As a related task to my Boot Camp partition detection, I also wanted to see if I could get information on the OS running in VMWare Fusion VMs without the VM actually being up and running. After some poking, I saw that I could get information on running VMs by using the vmrun list command. However, there didn’t see to be a way to pull information on non-running VMs using VMWare Fusion 5′s vmrun command.

After some additional investigation, it looked like the data I wanted was stored in /Users/username_here/Library/Preferences/com.vmware.fusion.plist in the VMFavoritesListDefaults2 plist key. In that plist key, the information I wanted was stored in the guestOS dict. With that information, I was able to use grep and awk to pull just the OS information I wanted. The command I used was:

defaults read com.vmware.fusion VMFavoritesListDefaults2 | grep guestOS | awk '{print $3}' | sed 's/"//g' | sed 's/;//g'

When I did that against my own VMs, here’s the output I received.

Note: One thing to be aware of is that OS X VMs will report their Darwin OS info.

Because this information is stored on a per-user basis, you would need to check each user account to pull the VMs associated with each account.

One of the issues you can run across with systems management tools is doing an automated uninstall and reinstall of the agent software. The dilemma is that you can tell the agent to uninstall itself, but after that there’s no agent software on the machine to run the reinstall command. Most management tools include the ability to scan your network and install agents on machines automatically, but that may not be appropriate for all environments as you may have some machines where you don’t want to install the systems management agent.

I ran across a situation like that recently in my own environment. For details, see below the jump.

My workplace runs both JAMF Software’s Casper and Dell Kace’s KBox 1000 agents on our Macs. We recently updated our KBox to version 5.4, but Kace has the following known issue listed in the 5.4 release notes:

11002: Client machines running Mac OS 10.8 and K1000 Agent version 5.3 cannot upgrade to Agent version 5.4. Dell KACE recommends that you either upgrade to Agent version 5.4 before installing Mac OS 10.8, or uninstall and reinstall the Agent software manually.

Since I already had a number of 10.8 Macs in my environment with the 5.3 agent installed, I wanted to have Casper handle the uninstall and reinstall of the KBox agent for me, rather than doing it manually on the affected machines. I also wanted to target just the 10.8 Macs with the 5.3 agents. After doing some poking around, I saw that the KBox agent had the version number stored in the /Library/Application Support/Dell/KACE/data/version text file.

Once I had that information, I wrote the following Casper extension attribute to check for that file and pull the agent version information from it:

#!/bin/sh

# Check to see if the KBox agent is installed.
# If the agent is installed, report the agent
# version.

if [ -f "/Library/Application Support/Dell/KACE/data/version" ]; then
   result=`cat "/Library/Application Support/Dell/KACE/data/version" | grep 5`
   echo "<result>$result</result>"
else
   echo "<result>Not installed</result>"
fi

For those interested, the extension attribute is available here on my GitHub repo:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Extension_Attributes/check_kbox_1000_agent_version

Once I had the version information available, I then set up a smart group that only included 10.8 Macs with the 5.3 version of the KBox agent. From there, I built a new Casper policy that uninstalls the older KBox agent, then installs the new 5.4 agent and set the policy scope to target the machines in the previously-mentioned smart group. After that, Casper took care of the automated uninstall and reinstall of the KBox agents during the affected machines’ next check-in with the Casper server.

The WordPress.com stats helper monkeys prepared a 2012 annual report for this blog.

Here’s an excerpt:

About 55,000 tourists visit Liechtenstein every year. This blog was viewed about 350,000 times in 2012. If it were Liechtenstein, it would take about 6 years for that many people to see it. Your blog had more visits than a small country in Europe!

Click here to see the complete report.

Since the release of Google’s Cauliflower Vest, one of the wishlist items that a number of Mac admins have wanted is to use Cauliflower Vest’s capabilities without needing to use Google App Engine as the server backend. Crypt, a new open-source project being developed by Graham Gilbert, looks like a step in the right direction. See below the jump for details.

Like Cauliflower Vest, Crypt is designed to:

• Allow individual recovery keys to be automatically generated and escrowed for each Mac
• Force-enable FileVault 2 encryption on a Mac
• Provide secure access to recovery keys

Crypt comes in two parts. Crypt is a client application that would be installed on your Mac(s). Crypt-Server is a Django web app that receives and stores the escrowed FileVault 2 recovery keys.

Prep work

Before starting with anything else, I set up an Ubuntu 12.0.4 LTS server to act as the Crypt-Server key escrow server. Crypt should be able to run on anything that supports Python and Django, but the Crypt-Server setup instructions assume that the host OS is Ubuntu 12.0.x LTS.

Setting up the Crypt-Server software

Installing the foundation software

1. Log into the Ubuntu server using an account that has sudo privileges

2. Check to see if git is installed on the Ubuntu server by running the following command.

which git

3. If git is not installed, install it by running the following command:

sudo apt-get install git

4. Following the installation of git, install the Python setup tools

sudo apt-get install python-setuptools

5. After installing the Python setup tools, check to see if virtualenv is installed. virtualenv is a tool to create isolated Python environments and it’s used by Crypt-Server.

To check for virtualenv, run the following command:

virtualenv –version

6. If virtualenv is not installed, install it using the following command:

sudo easy_install virtualenv

7. Once installed, verify that virtualenv is now installed by running the following command:

virtualenv –version

Creating a non-admin service account and group for Crypt-Server

8. Create the Crypt cryptuser service account by running the following command:

sudo useradd cryptuser

9. Create the Crypt cryptgroup group by running the following command:

sudo groupadd cryptgroup

10. Add the cryptuser service account to the cryptgroup group by running the following command:

sudo usermod -g cryptgroup cryptuser

11. Verify that the cryptuser service account is now a member of the cryptgroup group by running the following command:

id cryptuser

The gid and groups values should both report cryptgroup.

Create the Python virtual environment

Next, we’ll be using virtualenv to create a Python virtual environment for Crypt-Server. This will allow the Django software to be installed in a contained environment that won’t interfere with the system Python installation’s packages.

