Sierra’s Built-in Storage Management Utility

New with Sierra there is a built-in utility to help keep disk storage space available.  The function is part of the System Information.app and is accessed a few ways:

  1.  => About This Mac => Storage => Manage…
  2. (Hold the option key down)  => System Information… => Window => Storage Mangement (Cmd-U)
  3. /Applications/Utilities/System Information.app => Window => Storage Mangement (Cmd-U)

Once launched it will proceed to gather data sizes of categories of interest. The available and total disk space will be listed in the window’s name.

main-overview

First you’ll see some recommendations of ways to keep disk space available.  Each has its own set of gotchas so be sure to make note of the implications:

Store in iCloud

store-in-icloud-options

There has been some interesting discoveries in the behavior surrounding iCloud Desktop and Documents.  See iCloud Desktop and Documents in macOS Sierra – The Good, The Bad and the Ugly for a full rundown. Even though these checkboxes are checked by default, that doesn’t represent the actual state of the setting.  On my machine I have Desktop and Documents turned off in the iCloud preference pane yet this box shows as checked.

Optimize Storage —

optimize-storage-options

Empty Trash Automatically —

empty-trash-automatically

If you’re one of those that can’t commit to deleting things once put in the Trash, let the OS handle it for you.

Reduce Clutter —

This option opens the Documents listing.

Along the left are categories and the amount of space each is taking up.  Accessing those brings up a list sorted by largest on top.  If you want to remove an individual listing, right click and select Delete. Even though Applications are listed, non-admins can’t remove applications without admin credentials.

Thanks to @adamcodega for pointing this tool out.

Tagged , , , , , , ,

Cache Active Directory credentials off-site

A scenario I ran into recently involved an existing user who had their computer re-imaged with OS 10.10.5.  Their user data was backed up and restored prior to returning the system to the user.  To restore data I first use createmobileaccount to create a home directory and cache user information based off of AD, then rsync the data into the local home directory.  Since I don’t know the user’s password I don’t use the -p option leaving the cached account information without a password. Instead, the password is cached the first time the user logs in.  However, that only works when the computer can talk to our AD environment.

This user didn’t log in prior to taking the laptop out of the office for the week (who does that after a computer upgrade?!).  Since no password was cached there was nothing to authorize their credentials against. This could make for a long week for this user.

Since I had already created a home folder with all the user data I didn’t want to erase it or even have to bother with moving it around to a temporary user account.  Instead I did the following to preserve the files and allow the user to log in off-site:

  1. Have the user log in as a local admin.
  2. Have the user log into our company VPN as themselves.
  3. I gained access to the computer via Apple Remote Desktop (ssh, ScreenSharing, or any other means would work as well)
  4. I removed the current cached user info, sans password with sudo dscl . -delete /Users/<username>. This removes the locally cached information for the user from /var/db/dslocal/nodes/Default/users/<username>.plist but leaves the /Users/<username> home folder data alone.
  5. I then issued sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n <username> -p <password> . I had the user type their password to match their AD account.

Step 5 recreates the cached user information in /var/db/dslocal/nodes/Default/users/<userid>.plist (as long as the computer can talk to Active Directory), but this time with a cached password. Log out of the admin account and now the user can log in as themselves off-site using their AD credentials and access the already created home directory in /Users/<username>.

Tagged , , , , , , , ,

Flash Player 20.0.0.235 Adds Phone Home Analytics

Update: This issue seems to be isolated to version 20.0.0.235 as subsequent releases do not contain the LaunchDaemon and executable.  

Starting with the Flash Player 20.0.0.235 there are two new files added to the installer that attempt to send anonymous analytic data back to Adobe.  The files are a new LaunchDaemon at /Library/LaunchDaemons/com.adobe.SC.FPFeedbackService-1.0.plist that fires off  /Library/Application Support/Adobe/FPFeedbackService.  Running strings against the FPFeedbackService binary reveals some interesting tidbits:

# Following anonymous information is being collected from your machine.
# OS, OSType
- Operating System details
# UserAgent
- Browser details
# FlashVersion
- Installed Flash Player version
# RenderMode
- Represents the render mode of the SWF content.
# SWFVersions
- It is the list of SWF Versions played in browser and their count.
e.g. SWF10|23 means that SWF file having version 10 have been played 23 times.
# ASVersions
- It is the list of Action Script Versions associated to SWF files and their count.
e.g. AS2|10 means SWF file having Action Script Version 2 have been played 10 times.
# APIList
- The API List represents the collated API and its count in all played SWF files.
API names have been encoded to reduce the network traffic.
e.g. flash.display3D::Context3D will be encoded as 17.

and

User has disabled the service.Exiting.
Analytics Disabled.Exiting.

