Inspecting Packages

The macOS installation process installs a pkg file with root credentials. Because of this high level of privileges, it is essential for a Mac system administrator or security expert to be able to inspect the files and scripts.

macOS comes with several tools to work with package files. Most of them are command line tools. pkgutil lets you examine a pkg file and its contents before the actual installation. It also lets you inspect which packages and files have already been installed on a given system.

Installed Packages

You can use the pkgutil command to list packages that have been installed on the system.

$ pkgutil --pkgs

This will list all packages that have been installed on the system. On a freshly installed macOS 15.5 system the list is very short:

com.apple.files.data-template

But depending on the version of macOS and how long the system has been running the list may have hundreds of entries. You can use grep to filter the output, but pkgutil has its own filter option: (I ran this on a system with a few more things installed.)

> pkgutil --pkgs='com.scriptingosx.*'
com.scriptingosx.Installomator
com.scriptingosx.swift-prefs-tools
com.scriptingosx.utiluti
com.scriptingosx.desktoppr

Note that you need to quote the search term otherwise the shell will attempt to expand the wildcard.

Information for an Installed Package

pkgutil --pkgs lists the identifiers of the packages. Identifiers are chosen by developer, but should generally follow the “reverse DNS notation” scheme.

When properly used, identifiers allow the installer process to distinguish between new installations, upgrades and packages that have already been installed. There is another piece of information necessary to determine this and that is the version of a package. To get the version and other information on a specific package run

> pkgutil --info com.scriptingosx.desktoppr 
package-id: com.scriptingosx.desktoppr
version: 0.5-218
volume: /
location: 
install-time: 1720421876 

The install time is logged in epoch time (seconds since January 1, 1970). To convert it into something readable by humans you can use the date command:

> date -r 1720421876
Mon Jul  8 08:57:56 CEST 2024

Note: in earlier versions of Mac OS X the information on installed packages were stored in individual files called receipts. While the information is now stored in a database, the data is still referred to as a receipt.

Listing the Files a Package Installed

The --files option lists all the files that were installed by a package. The file paths are given relative to the packages install-location. Usually, but not always, the install location is the root of the file system/.

> pkgutil --files com.scriptingosx.desktoppr
usr
usr/local
usr/local/bin
usr/local/bin/desktoppr

The --file-info option does the reverse and looks up which package installed a specific file. If a file was placed there by multiple packages with different package identifiers, you will get a list.

> pkgutil --file-info /usr/local/bin/desktoppr
volume: /
path: /usr/local/bin/desktoppr

pkgid: com.scriptingosx.desktoppr
pkg-version: 0.5-218
install-time: 1720421876
uid: 0
gid: 0
mode: 100755

The installer receipt remembers the file’s owner (uid, 0 is root) and group (gid, 0 is wheel) and the permission mode that was stored in the package. Along with the actual files, the installer package also contains the owner, group, and mode (access privileges) for each file.

The metadata in the receipt may not match the file’s metadata on the disk. This indicates that the file was changed since installation. But it is difficult, if not impossible to know whether the change was intentional, accidental or even malicious. You will have to use your good judgement.

Unfortunately, some developers do not know or understand that installation packages also set the metadata for payload files and you often see changes to the owner, group and file mode applied in a postinstall script. When evaluating whether an installed file has been tampered with after installation, it is necessary to check postinstall scripts for such actions.

When a file was not installed by a package installer the --file-info option will return the path and volume, but no package information:

> pkgutil --file-info /Applications/Notes.app       
volume: /
path: /Applications/Notes.app

This is also the case for files that were copied, moved or created by a package’s preinstall or postinstall script. You only get the package data for files that were placed from a package’s payload.

Forgetting an installed package

The installation system on macOS uses the package identifier and version in the receipt to determine if an installation is new to the system, a different or new version of an already installed package, or a re-installation of a package of the same version. The behavior of the installation may change between theses scenarios.

You may notice that when you delete files or apps that were installed from a package and then re-install the same version of the package, that the files may not re-appear on the system. This happens often when you are testing an installation workflow over and over again on the same system.

You can use pkgutil --forget to remove the receipt of a package from the system. The --forget option will not delete any files that were installed on the system. All it removes is the installation receipt. If you then install the same package again, the system will consider it a fresh, new installation and the payload should be installed correctly.

Uninstalling

The macOS installation system does not have an option to uninstall or remove files and apps that were installed with an installation package. You can get a list of files that were installed from the package payload or the receipt. This will be a good starting point, but an app or tool might also create daemons, agents, preferences, configuration files, and other resources in various places across the file system. All these files weren’t part of the package payload and wouldn’t be tracked in the receipt. You will have to inspect all of these and judge whether you need to remove them, as well. Daemon and agents will need to be properly unloaded and quit before deleting their files.

Once you have built a script that performs the un-installation to your satisfaction, you should also run pkgutil --forget and remove the record of the package being installed to ensure a future re-installation will run smoothly.

Inspecting Package Payload Files

Sometimes you want to see what a package file will do without actually installing it. pkgutil has some options for that, too.

Our example file will be the installer I provide for one of my projects: desktoppr. Desktoppr is a command line tool to set the desktop picture or wallpaper on macOS.

You don’t have to actually install desktoppr to inspect the pkg. Though if you want to, you can install the pkg and use pkgutil to determine what it installed and then delete that single file later.

You can download the latest package installer file for desktoppr from the ‘Releases’ section on the GitHub repository. Note that, like many other projects, desktoppr has a pkg and a zip download. For this, we are only interesting in the pkg file.

