macOS Updates 23 January 2018

macfamily-promo-osx-family-icon_2xApple have released updates to macOS High Sierra, macOS Sierra and OS X El Capitan today.

The updates for Sierra and El Capitan include mitigations for the Meltdown and Spectre vulnerabilities.

You can use the information below to search or report on the disposition of your inventory/fleet and read more from Apple.

  • macOS High Sierra 10.13.3
    Build numbers: 17D47 or 17D2047 (depending on hardware, both are current)
  • Security Update 2018-001 Sierra
    Build number: 16G1212
  • Security Update 2018-001 El Capitan
    Build number: 15G19009

For more information: About the security content of macOS High Sierra 10.13.3, Security Update 2018-001 Sierra, and Security Update 2018-001 El Capitan

Mavericks Update:Setting A Default Paper Size

printerThe Mac Admin reader David noted that the preference file and key referenced in Setting A Default Paper Size no longer manages the default paper size setting in OS X v10.9 Mavericks.

The new file is
~/Library/Preferences/org.cups.PrintingPrefs.plist

This makes the new preference domain: org.cups.PrintingPrefs

The Key that governs the preference remains the same: DefaultPaperID

The values remain the same, repeated below for your convenience.

Paper Size String
US Legal na-legal
US Letter na-letter
A4 iso-a4
A5 iso-a5
JIS B5 jis-b5
B5 iso-b5
Envelope #10 na-number-10-envelope
Envelope DL iso-designated-long-envelope
Tabloid tabloid
A3 iso-a3
Tabloid Oversize arch-b
ROC 16K roc16k
Envelope Choukei 3 cho-3-envelope
Super B/A3 arch-b-extra

Creating OS X Mavericks Install Media

mavericksIT staff, and even consumers often want to have a physical bootable install disk for OS X.  In OS X Mavericks, Apple have provided a relatively simple command line tool for creating bootable install media.

To create the install media, mount a volume that you would like to use as an install disk.  This volume needs to be able to hold at least 5.36 GB of data to house the install media. Note that this volume will be erased and reconfigured as an OS X installer. With the desired volume mounted, open the Terminal application and execute the following command:

sudo /Applications/Install OS X Mavericks.app/Contents/Resources/createinstallmedia --volume /Volumes/TargetVolumeName --applicationpath /Applications/Install OS X Mavericks.app --nointeraction

Replace “TargetVolumeName” with the name of the volume you want to turn into a bootable OS X Mavericks installation disk.

See the screenshot below for the Terminal output from the command above.

Mavericks Installer Creation
Mavericks Installer Creation

The Right OS For The Right Mac

macfamily-promo-osx-family-icon_2xA perennial topic of discussion amongst Mac system administrators is which operating system should be deployed to which Mac.  There is a mountain of misinformation floating around the community and the Internet on this topic. Here, I hope to set a few things straight.

On any particular Mac, the earliest version of OS X supported by Apple is the version that shipped with the Mac in question. Installing an earlier version of OS X will either fail to install, fail to boot after installation, or cause unexpected issues after boot. Regardless of how well the install goes or whether or not the computer boots, Apple will not support this configuration. Answers to support requests will generally amount to “install the correct operating system”. See the link below for Apple’s notes on this topic and a list of which OS X versions shipped with each Mac computer (note, as of this writing, the chart has not been updated to include 2013 iMac models).
http://support.apple.com/kb/HT1159

An Open Secret

It is widely held in the Mac sysadmin community that once Apple releases a new version of OS X, this new version includes the software components necessary to support the new OS X version on earlier hardware.

There are two situations in which this generally applies.

  1. An OS X installation that has had an update applied bearing the suffix “(Combo)”, as in “OS X Mountain Lion Update v10.8.5 (Combo)”, will usually support all hardware released prior to the update that meets the system requirements for the major OS X release, OS X Mountain Lion v10.8 in this example.
  2. The apps “Install Mac OS X Lion.app”, “Install OS X Mountain Lion.app” and soon, “Install OS X Mavericks.app”, from the Mac App Store will install OS X on any Mac computer released prior the latest update to the OS X installer app used.

I call this an “open secret” because you will find nothing in Apple’s documentation to support this claim, however it is generally correct.  I say “generally correct”, because occasionally it isn’t, particularly when hardware and OS X releases come close together.

The only 100% certain way to ensure an OS X installation is appropriate for and supported on a Mac computer is to use the OS X installer supplied by Apple for the computer in question, which includes a factory-installed Recovery System (Recovery HD) and OS X Internet Recovery.  See the link below for Apple’s explanation of OS X Recovery:
http://support.apple.com/kb/HT4718

OS X Hacking

There are those in the community who, for various reasons, hack new releases of OS X, and insert components from the new release into a previous release in an effort to run an earlier operating system than Apple intended or supports on a particular Mac.  The people doing this are clever and deserving of “geek cred”, but I would never recommend using such a hacked distribution in a production environment.

Running a “hacked operating system” may run afoul of the organization’s operating rules either self-imposed or legally required.  Even in the absence of such restrictions, my recommendation stands.  Vendor support is a key component in service level agreements.  If you choose to deploy an OS with unsupported modifications, you are ultimately personally responsible for every system failure.  This is not a position I want to be in or that I recommend you place yourself in.

Deploying OS X Configuration Profiles Without MDM

mobileconfigI was recently in a conversation with someone who needed to deploy configuration profiles to OS X clients, but they did not have the ability or authority within their organization to open the network ports required to implement a Mobile Device Management (MDM) solution.  This post describes how to install configuration profiles with an installer package.

The first step is to create and export your configuration profile as a .mobileconfig file.  These files can be created on a computer running OS X Server, using Profile Manager.  For more details on creating and downloading configuration profiles, see Apple’s Profile Manager Help documentation.

Once you have the .mobileconfig file, you’ll want to create a package that will deploy this file to a known location on your client systems.  I recommend a folder in the root Library named for your organization such as…

/Library/myOrg

For instructions on creating packages, refer to the documentation for your favorite package building tool.  My favorite is Composer.

Simply deploying the .mobileconfig file to this location won’t install it.  Apple provides a command line tool called profiles.  The profiles command can be used as part of a postinstall script included in the package that deploys the .mobileconfig file.  Below, find the two lines to include in this script…

#!/bin/bash
/usr/bin/profiles -I -F "/Library/MyOrganization/Company Wi-Fi.mobileconfig"

 

If the .mobileconfig profile should be deleted once installed, the following command can be added to a third line in the script…

rm "/Library/MyOrganization/Company Wi-Fi.mobileconfig"

 

Of course, “/Library/MyOrganization/Company Wi-Fi.mobileconfig”  should be replaced in each command with the quoted path to the .mobileconfig file deployed by the package.

I hope this is helpful.