I found no option for disabling the analytics in the Flash Player PreferencePane.  Flash Player’s configuration can be managed with a /Library/Application Support/Macromedia/mms.cfg configuration file.  That’s how automatic updates have been suppressed previously. However, there is no mention of the new analytics or how to disable it in the ADOBE® FLASH® PLAYER 20.0 Administration Guide.  There is no mention in the blog post announcing the release, either. I’ve submitted a comment to that post for clarification but it has yet to be approved by a moderator.

The macadmins Slack team discussed, dug in, and and discovered that it can most likely be disabled by adding the entry DisableAnalytics=1 to the mms.cfg file.

To suppress automatic updates and disable analytics, the mms.cfg file should look like:

AutoUpdateDisable=1
SilentAutoUpdateEnable=0
DisableAnalytics=1

Tagged , , ,

Microsoft Supported Office 2016 Volume Licensing Method

Below is information provided by @pbowden, who is a software engineer for Office for Mac/iOS at Microsoft, in the MacAdmins Slack instance (@mrexchange on Twitter) regarding the supported way to license Office 2016 with a volume license.  While I recommend joining the macadmin Slack instance to participate in these conversations, it may not be feasible for everyone  Therefore I’m posting this information externally for everyone’s benefit.

It’s completely supportable to download and install the latest SKU-less build from those FWLinks like http://go.microsoft.com/fwlink/?linkid=525133, and simply run the Office15_all_volume_licensing.pkg to license the build for VL. [ Run `pkgutil –expand ~/Downloads/Microsoft_Office_2016_Installer.pkg ~/Desktop/Office2016VL` to expand the flat package and gain access to Office15_all_volume_licensing.pkg in ~/Desktop/Office2016VL ]

Technically, you can just run the Microsoft Office Setup Assistant.app that’s inside the .pkg, but I’d prefer that you install using the .pkg just in case there are things we need to do in the postinstall script. There are code dependencies between Office15_all_volume_licensing.pkg and Office15_all_licensing.pkg, which is why I’d prefer you to deploy the SKU-less build first as it contains Office15_all_licensing.pkg. It’s that same reason why I typically don’t like folks shoe-horning the updater package on a new machine – as the licensing package is not in the updater, and you could end up in a mess with licensing. The licensing code is fairly complex and uses various internal triggers to ‘wake up’ at various times to check that all is well. i.e. just because it might work if you hacked some packages together and tried it once or twice on your machine, it doesn’t mean to say that it’ll ​*stay*​ working after you deploy.

The role of the Microsoft Office Setup Assistant app is to collect various machine identifiers (including hardware serial number and boot disk hashes) and encodes them into /Library/Preferences/com.office.microsoft.office.licensingv2.plist …this is how we tether the license to the machine. Manually copying one of those generated plists and copying it to other machines is absolutely not supported and akin to playing with fire.
However, we ​*do*​ support you moving that plist around volumes on the ​*same*​ machine (e.g. imaging scenario).
In other words, in those times our license code wakes up to check that all is well, we’ll verify that the hashed boot disk that we retrieved when the license was created is still mounted ​*somewhere*​ on your machine, even if it’s not currently the boot disk.

Bottom line is that if you’re copying com.microsoft.office.licensingv2.plist between machines then you are not in a supportable state. The only supportable solution is to have that plist file generated on the machine you intend to use by the Microsoft Office Setup Assistant (MOSA). Up to you how you package this, but MOSA needs to be run and the plist is tethered to the current boot drive of the machine. It’s okay to change boot drives as long as that original drive stays mounted as a volume (it doesn’t have to be the boot drive)

The VL build on the VLSC is old at 15.13.4. While internally we produce full VL installers every month (in fact, it’s every day, but I digress), the VLSC folks haven’t been in a position to take our monthly updates. I’ve been working with that team this week to get their engineering processes to be more agile. The good news is that they will be taking our 15.17 December release build, so what should be a welcome refresh. I’ve also been working hard on fixing your top requests and am confident that 15.17 will be a great release for you. The VLSC folks might need to skip one or two releases after 15.17, but after that they will be in a position to take all our monthly releases.

