iCloud: Is it being used in your environment?

With the introduction of Sierra, Apple has added a few new features to iCloud Drive that business environments may want to gather data on before deciding how to remediate. Rich Trouton has documented the inner workings of the Desktop and Documents Folder sync feature on his blog, so I will spare you the details on that. The other feature Apple introduced is the ability to optimize storage, which Anandtech covers.

Depending on your environment there may also be other concerns with employees using iCloud accounts on their company equipment. For example, Find My Mac is a service that lets a person locate a device and erase or lock it. Perhaps a disgruntled employee sends the Lock/Erase command to the device, or the employee’s account gets compromised because they didn’t have two-factor authentication enabled on their Apple ID. Whatever the reason, only Apple will be able to unlock the device for you, after you meet their requirements (which may include proof of purchase, identification, etc.), and perhaps you want to remediate against that.

There may be additional iCloud features that you also want to disable, such as “Back to My Mac”, which allows a person to remote into their device.

You can draw your own conclusions as to whether these matter in your business environment, but the short of it is that if you have requirements that company data stay on company-managed devices or managed cloud services, then some of these iCloud features are going to be non-starters in your environment.

And that’s not even to mention that no brand-new OS release is without its share of bugs. There have been a few reported issues online that seem to be linked to users upgrading to Sierra while their iCloud accounts are enabled.

With the iCloud features that Apple has introduced, I thought it prudent to collect some information from computers before we start deploying Sierra, so that we can determine whether iCloud is being used and, if so, which features that matter to a business are enabled.

I currently work in a Casper environment and decided to write extension attributes that gather this information, which then lets us create smart groups that use these results as their criteria. Extension attributes are essentially scripts that run on a computer when inventory is collected from it. Therefore, if you work with other inventory/management systems it shouldn’t be too hard to modify these scripts so that they feed into your management system of choice. I tried to comment each script as thoroughly as possible.

Here are the ones that I cared about:

  1. Determine iCloud account status
  2. Determine iCloud account details
  3. Determine iCloud Drive status
  4. Determine iCloud Document Sync status
  5. Determine iCloud Drive optimization status
  6. Determine Find My Mac status
  7. Determine Back to My Mac status

Some of these features depend on each other, but they do not have to be used together. For example, iCloud Drive can’t be enabled unless your iCloud account is signed in, so when no account is signed in, none of the Drive Optimization or Document Sync features will be enabled either.
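As an added illustration of how such an extension attribute can be built (this is not one of the author’s scripts), the following POSIX shell script answers items 1, 2, 3, 6 and 7 from the list above in Casper’s `<result>…</result>` form, and encodes the dependency just described: a service is only reported as enabled when an account is actually signed in. It assumes that the signed-in account and its per-service switches live in the console user’s `~/Library/Preferences/MobileMeAccounts.plist` as an `Accounts` array of dictionaries, each with an `AccountID` string and a `Services` array of `{Name, Enabled}` dictionaries, and that the service names `MOBILE_DOCUMENTS`, `FIND_MY_MAC` and `BACK_TO_MY_MAC` are the labels used there; treat all of those as assumptions to verify against a real plist. The plist text below is constructed for the example; on a Mac the script reads the real file instead.

```shell
#!/bin/sh
# Added example (not the blog author's extension attributes): summarise the
# console user's iCloud account and service state in Casper EA form.
# ASSUMPTIONS: MobileMeAccounts.plist holds Accounts -> [ { AccountID,
# Services -> [ { Name, Enabled } ] } ] and uses the service names below.

# Constructed sample in `plutil -convert xml1` form (not captured from a real Mac).
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Accounts</key>
  <array>
    <dict>
      <key>AccountID</key>
      <string>user@example.com</string>
      <key>Services</key>
      <array>
        <dict>
          <key>Enabled</key>
          <true/>
          <key>Name</key>
          <string>MOBILE_DOCUMENTS</string>
        </dict>
        <dict>
          <key>Enabled</key>
          <false/>
          <key>Name</key>
          <string>FIND_MY_MAC</string>
        </dict>
      </array>
    </dict>
  </array>
</dict>
</plist>'

# Reduce XML plist text on stdin to "AccountID=<id>" and "<Service>=Enabled|Disabled"
# lines. Each service dict's keys are remembered until its </dict>, so the order in
# which plutil emits Enabled and Name does not matter.
icloud_summary() {
  awk '
    /<key>AccountID<\/key>/ { want = "id"; next }
    /<key>Name<\/key>/      { want = "name"; next }
    /<key>Enabled<\/key>/   { want = "enabled"; next }
    want == "id" && /<string>/ {
      sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print "AccountID=" $0; want = ""
    }
    want == "name" && /<string>/ {
      sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); name = $0; want = ""
    }
    want == "enabled" && /<(true|false)\/>/ {
      enabled = ($0 ~ /<true\/>/) ? "Enabled" : "Disabled"; want = ""
    }
    /<\/dict>/ && name != "" { print name "=" enabled; name = ""; enabled = "" }
  '
}

# Item 1: is an iCloud account signed in? (stdin = plist XML)
ea_account_status() {
  if icloud_summary | grep -q '^AccountID='; then
    echo "<result>Signed In</result>"
  else
    echo "<result>Not Signed In</result>"
  fi
}

# Item 2: which account? (stdin = plist XML)
ea_account_id() {
  id=$(icloud_summary | awk -F= '$1 == "AccountID" { print $2; exit }')
  echo "<result>${id:-None}</result>"
}

# Items 3, 6, 7: state of one service ($1 = service name, stdin = plist XML).
# No service can be on without a signed-in account, so that case is reported
# explicitly; a service absent from the plist is reported as Disabled.
ea_service_status() {
  summary=$(icloud_summary)
  if ! printf '%s\n' "$summary" | grep -q '^AccountID='; then
    echo "<result>Not Signed In</result>"
    return 0
  fi
  state=$(printf '%s\n' "$summary" | awk -F= -v s="$1" '$1 == s { print $2 }')
  echo "<result>${state:-Disabled}</result>"
}

# Locate the console user's plist on macOS; fall back to the sample elsewhere.
plist_xml() {
  user=$(stat -f%Su /dev/console 2>/dev/null || true)
  home=$(dscl . -read "/Users/$user" NFSHomeDirectory 2>/dev/null | awk '{ print $2 }' || true)
  f="$home/Library/Preferences/MobileMeAccounts.plist"
  if [ -n "$user" ] && [ -r "$f" ] && command -v plutil >/dev/null 2>&1; then
    plutil -convert xml1 -o - "$f"
  else
    printf '%s\n' "$SAMPLE_PLIST"
  fi
}

xml=$(plist_xml)
printf 'Account: %s\n' "$(printf '%s\n' "$xml" | ea_account_status)"
printf 'AccountID: %s\n' "$(printf '%s\n' "$xml" | ea_account_id)"
for svc in MOBILE_DOCUMENTS FIND_MY_MAC BACK_TO_MY_MAC; do
  printf '%s: %s\n' "$svc" "$(printf '%s\n' "$xml" | ea_service_status "$svc")"
done
```

A real Casper extension attribute would echo exactly one `<result>` line, so you would keep one of the `ea_*` functions per attribute and drop the loop; keeping the parsing in `icloud_summary` means all seven attributes share the same plist handling and only the final question differs.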

I don’t blog often, and this blog post actually prompted me to use GitHub for the first time, so let me know if you’ve got any feedback. Hopefully you find this somewhat helpful.

Edit: One thing to note is that some of these extension attributes look up the logged-in user to pick up the iCloud preferences. So the assumption here is that a user will usually be logged in when recon/inventory is collected from the computer, and that one single user typically uses the computer. It wouldn’t be too far-fetched to go further and build arrays to get the respective iCloud values for each user account through a loop.

Launchctl 2.0 Syntax

The other day I found myself looking to learn how to load and unload launch agents and launch daemons in OS X 10.11. I found myself on the MacAdmins Slack asking about the launchctl syntax in OS X 10.11, and searching online just led me to this discussion on GitHub. The documentation for launchctl left a lot to be desired and it wasn’t very clear how to use it, so I was encouraged to join the exciting world of blogging.

Before getting into the syntax, some basic understanding is probably appropriate. Starting with OS X 10.10, Apple rewrote launchd, added new subcommands, and deprecated some familiar ones that we’ve come to trust over the years. In short, at some point Apple may break the deprecated commands, forcing you to use the new syntax. A good read-up on launchd 2.0 can be found in Jonathan Levin’s presentation at MacSysAdmin in 2014.

With that out of the way, let’s get into the syntax.
