macOS 11 Compatibily Check

June 23, 2020 1:32 pm , Leave a Comment ,

Yesterday, Apple announced macOS 11. I need to know what members of my computer fleet are compatible.

William Smith, aka talkingmoose, was kind enough to post the regex for what models are compatible with macOS 11. You can find that here. I tested Smith’s regex in BBEdit and it worked as expected.

The question was, how do I get an easy list of my fleet in our MDM, Mosyle?

I sent a Custom Command to my fleet, it’s here on GitHub. I told it to run that custom command on all computers and to store the results as “Big Sur.”

model=$(sysctl hw.model)
if echo $model | grep -Ei "(MacBookAir[6-9]|MacBookPro1[0-6]|MacPro[6-7]|MacBook(10|9|8)|Macmini[7-8]|MacPro[6-7]|iMacPro1),\d|iMac1(4,4|[5-9],\d)" ; then
  echo "macOS 11 Compatible"
else
  echo "macOS 11 Incompatible"
fi

So now I needed to use that data to create a list. I created a new Device Group and said that the Custom Command Big Sur was like incompatible. It immediately showed me my Library machines, which are iMac12,1 and running their max OS, macOS 10.14.

And here’s the result!

Posted in: Information Technology , Tagged: , , ,

MDM Migration for macOS

May 4, 2020 3:32 pm , Leave a Comment ,

Here’s my little tale about MDMs. It’s a history, plus how we migrated from one platform to another, why we did, and the ouches along the way.

AirWatch on iPads

At my first MacAdmins at PSU, I was speaking to a fellow macadmin about the pain of managing iPads using Configurator, Apple’s in-house product to manage iPads. He said he was in a similar pain and then moved to AirWatch, a Mobile Device Management system (MDM).

AirWatch, along with Apple’s Device Enrollment Program (DEP) got me where I needed. I could wirelessly provision my iPads and install applications from Apple’s Volume Purchasing Program (VPP), which is basically the App Store for organizations.

macOS in WorkspaceONE

We eventually put our macOS devices into AirWatch, which was now retitled WorkspaceONE, with a very simple workflow. Computer would boot, DEP would tell the computer it was owned by the school and was assigned to WorkspaceONE, WorkspaceONE would install a package with Munki and run a script to rename the computer based on a Google Sheet (that script can be found here).

WorkspaceONE would also be used to install configuration profiles on the Mac for things that an MDM was needed for and couldn’t be done via Munki such as Privacy Preferences Policy Control (PPPC) which requires User Approved MDM (UAMDM) to be deployed.

iPad *headdesk*

All was good, and then stuff didn’t work as well. Apps wouldn’t push out to the devices, configuration profiles wouldn’t push out to the iPads. The Macs were depending on WorkspaceONE for so little that it didn’t really matter. I was helping my friend move away from DeployStudio for his imaging needs and move to no-imaging, I suggested he use Mosyle for his Macs. I liked what I saw and I was tempted.

Since Mosyle was free for one platform (iOS/iPadOS or macOS), in August 2019, I decided to move all my iPads over to Mosyle. It would be easy. I annually wipe all my iPads. Move them over to in Apple School Manager from WorkspaceONE to Mosyle, set up configuration settings, move my VPP licences overs, wipe the iPads and watch them all enroll. It went amazingly.

macOS *headdesk*

We mostly used WorkspaceONE on the macs just to install Munki, but there were a few things it wasn’t doing properly. We setup a firmware password to prevent students from restarting computers into Recovery and changing teacher passwords. It was only successfully installed on 10% of devices. We sent out PPPC settings for Smart Notebook and it only installed for about 80% of fleet. We sent out a kext allowlist which only worked on about 50% of the fleet.

Whenever we called VMWare support, we usually got a support agent who didn’t know the macOS platform. It would take over 24 hours before VMWare would call us. They would always call outside of our normal business hours and any resolution to our problems was in spite of their support staff, not because of them.

My plan was to move all macOS devices over to Mosyle in September 2020. It would be much harder. I can’t just wipe teacher laptops. While there’s no policy in favour of this, many teachers use their school devices as their personal devices. In addition, many don’t store all their data in Google Drive as they’ve been instructed to do for many years. As such, I also pushed back our planned roll out of Catalina until September 2020. Normally I tried to allow teachers to install a new OS via Munki as soon as possible (after testing).

The Best Plans Are Destroyed By A Pandemic

With remote learning, and a closed building, we were managing computers via Zoom. This is fine if WorkspaceONE was pushing out the PPPC policies correctly to allow for the fleet. Our users are Standard users (not Admin, aka, non-privileged users), and thus they cannot authorize the PPPC settings for Accessibility to allow remote control of their computer via Zoom.

