Weekly News Summary for Admins — 2021-12-03

News is still a bit slow this week, but we did get a new round of betas for macOS Monterey 12.1, iOS 15.2 and siblings.


(Sponsor: SentinelOne)

[New] The Complete Guide to Understanding Apple Mac Security for Enterprise

Grab the brand new SentinelOne eBook for Mac enterprise security! Learn how attackers are adapting to macOS 12 Monterey and challenges like M1 architecture, Notarization, OCSP, XProtect, and more.

New eBook: Apple Mac Security for Enterprise


This is the fourth beta round for this update release. The release is likely before the holidays, possibly next week. If you haven’t been testing, head to AppleSeed for IT and start now!

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

News and Opinion

macOS 12 Monterey and iOS 15

MacAdmins on Twitter

  • mikeymikey: “I don’t know when the last time you tried to search for an Apple support KB article was – but have you tried … -not- using Google? Search has actually gotten pretty darned fast and extensive.” (Thread)
  • Mr. Macintosh: “Apple released: iOS 15.2 Beta 4 (19C5050b), iPadOS 15.2 Beta 4 (19C5050b), watchOS 8.3 Beta 4 (19S5050c), tvOS 15.2 Beta 4 (19K5050a), HomePodOS 15.2 Beta 4 (19K5050a), Monterey 12.1 Beta 4 Full Installer & IPSW, Big Sur 11.6.2 Beta 4 Full Installer”

Security and Privacy

Support and HowTos

Scripting and Automation

Updates and Releases

To Watch

To Listen

Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Weekly News Summary for Admins — 2021-11-26

Happy day after US Thanksgiving, everyone!


(Sponsor: SentinelOne)

Looking for some macOS Security Power Tricks?

SentinelOne’s resident macOS security experts compiled this list of 15 power tricks for macOS security tasks. Try these out when you’re writing code, hunting for threats, or recording malware behavior.

Read the 15 Power Tricks for macOS Security


Even though many in the US have a few days off, we still have plenty of news to report. My post on ‘JavaScript for Automation’ from last week is generating a lot of great responses, Apple is suing NSO Group, people are figuring out the cause of some of the memory leaks in Monterey, and we get a refresh on the ‘Awesome MacAdmin Tools List.’

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

📰News and Opinion

🐟macOS 12 Monterey and iOS 15

🐦MacAdmins on Twitter

  • Victor (groob): “macOS 12.1 brings EACS = all I ever wanted. Thanks to the Apple folks who listened to this request. EraseDevice now loops into AutoAdvanceSetup via MDM.”
  • Jeremy Reichman: “When the installer says, “about a second remaining” for a minute or more, is it safe to assume it finished “first remaining” already and then went on to longer and more involved “second remaining,” perhaps with an option for more remainings, should additional ones seem necessary?”

🔐Security and Privacy

🔨Support and HowTos

🤖Scripting and Automation

♻️Updates and Releases

📺To Watch

🎧To Listen

📚Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Installomator v8.0

We have published an update for Installomator. It is now at version 8.0 and has over 360 labels!

There were some bugs in the script that could make the script stall the Jamf agent, which prevented the client from checking back in with the Jamf server. This might affect other management systems as well. Please test behavior with the new version and report any issues that might remain.

The changes in detail:

  • removed leading 0 from the version because it has lost all meaning (thanks to @grahampugh for the inspiration)
  • Installomator now detects when an app is already installed, and will display notifications correctly the user based on if the app was updated or installed for the first time.
  • New variables for labels that should be installed using CLI: CLIInstaller and CLIArguments. When the installer app is named differently than the installed app, then the variable installerTool should be used to name the app that should be located in the DMG or zip. See the label adobecreativeclouddesktop to see its use.
  • buildLabel.sh has been improved to build GitHub software labels much easier. In essense if the URL contains github.com, then it will try to find if it’s the latest version or if variable archiveName is needed for finding the software. Also improved messaging throughout the script, as well as handling a situation where a pkg does not include a “Distribution” file, but a “PackageInfo”.
  • MDM script extended with caffeinate so Mac will not go to sleep during the time it takes installomator to run. Especially during setup, this can be useful.
  • Microsoft labels with updateTool variable, is updated to run msupdate --list before running the updateTool directly. Problems have been reported that the update would fail if the --list parameter for the command was not run first. This should help with the Jamf agent stalling during installation.
  • Added bunch of new labels (for a total of 364), and improved others

Most of the work for v8 was done by Søren Theilgaard, but we had many, many contributions from the community! Thanks to everyone!

