This morning, Episode 200 of the Mac Admins Podcast dropped, and in eight weeks, we’ll celebrate five years of the pod. Its unofficial birthday is around the original MacADUK conference in 2016, where Charles, Pepijn and I were all speaking. There’d been some Tweeting and Slacking that there was room for another Mac-focused Podcast, one built around the needs of Mac Admins.
There were already plenty of generalist Mac podcasts (ATP, Upgrade, Connected), sources of news and rumor about what Apple was up to, and there were some consulting-focused efforts (Command-Control-Power) that had plenty of great tech and consulting tips, but nothing that really felt like home for the Mac Admins community.
We had a few other folks onboard – Marcus Ransom, Adam Codega, Emily Kausalik-Whittle, Jason Miller – and wanted to setup a rotating panel of hosts who could provide different perspectives from different markets. And off we went! We talked with Kitzy about using the macadmins.org domain, and they graciously assented. James Smith eventually joined us as our sound editor, taking over from Aaron Lippincott. And, of course, Adam Codega wrote our theme the very first time he opened GarageBand.
We’ve held episodes at MacADUK, JNUC, PSU Mac Admins (unofficially!), MacTech, X World and more. We were hoping to make it to MacSysadmin in 2020, before the year of the Pandemic hit.
In those intervening 5 years, we’ve had close to three quarters of a million downloads, sponsorships from a dozen companies, and developed an avid group of backers on Patreon. And last night, we started the third century of the Mac Admins Podcast, talking to favorite guest (or at least most frequent!) Joel Rennich of Jamf.
Here’s to 200 episodes down, and at least 200 to go! Thanks to everyone who’s been on as a guest, everyone who’s written in with questions or feedback, everyone who’s participated in making the podcast on the back-end, and everyone who’s backed our efforts. We couldn’t have done it without you.
What a day. One to remember for all of us. I write to you on days like this so that I have something to show you when you’re older and ask questions. You’re 7 now, and you’ve spent most of the afternoon with your grandparents, working on building a tabletop game and playing Zelda. Grandpa plays a solid Link, it’s true. That’s what I want you to remember about today.
But it’s not the only thing that happened.
For the last three hours, there’s been an armed insurrection at United States Capitol, lead by a group of seditious rioters driven by the rhetoric of the President of the United States. I can’t stress to you enough how disquieting this is. In my 42 years, nothing like this has ever happened. The Capitol Police were assaulted, and at least eight of them were injured. A woman was shot and killed during the incident.
The Senators and Congresspeople and their staffs, and the professional staff of the Capitol and her houses had to be evacuated to shelters via secret tunnels. The Vice President was whisked from the chamber by the Secret Service. Offices were defiled, the Speaker’s podium stolen from her office. These actions are the actions of despots, tyrants and fascists. They are weak cowards who rule by threat because they have no ideas that last on their own. They govern by threat because it’s all they know.
I cannot tell you how distressed I am by these events, taking place in your home town, in the place I have called home for more than 20 years, almost half my life. I have always felt that the American way of governance was unique among the democracies of the world, and that that government belonged to the people, designed with checks and balances to prevent the abuse of power by tyrants. The last four years have given the lie to that principle, and it has killed something in me to watch our nation wane so in the last four years.
I don’t know what comes next.
As I write this, and rewrite this, and rewrite this, our leadership is trying to put things back to right. Congress has been cleared, and they are proceeding to certify the presidential election. Joe Biden will be sworn in on January 20th at noon, as is described in the Constitution.
We ought to be a nation of laws. We ought to be a nation of equal protection — and responsibility — under the law, but we are not. Had the mob today had black or brown skin, they would have been met with the same force that horrified us this summer. But, because this mob was white, the Capitol Police didn’t shoot, didn’t have riot shields, didn’t fire rubbet bullets.
There will always be a percentage of Americans who are white supremacist. Any society sufficiently large will decide to fragment and fracture to protect some magical opinion of purity that is absent fron reality. I had hoped that this ignorant and bigoted behavior was as much on the wane now as it was twenty years ago. Instead, the current moment is full of those who will stoke those fires of resentment and fear based on ignorance and bigotry.
I don’t have an answer for what to do with these people. I don’t think anyone does.
But I know this much: as long as there are those committed to democratic rule here in the United States, there will be a shred of that dream alive somewhere. We have a nation together, these states, of which you have seen half in your short life. We can stand for decency, we can stand for science and knowledge and technology, we can stand up to bullies, we can stand up to tyrants.
