Thomas Reed: “There appears to be an issue in macOS where removing the ‘restricted’ flag from /Library/StagedExtensions/ causes installation of kernel extensions to always fail.”
Guillaume: “If you’re part of an IT or security team managing Macs, make sure you watch at least one of these talks before every Mac out there has a T2 Chip! https://t.co/1MGo5zqPk1 by @gregneagle And https://t.co/kIdpnP5xwh by @grahamgilbert”
Laurent Guigo: “after .local now .dev extension not enable for localhost develop built in server (no ssl)”
There are no ads on my webpage or this newsletter. If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!
If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!
As MacAdmins our goal is to automate workflows whenever possible. The advantages of automation are great. You immediately reduce the workload, but you also reduce the potential for someone to make a mistake, which would mean even more work later.
In nearly all cases, we want the automation to happen “magically” in the background, without any user interaction. User interaction slows down the process as the script is waiting for the user to confirm or enter data. User input also requires validating and checking user entered data.
In most cases, when you believe you need to prompt the user for, well, anything, you should take that moment to re-think your workflow. Maybe you can come up with a different workflow that can provide the data from a source that can be automated without user interaction.
If, however, you really are convinced that user interaction is necessary, then you need to be aware that there are many potential pitfalls in writing shell scripts with user interaction.
macOS Mojave will introduce even more pitfalls with its increased security features.
Do you really need UI?
A common example for user interaction is to get and set the Computer Name or Asset Tag/ID/Number from manual input.
This is a task that can be fully automated in many situations. As an admin you could provide a text file on a server mapping serial numbers to a name and/or asset tag, which a script can download (curl) and parse. If you have a management system or asset database, there is probably an XML or JSON API you can use to retrieve this information from a script. You could read or scan the serial numbers from the labels on the Macs’ boxes, or even get the list with the purchase order from most vendors. With that data you can pre-fill your text files or databases.
However, in some cases, especially in DEP workflows, it may be difficult or impossible to predict which computer will end up on which desk. This is particularly true for zero-touch deployment workflows, where a device can be sent to a user directly.
In this case, you have to question whether you need a unique, specific computer name or asset tag. Maybe the data which your management system already gathers, such as the user who enrolled the device and its serial number will (have to) be sufficient?
In many cases, however, the reasons to prompt for and set a computer name will not be technical but stem from other, external factors that the IT department may or may not have influence on.
AppleScript’s Moment of Glory
bash was built to run in a text-based terminal on many different operating systems. It has (and should have) no concept of a graphical user interface. bash alone is not useful for interacting with the user, unless you want to open a Terminal window.
However, AppleScript does have some (basic) commands to present dialogs and notifications to the user. We can call AppleScript commands from the shell with the osascript command (OSA = Open Scripting Architecture, the underlying framework that AppleScript uses).
There are other tools that allow you to display a user interface from a shell script. However, they all require an additional installation. AppleScript/osascript is simpler and built into the OS, so it is my first choice. That doesn’t mean it is always the appropriate choice, though.
You can go to Terminal and make a dialog appear with
$ osascript -e 'display dialog "Hello from bash!"'
The display dialog AppleScript command is documented in the “StandardAdditions” dictionary. You can see it when you choose ‘Open Dictionary…’ from the File Menu in Script Editor. Then select the “Scripting Additions.osax” dictionary and choose the “User Interaction” category.
This command has a lot of options that allow us to configure the dialog. You can experiment and test with these commands in the Script Editor application. For example, you can change the names of the buttons:
display dialog "Are you sure!?" buttons {"No", "Yes"}
display dialog "The answer is C" buttons {"A", "B", "C"} default button 3
button returned:C
The script will return which button the user clicked. However, instead of parsing the output with shell tools, you should let AppleScript do the work:
button returned of (display dialog "Are you sure!?" buttons {"No", "Yes"})
The returned value (the user’s choice) will be No or Yes.
Adding icons
You can also add an icon to the dialog:
display dialog "Hello" with icon note
This will show the current application’s icon. You can also use stop or caution for different icons.
You can also add a path to an icns file:
display dialog "Hello!" with icon POSIX file "/Applications/Notes.app/Contents/Resources/AppIcon.icns"
Asking for Input
In some cases you want to get information back from the user. You can add a text field to the dialog with the default answer argument. The default answer can be an empty string:
display dialog "Who are you?" default answer "nobody"
display dialog "Who are you?" default answer ""
You can get the result of the dialog with the text returned property:
text returned of (display dialog "Who are you?" default answer "nobody")
You can combine the default answer argument with all the above arguments as well.
Notifications
In some cases you just want to notify the user that something happened, and not stall everything while the script waits for confirmation. You can use display notification for these situations:
display notification "Hello, again" with title "Hello"
Running from Shell
You can execute AppleScript from the shell with the osascript command.
osascript -e 'display dialog "Hello!" with icon note'
This works well enough. You can also use shell variable substitution:
title='Hey, there!'
osascript -e "display dialog \"What's up?\" with title \"$title\""
When you use variable substitution, you have to use double quotes for the command strings. And then you have to escape any additional double quotes in the AppleScript command. With more complex commands and arguments this will get unwieldy very quickly.
In a bash script you can use a here document instead:
title='Hey, there!'
osascript <<-EndOfScript
display dialog "What's Up?" with title "$title"
EndOfScript
You start a here document with the <<- characters followed by a limit string of your choice (I chose EndOfScript). Then all the text until the limit string is repeated will be fed into the osascript command.
Bash variables will be substituted in the here document, so $title will be substituted with its contents.
Note: I prefer the <<- syntax over the << syntax with osascript. The <<- syntax will ignore leading white space in the following lines, allowing me to properly indent the AppleScript code, making the entire script more legible.
The Trouble with root
Management scripts will run with root privileges. They may also be run in situations where no user is logged in. AppleScript requires a user to be logged in (and a window server to be present) to display the alert.
In many situations all of this will ‘just work’ even when the script is executed from a root process, in others, the script will fail. It is generally safer to always check the current user and run the osascript command as the currently logged in user. You can learn about how and why to do this in this article on ‘Root and Scripting’.
This also gives your script an option to continue silently or fail when no user is logged in.
# The Python one-liner reads the console user from SystemConfiguration;
# it prints an empty string at the login window or when nobody is logged in.
user=$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')
if [[ $user != "" ]]; then
    uid=$(id -u "$user")
    # run osascript in the context of the logged-in user, not as root
    launchctl asuser $uid /usr/bin/osascript -e "button returned of (display dialog \"Hello\")"
fi
Putting it all Together
While all of these examples are simple enough, you can already see that, once you consider all the possible combinations, everything will get fairly complex.
Over time I have put together a few bash functions that I use in my scripts. Even though they only cover quite simple workflows, they can be useful as a sample for more complex needs:
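As an added illustration (these are not the author’s helper functions, which this copy of the post does not include), the following combines the pieces above: escaping shell values before they are placed inside AppleScript string literals, building the display dialog command, and running it as the console user with launchctl asuser. The scutil-based console_user function is an assumption used in place of the post’s Python one-liner; it reads the same ConsoleUser key.

```bash
#!/bin/bash
# Added example (not the author's helper functions): build the AppleScript for
# a dialog from shell variables without breaking the AppleScript string
# literals, then run it as the console user via launchctl asuser.

# Escape backslashes and double quotes so a value can sit inside an
# AppleScript "..." literal. Without this, a value such as  Say "hi"  ends the
# literal early and the rest of the value is interpreted as AppleScript.
as_escape() {
  printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Compose the dialog command. $1 = message, $2 = title, remaining arguments
# are the button names; the last button becomes the default button.
build_dialog_script() {
  msg=$(as_escape "$1")
  title=$(as_escape "$2")
  shift 2
  [ $# -gt 0 ] || set -- "OK"
  buttons=""
  for b in "$@"; do
    buttons="${buttons:+$buttons, }\"$(as_escape "$b")\""
  done
  printf 'button returned of (display dialog "%s" with title "%s" buttons {%s} default button %d)\n' \
    "$msg" "$title" "$buttons" "$#"
}

# Name of the user at the console; empty at the login window or when nobody
# is logged in. (scutil-based variant, assumed here in place of the post's
# Python one-liner; both read the ConsoleUser key of the dynamic store.)
console_user() {
  scutil <<'EOF' | awk '/^ *Name :/ && !/loginwindow/ { print $3 }'
show State:/Users/ConsoleUser
EOF
}

# Show the dialog as the console user and print the button that was clicked.
# Returns 1 silently when nobody is logged in, so a management script can
# continue without UI instead of hanging on a dialog nobody can see.
display_dialog_as_user() {
  user=$(console_user)
  [ -n "$user" ] || return 1
  uid=$(id -u "$user")
  build_dialog_script "$@" | launchctl asuser "$uid" /usr/bin/osascript
}

# Example call (only shows something on macOS with a user logged in):
# choice=$(display_dialog_as_user 'Install "Office" now?' 'Updates' "Later" "Install")
```

The functions that do not touch osascript can be checked on any system; only display_dialog_as_user needs a logged-in macOS session.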
System Events, Privacy and macOS Mojave
In many scripts the author wraps the display dialog command in a tell statement:
osascript -e 'tell app "System Events" to display dialog "Hello"'
The reason for this is to ensure that the dialog is displayed on top of all other windows: the activate command pushes the targeted process to the front. Both “System Events” and “Finder” are frequently used as targets.
In most cases this is not necessary, as the dialog will properly display on top of all other windows, even as a standalone command. There may be some weird conditions when other applications are launched in the same time frame, though. In other cases it may be better to use display notification, anyway.
In macOS Mojave, Apple Events (AppleScript Commands) can only be sent to another application with user permission.
When you try this command in macOS Mojave, the user will be prompted to allow the Terminal application to control the System Events application.
If the user denies this request, the osascript command will fail with an error:
$ osascript -e 'tell app "System Events" to display dialog "Hello"'
28:50: execution error: Not authorized to send Apple events to System Events. (-1743)
Once a user has denied access, they will not be prompted again. They will have to go to the ‘Privacy’ tab in the ‘Security & Privacy’ pane in System Preferences, search for ‘Automation’ and allow access for Terminal.
However, management scripts will usually not be executed from Terminal, but from within the context of an installation script or management agent. It may be possible to pre-approve configurations with a UAMDM configuration profile, but it will be impossible to anticipate all contexts in which your scripts may run.
For macOS Mojave it is better to modify your script so that it does not wrap the command in a tell statement. Alternatively, you can use a different solution for the UI altogether (e.g. jamfHelper, Yo, Pashua or CocoaDialog).
All of these wrapped commands in scripts will break in macOS Mojave!
MacAdmins need to go through all their management scripts and check for AppleScript UI commands wrapped in tell statements.
When you use the standalone display dialog it will be the AppleScript process itself that displays the dialog. This requires no specific permission.
Even if your dialogs may not appear on top of all the windows, this is a preferable solution.
This will also affect scripts using osascript to control or receive data from other applications.
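To support the audit the previous paragraphs call for, here is an added example (not part of the original post) that reports the lines of a script where a display command is sent through a tell statement, either the one-line tell ... to form or a tell ... end tell block. Standalone display commands are not reported, since osascript shows those itself without any Automation permission. The sample script it is run against is constructed for the example.

```bash
#!/bin/bash
# Added example (not part of the original post): list the lines in a script
# where display dialog/notification/alert is sent through a tell statement,
# i.e. the pattern that Mojave gates behind the Automation privacy prompt.
find_wrapped_ui_commands() {
  awk '
    # one-line form: tell app "System Events" to display dialog "..."
    /tell (app|application) "[^"]*"/ {
      if ($0 ~ / to .*display (dialog|notification|alert)/) {
        print FILENAME ":" FNR ": " $0
        next
      }
      depth++          # block form: tell application "Finder" ... end tell
    }
    /^[ \t]*end tell/ { if (depth > 0) depth-- }
    depth > 0 && /display (dialog|notification|alert)/ {
      print FILENAME ":" FNR ": " $0
    }
  ' "$@"
}

# Constructed sample script with two wrapped dialogs and one standalone one,
# written to a temp file so the function can be exercised offline.
write_sample_script() {
  f=$(mktemp)
  cat > "$f" <<'EndOfSample'
#!/bin/bash
osascript -e 'tell app "System Events" to display dialog "Hello"'
osascript <<EndOfScript
tell application "Finder"
    display dialog "Wrapped in a tell block"
end tell
display dialog "Standalone, no permission needed"
EndOfScript
EndOfSample
  printf '%s\n' "$f"
}

# find_wrapped_ui_commands "$(write_sample_script)"   # reports lines 2 and 5
```

Run it over a directory of management scripts with `find_wrapped_ui_commands /path/to/scripts/*.sh` to get a file:line list to review.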
Summary
question and revisit every use of user interaction in your workflow
when you really have to, you can use osascript with the display AppleScript commands
to be safe, run the commands as the current user
increased macOS Mojave security will require you to verify all your scripts using osascript
Days are getting shorter, summer is starting to wane, and the Apple System release date is getting closer and closer.
Apple released new betas and finally updated the MDM and Configuration Profile References, leaving MacAdmins little time to test and file bugs to be fixed. MacAdmins took to Twitter to complain.
Also, Twitter finally turned off many API features, thus crippling third-party Twitter apps such as Tweetbot and Twitterrific.
If you are considering moving away from Twitter – there are certainly enough reasons, technical and non-technical – Scripting OS X and this newsletter are available on many other channels, including Micro.blog, Mastodon.social, and Apple News. You can find all ways to follow at the end of this post.
Objective-See: “Announcing "Objective by the Sea", a new Mac Security Conference: Nov 3rd/4th in Maui Hawaii @ the stunning Wailea Beach Resort Talks by @thomasareed @iamevltwin @patrickwardle @rrcyrus @jbradley89 & more! …and free for Objective-See patrons”
Erik Gomez: “Apple releases MDM changes on beta 7 and asks for feedback/regression testing. The reports won’t be fixed in 10.14.0. Remember when you warned people to get tickets in before beta 2 to ensure they make it into the GM? These changes should be delayed to the Spring Release”
Erik Gomez: “#macadmin #macadmins – if you’re interested in testing some important changes coming to Mojave, please join the #tcc channel on macadmin’s slack Also here is a google doc for tracking this, much like we did with kexts/32-bit apps https://docs.google.com/spreadsheets/d/1sai3Q8qj9HdyDJfcSAchRELD0mOpik1NPYxr0F9AJRc/edit#gid=0”
Tim Sutton: “If you would ever like the automated creation of a macOS Mojave system image to be possible – (asr imaging or creation of VMs via vfuse or similar).. you may want to dupe Mike’s rdar quoted below, and/or mine: http://www.openradar.me/radar?id=5004136198176768”
Per Olofsson: “I posted a new beta of AutoDMG with a couple of Mojave workarounds”
mikeymikey: “Honestly – between you and me – with what this bug does and what beta 7 just added, 10.14 feels like it’s shaping up to be “10.13 Part 2” / “The Revenge of 10.13” for #macadmins”
William Smith: “New installs of Office for Mac 16.16 (this month’s release) and higher will install Microsoft AutoUpdate 4.2. Going forward, it will default to Automatically Download and Install. #MacAdmins, if you need to manage this, the best method is use a configuration profile.…”
mikeymikey: “This thread contains a good reminder of one of the few things I’ll tell you mobileconfig profiles are great at… ”
Scott Knight: “I created an osquery extension so #MacAdmins could query 32-bit usage across their fleet once 10.14 is released. Hopefully this makes it even easier to identify software that needs to be upgraded prior to 10.15.”
macshome: “Oh cool! The Apple developer docs now go all the way back to 1985! Presenting Technical Note OS01”
Briefly resurfacing from vacation. Much has happened in the last three weeks. This is a long one: find a nice sunny (or shady) spot to settle down, read, and enjoy.
(Vacation time isn’t over. Updates will remain irregular until the end of August.)
Mojave and iOS 12 are now at beta 5. There may be Photoshop on iPad. Apple had a record quarter (once again) and is the first company to be traded at a market cap of 1 trillion USD. They also cancelled the affiliate program for Apps on iOS and macOS.
About the last topic: I use affiliate links for apps and books in this newsletter and other posts on the weblog. I don’t make much money from them – it adds up to enough to afford a movie on iTunes every month or so. The affiliate rate for books remains unchanged (for now). Only Apple has full insight into the numbers involved, but this still seems like a petty move from Apple.
In this time of free services and apps, writing a review or article that convinces someone to part with their money is not easy. If you can pull that off, affiliate links can be a way to earn money from writing (or podcasts, or videos) without filling up your site with obnoxious ads that are not under your control.
Doing so on a scale that the payout is actually worth the effort is incredibly hard. You have to build up a reputation and trustworthiness with your writing (or videos or podcasts). This takes a lot of time and effort. In the end, Apple and the producer (developer, author, etc.) profit from a good review or recommendation. This should have been a win-win-win situation.
Of course, Apple can do what they want and is not and has never been obliged to provide or continue this program. But I am sad that the affiliate program for Apps is going away, as many sites that I enjoy and appreciate will suffer from it. I believe this is a wrong step for the community and eco-system.
If you want to support this newsletter and my weblog (so I can keep buying new movies), buy my books!
In other book- and milestone-related news: This week I sold my 1000th book on the iBooks Store.
A huge “thank you” to everyone who put enough trust in my writing to buy one or more of my books. Even more thanks to those who recommend the books on Slack, conferences, in personal discussion and with reviews on the store. (Seriously, please leave a review!) Writing and publishing continues to be an exhilarating, rewarding and humbling experience.
Otto the Automator: “Simple Automator workflow becomes a Touch Bar Quick Action in macOS Mojave for accessing your entire photo library regardless of which application is frontmost!…”
Otto the Automator: “Automator and AppleScript combine to deliver a macOS Mojave Touch Bar Quick Action for switching the startup disk. A perfect task for automation”
MacAdmins on Twitter
William Smith: “After two days of trying to reformat PDF text and pictures on my #psumac slides to fit all my presenter notes, a simple 2-minute AppleScript fixes my problem. tell application "Keynote" to set size of presenter notes of every slide of front document to 18 #voilà”
Nigel Kersten: “It’s been a long time since I last made the NVRAM claw. ⌘ ⌥ O F Never Forget.”
Tim Perfitt: “Ok, so after many tries, this works reliably: power down, then power up. As soon as the apple appears, press control option on left side and shift on right along with power. Keep holding until the machine powers down and a bit more. It then goes into DFU.” (Thread)
Nikolaj Schlej: “macOS 10.13.6 update brings (limited) UEFI SecureBoot support for iMac Pro, so now if SecureBoot is enabled, Windows detects that and acts accordingly. PK, KEK, db and dbx are read-only (hence limited), configured to trust MS 1st-party CA only.…”
Emily St: “Extremely cool macOS information for mega-nerds: If you’re wondering what iCloud Drive is up to in a given moment, a command will tell you all the transactions it’s running: brctl log --wait --shorten Recommend piping that to less because it’s a huge log of output.”
Ryan Govostes: “Early screenshot of System Integrity Protection, MacOS 8.0 (1997)… ”
Jordan Morgan: “A fun bit of #macOS development history I stumbled upon today, Apple Tech Note 2034. Essentially it included a bunch of guidelines and tips on macOS development but contained such inflammatory assertions that Apple straight up pulled it down (2033/5 are still there)!” (Thread)
I am somewhat surprised that neither of the two 10.13 updates since the book was released or the news about macOS Mojave (10.14) at WWDC has led to major changes.
Even the release of the 2018 MacBook Pro last week confirmed our expectations rather than upending them. Nevertheless, the updates and other new information have added up to the point where I thought it was time for an update. I have listed the changes here. You can also find the list of changes (with links to the relevant sections within the book) in the ‘Version History’ section of the book itself.
Updated Secure Boot sections to include the 2018 MacBook Pro
Added a few notes on Recovery and Content Caching changes with 10.13.5
Restructured and re-wrote the first section of Chapter 5. It is now two sections with some new figures.
Older macOS Versions: added a link to El Capitan download
APFS: replaced mentions of ‘Flash’ drives with ‘solid-state storage (SSD)’, added a note of Apple’s APFS plans in macOS Mojave
corrected the description of non-removable MDM profiles in ‘Avoiding DEP’
Most of the changes are in anything related to Secure Boot (because of the new MacBook Pro). I also re-wrote and clarified the first section of Chapter 5, the ‘Strange New World’ section and added a few new figures to visualize the workflows better. (You can sample read the original version.)
If you have bought the book, the update is free and you should be notified about it in the iBooks app. If you have not purchased the book yet, you can get it in the iBooks Store!
This week started off with the release of the macOS 10.13.6 and iOS 11.4.1 updates – quite unusually posted on a Monday.
Later this week, with another weird scheduling, Apple released new MacBook Pros. The 15" MacBook Pro can now be configured with a six-core i9, up to 32GB of RAM and up to 4TB of SSD. The 13" MacBook Pro can now be configured with a quad-core, but retains the 16GB max RAM limit. It also includes the T2 system controller which was so far exclusive to the iMac Pro.
The T2 chip is what controls (among other things) the Secure Boot process and booting from external drives. Apple has updated the support articles and it is official:
Mac computers that have the Apple T2 chip don’t support starting up from network volumes.
Now, Apple has upgraded their flagship product to Secure Boot. Even if admins could so far ignore the limitations of the expensive iMac Pro, soon Secure Boot will be everywhere. Installation-based deployment workflows should already be in place or a top priority for every Mac Admin.
And finally, this newsletter and my website will be going into vacation mode for the next five weeks. That means no newsletters and much fewer blog posts. I hope you all get time to enjoy some summer vacation as well. I will keep gathering interesting links that I find during that time and restart with a summary of the summer time in late August.
Ben Markowitz: “BRB, making Harry Potter spells into Siri Shortcuts.… ”
Rich Trouton: “When and how do you really know that you built a robust deployment solution? When you essentially stop paying attention to it for a month, while it’s in daily 24–7 use by others, and that’s OK; everything worked fine.”
Victor (groob): “Yes, for both commands InstallApplication and InstallEnterpriseApplication no longer appear to have concurrency issues.… ”
Victor (groob): “You thought one @micromdm_io was enough? Not a photoshop #macadmins… ”
Filippo Valsorda: “For when you want to figure out how to apply some macOS preference from the command line, without Googling for hours for out-of-date defaults commands: $ defaults read | pbcopy # make changes in System Preferences.app $ diff -u -F '^ "' <(pbpaste) <(defaults read)”
Graham R Pugh: “I improved my macOS Erase-Install script. Now it can cache macOS installer ready for later use, and it automatically selects the current production version of macOS: https://github.com/grahampugh/erase-install”
Ross Derewianko: “Thanks to @zoocoup here’s the macOS builds if it matters to you 10.11.6 + SecUpdate 2018–004 = 15G22010 10.12.6 + SecUpdate 2018–004 = 16G1510 10.13.6 = 17G65”
John C. Welch: “if you’re on mojave beta 3 and your script menu scripts silently fail, resave them as apps. Then you get the “authorize” dialog. Bug filed.”
Rene Ritchie: “I don’t look at it as buying an app (or song or book or whatever). I look at it as supporting creators who make things I value. If I don’t do that, I risk it becoming unsustainable and not getting the next update or app (or game or movie or whatever.) It’s an investment.… https://t.co/llpRFSZniM”
The new features, improved RAM and SSD capacity, keyboard (!) and screens are all nice and interesting. Even more remarkable is that Apple mentions the T2 chip in the headline.
Of course, the T2 chip means that, like the iMac Pro, the 2018 MacBook Pros will not NetBoot (at all) or boot from external devices (without going through a convoluted setup process).
So far, it was possible to downgrade 2017 MacBook Pros to Sierra and keep using the same imaging procedures as before. Now, Apple has moved their flagship Mac model to the new architecture.
If you do not have an installation-based deployment workflow prepared yet, it is high time to get one in place. I explain what you can do and give some examples of how you can do it in my new book: “macOS Installation for Apple Administrators” (sample chapter here).
On macOS, dscl is a very useful tool to access data in the local user directory or another directory the Mac is bound to. For example, you can read a user’s UID with:
However, dscl is treacherous. Its output format changes depending on the contents of an attribute. When an attribute value contains whitespace, the output has two lines:
With attributes like the UID, it is fairly safe to assume that there will be no whitespace in the value. With other attributes, such as RealName or NFSHomeDirectory, you cannot make that prediction with certainty. Real names may or may not have been entered with a space. A user (or management script) may have changed their home directory to something starting with /Volumes/User HD/... and your script may fail.
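For scripts that read the plain dscl output rather than the property list form, an added example (not from the original post) that extracts one attribute and handles both layouts, value on the same line or on the following indented line. The dscl output it runs against is constructed for the example, including a home directory with a space in its path.

```bash
#!/bin/bash
# Added example (not from the original post): read one attribute from raw
# "dscl . -read" output and cope with both layouts: value on the same line,
# or, when the value contains whitespace, on the following indented line.
dscl_attr_value() {
  # $1 = raw dscl output, $2 = attribute name (e.g. UniqueID)
  printf '%s\n' "$1" | awk -v attr="$2" '
    $0 ~ ("^" attr ":") {
      val = substr($0, length(attr) + 2)     # text after "Attr:"
      sub(/^ +/, "", val)
      if (val == "") {                       # two-line form: value is next line
        if ((getline val) > 0) sub(/^ /, "", val)
      }
      print val
      exit
    }'
}

# Constructed sample of what dscl prints for a user whose real name and home
# folder contain spaces (UniqueID on one line, the others split over two).
SAMPLE_DSCL_OUTPUT='UniqueID: 501
RealName:
 Jane Doe
NFSHomeDirectory:
 /Volumes/User HD/jane'

# A naive  awk '{print $2}'  on the same output would yield "/Volumes/User";
# this returns the full path:
# dscl_attr_value "$SAMPLE_DSCL_OUTPUT" NFSHomeDirectory
```

On a real Mac the first argument would be `"$(dscl . -read "/Users/$user" "$attr")"`.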
To remove this output ambiguity, dscl has a -plist option which will print the output as a property list:
The resulting property list is a dict containing a key with the native attribute name and an array containing the values, even when there is only one value.
Having a property list is nice, but parsing property lists in a shell script is challenging. I have found two solutions.
Xpath
You can use the xpath tool to extract data from the XML output:
Note that the xpath output does not include a final new line character, which makes it look a bit strange.
The xpath argument in detail means:
//string[1]: the first of any string element
/text(): the text contents of that string object
This syntax makes a lot of assumptions about the property list input. I believe they are safe with the dscl output. (Please test)
If you want to play around with xpath syntax, I recommend using an interactive tool. I used this one from Code Beautify which worked well enough, but frankly I just randomly chose one from the list of search results for ‘xpath tester’. (If you can recommend a great one, let us know in the comments.)
PlistBuddy
As I said, the xpath solution makes a lot of assumptions about the layout of the property list. A safer way of parsing property lists would be a dedicated tool, such as PlistBuddy. However, PlistBuddy does not read from stdin. At least not voluntarily.