MacAdmin Support Pages

For the editions of the newsletter that comes out right after a update for macOS or iOS, there are a set of links to Apple Support pages that I include regularly. Apple updates these support pages with new information after an update.

Some of these “What’s New” pages are fairly well hidden in user guides or the developer documentation. The search on Apple’s support page is often not very effective in finding them, so I have built myself a list of links over time.

I have also included links to some support pages that I frequently use or refer others to, as well as some third party links with great reference pages.

Since I plan on updating this list when necessary, I have made a separate page:

MacAdmin Support Pages

I might have missed something or be unaware of some extra useful links, please let me know in the comments, or ping me on Twitter or in the MacAdmins Slack!

Weekly News Summary for Admins — 2021-04-30

Finally!

After a beta phase that seemed longer than the initial macOS Big Sur beta (it wasn’t) we finally got macOS 11.3 this week. And iOS 14.5 and siblings. I am sure you are all already unlocking your iPhone with a mask on and tracking the AirTags you ordered.

Lot’s of information about macOS 11.3 for MacAdmins, which I have gathered here.

Oh yes, and Apple had a another blow-out quarter…


To support this weekly news summary, please consider:

macOS Terminal and Shell Book Cover

macOS Terminal and Shell:
You have always wanted to ‘learn Terminal,‘ right? This book teaches how (and why) to use the command line on macOS. Get it on Apple Books!

(If you have already bought the book, please leave a review on the Apple Books Store. Thank you!)


📰News and Opinion

🌅macOS Big Sur 11.3 and iOS 14.5

Reactions

🐦MacAdmins on Twitter

  • Tim Perfitt: “If you use Terminal, you must use tab completion. Not so you can look fancy or be faster (which is awesome) but because it checks it while you do it and is FAR more accurate.”
  • Tim Perfitt: “Some very interesting findings for installing macOS on an M1 today by @RandomApps. As you may know, we lost the ability to run startosinstall in recovery on an M1. It turns out you can get back almost all the automation with a couple of carefully placed files.” (Thread)

🔐Security and Privacy

🔨Support and HowTos

🤖Scripting and Automation

♻️Updates and Releases

🎧To Listen

📚 Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Weekly News Summary for Admins — 2021-04-23

The Spring Loaded Apple Event delivered: we got a new podcast app with subscriptions, a purple iPhone, AirTags (for when we all can go out and lose things again), new Apple silicon iMacs, and a new iPad Pro. And the M1 Mac mini silently got a new option for 10GigE.

The new iMac comes in seven colors, very reminiscent of the colored G3 iMacs. It’s specs mostly match the current M1 Macs, with a few differences. The low-end model has only two USB-C/Thunderbolt ports. The higher model has two USB-C/Thunderbolt ports, two USB-c ports, and an Ethernet port in the power brick.

Overall, I consider this a promising update for the iMac. But now that Apple has transitioned all the entry level Macs, I am very curious to see how the ‘Pro’ Macs will transition and am looking forward to WWDC.


To support this weekly news summary, please consider:

macOS Terminal and Shell Book Cover

macOS Terminal and Shell:
You have always wanted to ‘learn Terminal,‘ right? This book teaches how (and why) to use the command line on macOS. Get it on Apple Books!

(If you have already bought the book, please leave a review on the Apple Books Store. Thank you!)


📰News and Opinion

🍏Spring Loaded Event

🐦MacAdmins on Twitter

  • tlark: “So Apple patched the Apache vuln in a Big Sur security patch, but did not list it in the security docs. Apple has not patched it for previous OSes. I only know about this b/c we collect vuln scan data. Anything older than Apache 2.4.46 is vuln” (Thread)

🔐Security and Privacy

🔨Support and HowTos

🤖Scripting and Automation

♻️Updates and Releases

🎧To Listen

🎈Just for Fun

📚 Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Installomator Updated: v0.5

It has been a while, mainly because I was busy with other things, but there finally is a new release version of Installomator!

The reason work has progressed—quite significantly—even though I was distracted is that Søren Theilgaard and Isaac Ordonez have joined the project as conributors. All of the work from 0.4 to 0.5 was from one of them. We ahve some great plans to move this tool forward, as well.

Many of these new app labels have been provided from others, either through GitHub issues, pull requests, or through comments in the #installomator channel on MacAdmins Slack. Thanks to all who contributed.

