Adobe Creative Cloud for Teams

Update: since the details that we received did not line up with Creative Cloud Enterprise features I asked for verification from our vendor whether we were given details about the CC Enterprise product and whether it was given by an Adobe rep. Neither was the case, so I am modifying my post to instead outline the details of the Creative Cloud for Teams program for those SMB admins who are considering it for their users.

I apologize for any confusion the initial post created, it was by no means my intention to do so. A big thanks to Jody Rogers for alerting me about the misinformation. As always he is on top of things.

Adobe Creative Cloud for Teams highlights:

  • For those with security policies that forbid Cloud storage use, Creative Cloud storage must be blocked through firewall port filtering at the customer’s site.
  • Creative Cloud Packager currently does not have a “kill switch” for the CC storage functionality, as it has for EULA suppression, update notifications, etc.
  • Laptop users who use the CC apps at home or anywhere else that is not at their employer’s location will have full access to CC storage.
  • CC Teams admins have the ability to see which users are using CC storage and must police this usage themselves.
  • The ability to retrieve any CC-stored content for users who have been removed from the company’s CC account is in the works.
  • Upon first time deployment of one or more CC apps the end user must register an Adobe ID to then validate the app(s) they were given access to. CC Teams admins must generate email notifications for each new user (and likely also for each new app assigned to an existing user).
  • A user’s computer must make contact with the Adobe CC servers at least once every 30 days or the installed CC app(s) will revert to trial mode.
  • As far as I could understand there’s still the dual-license ability where a user can use the same applications they are licensed for on a desktop and a laptop computer. No clear word on whether this means simultaneously or not.
  • For those of us who need to test deployment, security or end-user functionality Adobe can decide to make short-term (think 3-4 weeks) licenses available.

These are all the points I got out of our 45 minute call. Anyone out there who has more solid details that either confirm or contradict any of the information presented here is encouraged to respond in the comments, email or Twitter.

Link – Booting multiple NBIs using ISC DHCPD

Brandon Penglase wrote up a very helpful wiki article on his site outlining how to configure ISC’s DHCP server to serve multiple NetBoot images, as opposed to the single image that the methods available for a number of years now have been limited to. Noted caveats: Startup Disk will not be able to display the available NBIs, since it uses a custom port to receive the list of images, and thin NetBoot images that require server-side storage for the client cannot be used.

Go read it now.

Office 2011 SP2 VL media ditches Communicator for Lync

After an earlier Twitter exchange with @golby today I realized that as of the SP2 VL version of Office 2011 Microsoft has removed Communicator 13.x (also known as Communicator 2011 for Enterprise) in favor of their current Lync for Mac 2011 application, version 14.0.2. This is an important change for those on both sides of the Lync coin.

If you haven’t upgraded from OCS to Lync yet, you will now need to remove the Lync client during pre- or post-install and install the separately available Communicator 2011 PKG from the VL site. Since Communicator 2011 is not available outside of the VL site you will need to have yourself granted access to the site, or ask someone with access to download it for you.

Those who are using Lync Server (Standard or Enterprise) and Lync for Mac 2011 will need to adjust their installation recipes as well, since up to this point one would have had to install Lync for Mac 2011 separately and remove the Communicator 2011 application in pre- or post-install. In my case I am installing Office 2011 and Lync for Mac 2011 using Munki, and since all users get the Lync client I have it requiring the Office 2011 installer. That will now have to be changed to just install Office 2011 SP2 while separately maintaining updates for Lync beyond the included 14.0.2 version.

Fixing Microsoft Office 2011 SP2 deployment for Munki

With the release of the recent Microsoft Office for Mac 2011 SP2 update a new and unwelcome feature was introduced for Mac admins deploying Microsoft Office 2011 updates with patch management solutions such as Munki, Casper or Absolute Manage: zombie mode. For reasons not entirely clear to anyone (including the Microsoft MBU folks themselves) the PKG install of SP2 causes Munki’s Managed Software Update to hang at the final stage while displaying “Finishing the installation…”. This appears to be due to a ham-fisted clean-up attempt by the embedded clean_path script, which causes MSU to appear frozen in the finishing stage. One can go in and manually kill off the sleep-cycling process, or wait for the 2 hour timeout that Munki applies to processes launched by the Munki supervisor to expire. Neither is elegant nor time-effective, so in an effort to remove this one misbehaving script from the equation I edited the PKG’s distribution.dist script and changed the following entry (line 251):

function volumeHasUpdatableVersionTest()
{
    var result = false;
    try {
        //system.log("volumeHasUpdatableVersionTest: running volume_updatable " + my.target.mountpoint + " " + GetTempDirectory());
        result = (system.runOnce('volume_updatable', my.target.mountpoint, GetTempDirectory()) == 0);
    } catch (e) {system.log("volumeHasUpdatableVersionTest: mount: "+my.target.mountpoint+" exception: "+e);}
    return result;
}

To simply read:

function volumeHasUpdatableVersionTest()
{
    return true;
}

Since all the code does is compare the exit code of volume_updatable to 0 and set result to true if it matches, I decided to short-circuit the function and have it return true at all times. We’ll assume that Munki has already determined that an updatable version of Office 2011 is present based on the entries in the pkginfo, so simply skipping the installer’s own test for an updatable version was acceptable for my environment.

For completeness sake, skipping over volumeHasUpdatableVersionTest() will bypass the following Microsoft-provided scripts:

find_office
office_updatable
clean_path

I welcome feedback on whether this is successful for others as well. I’m sure it’s possible to make a more targeted edit to prevent execution of just the clean_path script but I will leave that up to the adventurous Mac admins to determine.

Update: On 4/25/12 Microsoft released a patched SP2 updater, version 14.2.1. This appears to have fixed the issue with the Outlook database corruption but still experiences the same issue as described in this post, even though the release notes state that, too, was corrected. I have verified that the post-install code is still the same and will hang up at the same script. Microsoft has suggested neutering clean_path by going into the script and changing it there, but my fix as described above still works.

Another tool to fix PKGs with expired certs

Originally posted as a reply to Greg Neagle’s post about his very helpful tool for fixing PKG installers with expired certs, this one deserves some attention of its own as it has the potential to be quite a bit faster, because it does not do a full unflatten/flatten run on the targeted PKGs:

https://github.com/etrepum/strip_pkg_signature

Go check it out.

Checking applied AD policies with Centrify DirectControl agent

While troubleshooting some policy behavior using Centrify DirectControl 5.0.2 on a test Mac I found myself sorely missing a Centrify-native version of “gpresult”. Centrify provides “adgpupdate”, which behaves much like its Windows counterpart, but for looking at the applied policies one is left tool-less. Luckily all retrieved and applied policies can be found on the local filesystem, and perused from there.

To see the policies navigate to /var/centrifydc/reg and as root one can inspect both computer and user policies:

bash-3.2# ls -l
total 0
drwxr-xr-x  7 root  wheel  238 Dec  1 10:40 machine
drwxr-xr-x  5 root  wheel  170 Mar  6 11:16 users

The gp.report file in /var/centrifydc/reg/machine and /var/centrifydc/reg/users/SOMEUSER contains all applied policies and their settings:

bash-3.2# ls machine/
.lock gp.report software
applied_policies secedit

bash-3.2# ls users/user2/
gp.report software

The files themselves look like basic .reg files, with each policy rule occupying one line, preceded by a machine- or user-specific configuration stanza that is updated by Centrify’s tools when policies are refreshed. It is probably A Very Bad Idea to make any manual changes here. The raw .pol files as pulled from your domain’s SYSVOL can be found in the software directory and its sub-directories, for both users and machine; the machine-specific security .pol files are stored in secedit. The applied_policies file lists the GUIDs of all applied policies as pulled from LDAP; they are complete DNs, one per line.

My next step is going to be corralling some of this information into a single script along the lines of “adgpresult” to make the desired info a little easier to get to. But for now this is at least one way to get to the GPO policies for Macs using Centrify DirectControl.
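As a starting point for that kind of “adgpresult”, here is an added Python 3 example; it is not a Centrify tool and not from the original post. It reads the files described above under /var/centrifydc/reg and prints one summary per scope (machine, then each user). Two formats are assumed and should be checked against your agent version: applied_policies holds one GPO DN per line in the usual AD form CN={GUID},CN=Policies,CN=System,DC=…, from which the GUID and the domain are extracted, and gp.report is .reg-like, with [Section] headers and "name"=value lines. The sample inputs in the test are constructed.

```python
#!/usr/bin/env python3
"""adgpresult-style summary of Centrify DirectControl policy state.

Added example, not a Centrify tool and not from the original post. It reads the
files under /var/centrifydc/reg and prints, per scope, the GPOs applied (from
applied_policies) and the settings they produced (from gp.report).

Assumed formats (verify against your agent version):
  applied_policies: one GPO DN per line, CN={GUID},CN=Policies,CN=System,DC=...
  gp.report:        .reg-like text with [Section] headers and "name"=value lines
"""
import os
import re

REG_ROOT = "/var/centrifydc/reg"
# A GPO's DN starts with its GUID; AD GPO container names carry braces.
_GUID_RE = re.compile(r"^CN=\{?([0-9A-Fa-f-]{36})\}?,", re.IGNORECASE)


def parse_applied_policies(text):
    """Return [(guid, domain)] from one-DN-per-line text.

    The domain is reassembled from the DC= components so the listing still
    shows where a GPO came from when DNs from several domains are mixed.
    """
    policies = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _GUID_RE.match(line)
        guid = m.group(1).upper() if m else "?"
        domain = ".".join(re.findall(r"DC=([^,]+)", line, re.IGNORECASE))
        policies.append((guid, domain))
    return policies


def parse_gp_report(text):
    """Parse .reg-style text into {section: {name: value}}.

    Handles the two line shapes a .reg file uses, "name"=value and @=value
    (the section's default value); ';' lines are comments. Quoted string
    values are unquoted, other values (e.g. dword:...) are kept verbatim.
    """
    report = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            report.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = "@" if name == "@" else name.strip('"')
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        report[section][name] = value
    return report


def summarize(scope_dir):
    """Return (policies, report) for one scope directory (machine or users/NAME)."""
    policies, report = [], {}
    ap = os.path.join(scope_dir, "applied_policies")
    if os.path.isfile(ap):          # present for the machine scope per the post
        with open(ap, errors="replace") as fh:
            policies = parse_applied_policies(fh.read())
    gp = os.path.join(scope_dir, "gp.report")
    if os.path.isfile(gp):
        with open(gp, errors="replace") as fh:
            report = parse_gp_report(fh.read())
    return policies, report


def main():
    scopes = [os.path.join(REG_ROOT, "machine")]
    users_dir = os.path.join(REG_ROOT, "users")
    if os.path.isdir(users_dir):
        scopes += [os.path.join(users_dir, u) for u in sorted(os.listdir(users_dir))]
    for scope in scopes:
        policies, report = summarize(scope)
        print("== %s" % scope)
        for guid, domain in policies:
            print("  GPO {%s} from %s" % (guid, domain))
        for section, settings in sorted(report.items()):
            print("  [%s]" % section)
            for name, value in sorted(settings.items()):
                print("    %s = %s" % (name, value))


if __name__ == "__main__":
    main()
```

Run it as root, since that is how the post inspects the directory. The parsers are kept separate from the file handling so you can feed them a copied gp.report from another machine, or adapt them once you have confirmed the exact layout your agent writes.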

Custom Munki Conditional Items

Courtesy of Heig Gregorian, munkitools 0.8.2 Build 1459 (and later) now has the ability to add custom conditional item entries using your favorite scripting language (Ruby, Python, bash). It does this by executing the scripts found in /usr/local/munki/conditions, which write key/value pairs to the newly added ConditionalItems.plist that lives in the Managed Installs directory, /Library/Managed Installs by default. Heig has updated the ConditionalItems wiki page on the Munki project page to reflect the added functionality. This very welcome addition allows for some very interesting customization of Munki’s conditional_items functionality, and I thank Heig for writing the code and Greg for merging it into munkitools.
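An added example of such a conditions script, written in Python 3 for this page rather than taken from the Munki project or the original post. The one thing worth getting right is that every script in /usr/local/munki/conditions must read the existing ConditionalItems.plist and merge its own keys back in, because the scripts run one after another and a script that blindly rewrites the file would clobber whatever the earlier scripts recorded. The key name office_word_version and the application path are assumptions chosen for illustration; the manifest condition syntax is Munki's normal NSPredicate form.

```python
#!/usr/bin/env python3
"""Example Munki conditions script (added here; not code from the Munki project).

Install as an executable file in /usr/local/munki/conditions/. Munki runs every
script there before evaluating conditional_items. Each script must merge its
keys into the existing ConditionalItems.plist rather than overwrite the file,
so keys written by earlier scripts survive.
"""
import os
import plistlib

MANAGED_INSTALLS_DIR = "/Library/Managed Installs"        # Munki default
CONDITIONS_PLIST = os.path.join(MANAGED_INSTALLS_DIR, "ConditionalItems.plist")


def load_conditions(path):
    """Return the current ConditionalItems dict, or {} if the file is absent or unreadable."""
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except (IOError, OSError, plistlib.InvalidFileException):
        return {}


def merge_conditions(path, new_items):
    """Merge new_items into the plist at path and return the merged dict.

    Values must be plist-serializable (str, int, float, bool, date, list, dict).
    Existing keys with the same name are overwritten; all other keys are kept.
    """
    conditions = load_conditions(path)
    conditions.update(new_items)
    with open(path, "wb") as fh:
        plistlib.dump(conditions, fh)
    return conditions


def office_version(app_path="/Applications/Microsoft Word.app"):
    """Return the CFBundleShortVersionString of the app at app_path, or 'none'.

    Illustrative condition (key name and app path are assumptions): a manifest
    item can then carry  condition: office_word_version BEGINSWITH '14.'
    """
    info = os.path.join(app_path, "Contents", "Info.plist")
    try:
        with open(info, "rb") as fh:
            return str(plistlib.load(fh).get("CFBundleShortVersionString", "none"))
    except (IOError, OSError, plistlib.InvalidFileException):
        return "none"


def main():
    merge_conditions(CONDITIONS_PLIST, {
        "office_word_version": office_version(),
    })


if __name__ == "__main__":
    main()
```

Because the script returns a plain string, the manifest can compare it with the usual predicate operators (==, BEGINSWITH, LIKE); keep the value as a string rather than a number so version strings such as 14.2.1 compare predictably.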

Boot Mac OS X 10.6 from a DMG

Being able to boot Mac OS X from a DMG has been possible since 10.5 but Apple has only recently started to use it with the Lion installation process where BaseSystem.dmg is used as the system boot volume. There are situations where this could come in handy, for example to create a Rescue partition-sans-partition for 10.5 or 10.6 systems, or to upgrade 10.5 users to Snow Leopard without needing NetBoot access. In fact, the sparseimage that is inside the NBI bundle file created by following Rich Trouton’s tutorial on performing Snow Leopard upgrades with NetInstall and DeployStudio can be used without modification following the steps below. So far I have verified that both read-only compressed DMG files and read/write sparseimage files can be used.

Prepping a 10.6 bootable DMG, this assumes the source DMG contains Mac OS X 10.6:

  1. Create a folder in /private/BootDMG to hold the required files; the point of the location is to keep its contents out of the way of users. All files and folders, including the root folder, must be owned by root.
  2. Inside the BootDMG root folder create Contents/Resources/Files and Contents/Resources/Image, using mkdir:
    sudo mkdir -p /private/BootDMG/Contents/Resources/Files
    sudo mkdir -p /private/BootDMG/Contents/Resources/Image
  3. Copy the DMG of a Snow Leopard-based bootable DMG such as the Snow Leopard Install DVD or a DeployStudio Runtime boot volume to /private/BootDMG/Contents/Resources/Image/YOURDMG.dmg:
    sudo cp /Users/admin/Some/Folder/YOURDMG.dmg /private/BootDMG/Contents/Resources/Image/
  4. Mount /private/BootDMG/Contents/Resources/Image/YOURDMG.dmg, using Disk Utility or hdiutil:
    sudo hdiutil attach -nobrowse -noverify /private/BootDMG/Contents/Resources/Image/YOURDMG.dmg
  5. From the mounted DMG copy the following files to /private/BootDMG/Contents/Resources/Files and unmount the DMG:
    sudo cp /Volumes/YOURDMG/mach_kernel /private/BootDMG/Contents/Resources/Files/
    sudo cp /Volumes/YOURDMG/usr/standalone/i386/boot.efi /private/BootDMG/Contents/Resources/Files/
    sudo cp /Volumes/YOURDMG/System/Library/Caches/com.apple.kext.caches/Startup/Extensions.mkext /private/BootDMG/Contents/Resources/Files/
    sudo umount /Volumes/YOURDMG
  6. Note: if Extensions.mkext does not exist on the source DMG, you can simply create an empty file by the same name using touch or by saving an empty text file with tools such as vi, TextMate or TextEdit.
  7. Use defaults to write required settings to a new com.apple.Boot.plist file:
    sudo defaults write /private/BootDMG/Contents/Resources/Files/com.apple.Boot Kernel /private/BootDMG/Contents/Resources/Files/mach_kernel
    sudo defaults write /private/BootDMG/Contents/Resources/Files/com.apple.Boot 'Kernel Flags' "rp=file://private/BootDMG/Contents/Resources/Image/YOURDMG.dmg"
    sudo defaults write /private/BootDMG/Contents/Resources/Files/com.apple.Boot 'MKext Cache' /private/BootDMG/Contents/Resources/Files/Extensions.mkext
  8. Finally, use the bless command to set the Mac to boot from the DMG:
    sudo bless --folder "/private/BootDMG/Contents/Resources/Files" --file "/private/BootDMG/Contents/Resources/Files/boot.efi" --setBoot --options "config=\private\BootDMG\Contents\Resources\Files\com.apple.Boot"
  9. You can now reboot the Mac, which will boot using the DMG you prepped.

Given the steps above it shouldn’t be too hard to create a deployment-ready package that drops a prepped bootable DMG and accompanying files somewhere on a user’s machine and configures it for booting either immediately or later through a simple user-facing GUI tool to select either regular HD boot or DMG boot.
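As a step toward that deployment-ready package, here is an added Python 3 example that scripts steps 1 through 8 above; it is not part of the original post. It assumes the layout /private/BootDMG exactly as described, that the source DMG is a bootable 10.6 image, that it mounts at /Volumes/VOLUMENAME, and that it runs as root. The two pure helpers, boot_plist() and efi_options(), reproduce the com.apple.Boot values from step 7 and the backslash-separated config= argument from step 8 (including the post's form of the rp= flag and the domain-style name without .plist), so they can be checked without blessing or rebooting anything; plistlib stands in for the defaults write calls.

```python
#!/usr/bin/env python3
"""Stage a boot-from-DMG setup for Mac OS X 10.6 (added example, not from the post).

Scripts steps 1-8 of the procedure above. Assumptions: the target layout is
/private/BootDMG as in the post, the source DMG is a bootable 10.6 image that
mounts at /Volumes/<volume_name>, and the script runs as root.
"""
import os
import plistlib
import shutil
import subprocess
import sys

ROOT = "/private/BootDMG"
FILES_DIR = os.path.join(ROOT, "Contents", "Resources", "Files")
IMAGE_DIR = os.path.join(ROOT, "Contents", "Resources", "Image")
REQUIRED = ["mach_kernel", "usr/standalone/i386/boot.efi"]       # step 5
MKEXT = "System/Library/Caches/com.apple.kext.caches/Startup/Extensions.mkext"


def boot_plist(files_dir, dmg_path):
    """Return the com.apple.Boot dictionary from step 7 as a plain dict.

    The rp= flag keeps the post's form: file:// followed by the absolute path
    without its leading slash.
    """
    return {
        "Kernel": os.path.join(files_dir, "mach_kernel"),
        "Kernel Flags": "rp=file://" + dmg_path.lstrip("/"),
        "MKext Cache": os.path.join(files_dir, "Extensions.mkext"),
    }


def efi_options(plist_path):
    """Return the bless --options value from step 8.

    Firmware paths use backslashes, and the post passes the domain-style name
    without .plist (the same name `defaults write` was given), so strip it.
    """
    base = plist_path[:-len(".plist")] if plist_path.endswith(".plist") else plist_path
    return "config=" + base.replace("/", "\\")


def run(*cmd):
    subprocess.check_call(list(cmd))


def prepare(source_dmg, volume_name):
    """Steps 1-8: stage the image, extract the boot files, write the plist, bless."""
    if os.geteuid() != 0:
        sys.exit("run as root: everything under %s must be root-owned" % ROOT)
    os.makedirs(FILES_DIR, exist_ok=True)                           # step 2
    os.makedirs(IMAGE_DIR, exist_ok=True)
    dmg_path = os.path.join(IMAGE_DIR, os.path.basename(source_dmg))
    shutil.copy2(source_dmg, dmg_path)                              # step 3

    run("hdiutil", "attach", "-nobrowse", "-noverify", dmg_path)    # step 4
    mount = os.path.join("/Volumes", volume_name)                   # assumption
    try:
        for rel in REQUIRED:
            shutil.copy2(os.path.join(mount, rel), FILES_DIR)
        src = os.path.join(mount, MKEXT)
        dst = os.path.join(FILES_DIR, "Extensions.mkext")
        if os.path.exists(src):
            shutil.copy2(src, dst)
        else:
            open(dst, "wb").close()            # step 6: empty file is acceptable
    finally:
        run("hdiutil", "detach", mount)

    plist_path = os.path.join(FILES_DIR, "com.apple.Boot.plist")    # step 7
    with open(plist_path, "wb") as fh:
        plistlib.dump(boot_plist(FILES_DIR, dmg_path), fh)
    for path, _, names in os.walk(ROOT):                            # step 1
        for name in [""] + names:
            os.chown(os.path.join(path, name), 0, 0)
    run("bless", "--folder", FILES_DIR,                             # step 8
        "--file", os.path.join(FILES_DIR, "boot.efi"),
        "--setBoot", "--options", efi_options(plist_path))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s /path/to/YOURDMG.dmg VOLUMENAME" % sys.argv[0])
    prepare(sys.argv[1], sys.argv[2])
```

Wrapped in a payload-free installer package with this as a postinstall script, it gives you the "configure for booting immediately" half of the idea; a GUI chooser that runs bless against either the regular startup disk or /private/BootDMG would cover the other half.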

Configuring Firefox 10 ESR with CCK Wizard

Nick McSpadden wrote up a helpful step-by-step guide on how to configure Firefox 10 ESR using CCK Wizard while nixing any and all user-facing notifications. The attentive reader will notice that it takes quite a few steps to get to where you want to be with Firefox. Mozilla is not doing any Enterprise/Edu admin any favors with this added complexity.

Unceremonious beginnings

Opinions are plentiful and often wrong, so I never blogged anything. Having enjoyed a fair amount of tech-oriented blogs over the years I’ve come to appreciate them for providing both quickly jotted down notes and elaborate technical writeups. With that purpose in mind I’m going to start writing down some of my own notes and findings, if only to save them for future reference. In the process others may find what I come up with helpful (or completely ridiculous) but I’ll leave that up to the reader.

Onward!