In working through various issues with JAMF, I’ve noticed that a variety of issues I’ve reported are themselves tied to JAMF’s internal bug-reporting system of defect numbers. At the moment, the only way I get any visibility into progress on those defect numbers is by asking my account manager. My current account manager is pretty responsive, but this seems like a job that can be offloaded from his list of responsibilities. I also don’t always want to open a support call when I notice a bug, sometimes I just want to report it.

Here’s what I would want from JAMF in a bug reporting solution:

• I want a way to report bugs that I’ve noticed.
• I want a way to be able to check for myself the status of the reported bug.
• I also want to know how many other people are reporting this issue. Not just because I’d like to know if I’m filing a duplicate issue, but stats like that may give me some insight into how soon my bug will get fixed.

For a bug report itself, I want:

1. The ability to upload screenshots and screen capture movies and be able to attach them to the bug report.
2. The ability to add additional information to the initial bug report.
3. Email notifications when my bug’s status has changed.
4. A way for the developer working on the bug to be able to reach out and get more details from me directly.
5. The ability to see both open and closed bug reports that I’ve submitted.
6. If I’ve filed a duplicate issue, read-only access to the original filed bug report.

I file bug reports with Apple, so I know the drill. I know not all bugs get fixed as fast as I want them to. Sometimes, they don’t get fixed at all. What I want is more information, and to be able to access that information myself.

As it happens, there’s an existing Feature Request for this already open at JAMF Nation. Please vote it up. Hopefully one day soon, I’ll see that status change from UNDER REVIEW to IMPLEMENTED.

I recently had a situation where I was asked to figure out a way to get a work-owned iCloud-locked phone’s activation lock removed. After doing some research, I was able to find a way to do this and was able to go from having an activation-locked iPhone to having a ready-for-activation iPhone.

If you have a work-owned iPhone that has been activation-locked with an Apple ID, it is possible to contact AppleCare and get the activation lock removed. The key is to be able to provide to Apple a clear chain of ownership of the iPhone by your company, school or institution, usually through providing an electronic copy of the invoice or other proof of purchase. If you can’t prove that your company, school or institution owns the specific iPhone in question, Apple will not unlock it.

Assuming that your work has purchased the activation-locked iPhone directly from Apple, or via a business account with one of the mobile carriers, you should be able to contact the vendor to get proof of purchase.

Here’s the procedure I used to get from an activation-locked iPhone to a ready-for-activation iPhone:

Note: Getting the lock lifted may take a few business days from the time that the request is submitted.

1. Get the IMEI of the iPhone. If possible, also get the serial number and phone number. See the link below for Apple’s KBase article on how to find this information:

http://support.apple.com/kb/HT4061

2. If needed, have one of your workplace’s authorized contacts work with the vendor who sold the iPhone to your company, school or institution and get an electronic copy of the proof of purchase.

The reason to get the proof of purchase is that it will be needed to establish that your company, school or institution purchased and has ownership of the iPhone.

3. Once you have the proof of purchase available to you, verify that it has the following information:

Invoice number

iPhone serial number (may be the same as the IMEI)

iPhone phone number

4. With the proof of purchase readily available for reference, call the relevant AppleCare line for your company, school or institution. See the link below for AppleCare’s contact numbers.

http://support.apple.com/kb/HE57

5. If asked about the device you need support for, say “iPhone“.

6. When connected to the support rep, explain that you have an iCloud-locked phone and that you would like to submit a request to have it unlocked.

7. Tell them that you have the IMEI for the iPhone in question and provide it when asked.

8. Apple may ask you for the invoice number, serial number and/or phone number of the iPhone to help them look it up on their end and verify ownership.

9. Once the Apple rep has provisionally established that your company, school or institution has ownership of the iPhone, they will send you an email with instructions on how to contact the group that handles unlocks of iCloud-locked phones.

10. Follow the instructions in the email and make sure to provide an electronic copy of the proof of purchase.

If all goes well, Apple should unlock the activation-locked work-owned iPhone within a few business days and notify the person who submitted the request to have the lock removed.

While working with a colleague to prepare a FileVault 2 rollout at his institution, he reported that in his testing, the decryption process did not appear to be working correctly when he was booted from the Recovery HD partition and using the command line diskutil-based decryption procedure that I had posted. In his testing, he was finding that the CoreStorage volume that the FileVault 2 encryption process created was not being removed when the diskutil corestorage revert command was run. The drive was being decrypted, but the CoreStorage volume was being left behind. This caused problems in his testing, because he found that rebooting afterwards led to the Mac booting to a prohibited sign.

This symbol at boot means the system has found a bootable installation of Mac OS X on the system, but there is something wrong with it.

After some additional testing, he discovered that he actually needed to run diskutil corestorage revert twice in succession. Running diskutil corestorage revert the first time would decrypt the drive. Running diskutil corestorage revert a second time following the first command would then remove the unencrypted CoreStorage volume. Once the CoreStorage volume was removed, the Mac would then be able to reboot normally to the regular boot drive.

The behavior seems to be tied to the following:

1. Booting from a Mavericks Recovery HD partition (all testing was done with a 10.9.4 Recovery HD partition.)

2. Decrypting either of the following methods:

A. Using Recovery HD‘s Disk Utility to decrypt the FileVault 2-encrypted boot drive. This decryption method is described here.

B. Running diskutil corestorage -revert from the Terminal. This decryption method is described here.

3. Letting the drive get to Conversion Progress: 100% while booted from the Recovery HD partition. Conversion Progress status can be displayed by running the diskutil corestorage list command in Terminal.

4. Rebooting back to the main boot drive once Conversion Progress: has reached 100%.

The end result is a locked CoreStorage volume that will not unlock or mount on boot, or when accessed from a Recovery HD partition or Apple’s Internet Recovery. This was the root cause for the prohibited symbol at boot that my colleague was receiving.

In my testing, I did find it was possible to decrypt the drive via Disk Utility or the command line when it was attached as an external drive (via Target Disk Mode or other means) to a Mac that was booted to a full version of OS X 10.9.x. Once decrypted, I verified that the CoreStorage volume was removed. Once I had verified that, I further verified that I could now boot normally from the previously non-bootable hard drive.

One drawback to decrypting while attached to a regular 10.9.x boot drive is that you are not able to use an Institutional Recovery Key (IRK). Using that kind of recovery key for unlocking or decryption only works when booted from a Recovery HD partition or Internet Recovery. Since that’s precisely where our problem exists, I investigated further to see if there were alternate workarounds for this problem. For more details and the workarounds I found, see below the jump.

In my testing, I identified two workarounds for this issue:

A. Reboot from the Recovery HD partition before the drive fully decrypts

It appears that the issue is specific to completely finishing decryption while booted from a Mavericks Recovery HD partition. However, if you start decryption on a drive, then reboot, decryption will continue after the reboot.

To take advantage of this behavior, I tested and verified that if you start decryption while booted from the Recovery HD partition, then reboot from the Recovery HD partition to a drive running a full version of OS X 10.9.x, decryption will complete normally. As part of the decryption process, the CoreStorage volume is properly removed and the drive is converted back to a normal HFS+ drive.

