For a long time I’ve been saying that the #1 challenge with regard to using iOS is content distribution. Others have mirrored that by saying that the device is a content aggregator, etc. The challenge is keeping everyone on the same page, with the same content and distributing administration of all of that to those who need it.
Well, our friends at JAMF software are, as usual, right in the middle of resolving the more challenging issues of the day with regard to iOS and OS X. In this case they’ve released a new tool called Casper Focus that enables rudimentary administrative tasks by teachers.
Now, I don’t want anyone to take the word rudimentary to be a bad thing. You see, accessing and remotely controlling devices can be a big challenge. The learning curve can be steep. By only giving delegated administrators a few options that learning curve can be drastically reduced. Lock, enable, distribute data. These are the very basic tasks teachers need.
Overall, this is yet another great addition to the Casper family of products and 318 is excited to work with our customers to integrate Casper Focus into the environments for our customers where appropriate. Call your Professional Services Manager today for more information!
Some helpful tips (in the form of keyboard combinations) on getting wizardly fast with navigating around Windows 8:
Windows key: Brings up the Start menu. On a touch screen keyboard you can then swipe through the charms in the Start menu.
Windows-x: Brings up a menu with many of the systems administration tools you’ll need in Windows 8, including Disk Management, a command prompt, device manager, etc.
Windows-r: Brings up a Run dialog
Windows-c: Bring up the sidebar that allows you to search, access devices or tap/click on Settings to bring up a Shut-Down menu.
Windows-l: Lock the screen
Windows-k: Bring up Devices
Windows-h: Bring up Sharing
Windows-f: Bring up Files in the Start Menu search
Windows-i: Bring up Settings (Control panel, personalization, desktop, Power menu, network selection for Wi-Fi, etc)
Windows-Q: Brings up the apps screen so you can select a program to open
And for your extra credit, most of the alt keys still work, but I find I now use Alt-F4 more than I used to, which closes a window
There’s a product out there called SANFusion that can allow Media Composer to read disk images on Xsan as though each were a separate workspace in AvidFS. This allows environments to leverage existing pools of storage sitting on Xsan as though they were sitting on an Isis or a Terablock. Check it out at SANFusion:
SAN Fusion is an easy and cost-effective solution that allows you to use Avid Media Composer with your existing Xsan infrastructure.
By using an existing Xsan volume as a backing-store for SAN Fusion’s virtualized workspaces, editors can experience authentic Unity-style bin sharing and locking from within Media Composer 5.5.3 or later. Unlike other solutions that purport to make Avid work with Xsan, SAN Fusion is a client-side application with no additional server or minimum number of seats to buy.
SAN Fusion clients mount and unmount workspaces on demand through our intuitive GUI to provide Media Composer a real-time translation layer between it and Apple’s Xsan filesystem. The end result is the best of both worlds: Avid’s first class bin and media sharing combined with Apple’s storage-agnostic low (or no) cost cluster filesystem.
The $1,500 price tag shouldn’t scare you off. Just compare the cost of a Promise X30 to the same amount of storage from Avid and you’ll get the idea why. And if you need any help with such things, give us a shout at sales@318.com.
OpenXenManager is a nice graphical environment for managing the Xen virtualization environment. You still need to use QEMU or virt-install/virt-manager to manager domains themselves, but OpenXenManager takes some of the guessing games out of things. Having said that, xm is still the way to go for the most part.
Before you install OpenXenManager, you’ll need svn, which isn’t baked into a default Ubuntu 12.04 or 12.10 installation. We’ll just use apt-get to build subversion and some python frameworks required for openxenmanager:
Starts with a replay of the Google Glass commercial, but then an uncomfortable founder of an internet company rambles uncomfortably. 13:12 in he jokes about recording from the stage without people knowing. Strange times we live in.
OS X Server has the ability to bcc mail that flows through it. This can be a good way to keep a copy of mail for the purposes of things like legal requirements. To enable this feature, once upon a time you could use the GUI in OS X Server. These days, the feature is still there but is now accessed through the command line as the always_bcc_enabled option within serveradmin’s mail settings. To enable this option, use the following command:
sudo serveradmin stop mail
sudo serveradmin start mail
Finally, if there are any issues, putting the postfix logging facility into debug mode can help you triangulate, done using the following command (and restarting the mail service again):
Just a note for those folks with well-worn bookmarks to this post on Ed Marczak’s blog, Radiotope.com, for authenticating VPN connections with Mac OS X Server’s Open Directory, which is still valid today. When trying to use the System Preferences VPN client/network adapter with the built-in L2TP server in Sonicwall, though, I was curious why OD auth wasn’t working for me, but users that were local to the Sonicwall were. Having been a while since the last time I’d set it up, I went on a search engine spelunking and found a link that did the trick.
In particular, a comment by Ted Dively brought to my attention the fact you need to change the order(in the VPN sidebar item, L2TP Server, when the Configure button pop-up is clicked, it’s under the PPP tab) that the L2TP service is configured to use for authentication type, PAP instead of the more standard MSCHAPv2.
We hope that is of help to current and future generations.
For the first year I’ll be speaking at the newly-rebranded League of Extraordinary Gentlemen League of Professional System Administrators conference in New Brunswick, New Jersey! It’s May 3rd and 4th, and should be a change from the Mac-heavy conferences we’ve been associated with as of late. I’ll be giving a training class, Intro to Mac and iOS Lifecycle Management, and a talk on Principled Patch Management with Munki. Registration is open now! Jersey is lovely that time of year, please consider attending!
For the third year, I’ll be presenting at PSU MacAdmins Conference! This year I’m lucky enough to be able to present two talks, “Backup, Front to Back” and “Enough Networking to be Dangerous”. But I’m really looking forward to what I can learn from those speaking for the first time, like Pepijn Bruienne and Graham Gilbert among others. The setting and venue is top-notch. It’s taking place May 22nd through the 24th, with a Boot Camp for more foundational topics May 21st. Hope you can join us!
