NOTE: This page contains information that is only useful to Helpdesk / LIS faculty and staff. Therefore I'm considering moving this information to our Internal wiki. If you feel that this information is important to the general public and/or do NOT think that this move is appropriate, please comment on the discussion page.

--Hunt, Christopher 14:59, 17 November 2009 (UTC)

Mac Deployment, Management and Packaging

See Mac Deployment and Mac System Management Tools

Packaging Mac Software and Other Files

• The Commandments of Packaging in OS X

System, disks, users

Mount the PC portion (ISO 9660) of a hybrid disk on a Mac

This may be useful if you need to extract documentation or other files for the PC side of a hybrid disk, but all you have is a Mac.

1. Unmount the mac cd volume via disk utility (don't eject just dismount). Find the disk ID of the CD/DVD drive by selecting the CD/DVD device in disk utility and clicking the Info icon.
2. Open terminal and type:
   sudo mkdir /Volumes/myisodisk
   sudo mount -t cd9660 /dev/diskID /Volumes/myisodisk
   replace the diskID above with the disk ID you got in step 1.
3. That's it. Browse the cd via the Finder.

Scripting Adding and Removing Network Interfaces

See man networksetup

Why your Mac might not sleep

http://support.apple.com/kb/HT1776

Also: Sleep delayed if print job is in progress or printer isn't available (http://support.apple.com/kb/TS3216)

Refresh disk arbitration

Note: This may force disks that haven't mounted to mount.

disktool -r

Enable Journaling

diskutil enableJournal /

Matching Mac Model Name with Model Identifier, Mac OS X Build, production date, and Apple Hardware Test version

1. Get Model IDENTIFIER from System profiler (it will look like Model Identifier: MacBookPro2,2)
2. Visit http://mactracker.dreamhosters.com/iphone/#_modelWindow and find the model with that identifier
3. Done

More useful resources:

• http://support.apple.com/kb/HT1159
• http://www.chipmunk.nl/cgi-fast/applemodel.cgi
• http://www.apple.com/support/
• http://www.apple.com/support/serviceassistant/
• http://mactracker.dreamhosters.com/iphone/#_modelWindow
• http://www.appleserialnumberinfo.com/Desktop/index.php

Programatically Delete Cached User Accounts

From http://developer.apple.com/releasenotes/MacOSXServer/RN-DirectoryServices/index.html

# Script to remove cached accounts in the local DS node
# This should work in both Tiger and Leopard
# Run this script as root or with sudo
#!/bin/sh

# dscl searching only does exact matches.  So we list the records and pipe them through to grep to find the list of records we want.
# The first column will be the username and we get that using awk.
# We also remove the line endings with tr to make it one long string.

for cuser in `dscl . -list /Users AuthenticationAuthority | grep LocalCachedUser | awk '{print $1}' | tr '\n' ' '`; do
dscl . -delete /Users/$cuser                    # now we delete the record using dscl
done

More resources: http://www.macosxhints.com/article.php?story=20080127172157404
http://www.google.com/search?client=safari&rls=en-us&q=leopard+script+delete+user+account+dscl&ie=UTF-8&oe=UTF-8

Enabling Directory Service debug logging

sudo touch /Library/Preferences/DirectoryService/.DSLogDebugAtStart
sudo sudo killall -USR1 DirectoryService

Disabling Directory Service debug logging

sudo rm /Library/Preferences/DirectoryService/.DSLogDebugAtStart
sudo sudo killall -USR1 DirectoryService

Resetting Mac OS X Machine Account Domain Password

See http://www.afp548.com/article.php?story=20061217110502523

Forcefully remove a Mac from the domain

sudo dsconfigad -r -f -u username -p password

Where "username" is the username that was used to add the machine to the domain, and "password" is this username's password.

Resetting Directory Service Settings

This is useful in cases where removing/adding the computer from/to the domain does not work using the standard method (Manually Add a Mac to the Domain). The instructions below forcefully remove (unbind) the mac from the domain:

1. Login with a local account.
2. Open the Terminal application
3. Enter each of the lines below, followed by pressing enter:

sudo rm -rdfv /Library/Preferences/DirectoryService
sudo rm -rdfv /var/db/dslocal/nodes/Default/config
sudo sudo killall -USR1 DirectoryService

1. Open Macintosh HD => Applications => Utilities => MIDD => Midd1stBootConfig.
2. Follow the on-screen instructions. When the "Update User Template" application opens, click "Quit".
3. Reboot and try logging in again with your domain account. If that fails Manually Add a Mac to the Domain.

Lookup Certificates from Active Directory

http://support.apple.com/kb/HT3915

Force the Generation or Creation of a Kerberos Ticket

http://support.apple.com/kb/HT4100

Summary:

edit /etc/authorization and under <key>system.login.console</key> add:
<string>builtin:krb5store,privileged</string>

Slow SMB Access - Possible Fix

sudo sysctl -w net.inet.tcp.delayed_ack=0

P.S. "CIFS" as newer revision of SMB - SMB doesn't lock files properly and results in errors saving files when the files have been opened within an application (as opposed to opening in the Finder) - not likely a speed issue, but worth noting here.