B. Decrypt using the command line and run diskutil corestorage revert twice

In my testing, I verified my colleague’s finding that running diskutil corestorage revert will decrypt the drive. Once Conversion Progress: has reached 100%, running a second diskutil corestorage revert command will result in the the CoreStorage volume being removed and converting the drive back to a normal HFS+ drive. On reboot, the formerly encrypted drive will boot normally.

When you run the first diskutil corestorage revert command, you should see output like this:

Started CoreStorage operation on disk14 Macintosh HD
Core Storage LV UUID: D28C59B2-3720-4A3F-BCB0-6731338CEE44
Core Storage disk: disk0s2
Finished CoreStorage operation on disk14 Mac HD
Decryption in progress; use `diskutil coreStorage list` for status

Once Conversion Progress: has reached 100% and you run the second diskutil corestorage revert command, you should see output like this:

Started CoreStorage operation on disk14 Macintosh HD
Switching partition from Core Storage type to original type
Reclaiming space formerly used by Core Storage metadata
Ejected Logical Volume
Removing Physical Volume
Destroying Logical Volume Group
Remounting former Physical Volume as normal disk
Core Storage LV UUID: D28C59B2-3720-4A3F-BCB0-6731338CEE44
Core Storage disk: disk0s2
Finished CoreStorage operation on disk14 Macintosh HD
Decryption in progress; use `diskutil coreStorage list` for status

See below for screenshots showing how this should look for the following commands:

diskutil corestorage revert UUID_here -stdinpassphrase

diskutil corestorage revert UUID_here -passphrase recoverykey_here

diskutil corestorage revert UUID_here -recoveryKeychain /path/to/FileVaultMaster.keychain

I’ve filed a bug report with Apple about this issue. If you want to duplicate it, the bug ID number is available below:

17985943

For those who want more details on the bug report, I’ve also posted the bug report information at OpenRadar:

http://openradar.appspot.com/radar?id=5885738759487488

As part of Apple’s FileVault 2 encryption, Apple has provided for the use of recovery keys. These keys are a backup method to unlock FileVault 2’s encryption in the event that the usual method of logging using a user’s account password is not available.

There are two main types of recovery keys available:

1. Personal recovery keys – These are recovery keys that are automatically generated at the time of encryption. These keys are generated as an alphanumeric string and are unique to the machine being encrypted. In the event that an encrypted Mac is decrypted and then re-encrypted, the existing personal recovery key would be invalidated and a new personal recovery key would be created as part of the encryption process.

2. Institutional recovery keys – These are pre-made recovery keys that can be installed on a system prior to encryption and most often used by a company, school or institution to have one common recovery key that can unlock their managed encrypted systems.

Institutional keys are not automatically created and will need to be properly generated before they can be used. For more information on institutional recovery keys, see below the jump.

To help understand why institutional recovery keys work the way they do, here’s some historical background on institutional recovery keys and how they came to be used in FileVault 2.

FileVault 1 and the FileVaultMaster.keychain file

The sole part of Apple’s FileVault 1 (also known as legacy FileVault) that was carried over into FileVault 2 was the ability to use the FileVaultMaster.keychain file (stored in /Library/Keychains) as an institutional recovery key.

In FileVault 1 deployments, you were asked to set a Master Password when turning on FileVault 1’s encryption. When you set the Master Password, the FileVault 1 encryption process set the password that was entered as the password on the /Library/Keychains/FileVaultMaster.keychain file. In turn, the FileVaultMaster.keychain file contained two keys used for PKI certificate-based authentication (one public key and one private key). When the public and private keys are both stored in one keychain, the keychain can be used to unlock your FileVault 1-encrypted home folder in the event that the password to open it was lost or forgotten. The Master Password only unlocked the keychain and allowed the system to access those two PKI keys. This is the reason why you needed to set the Master Password before encrypting and why it was also important to use the same FileVaultMaster.keychain file across the machines where you wanted to make sure that the same recovery key was being used.

If you were deploying the same recovery key for your FileVault-encrypted Macs, Apple consistently recommended that you go into the FileVaultMaster.keychain file, remove the PKI private key, put the private key somewhere secure and deploy the FileVaultMaster.keychain file with only the public key inside. The reason was that, in the event that the password to the FileVaultMaster.keychain file was compromised, all the compromiser got was one half of the keypair (the public key half.) The private key would not be on the machine and thus not available to compromise the FileVault 1-encrypted homes on the machine. However, FileVault 1 would work with both the public and private keys stored in /Library/Keychains/FileVaultMaster.keychain.

In FileVault 2, Apple changed removing the private key from being a suggested best practice to being a technical requirement. If you want to use an institutional recovery key, your FileVaultMaster.keychain file needs to have just the public key in it. If both public and private keys are stored in the /Library/Keychains/FileVaultMaster.keychain file on a Mac, FileVault 2 will ignore the keychain and not use it as an institutional recovery key. In this case, enabling FileVault 2 encryption will automatically generate a personal recovery key.

Creating an Institutional Recovery Key

If you want to use an institutional recovery key on FileVault 2 encrypted Macs, you will need to create and configure a FileVaultMaster keychain. Apple has provided a way to create this keychain by using the security command’s create-filevaultmaster-keychain function. To create a FileVaultMaster.keychain file, run the following command:

security create-filevaultmaster-keychain /path/to/FileVaultMaster.keychain

You’ll be prompted for a password for the keychain. When provided, the keychain will be created and will contain both the private and public keys needed for recovering a FileVault 2-encrypted drive that uses this institutional recovery key. Make copies of the keychain and store them in a safe place. Also make sure to securely store copies of the password you used to create the keychain.

If you want to create the FileVaultMaster keychain in its proper place, run the security command with root privileges and use /Library/Keychains for the destination path.

Once you’ve made your copies, make another copy and remove the private key from that copy of the keychain. Once the private key is removed, the FileVaultMaster.keychain file is ready to be used for encrypting Macs with FileVault 2 with the institutional recovery key.

It doesn’t appear that the security main page includes information about the create-filevaultmaster-keychain function, but you can see what it does by running the security help command in Terminal and checking at the bottom of the list that appears.

A way to modify /Library/Keychains/FileVaultMaster.keychain so that it only has the public key inside would be to do the following:

1. Create the FileVaultMaster.keychain file using the security command.

2. Next, make several copies of the FileVaultMaster.keychain file that you just created and store the copies separately in secure locations. A locked safe would be a good place, or in an encrypted disk image that is on an access-restricted file share.

3. Next, unlock the newly-created FileVaultMaster.keychain file by running the following command and entering the keychain’s password when prompted for the password:

security unlock-keychain /Library/Keychains/FileVaultMaster.keychain

Note: The FileVaultMaster keychain will need to be unlocked from the command-line as the keychain will not unlock in Keychain Access by clicking on the lock.

4. If it succeeds, you’ll get the next system prompt. If not, get another copy of the FileVaultMaster.keychain file and try again. A FileVaultMaster.keychain file with an unknown password should not be used because there is no way to use it for recovery purposes without first knowing the keychain’s current password.

5. Once you’ve unlocked the FileVaultMaster.keychain file, open the Keychain Access application from /Applications/Utilities/.

