APFS Disk Roles

APFS is Apple’s new file system coming sometime in 2017. In 10.12.x the disk management command line tools have been updated to recognize commands relating to APFS. diskutil has some APFS options, one of which being changeVolumeRole . In that verb there is a reference as to how to set the different roles the volume can be

From the manpage of diskutil:

changeVolumeRole | chrole volumeDevice roles
Change the role metadata flag bits of an existing
APFS Volume.

The roles should be any combination of one or more
of the characters busrvBUSRV in much the same man-
ner as diskutil apfs addVolume above, in which
unspecified flags are left alone, use of lower-case
causes flags to be cleared, and use of upper-case
causes flags to be set. Alternatively, clear will
remove all flags, or 0 can be used as a no-op for
scripting convenience. You should not make any
assumptions about the usage or legal combinations
of role bits.

Ownership of the affected disks is required.

But no where does it state what the roles BUSRV are.

The role of the disk can be observed by running diskutil apfs list

APFS Container (1 found)
|
+-- Container disk2 9C36DEF6-B883-462B-A227-84F8A60E3551
    ====================================================
    APFS Container Reference: disk2
    Capacity Ceiling (Size): 255883108352 B (255.9 GB)
    Capacity In Use By Volumes: 138276864 B (138.3 MB) (0.1% used)
    Capacity Available: 255744831488 B (255.7 GB) (99.9% free)
    |
    +-< Physical Store disk0s4 13E393EF-C27E-44EC-B238-A7CA8A842F50     | -----------------------------------------------------------     | APFS Physical Store Disk: disk0s4     | Size: 255883108352 B (255.9 GB)     |     +-> Volume disk2s1 CC9D66C2-345C-4415-92E4-8CDE3A396180
        ---------------------------------------------------
        APFS Volume Disk (Role): disk2s1 (No specific role)
        Name: apfTest
        Mount Point: /Volumes/apfTest
        Capacity Consumed: 24576 B (24.6 KB)
        Capacity Reserve: None
        Capacity Quota: None
        Cryptographic Security: None

Iterating thru the roles they translate to:

B = "Preboot"
U = "User"
S = "System"
R = "Recovery"
V = "VM"

A volume can be set with any combination of roles according to diskutil.

A volume with all roles set shows

APFS Volume Disk (Role):  disk2s1 (Preboot, User, System, Recovery, VM)

Office 2016 Preference Management Changes

Starting with Office version 15.33 you’ll have the ability to manage some suite-wide preferences via profile management. Previously, these settings were configurable via defaults commands but weren’t CFPrefs enabled to allow for profile management of the settings. Thanks to the hard work of Paul Bowden and Erik Schwiebert at Microsoft, along with the collaboration and feedback of Mac admins in the macadmins.org slack instance, this request of preference management has been made possible. And this is just the beginning. Now with the foundation for preference management in code this will allow for more management options in future versions.

When an Office 15.33 app is launched for the first time, the existing preferences in ~/Library/Group Containers/UBF8T346G9.Office/com.microsoft.officeprefs.plist will be migrated over to the new preference domain automatically. At that time a key will be set signaling that the migration has occurred.

Paul has put together a new site (http://www.office4mac.com) that showcases a video course educating users and admins of the management changes. Look for more videos to come. This video shows examples of the preference changes, how to manage them, and implementing them through a management system. It’s definitely worth the watch.

For me, the meat and potatoes of these changes are the keys and values that are manageable in the com.microsoft.office domain. Here is an example management profile of all the keys that can be managed.

OfficeActivationEmailAddress adds a “Belongs to” value in the About box to list who owns the software.

DefaultsToLocalOpenSave – by default Office offers to open and save documents to OneDrive, however due to data security policies that may not be acceptable and confuse users. This key will set the default open and save dialog boxes of all Office apps to the standard System views.

VisualBasicMacroExecutionState has 3 values that relate to the “GUI settings” in Preferences->Security & Privacty in app:

DisabledWithWarnings – “Disable all macros with notification” (Default)

DisableWithoutWarnings – “Disable all macros without notification”

EnabledWithoutWarnings – “Enable all macros (not recommended; potentially dangerous code can run)”

I don’t recommend managing the HaveMergedOldPrefs key as that is set organically. If you set it to TRUE then the old pref won’t be migrated automatically on first run. If you manage it as FALSE then it will try and migrate on every launch.

