macOS Updates 23 January 2018

macfamily-promo-osx-family-icon_2xApple have released updates to macOS High Sierra, macOS Sierra and OS X El Capitan today.

The updates for Sierra and El Capitan include mitigations for the Meltdown and Spectre vulnerabilities.

You can use the information below to search or report on the disposition of your inventory/fleet and read more from Apple.

  • macOS High Sierra 10.13.3
    Build numbers: 17D47 or 17D2047 (depending on hardware, both are current)
  • Security Update 2018-001 Sierra
    Build number: 16G1212
  • Security Update 2018-001 El Capitan
    Build number: 15G19009

For more information: About the security content of macOS High Sierra 10.13.3, Security Update 2018-001 Sierra, and Security Update 2018-001 El Capitan

Jamf Pro EA: Member of AD Group

jamfProThis is an extension attribute script to determine if the user assigned to the computer is a member of a given AD group or groups.

In the example below, the script will return a “Yes” result if the user to which the computer is assigned in Jamf Pro is a member of the groups “ADGroupX” or “ADGroupY”.

The script will…

  • Get the computer’s serial number
  • Pull the computer record via the Jamf Pro API
  • Harvest the contents of the “username” field
  • Get the domain via dscl (computer must be bound to AD)
  • Determine if “username” is a member of “ADGroupX” or “ADGroupY”

This script can certainly be cleaned up a bit but does the job effectively.


# Is the user assigned to this computer a member of a given AD group or groups.
# In this example, the target groups are "ADGroupX" and "ADGroupY"

serialNumber=$(ioreg -l | awk -F'"' '/IOPlatformSerialNumber/ { print $4;}')
response=$(curl -v -k -u apiComputerReadUsername:apiComputerReadPassword -H "Accept: application/xml" -H "Content-Type: application/xml" https://JamfProUrl/JSSResource/computers/serialnumber/$serialNumber)

assignedUser=$(echo $response | xpath '/computer/location/username/text()' 2>/dev/null)

domain=$(dscl /Active\ Directory/ -read . | grep SubNodes | sed 's|SubNodes: ||g')

membership=$(dscl /Active\ Directory/"$domain"/All\ Domains read /Users/$assignedUser dsAttrTypeNative:memberOf | egrep 'ADGroupX|ADGroupY')

if [[ "$membership" == "" ]]; then
 echo "<result>No</result>"
 echo "<result>Yes</result>"

exit 0

The script can also be found on GitHub below.


the vocabulary of a person, language, or branch of knowledge.
“the size of the English lexicon”

– Google, 14 January 2017

To communicate complex technical concepts effectively, people need to speak the same language. The use of technical terms must remain consistent and logical to promote understanding. The absence of common, consistent language hinders the free exchange and easy comprehension of ideas. This is particularly true of system administrator communities that have to deal with a huge library of technical terminology.

Nerds (I use that term affectionately and apply it to myself) have a tendency to invent their own terms for products, processes, and concepts. Some technology professionals cling to incorrect terms, even after learning the correct ones. The best of us misspeak at times, especially when terms sound similar or describe similar things. That is fine, we’re all fallible humans.

The use of incorrect terminology becomes a problem when someone knows the correct term and deliberately uses an incorrect one out of preference. Those of us who have been working on Macs since they were all-in-one beige rectangles may feel a certain amount of “geek cred” when we use older terms, but this can confuse people who are new to the topic, making it difficult to join the conversation. This can also steepen the learning curve as a person new to the topic may not be aware of all of the historical or nonstandard terminology.

At The Mac Admin, we primarily discuss Apple products and services, so we use Apple’s own style guide to describe them. When discussing any other vendors’ products we will use that vendor’s style guide where available. When a guide is not available we will use the vendors’ documentation as a guide. When we need to discuss a concept that does not have any vendor-official term, we will do our best to be consistent and remove ambiguity by defining the term the first time we use it, remaining consistent in that definition, and avoiding terms known to have many conflicting definitions.

For further reading…

Apple Style Guide by Apple Inc.

Mavericks Update:Setting A Default Paper Size

printerThe Mac Admin reader David noted that the preference file and key referenced in Setting A Default Paper Size no longer manages the default paper size setting in OS X v10.9 Mavericks.

The new file is

This makes the new preference domain: org.cups.PrintingPrefs

The Key that governs the preference remains the same: DefaultPaperID

The values remain the same, repeated below for your convenience.