Weekly News Summary for Admins — 2021-11-19

Even though it is mid-November and the US Thanksgiving week is looming next week, we got a lot of great posts and articles in the news summary.


(Sponsor: Mosyle)

The Fusion of Apple MDM, Identity, Patching & Security.

Mosyle Fuse logo

Mosyle Fuse is the first and only product to bring a perfect blend of an Enterprise-grade MDM, an innovative solution for macOS Identity Management, automated application installation and patching, and purpose-built multi-layer endpoint security, all specially designed for Apple devices used at work at a price point that’s almost unexplainable.

Click here to learn more!


We are finding out about some interesting Monterey features and bugs, Apple announced self service repair, new security threats, lots of automation, and MacAdmins are (re-)discovering JavaScript for Automation (including myself).

If that wasn’t enough to try to keep up with, Jamf dropped all the JNUC 2021 session on to YouTube! Many of these sessions are very informative, even when you don’t use a Jamf product. If you want to catch up on different conferences, or schedule your conference participation for 2022, I have updated my conferences page with all the known dates and links to each conference’s session archive.

macOS 12.1 and iOS 15.2 went into the third round of betas. We also got iOS 15.1.1 (and siblings).

To all US American readers: Happy Thanksgiving!

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

News and Opinion

macOS 12 Monterey and iOS 15

MacAdmins on Twitter

  • cdros: “ICYMI Mac Evaluation Utility 4: Now available for IT teams on AppleSeed for IT
  • Tom Bridge: “This kind of software is infuriating. it’s unethical as an IT Admin to install on your users machines. If you get asked to install it, you should quit instead.” (Link)
  • Kyle Crawford: “I mean more generally I’d like a batteries-included scripting language built-in like python or ruby. I didn’t expect it would be JavaScript.”
  • Jason Anthony Guy: “Apple developers… did you know that Feedback Assistant is available on non-beta systems? Hidden, but accessible. Read the “Installing the App” section on the Apple Bug Reporting page to learn how to get to it. Bonus! Access it via applefeedback://
  • Daniel Jalkut: “I have been using zsh and scp for a long time, but my mind was moderately blown this evening when I realized I could tab-complete REMOTE filenames. Try it: scp whoever@wherever:<tab> (Have to have a ssh key relationship with the server, obviously)”

Security and Privacy

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Watch

To Listen

Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

The unexpected return of JavaScript for Automation

Monterey has deprecated the pre-installed python on macOS. To be precise, built-in python has been deprecated since macOS Catalina, but Monterey will now throw up dialogs warning the user that an app or process using built-in python needs to be updated.

I and others have written about this before:

So far, I have recommended to build native Swift command line tools to replace python calls. However, from discussions in MacAdmins Slack, a new option has emerged. Most of the credit for popularizing and explaining this goes to @Pico (@RandomApps on Twitter) in the #bash and #scripting channels.

(Re-)Introducing JavaScript for Automation

AppleScript has been part of macOS since System 7.1. In the late nineties, there was concern that it wouldn’t make the transition to Mac OS X, but AppleScript made the jump and has happily co-existed with the Terminal and shell scripting as an automation tool on macOS. AppleScript has a very distinct set of strengths (interapplication communication) and weaknesses (awkward syntax and inconsitent application functionality and dictionaries) but it has been serving its purpose well for many users.

With Mac OS X 10.4 Tiger, Apple introduced Automator, which provided a neat UI to put together workflows. Much of Automator was based on AppleScript and users expected a more and improved AppleScript support because of that going forward. Instead, we saw AppleScript’s support from Apple and third parties slowly wane over the years.

AppleScript is stil very much present and functional in recent versions of macOS. It just seems like it hasn’t gotten much love over the last decade or so. Now that Shortcuts has made the jump from iOS, there may be hope for another revival?

The last major changes to AppleScript came with Mavericks and Yosemite. Mavericks (10.9) included a JavaScript syntax for the Open Scripting Architecture (OSA), which is the underlying framework for all AppleScript functionality. Apple called this “JavaScript for Automation.” Because this is a mouthful, it often abbreviated as JXA.