The two debug keys msoridEnableLogging and msoridDefaultMinimumSeverity should only be set when debugging an issue and I don’t see a need to manage them centrally. Leaving them enabled isn’t recommended.

Seeing these preference options move to a manageable location is a big plus for us admins, not only for the specifics of these settings, but also in the willingness of Microsoft to make these changes based on admin feedback. This can only mean more good things in the future.

How to remove accounts cleanly

When you want to get rid of an account that’s not being used on a computer anymore, how do you do that pragmatically?  Visiting the computer and going thru the System Preferences’ Users & Groups options is time consuming, inconvenient, and sometimes physically not possible.

Previously I’d say use dscl to remove the cached account credentials and rm -r /Users/username to remove the home folder.  However, that leaves behind pieces that has caused some issues.

Enter sysadminctl

This removes any running processes by that user, the home folder, the public share, the cached credentials, and disabling Back To My Mac for that user if set.

Example:

bash-3.2# ls /var/db/dslocal/nodes/Default/sharepoints/
Tester's Public Folder.plist eholtam's Public Folder.plist admin's Public Folder.plist

bash-3.2# sysadminctl -deleteUser tester
2017-03-14 21:28:05.241 sysadminctl[2093:60392] Killing all processes for UID 503
2017-03-14 21:28:05.242 sysadminctl[2093:60392] Removing tester's home at /Users/tester
2017-03-14 21:28:05.877 sysadminctl[2093:60392] Deleting Public share point for tester
2017-03-14 21:28:05.903 sysadminctl[2093:60392] Deleting record for tester
2017-03-14 21:28:05.930 sysadminctl[2093:60392] AOSKit INFO: Disabling BTMM for user, no zone found for uid=503, usersToZones: {
 502 = "1234567.members.btmm.icloud.com.";
}

bash-3.2# ls
eholtam's Public Folder.plist admin's Public Folder.plist

Future me will be using sysadminctl for all account deletion needs.

Sierra’s Built-in Storage Management Utility

New with Sierra there is a built-in utility to help keep disk storage space available.  The function is part of the System Information.app and is accessed a few ways:

1.  => About This Mac => Storage => Manage…
2. (Hold the option key down)  => System Information… => Window => Storage Mangement (Cmd-U)
3. /Applications/Utilities/System Information.app => Window => Storage Mangement (Cmd-U)

Once launched it will proceed to gather data sizes of categories of interest. The available and total disk space will be listed in the window’s name.

First you’ll see some recommendations of ways to keep disk space available.  Each has its own set of gotchas so be sure to make note of the implications:

Store in iCloud —

There has been some interesting discoveries in the behavior surrounding iCloud Desktop and Documents.  See iCloud Desktop and Documents in macOS Sierra – The Good, The Bad and the Ugly for a full rundown. Even though these checkboxes are checked by default, that doesn’t represent the actual state of the setting.  On my machine I have Desktop and Documents turned off in the iCloud preference pane yet this box shows as checked.

Optimize Storage —

Empty Trash Automatically —

If you’re one of those that can’t commit to deleting things once put in the Trash, let the OS handle it for you.

Reduce Clutter —

This option opens the Documents listing.

Along the left are categories and the amount of space each is taking up.  Accessing those brings up a list sorted by largest on top.  If you want to remove an individual listing, right click and select Delete. Even though Applications are listed, non-admins can’t remove applications without admin credentials.

Thanks to @adamcodega for pointing this tool out.

Cache Active Directory credentials off-site

A scenario I ran into recently involved an existing user who had their computer re-imaged with OS 10.10.5.  Their user data was backed up and restored prior to returning the system to the user.  To restore data I first use createmobileaccount to create a home directory and cache user information based off of AD, then rsync the data into the local home directory.  Since I don’t know the user’s password I don’t use the -p option leaving the cached account information without a password. Instead, the password is cached the first time the user logs in.  However, that only works when the computer can talk to our AD environment.

This user didn’t log in prior to taking the laptop out of the office for the week (who does that after a computer upgrade?!).  Since no password was cached there was nothing to authorize their credentials against. This could make for a long week for this user.

