Port Confusion

This video showed up in my Twitter timeline today:


The video is short, and the juxtaposition with Apple this week is almost painful. Apple is not the underdog it once was – and it hasn’t been for some time – and the marketing machine that was so critical to its success is now, I believe, running the show in ways that are holding back the products that it’s creating.

I no longer believe the design team at Apple is innovating to make the best product experience, rather they’re deep in “pure math” territory, exploring the boundaries of innovation itself. I feel like this can go one of two ways. One of these is a future where Apple is a pillar of the desktop and laptop community, one of these is a future where the Mac is both expensive and underperforms.

I fear that we’re heading toward the second future.

The cost equation for the Mac got a shot in the arm last week at the Jamf Nation User Conference, where IBM revealed that the Mac is substantially cheaper to support. 48 hours ago, Apple essentially raised prices on everything in the field. While the MacBook Air remains on sale, Apple is instead pushing a machine $500 more expensive as a “replacement” to that model.

Couple that with a machine that can only handle 16GB of RAM for “battery and performance reasons”, and a total dearth of desktop updates, I’m left with more questions than answers. The first one is: “Why is thinner and lighter always better?” and I can’t come up with an answer that leaves me satisfied.

In the meantime, I’ll likely line up and replace my MacBook pro, maybe buying another cable case from Skooba to hold all the extra dongles I’ll need. Don’t count me as mourning the Mac just yet, but like any friend who’s started to veer off from the path you’re taking together, I’m starting to wonder what’s up over there, and I hope I’m shown to be foolishly wrong sooner rather than later.

Deploying NoMAD with Configuration Profiles

It feels a little silly to be so excited about something so simple as NoMAD, but there’s nothing simple about NoMAD behind the scenes. It’s doing a lot of heavy lifting that you’d usually need binding to accomplish. Preventing the complication of binding simplifies your Mac environment. On the Macadmins.org Podcast recently, we spent an hour talking with Joel Rennich about just that.

We’ve now deployed NoMAD for a single site, using Munki to deploy the application bundle, but when it comes to deploying the preferences, I’ve decided to take some notes from the tea leaves being read and move my deployment strategy to take advantage of Mobile Configuration Profiles. Rusty Myers has a good meta-repository of Profiles if you’re not familiar with all the options available.

From our testing rig, where we finalized the settings for deployment, we built a good configuration. You can use the system defaults command to play out what NoMAD is setup to do. defaults read com.trusourcelabs.NoMAD will give you the entire contents of the prefs domain, but you don’t need everything from that file. This is what we took forward from that file:


Now, if you want the full payload of preferences, there is a published guide to all of the settings options.

defaults read displays the contents of the preferences file in the old MCX format, which is exactly what we need to generate a profile for upload to MDMs, or deployment directly via Munki. Tim Sutton has written an MCX-to-Profile python script that can take the contents of that file and turn it into a mobileconfig profile. Name the MCX file com.trusourcelabs.NoMAD so that the correct permissions domain is applied – or just change the name once the profile is built.


To get the profile out, we made it an update for the NoMAD installer itself, set as an unattended installation. When NoMAD is installed by Munki, it gets the profile as an upgrade in the background, installed and ready for first run. In this case, we’re using NoMAD even while bound, just to simplify the installation of an X509 identity for use with 802.1X and Cisco ISE for Wi-Fi purposes. There are a lot of good reasons to use NoMAD to simplify your world.

Five Years On: Designing IT Experiences Steve Would Have Liked

There’s a group of people in every IT Department over a certain size that are tasked with “Executive Support”, meant to interact with the high-touch execs of any company, mostly to help them deal with whatever IT policies have been put in place by a CISO or CTO to help make the company more secure, often at the cost of user experiences.

In my first IT job, I was the executive support for a particularly difficult vice president, someone who could make you feel small and useless if you didn’t have the right answer at the right moment. It was a difficult job, being in Sauron’s eye, sometimes. I imagine that working for this person was a bit like working for Steve Jobs: highly demanding, highly sensitive to bad design, highly willing to grab a flamethrower and start marching on the cubes.

