Penn State MacAdmins Conference 2015 slides available

The slides for the two talks I gave at this year’s PSU Mac Admins Conference are now available as PDFs at these links:

Free your Netboot server with BSDPy
Connect the dots with Docker

Thanks to all attendees that showed up for either one or both of my talks, hope to see you all again next year!

Read more...

MDM-azing - setting up your own MDM server

Pardon the pun, but I’ve been meaning to use that Shamen reference ever since MDM became A Thing.

It is not for a lack of Mobile Device Management solutions that I wanted to figure out the process of setting up my own MDM server of course. Quite the opposite, as there are many vendors out [there](https://meraki.cisco.com/solutions/mobile-device-management) offering MDM solutions with varying levels of customer satisfaction. It’s fair to say that often MDM solutions tend to nudge over to the far ends of the spectrum capped by “Overly complicated” on one end and “Checkbox feature” on the other. Barring a few free ones, most are also pricey, further lowering one’s sense of getting bang for one’s buck. Another issue can be integration with existing systems, which often leads to companies deciding to buy into complete solutions from one vendor. Not a perfect situation by any stretch of the imagination for those of us who have perfectly functional management tools and are just looking to enhance their toolset with the benefits of Apple’s OS X MDM integration.

There have been previous flurries of interest and activity in the Mac Admin community around creating a true OSS MDM solution. These attempts mostly fizzled due to uncertainty about the exact process of creating an MDM service and a lack of sources of information. After some asking around it was determined that Apple keeps certain key bits of information behind the iOS Enterprise Developer paywall, such as the Mobile Device Management Protocol Reference document. Even more importantly, the ability to sign the required MDM CSR for such a service is also only available to organizations subscribing to the same $300/year program.

Read more...

BSDPy Redis caching

As we have been ramping up the BSDPy coverage in our environment it became clear that it was spending a lot of its time making API calls for clients that were checking in and not getting enough time to respond back to clients with boot acknowledgments. To offer some background to this problem the following are the steps that the BSDP client and server go through in the process of successfully Netbooting.

Read more...

Conference Season 2015

With Spring on its way into Summer, conference season is approaching. The 2015 season promises to be busier than ever, so busy in fact that Mac Admins are having to make decisions on which conferences to skip this year because there are so many to choose from. The exception to the rule is probably WWDC, for which one needs to have won the ticket lottery to attend. If you entered and won a ticket, I sure hope you intend on going. For those not so lucky there are plenty of other events to meet up with fellow Mac Admins and discuss all the wonderful surprises Apple has in store for future hardware and software releases.

Some of the highlights:

ACEs Conference, New Orleans, LA - May 20-21
WWDC 2015, San Francisco, CA - June 8-12
MacDeployment 2015, Calgary, AB - June 18
Mac Devops YVR, Vancouver, BC - June 19
Penn State Mac Admins Conference, State College, PA - July 7-10
MacIT Conference, Santa Clara, CA - July 14-16
Mac SysAdmin 2015, Gothenburg, Sweden - September 29 - October 2
JAMF Nation User Conference, Minneapolis, MN - October 13-15
MacTech Conference, Los Angeles, CA - November 4-6

I’m fortunate enough to be speaking at two of these events, namely the Penn State Mac Admins Conference and Mac Sysadmin 2015. I have two talks lined up for PSU and one for Mac Sysadmin:

Free your NetBoot server with BSDPy - Penn State Mac Admins
Connect the dots with Docker - Penn State Mac Admins (Joint session with Nick McSpadden)
Practical Docker for Mac Sysadmins - Mac Sysadmin 2015

I hope to see some of you this summer at one of these events. Even if you can’t make it to State College or Gothenburg I hope you’ll consider some of the other events as they’re all great ways to meet some of your fellow Mac Admins and Learn New Stuff!

Read more...

Adding Python or Ruby to custom NetInstall images with AutoNBI

A recent update to AutoNBI, a tool I wrote to automate the creation of custom Apple NetInstall images (NBIs), expands its customization abilities. So far an admin has been able to essentially forklift a custom folder into the NBI, as explained quite nicely by Graham Gilbert in recent blog posts here and here. The immediate use for this is to replace the “Packages” folder on a standard NetInstall volume with one that has been prepped with a custom rc.imaging file and additional custom tools meant to be run at boot time, such as a lightweight disk imaging or no-imaging tool. This feature works for applications that are fully self-contained like a compiled Cocoa app, but is not as useful if the application has a dependency on frameworks like Python or Ruby which are not part of the default NetInstall environment. The updated version of AutoNBI now offers the option to include either one or both of the Python and Ruby frameworks in the NetInstall BaseSystem.dmg, allowing custom scripts written in either language to be run. The first tool to leverage this ability is Graham Gilbert’s very promising Imagr tool, which is written in PyObjC and thus relies on the availability of the Python framework in /System/Library/Frameworks.

I’m looking at including other potentially useful add-ons such as VNC or SSH while sticking to the overall goal of keeping the boot environment lightweight in order to provide short boot times and minimal network load.

A special word of thanks goes to every Mac Admin’s favorite Python whisperer Michael Lynn for figuring out how to parse Apple’s custom wrapper around OS X Yosemite installer sources without which it would have been nearly impossible to add these new features.

The current main branch contains the changes, so go check it out! Updated instructions can be found in the Readme on the Bitbucket repository.

Read more...

Box cutting, or how I stumbled onto a serious security flaw in Box Sync for Mac

TL;DR - Update to Box Sync for Mac 4.0.6035 immediately. The app exposes several sensitive bits of data like API keys, internal user IDs, URLs and passwords. Read on for details.

The trouble with Box Sync

Recently I revisited the convoluted mess that is the Box Sync application for Mac. If you are a Mac Admin in charge of even a small deployment environment you probably know how tedious it is to deploy the Box Sync application and manage its settings. Its only deployment method is an application bundle, which would be fine if it behaved like a normal drag and drop application: to deploy it your mass-deployment tool simply copies the application to /Applications, uses a profile or MCX to configure settings published by the vendor and all is well. Not so with Box Sync.

Read more...

Enable Google two-factor authentication for SSH connections on OS X

Note: this post was updated with additional security concerns regarding Git and the method of installing the required tools needed for compiling the PAM module. Thanks to @marczak and @Magervalp for the feedback.

Two-factor authentication (2FA) is fairly mainstream these days, which is a good thing. It would be nifty if Mac Admins could add the increased security 2FA offers to remote (SSH) logins on OS X. There are existing commercial solutions like Duo Security (a local Ann Arbor business I heartily endorse) that offer tools to accomplish this but if you are already using Google Authenticator for other services it may make sense to use that instead. As part of the Google Authenticator open source code Google provides a PAM module which, with some effort, can be compiled and configured for use with OS X’s own PAM system. In order to compile the GA PAM module the Xcode CLI tools are required as well as automake and autoconf. The easiest way to install the latter two is either through Homebrew, a popular OS X package manager or using ready-made PKG installers from the Rudix project.

Read more...

MacTech Conference 2014 Docker slides are up

I spoke at MacTech Conference 2014 about Docker earlier this week, the slides for which are now up at https://db.tt/mSWzOHnb

In the talk I cover Docker and application containerization specific to Mac admins. The content is purposely not an all-encompassing dive into Docker but aims to introduce Mac admins to the concept of containerization and how it makes their lives easier deploying Mac management-centric services.

Thanks to everyone who showed up and asked questions during my talk. The MacTech Conference organization usually also makes the session videos available, for a fee. I am not involved in the sale of the videos so check out the Conference video page after the Conference to find out more.

Read more...