Category Archives: MacDevOps

Zoom in on Privacy and Security

Posted on by
1

Recent attention on video conferencing app Zoom and security exploits brings attention to the various Privacy and Security settings on your Mac. Currently macOS 10.14.5 Mojave defines microphone and camera settings which should be verified periodically if they’re not being managed by MDM (mobile device management) and even in those case, just to verify.

Zoom update

If you’ve ever had Zoom installed you must launch it and then update it manually, unless you have Munki or other patching solution to manage your Mac.

 

Zoom Enable camera access

If you want Zoom to have access to your camera (useful for video conferencing) then enable it or leave it disabled until the moment you actually need it.

Privacy-Camera-OFF-Settings.pngMaybe this is a good time to review what apps have previously been granted access and disable them or not after you review the situation.

Privacy-MIC2-Settings.png

Check your microphone access as well. What apps are in your list?

Further research:

Check out Objective See’s excellent security tools such as Oversight to protect yourself from unwanted access to your camera.

Also check out this past talk at MacDevOps:YVR 2018 by Kolide’s Zach Wasserman about osquery and at the 11min mark where he talks about another app BlueJeans and how to investigate it with osquery.

The MacDevOps:YVR videos from past talks contain many security related talks as well as other awesome troubleshooting tech talks.

 

 

PostLab ❤️ Hedge

Posted on by
Reply

Great news everyone. Hedge has acquired PostLab and with this news the main developer Jasper Siegers joins the Hedge team. Great things will come of this collaboration. The brilliant idea of using version control for FCPX project sharing simplifies the whole process that has usually been left to huge media asset management systems that control data and projects. This is project sharing simplified and it’s about to get a lot more awesome with more developer time and a company to support it.

I am equally excited about Jasper coming to MacDevOps:YVR in June to talk about how and why he developed this app using GitLab and Docker and how version control for editors is useful and necessary.

Hedge is a small company in the Netherlands that makes the Hedge software to securely copy camera cards. I’ve incorporated this software with my Final Cut Pro X clients to secure their original footage on location as well as back in the office. Workflow post explains more.

I first wrote about PostLab last year

Some recent articles published about the news:

Fcp.co

Hedge announcement

No NetBoot, No problem: installr and bootstrappr

Posted on by
Reply

It’s 2019, and NetBoot is almost dead. All new Macs have T2 chips. Sent from the future to protect us from …. ourselves? No more NetBoot, no problem!!

When NetBoot first appeared and I was able to boot entire labs of Macs across the network I was amazed and overjoyed. It was awesome. Spinning globe, spinning…

Netboot-GlobeSpin.jpg

But in the years since I’ve moved on to no-imaging. Using Munki to manage software means no more imaging, just install Munki and a small config change to point to the Munki server, thereafter the software that should be there goes on, and what’s not supposed to be there goes away. Simple. Just install one package, well, maybe two, then you’re good.

Well, what if you want to streamline or automate these things? What if these are new Macs which don’t have users configured? What if we could do all this from recovery mode? Hmm… Enter bootstrappr and installr!!

bootstrappr

This awesome project allows to add packages to install in one step while booted in recovery mode. Plug in a USB stick with the bootstrapr script to run the package install magic or mount a disk image over http. Create a DMG with the included script make_dmg.sh. And now this is the best part: in recovery mode open the Terminal app from Utilities and type:

hdiutil mount http://server/yourDMG.dmg

Then:

/Volumes/bootstrap/run

When it’s done you can Reboot the Mac and you’ll have a set up customized to your liking with Munki installed and configured with custom settings.

installr

The installr script works in the same way but adds the macOS installer to the party. You can also mount the DMG over http and re-image a Mac and then add your custom packages. It’s awesome. Truly amazing.