What’s new in v0.5:

  • Major update and now with help from @Theile and @Isaac
  • Added additional BLOCKING_PROCESS_ACTION handlings
  • Added additional NOTIFY=all. Usuful if used in Self Service, as the user will be notified before download, before install as well as when it is done.
  • Added variable LOGO for icons in dialogs, use LOGO=appstore (or jamf or mosyleb or mosylem or addigy). It’s also possible to set it to a direct path to a specific icon. Default is appstore.
  • Added variable INSTALL that can be set to INSTALL=force if software needs to be installed even though latest version is already installed (it will be a reinstall).
  • Version control now included. The variable appNewVersion in a label can be used to tell what the latest version from the web is. If this is not given, version checking is done after download.
  • For a label that only installs a pkg without an app in it, a variable packageID can be used for version checking.
  • Labels now sorted alphabetically, except for the Microsoft ones (that are at the end of the list). A bunch of new labels added, and lots of them have either been changed or improved (with appNewVersion og packageID).
  • If an app is asked to be closed down, it will now be opened again after the update.
  • If your MDM cannot call a script with parameters, the label can be set in the top of the script.
  • If your MDM is not Jamf Pro, and you need the script to be installed locally on your managed machines, then take a look at Theiles fork. This fork can be called from the MDM using a small script.
  • Script buildCaseStatement.sh to help with creating labels have been improved.
  • Fixed a bug in a variable name that prevented updateTool to be used
  • added type variable for value "updateronly" if the label should only run an updater tool.

And if you are counting, there are now more than 260 application labels in Installomator. However, that number is a bit inflated, because several vendors have multiple downloads for Intel and Apple Silicon apps.

Get the script and find the instructions on the GitHub repo.

If you have any feedback or questions, please join us in the #installomator channel on MacAdmins Slack.

Thanks again to all those who contributed!

(Installomator Icon credit: Mischa van der Bent)

Weekly News Summary for Admins — 2021-04-16

This week Apple finally sent out the invitations for an event next week. The “Spring Loaded” event will take place next week, April 20, at 10am PDT.

Release of iOS 14.5, macOS 11.3, and siblings are likely on or around that day then. We did get an eighth beta this week. Next week should be interesting.


To support this weekly news summary, please consider:

macOS Terminal and Shell Book Cover

macOS Terminal and Shell:
You have always wanted to ‘learn Terminal,‘ right? This book teaches how (and why) to use the command line on macOS. Get it on Apple Books!

(If you have already bought the book, please leave a review on the Apple Books Store. Thank you!)


In other news, Parallels and Docker now have officially released Apple silicon native solutions. Ironically, Parallels cannot (yet?) host macOS Big Sur guest systems, only Windows 10 for ARM (preview) and ARM Linux systems.

The Docker does not come as a Universal download, but as two seperate downloads, which seems a common thing in this transition. Why is it that so many apps are separate downloads in this transition?

📰News and Opinion

🔐Security and Privacy

🔨Support and HowTos

🤖Scripting and Automation

♻️Updates and Releases

📺To Watch

🎧To Listen

🎈Just for Fun

📚 Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Scripting OS X — Weekly News Summary for Admins — 2021-04-09

Another week and no update from Apple. We did get another round of betas (beta7, 20E5229a) for macOS, iOS and siblings.

But we did get an announcement of Apple Tiles… no, wait… third party support for “Find My…” tracking. Apple’s plan to keep releasing something every week continues.


To support this weekly news summary, please consider:

macOS Terminal and Shell Book Cover

macOS Terminal and Shell:
You have always wanted to ‘learn Terminal,‘ right? This book teaches how (and why) to use the command line on macOS. Get it on Apple Books!

(If you have already bought the book, please leave a review on the Apple Books Store. Thank you!)


📰News and Opinion

🐦MacAdmins on Twitter

  • Tim Perfitt: “MDS 4 is coming along. The current build adds a fancy new button.” (Thread)
  • Joel Rennich: “It’s Wednesday… so that means more fun with Single Sign On Extensions! This time we’re doing a bit of an “off-label” use of the SSOE and making it authoritative for a ZTNA service instead of an IdP which lets Xcode use modern auth directly for repos.” (Thread)
  • Kelsey Hightower: “Software isn’t enterprise ready until it has a “contact sales” pricing tier.”

🔐Security and Privacy

🔨Support and HowTos

🤖Scripting and Automation

🍏Apple Support

♻️Updates and Releases

📺To Watch

🎧To Listen

🎈Just for Fun

  • James Thomson: “This isn’t necessarily pretty, but it does work! You can roll dice from an AppleScript, check if they are still rolling, and get the final result. All in a UIKit-based Catalyst app.”