Then Apple rolled out a security update that caused major problems in macOS 10.14.6 and Zoom. We had crashes. Terrible crashes. Many were not able to teach.

To Mosyle and Beyond!

Mosyle were kind enough to offer us free usage until the end of June if I signed the full one year contract we were planning to buy next year (July 2020-July 2021). I jumped on that.

I was testing Mosyle for macOS in September, so back then I put all policies and configuration profiles from WorkspaceONE into Mosyle. I needed to do some updating of policies that changed since September. I did that, then I tested on a couple of machines. Then I wiped them, enrolled them in WorkspaceONE and tested the migration process to Mosyle. All seemed to go well.

Then I logged into the computer lab at the school. I tested the migration process on those computers, it went simply and quickly. Then I remembered that I don’t have Remote Desktop access to the computers at teacher homes. I’m running this through Zoom and a Standard User. So with a bit of a chat with Rich Trouton of Der Flounder fame, I confirmed that his software Privileges, if deployed through Munki, would give the user elevated privileges and allow me to walk them through the final process.

The Process

  1. First day, distribute to all devices via Munki a stub installer of Catalina
    I used the stub rather than the full installer because the download from Apple’s servers would be faster than the download from the school’s server
  2. Day before, add Privileges to the computer’s manifest in Munki as a Managed Install
  3. Switch computer from WorkspaceONE to Mosyle in Apple School Manager
  4. Check on WorkspaceONE if Privileges had been installed, if so, choose “Delete Device”
  5. Connect via Zoom, and have the user share their Desktop
  6. Request control, they would get a message asking either to open System Preferences to allow or Deny
  7. Ask the user to open System Preferences
  8. Ask the user to launch Privileges from the Applications folder and request privileges
  9. Have the user allow Accessibility for Zoom in the Privacy pane of System Preferences
  10. Take control and use Privileges to revoke privileges
  11. Put the Privileges app in the Managed Uninstalls for the device’s manifest in Munki
  12. Confirm the profiles are removed from the computer and it is unenrolled from WorkspaceONE
  13. Go to enroll.mosyle.com/?account=school and download the profile to enroll in Mosyle
  14. Assign the device in Mosyle to the appropriate user (teacher-only and admin-only profiles will be pushed depending on who it is assigned to)
  15. Run Managed Software Centre to remove Privileges
  16. Run the Catalina stub and tell the device to install 10.15.4

While in my testing everything worked like a charm, that didn’t translate to the real world.

What Went Wrong

For about 75% of the computers everything went perfectly. For 5% of the computer, it could take anywhere from an hour to 24 hours to delete the device from WorkspaceONE. Sometimes a reboot triggered it, sometimes a it just happened when it felt like it.

After days of trying to get help from VMWare, I was finally told by the MacAdmins slack that Delete Device is not the best way to do this. What I wanted was Enterprise Wipe, which removes all traces of the MDM (in theory). To me using the word “wipe” had some bad connotations and scared me away from using it.

I tested the Enterprise Wipe function on the computer lab iMacs and it worked like a charm. It could still take anywhere from 1 hour to 24 hours, but at least the support agent that was assigned to help me1 gave me a bit less grief if I used Enterprise Wipe rather than Delete Device.

There was still the remaining 20% of devices. There seemed to be a theme between those 20%. They all had enrolled in WorkspaceONE in September 2019 and never communicated with the system again.

I was installing the WorkspaceONE agent, on the computer to get it to reestablish communications with the MDM, and that worked, but once you told it to perform an enterprise wipe, it wouldn’t wipe.

Days would go by and no Enterprise Wipe.

I Guess We’re Disabling SIP? (Temporarily)

In the end I was kinda forced to do this. I didn’t want to, but I kinda had to.

  1. Connect with the user over the phone (there will be numerous restarts so Zoom won’t work)
  2. Diable SIP
    1. Have them restart the computer holding down Command-R
    2. Click Utilities
    3. Click Terminal
    4. Type csrutil disable and return2
    5. Restart the computer (Apple menu, restart)
  3. Connect via Zoom, keep the mic off as you’re still on the phone with them, screen share and request control
  4. Launch the terminal
  5. su <<Admin User Name here>>
  6. sudo rm -rf /var/db/ConfigurationProfiles/
  7. sudo rm /Library/Keychains/apsd.keychain
  8. sudo reboot
  9. Connect via Zoom, keep the mic off as you’re still on the phone with them, screen share and request control
  10. Go into System Preferences and make sure there are no profiles
  11. Enable SIP (has to be done before enrolling in Mosyle, because Mosyle will actually install the firmware password profile)
    1. Have them restart the computer holding down Command-R
    2. Click Utilities
    3. Click Terminal
    4. Type csrutil enable and return3
    5. Restart the computer (Apple menu, restart)
  12. Connect via Zoom, keep the mic off as you’re still on the phone with them, screen share and request control
  13. Enroll in Mosyle
    1. Go to enroll.mosyle.com/?account=school and download the profile to enroll in Mosyle
    2. Assign the device in Mosyle to the appropriate user (teacher-only and admin-only profiles will be pushed depending on who it is assigned to)

