Nomenclatural Consistency; RIP Imaging

This post is, in part, a response to Anthony Reimer’s well thought out article on deployment terminology, appearing at AFP548 on 21 May, 2013.

I do agree with a great many of Mr. Reimer’s points.  It is helpful to the profession at large, if we adopt some sensible terminology that is not only consistent, but aligned with Apple’s own lexicon.  After all, this is Apple’s world and we’re just living in it.  It surprises me how often Apple-focused technology professionals, at times even Apple-badged employees, display an ignorance of, or on rare occasions, contempt for Apple’s own established lexicon.

Some words in common use are archaic and should be culled from our collective vocabularies.  The entry for the word “machine” in the Apple Style Guide reads: “Don’t use when you mean computer” (italics Apple’s) and appears thirty times in Mr. Reimer’s article.  In the blue-collar mentality many of us have, “machine” brings about grand romantic illusions of a hardworking sweaty engineer in the bowels of an engine room.  The term also serves to portray the computer as a Victorian engine, whirring and clicking along as it solves a never-ending list of calculations.  This may be a lovely vision if you’re a fan of steampunk, but this vision is far from the reality of the solid-state computers and iOS devices with virtually no moving parts being deployed today.  I bring up this point not to nitpick, but to suggest consistency.  Apple has developed and published its own lexicon.  Why should we ignore that and invent our own terms?  I believe it is far more efficient to use Apple’s terminology whenever applicable and only invent new terms where there is an absence of terminology from Apple.

Another term you’re likely to hear, particularly from sales professionals, is “silos”. A common theme is to draw hard lines of distinction between organizations with terms such as “education”, “enterprise” and “government”.  Why create unnecessary divisive language?  Having worked in and for all of these types of organizations, I can attest that, at least for IT staff, they are purely artificial distinctions and serve only to satisfy the misconceptions and/or egos of the C-level or non-technical management staff.  Computers are computers regardless of whether the goals of the organization using them is to make cheese, cars, laws or to educate children.  Each organization is unique in the set of requirements it lays out for itself, with most organizations assembling their requirements without regard to whether an individual requirement is believed to be an education, enterprise or government item.

The bit of Mr. Reimer’s article that resonates with me the most is the term “customizing”.  I believe that imaging is dead and it’s successor is customizing.  With the prevalence of high-speed networks, Apple Recovery HDs, and advanced management tools such as The Casper Suite and its ilk, that there are few, if any, reasons to ever apply an image to a Mac.  One of the biggest challenges Mac system administrators have historically faced is that of creating a single operating system image or installer that will work on all of their hardware.  Many solutions have been put forth, most of them quite clever, but all sharing the fatal flaw that they are unsupported by Apple.  When you step outside supported models, you cause the proverbial buck to stop with you.  The last thing I suggest doing in any deployment scenario is to make yourself ultimately responsible for malfunctions.  The solution is at once easy and obvious.  Apple ships each computer with a functioning operating system.  Erasing and replacing that operating system is a waste of time.  Using deployment tools, the factory-installed operating system can be configured to meet the organization’s needs.  The only semi-valid argument I have heard against this approach comes from very security-conscious entities claiming that they can’t trust the installation that comes from Apple’s factory.  To these organizations, I ask: Will you be using Apple’s installer to replace the system you’ve erased; and if so, how is that any more secure than the original installation?

You may be thinking that this is all well and good for a new computer, but what about when a computer needs to be repurposed or reassigned?  This is where NetInstall, the Apple Recovery HD, or Internet Recovery if necessary, comes in.  Using Apple’s own installer, the disk can be erased and a fresh operating system, designed and tested by Apple for the hardware in question, can be installed.  Then it’s a matter of customization for the computer’s new intended use.

Custom Paper Sizes

printerIn response to a reader request, here’s how to create custom paper sizes.