We’re not the authority we once were, and we are at odds with ourselves over the very basics of what democratic society are. While this fight goes on, we cannot do the big things we need to do as a nation to lead the world again.
I don’t know if it will happen in my lifetime. The last nine months have felt like so many lifetimes.
But I know that we are capable of greatness, if only we can live up to it. And so often lately, we have failed to live up to our own ideals. As we talk about often, though, tomorrow can be different. We can wake up and make better decisions. We can do more, try more, read more, learn more, experiment more, write more, build more.
Democracy is a process, son. Society is a process. We get up, we live those ideals, we go to bed, we do it again. Each and every day. Every day is a chance to make better choices. To lift up, to promote, to unite, to better us all.
Late yesterday, on the first day of Amazon’s annual AWS Re:invent conference, David Brown, VP of EC2 for Amazon, announced that they have added macOS instances, running on macOS hardware, to AWS’ Elastic Compute Cloud menu of services. This has, of course, lead to a lot of thinking on how this changes things for Mac Admins everywhere.
In late 2005, when we started Technolutionary, our first two servers were G4 Mac minis that ended up in a Winston-Salem data center called Solidspace. These two boxes cost us about $600 each, and we paid around $120/mo for the two spots on their bakers rack of Mac minis inside their secure data center space. As costs went, these machines were phenomenal for us, and I think we retired the last of the original pair in 2015 or so. By then, it was just a Macjordomo server and a FirstClass test instance.
Amazon’s announcement wasn’t a huge surprise. There have been data centers of Mac minis for at least 15 years, and of those, the most notable has been MacStadium. The Mac Admins Podcast, which I host, interviewed their VP of Engineering Chris Chapman last year to talk about Orka, their platform for managing and orchestrating macOS with Kubernetes. The idea being: what if you didn’t have to spend a lot of time managing a huge fleet of remote Macs manually, and instead could manage them with code orchestrators whose job is to render machines from bare metal into a known-good state for code deployment and testing purposes. Orka does this job well, I understand.
So when Amazon announced that you could just spin up new instances of macOS in EC2 — as simple as a short command from your own Mac:
The possibilities become very interesting very quickly!
AutoPkg at AWS! Development machines at a whim! Backed by super connectivity and uptime! All on Elastic Block Storage, which means your startup disk is infinite! Ability to talk directly to AWS Network objects! All tied into AWS’ security and resources!
There’s a lot to like here.
But it’s not what you’d call cheap.
The price, which I didn’t find on their website yet — an artifact of the announcement, I’m sure — works out to be about $1.083/hr. And, since it’s dedicated hosting on Mac hardware, you get to pay Dedicated Instances pricing. And that includes a $48/day per region fee. So, $26/day per mini, plus $48/day per region.
This is the opposite of “the first one’s free.”
The first one is expensive. $27,000 a year expensive.
Now, if your org already has a Dedicated Instance plan, that cost gets amortized out to your instance, and you’re still looking at just a shade under $9,500 per year at list prices. Sure, there’s Savings Plans, which could reduce your costs substantially, but we’re still not talking the $59/month for MacStadium.
Even if you took the weekends off, that’s $6,750 per year per mini.
Unless your org has an AWS-first, AWS-always policy, this isn’t for your singleton AutoPkg server.
Now, there’s exceptions to that statement, and like every case where there are exceptions, the exceptions are what make the case.
EC2 isn’t just any place to put a built-from-code, described-purpose server, it’s the place to put a server. Amazon Web Services is an incredible platform. From a security perspective? It’s the gold standard. You can tie the access control to an individual SSH key, defined by your org’s identity management system, with security groups that help limit access to the right people at the right place from the right zone.
One cool feature that this allows will be the ability to shift a Mac’s booted operating system to a new Amazon Machine Image via command line code. You can provide your own AMI, or use Amazon’s native AMI for Mojave and Catalina, and so segmenting a part of a fleet for beta builds based on a new AMI will be a much simpler task than it otherwise would be.
In the end, what this comes down to is organizational posture. If your organization is big enough to have a bunch of AWS infrastructure that will make this bill an afterthought, you’re big enough to use this for all kinds of things.
One of the major changes for Mac Admins in the forthcoming operating system Big Sur is that, at least until this past week, non-admin users could not permit screen recording permissions. These permissions are required to share your screen in apps like Zoom, or receive remote support using apps like Bomgar/BeyondTrust, Splashtop, or TeamViewer.
