Weekly News Summary for Admins — 2018-12-21

Welcome to the last news summary of 2018. I will be taking off next week for the holidays. I don’t expect much will happen, but if it does, you will see it the first news summary of the new year, on (or around) January 4, 2019.

This was the first full year of the News Summary. I wrote 49 summaries this year. The number of subscribers more than quadrupled, which is both exciting and humbling. I am too lazy to whip up a script to get an exact count but that adds up to about 1500 links to tweets, articles, updates and posts.

I merely gather all these links. The summary would not be possible without something to summarize. My never-ending gratitude goes out to all the people who generously share their expertise and time in all these posts, on the different fora, and in person.

Thank you for writing, and thank you all for reading!

I hope you all get to enjoy a break for the holidays and New Year.

Happy Holidays and all the best for the New Year!

News and Opinion

MacAdmins on Twitter

  • Arek Dreyer: “macOS Support Essentials 10.14 Supporting and Troubleshooting macOS Mojave Exam Preparation Guide was posted! It’s posted at the bottom of the course description page, but here’s the direct link. https://training.apple.com/content/dam/appletraining/us/en/2018/documents/macOS_Support_Essentials_10_14_Exam_Preparation_Guide.pdf”
  • Carl Ashley: “Dear macOS software devs. If you build apps that trigger user consent prompts – aka TCC, please thoroughly document ALL affected binaries with the file path & what PPPCP payloads are required to make the prompts go away. Make this info readily available. MacAdmins will love you.”

Bugs and Security

Support and HowTos

Scripting and Automation

Updates and Releases

To Watch

To Listen

Support

There are no ads on my webpage or this newsletter. If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Weekly News Summary for Admins — 2018-12-14

Lots of interesting posts this week. Jamf 10.9, MS Office now supports the Dark Side… er dark mode.

The MacAdmins Podcasts got Doug Brooks and Jeremy Butcher from Apple on the show to talk about Apple, deployment and the T2 chip!

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

News and Opinion

MacAdmins on Twitter

  • Charles S Edge: “The github.com/jamfit github.com/jamfprofessionalservices && github.com/jamfsupport accounts have now been consolidated into one @JAMFSoftware Open Source Community at github.com/jamf to make it easier to find projects that do things you might need to do”
  • John C. Welch: (Long Thread, worth reading.)
  • William Smith:
    “Microsoft Office 2019 for Mac v 16.20 drops today with Dark Mode for Mojave users! And if that’s a little too stark when using Outlook (or any other app), here’s how to turn it off. defaults write http://com.microsoft.Outlook NSRequiresAquaSystemAppearance -bool yes”
  • Patrick Gallagher Jr: “Well hello XProtect, been a while!” (Note: MRT got an update, too.)
  • Eric Holtam: “News to me so may be news to others. Firefox 63+ supports mobile config policies. Here begins the move away from the great CCK2. Example settings at https://github.com/mozilla/policy-templates”
  • Graham Gilbert: “If you are a fellow #macadmin and want to speak at a conference in 2019, let me know and I’ll try to make that happen. Whether it is making the right introduction, looking over your proposal or being someone to practice your slides on, let me know how I can help.”
  • lamby: “Symlinks.… ”

Bugs and Security

Support and HowTos

Scripting and Automation

Updates and Releases

To Watch

  • Tim Perfitt: “Using a Smart Card out of the box with macOS for login authentication”
  • Tim Perfitt: “Provisioning Certificates on a Smart Card / Yubikey for macOS authentication”
  • Otto the Automator: “My session at the @JAMFSoftware JNUC 2018 showing how to manage iOS devices upon attachment to a Mac. https://www.youtube.com/watch?v=5aSW_47rXKE ”

To Listen

Support

There are no ads on my webpage or this newsletter. If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Weekly News Summary for Admins — 2018-12-07

We got the macOS 10.14.2 update this week, along with iOS 12.1.1 and watchOS 5.1.2. Versioning is really weird this time around. One can assume something major is planned for iOS 12.2.

