Tag Archives: administration

APFS Disk Roles

APFS is Apple’s new file system coming sometime in 2017. In 10.12.x the disk management command line tools have been updated to recognize commands relating to APFS. diskutil has some APFS options, one of which being changeVolumeRole . In that verb there is a reference as to how to set the different roles the volume can be

From the manpage of diskutil:

changeVolumeRole | chrole volumeDevice roles
Change the role metadata flag bits of an existing
APFS Volume.

The roles should be any combination of one or more
of the characters busrvBUSRV in much the same man-
ner as diskutil apfs addVolume above, in which
unspecified flags are left alone, use of lower-case
causes flags to be cleared, and use of upper-case
causes flags to be set. Alternatively, clear will
remove all flags, or 0 can be used as a no-op for
scripting convenience. You should not make any
assumptions about the usage or legal combinations
of role bits.

Ownership of the affected disks is required.

But no where does it state what the roles BUSRV are.

The role of the disk can be observed by running diskutil apfs list

APFS Container (1 found)
|
+-- Container disk2 9C36DEF6-B883-462B-A227-84F8A60E3551
    ====================================================
    APFS Container Reference: disk2
    Capacity Ceiling (Size): 255883108352 B (255.9 GB)
    Capacity In Use By Volumes: 138276864 B (138.3 MB) (0.1% used)
    Capacity Available: 255744831488 B (255.7 GB) (99.9% free)
    |
    +-< Physical Store disk0s4 13E393EF-C27E-44EC-B238-A7CA8A842F50     | -----------------------------------------------------------     | APFS Physical Store Disk: disk0s4     | Size: 255883108352 B (255.9 GB)     |     +-> Volume disk2s1 CC9D66C2-345C-4415-92E4-8CDE3A396180
        ---------------------------------------------------
        APFS Volume Disk (Role): disk2s1 (No specific role)
        Name: apfTest
        Mount Point: /Volumes/apfTest
        Capacity Consumed: 24576 B (24.6 KB)
        Capacity Reserve: None
        Capacity Quota: None
        Cryptographic Security: None

Iterating thru the roles they translate to:

B = "Preboot"
U = "User"
S = "System"
R = "Recovery"
V = "VM"

A volume can be set with any combination of roles according to diskutil.

A volume with all roles set shows

APFS Volume Disk (Role):  disk2s1 (Preboot, User, System, Recovery, VM)

Advertisements
Tagged , , , , , , ,

What’s New? New “What’s New” Office 2016 Suppression Key

Updated:
• Notification that one setting can suppress What’s New for the entire Office suite
• Changed to reflect new 15.34 key to suppress What’s New dialogs by a boolean
• Update to OneNote now using the same OUIWhatsNewShonItemIds key instead of its own ONWhatsNewShownItemIds key

My previous post, Not much, what’s new with you?, showed how to suppress the “What’s New” banners on updated software versions of the Office 2016 Suite.  While it worked, it _was_ work to get the specific preference key value to block the latest banner from appearing.  Due to the nature of how the values were dynamically created at build time it wasn’t known what those values were until the software was downloaded, installed, launched, then examine the preference file for the new value of OUIWhatsNewLastShownLink.  Blah.

Our good friends at Microsoft recognized the madness and worked on a way to make the suppression easier and more predictable for us admins.  As of version 15.32 there is a new key that takes an array of ints that can be added to the mobileconfig profile —  OUIWhatsNewShownItemIds.  The previous key OUIWhatsNewLastShownLink is still needed to suppress the What’s New dialogs prior to 15.32.

Good News, Bad News, Better News, Best News, and Bestest News

The Good News is that the values of OUIWhatsNewShownItemIds are predictable. It starts at 1 and increases by 1 for every new feature that is to be listed in a What’s New dialog box.  The Bad News is that each application can have its own number of new features to display, so knowing how many values isn’t known ahead of time. The Better News is that there is a bug (VSO #1476177 – Give admins a better way to turn off the What’s New dialog for O365 users) reported by our same Microsoft friends to recognize a boolean to “Don’t show me any more What’s New dialogs for any new versions ever.”  The Bestest News is that the new boolean value coming in version 15.34 can be set in the key ShowWhatsNewOnLaunch to be -bool false in the com.microsoft.office domain for the entire suite.  No need for individual application domain settings to suppress What’s New dialogs. That feature is on track to be part of the 15.34 release on May 16th.

So, until May 16th, you can add a list of values to the OUIWhatsNewShownItemIds key to suppress dialogs until the boolean value is respected.  The array must be a complete list meaning you can’t just add a value of 10 and have that mean block all values 1-10.