This change in posture was deeply hostile to the people that work with any size fleets of devices because it would mean manual admin intervention to permit apps whose basic functionality is critical in the middle of a pandemic to operate.
I understand that Apple has privacy as a human right, and that some IT organizations don’t share that opinion, and that this was a way to help enforce a user’s right to privacy. Hearing the outcry from admins all over, Apple has provided a fix, in the form of an MDM payload key that would allow a user to approve applications that are specified by the user. However, here’s what it’s wrought:
Last night, an intrepid group of admins and engineers worked together to craft a single MDM profile that includes more than 35 individual applications that might ask for this permission, so that it could be deployed to minimize user interruption for what should be a basic task.
A blanket reprieve isn’t good for security, either, Apple, but it is what we need to do in order to focus on our jobs instead of typing in admin passwords all day, or constantly updating a custom profile to make sure our users are both compliant with security posture requirements that are part of key agreements. I don’t think this is good engineering, but Apple bolting this door when we weren’t even asking it to be closed isn’t good user experience.
As with all things, new versions of software causes bugs. Or, it reveals them. Either way, if you have found yourself unable to unlock your Mac with your Apple Watch after upgrading to WatchOS 7, here’s how to fix it:
Open Keychain Access. It’s located in your Applications folder, in the Utilities folder inside of it. From the View menu, click Show Invisible Items.
Once there, search for “Auto Unlock”. If you’re like me, you’re going to see about 50-60 keys. Delete them all.
Now, search for “AutoUnlock”, and you’re going to find four references. Delete all of these, as well.
Go back to the Finder, and from the Go menu, select Go to Folder… (or press Command-Shift-G) and enter this file path: ~/Library/Sharing/AutoUnlock
You will see two .plist files there, delete them both.
Go back to System Preferences > Security & Privacy > General Tab. Check the box to unlock your Mac with your Watch. When prompted, enter your password. It’s going to fail, and that is expected in this case.
Repeat step 6. This time it will work.
Once again, you can unlock your Mac with your watch. Ta-da!
Many thanks to Alex Narvey of Precursor in Winnipeg for the problem exercise, and LongZheng from the MacRumors forums for identifying the solution initially.
What Apple is doing here is using the iCloud Keychain to provide key-based access to your workstation using custom invisible keys that are paired between Watch and Mac, and then verifying that Watch is close enough to the Mac to reasonably unlock it, using time-of-flight Wi-Fi signal checking. This process resets all of the parts of that system to default. The initial attempt to turn it on rebuilds the scaffold entries and keys that are required to be used by the system, and then the second attempt to turn it on uses those now-rebuilt keys and plists to do the job.
Starting early this afternoon, Apple will be releasing major updates for their iPhone, iPad and Apple Watch products. As with all Apple releases, we will support these products starting today. However, we often counsel our clients that while the shiny new features are new and unique and enjoyable, updating on the first day of release can come with challenges. We’d recommend waiting a few days, possibly a week or two, to make sure that your apps are all ready for iOS 14.
You might be asking: what’s in these updates? I’m so glad you asked.
iOS 14 – New Home Screen Options, Translation, Better Maps, Richer Messages
iOS 14 introduces a number of new features, including Apple’s first rethink of the home screen since the iPhone was released. You can now add widgets to your home screen that can display useful information, like your calendar appointments for the day, the weather forecast, your music, a map to your next appointment, and more. Widgets are blocks that appear on your home screen. They take up a 2 x 2 grid of icons, or a 2 x 4 grid of icons. There’s also a smart widget that uses Siri on-device intelligence to show you the right widget for the right moment. So far, that one is my favorite.
When international travel — or even just visiting international neighborhoods! — becomes a thing again, there’s a new translation engine for your iPhone that allows you to do immediate typed translation of a phrase. Need to ask where the bathroom is? You can type that out and then show your new friend who is trying to help you get where you need to go the phrase in native characters, or you can have it directly play the audio.
In addition, Apple has been hard at work adding new features to Apple Maps and iMessage. You can now pin favorite iMessage conversations to the top of your screen so that you won’t lose them. In addition, there are a bunch of new threaded message features, richer app integrations, and more. Apple Maps is adding EV Charging waypoints to your directions, to make sure that you never run out of range on your car, and also they’re adding bicycle directions to three major cities, with more to come. That last one, I’m really excited for when it finally hits DC. My wife Tiffany has become an avid cyclist during the Covid times, and if you want to read about her adventures with her cargo bike, it’s a good read, for parents especially.