We routinely need to change our administrative passwords on multiple computers as part of our security policy. Since we already have remote access to many of our Mac OS X computers through Apple Remote Desktop (ARD), changing that administrator password is quick and simple.
if [ $? = 0 ] ; then
echo "Password reset."
else
echo "Password not reset."
fi
In ARD, click the Send UNIX Command button and paste the script into the top field. Choose to run this command as a specific user and specify root.
From the Template drop down menu in the upper right corner select Save as Template… and save these settings with a descriptive name such as Spin ladmin password.
To use and reuse this template, select the workstations with the old account password and click the Send UNIX Command button in ARD’s toolbar. Choose the Spin ladmin password template from the Template drop down menu. Adjust the account name and password accordingly in the script and then click the Send button.
ARD can spin dozens or hundreds of account passwords in just a few seconds without having to know the original.
While visiting our Santa Monica office I called on a client having difficulties connecting his Windows 7 computer to his file server. I expected this to be a pretty straight-forward issue since the environment was pretty simple:
Only his PC wouldn’t connect—everyone else was connecting without issue
Just a handful of users (about five)
All wired connections (no wireless)
A Windows Server 2003 file server
No domain—just a workgroup
A small simple router for DHCP and Internet
I went through basic troubleshooting steps and verified that the client could indeed browse devices on the network (including the server), had no unusual ping times or network settings and that his account password for the server was correct. Every attempt to connect prompted for his name and password but the server wouldn’t accept his credentials. He was repeatedly prompted for his credentials.
Likewise, a new server account that I created myself would work on other PCs but not his. I narrowed my focus to his machine and started asking questions:
Q: Was this a new machine?
A: Yes, pretty new.
Q: Had it ever connected to the server?
A: Yes, it had.
Q: Any recent unusual activity in the office?
A: Yes, the office had to be shut down for some recent power maintenance in the building a week ago. When he restarted the server it wouldn’t power up. Hardware technicians had diagnosed a few failed components. Only yesterday afternoon had the server been back online.
Q: Did he have the only Windows 7 PC in the office?
A: Yes.
The last question led me to believe he was having an issue with security negotiations between his PC and the server because the two OS versions were nearly 10 years apart and Windows 7 has considerably stricter security. Nothing in the PC’s local policy nor the server’s local policy for Microsoft Networking looked unusual. I tested a little registry change that seemed logical:
Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
Create Dword LmCompatibilityLevel with a value of 1
Restart computer and try to connect again.
No change.
After more research I found another potential solution on Microsoft Answers but was skeptical it would solve my issue since the computers were in a workgroup and not a domain. Check the time.
Just as soon as I was ready to pursue that idea the office manager asked me to check the backups on the server because they were reporting dates from October 2010. That was a smack to the face!
A quick resync to the time.windows.com NTP server corrected the time and the Windows 7 user logged in immediately.
False-positive errors muddy our view, so just as many strive to quiet noisy syslogs, we can easily overcome a common complaint we see Retrospect make when doing differential SQL backups: ‘the master DB can’t be DIFF’d’.
Complicating matters is Retro’s SQL connector doesn’t seem to allow you to exclude that one as a source. Simply make an exclusion for ‘file or folder name matches: master’ and you’ll see it get to the master in the log and decide no files necessary to backup, keeping the result of that script error-free.
Xen is one of those cool open source projects which seems like the kind of thing you’d probably want to run if it weren’t for the fact that everyone forces you to run ESX(i). It’s free, it’s well documented, and no matter how irrational salespeople can be, nobody can say there’s no support or documentation for it. So how does Xen work, and how does it compare with ESXi?
For starters, there’s no need to be overly concerned with what hardware is supported. Instead of being dependent on a specific OS, Xen is a driverless hypervisor which runs in conjunction with a host OS. This host OS might be GNU/Linux, NetBSD, Solaris or others. Since the host OS handles talking with hardware, any hardware which is supported by the host OS can be used with Xen. In a nutshell, Xen can be run on any x86 box, although full virtualization requires Intel’s VT-x or AMD’s AMD-V hardware support.
So let’s say you want to set up Xen. How? In many instances it’s as simple as installing a GNU/Linux distribution or a NetBSD distribution. Straightforward directions can be found here:
Let’s say you’ve already done all of that and you’re sitting at the command prompt of your Xen dom0. How do we create virtual machines? We’ll make an example using Windows 2012 Server since that just happens to be what I’m installing today.
Just like the how-to for installing a Xen dom0 instance, there are lots of how-tos for installing Windows and other OSes under Xen. We’ll summarize the important points using a minimal VM configuration file:
# boot on floppy (a), hard disk (c) or CD-ROM (d)
# default: hard disk, cd-rom, floppy
boot="cd"
usbdevice = 'tablet' # Helps with mouse pointer positioning
Some of the options are pretty self-explanatory such as name, memory, vcpus, on_reboot and on_crash. Others may need a little explanation. Builder identifies the kind of virtualization. For paravirtualization, no builder need be specified, but you must be running a Xen-aware domu. For full virtualization, use hvm. device_model determines the executable run to emulate devices which the virtual machine will use. The default Xen qemu device model appears to work well nowadays with all versions of Windows. The disk line should make sense, but be aware that you’ll need to make the disk image yourself. If you wish to preallocate the entire file, use something like:
vif is the virtual network interface. A bridge to a real NIC is simplest, although other options are available if desired.
sdl is some other way of presenting the graphics screen, but I don’t know how that works. vnc, on the other hand, can be run on localhost and sent over X11 very easily. My options above create a vnc listener on display 12 (localhost:5912) with a simple password. One can forward X11, with compression if preferred, and run vncviewer on the Xen dom0. If X11 scares you, you can also use ssh to forward port 5912 from localhost of the dom0 to a port on your local machine and run VNC or Screen Sharing on your local machine.
There are great reasons to do something like this, like the ability to talk directly to the ssh daemon on the dom0 instance… But whatever… Blah blah blah. We’re now running Windows in Xen…
Back in the old days of unix there was an easy way to start a daemon or script every time a computer booted. Simply put it in one of the /etc/rc.? text files and it would start all the services in the order specified. Later, it was made more flexible by having different startup folders based on which runlevel you were on. Even later still scripts these rc[1-6].d startup folders became deprecated yet are still used to some extent by legacy programs and now things are all managed with new commands.