For macOS 10.14.2 looks like a unified build for all current hardware. It’s been a while.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

News and Opinion

MacAdmins on Twitter

  • Jason Broccardo: “10.12.6 + SecUpdate 2018–006 = 16G1710 10.13.6 + SecUpdate 2018–003 = 17G3025 10.14.2 = 18C54”
  • Jason Broccardo: “!!!! 10.13.6 + 2018–003 = 17G4015 !!!”
  • William Smith: “2019 calendar for Microsoft Office 2019 for Mac for 2019 monthly releases is posted. (Subject to change.) https://macadmins.software/calendar/”

Bugs and Security

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Listen

Support

There are no ads on my webpage or this newsletter. If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Weekly News Summary for Admins — 2018-12-01

Just a brief summary this week as I am still travelling through beautiful NZ. Just as a warning: next week’s letter may also be short and late.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

News and Opinion

Bugs and Security

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

Support

There are no ads on my webpage or this newsletter. If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Weekly News Summary for Admins — 2018-11-23

Just a quick roundup this week. Because of the US Thanksgiving week it is pretty quiet, and I am travelling. I will try writing up a newsletter over the next two weeks, but no promises.

I have put together a few deals. My own books are also on sale through Monday, Nov 27 (Cyber Monday)

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

Black Friday Deals for Admins

On Scripting OS X

News and Opinion

MacAdmins on Twitter

  • mikeymikey: “Sounds like some Quicktime codec support changes coming again.… ”
  • Tim Hardwick: “I’ve been testing Folder Actions in macOS Mojave 10.14.1, and the results aren’t good. Apple needs to look at how new security approvals are implemented for workflows containing Apple Event scripts, because the reliability of automated actions has taken a dive.”
  • William Smith: “Microsoft Remote Desktop for Mac 10.2.4 beta introduces… SCRIPTING SUPPORT! See today’s announcement in #microsoft-rdc channel on #MacAdmins Slack for details and usage. Run ”Microsoft Remote http://Desktop.app/Content/macOS/Microsoft … Remote Desktop” –script help
  • Greg Neagle: “Ralph Breaks the Internet opens today in the US and some other markets! Be sure to stay through the credits for mid-credits and post-credits scenes!”

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Listen

Support

There are no ads on my webpage or this newsletter. If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Books Sale for Black Friday and Cyber Monday

My three books will be on sale from now, over Black Friday, through Cyber Monday (Nov 26). This is a great chance to pick the books up at a few dollars or euros less:

Prices shown are for the US Apple Books store, but the prices in all regions where the books are published will be reduced.

Happy Thanksgiving to all of you in the US and happy deal hunting to everyone!

On macOS User Groups

User groups are easy, right? A user is either a member or they are not.

Once you start thinking about the details and want or need to automate some of the aspects of user and group management on macOS, there is a lot of devil in those details.

User Membership

You can easily list all groups a given user is a member of. The id command will show all the groups the current user is a member of. id -Gn will list just the groups. Add a username to the id command to see the information for a different user. The groups command does the same as id -Gn.

You can also run a command to check if a given user is a member of a group:

$ dseditgroup -o checkmember -m user staff
yes user is a member of staff
$ dseditgroup -o checkmember -m user wheel
no user is NOT a member of wheel

Group Membership

So far, so good.

A user is a member of a group when one of these applies:

  • the user’s PrimaryGroupID attribute matches the PrimaryGroupID of the group
  • the user’s UUID is listed in the group’s GroupMembers attribute and the user’s shortname is listed in the group’s GroupMembership
  • the user is a member of a group nested in the group

Note: you should not attempt to manipulate the GroupMembers or GroupMembership attributes directly. Use the dseditgroup -o edit command to manage group membership instead. dseditgroup syntax is weird, but it is a really useful tool. Study its man page.

Listing Group Members

Sometimes (mainly for security audits) you need to list all the members of a group. With the above information, it is easy enough to build a script that checks the PrimaryGroupID, the GroupMembership attribute and the recursively loops through the NestedGroups.

This is confused by the fact that PrimaryGroupID stores the numeric User ID, GroupMembership uses the shortname and NestedGroups uses UUIDs. Nevertheless, you can sort through it.

I have written exactly such a script here:

In most cases this script will work fine. But, (and you knew there would be a “but”) macOS has a very nasty wrench to throw in our wheels.

