Mac Admin Corner

Updated: Send softwareupdate command through ARD

Patrick — Thu, 08 Apr 2010 13:00:51 +0000

This script will run software updates only on machines that are logged out. This ensures you don’t reboot machines that are in use and don’t leave machines in an inconsistent state (by not rebooting after patching). This is not a perfect solution to patching but it’s better than nothing. You can even schedule this to run on a recurring basis.

Update: Added sleep command with random wait. This will help alleviate some load on your SUS and perhaps prevent a DOS attack. Thanks to rsaeks via Twitter.

Copy and paste the following into an Apple Remote Desktop (ARD) “Send Unix Command” window and send as root:

#!/bin/sh
 
<pre lang="bash"># Random number of seconds to wait
# The more machines you use this with, the higher the number should be
sleep `expr $RANDOM % 120`

if who | grep console; then

echo Machine is in use

exit 1

fi
COMMAND_LINE_INSTALL=1 softwareupdate -i -a

shutdown -r now

exit 0

Script to Configure the Mac OS X firewall

Patrick — Wed, 07 Apr 2010 13:54:39 +0000

Here is a script that can be deployed via ARD, Absolute Manage (LANrev), LANDesk or virtually any other method to enable and configure the firewall for 10.4, 10.5 or 10.6. You will need to decide how exactly you want your clients firewalls configured. Pay special attention to the stealth setting. If this is enabled, you will not be able to ping that system which will make discovery difficult if they are on a different subnet than your admin system.

#!/bin/sh
# enable_firewall.sh
#
# Patrick Gallagher
# http://macadmincorner.com
 
# Stealth Mode - Set to 0 to disable
# Stealth mode prevents machine from responding to ping requestst
# Be aware that this would prevent tools such as ARD from discovering
# the machine, though bonjour on the same subnet will still work
 
osversionlong=`sw_vers -productVersion`
osvers=${osversionlong:3:1}
 
# Check if this is being run by root
if [ "$(whoami)" != "root" ] ; then
  echo "Must be root to run this command." &gt;&amp;2
  exit 1
fi
 
# Enable firewall for Tiger
if [ $osvers -eq 4 ]; then
	echo "Setting firewall on a ${osversionlong} machine"
	/usr/bin/defaults write /Library/Preferences/com.apple.sharing.firewall state -bool YES
	# UDP, change to 0 to disable
	/usr/bin/defaults write /Library/Preferences/com.apple.sharing.firewall udpenabled  -int 1
	# Stealth, change to 0 to disable
	/usr/bin/defaults write /Library/Preferences/com.apple.sharing.firewall stealthenabled -int 1
	/usr/libexec/FirewallTool
fi
 
# Enable firewall for Leopard or Snow Leopard
if [ $osvers -ge 5 ]; then
	echo "Setting firewall on a ${osversionlong} machine"
	# Globalstate - Set to 0 for off, 1 for on, 2 for "Block all incoming access"
	/usr/bin/defaults write /Library/Preferences/com.apple.alf globalstate -int 1
	/usr/bin/defaults write /Library/Preferences/com.apple.alf stealthenabled -int 1
fi

Bind to OD Script & Add to Computer Group

Patrick — Wed, 07 Apr 2010 00:36:01 +0000

The following script is what I use to bind machines to Open Directory and it solves the following challenges:

If bound to another OD domain, it removes that binding. If you’re not moving from another domain, you can ignore that part, it won’t hurt that it’s in there.
Adds the computer record to OD. Normally with anonymous binds you have to manually add the computer account. This takes care of that by authenticating as a diradmin. Because of this, keep this script in a safe place.
Fixes the search order if the machine is also bound to AD in a golden triangle (or magic triangle) so that Tiger machines use AD first and Leopard/Snow Leopard machines look to OD first.
Bind machine(s) remotely with tools such as Apple Remote Desktop (ARD), Absolute Manage (LANrev) or LANDesk.

Please be aware this script might not work in all environments. Try to understand how the script works and be prepared to modify for your environment. One issue I frequently find with any type of binding script (OD or AD) is the timing never seems to be perfect. By that I mean that the script runs faster than the directoryservice process can recognize the changes. I try to account for this by putting in “sleep xx” commands in certain places but you may need to play around with this a bit.

What I try to do is follow up the script with a simple “defaults read /Library/Preferences/DirectoryService/SearchNodeConfig “Search Node Custom Path Array” to ensure both OD and AD are in there. If they’re not, I just run the bind script again and it usually gets it the 2nd time.

