Books Sale for Black Friday and Cyber Monday

My three books will be on sale from now, over Black Friday, through Cyber Monday (Nov 26). This is great chance to pick the books up at a few dollars or euros less:

Prices shown are for the US Apple Books store, but the prices in all regions where the books are published will be reduced.

Happy Thanksgiving to all of you in the US and happy deal hunting to everyone!

On macOS User Groups

User groups are easy, right? A user is either a member or they are not.

Once you start thinking about the deatils and want or need to automate some of the aspects of user and group management on macOS, there is a lot of devil in those details.

User Membership

You can easily list all groups a given user is a member of. The id command will show all the groups the current user is a member of. id -Gn will list just the groups. Add a username to the id command to see the information for a different user. The groups command does the same as id -Gn.

You can also run a command to check if a given user is a member of a group:

$ dseditgroup -o checkmember -m user staff
yes user is a member of staff
$ dseditgroup -o checkmember -m user wheel
no user is NOT a member of wheel

Group Membership

So far, so good.

A user is a member of a group when one of these applies:

  • the user’s PrimaryGroupID attribute matches the PrimaryGroupID of the group
  • the user’s UUID is listed in the group’s GroupMembers attribute and the user’s shortname is listed in the group’s GroupMembership
  • the user is a member of a group nested in the group

Note: you should not attempt to manipulate the GroupMembers or GroupMembership attributes directly. Use the dseditgroup -o edit command to manage group membership instead. dseditgroup syntax is weird, but it is a really useful tool. Study its man page.

Listing Group Members

Sometimes (mainly for security audits) you need to list all the members of a group. With the above information, it is easy enough to build a script that checks the PrimaryGroupID, the GroupMembership attribute and the recursively loops through the NestedGroups.

This is confused by the fact that PrimaryGroupID stores the numeric User ID, GroupMembership uses the shortname and NestedGroups uses UUIDs. Nevertheless, you can sort through it.

I have written exactly such a script here:

In most cases this script will work fine. But, (and you knew there would be a “but”) macOS has a very nasty wrench to throw in our wheels.

Calculated Groups

There are a few groups on macOS, that have neither GroupMembers, GroupMembership, nor NestedGroups, but still have members. This is because the system calculates membership dynamically. This is similar to Smart Playlists in iTunes, Smart Folders in Finder, or Smart Groups in Jamf Pro.

You can list all calculated groups on macOS with:

$ dscl . list /Groups Comment | grep "calc"

The most interesting calculated groups are everyone, localaccounts, and netaccounts.

These groups can be very useful in certain environments. For example in a DEP setup you could add localaccounts or everyone to the _lpadmin and _developer groups, before the user has even created their standard account. That way any user created on that Mac will can manage printers and use the developer tools.

However, since these groups are calculated magically, a script cannot list all the members of any of these groups. (My script above will show a warning, when it encounters one of these groups.)

While it would probably not be wise to nest the everybody group in the admin group, a malicious user could do that and hide from detection with the above script (or similar methods).

Other Solution

Instead of recursively listing all users, we can loop through all user accounts and check their member status with dseditgroup -checkmember. This script is actually much simpler and dseditgroup can deal with calculated groups.

This works well enough when run against all local users.

I strongly recommend against running this for all users in a large directory infrastructure. It’ll be very slow and generate a lot of requests to the directory server. Because of this the script above runs only on the local directory node by default.

Summary

  • on macOS users can be assigned to groups thorugh different means
  • you can check membership with dseditgroup -o checkmember
  • you can edit group membership with dseditgroup -o edit
  • macOS has a few groups which are dynamically calculated and difficult to process in scripts

Weekly News Summary for Admins — 2018-11-16

One of the promises at this year’s WWDC was that some high profile Mac apps would return to the Mac App Store. This week, part of that promise was fulfilled as Panic’s Transmit re-appeared in the Mac App Store.

For admins this news is bittersweet. Transmit chose subscription pricing for the App Store. Unlike App purchases, which can be managed with VPP, subscriptions and other in-App-Purchases still cannot be managed. Thankfully, Panic still offers the standalone app, for a fixed price, which can be managed by traditional means.

Don’t miss the MacAdmins podcast this week. I actually talk briefly about the process of building this very newsletter every week.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

On Scripting OS X

News and Opinion

MacAdmins on Twitter

  • Steve Yuroff: “Noting the steps needed to get a never-booted 10.14.beta for testing DEP and SecureToken behaviors. This isn’t fun anymore.”
  • Tim Perfitt: “When searching for something in Spotlight, if you press command-return when an item is selected, it opens the enclosing folder.”