Macs Randomly Unbinding from Domain

• If the problem is that the user recently changed their password and the computer is still remembering the old one, try updating the Login keychain: http://support.apple.com/kb/ht1631#
• For cases where the connection to the domain has been lost entirely, stuck Macs of 10.6 and below can be reset by deleting the kerberos.mydomain.plist and restarting the DirectoryService; this is what the "Re-Bind 10.6-" policy on Casper does.
• They changed how domain binding works in Lion; the "Re-Bind 10.7+" policy was designed to address this, but as of 2013.03.18 it does not work. For now:
  1. Go to System Preferences>Users & Groups>Login Options.
  2. "Network Account Server" should say MIDD; click Edit, then Open Directory Utility.
  3. Select Active Directory (the first option) and click the pencil below to edit.
  4. Click Unbind and enter domain technician credentials.
  5. In the "Active Directory Domain" field, type "middlebury.edu", click Bind, and enter your credentials again.
  6. Click Show Advanced Options and adjust some checkboxes:
     • YES, Create mobile account at login
       • NO, do not require confirmation
     • Yes, default user shell
  7. Then on the Administrative tab:
     • YES, Allow administration by:
       • Add "MIDD\Helpdesk Staff" to the list
     • Yes, allow authentication from any domain in the forest
  8. Close that window and hit Apply in the Directory Utility window if highlighted, then close it.
  9. Back in Users and Groups, under Login Options, confirm the following:
     • Automatic login OFF
     • Display login window as Name and Password
     • Show the Sleep, Restart, and Shut Down buttons
     • Allow network users to log in at the login window

You can check the connection to the domain by unlocking a system preference with your credentials. It's also good to check that users who haven't logged into the computer before can login over the network.

• This might be a good way to prevent the problem from happening: "change the passinterval on the clients. I ran the following script via Apple Remote Desktop as root and haven't had any problems since:
  dsconfigad -f -r -u ADadminusername -p ADadminpassword -lu localadminusername -lp localadminpassword
  sleep 10
  dsconfigad -lu localadminusername -lp localadminpassword -passinterval 0
  sleep 10
  computerid=`/usr/sbin/scutil --get LocalHostName`
  dsconfigad -f -a $computerid -domain yourdomain -u ADadminusername -p ADadminpassword -lu localadminusername -lp localadminpassword -ou ou=yourOU,DC=yourDC,DC=yourDC -status
  Source:http://www.macwindows.com/snowleopardAD.html#051810d

Cannot Login with Domain Account

• Mac is properly bound to AD
• Logging in with local account works
• Cannot login with Domain Account

Troubleshooting:

• Verify connected with Ethernet, then reboot (confirms Ethernet priority over wireless, syncs system time)
• UNCheck home dir setting in Directory Utility
• Tinker with UID settings (see http://www.macwindows.com/snowleopardAD.html#051810d)

Change of Username

When AD account username is changed, old username will continue to be in use for logging into the Mac. This is the solution to update the account for use with the new username:

• Back up user files - just in case
• Reboot, then log in with an administrator account (not the one to be changed)
• System Preferences > Users & Groups (may vary by OS)
• Unlock, select account, click on "-" to delete account, choose "Don't change the home folder" option!!!!!
• Browse in Finder to /Users/, rename the old user folder to match the new username
• Log in with new username -- if prompted to use existing folder, do so (depending on binding/directory services, it may be necessary to create the new account manually in System Preferences). Ideally, the new username will match the username listing in the MDM (ex. Jamf)
• This process can be modified to work with local accounts, or changed network accounts, though this will require additional permissions work (see "chown") and work in Keychain Access (based on lack of access to these resources when first logging in)
• Permissions may also be fixed in Finder > Go > Get Info > unlock > verify new user is listed as owner for user home folder and that permissions are copied to all contents
• Finder Favorites may need to be rebuilt.
• If the computername should be changed as well, see http://mediawiki.middlebury.edu/wiki/LIS/Advanced_Mac_Configuration_Topics#Remedying_and_preventing_duplicate_DDNS_registrations_in_Mac_OS_X.2C_or_.2C_steps_to_fully_rename_a_Mac_--_may_be_able_to_omit_Keychain_and_Kerberos_commands.

Slow Authentication at Login Screen

As a troubleshooting step, try specifying the domain name along with the username at the login screen. Other options include editing the LDAP timeout in the Directory Service plist. Source: http://www.macwindows.com/snowleopardAD.html#051810d 

GSSAPI Error - Kerberos

http://support.apple.com/kb/TS3070

Reset Mac user or admin password

Can require install disks to reset if you have forgotten the old password. Help here

Give admin (administrator) privileges to a user using the Terminal

Open Terminal, type the line below, hit enter:

sudo dscl . -append /Groups/admin GroupMembership usernamegoeshere

The reverse step uses "-delete" in place of "-append" - use this to remove admin privileges - this can be also useful to remove account information from the 'admin' or 'staff' groups in the case of a username change (remove entries for the old username to allow login with the new username on the same account)

To check who's an admin currently:

dscl . -read /Groups/admin | grep GroupMembership

The above can also be used in ARD commands or in shell scripts.