📚 Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book as well!

Get Password from Keychain in Shell Scripts

MacAdmin scripts often require passwords, mostly for interactions with APIs.

It is easiest to store the password in clear text, but that is obviously a terrible solution from a security perspective. You can pass the password as an argument to your script, but that is inconvenient and may still appear in clear text in the ps output or the shell history.

You can obfuscate the password with base64, but that is easily reversible. You can even try to encrypt the password, but since the script needs to be able to decrypt the password, you are just adding a layer of complexity to the problem.

macOS has a keychain, where the user can store passwords and allow applications and processes to retrieve them. We can have our script retrieve a password from a local keychain.

There are limitations to this approach:

  • the password item has to be created in the keychain
  • the user has to approve access to the password at least once
  • the keychain has to be unlocked when item is created and when the script runs—this usually requires the user to be logged in
  • the user and other scripts can find and read the password in the Keychain Access application or with the security tool

Because of these limitations, this approach is not useful for scripts that run without any user interaction, e.g. from a management system. Since the user can go and inspect the key in the Keychain Access is also not well suited for critical passwords and keys.

However, it is quite useful for workflow scripts that you run interactively on your Mac. This approach has the added benefit, that you do not have to remember to remove or anonymize any keys or passwords when you upload a script to GitHub or a similar service.

Note: Mischa used this in his ‘OnAirScanner’ script.

Update: I didn’t remember this, but Graham Pugh has written about this before.

How to Store a Password in the Keychain

Since adding the password to your keychain is a one-time task, you can create the password manually.

Open the Keychain Access application and choose “New Password Item…” from the Menu. Then enter the Keychain Item Name, Account Name and the password into the fields. The “Keychain Item Name” is what we are going to use later to retrieve the password, so watch that you are typing everything correctly.

You can also add the password from the command line with the security command.

> security add-generic-password -s 'CLI Test'  -a 'armin' -w 'password123' 

This will create an item in the Keychain with the name CLI Test and the account name armin and the horribly poor password password123.

How to Retrieve the Password in the Script

To retrieve a password from the keychain in a script, use the security command.

> security find-generic-password -w -s 'CLI Test' -a 'armin'

This will search for an item in the keychain with a name of CLI Test and an account name of armin. When it finds an item that matches the name and account it will print the password.

The first time you run this command, the system will prompt to allow access to this password. Enter your keychain password and click the ‘Always Allow’ button to approve the access.

This will grant the /usr/bin/security binary access to this password. You can see this in the Keychain Access application in the ‘Access Control’ tab for the item.

When you create the item with the security add-generic-password binary, you can add the -T /usr/bin/security option to immediately grant the security binary access.

Whether you grant access through the UI or with the command, keep in mind that a every other script that uses the security binary will also gain access to this password.

For very sensitive passwords, you can just click ‘Allow’ rather than ‘Always Allow.’ Then the script will prompt interactively for access every time. This is more secure, but also requires more user interaction.

Once you have tested that you can retrieve the password in the interactive shell, and you have granted access to the security binary, you can use command substitution in the script to get the password:

cli_password=$(security find-generic-password -w -s 'CLI Test' -a 'armin')

This command might fail for different reasons. The keychain could be locked, or the password cannot be found. (Because it was either changed, deleted or hasn’t been created yet.) You want to catch that error and exit the script when that happens:

pw_name="CLI Test"
pw_account="armin"

if ! cli_password=$(security find-generic-password -w -s "$pw_name" -a "$pw_account"); then
  echo "could not get password, error $?"
  exit 1
fi

echo "the password is $cli_password"

Scripting OS X — Weekly News Summary for Admins — 2021-04-02

Anther week, another beta release. Apple has released the sixth beta for macOS 11.3 (20E5224a), iOS 14.5, and siblings.

Apple has also announced the dates for WWDC 2021. It will take place June 7–11 “to a screen near you.” I have updated the conference overview on Scripting OS X. So, we have two months left before we enter the next major beta cycle. But, did we ever leave the Big Sur beta cycle?


To support the weekly news summary, please consider:

macOS Terminal and Shell Book Cover

macOS Terminal and Shell:
You have always wanted to ‘learn Terminal,‘ right? This book teaches how (and why) to use the command line on macOS. Get it on Apple Books!