Each application domain (com.microsoft.Excel, com.microsoft.onenote.mac, com.microsoft.Outlook, com.microsoft.Powerpoint, and com.microsoft.Word) will need the values added for OUIWhatsNewShownItemIds. The easiest way would be to add these values to the existing mobileconfig profiles from Not much, what’s new with you? and modify it like this example for Word. But come version 15.34 just use the new key in the com.microsoft.office domain and call it a night.

Tagged , , , ,

Office 2016 Preference Management Changes

Starting with Office version 15.33 you’ll have the ability to manage some suite-wide preferences via profile management. Previously, these settings were configurable via defaults commands but weren’t CFPrefs enabled to allow for profile management of the settings. Thanks to the hard work of Paul Bowden and Erik Schwiebert at Microsoft, along with the collaboration and feedback of Mac admins in the macadmins.org slack instance, this request of preference management has been made possible. And this is just the beginning. Now with the foundation for preference management in code this will allow for more management options in future versions.

When an Office 15.33 app is launched for the first time, the existing preferences in ~/Library/Group Containers/UBF8T346G9.Office/com.microsoft.officeprefs.plist will be migrated over to the new preference domain automatically. At that time a key will be set signaling that the migration has occurred.

Paul has put together a new site (http://www.office4mac.com) that showcases a video course educating users and admins of the management changes. Look for more videos to come. This video shows examples of the preference changes, how to manage them, and implementing them through a management system. It’s definitely worth the watch.

For me, the meat and potatoes of these changes are the keys and values that are manageable in the com.microsoft.office domain. Here is an example management profile of all the keys that can be managed.

suite-wide preferences.png

OfficeActivationEmailAddress adds a “Belongs to” value in the About box to list who owns the software.

DefaultsToLocalOpenSave – by default Office offers to open and save documents to OneDrive, however due to data security policies that may not be acceptable and confuse users. This key will set the default open and save dialog boxes of all Office apps to the standard System views.

VisualBasicMacroExecutionState has 3 values that relate to the “GUI settings” in Preferences->Security & Privacty in app:

DisabledWithWarnings – “Disable all macros with notification” (Default)

DisableWithoutWarnings – “Disable all macros without notification”

EnabledWithoutWarnings – “Enable all macros (not recommended; potentially dangerous code can run)”

I don’t recommend managing the HaveMergedOldPrefs key as that is set organically. If you set it to TRUE then the old pref won’t be migrated automatically on first run. If you manage it as FALSE then it will try and migrate on every launch.

The two debug keys msoridEnableLogging and msoridDefaultMinimumSeverity should only be set when debugging an issue and I don’t see a need to manage them centrally. Leaving them enabled isn’t recommended.

Seeing these preference options move to a manageable location is a big plus for us admins, not only for the specifics of these settings, but also in the willingness of Microsoft to make these changes based on admin feedback. This can only mean more good things in the future.

Tagged , , , , ,

How to remove accounts cleanly

When you want to get rid of an account that’s not being used on a computer anymore, how do you do that pragmatically?  Visiting the computer and going thru the System Preferences’ Users & Groups options is time consuming, inconvenient, and sometimes physically not possible.

Previously I’d say use dscl to remove the cached account credentials and rm -r /Users/username to remove the home folder.  However, that leaves behind pieces that has caused some issues.

Enter sysadminctl

This removes any running processes by that user, the home folder, the public share, the cached credentials, and disabling Back To My Mac for that user if set.

Example:

bash-3.2# ls /var/db/dslocal/nodes/Default/sharepoints/
Tester's Public Folder.plist eholtam's Public Folder.plist admin's Public Folder.plist

bash-3.2# sysadminctl -deleteUser tester
2017-03-14 21:28:05.241 sysadminctl[2093:60392] Killing all processes for UID 503
2017-03-14 21:28:05.242 sysadminctl[2093:60392] Removing tester's home at /Users/tester
2017-03-14 21:28:05.877 sysadminctl[2093:60392] Deleting Public share point for tester
2017-03-14 21:28:05.903 sysadminctl[2093:60392] Deleting record for tester
2017-03-14 21:28:05.930 sysadminctl[2093:60392] AOSKit INFO: Disabling BTMM for user, no zone found for uid=503, usersToZones: {
 502 = "1234567.members.btmm.icloud.com.";
}

bash-3.2# ls
eholtam's Public Folder.plist admin's Public Folder.plist

Future me will be using sysadminctl for all account deletion needs.

Tagged , , , , ,

Cache Active Directory credentials off-site

A scenario I ran into recently involved an existing user who had their computer re-imaged with OS 10.10.5.  Their user data was backed up and restored prior to returning the system to the user.  To restore data I first use createmobileaccount to create a home directory and cache user information based off of AD, then rsync the data into the local home directory.  Since I don’t know the user’s password I don’t use the -p option leaving the cached account information without a password. Instead, the password is cached the first time the user logs in.  However, that only works when the computer can talk to our AD environment.

