Zoom in on Privacy and Security

Recent attention on video conferencing app Zoom and security exploits brings attention to the various Privacy and Security settings on your Mac. Currently macOS 10.14.5 Mojave defines microphone and camera settings which should be verified periodically if they’re not being managed by MDM (mobile device management) and even in those case, just to verify.

Zoom update

If you’ve ever had Zoom installed you must launch it and then update it manually, unless you have Munki or other patching solution to manage your Mac.

 

Zoom Enable camera access

If you want Zoom to have access to your camera (useful for video conferencing) then enable it or leave it disabled until the moment you actually need it.

Privacy-Camera-OFF-Settings.pngMaybe this is a good time to review what apps have previously been granted access and disable them or not after you review the situation.

Privacy-MIC2-Settings.png

Check your microphone access as well. What apps are in your list?

Further research:

Check out Objective See’s excellent security tools such as Oversight to protect yourself from unwanted access to your camera.

Also check out this past talk at MacDevOps:YVR 2018 by Kolide’s Zach Wasserman about osquery and at the 11min mark where he talks about another app BlueJeans and how to investigate it with osquery.

The MacDevOps:YVR videos from past talks contain many security related talks as well as other awesome troubleshooting tech talks.

 

 

PostLab ❤️ Hedge

Great news everyone. Hedge has acquired PostLab and with this news the main developer Jasper Siegers joins the Hedge team. Great things will come of this collaboration. The brilliant idea of using version control for FCPX project sharing simplifies the whole process that has usually been left to huge media asset management systems that control data and projects. This is project sharing simplified and it’s about to get a lot more awesome with more developer time and a company to support it.

I am equally excited about Jasper coming to MacDevOps:YVR in June to talk about how and why he developed this app using GitLab and Docker and how version control for editors is useful and necessary.

Hedge is a small company in the Netherlands that makes the Hedge software to securely copy camera cards. I’ve incorporated this software with my Final Cut Pro X clients to secure their original footage on location as well as back in the office. Workflow post explains more.

I first wrote about PostLab last year

Some recent articles published about the news:

Fcp.co

Hedge announcement

No NetBoot, No problem: installr and bootstrappr

It’s 2019, and NetBoot is almost dead. All new Macs have T2 chips. Sent from the future to protect us from …. ourselves? No more NetBoot, no problem!!

When NetBoot first appeared and I was able to boot entire labs of Macs across the network I was amazed and overjoyed. It was awesome. Spinning globe, spinning…

Netboot-GlobeSpin.jpg

But in the years since I’ve moved on to no-imaging. Using Munki to manage software means no more imaging, just install Munki and a small config change to point to the Munki server, thereafter the software that should be there goes on, and what’s not supposed to be there goes away. Simple. Just install one package, well, maybe two, then you’re good.

Well, what if you want to streamline or automate these things? What if these are new Macs which don’t have users configured? What if we could do all this from recovery mode? Hmm… Enter bootstrappr and installr!!

bootstrappr

This awesome project allows to add packages to install in one step while booted in recovery mode. Plug in a USB stick with the bootstrapr script to run the package install magic or mount a disk image over http. Create a DMG with the included script make_dmg.sh. And now this is the best part: in recovery mode open the Terminal app from Utilities and type:

hdiutil mount http://server/yourDMG.dmg

Then:

/Volumes/bootstrap/run

When it’s done you can Reboot the Mac and you’ll have a set up customized to your liking with Munki installed and configured with custom settings.

installr

The installr script works in the same way but adds the macOS installer to the party. You can also mount the DMG over http and re-image a Mac and then add your custom packages. It’s awesome. Truly amazing.

One note: Added packages in Installr must be in a special format. From the installr site: startosinstall requires that all additional packages be Distribution-style packages (typically built with productbuild) and not component-style packages (typically built with pkgbuild)

productbuild --package component.pkg --version x.y --identifier com.example.component distribution.pkg

In one of my first tests with installr and pycreateuserpkg I was caught up by this, even though it is properly mentioned in the read me. Packages that work in Bootstrappr or munki directly don’t necessarily work when called by the macOS installer (startoinstall). Armin Briegel was helpful in the MacAdmins Slack and reminded me of this. Thanks Armin and thanks everyone on the MacAdmins Slack.

