Fix for VirtualBox Extension Pack postinstall script hanging in Munki

The problem: If you’ve been running the VirtualBoxExtPack.munki.recipe AutoPkg recipe, and you’ve noticed the VirtualBox Extension Pack postinstall script in Munki hanging indefinitely (30 minutes and beyond), it’s because the license hash has changed. The fix: According to @jessepeterson (the maintainer of that AutoPkg recipe), the license hash doesn’t change very often, but it did…

Allowing Outset-run scripts to have access to user folders

Because of TCC/PPPC, which Apple introduced in macOS 10.14, scripts and applications have to ask for permissions to do certain things, especially things like reading user home directory files. If you have an Outset login script that tries to access something in the home directory, you may find in the ~/Library/Logs/outset.log that you get a…

If Jamf recon is launching a du process that causes a CPU spike

If Jamf inventory (jamf recon) causes an extended CPU spike specifically related to the du command, you can fix that by going, in the Jamf settings, to Computer Management > Computer Management – Management Framework > Inventory Collection, and then unchecking the Include home directory sizes checkbox. That is a system-wide setting, but especially if…

Terminal command to tell if a macOS directory is SIP-protected

Starting with El Capitan (OS X 10.11), Apple started using System Integrity Protection (SIP) in macOS, so that certain directories would not be writable, even by root. Here’s a quick reference for a couple of commands you can use to see if a directory or file is SIP-protected, as that may change from macOS version…

Scripting SSH off/on without needing a PPPC/TCC profile

You used to be able to use /usr/sbin/systemsetup -f -setremotelogin off or /usr/sbin/systemsetup -f -setremotelogin on to script disabling or enabling SSH on macOS. Now that macOS has Privacy Preferences Policy Control, which needs a profile delivered by a user-approved MDM, you may get this error: setremotelogin: Turning Remote Login on or off requires Full…

Running daily, weekly, and monthly scripts in macOS using periodic

Background: I was looking for a time-based project similar to Outset (which runs boot and login scripts stored in various directories), and apparently there’s one already baked into macOS that will run daily, weekly, and monthly scripts. Shoutout to @elios on the MacAdmins Slack for letting me know about periodic. Launch Daemons: If you run sudo…

The limits of password-protecting a .mobileconfig profile

Three years ago, Rich Trouton wrote “Adding password protection to manually installed management profiles”, which gives step-by-step instructions for how to make a manually-installed profile prompt for a custom password (in addition to the local admin password) when being removed. I’ve tested this on Catalina, and it still works! That said, it worked only from…

Double-checking details of deployed PPPC/TCC profile from MDM

If you’ve deployed a PPPC/TCC profile from your user-approved MDM to a Mac, and you see the profile in System Preferences > Profiles, you can also verify all the details of the deployed profile on the Mac itself by going to /Library/Application Support/com.apple.TCC/MDMOverrides.plist (which is an SIP-protected directory, by the way).

Setting the date/time in macOS (10.14+) recovery mode

Back in ye olde days, you used to be able to run ntpdate -u time.apple.com to update the date/time automatically in recovery mode, but Apple removed ntpdate in Mojave. In regular bootup, you can run sntp -sS time-a.nist.gov and may get an error like kod_init_kod_db(): Cannot open KoD db file /var/db/ntp-kod: No such file or…

Things to keep in mind if using a profile to delay macOS updates

Now that Apple has removed the --ignore flag from softwareupdate, it’s recommending you use the forceDelayedSoftwareUpdates and enforcedSoftwareUpdateDelay flags (more details in Device Management Profile: Restrictions), which are supposed to, in theory, delay an update’s user visibility a certain number of days after the update’s release. The number of days delayed may not be precise…