One note: Added packages in Installr must be in a special format. From the installr site: startosinstall requires that all additional packages be Distribution-style packages (typically built with productbuild) and not component-style packages (typically built with pkgbuild)

productbuild --package component.pkg --version x.y --identifier com.example.component distribution.pkg

In one of my first tests with installr and pycreateuserpkg I was caught up by this, even though it is properly mentioned in the read me. Packages that work in Bootstrappr or munki directly don’t necessarily work when called by the macOS installer (startoinstall). Armin Briegel was helpful in the MacAdmins Slack and reminded me of this. Thanks Armin and thanks everyone on the MacAdmins Slack.

Many Thanks to Greg Neagle for creating these tools and Munki. Looking forward to hearing him speak at the next MacDevOps:YVR conference June 12-14, 2019. Greg will be speaking about his efforts to port some parts of Munki from Python to Swift. More info on the conference and speakers here: https://mdoyvr.com/speakers/

Also a shout out to Graham Gilbert who has worked on Imagr (MDOYVR talk), over the years, an imaging and automation tool which was also an inspiration (along with bootstrappr and installr) to Tim Perfit and his MDS project.

Update: corrected the names of installr and bootstrappr in the title because… autocorrect.

 

Best of 2018: the conferences

Posted on by
2

Part of a series of blog post on the “Best of 2018”

Part 2: the conferences

There was NAB in April and the FCPX Creative Summit in November (see more in my previous best of 2018 post here)

New conferences were the theme this year and I’ll start with one I couldn’t attend but really wanted to:

Query conf

⁃ all about osquery

⁃ Great group of people got together in San Francisco to discuss security with open source project originally from Facebook and now a verifiable industry (Kolide, uptycs etc)

⁃ Videos of the talks were posted on their site.

⁃ I had to miss this conference last year because it was just before MacDevOps: YVR and I could not be I two places at once.

Objective by the Sea

⁃ Awesome location. Maui. First time conference and my first time in Hawaii and it was spectacularly beautiful.

⁃ Great people. What a wonderfully diverse group of IT, Security experts and vendors

⁃ Patrick Wardle love fest. Everyone love Patrick and his Objective See free security tools. Look forward to his future projects with Digita Security

⁃ Looking forward to seeing how this conference evolves in the future. Especially if they end up doing more than one a year in different locations. Mahalo to the organizers for putting this together. As a fellow conference organizer I know it is not easy. It takes lots of love and Patrick and his team have lots of love to give. Thanks everyone!

MacDevOps:YVR

Disclaimer: I am the organizer

In 2018 we had our fourth annual conference and it was an amazing group of speakers and attendees. Many people took up my Quick Talk challenge. It is my firm belief that everyone has solved a problem and has knowledge they can share. I love it when people step up, literally step up on stage, and present a story, a solution to a problem, a tech problem they solved. We cheer them on.

What is MacDevOps:YVR?

Just the facts:

⁃ June 2019 will be the 5th annual conference

⁃ Inspired by DevOpsDays held everywhere all over the world this is an inspirational conference to bring together the creators of open source Mac projects and those in IT that use them.

⁃ Bringing a diverse group from around the world to learn about participating in software projects to manage Mac, the aim is to dispel the fear around version control (git), cloud (AWS, GCP, Azure) and various programming languages (Python, Swift, PHP etc)

⁃ Learn about what’s new in various open source projects we depend on: Munki, MunkiReport, Crypt, etc

⁃ Be inspired to share your our own solutions to problems with Quick Talks

⁃ 2019 will be partly security focused with a diverse group of security talks

⁃ Diversity and Inclusion will be front and centre of our IT panel. We are bringing in an amazing group to discuss.

⁃ Hack night. Working on gathering a team of MunkiReport contributors together to help organize some collaborative hacking and programming.

– Workshop. Learn how to make munkireport plugins. MunkiReport server is in PHP but the plugins are written in anything : bash, Python etc

Speakers for MacDevOps:YVR 2019 are on the MDO website.

June 12-14, 2018 join us in Vancouver, Canada for the firth annual MacDevOps:YVR conference.