I am a better IT professional today because I think to myself every time now: “How will my clients and staffers feel about this particular change?” Will the results of this change be potentially ambiguous, and thus confusing? Will this change affect their user experience? If so, can I justify that change, and present them with the information ahead of their install?

Your staff and your colleagues are counting on a user experience that is comfortable to them, and thus, changes to their environment without clear justifications (valid reasons include security, data safety, and increased functionality; invalid reasons include capricious restrictions and management without explanation) are unwelcome, unfamiliar, and will cost them productivity, and worse, their trust in you.

Your open dialog with your coworkers and clients relies on them to trust you not to mess with their user experience without providing countervailing benefits in other places. Don’t forget that. If you do, your coworkers and clients will do everything they can to undermine your position, work around your protections, and distrust you. This is not the role of good IT.

So if you do something today to mark the passing of Steve, make it something that empowers your coworkers and clients, make it be something that surprises and delights. Be there for your people, because you’d want them to be there for you. Every coworker and client deserves the level of support you give to the executives, from the office admin, to the line manager, to the C-suite. That’s what Steve’s vision of the Mac was all about. It’s our job to carry that legacy onward.

Steve Jobs by Ben Stanfield
Photo of Steve Jobs by Ben Stanfield

Exporting S/MIME Certificate Identities For iOS Use

Cryptographically-signed email is a complicated subject. There’s keys and certificates, there’s signing authorities, all of the wonderful PKI structures that allow us to communicate securely. Securely signed email is an easy way to indicate to other parties that you’re taking some precautions with your email that authenticates the sender in an end-to-end way. A typical free commercial certificate, say, from Comodo, will affirm that the original certificate creator can receive email at a given address. This allows you to sign outgoing emails, which wraps the message in a secure envelope that confirms that you are who you represented yourself to the certifying authority to be.

Generally, these certificates are commissioned on a desktop computer, like any Mac. You end up with a certificate stored in your Login keychain that Mail.app or Outlook use to sign your outgoing messages, or decrypt messages signed with your public certificate. If you open Keychain Access, select your Login Keychain, and then set it to filter by certificates, you will see your email signature.

If you want to sign email with your iPhone or iPad (and you do), you’ll need to move this certificate to your device in a way that your device will be able to work with it.


Normally, you might just drag your certificate out to the desktop and embed it in an MDM Profile, or something similar. Your certificate also contains a private key, and that is a critical element. The drag and drop method won’t work this time. What you need to do is export the certificate in .p12 format (also known as PCKS #12). To do this, right-click on the Certificate and select Export.


Pick a location for the file. I recommend the Desktop, since we’re going to be emailing this file.


You’ll be prompted to pick a password for this .p12 file. You’re going to need this when the certificate gets to the iOS device. This is what lets you securely move the certificate and private key together in a safe package.


Pick a password that you’ll remember and that isn’t just password. If your email is compromised, an attacker could take this .p12, and with suitable equipment, some good luck, and a super computing farm, sign email on your behalf, unless you revoke the certificate at the Certificate Authority. Note the password down carefully, you’ll need it in a moment.


You may be asked to allow access to the private key by the system. You’ll need to allow access in order to export. I think this step might be unnecessary in most cases. If it doesn’t present, don’t worry about it.


Now, attach the .p12 file to an email that your device can receive. Now, what follows is instructions for use with the built-in Mail app on the iPhone. There may be ways to work with S/MIME in other mail clients, but this post will not cover them.


Once you have the .p12 in Mail on your iOS device, tap on the attachment to open it. The Settings app on your iOS device will now open and you’ll go through the standard profile installation process. If you have an iOS Device that is paired with an Apple Watch, you will get prompted to pick whether you want to install the certificate on your Watch or your iPhone. You want it on your iPhone.


Keep in mind – you aren’t working with a signed standard identity certificate, but that doesn’t mean the payload won’t certify up the trust chain.



Accept these dialogs by tapping Install, and continue. You will now have to enter the password for the .p12 container that you wrapped around your certificate and private key. Enter it and tap Next when you’re ready.


Lastly, you’ll need to finalize the profile and confirm the install.