This is another item governed by a hidden preference file.  The preference file that governs custom paper sizes is

~/Library/Preferences/com.apple.print.custompapers.plist

This file does not exist until custom paper sizes have been created.  Let’s have a look at the contents of a preference file that defines one custom paper size – 4″ x 6″ borderless paper.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
     <key>4x6 Borderless</key>
     <dict>
          <key>bottom</key>
          <real>0.0</real>
          <key>custom</key>
          <true/>
          <key>height</key>
          <real>432</real>
          <key>id</key>
          <string>4x6 Borderless</string>
          <key>left</key>
          <real>0.0</real>
          <key>name</key>
          <string>4x6 Borderless</string>
          <key>printer</key>
          <string> </string>
          <key>right</key>
          <real>0.0</real>
          <key>top</key>
          <real>0.0</real>
          <key>width</key>
          <real>288</real>
     </dict>
</dict>
</plist>

The first three lines identify the file as an Apple preference file.  The fourth line, “” is a dictionary tag.  Dictionary tags are used as containers for preference keys.  A dictionary is an unordered list of keys, whereas its counterpart – the array, is an ordered list of keys.

The fifth line is the first key in this preference file.  In com.apple.print.custompapers, this key is used to define the custom paper size.  This key’s value, starting on the sixth line is another dictionary containing the details for this custom paper size.  Each key is followed by its value.  See the table below for definitions of each of these keys.

Key Value
bottom Bottom margin, expressed in PostScript points*
custom The value “true” indicates this is a custom setting.
height Paper height, expressed in PostScript points*
id The setting’s identifier
left Left margin, expressed in PostScript points*
name The setting’s name
printer Unknown, possibly used to tie settings to individual printers
right Right margin, expressed in PostScript points*
top Top margin, expressed in PostScript points*
width Paper width, expressed in PostScript points*

*1 inch = 72 PostScript points.  Here are some handy Google search terms: “1 inch postscript point”, “1 centimeter postscript point”.

Crafting a custom paper size dictionary by hand requires a bit of arithmetic to translate the PostScript points to more familiar units and the dictionary syntax can be a bit fiddly for some administrators.  A useful shortcut would be to use the GUI to create the custom paper size entry on a test computer, then harvest the dictionary from the resulting preference file.  Once you have the dictionary, you could use it in a Configuration Profile or Managed Preference.

Cleaner Security Scripting

terminalIn previous articles, we have discussed making changes to the /etc/authorization file, also known as the authorization policy database or authorization database, using text editors.  Apple has a tool in Mac OS X that is specifically designed for that purpose.  /usr/bin/security, in addition to a multitude of other uses, security has a command called authorizationdb that allows for edits to the authorization database.

The authorizationdb command has three options, read, write and delete.  These function in much the same way as the defaults command is used to edit preference files.  Let’s use the previous article on setting DVD region codes as an example.  In that article, we discussed how to enable any user to set the initial DVD region code, but still require an administrative user to change the code once set.

To read the current authorization rule, we’ll use this command…

/usr/bin/security authorizationdb read system.device.dvd.setregion.initial

…which gives us the following output…

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
     <key>class</key>
     <string>user</string>
     <key>comment</key>
     <string>Used by the DVD player to set the region code the first time. Note that changing the region code after it has been set requires a different right (system.device.dvd.setregion.change).</string>
     <key>default-button</key>
     <dict>
          <key>en</key>
          <string>Set</string>
     </dict>
     <key>default-prompt</key>
     <dict>
          <key>en</key>
          <string>__APPNAME__ is trying to set the DVD region code for the first time.</string>
     </dict>
     <key>group</key>
     <string>admin</string>
     <key>shared</key>
     <true/>
</dict>
</plist>

Notes: Non-English strings in the default-button and default-prompt dictionaries have been removed for brevity.

The boldface “class” key and its value (emphasis mine) are the operative values that we are working with.  Using the write option for the authorizationdb command, we can make the same change described in the previous article, allowing any user to set the initial DVD region code, with a one-line script.

/usr/bin/security authorizationdb write system.device.dvd.setregion.initial allow

After running this command, if we read the contents of the system.device.dvd.setregion.initial key again using /usr/bin/security authorizationdb read system.device.dvd.setregion.initial, we now receive the following output…

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
     <key>rule</key>
     <string>allow</string>
</dict>
</plist>

Not only does /usr/bin/security simplify editing the authorization database, it also results in a cleaner entry.

I hope this is useful.

Mounting the EFI Boot Partition on Mac OS X

terminalHere’s the answer to another reader request…

According to WIkipedia, “On Apple–Intel architecture Macintosh computers, the EFI partition is initially blank and not used for booting. However, the EFI partition is used as a staging area for firmware updates.”  When people look to create non-standard boot environments or attempt to build a hackintosh, the first step is often mounting and modifying the EFI boot partition.  Before you read any further, take note: altering your EFI boot partition is not supported by Apple and The Mac Admin takes no responsibility if you render your computer(s) unbootable by mounting and modifying this partition.

