As posted by Tim Sutton, the installation of “Security Update 2015-002” on a 10.8.5 or 10.9.5 Mac will leave the /mach_kernel file visible. That’s fine, until someone deletes the file & then can’t boot their Mac.
As ever, Rich Trouton has blogged a method to hide the file via Casper.
However, Rich does love an EA & I’m not so inclined, therefore the following is an EA-free method to achieve the same end.
Earlier today we started to tighten up one of our wireless networks, moving from PEAP to EAP-TLS authentication. In testing on 10.9.x & win7 clients, all worked well. But when deploying the same config profile that connected the 10.9.x clients to a 10.8.x Mac, the device failed to authenticate.
The 10.8.x client’s console log didn’t show much information, so I took a look at the NPS server’s logs (which are not a pretty sight) & after a time we came to a solution.
See below for the gory details.
JAMF have a great article on deploying the binary needed to set a firmware password on 2010+ Macs via the Casper Suite, here.
I recently had a chance to play with it, but found that the below command (which is used by the following EA to check EFI Password status) often returns nothing or just 0 after running, regardless of whether an EFI password is set or not.
sudo /Library/Application\ Support/JAMF/bin/setregproptool -c
So below is a different version of the previously linked Extension Attribute, using “expect” & maybe an inelegant check.. but hey, if it works!
Preference Caching is something that has been within OS X for some time. In Mountain Lion it was quite prominent with plists such as the Dock plist.
When Dockutil 1.1.4 was released, its major change as noted in the release notes was to restart this preference caching service, called cfprefsd, without which the settings written to the com.apple.dock.plist would later be overwritten.
So why am I mumbling along about this?
Well, recently I’ve been involved in discussions on this & wanted to post something to give others the heads up in case anyone else struggles with it.
By default Apple Software Update Servers (READ: ASUS) sync daily with Apple at 3am.
But this can be changed, & the below script can be run to change the interval. You can change either the time of day the sync runs or change it to once a week.
We set our Macs to require a password when woken from sleep or the screensaver.
Around the beginning of November several of our 10.8.x Mac users started to advise that they were seeing the dreaded spinning beachball/pinwheel when trying to wake their Macs.
It appears we were not alone in this issue.
Way back in 2011 I wrote the post: Managing Apple Software Update Server Across Multiple Servers 10.5/10.6/10.7. This itself was based off of an Apple KB article that seems to have disappeared, but the method outlined in the post above is alive & well, just needs some tweaking for 10.8+.
Most of the Macs I support are mobile & it seems that around the release of the “Unibody MacBook Pro” Apple stopped shipping Macs with a battery that would keep the Mac’s time even when the Mac’s main battery had died.
This means that if a Mac’s battery dies while travelling to another office, they’d not be able to log in once there as the time would be more than 5 minutes out. Also, we heavily use SSL to secure things like our Wireless & many websites (JSS distribution points included).
So the solution was for me to set up my own NTP, that would both sync with my domain’s NTP & be externally accessible for those mobile users on the road.
I’ve posted How To: Set a Macs Time Server, How To: Sync Time With NTP via Script & How To: Check Your Active Directory Domains Time. They all came about when first looking at this issue; this last post in the series will use all those posts.
I use RSYNC over SSH & launchagents to keep my Casper distribution points in sync with the Master.
However on upgrading the master to 10.8.2, the SSH connection would error with the message:
“Permission denied > (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive)”
I re-ran through the steps I’d used previously.. reached out to JAMF support, JAMFNation & the MacEnterprise Mailing List.. still no joy..
So, I then started to think that maybe the change in OS for the master meant a change in method.. after Googling “mountain lion authorized_keys” I came across the below blog, which revealed the answer!
For my future deployments, I’ve decided to partition my managed Macs’ HDs with 33% for the OS (which I’ve kept as being called Macintosh HD) & the remaining 67% as User data (which I’ve labelled Users HD).
To do this I’ve been using fstab to mount the “Users HD” partition to /Users. Below is how I achieve this, hope it helps.