Upgrade groups to the new UID format

This allows nested group (i.e. a domain group to be a member of a local group).

dseditgroup -o edit -t group -f n groupnamegoes here

Make the admin group a member of the _lpadmin group

• Easy solution: Connect to Middfiles and open Software => Software Macintosh => Quick-Fixes. Double-click Add Printer - Permissions Problem Fix (lpadmin).app
• The harder solution (run commands below): This converts the _lpadmin and the admin group to the new format, adds the key NestedGroups to the _lpadmin group and populates it with the GUID of the admin group. Finally, the admin account is made a member of the _lpadmin group.

dseditgroup -o edit -t group -f n admin
dseditgroup -o edit -t group -f n _lpadmin
dseditgroup -o edit -a admin -t group _lpadmin
dscl localhost -create /Local/Default/Groups/_lpadmin NestedGroups ABCDEFAB-CDEF-ABCD-EFAB-CDEF-00000050
dseditgroup -o edit -a admin -t group _lpadmin

Add an application to the dock using a script

• Add for current user:

defaults write com.apple.dock persistent-apps -array-add "<dict><key>tile-data</key><dict>\
<key>file-data</key><dict><key>_CFURLString</key><string>/Applications/Final Cut Express.app</string>\
<key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>";

• Add for default user template:

defaults write /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.dock \
persistent-apps -array-add "<dict><key>tile-data</key><dict><key>file-data</key>\
<dict><key>_CFURLString</key><string>/Applications/Final Cut Express.app</string>\
<key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>";

• Add for all users (current and future):

for folder in /Users/*
do
defaults write $folder/Library/Preferences/com.apple.dock persistent-apps -array-add \
"<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key>\
<string>/Applications/Final Cut Express.app</string><key>_CFURLStringType</key>\
<integer>0</integer></dict></dict></dict>";
currentuser=`basename $folder`
chown $currentuser $folder/Library/Preferences/com.apple.dock.plist
done

Run a command for each user

for folder in /Users/* echo "Doing a command for $folder" done

For example, this command sets the default printer to LIB242K:

for folder in /Users/*
do
echo Default LIB242K > $folder/.cups/lpoptions
chmod 777 $folder/.cups/lpoptions
done

Distribute a file to each user's home dir

E.g. distribute custom print settings to each user

for folder in /Users/*
do
ditto -V $folder/Library/Preferences/com.apple.print.custompresets.plist \
$folder/Library/Preferences/com.apple.print.custompresets.bak
ditto -V /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.print.custompresets.plist \
$folder/Library/Preferences/com.apple.print.custompresets.plist
chmod 777 $folder/Library/Preferences/com.apple.print.custompresets.plist
done

ARD techniques

Sharing ARD Preferences with other users

See http://www.versiontracker.com/dyn/moreinfo/macosx/10907697 (Seize the ARD).

ARD - Limit the number of simultaneous authentication requests

http://support.apple.com/kb/HT3803

ARD - Disable build_hd_index

http://support.apple.com/kb/HT1088

Known ARD Issues

See Known ARD Issues.

Desirable ARD commands

• Set disk permissions. Ignore permissions.
• Add ACLS for folders
• Run login permission script
• unbind/rename/rebind/rescan/apply proper admin privs.
• login items fix

Installing (Pushing) Adobe CS via ARD

Note: This assumes you've created a disk image with the applications (from /Applications), and a disk image with the settings (in /Library/Application Support, as well as /Library/Preferences).

hdiutil attach /adobepro.dmg
ditto -V /Volumes/adobepro /Applications
hdiutil detach /Volumes/adobepro
rm -rdfv /adobepro.dmg

hdiutil attach /settings.dmg
ditto -V /Volumes/settings /Library
hdiutil detach /Volumes/settings
rm -rdfv /settings.dmg

Installing LabStats via ARD

• Requirements: If the client computers are running Mac OS X Leopard, you need LabStats version 4.4.x (at least).

1. On your ARD computer, visit the labstats admin page and download the Mac installer.
2. Unzip it the package, and you will get two files (one ending in tar.gz, one ending in conf)
3. Unpack the tar file (double-clicking should suffice) until you see the install package (ends with pkg).
4. Open ARD, select the client computers (the ones that need labstats), then click "Copy"
5. Drag the pkg file and the conf file to the upper portion of the copy window (you can also use the + button), under "Place Item In" specify the full destination to "/tmp" (without the quotes), then click Copy.
6. When the copy process finishes, select the same computers again and click the Unix command button. In the window that appears, paste these lines in the upper portion:

   installer -package /tmp/labstats_mac_client_installer.pkg -target / 

rm -rdfv /tmp/labstats* 

1. Under "Run the command as" enter the user "root" and click "Send"

Mute or set volume via ARD

osascript -e "set volume 0"

Change the zero to another number to set the volume to a higher value. Zero is mute. This seems to be system wide. It also mutes the startup chime. Good for classrooms. If headphones are plugged in, they have a separate volume setting.