So, that was my tale. I hope it helps someone. I hope that someone at VMWare sees this and tries to figure out why their support is so bad.

  1. I don’t want to use any verbiage to imply that she did actually help me, because she didn’t. I don’t even want to suggest she tried to help me, because she didn’t. []
  2. Text this to them, so you don’t have to spell that out over the phone. []
  3. Text this to them, so you don’t have to spell that out over the phone. []
Posted in: Music

Doctor Who Serial 034 – The Macra Terror

March 29, 2020 9:16 pm , Leave a Comment ,

Part One

Well the companions are being idiots and attacking the first person they see. Sure he has a terrible hairdo, but that’s no reason.

Why have we never had a bearded Doctor?

“No one ever left alive in nineteen hundred eighty five will ever doooooo!”

Part Two

Those uniforms are amazing. The collar is so high, and the shoulder pads are good enough to be Romulan. That was the problem with Star Trek: Picard. not enough shoulder pads.

There is no macra!!!!

Those electronics are fragile, if you knock on them, you shouldn’t pop out of the wall.

Oh, there is indeed a macra, what a crabby beasty.

The controller doesn’t seem to be in control.

Part Three

Why does the music sound like a Nintendo game?

Part Four

These cheerleaders for the government are so much fun. I love this.

The Highland Fling is one of the things that makes me think Jamie is the best companion the Doctor has ever had.

Posted in: Television , Tagged: , , , ,

Doctor Who Serial 030 – The Power of the Daleks

March 25, 2020 5:37 pm , Leave a Comment ,

Part One

I was excited for a Patrick Troughton episode. I love the second doctor and Jamie… then I see this is the one story without Jamie. Well, it’ll be 2 and Ben and Polly. I can live.

I like the shot looking down the risey fally bit of the console.

Oh Doctor, you should’ve kept that hat.

Ben and Polly really just assumed that he’s the Doctor. The Doctor hasn’t said it.

Creepy!

Part Two

The original theme and opening credits were truly the best.

Lesterson’s glasses are fantastic. Don’t think they’d suit my face, though.

Lesterson should listen and not try to reactivate a Dalek.

Why is Polly the only one wearing shorts?

Part Three

Yeah we get that you are a servant. You only have to say it once.

People in Doctor Who need to stop being so shocked at machines having any sense of intelligence.

How could this scientist be so sure that the Dalek has a positronic brain? Why hasn’t he opened it before? Wouldn’t that be the first thing you’d do?

Haha, the Dalek wanting to shout how much better than Humans they are.

Oh shit, there’s three Daleks now. “When I say run, run like a rabbit.”

Part Four

That dude is going to regret letting the Daleks do stuff.

Oh the scientist is seeing the errors of his way, but the lady is becoming the evil one.

Janley, the lady, is giving the Daleks their guns… stupid.

Oh shit, the Daleks have Doctor Who on the TVs in their office.

Part Five

I feel like they haven’t figured out who Patrick Troughton’s Doctor is yet. He is great, but he’s going to be so much better.

“We are not ready yet to teach these human being the laws of the Daleks.” You seem ready, you have an entire army.

Did that jail guard really give a prisoner a water glass and a glass jug? That seems unsafe.

I forgot about Ben and Polly.

Part Six

Yes, I get it, you conquer and destroy, Daleks. You don’t need to scream it over and over.

I don’t get how Doctor Who convinced us that the Daleks could be the biggest baddest species in the universe.

Posted in: Television , Tagged: , , ,

Doctor Who Serial x – K9 and Company

March 17, 2020 8:17 pm , Leave a Comment ,

The opening credits might be the greatest thing that’s ever been in the Doctor Who universe. K9!

Peter Tracy is a looker. Sarah should go for him.

God, I would never stay at my aunt’s place if within 10 minutes of arriving 3 strangers showed up to see how I was doing. Jesus, just let her be.

