Ensuring SIP is enabled

It has been reported that some of the new MacBook Pros (Late 2016) have been shipping with System Integrity Protection (SIP) disabled. Apple has addressed this with the 10.12.2 update release. You can read about SIP on Rich Trouton’s blog.

One obvious question comes to mind: do you trust that the computers have not been compromised in shipping, especially with SIP disabled? Perhaps SIP doesn’t play as much into this question if your organization works off the assumption that you cannot trust any bits that come on the drive on new computers and they must all be wiped. After all, if someone intercepts a computer during shipping, it would be just as easy for them to disable and re-enable SIP as needed.

One thing to note here is that if you wipe and image new computers, that alone won’t re-enable SIP, as that information is stored in memory (NVRAM). If you don’t wipe and image and instead rely on something like DEP or another no-imaging workflow, you still need to report on SIP’s status and take action to re-enable SIP on computers that have it disabled.

Two ways of re-enabling SIP come to mind: 1) boot into the Recovery Partition and re-enable SIP, and 2) reset the NVRAM. The first you cannot really automate much short of asking all techs to reset PRAM on every computer coming in. The second can be done manually or via the command line. Our interest is in doing this via the command line so that it can be automated.


Cables, Adapters, Devices For A Brave New Mac World

The announcement of the new MacBook Pros which only have USB-C ports will begin a frustrating, but needed transition to new devices that are USB-C capable. There’s a lot that USB-C can do, but it won’t be covered here. Here is one article I did find insightful by Stephen Foskett. I won’t try to guess how long this transition will take, but the prospect of having to only use one cable for connecting and powering devices is really exciting even if there is some initial confusion.

The purpose of this post is to get you to think about what you might need for the transition. A spreadsheet linked at the end has links to the cables, adapters, and devices in question. Just note that I have not tested, and may not get to test, all the devices I’ve linked in the spreadsheet. Prices may vary as well. The goal was to try and get the best value for functionality. I am also not affiliated with any of the vendors and sellers that I’ve linked to. With all that said, let’s get to the questions you should be thinking about.


Launchctl 2.0 Syntax

The other day I found myself looking to learn how to load and unload launch agents and launch daemons in OS X 10.11. I found myself on the MacAdmins Slack asking about the launchctl syntax in OS X 10.11, and searching online just led me to this discussion on GitHub. The documentation for launchctl left a lot to be desired and it wasn’t very clear how to use it, so I was encouraged to join the exciting world of blogging.

Before getting into the syntax, some basic understanding is probably appropriate. Starting with OS X 10.10, Apple rewrote launchd, adding new sub-commands and deprecating some familiar ones that we’ve come to trust over the years. In short, at some point Apple may break the deprecated commands, forcing you to use the new syntax. A good overview of launchd 2.0 can be found in Jonathan Levin’s presentation at MacSysAdmin in 2014.

With that out of the way, let’s get into the syntax.