The JavaScript syntax and structure is more like a “real” programming language, than the “english language like” AppleScript. Once again this raised hopes that this could attract more scripters to AppleScript and thus encourage Apple and third party developers to support more AppleScript. But unfortunately, this positive re-inforcement did not take off.

Then Yosemite (10.10) made the AppleScript-Objective-C bridge available everywhere in AppleScript. Previously, the Objective-C bridge was only available when you built AppleScript GUI applications using AppleScript Studio in Xcode. The Objective-C bridge allows scripters to access most of the functionality of the system frameworks using AppleScript or JXA.

The coincidence of these two new features might be the reason that the ObjC bridge works much better using JXA than it does with the native AppleScript syntax.

JXA and Python

What does JXA and the AppleScriptObjC bridge have to do with the Python deprecation in modern macOS?

One reason python became so popular with MacAdmins, was that the pre-installed python on Mac OS X, also came with PyObjC, the Objective-C bridge for python. This allowed python to build applications with a native Cocoa UI, such as AutoDMG and Munki’s Managed Software Center. It also allowed for short python scripts or even one-liners to access system functionality that was otherwise unavailable to shell scripts.

For example, to determine if a preference setting in macOS is enforced with a configuration profile, you can use CFPreferences or NSUserDefaults.

Objective-C/C:

BOOL isManaged =CFPreferencesAppValueIsForced("idleTime", "com.apple.screensaver")

Swift:

let isManaged = CFPreferencesAppValueIsForced("idleTime", "com.apple.screensaver")

The Objective-C bridge allows to use this call from python, as well:

from Foundation import CFPreferencesAppValueIsForced
isManaged=CFPreferencesAppValueIsForced("idleTime", "com.apple.screensaver")

With JXA and the AppleScriptObjC bridge, this will look like this:

ObjC.import('Foundation');
$.CFPreferencesAppValueIsForced(ObjC.wrap('idleTime'), ObjC.wrap('com.apple.screensaver'))

Now, this looks really simple, but working with any Objective-C bridge is always fraught with strange behaviors, inconsistencies and errors and the JXA ObjC implementation is no different.

For example, I wanted to change the code above to return the value of the setting instead of whether it is managed. The CFPreferences function for that is called CFPreferencesCopyAppValue and it works fine in Swift and Python, but using JXA it only ever returned [object Ref]. The easiest solution was to switch from the CFPreferences functions to using the NSUserDefaults object:

ObjC.import('Foundation');
ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('$1').objectForKey('$2'))

(Once again many thanks to @Pico on the MacAdmins Slack for helping me and everyone else with this and also pointing out, that there is a different, somewhat complicated, solution to the object Ref problem. I will keep that one bookmarked for situations where there is no alternative Cocoa object.)

We used this to remove the python dependency from Mischa van der Bent’s CIS-Scripts.

JXA in shell scripts

To call JXA from a shell script, you use the same osascript command as for normal AppleScript, but add the -l option option to switch the language to JavaScript:

osascript -l JavaScript << EndOfScript
     ObjC.import('Foundation');
    ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('idleTime').objectForKey('com.apple.screensaver'))
EndOfScript

For convenience, you can wrap calls like this in a shell function:

function getPrefValue() { # $1: domain, $2: key
      osascript -l JavaScript << EndOfScript
     ObjC.import('Foundation');
    ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('$1').objectForKey('$2'))
EndOfScript
}

function getPrefIsManaged() { # $1: domain, $2: key
     osascript -l JavaScript << EndOfScript
     ObjC.import('Foundation')
     $.CFPreferencesAppValueIsForced(ObjC.wrap('$1'), ObjC.wrap('$2'))
EndOfScript
}

echo $(getPrefValue "com.apple.screensaver" "idleTime")
# -> actual value
echo $(getPrefIsManaged "com.apple.screensaver" "idleTime")
# -> true/false

Note that the $ character does a lot of work here. It does the shell variable substitution for the function arguments in the case of $1 and $2. These are substituted before the here doc is piped into the osascript command. The $. at the beginning of the command is a shortcut where $ stands in for the current application and serves as a root for all ObjC objects.

There is also a $(…) function in JXA which is short for ObjC.unwrap(…) but I would recommend against using that in combination with shell scripts as shell’s command substitution has the same syntax and would happen before the JavaScript is piped into osascript.

There is a GitHub wiki with more detailed documentation on using JXA, and the JXA Objective-C bridge in particular.

