MacAD.UK Presentation Notes

The slides, notes and links for my MacAD.UK presentation from this morning: “Modern Deployment Workflows for Business” are available now.

Modern Deployment Workflows for Business

Despite the title, I think there should be some choice moments and things to learn in there for everyone. Once the session videos are posted I will update the page.

I am having a great time here at MacAD.UK. If you are here as well, be sure to say hi!

Weekly News Summary for Admins — 2019-03-22

Apple flooded us with new releases this week. We got a new iPad Air and new iPad mini, a long-awaited update to the iMac, new Airpods, changes to the BTO pricing for iMac Pro and MacBook Pro, Apple School Manager Federated authentication, and some software updates. As Steven Troughton-Smith pointed out, there have been keynotes for less news.

Not everyone is happy about the “new” iMacs, though: No T2 System Controller and 1TB 5400rpm spinning disks in the base models. I will have some thoughts about the “new” iMacs in my presentation at MacADUK next week! (See you there, if you are going, there may be a few tickets left.)

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

Headlines

News and Opinion

MacAdmins on Twitter

  • Zachary Cutlip: “Illustrated: talking to a VMware Fusion guest’s serial port… ”
  • Anthony Reimer: “The surprising thing about today’s iMac update: the bottom, non-Retina 21.5″ model was left completely untouched. Budget model, I guess.”
  • Alex: “The T2 cannot interface with Fusion Drives and Apple doesn’t seem to want to spend the time to make it work. My guess is that next year we will see the end of HDD. I was hoping maybe a redesign would have made it happen this year but no luck.”
  • Steve Troughton-Smith: “iPad Air, iPad mini, iMacs, iMac Pro BTO bump, iPod touch, AirPods, AirPower and Watch bands as press releases — we’ve had full-blown keynotes for less”
  • Charles S Edge: “The contracts are signed and about half the pages are written, so pleased to announce that @rtrouton and I will be turning in the first draft of a new book called “A Unified Theory of Apple Device Management” to @Apress in July of 2019! Rich, you’ve been awesome to work with!!!”
  • Fraser Speirs: “Apple is continuing to cede the K–12 identity, data and workflow space to Microsoft. Maybe the right call but puts them at enormous weakness and disadvantage in the sector.”
  • Laura Rösler: “We finally reached the 20k Mac clients at @SAP. Let‘s open a bottle of #champagne”

Bugs and Security

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Listen

Support

There are no ads on my webpage or this newsletter. If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Weekly News Summary for Admins — 2019-03-15

Lots of news for important conferences this week. JamfNation User Conference, MacSysAdmin, and WWDC are getting obviously closer. Also, MacADUK has sold out of tickets! (10 days and counting…)

On Scripting OS X

Conferences

MacAdmins on Twitter

  • Tim Perfitt: “Version 1.4 of MDS is going to be awesome. How awesome you ask? Glad you asked. 1/” (Thread)
  • Steve Troughton-Smith: “I like to remind myself sometimes that the current Mac Pro was announced before iOS 7…”

News and Opinion

Bugs and Security

Support and HowTos

Scripting and Automation

Updates and Releases

To Watch

To Listen

Just for Fun

Pi-Day: Let’s talk about dates, baby!

Happy Pi day!

Explanation for those who live in countries with sensible units and date notations: Americans – aside from using weird non-metric units – also have the odd habit of putting the month first in dates, then the day, then the year. So: ‘Mar 14, 2019’ or 3/14/2019. Instead of the more sensible 14.3.2019.

On the other hand, once every year, this weird notation will spell out 3.14, or the first three digits of the circle number, π (pi). And since non-mathematicians seem to love the (non-deserved) quasi-mystical nature of Pi and mathematicians are happy that at least once a year people are paying attention, Pi-day has become kind of a thing.

It’s also an excuse to bake tasty pies as a real-world dad joke manifestation, so overall, fun can be had!

But since we are talking about date notations…

While the day.month.year notation common in the rest of the world is arguably better than the American month/day/year, it is still not an ideal notation. Even better is year-month-day, especially when used with fixed digit lengths: YYYY-MM-DD, e.g. 2019-03-14.

While we will have to wait 1122 years before this notation approximates π, it has many other benefits. First, it sensibly and obviously sorts the components of date and time from largest (years) to smallest (seconds or even fractions of a second). It is fairly easy to parse in scripts and programming languages. When you sort ISO 8601 date strings alphanumerically, they will be in the correct order for dates. No other notation does that.

This is the reason this notation is enshrined as ISO 8601 and used in many places on your computer. For example, property lists encode timestamps in ISO 8601.

Learn more about property lists in my book: “Property Lists, Preferences and Profiles for Apple Administrators”

Jamf Extension Attributes can also be parsed properly as dates when returned in ISO 8601 format.

Dates in the shell

When working in shell scripts on macOS, you can use the date command to get the current date or for other date operations. Other flavors of unix-like operating systems have a specific flag to get ISO 8601 output, but in macOS you have to format manually:

$ date -u +"%F"
2019-03-14
$ date -u +"%FT%T"
2019-03-14T08:00:15

When you want a file’s creation, access, or modification date you can use the stat command:

$ stat -f 'Created: %Sc   Modified: %Sm   Accessed: %Sa' pi-day
Created: Mar 14 08:43:07 2019   Modified: Mar 14 08:43:06 2019   Accessed: Mar 14 08:43:06 2019

You can use the -t option to format the time:

$ stat -f 'Created: %Sc   Modified: %Sm   Accessed: %Sa' -t "%FT%T" pi-day
Created: 2019-03-14T08:43:07   Modified: 2019-03-14T08:43:06   Accessed: 2019-03-14T08:43:06

Finder and macOS Interface

You can teach Finder an approximation of ISO 8601. Go to System Preferences > Language & Region and click on the ‘Advanced…’ button and select the ‘Dates’ tab:

Set something close to the ISO date format for Mac

AppleScript

AppleScript will use the system’s date formatter (set in System Preferences) to parse and print dates. It will use the “Full date format” to show date objects by default, which is quite elaborate.

You can declare date variables with the short format, but as soon as you “compile” the script, it will be replaced by the full format. So, this:

set thedate to date "2019-03-14"

will turn into this

set thedate to date "Thursday, 14 March, 2019 at 00:00:00"

AppleScript uses the date format defined in System Preferences, so you have to have this set up. This format will also be used when AppleScript extracts a date object to a string, but again it will use the full date format by default:

get date string of thedate
"Thursday, 14 March, 2019" 

There is, however, a short date string property you can use:

get short date string of thedate
"2019-03-14"

Again, the output will depend on the format set in System Preferences.

  • AppleScript Language Guide: date

Python

Getting and parsing ISO dates with Python is (not surprisingly) easy.

$ python
>>> import datetime
>>> datetime.date.today().isoformat()
'2019-03-14'
>>> datetime.datetime.now().isoformat()
'2019-03-14T09:03:24.107317'
>>> datetime.datetime.now().replace(microsecond=0).isoformat()
'2019-03-14T09:04:10' 

You can also parse an ISO string with Python:

>>> datetime.datetime.strptime("2019-03-14T10:09:12", "%Y-%m-%dT%H:%M:%S")
datetime.datetime(2019, 3, 14, 10, 9, 12)

Swift

Swift uses the Date class to represent dates and times. There is a DateFormatter object which can convert Date objects to strings and back. There is also a dedicated, if awkwardly named, ISO8601DateFormatter class just for ISO dates and times.

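import Foundation

// format the current date and time as an ISO 8601 string
let now = Date()
print(ISO8601DateFormatter().string(from: now))

// parse an ISO 8601 string; the result is an optional Date
let pidaywithtime = ISO8601DateFormatter().date(from: "2019-03-14T15:09:26Z")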

You can even customize the behavior of the ISO8601DateFormatter:

let dateISOFormatter = ISO8601DateFormatter()
dateISOFormatter.formatOptions = [ .withFullDate, .withDashSeparatorInDate]
let piday = dateISOFormatter.date(from: "2019-03-14")

Weekly News Summary for Admins — 2019-03-08

Steve Troughton-Smith gave us all a glimpse of the future this week as he documented how to already use the “Marzipan” framework that allows UIKit (iPad) apps to run on macOS. Even if you don’t develop, it is worth browsing through those posts. You will get an interesting look at the features and limitations that ported apps will have.

MacAdmins on Twitter

  • Akshay Bakshi: “Coming soon to a Dock near you. New app icons in Office for Mac.… ”
  • Jeff Johnson: “The Mac App Store has put price pressure on Mac apps, but not as bad as in the iOS App Store. Mac app prices are still generally much higher on average than iOS app prices. Marzipan could change that though.” (Thread)
  • Timo Perfitt: “MDS was just approved in the app store. Didn’t expect this. I’m going to need a minute.… ”
  • Steve Troughton-Smith: “I had another go at making this work, and I got somewhere: here is AppleScript in a Marzipan app… ”
  • Otto the Automator: “Steve, that’s a beautiful thing to see. Thank you for making my day.… ”

Bugs and Security

Support and HowTos

Scripting and Automation

Updates and Releases

To Listen

Weekly News Summary for Admins — 2019-03-01

This week we got great posts from MacAdmins on bash, snapshots, bootstrappr, MDS, Fleetsmith, Intune with Munki, AutoPkgr with Jamf Cloud and more.

I am always intrigued at how diverse the MacAdmin community can be. Of course, all our lives rotate around the Apple platforms, but the approaches and tools today are more varied than they have ever been.

Apple may be drastically changing how we deploy Macs, but there are so many tools, both open and commercial, that are being created to fill the gaps or improve on existing tools. It is an exciting time to be a MacAdmin!

On Scripting OS X

News and Opinion

Support and HowTos

Scripting and Automation

Updates and Releases

To Listen

Install Bash 5 on macOS

The default bash on macOS is still bash v3:

$ bash --version
GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin18)
Copyright (C) 2007 Free Software Foundation, Inc.

Just recently, bash v5 was released. The discrepancy comes from the fact that bash has been licensed as GPL v3 since version 4. Apple does not include GPL v3 licensed tools with macOS.

However, nothing is keeping you from downloading and installing the latest bash version.

New features include, among many other things, associative arrays (i.e. dictionaries) and better auto-completion setup.

While you would think this is a common desire, most pages I have found will simply point to Homebrew to download and install a newer bash version.

The main challenge with using brew is that it does not work on the scale that MacAdmins require. brew is designed for single user installation, where the user has administrator privileges. brew’s workflows do not scale to large deployments controlled with a management system.

Ideally, there would be a package installer for the latest bash version. Unfortunately, the bash project does not provide one.

In this post, I will show how you can install the latest bash version without brew and how to build an installer package for deployment.

Manual Installation

This requires Xcode or the Developer Command Line Tools to be installed.

First, download the source for the latest bash version from this page. As of this writing the latest version is bash-5.0 and the file you want is bash-5.0.tar.gz. Once downloaded, you can expand the archive in Finder by double-clicking.

Update: I have a post with some updated instructions to include the patches to bash 5.0.

Open a Terminal window and change directory to the newly expanded bash-5.0 directory. Then run the configure script there.

$ cd ~/Downloads/bash-5.0
$ ./configure

The configure process will take a while; there will be plenty of messages showing progress.

Once the configure process is complete, you can build bash with the make command.

$ make

This will build the bash binary and the supporting files in the current directory. That’s not where we want it in the end, but it is probably a good idea to see if the build process works. This will (again) take a while. There will be some odd looking warnings, but you can ignore those.

When make succeeds, you can actually install bash v5 with

$ sudo make install

This will build and install the bash binary and supporting files in /usr/local/bin and /usr/local. sudo is required to modify /usr/local.

If you were just looking for a way to install bash v5 without brew, you are done!

There is more useful information in the rest of the post, though, so keep reading!

How the new and the old bash interact

By default, the bash v5 binary is called bash and will be installed in /usr/local/bin. The macOS default PATH lists /usr/local/bin before /bin where the default bash v3 binary, also called bash, is located.

This means that when a user types bash into a shell, the version in /usr/local/bin will be preferred over the pre-installed bash v3.

You can test this behavior in Terminal. Since the default shell has not yet been changed from /bin/bash the Terminal still opens to bash v3. You can test this by showing the BASH_VERSION environment variable:

$ echo $BASH_VERSION
3.2.57(1)-release

But when you then run bash it will invoke /usr/local/bin/bash, so it will run the new bash v5. It will show this in the prompt, but you can also verify the BASH_VERSION.

$ bash
bash-5.0$ echo $BASH_VERSION
5.0.0(2)-release

This might be the setup you want, when you want to use bash v5 always. It might lead to some unexpected behavior for some users, though.

One option to avoid this ambiguity is to rename the binary in /usr/local/bin to bash5. But then other tools such as env (mentioned below) will not find the binary any more.

Note: the PATH in other contexts will likely not contain /usr/local/bin and further confuse matters.

bash v5 and Scripting

Scripts using bash should have the full path to the binary in the shebang. This way, the script author can control whether a script is executed by the default bash v3 (/bin/bash) or the newer bash v5 (/usr/local/bin/bash or /usr/local/bin/bash5).

It is often recommended to use the env command in the shebang:

#!/usr/bin/env bash

The env command will determine the path to the bash binary in the current environment (i.e. using the current PATH). This is useful when the script has to run in various environments where the location of the bash binary is unknown, in other words across multiple Unix and Unix-like platforms. However, this renders the actual version of bash that will interpret the script unpredictable.

For example, assume you have bash v5 installed in the default configuration (as /usr/local/bin/bash). A script with the shebang #!/usr/bin/env bash launched in the user environment (i.e. from Terminal) will use the newer bash, as /usr/local/bin comes before /bin in the search order.

When you launch the same script in a different context, e.g. as an installation script, from an AppleScript, or from a management system, /usr/local/bin will likely not be part of the PATH in that environment. Then the env shebang will choose /bin/bash (v3). The same script will then be interpreted by a different bash version and might behave differently.

Administrators prefer certainty in their managed environments. Administrators should know the location and versions of the binaries on their systems. For management scripts, you should avoid env and use the proper full path to the desired interpreter binary.

The solutions to resolve the ambiguity are

  • use the full path to the binary in the shebang
  • manage and update the additional custom version of bash with a management system
  • (optional) rename the newer bash binary to bash5 or bash4 (this also allows you to have bash v4 and bash v5 available on the same system)
  • Scripting OS X: On the Shebang
  • Scripting OS X: Setting the PATH in Scripts
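The PATH dependence described above can be reproduced without touching the real interpreters. This is an added example, not code from the original post: the two "bash" files are constructed stubs in a temporary sandbox, and the function names (make_sandbox, env_picks, bash_major_ok) are hypothetical. It also shows a version guard a script can run on $BASH_VERSION before using bash 4+ features.

```shell
#!/bin/sh
# Added example, not from the original post. The two "bash" files below are
# constructed stubs that only print a label; they stand in for
# /usr/local/bin/bash (v5) and /bin/bash (v3) inside a throwaway sandbox.

# Build the sandbox and print its path.
make_sandbox() {
    sandbox=$(mktemp -d) || return 1
    mkdir -p "$sandbox/usr/local/bin" "$sandbox/bin"
    printf '#!/bin/sh\necho "bash v5 stub"\n' > "$sandbox/usr/local/bin/bash"
    printf '#!/bin/sh\necho "bash v3 stub"\n' > "$sandbox/bin/bash"
    chmod 755 "$sandbox/usr/local/bin/bash" "$sandbox/bin/bash"
    printf '%s\n' "$sandbox"
}

# What '#!/usr/bin/env bash' does at launch: env searches the PATH it
# inherits ($1 here) and runs the first executable named bash it finds.
env_picks() {
    PATH="$1" /usr/bin/env bash
}

# Guard for scripts that need newer features: succeed only if the version
# string in $1 (e.g. "$BASH_VERSION") has a major version >= $2.
bash_major_ok() {
    major=${1%%.*}
    case $major in
        ''|*[!0-9]*) return 1 ;;   # empty or not a number: not a usable bash
    esac
    [ "$major" -ge "$2" ]
}

demo() {
    sb=$(make_sandbox) || return 1
    # Terminal-like PATH: /usr/local/bin is searched before /bin
    echo "user PATH:       $(env_picks "$sb/usr/local/bin:$sb/bin")"
    # Installer or management context: /usr/local/bin is missing
    echo "management PATH: $(env_picks "$sb/bin")"
    rm -rf "$sb"
}
demo
```

In a real script the guard would be called as bash_major_ok "$BASH_VERSION" 4 followed by an exit on failure, so a script started by the wrong interpreter stops instead of misbehaving.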

Changing a user’s default Shell to bash v5

Even though we have installed bash v5, the default shell of a new Terminal window will still use the built-in bash v3.

The path to the default shell is stored in the user record. You can directly change the UserShell attribute with dscl, in the ‘Advanced Options’ of the ‘Users & Groups’ preference pane, or in Directory Utility.

There is also a command to set the default shell:

$ chsh -s /usr/local/bin/bash
Changing shell for armin.
Password for armin: 
chsh: /usr/local/bin/bash: non-standard shell

The chsh (change shell) command will check for allowed shells in the /etc/shells file. You can easily append a line with /usr/local/bin/bash to this file, and then chsh will work fine.

$ chsh -s /usr/local/bin/bash
Changing shell for armin.
Password for armin: 

Note: if you choose to rename the bash binary, you have to use the changed name in /etc/shells and with chsh.

Remember that just running chsh will not change the shell in the current Terminal window. It is best to close the old Terminal window and open a new one to get the new shell.

Packaging bash v5 for mass deployment

While these steps to install and configure bash v5 on a single Mac are simple enough, they would not work well with a management system for hundreds or thousands of Macs. We want to wrap all the files that make install creates into a package installer payload.

The --help option of the configure script yields this useful information:

By default, `make install' will install all the files in `/usr/local/bin', `/usr/local/lib' etc. You can specify an installation prefix other than `/usr/local' using `--prefix', for instance `--prefix=$HOME'.

When we run the configure script with the --prefix option it creates a folder suitable as a payload for a package installer. We can then use pkgbuild to create an installer pkg:

$ cd ~/Downloads/bash-5.0
$ mkdir payload
$ ./configure --prefix=/Users/armin/Downloads/bash-5.0/payload
$ make install
$ pkgbuild --root payload --install-location /usr/local --identifier org.gnu.bash --version 5.0 bash-5.0.pkg
pkgbuild: Inferring bundle components from contents of payload
pkgbuild: Wrote package to bash-5.0.pkg

(Note: the --prefix argument requires an absolute path.)

Automate the package creation

So, we have our workflow for building an installer package to distribute and configure bash v5:

  • download the archive
  • extract the archive
  • run configure with the --prefix argument
  • run make install to create the files in a payload folder
  • optional: rename the resulting bash binary to bash5 to avoid conflicts
  • add a postinstall script that adds /usr/local/bin/bash[5] to /etc/shells if not yet present
  • build the installer with pkgbuild

This sounds like a workflow ripe for automation. You can get the script from this repository.

You can pass a different (valid) bash version number as an argument to the script, e.g. 4.4.18. (I did not test anything significantly older.) The script does not autodetect the latest version and defaults to version 5.0 when no argument is given. When an update to bash v5 is published, you will have to modify the version line or run the script with an argument.

I have not (yet) figured out how to detect the latest version from the download web page. An autopkg recipe will have to wait for that. (If someone else wants to tackle that, please do!)
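The postinstall step from the workflow list above (register the new shell in /etc/shells if not yet present, so chsh accepts it) could look like the following. This is an added example, not the script from the repository mentioned in the post; the function name add_shell and its optional file argument are assumptions made so it can be exercised against a constructed copy of the file.

```shell
#!/bin/sh
# Added example, not the author's script. add_shell is a hypothetical helper
# for a package postinstall: it registers a shell in the allow-list that chsh
# checks, and is safe to run on every install or upgrade.
#
# usage: add_shell SHELL_PATH [SHELLS_FILE]   (SHELLS_FILE defaults to /etc/shells)
add_shell() {
    shell_path=$1
    shells_file=${2:-/etc/shells}

    # The allow-list should only ever contain absolute paths.
    case $shell_path in
        /*) ;;
        *) echo "refusing non-absolute shell path: $shell_path" >&2
           return 2 ;;
    esac

    # -x matches whole lines and -F disables regex, so an existing
    # /usr/local/bin/bash5 entry is not mistaken for /usr/local/bin/bash.
    if grep -qxF -- "$shell_path" "$shells_file" 2>/dev/null; then
        return 0   # already present, nothing to do
    fi

    # If the file does not end in a newline, add one first so the new
    # entry does not get glued onto the last existing line.
    if [ -s "$shells_file" ] && [ -n "$(tail -c 1 "$shells_file")" ]; then
        printf '\n' >> "$shells_file"
    fi
    printf '%s\n' "$shell_path" >> "$shells_file"
}

# Demonstration on a constructed sample file (no trailing newline, and a
# bash5 entry already present), not on the real /etc/shells.
demo() {
    tmp=$(mktemp) || return 1
    printf '/bin/bash\n/usr/local/bin/bash5' > "$tmp"
    add_shell /usr/local/bin/bash "$tmp"
    add_shell /usr/local/bin/bash "$tmp"   # second run changes nothing
    cat "$tmp"
    rm -f "$tmp"
}
demo
```

In an actual postinstall script the call would be add_shell /usr/local/bin/bash (or the renamed bash5 path), which runs as root during package installation.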

Weekly News Summary for Admins — 2019-02-22

Some more rumors this week, which keep foreshadowing an “interesting” year for Mac Admins.

We also have mandatory two-factor authentication, some audio bugs, interesting documentation from Microsoft, lots of great posts from fellow admins (as usual, many thanks!), and a few updates and releases.

On Scripting OS X

News and Opinion

MacAdmins on Twitter

  • Allen Golbig: “If you use smartcards in your environment, the latest Insider Fast build of Microsoft Outlook 16.23 (190212) supports CryptoTokenKit! ”

Bugs and Security

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Watch

Apple Two-Factor Authentication for a Secondary Apple ID

Apple sent an email to developers, stating that later this month, two-factor authentication will be required for Apple IDs used for developer accounts.

If you, like me, use separate Apple IDs for your personal iCloud and your developer accounts, this will pose some kind of challenge. There is a solution, however Apple does not document it very well.

Update: Apple now has a very detailed support page for this topic.

Two-factor authentication for the primary account

Assumption: you have two-factor authentication (2FA) enabled on your primary, personal Apple ID, and are logged in to that account on your Mac(s) and iOS devices. If you haven’t done that yet, do it now. 2FA does increase your account security significantly.

You can enable 2FA on any device logged in to the account in the iCloud Settings or preference pane. As part of the setup you can provide one or more phone numbers as a fall back mechanism. If no devices can be prompted through Apple’s built-in 2FA, it will send an SMS to the trusted phone numbers. You can use the same phone number for multiple Apple IDs, but there seems to be some limit on how often you can do that.

Enable 2FA for the secondary account

Assumption: The secondary account is your developer Apple ID, you don’t use it for iCloud storage, device backups, mail etc. You use it to log in to developer.apple.com and iTunes Connect, and to get all the certificates and other resources you need as a developer.

The challenge here is that you can only enable 2FA on the first account logged in to iCloud on a device. You could log out of your primary iCloud account, and then log in with the secondary, but this will disrupt a lot of things on your device. I’d rather avoid that.

On a Mac, you can have a separate iCloud account for each local user. So, it is easiest to create a second user account, log out of your first account, log in to the new second account and set up iCloud and 2FA for the developer Apple ID on this second local account.

You can sign in to the secondary Apple ID and enable 2FA in System Preferences -> iCloud -> Account Details -> Security as described in Apple’s Support Article.

Follow the prompts to set up 2FA. You can re-use the same phone number as a trusted number. (There seem to be limits to how often you use the same phone number, but two accounts works fine for me.)

Once 2FA is set up, we don’t need the second user account on the Mac any more. Sign out of iCloud, log out of the second account and back in to your normal user account.

If you are ok with using SMS authentication (Apple calls this ‘two-step authentication’, rather than ‘two-factor authentication’) then you are done. However, many will argue codes over SMS are not good enough for secondary authentication, so we want to go to ‘full’ 2FA.

Use the secondary Apple ID

As it turns out, you can be logged in to multiple iCloud accounts on the same device or account. Certain services, such as iCloud storage, or the Photo Library, will only work with the primary iCloud account, but other services, including 2FA, will work for all iCloud accounts.

On your iOS device go to Settings > Passwords & Accounts > Add Account, and choose to add another iCloud account. You probably want to turn off all services, like Mail, Calendar, etc. for the secondary account.

Second iCloud Account on iPhone

On the Mac you can do the same in System Preferences > Internet Accounts. You can use both your Mac and iOS devices for 2FA.

Second iCloud Account on macOS

Now the secondary Apple ID will prompt the devices you are logged in as for 2FA.

2FA prompt on the iPhone

Weekly News Summary for Admins — 2019-02-15

Lots of interesting posts this week.

But most interesting for MacAdmins fighting with SecureToken, read Rich Trouton’s two posts which might help you get out of situations that were so far considered dead ends.

MacRumors points to the week of June 3 for WWDC this year (no big surprise) and Bloomberg (the other Mac rumors site) points to March 25 for a ‘subscription service’ event. Since MacADUK starts on March 26, this event could lead to some last minute slide shuffling.

#! On Scripting OS X

📰News and Opinion

🐦MacAdmins on Twitter

  • Kyle Crawford: “Why does Apple need a sysdiagnose for a feature enhancement? Don’t they know the features of their own software? startosinstall should warn if Internet connection is needed before running. How is a having a sysdiagnose going to add any value?”
  • Jordan Rose: “Command-line tip: sftp -a is a mostly drop-in replacement for scp that allows resuming an interrupted download.”
  • Mike Boylan: “TIL about the “HP Easy Admin” tool. If you’re a school, large org, or enterprise and are looking for the HP driver package for a printer v the home/single-use Easy Setup app, you can use Easy Admin to go get the pkg-based driver installer to be used at scale.”
  • Graham Pugh: “The clear and reliable world of DEP enrollment…” (click to see full tweet)
  • Graham Pugh: “Regex of Mojave-compatible Mac model identifiers: ^(iMac1[3-8]|iMacPro|MacBook[8-9]|MacBook10|MacBookAir[5-7]|MacBookPro9|MacBookPro1[0-5]|MacMini[6-7]|MacPro[5-6])”

🐞Bugs and Security

🔨Support and HowTos

🤖Scripting and Automation

🍏Apple Support

♻️Updates and Releases

📺To Watch