Since I had already created a home folder with all the user data I didn’t want to erase it or even have to bother with moving it around to a temporary user account.  Instead I did the following to preserve the files and allow the user to log in off-site:

1. Have the user log in as a local admin.
2. Have the user log into our company VPN as themselves.
3. I gained access to the computer via Apple Remote Desktop (ssh, ScreenSharing, or any other means would work as well)
4. I removed the current cached user info, sans password with sudo dscl . -delete /Users/<username>. This removes the locally cached information for the user from /var/db/dslocal/nodes/Default/users/<username>.plist but leaves the /Users/<username> home folder data alone.
5. I then issued sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n <username> -p <password> . I had the user type their password to match their AD account.

Step 5 recreates the cached user information in /var/db/dslocal/nodes/Default/users/<userid>.plist (as long as the computer can talk to Active Directory), but this time with a cached password. Log out of the admin account and now the user can log in as themselves off-site using their AD credentials and access the already created home directory in /Users/<username>.

Flash Player 20.0.0.235 Adds Phone Home Analytics

Update: This issue seems to be isolated to version 20.0.0.235 as subsequent releases do not contain the LaunchDaemon and executable.  

Starting with the Flash Player 20.0.0.235 there are two new files added to the installer that attempt to send anonymous analytic data back to Adobe.  The files are a new LaunchDaemon at /Library/LaunchDaemons/com.adobe.SC.FPFeedbackService-1.0.plist that fires off  /Library/Application Support/Adobe/FPFeedbackService.  Running strings against the FPFeedbackService binary reveals some interesting tidbits:

# Following anonymous information is being collected from your machine.
# OS, OSType
- Operating System details
# UserAgent
- Browser details
# FlashVersion
- Installed Flash Player version
# RenderMode
- Represents the render mode of the SWF content.
# SWFVersions
- It is the list of SWF Versions played in browser and their count.
e.g. SWF10|23 means that SWF file having version 10 have been played 23 times.
# ASVersions
- It is the list of Action Script Versions associated to SWF files and their count.
e.g. AS2|10 means SWF file having Action Script Version 2 have been played 10 times.
# APIList
- The API List represents the collated API and its count in all played SWF files.
API names have been encoded to reduce the network traffic.
e.g. flash.display3D::Context3D will be encoded as 17.

and

User has disabled the service.Exiting.
Analytics Disabled.Exiting.


I found no option for disabling the analytics in the Flash Player PreferencePane.  Flash Player’s configuration can be managed with a /Library/Application Support/Macromedia/mms.cfg configuration file.  That’s how automatic updates have been suppressed previously. However, there is no mention of the new analytics or how to disable it in the ADOBE® FLASH® PLAYER 20.0 Administration Guide.  There is no mention in the blog post announcing the release, either. I’ve submitted a comment to that post for clarification but it has yet to be approved by a moderator.

The macadmins Slack team discussed, dug in, and and discovered that it can most likely be disabled by adding the entry DisableAnalytics=1 to the mms.cfg file.

To suppress automatic updates and disable analytics, the mms.cfg file should look like:

AutoUpdateDisable=1
SilentAutoUpdateEnable=0
DisableAnalytics=1

Help them help you

I support computers AND users. I’m sure you do, too. My users aren’t expected to know their IP address or how to find it. Occasionally I get in a situation where I can’t pre-fetch a computer name for a user I’m about to call. Once I get the user on the horn I’ll need to have them find that IP and give it to me so I can assist remotely. To make the discovery easier I wrote a quick little Applescript app they can run that outputs the computer’s hostname and current active IP address. It offers to put the name or IP address in their clipboard for easier transfer and avoid typos via IM or email.

Below is the code and output:

Installing VMWare Tools on a Netboot NBI

Netboot is great.  VMWare Fusion is great. Yosemite is….Netboot and VMWare are great. I use VMs to test things on our builds at work.  To get those VMs setup I use our imaging process that utilizes Netboot.  However, I discovered that, new with Yosemite, when the VM Netbooted to our Yosemite NBI I wasn’t able to login to OS X. After typing in the username and password the login attempt would just hang with the spinning gear turned beachball.  No bueno. Turns out all it requires is getting the VMWare Tools installed on the NBI.  No problem right? But VMWare’s installer (read: .app) doesn’t allow installing on a non-boot volume.  Crap.  This wouldn’t be a very interesting post if we stopped here so…

TL;DR: you need to mount the NBI and install the tools via the CLI ‘installer’ command.