Make Macs Speak via ARD

say "I hate Macs"

Set the Open Firmware password via ARD

Note: You need our Open Firmware package for this! It should be on our Mac server.

sudo ofpassword set blahblah123

Enable SSH via ARD

This seems to work:

systemsetup -setremotelogin on

If you get saclutil you can restrict ssh login to a single user or group:

saclutil -s ssh -a -u jsmith

group: saclutil -s ssh -a -g admin

To undo SACLs for ssh:

saclutil -s ssh -d

Some other ideas:

echo yes | /System/Library/CoreServices/RemoteManagment/ARDAgent.app/Contents/Support/systemsetup -setremotelogin on
/sbin/service ssh start
echo "AdminsPassHere" | sudo service ssh start

This seems to work until reboot:

/usr/sbin/sshd

Enable ARD remotely

e.g. via SSH

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -access -on -users admin -privs -all

If nothing's been enabled, the full line should look like: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users admin -privs -all -restart -agent -menu

Mount AFP volume via applescript via ARD

osascript -e 'mount volume "afp://user:password@computername/Macintosh HD"'

Check if a process is running via ARD

E.g. Check if AFP server is running

ps -axww | grep -i "AppleFileServer"

Start AFP sharing remotely

1. Change /etc/hostconfig so that AFPSERVER=-YES=
2. Send unix script

   sudo AppleFileServer

TWICE

Get folder size via ARD

du -d 1 -h /Users/Shared/editingclass

Set power management on Macs via ARD

Can be done using the pmset command. Remember to always execute this command as user "root" in ARD. Examples:

• Instructor stations that need to remain awake for the duration the class:

  pmset -a sleep 0 disksleep 10 displaysleep 75

The sleep parameter tells the computer never to sleep, disksleep makes the hard disk spin down in 10 minutes, displaysleep makes the monitor remain awake for 75 minutes.

• Regular workstations that need to remain awake for management purposes can turn off the screen (e.g. after 35 mins) and spin down the hard disk to save power:

  pmset -a sleep 0 disksleep 10 displaysleep 35

• Alternatively, the machines can be turned off / set to sleep whenever and you designate a "remote management" time period (say, every day after 3:00am). The Mac OS X power management allows you to set the computer to wake up or power on at a specific day and time. This way if a machine was turned off or set to sleep, it can become available for updates, etc. Here's an example:

  pmset repeat wakeorpoweron MTWRF 03:00:00

This wakes the machine (if it's asleep) or powers it on (if it's turned off), every weekday at 3am.

Get Link Speed

ioreg -l | grep "IOLinkSpeed"

Divide by 1000000 to get "human readable".

Application tips

Pushing LabStats via ARD

Labstats can be pushed via ARD. There are two methods, both start with the same process:

1. On a machine with ARD, grab the Mac labstats installer from http://labserver:8080/admin
2. Unpack it, you'll get two files - a pkg package and a "conf" file.

Method 1: Copy the labstats.conf file INSIDE the installer (ctrl+click on the installer, open Contents => Resources => drag the conf file in here). Open the file named "postflight", delete everything in it and replace it with:

#!/bin/sh

ditto "$1/Contents/Resources/labstats.conf" /private/etc/labstats.conf
chown root:wheel /private/etc/labstats.conf
SystemStarter start LabstatsClient

Method 2: Push the default config file AFTER pushing labstats: Use the ARD "copy" button to copy the conf file to a custom destination: /etc

Reset Spotlight

sudo mdutil -i off /
sudo mdutil -E /
sudo mdutil -i on /

Update Symantec AntiVirus

LiveUpdate -update LUal -liveupdatequiet YES -liveupdateautoquit YES

LiveUpdate tends to be in the root library support folder: /Library/Application\ Support/Norton\ Solutions\ Support/LiveUpdate/LiveUpdate.app/Contents/MacOS/LiveUpdate -update LUal -liveupdatequiet YES -liveupdateautoquit YES

Check when an application was last opened

mdls -name kMDItemLastUsedDate /Application/Application.app

Check an entire folder:

mdls -name kMDItemLastUsedDate /Application/*

Filter applications from an entire folder:

mdls /Applications/Adobe\ Photoshop\ CS/* | egrep '(kMDItemLastUsedDate|kMDItemDisplayName)' \
| egrep '(kMDItemLastUsedDate)|(app)'

Batch checking

mdls "/Applications/Macromedia Dreamweaver MX 2004/Dreamweaver MX 2004" \
| egrep '(kMDItemLastUsedDate|kMDItemDisplayName)'  | egrep '(kMDItemDisplayName|2008-10*|2008-11*)'
mdls "/Applications/Macromedia Flash MX 2004/Flash MX 2004" \
| egrep '(kMDItemLastUsedDate|kMDItemDisplayName)'  | egrep '(kMDItemDisplayName|2008-10*|2008-11*)'
mdls "/Applications/Macromedia Fireworks MX 2004/Fireworks MX 2004" \
| egrep '(kMDItemLastUsedDate|kMDItemDisplayName)'  | egrep '(kMDItemDisplayName|2008-10*|2008-11*)'