Bugs and Security

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Watch

To Listen

Support

There are no ads on my webpage or this newsletter. If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

MacAdmins Podcast, Episode 102: Erase All the Things

I had the honor of being on the MacAdmins podcast again!

In this episode, we talk about the EraseInstall app we built at Pro Warehouse, how much fun it can be to build something in Swift and Xcode, the new Macs, my weekly news summary and a bit about Book #4.

Thanks again to Tom, Charles and Marcus and everyone else who makes the MacAdmins Podcast. You are wonderful hosts!

(Though it was very weird to hear you in single speed…)

Listen to the Episode!

Weekly News Summary for Admins — 2018-11-10

Mac minis are real and being delivered to customers!

Apple sent out some updates for their Apps, Pages can now publish to Apple Books and iMovie on a new iPad pro can power a large external screen.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

On Scripting OS X

News and Opinion

MacAdmins on Twitter

  • James F: “Here’s a script illustrating how to use the #Jamf Pro API I made for my #jnuc2018 interactive lab ”Getting Started with the Jamf Pro API“”
  • Erik Gomez: “To help foster community help, effective today, UMAD and nudge have been moved to my personal GitHub and off the pseudo joke org I made when I developed the tools.”
  • mikeymikey: “Take the hint…”
  • Brian Stucki: “The documents for the new Mac mini were just released. Includes the Essentials, the Quick Start and the Info Guide. Also includes this picture of the Retina display that Apple should definitely make and sell.”

Bugs and Security

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Watch

Support

There are no ads on my webpage or this newsletter. If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Mojave Quick Action to Package Apps

One of the new macOS features in Mojave are “Finder Quick Actions.”

They show as action buttons in the Finder in Column View and the new Gallery View. You can also access Quick Actions in any view from an item’s context menu.

You can configure Quick Actions in the ‘Finder’ section of the ‘Extensions’ Preference Pane. The four sample actions that come with Mojave are ‘Rotate,’ ‘Markup,’ ‘Create PDF,’ and ‘Trim’. While these are certainly useful, they are oriented towards media.

You can, however, build your own Quick Actions with Automator!

Custom Quick Action

When you look at it closely, Quick Actions are re-branded Automator Service Workflows. They are even stored in ~/Library/Services.

Let’s build a useful Quick Action for admins.

Quick Packaging

Recap: You can quickly build an installer package from an application bundle with pkgbuild:

$ pkgbuild --component /Applications/Firefox.app Firefox-63.0.pkg

This even works when the application is not installed on the current system, but then you have to add the --install-location argument:

$ pkgbuild --component /Volumes/Firefox/Firefox.app/ --install-location /Applications Firefox-63.0.pkg

This allows you to build an installer package from a disk image without having to install it.

Note: this method works well with ‘drag to install’ type applications. For many other applications, re-packaging is more elaborate. Learn all the details of packaging in my book: “Packaging for Apple Adminstrators

To make this simple process even simpler, I wrote a small script a while back called quickpkg, which simplifies this even further:

$ quickpkg "~/Downloads/Firefox 63.0.dmg"

(For help with downloading and installing scripts like quickpkg see this post.)

This seems like a good candidate for a Quick Action.

Bring in the Robot

Open the Automator application and create a new Workflow. Choose “Quick Action” as the type of Workflow.

New Workflow Window for a Quick Action in Finder

This will present an empty workflow window with a list of categories and actions on the left and the area where you assemble the workflow on the right. Above the workflow area is a panel where you define the input for our Quick Action. Change the popups to match this image:

Input for our QuickAction
Input for our QuickAction

Then add a ‘Run Shell Script’ action from the list on the left. The easiest way to locate the action is with the search box, or you can find the ‘Run Shell Script’ action in the ‘Utilities’ category. Drag it to the workflow area, labelled ‘Drag actions or file here to build your Workflow.’

Make sure that the shell popup is set to /bin/bash and the ‘Pass input’ popup is set to ‘to stdin’. With these settings, the selected file(s) will be passed as a list of paths, one per line to the stdin stream of the bash code we enter in the text area.

Add the following code:

destination="$HOME/Documents/"

while read -r file; do
    /usr/local/bin/quickpkg --output "$destination" "$file"
done

Your action should look like this:

First, we set a bash variable for the destination folder. You can change this to another path if you want to, but the destination folder has to exist before the workflow runs, otherwise you’ll get an error.

Then we use a while loop with the read command to read the stdin input line by line. Then we run the quickpkg tool once for each line.

You can now save the Workflow (it will be saved in ~/Library/Services/) and then ‘QuickPkg’ (or whatever name you chose) will appear in Finder, for any selected item. Unfortunately, the Automator input controls don’t allow to filter for file types other than the few given ones.