JXA for management tasks

I’ll be honest here and admit that working with JXA seems strange, inconsistent, and — in weird way — like a step backwards. Putting together a Command Line Tool written in Swift feels like a much more solid (for lack of a better word) way of solving a problem.

However, the Swift binary command line tool has one huge downside: you have to install the binary on the client before you can use it in scripts and your management system. Now, as MacAdmins, we usually have all the tools and workflows available to install and manage software on the client. That’s what we do.

On the other hand, I have encountered three situations (set default browser, get free disk space, determine if a preference is managed) where I needed to replace some python code in the last few months and I would have no trouble finding a few more if I thought about it. Building, maintaining, and deploying a Swift CLI tool for each of these small tasks would add up to a lot of extra effort, both for me as the developer and any MacAdmin who wants to use the tools.

Alternatively, you can deploy and use a Python 3 runtime with PyObjC, like the MacAdmins Python and continue to use python scripts. That is a valid solution, especially when you use other tools built in python, like Outset or docklib. But it still adds a dependency that you have to install and maintain.

In addition to being extra work, it adds some burden to sharing your solutions with other MacAdmins. You can’t just simply say “here’s a script I use,” but you have to add “it depends on this runtime or tool, which you also have to install.

Dependencies add friction.

This is where JXA has an advantage. Since AppleScript and its Objective-C bridge are present on every Mac (and have been since 2014 when 10.10 was released) there is no extra tool to install and manage. You can “just share” scripts you build this way, and they will work on any Mac.

For example, I recently built a Swift command line tool to determine the free disk space. You can download the pkg, upload it to your management system, deploy it on your clients and then use a script or extension attribute or fact or something like to report this value to your management system. Since there is a possibility that the command line tool is not yet installed when the script runs, you need to add some code to check for that. All-in-all, nothing here is terribly difficult or even a lot of work, but it adds up.

Instead you can use this script (sample code for a Jamf extension attribute):

#!/bin/sh

freespace=$(/usr/bin/osascript -l JavaScript << EndOfScript
    ObjC.import('Foundation')
    var freeSpaceBytesRef=Ref()
    $.NSURL.fileURLWithPath('/').getResourceValueForKeyError(freeSpaceBytesRef, 'NSURLVolumeAvailableCapacityForImportantUsageKey', null)
    ObjC.unwrap(freeSpaceBytesRef[0])
EndOfScript
)

echo "<result>${freespace}</result>"

Just take this and copy/paste it in the field for a Jamf Extension Attribute script and you will get the same same free disk space value as the Finder does. If you are running a different management solution, it shouldn’t be too difficult to adapt this script to work there.

The Swift tool is nice. Once it is deployed, there are some use cases where it could be useful to have a CLI tool available. But most of the time, the JXA code snippet will “do the job” with much less effort.

Note on Swift scripts

Some people will interject with “but you can write scripts with a swift shebang!” And they are correct. However, scripts with a swift shebang will not run on any Mac. They will only run with Xcode, or at least the Developer Command Line Tools, installed. And yes, I understand this is hard for developers to wrap their brains around, but most people don’t have or need Xcode installed.

When neither of these are installed yet, and your management system attempts to run a script with a swift shebang, it will prompt the user to install the Developer command line tools. This is obviously not a good user experience for a managed deployment.

As dependencies go, Xcode is a fairly gigantic installation. The Developer Command Line Tools much less so, but we are back in the realm of “install and manage a dependency.”

Parsing JSON

Another area where JXA is (not surprisingly) extremely useful is JSON parsing. There are no built-in tools in macOS for this so MacAdmins either have to install jq or scout or fall back to parsing the text with sed or awk. Since JSON is native JavaScript, JXA “just works” with it.

For example the new networkQuality command line tool in Monterey has a -c option which returns JSON data instead of printing a table to the screen. In a shell script, we can capture the JSON in a variable and substitute it into a JXA script:

#!/bin/sh

json=$(networkQuality -c)

osascript -l JavaScript << EndOfScript
    var result=$json
    console.log("Download:  " + result.dl_throughput)
    console.log("Upload:    " + result.ul_throughput)
EndOfScript

Update: (2021-11-24) Paul Galow points out that this syntax might allow someone to inject code into my JavaScript. This would be especially problematic with MacAdmin scripts as those often run with root privileges. The way to avoid this injection is too parse the JSON data with JSON.parse :

#!/bin/sh 

json=$(networkQuality -c) 

osascript -l JavaScript << EndOfScript     
  var result=JSON.parse(\`$json\`)     
  console.log("Download:  " + result.dl_throughput)     
  console.log("Upload:    " + result.ul_throughput) 
EndOfScript

(I am leaving the original code up there for comparison.)