mdls "/Applications/Adobe Photoshop CS/Adobe Photoshop CS.app" \
| egrep '(kMDItemLastUsedDate|kMDItemDisplayName)'  | egrep '(kMDItemDisplayName|2008-10*|2008-11*)'
mdls "/Applications/Adobe InDesign CS/InDesign CS.app" \
| egrep '(kMDItemLastUsedDate|kMDItemDisplayName)'  | egrep '(kMDItemDisplayName|2008-10*|2008-11*)'
mdls "/Applications/Adobe Illustrator CS/Illustrator CS.app" \
| egrep '(kMDItemLastUsedDate|kMDItemDisplayName)'  | egrep '(kMDItemDisplayName|2008-10*|2008-11*)'

mdls "/Applications/GarageBand.app" | egrep '(kMDItemLastUsedDate|kMDItemDisplayName)' \
| egrep '(kMDItemDisplayName|2008-10*|2008-11*)'

X11 and the PATH variable in Leopard and Snowleopard

There seems to be no way to directly set the X11 PATH variable. However, if you correctly set your PATH variable in the Terminal (check the command path_helper), you can then launch xterm (X11) from Terminal.app and it will inherit the PATH variable.

A massive X11 FAQ is available here: http://forums.macosxhints.com/showthread.php?t=80171

Network & Printers

Get MAC Address

/sbin/ifconfig en0 | grep ether | cut -d' ' -f 2

Set computer name

sudo scutil --set LocalHostName NEWCOMPUTERNAME
sudo scutil --set ComputerName NEWCOMPUTERNAME

Printers: Install, delete, set as default

List installed printers

lpstat -p

Install

lpadmin -p printer_name -E -v lpd://server/printer -P path-to-ppd.gz

• An example with a compressed ppd:

lpadmin -p printer_name -E -v lpd://server/printer -P /Library/Printers/PPDs/Contents/Resources/HP\ LaserJet\ 4050\ Series.gz

• Or an uncompressed ppd:

lpadmin -p printer_name -E -v lpd://server/printer -P /Library/Printers/PPDs/Contents/Resources/HP\ LaserJet\ 4050\ Series.ppd

Must be followed by

cupsenable printer_name

Delete

lpadmin -x printer_name

e.g.:

lpadmin -x AdobePDF7

Set as default

lpadmin -d printer_name

Install but disable sharing and add description

lpadmin -p printer_name -E -v lpd://server/printer -D "Room AB123" -P ppdpath -o printer-is-shared=false

Enabling Duplexing

On HP printers this should suffice:

lpadmin -p prntr -E -v lpd://srv/prnt -D "rmnr" -P "ppdpath" -o "HPOption_Duplexer=True" -o Duplex=DuplexNoTumble

On other models you can try listing the available printer options, then pass the appropriate option to lpadmin using the "-o" parameter. To list all available printer options, install the printer on any one workstation and then run:

lpoptions -p printer_name -l

For an HP laserjet the above command gives two options related to duplexing: HPOption_Duplexer and Duplex -- so those are the parameters passed using "-o" in the example above.

Enable Printing Controls for Users

Situation: local printer stops while printing, and standard user cannot resume job. Or non-admin should be allowed to install a new printer queue. /private/etc/cups/cupsd.conf/ can be edited for granular permissions to functions normally reserved for members of admin & lpadmin groups, for example.

Misc

List of Mac SMC and EFI Firmware Updates

http://support.apple.com/kb/HT1237

It may be possible to automate the installation of these by using the -y switch:
http://support.apple.com/kb/HT3962
sudo ./Contents/Resources/RemoteEFIUpdater -y -shutdown

Remedying and preventing duplicate DDNS registrations in Mac OS X, or , steps to fully rename a Mac -- may be able to omit Keychain and Kerberos commands.

NOTE: You may need to combine these fixes with the suggestions outlined in the next section Advanced_Mac_Configuration_Topics#Macs losing AD bind connection or unable to login to a domain account on a Mac.

1. remove computer from domain
2. Run these commands

sudo /usr/sbin/systemkeychain -k /Library/Keychains/System.keychain -C -f
sudo rm -rf /var/db/krb5kdc
sudo /usr/libexec/configureLocalKDC
(this ensures uniqueness of local kerberos db)

1. Optionally, if he system is having SMB authentication issues, follow these instructions: http://support.apple.com/kb/HT3169
2. Rename computer as desired under System Preferences => Sharing, then run these commands:

sudo hostname NEWCOMPUTERNAME
sudo scutil --set ComputerName NEWCOMPUTERNAME
sudo scutil --set LocalHostName NEWCOMPUTERNAME
sudo scutil --set HostName NEWCOMPUTERNAME
(this ensures all possible host names are the same - don't ask why there are 4 different places)

1. Open Directory Utility, AD plugin, rename computer as desired there, then bind to domain (adding to correct OU)
2. If the computers are connected to an XSan, you may need to re-enter username/password in Xsan admin app. May need to remove computer from Xsan database and re-add.
3. For a computer name change, if the username has changed in AD as well, see [[1]].