The file command reports a pkg file is a xar archive:

$ file ~/Downloads/desktoppr-0.5-218.pkg
/Users/armin/Downloads/desktoppr-0.5-218.pkg: xar archive compressed TOC: 4389, SHA-1 checksum

(The exact output of this command may vary depending on your version of macOS and the version of the pkg.)

Packages are compressed into a single archive file. This ‘flat’ package format was introduced in Mac OS X Leopard 10.5 in 2007, replacing and deprecating the previous ‘bundle-style’ packages. Bundle-style packages were finally made defunct in macOS Sequoia 15.0 in 2024. Unless you have to support legacy Macs you should only encounter flat packages.

To expand the package, we can use pkgutil --expand

> pkgutil --expand desktoppr-0.5-218.pkg Desktoppr
> ls Desktoppr
Distribution  desktoppr.pkg

This will create a folder named Desktoppr with the expanded contents of the package file.

Inside this folder, you will see a file named Distribution. Open this file with a text editor. (open -e Desktoppr/Distribution will open the file in TextEdit if you don’t have another editor available.)

This XML file contains the metadata for the installer process. The most interesting elements are pkg-ref, which has the version and the identifier for the package and the components. It also shows the options or components that are available from the user in the Installer application.

There is a sub-folder called desktoppr.pkg inside the expanded folder. The pkgutil --expand command has already expanded this component, so we don’t need to expand it again.

> ls Desktoppr/desktoppr.pkg/
Bom         PackageInfo Payload

Note: When you are inspecting the expanded file structure in Finder, it will show this subdirectory with the package icon. The folder name ends with .pkg which Finder erroneously interprets as a file extension for a bundle-style installation package. If you want to see the contents of this folder in Finder, choose ‘Show Package Contents’ from the context menu.

Inside the sub-directory or component, you will find three more files.

PackageInfo is another XML file with metadata on the component. The most relevant information in here is right in the first pkg-info tag, which has attributes for identifier, version and install-location.

The Payload file is another archive with the actual files inside it. If you wanted to extract the files manually you can do so with:

> tar xvf Desktoppr/desktoppr.pkg/Payload
x .
x ./usr
x ./usr/local
x ./usr/local/bin
x ./usr/local/bin/desktoppr

The folder structure of the payload is relative to the package’s install-location.

Bill of Materials

The last file is called Bom which is short for ‘Bill of material’. It contains an entry for each file in the Payload with additional metadata: owner, group, and file mode (access privileges). It is stored in a binary format, so it cannot be read with a text editor, but you can read the content with the lsbom command.

> lsbom Desktoppr/desktoppr.pkg/Bom
.    40755   0/0
./usr    40755   0/0
./usr/local    40755   0/0
./usr/local/bin    40755   0/0
./usr/local/bin/desktoppr    100755  0/0 271792  550451430

This will output one line per item in the package. The entries or columns per line are: path, file mode, owner id/group id, file size and a CRC 32-bit checksum (only for files).

There are many options to control the output of the lsbom command. You can find them all in its man page.

Since the bill of material (Bom) is very interesting pkgutil provides a shortcut to get it without having to expand the entire pkg file.

> pkgutil --bom desktoppr-0.5-218.pkg
/tmp/desktoppr-0.5-218.pkg.boms.vVNvMz/desktoppr.pkg/Bom

This command will extract the Bom into a temporary file and output the path. You will use this most commonly together with lsbom.

pkgutil also has a --payload-files option:

pkgutil --payload-files desktoppr-0.5-218.pkg 
.
./usr
./usr/local
./usr/local/bin
./usr/local/bin/desktoppr

This output shows only the file path. If you require more information, use the --bom option to export the Bom file and use lsbom.

More Complex Packages

The desktoppr installation package is a very simple package. It installs a single binary file.

For a slightly more complex package, you can download the installer pkg for Setup Manager. Setup Manager is an enrollment tool that works with Jamf Pro and Jamf Connect.

Again, you do not have to actually run the installer to inspect. In this case, the tool will only work on a Mac managed with a Jamf management server at enrollment. Nevertheless inspecting this package will be instructive.

First, use pkgutil to list the payload files.

> pkgutil --payload-files Setup\ Manager-1.3.1-610.pkg
.
./Library
./Library/LaunchAgents
./Library/LaunchAgents/com.jamf.setupmanager.loginwindow.plist
./Library/LaunchDaemons
./Library/LaunchDaemons/com.jamf.setupmanager.plist
./Library/LaunchDaemons/com.jamf.setupmanager.finished.plist
./Applications
./Applications/Utilities
./Applications/Utilities/Setup Manager.app

There are more files that are listed, but they are all files and folders in the Setup Manager.app bundle. This package installs two LaunchDaemons and a LaunchAgent, as well as the Setup Manager application in /Applications/Utilities

To learn more, expand the package file with pkgutil:

> pkgutil --expand Setup\ Manager-1.3.1-610.pkg SetupManager
> ls SetupManager                     
Distribution      Resources         Setup Manager.pkg
> ls SetupManager/Resources        
License.rtf Readme.rtf

We see a new subfolder named Resources which contains two rich text files. These are shown in the respective panes when the pkg file is opened with the Installer application. You can double-click the Setup Manager pkg to open it in the Installer application and see the two panes. You don’t need to follow through with the installation.