Select a dmg with an application in it, such as the dmg downloaded from the Firefox website and wait a moment. Then check the ~/Documents folder for the result.

(A rotating gear wheel will appear in the menu bar while the action is running. This is all the feedback you can get.)

Revealing the Result

It is annoying that we have to manually open the destination folder to see our result. But the nice thing is that we can let the workflow take care of that. In the action list on the left, search for ‘Reveal Finder Items’ or locate this action in the ‘Files & Folders’ category. You can drag it to the end of your workflow, below the ‘Run Shell Script’ action or just double-click in the list to add to the end of your workflow.

The extended Workflow

Save and run again from the Finder. It should now reveal the pkg file automatically.

You can add more actions to the workflow. For example, you can add actions to

  • open with Pacifist or Suspicious Package
  • tag the pkg file
  • add a comment
  • append the date to the file name
  • copy the pkg to a file share

Improving the Workflow

You may have noticed during testing that in its current form the workflow doesn’t really react well when something goes wrong.

quickpkg can work with .app, .dmg, and .zip files. Unfortunatly, Automator does not let us filter for just those file types in the input setup. The script will report an error when you try to run it against a different file type, but the error is not displayed in Finder.

It is not that difficult to extend our short script to make it a bit more resilient. Change the code in the ‘Run Shell Script’ action to this:

destination="$HOME/Documents/"

while read -r file; do
    result=$(/usr/local/bin/quickpkg --output "$destination" "$file")

    if [[ $? != 0 ]]; then
        osascript -e "display alert \"QuickPkg: An error occured: $result\""
    else
        echo "$result"
    fi
done

With this code we check result code $? of the quickpkg command for an error. If the code is non-zero we display an alert with osascript. If all went well, we echo the result (the path to the new pkg) to stdout, so that Automator can pass that into the following actions.

This is still a fairly crude error handling, but much better than nothing.

Summary

It is quite easy to turn simple shell commands into Automator workflows and Finder Quick Actions. Keep this in mind, when you find yourself performing repetetive tasks in Finder or in Terminal.

Weekly News Summary for Admins — 2018-11-02

New Mac mini! We finally got a new Mac mini!

Oh, and a new MacBook Air and some iPad Pros, too. iOS 12.1 and macOS Mojave 10.14.1, as well. But seriously, did you see the new Mac mini!?

The new Macs have the T2. Now, the majority of new Mac models and quite likely the majority of Macs units sold have Secure Boot and don’t support traditional deployment workflows any more.

The Mac mini and the new MacBook Air also require Mojave 10.14.1 and will likely have a forked build of Mojave.

If you need to learn about the new installation workflows available with High Sierra and Mojave, you can buy my book: “macOS Installation for Apple Administrators

Talking about Secure Boot and T2: among all the other new around the new Macs, iPads, macOS 10.14.1 and iOS 12.1, Apple also released a whitepaper on the T2 Chip. If you don’t read anything else this week, read this. (or at at least Rich’s or David’s summaries)

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

Apple October Event

On Scripting OS X

News and Opinion

MacAdmins on Twitter

  • Chapin Bryce:up – cli tool that allows you to manipulate and interact with streams to prototype modification cmds (ie grep, cut, awk). It’s easier to watch the gif then for me to describe in 140 chars” (via Erik Gomez:)
  • mikeymikey: “Heads up macadmins – if you have devices in your fleet where people installed 10.14.0 ”not labeled as beta“ build 18A389 aka ”people thought it was GM but it didn’t say GM“, the 10.14.1 update does not upgrade it.”
  • mikeymikey: “Hey #macadmins This was published in June. But you should probably look at it again. Soon.”
  • Bill Amend:
    “20 years ago I did one of my favorite strips ever. #HappyHalloween… ”

Bugs and Security

Support and HowTos

Scripting and Automation

Apple Support

To Listen

Support

There are no ads on my webpage or this newsletter. If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Include Assets in External macOS Installer Drives

Apple has included a tool to build a bootable external installer drive with the macOS Installer application for a while now. Apple actually has documentation for this tool.

The tool is called createinstallmedia and can be found in /Applications/Install macOS [[High ]Sierra | Mojave].app/Contents/Resources/.

When run, the tool requires a path to an external volume or partition, which will be erased and replaced with a bootable installer volume.

Note: Secure Boot Macs with the T2 chip cannot boot from external drives in the default configuration. As of this writing this affects the iMac Pro and the 2018 MacBook Pro. But it is expected that any new Macs released from now on (as in maybe at the Apple Event tomorrow?) will also have Secure Boot.
Nevertheless, having an bootable external installer is still every useful for ‘legacy’ (i.e. non-secure boot) Macs. Also, while it not a good general configuration, it can be very useful to enable external boot on machines that you frequently re-install for testing.