6. In Keychain Access, go to File: Add Keychain… and add /Library/Keychains/FileVaultMaster.keychain.

7. Assuming you previously unlocked the FileVaultMaster.keychain file using the security command, it should show up as unlocked in Keychain Access.

8. Go into the FileVaultMaster keychain and remove the private key. (It should be called FileVault Master Password Key and its kind should be listed as private key.)

9. Relock the FileVaultMaster keychain

10. Copy the modified FileVaultMaster.keychain file (now with only the public key inside) to the /Library/Keychains directory of the Macs you want to encrypt with FileVault 2. For ease of deployment, you can package the FileVaultMaster.keychain file into an installer package. That installer package can then be deployed ahead of encryption to multiple machines using the system management tools used in your environment.

When deployed to /Library/Keychains on the Macs you want to encrypt with FileVault 2, the FileVaultMaster.keychain file should have the following permissions set:

Owner: root

Permissions: read and write

Group: wheel

Permissions: read only

Everyone

Permissions: read-only

Once the institutional recovery key is deployed to a unencrypted machine, enabling FileVault 2 via System Preferences should produce a message stating that “A recovery key has been set by your company, school or institution” instead of displaying the personal recovery key.

Using FileVaultMaster.keychain to recover your data

At this time, it’s not possible to unlock the encryption at the pre-boot login screen using a recovery key that’s been set with FileVaultMaster.keychain. Here’s an example of how to recover data from a system with an institutional recovery key that has both the private and public keys inside.

In this case, we’re assuming that the machine isn’t booting and you don’t know the password of a user authorized to unlock the encryption:

1. Boot the encrypted Mac from a Recovery HD partition or from Apple’s Internet Recovery.

2. Open Terminal.

3. Run the following command to get the Logical Volume UUID of the Mac’s encrypted partition:

diskutil corestorage list

4. With the UUID information acquired, run the following command to unlock the FileVaultMaster keychain:

security unlock-keychain /path/to/FileVaultMaster.keychain

5. Enter the keychain’s password when prompted to unlock the keychain.

6. Run the following command to unlock the encrypted Core Storage volume on the encrypted Mac, substituting the appropriate Logical Volume UUID for UUID_here:

diskutil corestorage unlockVolume UUID_here -recoveryKeychain /path/to/FileVaultMaster.keychain

7. You should then see output similar to the following.

Started CoreStorage operation
Logical Volume successfully unlocked
Logical Volume successfully attached as disk4
Logical Volume successfully mounted as /Volumes/Macintosh HD
Core Storage disk: disk4

If you open the Disk Utility application after this point, you should see the encrypted Mac’s hard drive as being mounted. At this point, with the disk unlocked and mounted, you should be able to recover your data using whatever tools you prefer.

Once you’ve unlocked the disk, you can also then decrypt the encrypted volume by using the FileVaultMaster.keychain file to authorize it.

To decrypt, run the following command on the encrypted Mac, substituting the appropriate Logical Volume UUID for UUID_here:

diskutil corestorage revert UUID_here –recoveryKeychain /path/to/FileVaultMaster.keychain

Note: A FileVault 2-encrypted drive must be unlocked before it can be decrypted.

When decrypting while booted from the Recovery HD partition on 10.9.x, there is a decryption-related bug to be aware of. See this post for more details.

Institutional recovery keys and fdesetup

fdesetup is a multifunctional tool for enabling and managing FileVault 2 in Mavericks. When used with an institutional recovery key, fdesetup can perform the following functions:

• Enable FileVault 2 encryption
• Support multiple recovery keys for FileVault 2, giving Mac admins more options for handling recovery situations.
• Rotate or remove both personal and institutional recovery keys on an as-needed basis.

Enabling FileVault 2 encryption with fdesetup using an institutional recovery key

In OS X 10.9.x, you are able to use the institutional recovery key with the fdesetup command line tool for managing FileVault 2 encryption to perform various actions. Among its various functions, fdesetup provides the ability to encrypt using the alphanumeric personal recovery key, an institutional recovery key using /Library/Keychains/FileVaultMaster.keychain, or both kinds of recovery key at the same time.

fdesetup will provide the alphanumeric personal recovery key by default. To use the institutional recovery key, the -keychain flag needs to be used when enabling encryption:

sudo fdesetup enable –keychain

The alphanumeric personal recovery key is displayed, but the encryption will also use the /Library/Keychains/FileVaultMaster.keychain file as an institutional recovery key. In case recovery is needed, either recovery key will work to unlock or decrypt the encrypted drive.

If you want to specify that only the FileVaultMaster.keychain institutional recovery key be used, both the -keychain and -norecoverykey flags need to be used when enabling encryption:

sudo fdesetup enable -keychain –norecoverykey

fdesetup is also capable of creating an institutional recovery key, using the -certificate flag to import an existing FileVault 2 public key. Once imported, fdesetup will automatically create a FileVaultMaster.keychain file to store the public key and save the keychain to /Library/Keychains.

The public key will need to be available as a DER encoded .cer certificate file. This certificate file can be created using the following procedure:

1. Access the FileVaultMaster keychain via the Keychain Access application.

2. Select the public key in the FileVaultMaster keychain.

3. In Keychain Access, select the File menu.

4. Under the File menu, select Export Items…

5. Set the File Format: export option to be Certificate (.cer)

6. Name and save the .cer file to a convenient location.

Once the certificate is available, the following command can be run to enable FileVault 2, automatically create the institutional recovery key with the supplied public key and store it as /Library/Keychains/FileVaultMaster.keychain:

sudo fdesetup enable -certificate /path/to/filename.cer

To specify that only the FileVaultMaster.keychain institutional recovery key be used, add the -norecoverykey flag to the command:

sudo fdesetup enable -certificate /path/to/filename.cer -norecoverykey

It is also possible to include the public key data in a plist file, which allows the use of a plist to set up the institutional recovery key. The plist needs to follow the format below:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>username</string>
<key>Password</key>
<string>password</string>
<key>AdditionalUsers</key>
<array>
 <dict>
  <key>Username</key>
  <string>username</string>
  <key>Password</key>
  <string>password</string>
 </dict>
 <dict>
  <key>Username</key>
  <string>username</string>
  <key>Password</key>
  <string>password</string>
 </dict>
</array>
<key>Certificate</key>
<data>
(Certificate data goes here…)
</data>
</dict>
</plist>

Using a DER encoded certificate file that contains the public key, the public key data for the plist can be obtained using the base64 tool by using the following command:

base64 /path/to/filename.cer > /path/to/filename.txt

At this point, you would copy the data string contained in the text file and place it into the Certificate <data></data> value area of the plist file. You would store either the password of an existing FileVault 2-enabled user or (if available) an existing personal recovery key in the Password key in the plist.

Managing institutional recovery keys with fdesetup

fdesetup in Mavericks adds the new ability to change, add and remove institutional recovery keys. This gives Mac admins much greater ability to manage recovery keys, including the capability to quickly update or remove compromised institutional recovery keys in the event of a data breach or other problem.