12. Change directories to /usr/local, as that’s where we’ll be installing the virtual environment, by running the following command:

cd /usr/local

13. Create the Python virtual environment for Crypt-Server by running the following command:

sudo virtualenv crypt_env

14. Give the cryptuser service account read and write access to the crypt_env virtual environment by running the following command:

sudo chown -R cryptuser crypt_env

15. Verify that the cryptuser service account is set as the owner of the crypt_env directory by running the following command:

ls -al

At this point, because we’ll be switching into the cryptuser service account and running it with a bash shell, it’s a good idea to use sudo to drop into a root shell first. That will simplify the various account and shell switching we’ll need to do because the root user has total access to the system.

16. To switch to a root shell, run the following command:

sudo -s

17. Switch to the cryptuser service account by running the following command:

su cryptuser

18. The virtualenv tool is expecting to be run from bash, so switch to a bash shell by running the following command:

bash

19. Change directories to the crypt_env directory by running the following command:

cd crypt_env

20. Activate the virtual environment by running the following command:

source bin/activate

21. Install Django in the virtual environment by running the following command:

pip install django

22. Install South in the virtual environment by running the following command:

pip install south

23. Install the Django Bootstrap Toolkit in the virtual environment by running the following command:

pip install django-bootstrap_toolkit

Installing Crypt-Server from Github and configuring it

At this point, all the software that Crypt-Server runs on has been installed, so it’s time to install the actual Crypt-Server software and configure it.

24. While still inside the crypt_env virtual environment, use git to clone the current version of Crypt-Server by running the following command:

git clone https://github.com/grahamgilbert/Crypt-Server.git crypt

25. Change directories to the fvserver directory inside of the newly-cloned crypt directory by running the following command:

cd crypt/fvserver

26. Copy the example_settings.py sample configuration file to a new settings.py file by running the following command:

cp example_settings.py settings.py

The settings.py file is used by Crypt-Server to store its config settings.

27. Open settings.py for editing by using the following command:

nano settings.py

While in settings.py, edit the following settings:

Set ADMINS to an administrative name and email

Set TIME_ZONE to the appropriate timezone

See the screenshots below for how I edited mine.

Initializing the Django database and creating an admin user

28. Change directories to the crypt directory by running the following command:

cd /usr/local/crypt_env/crypt

29. Initialize the the Django database by running the following command:

python manage.py syncdb

When prompted, create an admin user.

I used cryptuser for mine.

29. Migrate the database by running the following command:

python manage.py migrate

30. Stage the static files by running the following command:

python manage.py collectstatic

When prompted about overwriting existing files, type yes.

31. Exit out of the virtual environment. To do this, type exit at the prompts until you’re back at the root@servername prompt.

Web Server setup

To run Crypt in a production environment, a webserver needs to be setup and configured. Ubuntu uses Apache, so we’ll be using that. The Apache libapache2-mod-wsgi module will need to be installed in order to allow Django to communicate correctly with Apache.

32. Install libapache2-mod-wsgi by running the following command:

apt-get install libapache2-mod-wsgi

Creating an Apache virtualhost

The term “Virtual Host” refers to the practice of running more than one web site on a single machine. Since Crypt-Server may not be running on a dedicated server, it’s a good idea to set up an Apache virtualhost for Crypt-Server.

To set up a new virtualhost for Crypt-Server on Ubuntu, make a new file called crypt.conf at /etc/apache2/sites-available. You can do this by running the following command:

nano /etc/apache2/sites-available/crypt.conf

Here’s an example virtualhost that accepts connections from any IP on port 80:

<VirtualHost *:80>
ServerName crypt.yourdomain.com
WSGIScriptAlias / /usr/local/crypt_env/crypt/crypt.wsgi
WSGIDaemonProcess crypt user=cryptuser group=cryptgroup
Alias /static/ /usr/local/crypt_env/crypt/static/
<Directory /usr/local/crypt_env/crypt>
       WSGIProcessGroup crypt
        WSGIApplicationGroup %{GLOBAL}
        Order deny,allow
        Allow from all
</Directory>
</VirtualHost>

Final stretch

Once the virtualhost file has been created, the last part will be configuring a .wsgi file to to get our Django-powered Crypt-Server site running under Apache.

33. Switch back to the cryptuser service account by running the following command:

su cryptuser

34. Switch to a bash shell by running the following command:

bash

35. Running the following command to create a new crypt.wsgi file inside /usr/local/crypt_env/crypt/:

nano /usr/local/crypt_env/crypt/crypt.wsgi

The crypt.wsgi file should have the following contents:

import os, sys
import site

CRYPT_ENV_DIR = '/usr/local/crypt_env'

# Use site to load the site-packages directory of our virtualenv
site.addsitedir(os.path.join(CRYPT_ENV_DIR, 'lib/python2.7/site-packages'))

# Make sure we have the virtualenv and the Django app itself added to our path
sys.path.append(CRYPT_ENV_DIR)
sys.path.append(os.path.join(CRYPT_ENV_DIR, 'crypt'))
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "fvserver.settings")
import django.core.handlers.wsgi
application = django.core.handlers.wsgi.WSGIHandler()

36. Enable the crypt.conf virtualhost configuration by running the following command:

a2ensite crypt.conf

37. Restart Apache and have it re-read its configuration settings by running the following command:

service apache2 reload

38. Verify that you can access the Crypt server website by going to your server’s DNS address in a web browser.

Setting up the Crypt client

Once the server end is set up, it’s time to set up the client end. The Crypt project folks have a pre-made Crypt_Client.pkg installer available at the following location:

https://github.com/grahamgilbert/Crypt/raw/master/Build/Crypt_Client.pkg

The Crypt client will need to be launched by some outside source. The Crypt project folks recommend using a loginhook for this. I used their pre-written loginhook script and it worked well for my test setup.

Encrypting the Mac using Crypt

To set up your Mac to be encrypted, you’ll need to install the Crypt installer package, set the location of your Crypt server and also set up your loginhook.

To set the location of the Crypt server for the Crypt client, I ran the following command:


sudo defaults write /Library/Preferences/FVServer ServerURL "http://crypt.domain.com"


Once the server location was set, I stored my loginhook script in /Library/Scripts and named it filevault.sh.

