Wednesday 7 December 2016

Set Password policy for specific users or groups in MacOS 10.10+

Working in a SEN (Special Educational Needs) School with a single user directory has its issues...

Some of our pupils need very simple login credentials while staff still need to be locked down. Server.app's one-size-fits-all approach to password policy really doesn't work for us in this respect but there is a work around.

From 10.10 onwards, pwpolicy deprecated a whole bunch of commands and introduced an XML-based system for managing password policies called 'accountpolicies'.  The best place to start on these is..

man pwpolicy

The guidance is rather patchy and there is no clear explanation of all the possible policy parameters, but we can set the global policy in the Server.app GUI, export the settings we want, then apply them via the command line or a script to specific users or groups.  This works equally well for Local Users AND Local Network Users (Open Directory) accounts.

So start like this..

  1. Install Server.app on a client machine
  2. Open Server.app
  3. Click on Users in the left-hand pane
  4. Select either Local Users or Local Network Users from the drop-down (either works just the same; they are interchangeable).
  5. Click the cog at the bottom and choose 'Edit Password Policy' 
  6. Choose your preferred policy options
  7. Click OK

Now that we've set the options we want for all accounts, we can extract a plist (XML file) with the raw settings using the terminal.

If you set your policy in Server.app for Local users enter the following: -
sudo pwpolicy -getaccountpolicies > MyPolicies.xml

..or if you set them for Local Network Users enter: -
sudo pwpolicy -a  -p  -u  -getaccountpolicies > MyPolicies.xml

Great!  You should now have a plist containing all the policies you want to apply to specific users.  You can now turn off the global policy you set back in Server.app by unticking all the boxes, or from the command line enter: -

For Local Users...
sudo pwpolicy -clearaccountpolicies

For Local Network Users..
sudo pwpolicy -a  -p  -clearaccountpolicies

Now, applying this policy to a user is just as straightforward: -

For Local Users...
sudo pwpolicy -u -setaccountpolicies /path/to/MyPolicies.xml

For Local Network Users..
sudo pwpolicy -a  -p  -u   -setaccountpolicies /path/to/MyPolicies.xml

For bonus points, here's a script which will apply the policy to a particular user group (eg. staff in my case).
#!/bin/bash
diradminuser=
diradminpw=
group=
pwpolicy=/usr/bin/pwpolicy
policyxml=/path/to/MyPolicies.xml

# Read the group's member list from the local Open Directory node, drop the
# attribute name and put one short name per line.
USERS=$(dscl /LDAPv3/127.0.0.1 -read /Groups/"$group" Member | tr " " "\n" | grep -v "Member:" | sort)

for USER in $USERS; do
  echo "setting policy for user: $USER"
  # Prefix the next line with 'echo' for a dry run that only prints the commands.
  # Passing -p puts the password in the process list; leave it out to be prompted instead.
  "$pwpolicy" -a "$diradminuser" -p "$diradminpw" -u "$USER" -setaccountpolicies "$policyxml"
done
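Once a policy has been applied, it is worth checking what a given account actually ended up with. The following Python script is an added example (not from the original post): it parses the output of `pwpolicy -u <user> -getaccountpolicies` with the standard plistlib module and summarises the policies per category. It assumes the tool prints a status line before the XML, so anything before `<?xml` is skipped; the sample output and policy values below are constructed for the example.

```python
import plistlib

# Constructed sample of `pwpolicy -u <user> -getaccountpolicies` output: the
# status line before the XML and the policy values are made up for this example.
SAMPLE_OUTPUT = """Getting account policies for user staffmember...
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>policyCategoryPasswordContent</key>
  <array><dict>
    <key>policyContent</key><string>policyAttributePassword matches '.{8,}+'</string>
    <key>policyIdentifier</key><string>Minimum of 8 characters</string>
    <key>policyParameters</key><dict><key>minimumLength</key><integer>8</integer></dict>
  </dict></array>
  <key>policyCategoryAuthentication</key>
  <array><dict>
    <key>policyContent</key><string>policyAttributeFailedAuthentications &lt; policyAttributeMaximumFailedAuthentications</string>
    <key>policyIdentifier</key><string>Lock out after 5 failed attempts</string>
    <key>policyParameters</key><dict><key>policyAttributeMaximumFailedAuthentications</key><integer>5</integer></dict>
  </dict></array>
</dict>
</plist>
"""


def parse_account_policies(output):
    """Return the policy dict from pwpolicy output, skipping any text before the XML."""
    start = output.find("<?xml")
    if start < 0:
        raise ValueError("no plist found in pwpolicy output")
    return plistlib.loads(output[start:].encode("utf-8"))


def summarize(policies):
    """One (category, identifier, parameters) tuple per policy, for a quick audit."""
    rows = []
    for category, entries in sorted(policies.items()):
        for entry in entries:
            rows.append((category.replace("policyCategory", ""),
                         entry.get("policyIdentifier", "?"),
                         dict(entry.get("policyParameters", {}))))
    return rows


def minimum_password_length(policies):
    """Smallest minimumLength any PasswordContent policy enforces, or None if none does."""
    lengths = [e["policyParameters"]["minimumLength"]
               for e in policies.get("policyCategoryPasswordContent", [])
               if "minimumLength" in e.get("policyParameters", {})]
    return min(lengths) if lengths else None
```

Feed it the real output (e.g. saved with `sudo pwpolicy -u <user> -getaccountpolicies > user.xml`) and compare the summary for a pupil against that for a staff account to confirm the two really differ.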

Good luck :)

Monday 3 October 2016

Enable Flash Player for all sites in Mac OS Safari via the command-line / script

A little script that enables Adobe Flash Player for Safari on MacOS on all sites.  Useful for managed computers.

#!/bin/bash
# Run as the user whose Safari preferences should change (not via sudo, which
# would write root's preferences instead). The value is an old-style plist dictionary.
defaults write com.apple.Safari ManagedPlugInPolicies '{
    "com.macromedia.Flash Player.plugin" = {
        PlugInDisallowPromptBeforeUseDialog = 1;
        PlugInFirstVisitPolicy = PlugInPolicyAllowWithSecurityRestrictions;
        PlugInHostnamePolicies = (
            {
                PlugInHostname = "www.adobe.com";
                PlugInIsFreshlyExpired = 0;
                PlugInPageURL = "http://www.adobe.com/uk/software/flash/about/";
                PlugInPolicy = PlugInPolicyAllowWithSecurityRestrictions;
                PlugInRunUnsandboxed = 1;
            }
        );
        PlugInRunUnsandboxedOnFirstVisit = 1;
    };
}'
exit 0
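Because this setting lets the plug-in run unsandboxed on every site, managed machines should be audited for it. The Python script below is an added example (not part of the original post) that reads a Safari preferences plist, for instance the XML that `defaults export com.apple.Safari -` prints, and reports plug-ins allowed on first visit to any site or allowed to run unsandboxed; the sample plist is constructed to match the script above.

```python
import plistlib

# Constructed sample of a Safari preferences plist after the script above has
# run (the same keys and values, wrapped in an XML plist); nothing here is real data.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>ManagedPlugInPolicies</key>
  <dict>
    <key>com.macromedia.Flash Player.plugin</key>
    <dict>
      <key>PlugInFirstVisitPolicy</key><string>PlugInPolicyAllowWithSecurityRestrictions</string>
      <key>PlugInRunUnsandboxedOnFirstVisit</key><integer>1</integer>
      <key>PlugInHostnamePolicies</key>
      <array><dict>
        <key>PlugInHostname</key><string>www.adobe.com</string>
        <key>PlugInPolicy</key><string>PlugInPolicyAllowWithSecurityRestrictions</string>
        <key>PlugInRunUnsandboxed</key><integer>1</integer>
      </dict></array>
    </dict>
  </dict>
</dict>
</plist>
"""


def plugin_findings(plist_bytes):
    """Return (plugin, scope, issue) tuples; scope '*' means the setting applies to every site."""
    prefs = plistlib.loads(plist_bytes)
    findings = []
    for plugin, policy in prefs.get("ManagedPlugInPolicies", {}).items():
        # Any PlugInPolicyAllow* first-visit policy enables the plug-in on sites never seen before.
        if str(policy.get("PlugInFirstVisitPolicy", "")).startswith("PlugInPolicyAllow"):
            findings.append((plugin, "*", "allowed on first visit to any site"))
        if policy.get("PlugInRunUnsandboxedOnFirstVisit"):
            findings.append((plugin, "*", "runs unsandboxed on first visit"))
        for host in policy.get("PlugInHostnamePolicies", []):
            if host.get("PlugInRunUnsandboxed"):
                findings.append((plugin, host.get("PlugInHostname", "?"), "runs unsandboxed"))
    return findings
```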

Thursday 28 July 2016

How to Backup and Restore El Capitan Calendar Server (caldav)

With Server 5.1, the socket location to connect to the caldav database changed.

Make sure Calendar Server is switched OFF for this whole procedure....

sudo serveradmin stop calendar

To backup your existing calendar database...

/Applications/Server.app/Contents/ServerRoot/usr/bin/pg_dump -h /var/run/caldavd/PostgresSocket/ -U caldav caldav -c -f ~/Desktop/caldav.sql

To restore it, you may first want to drop the existing database...

sudo dropdb -h /var/run/caldavd/PostgresSocket -U caldav caldav

then create a new one...

sudo createdb -h /var/run/caldavd/PostgresSocket -U caldav caldav

Then import the backup you made at the start....

sudo psql -h /var/run/caldavd/PostgresSocket -U caldav caldav -f caldav.sql

Now you can start the service again...

sudo serveradmin start calendar

NOTE: If you receive an error from dropdb about the database being accessed by other users, try this..

Manually connect to psql...

sudo psql -h /var/run/caldavd/PostgresSocket -U caldav caldav

Find and kick all active connections..

-- Terminate every other session connected to the caldav database (not our own).
SELECT pg_terminate_backend(pg_stat_activity.pid)
FROM pg_stat_activity
WHERE pg_stat_activity.datname = 'caldav'
  AND pg_stat_activity.pid <> pg_backend_pid();

Quit PSQL...

\q

Then try the dropdb again...

sudo dropdb -h /var/run/caldavd/PostgresSocket -U caldav caldav

Wednesday 23 September 2015

How to reset Software Update Server on Mac OS 10.10 Yosemite / 10.11 El Capitan

This article briefly details how to reset a misbehaving Software Update Server on Mac OS 10.10 Yosemite or 10.11 El Capitan.  It was tested on server version 5.0.4 but should work on 4.x too.

This can (and for simplicity, probably should) all be done from Terminal.app / command line without touching Server.app GUI.

Firstly, stop the Software Update Service if it's running: -

sudo serveradmin stop swupdate

Next, move the old config files out of the way (but keep them just in case for now).

sudo mv /Library/Server/Software\ Update/Cache  /Library/Server/Software\ Update/Cache.old  
(the server should automatically create a new folder after a few moments)
sudo mv /Library/Server/Software\ Update/Config/swupd.conf /Library/Server/Software\ Update/Config/swupd.conf.old
sudo mv /Library/Server/Software\ Update/Config/swupd.plist /Library/Server/Software\ Update/Config/swupd.plist.old

... and wipe the old logs and cache...

sudo rm /Library/Server/Software\ Update/Log/*
sudo rm /Library/Server/Software\ Update/Cache/*

... and the old data directory where the downloaded updates are stored...

sudo rm /Library/Server/Software\ Update/Data/*

Next, we need to set a couple of things....  Firstly, we need to tell it which port to serve updates on (strangely, it doesn't populate the default port itself).

sudo serveradmin settings swupdate:portToUse = 8088

If you use a custom Data directory for your updates (eg. you put them on a different volume), then make the directory, give ownership to softwareupdate and update the config to point at it...

sudo mkdir /Volumes/myDisk/swupdate
sudo chown -R _softwareupdate:_softwareupdate /Volumes/myDisk/swupdate
sudo serveradmin settings swupdate:updatesDocRoot = "/Volumes/myDisk/swupdate/"

One more thing: depending on the URL your MDM uses to point clients at the server, you may need to create a symlink in the Data html folder so clients can find the software update catalog file (revise the paths as necessary if you moved your data folder somewhere else): -

sudo ln -s /Library/Server/Software\ Update/Data/html/index-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog /Library/Server/Software\ Update/Data/html/index.sucatalog

Ok!  Now fire it back up...

sudo serveradmin start swupdate

Go make a coffee, take a walk or do something fun for a while while it downloads the new catalogues...

After a while, you should have a clean Software Update Server ready to start work, enjoy :)

Thursday 10 September 2015

How to create a bootable Mac OS 10.11 El Capitan Installation USB Flash Drive

This guide quickly shows you how to make a bootable Mac OS 10.11 El Capitan USB installer; it works with the Gold Master candidate just released or the retail version when it ships in mid-September.

1 - Grab a copy of the 'Install OS X El Capitan.app' or the 'Install OS X El Capitan GM Candidate.app' from the App Store.

2 - Insert a blank USB flash drive in to your mac.

3 - Go to Applications > Utilities and open Terminal.app.

4 - Type the following command, all as one line, in to Terminal.app where 'Untitled' is the name of your USB drive.

sudo /Applications/Install\ OS\ X\ El\ Capitan.app/Contents/Resources/createinstallmedia --volume /Volumes/Untitled --applicationpath /Applications/Install\ OS\ X\ El\ Capitan.app --nointeraction

5 - Wait a while and your USB flash drive will be ready.

6 - To boot from your Flash drive, either go to Apple > System Preferences > Startup Disk and select your USB drive, or hold down 'Alt' while booting for the boot device selector screen.

Good Luck!

Thursday 30 July 2015

Tuesday 23 June 2015

Show more Network Users on Login Window on Mac OS X Yosemite

Mac OS 10.10 Yosemite seems to limit the number of displayed network users to around 220.

Fortunately, there is a hidden key which can be set in loginwindow.plist to work around this and increase that number... so here it is :-

sudo defaults write /Library/Preferences/com.apple.loginwindow MaxNetworkUsers -int

For example: -

sudo defaults write /Library/Preferences/com.apple.loginwindow MaxNetworkUsers -int 500

Once you have entered this, reboot and you should see your additional users.