Office 2011 SP2 VL media ditches Communicator for Lync

After a Twitter exchange with @golby earlier today I realized that, as of the SP2 VL version of Office 2011, Microsoft has removed Communicator 13.x (also known as Communicator 2011 for Enterprise) in favor of its current Lync for Mac 2011 application, version 14.0.2. This is an important change for those on both sides of the Lync coin: if you haven’t upgraded from OCS to Lync yet, you will now need to remove the Lync client during pre- or post-install and install the separately available Communicator 2011 PKG from the VL site. Since Communicator 2011 is not available outside of the VL site, you will need to get access to the site or ask someone with access to download it. Those who are using Lync Server (Standard or Enterprise) and Lync for Mac 2011 will need to adjust their installation recipes, since up to this point one had to install Lync for Mac 2011 separately and remove the Communicator 2011 application in either pre- or post-install.

In my case I am installing Office 2011 and Lync for Mac 2011 using Munki, and since all users get the Lync client I have it requiring the Office 2011 installer. That will now have to be changed to just install Office 2011 SP2 while separately maintaining updates for Lync beyond the included 14.0.2 version.


Fixing Microsoft Office 2011 SP2 deployment for Munki

With the release of the recent Microsoft Office for Mac 2011 SP2 update, a new and unwelcome feature was introduced to Mac admins deploying Microsoft Office 2011 updates with patch management solutions such as Munki, Casper or Absolute Manage: zombie mode. For reasons not entirely clear to anyone (including the Microsoft MBU folks themselves) the PKG install of SP2 causes Munki’s Managed Software Update to hang at the final stage while displaying “Finishing the Installation..” This appears to be due to a ham-fisted cleanup attempt by the embedded clean_path script, which leaves a sleep-cycling process running so that MSU appears frozen in the finishing stage. One can manually kill off the sleep-cycling process or wait for the 2-hour timeout that Munki applies to processes launched by the Munki supervisor to expire. Neither is elegant or time-effective, so in an effort to remove this one misbehaving script from the equation I edited the PKG’s distribution.dist script and changed the following entry (line 251):

function volumeHasUpdatableVersionTest()
{
    var result = false;
    try {
        //system.log("volumeHasUpdatableVersionTest: running volume_updatable " + my.target.mountpoint + " " + GetTempDirectory());
        result = (system.runOnce('volume_updatable', my.target.mountpoint, GetTempDirectory()) == 0);
    } catch (e) {system.log("volumeHasUpdatableVersionTest: mount: "+my.target.mountpoint+" exception: "+e);}
    return result;
}

To simply read:

function volumeHasUpdatableVersionTest()
{
    return true;
}

Since all the code does is compare the sys.exit() return code from volume_updatable to “0” and set result to “true” if it matches, I decided to short-circuit the function and have it return “true” at all times. We’ll assume that Munki has already determined that an upgradable version of Office 2011 was found based on entries in the pkginfo, so simply passing over the test for an updatable version was acceptable for my environment.

For completeness’ sake, skipping over volumeHasUpdatableVersionTest() will bypass the following Microsoft-provided scripts:

find_office
office_updatable
clean_path

I welcome feedback on whether this is successful for others as well. I’m sure it’s possible to make a more targeted edit to prevent execution of just the clean_path script but I will leave that up to the adventurous Mac admins to determine.

Update: On 4/25/12 Microsoft released a patched SP2 updater, version 14.2.1. This appears to have fixed the issue with the Outlook database corruption, but the updater still exhibits the issue described in this post, even though the release notes state that it too was corrected. I have verified that the post-install code is still the same and will hang at the same script. Microsoft has suggested neutering clean_path by editing that script directly, but my fix as described above still works.
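To repeat the edit on each new updater without hand-editing, the function below rewrites volumeHasUpdatableVersionTest() in a given distribution.dist and keeps the original beside it. This is an added example, not part of the original post or of Munki; the function name patch_dist and the .orig backup suffix are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: apply the edit described above to a distribution.dist file.
# Usage: patch_dist /path/to/distribution.dist
# The untouched file is kept as distribution.dist.orig (hypothetical suffix).
patch_dist() {
    dist="$1"
    [ -f "$dist" ] || { echo "no such file: $dist" >&2; return 2; }
    # Refuse to touch a file that does not contain the function at all.
    grep -q '^[[:space:]]*function volumeHasUpdatableVersionTest()' "$dist" || {
        echo "volumeHasUpdatableVersionTest() not found in $dist" >&2
        return 1
    }
    # Keep the first backup so repeated runs always start from the original.
    [ -f "$dist.orig" ] || cp -p "$dist" "$dist.orig" || return 2
    awk '
        !skip && /^[ \t]*function volumeHasUpdatableVersionTest\(\)/ {
            print "function volumeHasUpdatableVersionTest()"
            print "{"
            print "    return true;"
            print "}"
            skip = 1; depth = 0; opened = 0
        }
        skip {
            # Drop the old body: track brace depth until the function closes.
            line = $0
            o = gsub(/\{/, "", line)
            c = gsub(/\}/, "", line)
            depth += o - c
            if (o > 0) opened = 1
            if (opened && depth <= 0) skip = 0
            next
        }
        { print }
    ' "$dist.orig" > "$dist"
}
```

Diffing distribution.dist against distribution.dist.orig afterwards confirms that only this one function changed.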


Another tool to fix PKGs with expired certs

Originally posted as a reply to Greg Neagle’s post regarding his very helpful tool to fix PKG installers with expired certs, this deserves some attention as it has the potential to be quite a bit faster because it doesn’t do a full unflatten/flatten run on targeted PKGs:

https://github.com/etrepum/strip_pkg_signature

Go check it out.


Checking applied AD policies with Centrify DirectControl agent

While troubleshooting some policy behavior using Centrify DirectControl 5.0.2 on a test Mac I found myself sorely missing the Centrify-native version of “gpresult”. Centrify implements “adgpupdate” which behaves much like its Windows counterpart but in order to look at applied policies one is left tool-less. Luckily all retrieved and applied policies can be found on the local filesystem, and perused from there.

To see the policies, navigate to /var/centrifydc/reg. As root, one can inspect both computer and user policies there:

bash-3.2# ls -l
total 0
drwxr-xr-x  7 root  wheel  238 Dec  1 10:40 machine
drwxr-xr-x  5 root  wheel  170 Mar  6 11:16 users

A gp.report file in /var/centrifydc/reg/machine and in each /var/centrifydc/reg/users/SOMEUSER directory contains all applied policies and their settings:

bash-3.2# ls machine/
.lock gp.report software
applied_policies secedit

bash-3.2# ls users/user2/
gp.report software

The files themselves look like basic .reg files, with each policy rule occupying one line preceded by a machine- or user-specific configuration stanza, which is updated by Centrify’s tools when policies are updated. It is probably A Very Bad Idea to make any manual changes here. The raw .pol files as pulled from your domain’s SYSVOL can be found in the software directory and its sub-directories for both users and machine; machine-specific security .pol files are stored in secedit. The applied_policies file lists the GUIDs of all applied policies as pulled from LDAP. They are complete DNs, one per line.

My next step is going to be corralling some of this information into a single script along the lines of “adgpresult” to make the desired info a little easier to get to. But for now this is at least one way to get to the GPO policies for Macs using Centrify DirectControl.
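A starting point for such a script, reading only the files described above. This is an added example, not Centrify's tooling or the author's script; the function names and the CENTRIFY_REG override are hypothetical, and it assumes each DN in applied_policies carries the GPO GUID in braces, as Active Directory GPO DNs normally do.

```sh
#!/bin/sh
# Added example: read-only summary of what the Centrify agent has applied.
# CENTRIFY_REG defaults to the directory named in the post; override it to
# point the functions at a copy of the tree.
CENTRIFY_REG="${CENTRIFY_REG:-/var/centrifydc/reg}"

# Print the GUID of each GPO listed in machine/applied_policies, one per line.
applied_gpo_guids() {
    f="$CENTRIFY_REG/machine/applied_policies"
    [ -r "$f" ] || { echo "cannot read $f (run as root?)" >&2; return 1; }
    # Assumption: each line is a DN such as CN={GUID},CN=Policies,...
    sed -n 's/.*{\([0-9A-Fa-f-]\{36\}\)}.*/\1/p' "$f" | tr 'a-f' 'A-F'
}

# Print each user that has a gp.report under users/.
users_with_report() {
    for d in "$CENTRIFY_REG"/users/*/; do
        [ -f "${d}gp.report" ] && basename "$d"
    done
    return 0
}
```

The GUIDs it prints can be matched against the GPO list on the domain side to see which policies actually reached the Mac.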


Custom Munki Conditional Items

Courtesy of Heig Gregorian, munkitools 0.8.2 Build 1459 (and later) now has the ability to add custom conditional item entries using your favorite scripting language (Ruby, Python, bash). It does this by executing compatible scripts in /usr/local/munki/conditions to write key/value pairs to the newly added ConditionalItems.plist which lives in the Managed Installs directory, /Library/Managed Installs by default. Heig has updated the ConditionalItems wiki page on the Munki project page to reflect the added functionality. This very welcome addition allows for some very interesting customization of Munki’s conditional_items functionality and I thank Heig for writing the code and Greg for merging it into munkitools.


Configuring Firefox 10 ESR with CCK Wizard

Nick McSpadden wrote up a helpful step-by-step guide on how to configure Firefox 10 ESR using CCK Wizard while nixing any and all user-facing notifications. The attentive reader will notice that it takes quite a few steps to get to where you want to be with Firefox. Mozilla is not doing any Enterprise/Edu admin any favors with this added complexity.


Boot Mac OS X 10.6 from a DMG

Being able to boot Mac OS X from a DMG has been possible since 10.5 but Apple has only recently started to use it with the Lion installation process where BaseSystem.dmg is used as the system boot volume. There are situations where this could come in handy, for example to create a Rescue partition-sans-partition for 10.5 or 10.6 systems, or to upgrade 10.5 users to Snow Leopard without needing NetBoot access. In fact, the sparseimage that is inside the NBI bundle file created by following Rich Trouton’s tutorial on performing Snow Leopard upgrades with NetInstall and DeployStudio can be used without modification following the steps below. So far I have verified that both read-only compressed DMG files and read/write sparseimage files can be used.


Unceremonious beginnings

Opinions are plentiful and often wrong, so I never blogged anything. Having enjoyed a fair amount of tech-oriented blogs over the years I’ve come to appreciate them for providing both quickly jotted down notes and elaborate technical writeups. With that purpose in mind I’m going to start writing down some of my own notes and findings, if only to save them for future reference. In the process others may find what I come up with helpful (or completely ridiculous) but I’ll leave that up to the reader.

Onward!