Next, I ran the following command to set my loginhook:


sudo defaults write com.apple.loginwindow LoginHook /Library/Scripts/filevault.sh


Last, but not least, I installed the Crypt client software in my test VM.

Once the software was installed, I restarted my VM and then logged in with my rtrouton account at the login screen. This triggered the loginhook to run /Library/Scripts/filevault.sh.

The script detected that my Mac was not encrypted, so the Crypt warning came up and I was then prompted to authenticate

After authenticating, Crypt initialized FileVault 2 encryption on my Mac and automatically restarted it.

On restart, my rtrouton account was enabled and showed up at the FileVault 2 pre-boot login screen

I logged in at the pre-boot login screen with my account credentials and the boot process continued.

Once my desktop came up, I checked the FileVault preference pane and saw that encryption was proceeding normally.

Getting my recovery key

Since encryption is only half of what I want to accomplish here, I went next to my Crypt website to get my Mac’s recovery key.

After authenticating with the cryptuser account’s username and password, I was given access to a listing for my encrypted Mac with the recovery key displayed.

Wrap up

Overall, I’m happy with what I’m seeing so far with Crypt. It’s not ready for production as it stands, but it works as advertised and I was able to get it running by following the directions on the wiki. As a work in progress, the project itself shows a lot of promise.

One of the new features that appeared with Macs that shipped with Lion and Mountain Lion was Apple’s Internet Recovery. If you encounter a situation in which you cannot start from the Mac’s Recovery HD partition, such as where the internal hard drive has failed or when you’ve installed a new disk without an OS on it, Mac models that were released after July 2011 can use Internet Recovery. Internet Recovery lets you start your Mac directly from Apple’s servers using a NetBoot-like process and gives you the same functionality that Recovery HD does.

Because Internet Recovery has the same capabilities as your Mac’s Recovery HD partition, it can be used to unlock or decrypt a FileVault 2-encrypted Mac. This is potentially valuable in case of emergency, as it means that you can do recovery of a FileVault-encrypted drive even in a situation where the Mac’s Recovery HD partition has been damaged or corrupted in some way.

To boot to Internet Recovery, start up your Mac and hold down Command-Option-R on your keyboard.

You should see a gray screen with an animated globe appear. It should say something like “Starting Internet Recovery. This may take a while.” Depending on your connection speed, it may also switch to a countdown clock to show you how long until it’s fully booted.

Once booted to Internet Recovery, you should see the Recovery interface.

From there, you use the methods described in the links below to unlock or decrypt your FileVault 2 encrypted Mac:

Using Disk Utility to unlock or decrypt your FileVault 2-encrypted boot drive  

Unlock or decrypt your FileVault 2-encrypted boot drive from the command line

As part of server and storage changes, you may find that you’ve got obsolete bookmarks stored in Connect to Server‘s Favorite Servers: list. This is usually an inconvenience more than anything else, but I wanted to see if I could script a fix in the aftermath of a couple of shares moving from one server to another at work.

In my case, I wanted to update the Connect to Server server bookmarks for our local admin account. These bookmarks are stored in /Users/username/Library/Preferences/com.apple.sidebarlists.plist. I didn’t want to replace the existing com.apple.sidebarlists.plist file and I didn’t want to disturb any of the other settings in the file. I just wanted to change the values of a couple of keys in the plist without worrying about the order in which they were stored.

Thanks to the sed command, there is a way to do this. After some trial and error with the syntax, I found that this command did what I wanted:

/usr/bin/sed -i "" -e 's/smb:\/\/oldservername\/oldsharename/smb:\/\/newservername\/newsharename/g' /Users/username/Library/Preferences/com.apple.sidebarlists.plist

In order to be able to run sed on the file, I needed to convert it to XML first. Also, since the search and replace work is being done by the root account, I needed to fix the permissions on the file once sed had finished its work. To this, I’ve written the following script:

Update – January 16, 2013: I made some updates to the script to include OS and error checking.

#!/bin/sh

# Determine OS version
osvers=$(sw_vers -productVersion | awk -F. '{print $2}')

# Get current date
FILE_DATE=`date +%Y%m%d`


# If the Mac is running 10.5.8 or lower, the script should exit

if [[ ${osvers} -lt 6 ]]; then
   exit 0
fi

# If the Mac is running 10.6.0 or higher, the script should should run

if [[ ${osvers} -ge 6 ]]; then
   
   # Check for the /Users/username/Library/Preferences/com.apple.sidebarlists.plist file

   if [ -f /Users/username/Library/Preferences/com.apple.sidebarlists.plist ]; then
      
      # Back up the existing file

      /bin/cp /Users/username/Library/Preferences/com.apple.sidebarlists.plist /Users/username/Library/Preferences/com.apple.sidebarlists-$FILE_DATE.plist

      # Fix permissions on backup file

      /usr/sbin/chown username /Users/username/Library/Preferences/com.apple.sidebarlists-$FILE_DATE.plist
      
      # Convert plist to XML

      /usr/bin/plutil -convert xml1 /Users/username/Library/Preferences/com.apple.sidebarlists.plist

      # Search and replace in /Users/username/Library/Preferences/com.apple.sidebarlists.plist
      /usr/bin/sed -i "" -e 's/smb:\/\/oldservername\/oldsharename/smb:\/\/newservername\/newsharename/g' /Users/username/Library/Preferences/com.apple.sidebarlists.plist

      # Fix permissions on file
      
      /usr/sbin/chown username /Users/username/Library/Preferences/com.apple.sidebarlists.plist

   fi
fi

exit 0

As written, the script does a find and replace on /Users/username/Library/Preferences/com.apple.sidebarlists.plist as follows:

Find: smb://oldserver/oldsharename

Replace with: smb://newserver/newsharename

I’ve tested on Mac OS X 10.6.8, 10.7.5 and 10.8.2 and the scripted search and replace works on all three OSs. You will need to log out and log back in to see the changes.

For those interested, the script is available here on my GitHub repo:
https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/updating_connect_to_server_favorites

A few months back, I saw that I was running out of space on my home theater Mac Mini. This was a 2007 Mac Mini with 2 GBs of RAM running 10.6.8, with a 1 TB drive that held media content and 2 TB backup drive connected via FireWire 400. I also noticed that it was struggling to play the latest HD movies from the iTunes Store.