Paper Size String
US Legal na-legal
US Letter na-letter
A4 iso-a4
A5 iso-a5
JIS B5 jis-b5
B5 iso-b5
Envelope #10 na-number-10-envelope
Envelope DL iso-designated-long-envelope
Tabloid tabloid
A3 iso-a3
Tabloid Oversize arch-b
ROC 16K roc16k
Envelope Choukei 3 cho-3-envelope
Super B/A3 arch-b-extra

Creating OS X Mavericks Install Media

mavericksIT staff, and even consumers often want to have a physical bootable install disk for OS X.  In OS X Mavericks, Apple have provided a relatively simple command line tool for creating bootable install media.

To create the install media, mount a volume that you would like to use as an install disk.  This volume needs to be able to hold at least 5.36 GB of data to house the install media. Note that this volume will be erased and reconfigured as an OS X installer. With the desired volume mounted, open the Terminal application and execute the following command:

sudo /Applications/Install OS X --volume /Volumes/TargetVolumeName --applicationpath /Applications/Install OS X --nointeraction

Replace “TargetVolumeName” with the name of the volume you want to turn into a bootable OS X Mavericks installation disk.

See the screenshot below for the Terminal output from the command above.

Mavericks Installer Creation
Mavericks Installer Creation

The Right OS For The Right Mac

macfamily-promo-osx-family-icon_2xA perennial topic of discussion amongst Mac system administrators is which operating system should be deployed to which Mac.  There is a mountain of misinformation floating around the community and the Internet on this topic. Here, I hope to set a few things straight.

On any particular Mac, the earliest version of OS X supported by Apple is the version that shipped with the Mac in question. Installing an earlier version of OS X will either fail to install, fail to boot after installation, or cause unexpected issues after boot. Regardless of how well the install goes or whether or not the computer boots, Apple will not support this configuration. Answers to support requests will generally amount to “install the correct operating system”. See the link below for Apple’s notes on this topic and a list of which OS X versions shipped with each Mac computer (note, as of this writing, the chart has not been updated to include 2013 iMac models).

An Open Secret

It is widely held in the Mac sysadmin community that once Apple releases a new version of OS X, this new version includes the software components necessary to support the new OS X version on earlier hardware.

There are two situations in which this generally applies.

  1. An OS X installation that has had an update applied bearing the suffix “(Combo)”, as in “OS X Mountain Lion Update v10.8.5 (Combo)”, will usually support all hardware released prior to the update that meets the system requirements for the major OS X release, OS X Mountain Lion v10.8 in this example.
  2. The apps “Install Mac OS X”, “Install OS X Mountain” and soon, “Install OS X”, from the Mac App Store will install OS X on any Mac computer released prior the latest update to the OS X installer app used.

I call this an “open secret” because you will find nothing in Apple’s documentation to support this claim, however it is generally correct.  I say “generally correct”, because occasionally it isn’t, particularly when hardware and OS X releases come close together.

The only 100% certain way to ensure an OS X installation is appropriate for and supported on a Mac computer is to use the OS X installer supplied by Apple for the computer in question, which includes a factory-installed Recovery System (Recovery HD) and OS X Internet Recovery.  See the link below for Apple’s explanation of OS X Recovery:

OS X Hacking

There are those in the community who, for various reasons, hack new releases of OS X, and insert components from the new release into a previous release in an effort to run an earlier operating system than Apple intended or supports on a particular Mac.  The people doing this are clever and deserving of “geek cred”, but I would never recommend using such a hacked distribution in a production environment.

Running a “hacked operating system” may run afoul of the organization’s operating rules either self-imposed or legally required.  Even in the absence of such restrictions, my recommendation stands.  Vendor support is a key component in service level agreements.  If you choose to deploy an OS with unsupported modifications, you are ultimately personally responsible for every system failure.  This is not a position I want to be in or that I recommend you place yourself in.

Understanding New Software With Old Batteries

batteriesI’ve come across lots of tweets, blog posts, and in-person comments regarding battery life on older devices after having upgraded to iOS 7.  While I know many people simply enjoy complaining, perhaps a dose of knowledge will help ease misguided anger.

There are two primary factors in the degradation of lithium-ion batteries.  The first is charge cycles. Apple rates iPhone batteries at 400 charge cycles.1 An iPhone battery that has been recharged more than 400 times will experience decreased performance. Second, these batteries have an expiration date. The useful life of a lithium-ion battery is two to three years, even if it goes through zero charge cycles.2 The battery in an iPhone 4s purchased at launch in October 2011 has likely reached the end of its usable life.

iOS 7 was launched alongside new iPhone models with improved batteries. New, more power-intensive features were likely developed with the new battery technology in mind. Older devices not only have previous generation battery technology, but those batteries are approaching, if not already past, their usable life cycle.

If you’re not ready to upgrade your device, but your battery has exceeded its usable life in charge cycles, age, or both, You can purchase a new battery at an Apple Store or Apple Authorized Service Provider.