When we dig further into the expanded Setup Manager we see another folder we did not have before:

ls SetupManager/Setup\ Manager.pkg/
Bom PackageInfo Payload Scripts
ls SetupManager/Setup\ Manager.pkg/Scripts
postinstall preinstall

The Scripts folder in the component contains two scripts: preinstall and postinstall. The installation process will run these scripts before and after the payload files are installed on the system.

When you open the script files in a text editor, you can see that these unload and load the LaunchAgents and Daemons in the payload.

You can use pkgutil and lsbom to inspect all kinds of packages. If you want to practice, the Microsoft installers are a very good exercise.

Component Packages

There is a simpler type of packages. As an example, download the installer pkg for an early version of desktoppr.

When you expand this pkg file with pkgutil, you will see no Distribution XML file or sub-component folders.

$ pkgutil --expand desktoppr-0.3.pkg Desktoppr0.3
ls Desktoppr0.3/
Bom PackageInfo Payload

Instead you see the three files we saw earlier in the component subfolder of the main pkg: Bom, PackageInfo, and Payload. Nevertheless, if you were to install this package, it would work just fine and install its payload.

This is a component package. Generally, component packages are built as an intermediate step to assemble the distribution package format we saw earlier. Nevertheless, component package files will work fine on their own, as well.

Distribution Packages, Product Archives, and Component Packages

Most of the pkg files you will encounter are distribution packages. Distribution packages do not have a payload or installation scripts of their own. Distribution packages contain one or more components. Each component will have a payload and (possibly) installation scripts.

Distribution packages are wrappers for their components and can have some extra data, such as the License and ReadMe file we saw earlier.

Apple’s developer documentation often refers to “product archives.” Product Archives are a different name for distribution packages with a specific set of metadata. Most relevantly, product archives have an identifier and version set.

Distribution packages and product archives allow the developer to customize the interactive installation process in the Installer application. Product archives are also a requirement for publishing in the Mac App Store. For these reasons, product archives are the recommended choice for developers to distribute their software.

Component packages already provide the most relevant feature for package installers: they install files. They are quite simple to create, which makes them popular with Mac system administrators who often need to build custom installers that are installed silently from a management system. There are, however, some situations where distribution packages are required with management systems, too.

Suspicious Package

Understanding the command line tools and workflows to expand and inspect pkg files is a good exercise and an important foundation to building packages. Nevertheless, it can be tedious when all you want is to just to see the files inside or some metadata for the package.

The application ‘Suspicious Package‘ provides a powerful and useful graphical interface for inspecting installation packages and their payloads. It gives an overview of package’s metadata, including signature and notarization status. It will show a detailed graphical view of the payload, the metadata files and installations scripts. When necessary, you can preview or extract individual files for further analysis

There will still be situations where you will need pkgutil, but Suspicious Package is an indispensable tool for any Mac Admin and Mac security professional. You can download Suspicious Package for free from Mothers Ruin Software.

Weekly News Summary for Admins — 2023-10-13

In my session at MacSysAdmin conference in Gothenburg last week, I announced that the name of this weekly news summary will be changing to “MacAdmins.news“.


(Sponsor: SentinelOne)

macOS MetaStealer | New Family of Obfuscated Go Infostealers Spread in Targeted Attacks

The rise of macOS infostealers continues with the latest entrant aiming to compromise business environments with targeted social engineering lures.

Continue Reading here


Why the change? This news summary has taken on a life of its own from my main Scripting OS X blog. I had been thinking it deserved a name and domain of its own, for a while, but I couldn’t think of one that I liked. When I realized that MacAdmins.news was available and I checked in with the MacAdmins Foundation if they would mind me using it.

I had already been double-posting to the new website for a few weeks to make sure that everything is working. Over the next few weeks, I will be updating everything else. Slowly and carefully, I don’t want to disrupt anything too badly.

If you are receiving this news summary by email and have mail rules by subject or sender you may have to update them, but I will announce the changes here before they take effect in the emails.

Go read this week’s news summary on MacAdmins.news!

If you would rather get the weekly newsletter by email, you can subscribe to the MacAdmins.news here!! (Same content, delivered to your Inbox once a week.)

macOS Ventura 13.5 and iOS 16.6

macOS

iOS and iPadOS

Guides

Other Platforms

Applications

Community

Other updates

Weekly News Summary for Admins — 2023-06-02

This is the Friday before WWDC. Next week we will know more about Apple’s plans for the upcoming platforms, and whether the virtual headset is real or continues to be vaporware. Will there be new Macs? Finally a Apple Silicon Mac Pro!?


(Sponsor: vast limits)

uberAgent Logo

Provide productive AND secure digital employee experiences

uberAgent is an innovative digital employee experience monitoring and endpoint security analytics product for macOS and Windows. uberAgent helps enterprise IT provide fast, reliable, and secure devices & applications that boost employee productivity while strengthening cybersecurity. Try for yourself and get your free 100-user community license at uberagent.com.


Next week Friday we will also have seen the “What’s new for Enterprise” session that is probably hiding behind all those (admittedly quite funny) made up session names in the WWDC Slack for now. This will be the really interesting session for us Apple admins.

But the most interesting things released next week will be the beta of all the platforms. Check your AppleSeed for IT logins. Warm up your internet lines for the gigabytes of downloads. Get Apple Configurator ready in case you need to downgrade devices. Backup important data on the devices you want use for testing. Get the Developer app on your devices updated, so you can watch the videos.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

Focus

I will be presenting at the JamfNation Live events in Wiesbaden and Amsterdam. (Be sure to checkout the events in London and Paris, as well. You can still register.) Attendees to the German event will have the honor of listening to me presenting in German for the first time in nearly two decades. The language for the Amsterdam event will be English, in case you were wondering if it might be worth crossing a border to go there.