Many Thanks to Greg Neagle for creating these tools and Munki. Looking forward to hearing him speak at the next MacDevOps:YVR conference June 12-14, 2019. Greg will be speaking about his efforts to port some parts of Munki from Python to Swift. More info on the conference and speakers here: https://mdoyvr.com/speakers/

Also a shout out to Graham Gilbert who has worked on Imagr (MDOYVR talk), over the years, an imaging and automation tool which was also an inspiration (along with bootstrappr and installr) to Tim Perfit and his MDS project.

Update: corrected the names of installr and bootstrappr in the title because… autocorrect.

 

Best of 2018: the conferences

Part of a series of blog post on the “Best of 2018”

Part 2: the conferences

There was NAB in April and the FCPX Creative Summit in November (see more in my previous best of 2018 post here)

New conferences were the theme this year and I’ll start with one I couldn’t attend but really wanted to:

Query conf

⁃ all about osquery

⁃ Great group of people got together in San Francisco to discuss security with open source project originally from Facebook and now a verifiable industry (Kolide, uptycs etc)

⁃ Videos of the talks were posted on their site.

⁃ I had to miss this conference last year because it was just before MacDevOps: YVR and I could not be I two places at once.

Objective by the Sea

⁃ Awesome location. Maui. First time conference and my first time in Hawaii and it was spectacularly beautiful.

⁃ Great people. What a wonderfully diverse group of IT, Security experts and vendors

⁃ Patrick Wardle love fest. Everyone love Patrick and his Objective See free security tools. Look forward to his future projects with Digita Security

⁃ Looking forward to seeing how this conference evolves in the future. Especially if they end up doing more than one a year in different locations. Mahalo to the organizers for putting this together. As a fellow conference organizer I know it is not easy. It takes lots of love and Patrick and his team have lots of love to give. Thanks everyone!

MacDevOps:YVR

Disclaimer: I am the organizer

In 2018 we had our fourth annual conference and it was an amazing group of speakers and attendees. Many people took up my Quick Talk challenge. It is my firm belief that everyone has solved a problem and has knowledge they can share. I love it when people step up, literally step up on stage, and present a story, a solution to a problem, a tech problem they solved. We cheer them on.

What is MacDevOps:YVR?

Just the facts:

⁃ June 2019 will be the 5th annual conference

⁃ Inspired by DevOpsDays held everywhere all over the world this is an inspirational conference to bring together the creators of open source Mac projects and those in IT that use them.

⁃ Bringing a diverse group from around the world to learn about participating in software projects to manage Mac, the aim is to dispel the fear around version control (git), cloud (AWS, GCP, Azure) and various programming languages (Python, Swift, PHP etc)

⁃ Learn about what’s new in various open source projects we depend on: Munki, MunkiReport, Crypt, etc

⁃ Be inspired to share your our own solutions to problems with Quick Talks

⁃ 2019 will be partly security focused with a diverse group of security talks

⁃ Diversity and Inclusion will be front and centre of our IT panel. We are bringing in an amazing group to discuss.

⁃ Hack night. Working on gathering a team of MunkiReport contributors together to help organize some collaborative hacking and programming.

– Workshop. Learn how to make munkireport plugins. MunkiReport server is in PHP but the plugins are written in anything : bash, Python etc

Speakers for MacDevOps:YVR 2019 are on the MDO website.

June 12-14, 2018 join us in Vancouver, Canada for the firth annual MacDevOps:YVR conference.

Many thanks to the crew that that helps me organize this every year and makes the live event as good as it is. Without you I could not make it happen. Also many thanks to my awesome sponsors for helping us pay for bringing in speakers from around the world and paying for the event. Last but not least, thank you for all those that have attended and spoken at this event in the past. I love you all. You are amazing!

Resources

Use Git/GitHub to contribute to these community resources:

⁃ List of all conference videos Conference videos

⁃ MacAdmins Podcast community calendar GitHub repo

– Charles Edge has compiled a list of conferences and it is a great long list. Thanks Charles!

macOS Server is dead. Long live macOS.

Yes, it’s been a hot topic in the MacAdmin community both on Mac Enterprise list (oh no it’s the end of the world!) and MacAdmins Slack (told you it was coming, don’t be surprised).