Many thanks to the crew that that helps me organize this every year and makes the live event as good as it is. Without you I could not make it happen. Also many thanks to my awesome sponsors for helping us pay for bringing in speakers from around the world and paying for the event. Last but not least, thank you for all those that have attended and spoken at this event in the past. I love you all. You are amazing!

Resources

Use Git/GitHub to contribute to these community resources:

⁃ List of all conference videos Conference videos

⁃ MacAdmins Podcast community calendar GitHub repo

– Charles Edge has compiled a list of conferences and it is a great long list. Thanks Charles!

macOS Server is dead. Long live macOS.

Posted on by
4

Yes, it’s been a hot topic in the MacAdmin community both on Mac Enterprise list (oh no it’s the end of the world!) and MacAdmins Slack (told you it was coming, don’t be surprised).

My professional opinion is: “Don’t panic!”

My MacDevOps conference is all about supporting MacAdmins who have been writing code as infrastructure to manage Macs. And do it while replacing macOS Server in the server room with Linux and other OS.

Xsan is staying in macOS Server so I am happy and that’s my main use for the Mac Mini and macOS Server.

I have other Mac Minis doing file sharing for small work groups and moving that out of Server.app in the last revision was unfortunate (it is in the standard OS and usable there but less manageable). There’s also Synology and QNAP NAS for small workgroup file sharing and so much more And many enterprise storage vendors for larger setups.

Imaging has been dying a slow death for years and has been replaced with a thin or “no imaging” concept supported by tools such as AutoPkg and Munki.

Profile Manager is a demo version of MDM and should not be used to actually manage Macs.

Wikis, DNS and Mail should be hosted on Linux, in VMs, AWS, GCP or anywhere other than macOS Server so no problem.

Overall it might be disconcerting to some. But change is constant. And especially at Apple change comes fast and often. We have to get used to it.

Reference:

Apple Support article

Apple to Deprecate Many macOS Server Services – TidBITS http://tidbits.com/e/17760

MDOYVR 2018

Posted on by
Reply

MacDevOps:YVR 2018 tickets are on sale now. Buy one for everyone in your MacAdmin family.

Seems like just the other day we were hanging out with our friends who came from all over the world to talk Open Source and macOS management, and now we can do it all again!

Tickets are on sale now.

MacDevOps:YVR is the place for Mac Admins interested in integrating DevOps into their IT practise. Developers and IT (Ops) working together to build a better world.

Join us at MacDevOps:YVR 2018, our annual conference, for two days of learning and networking in Vancouver, BC, Canada. With speakers from a diverse group of companies, this year’s conference will be the best place to talk about Open Source projects that matter to the community. Learn from your peers, and connect with fellow Mac Admins.

We will be discussing: munki, imagr, autopkg, chef, puppet and all your favourite Open Source projects. This year we will be discussing MDM and all the changes in macOS. We’re planning another hack night because it was so much fun last year, and if you are interested in a particular workshop topic let us know.

Learn more at https://mdoyvr.com

And because we’re always learning from every conference we’ve organized we’re trying something different this year: tiered pricing for tickets. We want everyone to join us and we want to make it fair for independents, students and others who want to be there. At the same time we want to pay the bills and support a diverse group of speakers and attendees who might not be able to attend due to lack of funds.

We’ve created three tickets: corporate (if your work is paying), independent (if you’re buying you’re own ticket), and education (students and those who work in schools). Last, but not least, the Donation ticket is for those who want to contribute to our financial aid fund. Help those who want to speak and/or attend but need some help.

Ticket sales: https://www.eventbrite.com/e/mdoyvr2018-tickets-38821491125

Screen recording and other tricks

Posted on by
Reply

QuickTime has a neat little trick that some may not know about, it can record your screen.

QT-ScreenRecord

Use it to record a how-to video how to navigate System Preferences, or how to use Final Cut Pro, or record a MacDevOps:YVR talk.