Your certificate is now resident on the iOS device, and it’s time to go turn on S/MIME in your Mail Account. Go to Mail Settings, and select your account, and then head to the Advanced Settings. Turn on S/MIME, and turn on the signing settings.


You can confirm that your identity is selected, or select which identity your device is using to sign messages, by tapping on Sign.


You can tap the i at the end of the line to review the signing identities that are configured for your account. If you start using S/MIME certificates, be ready to keep old expired certificates around in the event that you are not just signing messages, but encrypting them. Messages encrypted with your public certificate by other people will only be decrypted by that old, expired certificate and its private key.

If you want to review your S/MIME certificates, you can do so in the Profiles section of Settings. Tap on Settings, then General, then Profiles.


You can get detail on an individual certificate and see more information surrounding the certificate, which should be on your calendar.


Sierra Features & Recommendations

Today, Apple releases the 13th major revision of what began life as Mac OS X, turned into OS X, and is now macOS. Sierra, macOS 12, will appear in the App Store this morning for free. The tentpole features this time out are subdued, and Sierra represents a refinement of the changes that began in OS X Yosemite in 2014, and continued in OS X El Capitan last year.

Our advice, as in previous years, is that discretion is the better part of valor, and waiting until you have a convenient time to be without your computer for an hour or so, after you’ve determined if your working application load is functional in Sierra, is the best way to proceed. This basically means we don’t recommend updating today unless you enjoy pushing the boundaries of the future. We will, of course, support you as best we are able, but our general advice is:

  1. Don’t update without a backup. If you’re not sure if you have a backup, you need to be 100% sure before proceeding.
  2. Don’t update without checking the compatibility of your applications with the new OS. Our management and monitoring systems are compatible at this time, and our tools will work with Sierra. If you’re not sure your tools are compatible, please check. We’re happy to help.
  3. Don’t update without being aware of the new iCloud features listed below, and understanding the consequences of turning them on could include data loss, or being without your data offline.

As always, we take the advice of Salah from Raiders of the Lost Ark.


Please note that we don’t mean you should go first, but rather other intrepid OS explorers, who have the correct safety apparatus and a willingness to explore knowing that loss is possible.

While Sierra is a refinement release, there are a couple of interesting tentpole features for Apple to hang its hat on. The first is the arrival of Siri to the Mac platform. Long a mainstay of iOS, Siri now has access to many of the pieces of your Mac’s environment, including your files, your calendar and your personal information. If you have internet access, Siri can perform tasks for you related to your operating system such as “Create an Appointment tomorrow at 9am to call Tom” or “Find all my emails from Tom Bridge” or “Show me all the pictures of Charlie”, and Siri can do those things. Siri can move files, send messages, and other activities.

I find Siri’s inclusion to be a novelty, and a bit of a disappointment, if only because I can’t imagine myself ever speaking to my computer in an open-plan office, or in a coffee shop, or even my home if others were around. I find the idea a talking interface to your computer to be a bit bizarre, but I recognize I may an outlier. I don’t talk to machines in public, I save my talking to people. Is that weird? Maybe. It is straight up humanist discrimination? Well, yes, it is. This is where the computers come for me, isn’t it?

The second tentpole of Sierra is one that I find both intriguing and horrifying all at once. Apple wants you to trust your Documents folder and Desktop to iCloud, and allow your local operating system to figure out what needs to be stored locally, and what can be stored in the Cloud instead. They’ve prepared us for this reality, of course, and this is just iCloud Photo Library, but applied to your Desktop and Documents folder. This is a great concept, designed to save space on your SSD-based Macs that are very definitely space constrained, but there are pitfalls. I am glad that Rich Trouton has made available his configuration profile that blocks this setting for organizations to use on their computers. I’m not interested in turning this feature on any time soon.

There is one convenience feature that I am enjoying so far, and that is unlocking the phone with my Apple Watch. This feature relies on Apple’s Wi-Fi proximity check scripts, as well as access to your iCloud account, which must be set to use the new Apple Two-Factor Authentication for security purposes. This means you’ll have trusted devices that are capable of providing a 6-digit one-time passcode for granting access to your AppleID. If your Watch and Mac are set to use the same (2FA-enabled) AppleID, the presence of the watch (in an unlocked state, on your wrist) will unlock your Mac.