We took the opportunity to do our Benelux MacAdmins Meetup the evening before the Amsterdam JNL event (June 19). The event is free but requires registration as the seats are limited and filling up quickly. I will be taking part in a panel discussion on Patch Management. Dean Hager (Jamf CEO) will be the special guest.

Later this year, I will also be presenting at MacSysAdmin in Göteborg, Sweden. The program isn’t published yet, but you can already register!

When you run across me at any of these events, feel free to say hi! I will have some Scripting OS X stickers for those who know to ask…

News and Opinion

Security and Privacy

Support and HowTos

Scripting and Automation

Updates and Releases

To Watch

To Listen

Just for Fun

Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

MacAdmins Slack: a highly opinionated guide (2023)

I wrote the original opinionated guide to the MacAdmins Slack in 2018, nearly five years ago. I thought it was time for a new, updated guide.

MacAdmins Slack?

I love MacAdmins Slack. I am logged in most workdays. I use it for research, solving problems, camaraderie, and just plain fun. The community there is wonderful. If you are new to Slack or similar chat/community apps, it can be a little strange.

The MacAdmins Slack also stands out due to its unusual size. As of this writing, there are more than 50,000 accounts on the MacAdmins Slack and more than 5000 weekly active users. There are also far more than 1000 channels.

You might be new to Slack, or new to a public Slack of this size. You might also be new to managing Apple devices and have not encountered the MacAdmins community before. The community in the MacAdmins Slack is amazing, but there are also a few things that are particular to this Slack. So, I tried to put this guide together to help new members get some orientation.

This is, as the title says, highly opinionated. The community is large and diverse and you will find differing opinions on nearly everything.

Note: I have also recently had the honor to join the admins group in the MacAdmins Slack. Nevertheless, this post will often reflect my opinion. The Code of Conduct, however, is “important and enforceable. The Mac Admins Slack Admin Team will enforce this code throughout all channels within the Slack.”

What is Slack?

Slack is a popular message board application. It’s a cross between a bulletin board system and a chat room.

Slack has a web interface and clients for most operating systems. The user interface can differ between the different platforms. Instructions in this post will be for the Mac standalone app version, though most advice will be valid for Slack across all platforms.

The MacAdmins Slack is a particular instance which specializes on topics relevant to Apple Administrators. (macOS and iOS, despite the name) You can sign up here. Please read the Code of Conduct here, as well.

The MacAdmins Slack started out in 2015 as an employee sponsored instance, but since 2022 it is funded by the MacAdmins Foundation.

The Lingo

There are a few terms particular with Slack which might be confusing at first.

Slack help has a helpful general glossary, which can be helpful.

An organization can set up a Slack “Workspace.” You can be a member of and logged into multiple workspaces. You may have a workspace for your job, the MacAdmins Slack and maybe some other social workspaces. You will have a different login and username for each workspace.

Channels

Within a workspace, Slack is separated into “channels.” Channels can be public or private. Channel names are prefixed with the symbol #.

When you sign in for the first time, you are be added to the #general and #announcements channels by default.

In the left sidebar at the top of the list, you will find an option labeled “More” and in that submenu is a “All Channels” item that allows you to browse and search existing channels. You can also use the search field at the top of the window to search for channels (and everything else).

When you are typing a message and start a word with the # character Slack will treat this as a link to a channel. When you start typing the channel name Slack will suggest auto-completions. If a channel with the name exists, the word will be linked and users can click it to be taken to that channel.

Public channels in MacAdmins Slack are either on a generic subject (e.g. #security), particular technology (#ios and #macos, and each incarnation, such as #ventura and #monterey), software (e.g. #jamfnation, #microsoft-office, or #adobe), open source projects (#munki, #autopkg, #swiftdialog, or #installomator), regions or countries (#anzmac, #london, #benelux, or #macadminsfr), events (#psumac or #wwdc) or pretty much everything else.

The language on MacAdmins is usually English, though regional channels are often in that region’s language. Be aware that English is not everyone’s first or main language. While this can make communication frustrating on both sides, please remain polite, patient and friendly.

All channels can have a topic which is displayed at the top next to its name. Many channels will use the topic to lay some rules particular for this channel. When you join a channel make sure to read and respect the topic.

To be honest, there are way #toomanychannels. The reason for this is that anyone can create a channel. Before you create a new channel, you should browse and search and maybe ask if there is already a channel for that particular purpose or topic. #general is usually a good place to ask if you can’t find something obvious in the channel browser.

In addition there are private channels, which work basically the same, but cannot be searched and only joined on invitation.

Special Channels

There are a few channels that have special roles or uses:

#general: the “anything” channel, as long as the topic is somewhat MacAdmin related. Questions asked here may are often answered directly or you will be referred to a different channel.

#announcements: used by the team of admins to… well… make announcements. You cannot post in this channel and you cannot leave this channel.

#ask-about-this-slack: for questions to the admins about the MacAdmins Slack (not a support channel on Slack in general)

#gettingstarted: for people new to managing Apple devices. There are quite a few ‘seasoned’ people in this channel ready to answer question you might deem to basic for other channels.

#jobs-board and jobs-chat: The ‘board’ channel is for offering or seeking for jobs. This channels rules state that any discussion about the post and work in general should happen in #jobs-chat. There are some more channels that have this dichotomy, e.g. #blog-feed and #blog-chat.