This user didn’t log in prior to taking the laptop out of the office for the week (who does that after a computer upgrade?!).  Since no password was cached there was nothing to authorize their credentials against. This could make for a long week for this user.

Since I had already created a home folder with all the user data I didn’t want to erase it or even have to bother with moving it around to a temporary user account.  Instead I did the following to preserve the files and allow the user to log in off-site:

  1. Have the user log in as a local admin.
  2. Have the user log into our company VPN as themselves.
  3. I gained access to the computer via Apple Remote Desktop (ssh, ScreenSharing, or any other means would work as well)
  4. I removed the current cached user info, sans password with sudo dscl . -delete /Users/<username>. This removes the locally cached information for the user from /var/db/dslocal/nodes/Default/users/<username>.plist but leaves the /Users/<username> home folder data alone.
  5. I then issued sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n <username> -p <password> . I had the user type their password to match their AD account.

Step 5 recreates the cached user information in /var/db/dslocal/nodes/Default/users/<userid>.plist (as long as the computer can talk to Active Directory), but this time with a cached password. Log out of the admin account and now the user can log in as themselves off-site using their AD credentials and access the already created home directory in /Users/<username>.

Tagged , , , , , , , ,

Screen Sharing via Apple ID

Screen Sharing.app is a bundled application that lets you observe or control a remote computer.  Typically, the computer is already under your control and either has Screen Sharing enabled in the Sharing settings or a VNC server running.  But having a knack as a Mac whisperer doesn’t go unnoticed by family and friends.  There are times when it’d be really handy to be able to hop on a friend or family member’s computer to actually see what they’re trying to describe instead of talking thru it.  There are 3rd party services out there that can accomplish this but require downloading, installing, and configuring.  This feature just works* as long as the remote computer has an iCloud account setup on it, which at this point most do.

*Of course there are exceptions.  Firewall restrictions may not allow the traffic thru.

To start a session launch the Screen Sharing.app via Spotlight (command-space) and typing “Screen Sharing” or by navigating to /System/Library/CoreServices/Applications/Screen Sharing.app

Once it launches you’ll be presented with a field that asks for a hostname or Apple ID

hostnameorappleid

Start typing a name in your Contacts.  If you have contacts that have Apple IDs they’ll show up in blue text, similar to Messages.  It may take a few seconds for the names to be identified as Apple IDs and have the color change. If you know the Apple ID email address you can enter that directly as well.bluemeansicloud

Click the “Connect” button and the remote machine will get prompted to allow you to connect. Note, the prompt to connect will appear on all the machines that are setup with that Apple ID.

prompttoconnect

If the Apple ID of the instigating connection is in the receiver’s contacts, when “Accept” is clicked it will immediately allow Observe abilities of the remote screen.  If the Apple ID trying to connect doesn’t match a contact on the receiving machine the receiver will get this prompt.

notincontacts

Upon connection, by default the microphone is engaged so you can talk as well as see the remote screen. The microphone can be muted from menu bar extra if desired.  While connection is active the menu bar extra flashes to remind of that connection.

screensharingmenuextra

If you need to control the computer instead of just observe you can request control from the Screen Sharing window.  Once Control is asked for, the remote machine gets a prompt to allow control.

Tagged , , , , ,

Mac Admin QuickLook Tools

Quicklook has been around for a while and I harness its abilities to help me with my Mac admin life.  Apple advertised it for PDFs, images, and text files, however we admins can partake in the marketing highlight as well.

Below are a few of my favorite QuickLook plugins that I’ve been using for years.  Thankfully they still function.  Some have stopped development but are still available and going strong 7 OS revisions later.

QLStephen – Nothing fancy.  But it does let you view plain text files that don’t have a file extension. It is useful for reading files like README, INSTALL, CHANGELOG, Makefile, etc.

Scriptql – shows AppleScript .script files.  Getting rarer but good to have in a pinch.

QLColorCode – syntax highlighting of code and plist files.  Very handy for peeking in on .plists as the syntax is color coded.

syntax highlight

Much better

Screen Shot 2015-09-14 at 10.47.28 PM

 

Suspicious Package – My favorite.  It opens up .pkg and .mpkg installers to show the payload, scripts and other meta data about the installer.  It’s saved me so much time being able to peek in on an installer without having to deep dive into it.  I highly recommend it for anyone messing with .pkgs.

Suspicious Package quicklook Screen Shot 2015-09-14 at 10.53.21 PM

Please share your favorites in the comments.

Tagged , ,