First, make sure that your existing NBI is read/write when mounted.  In my case the NBI is actually a .sparseimage but renamed to .dmg for Netboot use.  When mounting the image named .dmg it mounts as read-only.  Renaming the .dmg to .sparseimage mounts the volume as read-write. YMMV. There are ways to convert disk images to read-write. I’ll leave that discovery up to you if your environment requires it.

VMWare Tools acquisition/installation:

There are a couple ways to get the tools.  I prefer to pull the tools from the VMWare Fusion.app bundle itself to guarantee that the version of VMWare Fusion you’re running is compatible with the tools. If you want an automated way using AutoPkg to get the latest tools check out Rich Trouton’s post at Der Flounder.  You can also download the tools if you know what version you need at VMWare’s repository.

Locally, the tools are located in the application bundle found at /Applications/VMware\ Fusion.app/Contents/Library/isoimages/darwin.iso

Mounting that image results in the installer and uninstaller.

However attempting to use the .app installer will fail as it won’t let you target the install on a non-boot drive.  Since it’s a .app “installer” there must be a .pkg buried in the bundle. To get the actual installer .pkg right click on “Install VMWare Tools.app” and choose “Show Package Contents”.  Navigate to the /Volumes/VMware\ Tools/Install\ VMware\ Tools.app/Contents/Resources/ directory.  There you’ll find “VMWare Tools.pkg”. Jackpot.

Copy the “VMWare Tools.pkg” to the computer where the NBI is mounted and run ‘installer’ pointing the target at the mounted Netboot NBI.

 sudo installer -pkg /Volumes/VMware\ Tools/Install\ VMware\ Tools.app/Contents/Resources/VMware\ Tools.pkg -target /Volumes/Yosemite\ NetBoot -verbose

That will install on the mounted volume.  Once complete, unmount the NBI, rename it if necessary, and you should now be able to log into a Yosemite NBI when Netbooted in VMWare Fusion.

createmobileaccount workaround for 10.10.3

UPDATE: As of Mac OS X 10.10.4 this issue has been addressed by Apple. The following still applies to 10.10.3 installs. 

Since 10.10.3 was released on April 8, 2015, the Mac admin community has had the privilege of discovering what’s broken with this new OS. We knew about the rootPipe fix but not it’s unintended collateral damage. One piece that was discovered comprimised is the tool “createmobileaccount” found in /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount. This tool can be used to pre-create a home folder and add the user to the local directory service node without having a user log in. It can also dynamically verify that the account attempting to be made actually exists in the directory service prior to creating the account. That can be handy for restoring user data, creating a directory based account prior to sending off-site, or giving a user admin rights prior to deployment. As of 10.10.3 and it’s rootPipe fix, that tool is broken. BUT, there is a workaround.

The workaround to still use createmobileaccount is to do the following*:

1. Copy the user template to create the home folder: cp -R /System/Library/User\ Template/English.lproj /Users/${newUser}
2. Change rights on the folder for the new user: chown -R ${newUser}:staff /Users/${newUser}
3. Run createmobileaccount: /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n ${newUser}

Take note if you implement this workaround in your workflow that the home folder is being created before createmobileaccount is run.  If createmobileaccount fails, the home folder you created will still exists and you may want to clean that up depending on the environment.

*thanks to mm2270’s post on JAMFNation.

10.10 – Boot Hangs after Deleting /var/folders Directory

UPDATE 4-13-2015: Apple replied back to my bug report stating it behaves as expected and deleting the /var/folders directory is not supported. So….don’t delete /var/folders.

Previously, in OS 10.9 it has been documented that removing the data in /private/var/folders is a good troubleshooting step for various reasons. There is a good writeup at blog.magnusviri.com describing what /var/folders contains and what issues arise from its bloat. Up thru OS 10.9.5 it hasn’t been an issue deleting contents or the parent directory.

The article above mentions deleting just the contents of /var/folders, which is still good advice. However a haphazard deletion of the /var/folders directory itself will cause issues in 10.10. If you delete the parent folder /var/folders and reboot, the computer will boot to about 50% and hang indefinitely. It will look a lot like the “loginLockout” behavior except the progress bar is at around 50% instead of 33% and the cursor is on screen. Don’t be fooled as I was. This is not loginLockout.