To download the script, click here.

Or copy/paste:

#!/bin/sh
 
# Patrick Gallagher
# http://www.macadmincorner.com
# Updated 12/11/2009
 
# These variables need to be configured for your env
odAdmin="" #enter your OD admin name between the quotes
odPassword=""  # Enter your OD admin password between the quotes
domain="od.school.edu" # FQDN of your OD domain
oldDomain="oldod.school.edu" # If moving from another OD, enter that FQDN here
oldODip="111.222.333.444" # Enter the IP of your old OD
ADdomain="ad.school.edu" # Enter your AD domain here
computerGroup=computers  # Add appropriate computer group you want machines to be added to, case sensitive 
 
# These variables probably don't need to be changed
computerName=`/usr/sbin/scutil --get LocalHostName`
nicAddress=`ifconfig en0 | grep ether | awk '{print $2}'`
check4OD=`dscl localhost -list /LDAPv3`
check4ODacct=`dscl /LDAPv3/${domain} -read Computers/${computerName} RealName | cut -c 11-`
check4AD=`dscl localhost -list /Active\ Directory`
osversionlong=`sw_vers -productVersion`
osvers=${osversionlong:3:1}
 
# Check if on OD already
if [ "${check4OD}" == "${domain}" ]; then
	echo "This machine is joined to ${domain} already."
	odSearchPath=`defaults read /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" | grep $domain`
	if [ "${odSearchPath}" = "" ]; then
		echo "$domain not found in search path. Adding..."
		dscl /Search -append / CSPSearchPath /LDAPv3/$domain
		sleep 10
	fi
else if [ "${check4OD}" == "${oldDomain}" ]; then
	echo "Removing from ${oldDomain}"
	dsconfigldap -r "${oldDomain}"
	dscl /Search -delete / CSPSearchPath /LDAPv3/"${oldDomain}"
	dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"${oldDomain}"
	echo "Binding to $domain"
	dsconfigldap -v -a $domain -n $domain
	dscl /Search -create / SearchPolicy CSPSearchPath
	killall DirectoryService
else if [ "${check4OD}" == "${oldODip}" ]; then
	echo "Removing from ${oldODip}"
		dsconfigldap -r "${oldODip}"
		dscl /Search -delete / CSPSearchPath /LDAPv3/"${oldODip}"
		dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"${oldODip}"
		echo "Binding to $domain"
		dsconfigldap -v -a $domain -n $domain
		dscl /Search -create / SearchPolicy CSPSearchPath
		killall DirectoryService
else
	echo "No previous OD servers found, binding to $domain"
	dsconfigldap -v -a $domain -n $domain
	dscl /Search -create / SearchPolicy CSPSearchPath
	sleep 10
	dscl /Search -append / CSPSearchPath /LDAPV3/$domain
	echo "Killing DirectoryService"
	killall DirectoryService
	fi
fi
fi
 
if [ "${check4ODacct}" == "${computerName}" ]; then
	echo "This machine has a computer account on ${domain} already."
else
	echo "Adding computer account to ${domain}"
	dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/${domain} -create /Computers/${computerName} ENetAddress "$nicAddress"
	dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/${domain} -merge /Computers/${computerName} RealName ${computerName}
	# Add computer to ComputerList
	dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/${domain} -merge /ComputerLists/${computerGroup} apple-computers ${computerName}		
 
	# Set the GUID
	GUID="$(dscl /LDAPv3/${domain} -read /Computers/${computerName} GeneratedUID | awk '{ print $2 }')"
	# Add to computergroup
	dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/${domain} -merge /ComputerGroups/${computerGroup} apple-group-memberguid "${GUID}"
	dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/${domain} -merge /ComputerGroups/${computerGroup} memberUid ${computerName}
fi
 