To put it bluntly, it’s messy, non intuitive and definitely not as easy as it should be. There is hope however and getting a script or daemon to run “the right way” at startup isn’t too terribly daunting and I’ll walk you through the process now.
In our instance we need a program called splunkmysqlmonitor.py to run on boot. It takes one of 3 arguments, start, stop, restart, and is located in /opt/splunk/etc/apps/mysqlmonitor/bin/daemon/. It’s almost ready to run at startup but first we should look at the command we’re using to call splunkmysqlmonitor.py and that’s the chkconfig command.
The chkconfig command takes a script that’s located in /etc/init.d and creates all the necessary symlinks for it in the rc[1-6].d folders that tell the system what order to start all the services and which runlevels start which services. Runlevels are mostly deprecated in linux these days but just as an FYI, the runlevels you need to pay attention to are 2,3,4 and 5 and they are amost always identical. The only thing you really need to worry about is the order in the boot process that the scripts get started and and less so the order that the script gets shutdown when rebooted. For example, a program that relies on nfs to be on when running started necessarily needs to be run after the nfs command mounts the drives successfully. Numbers lower in the list start first and the list goes from 1 – 99. Since splunk is at priority 90 and this monitor needs to start after splunk I’ll give it a priority of 95. As for shutdown, this service should turn off quickly since it relies on other services to run and may spit out errors if these dependent services are turned off before it. I’ll give this shutdown a priority of 5 which means it’ll be one of the first processes to shutdown.
So now that we know when in the boot process the script should run and at (priority 95) which run levels it should run from (2,3,4,5) we just need to put this info into the system somehow. We do this by adding specially formatted comment lines into our script located in /etc/init.d. Here’s what our example looks like with the new comments added
#!/usr/bin/env python
# run level startup shutdown
# chkconfig: 2345 95 5
# description: monitors local mysql processes for splunk
# processname: splunkmysqlmonitor
#
import sys, time, os, socket...
Now we have to put the script into the /etc/init.d folder and that is best done with a symlink.
Now that we have Splunk generating reports and turning raw data into useful information, let’s use that information to trigger something to happen automatically such as sending an email alert.
In the prior posts a Splunk Forwarder was gathering information using a shell script and sending the results to the Splunk Receiver. To find those results we used this search string:
Using the timechart function of Splunk we extracted the MySQLCPU field to get its value 23.2 and put that into a graph for easier viewing.
Returning to view that graph every few minutes, hours or days can get tedious if nothing really changes or the data isn’t out of the ordinary. Ideally, Splunk would watch the data and alert us when something is out of the ordinary. That’s where alerts are useful.
For example, the graph above shows the highest spike in activity to be around 45% and we can assume that a spike at 65% would be unusual. We want to know about that before processor usage gets out of control.
Configuring Splunk for email alerts
Before Splunk can send email alerts it needs basic email server settings for outgoing mail (SMTP). Click the Manager link in the upper right corner and then click System Settings. Click on Email alert settings. Enter public or private outgoing mail server settings for Splunk. If using a public mail server such as Gmail then include a user name and password to authenticate to the server and select the option for either SSL or TLS. Be sure to append port number 465 for SSL or 587 for TLS to the mail server name.
In the same settings area Splunk includes some additional basic settings. Modify them as needed or just accept the defaults.
Click the Save button when done.
Refining the search
Next, select Search from the App menu. Let’s refine the search to find only those results that may be out of the ordinary. Our first search found all results for the MySQLCPU field but now we want to limit its results to anything at 65% or higher. The where function is our new friend.
hosts="TMI" source="/Applications/splunkforwarder/etc/apps/talkingmoose/bin/counters.sh" | where MySQLCPU >= 65
This takes the result from the Forwarder and pipes it into an operation that returns only values of the MySQLCPU field that are greater than or equal to “65″. The search results, we hope, are empty. To verify the search is working correctly, change the value temporarily from “65″ to something lower such as “30″ or “40″. The lower values should return multiple results.
On a side note but unrelated to our need, if we wanted an alert for a range of values an AND operator connecting two statements will limit the results to something between values:
hosts="TMI" source="/Applications/splunkforwarder/etc/apps/talkingmoose/bin/counters.sh" | where MySQLCPU >= 55 AND MySQLCPU <=65
Creating an alert
An alert will evaluate this search as frequently as Splunk receives new data and if it spots any results other than nothing then it can do something automatically.
With the search results in view (or lack of them), select Alert… from the Create drop down menu in the upper right corner. Name the search “MySQL CPU Usage Over 65%” or something that’s recognizable later. One drawback with Splunk is that it won’t allow renaming the search later. To do that requires editing more .conf files. Leave the Schedule at its default Trigger in real-time whenever a result matches. Click the Next button.
Enable Send email and enter one or more addresses to receive the alerts. Also, enable Throttling by selecting Suppress for results with the same field value and enter the MySQLCPU field name. Set the suppression time to five minutes, which is pretty aggressive. Remember, the script on the Forwarder server is sending new values every minute. Without throttling Splunk would send an alert every minute as well. This will allow an administrator to keep some sanity. Click the Next button.
Finally, select whether to keep the alert private or share it with other users on the Splunk system. This only applies to the Enterprise version of Splunk. Click the Finish button.
Splunk is now looking for new data to come from a Forwarder and as it receives that new data it’s going to evaluate it against the saved search. Any result other than no results found will trigger an email.
Note that alerts don’t need to just trigger emails. They can also run scripts. For example, an advanced Splunk search may look for multiple Java processes on a server running a Java-based application. If it found more than 20 spawned processes it could trigger a script to send a killall command to stop them before they consumed the server’s resources and then issue a start command to the application.
Getting Splunk running and monitoring common log formats, such as apache logs and system logs, is a pretty straightforward process. Some would even call it intuitive but setting up some of the optional plugins can be tricky the first time you set it up. The following is a quick and dirty guide to getting the MySQL monitor from remora up and running in your splunk instance.
This article assumes you have a splunk server as well as a separate database server running a splunk forwarder that is pushing logs to the main splunk server.