You can add or change recovery keys using fdesetup changerecovery. To change to a new institutional recovery key, you will need to have the new public key available. If you have a new institutional public key available as a DER encoded certificate file, you can run the following command to replace the current institutional key:

sudo fdesetup changerecovery -institutional -certificate /path/to/filename.cer

If an institutional keychain is being used on this Mac, you will see a message that an existing FileVault Master keychain was found and moved. The reason for this is that, as part of this process, the current institutional key’s /Library/Keychains/FileVaultMaster.keychain file is replaced with a new /Library/Keychains/FileVaultMaster.keychain file that includes the new institutional recovery key’s public key.

While the former institutional key’s /Library/Keychains/FileVaultMaster.keychain was moved and not deleted, the former institutional recovery key will no longer work.

For those who want to automate the process, fdesetup also supports importing a properly formatted plist via a standard input stream (stdin). The plist needs to follow the format below:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Password</key>
<string>password</string>
<key>Certificate</key>
<data>
(Certificate data goes here…)
</data>
</dict>
</plist>

You can also use the current institutional recovery key to authenticate the change to the new institutional key. If you have a keychain file available containing the private key of the current institutional key, you can run the following command to replace the current institutional key:

sudo fdesetup changerecovery -institutional -keychain -certificate /path/to/filename.cer -key /path/to/filename.keychain

You’ll be prompted for the keychain’s password. Once entered, the current institutional key will be replaced with the new one.

In the event that the Mac in question does not have an institutional recovery key, running the commands above (with the exception of using the current institutional key for authentication) will add an institutional recovery key instead of changing an existing one.

Removing institutional recovery keys

You can remove recovery keys using fdesetup removerecovery. To remove institutional recovery keys, run the following command:

sudo fdesetup removerecovery -institutional

You’ll be prompted for the password of an existing FileVault 2-enabled user. Once entered, the institutional recovery key will be removed from the system and will no longer work.

The removal of the institutional key can also be automated using a properly formatted plist via a standard input stream (stdin). The plist is the same as the one used for removing the personal key.

Once the plist has been set up and properly formatted, run the following command to remove the institutional recovery key and reference the password or recovery key in the plist file:

sudo fdesetup removerecovery -institutional -inputplist < /path/to/filename.plist

You can also use the recovery key associated with an institutional key to authenticate the removal of that institutional key. Once authenticated, the institutional key is removed from the system and will no longer work.

If you have a keychain file containing the private key for the current institutional key available, you can run the following command to remove the current institutional key:

sudo fdesetup removerecovery -institutional -key /path/to/filename.keychain

It is possible to use fdesetup removerecovery to remove one or both recovery keys on a particular Mac. Once the recovery keys are removed, the only way to unlock the FileVault 2 encryption is by using the password of an enabled account. That said, you can use fdesetup changerecovery to add one or both types of recovery keys back to the encrypted Mac.

Referencing an institutional recovery key in a fdesetup plist file

As part of the man page for fdesetup in OS X 10.9.x, Apple provides a sample plist file as a guide for those who want to import authentication credentials as part of running commands with fdesetup. As part of the plist, there are two plist keys that reference using a keychain that contains the private key for an institutional recovery key:

KeychainPath

KeychainPassword

For KeychainPath, you will need to provide the file path to the keychain as the plist value. For KeychainPassword, you will need to provide the password that unlocks that keychain.

For example, if you put the keychain into the /tmp directory, you would reference /tmp/filename.keychain as the KeychainPath plist value. If the password for unlocking that keychain is seKritPassword, you would reference seKritPassword as the KeychainPassword plist value. In my testing, it appears that you can leverage the KeychainPath and KeychainPassword plist keys with the following fdesetup commands.

fdesetup changerecovery

fdesetup removerecovery

If using the current institutional key to authenticate, the plist needs to follow the format shown below:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>KeychainPath</key>
<string>/path/to/filename.keychain</string>
<key>KeychainPassword</key>
<string>password</string>
</dict>
</plist>

If you are using the current institutional key to authenticate a change to a new institutional recovery key, you can also embed the public key of the new institutional recovery key in the plist. In that case, the plist needs to follow the format shown below:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>KeychainPath</key>
<string>/path/to/filename.keychain</string>
<key>KeychainPassword</key>
<string>password</string>
<key>Certificate</key>
<data>
(Certificate data goes here.)
</data>
</dict>
</plist>

Recovery key reporting

To go along with the ability to manage recovery keys, fdesetup enables Mac admins to detect which types of recovery keys are in use on a particular Mac. To check if an institutional recovery key is in use, run the following command:

sudo fdesetup hasinstitutionalrecoverykey

If FileVault 2 is using an institutional recovery key, this command will return true. Otherwise it will return false.

Security considerations

Institutional recovery keys have a weakness from the cryptographic point of view, which is that the concept inherently uses one private and public key pair to unlock the encryption of more than one encrypted volume. A malicious party who compromises the private key of an institutional recovery key means that all Macs encrypted using that institutional recovery key are vulnerable. In order to maintain their encryption protection, those Macs must have their institutional key changed to a new one.

That said, Apple has taken the following steps in FileVault 2 as of OS X 10.9.x to mitigate the possible vulnerability of a compromised private key:

1. Making it a technical requirement that the FileVaultMaster.keychain file only contain the public key when deployed to Macs that will be using the institutional recovery key for FileVault 2 encryption.

The public key is not sensitive information and was designed as such. You can post the contents of a public key to a public billboard without compromising the security of the encrypted volume.

2. Providing a way to replace a compromised recovery key.

Before OS X 10.9.x, you would need to decrypt an encrypted Mac before being able to change an existing institutional recovery key. In 10.9.x, fdesetup can be leveraged to assist in this situation in the following ways:

• Changing the compromised institutional key to a new one with fdesetup‘s changerecovery function
• End the use of an institutional key with fdesetup‘s removerecovery function

Conclusion

Every shop must consider its own security requirements and make its own judgments based on that. If you are thinking of using an institutional recovery key for your FileVault 2 deployment, hopefully the information provided here provides you with the needed knowledge to get you started.

Something I’ve wanted to do for a while was to write a script to download and install the latest Java 7 update from Oracle. I’ve been using AutoPkg to download the latest Java 7 updates using AutoPkg’s OracleJava7 recipes, but I wanted to develop a script that would do the following:

1. Download the latest Java 7 installer from Oracle’s website
2. Install the latest Java 7 update
3. Clean up after itself

Oracle didn’t make this an easy task, as the download URL seems to change on a per-update version. AutoPkg handles its update task by scraping Oracle’s manual download page for the current correct URL to use.

Oracle does provide a Sparkle-based update mechanism for Java 7 on OS X, so I wanted to see if there was a way to leverage that to pull down updates. The only address I could find in that regard was the SUFeedURL value included in Java 7’s /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info.plist file. I checked that value using the following command:

defaults read "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info" SUFeedURL

The output I received for Java 7 Update 67 was the following:

https://javadl-esd-secure.oracle.com/update/mac/au-1.7.0_67.xml

I decided to see what output would come back from Oracle’s site when accessed, so I used the following curl command to see what was returned:

/usr/bin/curl --silent https://javadl-esd-secure.oracle.com/update/mac/au-1.7.0_67.xml 

The following XML was returned and I was gratified to see that it contained a download link to a Java 7 Update 67 disk image.

One of the important things I was able to establish is that the XML address embedded with Java 7 Update 67 is not special in this regard. As part of my testing, I verified that using the SUFeedURL value for Java 7 Update 15 and 65 will also work to pull the address of the latest Oracle Java 7 installer disk image.

