Screen Sharing via Apple ID

Screen Sharing is a bundled application that lets you observe or control a remote computer.  Typically, the computer is already under your control and either has Screen Sharing enabled in the Sharing settings or a VNC server running.  But having a knack as a Mac whisperer doesn’t go unnoticed by family and friends.  There are times when it’d be really handy to be able to hop on a friend or family member’s computer to actually see what they’re trying to describe instead of talking thru it.  There are 3rd party services out there that can accomplish this but require downloading, installing, and configuring.  This feature just works* as long as the remote computer has an iCloud account set up on it, which at this point most do.

*Of course there are exceptions.  Firewall restrictions may not allow the traffic thru.

To start a session, launch Screen Sharing via Spotlight (command-space) by typing “Screen Sharing”, or by navigating to /System/Library/CoreServices/Applications/Screen

Once it launches you’ll be presented with a field that asks for a hostname or Apple ID.


Start typing a name in your Contacts.  If you have contacts that have Apple IDs they’ll show up in blue text, similar to Messages.  It may take a few seconds for the names to be identified as Apple IDs and have the color change. If you know the Apple ID email address you can enter that directly as well.

Click the “Connect” button and the remote machine will get prompted to allow you to connect. Note, the prompt to connect will appear on all the machines that are set up with that Apple ID.


If the Apple ID of the instigating connection is in the receiver’s contacts, when “Accept” is clicked it will immediately allow Observe abilities of the remote screen.  If the Apple ID trying to connect doesn’t match a contact on the receiving machine the receiver will get this prompt.


Upon connection, by default the microphone is engaged so you can talk as well as see the remote screen. The microphone can be muted from the menu bar extra if desired.  While the connection is active the menu bar extra flashes as a reminder of that connection.


If you need to control the computer instead of just observe you can request control from the Screen Sharing window.  Once Control is asked for, the remote machine gets a prompt to allow control.

5.0.4, sdmd, and iOS

After upgrading a server to El Capitan and Server 5.0.4 I noticed that a process was constantly taking 50-60% of the CPU and showed no signs of calming down after running a couple of days.  The process is sdmd.


Googling and digging around I discovered those processes, specifically sdmd, are related to File Sharing.  The executable is found at /Applications/ I recruited my super-sleuthing friend @mikeymikey to take a look.  He found

“ generates thumbnails and basically does a lot of prep work for iOS devices that can’t look up all this information themselves for a large directory. It basically looks like “mini Sharepoint” for iOS. If you have huge shares you never intend to make accessible via iOS, I can see how this thing would put a ton of load on your devices. And it looks like it monitors the directories for change, too, so it’ll just keep coming back.”

I don’t want that.

Posts to various forums reported that removing and re-adding all the shares made the problem go away. Instead of going to all that work I discovered that disabling iOS access on the shares made the sdmd process stop.  By default, when upgrading to Server 5 all my shares were enabled to be iOS accessible. Thanks Apple!

To turn off iOS access, open the and navigate to the File Sharing service.  Highlight a shared folder and click the pencil button to edit it.  In the share preferences there is an iOS checkbox.  Uncheck it.  Do that for all shares and the sdmd process will stop.


Office 2016 Mac admin resource links

Below is a gathering of all the discoveries fellow Mac admins have documented regarding Office 2016 for Mac; both Office 365 and Volume License varieties.  This post will be updated as new issues are made known.

Discussion and discovery on these topics and all things Microsoft Office are on-going on the Macadmins Slack team in channel #microsoft-office.  You can get an invite to join us on Slack by going to

Office 2016 Direct Download links – Straight from the source and curated by Paul Bowden at Microsoft, this lists all downloads and updates since the first non-preview release on 7/9. The red table lists latest versions available, the green table lists all the permalinks, and the black table has links to all releases and KB articles, plus extra information like build date.

Demystify Office 2016 for Mac – in Slack/Twitter @clburlison – use this excellent guide to distinguish the different installation/license/upgrade options for Office 2016.

Microsoft Office 2016 for Mac serialization changes – in Slack @macmule

Suppressing first launch “What’s New” for Excel, Outlook, Powerpoint, Word & OneNote, and Outlook’s account setup: – in Slack @tvsutton – in Slack @eholtam

Volume License installer issues: – being addressed in the December release – in Slack @tvsutton – @tvsutton

Outlook 2016 setup script: – in Slack @talkingmoose – My fork addressing running the setup script on first launch of Outlook.

Office 2016 Packaging: – in Slack @franton

Suppress Microsoft AutoUpdate launch warning – needs to be run per-user – in Slack @erik

Remove Office 2011 script (and some shared 2016 bits like license, MAU, etc.) – in Slack @talkingmoose

Administering Office 2016 for Mac presentations by @talkingmoose – PSU 2015 – University of Utah 2015 (QT) – University of Utah 2015 (Streaming)

Fun with Microsoft Office 2016 – in Slack @hunty


Not much, what’s new with you?

Update: See this post for new information on changes to suppressing What’s New dialogs starting with 15.34.

Update: As expected the `OUIWhatsNewLastShownLink` key is being incremented to display new features on subsequent releases. The profiles below will contain the latest values for the currently released versions.

Profiles for Office 2016 version 15.31

Office 2016 offers to show users “What’s New” on first launch.  Tim Sutton has a writeup on how to suppress the initial dialogs on his blog.  However, with version 15.14 of the Office apps there’s new “What’s New”s for Outlook and Powerpoint that sets a key not mentioned in the aforementioned post to suppress the new dialog.  This only affects Powerpoint and Outlook for this version.  Word and Excel didn’t present new prompts on launch this time around.

Along with the “What’s New” keys there are some others of interest:

kSubUIAppCompletedFirstRunSetup1507 – boolean – Controls the original “What’s New” dialog and Office 365 activation prompt on first launch

OUIWhatsNewLastShownLink – string – Controls the “What’s New” dialog on first launch for new prompts offered in subsequent version.

FirstRunExperienceCompletedO15 – boolean – Controls offer to import mailbox or setup an email account. (That’s a cap o15, not zero15)

SendAllTelemetryEnabled – boolean – Controls the offer to send crash reports to Microsoft

ONWhatsNewShownItemIds – array – Specific to OneNote this value is an array of integers that appears to increment haphazardly.  For just OneNote, this replaces the OUIWhatsNewLastShownLink value.

OUIWhatsNewLastShownLink values

Below are profiles that will suppress the “What’s New” and disable crash reports prompts. These examples are set to “Force” the setting as attempts using Set-Once with a timestamp didn’t seem to be effective.

Outlook – suppress “What’s New” only (see below for suppressing Inbox migration)
Outlook – suppress “What’s New” and mailbox setup*





*There is also a key for Outlook that will suppress the dialog to offer to migrate or setup an email account.  That key is a boolean FirstRunExperienceCompletedO15.  That’s a capital o, not a zero at the end of the key.

 FirstRunExperienceCompletedO15 suppresses this

To extract the values of the OUIWhatsNewLastShownLink I have a script that I run after installing and running each new application.  That script is at OUIWhatsNewLastShownLink Script


Mac Admin QuickLook Tools

Quicklook has been around for a while and I harness its abilities to help me with my Mac admin life.  Apple advertised it for PDFs, images, and text files, however we admins can partake in the marketing highlight as well.

Below are a few of my favorite QuickLook plugins that I’ve been using for years.  Thankfully they still function.  Some have stopped development but are still available and going strong 7 OS revisions later.

QLStephen – Nothing fancy.  But it does let you view plain text files that don’t have a file extension. It is useful for reading files like README, INSTALL, CHANGELOG, Makefile, etc.

Scriptql – shows AppleScript .script files.  Getting rarer but good to have in a pinch.

QLColorCode – syntax highlighting of code and plist files.  Very handy for peeking in on .plists as the syntax is color coded.



Suspicious Package – My favorite.  It opens up .pkg and .mpkg installers to show the payload, scripts and other meta data about the installer.  It’s saved me so much time being able to peek in on an installer without having to deep dive into it.  I highly recommend it for anyone messing with .pkgs.


Please share your favorites in the comments.


Help them help you

I support computers AND users. I’m sure you do, too. My users aren’t expected to know their IP address or how to find it. Occasionally I get in a situation where I can’t pre-fetch a computer name for a user I’m about to call. Once I get the user on the horn I’ll need to have them find that IP and give it to me so I can assist remotely. To make the discovery easier I wrote a quick little Applescript app they can run that outputs the computer’s hostname and current active IP address. It offers to put the name or IP address in their clipboard for easier transfer and avoid typos via IM or email.

Below is the code and output:

Computer Name display


Netboot compatibility chart for Thunderbolt adapters and docks – community feedback requested

Since Apple’s laptops have gotten thinner there’s less room for IT-important things like Ethernet ports.  Many of us use a network based imaging process to get machines ready for our respective environments.  The lack of a built-in Ethernet port forces us to use Ethernet adapters whether it be USB2.0, USB3.0, Thunderbolt, or Thunderbolt Docks.  Unfortunately the vendors that make these devices don’t seem to worry about the Netbootability of their adapters or docks.  That functionality is a big unknown.  At $2-300/dock guessing wrong isn’t cheap.  Some work if you hold down the “n” or “Option” key on boot but don’t provide Netboot options when trying to set it via the Startup Disk Preference Pane or using the ‘bless’ command from the command line and vice versa.  In my environment it is important to be able to send a command remotely to have the computer Netboot.  Physically holding a key is as good as not having it at all.

I’m sending a call out to all Mac admins willing and able to report back what has and has not worked for you with the adapters you’ve tried.  I’ve started a publicly accessible spreadsheet at Google Sheets trying to detail all the pertinent information.  I’m sure there are others out there that have tried and tested other adapters and docks with varied success.  All could benefit from this gathered information so please contribute if you can.

To supply feedback on different adapters and docks please do the following.  The Netboot columns require specific tests be run as the method matters:

  1. “Netboot ‘n’ on boot” : Hold the ‘n’ key down when powering on the computer.
    Success = booting to the NBI.
  2. “Netboot Boot Picker (option key)” : Hold the ‘option’ key down when powering on the computer.
    Success = if you see NBI(s) to pick from the boot picker interface
  3. “Netboot ‘bless’ command” : With the computer booted to the internal drive issue the command ‘sudo bless --netboot --server bsdp://’ and reboot.
    Success = booting to the NBI
  4. “Netboot Startup Disk” : Boot up the computer to the internal disk and log in.  Open the Startup Disk System Preference.
    Success = if you see NBI(s) to pick as the startup disk

The other columns like Vendor ID, Product ID, etc., can be found by running ‘system_profiler SPUSBDataType’ or ‘system_profiler SPThunderboltDataType’ depending on what type of adapter you’re using.

Thanks, and go team!


Installing VMWare Tools on a Netboot NBI

Netboot is great.  VMWare Fusion is great. Yosemite is….Netboot and VMWare are great. I use VMs to test things on our builds at work.  To get those VMs setup I use our imaging process that utilizes Netboot.  However, I discovered that, new with Yosemite, when the VM Netbooted to our Yosemite NBI I wasn’t able to login to OS X. After typing in the username and password the login attempt would just hang with the spinning gear turned beachball.  No bueno. Turns out all it requires is getting the VMWare Tools installed on the NBI.  No problem right? But VMWare’s installer (read: .app) doesn’t allow installing on a non-boot volume.  Crap.  This wouldn’t be a very interesting post if we stopped here so…

TL;DR: you need to mount the NBI and install the tools via the CLI ‘installer’ command.

First, make sure that your existing NBI is read/write when mounted.  In my case the NBI is actually a .sparseimage but renamed to .dmg for Netboot use.  When mounting the image named .dmg it mounts as read-only.  Renaming the .dmg to .sparseimage mounts the volume as read-write. YMMV. There are ways to convert disk images to read-write. I’ll leave that discovery up to you if your environment requires it.

VMWare Tools acquisition/installation:

There are a couple ways to get the tools.  I prefer to pull the tools from the VMWare bundle itself to guarantee that the version of VMWare Fusion you’re running is compatible with the tools. If you want an automated way using AutoPkg to get the latest tools check out Rich Trouton’s post at Der Flounder.  You can also download the tools if you know what version you need at VMWare’s repository.

Locally, the tools are located in the application bundle found at /Applications/VMware\


Mounting that image results in the installer and uninstaller.


However attempting to use the .app installer will fail as it won’t let you target the install on a non-boot drive.  Since it’s a .app “installer” there must be a .pkg buried in the bundle. To get the actual installer .pkg right click on “Install VMWare” and choose “Show Package Contents”.  Navigate to the /Volumes/VMware\ Tools/Install\ VMware\ directory.  There you’ll find “VMWare Tools.pkg”. Jackpot.


Copy the “VMWare Tools.pkg” to the computer where the NBI is mounted and run ‘installer’ pointing the target at the mounted Netboot NBI.

 sudo installer -pkg /Volumes/VMware\ Tools/Install\ VMware\\ Tools.pkg -target /Volumes/Yosemite\ NetBoot -verbose

That will install on the mounted volume.  Once complete, unmount the NBI, rename it if necessary, and you should now be able to log into a Yosemite NBI when Netbooted in VMWare Fusion.


Using pkgutil To Adjust Flat Packages

“I love it when companies break away from the standard pkg practices.”

– No one ever

When you run into an installer that is doing something you don’t expect or recommend we get to put on our Mac admin spelunking hat to dive into the depths of the installer to see what’s going on.  There are some handy tools that make this easier already bundled in the OS.  Those are: pkgutil and installer.  There are also good 3rd party apps like Pacifist and Suspicious Package that I use for examining installers as well.  For this exercise I didn’t need those.

I ran into an issue with the Fiery E-22C driver installer from EFI launching an app mid-install to offer to setup printers.

Not Helpful

That’s great for home users with a Fiery front end (who doesn’t have a Fiery at home?) but not for deploying in the enterprise.  The only way to get the drivers to install at this point was to click the link in the bottom left of the app window.  Not ideal. I tried many ways to bypass the “wizard” app as the installer existed but even when attempting a CLI install it would launch the app when a user was logged in and the install would totally fail if no user was logged in.

One thing going for us at this point is the pkg is a flat package. Running the following will extract the pkg to better examine it:

pkgutil --expand ~/Desktop/Fiery\ Printer\ Driver.pkg ~/Desktop/fieryprinterdrivers

Navigating to ~/Desktop/fieryprinterdrivers shows us the expanded package contents:

Expanded Package

 Right click on the “FieryPrinterDriverInstaller.pkg” and choose “Show Package Contents”:

Show package contents

After digging around, the piece that needed adjustments was the postinstall.  There was a system version check in there to launch the “wizard” only if the OS was newer than 10.5.  If 10.5 or older it would just install the drivers.  That’s what I wanted on my new shiny OS!

#Pkg installs driver and exits in 10.5 since no Wizard is supported below 10.6
if [ "$MAJOR" = "10" ] && [ "$MINOR" = "5" ]
 logger "Postinstall Script: Checking for previous driver and printers with FSU and performing system cleanup"
 /bin/sh /tmp/efi_wiz_fsu_delete && logger "Postinstall Script: FSU done"
 sudo rm -f /tmp/efi_wiz_fsu_delete
 logger "Postinstall Script: Installing driver only for 10.5" && sudo installer -pkg /tmp/Fiery\ Printer\ Driver\\ Software/OSX/Printer\ Driver/OSX\ installer.pkg -target / && exit 0

Further down if the OS was > 10.5 it would launch the “wizard” which is what I didn’t want.  To fix this postinstall script all I needed to do was remove the OS Minor version check to make it just install the drivers if the OS Major version is 10.  I can handle deploying the drivers to the appropriate OS so I’m not worried about using their logic.

Before:
if [ "$MAJOR" = "10" ] && [ "$MINOR" = "5" ]

After:
if [ "$MAJOR" = "10" ]

Once the postinstall file is adjusted we can flatten the package back up again by running:

pkgutil --flatten ~/Desktop/fieryprinterdrivers/ ~/Desktop/Fiery\ Printers\ Driver\ Fixed.pkg

 And now I have a new package “Fiery Printers Driver Fixed.pkg” that’s deployable, won’t launch the wizard, and will install the drivers.

fixed pkg is a pkg
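The expand, edit and flatten steps above as one script; this is an added example, not code from the post or from EFI. It refuses to touch a postinstall whose version gate is not exactly the line quoted above, keeps the original for diffing, and reports the source package's signature state, since a package rebuilt with pkgutil --flatten is unsigned. The function names are made up for this example.

```shell
#!/bin/sh
# Added example, not the post author's or EFI's code.
OLD_GATE='if [ "$MAJOR" = "10" ] && [ "$MINOR" = "5" ]'
NEW_GATE='if [ "$MAJOR" = "10" ]'

# patch_gate SCRIPT BACKUP
# Returns 0 on success, 1 if the gate line is not present exactly once
# (the vendor changed the script), 2 if the result no longer parses.
patch_gate() {
    script=$1
    backup=$2
    hits=$(grep -cF -- "$OLD_GATE" "$script" || true)
    if [ "$hits" != "1" ]; then
        echo "expected 1 gate line in $script, found ${hits:-0}" >&2
        return 1
    fi
    cp -p "$script" "$backup"
    tmp=$(mktemp)
    # index()/substr() do a literal replace, so [ ] $ & need no escaping.
    awk -v old="$OLD_GATE" -v new="$NEW_GATE" '{
        i = index($0, old)
        if (i) $0 = substr($0, 1, i - 1) new substr($0, i + length(old))
        print
    }' "$backup" > "$tmp"
    cat "$tmp" > "$script"   # overwrite in place: keeps the executable bit
    rm -f "$tmp"
    if ! sh -n "$script"; then
        cp -p "$backup" "$script"
        return 2
    fi
}

# repack SRC_PKG OUT_PKG   (macOS only: needs pkgutil)
# Fails closed: every postinstall found must contain the expected gate.
repack() {
    src=$1
    out=$2
    work=$(mktemp -d)
    # Record the vendor signature state; the flattened copy will carry none.
    pkgutil --check-signature "$src" || echo "note: $src has no valid signature" >&2
    pkgutil --expand "$src" "$work/expanded" || return 1
    find "$work/expanded" -type f -name postinstall > "$work/scripts.txt"
    n=0
    while IFS= read -r s; do
        n=$((n + 1))
        patch_gate "$s" "$work/postinstall.$n.orig" || return 1
    done < "$work/scripts.txt"
    [ "$n" -gt 0 ] || { echo "no postinstall found" >&2; return 1; }
    pkgutil --flatten "$work/expanded" "$out" || return 1
    echo "wrote $out; originals kept in $work" >&2
}

if [ "$#" -ge 2 ]; then
    repack "$1" "$2"
fi
```

If your deployment tooling enforces package signatures, re-sign the output (for example with productsign) before distributing it.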


createmobileaccount workaround for 10.10.3

UPDATE: As of Mac OS X 10.10.4 this issue has been addressed by Apple. The following still applies to 10.10.3 installs. 

Since 10.10.3 was released on April 8, 2015, the Mac admin community has had the privilege of discovering what’s broken with this new OS. We knew about the rootPipe fix but not its unintended collateral damage. One piece that was discovered compromised is the tool “createmobileaccount” found in /System/Library/CoreServices/ This tool can be used to pre-create a home folder and add the user to the local directory service node without having a user log in. It can also dynamically verify that the account attempting to be made actually exists in the directory service prior to creating the account. That can be handy for restoring user data, creating a directory based account prior to sending off-site, or giving a user admin rights prior to deployment. As of 10.10.3 and its rootPipe fix, that tool is broken. BUT, there is a workaround.

The workaround to still use createmobileaccount is to do the following*:

  1. Copy the user template to create the home folder: cp -R /System/Library/User\ Template/English.lproj /Users/${newUser}
  2. Change rights on the folder for the new user: chown -R ${newUser}:staff /Users/${newUser}
  3. Run createmobileaccount: /System/Library/CoreServices/ -n ${newUser}

Take note if you implement this workaround in your workflow that the home folder is being created before createmobileaccount is run.  If createmobileaccount fails, the home folder you created will still exist and you may want to clean that up depending on the environment.

*thanks to mm2270’s post on JAMFNation.
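The three steps wrapped in one function that runs as root, as an added example that is not from the original post or the JAMFNation thread: it validates the short name before cp, chown and rm see it, refuses to reuse an existing home folder, and removes the folder it created if createmobileaccount fails. CMA_TOOL must be set to the full path of createmobileaccount (truncated above); USERS_DIR, TEMPLATE and CHOWN are hypothetical overrides so the function can be exercised off a Mac.

```shell
#!/bin/sh
# Added example. Assumptions: CMA_TOOL = full path to createmobileaccount;
# TEMPLATE, USERS_DIR and CHOWN exist only to allow testing off a Mac.
TEMPLATE=${TEMPLATE:-/System/Library/User Template/English.lproj}
USERS_DIR=${USERS_DIR:-/Users}
CHOWN=${CHOWN:-chown}

# make_mobile_account USER
# 0 = created, 1 = rejected before touching disk,
# 2 = a step failed and the new home folder was removed again.
make_mobile_account() {
    newUser=$1
    # Rejects "", "..", "a/b" and option-like names such as "-R".
    case $newUser in
        ''|-*|.*|*[!A-Za-z0-9._-]*)
            echo "invalid short name" >&2
            return 1 ;;
    esac
    home=$USERS_DIR/$newUser
    if [ -e "$home" ]; then
        echo "$home already exists, not overwriting" >&2
        return 1
    fi
    if [ -z "${CMA_TOOL:-}" ] || [ ! -x "$CMA_TOOL" ]; then
        echo "set CMA_TOOL to the createmobileaccount binary" >&2
        return 1
    fi
    # Steps 1-3 from the list above, quoted and chained.
    if cp -R "$TEMPLATE" "$home" &&
       "$CHOWN" -R "$newUser:staff" "$home" &&
       "$CMA_TOOL" -n "$newUser"; then
        return 0
    fi
    # Only the folder this run created is removed.
    rm -rf -- "$home"
    return 2
}
```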