Wow, Ward knows way too much about a future robotic dogs.

I think this is the first Doctor Who christmas episode.

K9 is very obviously a robot dog and not the familiar of a witch.

Peter Tracy doesn’t want to be a witch.

So Sarah Jane leaves someone’s house. They are rude and don’t believe her, she gets home and nearly immediately that woman calls her up and tells her she can’t be alone and must come back. Why would Sarah Jane even consider that, you’re a rude bastard.

K9! do do honk honk!

Posted in: Television , Tagged: , ,

Doctor Who Serial 115 – Logopolis

March 15, 2020 11:01 pm , Leave a Comment ,

We’re here. The final Tom Baker story. I’m gonna take a Doctor Who break soon. After this I’m going to watch K-9 and Company, which is the next Doctor Who item to air. Then I’ve got two serials that were animated that I didn’t watch before. After that I’m not sure how long it’ll be before I start up Peter Davison’s era. Maybe a year, maybe a day. Who knows. This past week seems like it was a whole year with this pandemic.

Part One

Oh that’s the Master’s TARDIS, just so happened to masquerade as a police box.

The Doctor doesn’t do a great job of communicating with people.

HAHAHA! The machine code they use makes the TARDIS draw like I used to do on my Commodore 64.

15 minutes of this episode was dedicated to fixing a flat tire and measuring a police box.

Part Two

Aunt and copper dolls!

If the Doctor is going to put a creepy garden in his TARDIS, he should make it less creepy. Also, how many people do you think from the hundreds of years of the Doctor’s life is roaming around in the TARDIS that never met the Doctor and are just trapped.

We have the same mind!

Why do British people pronounce “omega” so strangely.

The Doctor has an ominous stalker. If I recall correctly, the Watcher never gets explained. Maybe if they didn’t spend 15 minutes on flat tires (or tyres) then we wouldn’t be here. Watching Doctor Who makes me think that maybe Stephen Moffat’s bad writing when he was head writer is just normal Doctor Who.

Now there’s someone named the Monitor. Doctor, Master, Monitor, Watcher.

I really don’t understand why it’s so urgent that the Doctor head to Logopolis to have his TARDIS reconfigured.

Also, why is the advanced technology of Logopolis computers from the ’80s?

Part Three

So the TARDIS shrinks. Adric panics as the Doctor is in there… why should that matter? The external dimensions are not linked to the internal dimensions.

I feel like the only thing Ainsley is doing in this episode is laughing at the camera.

If the TARDIS is shrunk, why is it shot with fisheye?

Poor Tegan, she has nothing to do to help.

Really Doctor, that’s how you tell Tegan that Auntie Vanessa died? You’re a prick.

Part Four: The Final Part

Aww, I miss the sound of dot matrix printers.

This is the funkiest Doctor Who music ever.

More Masterial laughter.

Tom Baker deserved a better finale. But hello Peter Davison!

Posted in: Television , Tagged: , , , , , ,

Doctor Who Serial 114 – The Keeper of Traken

March 12, 2020 11:02 am , Leave a Comment ,

Part One

I started the episode, and then I got distracted by online grocery shopping. So that’s ten minutes of the episode without any commentary.

Cassia’s hair and eye shadow are on fleek, is that what the youngin’s say now… on fleek? I’m hip. It reminds me of Working Girl, which I watched last night.

“It looks almost alive,” says Adric as he approaches a stone like man who looks in no way alive.

I like the beards in this episode.

Oh shit, rock boy just vaporized the TARDIS.1

Damn, that’s bad timing for the Keeper to shout out “EVIL!” as soon as he see Doc and Adric.

Part Two

“I had no idea your science was this far advanced,” Adric says as he stares at CRT monitors and racks of equipment with blinking lights.

What the fuck was this:

Part Three

I love falling nets.

I like the guy with the moustache. He just seems so tired of everyone’s shit.

“Only the Doctor can destroy our plans,” duh.

Stone man made a TARDIS sound as it faded away.

OH MY THE STONE TARDIS IS BACK! THE STONE TARDIS IS THE KEEPER OF TRAKEN!

Part Four

Doctor, it’s the Master, obviously.

Also, I love ROCK TARDIS!

Oh shit, Shit master’s got the new master body captured!

  1. I went looking for a YouTube clip of “why not just waporize them?” from Star Trek VI: The Undiscovered Country. I couldn’t find it. Imagine it’s here. []
Posted in: Television , Tagged: , , , ,

Pizza Dough

March 9, 2020 9:45 am , 1 Comment ,

I’m blogging this for personal use. The website I use has gone bye-bye. I have three go to recipes for pizza dough. Kenji Lopez Alt’s New York Style Dough, his neapolitan dough, and this one. Kenji’s require at least overnight rest, so I like this for its one hour rise.