The first two MacDevOps:YVR conferences needed to be converted to a suitable format for YouTube and using QuickTime screen recording + Soundflower is the way I chose to do it.

Note: Soundflower is needed to redirect the audio to QuickTime. Screenrecording with QuickTime does not capture the audio without Soundflower.

MacDevOps Screen recording steps

  1. Install Soundflower (Soundflower-2.0b2.dmg)

https://github.com/mattingalls/Soundflower/releases/tag/2.0b2

  1. Set audio output to SoundFlower 2chSoundFlower
  2. Set QT screen recording to Soundflower audio QT-ScreenRecord-SoundFlower-2ch
  3. Start screen recording (select screen area)
  4. Play website audio / video (Safari / Other )
  5. Stop both. Edit and trim QT video as needed
  6. Upload to YouTube
  7. Tag video (mdoyvr, yvr, MacDevOps, MacAdmin, MacIT), put in proper playlist
  8. Publish

Addendum:

I own Rogue Amoeba’s excellent Audio Hijack application and have used this app for audio capture (podcast interviews, etc), but I couldn’t get it to work in this case. It might have also required their Rogue Amoeba’s Loopback app which I did not own. Since I’ve used Soundflower previously I used it here in this case.

 

MacDevOps:YVR 2017

Posted on by
Reply

wr

We’ve had incredible feedback from the last two events and it was so much fun we’ve decided to do it again. Join us on June 5-6th in Vancouver, BC, Canada. Early bird tickets are on sale now.

As a conference we like to gather to discuss Open Source solutions to manage Macs in the enterprise and everywhere else. This year we focus on the new APFS filesystem and what that means for all of us. How do we manage macOS if it is becoming more closed and like iOS? They’ll be talks on what is MDM?, Is imaging dead?, managing Macs with various open source tools, and how to leverage the cloud.

Join us for the technical talks by speakers from Google, Facebook, Dropbox, Airbnb, Square, Uber and many more. Or hang out in the break room and the hallway track. You’ll meet the awesome community members that make up the MacDevOps family. We are all here to share what we know, and to learn from others.

For more information go to our website:

MacDevOps:YVR website

A limited number of early bird tickets are on sale now at Eventbrite:

Get your early bird ticket now!

Thoughts on Documentation: What are we afraid of?

Posted on by
Reply

People are afraid of documentation… But mostly people just hate it. They don’t like it. They don’t want it. It shouldn’t exist. Fingers in ears. I can’t hear you.

This is about primal fear. And hate. I hate hate. But these are real emotions. Let’s deal with it. What is the reality? Why is documentation is ignored, abandoned, or resisted at all?

As a Sysadmin perhaps you don’t care about documentation, that is, sharing information with others (co workers / bosses), you want to keep it to yourself. But you care very much about building systems. But there’s perhaps no attempt to explain any of this to anyone else. Who else is there really? No one cares. No one is around that would understand if you explained it.

Lesson # 1 – Document for yourself.

Paranoia makes us set up redundant systems for backups. Layers upon layers. Custom scripts and disparate apps. Where was this explained? Documented? Nowhere. Bin dir. Maybe.

If you could replace all that now with one app that did it all then you would. Time is valuable. Easier to monitor. Easier for someone else to monitor and take over.

Lesson # 2 – document for your replacement (job change, bus hit)

Do it continuously. Automate. Or set up systems that work automatically.

Lesson # 3. DevOps.

Integrate systems. IT systems manage computer but maybe they also built Inventory. Automatically. Alert Systems report continuously. Living systems report on the state of everything. Documentation is easier when it is current and relevant.

Lesson # 4. Sustainability

Commercial vs OpenSource. Support vs excellent team, talent retention and documentation. Pro/Con. If your custom solution is not well documented that can be a big problem. If you code is not shared, peer-reviewed, or supported by anyone that could be an issue. If it makes sense to switch to commercial software that is supported then do it. If an OpenSource project or code is supported by a larger community perhaps that makes sense.