A follow up question was asked about un-licensing to allow for the Office 365 subscription method again.

Is there a proper way to revert from a VL install backwards to a 365-license?

Yeah, just nuke that one plist we’ve been talking about and the copy of Office goes back to a sku-less state

Tagged , , , , ,

Office 2016 Direct Download links

Office 2016 now uses a series of FWLinks that always point to the very latest official builds. The downloads are SKU-less, which means you can use these to activate via Office 365 subscription, Volume License, or Perpetual License. These packages contain the base app, MAU and the licensing helper components.  The following links download the respective software.  While perpetually updated direct links are great to have, there is no way to determine what version it is until the full pkg is downloaded.  That’s an expensive download if you have limited bandwidth.  After the update from 15.15 to 15.16, a few links had lingering 15.15 versions still downloading.

There are 3 CDNs they are available from: Puerto Rico, Dublin, and Singapore.  For the US the Puerto Rico CDN would be quickest.

Puerto Rico CDN

Office Suite
http://go.microsoft.com/fwlink/?linkid=525133
Word
http://go.microsoft.com/fwlink/?linkid=525134
Excel
http://go.microsoft.com/fwlink/?linkid=525135
Powerpoint
http://go.microsoft.com/fwlink/?linkid=525136
Outlook
http://go.microsoft.com/fwlink/?linkid=525137

Dublin CDN

Office Suite
http://go.microsoft.com/fwlink/?linkid=532572
Word
http://go.microsoft.com/fwlink/?linkid=532573
Excel
http://go.microsoft.com/fwlink/?linkid=532574
Powerpoint
http://go.microsoft.com/fwlink/?linkid=532575
Outlook
http://go.microsoft.com/fwlink/?linkid=532576

Singapore CDN

Office Suite
http://go.microsoft.com/fwlink/?linkid=532577
Word
http://go.microsoft.com/fwlink/?linkid=532579
Excel
http://go.microsoft.com/fwlink/?linkid=532582
Powerpoint
http://go.microsoft.com/fwlink/?linkid=532583
Outlook
http://go.microsoft.com/fwlink/?linkid=532584

A big thanks to @talkingmoose for encouraging @pbowden to join our Slack channel #microsoft-office and for @pbowden for providing all these juicy nuggets.  To join us on Slack, head over to http://macadmins.org to request an invite.

Tagged

Screen Sharing via Apple ID

Screen Sharing.app is a bundled application that lets you observe or control a remote computer.  Typically, the computer is already under your control and either has Screen Sharing enabled in the Sharing settings or a VNC server running.  But having a knack as a Mac whisperer doesn’t go unnoticed by family and friends.  There are times when it’d be really handy to be able to hop on a friend or family member’s computer to actually see what they’re trying to describe instead of talking thru it.  There are 3rd party services out there that can accomplish this but require downloading, installing, and configuring.  This feature just works* as long as the remote computer has an iCloud account setup on it, which at this point most do.

*Of course there are exceptions.  Firewall restrictions may not allow the traffic thru.

To start a session launch the Screen Sharing.app via Spotlight (command-space) and typing “Screen Sharing” or by navigating to /System/Library/CoreServices/Applications/Screen Sharing.app

Once it launches you’ll be presented with a field that asks for a hostname or Apple ID

hostnameorappleid

Start typing a name in your Contacts.  If you have contacts that have Apple IDs they’ll show up in blue text, similar to Messages.  It may take a few seconds for the names to be identified as Apple IDs and have the color change. If you know the Apple ID email address you can enter that directly as well.bluemeansicloud

Click the “Connect” button and the remote machine will get prompted to allow you to connect. Note, the prompt to connect will appear on all the machines that are setup with that Apple ID.

prompttoconnect

If the Apple ID of the instigating connection is in the receiver’s contacts, when “Accept” is clicked it will immediately allow Observe abilities of the remote screen.  If the Apple ID trying to connect doesn’t match a contact on the receiving machine the receiver will get this prompt.

notincontacts

Upon connection, by default the microphone is engaged so you can talk as well as see the remote screen. The microphone can be muted from menu bar extra if desired.  While connection is active the menu bar extra flashes to remind of that connection.

screensharingmenuextra

If you need to control the computer instead of just observe you can request control from the Screen Sharing window.  Once Control is asked for, the remote machine gets a prompt to allow control.

