Casper Suite: Firmware Updates Extension Attribute

As promised, here is the follow-up to my previous post.

People who have followed this blog will know that I like zero touch. Unfortunately, firmware updates usually require physically touching a computer. In the absence of a scriptable robot that can go around to users’ desks pressing buttons, this process is hard to automate. Thankfully, firmware updates are relatively infrequent compared to other Apple Software Updates.

Using an Extension Attribute in the Casper Suite, I have been able to achieve the following goals…

  • Automate Apple Software Updates without continually running Software Update on computers that only have firmware updates available.
  • Generate a list of computers that require firmware updates.  This list is given to technicians as a work list of computers to visit and run the firmware updates on.

Here’s the script to use in the Extension Attribute (I call it “Available FWUs”)…

#!/bin/bash
# Populate "Firmware Updates Available" extension attribute
# Get firmware update count
fwupdcount=`softwareupdate -l | grep -c -e Firmware -e firmware -e EFI -e SMC`
echo "<result>$fwupdcount</result>"

The fourth line counts the lines of softwareupdate -l output that contain the terms “Firmware”, “firmware”, “EFI” or “SMC”.  This covers all of the firmware updates I can find on apple.com/support.  If additional terms become needed in the future, add ” -e <desiredTerm>” to the command between “SMC” and the final backtick.  Note that grep -c counts matching lines, not updates: if both the title line and the description line of an update mention firmware, it is counted twice, so treat the value as a flag (zero or non-zero) rather than an exact count.

The result will be an integer.  An Advanced Search for computers with Available FWUs more than 0 will give you the firmware update work list.  As the scope for an automated Software Update policy, I use a Smart Computer Group containing computers with Available SWUs (the companion Extension Attribute for available software updates) more than 0 and Available FWUs less than 1, so that the policy never runs on a machine whose only pending update needs a technician.
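As an added example (not the post's own Extension Attribute), here is a script that classifies the entry lines of softwareupdate -l into firmware and non-firmware updates, so that one piece of logic can feed both an "Available FWUs" and an "Available SWUs" attribute. It uses the same terms as the post (firmware, EFI, SMC); the pattern, and the sample softwareupdate output embedded for demonstration, are assumptions rather than output captured from a real Mac.

```shell
#!/bin/sh
# Added example, not the original extension attribute: classify the entry
# lines of "softwareupdate -l" into firmware and non-firmware updates so the
# same script can feed both an "Available FWUs" and an "Available SWUs"
# attribute. The terms match the post (firmware, EFI, SMC); the pattern and
# the sample output below are assumptions, not captured from a real Mac.
FW_PATTERN='firmware|efi|smc'

# Read softwareupdate output on stdin and print "fw=<n> other=<m>".
# Only entry lines (starting with "*") are counted, so a description line
# that happens to mention firmware does not inflate the count.
classify_updates() {
    awk -v pat="$FW_PATTERN" '
        /^[[:space:]]*\*/ { if (tolower($0) ~ pat) fw++; else other++ }
        END { printf "fw=%d other=%d\n", fw, other }'
}

# Firmware count alone, in the form the extension attribute needs.
fw_count() {
    classify_updates | sed 's/^fw=\([0-9]*\).*/\1/'
}

# Constructed sample in the 10.5/10.6 "softwareupdate -l" layout.
SAMPLE='Software Update Tool
Copyright 2002-2009 Apple

Software Update found the following new or updated software:
   * ExampleEFIUpdate-1.0
	Example EFI Firmware Update (1.0), 3700K [recommended] [restart]
   * ExampleApp-2.1
	Example App (2.1), 85000K [recommended]
   * ExampleSMCUpdate-1.2
	Example SMC Firmware Update (1.2), 300K [recommended] [restart]'

printf '%s\n' "$SAMPLE" | classify_updates          # fw=2 other=1
# For the live attribute replace the sample with the real command; on some
# releases softwareupdate writes part of its output to stderr, so merge it:
#   echo "<result>$(softwareupdate -l 2>&1 | fw_count)</result>"
echo "<result>$(printf '%s\n' "$SAMPLE" | fw_count)</result>"
```

Counting only the "*" lines is what makes the result an update count rather than a line count; newer releases still begin each entry with "*" (as "* Label: ..."), so the same filter applies, but re-check the pattern whenever Apple renames a firmware update family.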

I hope this is helpful!

Note: Recent Apple firmware updates haven’t been requiring manual interaction.  This process may not be needed if your environment consists solely of new hardware.

Reprint: Extending the Casper Suite with Dummy Packages

Questions about this article have come up in conversations with other Mac sysadmins.  As the reprint rights have since reverted back to me, I’m glad to share the content.

This content is copyright © 2009 by Miles A. Leacy IV.  Permission is granted to redistribute the article in its unaltered form.

Download the article at the link below (opens in a new window):

https://drive.google.com/open?id=1Qax-mKcTWgBnu9IANZGORyaiLDG65VV1

A few notes:

  • The Dummy Package/Dummy Receipt workflow is no longer necessary as of Casper Suite version 7.  Extension Attributes provide the same functionality in a much more usable (not to mention supported) fashion.
  • The script contained in the article can be altered to be used in an Extension Attribute. This will be covered in a follow up post on this site.
  • You may want to add terms other than “Firmware” to the script, such as “SMC”, “EFI”, etc., to cover all known firmware updates.

I hope some of you will find this article useful.

Managing Spotlight

The long hiatus is over, and The Mac Admin is back.  Here’s a short item to get started with…

Recently, I had been experiencing some frustration as my Spotlight results weren’t including items I’d expected, such as applications when my search term was the correctly spelled application title.  The solution to this is to reset Spotlight’s cache, causing it to be rebuilt.

The command used is mdutil.  From the man page, mdutil’s purpose is to “manage the metadata stores used by Spotlight”.  Note that mdutil requires root privileges, so sudo is needed unless you are already root.  I used the command below to fix my own Spotlight problems.

mdutil -E /

The -E flag erases the Spotlight index on the volume(s) specified.  In this case, only the root, or booted, volume is specified, represented by the “/” character.  Spotlight rebuilds the index afterwards, which can take a while and load the disk noticeably on a large volume, so do it when the machine is not busy; mdutil -s <volume> reports whether indexing is enabled for a volume.  By adding the “a” flag and omitting the volume specification, the command will erase the indexes on all volumes, like so…

mdutil -Ea

The “i” flag can be used to turn indexing on or off for the specified volumes.  For example, let’s say I have a flash drive volume called myFlashDrive. If I want to remove the existing cache and prevent Spotlight from creating a new one, I can run the following command…

mdutil -E -i off /Volumes/myFlashDrive

I hope this is helpful.

NSA Security Recommendations Part 1

The United States National Security Agency has published a pamphlet titled Hardening Tips for the Default Installation of Mac OS X 10.5 “Leopard”.  I consider many of these tips to be no-brainers, some to be best practices, and the rest to have variable value depending on your organization’s requirements.  This article is the first of a series in which I’ll examine each of these tips, show how to automate its implementation, and discuss any caveats.

Note: The NSA document, and therefore this series of articles, refer specifically to Mac OS X version 10.5 (Leopard). The ideas and techniques should transfer to 10.6 (Snow Leopard), but be sure to test carefully before putting into production. I will discuss any changes required to implement each recommendation in 10.6.


Don’t Surf or Read Mail using Admin Account

This falls into the “no-brainer” category.  I firmly believe that in an organization where the end user does not own his or her computer, there is no reason for that user to have administrative rights on the system.  For every so-called valid reason to grant administrative permission that I have encountered, there is a workaround that can give the user the ability to do their job without granting admin rights.  If you find yourself fighting against an organizational culture that wants admin rights for end users, you can counter with this statement:


“If end users have administrative rights, no IT group can make any guarantees or reliably satisfy any SLA regarding the performance, security or continued operability of the systems in question.”


Put simply, if unqualified people can mess with the works, then all bets are off.


Since this is not a technical procedure, the concept holds true for Snow Leopard, all other versions of Mac OS X, and any other OS as well.
If you believe you have a valid reason to grant administrative privileges to end users or your organization is forcing you to grant those privileges for a particular reason or reasons, please leave a comment. I’ll do my best to describe a solution to the given problem without granting administrative rights.

Script: Enable Remote Management (ARD)

Here’s another script for zero-touch deployment. If you want to enable Remote Management for Apple Remote Desktop access, this script will get you there.

This script uses the kickstart command which is buried within the ARDAgent application. Entering the following command in Terminal will display the full listing of options and examples available with this tool.

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart help

I have most commonly enabled the Remote Management service, granted all privileges to a single local admin user used by IT staff, and restarted the agent and menu extra so that the agent reads the new configuration. The script below accomplishes these items. Reviewing the kickstart help will give you the syntax to write your own script for other Remote Management configurations. Keep in mind that -privs -all gives the named account complete control of the machine over ARD: grant it only to the IT account, make sure access is limited to specified users rather than all users (kickstart's -allowAccessFor option controls this), and treat that account's password as you would a root password.

#!/bin/bash

##### HEADER BEGINS #####
# scr_sys_enableARDforAdminUser.bash
#
# Created 20081231 by Miles A. Leacy IV
# miles.leacy@themacadmin.com
# Modified 20090812 by Miles A. Leacy IV
# Copyright 2009 Miles A. Leacy IV
#
# This script may be copied and distributed freely as long as this header
# remains intact.
#
# This script is provided "as is". The author offers no warranty or
# guarantee of any kind.
# Use of this script is at your own risk. The author takes no responsibility
# for loss of use,
# loss of data, loss of job, loss of socks, the onset of armageddon, or any
# other negative effects.
#
# Test thoroughly in a lab environment before use on production systems.
# When you think it's ok, test again. When you're certain it's ok, test
# twice more.
#
# This script:
# - enables the Remote Management service (ARD)
# - grants access and all privileges to the user "admin"
# - restarts the ARD agent and the ARD menu extra
#
# This script must be run as root (done automatically when deployed with
# the Casper Suite).
#
# When using the script with a Casper Suite configuration for imaging,
# set it to run At Reboot.
#
##### HEADER ENDS #####

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users admin -privs -all -restart -agent -menu

Script: Set Mac OS X Server Serial Number

Continuing with the concept of automated server deployment, here is a small script that changes the serial number in a Mac OS X Server installation.

A server system that has been deployed via disk imaging or automated deployment systems will boot, but to use the server features, a valid and unique serial number must be entered.  Luckily, Apple provides a command line utility to set the serial number.

The script, as written, is intended for use with The Casper Suite.  Replacing $4 with a static value or using another method of passing a value would be necessary if you are not using The Casper Suite.

#!/bin/bash

##### HEADER BEGINS #####
# scr_sys_setServerSerial.bash
#
# Created 20081231 by Miles A. Leacy IV
# miles.leacy@themacadmin.com
# Modified 20081231 by Miles A. Leacy IV
# Copyright 2008 Miles A. Leacy IV
#
# This script may be copied and distributed freely as long as this header
# remains intact.
#
# This script is provided "as is".  The author offers no warranty or
# guarantee of any kind.
# Use of this script is at your own risk.  The author takes no responsibility
# for loss of use,
# loss of data, loss of job, loss of socks, the onset of armageddon, or any
# other negative effects.
#
# Test thoroughly in a lab environment before use on production systems.
# When you think it's ok, test again.  When you're certain it's ok, test
# twice more.
#
# This script sets a Mac OS X Server installation's serial number to the value
# provided in $4 by Casper.
# Run as an "at reboot" script when imaging with Casper, making sure to
# double-check the serial in the script parameters before imaging.
#
##### HEADER ENDS #####

# Change serial to $4 from JSS. Stop first if the parameter is empty, so an
# unset or mistyped script parameter is caught before serversetup is called.
if [ -z "$4" ]; then
	echo "No serial number supplied in script parameter 4." >&2
	exit 1
fi

/System/Library/ServerSetup/serversetup -setServerSerialNumber "$4"

exit 0


Timed Automatic Shutdown With Notification and Client Opt-out


I was recently confronted with a scenario…

  • Client Macs are required to shut down or restart daily at a predetermined time.
  • Clients who are still working at this time should be able to opt out of the shut down.
  • If a client opts out, the event should be cancelled and not recur until the following day.

I solved this problem with a shell script that uses osascript to display the GUI dialog.  The script can be delivered via a policy using The Casper Suite, or by creating a launchd item.  Two things to keep in mind when deploying it: the script runs as root and executes whatever command string is stored in $shutdownAction, so the script file (and any launchd plist that points at it) must be owned by root and not writable by other users, otherwise an ordinary user can turn the nightly job into a root shell; and the dialog is drawn in the console user's session, so run the script from a context that can reach the GUI (a policy or launchd job that fires while a user is logged in) and test it on the OS releases you support rather than assuming a root daemon can always post dialogs.

Note that Casper Suite users can declare parameter variables ($4 and up) instead of static values if they wish to handle variable assignment through the Casper Suite.

The script follows…

#!/bin/sh

##### HEADER BEGINS #####
# timedForcedShutdown.sh
#
# Created 20050508 by Miles A. Leacy IV
# miles.leacy@themacadmin.com
# Last modified 20050508 by Miles A. Leacy IV
# Copyright 2009 Miles A. Leacy IV
#
# This script may be copied and distributed freely
# as long as this header remains intact.
#
# This script is provided "as is".  The author offers no warranty
# or guarantee of any kind.
# Use of this script is at your own risk.  The author takes no
# responsibility for loss of use, loss of data, loss of job,
# loss of socks, the onset of armageddon, or any other
# negative effects.
#
# Test thoroughly in a lab environment before use on production systems.
# When you think it's ok, test again.  When you're certain it's ok,
# test twice more.
#
# This script will help to enforce a mandatory reboot or shut down.
#
# If no console user is logged in, the script will execute the command
# stored in the $shutdownAction variable.
#
# If a console user is logged in, a dialog is displayed informing the user
# of the number of minutes until shutdown followed by a configurable
# message stored in $notificationMessage.  The dialog contains two buttons.
#
# Clicking the "Postpone" button will cancel shutdown/reboot.
#
# Clicking the "Shut Down" button will execute the command
# stored in the $shutdownAction variable.
#
###########

###########
# Declare Variables
# Edit this section to change the script parameters
###########

minutesN=30
# Number of minutes to count down before shutdown

shutdownAction="echo The system would shut down now."
# The default echo command above is for testing purposes.
# Change to "shutdown -r now" to reboot
# Change to "shutdown -h now" to shut down

notificationMessage="Please save any files you are working on.\n\nClick Shut Down to shut down immediately.\nClick Postpone to postpone shut down until tomorrow evening."
# This message will appear in the initial dialog box following
# "This computer is scheduled to $shutdownPhrase in $minutesN minutes."
# The \n sequences are passed through to AppleScript, which renders them
# as line breaks in the dialog.

shutdownPhrase="Shut Down"
# This variable should contain either "Shut Down" or "Restart"
# depending on the value of $shutdownAction.  This string will appear
# in the dialog and will determine the name of the button that causes
# $shutdownAction to be executed.

postponeAlert="Automatic shutdown has been postponed until tomorrow."

###########
# Script Body
# Do not edit below this line
###########

# If no user is logged in at the console, shut down immediately and stop.
consoleUser=`/usr/bin/w | grep console | awk '{print $1}'`
if test "$consoleUser" = ""; then
	$shutdownAction
	exit 0
fi

timedShutdown() {
# Show the countdown dialog, re-displaying it every 60 seconds until the user
# chooses a button or the time runs out. $button receives the button name, or
# an empty string if the countdown expired without a choice.
button=$(/usr/bin/osascript << EOT
tell application "System Events"
	activate
	set shutdowndate to (current date) + ($minutesN * minutes)
	set choice to ""
	repeat
		-- Subtracting two dates gives the difference in seconds, so month
		-- and year boundaries are handled without any day arithmetic.
		set secondsleft to shutdowndate - (current date)
		if secondsleft is less than or equal to 0 then exit repeat
		set totalminutesleft to round (secondsleft / 60)
		if totalminutesleft is less than 2 then
			set timeUnit to "minute"
		else
			set timeUnit to "minutes"
		end if
		display dialog "This computer is scheduled to $shutdownPhrase in " & totalminutesleft & " " & timeUnit & ". $notificationMessage" giving up after 60 buttons {"Postpone", "$shutdownPhrase"} default button "$shutdownPhrase"
		set choice to button returned of result
		-- An empty button name means the dialog gave up; show it again.
		if choice is not "" then exit repeat
	end repeat
end tell
return choice
EOT
)
if test "$button" = "Postpone"; then
	/usr/bin/osascript << EOT
tell application "System Events"
	activate
	display alert "$postponeAlert" as warning buttons {"I understand"} default button "I understand"
end tell
EOT
	exit 0
else
	# Either the user chose to shut down now or the countdown ran out.
	$shutdownAction
	exit 0
fi
}

timedShutdown
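For the launchd route mentioned above, here is an added example (not part of the original post) that writes and loads a LaunchDaemon running timedForcedShutdown.sh once a day at a fixed time, and sets the ownership and permissions launchd requires. The label, the install path of the script and the default time (19:00) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: write and load a LaunchDaemon
# that runs timedForcedShutdown.sh once a day at a fixed time, the "launchd
# item" alternative to a Casper policy. The label, the install path of the
# script and the default time (19:00) are assumptions.
LABEL="com.example.timedshutdown"
SCRIPT="/usr/local/sbin/timedForcedShutdown.sh"

# Reject anything that is not a valid 24-hour clock time.
valid_time() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 23 ] && [ "$2" -le 59 ]
}

# Print the plist for a daily StartCalendarInterval at hour:minute.
# Leading zeros are stripped so the plist carries plain integers.
shutdown_plist() {
    hour=$(printf '%s' "$1" | sed 's/^0*\([0-9]\)/\1/')
    minute=$(printf '%s' "$2" | sed 's/^0*\([0-9]\)/\1/')
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>$LABEL</string>
	<key>ProgramArguments</key>
	<array>
		<string>/bin/sh</string>
		<string>$SCRIPT</string>
	</array>
	<key>StartCalendarInterval</key>
	<dict>
		<key>Hour</key>
		<integer>$hour</integer>
		<key>Minute</key>
		<integer>$minute</integer>
	</dict>
</dict>
</plist>
EOF
}

# Install the daemon. launchd refuses to load a plist that is not owned by
# root or is group/world writable; the script gets the same treatment because
# whatever is in it runs as root every evening.
install_shutdown_daemon() {
    hour="$1"; minute="$2"; dest="${3:-/Library/LaunchDaemons/$LABEL.plist}"
    valid_time "$hour" "$minute" || { echo "bad time: $hour:$minute" >&2; return 1; }
    [ -f "$SCRIPT" ] || { echo "missing $SCRIPT" >&2; return 1; }
    shutdown_plist "$hour" "$minute" > "$dest" || return 1
    chown root:wheel "$dest" "$SCRIPT" && chmod 644 "$dest" && chmod 755 "$SCRIPT" || return 1
    launchctl load -w "$dest"
}

# Usage (as root on the target Mac):
#   install_shutdown_daemon 19 0
```

Because the schedule is a daily StartCalendarInterval, a Postpone simply ends tonight's run and the next evening's run happens on its own, which is exactly the "not recur until the following day" requirement. The Minute key is set explicitly; a calendar interval that omits it would fire every minute of the hour.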