Using this information, I was able to build a script that can download and install the latest Java 7 update. See below the jump for details.

The script below will download a disk image containing the latest version of Java 7 from Oracle and install Java 7 using the installer package stored inside the downloaded disk image.

How the script works:

1. Uses curl to download a disk image containing the latest Java 7 installer from Oracle’s web site.
2. Renames the downloaded disk image to java_seven.dmg and stores it in /tmp.
3. Mounts the disk image silently in /tmp. The mounted disk image will not be visible to any logged-in user.
4. Installs the latest version of Java 7 using the installer package stored on the disk image.
5. After installation, unmounts the disk image and removes it from the Mac in question.

I’ve posted the script to my GitHub repo at the following address:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/install_latest_oracle_java_7

This script is also available as a payload-free installer package, stored as a .zip file in the payload_free_installer directory.

To go along with my earlier post about automating Oracle Java 7 updates, I’ve also posted a script to download and install the latest Java 8 update from Oracle. The method is identical, with the exception of referring to Java 8’s SUFeedURL value in Java 8’s /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info.plist file.

For more information, see below the jump.

The script below will download a disk image containing the latest version of Java 8 from Oracle and install Java 8 using the installer package stored inside the downloaded disk image.

How the script works:

1. Uses curl to download a disk image containing the latest Java 8 installer from Oracle’s web site.
2. Renames the downloaded disk image to java_eight.dmg and stores it in /tmp.
3. Mounts the disk image silently in /tmp. The mounted disk image will not be visible to any logged-in user.
4. Installs the latest Java 8 using the installer package stored on the disk image.
5. After installation, unmounts the disk image and removes it from the Mac in question.

I’ve posted the script to my GitHub repo at the following address:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/install_latest_oracle_java_8

This script is also available as a payload-free installer package, stored as a .zip file in the payload_free_installer directory.

Over the weekend, Rasmus Sten posted to Twitter about an interesting uninstall command line utility that he had found while testing 10.10.

On investigation, it became apparent that this uninstall utility was not new and was available starting in 10.7.x and later. It also appears to be undocumented and has neither a man page or help pages available.

To use the uninstall tool:

1. Log into the Mac in question

2. Verify that your application was installed by the App Store

3. Open Terminal

4. Run the following command with root privileges:

uninstall file:///Applications/Application_Name_Here.app

5. You will be prompted to authenticate with an administrator’s username and password

6. The application should then be uninstalled.

After working with this tool, it does have some limitations. For more details, see below the jump.

It appears that the uninstall tool can only be used to uninstall applications that were installed by the App Store and only when logged in. When I tried to uninstall an App Store-installed application while the Mac was logged out, I received this message.

My working assumption is that the authentication dialog window is a necessary part of the process. Even when run with root privileges, the separate authentication is needed or the uninstall daemon cannot be contacted.

I also tried to uninstall an application that had not been installed via the App Store. In that case, the application was not uninstalled. Instead, I received the following message:

I was able to uninstall an App Store-installed application while logged in as a different user account than the account who installed the applications from the App Store. In my testing of this, I had also not signed into the App Store while logged into the different user account.

Even though I was logged in as a different user and hadn’t signed into the App Store, I was still able to uninstall App Store-install applications.

Based on this testing, it appears that the uninstall tool has the following requirements:

1. The uninstall tool must be run from a account that is logged in at the console.
2. The uninstall tool must be able to display the authentication dialog window.
3. The application being uninstalled must have originally been installed by the App Store.
4. The account running the uninstall tool must have both administrative rights and sudo privileges, in order to run the command with root privileges and properly authenticate at the authentication dialog window.

Since the uninstall tool itself appears to be undocumented, that’s all the information I currently know about it.

Have any more information? Please let me know in the comments.

To go along with my use of AutoPkg, I’ve started relying on AutoPkgr to automate running AutoPkg and notifying me when I had new updates. While I was checking over my current list of AutoPkg receipes today, I went to look for a recipe for AutoPkgr. To my surprise, no such recipe appeared to exist.

Thanks in large part to Tim Sutton‘s GitHubReleasesInfoProvider for AutoPkg, I’ve now been able to post download and package recipes for AutoPkgr. The recipes and support files are available from here on my GitHub repo:

https://github.com/rtrouton/AutoPkg

Following up on a pull request by Matthew Kweskin, I’ve updated First Boot Package Install so that it now reports whether an installation has succeeded or failed. This error reporting is in addition to the error logging recorded by OS X’s installer tool to /var/log/install.log.

For those interested, here are the changes to First Boot Package Install‘s firstbootpackageinstall.sh script.

I’ve updated the First Boot Package Install GitHub repo with the new First Boot Package Install installer package, along with updating the posted firstbootpackageinstall.sh script and the Iceberg project files with the changes.

While working recently on First Boot Package Install.pkg, I decided to implement a way to automatically install all available Apple software updates along with enabling other packages to be installed at first boot. After some work and testing, I’m happy to announce the release of First Boot Package Install With Automated Apple Software Update.pkg.

The main difference between First Boot Package Install.pkg and First Boot Package Install With Automated Apple Software Update.pkg is that before installing the user-selected packages, all available Apple software updates are downloaded and installed. By design, the First Boot Package Install With Automated Apple Software Update.pkg script will use Apple’s softwareupdate tool to check for and install available updates, then reboot the Mac automatically until all available updates have been installed.

As not all shops that may want to use First Boot Package Install.pkg will find this functionality to be needed or desirable, I’ve set up a new repo on Github for First Boot Package Install With Automated Apple Software Update.pkg. That way, Mac admins will be able to choose which one they want to use.

All First Boot Package Install With Automated Apple Software Update.pkg components and scripts are available at my GitHub repo:

https://github.com/rtrouton/First-Boot-Package-Install-With-Automated-Apple-Software-Update

Please see the README available at the repo for how to use First Boot Package Install With Automated Apple Software Update.pkg. The Iceberg project files are also available via the link above if you want to build a customized First Boot Package Install With Automated Apple Software Update.pkg for your own environment.

For the past few major releases, Sophos used a standard installer package to install both their free and paid antivirus solution. With the release of Sophos Anti-Virus 9.x though, Sophos changed how their antivirus solution for Macs was installed. Sophos has now switched to using an application to install their antivirus. However, for their customers using Sophos Enterprise Console, Sophos still provides an installer metapackage. This is good news for Mac admins, but the configuration and login credentials that used to be stored in /Library/Preferences/com.sophos.sau.plist in Sophos 8.x has been overhauled in Sophos 9.x. /Library/Preferences/com.sophos.sau.plist in Sophos 9.x now no longer contains login information, only server locations.

The login credentials no longer being available in /Library/Preferences/com.sophos.sau.plist meant that the Sophos Anti-Virus client was not able to connect back to the Sophos enterprise console and receive either management or updates. Since those login credentials were working in my shop for machines in Active Directory OUs that the Sophos enterprise console was managing, that meant that those credentials were available somewhere on the system. After working on the problem in his own shop, Tim Kimpton figured out that both of the following files were needed:

/Library/Preferences/com.sophos.sau.plist

/Library/Sophos Anti-Virus/Sophos.keychain

Once I had this information and understood what was going on, I was able to build and deploy a Sophos Enterprise Anti-Virus for Mac OS X 9.x installer that was able to install a pre-configured set of auto-update settings. For more details, see below the jump.

