What’s New? New “What’s New” Office 2016 Suppression Key

• Changed to reflect new 15.34 key to suppress What’s New dialogs by a boolean, instead of -1
• Update to OneNote now using the same OUIWhatsNewShownItemIds key instead of its own ONWhatsNewShownItemIds key

My previous post, Not much, what’s new with you?, showed how to suppress the “What’s New” banners on updated software versions of the Office 2016 Suite. While it worked, it _was_ work to get the specific preference key value to block the latest banner from appearing. Because the values were dynamically created at build time, they weren’t known until the software was downloaded, installed, and launched, and the preference file was then examined for the new value of OUIWhatsNewLastShownLink. Blah.

Our good friends at Microsoft recognized the madness and worked on a way to make the suppression easier and more predictable for us admins.  As of version 15.32 there is a new key that takes an array of ints that can be added to the mobileconfig profile —  OUIWhatsNewShownItemIds.  The previous key OUIWhatsNewLastShownLink is still needed to suppress the What’s New dialogs prior to 15.32.

Good News, Bad News, Better News, and Best News

The Good News is that the values of OUIWhatsNewShownItemIds are predictable. It starts at 1 and increases by 1 for every new feature that is to be listed in a What’s New dialog box. The Bad News is that each application can have its own number of new features to display, so the number of values needed isn’t known ahead of time. The Better News is that there is a bug (VSO #1476177 – Give admins a better way to turn off the What’s New dialog for O365 users) reported by our same Microsoft friends to recognize a value of -1 to mean “Don’t show me any more What’s New dialogs for any new versions ever.” That feature is on the fast track to be part of the 15.34 release in May.

So, until May, you can add a list of values to the OUIWhatsNewShownItemIds key to suppress dialogs until the -1 value is respected. The array must be a complete list, meaning you can’t just add a value of 10 and have that mean block all values 1-10.

The best news is that as of version 15.34 builds dated 170420 and later there is a new key that will take a -bool false value to suppress all What’s New dialogs going forward. That key is ShowWhatsNewOnLaunch.

Here is an example of the key and values to block all of the first 10 new features starting at version 15.32:



Each application domain (com.microsoft.Excel, com.microsoft.onenote.mac, com.microsoft.Outlook, com.microsoft.Powerpoint, and com.microsoft.Word) will need these values added. The easiest way would be to add these values to the existing mobileconfig profiles from Not much, what’s new with you? and modify it like this example for Word.
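The keys described above, as an added example that is not from the original post: it builds the same settings for each of the five domains and checks that the OUIWhatsNewShownItemIds list has no gaps. The function names and the choice of 10 as the highest feature id are assumptions of this example, and OUIWhatsNewLastShownLink is left out because its value is build-specific.

```python
import plistlib

# Application domains listed in the post.
OFFICE_DOMAINS = [
    "com.microsoft.Excel",
    "com.microsoft.onenote.mac",
    "com.microsoft.Outlook",
    "com.microsoft.Powerpoint",
    "com.microsoft.Word",
]


def whats_new_settings(highest_item_id=10):
    """Preference keys that suppress What's New from 15.32 onward."""
    return {
        # 15.32 and 15.33: every feature id has to be listed individually.
        "OUIWhatsNewShownItemIds": list(range(1, highest_item_id + 1)),
        # 15.34 builds dated 170420 and later: one boolean turns the dialog off.
        "ShowWhatsNewOnLaunch": False,
    }


def missing_item_ids(settings, highest_item_id):
    """Feature ids in 1..highest_item_id that a 15.32/15.33 app would still show.

    A single entry of 10 does not cover 1-9, so gaps are reported explicitly.
    """
    listed = set(settings.get("OUIWhatsNewShownItemIds", []))
    return [i for i in range(1, highest_item_id + 1) if i not in listed]


def build_domain_plists(highest_item_id=10):
    """Map each Office domain to XML plist bytes holding the settings."""
    settings = whats_new_settings(highest_item_id)
    gaps = missing_item_ids(settings, highest_item_id)
    if gaps:
        raise ValueError("incomplete OUIWhatsNewShownItemIds list: %r" % gaps)
    return {domain: plistlib.dumps(settings) for domain in OFFICE_DOMAINS}


if __name__ == "__main__":
    for domain, data in build_domain_plists().items():
        print("# " + domain)
        print(data.decode("utf-8"))
```

The per-domain dictionaries are the preference values only; they still need to be wrapped in the mobileconfig payload already used for these domains.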



APFS Disk Roles

APFS is Apple’s new file system coming sometime in 2017. In 10.12.x the disk management command line tools have been updated to recognize commands relating to APFS. diskutil has some APFS options, one of which is changeVolumeRole. The description of that verb explains how to set the different roles the volume can have.

From the manpage of diskutil:

changeVolumeRole | chrole volumeDevice roles
Change the role metadata flag bits of an existing
APFS Volume.

The roles should be any combination of one or more
of the characters busrvBUSRV in much the same man-
ner as diskutil apfs addVolume above, in which
unspecified flags are left alone, use of lower-case
causes flags to be cleared, and use of upper-case
causes flags to be set. Alternatively, clear will
remove all flags, or 0 can be used as a no-op for
scripting convenience. You should not make any
assumptions about the usage or legal combinations
of role bits.

Ownership of the affected disks is required.

But nowhere does it state what the roles BUSRV are.

The role of the disk can be observed by running diskutil apfs list:

APFS Container (1 found)
+-- Container disk2 9C36DEF6-B883-462B-A227-84F8A60E3551
    APFS Container Reference: disk2
    Capacity Ceiling (Size): 255883108352 B (255.9 GB)
    Capacity In Use By Volumes: 138276864 B (138.3 MB) (0.1% used)
    Capacity Available: 255744831488 B (255.7 GB) (99.9% free)
    +-< Physical Store disk0s4 13E393EF-C27E-44EC-B238-A7CA8A842F50
    | -----------------------------------------------------------
    | APFS Physical Store Disk: disk0s4
    | Size: 255883108352 B (255.9 GB)
    |
    +-> Volume disk2s1 CC9D66C2-345C-4415-92E4-8CDE3A396180
        APFS Volume Disk (Role): disk2s1 (No specific role)
        Name: apfTest
        Mount Point: /Volumes/apfTest
        Capacity Consumed: 24576 B (24.6 KB)
        Capacity Reserve: None
        Capacity Quota: None
        Cryptographic Security: None

Iterating thru the roles they translate to:

B = "Preboot"
U = "User"
S = "System"
R = "Recovery"
V = "VM"

A volume can be set with any combination of roles according to diskutil.

A volume with all roles set shows

APFS Volume Disk (Role):  disk2s1 (Preboot, User, System, Recovery, VM)
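The manpage rules and the letter-to-role mapping above, modelled as an added example that is not from the original post: it applies a chrole argument to a set of roles and reads roles back from a diskutil apfs list line. It does not call diskutil or touch a disk; the function names are assumptions of this example.

```python
import re

# Letter-to-name mapping found in the post, in the order diskutil prints it.
ROLE_NAMES = {"B": "Preboot", "U": "User", "S": "System", "R": "Recovery", "V": "VM"}
ROLE_ORDER = "BUSRV"
NAME_TO_LETTER = {name: letter for letter, name in ROLE_NAMES.items()}


def change_volume_role(current, spec):
    """Return the role set after applying a chrole argument.

    current: set of upper-case role letters already on the volume.
    spec:    'clear', '0', or one or more of the characters busrvBUSRV.
    """
    if spec == "0":          # no-op for scripting convenience
        return set(current)
    if spec == "clear":      # remove all flags
        return set()
    if not spec:
        raise ValueError("at least one role character is required")
    roles = set(current)
    for ch in spec:
        if ch.upper() not in ROLE_NAMES:
            raise ValueError("unknown role character: %r" % ch)
        if ch.isupper():
            roles.add(ch)                # upper-case sets the flag
        else:
            roles.discard(ch.upper())    # lower-case clears the flag
    return roles                         # unspecified flags are left alone


def describe_roles(roles):
    """Format a role set the way the 'APFS Volume Disk (Role)' line shows it."""
    if not roles:
        return "No specific role"
    return ", ".join(ROLE_NAMES[c] for c in ROLE_ORDER if c in roles)


ROLE_LINE = re.compile(r"APFS Volume Disk \(Role\):\s+(\S+)\s+\((.*)\)")


def parse_role_line(line):
    """Return (device, set of role letters) from one diskutil apfs list line."""
    match = ROLE_LINE.search(line)
    if match is None:
        raise ValueError("not a role line: %r" % line)
    device, text = match.groups()
    if text == "No specific role":
        return device, set()
    return device, {NAME_TO_LETTER[name.strip()] for name in text.split(",")}


if __name__ == "__main__":
    # Lines copied from the output shown in the post.
    device, roles = parse_role_line(
        "        APFS Volume Disk (Role): disk2s1 (No specific role)")
    roles = change_volume_role(roles, "BUSRV")
    print(device, "->", describe_roles(roles))
    print(device, "->", describe_roles(change_volume_role(roles, "bv")))
```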


Office 2016 Preference Management Changes

Starting with Office version 15.33 you’ll have the ability to manage some suite-wide preferences via profile management. Previously, these settings were configurable via defaults commands but weren’t CFPrefs enabled to allow for profile management of the settings. Thanks to the hard work of Paul Bowden and Erik Schwiebert at Microsoft, along with the collaboration and feedback of Mac admins in the macadmins.org slack instance, this request of preference management has been made possible. And this is just the beginning. Now with the foundation for preference management in code this will allow for more management options in future versions.

When an Office 15.33 app is launched for the first time, the existing preferences in ~/Library/Group Containers/UBF8T346G9.Office/com.microsoft.officeprefs.plist will be migrated over to the new preference domain automatically. At that time a key will be set signaling that the migration has occurred.

Paul has put together a new site (http://www.office4mac.com) that showcases a video course educating users and admins of the management changes. Look for more videos to come. This video shows examples of the preference changes, how to manage them, and implementing them through a management system. It’s definitely worth the watch.

For me, the meat and potatoes of these changes are the keys and values that are manageable in the com.microsoft.office domain. Here is an example management profile of all the keys that can be managed.

suite-wide preferences.png

OfficeActivationEmailAddress adds a “Belongs to” value in the About box to list who owns the software.

DefaultsToLocalOpenSave – by default Office offers to open and save documents to OneDrive; however, due to data security policies that may not be acceptable and may confuse users. This key will set the default open and save dialog boxes of all Office apps to the standard System views.

VisualBasicMacroExecutionState has 3 values that relate to the “GUI settings” in Preferences->Security & Privacy in the app:

DisabledWithWarnings – “Disable all macros with notification” (Default)

DisableWithoutWarnings – “Disable all macros without notification”

EnabledWithoutWarnings – “Enable all macros (not recommended; potentially dangerous code can run)”

I don’t recommend managing the HaveMergedOldPrefs key as that is set organically. If you set it to TRUE then the old pref won’t be migrated automatically on first run. If you manage it as FALSE then it will try and migrate on every launch.

The two debug keys msoridEnableLogging and msoridDefaultMinimumSeverity should only be set when debugging an issue and I don’t see a need to manage them centrally. Leaving them enabled isn’t recommended.
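A check that applies the guidance above to a managed com.microsoft.office preference file, as an added example that is not from the original post. The sample plist is constructed, the boolean types for HaveMergedOldPrefs and msoridEnableLogging are assumptions, and the function names are this example's own.

```python
import plistlib

# Constructed sample of a managed com.microsoft.office preference file.
# Value types other than the macro state string are assumptions.
SAMPLE_MANAGED_PREFS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>OfficeActivationEmailAddress</key>
    <string>licensing@example.com</string>
    <key>VisualBasicMacroExecutionState</key>
    <string>EnabledWithoutWarnings</string>
    <key>HaveMergedOldPrefs</key>
    <true/>
    <key>msoridEnableLogging</key>
    <true/>
</dict>
</plist>
"""

# Debug keys the post says should only be set while debugging an issue.
DEBUG_KEYS = ("msoridEnableLogging", "msoridDefaultMinimumSeverity")


def audit_office_prefs(prefs):
    """Return (key, finding) tuples for settings the post advises against."""
    findings = []

    state = prefs.get("VisualBasicMacroExecutionState")
    if state is None:
        findings.append(("VisualBasicMacroExecutionState",
                         "not managed; the in-app Security & Privacy setting applies"))
    elif state == "EnabledWithoutWarnings":
        findings.append(("VisualBasicMacroExecutionState",
                         "all macros are enabled with no notification"))

    if "HaveMergedOldPrefs" in prefs:
        # Managed TRUE blocks the first-run migration; managed FALSE
        # retries the migration on every launch.
        findings.append(("HaveMergedOldPrefs",
                         "migration flag is managed instead of set organically"))

    for key in DEBUG_KEYS:
        if key in prefs:
            findings.append((key, "debug key is centrally managed"))

    return findings


def audit_plist_bytes(data):
    """Parse plist bytes and audit the resulting dictionary."""
    return audit_office_prefs(plistlib.loads(data))


if __name__ == "__main__":
    for key, finding in audit_plist_bytes(SAMPLE_MANAGED_PREFS):
        print("%s: %s" % (key, finding))
```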

Seeing these preference options move to a manageable location is a big plus for us admins, not only for the specifics of these settings, but also in the willingness of Microsoft to make these changes based on admin feedback. This can only mean more good things in the future.


How to remove accounts cleanly

When you want to get rid of an account that’s not being used on a computer anymore, how do you do that pragmatically?  Visiting the computer and going thru the System Preferences’ Users & Groups options is time consuming, inconvenient, and sometimes physically not possible.

Previously I’d say use dscl to remove the cached account credentials and rm -r /Users/username to remove the home folder. However, that leaves behind pieces that have caused some issues.

Enter sysadminctl

This removes any running processes by that user, the home folder, the public share, and the cached credentials, and disables Back To My Mac for that user if set.


bash-3.2# ls /var/db/dslocal/nodes/Default/sharepoints/
Tester's Public Folder.plist eholtam's Public Folder.plist admin's Public Folder.plist

bash-3.2# sysadminctl -deleteUser tester
2017-03-14 21:28:05.241 sysadminctl[2093:60392] Killing all processes for UID 503
2017-03-14 21:28:05.242 sysadminctl[2093:60392] Removing tester's home at /Users/tester
2017-03-14 21:28:05.877 sysadminctl[2093:60392] Deleting Public share point for tester
2017-03-14 21:28:05.903 sysadminctl[2093:60392] Deleting record for tester
2017-03-14 21:28:05.930 sysadminctl[2093:60392] AOSKit INFO: Disabling BTMM for user, no zone found for uid=503, usersToZones: {
 502 = "1234567.members.btmm.icloud.com.";

bash-3.2# ls
eholtam's Public Folder.plist admin's Public Folder.plist

Future me will be using sysadminctl for all account deletion needs.


Sierra’s Built-in Storage Management Utility

New with Sierra there is a built-in utility to help keep disk storage space available.  The function is part of the System Information.app and is accessed a few ways:

  1. Apple menu => About This Mac => Storage => Manage…
  2. (Hold the option key down) Apple menu => System Information… => Window => Storage Management (Cmd-U)
  3. /Applications/Utilities/System Information.app => Window => Storage Management (Cmd-U)

Once launched it will proceed to gather data sizes of categories of interest. The available and total disk space will be listed in the window’s name.


First you’ll see some recommendations of ways to keep disk space available.  Each has its own set of gotchas so be sure to make note of the implications:

Store in iCloud


There have been some interesting discoveries in the behavior surrounding iCloud Desktop and Documents. See iCloud Desktop and Documents in macOS Sierra – The Good, The Bad and the Ugly for a full rundown. Even though these checkboxes are checked by default, that doesn’t represent the actual state of the setting. On my machine I have Desktop and Documents turned off in the iCloud preference pane yet this box shows as checked.

Optimize Storage —


Empty Trash Automatically —


If you’re one of those that can’t commit to deleting things once put in the Trash, let the OS handle it for you.

Reduce Clutter —

This option opens the Documents listing.

Along the left are categories and the amount of space each is taking up.  Accessing those brings up a list sorted by largest on top.  If you want to remove an individual listing, right click and select Delete. Even though Applications are listed, non-admins can’t remove applications without admin credentials.

Thanks to @adamcodega for pointing this tool out.


Cache Active Directory credentials off-site

A scenario I ran into recently involved an existing user who had their computer re-imaged with OS 10.10.5.  Their user data was backed up and restored prior to returning the system to the user.  To restore data I first use createmobileaccount to create a home directory and cache user information based off of AD, then rsync the data into the local home directory.  Since I don’t know the user’s password I don’t use the -p option leaving the cached account information without a password. Instead, the password is cached the first time the user logs in.  However, that only works when the computer can talk to our AD environment.

This user didn’t log in prior to taking the laptop out of the office for the week (who does that after a computer upgrade?!).  Since no password was cached there was nothing to authorize their credentials against. This could make for a long week for this user.

Since I had already created a home folder with all the user data I didn’t want to erase it or even have to bother with moving it around to a temporary user account.  Instead I did the following to preserve the files and allow the user to log in off-site:

  1. Have the user log in as a local admin.
  2. Have the user log into our company VPN as themselves.
  3. I gained access to the computer via Apple Remote Desktop (ssh, ScreenSharing, or any other means would work as well)
  4. I removed the current cached user info, sans password with sudo dscl . -delete /Users/<username>. This removes the locally cached information for the user from /var/db/dslocal/nodes/Default/users/<username>.plist but leaves the /Users/<username> home folder data alone.
  5. I then issued sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n <username> -p <password> . I had the user type their password to match their AD account.

Step 5 recreates the cached user information in /var/db/dslocal/nodes/Default/users/<userid>.plist (as long as the computer can talk to Active Directory), but this time with a cached password. Log out of the admin account and now the user can log in as themselves off-site using their AD credentials and access the already created home directory in /Users/<username>.


Flash Player Adds Phone Home Analytics

Update: This issue seems to be isolated to version as subsequent releases do not contain the LaunchDaemon and executable.  

Starting with the Flash Player there are two new files added to the installer that attempt to send anonymous analytic data back to Adobe.  The files are a new LaunchDaemon at /Library/LaunchDaemons/com.adobe.SC.FPFeedbackService-1.0.plist that fires off  /Library/Application Support/Adobe/FPFeedbackService.  Running strings against the FPFeedbackService binary reveals some interesting tidbits:

# Following anonymous information is being collected from your machine.
# OS, OSType
- Operating System details
# UserAgent
- Browser details
# FlashVersion
- Installed Flash Player version
# RenderMode
- Represents the render mode of the SWF content.
# SWFVersions
- It is the list of SWF Versions played in browser and their count.
e.g. SWF10|23 means that SWF file having version 10 have been played 23 times.
# ASVersions
- It is the list of Action Script Versions associated to SWF files and their count.
e.g. AS2|10 means SWF file having Action Script Version 2 have been played 10 times.
# APIList
- The API List represents the collated API and its count in all played SWF files.
API names have been encoded to reduce the network traffic.
e.g. flash.display3D::Context3D will be encoded as 17.


User has disabled the service.Exiting.
Analytics Disabled.Exiting.

I found no option for disabling the analytics in the Flash Player PreferencePane.  Flash Player’s configuration can be managed with a /Library/Application Support/Macromedia/mms.cfg configuration file.  That’s how automatic updates have been suppressed previously. However, there is no mention of the new analytics or how to disable it in the ADOBE® FLASH® PLAYER 20.0 Administration Guide.  There is no mention in the blog post announcing the release, either. I’ve submitted a comment to that post for clarification but it has yet to be approved by a moderator.

The macadmins Slack team discussed, dug in, and discovered that it can most likely be disabled by adding the entry DisableAnalytics=1 to the mms.cfg file.

To suppress automatic updates and disable analytics, the mms.cfg file should look like:
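A constructed mms.cfg with those entries and a check that a machine matches it, as an added example that is not from the original post. AutoUpdateDisable and SilentAutoUpdateEnable are the usual mms.cfg update keys, DisableAnalytics is the entry named above, and the function names are assumptions of this example.

```python
import os

# Paths named in the post.
DAEMON = "/Library/LaunchDaemons/com.adobe.SC.FPFeedbackService-1.0.plist"
BINARY = "/Library/Application Support/Adobe/FPFeedbackService"
MMS_CFG = "/Library/Application Support/Macromedia/mms.cfg"

# Constructed sample: updates suppressed and analytics disabled.
SAMPLE_MMS_CFG = """\
AutoUpdateDisable=1
SilentAutoUpdateEnable=0
DisableAnalytics=1
"""


def parse_mms_cfg(text):
    """Parse key=value lines; blank lines and lines without '=' are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Lines starting with '#' are treated as comments in this example.
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def feedback_files_present(exists=os.path.exists):
    """Return which of the two feedback-service files are on disk."""
    return [path for path in (DAEMON, BINARY) if exists(path)]


def audit_flash(cfg_text, exists=os.path.exists):
    """Return findings for a machine's mms.cfg and installed files."""
    settings = parse_mms_cfg(cfg_text)
    findings = []
    present = feedback_files_present(exists)
    if present and settings.get("DisableAnalytics") != "1":
        findings.append("feedback service installed (%s) and DisableAnalytics=1 "
                        "is not set" % ", ".join(present))
    if settings.get("AutoUpdateDisable") != "1":
        findings.append("AutoUpdateDisable=1 is not set")
    if settings.get("SilentAutoUpdateEnable") == "1":
        findings.append("SilentAutoUpdateEnable=1 allows background updates")
    return findings


if __name__ == "__main__":
    try:
        with open(MMS_CFG) as handle:
            text = handle.read()
    except OSError:
        text = ""  # no mms.cfg on this machine
    for finding in audit_flash(text) or ["no findings"]:
        print(finding)
```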



Microsoft Supported Office 2016 Volume Licensing Method

Below is information provided by @pbowden, who is a software engineer for Office for Mac/iOS at Microsoft, in the MacAdmins Slack instance (@mrexchange on Twitter) regarding the supported way to license Office 2016 with a volume license. While I recommend joining the macadmin Slack instance to participate in these conversations, it may not be feasible for everyone. Therefore I’m posting this information externally for everyone’s benefit.

It’s completely supportable to download and install the latest SKU-less build from those FWLinks like http://go.microsoft.com/fwlink/?linkid=525133, and simply run the Office15_all_volume_licensing.pkg to license the build for VL. [ Run `pkgutil --expand ~/Downloads/Microsoft_Office_2016_Installer.pkg ~/Desktop/Office2016VL` to expand the flat package and gain access to Office15_all_volume_licensing.pkg in ~/Desktop/Office2016VL ]

Technically, you can just run the Microsoft Office Setup Assistant.app that’s inside the .pkg, but I’d prefer that you install using the .pkg just in case there are things we need to do in the postinstall script. There are code dependencies between Office15_all_volume_licensing.pkg and Office15_all_licensing.pkg, which is why I’d prefer you to deploy the SKU-less build first as it contains Office15_all_licensing.pkg. It’s that same reason why I typically don’t like folks shoe-horning the updater package on a new machine – as the licensing package is not in the updater, and you could end up in a mess with licensing. The licensing code is fairly complex and uses various internal triggers to ‘wake up’ at various times to check that all is well. i.e. just because it might work if you hacked some packages together and tried it once or twice on your machine, it doesn’t mean to say that it’ll *stay* working after you deploy.

The role of the Microsoft Office Setup Assistant app is to collect various machine identifiers (including hardware serial number and boot disk hashes) and encodes them into /Library/Preferences/com.office.microsoft.office.licensingv2.plist …this is how we tether the license to the machine. Manually copying one of those generated plists and copying it to other machines is absolutely not supported and akin to playing with fire.
However, we *do* support you moving that plist around volumes on the *same* machine (e.g. imaging scenario).
In other words, in those times our license code wakes up to check that all is well, we’ll verify that the hashed boot disk that we retrieved when the license was created is still mounted *somewhere* on your machine, even if it’s not currently the boot disk.

Bottom line is that if you’re copying com.microsoft.office.licensingv2.plist between machines then you are not in a supportable state. The only supportable solution is to have that plist file generated on the machine you intend to use by the Microsoft Office Setup Assistant (MOSA). Up to you how you package this, but MOSA needs to be run and the plist is tethered to the current boot drive of the machine. It’s okay to change boot drives as long as that original drive stays mounted as a volume (it doesn’t have to be the boot drive)

The VL build on the VLSC is old at 15.13.4. While internally we produce full VL installers every month (in fact, it’s every day, but I digress), the VLSC folks haven’t been in a position to take our monthly updates. I’ve been working with that team this week to get their engineering processes to be more agile. The good news is that they will be taking our 15.17 December release build, so what should be a welcome refresh. I’ve also been working hard on fixing your top requests and am confident that 15.17 will be a great release for you. The VLSC folks might need to skip one or two releases after 15.17, but after that they will be in a position to take all our monthly releases.

A follow up question was asked about un-licensing to allow for the Office 365 subscription method again.

Is there a proper way to revert from a VL install backwards to a 365-license?

Yeah, just nuke that one plist we’ve been talking about and the copy of Office goes back to a sku-less state


Office 2016 Direct Download links

Update 3-9-17: I just realized I’m doing a disservice by not pointing out all of the hard work Paul Bowden, Software Engineer of Office for Mac, has been doing.  He has a site that curates all the updates.  The updates he points to are the same as those below but in a more orderly fashion.  You should really check out that site at https://macadmins.software

Office 2016 now uses a series of FWLinks that always point to the very latest official builds. The downloads are SKU-less, which means you can use these to activate via Office 365 subscription, Volume License, or Perpetual License. These packages contain the base app, MAU and the licensing helper components.  The following links download the respective software.  While perpetually updated direct links are great to have, there is no way to determine what version it is until the full pkg is downloaded.  That’s an expensive download if you have limited bandwidth.  After the update from 15.15 to 15.16, a few links had lingering 15.15 versions still downloading.

There are 3 CDNs they are available from: Puerto Rico, Dublin, and Singapore.  For the US the Puerto Rico CDN would be quickest.

Puerto Rico CDN

Office Suite

Dublin CDN

Office Suite

Singapore CDN

Office Suite

A big thanks to @talkingmoose for encouraging @pbowden to join our Slack channel #microsoft-office and for @pbowden for providing all these juicy nuggets.  To join us on Slack, head over to http://macadmins.org to request an invite.


Screen Sharing via Apple ID

Screen Sharing.app is a bundled application that lets you observe or control a remote computer.  Typically, the computer is already under your control and either has Screen Sharing enabled in the Sharing settings or a VNC server running.  But having a knack as a Mac whisperer doesn’t go unnoticed by family and friends.  There are times when it’d be really handy to be able to hop on a friend or family member’s computer to actually see what they’re trying to describe instead of talking thru it.  There are 3rd party services out there that can accomplish this but require downloading, installing, and configuring.  This feature just works* as long as the remote computer has an iCloud account setup on it, which at this point most do.

*Of course there are exceptions.  Firewall restrictions may not allow the traffic thru.

To start a session, launch Screen Sharing.app via Spotlight (command-space) by typing “Screen Sharing”, or by navigating to /System/Library/CoreServices/Applications/Screen Sharing.app

Once it launches you’ll be presented with a field that asks for a hostname or Apple ID


Start typing a name in your Contacts. If you have contacts that have Apple IDs they’ll show up in blue text, similar to Messages. It may take a few seconds for the names to be identified as Apple IDs and have the color change. If you know the Apple ID email address you can enter that directly as well.

Click the “Connect” button and the remote machine will get prompted to allow you to connect. Note, the prompt to connect will appear on all the machines that are setup with that Apple ID.


If the Apple ID of the instigating connection is in the receiver’s contacts, when “Accept” is clicked it will immediately allow Observe abilities of the remote screen.  If the Apple ID trying to connect doesn’t match a contact on the receiving machine the receiver will get this prompt.


Upon connection, by default the microphone is engaged so you can talk as well as see the remote screen. The microphone can be muted from the menu bar extra if desired. While the connection is active, the menu bar extra flashes as a reminder of that connection.


If you need to control the computer instead of just observe you can request control from the Screen Sharing window.  Once Control is asked for, the remote machine gets a prompt to allow control.
