macOS Catalina – The Enterprise issue

Once again it’s that time of year when Apple release their next macOS, and once again Mac Admins scramble to block users updating.

With Jamf restricted policies in place, communications sent to all Mac users and posts on internal intranets, you would have thought users would get the message to hold off updating... but still they try.

The main issue though is that now Catalina is available it will only be weeks until Macs ship with it installed as default. Apple confirmed to me that either these Macs will have updated firmware to prevent downgrading to Mojave or downgrading could void the AppleCare for Enterprise warranty. So like every year Mac Admins have to warn users that if they buy a Mac and it ships with Catalina, don’t expect to use it and certainly don’t expect to be supported (yet).

It’s an odd situation: shiny new macOS being promoted, possible end of year hardware budget needing to be spent as it may be a case of “use it or lose it”, but due to Apple’s history of first release (and even second and third release) not being Enterprise ready (#iamroot) Admins get stuck. Users think they are slow and being awkward as of course “I updated at home and it’s fine”, but all we are really doing is trying to stop the pain and issues early upgrading will cause.

If Apple really want Macs in the Enterprise, on ordering Enterprise Mac Teams should be able to state (with some restrictions) the OS required, even if it’s the latest version of the previous release, so Mojave 10.14.6 (18G103), at least for the first 3-4 months after the new OS is available.

Come on Apple make this happen, make Apple in Enterprise great not frustrating.


Hoobs – Adding AdGuard Home

Hoobs is a simple Homebridge implementation; it takes minutes to get up and running on a Raspberry Pi.

But as it’s on a Raspberry Pi you can also run other applications, for example AdGuard Home. AdGuard is a DNS ad blocker: you simply run it, configure it and then set up your router to use the IP of your AdGuard install as its DNS server. Your network devices will eventually start using this as their DNS. It’s similar to Pi-hole but better 🙂

Simply open your Hoobs Homebridge site, which is usually http://hoobs.local/. From the three vertical dots on the far right select Terminal and install AdGuard.

My commands are the lines starting with the hoobs@hoobs prompt; everything else is the full output:

hoobs@hoobs:/var/lib/homebridge $ cd $HOME
hoobs@hoobs:~ $ wget https://static.adguard.com/adguardhome/release/AdGuardHome_linux_arm.tar.gz
--2019-10-09 13:52:29-- https://static.adguard.com/adguardhome/release/AdGuardHome_linux_arm.tar.gz
Resolving static.adguard.com (static.adguard.com)... 104.20.31.130, 104.20.30.130, 2606:4700:10::6814:1e82, ...
Connecting to static.adguard.com (static.adguard.com)|104.20.31.130|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5280981 (5.0M) [application/octet-stream]
Saving to: ‘AdGuardHome_linux_arm.tar.gz’

AdGuardHome_linux_arm.tar.gz 100%[========================================================>] 5.04M 6.61MB/s in 0.8s

2019-10-09 13:52:35 (6.61 MB/s) - ‘AdGuardHome_linux_arm.tar.gz’ saved [5280981/5280981]

hoobs@hoobs:~ $ tar xvf AdGuardHome_linux_arm.tar.gz
AdGuardHome/
AdGuardHome/AdGuardHome
AdGuardHome/LICENSE.txt
AdGuardHome/README.md
hoobs@hoobs:~ $ cd AdGuardHome/
hoobs@hoobs:~/AdGuardHome $ sudo ./AdGuardHome -s install
2019/10/09 13:53:03 [info] Service control action: install
2019/10/09 13:53:05 [info] Action install has been done successfully on linux-systemd
2019/10/09 13:53:05 [info] Service has been started
2019/10/09 13:53:05 [info] Almost ready!
AdGuard Home is successfully installed and will automatically start on boot.
There are a few more things that must be configured before you can use it.
Click on the link below and follow the Installation Wizard steps to finish setup.
2019/10/09 13:53:05 [info] AdGuard Home is available on the following addresses:
2019/10/09 13:53:05 [info] Go to http://127.0.0.1:3000
2019/10/09 13:53:05 [info] Go to http://192.168.1.55:3000
hoobs@hoobs:~/AdGuardHome $

That’s it. AdGuard is now up and running at the IP address shown in the last output, which is obviously the same as your Hoobs IP. You then configure AdGuard via the web interface. The only setting to change is the admin interface port number, as Hoobs is using 80 and 8080, so just pick something else; I used 90. AdGuard will show the port in red if there is a conflict.

AdGuard is now running at http://192.168.1.55:90 or http://hoobs.local:90/

Hoobs AdGuard Install

Clearing out JAMF restricted policies

When you restrict software using a JAMF Restricted Software policy it can sometimes be difficult to remove the restriction. Removing or excluding the Mac from the policy and a recon or policy update does not always seem to do the trick. The brute force way is to remove the .blacklist.xml file that contains the restricted policy information on the Mac you are having issues with.

SSH into the Mac and simply do:


sudo rm /Library/Application\ Support/JAMF/.blacklist.xml

Now run the manage command to add it back


sudo jamf manage

Done.

Obviously this has its drawbacks: in the time it takes to get the new .blacklist.xml back on the Mac, it’s open to having other restricted software installed. So use with caution.

Check Mojave for 32-bit Apps

Mojave will alert you to any 32-bit apps when you launch them, which is both handy and annoying. However, if you want to run a check for 32-bit apps, run the following in the Terminal.


/usr/sbin/system_profiler SPApplicationsDataType | /usr/bin/grep -A3 "64-Bit (Intel): No" | /usr/bin/sed -n 's/.*Location: \(.*\)/\1/p'

It’s interesting what you might find, but commonly Adobe are lagging behind.


/Applications/Utilities/Adobe Creative Cloud/HDCore/Install.app
/Applications/Utilities/Adobe Creative Cloud/HDCore/Uninstaller.app
/Applications/Utilities/Adobe Application Manager/DECore/Setup.app
/Applications/Utilities/Adobe Application Manager/DECore/DE5/resources/uninstall/Uninstall Product.app
/Applications/Utilities/Adobe Application Manager/DECore/DE6/resources/uninstall/Uninstall Product.app
/Applications/Utilities/Adobe Application Manager/LWA/AAM Registration Notifier.app
/Applications/Utilities/Adobe Application Manager/P6/AAM Registration Notifier.app
/Applications/Utilities/Adobe Application Manager/P6/adobe_licutil.app
/Applications/Utilities/Adobe Application Manager/UWA/AAM Updates Notifier.app
/Applications/Utilities/Adobe Application Manager/D6/Setup.app
/Applications/Utilities/Adobe Application Manager/core/AAMLauncherUtil.app
/Applications/Utilities/Adobe Application Manager/core/Adobe Application Manager.app
/Applications/Utilities/Adobe Application Manager/DWA/Setup.app
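The grep -A3 pipeline above relies on the Location line sitting within three lines of the 64-Bit line. As an added example (not from the original post), this parses the system_profiler text record by record instead, so extra fields between the two lines do not hide an app. The sample profile text and the app paths in it are constructed for the demonstration.

```shell
#!/bin/bash
# Added example (not from the original post): parse the text output of
#   system_profiler SPApplicationsDataType
# and print the Location of every app reported as "64-Bit (Intel): No".
# Unlike grep -A3 it keys on record boundaries, so an extra field such as
# "Get Info String:" between the 64-Bit line and Location cannot hide an app.

list_32bit_apps() {
    awk '
        # an app record starts with a 4-space-indented "Name:" line; flush the previous one
        /^    [^ ].*:$/ { emit(); is32 = 0; loc = "" }
        /^ +64-Bit \(Intel\): No$/ { is32 = 1 }
        /^ +Location: / { sub(/^ +Location: /, ""); loc = $0 }
        END { emit() }
        function emit() { if (is32 && loc != "") print loc }
    '
}

# Constructed sample in the system_profiler text format (paths are illustrative).
SAMPLE_PROFILE='Applications:

    Adobe Application Manager:

      Version: 10.0
      64-Bit (Intel): No
      Get Info String: Adobe Application Manager
      Signed by: Developer ID Application: Adobe Systems, Inc.
      Location: /Applications/Utilities/Adobe Application Manager/core/Adobe Application Manager.app

    Safari:

      Version: 12.1
      64-Bit (Intel): Yes
      Location: /Applications/Safari.app

    Legacy Tool:

      Version: 1.0
      64-Bit (Intel): No
      Location: /Applications/Legacy Tool.app
'

# Number of 32-bit apps in the sample; on a real Mac pipe the live output instead:
#   /usr/sbin/system_profiler SPApplicationsDataType | list_32bit_apps
count_32bit_in_sample() {
    printf '%s\n' "$SAMPLE_PROFILE" | list_32bit_apps | wc -l | tr -d ' '
}
```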

macOS Mojave 10.14.x Update Preferences – Default Writes

Automatic check for updates

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool TRUE

Automatic download new updates when available

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -boolean TRUE

Install macOS updates

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -boolean TRUE

Install app updates from the App Store

sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE

Install System Data Files and Security Updates (both writes required)

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -boolean TRUE
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -boolean TRUE

AppleScript Force Software Updates

I needed a simple way to force Macs to run all updates from the Apple App Store and then restart, but give users a notification and an option to defer for a set time.

This is what I came up with.

An AppleScript that runs

softwareupdate -l

and if anything is found it then runs

softwareupdate -i -a

which installs all available updates. After completion it kicks off a dialogue box informing the user the Mac needs a restart. They have two options: defer for 5 minutes or restart straight away.

The script will be added to /Library/Scripts/ along with the linked company logo via a JAMF install on check-in.

It can be run via ssh into the Mac with

osascript /Library/Scripts/update_restart_script.scpt

or via a JAMF policy with a Process payload.

Hopefully this will be more reliable than JAMF policies, which either stay as pending or fail to restart the Mac even though set to Restart Immediately.

-- softwareupdate -l lists each available update on a line starting with "*"
if (do shell script "softwareupdate -l") contains "*" then
    -- install all available updates (needs root, e.g. run via sudo or a JAMF policy)
    do shell script "softwareupdate -i -a"
    tell application "Finder"
        activate
        -- a dialog sent to another application is subject to the AppleEvent timeout
        -- (about two minutes), so raise it or the script errors out while waiting for the user
        with timeout of 86400 seconds
            repeat -- forever
                set answer to button returned of (display dialog "Mandatory updates have been applied." & return & "Your Mac is ready to restart." & return & return & "Please close all applications and click RESTART." & return & return & "For further information email: support@yourcompany.com" with title "Mandatory Security Update - Restart Required" with icon (POSIX file "/Library/Scripts/logo.png") buttons {"Wait 5 minutes", "RESTART"} default button "RESTART")

                if answer is equal to "RESTART" then
                    tell application "Finder" to restart
                    exit repeat
                else
                    delay 300 -- time in seconds, 300 is 5 minutes
                end if
            end repeat
        end timeout
    end tell
end if

Echo Dot on the Ceiling

I’ve been using an Apple AirPort Express for a number of years connected to a Marantz amplifier in the top of a cupboard, which is then connected to some ceiling speakers for music via iTunes and more recently Spotify. Earlier this year I bought an Amazon Echo and found it much simpler to control Spotify, so I decided to ditch the AirPort Express and replace it with an Amazon Echo Dot and use it for voice control of music with the ceiling speakers. I also purchased another Belkin WeMo Switch Smart Plug to turn the amp on and off, and a Dot flush ceiling mount kit.

The plan was: Dot to amp and power, amp to ceiling speakers (already in place), amp into WeMo socket. After about an hour or so of cutting and wiring I ended up with the flush ceiling mount in place, the Dot mounted and all wired back to the amp.

The ceiling mount was really easy to fit, just a case of finding a suitable spot and then cutting a hole. It fitted tightly into the ceiling, and the kit comes with a 90-degree 3.5mm jack and also a very long USB power lead. All I had to add was a 3.5mm male jack to left/right phono to plug into the back of the Marantz amp. The Dot fits well into the mount and can’t fall as the wires keep it in place, plus the kit comes with some sticky pads for extra security, not that it really needs them.

Once all wired in and the WeMo plug set up, the Marantz amp can be switched on and off with a simple “Alexa turn on Marantz” command and then Spotify played back with a simple “Alexa play”, so much easier than having to find my iPhone, launch Spotify, turn the amp on, play a track and then choose AirPlay.

Proxy Setting for all network devices

An issue that came up recently was that the proxy URL and bypass list were not being set correctly when connecting a Mac via USB-A or USB-C cable to a network enabled device, like screens, docks or hubs. DisplayLink was installed so they were all making a network connection, but as no proxy was set there were a few access issues.

In the past, setting network settings via a script had been pretty easy, but now Macs don’t have a network port and desks are switching to a single cable solution (USB-C to a dock which then connects to screens, ethernet and power) it’s got a little harder.

The previous solution was to identify the device and add the settings; for example, if it was an ethernet connection then you just specify the connection and the details:

networksetup -setautoproxyurl "Ethernet" http://urltoyourproxy.pac
networksetup -setproxybypassdomains "Ethernet" "*.local" "169.254/16" "*.adomain.com"

You could add this for various devices that were used to connect to a network:

networksetup -setautoproxyurl "Apple USB Ethernet Adapter" http://urltoyourproxy.pac
networksetup -setautoproxyurl "Wi-Fi" http://urltoyourproxy.pac
networksetup -setautoproxyurl "Thunderbolt Ethernet" http://urltoyourproxy.pac
networksetup -setautoproxyurl "USB Ethernet" http://urltoyourproxy.pac

The problem was, with docks, hubs and screens all being different names, makes and models, you would have to set each item specifically:

networksetup -setautoproxyurl "Philips 231P4U" http://urltoyourproxy.pac

Clearly this is not ideal as usually, as an Admin, you have no idea what is being put on a desk, so another solution was required.

The following script is a variation of one from MacMule; it loops through all the devices that have been connected or are connected and, regardless of name, adds in the required details.

Simply set your values at the top of the script. The script can then be deployed via MDM such as JAMF and set to run on network change. Now when a Mac changes network connection the script loops through and adds in the correct proxy URL and proxy bypass details.

#!/bin/bash
####################################################################################################
#
# More information: https://macmule.com/2014/12/07/how-to-change-the-automatic-proxy-configuration-url-in-system-preferences-via-a-script/
#
# GitRepo: https://github.com/macmule/setAutomaticProxyConfigurationURL
#
# License: http://macmule.com/license/
#
# Updated to add proxyBypass settings by M Griffin October 2017
####################################################################################################

# HARDCODED VALUES ARE SET HERE
autoProxyURL="http://urltoyourproxy.pac"
proxyBypassDomains="*.local 169.254/16 *.adomain.com"

# CHECK TO SEE IF A VALUE WAS PASSED FOR $4 (JAMF script parameter), AND IF SO, ASSIGN IT
# (only takes effect when the hardcoded autoProxyURL above is left blank)
if [ "$4" != "" ] && [ "$autoProxyURL" = "" ]; then
    autoProxyURL="$4"
fi

# Detects all network hardware & creates services for all installed network hardware
/usr/sbin/networksetup -detectnewhardware

# Service names contain spaces ("Apple USB Ethernet Adapter"), so split the list on newlines only
IFS=$'\n'

# Loops through the list of network services. The first line of output is a header and
# services prefixed with "*" are disabled, so both are skipped.
for i in $(/usr/sbin/networksetup -listallnetworkservices | tail -n +2 | grep -v '^\*'); do

    # Current bypass domains are printed one per line; join them with spaces for comparison
    proxyBypassDomainsLocal=$(/usr/sbin/networksetup -getproxybypassdomains "$i" | tr '\n' ' ' | sed 's/ $//')

    # Current auto proxy URL is printed as "URL: http://..."; keep the part after "URL: "
    autoProxyURLLocal=$(/usr/sbin/networksetup -getautoproxyurl "$i" | head -1 | cut -c 6-)

    # Echo the name of the service & the values currently set
    echo "$i proxy bypass currently: $proxyBypassDomainsLocal"
    echo "$i auto proxy URL currently: $autoProxyURLLocal"

    # If the bypass list for the interface $i does not match the required list, change it.
    # Both sides are quoted so "*.local" is compared literally rather than as a glob pattern.
    if [[ "$proxyBypassDomainsLocal" != "$proxyBypassDomains" ]]; then
        # networksetup expects one argument per domain, so split the list on spaces here only
        IFS=' ' read -r -a bypassList <<< "$proxyBypassDomains"
        /usr/sbin/networksetup -setproxybypassdomains "$i" "${bypassList[@]}"
        echo "Set proxy bypass for $i to $proxyBypassDomains"
    fi

    # If the auto proxy URL for the interface $i does not match the value of $autoProxyURL, change it.
    if [[ "$autoProxyURLLocal" != "$autoProxyURL" ]]; then
        /usr/sbin/networksetup -setautoproxyurl "$i" "$autoProxyURL"
        echo "Set auto proxy for $i to $autoProxyURL"
    fi

    # Enable auto proxy once set
    /usr/sbin/networksetup -setautoproxystate "$i" on
    echo "Turned on auto proxy for $i"

done

unset IFS

# Echo that we're done
echo "Auto proxy present, correct & enabled for all interfaces"

Stop High Sierra Installs and Updates

With High Sierra causing so many issues for Enterprise environments at the moment you may want to block the install. This can be achieved in various ways.

If you are using Jamf MDM then a simple Restricted Software policy can stop the install:

However this won’t stop macOS downloading the updater in the background and prompting the user to install, but there are two other commands we can issue to try and stop auto updates and notifications:

To stop Auto Updates:

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool FALSE

To turn Auto Updates back on:

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool TRUE

To turn off High Sierra notifications:

sudo softwareupdate --ignore "macOS High Sierra"

And when you do want to allow notifications again you can switch them back on with:

sudo softwareupdate --reset-ignored