Prerequisites

Packages

A copy of the Sophos Anti-Virus.mpkg installer package from your Sophos enterprise server.

A copy of the Sophos.keychain file, which will need to be taken from the following location on a Sophos Enterprise-managed machine:

/Library/Sophos Anti-Virus/Sophos.keychain

A copy of the com.sophos.sau.plist file, which will need to be taken from the following location on a Sophos Enterprise-managed machine:

/Library/Preferences/com.sophos.sau.plist

1. Set up a new Packages project and select Raw Package.

2. In this case, I’m naming the project Sophos Enterprise AntiVirus 9.1.6.

3. Once the Packages project opens, click on the Project tab. You’ll want to make sure that the your information is correctly set here (if you don’t know what to put in, check the Help menu for the Packages User Guide. The information you need is in Chapter 4 – Configuring a project.)

In this example, I’m not changing any of the options from what is set by default.

4. Next, click on the Settings tab. In the case of my project, I want to install with root privileges and not require a logout, restart or shutdown.

To accomplish this, I’m choosing the following options in the Settings section:

In the Post-Installation Behavior section, set On Success: to Do Nothing

In the Options section, check the box for Require admin password for installation

5. Click on the Scripts tab in your Packages project.

6. Select the Sophos installer metapackage and drag it into the Additional Resources section of your Packages project.

7. Select the Sophos.keychain file and drag it into the Additional Resources section of your Packages project.

8. The last piece is doing an automated uninstall of any existing Sophos installations, then installing a fresh copy of Sophos with the pre-configured autoupdate settings. For this, you’ll need a preinstall script and postinstall script.

Here are the preinstall and postinstall scripts that I’m using:

Preinstall

Postinstall

9. Once you’ve got the preinstall and postinstall scripts built, run the following command to make the script executable:

sudo chmod a+x /path/to/preinstall

sudo chmod a+x /path/to/postinstall

10. Once completed, add the preinstall and postinstall scripts to your Packages project.

11. Last step, go ahead and build the package. (If you don’t know to build, check the Help menu for the Packages User Guide. The information you need is in Chapter 3 – Creating a raw package project and Chapter 10 – Building a project.)

Testing the installer

Once the package has been built, test it by taking it to a test machine that does not have Sophos and install it. The end result should be that Sophos Anti-Virus installs properly and has the pre-configured settings for your Sophos Enterprise server included automatically.

As part of standing up a new DeployStudio server on Mavericks Server in my shop, I noticed that I had a lot of errors showing up in /var/log/system.log that looked like this:

September 5 10:21:16 servername_here collabd[240]: [CSConnectionPool.m:196 fa7d000 +9998ms] Could not open a connection to Postgres. Please make sure it is running and has the correct access.
September 5 10:21:16 servername_here collabd[240]: [CSXCWorkSchedulerService.m:196 fa7d000 +0ms] Failed to open DB connection, retrying in 10s: [CSDatabaseError] Connection to DB failed

This error is caused by OS X Server’s wiki service trying and failing to get a database connection. Googling for those errors led me to a lot of results on how to fix a busted Wiki on OS X Server, but I wasn’t interested in running OS X’s wiki service on this box. If you’re in a similar situation, the collabd service can be stopped via Mavericks Server’s serveradmin tool to fix this issue.

To stop the collabd service, run the following command:

sudo serveradmin stop collabd

After a few minutes, you should see the following output:

collabd:state = "STOPPED"

The errors should also stop appearing in /var/log/system.log.

As part of preparing for Yosemite, I’ve started testing Casper 9.5.1. As part of my testing, I wanted to address an issue that first appeared for me in Casper 9.4: The blue Featured banner in Self Service.

I use the Featured setting to publish items to the Self Service landing page. When I upgraded my test environment to Casper 9.4, I noticed that all of my Featured items now had a blue Featured banner. Since everything on the main landing page is set to be Featured, in my opinion the banner is distracting and does not add value.

I have submitted a feature request to be able to turn off the blue Featured banner, but as of 9.5.1 this feature request is marked as UNDER REVIEW and has not been implemented. Since I anticipate that I’ll have Macs running Yosemite within the next month, I’ll likely need to deploy Casper 9.5.1 and I wanted to be able to stop this banner from appearing in 9.5.1’s Self Service.

The approach I adopted was to take a copy of the appropriate PNG file on the Casper server and use Preview’s Instant Alpha tool to make all content in the image transparent. In effect, I wanted to have the Featured banner file still be there (to help avoid failures in the event that something in Self Service was checking for the file’s presence) but have the banner itself be completely invisible to my users. This approach worked just fine in my testing and it appears to be similar to what Christopher Collins is using in his shop.

For those who want a copy of the transparent PNG file that I created, I have it available for download here. Once downloaded and uncompressed, it’ll be a PNG file named casper_95_featured.png.

Using the downloaded PNG file, here’s how to deploy on a Casper server to make the Featured banner transparent:

NOTE: The instructions below are for a Casper server running on Red Hat Enterprise Linux, where the JSS Tomcat directory is stored in /usr/local/jss and the Tomcat server has an associated tomcat7 user. The JSS Tomcat directory may be installed in a different location and the Tomcat user may not be named tomcat7 on operating systems other than RHEL . When in doubt, contact JAMF Support for assistance.

1. Log into the Casper server using an account that can use root privileges.

2. Copy casper_95_featured.png into /usr/local/jss/tomcat/webapps/ROOT/images/selfservice2

3. Rename the existing featured.png in /usr/local/jss/tomcat/webapps/ROOT/images/selfservice2 to now be named featured_bak.png

4. Rename casper_95_featured.png to now be named featured.png

5. Run the following command with root privileges:

chown tomcat7:tomcat7 /usr/local/jss/tomcat/webapps/ROOT/images/selfservice2/featured.png

6. Start Self Service and verify that the blue Featured image does not appear.

If the blue Featured banner is still appearing in Self Service, the Featured banner may be cached on individual Macs To fix this, you can clear the Self Service cache on the affected machines by following the procedure below:

1. Quit Self Service

2. Remove the com.jamfsoftware.selfservice folder from /Users/username/Library/Caches/

3. Relaunch Self Service

The blue Featured banner should no longer appear in Self Service.

I’ll be speaking about how to leverage virtualization in your test environments at JAMF Nation User Conference 2014, which is being held from October 21st – 23rd, 2014 in Minneapolis, MN. For those interested, my talk will be on Tuesday, October 21st.

For a description of what I’ll be talking about, please see the Bringing the Casper Suite to Life with Virtual Test Environments session description. You can see the whole list of JNUC sessions here on the Conference Events page.

Something that has usually been a manually-driven process for me has been FileVault 2 decryption when using an institutional recovery key. In large part, this is because you need to boot to either Recovery HD or Apple’s Internet Recovery. When you combine that with this known issue with decrypting when booted from Recovery HD or Apple’s Internet Recovery, it made me wish for a scripted process for decrypting when using an institutional recovery key.

