-
Scripting SSH off/on without needing a PPPC/TCC profile
You used to be able to use /usr/sbin/systemsetup -f -setremotelogin off or /usr/sbin/systemsetup -f -setremotelogin on to script disabling or enabling SSH on macOS. Now that macOS has Privacy Preferences Policy Control, which needs a profile delivered by a user-approved MDM, you may get this error: setremotelogin: Turning Remote Login on or off requires Full […]
-
Running daily, weekly, and monthly scripts in macOS using periodic
Background I was looking for time-based project similar to Outset (which runs boot and login scripts stored in various directories), and apparently there’s one already baked into macOS that will run daily, weekly, and monthly scripts. Shoutout to @elios on the MacAdmins Slack for letting me know about periodic Launch Daemons If you run sudo […]
-
The limits of password-protecting a .mobileconfig profile
Three years ago, Rich Trouton wrote Adding password protection to manually installed management profiles, which gives step-by-step instructions for how to make a manually-installed profile prompt for a custom password (in addition to the local admin password) when being removed. I’ve tested this on Catalina, and it still works! That said, it worked only from […]
-
Double-checking details of deployed PPPC/TCC profile from MDM
If you’ve deployed a PPPC/TCC profile from your user-approved MDM to a Mac, and you see the profile in System Preferences > Profiles, you can also verify all the details of the deployed profile on the Mac itself by going to /Library/Application Support/com.apple.TCC/MDMOverrides.plist (which is an SIP-protected directory, by the way).
-
Setting the date/time in macOS (10.14+) recovery mode
Back in ye olde days, you used to be able to run ntpdate -u time.apple.com to update the date/time automatically in recovery mode, but Apple removed ntpdate in Mojave. In regular bootup, you can run sntp -sS time-a.nist.gov and may get an error like kod_init_kod_db(): Cannot open KoD db file /var/db/ntp-kod: No such file or […]
-
Things to keep in mind if using a profile to delay macOS updates
Now that Apple has removed the –ignore flag from softwareupdate, it’s recommending you use the forceDelayedSoftwareUpdates and enforcedSoftwareUpdateDelay flags (more details in Device Management Profile: Restrictions), which are supposed to, in theory, delay an updates user visibility a certain number of days after the update’s release. The number of days delayed may not be precise […]
-
How to deploy a .pkg via Munki if a config file has to be in the same directory
Vendors package software in funny ways sometimes. Every now and then, you might come across a vendor .pkg that comes with some kind of .xml or .cfg or .txt that has to be in the same directory as the .pkg. It’s likely because there’s some postinstall script in the .pkg itself that references that text […]
-
Some basics of DEPNotify and a sample script
If you’ve been doing Munki admin’ing for a short while, you’ve probably heard people talk about DEPNotify, whose README says is “a small light weight notification app that was designed to let your users know what’s going on during a DEP enrollment.” Aforementioned DEPNotify README is fairly comprehensive in terms of going over all the […]
-
Fixing DEPNotify GUI not launching with keyPath error
I’m not sure how my computer got into this funky state, but I was playing around with a DEPNotify script, and after a while, I was suddenly getting these errors every time I tried to run it: DEPNotify[12422:409983] Failed to set (keyPath) user defined inspected property on (DEPNotify.WindowController): [ setValue:forUndefinedKey:]: this class is not key […]
-
Python script to list software available in a Munki repo
I created a small project (for fun) to list out software available in a Munki repo. It’s called MunkiItemsList. On a basic level, it looks for all the items that are listed in any optional installs manifest, and then lists out the display name, description, and highest version available. There are some additional options described […]