Conclusion

After being overlooked for years, JXA now became noticeable again as a useful tool to replace python in MacAdmin scripts, without adding new dependencies. The syntax and implementation is inconsistent, buggy, and frustrating, but the same can be said about the PyObjC bridge, we are just used it. The community knowledge around the PyObjC bridge and solutions goes deeper.

However, as flawed as it is, JXA can be a simple replacement for the classic python “one-liners” to get data out of a macOS system framework. Other interesting use cases are being discovered, such as JSON parsing. As such, JavaScript for Automation or JXA should be part of a MacAdmins tool chest.

Scripting OS X — Weekly News Summary for Admins — 2021-11-12

This week’s newsletter has many links to great posts by MacAdmins. (Thanks to all!) But we also got the surprising announcement that Apple is (re-)entering* the MDM market with “Apple Business Essentials.”


(Sponsor: Mosyle)

The Fusion of Apple MDM, Identity, Patching & Security.

Mosyle Fuse logo

Mosyle Fuse is the first and only product to bring a perfect blend of an Enterprise-grade MDM, an innovative solution for macOS Identity Management, automated application installation and patching, and purpose-built multi-layer endpoint security, all specially designed for Apple devices used at work at a price point that’s almost unexplainable.

Click here to learn more!


First of all, Apple Business Essentials (I am going to risk the scorn of Apple Marketing and abbreviate it as “ABE”) will be in beta until “Spring 2022.” The beta and presumably the release is US only and limited to businesses with less than 500 users, though each user can have up to three Apple devices. The subscription includes extended iCloud storage for the managed Apple IDs (50GB to 2TB) and, after release, can include “prioritized AppleCare support” with onsite repairs. (Prices including the AppleCare support are not known yet.)

The introductory video and page are nice. But there is a lot more information in the Apple Business Essentials User Guide. (You can also find a PDF with some information for the ABE beta program in the AppleSeed for IT downloads.)

Overall, this looks like an interesting new offering from Apple, as long as your business matches the target audience. It looks as if ABE uses MDM commands only, with no local agent other than a “Apple Business Essetials” self-service app. This is standard for iOS and iPadOS, but will make the management options for Macs very limited. For many MacAdmins this will disqualify ABE for “serious” Mac management.

Keep the target audience in mind, though. For many organizations managing iPhones and iPads in business will be the main benefit of ABE and enforcing some management settings on the Macs will be a nice bonus. After all, even the little management possible with MDM commands will be better than no management at all.

From the user guide we can glean a few more interesting facts: the Apple Business Essentials web interface will replace Apple Business Manager for managing business Apple IDs, volume purchase of Apps & Books and assigning devices to MDMs, including MDMs other than Apple Business Manager. It is unclear if all ABM users will get the new interface. I imagine the iCloud storage options for Managed Apple IDs will be available to all ABM accounts, maybe even the business AppleCare subscriptions. In that case, ABE could replace ABM for everyone, even when you use a third party MDM, but the ABE management features will only be unlocked when you get the ABE subscription? We will have to wait and see.

Apple is targeting the “low-end” for device management. They are competing less with Jamf Pro and Workspace One, and more with Jamf Now, SimpleMDM, Mosyle Business, Kandji and Addigy. But when you look at the feature set, Apple’s cannot really compete with any of these, but they provide a minimal or, well, “essential” step up from “no management.” It’ll be up to the vendors to provide features and value above this new, essential, base line.

Overall, I think this is an exciting and promising announcement. There is also the hope, that since Apple is now building and selling their own management system*, this will result in improvements to the MDM protocol and Apple platform management for all. The Spring release of Monterey and iOS 15 should be very interesting.

*Apple has been and still is selling Profile Manager as part of the macOS Server app. Nevertheless, MacAdmins consider this a “reference implementation” at best and Profile Manager is not recommended for use in production at any scale.

Oh yes, we also got new beta2 for macOS 12.1 and iOS 15.2 (and siblings).