Apparently, I should wish for things more often because @ttaniguti has developed a script that does precisely that. FileVault Rescue’s decrypt.sh script is designed to properly decrypt a FileVault 2-encrypted Mac using an institutional recovery key while the Mac is booted to Mavericks’ Recovery HD or Apple’s Internet Recovery.

In my testing, the script works fine on a FileVault 2-encrypted Mac running 10.9.5 and it avoids the known issues with decrypting while booted from Recovery HD by running diskutil cs revert twice at the proper times in the decryption process.

To use this script, you will need the following:

1. A FileVaultMaster.keychain file that contains the private key of your institutional recovery key.

2. The unlock password for the FileVaultMaster.keychain file stored in a plaintext file named pass.txt

Once you have both of these, copy the two files along with the decrypt.sh script to something that you’ll be able to access while booted to Mavericks’ Recovery HD or Apple’s Internet Recovery. A USB flash drive would work well here.

A YouTube video is available to show you how to use the script and I’ve linked it below:

Hat tip to Allister Banks for letting me know about this script.

Starting in 10.7.2, Apple has set the iCloud sign-in to pop up on the first login.

In 10.10, Apple added a new Diagnostics & Usage window that pops up at first login after the iCloud sign-in.

Since having these pop-up windows appear may not be desirable in all Mac environments, it makes sense to be able to turn this off for new user accounts. As part of preparing for Yosemite in my own shop, I’ve developed a script that should disable both the iCloud and Diagnostics pop-ups on 10.7.2 – 10.10.0. See below the jump for the details.

Apple is using /Users/username/Library/Preferences/com.apple.SetupAssistant.plist to store the settings that indicate whether or not the iCloud sign-in and Diagnostics agreement processes have run. Building on work done by the folks behind DeployStudio, I’ve built a script that pre-sets those values for new and existing accounts on a particular Mac. In turn, that should stop the iCloud and Diagnostics pop-up messages from appearing on that Mac.

The script is below and is also available on my GitHub repo. This script is also available as a payload-free package on my GitHub repo, available for download from the payload_free_package directory available from the link above.

With the release of Yosemite, Apple has apparently made an undocumented change to the way it allows packages to be added to the OS installer. If you add any additional packages for installation as part of the OS install/upgrade, they must all be distribution-style flat packages. You can convert a component flat package to be a distribution-style flat packages by running the command below:

productbuild –package /path/to/component.pkg /path/to/distribution.pkg

This change is a problem for First Boot Package Install.pkg and First Boot Package Install With Automated Apple Software Update.pkg, as they are both built as a bundle-style package and not as flat packages. While both First Boot Package Install.pkg and First Boot Package Install With Automated Apple Software Update.pkg run fine on Yosemite, they cannot be added to customized NetInstall images created with System Image Utility or to createOSXinstallPkg-built Yosemite OS installer packages.

  

To address this issue, I’ve developed First Boot Package Install Generator.app, an Automator application that will allow the selection of a folder containing installer packages and then generate a distribution-style flat package that enables the selected packages to be installed at startup. It’s designed for use with createOSXinstallPkg with the goal of allowing installer packages that can’t run in the OS X Install environment to be used as part of a createOSXinstallPkg deployment workflow. See below the jump for the details.

OS Compatibility:

First Boot Package Install Generator.app has been tested and verified to run on the following versions of OS X:

OS X 10.8.x

OS X 10.9.x

OS X 10.10.x

First Boot Package Install Generator.app has been tested and verified that it does not run on the following version of OS X:

Mac OS X 10.7.x

Not tested:

Mac OS X10.6.x or earlier

The packages generated by First Boot Package Install Generator.app have been tested and verified to work with the following versions of OS X:

Mac OS X 10.7.5

OS X 10.8.5

OS X 10.9.5

OS X 10.0.0

Preparing installers for use with First Boot Package Install Generator.app

1. Set up a folder to hold your installers.

NOTE: createOSXinstallPkg has an upper limit of 350 MBs of available space for added packages. This is sufficient space for basic configuration, payload-free or bootstrapping packages, but it’s not a good idea to add Microsoft Office or similar large installers to this installer.

2. Create numbered directories inside that folder, with 00 being the first and proceeding on to as many as you need. For numbers less than 10, make sure to label the directory with a leading zero (For example, 06).

3. Add one installer package to each numbered directory. The number of the directory indicates the install order, with 00 being the first.

Note: If installing more than 100 packages, be aware that this was beyond the scope of my testing. I recommend adding another leading zero where appropriate.

4. Once finished adding installers to the numbered directories, use First Boot Package Install Generator.app to generate a first boot installer package.

Using First Boot Package Install Generator.app

1. If needed, download the First Boot Package Install Generator.app installer from the installer directory in my GitHub repo and install the application on your Mac.

2. Once downloaded and installed, double-click on the First Boot Package Install Generator application. You’ll be prompted to select the directory that contains the installers you want to have installed at first boot.

3. Once you’ve selected the folder with your installers, you’ll be prompted to name the installer package. By default, the name filled in will be First Boot Package Install, but this name can be changed as desired.

4. Once you’ve entered a name for the installer package, you’ll be prompted for a package identifier. By default, the name filled in will be com.github.first_boot, but this name should be changed to be something unique.

5. Once you’ve entered an identifier for the installer package, you’ll be prompted for a version number. By default, the value filled in will be 1.0, but this value can be changed as needed.

6. You will be prompted to choose if you want to have all available Apple software updates applied before your packages are installed. Choose Yes or No as appropriate.

7. Once the package name, package identifier, package version and software update choice have been set, First Boot Package Install Generator.app will prompt for an administrator’s username and password.

8. Once the admin username and password are provided, First Boot Package Install Generator.app will create the installer package and prompt you when it’s finished.

9. Click OK at the prompt and a new Finder window will open and display the newly-created first boot installer package.

10. Once the new package has been displayed, First Boot Package Install Generator.app will automatically exit. The package is now ready for use.

How First Boot Package Install Generator.app works

First Boot Package Install Generator.app is an Automator application that uses AppleScript, shell scripting, pkgbuild and productbuild behind the scenes to create installer packages that are designed to serve as a delivery mechanism to install other packages during a Mac’s startup process. When a script is selected, the following process takes place:

1. The directory with the user-selected packages is copied to /tmp as a zip archive named fb_installers, to give the package-building script a consistent value to work with.

2. After the package name, package identifier and package version are set, /tmp is checked to make sure that there is not an existing directory that is named the same as the chosen name. If a matching directory is found, it is removed.

3. A new directory is created in /tmp that matches the chosen name of the package. This directory will be used for building the first boot package.

4. Next, the installer_build_components.tgz and xmlstarlet.tgz tar files are copied into /tmp from the Contents/Resources directory inside First Boot Package Install Generator.app and then un-tar’d into the build directory inside /tmp.

5. Using the choice of whether to run Apple software updates or not, the appropriate script is moved into the build directory and renamed firstbootpackageinstall.sh.

6. The fb_installers directory with the user-selected packages is moved into the correct location in the build directory for inclusion in the package when it’s created.