Of course, there’s more, but those are the ones I’m most excited about. iOS 14 works on every iPhone since the iPhone 6s, as well as the iPod touch, 7th generation.
iPadOS 14 – All that iOS 14 offers, plus better UI, more places and ways to use Apple Pencil, and richer Notes
iPadOS 14 has all the new features that iOS 14 has, plus it has a whole bunch of really good refinements to the iPad platform as a whole to make it a better experience for everyone.
I absolutely love the new Scribble feature for Apple Pencil with your iPad. Any place that you’d normally tap and type out text, you can tap with the pencil and just start writing. It will convert the handwriting to text on the fly. For those that remember the Newton and eMate, the handwriting recognition is generations better, and I found that it works about 99% of the time. In addition, you can scratch out words and sentences to remove them, or circle text to highlight it!
For the times you’re writing in the Notes app, your iPad will be doing on-device transcription of your handwriting behind the scenes so you can search for what you’ve handwritten out, as well as the ability to copy handwriting and paste it as text, in the note you’re working in, or in any app throughout iPadOS. Writing down a date? Apple’s data detectors features allows you to tap on that date and see your calendar, or tap on an address and see the map, or tap on a phone number and make a call, all without having to do anything special or extra!
iPadOS 14 works on all iPads back to the iPad Air 2 and the iPad mini 4. All iPads Pro, and the 3rd and 4th generation of iPad Air are all supported.
WatchOS 7 – Family Watches, New Faces, Better Widgets
For those who have Apple Watches, WatchOS 7 offers several cool new features that you can use. The biggest was just announced yesterday – and that’s Family Setup. If you have someone in your life who would benefit from an Apple Watch – a child, an older relative – that doesn’t have their own iPhone, you can now help them to setup their own watch. It requires a cellular watch model, but then it will set them up as their own user, fully distinct from your Apple ID, and can give you peace of mind including location tracking, fall detection, and more. They can even call you or other family members direct from the Apple Watch.
In addition, Apple has released a series of new Watch faces that will allow you to customize your Apple Watch more to your liking. Developers can now build groups of complications and surface them directly on your Apple Watch so that you can be more productive with only just your Apple Watch.
Apple has also added sleep tracking to Apple Watch so that you can know how well you’re sleeping! You can set a bedtime and wake time, set sleep goals, and get a good idea of how well you’re resting. This has been super important to me during my recovery, as apparently burning the candle at both ends and in the middle is bad for you. Who knew. I find that the Sleep app’s new Wind Down feature is really helpful for me to transition away from using my devices.
WatchOS 7 works on Apple Watch Series 3, 4, 5, 6 and SE devices.
Recently, I was given an interesting task by one of our clients. They had merged with another organization a few months back, and it’s finally time for their Office 365 accounts to merge. But, because of the way Office 365 is tenanted, you have to migrate the data behind the scenes, switch DNS records, and then setup Outlook from scratch.
That’s not ideal. It’s also a lot to explain over the phone as you help users through the process.
So how could we automate this?
We needed to do a few things:
Unlicense Office 365
Remove the Email account.
Re-license Office
Re-setup the Email account.
Unlicensing things was easy to handle, thanks to Microsoft’s Paul Bowden, there’s an easy-to-run script for that. Re-licensing and setting up the email can be done in chained steps, thanks to how Outlook handles initial user setup. If there’s no Outlook Profile, it creates a new profile, handles licensure, and uses that licensing account to setup the initial email. Cool, that part’s handled. All we need to do is remove the Outlook Profile in its entirety.
Then I remembered that Outlook could have local mail stored in the On My Computer folders that are available if you turn them on. Last thing I wanted was to find out that we’d removed the Outlook Profile and nuked a bunch of archival information that our customer was relying on.
Turns out, Paul was ahead of me there, too, and had written a script that returns the size of those folders! It’s designed for use with a Jamf Extension Attribute, but I could use this on disk to cat out a size value to a text file on disk, and use string comparison to check for a value that is anything other than 0.00.
I wrote a script that let me reference both of those other scripts, but now that’s a lot to expect a non-technical user to do, so what if we could wrap this in an app somehow?
Platypus is a Mac App that creates other Mac Apps out of shell scripts, python scripts, tcl scripts and more, and it will let you string together other files as resources, available to the primary script.
