Posted on September 2, 2020 by alanysiu
You used to be able to use /usr/sbin/systemsetup -f -setremotelogin off or /usr/sbin/systemsetup -f -setremotelogin on to script disabling or enabling SSH on macOS. Now that macOS has Privacy Preferences Policy Control, which needs a profile delivered by a user-approved MDM, you may get this error: setremotelogin: Turning Remote Login on or off requires Full Disk Access privileges., which can be especially annoying if the script’s parent process isn’t code-signed (and thus can’t be used in a PPPC profile), as /usr/sbin/period isn’t, for example. (Read more at Use the systemsetup command-line utility on macOS Catalina 10.15.) For now, a workaround
Posted on August 26, 2020 by alanysiu
Background I was looking for time-based project similar to Outset (which runs boot and login scripts stored in various directories), and apparently there’s one already baked into macOS that will run daily, weekly, and monthly scripts. Shoutout to @elios on the MacAdmins Slack for letting me know about periodic Launch Daemons If you run sudo launchctl list | grep periodic-, you’ll see that these launch daemons are running: com.apple.periodic-monthly com.apple.periodic-weekly com.apple.periodic-daily And, though I don’t love SIP in general, it’s great for this, because you can’t actually disable the launch daemons: sudo launchctl unload /System/Library/LaunchDaemons/com.apple.periodic-daily.plist /System/Library/LaunchDaemons/com.apple.periodic-daily.plist: Operation not permitted while
Posted on August 19, 2020 by alanysiu
Three years ago, Rich Trouton wrote Adding password protection to manually installed management profiles, which gives step-by-step instructions for how to make a manually-installed profile prompt for a custom password (in addition to the local admin password) when being removed. I’ve tested this on Catalina, and it still works! That said, it worked only from the GUI (via System Preferences). If you remove the sample profile (sudo profiles remove -identifier 9f9a0b1f-7b17-4656-92aa-b7046ad88d00), it will just remove immediately with no custom password provided. Your best bet for making a profile non-removable is to install it via MDM.
Posted on August 12, 2020 by alanysiu
If you’ve deployed a PPPC/TCC profile from your user-approved MDM to a Mac, and you see the profile in System Preferences > Profiles, you can also verify all the details of the deployed profile on the Mac itself by going to /Library/Application Support/com.apple.TCC/MDMOverrides.plist (which is an SIP-protected directory, by the way).
Posted on August 5, 2020 by alanysiu
Back in ye olde days, you used to be able to run ntpdate -u time.apple.com to update the date/time automatically in recovery mode, but Apple removed ntpdate in Mojave. In regular bootup, you can run sntp -sS time-a.nist.gov and may get an error like kod_init_kod_db(): Cannot open KoD db file /var/db/ntp-kod: No such file or directory, but the date and time actually will update properly. If you try that command in recovery mode, though, the date and time will not update. Similarly, in regular bootup, you can run systemsetup -setusingnetworktime off && systemsetup -setusingnetworktime on to resync the date/time, and
Posted on July 29, 2020 by alanysiu
Now that Apple has removed the --ignore flag from softwareupdate, it’s recommending you use the forceDelayedSoftwareUpdates and enforcedSoftwareUpdateDelay flags (more details in Device Management Profile: Restrictions), which are supposed to, in theory, delay an updates user visibility a certain number of days after the update’s release. The number of days delayed may not be precise The number of days delayed is imperfect at best. I tested a 7-day delay and even 6 days after the release of the update, it was suddenly available. And here’s an example of someone last year who didn’t see an update released 10 days before,
Posted on July 22, 2020 by alanysiu
Vendors package software in funny ways sometimes. Every now and then, you might come across a vendor .pkg that comes with some kind of .xml or .cfg or .txt that has to be in the same directory as the .pkg. It’s likely because there’s some postinstall script in the .pkg itself that references that text file via relative path. There are basically two approaches you can take here with Munki. Approach #1 would be to create another .pkg that delivers that .pkg as a payload to a directory of your choosing (e.g., /tmp) and also delivers the config file to
Posted on July 15, 2020 by alanysiu
If you’ve been doing Munki admin’ing for a short while, you’ve probably heard people talk about DEPNotify, whose README says is “a small light weight notification app that was designed to let your users know what’s going on during a DEP enrollment.” Aforementioned DEPNotify README is fairly comprehensive in terms of going over all the options. There’s also a project called DEPNotify-Starter, which has a sample script that’s, as of this writing, 827 lines long. If you just want a super simple script to launch up DEPNotify and have it install some Munki stuff, I created a very, very simple
Posted on July 8, 2020 by alanysiu
I’m not sure how my computer got into this funky state, but I was playing around with a DEPNotify script, and after a while, I was suddenly getting these errors every time I tried to run it: DEPNotify[12422:409983] Failed to set (keyPath) user defined inspected property on (DEPNotify.WindowController): [ setValue:forUndefinedKey:]: this class is not key value coding-compliant for the key keyPath. DEPNotify[12422:409983] Failed to set (backgroundColor) user defined inspected property on (DEPNotify.ViewController): [ setValue:forUndefinedKey:]: this class is not key value coding-compliant for the key backgroundColor. I tried rebooting my Mac. That didn’t make the problem go away. I tried creating
Posted on July 1, 2020 by alanysiu
I created a small project (for fun) to list out software available in a Munki repo. It’s called MunkiItemsList. On a basic level, it looks for all the items that are listed in any optional installs manifest, and then lists out the display name, description, and highest version available. There are some additional options described in detail in the README.