This Mini also acted as my Tivo2Go server and DVD player, so I couldn’t just replace the Mini with an Apple TV and call it a day. So I pitched to my wife the idea of replacing the 2007 Mac Mini with a newer Mini and upgrading the storage with a 2 TB drive to hold media content and 4 TB backup drive connected via FireWire 800. To help future-proof it against future storage needs, I also wanted to get a Mini with Thunderbolt capability.

“Fine, but it needs to be able to run Front Row.”

That was a problem. The first Mini models to come with Thunderbolt were the 2011 Mac Minis. The 2011 Mac Minis were among the first Mac models that supported only 10.7.0 and higher. Front Row is noticeably absent in 10.7.0 and higher .

In short, I needed a 2011 Mac Mini to run Mac OS X 10.6.8.

After a bit of research and head-scratching, I was able to get both what I wanted and what my wife wanted. See below the jump for the details.

I did have one lucky break, in that the early 2011 MacBook Pros and the 2011 Mac Minis are almost identical hardware-wise. The early 2011 MacBook Pros ran 10.6.8 because they were released before 10.7.0′s release in July 2011, so (theoretically) the 2011 Mac Minis could as well.

When I researched the subject, I found a lot of people online trying to run 10.6.8 on 2011 Mac Minis with varying degrees of success. The most common issues were lower performance, video that displayed a very pinkish hue on the screen and Thunderbolt not working. However, I hit pay dirt when I came across this Apple discussion forum thread because someone in the thread named newfoundglory had not only figured out the necessary driver support; they had also been nice enough to package up the drivers into one installer package: the NFG Mac Mini 2011 installer

This installer package turned out to be the key. It installed the correct drivers to make Thunderbolt work, make the video work normally and installed the correct hardware profiles to allow the Mini’s hardware performance on Snow Leopard to be on-par with Lion.

With this driver package available, here’s how to install Mac OS X 10.6.8 on a 2011 Mac Mini.

1. Start the Mini in Target Disk Mode and attach it to a Mac that can itself run 10.6.8.

2. Erase the Mini’s boot drive.

3. Install Mac OS X 10.6.x onto the Mini’s boot drive via Target Disk Mode. (For this, I used the 10.6.7 install disks that came with my early 2011 MacBook Pro.)

4. Once the installation is finished, install the 10.6.8 v1.1 Combo Update onto the Mini’s boot drive via Target Disk Mode.

5. Once 10.6.8 is on the Mini’s boot drive, disconnect the Mini from the other Mac and boot the Mini from its own boot drive.

At this point, you’ll see the pink video output, Thunderbolt not work and everything else because the Mini doesn’t have the right 10.6.8 drivers for its hardware.

6. Install the NFG Mac Mini 2011 installer package and reboot.

This installer adds the needed driver support to the Mini, so you should see the pink video and other problems go away.

7. To be on the safe side, I reinstalled the 10.6.8 v1.1 Combo Update at this point and rebooted again. I’m not certain it was necessary, but it did not hurt.

8. Ran Software Update to get all available updates for 10.6.8.

Following Software Update’s final run of updates, I started working with the Mini and everything looked like it was working, including the all-important Front Row. Front Row was able to communicate with iTunes 11.x, so it looked like I was set until I attached an Apple USB SuperDrive and tried to play a movie DVD. No go; neither Front Row nor Apple’s DVD Player application recognized it as a valid DVD drive.

Why was this? After all, the 2011 Mini never came with an internal DVD player. This should have worked; except for the fact that the 2011 Mini was never supposed to run 10.6.8 either. All of the 2011 Macs that ran 10.6.8 were laptops that came with internal optical drives.

What fixed it was some additional driver modification. Using information found here on MacOSXHints, I edited /System/Library/Frameworks/DVDPlayback.framework/Versions/A/DVDPlayback with the 0xED hex editor. What I was doing was updating DVDPlayback‘s definition of an acceptable DVD player by finding the word Internal and replacing it with External, by searching for (hex) 496E7465726E616C and replacing with (hex) 45787465726E616C.

Once this part was complete, I restarted and put a movie into the DVD drive. Front Row accepted it and started playing the movie.

It’s now been a couple of days since getting all of this set up and so far, it’s been fairly trouble-free. Hopefully, this helps the next person who wants to get a similar setup going.

It appears Apple has blocked Safari on 10.7 and 10.8 Macs from running Oracle’s Java 7 in the wake of a zero-day exploit for Java:

New Year Java Zero-Day Attacks Under Way

Update – January 13, 2013: Oracle has released Java 7 Update 11 to address the vulnerabilities in Java 7 Update 10. Once Java 7 Update 11 has been installed, Safari will no longer block the Java plug-in.

You can download the latest Java installer for OS X from here: http://www.java.com/en/download/mac_download.jsp?locale=en

To verify this on your own machine:

1. Open Safari on a 10.7.x or 10.8.x Mac

2. Go to http://www.java.com/en/download/testjava.jsp to test your Java browser plug-in.

Instead of a report that Java is working, you’ll receive a Blocked Plug-In message.

I’ve verified that 10.5.x and 10.6.x Macs do not appear to be affected by this, as they are not running Java 7.

Oracle has not yet released an updated Java 7 installer, so there’s nothing currently available to fix this issue. The latest Java installer for OS X was released in November 2012 and contains the vulnerability.

The best workaround at this time is to use Firefox. I tested with Firefox 18 and Firefox is not blocking the Java plug-in at this time.

Update – January 12, 2013: Mozilla has announced that they are also now blocking the Java plug-in unless the user specifically authorizes it to run by clicking on the warning message for the plug-in.

Chrome will not work as an alternate browser, as Oracle’s Java 7 browser plug-in only works with 64-bit applications. Firefox and Safari are both 64-bit, but Google Chrome is a 32-bit application.

If the Java application you need to run does not require Java 7, you can also re-enable the Apple Java 6 browser plug-in. You can do this using the procedure in this post.

