Archive for the ‘iPhone’ Category

We Love The AFP548 Podcast

Friday, March 7th, 2014

Casper Focus Now Available

Monday, April 29th, 2013

For a long time I’ve been saying that the #1 challenge with regard to using iOS is content distribution. Others have mirrored that by saying that the device is a content aggregator, etc. The challenge is keeping everyone on the same page, with the same content and distributing administration of all of that to those who need it.

Well, our friends at JAMF software are, as usual, right in the middle of resolving the more challenging issues of the day with regard to iOS and OS X. In this case they’ve released a new tool called Casper Focus that enables rudimentary administrative tasks by teachers.

[Image: annotated Casper Focus user interface]

Now, I don’t want anyone to take the word rudimentary to be a bad thing. You see, accessing and remotely controlling devices can be a big challenge. The learning curve can be steep. By only giving delegated administrators a few options that learning curve can be drastically reduced. Lock, enable, distribute data. These are the very basic tasks teachers need.

Overall, this is yet another great addition to the Casper family of products and 318 is excited to work with our customers to integrate Casper Focus into the environments for our customers where appropriate. Call your Professional Services Manager today for more information!

LOPSA-East 2013

Monday, March 18th, 2013

For the first year I’ll be speaking at the newly-rebranded League of Extraordinary Gentlemen League of Professional System Administrators conference in New Brunswick, New Jersey! It’s May 3rd and 4th, and should be a change from the Mac-heavy conferences we’ve been associated with as of late. I’ll be giving a training class, Intro to Mac and iOS Lifecycle Management, and a talk on Principled Patch Management with Munki. Registration is open now! Jersey is lovely that time of year, please consider attending!

LOPSA-East '13

If It’s Worth Doing, It’s Worth Doing At Least Three Times

Monday, January 14th, 2013

In my last post about web-driven automation, we took on the creation of Apple IDs in a way that would require a credit card before actually letting you download apps (even free ones). This is fine to speed up the creation process when actual billing will be applied to each account one at a time, but for education or training purposes where non-volume license purchases wouldn’t be a factor, there is the aforementioned ‘BatchAppleIDCreator’ AppleScript. It hasn’t been updated recently, though, and I still had more automation tools I wanted to let have a crack at a repetitive workflow like this use case.

SikuliScript was born out of MIT research in screen reading, which roughly approximates what humans do as they scan the screen for a pattern and then take action. One can build a Sikuli script from scratch by taking screenshots and then tying together the actions you’d like to take in its IDE (which essentially renders HTML pages of the ‘code’). You can integrate Python or Java, although it needs (system) Java and the Sikuli tools to be in place in the Applications folder to work at all. For Apple ID creation in iTunes, which is the documented way to create an ID with the “None” payment method, Apple endorses the steps in this knowledge base document.

Sikuli AutoAppleID Creator Project

When running, the script does a search for iBooks, clicks the “Free” button to trigger Apple ID login, clicks the Create Apple ID button, clicks through a splash screen, accepts the terms and conditions, and proceeds to type in information for you. It gets this info from a spreadsheet (ids.csv) that I adapted from the BatchAppleIDCreator project, but currently hard-codes just the security questions and answers. There is guidance in the first row on how to enter each field, and you must leave that instruction row in, although the NOT IMPLEMENTED section will not be used as of this first version.

It’s fastest to type selections and use the tab and/or arrow keys to navigate between the many fields in the two forms (first the ID selection/password/security question/birthdate options, then the user’s purchase information), so I didn’t screenshot every question and make conditionals. It takes less than 45 seconds to do one Apple ID creation, and I made a 12 second timeout between each step in case of a slow network when running. It’s available on Github, please give us feedback with what you think.

…’Til You Make It

Monday, January 7th, 2013

Say you need a bunch of Apple IDs, and you need them pronto. There’s a form you can fill out, a bunch of questions floating in a window in some application, it can feel very… manual. A gentleman on the Enterprise iOS site entered, filling the void with an AppleScript that could batch create IDs with iTunes (and has seen updates thanks to Aaron Friemark).

That bikeshed, though, was just not quite the color I was looking for. I decided to Fake it. Are we not Professional Computer Operators?

Before I go into the details, a different hypothetical use case: say you just migrated mail servers, and didn’t do quite enough archiving previously. Client-side moves may be impractical or resource-intensive. So you’d rather archive server-side, but can’t manipulate the mail server directly, and the webmail GUI is a touch cumbersome: are we relegated to ‘select all -> move -> choose folder -> confirm’ while our life-force drains away?

Fake is described as a tool for web automation and testing. It’s been around for a bit, but took an ‘Aha!’ moment while pondering these use cases for me to realize its power. What makes it genius is you don’t need to scour HTML source to find the id of the element you want to interact with! Control-drag to the element, specify what you want to do with it. (There are top-notch videos describing these options on the website.) And it can loop. And delay (either globally or between tasks), and the tasks can be grouped and disabled in sections and organized in a workflow and saved for later use. (Can you tell I’m a bit giddy about it?)

So that mail archive can loop away while you do dishes. Got to the end of a date range? Pause it, change the destination folder mid-loop, and keep it going. (There is a way to look at the elements and make a conditional when it reads a date stamp, but I didn’t get that crazy with it… yet.)

And now even verifying the email addresses used with the Apple ID can be automated! Blessed be the lazy sysadmin.

The State of Tablets in Schools

Thursday, January 3rd, 2013

Any managed IT environment needs policies. One of the obvious ones is to refresh the hardware on some sort of schedule so that the tools people need are available and they aren’t hampered by running new software on old hardware. Commonly, security updates are available exclusively on the newest release of an operating system. Tablets are just the same, and education has been seeing as much of an influx of iOS devices as anywhere else.

Fraser Speirs has just gone through the process of evaluating replacements for iPads used in education, and discusses the criteria he’s come up with and his conclusions on his blog.

iOS Backups Continued, and Configuration Profiles

Friday, December 14th, 2012

In our previous discussion of iOS Backups, the topic of configuration profiles being the ‘closest to the surface’ on a device was hinted at. What that means is, when Apple Configurator restores a backup, that’s the last thing to be applied to the device. For folks hoping to use Web Clips as a kind of app deployment, they need to realize that trying to restore a backup that has the web clip in a particular place doesn’t work – the backup that designates where icons on the home screen line up gets laid down before the web clip gets applied by the profile. It gets bumped to whichever would be the next home screen after the apps take their positions.

This makes a great segue into the topic of configuration profiles. Here’s a ‘secret’ hiding in plain sight: Apple Configurator can make profiles that work on 10.7+ Macs. (But please, don’t use it for that – see below.) iPCU possibly could generate usable ones as well, although one should consider the lack of full screen mode in the interface as a hint: it may not see much in the way of updates on the Mac from now on. iPCU is all you have in the way of an Apple-supported tool on Windows, though. (Protip: activate the iOS device before you try to put profiles on it – credit @bruienne for this reminder.)

Also thanks to @bruienne for the recommendation of the slick p4merge tool.

Now why would you avoid making, for example, a Wi-Fi configuration profile for use on a Mac with Apple Configurator? Well there’s one humongous difference between iOS and Macs: individual users. Managing devices with profiles shows Apple tipping their cards: they seem to be saying you should think of only one user per device, and if it’s important enough to manage at all, it should be an always enforced setting. The Profile Manager service in Lion and Mountain Lion Server has an extra twist, though: you can push out settings for Mac users or the devices they own. If you want to manage a setting across all users of a device, you can do so at the Device Group level, which generates more keys than are present in a profile generated by Apple Configurator. The end result is that a Configurator-generated profile will be user-specific, and fail with deployment methods that need to target the System. (Enlarge the above screenshot to see the differences – and yes, there’s a poorly obscured password in there. Bring it on, hax0rs!)

These are just more of the ‘potpourri’ type topics that we find time to share after being caught by peculiarities out in the field.

iOS and Backups

Wednesday, December 12th, 2012

If you’re like us, you’re a fan of our modern era, as we are (for the most part) better off than we previously were for managing iOS devices. One such example is bootstrapping, although we’re still a ways away from traditional ‘imaging’. You don’t need Xcode to update the OS in parallel, iPCU to generate configuration profiles, and iTunes for restoring backups anymore. Nowadays in our Apple Configurator world, you don’t interact with iTunes much at all (although it needs to be present for assisting in loading apps and takes a part in activation.)

So what are backups like now, what are the differences between a restore from, say, iCloud versus Apple Configurator? Well, as it was under the previous administration, iTunes has all our stuff, practically our entire base belongs to it. It knows about our Apple ID, it has the ‘firmware’ or OS itself cached, we can rearrange icons with our pointing human interface device… good times. Backups with iTunes are pretty close to imaging, as an IT admin would possibly define it. The new kids on the block (iCloud, Apple Configurator), however, have a different approach.

iOS devices maintain a heavily structured and segmented environment. Configuration profiles are bolted on top (more on this in a future episode), ‘Userspace’ and many settings are closer to the surface, apps live further down towards the core, and the OS is the nougat-y center. Apple Configurator interacts with all these modularly, and backups take the stage after the OS and apps have been laid down. This means if your backup includes apps that Apple Configurator did not provide for you… the apps (and their corresponding sandboxed data) are no longer with us; the backup it makes cannot restore the apps or their placement on the home screen.

iCloud therefore stands head and shoulders above the rest (even if iTunes might be faster). It’s proven to be a reliable repository of backups, while managing a cornucopia of other data – mail, contacts, calendars, etc. It’s a pretty sweet deal that all you need is to plug in to power for a backup to kick off, which makes testing devices by wiping them just about as easy as it can get. (Assuming the apps have the right iCloud-compatibility, so the saved games and other sandbox data can be backed up…) Could it be better? Of course. What’s your radar for restoring a single app? (At this point, that can be accomplished with iTunes and manual interaction only.) How about more control over frequency/retention? Never satisfied, these IT folk.

Connect Casper to Active Directory

Wednesday, November 14th, 2012

Integrating any system into Active Directory can seem like a daunting task, especially for someone who’s not an AD administrator or doesn’t even have access to the directory service. JAMF Software has supported connecting Casper to AD for several versions of its product and has refined the connection process to be simple enough for someone with little or no AD experience to complete.

Connecting Casper to AD allows it to take advantage of existing user and group accounts, eliminating the tedium of creating them manually, and the user himself has one less password to remember. When his password changes the new password works immediately in Casper. Likewise, when a user’s account expires or is disabled then access to Casper ceases.

Gather the following information for the connection process:

  • Service account. This should be an AD account dedicated for Casper to use to authenticate to AD. It should be set not to expire and not to require changing at first login. This requires both the account name and its AD password.
  • The name of an AD Domain Controller (same as a Windows Global Catalog server, which assumes the role of an LDAP server).
  • The name of the organization’s NetBIOS domain.
  • The login names for any two user accounts in AD. Passwords aren’t required; these are used for testing lookups only.
  • The names for any two security groups in AD that include one or both test user accounts. These are used for testing lookups only. (Domain Users and Domain Admins are two common security groups.)

To connect Casper to AD do the following:

  1. Log in to the JAMF Software Server (JSS) for Casper using a local user account.
  2. Navigate to Settings tab –> LDAP Server Connections. Click on the Add LDAP Server Connection button. This begins a process that verifies the service account’s credentials and creates the user and group mappings between Casper and AD.
    New LDAP Server Connection button
  3. Select Active Directory as the LDAP server type and click the Continue button.
    LDAP server connection type
  4. For Host name enter the fully qualified domain name or IP address of the Domain Controller.
  5. For AD Domain enter the Windows NetBIOS domain name. Click the Continue button.
    Domain information
  6. Enter the name of the service account and its password that the JSS will use to authenticate and connect to AD. Click the Continue button.
    Service account
  7. If the Enter Test Accounts page appears then AD has accepted the service account’s credentials. Now, enter the account names of two AD users. These can be your own and a co-worker’s account. For the best results pick two users who are in very different parts of the organization. Click the Continue button.
    Test accounts
  8. The Verify Attribute Mappings page should display information about each user the JSS found in AD. Mappings are the pairing of attributes and values for an object in AD. In this case, verify the Username shown is actually the user’s short account name, verify Real Name shows the user’s first and last name, verify that Email displays the correct email address for each user, etc.
    New mappings
  9. Some fields may not be populated. That’s typically because the AD information is incomplete. If either user has information for a field but not the other then verify that information is correct or at least in the correct format.
  10. Casper may have wrongly mapped an attribute. For example, the telephoneNumber attribute may actually be phone in AD. To change the mapping click the edit button (ellipsis) to the right of the mapping and review the LDAP Attributes to see if another one is more suitable. Changing the attribute immediately changes the values for each user to help quickly identify better choices. Click the Return to Verify Mappings button when done.
    Edit mappings
  11. The new mappings appear in the list. Click the Continue button.
    New mappings
  12. Enter the two domain security groups and verify whether the test users are members. They may be members of one, both or none. Click the Continue button.
    Verify groups
  13. Finally, click the Save button to save the settings.
    Complete

Now, when adding new users to Casper, the JSS can pull the user information from AD.

  1. Navigate to Settings tab –> Accounts. Click on the Add Account from LDAP button.
    New Account button
  2. Enter the name of an AD user who should have privileges in the JSS. Click the Next button.
    Add User from LDAP Account
  3. If the lookup returns more than one result then locate the correct result and click the Add… link to the right.
    Result
  4. Grant the necessary privileges to the JSS and click the Save button.

At this point the newly added user should be able to log in to the JSS using his AD credentials. The JSS will also use the AD information for email alerts and other functions.

If the LDAP connection is ever deleted then existing LDAP user accounts will fail to work, even if the LDAP connection is recreated. Re-enabling users to log in will require adding their accounts and privileges again under the new LDAP connection.

Video On Setting Up File Sharing In Lion Server

Friday, May 11th, 2012

Video on Setting Up Profile Manager in Lion Server

Wednesday, May 9th, 2012

Emailing A File To Box.net

Wednesday, April 18th, 2012

Box.net has a number of features that can be used for workflow automation. One such feature is the ability to have an email address that is tied to a folder. Most services support the ability for that email address to be used to inform users of updates to directories. However, a somewhat unique feature is that Box.net has the ability to assign an email address to the folder so that any time you send mail to the folder, that file is added to the folder. For example, I scan a contract and email it to a vendor, I can also bcc a box.net folder called contracts and the contract will appear in the folder.

To setup an email address for a folder, open Box.net and click on a folder that you’d like to get an email address assigned to. Then click on the disclosure triangle on the right side of the screen for Folder Options and click on Email Options.

At the Email Options tab of the Folder Properties overlay screen, check the box for Allow uploads to this folder via email. Here, you can also use the Only allow uploads from collaborators in this folder checkbox to restrict who is able to email files to the folder.

While emailing files to get them into a folder isn’t for everyone, it is a great new take on a dropbox type of folder. You can also then sync these folders with folders in Mac OS X and Windows. This type of functionality is also a great way to do student submissions of coursework, file-based workflows for iOS and various automated workflows based on emails.

Installing and Configuring Active Directory Certificate Services

Wednesday, March 21st, 2012

This guide assumes that you have a Windows Server 2008 R2 installation on a physical or virtual machine, and that the system is a domain controller of an Active Directory domain:

  1. Open Server Manager.
  2. Click on Roles in the tree on the left, then click Add Roles.
  3. Choose Next to start the wizard.
  4. Then enable the checkbox for Active Directory Certificate Services.
  5. Choose Next to start the AD CS role configuration.
  6. Click on “Add Required Role Services” to install IIS and the related tools needed.
  7. Enable the checkbox for “Certification Authority Web Enrollment” and click Next.
  8. Choose “Enterprise” and click Next.
  9. Choose “Root CA” and click Next.
  10. Choose “Create a new private key”.
  11. Leave the default values for Configure Cryptography for CA and click Next.
  12. Ensure that you have the proper values for Configure CA Name for your environment and click Next. The default values will usually be right.
  13. Click Next to accept the default validity period of 5 years.
  14. Configure the locations of the database and logs if needed for your environment and click Next.
  15. You will now be prompted to configure IIS.
  16. Make changes if needed, but be sure to leave Windows Authentication enabled, as it is required for Web Enrollment.
  17. After the role configuration is complete, run IIS Manager from Administrative Tools.
  18. From the tree on the left, navigate to the Default Web Site.
  19. Right-click Default Web Site and choose Bindings.
  20. Click the Add… button.
  21. Change the type to https, choose the SSL certificate that matches the server’s FQDN, and click OK.

Hiding Exchange Mailboxes from the Global Address List

Wednesday, February 29th, 2012

By default, users in Exchange 2010 appear in the Global Address List (aka GAL), or are available for lookup by users within the Exchange organization. You can suppress these so that you create a mailbox that is not seen by any old user. You might want to do this so that a sales, info or other generic externally facing mailboxes aren’t used by your internal users.

In order to hide a user from the Exchange Global Address List, open the Exchange Management Console and click on the Organization Configuration node. Click on Mailbox to bring up a list of mailboxes for the forest and then double-click on a mailbox you’d like to hide from the Global Address List. Next, click on the General tab and you will see a checkbox for Hide from Exchange address lists. Check that box and click on Apply to suppress the account from the Global Address List.

Building a Mac and iOS App Store Software Update Service

Wednesday, November 9th, 2011

Let’s say you run a network with a large number of Mac OS X or iOS (or, more likely, both) devices. Software Update and the two App Stores (Mac App Store and iOS App Store) make keeping all those devices up-to-date a pretty straightforward process. They are a huge improvement compared with the rather old-fashioned practice of looking through applications, visiting the web site for each one and manually downloading updated versions. When updating two or more similar machines, of course, one only needed to download the updated version once, then copy it to each other machine. Better, but a process that when performed across a lot of machines requires a lot of work.

However, even though the App Store and Software Update Server in Mac OS X Server make things easier, there’s no simple way to download things once and distribute the downloaded files to multiple machines for items purchased on the App Store. When large updates come out (such as a new version of iOS), you’re essentially downloading huge amounts of data to each and every machine, and if machines are set to automatically download updates, you could even have a large number of them downloading simultaneously.

Of course you can run your own Software Update service in Mac OS X Server, but this requires that every client machine be configured to use the local server. This works well for machines under your control, but for all those people who bring in their own laptops this doesn’t help.

What’s worse is that there’s currently no way whatsoever to run a Software Update-like service for App Store purchases. Imagine if you have a lab of dozens or hundreds of Macs with Final Cut X or iPads (or iPhones, iPod Touches, whatever comes out next with iMovie or ). Any time there’s an update you’re potentially downloading over a gigabyte per machine in the case of Final Cut X or 70 megabytes or so in the case of iMovie. That can easily add up to a tremendous amount of traffic and the congestion, complaints and headaches which go with it.

What’s needed is an easy way to cache App Store downloads. While we’re at it, it would also be nice to transparently have machines use our own Software Update server. Let’s be even a little more ambitious and do this without needing Mac OS X Server. Aw, heck – let’s make it work on any reasonably Unix-like OS.

So how do we do this? The App Stores and Software Update services use http for fetching files. So what we need to do is to capture those http requests and either redirect them to a local store of Software Update files or locally cached App Store files.

Just as an aside, it’d be tremendously difficult to create a local store of App Store files if for no other reason than the fact that there are currently more than half a million applications. Add to this the rate at which updates become available and your machine would probably never be finished attempting to download all of the applications! Considering this, we’re looking at running Apache and squid on our Unix-like machine and doing a little redirection magic on whatever device does NAT or routes for us.

Note: There’s no reason that the same machine can’t do both NAT/routing and Apache/squid, although in most environments we are assuming that the machine would simply be a proxy for Mac or iOS-based devices. To make this example end-to-end though, we’ll run the router on the host.

Our example uses a Mac OS X (non-Server) machine running Leopard which is doing both NAT and running our Apache and squid software. We’re simply using the Internet Sharing service, the public network interface is en0 (which we don’t use anywhere) and the interface which will serve our iOS and Apple clients is en1 and has the address 10.0.2.1.

Everyone has their own favorite way of installing software on Unix-like OSes and a discussion about which is best and why would certainly be outside the scope of this article. In these examples we’re using NetBSD’s pkgsrc for no other reason than the fact that it will compile packages from source with a base directory which is easily configurable (feel free to use ports or some other automated tool according to what platform you are using). Get pkgsrc (usually via cvs; we’ll assume it’s put into /usr), which can be as simple as:

cd /usr ; setenv CVSROOT :pserver:anoncvs@anoncvs.netbsd.org:/cvsroot ; cvs checkout -P pkgsrc

And then run /usr/pkgsrc/bootstrap/bootstrap like so:

cd /usr/pkgsrc/bootstrap/
./bootstrap --prefix /usr/local --pkgdbdir /usr/local/var/db/pkg --sysconfdir /usr/local/etc --varbase /usr/local/var --ignore-case-check

This puts all files into /usr/local including logs and configuration files, so keeping your system clean is simple and keeping track of the differences between built-in and pkgsrc software is easy. Next, install pkgsrc’s www/squid and www/apache (and net/wget if your Unix doesn’t already have it):

cd /usr/pkgsrc/www/squid
bmake update
cd /usr/pkgsrc/www/apache22
bmake update
cd /usr/pkgsrc/net/wget
bmake update

Note that on systems like Mac OS X which come with GNU make by default, pkgsrc uses bmake; if you have BSD make already, just use make. Another note is that /usr/local/sbin is not in Mac OS X’s path by default, so add /usr/local/sbin to /etc/paths if you’re going to use it.

Now that the software is installed in consistent locations we can configure it. The squid.conf file only needs one line to be changed; everything else is added. Find the line which says:

http_port 3128

And change it to:

http_port 3128 intercept

Then add the following lines:

maximum_object_size_in_memory 4096 KB
cache_replacement_policy heap LFUDA
cache_dir ufs /usr/local/var/squid/cache 16384 16 256
maximum_object_size 2097152 KB
# The dot is escaped so only a literal ".ipa"/".pkg" suffix matches (an unescaped "." matches any character)
refresh_pattern -i \.ipa$ 360 90% 10800 override-expire ignore-no-cache ignore-no-store ignore-private ignore-reload ignore-must-revalidate
refresh_pattern -i \.pkg$ 360 90% 10080 override-expire ignore-no-cache ignore-no-store ignore-private ignore-reload ignore-must-revalidate
acl no_cache_local dstdomain 10.0.2.1
cache deny no_cache_local
redirect_program /usr/local/bin/rewrite.pl

These settings are chosen to cache large files up to 2 gigabytes in size in a 16 gig cache on disk and to ignore cache directives with regard to .pkg and .ipa files. Adjust to your own liking. Of course, replace 10.0.2.1 with the private IP of your machine. The cache deny with that address is used to make sure that redirected Software Update files are not cached in squid, which would just take up room that would be better used for App Store files.

The URL rewriting script (create /usr/local/bin/rewrite.pl) just changes Apple Software Update URLs to point to our server:

#!/usr/bin/env perl
# squid redirector: reads one request per line ("URL client/fqdn ident method"),
# rewrites the Apple Software Update hosts to the local Apache vhost and echoes the line.
use strict;
use warnings;
$| = 1;    # unbuffered output; squid waits for each reply line
while (<>) {
    s@^http://swscan\.apple\.com@http://10.0.2.1/swscan.apple.com@;
    s@^http://swcdn\.apple\.com@http://10.0.2.1/swcdn.apple.com@;
    s@^http://swquery\.apple\.com@http://10.0.2.1/swquery.apple.com@;
    print;
}
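The following Python script is an added example (not code from the original article) that simulates what squid does with a request once the squid.conf settings and rewrite.pl above are in place: the redirector exchange, which hosts get sent to the local Apache mirror, and which objects squid itself keeps. The private address 10.0.2.1 and the three Apple hosts come from the article; the App Store CDN host name and client addresses in the sample requests are constructed. The suffix check escapes the dot so that only a literal .ipa or .pkg extension matches; an unescaped `.ipa$` in a refresh_pattern would also match a name such as `xipa`.

```python
import re

LOCAL_HOST = "10.0.2.1"   # private IP of the squid/Apache host in the article
MIRRORED_HOSTS = ("swscan.apple.com", "swcdn.apple.com", "swquery.apple.com")

# Suffix test the two refresh_pattern lines express: case-insensitive (-i) and with the
# dot escaped so that only a real ".ipa"/".pkg" extension matches.
FORCED_SUFFIX = re.compile(r"\.(ipa|pkg)$", re.IGNORECASE)

# Constructed redirector input lines (classic squid format: URL client/fqdn ident method).
# The appstore-cdn host is a made-up stand-in for an App Store download host.
SAMPLE_REQUESTS = [
    "http://swscan.apple.com/content/catalogs/others/index-lion-snowleopard-leopard.merged-1.sucatalog 10.0.2.20/- - GET",
    "http://swcdn.apple.com/content/downloads/00/00/zzz000/ExampleUpdate.pkg 10.0.2.21/- - GET",
    "http://appstore-cdn.example.net/us/r1000/000/Example/app.ipa 10.0.2.22/- - GET",
    "http://www.example.com/index.html 10.0.2.23/- - GET",
]


def rewrite_url(url):
    """Same effect as rewrite.pl for well-formed URLs: the three Software Update hosts
    are moved under http://<LOCAL_HOST>/<host>/..., every other URL is left untouched.
    (Stricter than the Perl substitution: the host must end at a '/' boundary.)"""
    for host in MIRRORED_HOSTS:
        prefix = "http://" + host
        if url.startswith(prefix + "/") or url == prefix:
            return "http://" + LOCAL_HOST + "/" + host + url[len(prefix):]
    return url


def redirector_line(line):
    """One request/reply of the redirector protocol: the URL is the first field, the
    remaining fields are echoed back unchanged. An empty input yields an empty reply."""
    fields = line.strip().split()
    if not fields:
        return ""
    fields[0] = rewrite_url(fields[0])
    return " ".join(fields)


def caching_decision(url):
    """Return (final_url, what the squid.conf snippet does with the object)."""
    final = rewrite_url(url)
    host = final.split("/", 3)[2]
    if host == LOCAL_HOST:
        # 'acl no_cache_local dstdomain 10.0.2.1' + 'cache deny no_cache_local':
        # Apache serves the mirrored file, squid does not store a second copy.
        return final, "served by Apache from the mirror, not stored by squid"
    path = final.split("?", 1)[0]
    if FORCED_SUFFIX.search(path):
        # refresh_pattern ... override-expire ignore-no-cache ignore-no-store ...:
        # kept for the configured lifetime regardless of the origin's cache headers.
        return final, "cached by squid, origin cache headers overridden"
    return final, "cached by squid under its default rules"


def run_sample():
    """Decisions for every constructed request, in order."""
    return [caching_decision(line.split()[0]) for line in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(redirector_line(line))
        print("    ->", caching_decision(line.split()[0])[1])
```

Run it directly to see each sample request as the redirector would answer it, followed by the caching outcome; the script is also importable so the decision functions can be exercised against your own URLs before touching a live proxy.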

Next we configure Apache. The location you choose for the Software Update files can be anywhere (in our example, they’re on a FireWire attached drive mounted at /Volumes/sw_updates/) which needs to be allowed in the Apache configuration.

Add to /usr/local/etc/httpd/httpd.conf:

<Directory "/Volumes/sw_updates/">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<VirtualHost *:80>
ServerAdmin hostmaster@318.com
DocumentRoot "/Volumes/sw_updates"
ErrorLog "/usr/local/var/log/httpd/swupdate_error_log"
CustomLog "/usr/local/var/log/httpd/swupdate_access_log" common
</VirtualHost>

The log lines are purely optional. If you don’t add them, logs will still be written at /usr/local/var/log/httpd/access_log and error_log.

Next, we configure ipfw (in the case of Mac OS X or FreeBSD) to redirect all port 80 traffic transparently to our squid instance. If you’re using a different device for NAT/routing or different firewalling software such as ipfilter, see the examples listed below.

ipfw add 333 fwd 10.0.2.1,3128 tcp from any to any 80 recv en1

Note that on Snow Leopard and Lion you’ll need to make this change, too:

sysctl -w net.inet.ip.scopedroute=0

ipfilter would look like this for the same ipfw task from above (if you’re using Linux):

rdr en1 0.0.0.0/0 port 80 -> 10.0.2.1 port 3128 tcp

Again, the local private IP is 10.0.2.1 and the local private interface is en1; substitute your IP and interface.

Finally, we need to mirror all Apple Software Updates. A simple shell script can do this. Save this file somewhere (named mirror_swupdate.sh, for instance) and run it from cron now and then, perhaps once a night:

#!/bin/sh
# Mirror the Apple Software Update catalogs and every package they reference
# into the directory given as the first argument (the Apache DocumentRoot).

location="$1" # This is the root of our Software Update tree
if [ -z "$location" ]; then
    echo "usage: $0 /path/to/sw_updates" >&2
    exit 1
fi
mkdir -p "$location"
cd "$location" || exit 1

for index in index-leopard-snowleopard.merged-1.sucatalog index-leopard.merged-1.sucatalog index-lion-snowleopard-leopard.merged-1.sucatalog
do
    wget --mirror "http://swscan.apple.com/content/catalogs/others/$index"

    # Pull every http:// URL out of the catalog (an XML plist) and mirror it too
    for swfile in `grep "http://" "swscan.apple.com/content/catalogs/others/$index" | awk -F">" '{ print $2 }' | awk -F"<" '{ print $1 }'`
    do
        echo "$swfile"
        wget --mirror "$swfile"
    done
done

Invoke this with the top of the tree of your Software Update files as you’ve used in the Apache config, like so:

./mirror_swupdate.sh /Volumes/sw_updates

Expect this to run for a long time the first time you run this because you’ll be downloading around 60 gigabytes of updates. Every time it runs afterwards, though, files won’t be downloaded again unless they change (which they won’t; new updates will show up as new files).
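As an added example (not code from the article), the Python script below parses a constructed catalog in the .sucatalog layout, which is an XML property list, with plistlib instead of grep and awk, and then checks the property the whole setup depends on: the path that `wget --mirror` writes under /Volumes/sw_updates must be exactly the path Apache serves for the URL rewrite.pl produces. The DocumentRoot, the private IP 10.0.2.1 and the three Apple hosts are taken from the article; the product name and URLs in the sample catalog are made up.

```python
import plistlib
from urllib.parse import urlparse

LOCAL_HOST = "10.0.2.1"                 # the article's private IP for the Apache/squid host
DOCUMENT_ROOT = "/Volumes/sw_updates"   # DocumentRoot of the Apache vhost in the article
MIRRORED_HOSTS = ("swscan.apple.com", "swcdn.apple.com", "swquery.apple.com")

# Constructed sample in the .sucatalog layout (an XML property list whose Products
# entries carry package, metadata and distribution URLs). Not a real Apple catalog.
SAMPLE_CATALOG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CatalogVersion</key><integer>2</integer>
  <key>Products</key>
  <dict>
    <key>zzz000-Example</key>
    <dict>
      <key>ServerMetadataURL</key>
      <string>http://swcdn.apple.com/content/downloads/00/00/zzz000/ExampleUpdate.smd</string>
      <key>Packages</key>
      <array>
        <dict>
          <key>URL</key>
          <string>http://swcdn.apple.com/content/downloads/00/00/zzz000/ExampleUpdate.pkg</string>
          <key>Size</key><integer>123456</integer>
        </dict>
      </array>
      <key>Distributions</key>
      <dict>
        <key>English</key>
        <string>http://swscan.apple.com/content/downloads/00/00/zzz000/ExampleUpdate.English.dist</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def _strings(node):
    """Yield every string value in a parsed plist, recursing into dicts and arrays."""
    if isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)
    elif isinstance(node, str):
        yield node


def extract_urls(catalog_bytes):
    """All http:// URLs a catalog references, deduplicated and sorted. This is the same
    selection the grep/awk pipeline in the mirror script makes, done on the parsed plist."""
    return sorted({s for s in _strings(plistlib.loads(catalog_bytes)) if s.startswith("http://")})


def mirror_path(url, root):
    """Where 'wget --mirror <url>' run inside <root> stores the file: <root>/<host>/<path>.
    Query strings are not handled here (the sample catalog has none)."""
    parsed = urlparse(url)
    return root.rstrip("/") + "/" + parsed.netloc + parsed.path


def served_url(url):
    """The URL squid hands back after rewrite.pl: Software Update hosts are moved under
    http://<LOCAL_HOST>/<host>/..., anything else is returned unchanged."""
    parsed = urlparse(url)
    if parsed.netloc in MIRRORED_HOSTS:
        return "http://%s/%s%s" % (LOCAL_HOST, parsed.netloc, parsed.path)
    return url


def mirror_consistent(url, root=DOCUMENT_ROOT):
    """True when the file Apache would serve for the rewritten URL is the file the mirror
    script downloaded, i.e. DocumentRoot + rewritten path == wget's on-disk path."""
    rewritten = urlparse(served_url(url))
    if rewritten.netloc != LOCAL_HOST:
        return False   # not redirected to us: squid fetches it from the origin instead
    return root.rstrip("/") + rewritten.path == mirror_path(url, root)


if __name__ == "__main__":
    for u in extract_urls(SAMPLE_CATALOG):
        state = "ok" if mirror_consistent(u) else "MISMATCH"
        print(u, "->", mirror_path(u, DOCUMENT_ROOT), state)
```

The check in `mirror_consistent` is the one to run after changing either the Apache DocumentRoot or the rewrite script: if the two ever disagree, clients get 404s from the local vhost rather than silently falling back to Apple.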

Start squid and Apache, then tail your Apache log and run Software Update to test:

/usr/local/share/examples/rc.d/apache start
/usr/local/share/examples/rc.d/squid start
tail -f /usr/local/var/log/httpd/swupdate_access_log

At this point, you can redirect your software updates to the host. Updates for both the Mac App Store and iOS are also now cached. In the next article we’ll look at using some squid extensions to enable you to block applications from the App Stores or block updates in the event that an update is problematic.

Sandbox in Mac OS X Lion and Apple’s App Store Submissions

Monday, November 7th, 2011

Note: For more information about the topics covered in this article, contact us for a professional consultation.

In our previous tech journal article, we touched on the history of sandboxing, from its evolution out of the POSIX model to the more granular controls provided by the ACL model, and how both derive from a concept called Discretionary Access Control. For that discussion, please check out our previous article “A brief introduction to Mac OS X SandBox Technology.”

New Sandboxing & Privilege Separation in Lion

This article will attempt to clarify and explain the changes in Lion and iOS sandboxing and the upcoming change in requirements for App Store submissions. Apple has decreed that all applications submitted to the App Store MUST be sandboxed. Originally the deadline was November 2011, but it has recently been moved back to March 1, 2012.

iOS sandboxing has been in place for a while now. iOS applications can only see their own data and documents, cannot alter your device’s underlying settings, and generally appear to be isolated from other apps on your iOS device. Apple has brought this methodology to Macs with 10.7 Lion.

Compared to previous Mac OS security models, Lion has made leaps and bounds in terms of sandbox security, with Apple finally promoting the technology for use by third-party developers. The two ways Apple has increased security are Sandboxing and Privilege Separation. Sandboxing refers to the process whereby a developer specifies a list of expected operations an application will perform, while Privilege Separation refers to splitting an application or daemon into more granular pieces, each of which is only given rights to its particular task. Every sandboxed application must include a set of “entitlements,” a list of the resources the application needs to perform its tasks. Lion has around 30 entitlements, ranging from low-level operations (e.g. creating or listening for network connections) to higher-level operations (e.g. printing or accessing the camera).

Application Sandboxing

App Sandboxing can help prevent flaws or oversights in programming from becoming security threats via privilege escalation. By specifying a set of entitlements, a developer tells the OS which operations are allowed and expected. This way, if a user process tries to perform a task it is not entitled to, the OS will not allow the task. This makes executing arbitrary code from a problem like a buffer overflow much less likely. Listing entitlements also lets the system know to create a container directory for the application and to run it inside a sandbox configured for that particular application. If a developer creates an internet browser application and does not grant it entitlements to the camera and microphone, a website with malicious code trying to access the camera would be thwarted by the OS.

The container directory is where your sandboxed application can read and write its private files and data, including preferences, autosave information and other data needed by the application itself. The sandboxed application is prevented from accessing data and files outside the sandbox, with a few exceptions such as the system’s Open and Save dialog boxes, which require explicit user intervention to work outside the sandbox. Upon first launch, the OS creates a container directory in ~/Library/Containers with the application’s bundle identifier as the directory name (e.g. com.apple.TextEdit).

Sandboxing an application is not a replacement for good coding practices or testing. Indeed, sandboxing will actually increase the testing burden, as each entitlement will need to be verified and tested, but it provides a valuable line of defense against unanticipated malware or other nefarious activity.

App Store Sandboxing

While we are not privy to behind-the-scenes discussions at Apple, the benefits of requiring application sandboxing for App Store submissions are fairly intuitive. By requiring sandboxing, Apple will simplify its audit process and can more easily provide security assurances for App Store purchases. Ars Technica seems to confirm this as well. By sandboxing all apps, Apple will greatly reduce the potential for rogue code coming out of the App Store, thereby reducing its potential liability.

Adding Sandboxing to your applications in Xcode

To sandbox an application in Xcode, you will need a couple of things. The first is a valid code signing certificate issued by a trusted third-party certification authority (think VeriSign, Thawte or DigiCert). Self-signed certificates won’t work, as your Certificate Authority (CA) credentials are not included in either Mac OS or iOS. The CA root certificate allows a chain of trust to be built to your code signing certificate. Apple has more info on their Root Certificate program here.

The second is an entitlements .plist, named Info.plist, which you will add to your project in Xcode. The Info.plist must have the following keys: CFBundleIdentifier and CFBundleName. The identifier MUST be globally unique. To help ensure this, please include your company’s name in the identifier (e.g. com.318.OurLatestApp). Apple recommends that the identifier be in reverse DNS notation as well. Your Info.plist must include all the entitlements your application needs.

In Xcode, please add the following linker flags:

-sectcreate __TEXT __info_plist Info.plist_path

where Info.plist_path is the complete path of the Info.plist file in your project.

These flags should be added to the OTHER_LDFLAGS build variable in Xcode.  Please refer to the documentation for other development environments.

You will also need to go into the summary tab for your Xcode project and check

  • Enable Entitlements
  • Enable App Sandboxing

A comprehensive guide to code signing and entitlements is available from Apple here.
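As an added example (not code from the original article or from Apple), here is a constructed entitlements plist for the hypothetical browser described above, which is granted network, printing and user-selected file access but deliberately not the camera or microphone, together with shell checks a practitioner can run over the entitlements of a built app before submission. The app path in the comment is a placeholder, and the checks assume the one-key-per-line plist layout shown.

```shell
#!/bin/sh
# Added example: verify App Sandbox entitlements from a plist file.
# On a Mac, dump a built app's entitlements into a file first with
# (placeholder path):
#   codesign -d --entitlements :- /path/to/MyApp.app > MyApp.entitlements

SAMPLE_PLIST="${TMPDIR:-/tmp}/example-browser.entitlements"

# Constructed sample for the browser example; the keys are real App Sandbox
# entitlement names. Camera is present but set to false, microphone is absent.
cat > "$SAMPLE_PLIST" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.print</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.device.camera</key>
    <false/>
</dict>
</plist>
EOF

# sandbox_enabled FILE: succeed only if com.apple.security.app-sandbox is true.
# Without this key the other entitlements do not put the app in a sandbox at all.
sandbox_enabled() {
    grep -A1 '<key>com.apple.security.app-sandbox</key>' "$1" | grep -q '<true/>'
}

# granted_entitlements FILE: print each key whose value is <true/>, one per line.
# Keys set to <false/> are not granted and are skipped.
granted_entitlements() {
    grep -B1 '<true/>' "$1" | sed -n 's/.*<key>\([^<]*\)<\/key>.*/\1/p'
}

# has_entitlement FILE KEY: succeed if KEY is granted. Useful for asserting that
# a browser build does NOT carry camera or microphone access.
has_entitlement() {
    granted_entitlements "$1" | grep -qxF "$2"
}

if sandbox_enabled "$SAMPLE_PLIST"; then
    echo "App Sandbox: enabled"
else
    echo "App Sandbox: NOT enabled" >&2
fi
echo "Granted entitlements:"
granted_entitlements "$SAMPLE_PLIST"
```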

Wrapup

Apple’s new paradigm for security will provide additional protection from malicious code. This new paradigm will necessitate some additional planning and testing. It will allow Apple to better ensure that any app from the App Store will not harm your computing experience. Apple has a list of entitlements that must be used, but you must be a registered developer to access this content. In writing this article we have attempted to be cognizant of what is and is not under non-disclosure, so if you need access to that, please grab a free account at the Apple Developer Connection.

Final Cut Pro X

Tuesday, September 20th, 2011

Version 10.0.1 of Final Cut Pro X is now out. This update restores the ability to use Final Cut Pro X projects and Events on Xsan, a must for multi-user environments. Users can now access each other’s media and projects and edit them from any system on the SAN, as with previous versions of Final Cut.

Additionally, there are some other new features, including custom starting timecode, the new Tribute theme, GPU-accelerated exports, one-step transitions, media stems export and, of course, XML support. XML support is very important, as it introduces the ability to integrate Final Cut Pro X with asset management systems or APIs from other applications. The ability to interact with other tools helps to plan and implement an automated workflow, reducing the labor for recurring tasks common in media environments.


Apple also now provides a free 30 day trial to Final Cut Pro X. If your organization is considering migrating from Final Cut Studio into Final Cut Pro X, or if you have a Final Cut Server based asset management solution that you would like to migrate to something newer and supported, then please feel free to contact your 318 Professional Services Manager, or sales@318.com if you do not yet have one.

Setting Up Additional Google Apps Calendars on an iOS Device

Monday, April 18th, 2011

Syncing and Managing Additional Google Apps Calendars on your iOS Device

Google Apps allows users to easily set up multiple calendars in their account and access other users’ calendars via a web browser or a calendar client such as iCal or Outlook. Duplicating this functionality on iOS devices requires some additional configuration steps:

1. Configure your device(s) with Exchange Active Sync for your Google Apps account. See http://www.google.com/support/mobile/bin/answer.py?answer=138740&topic=14252 for instructions.
2. On your iOS device (iPad, iPhone or iPod Touch) use the Safari web browser to navigate to http://m.google.com
3. Scroll to the bottom of the page and tap the “Google Apps user?” button.
4. A popup will appear prompting you to Enter your Google Apps domain. Enter your domain (everything after the @ in your email address) and tap Go.
5. Sign into your Google Apps account if prompted.
6. A Google Mobile page will load, with buttons for various services. Tap the Sync button.
7. A Manage Devices page will load. Tap to select the device you would like to add/delete calendars from (i.e. your iPhone).
8. Tap to check the box next to each calendar you want to sync. Tap to uncheck any calendar you wish to stop syncing.
9. Click Save.

The calendars for which you enabled sync should now be displayed in the iOS Calendar app. You may have to tap Calendars to return to the calendar selection and turn on the additional calendars if they are not displayed immediately.

Note: these instructions differ slightly from the published Google instructions pertaining to generic Gmail accounts (primarily by adding steps 3 and 4). If you would like to set up additional calendars for your personal Gmail account, please follow the steps here: http://www.google.com/support/mobile/bin/answer.py?answer=139206

318 Featured in Architosh

Monday, March 14th, 2011

318 has been featured in an article in Architosh, the leading Internet magazine dedicated to Mac CAD and 3D professionals and students worldwide. The article, titled iPad 2: Impact on enterprise, engineering and CAD, is by Anthony Frausto-Robledo and focuses on the impact of iOS (and more specifically iPad 2) in CAD and 3D graphics environments.


For more, see: http://architosh.com/2011/03/ipad-2-impact-on-enterprise-engineering-and-cad

318 Featured in CIO Again

Thursday, March 10th, 2011

CIO ran another article on the iPad featuring 318’s Director of Technology, Charles Edge, this time focusing on preparing enterprises for iPad 2. You can find the article at http://www.cio.com/article/675163/How_to_Prepare_Your_Enterprise_for_iPad_2_Expert_Tips?source=rss_all.

If iPad and iPad 2 integration is something you feel your enterprise needs help with, then please feel free to contact your 318 PSM or sales@318.com for more information on this exciting aspect of our portfolio of services.

Enable AirPrint On Mac OS X Server

Monday, March 7th, 2011

Since the introduction of AirPrint in iOS version 4.2.1, a handful of shareware and freeware solutions have been introduced that allow iOS devices to use AirPrint to print documents on “unsupported” printers (namely, those printers that do not have the necessary AirPrint features built-in). This typically requires enabling printer sharing on a Mac system, as well as making a slight modification to the CUPS configuration file at /etc/cups/cupsd.conf, which the software typically does for you.

However, one of the more prominent solutions available, AirPrint Activator from Netputing.com, does not work properly on a Mac OS X Server system when following the provided instructions, which appear to be aimed at users running the non-Server version of Mac OS X. Here are the steps you can follow to get Mac OS X Server v10.6 to share printer queues to AirPrint-enabled iOS devices:

Prerequisites: Mac OS X Server v10.6.5 or later (I have only tested on 10.6.6), one or more networked or local printers, and one or more iOS devices running iOS 4.2.1

1. In the System Preferences > Print & Fax preference pane, delete all existing printer queues from the server.

2. Download AirPrint Activator from http://netputing.com/airprintactivator/ to the Mac OS X Server system from which you wish to host print queues.

3. Launch the AirPrint Activator program and slide the Activator switch to On (you will be prompted to authenticate).

4. With your favorite text editor, open the file /etc/cups/cupsd.conf

5. Locate the line that reads Browsing Off and change it to read Browsing On. Save the changes.

6. Open Server Admin and enable and Start the Print service.

7. Open the System Preferences > Print & Fax preference pane and add the printers that you wish to share, being sure to give each shared print queue a unique Sharing Name and Location. If you are only using the Print service to connect iOS devices, you may want to include “AirPrint” in the queue or location name (e.g., “AirPrint to Accounting Printer”).

8. In the Print service window, select the Queues tab and select the print queue you wish to share.

9. Enable the IPP protocol. You can enable the other protocols if you want to enable printer sharing to platforms beyond just your iOS devices.

10. Follow steps 7 through 9 with the other printers that you wish to use for AirPrint.

11. From an iOS device, open a supported document such as a PDF, JPG, or other printable file.

12. Click the box with a curved arrow pointing to the upper right to invoke the Print command.

13. Select the Printer from the menu and print your documents!

318 Director of Technology Interviewed By V3

Saturday, March 5th, 2011

Charles Edge, Director of Technology at 318, did an interview with Iain Thomson of V3, a popular UK-based technology news site. The article, available at http://www.v3.co.uk/v3/analysis/2275079/apple-ipad-tablets-enterprise looks at iPads in enterprise environments. While I don’t agree with the fact that iPad 2 provides little reason to upgrade, I do think the article turned out pretty good.

If you are interested in purchasing iPad 2, please contact your 318 professional services manager and we can get a quote out to you asap!

CIO: An Interview with Charles Edge on iPad 2

Friday, March 4th, 2011

Charles Edge, the Director of Technology for 318 was interviewed recently by CIO magazine, shortly after the announcement of the iPad 2. In the interview, enterprise viability of iPad 2 and a number of other items around iOS in the enterprise were discussed.

See the full article here:
http://www.cio.com/article/672117/Do_iPad_2_iOS_4.3_Make_Enough_Gains_for_Enterprise_?source=rss_news

An Interview with Kevin Klein

Thursday, March 3rd, 2011

Today, TechTarget.com ran an article with an interview from Kevin Klein, the CEO of 318.

With the plethora of Apple iPhones and iPads used for business, security solution providers may be considering expanding their Apple device security offerings. To address this strategy, SearchSecurityChannel.com interviewed Kevin Klein, president and CEO of Santa Monica, Calif.-based solution provider 318 Inc., which specializes in securing Apple devices in its customers’ enterprises.

Click here to read the full article.

Final Cut Server Client for iPad

Wednesday, January 19th, 2011

Yes, you heard that right. You can now browse assets, edit metadata, annotate clips and download clip proxies from Final Cut Server using an iPad.

ClipTouch, from Factorial in New Zealand is a slick, sleek client for Final Cut Server. Per the Factorial website, it supports:

– No server configuration required
– Search and discover assets
– Directly download and view clip proxies
– Supports the default proxy setting
– Clip timecode display
– Change asset metadata
– Browse and add annotations
– Archive and Restore assets to any archive device
– Respects permission sets based on your login
– Supports direct and VPN connections

After using it to view some assets that were optimized using the special compressor settings that Factorial posted, I have to say that I’m impressed with how well it works and with how the interface just looks plain sexy. A job well done! Check it out on the App Store.

iPhone Comes to Verizon

Tuesday, January 11th, 2011

Today Apple announced that the iPhone will be available on Verizon, just in time for Valentine’s Day! The rumor sites have been predicting this practically since the iPhone was introduced, and it is finally a reality. This move will help to open up the iPhone to additional markets and bring all the things that make the iPhone great to Verizon. To quote Apple:

Beginning February 10, the phone that changed everything will be available on both AT&T and Verizon Wireless in the United States. Qualified Verizon Wireless customers will also have the exclusive opportunity to pre-order iPhone 4 online on February 3, ahead of general availability.

Whichever network you choose, you’ll get FaceTime video calling, the high-resolution Retina display, a 5-megapixel camera, HD video recording, long battery life, and all the other great features of iPhone 4.


If you are planning on, or have embarked on an iPhone integration into your environment and would like to cover the impact that this move has on that integration, then please feel free to contact your 318 Professional Services Manager or sales@318.com if you do not already have one.

318 Gets a Nod from Fierce CIO Magazine

Thursday, January 6th, 2011

Carol Carson, from Fierce CIO, posted some tips from 318 in an article on January 2nd called “Embracing the inevitable tablet onslaught”. The article, which can be found at http://www.fiercecio.com/story/embracing-inevitable-tablet-onslaught/2011-01-02, is a look at some ramifications of consumerization as it ekes its way into the mainstream enterprise. As usual, Carol is keen to pick up on enterprise trends in a variety of places: this week, at CES. We hope you enjoy the article!

eWeek Article Featuring Charles Edge

Wednesday, January 5th, 2011

318 is in the news yet again, this time as the central figure in an article from eWeek entitled How Influx of iPhones, iPads Impacting Enterprises. The article is available at http://www.eweek.com/c/a/Mobile-and-Wireless/How-Influx-of-iPhone-iPads-Impacting-Enterprises-582284 and focuses on, as the title references, what enterprises are to do with the infiltration of the iPad and iPhone. While the article is specifically geared towards Apple-based devices, the ideas can be used for any other platform as well. In the article, Chris Preimesberger interviews the 318 Director of Technology, Charles Edge, and provides a number of answers to some specific questions that enterprises come to the table with when they approach the Apple platform.

If you are adopting Apple into your enterprise, you may have even more questions that need answering. If so, please feel free to contact your 318 Professional Services Manager or sales@318.com if you do not yet have one.

318 Featured in IT Business Edge

Tuesday, December 28th, 2010

318 has been a leader in bringing iOS into the Enterprise for some time. We have been sitting alongside our customers, working to get iPhones integrated into organizations of all sizes for years. Since the release of the iPad the quantity of projects we are involved with continues to increase. Now, 318 has been featured in a slide show on IT Business Edge illustrating “how 318’s team is advising clients who are trying to bring iPads and iPhones into enterprise environment.”

And if you would like to discuss how your organization can deploy iPhone, iPad or iPod Touch please feel free to contact your 318 Professional Services Manager or sales@318.com for more information.

Book On Enterprise iOS Integration Available

Monday, December 20th, 2010

The 6th book from 318’s staff is now available: Enterprise iPhone and iPad Administrator’s Guide. In this title, Charles Edge, the Director of Technology at 318, takes a look at lessons learned in our numerous iOS integration projects, from procurement to deployment to patch management. Per the publisher, Apress, the following indicates who the book is intended for:

This book is intended for IT staff members that will be charged with planning an iPhone and iPad implementation or pilot program, as well as those that will be charged with ultimately deploying and provisioning the devices and delivering support to iPhone and iPad users. Readers should have an existing background in IT management, systems administration, and end user support working in a medium to large business or enterprise environment.

If you are considering doing a large scale integration or remediation project for iOS-based devices in your environment then contact your 318 Professional Services Manager or sales@318.com for more information on how 318 can assist you in your endeavors.