Lesson # 5. Improve. Grow. Get better.

Discovery and Documentation lead to suggestions for improvement. Make changes. Code and disparate systems that struggle to be documented make us think about how to replace them or better balance the risks vs cost.

Lesson # 6. Human problems don’t always tech solutions.

Code doesn’t fix broken workflows. Meetings are with people. Talking through systems helps people understand pain points. Don’t forget people want to do their job, meet deadlines, do stuff.

Let’s make their world and our world better.

Love not hate. Peace.

Documentation-MatX

MacDevOps Manifesto

Posted on by
Reply

I was explaining Munki (and autopkg) to some colleagues when I hit on the idea of the MacDevOps manifesto.

Munki and friends (apps used to augment and extend Munki) are helpful automation tools. Setting up automation systems take time and must be maintained and grown but they pay big dividends.  Freeing us to do Dev work or other tasks they automate and iterate and repeat and build our systems in the way we want.

No more 100 machines built in a hundred different ways (unless we want to). But now we can check at a glance in MunkiReport to verify that indeed the latest Adobe Flash patch is installed. That may make our lives better. Especially if we need to satisfy corporate IT or our bosses that we are up to date and patched as required.

The MacDevOps Manifesto Part 1: Munki and friends

Munki is at its core free software created by Greg Neagle at Disney Animation and used worldwide in many different ways but essentially to distribute apps and run scripts on client workstations. There are many ways to customize it and if fits many different workflows. The MacDevOps:YVR conference I ran last June turned out to be a Munki love-in and showed me the many awesome and varied ways organizations are using it.

With AutoPkg, another free Mac open source project, Munki can get the latest updates to any software that it has recipes for and by extension install them on clients immediately. This fits the workflow of having Flash, Java and web browsers (Chrome or FireFox) updated as soon as possible for security patches. Exploits on the Mac are coming from these entry points and if you need to use these apps or plugins then having the latest versions helps. For this feature alone I use Munki. In a few months you will see that Munki with AutoPkg has downloaded dozens of versions of each app and keeping up with this takes time away from other tasks. Automation of simple tasks frees up our time so we can focus on other things. That is MacDevOps.

I also use Munki for installation of any app that is needed everywhere. If I have to download or install one app for one client workstation I put it in Munki and it is ready for installation anywhere with a simple click by the user in a self service portal or automatically by choosing managed installs. Of course if there is an app you don’t want installed (flash or Skype or messenger, etc) add it to Munki and mark it as managed uninstall. Done.

Scripts and files and config Profiles (replacement for mcx, managed preference settings for OS X) can be imported and used to configure workstations to make deployment easy and flexible. Put everything in Munki and then you don’t have to use golden master builds anymore. Buy a new Mac and install the Munki client. Done.

Add to this Munki Report which gives an excellent dashboard for what is installed and a total inventory of your client Macs. Very useful info which will let you know if you 15 different versions of flash or Photoshop or any app you choose to look for.

Last but least I always install Watchman Monitoring which reports to a secure cloud (web portal) to automatically monitor for bad drives, Ram, backups not running etc. It’s a great 50ft overview of all your installs and it can alert you immediately when a machine is having issues that you need to deal with (drives 90% full or Xsan volume not mounted, etc).

I find this combination of Munki and Watchman great for helping me manage my clients and I want to share these ideas about MacDevOps inspired ways of automating systems with everyone. Jump in and get involved with all these projects. You’ll be writing recipes for AutoPkg and sharing cool Munki tips and tricks with all your friends. And maybe like me you will start writing plugins for Watchman to monitor your favourite apps (I’m working on Archiware P5 backup and archive monitoring scripts).

Good luck to everyone and hope to see you at the next MacDevOps:YVR conference in June 2016. If you can’t make it go to your nearest Mac Dev / IT conference or start your own meet up somewhere local.