sleep 25 # Give DS a chance to catch up
 
# Fix DS search order
echo "Checking DS search order..."
if [ "${check4AD}" == "${adDomain}" ]; then
	dsconfigad -alldomains enable
	dscl /Search -delete / CSPSearchPath "/Active Directory/${adDomain}"
	dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/${adDomain}"
	dscl /Search -append / CSPSearchPath "/Active Directory/All Domains"
	if [ $osvers -eq 4 ]; then
		echo "OS detected as ${osversionlong}"
		echo "Setting AD, then OD to search order..."
		dscl localhost changei /Search CSPSearchPath 2 "/Active Directory/All Domains"
		dscl localhost changei /Search CSPSearchPath 3 /LDAPv3/$domain
		dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/All Domains"
	else if [[ ${osvers} -eq 5 || 6 ]]; then
		echo "OS detected as ${osversionlong}"
		echo "Setting OD, then AD to search order..."
		dscl localhost changei /Search CSPSearchPath 3 "/Active Directory/All Domains"
		dscl localhost changei /Search CSPSearchPath 2 /LDAPv3/$domain
		dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/All Domains"
	fi
fi
	else if [ "${check4AD}" == "All Domains" ]; then
	dscl /Search -append / CSPSearchPath "/Active Directory/All Domains"
	sleep 15
		if [ $osvers -eq 4 ]; then
			echo "OS detected as ${osversionlong}"
			echo "Setting AD, then OD to search order..."
			dscl localhost changei /Search CSPSearchPath 1 "/Active Directory/All Domains"
			dscl localhost changei /Search CSPSearchPath 2 /LDAPv3/$domain
		else if [[ ${osvers} -eq 5 || 6 ]]; then
			echo "OS detected as ${osversionlong}"
			echo "Setting OD, then AD to search order..."
			dscl localhost changei /Search CSPSearchPath 2 /LDAPv3/$domain
			dscl localhost changei /Search CSPSearchPath 3 "/Active Directory/All Domains"
			dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/All Domains"
		fi
	fi
fi
fi	
 
echo "Finished. Exiting..."
exit 0

Absolute Manage (LANrev) webinar archive available

Patrick — Thu, 01 Apr 2010 01:51:01 +0000

Edweek.org did a webinar featuring Absolute Manage yesterday and the archive is available online. You can either watch the webinar (bit less than 1 hour) or just download the slides. It featured a case study from a school district with a few thousand managed machines and has a heavy focus on asset management and software license monitoring. It’s worth watching.

http://www.edweek.org/ew/marketplace/webinars/webinars.html

Scroll down to the section titled: Getting a Grasp on Computer Assets to Deliver Maximum Cost Efficiency

Add directory services data to LANDesk inventory

Patrick — Sat, 27 Mar 2010 13:00:25 +0000

I posted over at the LANDesk community site on how I add AD and OD data to inventory, most of which LANDesk does not collect on it’s own. Much of this I did because we were moving from one OD domain to another and needed a way to see which machines remained on the old domain.

You can get the script here: http://community.landesk.com/support/docs/DOC-9232.

Changed RSS feed to show full posts

Patrick — Mon, 18 Jan 2010 21:52:39 +0000

Lately, I’ve been reading more and more of my daily news from my iPhone and I’ve started to get pissed off at blogs that I like that only show a short summary in the RSS feed. This drove me nuts. Then today I just realized that I was doing the exact same thing! My bad.

So if you were cursing me for only showing the summaries and stopped subscribing, fear not, that should be fixed for future posts.

Subscribe to my feed from here.

Ten blogs every Mac admin should know about

Patrick — Sun, 17 Jan 2010 02:55:28 +0000

Need to load up your RSS reader with loads of Mac goodness? Mac Admin Corner just not quite enough for you? There are plenty of Mac experts out there sharing their knowledge with the world. Here’s a list of sites that I follow.

Krypted.com
Charles Edge has written many Mac Server Books including the Enterprise Mac Administrator’s Guide and Beginning Mac OS X Snow Leopard Server: From Solo Install to Enterprise Integration. Charles also frequently updates his blog over at Krypted.com.
SystemsBoy.com
Very interesting to read, he has a great writing style.
Managing OS X
Greg is one of the top contributors and well respected guru’s on many of the Mac lists. He has written many useful articles including MCX, dslocal, and Leopard and managing Office 2008 with MCX, and much more.
IrisInk
Intelligent posts, great to read.
AFP548.com
One of the most well known Mac IT sites, run by a couple Apple SE’s (I don’t remember their exact titles), this site is also home to a couple useful tools including InstaDMG and KeyMinder. Their forums are also pretty lively. Summarizing everything this site, and the next one on the list would require entire articles.
MacEnterprise.org
Originally macosxlabs.org, this site is the combined efforts of several businesses as well as higher education instututions to provide a central repository of collaborations. I’m not sure it’s considered a “blog” but it’s worth making the list anyway. Best known for their [usually] monthly webcasts as well as the mailing list.
Unflying Object
He claims it’s not a blog, but it sure looks, smells and tastes like one to me. Useful posts too.
eWeek
Mostly IT corporate related news, their Mac section occasionally posts some interesting commentary.
ComputerWorld
Ryan Faas, the author of iPhone for Work: Increasing Productivity for Busy Professionals (Books for Professionals by Professionals) and other books is a regular columnist at ComputerWorld.
Explanatory Gap
Nigel Kersten is a sysadmin with Google and a Mac wiz to say the least.

