sysadminctl changes in 10.13 affecting FileVault

Apple has changed how sysadminctl works in 10.13 and it also happens to affect fdesetup. Let’s go over what has changed below.

Update to macOS Upgrade Script

I’ve gone ahead and updated my OS upgrade script for compatibility with macOS High Sierra (10.13). If you’re curious about how to use it, please read my blog post here. There’s one major change to report other than compatibility with the new OS installer app.

FileVault Authenticated Restarts

Currently, the macOS installer does not support FileVault authenticated restarts. Without one, the user has to run the installer, wait for the restart, authenticate at the FileVault login window and only then walk away. The script now prompts the user for their FileVault credentials before the upgrade even starts, so they can walk away while the installer app prepares the computer for the upgrade.

The script automatically detects whether FileVault is turned on; if it isn’t, the user never sees the authentication prompt. Some folks might not want this prompt at all, so if you wish to disable this part of the script, comment out lines 521 – 524. I would have made this an option controlled by a JSS parameter, but I ran out of parameters to use (vote up this feature request for more JSS parameters).

Conversion to APFS

I’ve been asked to add an option to turn APFS conversion on or off. Early in this update I did enforce conversion with --converttoapfs YES (put NO instead of YES to disable it). After asking other admins for feedback, though, I opted not to force it and to let the installer app decide whether to convert the drive to APFS; Apple knows best which configurations support APFS and which don’t. I did leave a comment in the script at line 500 for those who want to always enforce or always disable APFS conversion. It would have been nice to make this a JSS parameter you could toggle, but as I said earlier, I ran out of JSS parameters to use (vote up this feature request for more JSS parameters).

Additional changes include:

  • new dialogs for Filevault authenticated restarts
  • new exit codes
  • code clean up

The script referenced above can be downloaded from my GitHub repo. Please let me know if you run into any issues or have any questions regarding the script.

Using JAMF Helper for policies

Jamf Pro has several triggers, events that cause a computer to check in with the Jamf Pro server and run policies: Startup, Login, Logout, Network State Change, Enrollment Complete, Recurring Check-in, and Custom. You can read the description of each trigger by creating a new policy (you don’t have to save it) and reading the descriptions in the General policy payload.

Recently, I had a situation where we wanted to run a pretty big update on logout, which has the benefit of ensuring the software isn’t running. There are pros and cons to this trigger which I won’t get into here. However, one thing I’ve always found unacceptable is the JAMF Helper HUD dialog that shows up in the bottom right corner.

I’ve submitted a feature request on JAMF Nation to improve this functionality: https://www.jamf.com/jamf-nation/feature-requests/5980/login-and-logout-policies-should-have-a-more-descriptive-message

The Jamf Pro administrator knows what the dialog means, but end users will be clueless: it isn’t descriptive and is quite confusing. You can try to educate your end users on what it means, but you shouldn’t have to, and many of them naturally won’t remember.

startosinstall updated in macOS 10.12.4 app installer and can no longer target a volume

I recently blogged about my upgrade process with Jamf Pro. The script I had worked well with 10.12.3, and one would assume it would work just as well with the 10.12.4 macOS installer app. However, it appears that Apple has removed a flag: you can no longer specify which volume to target for the installation.

The command that you could use previously in 10.12.3 looked like:

"/Applications/Install macOS Sierra.app/Contents/Resources/startosinstall" --applicationpath "/Applications/Install macOS Sierra.app" --volume / --rebootdelay 30 --nointeraction

In 10.12.4, it now looks like:

"/Applications/Install macOS Sierra.app/Contents/Resources/startosinstall" --applicationpath "/Applications/Install macOS Sierra.app" --rebootdelay 30 --nointeraction

Those are just examples of some of the flags you could use; the point is that --volume / is gone. All this to say I had to update my script to account for it, which led me to other code I could optimize: I have added some additional exit codes and additional functions to reduce duplicated code. The updated script can be downloaded from my GitHub repo. For instructions on how to use it, please refer to my previous blog post.
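
Rather than hard-coding a different argument list for each installer build, a script can ask the bundled startosinstall what it accepts and build its arguments from that. The following is an added bash example, not the author’s script: the 10.12.3/10.12.4 difference is the one described above, while the function names, exit codes, the use of $4 as a reboot-delay parameter and the sample usage text in the comments are assumptions made for this example.

```bash
#!/bin/bash
# Feature-detect startosinstall flags from its own --usage text instead of
# hard-coding them per OS version. Added example, not the author's script;
# the function names, exit codes and parameter label are assumptions.
INSTALLER_APP="${INSTALLER_APP:-/Applications/Install macOS Sierra.app}"
STARTOSINSTALL="$INSTALLER_APP/Contents/Resources/startosinstall"
REBOOT_DELAY="${4:-30}"    # JSS parameter 4 (assumed label: "Reboot Delay")

# 0 if the usage text ($1) advertises flag $2.
usage_supports() {
    printf '%s\n' "$1" | grep -q -- "$2"
}

# Print the volume flag to add, given the usage text: "--volume /" for a
# startosinstall that still accepts it (10.12.3), nothing otherwise (10.12.4).
volume_flag_for() {
    if usage_supports "$1" "--volume"; then
        echo "--volume /"
    fi
}

# Exit codes this example assigns (not the author's).
E_NO_TOOL=10
E_UNSUPPORTED=11

run_installer() {
    [ -x "$STARTOSINSTALL" ] || { echo "startosinstall not found in $INSTALLER_APP"; exit $E_NO_TOOL; }
    usage=$("$STARTOSINSTALL" --usage 2>&1)
    # Flags every Sierra build accepts; fail loudly rather than guess if one disappears too.
    for flag in --applicationpath --rebootdelay --nointeraction; do
        usage_supports "$usage" "$flag" || { echo "startosinstall no longer accepts $flag"; exit $E_UNSUPPORTED; }
    done
    set -- --applicationpath "$INSTALLER_APP" --rebootdelay "$REBOOT_DELAY" --nointeraction
    vol=$(volume_flag_for "$usage")
    # $vol is intentionally unquoted so "--volume /" splits into two arguments.
    # shellcheck disable=SC2086
    "$STARTOSINSTALL" "$@" $vol
}

# Jamf passes the mount point as $1; without it, only the functions are defined.
case "${1:-}" in /*) run_installer ;; esac
```

The check on the three always-present flags is there so that the next removal produces a clear exit code instead of a startosinstall error buried in the policy log.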

Caching Service available in macOS 10.12.4 through AssetCacheActivatorUtil

Recently there was a tweet from Hannes Juutilainen about a new tool in macOS 10.12.4 called AssetCacheActivatorUtil, and Charles Edge wrote a blog post on the new tools that came with the 10.12.4 update. The update introduced AssetCacheActivatorUtil along with a few related tools: AssetCache, AssetCacheLocatorUtil and AssetCacheTetheratorUtil.

The man page has some basic options on how to use this tool:

NAME
    AssetCacheActivatorUtil — control the macOS caching server

SYNOPSIS
    AssetCacheActivatorUtil activate
    AssetCacheActivatorUtil deactivate
    AssetCacheActivatorUtil isActivated
    AssetCacheActivatorUtil canActivate
    AssetCacheActivatorUtil status

DESCRIPTION
    The caching server built-in to macOS is deactivated by default. In its first three forms, AssetCacheActivatorUtil activates the built-in caching server, deactivates it, or reports its activation status. In its fourth form, AssetCacheActivatorUtil reports whether the built-in caching server is eligible for activation. Installing macOS Server prevents the built-in caching server from activating. In its fifth form, AssetCacheActivatorUtil reports the built-in caching server’s status.

The benefit to having this baked into macOS is that you no longer need to have the macOS Server app installed. You could take any Mac in your organization and have this service running. For example, if you have Mac Minis in conference rooms, you can have them running this service without having to place a Mac in your server room.

The first thing that came to mind was how exactly do we set the cache limit or manage any other preferences. Thanks to a tip from Clayton Burlison I was able to figure out how to set the Cache Limit.

To activate the caching service, simply enter AssetCacheActivatorUtil activate on the command line. That’s right, no sudo required. AssetCacheActivatorUtil writes its preferences to /Library/Preferences/com.apple.AssetCache.plist and places its cache in /Library/Caches/com.apple.AssetCache. You can also get certain information by running AssetCacheActivatorUtil status. The one caveat is that if you want to manage the caching service’s preferences, you need to deactivate the service first: simply type AssetCacheActivatorUtil deactivate. Once you’ve done that, you can write to the preference list file (which, living in /Library/Preferences, does require root).

To set the cache limit, enter a command like: sudo defaults write /Library/Preferences/com.apple.AssetCache.plist CacheLimit -int 15000000000, where the integer appears to be in bytes (e.g. 15000000000 bytes = 15 GB). I’ve gathered this from some of the values you get when you run AssetCacheActivatorUtil status: TotalBytesDropped, TotalBytesImported, TotalBytesReturned, TotalBytesStored, TotalBytesStoredFromOrigin and TotalBytesStoredFromPeers (these all appear towards the end of the output from that command).

There may be other keys of interest in this plist (there are more than these, but these are the ones that stood out to me):

  • ReservedVolumeSpace (Int)
  • DataPath (String)
  • LocalSubnetsOnly (Bool)
  • PeerLocalSubnetsOnly (Bool)
  • SavedCacheDetailsOrder (Array of Strings), which would seem to let you pick the data you want to cache: Mac Software, iOS Software, Apple TV Software, iCloud, Books, iTunes U, Movies, Music, Other

The one other thing I did test was to see whether the ReservedVolumeSpace key could be higher than the CacheLimit key. This would make sense: the ReservedVolumeSpace would be the space on the volume that you want to reserve specifically for caching and the CacheLimit would be how much of that reserved space is allocated to caching. What ends up happening if you try to make the CacheLimit key higher than ReservedVolumeSpace is that CacheLimit is set equal to the ReservedVolumeSpace value.

The last thing I want to note is that trying to manage these values with a configuration profile did not work in my testing. You need to write to the plist because that’s where this tool reads from.
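
Since the service reads its settings from the plist and not from a profile, the natural way to manage it is a script that follows the deactivate, write, reactivate sequence described above and reads back what took effect. The following is an added bash example, not the post’s own script. Gigabytes are decimal (10^9 bytes) as in the post; the clamping in effective_cache_limit reproduces only what the post observed about CacheLimit exceeding ReservedVolumeSpace; the use of $4 and $5 as JSS parameters, the root check and the exit codes are assumptions for this example.

```bash
#!/bin/bash
# Set CacheLimit and ReservedVolumeSpace for the 10.12.4 built-in caching
# server in the order the post describes: deactivate, write the plist,
# reactivate, read back. Added example; $4/$5 as JSS parameters and the
# exit codes are assumptions.
PLIST=/Library/Preferences/com.apple.AssetCache.plist

# Decimal gigabytes to bytes (15 -> 15000000000, matching the post's example).
gb_to_bytes() {
    echo $(( $1 * 1000000000 ))
}

# The limit macOS ends up with, per the post's observation: a CacheLimit ($1)
# larger than ReservedVolumeSpace ($2) is set down to the reserve.
effective_cache_limit() {
    if [ "$1" -gt "$2" ]; then echo "$2"; else echo "$1"; fi
}

configure_cache() {    # $1 = cache limit in GB, $2 = reserved volume space in GB
    [ "$(id -u)" -eq 0 ] || { echo "writing $PLIST requires root"; exit 1; }
    limit=$(gb_to_bytes "$1")
    reserve=$(gb_to_bytes "$2")
    if [ "$(effective_cache_limit "$limit" "$reserve")" != "$limit" ]; then
        echo "warning: CacheLimit $limit > ReservedVolumeSpace $reserve; macOS will clamp it to $reserve" >&2
    fi
    # The post found the plist is only honoured when written while the service is off.
    AssetCacheActivatorUtil deactivate
    defaults write "$PLIST" CacheLimit -int "$limit"
    defaults write "$PLIST" ReservedVolumeSpace -int "$reserve"
    AssetCacheActivatorUtil activate
    # Verify what took effect rather than trusting the write.
    echo "CacheLimit now: $(defaults read "$PLIST" CacheLimit)"
    AssetCacheActivatorUtil status
}

# Run only when both parameters are supplied (Jamf passes them as $4 and $5).
if [ -n "${5:-}" ]; then
    configure_cache "$4" "$5"
fi
```

The read-back at the end is the useful part: because of the clamping, the value you wrote and the value the service runs with are not necessarily the same, and the policy log should show the latter.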

I have not tested the other keys, but feel free to report back in the comments what they do if you’ve tested them.

Lastly, please consider speaking to your networking team if you do decide to turn this service on. When they see so much traffic coming from one Mac, they might start to wonder what’s going on. Communication is important and no one likes surprises.

Disable iCloud Desktop and Documents Sync

Apple is still testing 10.12.4 beta 7 as of the time of this post, but they have introduced a new preference key that can be managed through a configuration profile. You can read about it in Apple’s public documentation (no login required). The new key, in the Restrictions (com.apple.applicationaccess) payload, is allowCloudDesktopAndDocuments and accepts a boolean: if set to false, it disallows macOS cloud desktop and document services; it defaults to true and is available only in macOS 10.12.4 and later. For enterprises this is a rather important preference that should probably have shipped when 10.12 was first released, but better late than never.

Another method for macOS upgrades via the JSS using Self Service

There are quite a few methods people use to make macOS upgrades available to their end users, and mine takes a little inspiration from their posts with a few differences. This time around I wanted to use Apple’s macOS installer app, which has a neat little command line tool called startosinstall. There was no particular reason to use this method other than that we had no requirement to install any particular packages post-install, which you can do with a tool like createOSXinstallPkg. We had a few requirements:

  1. Computer has sufficient free drive space.
  2. User is not logged in to avoid the new iCloud Drive Document Sync feature.
  3. Ensure the user is plugged into a power source.
  4. Provide dialogs to give the user feedback such as a time estimate and dialogs on what to expect next.
  5. Make use of the JSS parameter to allow for customization and potential re-use for future operating systems.
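
The pre-flight checks in that list, together with the FileVault detection described in the script update earlier on this page, as an added bash example. This is not the author’s script: the JSS parameter labels ($4 minimum free space, $5 custom trigger), the exit codes and the parsing of df, pmset, fdesetup and stat output are assumptions for this example. Each check takes raw command output as its argument so the decisions can be tested with constructed strings off a Mac.

```bash
#!/bin/bash
# Pre-flight checks for a startosinstall-based upgrade run from Jamf Pro.
# Jamf passes mount point, computer name and console user as $1-$3 and the
# JSS script parameters as $4-$11. The two parameters used here and their
# labels are assumptions for this example, not the author's script.
MIN_FREE_GB="${4:-15}"    # Parameter 4, "Free Space Required" (GB)
CUSTOM_TRIGGER="${5:-}"   # Parameter 5, "Custom Trigger" fired after checks pass

# Print free gigabytes from `df -g /` output (4th column, "Available").
free_gb_from_df() {
    printf '%s\n' "$1" | awk 'NR > 1 { avail = $4 } END { print avail + 0 }'
}

# 0 if free space ($1 = df output) is at least $2 GB.
enough_free_space() {
    [ "$(free_gb_from_df "$1")" -ge "$2" ]
}

# 0 if `pmset -g ps` output ($1) shows the Mac drawing from AC power.
on_ac_power() {
    printf '%s\n' "$1" | grep -q "AC Power"
}

# 0 if `fdesetup status` output ($1) starts with "FileVault is On".
filevault_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On'
}

# 0 if the console owner ($1 = `stat -f %Su /dev/console`) is a real user,
# i.e. someone is there to answer a FileVault prompt.
user_logged_in() {
    case "$1" in
        ""|root|loginwindow) return 1 ;;
        *) return 0 ;;
    esac
}

main() {
    if ! enough_free_space "$(df -g /)" "$MIN_FREE_GB"; then
        echo "Need at least ${MIN_FREE_GB} GB free; aborting"; exit 2
    fi
    if ! on_ac_power "$(pmset -g ps)"; then
        echo "Mac is on battery; connect to power and retry"; exit 3
    fi
    if filevault_on "$(fdesetup status)"; then
        if ! user_logged_in "$(stat -f %Su /dev/console)"; then
            echo "FileVault is on but nobody is at the console to authenticate"; exit 4
        fi
        echo "FileVault is on: prompt the user for credentials here, before startosinstall runs"
        # The dialog itself (jamfHelper or osascript) is out of scope for this example.
    fi
    if [ -n "$CUSTOM_TRIGGER" ]; then
        /usr/local/bin/jamf policy -event "$CUSTOM_TRIGGER"
    fi
}

# Jamf always passes the mount point as $1; without it (e.g. when sourced for
# testing) only the functions above are defined.
case "${1:-}" in /*) main "$@" ;; esac
```

Separating the parsing from the commands is what makes the exit codes trustworthy: a change in df or pmset output shows up as a failing test on a workstation, not as every Mac in the fleet silently reporting "not enough space".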

JSS Parameters

JSS script parameters are a great feature: they let you write scripts whose inputs are supplied by the policy rather than hard-coded. I’m not sure how often they are used, but suffice it to say they can be very useful when the same commands are run repeatedly with only the variables changed. Parameter labels can also be assigned to JSS parameters, as shown in Rich Trouton’s blog post, by going to Settings > Computer Management > Scripts, clicking on the script and selecting the Options tab. This lets you go from the generic Parameter 4, Parameter 5, etc. to something more descriptive like “Free Space Required” or “Custom Trigger”.

However, JSS parameters have a few limitations. Below I’ll go over some of those limitations and the associated feature requests that would address them.

Ensuring SIP is enabled

It has been reported that some of the new MacBook Pros (Late 2016) have been shipping with System Integrity Protection (SIP) disabled. Apple has addressed this with the 10.12.2 update. You can read about SIP on Rich Trouton’s blog.

There is one obvious question that comes to mind: do you trust that the computers have not been compromised in shipping, especially with SIP disabled? Perhaps SIP doesn’t play as much into this question if your organization works on the assumption that you cannot trust any bits that come on the drive of a new computer and they must all be wiped. After all, if someone intercepts a computer during shipping, it would be just as easy for them to disable and re-enable SIP as needed.

One thing to note here is that if you wipe and image new computers, that alone won’t re-enable SIP, because the setting is stored in NVRAM (the csr-active-config variable), not on the disk. If you don’t wipe and image and instead rely on something like DEP or another no-imaging workflow, you still need to report on SIP’s status and somehow take action to re-enable it on computers that have it disabled.

Two ways of re-enabling SIP come to mind: 1) boot into the Recovery partition and run csrutil enable, and 2) reset the NVRAM. The first you cannot really automate, short of asking all techs to do it on every computer coming in. The second can be done manually (holding Command-Option-P-R at startup) or via the command line. Our interest is in doing this via the command line in order to automate it.
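
The two halves of that workflow, reporting SIP state and clearing NVRAM from the command line, as an added bash example that is not the author’s script. The csrutil status strings it matches (including the “Custom Configuration” case for a partially disabled SIP) are macOS’s; the extension attribute format is Jamf’s; the mode argument, result strings and the decision to gate the reset on a root check are my choices for this example.

```bash
#!/bin/bash
# Report SIP state in Jamf extension-attribute form and, on request, reset
# NVRAM so SIP comes back on at the next boot. Added example, not the
# author's script; the mode argument and result strings are assumptions.

# Classify `csrutil status` output ($1): enabled, disabled, custom (partially
# disabled, reported as "Custom Configuration") or unknown.
sip_state() {
    case "$1" in
        *"Custom Configuration"*) echo custom ;;
        *"status: enabled"*)      echo enabled ;;
        *"status: disabled"*)     echo disabled ;;
        *)                        echo unknown ;;
    esac
}

# Extension attribute body for Jamf Pro: one <result> line to build a smart group on.
extension_attribute() {
    echo "<result>$(sip_state "$(csrutil status 2>&1)")</result>"
}

# Clear NVRAM; csr-active-config (the SIP setting) lives there, which is why
# wiping the disk alone does not re-enable SIP. This also drops boot-args and
# the chosen startup disk, so pair it with a restart policy.
remediate() {
    state=$(sip_state "$(csrutil status 2>&1)")
    if [ "$state" = enabled ]; then
        echo "SIP already enabled"; return 0
    fi
    [ "$(id -u)" -eq 0 ] || { echo "nvram -c requires root"; return 1; }
    nvram -c && echo "NVRAM cleared; SIP will be enabled after the next restart"
}

# Jamf passes mount point/computer/user as $1-$3, so a policy selects the mode
# with parameter $4 ("report" or "remediate"). Extension attributes receive no
# parameters, so a bare first argument works there too.
case "${4:-${1:-}}" in
    report)    extension_attribute ;;
    remediate) remediate ;;
esac
```

Treat "custom" the same as "disabled" when scoping the remediation policy: a Mac with only some protections turned off is still not in the state Apple ships.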
