Blog Posts tagged with Apple Mac OS X


Dell KACE and Deep Freeze: Using Scripting to Freeze and Thaw Systems

Introduction

 

Customers who use Deep Freeze need a way to unfreeze their systems in order to do patching and system maintenance, and then refreeze the system to allow for normal day-to-day operation. This guide covers creating scripts for enabling and disabling Deep Freeze for both Windows and Mac systems via the KACE Systems Management Appliance.

After completing this document, you should be able to:

·         Understand the process for creating scripts for freezing and unfreezing Windows computers

·         Understand the process for creating scripts for freezing and unfreezing Macintosh computers


 

Deep Freeze for Windows

 

Thawing Your System

 

Before changes can be made to a computer secured by Deep Freeze, it must be put into a writeable state. This process is known as “Thawing” and can be accomplished with a simple KScript.

·         In the Scripting module, click “Choose Action”, then click “New”


 

·         Name your script “Deep Freeze – Boot Thawed” and select Online Kscript from the Type dropdown. You can also input a description of what the script does.

·         Under the Deploy section, uncheck the Select Specific Operating Systems box and then click “Microsoft Windows”. You can also choose what systems to deploy the script to from this section.

·         In the Tasks section, find the Verify option and click “Add”.

·         Choose “Verify a directory exists” and input “%PROGRAMFILES(X86)%” in the text box (without quotes) and click “Save Changes”

·         Go to the On Success section and click “Add”, then select “Launch a program” from the dropdown and enter the following information into the fields:

o   Directory: $(KACE_SYS_DIR)\syswow64

o   File: DFC.exe

o   Check the “Wait for completion” box

o   Parameters: dellkace /BOOTTHAWED

o   Click “Save Changes”

·         Go to the Remediation section and click “Add”, then select “Launch a program” from the dropdown and enter the following information into the fields:

o   Directory: $(KACE_SYS_DIR)\system32

o   File: DFC.exe

o   Check the “Wait for completion” box

o   Parameters: dellkace /BOOTTHAWED

o   Click “Save Changes”

 

Note:

The dellkace entry in the Parameters field is the password for the thaw command. Replace that entry with the password for your Deep Freeze software.

 

·         Scroll to the bottom of the page and click “Save”


You may run this script on demand by choosing the “Run Now” option, or schedule it to run on whatever schedule you prefer.

 

 


 

Freezing Your System

 

Once changes have been made to the system, it will need to be placed back in a “Frozen” state. Use the following steps to create a script to freeze the target PC.

 

·         In the Scripting module, click “Choose Action”, then click “New”

·         Name your script “Deep Freeze – Boot Frozen” and select Online Kscript from the Type dropdown. You can also input a description of what the script does.

·         Under the Deploy section, uncheck the Select Specific Operating Systems box and then click “Microsoft Windows”. You can also choose what systems to deploy the script to from this section.

·         In the Tasks section, find the Verify option and click “Add”.

·         Choose “Verify a directory exists” and input “%PROGRAMFILES(X86)%” in the text box (without quotes) and click “Save Changes”

·         Go to the On Success section and click “Add”, then select “Launch a program” from the dropdown and enter the following information into the fields:

o   Directory: $(KACE_SYS_DIR)\syswow64

o   File: DFC.exe

o   Check the “Wait for completion” box

o   Parameters: dellkace /BOOTFROZEN

o   Click “Save Changes”

·         Go to the Remediation section and click “Add”, then select “Launch a program” from the dropdown and enter the following information into the fields:

o   Directory: $(KACE_SYS_DIR)\system32

o   File: DFC.exe

o   Check the “Wait for completion” box

o   Parameters: dellkace /BOOTFROZEN

o   Click “Save Changes”

·         Scroll to the bottom of the page and click “Save”


You may run this script on demand by choosing the “Run Now” option, or schedule it to run on whatever schedule you prefer.

Deep Freeze for Macintosh

 

Thawing Your System

 

·         In the Scripting module, click “Choose Action”, then click “New”

·         Name your script “Deep Freeze – Boot Thawed” and select Online Shell Script from the Type dropdown. You can also input a description of what the script does.

·         Under the Deploy section, uncheck the Select Specific Operating Systems box and then click “Mac OS X”. You can also choose what systems to deploy the script to from this section.

·         In the Script section, input the following commands:

#! /bin/sh

 

# Thaw Deep Freeze Mac Client

 

echo - Deep Freeze Mac Thaw Executing

 

DFXPSWD=dellkace /Library/Application\ Support/Faronics/Deep\ Freeze/deepfreeze -u dellkace -p bootThawed

 

echo - Rebooting system

shutdown -r now

 

·         In the Script File Name box, name the script DPM_Thawed.sh

·         Scroll to the bottom of the page and click “Save”

 


You may run this script on demand by choosing the “Run Now” option, or schedule it to run on whatever schedule you prefer.

Freezing Your System

 

·         In the Scripting module, click “Choose Action”, then click “New”

·         Name your script “Deep Freeze – Boot Frozen” and select Online Shell Script from the Type dropdown. You can also input a description of what the script does.

·         Under the Deploy section, uncheck the Select Specific Operating Systems box and then click “Mac OS X”. You can also choose what systems to deploy the script to from this section.

·         In the Script section, input the following commands:

#! /bin/sh

 

# Freeze Deep Freeze Mac Client

 

echo - Deep Freeze Mac Freeze Executing

 

DFXPSWD=dellkace /Library/Application\ Support/Faronics/Deep\ Freeze/deepfreeze -u dellkace -p bootFrozen

 

echo - Rebooting system

 

shutdown -r now

 

·         In the Script File Name box, name the script DPM_Frozen.sh

·         Scroll to the bottom of the page and click “Save”


You may run this script on demand by choosing the “Run Now” option, or schedule it to run on whatever schedule you prefer.

Conclusion

 

By following the steps in this guide, you should be able to create the scripts necessary for freezing and thawing your computers. This will allow you to manage your systems, update security patches and deploy software to the computers without sacrificing the security provided by the Deep Freeze application. 

Deploying MacOS X Upgrades with the Dell K1000

At work we will be deploying Office 2016 to campus this summer, and it requires at least MacOS X version 10.10. In our environment we normally don't upgrade operating systems in place, so we have a fair number of computers with earlier versions installed. This presents a problem. Our initial thought was that we would need to deploy the sneaker net and get to work. I realized that the K1000 detects Mac OS X as an installed program, so I wondered if I could set up a managed install to deploy it, and it turns out you can. I used the following procedure to deploy Mac OS X 10.11 El Capitan, but it should also work for other versions.


Step 1: Download the OS Installer from the AppStore

If you don't already have a copy of the Install OS X El Capitan application from the Apple AppStore, log in and download a copy of it. You can leave it in the /Applications folder.


Step 2: Build a Mac OS X install package

Download the createOSXinstallPkg script from GitHub and store it somewhere on your computer.

https://github.com/munki/createOSXinstallPkg

Open a terminal window and change to the location of the script.

The documentation for the script is well written but there isn't too much necessary for a basic package. The following command will create the package in the same location as the script:

sudo ./createOSXinstallPkg --source /Applications/Install\ OS\ X\ El\ Capitan.app/


You should end up with a file named something like InstallOSX_10.11.3_15D21.pkg. The version and build number (10.11.3 and 15D21 respectively) will depend on when you download the installer from the App Store.


Step 3: Create a disk image to hold the package

The K1000 appliance will deploy packages stored on a disk image and I have found this method to be the most reliable for uploading packages to the appliance.

Open Disk Utility

Click New Image

Give the disk image a name; I called mine MacOSX_10.11.3_15D21.dmg.

For the size, you need to make the image larger than the package, because once the disk is formatted it will lose some space. My install package was 6.1GB so I made the disk image 7.5GB.

Leave the Format, Encryption, Partitions and Image Format defaults.

Click Create


Step 4: Copy the install package to the newly created disk image

The disk image should be mounted when created, but if it isn't, mount it and then copy the file to the volume. Once it is copied, unmount the disk.


Step 5: Copy the disk image to the K1000 appliance

The web interface won't allow you to upload files larger than 2GB, so you will need to mount the clientdrop share on your K1000 and copy the file there. If you have not already enabled the SAMBA share on your appliance, log in to the admin interface and browse to Settings, Security.


Step 6: Associate the disk image with the software title

When creating a managed install it is very important that you associate the installer with the correct title. If you have any doubt about which software title to use, then I strongly recommend that you use the installer to update one machine in your environment manually and then associate the file with the software title found in that machine's software inventory after the setup is complete and the machine has checked into the K1000 again.

Once you are satisfied that you have the correct software title, select the disk image from the Upload and Associate Client Drop File menu.

In the Supported Operating Systems list select the operating systems that you will be upgrading to 10.11.

Save the software title.


Step 7: Create the managed install

In the K1000 interface click Distribution

Under Managed Installs click Choose Action, New

Give your MI a name; I called mine Mac OS X El Capitan Install

Select the 10.11.3 software title from the dropdown

Set the execution option based on whether or not you want to interrupt users with the installation.

Leave the Default installation option selected

For the notification options we set up both Alert user before run and Completion messages. This is what we have set for our environment:

Alert user before run:

Your computer has been scheduled to be upgraded to OS X El Capitan (10.11). You can continue to use the computer and will be notified when the first phase is complete.

Completion message:

The first phase of your upgrade to Mac OS X El Capitan is complete. Please restart your computer to begin the next phase. Phase two will take about half an hour to complete.

Save the managed install.


You should now be able to target computers with the installation and they will receive the upgrade. Note that the first phase of the installation (before the computer restarts) is silent. Unless you use a completion message the user will not be prompted to restart. Once the computer does restart the installation will proceed. I have had varied reports of whether or not there is interaction required during this phase of the upgrade.


The installation of 10.11 has been resetting the Sharing preferences in our environment. We normally have remote login and remote desktop enabled for certain users and after the upgrade those options are turned off. Thankfully the KACE agent is still checking in so you can use a script to set those options. Here is our script:

#!/bin/sh

# start here

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users admin -access -on -privs -DeleteFiles -ControlObserve -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -clientopts -setmenuextra -menuextra no

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -clientopts -setvnclegacy -vnclegacy yes -clientopts -setvncpw -vncpw VNCPasswordHere

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent -menu -console

sudo systemsetup -setremotelogin on

exit 0

This post was also shared on my personal blog. http://chucksteel.blogspot.com/2016/03/deploying-macos-x-upgrades-with-dell.html


My postinstall scripts for after K2000 deployment (works in deploystudio and other options as well) - binds to AD, renames computer, applies many other OS customizations.

Please feel free to add any comments if you have any questions (or comments) - that's how we all learn! Note: this is an ever-evolving script that I'm constantly refining. Some of it is "original work"; other parts are cobbled together from older scripts, etc. Tested and working on 10.7.1, 10.7.2, and 10.7.3.

 

__________________________________________

 

#!/bin/bash

 

#setup information

# enter your FQDN below

domain="domain.dom"

 

# enter a username with domain admin privs

diradmin="adbind"

 

# domain admin password

password="password"

 

# container

ou="ou=comp,DC=domain,DC=dom"

#end of setup information

#################################

 

#rename computer with current DNS name

ip=$(ifconfig en0 | grep "inet " | awk '{print $2}')

asset=$(host "$ip" | awk '{print $5 $6}' | awk -F. '{print $1}')

echo Updating various computer names.

scutil --set HostName "$asset"

scutil --set ComputerName "$asset"

scutil --set LocalHostName "$asset"

 

# make sure AD is active

defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"

plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist

 

# bind machine to AD

dsconfigad -force -add "$domain" -computer "$asset" -username "$diradmin" -password "$password" -ou "$ou"

 

# add AD to search path

searchpath="/Active Directory/$domain"

dscl /Search -append / CSPSearchPath "$searchpath"

dscl /Search -create / SearchPolicy dsAttrTypeStandard:CSPSearchPath

dscl /Search/Contacts -append / CSPSearchPath "$searchpath"

dscl /Search/Contacts -create / SearchPolicy dsAttrTypeStandard:CSPSearchPath

 

#disable automatic login

defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser

srm /etc/kcpassword

 

#bind to ntp server, sync time, set timezone

systemsetup -settimezone America/Los_Angeles -setusingnetworktime on -setnetworktimeserver time.nist.gov

 

#adjust sleep cycle

pmset -a displaysleep 30 disksleep 10 sleep 0

 

#disable graphical login; otherwise you can't log into AD accounts

defaults write /Library/Preferences/com.apple.loginwindow HideLocalUsers -bool false

 

#this allows you to point client machines at your desired local OSX update server. We use reposado (ubuntu based OSX software update server)

defaults write com.apple.SoftwareUpdate CatalogURL 'http://yourcatalogs'

 

# Enable the 2D Dock

defaults write com.apple.dock no-glass -bool true

 

# Disable window animations and Get Info animations in Finder

defaults write com.apple.finder DisableAllAnimations -bool true

 

# Automatically open a new Finder window when a volume is mounted - handy for students with external drives

defaults write com.apple.frameworks.diskimages auto-open-ro-root -bool true

defaults write com.apple.frameworks.diskimages auto-open-rw-root -bool true

defaults write com.apple.finder OpenWindowForNewRemovableDisk -bool true

 

# stop reopening windows after a reboot

defaults write com.apple.loginwindow TALLogoutSavesState -bool false

defaults write com.apple.loginwindow LoginwindowLaunchesRelaunchApps -bool false

 

# Empty Trash securely by default

defaults write com.apple.finder EmptyTrashSecurely -bool true

 

# Avoid creating .DS_Store files on network volumes - Windows servers, mac clients - keep those .ds_store files off the servers!!!

defaults write com.apple.desktopservices DSDontWriteNetworkStores -bool true

 

# Disable menu bar transparency

defaults write NSGlobalDomain AppleEnableMenuBarTransparency -bool false

 

#set power on/power off cycle

pmset repeat shutdown MTWRFSU 1:00:00 wakeorpoweron MTWRFSU 08:00:00

 

#reboot machine

reboot
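
The rename step in the script above uses whatever `host` prints: on a failed reverse lookup the same awk pipeline yields `3(NXDOMAIN)`, which would then be set as the computer name and passed to dsconfigad. The following is an added example, not part of the original post, that validates the name first; `legacy_asset` and `ptr_to_asset` are hypothetical helper names and the sample `host` lines are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): validate the reverse-DNS name
# before it is handed to scutil and dsconfigad.

# The post's own parsing pipeline, reading `host` output from stdin.
legacy_asset() {
    awk '{print $5 $6}' | awk -F. '{print $1}'
}

# Read `host <ip>` output on stdin (first line only).
# Print the short host name, or return 1 if it is not a usable PTR answer.
ptr_to_asset() {
    IFS= read -r line || [ -n "$line" ] || return 1
    case "$line" in
        *" domain name pointer "*) ;;      # a real PTR answer
        *) return 1 ;;                     # NXDOMAIN, timeout, SERVFAIL, ...
    esac
    fqdn=${line##* domain name pointer }
    short=${fqdn%%.*}
    # Letters, digits and hyphens only; no leading or trailing hyphen.
    case "$short" in
        ""|-*|*-|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    # AD computer (NetBIOS) names are limited to 15 characters.
    [ "${#short}" -le 15 ] || return 1
    printf '%s\n' "$short"
}

# In the post-install script this would replace the asset= line, e.g.:
#   asset=$(host "$ip" | ptr_to_asset) || { echo "no usable PTR for $ip" >&2; exit 1; }

# Constructed sample `host` output (not captured from a real network).
for sample in \
    '15.2.0.10.in-addr.arpa domain name pointer lab-mac-042.domain.dom.' \
    'Host 16.2.0.10.in-addr.arpa. not found: 3(NXDOMAIN)' \
    '17.2.0.10.in-addr.arpa domain name pointer very-long-imaging-bench-name.domain.dom.'
do
    old=$(printf '%s\n' "$sample" | legacy_asset)
    if new=$(printf '%s\n' "$sample" | ptr_to_asset); then
        echo "legacy='$old' validated='$new'"
    else
        echo "legacy='$old' rejected: stop before scutil/dsconfigad"
    fi
done
```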


Issue with Mac OS X Installer certificate expiration, ugh.

I am working on capturing and deploying Lion images, and was thwarted from the get-go. It seems that the certificate bundled with Apple packages from before March 23 has expired, and so when I attempted to create a Netboot environment I found that it would error out.

http://itninja.com/question/netboot-image-creation-for-lion-failed

This issue is probably resolvable by downloading a newer edition of the installer, but I found another workaround here:

http://managingosx.wordpress.com/2012/03/24/fixing-packages-with-expired-signatures/

"Expanding and reflattening a flat package has a side-effect of removing the package signing. The command-line installer tool will happily (at least as of this writing) install unsigned flat packages."

As the article suggests, this tool

http://dl.dropbox.com/u/8119814/flatpkgfixer.py

can fix entire dmgs. I ran it on my Lion installer disk and was able to create my Netboot image :D 

 


Apple, XProtect and Flash

Starting with MacOS X 10.6 Apple has included a piece of anti-malware software known as XProtect. XProtect works by blocking certain plugins from running in Safari and has recently been the cause of Java not working for many MacOS users. Unfortunately Apple does not do a good job of notifying users why a plugin was disabled: they just get a notice either that the plugin was blocked or that they need to install a newer version. Most recently, Apple has required that Flash Player be the most recent version (11.5.502.149 as of this writing). If your KBOX has not received that version of Flash Player for patching, then your users will be affected by XProtect blocking older versions of the plugin even if your computers have been updated with patching.

I have put a few things in place to determine versions of Flash Player and XProtect on our systems:

1. Custom inventory rule showing Flash Player version:
I couldn't seem to determine the version of Flash Player installed on our MacOS systems in the inventory so I added a software item with the following custom inventory rule:
PlistValueReturn(/Library/Internet Plug-Ins/Flash Player.plugin/Contents/version.plist, CFBundleShortVersionString, TEXT)

2. Custom inventory rule showing XProtect version and last updated date:
XProtect isn't actually an application so it doesn't show up in the Inventory. It does have a plist file that we can use to get the version, however. The following rule shows the version and when it was last updated:
PlistValueReturn(/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist, Version, NUMBER) AND PlistValueReturn(/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist, LastModification, TEXT)

Using these two fields you should be able to create a report showing machines whose XProtect has been updated since February 7th, 2013 (when Apple began requiring Flash Player 11.5.502.149) and that have a version of Flash lower than that.
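
The report logic described above, as an added shell example that is not from the original post. It assumes a hypothetical pipe-delimited export of the two custom inventory fields (hostname|Flash version|XProtect LastModification) and that LastModification is an RFC 1123 style date string; the rows are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): list machines whose XProtect
# definitions are dated on or after 2013-02-07 and whose Flash Player is
# older than 11.5.502.149.

# Constructed sample rows: hostname|Flash version|XProtect LastModification
sample_inventory() {
    cat <<'EOF'
lab-mac-001|11.5.502.146|Thu, 07 Feb 2013 21:37:52 GMT
lab-mac-002|11.5.502.149|Fri, 08 Feb 2013 02:10:00 GMT
lab-mac-003|11.4.402.287|Thu, 31 Jan 2013 04:41:14 GMT
lab-mac-004|9.0.124.0|Sat, 09 Feb 2013 10:00:00 GMT
lab-mac-005||Sat, 09 Feb 2013 10:00:00 GMT
EOF
}

# Read rows on stdin, print the hostnames that XProtect will block.
flash_blocked_hosts() {
    awk -F'|' -v min="11.5.502.149" -v cutoff="20130207" '
    # Field-by-field numeric compare; a plain string compare would rank
    # 9.0.124.0 above 11.5.502.149.
    function ver_lt(a, b,    x, y, n, m, i, max) {
        n = split(a, x, "."); m = split(b, y, ".")
        max = (n > m) ? n : m
        for (i = 1; i <= max; i++) {
            if ((x[i] + 0) < (y[i] + 0)) return 1
            if ((x[i] + 0) > (y[i] + 0)) return 0
        }
        return 0
    }
    # "Thu, 07 Feb 2013 21:37:52 GMT" -> 20130207 (assumed date format)
    function ymd(s,    f, mon) {
        split(s, f, " ")
        mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", f[3]) + 2) / 3
        return sprintf("%04d%02d%02d", f[4], mon, f[2])
    }
    # Skip machines with no Flash Player version in inventory.
    NF == 3 && $2 != "" && (ymd($3) + 0) >= (cutoff + 0) && ver_lt($2, min) {
        print $1
    }'
}

sample_inventory | flash_blocked_hosts
```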

Some additional notes on XProtect:

XProtect updates itself daily, as far as I can tell by looking at its LaunchDaemon plist file.

Here are a couple of good posts talking about XProtect:
http://security.thejoshmeister.com/2011/11/how-to-update-apples-safe-downloads.html
http://managingosx.wordpress.com/2013/01/31/disabled-java-plugins-xprotect-updater/

The second one includes a script that changes the XProtect settings to allow older versions of Java and also disables XProtect from updating itself. 