The first step is to prepare your splunk server for the incoming mysql stats. We’ll need to make a custom index (called mysql in our case) on both the server and the database host. See below:
Once that’s done we’ll also need to create a custom tcp listener on the splunk server. This is different from the standard listener that runs on port 9997. Go to the manager and then data inputs to create:
As you see we used port 9936 to be a listener that automatically imports into the mysql index. You’ll want to ensure that this port is reachable from your database server to ensure there are no firewalls blocking your connection. You can test this with a simple telnet command. If you see a prompt that says “Escape character is” then you’re good to go.
Once we have verified the listener is up and running the next step is to get the mysql monitor installed on all the machines. It’s easily available via the splunk marketplace. All you need is to create a username and password.
Once in the market place locate the Mysql monitor
And then restart splunk
Now that that’s installed we need to make sure all the dependencies for the mysql monitor are setup on the database servers that will be pushing data to the main splunk server.
To install on a debian based os use this command:
apt-get install python-mysqldb
For a redhat based os use this
yum install MySQL-python
Accept all the dependencies and assuming there were no issues you’re just about ready.
Next on the list is to make sure your splunk monitoring daemon can talk to the local mysql server. On the machine in our test, we only have mysql running on the internal ip and have to ensure that the mysql user splunk@172.16.154.141 can connect and has permission. You may need to run the following command to grant yourself permission.
grant all privileges on *.* to 'splunk'@'mysql_ip' identified by 'your-password';
To verify that splunk can access your tables use the following command
mysql -u splunk -h mysql_ip -p
Once you’ve got that down the last step is to configure the mysql monitor’s config.ini. Here’s the config.ini we used:
The Godfather of FileVault, Rich Trouton, has probably encrypted more Macs than you. It’s literally a safe bet, horrible pun intended. But even he hadn’t taken into account a particular method of institution-wide deployment of recovery keys: disk-based passwords.
As an exercise, imagine you have tier one techs that need to get into machines as part of their duties. They would rather not target-diskrecovery partition boot(thanks to Greg Neagle for clearing up confusion regarding how to apply that method) and slide a valuable certificate into place and whisper an incantation into its ear to operate on an un-booted volume, nor do they don’t want to reset someone’s password with a ‘license plate’ code, they just want to unlock a machine that doesn’t necessarily have your admin enabled for FV2 on it. Back in 10.7, before the csfde command line tool, the process of adding users was labor-intensive as well. Even in fdesetup times, you cannot specify multiple users without having their passwords and passing them in a unencrypted plist or stdin.
In this scenario, it’s less a ‘get out of jail free’ card for users that forget passwords, and more of a functional, day-to-day let-me-in secret knock. How do I get me one of those?
Enter the disk password. (Meaning like Enter the Dragon or Enter the Wu, not really ‘enter your disk password’, this is a webpage, not the actual pre-boot authentication screen.)
How did we get here? No advanced black magic, we just run diskutil cs(short for coreStorage, the name of the quacks-like-a-duck-so-call-it-a-duck logical volume manager built in to 10.7 Lion and later) with the convert and -passphrase options, pointing it at root. We could encrypt any accessible drive, but the changes to login are what we’re focusing on now.
The end result, once the process finishes and the machine reboots next, is this(un-customizable) icon appears at the login window:
Remember that this scenario is about ‘shave and a haircut, two bits’, not necessarily the institution-wide systems meant to securely manage recovery options. Why haven’t you(or the Godfather) heard of this having been implemented for institutions until now-ish? (Was he too busy meticulously grooming his links to anything a mac admin could possibly need to know, or composing the copious content to later link to? Say that three times fast!) (Yes, the disk password functionality has been around for a bit, but we’ve gotten a report of this being deployed, which prompted this post.) Well, there are two less attractive parts of this setup that systems like Cauliflower Vest and commercial solutions like Credant or Casper sidestep:
1. The password (for one or many hosts) needs to be sent TO a shell on the local workstations command line in some way, and rotating the password requires the previous one to be passed to stdin
2. It can be confusing at the pre-boot login window that there seems to be a user account called Disk Password visible
What’s the huge advantage over the other systems? Need to rotate the password? No decrypt/re-encrypt time! (Unlike the ‘license plate’ method.) Old passwords are properly ‘expired’! (Unlike the ‘Institutional Recovery Key’ method of using a certificate.) I hope this can be of use to the environments that may be looking for more ‘middle ground’ between complex systems and manual interaction. Usability is always a factor when discussing security products, so the additional method is a welcome one to consider the benefits of and, as always, test.
IT needs to have a way to access FileVault 2(just called FV2 from here on) encrypted volumes in the case of a forgotten password or just getting control over a machine we’re asked to support. Usually an institution will employ a key escrow system to manage FDE(Full Disk Encryption) when working at scale. One technique, employed by Google’s previously mentioned Cauliflower Vest, is based on the ‘personal’ recovery key(a format I’ll refer to as the ‘license plate’, since it looks like this: RZ89-A79X-PZ6M-LTW5-EEHL-45BY.) The other involves putting a certificate in place, and is documented in Apple’s white paper on the topic. That paper only goes into the technical details later in the appendix, and I thought I’d review some of the salient points briefly.
There are three layers to the FV2 cake, divided by the keys interacted with when unlocking the drive:
Derived Encryption Keys(plural), the Key Encrypting Key(from the department of redundancy department) and the Volume Encrypting Key. Let’s use a (well-worn) abstraction so your eyes don’t glaze over. There’s the guest list and party promoter(DEKs), the bouncer(KEK), and the key to the FV2 VIP lounge(VEK). User accounts on the system can get on the (DEK) guest list for eventual entry to the VIP, and the promoter may remove those folks with skinny jeans, ironic nerd glasses without lenses, or Ugg boots with those silly salt-stained, crumpled-looking heels from the guest list, since they have that authority.
The club owner has his name on the lease(the ‘license plate’ key or cert-based recovery), and the bouncer’s paycheck. Until drama pop off, and the cops raid the joint, and they call the ambulance and they burn the club down… and there’s a new lease and ownership and staff, the bouncer knows which side of his bread is buttered.