While the support article covers the basics, the tool gained a new feature in Mojave which is not documented in the article.

When you run the Mojave createinstallmedia tool without arguments you get the usage documentation:

$ /Applications/Install\ macOS\ Mojave.app/Contents/Resources/createinstallmedia 
Usage: createinstallmedia --volume <path to volume to convert>

Arguments
--volume, A path to a volume that can be unmounted and erased to create the install media.
--nointeraction, Erase the disk pointed to by volume without prompting for confirmation.
--downloadassets, Download on-demand assets that may be required for installation.

Example: createinstallmedia --volume /Volumes/Untitled

This tool must be run as root.

The new argument in the Mojave is called --downloadassets. The description is a bit sparse, but from what I gather this is download additional assets, like firmware installers and bundle them with the other installer files on the installer drive instead of downloading them on-demand during installation.

This will not remove the requirement for the Mac to be connected to the internet during the installation process but it should speed up the process quite a bit.

If you want to learn more about how to create external installers and how to use the macOS Installer app most effectively in your workflows, you can buy my book ‘macOS Installation for Apple Administrators

Weekly News Summary for Admins — 2018-10-27

Somewhat delayed summery this week-end again. Quiet week while nearly everybody was at JNUC having fun.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

On Scripting OS X

News and Opinion

MacAdmins on Twitter

  • Julia Evans: “New zine: Oh shit, git! It’s based on ohshitgit.com and it tells you how to get out of git messes. By me and the amazing @ksylor.”

Support and HowTos

Updates and Releases

To Listen

Support

There are no ads on my webpage or this newsletter. If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Changing a User’s Login Picture

Nick asked a question in the comments recently:

Now only if there was as simple a tool for setting the profile pic!

There is no simple tool, but it is not that hard really.

When an individual user wants to change their login picture, they open the Users & Groups preference pane. But if want to pre-set or change it for multiple Computers or Users, then we need to script.

Where is it stored?

The data for the user picture is stored in the user record in the directory. If the user is stored locally the directory is just a bunch of property list files in /var/db/dslocal/nodes. However, we do not want to, nor should we manipulate them directly. The tool to interface with directory data is dscl (directory service command line, pronounced diskel)

You can get a user’s record data like this:

$ dscl . read /Users/username

This will dump a lot of data, some of it binary. When you look more closely at the data, you can see that the binary data is in an attribute JPEGPhoto. This is promising, but converting an image file into some binary code and writing it into the attribute does not sound fun.

When you look around the user record some more, you can find another attribute labeled Picture which contains a decent file path (it may be empty on your machine). When JPEGPhoto contains data, Picture will be ignored. But when we delete the JPEGPhoto attribute, then the system will use the file path set in the Picture attribute.

Let’s Change It!

Deleting the JPEGPhoto attribute is easy:

$ dscl . delete /Users/username JPEGPhoto

And so is setting the Picture attribute to a new value:

$ dscl . create /Users/username Picture "/Library/User Pictures/Flowers/Sunflower.tif"

With this you can create a script that resets all user pictures by looping through all the available pictures in the /Library/User Pictures folder.

(Since you are affecting other users’ records, this script needs to be run as root.)

Custom Images

Of course, you don’t have to use the pre-installed User Picture images, but can install your own.

To demonstrate how this would work, I conceived of a little fun exercise. I wanted to write a script that sets the user picture to an image from the ‘User Pictures’ folder which starts with the same letter as the username.

The set of images in the default cover 19 of the 26 letters in the latin alphabet. I created images for the seven missing letters (A, I, J, K, Q, U, and X).

To run the script at login, I created a LaunchAgent. And finally a script which will set the Picture to the appropriate path.

Since LaunchAgents run as the user, we need to be a bit more careful when changing the attributes. While a user has privileges to modify and delete the JPEGPhoto and Picture attribute, they cannot create the attributes, so our sledgehammer method to overwrite any existing value from the script above will not work.

The dscl . change verb, which modifies an attribute has a weird syntax which requires you to pass the previous value as well as the new value. To get the previous value, which may contain spaces, I use the same PlistBuddy trick from this post.

Finally, I built an installer package which installs all the parts (the additional images, the LaunchAgent plist and the script) in the right places. You can get the project here. Run the buildAlphabetUserPkg.sh script to build an installer package.

Since the LaunchAgent will trigger at a user’s login, you will have to logout and back in, before you can see any changes. You could add a postinstall script that loads the launchagent for the current user (when a user is logged in), but I will leave that as an exercise for the attentive student.

You can get all the pointers on how to build installer packages with postinstall scripts in my book: “Packaging for Apple Administrators