Update: The blocking was done by Apple’s built-in malware protection. For those interested, the list of acceptable browser plug-in versions is stored at /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

As of 12:26 PM on Friday, January 11th, XProtect.meta.plist on my 10.7.5 workstation had the following contents

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>LastModification</key>
	<string>Thu, 10 Jan 2013 22:48:02 GMT</string>
	<key>PlugInBlacklist</key>
	<dict>
		<key>10</key>
		<dict>
			<key>com.macromedia.Flash Player.plugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>11.3.300.271</string>
			</dict>
			<key>com.oracle.java.JavaAppletPlugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>1.7.10.19</string>
			</dict>
		</dict>
	</dict>
	<key>Version</key>
	<integer>1037</integer>
</dict>
</plist>

The plugin version installed by the current Oracle Java 7 Update 10 installer is 1.7.10.18. The plug-in blacklist is specifying that 1.7.10.19 or higher is required, so 1.7.10.18 is being blocked automatically.

On occasion, I need to run a single remote command on a single system, but don’t have a tool handy (like Apple Remote Desktop’s Send Unix function) to do it. If the machine in question has SSH enabled though, there’s a simple way to do this.

1. Open Terminal

2. Run the following command:

ssh username@server.domain.com "your command here"

For example, if you wanted to use tail to display the latest entries to /var/log/system.log, you would run the following command:

ssh username@server.domain.com "tail -f /var/log/system.log"

You’ll be prompted for a password, which will be used by SSH to log into the remote system. If the password is accepted, tail should start displaying the latest entries to /var/log/system.log as they’re written. To stop, you would hit Control-C as usual. That will stop the command’s execution and close the SSH connection automatically.

When running commands that require elevated privileges, you’ll need to add the -t flag to your SSH command. -t tells SSH to force pseudo-tty allocation, which in turn provides a way to feed your account’s password to the remote server and run the command via sudo.

For example, if you wanted to restart opendirectoryd on a remote Mac running 10.8.x, you would run the following command:

ssh -t username@server.domain.com "sudo killall opendirectoryd"

You’ll be prompted for a password, which will be used by SSH to log into the remote system. You’ll then be prompted again for a password, which will be used by sudo to authenticate that your account is authorized to run the command with sudo. Once the command is run and completes successfully, the SSH connection closes automatically.

One thing I’ve wanted to do for a while is virtualizing my home server setup, as well as making it easier to stand up (and take down) test servers as needed.

I’ve been doing a lot of work with VMWare Fusion on my Mac and could have gone that way, but I wanted to do the virtualization with VMWare’s free ESXi software. I hadn’t previously set up a dedicated hypervisor, so I wanted to learn how to do that.

I have a 2011 Mac Mini Server, which is fortunate because setting up ESXi on that Mini model has been well-documented in a number of places. The latest available version as of this date is ESXi 5.1, so I decided to install that. After some work, I now have ESX 5.1 running on my Mini Server. See below the jump for the details.

One thing to keep in mind is that ESXi is not officially supported on the Mac Mini. It works, but getting it running will take some work. Specifically, you will need to add the following ethernet driver to the ESXi install ISO file:

VMware ESXi 5.0 Driver CD for Broadcom NetXtreme I Gigabit Ethernet including support for 5717/5718/5719/5720

The way I found out that this driver is needed is that I first tried installing the stock ESXi 5.1 install without slipstreaming the driver into the installer ISO. What happened? Everything installed fine, but networking didn’t work.

Building the ESXi installer

For the second round, I started up a Windows 7 VM and downloaded a copy of ESXi-Customizer  as well as a copy of the following files from VMWare’s site:

VMware-VMvisor-Installer-5.1.0-799733.x86_64.iso

VMware ESXi 5.0 Driver CD for Broadcom NetXtreme I Gigabit Ethernet including support for 5717/5718/5719/5720

Once I had the VMWare installer files downloaded, I then used ESXi-Customizer to slipstream using the following procedure:

1. Launched ESXi-Customizer by double-clicking on the ESXi-Customizer batch file script.

2. In the Select the original VMWare ESXi ISO: section, selected VMware-VMvisor-Installer-5.1.0-799733.x86_64.iso

3. In the Select an OEM.tgz, a VIB file or an Offline Bundle: section, selected tg3-3.123cv50.1-offline_bundle-841079.zip (corresponds to the Broadcom ethernet driver.)

4. In the Select the working directory (needs to be on a local NTFS-formatted drive): section, selected the Documents directory of my account.

5. Checked off the Create (U)EFI-bootable ISO (ESXi 5.0 only) checkbox, in order to enable the new ISO to boot the Mini.

6. Clicked the Run! button.

I received a warning that the (U)EFI-bootable ISO could not be further customized. That was fine, so I clicked the OK button.

ESXi-Customizer went to work and prompted me about replacing the ethernet driver. I wanted to do this, so I clicked the Yes button.

Once finished, the newly-created ISO was available in my account’s Documents directory as an ISO file named ESXi-5.x-Custom.iso.

My next action was to copy the ISO file from my Windows VM back into my Mac. From there, I used Disk Utility to burn the ISO file to a CD.

Installing ESXi 5.1 on the Mini

From there, I hooked up an Apple USB SuperDrive to the Mini, popped the newly-burned CD in and rebooted the Mini. When rebooting, I held down the Option key to allow the various boot drive options to appear, then selected the CD. The CD showed up with EFI Boot and Windows partitions, so I selected EFI Boot.

NOTE: All screenshots of this process are from ESXi running inside of VMWare Fusion, but the Mac Mini install process was identical.

Once booted from the CD, I was asked to select the ESXi 5.1 installer. Once selected, the ESXi installer boot process began.

1. When asked to begin the installation process, I hit the Enter key.

2. I hit F11 to accept the license agreement.

At this point, the installer took a few minutes to scan the machine.

3. Once scanning completed, I was asked to select the drive I wanted to install on. I selected the drive I wanted and hit the Enter key.

4. I selected US Default for the keyboard layout.

5. When prompted, I set a password for the root account. This is the user account that you’ll initially use to log into your ESXi server.

At this point, the installer took a few minutes to scan the machine again.