The bouncer is a simple lad. He gets the message when folks are removed from the guest list, but if you tell him there’s a new owner(cert or license plate), he’s still going to allow the old owner to sneak anybody into the VIP for bottle service like it’s your birthday, shorty. Sorry about the strained analogy, but I hope you get the spirit of the issue at hand.
The moral of the story is, there’s an expiration method(re-wrapping the KEK based on added/modified/removed DEKs) for the(in this case, user…) passphrase-based unlock. ONLY. The FilevaultMaster.keychain cert has a password you can change, but if access has been granted to a previous version with a known password, that combination will continue to work until the drive is decrypted and re-encrypted. And the license plate version can’t be regenerated or invalidated after initial encryption.
So the two institutional-scale methods previously mentioned still get through the bouncer unlock the drive until you tear the roof of the mofotear the club up de- and re-encrypt the volume.
But here’s an interesting point, there’s another type of DEK/passphrase-based unlock that can be expired/rotated besides per-user: a disk-based passphrase. I’ll get to describing that in Part Deux…
We all have our favorite epithets to invoke for certain software vendors and the practices they use. Some of our peers go downright apoplectic when speaking about those companies and the lack of advances we perceive in the name of manageable platforms. Not good, life is too short.
I wouldn’t have even imagined APC would be forgiving in this respect, they are quite obviously a hardware company. You may ask yourself, though, ‘is your refrigerator running’ is the software actually listening for a safe shutdown signal from the network card installed in the UPS? Complicating matters is:
- The reason we install this Network Shutdown software from APC on our server is to receive this signal over ethernet, not USB, so it’s not detected by Energy Saver like other, directly cabled models
- The shutdown notifier client doesn’t have a windowed process/menubar icon
- The process itself identifies as “Java” in Activity Monitor (just like… CrashPlan – although we can kindof guess which one is using 400+ MBs of virtual memory idle…)
Which sucks. (Seriously, it installs in /Users/Shared/Applications! And runs at boot with a StartupItem! In 2013! OMGWTFBBQ!)
Calm, calm, not to fear! ps sprinkled with awk to the rescue:
To explain the ps flags, first it allows for all users processes, prints in long format with more criteria, and the x is for even if they have no ‘controlling console.’ Then awk looks for both Java and the ‘Notifier’ jar name, minus our awk itself, and prints the relevant fields, highlighted below(trimmed and rewrapped for readability):
:./comp/pcns.jar:./comp/Notifier.jar:
com.apcc.m11.arch.application.Application
So at least we can tell that something is running, and appreciate the thoughtful development process APC followed, at least while we aren’t fashioning our own replacement with booster serial cables and middleware. Thanks to the googles and the overflown’ stacks for the proper flags to pass ps.
“One change happens and I need to redo the whole thing”
“I copy-paste the newest catalogs I see posted on the web, the formatting breaks, and I continually have to go back and check to make sure it’s the newest one”
These are the issues commonly experienced with those who want to take advantage of InstaDMG, and to some, it may be enough to prevent them from being rid of their Golden Master ways. Of course there are a few options to address each of these, in turn, but you may have noticed a theme on blog posts I’ve penned recently, and that is:
BETTER LIVING THROUGH AUTOMATION!
(We’ll get to how automation takes over shortly.) First, to review, a customized InstaDMG build commonly consists of a few parts: the user account, a function to answer the setup assistant steps, and the bootstrap parts for your patch and/or configuration management system. To take advantage of the(hopefully) well-QA’d vanilla catalogs, you can nest it in your custom catalog via an include-file line, and you only update your custom software parts listed above in one place. (And preferably you keep those projects and catalog under version control as well.)
All the concerns paraphrased at the start of this post just happen to be discussed recently on The Graham Gilbert Dot Com. Go there now, and hear what he has to say about it. Check out his other posts, I can wait.
Back? Cool. Now you may think those are all the answers you need. You’re mostly right, you smarty you! SSDs are not so out-of-reach for normal folk, and they really do help to speed the I/O bound process up, so there’s less cost to create and repeat builds in general. But then there’s the other manual interaction and regular repetition parts – how can we limit it to as little as possible? Yes, the InstaDMG robot’s going to do the heavy lifting for us by speedily building an image, and using version control on our catalogs help us track change over time, but what if Integrating the changes from the vanilla catalogs was Continuous? (Answers within!) Read the rest of this entry »
The latest Java 7 installer for OS X places a new control panel on the system, replacing the Java Preferences app. If you disable Java, the server console for FileMaker Server 12 will not open and no log entries are created.
If Java has previously been customized, you can resolve this issue by turning Java back on. There is a new System Preferences pane for Java 7. Click on the Java icon in System Preferences and unlike many software packages, a new Java Control Panel application opens.
At the new Java Control Panel application, make sure that “Enable Java content in the browser” is checked.
This is an important note to consider for FileMaker Server 12 administrators as Java 6 is reaching End Of Life next month, prompting many vendors to update their code in the recent past and not so distant future. Disabling java in Safari has no impact on using FileMaker Server.
In my last post about web-driven automation, we took on the creation of Apple IDs in a way that would require a credit card before actually letting you download apps(even free ones.) This is fine to speed up the creation process when actual billing will be applied to each account one at a time, but for education or training purposes where non-volume license purchases wouldn’t be a factor, there is the aforementioned ‘BatchAppleIDCreator‘ applescript. It hasn’t been updated recently, though, and I still had more automation tools I wanted to let have a crack at a repetitive workflow like this use case.
SikuliScript was born out of MIT research in screen reading, which roughly approximates what humans do as they scan the screen for a pattern and then take action. One can build a Sikuli script from scratch by taking screenshots and then tying together the actions you’d like to take in its IDE(which essentially renders HTML pages of the ‘code’.) You can integrate Python or Java, although it needs(system) Java and the Sikuli tools to be in place in the Applications folder to work at all. For Apple ID creation in iTunes, which is the documented way to create an ID with the “None” payment method, Apple endorses the steps in this knowledge base document.