My professional opinion is: “Don’t panic!”

My MacDevOps conference is all about supporting MacAdmins who have been writing code as infrastructure to manage Macs. And do it while replacing macOS Server in the server room with Linux and other OS.

Xsan is staying in macOS Server so I am happy and that’s my main use for the Mac Mini and macOS Server.

I have other Mac Minis doing file sharing for small work groups and moving that out of Server.app in the last revision was unfortunate (it is in the standard OS and usable there but less manageable). There’s also Synology and QNAP NAS for small workgroup file sharing and so much more And many enterprise storage vendors for larger setups.

Imaging has been dying a slow death for years and has been replaced with a thin or “no imaging” concept supported by tools such as AutoPkg and Munki.

Profile Manager is a demo version of MDM and should not be used to actually manage Macs.

Wikis, DNS and Mail should be hosted on Linux, in VMs, AWS, GCP or anywhere other than macOS Server so no problem.

Overall it might be disconcerting to some. But change is constant. And especially at Apple change comes fast and often. We have to get used to it.

Reference:

Apple Support article

Apple to Deprecate Many macOS Server Services – TidBITS http://tidbits.com/e/17760

MDOYVR 2018

MacDevOps:YVR 2018 tickets are on sale now. Buy one for everyone in your MacAdmin family.

Seems like just the other day we were hanging out with our friends who came from all over the world to talk Open Source and macOS management, and now we can do it all again!

Tickets are on sale now.

MacDevOps:YVR is the place for Mac Admins interested in integrating DevOps into their IT practise. Developers and IT (Ops) working together to build a better world.

Join us at MacDevOps:YVR 2018, our annual conference, for two days of learning and networking in Vancouver, BC, Canada. With speakers from a diverse group of companies, this year’s conference will be the best place to talk about Open Source projects that matter to the community. Learn from your peers, and connect with fellow Mac Admins.

We will be discussing: munki, imagr, autopkg, chef, puppet and all your favourite Open Source projects. This year we will be discussing MDM and all the changes in macOS. We’re planning another hack night because it was so much fun last year, and if you are interested in a particular workshop topic let us know.

Learn more at https://mdoyvr.com

And because we’re always learning from every conference we’ve organized we’re trying something different this year: tiered pricing for tickets. We want everyone to join us and we want to make it fair for independents, students and others who want to be there. At the same time we want to pay the bills and support a diverse group of speakers and attendees who might not be able to attend due to lack of funds.

We’ve created three tickets: corporate (if your work is paying), independent (if you’re buying you’re own ticket), and education (students and those who work in schools). Last, but not least, the Donation ticket is for those who want to contribute to our financial aid fund. Help those who want to speak and/or attend but need some help.

Ticket sales: https://www.eventbrite.com/e/mdoyvr2018-tickets-38821491125

Screen recording and other tricks

QuickTime has a neat little trick that some may not know about, it can record your screen.

QT-ScreenRecord

Use it to record a how-to video how to navigate System Preferences, or how to use Final Cut Pro, or record a MacDevOps:YVR talk.

The first two MacDevOps:YVR conferences needed to be converted to a suitable format for YouTube and using QuickTime screen recording + Soundflower is the way I chose to do it.

Note: Soundflower is needed to redirect the audio to QuickTime. Screenrecording with QuickTime does not capture the audio without Soundflower.

MacDevOps Screen recording steps

  1. Install Soundflower (Soundflower-2.0b2.dmg)

https://github.com/mattingalls/Soundflower/releases/tag/2.0b2

  1. Set audio output to SoundFlower 2chSoundFlower
  2. Set QT screen recording to Soundflower audio QT-ScreenRecord-SoundFlower-2ch
  3. Start screen recording (select screen area)
  4. Play website audio / video (Safari / Other )
  5. Stop both. Edit and trim QT video as needed
  6. Upload to YouTube
  7. Tag video (mdoyvr, yvr, MacDevOps, MacAdmin, MacIT), put in proper playlist
  8. Publish

Addendum:

I own Rogue Amoeba’s excellent Audio Hijack application and have used this app for audio capture (podcast interviews, etc), but I couldn’t get it to work in this case. It might have also required their Rogue Amoeba’s Loopback app which I did not own. Since I’ve used Soundflower previously I used it here in this case.