7. The new first boot installer package is built first as a component flat package by pkgbuild.

8. A new distribution XML file is synthesized using productbuild for the first boot component package.

9. xmlstarlet is used to add a title field to the distribution XML file.

10. The component package is converted to a distribution-style flat package using productbuild and the edited distribution XML file

11. The installer_build_components.tgz and xmlstarlet.tgz tar files are removed from /tmp.

12. The finished installer package is stored in /tmp/package_name_here and the user is prompted that the process is finished.

13. Once the user is notified and clicks OK, a new Finder window opens for /tmp/package_name_here. The package is ready to be added to a createOSXinstallPkg-built OS installer.

How First Boot Package Install Generator.app-generated installer packages work

When the First Boot Package Install Generator.app-generated installer package is installed via createOSXinstallPkg, it does the following:

1. Installs the folder containing the user-selected installers to /var/fb_installers.

2. Installs /Library/LaunchDaemons/com.company.firstbootpackageinstall.plist

3. Installs /var/firstbootpackageinstall.sh.

4. Installs /Library/LaunchAgents/com.company.LoginLog.plist

5. Installs /Library/PrivilegedHelperTools/LoginLog.app

After OS X is installed by createOSXinstallPkg and reboots, the following process occurs:

1. The com.company.firstbootpackageinstall LaunchDaemon triggers /var/firstbootpackageinstall.sh to run.

2. /var/firstbootpackageinstall.sh stops the login window from loading and checks for the existence of /var/fb_installers.

If /var/fb_installers is not found, the following actions take place:

A. The login window is allowed to load

B. /Library/LaunchDaemons/com.company.firstbootpackageinstall.plist is deleted

C. /var/firstbootpackageinstall.sh is deleted

D. /Library/LaunchAgents/com.company.LoginLog.plist is deleted

E. /Library/PrivilegedHelperTools/LoginLog.app is deleted.

F. /var/firstbootpackageinstall.sh checks for an existing /var/log/firstbootpackageinstall.log logfile and renames the existing logfile to include the current date and time.

G. /var/firstbootpackageinstall.sh deletes itself.

If /var/fb_installers is present, the following actions take place:

A. If /var/fb_installers exists, the login window is allowed to load

B. A log is created to record the actions taken by /var/firstbootpackageinstall.sh. By default, this logfile named firstbootpackageinstall.log and is stored in /var/log.

C. /Library/LaunchAgents/com.company.LoginLog.plist loads and launches /Library/PrivilegedHelperTools/LoginLog.app.

D. /Library/PrivilegedHelperTools/LoginLog.app opens a window over the Mac’s login window and displays the logfile.

E. A network check is run, to ensure that the Mac has a network address other than 127.0.0.1 or 0.0.0.0 (which are otherwise known as loopback addresses.) This network check will check every five seconds for the next 60 minutes for a working network connection.

Network check fails – If only loopback addresses are detected within 60 minutes, the script will take the following actions:

• Log a failure message to the log
• Delete /var/fb_installers
• Restart

On restart, the “if /var/fb_installers is not found” actions occur.

Network check succeeds – If a non-loopback address is detected, the script will take the following actions:

• Log a success message to the log and proceed with the rest of the script.

F. If the option to install Apple software updates was selected, all available Apple software updates are downloaded and installed prior to installing the user-selected packages.

G. The user-selected packages are installed, using the numbered subdirectories to set the order of installation

H. Once installation has finished, /var/fb_installers is deleted

I. The Mac is restarted

J. On restart, the “if /var/fb_installers is not found” actions occur and all remaining traces of the first boot package are removed from the Mac.

For those who want to build a customized First Boot Package Install Generator.app, the components and scripts are available on my Github repo.

To address this issue that caused problems for folks decrypting from Mavericks’ Recovery HD and Internet Recovery, Apple has made a change to Yosemite’s Recovery HD and Apple Internet Recovery with regards to FileVault 2 decryption. As of 10.10, you can initiate the decryption process from Yosemite’s Recovery HD and Internet Recovery, but the actual decryption will not proceed until you have booted from a drive that is running a regular Yosemite OS install.

When you decrypt from Yosemite’s Recovery HD, you will be notified that decryption is in progress and to run the following command to check on its progress:

diskutil cs list

When checked, you should see output for Conversion Status, Conversion Direction and Conversion Progress similar to what’s shown below:

• Conversion Status: Converting
• Conversion Direction: -none-
• Conversion Progress: -none-

These statuses will not change while you’re booted from Yosemite’s Recovery HD. If you reboot and boot back to Yosemite’s Recovery HD, you should see output for Conversion Status, Conversion Direction and Conversion Progress similar to what’s shown below:

• Conversion Status: Converting
• Conversion Direction: -none-
  
• Conversion Progress: Paused
  

Once booted from a regular Yosemite OS install, you should see decryption proceed.

I had filed a bug report about the decryption behavior in Mavericks’s Recovery HD which evolved into a bug report about this behavior. The bug report has been closed by Apple and I’ve posted the bug report at Open Radar now that the Yosemite NDA has been lifted. For those interested, the details are available via the link below:

http://openradar.appspot.com/radar?id=5885738759487488

For those who wanted a copy of my virtualization talk at JAMF Nation User Conference 2014, here are links to the slides in PDF and Keynote format.

PDF: http://tinyurl.com/jnuc2014vmPDF

Keynote: http://tinyurl.com/jnuc2014vmkeynote

One new window that appears in Apple’s Setup Assistant application for Yosemite is one that encourages new users of Yosemite to enable FileVault 2 encryption.

However, this Setup Assistant window appears to be selective as it appears for some users but not others. After some digging with the strings command, it looks like the FileVault 2 option in Setup Assistant does not appear in the following conditions:

1. The Mac is not a laptop.
2. The OS is unable to check the processor for certain features.
3. The processor does not support AES-NI.
4. The OS is booting from an external drive.
5. There’s more than one user account on the system.
6. The boot drive does not have a CoreStorage logical volume set up on it.
7. The boot drive is already encrypted.
8. The Mac was configured by the Device Enrollment Program to not display this option.
9. This window had already appeared for this drive and user account.
10. The user’s home folder is located somewhere other than the boot drive.
11. The user has not logged into iCloud on this machine.

These criteria can be examined using the following procedure:

1. Install Xcode or the Xcode Command Line Tools.
2. Once Xcode or the Xcode Command Line Tools are installed, open Terminal and run the following command:

strings /System/Library/CoreServices/Setup\ Assistant.app/Contents/SharedSupport/MiniLauncher | grep "FDE upsell"

On a 10.10.0 system, that should produce the following output:

Skipping FDE upsell,  machine is not a portable
Skipping FDE upsell, unable to inspect cpu features
Skipping FDE upsell, unable to gather cpu features
Skipping FDE upsell, CPU doesn't have AES instruction set
Skipping FDE upsell, somehow running buddy on a disk image
Skipping FDE upsell, not an internal volume
Skipping FDE upsell, not a single user system
Skipping FDE upsell, root disk is not a CSLV
Skipping FDE upsell, root disk is already FDE
Skipping FDE upsell, system was opted out via Device Enrollment Program setting
Skipping FDE upsell, already occurred for this volume and user
Skipping FDE upsell, user home volume is separate from the system volume
Skipping FDE upsell, not logged into iCloud