When running, the script does a search for iBooks, clicks the “Free” button to trigger Apple ID login, clicks the Create Apple ID button, clicks through a splash screen, accepts the terms and conditions, and proceeds to type in information for you. It gets this info from a spreadsheet(ids.csv) that I adapted from the BatchAppleIDCreator project, but currently hard-codes just the security questions and answers. There is guidance in the first row on how to enter each field, and you must leave that instruction row in, although the NOT IMPLEMENTED section will not be used as of this first version.
It’s fastest to type selections and use the tab and/or arrow keys to navigate between the many fields in the two forms(first the ID selection/password/security question/birthdate options, then the users purchase information,) so I didn’t screenshot every question and make conditionals. It takes less than 45 seconds to do one Apple ID creation, and I made a 12 second timeout between each step in case of a slow network when running. It’s available on Github, please give us feedback with what you think.
PresStore by Archiware is a multi-platform data backup and archive solution. Rather than writing a GUI control panel application for each platform Archiware uses a web-based front end.
By default PresStore uses port 8000 for access:
http://localhost:8000
This is a common port number, though, for many applications such as Splunk, HTTP proxies, games and applications that communicate with remote server services. 8000 isn’t a special port—it’s just a common port.
If PresStore is installed on a UNIX-based server with another application also using port 8000, changing its port number to something else is as simple as renaming a file. This file is located in PresStore’s install directory and is called lexxserv:8000:
/usr/local/aw/conf/lexxserv:8000
A local administrator can change the name of this file using the mv command. Assuming he wants to change it to port 8001, he’d use:
At 318, we write a pretty good amount of content. We have 5 or so authors on staff, write tons of technical documentation for customers and develop a fair amount of courseware. These days, I edit almost as much as I write. And in doing so, I’ve picked up on some interesting trends in how people write, prompting me to write up some tips for the blossoming technical writer out there:
Define the goal. What do you want to say? The text on the back jacket of most of my books was written before I ever wrote an outline. Sometimes I update the text when I’m done with a book because the message can change slightly with technical writing as you realize some things you’d hoped to accomplish aren’t technically possible (or maybe not in the amount of time you need to use).
Make an outline. Before you sit down to write a single word, you should know a goal and have an outline that matches to that goal. The outline should be broken down in much the same way you’d lay out chapters and then sections within the chapter.
Keep your topics separate. A common trap is to point at other chapters too frequently. Technical writing does have a little bit of the find your own adventure aspect, but referencing other chapters is often overused.
Clearly differentiate between section orders within a chapter. Most every modern word processing tool (from WordPress to Word) provides the ability to have a Header or Heading 1 and a Header or Heading 2. Be careful not to confuse yourself. I like to take my outline and put it into my word processing program and then build out my headers from the very beginning. When I do so, I like for each section to have a verb and a subject that defines what we’re going to be doing. For example, I might have Header 1 as Install OS X, with Header 2 as Formatting Drives followed by Header 2 as Using the Recovery Partition followed by Header 3 of Installing the Operating System.
Keep your paragraphs and sentences structured. Beyond the headings structure, make sure that each sentence only has one thought (and that sentences aren’t running on and on and on). Also, make sure that each paragraph illustrates a sequence of thoughts. Structure is much more important with technical writing than with, let’s say, science fiction. Varying sentence structure can keep people awake.
Use good grammar. Bad grammar makes things hard to read and most importantly gets in the way of your message getting to your intended audience. Strunk and White’s Elements of Style is very useful if you hit a place where you’re not sure what to write. Grammar rules are a lot less stringent with online writing, such as a website. When it comes to purposefully breaking grammatical rules, I like to make an analogy with fashion. If you show up to a very formal company in $400 jeans, they don’t care that your jeans cost more than most of their slacks; they just get cranky you’re wearing jeans. Not everyone will pick up on purposeful grammatical lapses. Many will just judge you harshly. Especially if they hail from the midwest.
Define your audience. Are you writing for non-technical users trying to use a technical product? Are you writing for seasoned Unix veterans trying to get acquainted with a new version of Linux? Are you writing for hardened programmers? The more clearly you define the audience the easier it is to target a message to that audience. The wider the scope of the audience the more people are going to get lost, feel they’re reading content below their level, etc.
Know your style guide. According to who you are writing for, they probably have a style guide of some sort. This style guide will lay out how you write, specific grammar styles they want used, hopefully a template with styles pre-defined, etc. I’ve completed several writing gigs, only to discover I need to go back and reapply styles to the entire content. When you do that, something will always get missed…
Quoting is important when writing code. It’s also important to quote some text. If you have a button or text on a screen with one word that begins with a capped letter, you don’t need to quote that in most style guides. But if there’s only one word and any of the words use a non-capped letter or have a special character then the text should all be quoted. It’s also important to quote and attribute text from other locations. Each style guide does this differently.
Be active. No, I’m not saying you should run on a treadmill while trying to dictate the chapter of a book to Siri. Use an active voice. For example, don’t say “When installing an operating system on a Mac you should maybe consider using a computer that is capable of running that operating system.” Instead say something like “Check the hardware compatibility list for the operating system before installation.”
Be careful with pronouns. When I’m done writing a long document I’ll do a find for all instances of it (and a few other common pronouns) and look for places to replace with the correct noun.
Use examples. Examples help to explain an otherwise intangible idea. It’s easy to tell a reader they should enable alerts on a system, but much more impactful to show a reader how to receive an alert when a system exceeds 80 percent of disk capacity.
Use bullets or numbered lists. I love writing in numbered lists and bullets (as with these tips). Doing so allows an author to most succinctly go through steps and portray a lot of information that is easily digestible to the audience. Also, if one of your bullets ends with a period, they all must. And the tense of each must match.
Use tables. If bullets are awesome then tables are the coolest. You can impart a lot of information using tables. Each needs some text explaining what is in the table and a point that you’re usually trying to make by including the table.