6. The installer then confirms that you want to install using the options you’ve selected. You’re also warned that the disk will be repartitioned.

NOTE: Repartitioning will wipe everything on the drive. If you have data you need to get off of this drive, hit the Escape key to back out at this point.

7. ESXi 5.1 will then install. When finished, the installer will request that you remove the installation disc and then reboot. Once you’ve removed it, hit the Enter key to reboot.

Booting ESXi 5.1 on the Mini and changing network settings

On reboot, the Mini should now boot from the newly-created ESXi boot drive. Once up at the server display screen, you should see that it’s picked up a dynamic IP from your DHCP server and has the hostname of localhost.

Here’s how to change to a static IP and a new hostname:

1. Click the F2 key.

2. Log in as the root account, using the password you set during the install process.

3. You should be now at the System Customization screen. Select Configure Management Network.

5. In the IP Configuration settings, Select Set static IP address and network configuration: and hit the space bar to make that option active.

5. Set the static IP, subnet mask and gateway address.

6. In the DNS Configuration settings, set the address(es) of your DNS server(s) and also set your desired hostname. In my case, I set a fully qualified DNS name.

7. In the Custom DNS Suffixes settings, you may need to set a DNS suffix. In my case, my domain was already filled in.

8. Once you’ve made all of your changes, hit the Escape key to exit back to the System Customization screen. You’ll be asked to confirm the changes you’ve made to your network settings and warned that there will be a brief network outage for the ESXi server and any VMs running on it. Hit the Y key to apply the new settings.

9. At the System Customization screen, you should now see your static IP and hostname displayed under Configure Management Network.

10. Hit the Escape key to exit to the server display screen. It should now be displaying your hostname and your static IP address.

Logging to your ESXi server

To log into your ESXi server, you will need to have access to a Windows VM or a Windows PC.

1. Install the vSphere client on the Windows box.

2. Launch the vSphere client and enter the following information:

IP Address / Name: IP or DNS address of your ESXi server

User name: root

Password: the password you set during the install process

3. You’ll be warned that an untrusted SSL certificate is installed. Click the Ignore button.

If everything worked right, at this point you should be in! You’ll be warned that you’re using a 60 day evaluation license.

If you have a VMWare account, you can log in to the VMWare website and download a free ESXi license to use with your Mini ESXi server.

Wrap-up

Overall, once I got all the pieces I needed, I found the installation and network configuration process to be fairly intuitive (which is not something you can say for all enterprise-grade software.)

There were two main issues I ran into. The first was the Broadcom network driver, which the stock ESX 5.1 install does not include. I was able to fix that by slipstreaming the driver into the ESXi installer.

The second problem was outside the ESXi server and was an issue I had with my 2012 Airport Express. Here’s the details on this issue:

I have my boxes in a couple of places. The first location is over by my TV, where the cable modem is. I have a TiVo, a home theater Mini and my main 802.11n dual-band wireless access point located there.

My office is in another room. The machines there are hooked into a gigabit switch and use an Airport Express connected to the switch to act as a wireless bridge back to the internet connection provided by the cable modem. After I set up two VMs on the ESXi server, there were now three IP addresses associated with the Mini. The Airport Express started only accepting two IP addresses from the ESXi Mini, and dropping the other.

I was able to identify the Airport Express as the problem because I could ping the third address from other machines located on that same switch. After trying to fix it a few ways, the ultimate fix was to get the Airport Express out of the loop. I did this by relocating the ESXi Mini to be stacked underneath the home theater Mini in the TV cabinet. Once the Airport Express was no longer providing the network connection, the ESXi server’s three IP addresses were all available.

When new software appears, Mac admins need test boxes that match their standard configuration in order to verify that the new software doesn’t adversely affect anything in their environment. In the past, this has usually meant that admins needed to either have an available test box, or go find one when they needed to test something.

The advent of good virtualization solutions meant it was easier to build test boxes without needing additional hardware, but getting the VM to match your standard could take some time and effort.

In VMWare Fusion 5.x, VMWare added NetBoot support for virtual machines running Mac OS X. This proved to be an enormous boon to Mac admins who used NetBoot to help set up their machines: They could now build VMs using the exact same processes that were used to build their user’s Macs. They could also leverage tools like createOSXinstallPkg to set up template VMs with either the latest available OS X installer from the Mac App Store or custom builds of OS X that ship with new hardware.

See below the jump for example of how you can leverage VMWare’s NetBoot support, createOSXinstallPkg and DeployStudio to set up a new Mac VM with a factory-fresh install of OS X Mountain Lion.

Pre-requisites:

DeployStudio rc135 or higher

createOSXinstallPkg-built Mountain Lion installer package

VMWare Fusion 5.0.2 or higher

DeployStudio NetBoot drive running 10.7.x or higher set as default NetBoot set

Before anything else, you’ll need to set up a DeployStudio workflow that will allow the createOSXinstallPkg-built 10.8 installer to be installed as a non-postponed installation. I have a post on how to do that here:

http://derflounder.wordpress.com/2012/07/25/installing-mac-os-x-10-8-x-on-an-erased-hard-drive-using-deploystudio-and-createosxinstallpkg/

Once you have that built, let’s set up a VM with a completely empty boot drive.

Configuring the VM

1. Launch VMWare Fusion 5.x

2. In VMWare Fusion, select New… under the File menu to set up a new VM

3. In the Create New Virtual Machine window, select Continue without disc

4. In the Installation Media window, select Create a custom virtual machine

5. In the Choose Operating System window, set OS as appropriate. In this example, I’m setting it as follows:

Operating System: Apple Mac OS X

Version: Mac OS X 10.8 64-bit

6. In the Finish window, select Customize Settings

7. Save the VM file in a convenient location.

8. In your VM settings, select Network Adapter.

9. In the Network Adapter settings, select Autodetect under Bridged Networking

Note: You may also want to adjust the VM’s available RAM in the Processors & Memory settings at this point, but that’s up to you.

The VM is now configured. It’s set up for OS X 10.8.x, but has a formatted and completely empty boot drive.