To mount an EFI boot partition, follow these steps:

1. Discover the volume identifier for your EFI boot partition.

Run this command:

diskutil list

The output should look something like this:

/dev/disk0
 #: TYPE                     NAME          SIZE       IDENTIFIER
 0: GUID_partition_scheme                  *251.0 GB  disk0
 1: EFI                                    209.7 MB   disk0s1
 2: Apple_HFS                Macintosh HD  250.1 GB   disk0s2
 3: Apple_Boot               Recovery HD   650.0 MB   disk0s3

 

In this case, the volume identifier of the EFI partition is disk0s1

2. Create a mount point.

A mount point is a directory where a non-booted volume is mounted.  On Mac OS X, mount points are typically created in /Volumes.  We can create a directory called efi within /Volumes by running the following command:

mkdir /Volumes/efi

 

3. Mount the EFI partition at the efi mount point.

Run the command:

sudo mount -t msdos /dev/disk0s1 /Volumes/efi

 

That’s it.  Your EFI volume will be mounted.  Modify it at your own risk.

Restoring a Locked iOS Device

iPhone4If you work with, support, or own iOS devices (iPhone, iPad, iPod Touch), you probably have or will encounter a situation where you have a locked device but have lost, forgotten or never knew the passcode.

Using Device Firmware Update (DFU) mode, you can get the device back to a factory state.  This will wipe all of the data on the device, but  from there, you can restore a backup or set it up as a new device.

Here’s the procedure:

  1. Plug the device into a computer that has an iTunes installation.
  2. Launch iTunes.
  3. Press and hold the Power button and the Home button at the same time.
  4. Hold both buttons for 10 seconds
  5. After 10 seconds, release the Power button but continue to hold the Home button.
  6. iTunes will display a dialog stating that it has detected a device in recovery mode, giving you the option to restore the device.

In DFU mode, the device’s screen will remain completely black. If you see the Apple logo, the device has simply rebooted.  Repeat the steps above and be careful with the timing on steps 4 and 5.

Setting A Default Paper Size

printerThis post is in response to a reader request.

In Mac OS X, the default paper size is a setting that determines the size of paper that applications will try to print to unless the user chooses otherwise. For most systems and applications this defaults to US Letter.  In order to provide a positive user experience, especially for end users outside of the United States, it may be desirable to set a different default paper size.

The file that contains this preference is:
~/Library/Preferences/com.apple.print.PrintingPrefs.plist

This makes the preference domain: com.apple.print.PrintingPrefs

The Key that governs the preference is called : DefaultPaperID

DefaultPaperID contains a string value that corresponds to a paper size. See the chart below:

Paper Size String
US Legal na-legal
US Letter na-letter
A4 iso-a4
A5 iso-a5
JIS B5 jis-b5
B5 iso-b5
Envelope #10 na-number-10-envelope
Envelope DL iso-designated-long-envelope
Tabloid tabloid
A3 iso-a3
Tabloid Oversize arch-b
ROC 16K roc16k
Envelope Choukei 3 cho-3-envelope
Super B/A3 arch-b-extra

To set this preference with a script use the command below, replacing with the correct string for the intended paper size.

For a single user, run as the user:
defaults write ~/Library/Preferences/com.apple.print.PrintingPrefs DefaultPaperID

For all users, run as root:
defaults write /Library/Preferences/com.apple.print.PrintingPrefs DefaultPaperID

This process has been tested on Mac OS X v10.6 (Snow Leopard), v10.7 (Lion) and v10.8 (Mountain Lion).

I hope you find this useful.

Lock It Down

securityIn the previous article, we discussed the consumerized model of IT.  Now let’s have a look at a locked down model, and some guidelines that will help maintain sanity both for the IT group and the user community at large.

Why Lock Down?

After considering the consumerized model, one might think that it sounds so progressive & cost effective that no one should bother locking down computers any more.  Well, no solution is one-size-fits-all.  If there is an existing user community accustomed to a certain level of support and management, or if there are legal requirements to satisfy, we can’t simply board up the help desk and redirect the support line to the nearest Genius Bar.