Emojis

Emojis are an important part of Slack..

You can just insert an Emoji when typing with the standard macOS or iOS emoji picker. You can also type an emoji name or ‘code’ between colon characters:. So :grin: will turn into the grinning smiley. This is usually more convenient than the system pickers.

When you see an emoji, you can hover the mouse over it to learn its name or code.

Reactions

You can react to a post with an emoji with the reaction button. (the smiley with the + symbol). Then the emoji will be shown attached to the post.

Multiple reactions by different users will be shown next to each other, and they will be counted up. When you hover your mouse over a reaction, it will show which users added that particular reaction.

Be generous with reactions: it never hurts to show appreciation.

Special Reactions

Some emojis/reactions are unique to Slack or carry special meaning:

:+1: displays as the ‘thumbs up’ emoji, which is commonly used to show approval or support, though some prefer :plus1: or :heavy_plus_sign:

:protip: highlights a great tip; a bot gathers all posts with this reaction in the #protips channel

:raccoon: notify that an ongoing discussion might be better suited for another channel (Why is it a raccoon?)

:dolphin: when leaving a channel states that you are merely leaving to prune your channel list and not because something has upset you. It is a reference to Douglas Adam’s “So long and thanks for all the fish.” You do not have to use this every time you leave a channel. In high volume channels, it would be very annoying. Save this emoji for situations where it makes sense

Custom Emojis

You can upload your own emoji. Or add new names for existing ones.

To Thread or not to Thread

You can reply to a post directly in a channel’s timeline or create a ‘thread’ where the replies are collapsed or sorted with the original post. Use the speech bubble icon to create a thread. When replying in a thread, you have the option to show the reply in the channel’s main timeline as well.

Replying in a thread has the advantage of keeping the message timeline of the channel clean, especially in busy channels where multiple discussions on different topics may be going on at the same time. You can also reply to your own post to supply more detail on your post when you don’t want to clutter the main timeline.

You will be notified of new replies to a thread when you wrote the original post, replied to it, or were mentioned in it. You should be aware of this, especially when the discussion in the thread drifts away from the original question. Be mindful of all the people in the thread that will be getting notifications for something they may no longer be interested in and consider moving the discussion to a new thread. You can turn off notifications for a particular thread you not interested in anymore.

In the MacAdmins Slack there is no general rule on whether you should reply in threads or not. In general, you should prefer replying in threads in busy channels and avoid them in quieter channels. Mostly, you want to follow the lead of other channel members.

Notifications

Set up Do not Disturb

To avoid excessive notifications, you can set Slack to ‘Do not Disturb‘ mode by clicking on the bell icon next to the Workspace name. You can snooze the Slack for a certain and setup a recurring schedule to mute notifications overnight.

A user who mentions you while have the ‘Do not Disturb’ mode enabled will be informed why you may not be reacting.

Manage your Notifications

Aside from the ‘Do not Disturb’ feature you can further manage the notifications Slack can send to you.

In addition to be notified when you are mentioned (@ed) you can add certain keywords that may be interesting to you. (e.g., I have keywords for my books and some of the projects)

Use the ‘@’ Wisely

You can ‘mention‘ another user with the @ symbol and their username. With Slack’s default setting the user will get notified of a mention. When you use @scriptingosx in a post, it will notify me, even when I am not in the channel.

This can be very useful to ‘summon’ someone into a channel, because they might be interested or able to contribute to a discussion. Be very mindful with mentions. Remember that you may be ringing all of someone’s devices with it.

Slack is not Email

The MacAdmins Slack can get very busy. You may have the urge to keep up with every message in every channel you follow. This may be possible when you are in just a few channels. However, I have gotten used to just hitting ‘shift-escape’ (Mark all as read) in the morning and maybe again in the afternoon. I try to keep up with discussions and threads I am part of, and have learnt to be ok with missing most others.

You can prune the list of channels to a manageable size, but even so there will probably be more than you can read. You can also sort the channels into customized sections in the sidebar, which can help a bit.

Formatting Posts

You can use a simplified MarkDown-like syntax to format your posts. Enclosing a word or sentence in underscores _ will turn it italic, asterisks * will turn it bold.

If you have trouble remembering the syntax, you can also see the most common formatting options in small text under the message entry field.

Posting Code

Since MacAdmins Slack is a technical forum, posting commands or pieces of code will be fairly common. When you enclose a sequence of words with single backticks it will be shown in monospace font, which others will usually understand to be a command.

When you use triple backticks, Slack will interpret the text in between as a code block. Other special characters and white space (multiple space, tabs, new lines) will be shown as is. This is useful to share short code blocks or log sections.

You can also use the code and code block options from the formatting toolbar.

To share full scripts or longer log files, use Slack Snippets. You can create a snippet with the big ‘+’ button next to the text entry or by just dragging a script or text file into the slack window.

Editing and deleting

Other Slack workspaces may allow you to delete your own posts or edit them indefinitely. In the MacAdmins Slack, you cannot delete posts and only edit them for a short time after they have been created. The goal is to reduce trolling and gaslighting.

When you accidentally posted information you want to be removed, like the password you entered in the wrong app or personal information in a screen shot, you can ping one of the @admins for help.

Asking questions

We all use Slack to ask for help when we are stuck. The willingness to help each other out it one of the strengths of the MacAdmin community. However, when you do have to ask for help, there are a few common courtesies you should follow. (These hold true for any request for help, like a support incident.)