Macs losing AD bind connection or unable to login to a domain account on a Mac

NOTE: You may need to combine these fixes with the suggestions outlined in he previous section Advanced Mac Configuration Topics#Remedying_and_preventing_duplicate_DDNS_registrations_in_Mac_OS_X. More information here: http://www.macwindows.com/leopardAD.html (search for “losing” or look under http://www.macwindows.com/leopardAD.html#012209e)

Proposed fixes: http://www.macwindows.com/Kerberos-workarounds-for-Macs-losing-AD-binding.html

And

http://www.macwindows.com/Readers-verify-modify-Kerberos-fixes-for-Mac-AD-binding.html

Proposed cause for the issue: Then one of our staff went to an Apple Integration seminar at Cambridge (UK) where the little known fact emerged that Leopard has a persistent Kerberos certificate which can cause problems with just such things as binding to AD. This is a particular problem if using an image to build multiple machines which are then bound to AD - it is the equivalent of having identical machine accounts on windows.

Apple’s take on the issue: http://support.apple.com/kb/TS1245

Also, verify the correct date, time, and time zone information in System Preferences.  If system is bound to domain, also verify in Directory Utility that the Search Policy includes an entry for "/Active Directory/All Domains".

If computer is properly bound (admin can verify by attempting to unlock system preferences), but no domain account can log in, be sure the setting allowing network users to log in is checked in Users system pane (if present).

If some accounts can login, but others cannot that have been used before (most commonly due to a username change), may need to delete account, verify the username folder has been removed, and also remove from the Groups/admin and/or Groups/staff list (using "dscl" command with the "-remove" switch).

Connect to an AFP server from the command line

sudo mkdir /Volumes/myserver
mount_afp afp://username:password@servername/sharename /Volumes/myserver

Reimage a mac from an image using the command line asr

sudo asr restore --source /Volumes/Source/Image.dmg --target /Volumes/Destination --erase --noverify

Note: This ERASES the destination drive. It also skips verification (which Disk Utility forces you to do, thus adding 10-15 minutes to the imaging process). Verification is GOOD, but sometimes, when you're sure that the image is healthy and your destination drive is healthy, it can be a waste of time.

Manipulating and modifying ACL permissions from the command line terminal

Read ACL

ls -le /path/to/dir

Write ACL

chmod -R +a "group:admin allow read write delete" /path/to/dir

Delete ACL

chmod -R -a# 0 /path/to/dir

Run an ASR server

GUI: Protonpack

sudo asr -source /Volumes/Images/image.dmg -server /path/to/config.plist

Restore a client from an ASR server

GUI: NetRestore

sudo asr -source asr://serverip -targer /Volumes/Volume -erase -noverify

Set expanded windows for save and print

defaults write -g PMPrintingExpandedStateForPrint -bool TRUE

defaults write /Library/Preferences/.GlobalPreferences NSNavPanelExpandedStateForSaveMode -string 1

Pre-populate the username field in the Connect to Server window

http://support.apple.com/kb/HT4121?viewlocale=en_US

E.g.:
defaults write /Library/Preferences/com.apple.NetworkAuthorization UseShortName -bool YES

Make the help window and the add printer (addprinter.app) window act normal

This makes the help window and addprinter.app window accessible to the Dock and command-tab.

i=/System/Library/CoreServices/AddPrinter.app/Contents/Info.plist
sudo defaults write "${i%.plist}" LSUIElement 0
sudo chmod 644 "$i"

i=/System/Library/CoreServices/Help\ Viewer.app/Contents/Info.plist
sudo defaults write "${i%.plist}" LSUIElement 0
sudo chmod 644 "$i"

Variables available to shell scripts in Installer packages

• $1: Full path to the installation package the Installer application is processing.
• $2: Full path to the installation destination
• $3: Installation volume (or mountpoint) to receive the payload
• $4: The root directory for the system:
• $SCRIPT_NAME: Filename of the operation executable
• $PACKAGE_PATH: Full path to the installation package
• $INSTALLER_TEMP: Scratch directory used by Installer to place its temporary work files
• $RECEIPT_PATH: Full path to a temporary directory containing the operation executable

Slipstreaming Office 2008 for Mac

See: Slipstreaming Office 2008 for Mac

Apple System Image Utility Tips

• When creating a workflow, "Define Image Source" needs to be on top and "Create Image" on the bottom of the workflow. The rest of the actions may have any order (or so it appears).

Archiving user accounts from a previous semester

cd /Users/
mkdir zz_PreviousSememsters
for cfolder in /Users/*
do
echo $cfolder
echo "$cfolder" | grep -x zz_PreviousSememsters
if [[ $? > 0 ]]
then
echo "absent"
mkdir "$cfolder"
mv -f "$cfolder" "/Users/zz_PreviousSememsters/"
else
echo "present"
return 0
fi

done

Deleting ALL cached domain user accounts

You can also delete all accounts from the entire semester:

# Deleting cached domain accounts (this means local accounts will remain untouched)
for cuser in `dscl . -list /Users AuthenticationAuthority | grep LocalCachedUser | awk '{print $1}' | tr '\n' ' '`; do
dscl . -delete /Users/$cuser
rm -rdfv /Users/$cuser
done