Examining the boot drive while booted from another source showed many errors in system.log when booting about /var/folders/zz not being present. Surprisingly it appears that mkdir is being called but unable to create the directory structure.

.
.
.
Mar 19 09:40:26 macadmins-Mac.local dirhelper[1008]: mkdir(/var/folders/tx): No such file or directory
Mar 19 09:40:26 macadmins-Mac xpcproxy[1007]: libcoreservices: _dirhelper_userdir: 351: stat: /var/folders/tx/56ff45qs2rlc89vggkr8x3yr0000gn/: No such file or directory
Mar 19 09:40:26 macadmins-Mac.local dirhelper[1008]: mkdir(/var/folders/tx): No such file or directory
Mar 19 09:40:26 macadmins-Mac fontworker[1007]: libcoreservices: _dirhelper_userdir: 351: stat: /var/folders/tx/56ff45qs2rlc89vggkr8x3yr0000gn/: No such file or directory
Mar 19 09:40:26 macadmins-Mac fontworker[1007]: libcoreservices: _dirhelper: 454: mkdir: path=/var/folders/tx/56ff45qs2rlc89vggkr8x3yr0000gn/T/ modes[1]=0700: No such file or directory
Mar 19 09:40:26 macadmins-Mac fontworker[1007]: libcoreservices: _dirhelper: 454: mkdir: path=/var/folders/tx/56ff45qs2rlc89vggkr8x3yr0000gn/C/ modes[2]=0700: No such file or directory
Mar 19 09:40:27 macadmins-Mac storeassetd[304]: libcoreservices: _dirhelper: 454: mkdir: path=/var/folders/tx/56ff45qs2rlc89vggkr8x3yr0000gn/T/ modes[1]=0700: No such file or directory
Mar 19 09:40:27 macadmins-Mac fontd[227]: libcoreservices: _dirhelper: 454: mkdir: path=/var/folders/tx/56ff45qs2rlc89vggkr8x3yr0000gn/T/ modes[1]=0700: No such file or directory
Mar 19 09:40:31 macadmins-Mac.local dirhelper[1008]: mkdir(/var/folders/tx): No such file or directory
Mar 19 09:40:31 macadmins-Mac xpcproxy[1011]: libcoreservices: _dirhelper_userdir: 351: stat: /var/folders/tx/56ff45qs2rlc89vggkr8x3yr0000gn/: No such file or directory
Mar 19 09:40:31 macadmins-Mac.local dirhelper[1008]: mkdir(/var/folders/tx): No such file or directory
Mar 19 09:40:31 macadmins-Mac xpcproxy[1012]: libcoreservices: _dirhelper_userdir: 351: stat: /var/folders/tx/56ff45qs2rlc89vggkr8x3yr0000gn/: No such file or directory
Mar 19 09:40:31 macadmins-Mac fontd[227]: libcoreservices: _dirhelper: 454: mkdir: path=/var/folders/tx/56ff45qs2rlc89vggkr8x3yr0000gn/T/ modes[1]=0700: No such file or directory
Mar 19 09:40:31 macadmins-Mac fontd[227]: libcoreservices: _dirhelper: 454: mkdir: path=/var/folders/tx/56ff45qs2rlc89vggkr8x3yr0000gn/T/ modes[1]=0700: No such file or directory
Mar 19 09:40:31 macadmins-Mac loginwindow[64]: libcoreservices: _dirhelper: 454: mkdir: path=/var/folders/tx/56ff45qs2rlc89vggkr8x3yr0000gn/T/ modes[1]=0700: No such file or directory
Mar 19 09:40:31 macadmins-Mac fontd[227]: libcoreservices: _dirhelper: 454: mkdir: path=/var/folders/tx/56ff45qs2rlc89vggkr8x3yr0000gn/T/ modes[1]=0700: No such file or directory
Mar 19 09:40:31 macadmins-Mac.local locationd[241]: Could not write data to disk /var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C/cache.plist
Mar 19 09:40:45 localhost dirhelper[61]: /var/folders/: invalid ownership
.
.
.

To fix the issue I had to maually recreate the directories folders/zz in /var to allow the system to boot once again.

I’ve file a bug report and posted on OpenRadar.