Don’t just say “Help, XYZ is broken!” Don’t ask if “anyone knows ABC?”

Vague questions will, at best, yield vague or very generic replies. But usually it will not receive any reply. Most readers of this questions will be careful to reply. Once you reply to a question, even if it just with the request for clarification, there is an expectation that you will follow-up with a proper reply. But if the question is vague, I cannot judge how much effort that will add up to be, or maybe the question might move out of my area of competence entirely… It is far less effort to not reply at all.

Don’t ask permission to ask a question. Just ask.

Be respectful

Keep in mind that everyone on the MacAdmins Slack has a job, which is not answering your questions. We are all volunteering our time to help each other out.

Don’t @ or DM people just because they have helped you before, unless you want to follow-up on something very specific and/or they have made it clear you are welcome to do so. This also applies to prominent contributors or owners of tools and projects.

There is a much larger audience of potential helpers in the relevant channel. There is a much higher likelihood of a response when you are not annoying.

Keep your question relevant

Sometimes a question might just drown in another ongoing conversation. Sometimes, especially on the less busy channels, no-one will be around to answer. Be patient before you start cross-posting to other channels. When you feel you have to cross-post to another channel, you can share or forward the original post to another channel. This has the benefit that a discussion will not be split between two channels with two different audiences and avoid repetition and redundancy.

If you feel your question drowned in some other discussion, it’s ok to repeat your question, once the ongoing discussion subsides. You can share or forward the original post with a remark to the same channel. But don’t spam, maybe it’s just that no-one really has an answer. Maybe try re-formulating the question with more detail. Or ask if there is another, more appropriate channel to share the question with.

Watch the (world) clock

While there are MacAdmins logging in from around the world, the MacAdmins Slack is still busiest during North American office hours. Keep that in mind when posting questions, especially if you are hoping for a specific person to reply. Be aware of time zones when you post in regional channels, as well.

You can see a user’s local time in their profile. This might give you an idea of when they might be online or not. You can get to any user’s profile by clicking on their icon.

Be Descriptive and Specific

Explain what you are trying to achieve, in which context. Show what you already tried to fix the problem. (you did try to solve it yourself first, didn’t you?) I find, that often the act of formulating the question properly helps me figure out the solution myself, or at least get closer to a solution.

People who want to help you will follow-up with those questions, but will be more likely to help when the request is well formulated and has (most of) the necessary context. Don’t make people have to guess or make assumptions.

Examples:

Bad:

Does anyone know policy scripts?

or

My policy script does not work! Can anybody help?

Better:

I am trying to build a policy script that prompts the user for a computer name and sets it. I am using osascript, but it is failing with a strange error and I don't understand why?

Even better: add the script (or the relevant part of the script) and errors you are seeing.

What do you want to accomplish?

Even when you ask questions properly and with detail, you may get the the counter-question: “What is it you actually want to accomplish?” or some similar phrase. This is a recurring question on the MacAdmins Slack.

When you get this question, someone believes that you may be narrowing down on a dead end and a completely different approach may be more appropriate. They want to get your ‘big picture’ to understand the context. The problem of focussing on a detail of the solution rather than the actual problem is also called the “XY Problem.”

Take this time to step back, explain your goals and let the MacAdmins community help you gain some new perspective. It may be hard to let go of what you are doing but resist the temptation to double down on the vexing detail. This question can lead to the most interesting discussions.

Provide the solution

Sometimes you might ask a question and then figure out the solution yourself before someone answers. That’s great. But be sure to let people know you have solved the problem and share the solution you found. When someone searches the Slack for the same question, they might just find your solution!

Join the Slack and Enjoy!

Overall I feel the MacAdmins Slack is a great place to share and receive knowledge for MacAdmins. I you still haven’t signed up, go and do it here!

If you already are a member, I hope you learnt something useful here. If you think I missed something important, then let me know! (My user name on the MacAdmins Slack is @scriptingosx.)

Weekly News Summary for Admins — 2023-02-10

Even though Apple still hasn’t released a beta for macOS 13.3 and iOS 16.4, there are several updates for tools from the MacAdmins community, be sure to check out that section.


(Sponsor: Mosyle)

Mosyle Logo

The only Apple Unified Platform for Business

Mosyle is the only solution that fully integrates Enhanced MDM, Endpoint Security, Internet Privacy & Security, Single Sign-On, and Application Management on a single Apple-only platform.

Click here to learn why Mosyle is all you need to work with Apple.


If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

📸Focus

The MacAdmins Foundation has announced that they can now provide Apple Developer ID signing identities to MacAdmin open source projects.

Open source projects for the Mac usually have the choice between not signing their software releases, or signing them with a personal or organizational Apple Developer ID, which cost a yearly subscription and, in the case of the personal ID, literally puts the name of the main lead in the signature.

The MacAdmins Foundation certificates now provide another option, that will be very attractive for some projects. Nudge is the first tool that has been released with a MacAdmins Foundation signature.

📰News and Opinion

⚙️Software Updates

🦣Social Media

  • Kristian Harstad: “You don’t need a photo background removal app if you run MacOS. Right-click a photo in Finder, click Quick Actions, choose Remove Background. Your Mac does the rest perfectly, and produces a background-removed copy of your photo with “Background Removed” suffixed to the filename.”

🔐Security and Privacy

🔨Support and HowTos

🤖Scripting and Automation

♻️Updates and Releases

📺To Watch

🎧To Listen

📚Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Weekly News Summary for Admins — 2023-02-03

How is it February already? Didn’t we just do New Year’s and that January thing?