I know there are a ton of other relevant bloggers out there but I limited this list to those that have been posting recently. My site would not have made the list since I took close to a year off, but it’s my site and I make (or break) the rules.

Quite honestly, when you look at the number of competing Windows and Linux IT sites, we are definitely in the minority. I expect to see more and more resources (blog or otherwise) become available to the Mac management community.

Have I missed any that should be noted? Do you have a blog of your own you’d like to share? Share your comments!

Can Open Directory be used enterprise wide?

Patrick — Sat, 16 Jan 2010 03:27:45 +0000

A few years ago, before I started at my employer, a project was started for an enterprise-wide Open Directory setup. Each business unit within the university has a decent number of Macs that were mostly unmanaged. The project passed governance and a budget was set aside to fund the implementation. This was back in the Tiger days and for some reason, everyone involved decided to wait for Leopard to be released. In the mean time, I had a Tiger OD setup so we could manage a handful of classrooms that needed to be managed.

When we were ready to get the project going again well after Leopards release, I built an evaluation OD setup and kicked it around a bit. Apple added a great new (at the time) feature that allows computer groups to be members of other computer groups. As well as allowing computers to be members of multiple computer groups. However, because of this, there is no feasible way to manage delegated administration. Computer group nesting is nothing like Active Directory OU’s, there’s no hierarchy structure. Whereas Tiger Server had the ability to give an admin control to only certain computer lists. The change to Leopard meant that if someone needs to manage preferences, add computer accounts or anything else having to do with computer groups, the admin would need to be given full domain admin rights.

In our non-centralized environment, this wouldn’t work. I came to the conclusion that Apple did not design Open Directory for the enterprise. Apple’s typical target market is K-12 and departments within an enterprise (higher education or corporate). We all throw out states like “if Apple wants to compete in the enterprise, they need to do….”. Apple is not an enterprise company, and they don’t pretend to be. Apple makes assumptions about how their customers will use their products. In the case of OD, they assume the IT departments involved are either small and localized or centralized and that everyone works well together.

Often times, enterprises that implement Macs try to bend Apple’s server offerings to fit their environment. Then complain to Apple when it doesn’t bend the way they think it should. This is especially true in higher education, where the customers (faculty and staff) get to choose their platform. Many are going to choose Macs and it is our job to do what we need to do in order to manage them. In the case of OD, it’s just not something that can easily be centralized unless you’re willing to give every admin the equivalent of domain admin. Could you imagine doing that with Active Directory?

So everyone involved decided to not use a central offering. We have recently implemented OD in our area and it’s working really well for us for the most part. Delegation is still an issue as we don’t want everyone to be a domain admin but I’ve developed some methods for computer accounts to be added without granting admin rights on the domain. Stay tuned, I’ll be posting that script soon.

How have you implemented OD in your enviornment? Have you centralized, or localized?

Migrate Local User to Domain Account

Patrick — Thu, 14 Jan 2010 17:02:03 +0000

If you are migrating your machines to authenticate via Active Directory, you may need to convert your local user accounts and their home folders to an AD user account and retain the home folder. I had a script posted here but that version was Tiger only because it used NI* commands.

The following script is written in bash and can be run by double clicking (it’s a .command) as a user with sudo rights (all admin users have this right by default). It will prompt for your admin password, then present a list of numbered local users. Enter a number from the list for the user you want to migrate, then it will ask for the network ID. It runs in a loop until you select the option for “Finished” which will exit the script.

This should work with Tiger, Leopard or Snow Leopard and can easily be modified to work with OD user accounts (change the check4AD variable to check for OD instead).

To download the script, click here.

#!/bin/sh
Version=1.0
# Modified 1/14/2009
 
# MigrateLocalUserToDomainAcct.command
# Patrick Gallagher
# http://macadmincorner.com
#
 
# This script should not need any modification in most enviornments. 
# If the script does not execute when run, you may need to 'chmod +x /path/to/thisScript' to make it executable
 
clear
 
netIDprompt="Please enter the network ID for this user: "
listUsers="$(/usr/bin/dscl . list /Users | grep -v eccsadmin | grep -v _ | grep -v root | grep -v uucp | grep -v amavisd | grep -v nobody | grep -v messagebus | grep -v daemon | grep -v www | grep -v Guest | grep -v xgrid | grep -v windowserver | grep -v unknown | grep -v unknown | grep -v tokend | grep -v sshd | grep -v securityagent | grep -v mailman | grep -v mysql | grep -v postfix | grep -v qtss | grep -v jabber | grep -v cyrusimap | grep -v clamav | grep -v appserver | grep -v appowner) FINISHED"
FullScriptName=`basename "$0"`
ShowVersion="$FullScriptName $Version"
check4AD=`/usr/bin/dscl localhost -list . | grep "Active Directory"`
osversionlong=`sw_vers -productVersion`
osvers=${osversionlong:3:1}
 
echo "********* Running $FullScriptName Version $Version *********"
 
