06 Apr GitHub Repo Referenced in Enterprise Mac Admin Book
Overview
Recently, we received our order for the book “Enterprise Mac Administrator’s Guide: Second Edition” written by Charles Edge and William Smith. This book provides detailed explanations of the technology required for large-scale Mac OS X deployments and shows you how to integrate it with other operating systems and applications. It addresses the growing size and spread of Mac OS X deployments in corporations and institutions worldwide. In some cases, this is due to the growth of traditional Mac environments, but for the most part it has to do with organizations instituting device choice and switcher campaigns, where Windows and/or Linux environments are migrating to Mac OS X.
To our surprise, our GitHub repository was listed as a reference in “Chapter 10: Free and Open Sources Tools for Mac Admins” on page 447 of the book.
We are very honored and flattered that the authors felt that it deserved to be referenced along with many other notable MacAdmin tools and resources.
About Our GitHub Repo
We implemented our GitHub repository to meet multiple needs for our group and organization. It allowed our group to share code and ideas with the public, and because we are in an academic setting, a research university, publishing our work is critical. It provides professional development to our team members and motivation to develop code that is well documented, implemented and reviewed outside our internal group. We have had many feature requests and bug fixes from the public that would not have been found or implemented without us sharing on GitHub. GitHub offers all of the distributed revision control and source code management (SCM) functionality of Git as well as adding its own features. Unlike Git, which is strictly a command-line tool, GitHub provides a web-based graphical interface and desktop as well as mobile integration. It also provides access control and several collaboration features such as bug tracking, feature requests, task management, and wikis for every project.
Here is a presentation by a member of our team, Pierce Darragh, providing an overview of GitHub for MacAdmins.
Summary
To help in quickly reviewing our GitHub repository, below is a summary of our repositories, with a brief description of each and how it is implemented in our environment.
802.1x_reconnect
We use 802.1x on our laptops to provide user authentication to our enterprise wireless and directory service. This is our solution to resolve the issue where an 802.1x connection will not automatically reconnect upon wake from sleep. It uses an AppleScript with UI scripting and crankd to detect changes in Wi-Fi. We are actively researching migrating off AppleScript with UI scripting to native frameworks or libraries using Python and PyObjC.
android_imager
We have student checkout Android tablets for which we needed a way to quickly wipe user data and restore the tablets to a default configuration. This repository provided us with this functionality.
archive_manager
In our environment, we create disk images to be used to quickly restore computers to known states. We like to keep backups of these images, sorted by date, but often we would forget to upload new versions to our remote backup server. Eventually we decided to just automate the process, and so Archive Manager was born.
bht_ui_demo
Demonstrates the use of BigHonkingText as a lightweight user interface. BigHonkingText was originally written by Steve Hayman of Apple. It is a tool to display a text message in large letters, e.g. visible from across the room.
cleanup_manager
Cleanup Manager was originally designed to help clean up user home folders on shared, frequently-used machines. We use it in our student labs on stations where we provide temporary storage for user data, such as media editing stations and checkout laptops. Cleanup Manager is also used to manage shared drives that have a tendency to fill up quickly, cleaning up based on age or available volume space, etc.
crappy_app_sandbox_wrapper
“Crappy Apps” are applications with exceptional requirements beyond an average application. For example, a crappy application might have…
- Insecure Permissions
- Require Hardcoded Variables (usernames, paths, etc.)
- Update with Every Launch
- Require Access to Locations We Don’t Want to Provide
- Launched by a Specific User or Group
In most cases we work around crappy app behavior by enclosing the offending application in a disk image, attaching a shadow file to capture file system changes and using an AppleScript to launch the program for the user, allowing us to script around undesirable behavior. We are planning on migrating this to Python and will provide a tool that will automatically build the crappy application container.
display_manager
Display Manager is a solution to programmatically manage display settings like width, height, depth, refresh rate, mirroring, brightness and HDMI underscan. We use this to set default display settings on our fleet of computers and in lab environments we can reset display settings to default for each user session.
firmware_password_manager
The firmware password is one leg of three interlocking methods used to secure Apple computers. The other two are: using strong passwords on user accounts and FileVault to apply full disk encryption (FDE). Firmware Password Manager (FWPM) is a solution for actively managing firmware passwords in enterprise environments.
firmware_version_checker
We found that on our fleet of Macs the firmware updates weren’t always listed in the Software Update database, but we needed to have them installed. To discover the availability of firmware updates we developed this solution, which parses the firmware support website and compares it against the output of Software Update.
inventory_manager
This discovers client- and machine-specific information, such as enterprise property inventory labels, and publishes it to Sassafras KeyServer and NVRAM. We ran into situations where labels would be removed or unreadable, and this provided a solution to programmatically output the information locally and in a central repository.
laptop_lid_closed_update
This was our solution to manage our student checkout laptops off hours, including operating system, software and configuration updates, installation and removal, while the laptops’ lids were closed.
management_tools
A suite of tools to help manage Macs in an enterprise environment, including accessing applications’ information, analyzing mounted filesystems, outputting data to logs, modifying Property Lists, Slack integration, etc.
privacy_services_manager
A solution to manage Location Services, Contacts requests, Accessibility, and iCloud access on Macs in an enterprise environment. It adjusts the values in the various security and privacy databases and allows administrators to grant access to certain applications without the users needing to request permission. This is especially helpful because some services (Location Services, Accessibility) require privileged (root) access to complete the request, and in our environment our users do not have administrative privileges.
radmind_auto_image_creator
We are currently using radmind to manage our OS X clients’ and servers’ file systems. This is our solution to automatically create up-to-date, never-booted images that we can use to quickly re-image the Macs in our enterprise. In the very near future, we will be migrating this solution to use JAMF Software’s Casper Suite to provide the updates to the automated image creation process.
radmind_intermapper_diff
We are currently using radmind to manage our OS X clients’ and servers’ file systems. We are using Intermapper to monitor clients, servers and services. This solution allows us to report back differences between the two systems to keep them up-to-date. In the very near future, we will be migrating this solution to use JAMF Software’s Casper Suite instead of the radmind infrastructure.
sudoers_manager
This is a solution to manage sudoers files in a Mac enterprise environment. It is designed to be able to be run in a fully automated capacity to help systems administrators push out changes to their vast fleets of computers without having to rewrite the sudoers file directly. When used with the appropriate flags, Sudoers Manager will not prompt for any input and will only exit unsuccessfully if the rules given to it are bad and cannot pass a visudo check.
suid_scan
This is a solution that helps system administrators check for files with execute-as bits set (i.e. the SUID and SGID bits). We developed SUID Scan as a frontline, lightweight defense mechanism against the rootpipe security vulnerability. You start with a scan of the machine in a known state, then re-run the scan routinely and compare it against the default-state scan. Any differences can be used to notify the system administrators via email, Slack, etc.
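The baseline-and-compare approach described for suid_scan, as an added example (this is not code from the suid_scan repository; the function names `scan`, `compare` and `demo` and the sample file tree are constructed for illustration):

```python
import json
import os
import stat
import tempfile

def scan(root):
    """Map each regular file under root that has SUID or SGID set to its metadata."""
    found = {}
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            except OSError:
                continue  # vanished or unreadable between listing and stat
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[path] = {"mode": oct(stat.S_IMODE(st.st_mode)),
                               "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}
    return found

def compare(baseline, current):
    """Report execute-as files that appeared, disappeared, or changed metadata."""
    both = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in both if baseline[p] != current[p])}

def demo():
    """Constructed sample tree: baseline scan, two changes, re-scan and diff."""
    with tempfile.TemporaryDirectory() as root:
        def make(name, mode):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
            return path
        known = make("known_helper", 0o4755)   # SUID file present at baseline
        make("ordinary_tool", 0o755)           # no execute-as bit: never reported
        # Persist the baseline as JSON, as a routine job would between runs.
        baseline = json.loads(json.dumps(scan(root)))
        make("dropped", 0o4755)                # new SUID file after the baseline
        os.chmod(known, 0o4775)                # permissions loosened on a known file
        report = compare(baseline, scan(root))
        return {k: [os.path.relpath(p, root) for p in v] for k, v in report.items()}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A non-empty `added` or `changed` list is the signal that would be forwarded to administrators; storing the baseline somewhere the scanned machine cannot rewrite keeps the comparison trustworthy.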