📰News and Opinion

🐦MacAdmins on Twitter

  • Nathaniel Strauss: “We’re 4 months into Big Sur. If your product still doesn’t have support you’ve missed 1/3 of the OS cycle. You’re not behind, you’re slipping into irrelevant.”
  • Edward Marczak: “Big thanks to everyone in the #macadmin community releasing open source solutions. So much thought and care goes into this work that’s not only needed to fill gaps, but also every bit as good as commercial products. Thank you also for sharing documentation and good example code.”
  • James Turner: “Running a mixed fleet I am confident saying that the value in the community and open source solutions available for #macadmin is immeasurable.”
  • Nathaniel Strauss: “First time a DMG has advertised at me. @ReflectorApp Hey, consider not doing this. There are admins out there using your Sparkle feed for automation. Pretty sure that’s not a valid version string.” (Image)

🔐Security and Privacy

🔨Support and HowTos

🤖Scripting and Automation

🍏Apple Support

♻️Updates and Releases

📺To Watch

🎧To Listen

🎈Just for Fun

📚 Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Weekly News Summary for Admins — 2021-03-26

No major Apple announcement either this week. We got the fifth beta for macOS 11.3, iOS 14.5 and siblings. Apple also released new versions for the apps formerly known as iWork. Is this the start of the spring release season?

Talking about spring releases, Mac OS X was released twenty years ago this week!


To support the weekly news summary, please consider:

macOS Terminal and Shell Book Cover

macOS Terminal and Shell:
You have always wanted to ‘learn Terminal,‘ right? This book teaches how (and why) to use the command line on macOS. Get it on Apple Books!


List of upcoming conferences, dates, and their video archives on my website:

📰News and Opinion

🌅macOS 11 Big Sur and Apple silicon Macs

🔨Support and HowTos

🤖Scripting and Automation

🍏Apple Support

♻️Updates and Releases

📺To Watch

🎧To Listen

📚 Support

If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Twenty Years of Mac OS X

Mac OS X 10.0 was released March 24, 2001. Twenty years ago today.

The PowerBook, iMac, iPod, iPhone, iPad, and Apple Watch are obviously big steps along the way from Apple as a ‘beleagured,’ minor computer maker with an uncertain future to the $2 trillion tera-corp they are today. It is easy to focus on the hardware. But Mac OS X was at least as important.

Back then, it was essential that Apple move forward from ‘classic’ Mac OS. Protected memory, multi-user setups, and support for multiple applications running safely side-by-side were the main advantages of Mac OS X over Mac OS 9. But Mac OS X also brought with it the Unix core (and shell), a new display technology, and the Cocoa frameworks.

The transition was rough for the existing Mac users. The early versions were not as complete and stable as one would have hoped. The processing requirements of early Mac OS X pushed existing Mac hardware to their limits. Many application vendors dragged their feet adopting Mac OS X and the new technologies and features available.

But Mac OS X made the Mac interesting for a whole new group of people. It was the only platform at then time that they had Microsoft and Adobe productivity app as well as the Unix shell and tools available. This was a huge bonus for web designers and developers, but also for scientists.

Apple built some of the best laptops of the time. It might seem strange now, but having a portable, battery-powered Unix workstation, which also ran Word, Excel, Photoshop, and could edit videos, was un-imaginable just a few years before.

Then, Apple stripped down Mac OS X, so it could run on on a phone. Up until then, portable devices had very basic and minimal operating systems. They were also locked down and installing additional software was complicated and often expensive.

The early versions of iPhone OS were also basic and minimal compared to Mac OS X, but they held the promise of extension and growth. The iPhone had potential and Apple delivered on that promise with every system update. They treated the iPhone as a computer, rather than a gadget. It took a few years, but with the iPhone, people went from having one computer, to two computers: one in your pocket and one on your desk or in your bag.

Today, Apple has a range of operating systems from the watch on your wrist to the large screen in your living room, all going back to Mac OS X 10.0 twenty years ago. macOS is just one element in this ecology of devices. We don’t just have one computer, we have many. A spectrum of computers, most of them wireless and battery-powered, each with different strengths. These computers might all be from Apple, or from a variety of vendors.

macOS is part of this spectrum. In the past years, Apple has changed the name and just last year the major version number of their operating system for laptops and desktops.

Sometimes it seems that Apple has lost sight of what makes Macs an important tool. With Apple silicon for Macs, it seems that Apple is re-focusing on the Mac and seeing how they can improve macOS, while also improving the eco-system as a whole.

“macOS 11” holds a promise for continued and even re-newed growth. Like the first “Mac OS X” twenty years ago, and the first iPhone OS, there is potential.

I am looking forward to the next twenty years!