If you think your company or product is a good fit to sponsor this newsletter, please contact me!

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

Apple Business Essentials

📰News and Opinion

🐟macOS 12 Monterey and iOS 15

⚙️macOS and iOS Updates

🐦MacAdmins on Twitter

  • Mr. Macintosh: “Apple has released a new Intel T2 BridgeOS Update (19.16.10549) The previous version for 11.6.1 and 2021-007 is 19.16.10548. I do not see an associated OS update that goes along with it. Could this BridgeOS update fix the bricking problems for some T2 Macs?”

🔐Security and Privacy

🔨Support and HowTos

🤖Scripting and Automation

🍏Apple Support

♻️Updates and Releases

📺To Watch

🎧To Listen

🎈Just for Fun

📚Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Weekly News Summary for Admins — 2021-11-05

The week after a major macOS release, and we got a whole bunch of interesting posts by MacAdmins, clarifying or explaining features and aspects of the the upgrade.

Once again, many thanks to all who write and share their knowledge!


(Sponsor: Mosyle)

Mosyle Fuse logo

The Fusion of Apple MDM, Identity, Patching & Security.

Mosyle Fuse is the first and only product to bring a perfect blend of an Enterprise-grade MDM, an innovative solution for macOS Identity Management, automated application installation and patching, and purpose-built multi-layer endpoint security, all specially designed for Apple devices used at work at a price point that’s almost unexplainable.

Click here to learn more!


If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

News and Opinion

macOS 12 Monterey and iOS 15

macOS and iOS Updates

  • Mr. Macintosh: “Heads up! Big Sur 11.6.1 & Catalina 2021-007 Security Updates are having problems with the 19.16.10548 T2 BridgeOS Update This affects a small number of Macs (<5%) The BridgeOS update fails = Mac stuck on a black screen” (Thread)

MacAdmins on Twitter

  • Craig Cohen (LinkedIn): Apple: Mac Evaluation Utility 4.0 available in AppleSeed Go to AppleSeed for IT Use your Apple Business Manager or Apple School Manager Managed Apple ID. Head to the downloads tab. Wonderful update Apple.
  • Tim Perfitt: “I saw on Monty that fn-q brings up a new note. So what other shortcuts use the fn key? fn-a: activates item in dock so you can arrow around and space to launch app, fn-n: open sidebar, fn-c: open control center, fn-h: show desktop, fn-q: new note”

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Watch

To Listen

Just for Fun

Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Monterey, python, and free disk space

With Montery, many MacAdmins have been seeing dialogs that state:

“ProcessName” needs to be updated

and often the “ProcessName” is your management system. As others have already pointed out, the process, or scripts this process is calling, is using the pre-installed Python 2.7 at /usr/bin/python.

This is Apple’s next level of warning us that that the pre-installed Python (and Perl and Ruby) is deprecated and going away in “future version of macOS.” I have written about this before.

Even though the management system will be identified as the process that “needs to be updated,” the culprits are scripts and scriptlets that the management system calls for for management tasks (e.g. policies, tasks, scripts) and information gathering (e.g. extension attributes, facts, etc.). Ben Tom’s post above has information on how to identify scripts which may use python in a Jamf Pro server.

You can suppress the warning using a configuration profile. While this a useful measure to avoid confusing users with scary dialogs, you will have to start identifying and fixing scripts that are written entirely in python or just use simple python calls, and replacing them with non-python solutions.

Python 2.7 is not getting any more security patches and I assume Apple is eager to remove it from macOS. The clock is really ticking on this one.

Current User

The most common python call is probably the one which determines the currently logged in user. The python call for this was developed by Mike Lynn and popularized by Ben Toms in this post and has been a reliable MacAdmin tool for years. I have written about this and introduced a shell-based solution discovered by Erik Berglund.

But there are other use cases, where it is not so straight forward to replace the python code. The built-in python is so popular for MacAdmin tasks because it comes with PyObjC which allows access to the macOS system frameworks. With a few python calls you can avoid having to build an Objective-C or Swift command line tool.