In this case, I chose my short script that references the Unlicense and OutlookFolderSize.sh scripts, re-pathed those references to inside the same folder as the primary script, and added an icon, bundle identifier, and name for the app.
Once I had built the app, it was important to sign it and notarize it, in case we decided to distribute through direct download means:
These three commands sign the application bundle, zip it up, and then submit it for notarization. Once notarized, you can staple the app easily with another command:
xcrun stapler staple OutlookChanges.app
A review of the application with What’s My Sign will show its status:
And now we have an application we can use to do the task! Thanks Platypus!
My friend Ben Mahler posted this graphic to his Facebook the other day, sharing his perspective on the current moment:
Monday night, we came inside at 7pm, to my son’s frustration and anger. Our city was under curfew. We didn’t know what to expect from the visiting national guardsmen and the federal police forces here. Would there be patrolling groups in our neighborhood, as there were in Pittsburgh and in Minneapolis? Would they be shooting rubber bullets at people on their porches, as there were in Pittsburgh and Minneapolis?
So we went inside. And Charlie raged. He was so angry at not being able to go play frisbee in the park, and I was scared to go out. I have lived in the Washington area for 20 years, and lived in the city for 10. At no time was I afraid to leave my home before the federal police and national guard occupation that began on Monday.
I am not afraid of my neighbors. I am not afraid of the protestors. I am not even afraid of those who are engaging in direct action with fire and spray paint. They are my fellow citizens.
Charlie didn’t understand the curfew. He didn’t understand why we needed to be inside when it was perfect out. I can’t blame him. It’s hard to explain big concepts like structural racism, police violence, the dangers of having non-white skin in our broken society.
I can hide behind my whiteness.
I can hide.
He can hide.
My friends and their families cannot. I can’t be silent any longer.
We need to de-escalate the militarization of our police. We need to dismantle the unjust, structurally racist model of policing in America. We need to dismantle the racist outcomes of our charging system. We need to dismantle the racist outcomes of our justice system.
We need to live up to the high ideal that ALL people were created equal in the eyes of the law.
And we can’t be quiet about it any longer.
It is not enough to not be racist. It is a start to be anti-racist.
A year or so ago, I was talking with Chad Swarthout of Alectrona. We were both looking for a platform to put on a single-day learning event for IT people, and we were primarily looking for a way to do it in DC. We each had enough going on in our individual lives to make it a bit of a dreamscape, and not a reality.
Covid-19 has made IT Conference planning difficult for a lot of organizations right now, and I’ve cancelled a lot of my travel plans for 2020 so far. Chad and I started talking with another colleague, Yoann Gini of Abellioni in France, about how the current moment called for something a little bit different. That’s how Futureproof IT came to be.
We’re planning three half-day sessions in the middle of May, to be held via remote meetings, with a shared member space to converse and share ideas, and we’re doing this with a global focus. We’ll have a set of talks each day, along with a panel or two, and include some lightning talk slots for quick talks and subjects.
Our Call For Presenters Is Open!
While we’ve got some really great speakers – I’m excited to welcome my friend Amélie Koran to the virtual stage from Splunk, and my friend Erin Merchant from Spoke, as well as a security panel from my friend Rob Pegoraro – we could always use more of them.
We’ve all got something to say right now. We’ve all dealt with the challenges of the current moment. Maybe you feel like what you’re doing is common sense. Maybe you feel like what you did isn’t extraordinary. Neither of those should preclude you coming to talk about what’s been going on in your environment. We’re here to learn, and we’re here to do it together. This is going to be the safest and friendliest environment, so come on out and tell us what you want to share.
All our proceeds are going to Heart to Heart International, a charity designed to get PPE and medical supplies to communities all over the world. We’ve got varying ticket prices based on who’s going to be footing the cost of the ticket, and we’re always looking for donor sponsors to help us make this a bigger event.
Today, I had to package something up for the first time on my new machine. I fired up stalwart Mac Admin software Packages. I created a new project, built out the file structure, dropped in my content and hit Build.
Unable to copy item at path /Users/tom/Desktop/Identifier.plist because you don’t have permission to create it inside the folder ‘Trend Micro’.
Wait, what?
Did /var/tmp end up in the SIP exclusions list, heaven forfend? Did I forget to strip the quarantine bit from the file I’d downloaded?
Nope. I’d just not given Packages access to the entire disk in the Privacy Preferences Policy Control.
The packages_dispatcher process has to have Full Disk Access in order to get to all the files you may want to package up and deliver.
