You can see in the 5.7.1 code for that the UseAdditionalHttpHeaders key isn’t used. And then you can see in the 5.8.0 code for that the UseAdditionalHttpHeaders key is now used. Note about Python3 branch for modules If you’re updating your MunkiReport


Using Munki to “nudge” for Rapid Security Response updates (like 13.3.1 (a))

Posted on May 4, 2023 by alanysiu

For many MacAdmins, Nudge has been an amazing tool for bothering users to update their Macs to the latest patch. Apple threw a wrench in things by the way it implemented the 13.3.1 (a) Rapid Security Response update, so Nudge doesn’t currently (as of this writing) support Rapid Security Response updates. There would be challenges to the user experience even if Nudge did implement support for Rapid Security Responses (at least the way Apple’s implemented them so far). First of all, the 13.3.1 (a) update is available for only 13.3.1, so two (disruptive) reboots would be necessary for users on


Extracting icons from on macOS

Posted on April 24, 2023 by alanysiu

Acknowledgements Thanks to Karen Garner for bringing this problem to my attention, and thanks to Mike Lynn for showing the solution. I’m just expanding on the solution a bit using a specific example. Problem Sometimes, when you look in an app bundle on macOS, you see an .icns file in Contents/Resources, and you can use that or convert it to a .png. For some apps, instead of an .icns file, you get an file instead. There doesn’t appear to be an easy, native-to-macOS, point-and-click way to extract icons from the file (even though some third-party utilities exist to


Testing a local timezone deadline in Nudge

Posted on March 27, 2023 by alanysiu

In the past year, there have been several requests to have Nudge support local time zones instead of UTC: Feature request: Support the local timezone UTC vs Local Time Feature request: use system local time instead of time for a specific time zone (e.g., Z / GMT) Turns out, as Kevin M. Cox explains in Nudge deadlines in local timezones, the functionality has been there all along, just previously not well documented or used. I tested this out myself, and it really is just a matter of changing <date> to <string>. With a string deadline in my .mobileconfig profile, I


Enforcing an older force_install_after_date when importing a new Munki item version

Posted on March 10, 2023 by alanysiu

Problem Munki has the ability to force updates to install by a certain date, using the force_install_after_date flag, but what do you do when you have an older version you want enforced, but you also want to import a newer version into the Munki repo? If you have Slack 4.29 you want force-installed in two weeks, and then you import version 4.30 a week later (with the same catalogs), Munki will see that 4.30 is the highest version available, and then it will completely ignore the force_install_after_date flag in the Slack 4.29 version. Possible workarounds So what can you do


“Origin checking failed … does not match any trusted origins” CSRF errors in Crypt Server

Posted on February 24, 2023 by alanysiu

Recent changes to Crypt Server have included guards against cross-site request forgery (CSRF) attacks. If you don’t have your Crypt Server configured correctly, you may run into issues when trying to view a secret (Get Key). You can get an error like: Forbidden (403) CSRF verification failed. With DEBUG = True passed as an environment variable, you may see a little more detail but not much helpful: Origin checking failed - does not match any trusted origins. Despite the fact you should be able to do so (based on the Crypt Server README), when I ran into this and