(Sponsor: SentinelOne)

macOS Payloads: 7 Prevalent and Emerging Obfuscation Techniquese

Learn about the techniques behind the latest macOS threats and stay ahead of the game in protecting your enterprise. From hidden scripts and shell script compilers to obfuscated Python, Cobalt Strike and more.

Continue Reading Here >>


A week has passed since the release of macOS 13.2 and iOS 16.3 and no beta for 13.3 and 16.4 yet. I don’t think we should read too much into this, but it is unusual.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

Focus

Congratulations to all who got (or will get) the scholarship certifications and many thanks to the Mac Admins Foundation for making this possible!

The Penn State MacAdmins conference announced the date this week. Also, JNUC opened their registration. If you are planning to present at conferences, now is the time to start making plans. You can find a list of the conferences so far along with links to their information, registration, and ‘call for sessions’ pages on my conference page.

After three years of mostly virtual presentations, fun as they were, I have to remember that participating on-site in four or more conferences is probably not a wise choice…

News and Opinion

Social Media

  • Kris Nóva: “So we (GitHub) just rolled out support for Mastodon profiles.”

Security and Privacy

Support and HowTos

Scripting and Automation

Updates and Releases

To Listen

Just for Fun

Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Weekly News Summary for Admins — 2023-01-20

Not only did we get release candidates for the iOS 16.3 and macOS 13.2 updates next week, but Apple also released new MacBooks Pro and a new Mac mini with M2 and M2 Pro and Max chips. Also, they released a second generation big HomePod.


(Sponsor: SentinelOne)

Top 10 macOS Malware Discoveries in 2022

How did threat actors change their TTPs in 2022? What new trends did we observe? Improve your defenses by understanding the most recent macOS malware families.

Continue Reading Here >>


The Mac mini with the M2 Pro chip closes an annoying gap that Apple has had in their Mac portfolio. In the Intel Mac era, the use case for a powerful desktop Mac was covered by the high-end iMac and Mac mini, as well as the low-end Mac Pro. With M1 chips the Mac mini and iMac with M1 maxed out at 16Gb of RAM. The Mac Studio starts with the M1 Max chip at a higher price point. The Intel Mac mini sort had to fill that particular gap.

But the new Mac mini with the M2 Pro Chip nicely fills this slot, where is provides more CPU, GPU, RAM, and SSD than the ‘plain’ M1/M2 while staying below the Mac Studio’s price range.

I can see many uses for this “Mac mini Pro” especially for users who prefer the size, battery life, and price point of the MacBook Air over the more powerful 14″ and 16″ MacBooks Pro, but may want just that more power on their desktop connected to a multi-display setup. Also, lightweight video and audio editing stations that may have been limited by the ‘plain’ M1’s RAM limitation, should be fine with the Mac mini with the M2 Pro. One of the amazing aspects of the Mac mini is that its particular design has been nearly unchanged since 2010.

With the introduction of the Mac mini with the M2 Pro chip, Apple has also removed this second-to-last remaining Intel Mac, the 2018 space gray Mac mini with a 6-core Intel core i5 chip, from the store. The 2019 Mac Pro is now the last remaining Intel Mac.

There are still some weird empty spots left in the product line up. The iMac 24″ still has the ‘plain’ M1, and the ‘M2 or M2 Pro’ options would fit the iMac line nicely, too. Many are hoping for a larger iMac display option, but I am not so sure this is in Apple’s plans (I’d love to be wrong). The option to connect a second, external display on a potential ‘iMac with M2 Pro,’ could be a workable alternative, leaving the high-end, multi-screen setups to the Mac Studio and Mac Pro.

The other empty spots in the Mac line-up are at the extreme ends. The Apple silicon Mac Pro will be a challenge and come under intense scrutiny from the Pro users that need that level of power and expandability and those that claim to. A new, smaller MacBook in the style of the 12″ MacBook, or 11″ MacBook Air, which gives up some processing power in favor of size, portability, battery life and (maybe) price, would be quite interesting. I’d also like Apple to take a stab at a ‘Mac nano’ closer in size to the Apple TV, which can be powered over USB-C/Thunderbolt and connected to a display or dock with a single cable.

It is also rare that Apple revives a product after discontinuation, which makes the new 2nd generation HomePod quite intriguing. The original HomePod was never for sale in my region, so I set up two pair of IKEA’s Symfonisk speakers in our house, which work fine. But I wish the Sonos software which powers the Symfonisk speakers would support HomeKit and Shortcuts better, or at all. I also have a single HomePod mini. The options to ‘move’ music (and radio and podcasts) from the phone or Mac to the HomePod are more powerful than on the Sonos software, but the Siri-only interface is still bewildering to me. There is also an interface to control the HomePod in the Home app, but that also seems quite unintuitive. On the other hand, the size of the HomePod mini allows me to take it on travels, which I think is wonderful.

In non-hardware news, the X World conference has announced dates for their conference in Melbourne, Australia on March 30 and 31 making it the next upcoming MacAdmin conference.

As always, you can find an overview on my conference page.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

Focus

I want to take this as chance to explain my treatment of Twitter going forward for now:

I have always used third-party Twitter clients (mostly Tweetbot) over the web interface or their native app. I have always found the web interface confusing, grating, and just too much attention-seeking. I had stopped interacting on Twitter after the takeover and only used it to catch up with some accounts which I have not found to be elsewhere.

