Scripting SSH off/on without needing a PPPC/TCC profile

Posted on September 2, 2020 by alanysiu

You used to be able to use /usr/sbin/systemsetup -f -setremotelogin off or /usr/sbin/systemsetup -f -setremotelogin on to script disabling or enabling SSH on macOS. Now that macOS has Privacy Preferences Policy Control, which needs a profile delivered by a user-approved MDM, you may get this error: setremotelogin: Turning Remote Login on or off requires Full Disk Access privileges. This can be especially annoying if the script’s parent process isn’t code-signed (and thus can’t be used in a PPPC profile), as /usr/sbin/periodic isn’t, for example. (Read more at Use the systemsetup command-line utility on macOS Catalina 10.15.) For now, a workaround


Running daily, weekly, and monthly scripts in macOS using periodic

Posted on August 26, 2020 by alanysiu

Background

I was looking for a time-based project similar to Outset (which runs boot and login scripts stored in various directories), and apparently there’s one already baked into macOS that will run daily, weekly, and monthly scripts. Shoutout to @elios on the MacAdmins Slack for letting me know about periodic.

Launch Daemons

If you run sudo launchctl list | grep periodic-, you’ll see that these launch daemons are running: And, though I don’t love SIP in general, it’s great for this, because you can’t actually disable the launch daemons: sudo launchctl unload /System/Library/LaunchDaemons/ /System/Library/LaunchDaemons/ Operation not permitted while


The limits of password-protecting a .mobileconfig profile

Posted on August 19, 2020 by alanysiu

Three years ago, Rich Trouton wrote Adding password protection to manually installed management profiles, which gives step-by-step instructions for how to make a manually-installed profile prompt for a custom password (in addition to the local admin password) when being removed. I’ve tested this on Catalina, and it still works! That said, it worked only from the GUI (via System Preferences). If you remove the sample profile (sudo profiles remove -identifier 9f9a0b1f-7b17-4656-92aa-b7046ad88d00), it will just remove immediately with no custom password provided. Your best bet for making a profile non-removable is to install it via MDM.


Setting the date/time in macOS (10.14+) recovery mode

Posted on August 5, 2020 by alanysiu

Back in ye olde days, you used to be able to run ntpdate -u to update the date/time automatically in recovery mode, but Apple removed ntpdate in Mojave. In regular bootup, you can run sntp -sS and may get an error like kod_init_kod_db(): Cannot open KoD db file /var/db/ntp-kod: No such file or directory, but the date and time actually will update properly. If you try that command in recovery mode, though, the date and time will not update. Similarly, in regular bootup, you can run systemsetup -setusingnetworktime off && systemsetup -setusingnetworktime on to resync the date/time, and


Things to keep in mind if using a profile to delay macOS updates

Posted on July 29, 2020 by alanysiu

Now that Apple has removed the --ignore flag from softwareupdate, it’s recommending you use the forceDelayedSoftwareUpdates and enforcedSoftwareUpdateDelay keys (more details in Device Management Profile: Restrictions), which are supposed to, in theory, delay an update’s visibility to users for a certain number of days after the update’s release.

The number of days delayed may not be precise

The number of days delayed is imperfect at best. I tested a 7-day delay and even 6 days after the release of the update, it was suddenly available. And here’s an example of someone last year who didn’t see an update released 10 days before,


How to deploy a .pkg via Munki if a config file has to be in the same directory

Posted on July 22, 2020 by alanysiu

Vendors package software in funny ways sometimes. Every now and then, you might come across a vendor .pkg that comes with some kind of .xml or .cfg or .txt that has to be in the same directory as the .pkg. It’s likely because there’s some postinstall script in the .pkg itself that references that text file via relative path. There are basically two approaches you can take here with Munki. Approach #1 would be to create another .pkg that delivers that .pkg as a payload to a directory of your choosing (e.g., /tmp) and also delivers the config file to


Some basics of DEPNotify and a sample script

Posted on July 15, 2020 by alanysiu

If you’ve been doing Munki admin’ing for a short while, you’ve probably heard people talk about DEPNotify, whose README says it is “a small light weight notification app that was designed to let your users know what’s going on during a DEP enrollment.” The aforementioned DEPNotify README is fairly comprehensive in terms of going over all the options. There’s also a project called DEPNotify-Starter, which has a sample script that’s, as of this writing, 827 lines long. If you just want a super simple script to launch up DEPNotify and have it install some Munki stuff, I created a very, very simple


Fixing DEPNotify GUI not launching with keyPath error

Posted on July 8, 2020 by alanysiu

I’m not sure how my computer got into this funky state, but I was playing around with a DEPNotify script, and after a while, I was suddenly getting these errors every time I tried to run it: DEPNotify[12422:409983] Failed to set (keyPath) user defined inspected property on (DEPNotify.WindowController): [ setValue:forUndefinedKey:]: this class is not key value coding-compliant for the key keyPath. DEPNotify[12422:409983] Failed to set (backgroundColor) user defined inspected property on (DEPNotify.ViewController): [ setValue:forUndefinedKey:]: this class is not key value coding-compliant for the key backgroundColor. I tried rebooting my Mac. That didn’t make the problem go away. I tried creating