Blog Posts tagged with Apple Mac OS X


My postinstall scripts for after K2000 deployment (works in deploystudio and other options as well) - binds to AD, renames computer, applies many other OS customizations.

Please feel free to add any comments if you have any questions (or comments) - that's how we all learn! Note: this is an ever-evolving script that I'm constantly refining. Some of it is "original work"; other parts are cobbled together from older scripts, etc. Tested and working on 10.7.1, 10.7.2, and 10.7.3.

__________________________________________

#!/bin/bash

# setup information
# enter your FQDN below
domain="domain.dom"

# enter a username with domain admin privs
diradmin="adbind"

# domain admin password
# (kept in cleartext in this file and passed on the dsconfigad command line below)
password="password"

# container
ou="ou=comp,DC=domain,DC=dom"
# end of setup information
#################################

# rename computer with current DNS name
ip=$(ifconfig en0 | awk '/inet /{print $2}')

# stop here if en0 has no address or the reverse lookup fails, so the
# machine is not renamed and bound under a bogus name
if [ -z "$ip" ] || ! lookup=$(host "$ip"); then
    echo "No IP address on en0 or no reverse DNS record; not renaming or binding." >&2
    exit 1
fi
asset=$(echo "$lookup" | awk '{print $5 $6}' | awk -F. '{print $1}')

echo "Updating various computer names."
scutil --set HostName "$asset"
scutil --set ComputerName "$asset"
scutil --set LocalHostName "$asset"

# make sure AD is active
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist

# bind machine to AD
dsconfigad -force -add "$domain" -computer "$asset" -username "$diradmin" -password "$password" -ou "$ou"

# add AD to search path
searchpath="/Active Directory/$domain"
dscl /Search -append / CSPSearchPath "$searchpath"
dscl /Search -create / SearchPolicy dsAttrTypeStandard:CSPSearchPath
dscl /Search/Contacts -append / CSPSearchPath "$searchpath"
dscl /Search/Contacts -create / SearchPolicy dsAttrTypeStandard:CSPSearchPath

# disable automatic login (the key and file may not exist on a fresh image)
defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null
[ -f /etc/kcpassword ] && srm /etc/kcpassword

# bind to ntp server, sync time, set timezone
systemsetup -settimezone America/Los_Angeles -setusingnetworktime on -setnetworktimeserver time.nist.gov

# adjust sleep cycle
pmset -a displaysleep 30 disksleep 10 sleep 0

# disable graphical login; otherwise you can't log into AD accounts
defaults write /Library/Preferences/com.apple.loginwindow HideLocalUsers -bool false

# this allows you to point client machines at your desired local OSX update server.
# We use reposado (ubuntu based OSX software update server)
defaults write com.apple.SoftwareUpdate CatalogURL 'http://yourcatalogs'

# Enable the 2D Dock
defaults write com.apple.dock no-glass -bool true

# Disable window animations and Get Info animations in Finder
defaults write com.apple.finder DisableAllAnimations -bool true

# Automatically open a new Finder window when a volume is mounted - handy for students with external drives
defaults write com.apple.frameworks.diskimages auto-open-ro-root -bool true
defaults write com.apple.frameworks.diskimages auto-open-rw-root -bool true
defaults write com.apple.finder OpenWindowForNewRemovableDisk -bool true

# stop reopening windows after a reboot
defaults write com.apple.loginwindow TALLogoutSavesState -bool false
defaults write com.apple.loginwindow LoginwindowLaunchesRelaunchApps -bool false

# Empty Trash securely by default
defaults write com.apple.finder EmptyTrashSecurely -bool true

# Avoid creating .DS_Store files on network volumes - Windows servers, mac clients - keep those .ds_store files off the servers!!!
defaults write com.apple.desktopservices DSDontWriteNetworkStores -bool true

# Disable menu bar transparency
defaults write NSGlobalDomain AppleEnableMenuBarTransparency -bool false

# set power on/power off cycle
pmset repeat shutdown MTWRFSU 1:00:00 wakeorpoweron MTWRFSU 08:00:00

# reboot machine
reboot


Issue with Mac OS X Installer certificate expiration, ugh.

I am working on capturing and deploying Lion images, and was thwarted from the get-go. It seems that the certificate bundled with Apple packages from before March 23 has expired, and so when I attempted to create a Netboot environment I found that it would error out.

http://itninja.com/question/netboot-image-creation-for-lion-failed

This issue is probably resolvable by downloading a newer edition of the installer, but I found another workaround here:

http://managingosx.wordpress.com/2012/03/24/fixing-packages-with-expired-signatures/

"Expanding and reflattening a flat package has a side-effect of removing the package signing. the command-line installer tool will happily (at least as of this writing) install unsigned flat packages."

As the article suggests, this tool

http://dl.dropbox.com/u/8119814/flatpkgfixer.py

can fix entire dmgs. I ran it on my Lion installer disk and was able to create my Netboot image :D 

 


Apple, XProtect and Flash

Starting with Mac OS X 10.6, Apple has included a piece of anti-malware software known as XProtect. XProtect works by blocking certain plugins from running in Safari and has recently been the cause of Java not working for many Mac OS users. Unfortunately, Apple does not do a good job of notifying users why a plugin was disabled, and they either just get a notice that the plugin was blocked or that they need to install a newer version. Most recently, Apple has required that Flash Player be the most recent version (11.5.502.149 as of this writing). If your KBOX has not received that version of Flash Player for patching, then even if your computers have been updated with patching, your users will be affected by XProtect blocking older versions of the plugin.

I have put a few things in place to determine versions of Flash Player and XProtect on our systems:

1. Custom inventory rule showing Flash Player version:
I couldn't seem to determine the version of Flash Player installed on our MacOS systems in the inventory so I added a software item with the following custom inventory rule:
PlistValueReturn(/Library/Internet Plug-Ins/Flash Player.plugin/Contents/version.plist, CFBundleShortVersionString, TEXT)

2. Custom inventory rule showing XProtect version and last updated date:
XProtect isn't actually an application so it doesn't show up in the Inventory. It does have a plist file that we can use to get the version, however. The following rule shows the version and when it was last updated:
PlistValueReturn(/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist, Version, NUMBER) AND PlistValueReturn(/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist, LastModification, TEXT)

Using these two fields you should be able to create a report showing machines that have XProtect that has been updated since February 7th, 2013 (when Apple updated to needing Flash Player 11.5.502.149) and have a version of Flash that is lower than that.

Some additional notes on XProtect:

XProtect updates itself daily, as far as I can tell by looking at its LaunchDaemon plist file.

Here are a couple of good posts talking about XProtect:
http://security.thejoshmeister.com/2011/11/how-to-update-apples-safe-downloads.html
http://managingosx.wordpress.com/2013/01/31/disabled-java-plugins-xprotect-updater/

The second one includes a script that changes the XProtect settings to allow older versions of Java and also disables XProtect from updating itself. 
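The report condition described in this post (XProtect data modified on or after February 7th, 2013 together with Flash Player older than 11.5.502.149) can be checked directly from the two plist files. The following is an added example, not part of the original post or of KACE: the function names and sample plists are constructed, and the RFC 1123 date format of LastModification is an assumption. It compares versions numerically because a plain text comparison would rank "11.10" below "11.5".

```python
import plistlib
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Values taken from the post above.
REQUIRED_FLASH = "11.5.502.149"
XPROTECT_CUTOFF = datetime(2013, 2, 7, tzinfo=timezone.utc)


def version_tuple(text):
    """'11.5.502.146' -> (11, 5, 502, 146), so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def flash_blocked(xprotect_meta, flash_version_plist):
    """Return True when the machine belongs in the report: XProtect data is
    at or past the cutoff and the installed Flash Player is too old."""
    meta = plistlib.loads(xprotect_meta)
    flash = plistlib.loads(flash_version_plist)
    # Assumption: LastModification is an RFC 1123 date string.
    updated = parsedate_to_datetime(meta["LastModification"])
    if updated.tzinfo is None:  # treat a zone-less value as UTC
        updated = updated.replace(tzinfo=timezone.utc)
    installed = version_tuple(flash["CFBundleShortVersionString"])
    return updated >= XPROTECT_CUTOFF and installed < version_tuple(REQUIRED_FLASH)


def sample_plist(**keys):
    """Constructed sample data standing in for a plist file read from disk."""
    return plistlib.dumps(keys)


# Constructed samples; on a real Mac, read the bytes of XProtect.meta.plist
# and Flash Player.plugin/Contents/version.plist at the paths given above.
NEW_XPROTECT = sample_plist(Version=1000,
                            LastModification="Thu, 07 Feb 2013 22:30:17 GMT")
OLD_XPROTECT = sample_plist(Version=999,
                            LastModification="Wed, 30 Jan 2013 20:00:00 GMT")
OLD_FLASH = sample_plist(CFBundleShortVersionString="11.5.502.146")
NEW_FLASH = sample_plist(CFBundleShortVersionString="11.5.502.149")

if __name__ == "__main__":
    for name, xp, fl in [("updated XProtect, old Flash", NEW_XPROTECT, OLD_FLASH),
                         ("updated XProtect, new Flash", NEW_XPROTECT, NEW_FLASH),
                         ("stale XProtect, old Flash", OLD_XPROTECT, OLD_FLASH)]:
        print(name, "->", "blocked" if flash_blocked(xp, fl) else "ok")
```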


Automatically logout of your Mac after being inactive for a while

I have seen a few people miss this feature from Windows and end up spending money on apps like LockMeNow. Most people don't know about this built-in feature in OS X.

Here is how you would configure it:


Automatic log out is easy to overlook, but it’s also very easy to configure:

  1. Go to the Apple menu then launch System Preferences
  2. Choose “Security & Privacy”
  3. Click the “General” tab, then choose the “Advanced” button in the lower corner
  4. Check the box next to “Log out after _ minutes of inactivity” and set your time limit

The default setting is 60 minutes.

Note: While you’re in the Security & Privacy control panel, be sure to disable automatic login as well by unchecking it under the “General” tab. That way any user will be required to log in with a user account with full credentials and a password – even if they reboot the computer (remember to have the Guest account configured so that you will gain the Find My Mac protection offered through it in the odd event the computer is stolen, making it trackable from the web, another Mac, or iOS device that has Find My iPhone installed).

Several users confuse this with the Screensaver option. Automatic Log Out will close applications and documents of the logged-in user, while saving the last state of OS X so that everything will resume back to where it was once the user is logged in again. This frees up system resources for other users, and allows other users to log into the computer if it’s multi-use.

Screensaver locks only bring a protective layer over current actions and don’t log anything out; all apps continue to run in the background and documents remain open. Because the user stays logged in, it does not free up resources by closing out apps of that user, and it also does not allow another user to log in to the Mac.

In short, the screensaver approach is perfect for quick away-from-keyboard moments, while the automatic log out is better for extended periods away from a desk, particularly in corporate or educational environments.


Script to enable SSH, rename computer, and join AD Domain on Mac (Mountain Lion)

Here is a script we are using as a post-installation task to enable SSH, set the computer name, and then join the computer to our Active Directory managed domain. 

Note: the template we are using to name our Macs is the letter 'M' followed by the serial number. You can edit the script to take out the M before "$SN", or you can append anything else you'd like onto it, such as an asset tag or location.

Please set HOST, DOMAIN, ADUSERNAME, and ADPASS to match the information for your domain. ADUSERNAME and ADPASS should be a user with sufficient privileges to add the computers to the domain.

#!/bin/bash

HOST="ADserver.domain.com"
DOMAIN="domain.com"
ADUSERNAME="admin"
# kept in cleartext in this file and passed on the dsconfigad command line below
ADPASS="secretpassword"

# Enable SSH
echo "Enabling SSH"
systemsetup -setremotelogin on
launchctl load -w /System/Library/LaunchDaemons/ssh.plist

# Find the serial number (only the hardware section is queried, which is much
# faster than a full system_profiler run)
SN=$(system_profiler SPHardwareDataType | grep 'r (system)' | tail -1 | awk '{print $4}')
echo "Serial Number: $SN"

# Set HostName, LocalHostName, and ComputerName to M$SN
echo "Setting computer names to M$SN"
scutil --set HostName "M$SN"
scutil --set LocalHostName "M$SN"
scutil --set ComputerName "M$SN"

# Add computer to Active Directory
echo "Adding computer to Active Directory"
dsconfigad -preferred "$HOST" -domain "$DOMAIN" -u "$ADUSERNAME" -p "$ADPASS"