I was expecting the worst for Twitter after the takeover, but even so, the utter lack of respect, decency, and humanity shown to employees, advertisers, users/creators, and now third-party developers has been shocking.

I understand that Twitter as a business was probably in for some tough times either way. But economic pressure is no excuse for this crass, and cowardly behavior. You should not assume malice where incompetence is an explanation. In this case, though, it just might be both.

I have stopped reading Twitter entirely. I am in the process of removing Twitter references from my pages. (Though I might not have found every reference yet.) Weblog entries will still automatically post to Twitter, but I will not engage there any more, at all.

It used to be that Twitter would provide a majority of the traffic going to my weblog, second only to search engines. This started to change earlier last year with a significant drop in November, which continues to this day. Other social media such as the Mastodon Fediverse and LinkedIn seem to making up for that drop and I am active and engaged there, as well as the MacAdmins Slack.

News and Opinion

Social Media

Security and Privacy

Support and HowTos

Scripting and Automation

Updates and Releases

To Listen

Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Weekly News Summary for Admins — 2022-12-16

The holidays are near, the year is approaching its end. But for MacAdmins, this remained a busy week. The first update for macOS Ventura was released alongside iOS and iPadOS 16.2 many other updates.


(Sponsor: iMazing)

Your favorite tool for configuring & provisioning fleets of Apple mobile devices

Automatically back up devices, restore, wipe, set up, supervise, and enroll with your MDM provider—locally and easily with iMazing Configurator.

And don’t miss iMazing Profile Editor, our free and well-loved utility for composing comprehensive configuration profiles for iPhones, iPads, and Macs.


This is the first macOS update after the “special measures” to avoid a bug in the macOS software update system present in 12.3 though 12.6 that would consider upgrades to 13.x as updates with regard to managed deferrals. Now, Monterey client in that version range will present 13.1 to the end user, even if major updates are managed to be deferred. Apple has updated the support article on this.

The new updates bring some new features, as well. The new Freeform app seems like a nice tool. I have actually used Keynote for similar tasks, but I think Freeform is a bit, well, free-er and creative. We also got the new Advanced Data Security for iCloud, network locations make a return to macOS Ventura, and “Apple Music Sing”…

This is the last news summary for the year 2022. Many thanks to all of you readers!

Happy Holidays and all the best for the new year 2023!

The news summary will return on 13 January 2023. See you then!

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

News and Opinion

macOS Ventura 13.1 and iOS 16.2

macOS Ventura 13.1

iOS 16.2 and iPadOS 16.2

Apple Platform Deployment Guide

Other Systems

Applications

Apple Support

Community

Social Media

  • @mikeymikey@hachyderm.io: “JUST A REMINDER: 13.1 is the first Ventura update past the 30 day hold for OTA major upgrades for MDM managed macOS devices. If you have devices on 12.3-12.6 still and you DO NOT have a minor deferral in addition to a major deferral – on these buggy versions of macOS (12.6.1+ fixes the bug), 13.1 OTA will be seen as a -minor- update, not major and as such will NOT be deferred by only having a major deferral in place.” (Thread)
  • @scriptingosx@mastodon.social: “Apple’s new Freeform app seems nice. I can see myself using this. However, there are no Shortcuts actions and no AppleScript dictionary. (I know… what was I expecting…) I can think of several workflows where Freeform would fit in wonderfully. Now imagine you could add buttons with shortcuts or Apple scripts in Freeform!”

Security and Privacy

🔨Support and HowTos

Scripting and Automation

Updates and Releases

To Listen

Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Weekly News Summary for Admins — 2022-12-02

We got another round of betas for macOS Ventura 13.1 and iOS/iPadOS 16.2. If the schedule from previous years can be taken as guidance, next week is a good guess for the release date. Maybe a week more, since this week’s release was not labeled as release candidate.


(Sponsor: iMazing)

Your favorite tool for configuring & provisioning fleets of Apple mobile devices

Automatically back up devices, restore, wipe, set up, supervise, and enroll with your MDM provider—locally and easily with iMazing Configurator.

And don’t miss iMazing Profile Editor, our free and well-loved utility for composing comprehensive configuration profiles for iPhones, iPads, and Macs.


Jamf has released the session recordings from the Jamf Nation User Conference earlier this year on YouTube, accessible to all! There are 151 videos, many of which should be interesting, even when you don’t use Jamf as your management server. I have updated the resources page for my session, as well as my conferences overview page.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

News and Opinion

macOS Ventura and iOS 16

macOS and iOS Updates

Social Media

  • SentinelOne on Twitter: “10 wrong assumptions about #macOS #security A thread”
  • Basic Apple Guy on Twitter: “iCloud Storage Over the Years” (Image)
  • MartinLang on Twitter: “The SAPTechEd 2022 keynotes had lots of ‘Mobile Moments’ in them. Native Mobile apps are definitely a thing across SAP’s entire Solution and Tech portfolio. I wanted to share some of these mobile moments in this thread.”
  • Mr. Macintosh on Twitter: “Apple uses the terms ‘Shipping OS’ or ‘version of macOS that came with your Mac’ Purchased: M1 16″ MBP on 10/18/21 = Monterey 12.0.1 M1 16″ MBP on 11/30/22 = Ventura 13.0 The 16″ was shipped with Ventura, but it can still be downgraded to 12.0.1 My Apple Silicon macOS chart” (click for chart and short thread)

Security and Privacy

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Watch

To Listen

Just for Fun

Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!