# Deleting the Shared files
rm -rdfv /Users/Shared/*
rm -rdfv /Users/Shared/.*

Deleting ALL cached domain accounts except those on a custom list

#Set the warning flag to off (case sensitive) if you want to start the deletion of accounts.
MIDD_WARNINGFLAG=on

#Set this flag to true if you want /Users/Shared to be deleted, as well.
MIDD_DELETESHARED=false

if [[ "$MIDD_WARNINGFLAG" == "on" ]]
then
echo "MIDD_WARNINGFLAG is enabled so I can't delete stuff."
echo "Look at the template/script that you just used and set the MIDD_WARNINGFLAG to off (case sensitive)."
else
ls -a /Users/
#Accounts listed here will not be deleted. Local accounts are not deleted by default.
MIDD_DONTDELETE=admin,jsmith,joejohn
# Deleting cached domain accounts (this means local accounts will remain untouched)
for cuser in `dscl . -list /Users AuthenticationAuthority | grep LocalCachedUser | awk '{print $1}' | tr '\n' ' '`; do
echo $MIDD_DONTDELETE | grep -i "$cuser"
if [ $? == 1 ]
then
echo "Deleting $cuser"
dscl . -delete /Users/$cuser
rm -rdf /Users/$cuser
else
echo "$cuser in exclusions list, not deleting"
fi
done

if [[ "$MIDD_DELETESHARED" == "true" ]]
then
# Deleting the Shared files
echo Deleting "/Users/Shared"
rm -rdfv /Users/Shared/*
rm -rdfv /Users/Shared/.*
else
echo "MIDD_DELETESHARED is set to false so I'm not deleting any files in /Users/Shared"
fi
fi

Erasing a volume entirely and setting permissions

#Set the warning flag to off (case sensitive) if you want to start the deletion.
MIDD_WARNINGFLAG=on

if [[ "$MIDD_WARNINGFLAG" == "on" ]]
then
echo "MIDD_WARNINGFLAG is enabled so I can't delete stuff."
echo "Look at the template/script that you just used and set the MIDD_WARNINGFLAG to off (case sensitive)."
else
echo Permissions status before erasing
vsdbutil -c /Volumes/SaveHere
vsdbutil -c "/Volumes/Save Here"

echo Erasing Save Here volumes
diskutil eraseVolume "HFS+" "Save Here" "/Volumes/Save Here"
diskutil eraseVolume "HFS+" "Save Here" /Volumes/SaveHere

echo Ensuring proper permissions status after erasing
vsdbutil -d /Volumes/SaveHere
vsdbutil -d "/Volumes/Save Here"

echo Reporting permissions status after erasing
vsdbutil -c /Volumes/SaveHere
vsdbutil -c "/Volumes/Save Here"
fi

• Alternatively, you can replace the "diskutil eraseVolume..." lines with something like rm -rdf "/Volumes/path/to/specific folder to clear"==

Moving a users folder manually to a new machine

If you move a user's home folder to a new machine you can run this command as root (or sudo -s) to apply ownership of the folder to the user and domain users (as the group). This does not change the actual permissions, just the ownership. Launch the Terminal and do the following.

sudo -s
cd /Users
chown -vR username username
chgrp -vR midd\\domain\ users username
exit

How this works... the sudo -s makes you a root user (assumig you should be) until you type exit. 'cd' is used to get to the User's folder (where you should have copied the user's homefolder named username). chown -vR un un will change ownership recursively and show you that it is working. chgrp -vr... will change the group the same way. The \\ is used to escape the \ character and the space between domain and users. The exit is to make sure you get out of being a super user. You could throw in a second 'exit' if you wanted to exit out of the terminal completely.

Kerberos Issues

Kerberos KDC location specified in krb5.conf is not respected: http://support.apple.com/kb/TS3265

Mac OS X v10.6 Clients bound to Active Directory may not be able to dismiss screen saver using Active Directory credentials

Resolution
From the Go menu choose Go to Folder.
Type etc , then click Go.
Open the file named "authorization" in a text editor.
Find the following text in the "system.login.screensaver” entry:
<string>The owner or any administrator can unlock the screensaver.</string>

Change it to this:
<string>(Use SecurityAgent.) The owner or any administrator can unlock the screensaver.</string>
Save the file.

http://support.apple.com/kb/TS3287

High Sierra macOS 10.13 stuff

APFS file system - encryption is native - adds Secure Token concept Secure Token is required of users to unlock an encrypted drive, and is granted by default to the first account, and subsequent local accounts, but not to mobile accounts.

sysadminctl command is useful for checking Secure Token status, and is the new supported tool for changing passwords and creating accounts through scripted means. dscl is NOT supported!!!

Check Secure Token: 'sysadminctl -secureTokenStatus usernamehere' Directory Utility also has an entry that allows lookup of one user at a time

Also see "FileVault"

Mac OS X Server and Xserve Administration

NetBoot Across Subnets

http://support.apple.com/kb/HT4187

Configuring service principals in Active Directory when using a disjoint namespace

See: http://support.apple.com/kb/HT3795

AFP users unable to authenticate with Kerberos after upgrading

sudo sso_util configure -r REALM_NAME -a diradmin afp
See: http://support.apple.com/kb/TS2938

Cannot authenticate to SMB shares when bound to Windows Server 2008 Active Directory

See: http://support.apple.com/kb/TS2967

Cannot configure Lights-Out Management after installing Remote Desktop

Reinstall the latest combo update.