Booting to DeployStudio

1. To boot the VM from the DeployStudio boot set, start the VM and then do nothing.

If the DeployStudio boot set is set as the default boot set on the NetBoot server, the VM should boot to DeployStudio automatically after failing to boot from the VM’s hard drive or CD-ROM.

2. Once booted to DeployStudio, log in as you normally would.

3. Select the workflow with your 10.8 installer.

4. Run the workflow to install the 10.8 installer onto the VM’s empty boot drive.

5. When the workflow is finished, hit the Quit button.

The VM will restart from its hard drive and automatically install 10.8 on the VM’s boot drive. Once finished, you’ll have a factory-fresh install of 10.8.x on your VM.

VM Customization

The example described above will set up a VM with only OS X 10.8.x installed, but you can customize further. Depending on your process, you could reboot back to DeployStudio and run additional workflows on the VM.

Another approach would be to modify the createOSXinstallPkg-built 10.8 installer to add additional packages. This would allow you to add a systems management agent like Casper, Munki, Puppet or others to the 10.8 OS installer. Once the agent reported in, the systems management tool could have its agent install additional software and scripts to configure the VM.

If your workflow is built around laying down an image with DeployStudio, you can also use DeployStudio to install that image in your VM. In this case, you would be treating the VM like you would any other physical Mac.

I’ve made some updates to the daily server report scripts that I host on my GitHub repo, as I recently tested them on 10.7.x and 10.8.x Server. The existing 10.5.x – 10.6.x script runs fine as-is on 10.7.x Server, but I needed to make a few changes for 10.8.x Server.

I updated the following parts to support 10.8 Server:

PATH

Added /Applications/Server.app/Contents/ServerRoot/usr/sbin to the PATH export, as serveradmin has moved to /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin

Changes to the UNSUCCESSFUL ATTEMPTS TO LOGIN VIA SSH section

In 10.8, /var/log/secure.log‘s functions have been moved to Apple System Log. The script is running syslog -k Time ge -24h | grep 'sshd' to check ASL for SSH activity in the last 24 hours. The SSH activity is exported to /private/tmp/ssh-status.txt, then ssh-status.txt is scraped for SSH errors.

You can access the scripts here on my GitHub repo:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/daily_server_report_script

After recently participating in a discussion about disabling the Sleep command in the Apple menu, I wanted to document how to do this. This may be most useful for Mac terminal services, which was the context where I learned how to do this.

1. Log in with an account that has admin privileges

2. Open Terminal and run the following command:

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.PowerManagement SystemPowerSettings -dict SleepDisabled -bool YES

3. You should see that the Sleep command is now grayed-out in the Apple menu.

To revert back, you’ll need to do the following:

1. Log in with an account that has admin privileges

2. Open Terminal and run the following command:

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.PowerManagement SystemPowerSettings -dict SleepDisabled -bool NO

3. Restart the Mac (this is necessary to apply the change.)

After the restart, you should see that the Sleep command is available again in the Apple menu.

I’ve updated the FileVault 2 status check scripts so that they’re now able to correctly handle unencrypted Fusion drives. The scripts should now report accurately on 10.8.x Macs that use Fusion drives, as well as other 10.7.x and 10.8.x Macs.

The changes are now available as part of my regular script. They have also been rolled into both the Casper Extension Attribute and the Absolute Manage Custom Info Item scripts. Use them in good health and please let me know if you find any problems with them.

As of January 31st, it appears that Apple has blocked both Java 6 and Java 7 Update 11 from running in Safari.

To verify this on your own machine:

1. Open Safari on a Mac running 10.6.x or higher.

2. Go to http://www.java.com/en/download/testjava.jsp to test your Java browser plug-in.

Instead of a report that Java is working, you’ll receive a Blocked Plug-In message.

The best workaround at this time is to use Firefox. I tested with Firefox 18 and Firefox is not blocking the Java plug-in at this time.

Current Status:

Java 6 on 10.6.x: Apple has not yet released a Java update for Java 6 on 10.6.x, so there’s nothing currently available to fix this issue.

Java 7 on 10.7.x and 10.8.x: Oracle has not yet released an updated Java 7 installer, so there’s nothing currently available to fix this issue.

The blocking was done by Apple’s built-in malware protection. For those interested, the list of acceptable browser plug-in versions is stored at /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

As of 7:07 AM on Thursday, January 31st, XProtect.meta.plist on my 10.8.2 laptop had the following contents:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>JavaWebComponentVersionMinimum</key>
	<string>1.6.0_37-b06-435</string>
	<key>LastModification</key>
	<string>Thu, 31 Jan 2013 04:41:14 GMT</string>
	<key>PlugInBlacklist</key>
	<dict>
		<key>10</key>
		<dict>
			<key>com.macromedia.Flash Player.plugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>11.3.300.271</string>
			</dict>
			<key>com.oracle.java.JavaAppletPlugin</key>
			<dict>
				<key>MinimumPlugInBundleVersion</key>
				<string>1.7.11.22</string>
			</dict>
		</dict>
	</dict>
	<key>Version</key>
	<integer>2028</integer>
</dict>
</plist>

Java 6 plug-in
The plugin version installed by Apple is 1.6.0_37-b06-434. The plug-in blacklist is specifying that 1.6.0_37-b06-435 or higher is required, so 1.6.0_37-b06-434 is being blocked automatically.

Java 7 plug-in
The plugin version installed by the current Oracle Java 7 Update 10 installer is 1.7.11.21. The plug-in blacklist is specifying that 1.7.11.22 or higher is required, so 1.7.11.21 is being blocked automatically.

For those who wanted a copy of my FileVault 2 talk at MacIT 2013, here are links to the slides in PDF and Keynote format.

PDF: http://tinyurl.com/MacIT2013PDF

Keynote slides: http://tinyurl.com/MacIT2013key

With the latest round of Java browser blockages and updates being released, I wanted a way to deploy Apple’s Java for Mac OS X 10.6 Update 12 to those 10.6.x Macs that needed it. However, I wanted to make sure that I wasn’t deploying to machines that already had it. I also didn’t want to do a general Apple software update, I just wanted to update Java.