Judiciously use screen shots. If there’s only one button in a screen shot then you probably don’t need the screen shot. If there are two buttons you still probably don’t need the screen shot. If there are 20 and it isn’t clear in the text which to use, you might want to show the screen. It’s easy to use too many or not enough screen shots. I find most of my editors have asked for more and more screens until we get to the point that we’re cutting actual content to fit within a certain page count window. But I usually have a good idea of what I want to be a screen shot and what I don’t want to be a screen shot from the minute I look at the outline for a given chapter. Each screen shot should usually be called out within your text.
Repetition is not a bad thing. This is one of those spots where I disagree with some of my editors from time to time. Editors will say “but you said that earlier” and I’ll say “it’s important.” Repetition can be a bad thing, if you’re just rehashing content, but if you intentionally repeat something to drive home a point then repetition isn’t always a bad thing. Note: I like to use notes/callouts when I repeat things.
White space is your friend. Margins, space between headers, kerning of fonts. Don’t pack too much crap into too little space or the reader won’t be able to see what you want them to see.
Proofread, proofread, proofread. And have someone else proofread your stuff.
Jargon, acronyms and abbreviations need to be explained. If you use APNS you only have to define it once, but it needs to be defined.
I keep having editors say “put some personality into it” but then they invariably edit out the personality. Not sure if this just means I have a crappy personality, but it brings up a point: while you may want to liven up text, don’t take away from the meaning by doing so.
Don’t reinvent the wheel. Today I was asked again to have an article from krypted included in a book. I never have a problem with contributing an article to a book, especially since I know how long it takes to write all this stuff. If I can save another author a few hours or days then they can push the envelope of their book that much further.
Technical writing is not a conversation. Commas are probably bad. The word um is definitely bad. Technical writing should not ramble but be somewhat formal. You can put some flourish in, but make sure the sentences and arguments are meaningful, as with a thesis.
Be accurate. Technical reviewers or technical editors help to make sure you’re accurate, but test everything. Code, steps, etc. Make sure that what you’re saying is correct up to the patch level and not just for a specific environment, like your company or school.
Use smooth transitions between chapters. This means a conclusion that at least introduces the next chapter in each. Don’t overdo the transitions or get into the weeds of explaining an entire topic again.
Real writers publish. If you write a 300 page document and no one ever sees it, did that document happen? If the document isn’t released in a timely manner then the content might be out of date before getting into a readers hands. I like to take my outline (step 2) and establish a budget (a week, 20 hours, or something like that).
Forwarding an email message is fairly simple but forwarding multiple messages can be inconvenient for either the sender or the receiver.
If the sender forwards multiple messages as attachments then the recipient receives one message with a variety of potentially unrelated information. This also makes sorting by subject or Date Sent impossible. If the recipient wants individual messages then the forwarder has no option but to send each message individually. This is time consuming.
Like most email clients for Mac OS X, Outlook for Mac can forward messages but it has a unique feature that makes automating forwarding individual messages easy without resorting to scripting—it can forward using a rule.
But Apple’s Mail, Thunderbird and practically any other email client for Mac has rules too! What makes Outlook different?
Outlook can run disabled rules individually. Both Mail and Thunderbird support creating rules and then disabling them so that they won’t be applied to incoming messages, however, for either to run a single rule manually it must run all rules whether they’re enabled or disabled. Running a long list of rules is potentially troublesome.
To configure a fule in Outlook:
Select Tools menu –> Rules… and select the type of email account using this rule (POP, IMAP or Exchange).
Click the + (plus) button to add a new rule.
Give the rule a descriptive name such as “Forward to <email address>”.
Set the rule to apply to All Messages.
Set the rule to Forward To <email address>.
Deselect the Enabled option. This prevents the rule from firing when new mail arrives.
To use this rule to forward multiple messages individually:
Select one or more messages in Outlook’s message list.
Right-click or Control-click anywhere within the selected messages.
Select Rules –> Apply –> Forward to <email address>.
The rule will run for each message and should take only a few seconds to run. The recipient will receive individually forwarded messages. Both sides save time.
Say you need a bunch of Apple IDs, and you need them pronto. There’s a form you can fill out, a bunch of questions floating in a window in some application, it can feel very… manual. A gentleman on the Enterprise iOS site entered, filling the void with an Applescript that could batch create ID’s with iTunes (and has seen updates thanks to Aaron Friemark.)
That bikeshed, though, was just not quite the color I was looking for. I decided to Fake it. Are we not Professional Computer Operators?
Before I go into the details, a different hypothetical use case: say you just migrated mail servers, and didn’t do quite enough archiving previously. Client-side moves may be impractical or resource-intensive. So you’d rather archive server-side, but can’t manipulate the mail server directly, and the webmail GUI is a touch cumbersome: are we relegated to ‘select all -> move -> choose folder -> confirm’ while our life-force drains away?
Fake is described as a tool for web automation and testing. It’s been around for a bit, but took an ‘Aha!’ moment while pondering these use cases for me to realize its power. What makes it genius is you don’t need to scour html source to find the id of the element you want to interact with! Control-drag to the element, specify what you want to do with it. (There are top-knotch videos describing these options on the website.) And it can loop. And delay(either globally or between tasks,) and the tasks can be grouped and disabled in sections and organized in a workflow and saved for later use. (Can you tell I’m a bit giddy about it?)
So that mail archive can loop away while you do dishes. Got to the end of a date range? Pause it, change the destination folder mid-loop, and keep it going. (There is a way to look at the elements and make a conditional when it reads a date stamp, but I didn’t get that crazy with it… yet.)
And now even verifying the email addresses used with the Apple ID can be automated! Blessed be the lazy sysadmin.
Any managed IT environment needs policies. One of the obvious ones is to refresh the hardware on some sort of schedule so that the tools people need are available and they aren’t hampered by running new software on old hardware. Commonly, security updates are available exclusively on the newest release of an operating system. Tablets are just the same, and education has been seeing as much of an influx of iOS devices as anywhere else.