If you want to learn more about the security of macOS and iOS, I strongly recommend watching Ivan Krstic’s Blackhat talk, which goes into depth about the security behind this unlock procedure (Starts at 24 minutes in). The amount of thought that has gone into this process is staggering, but I would absolutely watch the heist flick, or Mr. Robot season, that takes on trying to break it (and failing).

There are some additional features in Sierra that are of interest, but you’re likely already exposed to their arrival, as they’re in iOS 10. Photos’ Memories features and new search capabilities are on your Mac, the Apple Music experience is now available in iTunes, with enhanced capabilities, and the new iMessage types, responses and animations are available in Messages for view.

There are some additional under-the-hood changes in Sierra that are interesting, including changes to the SIP directories, locking down further portions of the underlying OS-facing file system, and the inclusion of APFS as a disk type that the OS can understand, but neither of these concern users at large, who this guidance is for.

As always, we are happy to answer your questions.

iOS 10 Features & Recommendations

Later today, Apple will release the first fully public distribution of the next version of their mobile operating system, iOS 10. We’ve been using iOS 10 since the early part of the beta period, and it’s been on my “daily driver” phone for a little more than a month at this point. Apple has made a lot of behavioral refinements in this release, but they’ve also made some wholesale changes to the way your iPhone operates.

Our advice: Wait a few days for all your apps to become compatible, but then upgrade if you have an iPhone 5S or later. Maybe Friday?

Continue reading

Something Siri Should Know: Baseball Magic Numbers

I’ve been trying to use Siri more for tasks in the Sierra Beta, and I finally had an obvious one to go looking for tonight. I asked her what the Nationals Magic Number is. This was her response:

Screen Shot 2016-08-29 at 7.15.57 PM

Well, that’s not ideal. Why doesn’t Siri know how to make this calculation? The magic number to win the division in baseball is a known formula. That formula is

(163 - (leading team's wins + second place team's losses))

. As I type this, the Nationals have 75 wins, and the 2nd place Mets have 64 losses. This makes the Nationals’ magic number 24 (163 – (75+64)). This number should be easily calculable for Siri.

Alternatively, for teams in the Wild Card race, there is an alternate formula, that involves removing the division leaders from the standings tree, and combining the rest of the teams into a single table, and subtracting the wins of the leading team and the losses of the third place team to get the result.

Why isn’t this the sort of thing Siri knows about? Given MLBAM’s tight relationship with Apple (and MLBAM’s use of their data throughout various keynotes over the years!), why isn’t this something Siri knows how to do?

Think of the opportunities for fun things to say. You could ask Siri what the Yankees magic number is, and instead of this, you might get something funny like “Well, I’m sorry to tell you John, they’re not getting their 28th this year.”

Screen Shot 2016-08-29 at 7.24.54 PM

I mean, how great would it be if Siri was an inveterate Red Sox fan and just spent the whole time needling Yankees fans?

Anyway, I’ve filed a bug, and if you’d like to dupe it, it’s number 28066166, and it follows here:

Currently, if you ask Siri what the Nationals’ magic number is, she isn’t sure. The magic number to win the division in baseball is a known formula. That formula is 163 – (leading team’s wins + second place team’s losses).

As I type this, the Nationals have 75 wins, and the 2nd place Mets have 64 losses. This makes the Nationals’ magic number 24 (163 – (75+64)). This number should be easily calculable for Siri.

Alternatively, for teams in the Wild Card race, there is an alternate formula, that involves removing the division leaders from the standings tree, and combining the rest of the teams into a single table, and subtracting the wins of the leading team and the losses of the third place team to get the result.

Steps to Reproduce:
1. Ask Siri for the Nationals magic number
2. Be denied.

Expected Results:
1. Ask Siri for the Nationals magic number
2. Be displayed the division standings (good!) and get the correct answer for their magic number for the playoffs.

Actual Results:
1. Ask Siri for the Nationals magic number
2. Be displayed the division standings (good!) and get a noncommittal answer (bad.)

10.12 Beta (16A313a)

Major League Baseball should also be able to furnish this data directly.