Tagged , , , , ,

Server.app 5.0.4, sdmd, and iOS

After upgrading a server to El Capitan and Server 5.0.4 I noticed that a process was constantly taking 50-60% of the CPU and showed no signs of calming down after running a couple of days.  The process is sdmd.

sdmd-postgres-procs

Googling and digging around I discovered those processes, specifically sdmd, are related to File Sharing.  The executable is found at /Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/ServerDocsMaster.framework/sdmd. I recruited my super-sleuthing friend @mikeymikey to take a look.  He found

“..it generates thumbnails and basically does a lot of prep work for iOS devices that can’t look up all this information themselves for a large directory. It basically looks like “mini Sharepoint” for iOS. If you have huge shares you never intend to make accessible via iOS, I can see how this thing would put a ton of load on your devices. And it looks like it monitors the directories for change, too, so it’ll just keep coming back.”

I don’t want that.

Posts to various forums reported that removing and re-adding all the shares made the problem go away. Instead of going to all that work I discovered that disabling iOS access on the shares made the sdmd process stop.  By default, when upgrading to Server 5 all my shares were enabled to be iOS accessible. Thanks Apple!

To turn off iOS access, open the Server.app and navigate to the File Sharing service.  Highlight a shared folder and click the pencil button to edit it.  In the share preferences there is an iOS checkbox.  Uncheck it.  Do that for all shares and the sdmd process will stop.

File Share panel

Tagged , ,

Office 2016 Mac admin resource links

Below is a gathering of all the discoveries fellow Mac admins have documented regarding Office 2016 for Mac; both Office 365 and Volume License varieties.  This post will be updated as new issues are made known.

Discussion and discovery on these topics and all things Microsoft Office are on-going on the Macadmins Slack team in channel #microsoft-office.  You can get an invite to join us on Slack by going to http://macadmins.org

Office 2016 Direct Download links

http://macadmins.software – Straight from the source and curated by Paul Bowden at Microsoft, this lists all downloads and updates since the first non-preview release on 7/9. The red table lists latest versions available, the green table lists all the permalinks, and the black table has links to all releases and KB articles, plus extra information like build date.

https://osxbytes.wordpress.com/2015/11/12/office-2016-direct-download-links/


Demystify Office 2016 for Mac 

https://clburlison.com/demystify-office2016/ – in Slack/Twitter @clburlison – use this excellent guide to distinguish the different installation/license/upgrade options for Office 2016.


Microsoft Office 2016 for Mac serialization changes  https://macmule.com/2015/12/11/microsoft-office-2016-for-mac-serialisation-changes – in Slack @macmule


Suppressing first launch “What’s New” for Excel, Outlook, Powerpoint, Word & OneNote, and Outlook’s account setup:

http://macops.ca/disabling-first-run-dialogs-in-office-2016-for-mac/ – in Slack @tvsutton
https://osxbytes.wordpress.com/2015/09/17/not-much-whats-new-with-you/ – in Slack @eholtam


Volume License installer issues: – being addressed in the December release

http://macops.ca/whats-wrong-with-the-office-2016-volume-license-installer/ – in Slack @tvsutton
http://macops.ca/the-office-for-mac-2016-volume-license-installer-two-months-later/ – @tvsutton


Outlook 2016 setup script:

https://github.com/talkingmoose/Oulook-Exchange-Setup-5.0 – in Slack @talkingmoose
https://github.com/poundbangbash/Outlook-Exchange-Setup-5.0-Meredith@eholtam – My fork addressing running the setup script on first launch of Outlook.