By far, I see legal requirements as the most common and important reason to maintain a locked-down environment.  Legislation such as SOX & HIPAA, and standards such as PCI all place limits on how certain computer systems are allowed to operate.

In some organizations, it may be important to remove distractions and potential wrong turns in workflows.  There are still plenty of computer illiterate people in the workforce.  If these folks dominate an organization, it may be wise to limit the damage they can do through a series of electronically-enforced policies and restrictions.

No Admins

When implementing a locked-down model, I believe in one cardinal rule: In a locked-down environment no user outside the IT team should have administrative privileges.

If  this rule is broken, the environment is no longer locked down.  Administrative privileges are the keys to the proverbial kingdom.  A user with administrative privileges can change or remove any or all enforced settings, add or remove software as they see fit, and disable reporting to any inventory or compliance systems.  In short, IT cannot maintain any sort of Support Level Agreements or ensure compliance if the users have administrative privileges.

Even within the IT team, administrative privileges should be used only when necessary, meaning that IT staffers should be using non-admin accounts to do their routine work but have the means to elevate their access when needed and within carefully considered limits to balance security, accountability and efficiency.  An IT team that operates with administrative rights will usually have no idea of the issues faced by the typical non-admin user.  In addition, IT staffers are people too, and as such are prone to mistakes and bad judgement just like the rest of us.  Detailed and strict processes help to mitigate human error.

IT departments often face political pressure or directives from superiors to make exceptions to a “no-admins” policy.  If you find yourself in this position, I recommend preparing a cost-benefit analysis for your superior(s).  This report should include things like  data loss, lost productivity, support costs, and the costs of lost opportunities.  I have always felt that it is part of the job of an IT staff to let management and the business know when they’re trying to do something detrimental.  It is more desirable and generally less costly to prevent problems than fix them after the fact.  When an employer asks for something dumb, it’s a good idea to tell them it’s dumb and why it’s dumb in a quantifiable (and tactful) fashion.  If they still insist on the dumb thing, they can’t blame you for not doing your due diligence and informing them of the pitfalls.

When Not To Lock Down: Social Issues

Technology is often called upon to solve social issues.  I see this as a waste of time and resources as well as an unnecessary restriction of user capabilities.  Rather than limit everyone for fear that someone may misbehave, I feel it is much more productive to only punish the miscreant if misbehavior occurs.  There are many reasons to lock down computers and their functions, but in this sysadmin’s opinion, solving social issues should never be one of them.

Another Mac sysadmin once said “you can’t teach a backpack not to carry a Playboy” in response to a request to ensure that “naughty pictures” couldn’t appear on a school’s computers.  If little Bobby is caught with a Playboy in his backpack, it is confiscated, he’s sent to the principal’s office and Bobby is given the prescribed punishment, all because Bobby has misbehaved.  If however, Bobby accesses similar material in a computer lab, the IT staff ends up taking much of the blame because it happened on a computer, even though it’s still Bobby that misbehaved.  Misbehavior is still misbehavior whether it involves a computer or not.  If little Bobby is looking at naughty pictures in school, that is a disciplinary issue to dealt with accordingly.  Similarly, if Sally in accounting is playing solitaire all day and not doing her work, then Sally’s boss needs to have a chat with her and/or start looking for a new Sally. Technology is a moving target and users, especially children, are very resourceful and have nothing but time on their hands.  An IT staff that tries to manage social issues with technology will find themselves fighting a battle that is impossible to win.

Only Lock What Is Necessary

Heavy handed restrictions are the most likely to be circumvented.  I have been to offices where end users have very expensive company-supplied computers on their desks but never use them because they find the draconian restrictions imposed by an overzealous IT staff make the systems unusable.  These employees end up bringing their own laptops to work, thus creating a de-facto Bring-Your-Own model that the IT group has absolutely no control over, and often no knowledge of.

Each restriction that is not legally or contractually mandated should be carefully examined to determine if it is actually necessary.  What risks are being mitigated, and what are the potential impacts on user productivity?  Does the potential risk outweigh lost productivity and/or user dissatisfaction?  Unless the answer to that last question is yes, the restriction shouldn’t be implemented.

I hope these ideas will help make your restrictions more sensible and useful.