Slapd Daemon Crashing - org.openldap.slapd Throttling respawn

You may notice through system logs or crashes that the Slapd daemon (launched by launchd) is crashing. If you don't use OpenDirectory, or LDAP/OpenLDAP, or if you don't mind reverting the slapd settings to default, there are two solutions:

Solution 1 (RECOMMENDED):
http://support.apple.com/kb/TS3067

sudo launchctl unload -w /System/Library/LaunchDaemons/org.openldap.slapd.plist

Solution 2: Restore the default slapd settings:

sudo mv /etc/openldap/slapd.conf /etc/openldap/slapd.conf.bak

sudo ditto /etc/openldap/slapd.conf.default /etc/openldap/slapd.conf

Solution 3 (not recommended): Disable org.openldap.slapd -- you can use Lingon for this.

Seek out more info using this search: http://www.google.com/search?hl=en&q=site:apple.com+org.openldap.slapd+Throttling+respawn - one of the more valuable results is a discussion post here: http://discussions.info.apple.com/thread.jspa?threadID=2171224

Managing Preferences

MCX - Managed Preferences - supported through 10.8

MDM - Configuration Profiles - iOS & OS 10.7+

Modify plist files - defaults write - to modify existing preference files plistbuddy - another option - may replace defaults can apply changes via command line, script, using management tools (Mavericks - cfprefsd - https://github.com/mathiasbynens/dotfiles/issues/330)

Modify default application - duti (http://duti.org/index.html) bundle identifier for an application: "defaults read /path/to/application/appname.app/Contents/Info CFBundleIdentifier" UTI (Uniform Type Identifiers) reference: https://developer.apple.com/library/mac/documentation/Miscellaneous/Reference/UTIRef/Articles/System-DeclaredUniformTypeIdentifiers.html#//apple_ref/doc/uid/TP40009259-SW1

Privacy Settings

macOS Mojave (10.14) introduced Privacy settings (Security & Privacy system pane), including per-user and system-wide preferences to allow/deny Apple Events triggered by an application to access other applications/data/system resources. Simply put, managing these settings will help to avoid unwanted pop-ups when a new user logs into a Mac - arguably a desirable feature on shared-use computers. While on the other hand, the vendor defaults will provide a clear picture of what is going on with a user's privacy. Camera and Microphone defaults can only be set to "deny", not "allow".

Given that some settings are system-wide, and non-administrators cannot change those settings, there's a good argument to be made for pre-setting only system-wide settings for standard applications. Example - deny or allow Accessibility for Adobe Photoshop via Profile. Note: such settings applied via Profile may not be visible (let alone editable) within the System & Privacy pane!

Helpful tools to make this 'easy':

• Mobile Device Management (Jamf Pro 10.9+, or other) is a handy way to create & deliver Configuration Profiles for this purpose, assuming macOS 10.14+, User Approved MDM, & push notifications.
• The BundleID is usually in the form com.vendor.Appname (ex. com.adobe.Photoshop)

codesign -dr - /Applications/SampleAppName.app

capture text on line following

designated => 

This is the "Code Requirement"

• Apps and/or Services must be specified, as well as whether to allow or deny this app access to those apps & services.

Some resources: Apple - https://help.apple.com/deployment/mdm/#/mdm38df53c2a JAMF - https://www.jamf.com/jamf-nation/articles/553/preparing-your-organization-for-user-data-protections-on-macos-10-14

FileVault Disk Encryption

FileVault encryption has been available for years in macOS.  As of FileVault 2, it is 'whole disk encryption'.  Please see Apple's documentation for details.

Command line tips:

to check encryption status
"fdesetup status"
"fdesetup help" for more options, though functions that can be done through System Preferences (or with the sysadminctl command) should take precedence.

to check if a user has "Secure Token" (can unlock the encrypted drive) 
"sysadminctl -secureTokenStatus username"
"sysadminctl" provides many other useful options, though System Preferences is preferred where possible.

to remove Secure Token from a user (revoke their ability to unlock the drive) - this can be useful if the FileVault password gets out of sync with the login password (common for mobile accounts when the password is changed via a method other than Users & Groups in SysPrefs
"sysadminctl -secureTokenOff <user name> -password <password> (interactive || -adminUser <administrator user name> -adminPassword <administrator password>)"

A user must be an administrator AND have Secure Token to encrypt, decrypt, or allow others to unlock the drive (pass Secure Token to them).

A new mobile account user will have a prompt at first login that will allow an administrator with Secure Token to pass the token.  If this opportunity is bypassed, The FileVault tab of the Security & Privacy SysPrefs is where the token can be passed, AND it will also be necessary to go to Users & Groups, and hover over the account icon to "edit" and apply an image to that account.  (strange, but true)