Calculated Groups

There are a few groups on macOS, that have neither GroupMembers, GroupMembership, nor NestedGroups, but still have members. This is because the system calculates membership dynamically. This is similar to Smart Playlists in iTunes, Smart Folders in Finder, or Smart Groups in Jamf Pro.

You can list all calculated groups on macOS with:

$ dscl . list /Groups Comment | grep "calc"

The most interesting calculated groups are everyone, localaccounts, and netaccounts.

These groups can be very useful in certain environments. For example in a DEP setup you could add localaccounts or everyone to the _lpadmin and _developer groups, before the user has even created their standard account. That way any user created on that Mac will can manage printers and use the developer tools.

However, since these groups are calculated magically, a script cannot list all the members of any of these groups. (My script above will show a warning, when it encounters one of these groups.)

While it would probably not be wise to nest the everybody group in the admin group, a malicious user could do that and hide from detection with the above script (or similar methods).

Other Solution

Instead of recursively listing all users, we can loop through all user accounts and check their member status with dseditgroup -checkmember. This script is actually much simpler and dseditgroup can deal with calculated groups.

This works well enough when run against all local users.

I strongly recommend against running this for all users in a large directory infrastructure. It’ll be very slow and generate a lot of requests to the directory server. Because of this the script above runs only on the local directory node by default.

Summary

  • on macOS users can be assigned to groups thorugh different means
  • you can check membership with dseditgroup -o checkmember
  • you can edit group membership with dseditgroup -o edit
  • macOS has a few groups which are dynamically calculated and difficult to process in scripts

Weekly News Summary for Admins — 2018-11-16

One of the promises at this year’s WWDC was that some high profile Mac apps would return to the Mac App Store. This week, part of that promise was fulfilled as Panic’s Transmit re-appeared in the Mac App Store.

For admins this news is bittersweet. Transmit chose subscription pricing for the App Store. Unlike App purchases, which can be managed with VPP, subscriptions and other in-App-Purchases still cannot be managed. Thankfully, Panic still offers the standalone app, for a fixed price, which can be managed by traditional means.

Don’t miss the MacAdmins podcast this week. I actually talk briefly about the process of building this very newsletter every week.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

On Scripting OS X

News and Opinion

MacAdmins on Twitter

  • Steve Yuroff: “Noting the steps needed to get a never-booted 10.14.beta for testing DEP and SecureToken behaviors. This isn’t fun anymore.”
  • Tim Perfitt: “When searching for something in Spotlight, if you press command-return when an item is selected, it opens the enclosing folder.”

Bugs and Security

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Watch

To Listen

Support

There are no ads on my webpage or this newsletter. If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

MacAdmins Podcast, Episode 102: Erase All the Things

I had the honor of being on the MacAdmins podcast again!

In this episode, we talk about the EraseInstall app we built at Pro Warehouse, how much fun it can be to build something in Swift and Xcode, the new Macs, my weekly news summary and a bit about Book #4.

Thanks again to Tom, Charles and Marcus and everyone else who makes the MacAdmins Podcast. You are wonderful hosts!

(Though it was very weird to hear you in single speed…)

Listen to the Episode!

Weekly News Summary for Admins — 2018-11-10

Mac minis are real and being delivered to customers!

Apple sent out some updates for their Apps, Pages can now publish to Apple Books and iMovie on a new iPad pro can power a large external screen.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

On Scripting OS X

News and Opinion

MacAdmins on Twitter

  • James F: “Here’s a script illustrating how to use the #Jamf Pro API I made for my #jnuc2018 interactive lab ”Getting Started with the Jamf Pro API“”
  • Erik Gomez: “To help foster community help, effective today, UMAD and nudge have been moved to my personal GitHub and off the pseudo joke org I made when I developed the tools.”
  • mikeymikey: “Take the hint…”
  • Brian Stucki: “The documents for the new Mac mini were just released. Includes the Essentials, the Quick Start and the Info Guide. Also includes this picture of the Retina display that Apple should definitely make and sell.”

Bugs and Security

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Watch

Support

There are no ads on my webpage or this newsletter. If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!