# If the machine is not bound to AD, then there's no purpose going any further. 
if [ "${check4AD}" != "Active Directory" ]; then
	echo "This machine is not bound to Active Directory.\nPlease bind to AD first. "; exit 1
fi
 
RunAsRoot()
{
        ##  Pass in the full path to the executable as $1
        if [[ "${USER}" != "root" ]] ; then
                echo
                echo "***  This application must be run as root.  Please authenticate below.  ***"
                echo
                sudo "${1}" && exit 0
        fi
}
 
RunAsRoot "${0}"
 
until [ "$user" == "FINISHED" ]; do
 
	printf "%b" "\a\n\nSelect a user to convert or select FINISHED:\n" >&2
	select user in $listUsers; do
 
		if [ "$user" = "FINISHED" ]; then
			echo "Finshied converting users to AD"
			break
		elif [ -n "$user" ]; then
			if [ `who | grep console | awk '{print $1}'` == "$user" ]; then
				echo "This user is logged in.\nPlease log this user out and log in as another admin"
				exit 1
			fi
 
			# Determine location of the users home folder
			userHome=`/usr/bin/dscl . read /Users/$user NFSHomeDirectory | cut -c 19-`
 
			# Get list of groups
			echo "Checking group memberships for local user $user"
			lgroups="$(/usr/bin/id -Gn $user)"
 
 
			if [[ $? -eq 0 ]] && [[ -n "$(/usr/bin/dscl . -search /Groups GroupMembership "$user")" ]]; then 
			# Delete user from each group it is a member of
				for lg in $lgroups; 
					do
						/usr/bin/dscl . -delete /Groups/${lg} GroupMembership $user >&/dev/null
					done
			fi
			# Delete the primary group
			if [[ -n "$(/usr/bin/dscl . -search /Groups name "$user")" ]]; then
  				/usr/sbin/dseditgroup -o delete "$user"
			fi
			# Get the users guid and set it as a var
			guid="$(/usr/bin/dscl . -read "/Users/$user" GeneratedUID | /usr/bin/awk '{print $NF;}')"
			if [[ -f "/private/var/db/shadow/hash/$guid" ]]; then
 				/bin/rm -f /private/var/db/shadow/hash/$guid
			fi
			# Delete the user
			/usr/bin/dscl . -delete "/Users/$user"
 
 
				# Verify NetID
				printf "\e[1m$netIDprompt"
				read netname
				/usr/bin/killall DirectoryService
				sleep 10
				/usr/bin/id $netname
				# Check if there's a home folder there already, if there is, exit before we wipe it
				if [ -f /Users/$netname ]; then
					echo "Oops, theres a home folder there already for $netname.\nIf you don't want that one, delete it in the Finder first,\nthen run this script again."
					exit 1
				else
					/bin/mv $userHome /Users/$netname
					/usr/sbin/chown -R ${netname} /Users/$netname
					echo "Home for $netname now located at /Users/$netname"			
				fi
			break
		else
			echo "Invalid selection!"
		fi
	done
done

Add user to admin group with Applescript

Patrick — Tue, 12 Jan 2010 23:58:30 +0000

Need a way for your team to easily make a network or local user an admin? Copy and paste the code below into Script Editor (Applescript Editor in 10.6) and save it as an application. This can be used before deploying a machine to the user, or after they’ve logged in.

(*
Add user to admin group
 
This script should not need any modification, unless you want to "brand" it. 
 
http://macadmincorner.com
*)
 
tell application "System Events"
	set shortName to name of current user
end tell
 
set userName to text returned of (display dialog "Enter the users shortname" default answer shortName)
 
do shell script "dseditgroup -o edit -a " & userName & " -t user admin" with administrator privileges
 
 
display dialog (do shell script "dscl . -read /Groups/admin users") with title "The following users are admins on this machine" buttons "Ok" default button 1