I stole this from here http://mmmisformommy.com/2014/01/garlic-fingers-donair-sauce.html, but the site is dead now. I found the recipe on archive.org.

Pizza Dough

  • 1 cup lukewarm water
  • 2 1/4 tsp dry active yeast (not quick rise) (this is equivalent to 1 packet)
  • 1 tsp honey (I use maple syrup)
  • 1 tbsp olive oil
  • 1 tsp salt
  • 2 1/2 cups all purpose flour (spooned in and levelled with a knife)

Combine first three ingredients in your mixer bowl. Wait 5 minutes to ensure yeast is active.

Add remaining ingredients.

Using the dough hook, run the mixer on the lowest speed for 6 minutes. At the same time, some water in your microwave and run for 6 minutes to get nice and steamy.

Form dough into a ball, spray bowl with cooking spray, return dough to bowl, cover with tea towel, and place in the microwave (while it’s off, but steamy).

Let sit for 45-50 minutes.

Punch down dough, and rest for 10 more minutes.

Donair Sauce

While we’re here, let’s preserve the donair sauce recipe:

  • 1 can of sweetened condensed milk
  • 1/3 cup of white vinegar
  • 1 tsp of garlic powder

Garlic Fingers

Next is if we want to use the dough to make garlic fingers… who doesn’t. We tried some of Pizza Delight’s frozen Garlic Fingers, and they’re not as good as it is in the restaurant or the homemade with this recipe.

  • 3 tbsp of butter
  • 1 tbsp of garlic

Slather the garlic butter from edge to edge and then top with 2 1/2 cups of low moisture mozzarella.

Posted in: Food , Tagged: , , ,

Doctor Who Serial 113 – Warriors’ Gate

March 7, 2020 12:30 pm , Leave a Comment ,

Part One

This feels like a Beckett play. “We have lift off,” two bored dudes shout, “yay!”

Okay as this goes on, this feels more and more like a Beckett play.

Every time they say “time winds” I assume they are talking about “time farts.”

The dude just said more people were coming. Why don’t Adric or Romana think it’ll happen?

“Give me a printout.”

Part Two

Cobwebs and skeletons, they’re covered in grime1.

Vladimir and Estrogan are still sitting in the same spot, providing commentary.

I think I missed something, why is K9 walking backwards?

“This is important, I need you to do it.” “Energy levels critical.” “Oh, come on old chap!” That really feels like a scene with Henry Fondle from BoJack Horseman.

Part Three

I like when my wife watches with me, and laughs at the ridiculousness. Like the Doctor disappearing as he walks backwards, or the monster/muppet hand pressing the button.

Aww, scary monster is freeing Romana.

K9 is a lot lighter than I would have expected.

Is the Scottish guy supposed to look exotic and alien?

K9 shut up! Listen to your Time Lady.

Fuck Romana is captured twice in this story… well, that’s not surprising.

Part Four

The Masters are garbage people.

I like that the Doctor is really into pickles in this episode. I too am rather fond of pickles.

Romana is leaving! K9, too!

  1. sung to the tune of Incense and Peppermint []
Posted in: Television , Tagged: , , , ,

Doctor Who Serial 112 – State of Decay

March 4, 2020 9:34 pm , Leave a Comment ,

Part One

This felt like Monty Python for a second.

The Great One is rising, and wikipedia told me that he is a vampire. I’m afraid of this episode. I hope it’s not as bad as…

“The Vampires of Venice” episode of Doctor Who, first broadcast 8 May 2010.

“Immature humanoid, non-hostile.” K9 is very descriptive about Adric.

Oh man! That cross dissolve to the bat was supposed to be dramatic… it was not.

C’mon Adric, they’re giving you soup, now you’re asking for cheese?

Part Two

You call that a tower? My apartment building is much bigger.

Romana needs to learn how to clink glasses without cutting herself.

I’m liking Adric.

Part Three

People too often want to share power with the Doctor. They should learn he doesn’t want to rule the universe.

That door pass scanner seems like bad security. You have to leave the security card behind.

“There once was a man from south Gallifrey…”

Part Four

It’s a rebellion, the Doctor is forming!

Adric is really keen to be a vampire. I can kinda see it. These vampires, while rather melodramatic, don’t seem to be living such a bad unlife.

The music sounds like it’s an old DOS game.

Wow, the dying vampires are amazing.

Posted in: Television , Tagged: , , , ,