Fortunately, Apple’s softwareupdate command-line tool gives me a way to do this. I’m able to use the softwareupdate tool to list all available updates, then grep the list to see if the Java update I want is included:

softwareupdate -l | grep "Java"

For Macs that haven’t had Java for Mac OS X 10.6 Update 12 installed, the update should be named and described as follows:

   * JavaForMacOSX10.6-12.0
	Java for Mac OS X 10.6 Update 12 (12.0), 70724K [recommended]

The name that softwareupdate uses for the update will appear as the first item listed. In this case, it’s JavaForMacOSX10.6-12.0. I can also use softwareupdate to specify and install that update:

softwareupdate --install JavaForMacOSX10.6-12.0

I then wrote the following script that uses softwareupdate to install Java for Mac OS X 10.6 Update 12. It does the following:

1. Verify that Java for Mac OS X 10.6 Update 12 is an available update for this Mac.

2. If Java for Mac OS X 10.6 Update 12 is an available update, the script logs that the update is being installed. Apple’s softwareupdate tool then installs that update silently in the background.

3. If Java for Mac OS X 10.6 Update 12 is not an available update, the script logs that information then exits silently.

#!/bin/sh

#
# Using the softwareupdate tool
# to detect if the Mac has
# Java for Mac OS X 10.6 Update 12
# as an available update.
#

JAVA_UPDATE_DETECT=$( softwareupdate -l | grep -o "JavaForMacOSX10.6-12.0" )

#
# If Java for Mac OS X 10.6 Update 12
# is an available update, script installs
# the update. If Java for Mac OS X 10.6 Update 12 is
# not an available update, script reports that and
# exits.
#

if [[ "${JAVA_UPDATE_DETECT}" = "JavaForMacOSX10.6-12.0" ]]; then
      logger "Installing Java for Mac OS X 10.6 Update 12"
      softwareupdate --install JavaForMacOSX10.6-12.0
   else
      logger "Java for Mac OS X 10.6 Update 12 not an available update. Exiting."
fi

exit 0

This script is available here on my GitHub repo:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/install_apple_java_updates

As more servers and services move off of physical servers and onto virtual servers, there’s been an issue that Mac admins have run into more than once:

“I’m trying to set up Open Directory in this VM, but the service won’t enable.”

Another related issue has to do with Profile Manager, where Profile Manager crashes when you try to set it up in a VM. The root cause is the same: Profile Manager needs to have Open Directory running and Open Directory won’t turn on.

The fix is simple – give your VM more than one processor. Once you give the VM multiple processors (two is fine), Open Directory should begin working. This will also fix the Profile Manager crashing issue, as Open Directory should now enable properly.

As far as I can tell, this is an issue no matter what virtualization solution is being used. It’s been reported on Parallels, VMWare Fusion and VMWare ESXi.

Once you have a VM built, you may want to edit it to emulate a specific Mac model. One reason for doing this would be to test model-specific updates from Apple’s Software Update.

To set your VM to report itself as a specific Mac model, you would need to add the hw.model flag to your VM’s .vmx configuration settings. See below the jump for how to do this.

Note: Always test first on a copy of your VM

1. Launch VMWare Fusion

2. Verify that the virtual machine you want to edit is completely shut down. (Do not edit a suspended VM.)

3. In VMware Fusion, go to the Window menu and select Virtual Machine Library.

4. Select the VM you want.

5. Hold down the Option key on your keyboard and right-click the virtual machine.

6. Select Open Config File in Editor. This will open up the VM’s .vmx configuration file for editing.

7. Locate the model identifier of the Mac you want to emulate.

Note: You can find this by opening System Profiler on the model you want to emulate, selecting Hardware and looking for Model Identifier on the right side of the window.

8. In the .vmx editing window, add the following line:

hw.model = "model_here"

9. Once your edits are finished, go up to the File menu and select Save to save your changes.

Here’s an example of how to set a VM to identify itself as a 2011 MacBook Pro.

1. Launch System Profiler on a 2011 MacBook Pro and check the model identifier. In this case, the model identifier is MacBookPro8,1

2. Launch VMWare Fusion

3. In VMware Fusion, go to the Window menu and select Virtual Machine Library.

4. Select the VM you want.

5. Hold the Option key on your keyboard and right-click the VM.

6. Select Open Config File in Editor. This will open up the VM’s .vmx configuration file for editing.

7. In the .vmx editing window, add the following line:

hw.model = "MacBookPro8,1"

8. Save changes.

When you launch the VM, it should now identify itself as a MacBook Pro in System Profiler.

Hat tip: Pepijn Bruienne and Tim Sutton for their assistance with this.

Want to file a bug report about an issue having to do with Java 7 for OS X? It can be tricky to find the right place to submit it, so here’s some guidance for filing it in the right place.

Update: I’ve been informed that it is necessary to install the current JRE of Java 7 from the Oracle JDK7 test site before Oracle will accept bug reports from you.

JDK7 is available from http://jdk7.java.net/, with the download site being http://jdk7.java.net/download.html.

The reason that Oracle does it this way is that they want customers to use Oracle Java SE Support. This is for-pay support and Oracle’s preferred way for non-developer customers to get support.

All that said, if the issue you’re running into also occurs on the JRE from the Oracle JDK site, file a bug using the procedure below.

For example, here’s how to file a bug report for the Java 7 installer for OS X.

1. Go to http://bugreport.sun.com/bugreport/

2. Scroll down to the Submit a Bug section

3. Check the box for Check this box to indicate that you understand this is not a place to receive support….

4. Click the Start a new Report button.

5. On the next page, go to the Start A Report: section

6. For an installer bug, select the following:

Type: Bug

Product/Category: Java Platform Standard Edition (JDK/JRE)

Subcategory: JDK/JRE installation (install)

Release: Java Platform Standard Edition 7

Operating System: Mac OS X 10.7 (Oracle VM)

7. When ready to proceed, click the Continue button.

8. On the next page, provide the information requested to file your bug report and click the Submit button when completed.

Good luck! Filing bug reports doesn’t guarantee that your problem will be fixed, but it raises the odds that it will be. Not filing it may mean that Oracle is completely unaware of the problem and thus will never fix it.