Creating a signed Java Deployment Rule Set with Windows Server CA

Introduction

With the release of Oracle’s Java 7 Update 51 came heightened security measures that affect unsigned and self-signed Java applets. At its standard “High” security setting the Java web plugin and standalone JVM will refuse to run unsigned or self-signed applets unless they have been explicitly added to a user-level whitelist which is a newly added security feature in Java 7 Update 51.

Read more...

Auto-this and Auto-that

Inspired by recent Auto-events I decided I was tired of having to manually roll hardware-specific NetBoot images, such as we’ve had to do recently for both Mountain Lion and Mavericks releases. It took me a while to spelunk into the innards of System Image Utility and its related frameworks and tools but I feel that I was able to write up something half-decent for it.

With that said, please take a look at AutoNBI.py, the latest member of the Auto-family. There’s no fancy GUI, but that’s the point here - integration into your workflow. There’s some first version caveats such as the NBI modification method being pretty basic in that it currently will replace or add only one folder since that is what I needed to be able to do for my needs. I have some additional code in the works that will let AutoNBI ingest a plist file with more complex add and remove configurations, but for now this’ll have to do.

Read more...

Workaround for Konica Minolta (and other) PDEs in Mavericks

Is your organization using those really shiny and fancy Konica Minolta multifunction printers? Did your users start upgrading to Mavericks only to find that none of the custom functionality menus (courtesy of KM PDEs) were available in the Print window? Try this workaround to make them show up again in the print dialogs of sandboxed apps (Preview, TextEdit). Note that the script can easily be modified to provide the same workaround for other vendors’ incompatible PDEs as well. And make sure to use sudo, of course.

Update: To make applying this workaround a little easier I have created a ‘nopkg’ Munki pkginfo that will apply it to any PDEs found in a user’s /Library/Printers folder that are missing the required key in their Info.plist. It is up to the Mac admin to insert the names of the appropriate printer driver install items for which this patch should be an update. Get the pkginfo item right here.

Update 2: For those having trouble figuring out how to apply this workaround or those who don’t use Munki for their patch management I have put up a standalone version of the script. Simply unzip the file and run with sudo:

sudo ./mavericks_pde_fix.py

Changes will only be made to PDEs that are missing a key in their Info.plist required for Mavericks compatibility.

Read more...

Mavericks tool time - SIU and imagetool

Recently I’ve had to rebuild our customized NBI NetBoot images a number of times due to special OS builds (yay) and needing to test Mavericks DPs. In that process it became obvious that it’s easy to make a mistake adding certain resources, deleting others and making sure that the resulting DMG is resized afterwards. I don’t know about you, but if I have to repeatedly and manually run a bunch of error-prone steps my mind quickly turns towards automating the heck out of it to regain sanity and remove error.

Read more...

AFP548 Episode 2 up now

I recently casted pod for the fine folks at AFP548 and had the privilege of talking to the esteemed Charles Edge for an hour and change. Go check it out here.

Thanks to Charles and Allister for their direct involvement and the AFP548 purveyors at large for having me. It was a blast!

Edit: if iTunes seems wonky, this is the direct link to the episode on SoundCloud.

Read more...

PSU Mac Admins Conference 2013 slides are up

First of all I want to thank all those brave souls who stuck around until this year’s conference’s bitter end to come to listen to me talk about Munki, Munkiserver, Puppet and the combination of the three. The video of mine and other speaker’s sessions can be found on the PSU Mac Admins YouTube page somewhere in the latter part of June.

After some minor modifications (thanks @Allister) I have posted my slide deck as a PDF. The PSU folks will also be sending out links to attendees of the slides of all the other speakers.

However if you did not attend the conference you can find my slides right here.

Many thanks to the PSU Mac Admins team for organizing a well-oiled conference, it was a blast!

Read more...

Adobe Creative Cloud for Teams

Update: since the details that we received did not line up with Creative Cloud Enterprise features I asked for verification from our vendor whether we were given details about the CC  Enterprise product and whether it was given by an Adobe rep. Neither were the case, so I am modifying my post to instead outline the details of the Creative Cloud for Teams program for those SMB admins who are considering it for their users.

I apologize for any confusion the initial post created, it was by no means my intention to do so. A big thanks to Jody Rogers for alerting me about the misinformation. As always he is on top of things.

Adobe Creative Cloud for Teams highlights:

  • For those with security policies that forbid Cloud storage use, Creative Cloud storage must be blocked through firewall port filtering at the customer’s site.
  • Creative Cloud Packager currently does not have a “kill switch” for the CC storage functionality, as it has for EULA suppression, update notifications, etc.
  • Laptop users who use the CC apps at home or anywhere else that is not at their employer’s location will have full access to CC storage.
  • CC Teams admins have the ability to see which users are using CC storage and must police this usage themselves.
  • The ability to retrieve any CC-stored content for users who have been removed from the company’s CC account is in the works.
  • Upon first time deployment of one or more CC apps the end user must register an Adobe ID to then validate the app(s) they were given access to. CC Teams admins must generate email notifications **for **each new user (and likely also for each new app assigned to an existing user).
  • A user’s computer must make contact with the Adobe CC servers at least once every 30 days or the installed CC app(s) will revert to** trial mode**.
  • As far as I could understand there’s still the dual-license ability where a user can use the same applications they are licensed for on a desktop and a laptop computer. No clear word on whether this means simultaneously or not.
  • For those of us who need to test deployment, security or end-user functionality Adobe can decide to make short-term (think 3-4 weeks) licenses available.

These are all the points I got out of our 45 minute call. Anyone out there who has more solid details that either confirm or contradict any of the information presented here is encouraged to respond in the comments, email or Twitter.

Read more...

Link - Booting multiple NBIs using ISC DHCPD

Brandon Penglase wrote up a very helpful wiki article on his site outlining how to configure ISC’s DHCP server to serve multiple NetBoot images as opposed to the single image, methods for which have been available for a number of years now. Noted caveats are that Startup Disk will not be able to display the available NBIs as it uses a custom port to receive the list of images back and the inability to use thin NetBoot images that require server-side storage for the client.

Go read it now.

Read more...