Security Update 2015-002 & mach_kernel file visibility


As posted by Tim Sutton, the installation of “Security Update 2015-002” on a 10.8.5 or 10.9.5 Mac will leave the /mach_kernel file visible. That’s fine, until someone deletes the file & then can’t boot their Mac.

As ever, Rich Trouton has blogged a method to hide the file via Casper.

However, Rich does love an EA & I’m not so inclined; therefore the following is an EA-free method to achieve the same end.

Check EFI Password State Extension Attribute


JAMF have a great article on deploying the binary needed to set a firmware password on 2010+ Macs via the Casper Suite, here.

I recently had a chance to play with it, but found that the below command (which is used by the following EA to check EFI Password status) often returns nothing or just 0 after running, regardless of whether an EFI password is set or not.

So below is a different version of the previously linked Extension Attribute, using “expect” & maybe an inelegant check.. but hey, if it works!

ANNOUNCING: ADPassmon v2 fork

UPDATE: My fork of ADPassMon has now been merged with main & many changes have been made, for more information follow this link. The Wiki on the GitHub project replaces the details below.


Over the past two posts, I have detailed two issues with 10.9:

  1. No Password Expiration Warning At The Login Window
  2. The “Local Items” keychain

In looking at resolving issue 1, I revisited Peter Bukowinski’s excellent ADPassMon. This is a great app, but has never quite suited my environment; as such I grabbed the code off of GitHub & got stuck in.

This has resulted in me, on this most foolish of days & with a nervous excitement, announcing my ADPassMon fork. In time I hope this fork is committed to the main release.

So why did I go to all this trouble? What does it do? Read below.


The “Local Items” Keychain In Mavericks


UPDATE: My fork of ADPassMon has now been merged with main & many changes have been made, for more information follow this link.

The “Local Items” keychain is something that you may have the misfortune of running into in Mavericks when changing passwords via an external directory service, due to password expiry or a user forgetting their password.

I spent some time tackling it when forking ADPassMon, to not only update users’ passwords just through ADPassMon rather than via the pref pane, but then also update the user’s keychain password.

Below are my observations on the new keychain.



Mavericks & Preference Caching


Preference Caching is something that has been within OSX for some time; in Mountain Lion it was quite prominent with plists such as the Dock plist.

When Dockutil 1.1.4 was released, its major change as noted in the release notes was to restart this preference caching service, called cfprefsd, without which the settings written to the would later be overwritten.

So why am I mumbling along about this?

Well, recently I’ve been involved in discussions on this & wanted to post something to give others the heads up in case anyone else struggles with it.

Apple Software Update Server Not Serving Mavericks Updates After Being Upgraded To Mavericks


After upgrading my Mac servers to 10.9, I found that my 10.9 clients still were not seeing updates served via Apple Software Update Server (read: ASUS). This was due to the servers only having the catalog URLs for 10.6 – 10.8.

As we cascade our ASUS, I thought this was just an issue due to the fact that I hadn’t updated my Master ASUS to 10.9 from 10.8 (with 10.8 hosting 10.6 – 10.8 updates & 10.9 needed to add 10.9 updates).

However, once I updated the Master ASUS the Replicas still did not have the Catalog URL. But a bit of Google-Fu & I was presented with the answer by someone trying to offer 10.9 updates from a 10.8 ASUS.

How To Change The Apple Software Update Server Sync Interval


By default, Apple Software Update Servers (read: ASUS) sync daily with Apple at 3am.

But this can be changed, & the below script can be run to change the interval. You can change either the time of day the sync runs or change it to once a week.

NOTE: As the LaunchDaemon is located within the, you’ll need to run this after every update to


Setup OSX Server as a Time Server



Most of the Macs I support are mobile & it seems that around the release of the “Unibody MacBook Pro” Apple stopped shipping Macs with a battery that would keep the Mac’s time even when the Mac’s main battery had died.

This means that if a Mac’s battery dies while travelling to another office, they’d not be able to log in once there as the time would be more than 5 minutes out. Also, we heavily use SSL to secure things like our Wireless & many websites (JSS distribution points included).

So the solution was for me to set up my own NTP, that would both sync with my domain’s NTP & be externally accessible for those mobile users on the road.