Fraser Speirs has just gone through the process of evaluating replacements for iPads used in education, and discusses the criteria he’s come up with and his conclusions on his blog
While we don’t normally cover web development security basics, or find much to report when poking around in iOS apps, a great example of independent investigative tech journalism related to these topics broke late last week. On Nick Arnott(@noir‘s) blog Neglected Potential, he expands on a previous post involving how data is stored within an app(nice shout-out to a personal fave, PhoneView by Ecamm,) to talk about how it communicates with whatever services it may be hooked up to. Generally speaking, SSL and PKI don’t magically solve all our issues(as comically referred to here: This is 2012 and we’re still stitching together little microcomputers with HTTPS and ssh and calling it revolutionary,) and end users reflexively clicking ‘accept’ on self-signed cert warnings is the front lines of the convenience vs. security battle. No, you shouldn’t send auth in plaintext just ’cause it’s SSL. (Yes, you should be seeding any straggler self-signed certs on the devices in your purview so you don’t need to say ‘just for this ONE sites self-signed cert, please just click Continue’.) The fact that a banking users SSN number was being sent to the app on every communication was… surprising, and corrected immediately after the heightened interest resulting from the aforementioned blog post.
Security via public trust
After the publicity surrounding the post, however, folks were reassured by getting an immediate audience with the Director of Engineering at Simple, Brian Merritt(@btmerr.) Perhaps the flaw may have been considered too contrived a process for traditional(read: an email to their security team) channels at Simple to respond in a way that satisfied Mr. Arnott before he went ahead and published his post. “If only Jimmy had gone to the police,” the saying goes, “none of this would have happened” – please do note that while responsible disclosure was attempted, the issue is with PKI and not Simple itself, and updates were added to the post when clarifications were worth mentioning to present the facts in an even-handed manner. A key take-away is the fact that there is no live, zero-day exploit going on, just the relative ineffectiveness of PKI being exposed.
Although a process can enable the snooping of traffic, by default proxy’d SSL wouldn’t be allowed to start a session
But even more importantly, the fact that observing the traffic was even possible (thanks to CharlesProxy, also recently mentioned on @tvsutton‘s MacOps blog) highlights the ease with which basic internet security can be thwarted, and how much progress is left to be made. Of the improvements out there, Certificate Pinning is one of those ‘new to me’ concept enhancements regarding PKI, which luckily already has proposals in for review with the IETF. (An interesting contender from about a year ago is expounded on at the tack.io site.) There are quite a few variables involved that make intelligent discussion of the topic difficult for amateurs, but the take-away should be that you can inspect these things yourselves, as convoluted as it may be to get to the root cause of security issues. Hopefully we’ll have easier-to-deploy systems that’ll enable us to never ‘give up’ and use autosign again.
Thanks to Mr. Merritt, Michael Lynn and Jeff McCune for reviewing drafts of this post.
By default Splunk doesn’t delete the logging data that it’s gathered. Without taking some action to remove data it will continue to process all results from Day 1 if doing an All time search. That may be desirable in some cases where preserving and searching the data for historical purposes is necessary, but when using Splunk only as a monitoring tool the older data becomes superfluous after time.
Manually deleting information from Splunk is irreversible and doesn’t necessarily free disk space. Splunk users should only delete when they’ve verified their search results return the information they expect.
Enabling “can_delete”
No user can delete data until he’s been provided the can_delete role. Not even the admin account in the free version of Splunk has this capability enabled. To enable can_delete:
Click the Manager link and then click the Access Controls link in the Users and authentication section.
Click the Users link. If running the free version of Splunk then the admin account is the only account available. Click the admin link. Otherwise, consider creating a special account just for sensitive procedures, such as deleting data, and assigning the can_delete role only to that user.
For the admin account move the can_delete role from the Available roles to the Selected roles section.
Click the Save button to keep the changes.
Finding data
Before deleting data be sure that a search returns the exact data to be deleted. This is as simple as performing a regular search using the Time range drop down menu to the right of the Search field.
The Time range menu offers numerous choices for limiting results by time including Week to date, Year to date and Yesterday. In this case, let’s search for data from the Previous month:
Wait for the search to complete then verify the results returned at the results that need deleting.
Deleting data
Deleting the found data is as simple as performing a search and then piping it into a delete command:
This runs the search again, deleting found results on the fly, which is why searching first before deleting is important. Keep in mind that a “delete and search” routine takes as long or longer to run as the initial search and consumes processing power on the Splunk server. If deleting numerous records proceed with one search/delete at a time to avoid overtaxing the server.
In a recent Twitter conversation with other folks supporting Macs we discussed ways to programmatically deploy printers. Larger environments that have a management solution like JAMF Software’s Casper can take advantage of its ability to capture printer information and push to machines. Smaller environments, though, may only have Apple Remote Desktop or even nothing at all.
Because Mac OS X incorporates CUPS printing, administrators can utilize the lpadmin and lpoptions command line tools to programmatically configure new printers for users.
lpadmin
A basic command for configuring a new printer using lpadmin looks something like this:
-p = Printer name (queue name if sharing the printer)
-v = IP address or DNS name of the printer
-D = Description of the printer (appears in the Printers list)
-L = Location of the printer
-P = Path the the printer PPD file
-E = Enable this printer
The result of running this command in the Terminal application as an administrator looks like this:
lpoptions
Advanced printer models may have duplex options, multiple trays, additional memory or special features such as stapling or binding. Consult the printer’s guide or its built-in web page for a list of these installed printer features.
After installing a test printer, use the lpoptions command with the -l option in the Terminal to “list” the feature names from the printer:
lpoptions -p "salesbw" -l
The result is usually a long list of features that may look something like:
Each line is an option. The first line above displays the option for Tray 4 and shows the default setting is False. If the printer has the optional Tray 4 drawer installed then enable this option when running the lpadmin command by following it with:
-o HPOption_Tray4=True
Be sure to use the option name to the left of the slash not the friendly name with spaces after the slash.
To add the duplex option listed on the third line add:
-o HPOption_Duplexer=True
And to add the envelope feeder option listed on the fifth line add:
-o HPOption_Envelope_Feeder=True
Add as many options as necessary by stringing them together at the end of the lpadmin command:
So that mail archive can loop away while you do dishes. Got to the end of a date range? Pause it, change the destination folder mid-loop, and keep it going. (There is a way to look at the elements and make a conditional when it reads a date stamp, but I didn’t get that crazy with it… yet.)