Office 2016 Packaging:

http://www.richard-purves.com/?p=79 – in Slack @franton


Suppress Microsoft AutoUpdate launch warning – needs to be run per-user

https://gist.github.com/erikng/7cede5be1c0ae2f85435 – in Slack @erik


Remove Office 2011 script (and some shared 2016 bits like license, MAU, etc.)

http://www.officeformachelp.com/office/install/remove-office/ – in Slack @talkingmoose


Administering Office 2016 for Mac presentations by @talkingmoose

https://www.youtube.com/watch?v=4-EtZizWJdQ – PSU 2015

http://bit.ly/1HgsqJE – University of Utah 2015 (QT)
https://stream.lib.utah.edu/index.php?c=details&id=11446 – University of Utah 2015 (Streaming)


Fun with Microsoft Office 2016

https://themacwrangler.wordpress.com/2015/11/17/fun-with-microsoft-office-2016/ – in Slack @hunty

Tagged ,

Not much, what’s new with you?

Update: As expected the `OUIWhatsNewLastShowLink` key is being incremented to display new features on subsequent releases. The profiles below will contain the latest values for the currently released versions.

Profiles for Office 2016 version 15.30

Office 2016 offers to show users “What’s New” on first launch.  Tim Sutton has a writeup on how to suppress the initial dialogs on his blog.  However, with version 15.14 of the Office apps there’s new “What’s New”s for Outlook and Powerpoint that sets a key not mentioned in the aforementioned post to suppress the new dialog.  This only affects Powerpoint and Outlook for this version.  Word and Excel didn’t present new prompts on launch this time around.

Along with the “What’s New” keys there are some others of interest:

kSubUIAppCompletedFirstRunSetup1507 – boolean – Suppresses the “What’s New” dialog on first launch starting in Office 15.13

OUIWhatsNewLastShownLink – string – Suppresses the “What’s New” dialog on first launch for new prompts offered in subsequent version.

FirstRunExperienceCompletedO15 – boolean – Suppresses offer to import mailbox or setup an email account. (That’s a cap o15, not zero15)

SendAllTelemetryEnabledboolean – Suppress the offer to send crash reports to Microsoft

ONWhatsNewShownItemIds – array – Specific to OneNote this value is an array of integers that appears to increment haphazardly.  For just OneNote, this replaces the OUIWhatsNewLastShownLink value.

OUIWhatsNewLastShownLink values

Profiles
Below are profiles that will suppress the “What’s New” and disable crash reports prompts. These examples are set to “Force” the setting as attempts using Set-Once with a timestamp didn’t seem to be effective.

Outlook – suppress “What’s New” only (see below for suppressing Inbox migration)
Outlook – suppress “What’s New” and mailbox setup*

Powerpoint

OneNote

Word

Excel

*There is also a key for Outlook that will suppress the dialog to offer to migrate or setup an email account.  That key is a boolean FirstRunExperienceCompletedO15.  That’s a captial o, not a zero at the end of the key.

 FirstRunExperienceCompletedO15 suppresses this

To extract the values of the OUIWhatsNewLastShownLink I have a script that I run after installing and running each new application.  That script is at OUIWhatsNewLastShownLink Script

Tagged ,

Mac Admin QuickLook Tools

Quicklook has been around for a while and I harness its abilities to help me with my Mac admin life.  Apple advertised it for PDFs, images, and text files, however we admins can partake in the marketing highlight as well.

Below are a few of my favorite QuickLook plugins that I’ve been using for years.  Thankfully they still function.  Some have stopped development but are still available and going strong 7 OS revisions later.

QLStephen – Nothing fancy.  But it does let you view plain text files that don’t have a file extension. It is useful for reading files like README, INSTALL, CHANGELOG, Makefile, etc.

Scriptql – shows AppleScript .script files.  Getting rarer but good to have in a pinch.

QLColorCode – syntax highlighting of code and plist files.  Very handy for peeking in on .plists as the syntax is color coded.

syntax highlight

Much better

Screen Shot 2015-09-14 at 10.47.28 PM

 

Suspicious Package – My favorite.  It opens up .pkg and .mpkg installers to show the payload, scripts and other meta data about the installer.  It’s saved me so much time being able to peek in on an installer without having to deep dive into it.  I highly recommend it for anyone messing with .pkgs.

Suspicious Package quicklook Screen Shot 2015-09-14 at 10.53.21 PM

Please share your favorites in the comments.

Tagged , ,