Desktop Picture

I built desktoppr for this reason. The standard way to set a desktop picture with locking it down was a line of AppleScript. But, starting in macOS Mojave, sending AppleEvents to another process (in this case Finder) required a PPPC profile. You can also set the desktop picture using a framework call. There were python scripts out there, but the Swift solution will survive them…

Available Disk Space

Yesterday, I came across another such problem. With the recent versions of macOS, getting a value of the available disk space is not as strightforward as it used to be. There are a lot of files and data on the system, which will be cleared out when some process requires more disk space. Most of this is cache data or data that can be restored from cloud storage. But this ‘flexible’ available disk space will not be reported by the traditional tools, such as df or diskutil. The available disk space these tools report will be woefully low.

The available disk space which Finder reports will usually be much higher. There is functionality in the macOS system frameworks where apps can get the values for available that takes the ‘flexible’ files into account. There is even useful sample code!

Starting with this sample code, I built a command line tool that reports the different levels of ‘available’ disk space. When you run diskspace it will list them all. There are raw and ‘human-readable’ formats.

> diskspace                  
Available:      70621810688
Important:      231802051028
Opportunistic:  214051607271
Total:          494384795648
> diskspace -H              
Available:      70.62 GB
Important:      231.8 GB
Opportunistic:  214.05 GB
Total:          494.38 GB

The ‘Available’ value matches the actually unused disk space that df and diskutil will report. The ‘Important’ value matches what Finder will report as available. The ‘Opportunistic’ value is somewhat lower, and from Apple’s documentation on the developer page, that seems to be what we should use for automated background tasks.

For use in scripts, you can get each raw number with some extra flags:

> diskspace --available               
70628638720
> diskspace --important
231808547284
> diskspace --opportunistic
214057661159
> diskspace --total
494384795648

You can get more detail by running diskspace --help.

In Scripts

If you wanted to check if there is enough space to run the macOS Monterey upgrade (26 GB) you could do something like this:

if [[ $(/usr/local/bin/diskspace --opportunistic ) -gt 26000000000 ]]; then
     echo "go ahead"
else
    echo "not enough free disk space"
fi

Jamf Extension Attributes

Or, you can use diskspace in a Jamf Extension Attribute:

#!/bin/sh

diskspace="/usr/local/bin/diskspace"

# test if diskspace is installed
if [ ! -x "$diskspace" ]; then
    # return a negative value as error
    echo "<result>-1</result>"
fi

echo "<result>$($diskspace --opportunistic)</result>"

Since, this extension attribute relies on the diskspace tool being installed, you should have a ‘sanity check’ to see that the tool is there.

Get and install the tool

You can get the tool from the GitHub repo and I have created a (signed and notarized) installer pkg that will drop the tool in /usr/local/bin/diskspace.

Weekly News Summary for Admins — 2021-10-29

The macOS Monterey release is finally here. We also got iOS 15.1 (and siblings) and the security updates for macOS Big Sur (11.6.1) and iOS 14.8.1. And the new round of betas for macOS 12.1 and iOS 15.2 started.


(Sponsor: Mosyle)

The Fusion of Apple MDM, Identity, Patching & Security.

Mosyle Fuse logo

Mosyle Fuse is the first and only product to bring a perfect blend of an Enterprise-grade MDM, an innovative solution for macOS Identity Management, automated application installation and patching, and purpose-built multi-layer endpoint security, all specially designed for Apple devices used at work at a price point that’s almost unexplainable.

Click here to learn more!


While some features shown at WWDC are still missing, this should keep everyone busy for a while. Many MacAdmins were already busy and published posts on how to work with and manage the new systems.

Settle in, because this is a big summary!

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

macOS 12 Monterey and iOS 15.1

macOS Monterey 12.0.1

Deployment

iOS 15.1 and siblings

Security Updates

Apple Support

Reactions

MacAdmins

New Apple Silicon MacBooks Pro

macOS and iOS Updates

MacAdmins on Twitter

  • Eric Holtam: “Live Text works to capture the horribly tiny and shiny Serial Numbers from the bottom of Macs. Never question if it’s a Q or 0 again!”

Security and Privacy

Support and HowTos

Scripting and Automation

Updates and Releases

To Listen

Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Download Full Installer update

The small tool to download the InstallAssistant.pkg I built a while back, has been working fine, even on Monterey. However, earlier this week some people started noticing that it would not show the 11.6.1 installer. The reason had me stumped, and I was putting together a minor update with UI fixes and an icon for Monterey installers, when I realized what the problem was and was able to fix it. So you will actually find _two_ new releases on the GitHub repo today, but of course, you only need the latest, v1.1.1 aka “The real Monterey Update”.