Weekly News Summary for Admins — 2021-05-21

This is the first sponsored News Summary. Some background: I left my job as a Systems Engineer earlier this year. The plan is to focus more on writing books, freelance consulting, and some other ideas. Whether you like it or not, as a freelancer you have to spend your time on things that make money. Since I want to continue this newsletter, taking on sponsors seemed like a good solution.

I want to have sponsors whose offerings are relevant to MacAdmins and I am really grateful that SentinelOne stepped up to give it a go!


(Sponsor) eBook: macOS Threat Hunting & Incident Response

Here’s a detailed eBook from SentinelOne, covering macOS security, including real examples and step-by-step instructions. An essential read about Threat Hunting and Incident Response.

The eBook is provided for free; you can download your copy here.


Just to clarify: I am not sharing any subscriber information directly with the sponsors. But please follow the links and read their offerings carefully, so that they see the worth of sponsoring here! 😉 I think SentinelOne is starting out with an interesting eBook free offer!

I am also looking forward to more interesting sponsors in the future! (If you think your company or product is a good fit to sponsor this newsletter, please contact me!)

In other MacAdmin news this week: we got the first reviews for the M1 iMac and the iPads Pro. Apple is starting to release news ahead of WWDC. (Just a bit over two weeks left.) We got an announcement for lossless and spatial audio in Apple Music and an amazing preview for new features for people with disabilities.

On the system update news: macOS 11.4 and iOS 14.6 have not been released yet, but macOS 11.5 beta and iOS 14.7 beta have been released in the beta channels.


If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

News and Opinion

MacAdmins on Twitter

  • ConfiantIntel: “OSX/Bundlore Loader found (0 detections in VT) compiled for ARM (targeting the new M1 MacBook!), and notarized by Apple.” (Thread)
  • Nathaniel Strauss: “MDM initiated software update on M1 MacBook Air. Failed twice during download phase. Restarted. Failed at the end of prepare phase. Restarted. Couldn’t get process to run at all. Will not be using MDM software updates in the short term.”
  • Tim Perfitt: “We are pretty much feature complete for MDS 4. Here are the exciting new features.” (Image with text)

Security and Privacy

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Watch

To Listen

Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Weekly News Summary for Admins — 2021-05-14

No new updates this week. Nevertheless, MacAdmins seem to be taking the time to catch up and get some work done, as we got many interesting posts this week. We also got beta3 for 11.4.

MacDeployment is scheduled for June 1–2 and you can register to attend for free! I will be doing “An Online Presentation on Presenting Online.” I have also updated my conference overview page.


To support this weekly news summary, please consider:

macOS Terminal and Shell Book Cover

macOS Terminal and Shell: 
You have always wanted to ‘learn Terminal,’ right? This book teaches how (and why) to use the command line on macOS. Get it on Apple Books!

(If you have already bought the book, please leave a review on the Apple Books Store. Thank you!)


If you are interested in sponsoring this newsletter, please contact me!

Kandji has commissioned Jason Snell of Six Colors to create an Enterprise Report Card for Apple. This is a chance for Mac Admins to give feedback on how they see Apple.

The deadline to add your score and comments is today May 14, 2021. The results will be compiled to run in early June before WWDC. The contact information is for the survey only and you can choose to remain anonymous.

This is a great chance for MacAdmins to provide some feedback!

📰News and Opinion

🐦MacAdmins on Twitter

  • Rich Trouton: “I learned something useful about macOS login keychain behavior today: When you’re logged in and open Terminal, your login keychain unlocks for that Terminal session. When you’re connecting to your Mac via SSH and provide your password, your login keychain unlocks for that SSH session. When you’re connecting to your Mac via SSH and are using passwordless login, your login keychain does not unlock for that SSH session. Makes sense, right? No password, no automatic unlock. Still caught me off guard when something I was expecting to work did not work.”
  • Brent Simmons: “Right now is actually a pretty great time for Mac apps. Old faves like BBEdit, NetNewsWire, Acorn, OmniOutliner, and many others are still around — and there are amazing newcomers like Sketch and Nova and plenty of others. The best may be yet to come. :)”
  • Marco Arment: “Instead, what we keep hearing from Apple is ‘You owe us for your entire business, you should be thankful for everything we’ve done for you, we don’t need you, we’re doing you a favor by allowing you, and your apps add absolutely no value to our highly profitable hardware.’” (Thread)
  • Tim Perfitt: “M1 Mac mini arrived! I shall use this thread for my findings.” (Thread)

🔐Security and Privacy

🔨Support and HowTos

🤖Scripting and Automation

🍏Apple Support

♻️Updates and Releases

🎧To Listen

🎈Just for Fun


Weekly News Summary for Admins — 2021-05-07

After the long-awaited big updates last week, Apple followed up this week with another, albeit much smaller, update. macOS 11.3.1 et al. are security updates for some pretty serious bugs that may already be exploited.

Less than one month until WWDC!

MacDevOpsYVR has started releasing their speaker list and I am proud to say that I will be doing a 15 minute talk, titled ‘The Encyclopedia of Packages.’ You should check out the speaker list, it is very interesting. MacDeployment is now scheduled for June 1-2. I have updated my conference overview page!




If you are interested in sponsoring this newsletter, please contact me!

Kandji has commissioned Jason Snell of Six Colors to create an Enterprise Report Card for Apple. This is a chance for Mac Admins to give feedback on how they see Apple.

The deadline to add your score and comments is May 14, 2021. The results will be compiled to run in early June before WWDC. The contact information is for the survey only and you can choose to remain anonymous.

This is a great chance for MacAdmins to provide some feedback!

News and Opinion

macOS and iOS Updates

🐦MacAdmins on Twitter

  • Maxwell: “Every system library and framework is in the shared cache, and now there are 4 shared caches in system/library/dyld. x64h, arm, rosetta and x86 for that 1 trash can Mac Pro they still haven’t canned. each about a gig but they compress well.”
  • Craig Hockenberry: “One thing I’ve noticed as of late is Apple locking things down without looking at the bigger picture of how sometimes more security actually makes things less secure. Let me explain…” (Thread)

Security and Privacy

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Watch

To Listen


MacAdmin Support Pages

For the editions of the newsletter that come out right after an update for macOS or iOS, there is a set of links to Apple Support pages that I include regularly. Apple updates these support pages with new information after an update.

Some of these “What’s New” pages are fairly well hidden in user guides or the developer documentation. The search on Apple’s support page is often not very effective in finding them, so I have built myself a list of links over time.

I have also included links to some support pages that I frequently use or refer others to, as well as some third party links with great reference pages.

Since I plan on updating this list when necessary, I have made a separate page:

MacAdmin Support Pages

I might have missed something or be unaware of some extra useful links, please let me know in the comments, or ping me on Twitter or in the MacAdmins Slack!

Weekly News Summary for Admins — 2021-04-30

Finally!

After a beta phase that seemed longer than the initial macOS Big Sur beta (it wasn’t) we finally got macOS 11.3 this week. And iOS 14.5 and siblings. I am sure you are all already unlocking your iPhone with a mask on and tracking the AirTags you ordered.

Lots of information about macOS 11.3 for MacAdmins, which I have gathered here.

Oh yes, and Apple had another blow-out quarter…




📰News and Opinion

🌅macOS Big Sur 11.3 and iOS 14.5

Reactions

🐦MacAdmins on Twitter

  • Tim Perfitt: “If you use Terminal, you must use tab completion. Not so you can look fancy or be faster (which is awesome) but because it checks it while you do it and is FAR more accurate.”
  • Tim Perfitt: “Some very interesting findings for installing macOS on an M1 today by @RandomApps. As you may know, we lost the ability to run startosinstall in recovery on an M1. It turns out you can get back almost all the automation with a couple of carefully placed files.” (Thread)

🔐Security and Privacy

🔨Support and HowTos

🤖Scripting and Automation

♻️Updates and Releases

🎧To Listen


Weekly News Summary for Admins — 2021-04-23

The Spring Loaded Apple Event delivered: we got a new podcast app with subscriptions, a purple iPhone, AirTags (for when we all can go out and lose things again), new Apple silicon iMacs, and a new iPad Pro. And the M1 Mac mini silently got a new option for 10GigE.

The new iMac comes in seven colors, very reminiscent of the colored G3 iMacs. Its specs mostly match the current M1 Macs, with a few differences. The low-end model has only two USB-C/Thunderbolt ports. The higher model has two USB-C/Thunderbolt ports, two USB-C ports, and an Ethernet port in the power brick.

Overall, I consider this a promising update for the iMac. But now that Apple has transitioned all the entry level Macs, I am very curious to see how the ‘Pro’ Macs will transition and am looking forward to WWDC.




📰News and Opinion

🍏Spring Loaded Event

🐦MacAdmins on Twitter

  • tlark: “So Apple patched the Apache vuln in a Big Sur security patch, but did not list it in the security docs. Apple has not patched it for previous OSes. I only know about this b/c we collect vuln scan data. Anything older than Apache 2.4.46 is vuln” (Thread)

🔐Security and Privacy

🔨Support and HowTos

🤖Scripting and Automation

♻️Updates and Releases

🎧To Listen

🎈Just for Fun


Installomator Updated: v0.5

It has been a while, mainly because I was busy with other things, but there finally is a new release version of Installomator!

The reason work has progressed—quite significantly—even though I was distracted is that Søren Theilgaard and Isaac Ordonez have joined the project as contributors. All of the work from 0.4 to 0.5 was from one of them. We have some great plans to move this tool forward, as well.

Many of these new app labels have been provided from others, either through GitHub issues, pull requests, or through comments in the #installomator channel on MacAdmins Slack. Thanks to all who contributed.

What’s new in v0.5:

  • Major update and now with help from @Theile and @Isaac
  • Added additional BLOCKING_PROCESS_ACTION handlings
  • Added additional NOTIFY=all. Useful if used in Self Service, as the user will be notified before download, before install as well as when it is done.
  • Added variable LOGO for icons in dialogs, use LOGO=appstore (or jamf or mosyleb or mosylem or addigy). It’s also possible to set it to a direct path to a specific icon. Default is appstore.
  • Added variable INSTALL that can be set to INSTALL=force if software needs to be installed even though latest version is already installed (it will be a reinstall).
  • Version control now included. The variable appNewVersion in a label can be used to tell what the latest version from the web is. If this is not given, version checking is done after download.
  • For a label that only installs a pkg without an app in it, a variable packageID can be used for version checking.
  • Labels now sorted alphabetically, except for the Microsoft ones (that are at the end of the list). A bunch of new labels added, and lots of them have either been changed or improved (with appNewVersion and packageID).
  • If an app is asked to be closed down, it will now be opened again after the update.
  • If your MDM cannot call a script with parameters, the label can be set in the top of the script.
  • If your MDM is not Jamf Pro, and you need the script to be installed locally on your managed machines, then take a look at Theile’s fork. This fork can be called from the MDM using a small script.
  • Script buildCaseStatement.sh to help with creating labels has been improved.
  • Fixed a bug in a variable name that prevented updateTool from being used
  • added type variable for value "updateronly" if the label should only run an updater tool.

And if you are counting, there are now more than 260 application labels in Installomator. However, that number is a bit inflated, because several vendors have multiple downloads for Intel and Apple Silicon apps.

Get the script and find the instructions on the GitHub repo.

If you have any feedback or questions, please join us in the #installomator channel on MacAdmins Slack.

Thanks again to all those who contributed!

(Installomator Icon credit: Mischa van der Bent)

Weekly News Summary for Admins — 2021-04-16

This week Apple finally sent out the invitations for an event next week. The “Spring Loaded” event will take place next week, April 20, at 10am PDT.

Releases of iOS 14.5, macOS 11.3, and siblings are likely on or around that day then. We did get an eighth beta this week. Next week should be interesting.




In other news, Parallels and Docker now have officially released Apple silicon native solutions. Ironically, Parallels cannot (yet?) host macOS Big Sur guest systems, only Windows 10 for ARM (preview) and ARM Linux systems.

Docker does not come as a Universal download, but as two separate downloads, which seems a common thing in this transition. Why is it that so many apps are separate downloads in this transition?

📰News and Opinion

🔐Security and Privacy

🔨Support and HowTos

🤖Scripting and Automation

♻️Updates and Releases

📺To Watch

🎧To Listen

🎈Just for Fun


Scripting OS X — Weekly News Summary for Admins — 2021-04-09

Another week and no update from Apple. We did get another round of betas (beta7, 20E5229a) for macOS, iOS and siblings.

But we did get an announcement of Apple Tiles… no, wait… third party support for “Find My…” tracking. Apple’s plan to keep releasing something every week continues.




📰News and Opinion

🐦MacAdmins on Twitter

  • Tim Perfitt: “MDS 4 is coming along. The current build adds a fancy new button.” (Thread)
  • Joel Rennich: “It’s Wednesday… so that means more fun with Single Sign On Extensions! This time we’re doing a bit of an “off-label” use of the SSOE and making it authoritative for a ZTNA service instead of an IdP which lets Xcode use modern auth directly for repos.” (Thread)
  • Kelsey Hightower: “Software isn’t enterprise ready until it has a “contact sales” pricing tier.”

🔐Security and Privacy

🔨Support and HowTos

🤖Scripting and Automation

🍏Apple Support

♻️Updates and Releases

📺To Watch

🎧To Listen

🎈Just for Fun

  • James Thomson: “This isn’t necessarily pretty, but it does work! You can roll dice from an AppleScript, check if they are still rolling, and get the final result. All in a UIKit-based Catalyst app.”


Get Password from Keychain in Shell Scripts

MacAdmin scripts often require passwords, mostly for interactions with APIs.

It is easiest to store the password in clear text, but that is obviously a terrible solution from a security perspective. You can pass the password as an argument to your script, but that is inconvenient and may still appear in clear text in the ps output or the shell history.

You can obfuscate the password with base64, but that is easily reversible. You can even try to encrypt the password, but since the script needs to be able to decrypt the password, you are just adding a layer of complexity to the problem.

macOS has a keychain, where the user can store passwords and allow applications and processes to retrieve them. We can have our script retrieve a password from a local keychain.

There are limitations to this approach:

  • the password item has to be created in the keychain
  • the user has to approve access to the password at least once
  • the keychain has to be unlocked when the item is created and when the script runs—this usually requires the user to be logged in
  • the user and other scripts can find and read the password in the Keychain Access application or with the security tool

Because of these limitations, this approach is not useful for scripts that run without any user interaction, e.g. from a management system. Since the user can inspect the key in Keychain Access, it is also not well suited for critical passwords and keys.

However, it is quite useful for workflow scripts that you run interactively on your Mac. This approach has the added benefit that you do not have to remember to remove or anonymize any keys or passwords when you upload a script to GitHub or a similar service.

Note: Mischa used this in his ‘OnAirScanner’ script.

Update: I didn’t remember this, but Graham Pugh has written about this before.

How to Store a Password in the Keychain

Since adding the password to your keychain is a one-time task, you can create the password manually.

Open the Keychain Access application and choose “New Password Item…” from the Menu. Then enter the Keychain Item Name, Account Name and the password into the fields. The “Keychain Item Name” is what we are going to use later to retrieve the password, so watch that you are typing everything correctly.

You can also add the password from the command line with the security command.

> security add-generic-password -s 'CLI Test' -a 'armin' -w 'password123'

This will create an item in the Keychain with the name CLI Test and the account name armin and the horribly poor password password123.

How to Retrieve the Password in the Script

To retrieve a password from the keychain in a script, use the security command.

> security find-generic-password -w -s 'CLI Test' -a 'armin'

This will search for an item in the keychain with a name of CLI Test and an account name of armin. When it finds an item that matches the name and account it will print the password.

The first time you run this command, the system will prompt to allow access to this password. Enter your keychain password and click the ‘Always Allow’ button to approve the access.

This will grant the /usr/bin/security binary access to this password. You can see this in the Keychain Access application in the ‘Access Control’ tab for the item.

When you create the item with the security add-generic-password command, you can add the -T /usr/bin/security option to immediately grant the security binary access.

Whether you grant access through the UI or with the command, keep in mind that every other script that uses the security binary will also gain access to this password.

For very sensitive passwords, you can just click ‘Allow’ rather than ‘Always Allow.’ Then the script will prompt interactively for access every time. This is more secure, but also requires more user interaction.

Once you have tested that you can retrieve the password in the interactive shell, and you have granted access to the security binary, you can use command substitution in the script to get the password:

cli_password=$(security find-generic-password -w -s 'CLI Test' -a 'armin')

This command might fail for different reasons. The keychain could be locked, or the password cannot be found. (Because it was either changed, deleted or hasn’t been created yet.) You want to catch that error and exit the script when that happens:

pw_name="CLI Test"
pw_account="armin"

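# Run the lookup first, then save its exit status; inside 'if ! command'
# the value of $? is already 0 by the time the echo runs.
cli_password=$(security find-generic-password -w -s "$pw_name" -a "$pw_account")
exit_code=$?
if [ "$exit_code" -ne 0 ]; then
  echo "could not get password, error $exit_code" >&2
  exit 1
fi

# for testing only: do not print real passwords
echo "the password is $cli_password"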
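The retrieval step above, wrapped as a reusable function and fed to an API call, as an added example that is not part of the original post. The names SECURITY_BIN, keychain_password, curl_auth_config and api_get are assumptions made here; the credential reaches curl through `--config -` on stdin, so it does not show up in the ps output or shell history the introduction warns about.

```shell
#!/bin/sh
# Added example: fetch a password from the keychain and pass it to curl
# without placing it on any command line.

# Absolute path, so a different "security" earlier in PATH is never used.
# Overridable only so the functions can be exercised on a non-macOS host.
SECURITY_BIN=${SECURITY_BIN:-/usr/bin/security}

# keychain_password SERVICE ACCOUNT
# Prints the password on stdout. On failure prints a message on stderr
# and returns the exit status of the security tool (1 for an empty result).
keychain_password() {
  kp_service=$1
  kp_account=$2
  # In the else branch $? still holds the status of the lookup itself.
  if kp_value=$("$SECURITY_BIN" find-generic-password -w \
        -s "$kp_service" -a "$kp_account"); then
    kp_status=0
  else
    kp_status=$?
  fi
  if [ "$kp_status" -ne 0 ] || [ -z "$kp_value" ]; then
    echo "keychain lookup for '$kp_service' failed (status $kp_status)" >&2
    [ "$kp_status" -ne 0 ] || kp_status=1
    return "$kp_status"
  fi
  printf '%s\n' "$kp_value"
}

# curl_auth_config USER PASSWORD
# Prints one line in curl's config-file syntax. Backslashes and double
# quotes are escaped because the value sits inside a quoted string.
# printf is a shell builtin, so the password never appears in a process
# argument list; sed receives it on stdin.
curl_auth_config() {
  ca_value=$(printf '%s:%s' "$1" "$2" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
  printf 'user = "%s"\n' "$ca_value"
}

# api_get SERVICE ACCOUNT URL
# Looks up the password, then runs an authenticated GET with the
# credential supplied on curl's stdin.
api_get() {
  ag_password=$(keychain_password "$1" "$2") || return $?
  curl_auth_config "$2" "$ag_password" |
    curl --silent --fail --config - "$3"
}

# Usage on a Mac (the URL is a placeholder):
#   api_get 'CLI Test' 'armin' 'https://api.example.com/v1/status'
```

Passwords containing newlines are not handled by curl_auth_config.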