Archive for the ‘Mac’ Category

Xserve RAID and Atto Thunderlink FC 1082 are incompatible if used without an FC switch

Tuesday, April 9th, 2013

We’re running a 2006 Xserve RAID at the university. Our old server was a 2006 Xserve with an Apple 2 Gbit Fibre Channel card. When we recently got a new Mac mini server to replace it, we ordered an Atto Thunderlink FC 1082 to interface with the RAID. The Promise SANLink would have been a possible alternative, but the Thunderlink is capable of 8 Gbit/s, thus future-proofing our investment.

Unfortunately, when I hooked up the Thunderlink straight to the Xserve RAID using an Apple Fibre Channel Copper Cable, neither the Xserve RAID Admin utility nor the Mac mini showed a connection. After some googling around, it appears as if the Xserve RAID is not capable of negotiating links with HBAs that are capable of more than 2 Gbit/s. Turns out Apple also says that you shouldn’t use their 4 Gbit card with the Xserve RAID: HT1769.

Since the RAID has been working fine for quite a while with two HP servers running VMWare ESXi with Qlogic QLE2460 controllers connected through a Qlogic SANbox 5200 2 Gbit FC switch, and I knew the Thunderlink worked with that switch, I simply used an FC Copper Cable between the Thunderlink and the switch and one between the switch and the RAID, configured the zoning, et voilà, the array mounted on the Mac mini.

Fixing Microsoft Office 2011 SP2 Volume licensing

Wednesday, October 3rd, 2012

UPDATE 2012-11-15: The 14.2.5 installer no longer has this weird behavior (it does not include removables.txt files at all, however the postinstall script would still process them if they were there). Since it requires 14.2.3 as a prerequisite, you’ll still need to apply the fix mentioned below to 14.2.3 when chaining updates.

UPDATE 2012-11-30: I just obtained a copy of the 14.2.3 installer ISO from Microsoft VLSC. Copies of Office installed from it (or probably any 14.2.0+ installer ISO) do not exhibit the behavior explained here. The newer installer ships with flat-file Main.nib files that do not get removed by the removables.txt script.

UPDATE 2013-03-13: The 14.3.2 updater again contains a removables.txt which breaks Microsoft Office Setup Assistant.app. If you didn’t replace your installer ISO with a newer version, you will again need to apply the fix mentioned below when installing this update.

When you run Word, Excel, PowerPoint or Outlook 2011, it checks /Library/Preferences/com.microsoft.office.licensing.plist . If that file is not valid (such as after doing a fresh install of Microsoft Office 2011), it launches /Applications/Microsoft Office 2011/Office/Microsoft Office Setup Assistant.app. Microsoft Office Setup Assistant checks whether the DVD from which you installed is a volume licensed copy; if it is, it silently populates that plist and quits (allowing the app you initially started to start up); if it is not, it prompts you for a product key and activation.

If you install from the DVD, launch one of the Office apps to activate the license, quit it and then install all the available updates from Microsoft, everything is fine.

If you update to version 14.2.0, 14.2.1, 14.2.2, 14.2.3, 14.2.4 (or possibly future versions) right after installing from the DVD however, Microsoft Office Setup Assistant.app gets corrupted. This is due to ./Office 2011 14.2.X Update.mpkg/Contents/Packages/Office2011_all_core_14.2.X.combo.pkg/Contents/Resources/removables.txt, which gets run by ./Office 2011 14.2.X Update.mpkg/Contents/Packages/Office2011_all_core_14.2.X.combo.pkg/Contents/Resources/postflight. It deletes the contents of /Applications/Microsoft Office 2011/Office/Microsoft Office Setup Assistant.app/Contents/Resources/XX.lproj/Main.nib (which is a bundle-style NIB), however (unlike probably everything else listed in removables.txt) the update does not contain updated versions of them.

If you’re running an individually-licensed copy of Office 2011, that is no big deal: the Office apps themselves are able to prompt for a license key and activation.

If you’re running a volume licensed copy of Office 2011, you’re in trouble: You now get prompted for a product key by every Office app, which you obviously don’t have.

To fix this situation, you have two options:

1. Copying /Library/Preferences/com.microsoft.office.licensing.plist from a working install. You can do this using your favorite software deployment tool, such as Munki. Please note that importing it as a Managed Preference (MCX) into Workgroup Manager (and probably Profile Manager) does not help. The file needs to be physically present on the client machine.

2. Move Microsoft Office Setup Assistant.app out of the way before updating. You can do this if your software deployment tool supports adding custom pre- and post-install scripts (Munki allows you to do that).

Here’s my pre-install script:

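#!/bin/bash
# Move the Setup Assistant aside so the updater's removables.txt cannot empty its Main.nib bundles.
# If Office is not installed, skip the mv instead of running it in the wrong directory.
cd "/Applications/Microsoft Office 2011/Office" || exit 0
mv "Microsoft Office Setup Assistant.app" "SetupAssistantBackup.app"
exit 0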

And my post-install script:

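#!/bin/bash
# Put the untouched Setup Assistant back under its original name after the update.
# If Office is not installed, skip the mv instead of running it in the wrong directory.
cd "/Applications/Microsoft Office 2011/Office" || exit 0
mv "SetupAssistantBackup.app" "Microsoft Office Setup Assistant.app"
exit 0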

To find out whether you still need to do this on future updates (such as 14.2.5), open the installer package in a tool like Pacifist and check the following:

a) Did they remove the Microsoft Office Setup Assistant.app lines from removables.txt (go to the Resources tab and enter removables.txt into the search box to locate the file)?

b) Does the update contain a new version of Microsoft Office Setup Assistant.app (go to the Package Contents tab and enter setup assistant into the search box to check for its existence)?

If either one is true, Microsoft decided to fix the problem and you no longer need to use my pre-/post-install scripts.

Mac OS X 10.8 Mountain Lion Review

Tuesday, September 11th, 2012

So I finally upgraded to Mountain Lion. I completely skipped over Lion because I didn’t like how Apple was iOS-ifying everything and had just stayed on Snow Leopard until a few days ago. Personally, I think Snow Leopard was the best operating system ever released. It was super stable and had everything you could ask of an operating system. I never really liked Leopard because it never worked 100% stable for me (though it did bring Time Machine and QuickLook, both of which are features I use every day). Tiger was great too back in the days, but if you look at it now, the GUI looks totally inconsistent.

Now that Apple is discontinuing security updates for Snow Leopard and an increasing number of apps requires Lion or newer, I had not much of a choice but to upgrade.

This isn’t a full review of Mountain Lion. If you want to read one, check out John Siracusa’s epic review at Ars Technica. So far my impressions are:

Stability and speed: Mountain Lion is just as stable as Snow Leopard. It is also noticeably more responsive than Snow Leopard. I don’t think this has anything to do with actual speed, but more of a psychological thing: Safari now renders progressively, and many apps already let you interact with them while they’re still starting up (previously they would have been frozen for another second or two while they finished their startup procedure).

iOS-ification: Launchpad is completely useless, but luckily Spotlight and the Dock still work exactly as they always have and will continue to be my preferred way of launching applications.

Auto Save however is outright obnoxious. You can no longer Command-D to hit the “Don’t Save” button when you want to close a window discarding changes. [UPDATE: Can't believe it took me half a year to figure out that Command-Backspace can be used instead as an alternative to the old Command-D.] That window doesn’t even respect NSNavPanelExpandedStateForSaveMode (i.e. clicking the disclosure triangle is not persistent). “Save as” is now a secondary menu option behind “Duplicate”. iWork and TextEdit now show a file browser upon launch instead of opening a blank document. Save as defaults to iCloud instead of the local hard drive. And there are probably dozens of other things.

Here are some useful defaults commands to make it slightly less painful, but you still can’t completely disable Auto Save. Luckily I spend most of my time in apps that don’t use Auto Save (e.g. Microsoft Office, TextWrangler, TextMate, TeXShop).

defaults write -g NSNavPanelExpandedStateForSaveMode -bool TRUE # always expand open/save dialog
defaults write -g NSDocumentSaveNewDocumentsToCloud -bool FALSE # save locally instead of to iCloud by default

Also, check “Ask to keep changes when closing document” in the General pane in System Preferences.

Hold-to-umlaut is annoying on a full-size keyboard. Luckily you can re-enable key repeat:

defaults write -g ApplePressAndHoldEnabled -bool false # enable key-repeat

FileVault 2 is simple to enable, as secure as software-based full-disk encryption can be (according to several researchers) and has no noticeable performance hit. If you’re using it, you should enable deep sleep, otherwise the disk remains unlocked during sleep:

sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25

One thing that Apple could improve: after waking from deep sleep and entering your password at the EFI screen, that password should also be passed to the screensaver unlock screen (similar to how it’s passed to the loginwindow when booting). (this might be worth filing a bug report)
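The FileVault 2 sleep settings above can be checked after the fact. The following is an added example, not part of the original post: it reads `pmset -g` output and reports whether both values match the command shown. It assumes each setting is printed as a name followed by its value; the function names and sample inputs are constructed for illustration.

```shell
#!/bin/bash
# Added example: audit the two sleep settings the post sets with
#   sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25

# fv_sleep_audit reads `pmset -g` output on stdin, prints one PASS/FAIL line
# per setting and returns 0 only if both have the values from the post.
# Assumption: every setting is printed as "<name> <value>"; names are compared
# case-insensitively because their capitalisation can differ.
fv_sleep_audit() {
    awk '
        { key = tolower($1) }
        key == "hibernatemode"         { val["hibernatemode"] = $2 }
        key == "destroyfvkeyonstandby" { val["destroyfvkeyonstandby"] = $2 }
        END {
            want["hibernatemode"] = "25"         # memory image on disk, RAM powered off
            want["destroyfvkeyonstandby"] = "1"  # FileVault key dropped on standby
            bad = 0
            for (k in want) {
                got = (k in val) ? val[k] : "not set"
                if (got == want[k]) status = "PASS"; else { status = "FAIL"; bad = 1 }
                printf "%s %s: %s (want %s)\n", status, k, got, want[k]
            }
            exit bad
        }'
}

# Constructed sample inputs modelled on `pmset -g` output
# (not captured from a real machine).
sample_hardened() {
    cat <<'EOF'
System-wide power settings:
 DestroyFVKeyOnStandby 1
Currently in use:
 standby              1
 hibernatemode        25
 displaysleep         10
EOF
}

sample_default() {
    cat <<'EOF'
Currently in use:
 standby              1
 hibernatemode        3
 displaysleep         10
EOF
}

# Demo on the constructed default profile; on a Mac run: pmset -g | fv_sleep_audit
sample_default | fv_sleep_audit || echo "=> disk may remain unlocked during sleep"
```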

All of my favorite hidden Dock settings still work:

defaults write com.apple.Dock showhidden -bool YES # make hidden apps transparent
defaults write com.apple.dock no-glass -boolean YES # disable 3D dock
killall Dock

The one thing that doesn’t really work anymore is dragging widgets out of Dashboard after enabling developer mode:

defaults write com.apple.dashboard devmode -bool YES # enable dashboard dev mode
killall Dock

If you uncheck “Show Dashboard as a space” in the Mission Control pane in System Preferences, you can actually drag out the widget, but more often than not, it will just vanish along the way and won’t reappear until you kill the Dock.

Messages: I find it slightly annoying that Messages lists every single phone number and email address in the Show Info screen for every buddy, even if they don’t have iMessage activated. In fact, it even shows them after you disable iMessage in Messages’ preferences. Also, I miss the new message popup in the top right corner of my screen. Now, the only indication of a message received while you were away from your computer is a small number badge on the messages icon and a notification in Notification Center (which you don’t see until you open Notification Center). In fact, it doesn’t even show the message window until you click the icon (which may actually be a bug).

Notification Center is a very nice Growl replacement. I mainly need it for Mail and iChat, so I didn’t even bother installing something like Bark to forward Growl messages to Notification Center.

Full Screen is useless on a multi-screen setup, but running apps in full screen is pointless anyway on all but the smallest screens. Spaces used to be a pretty neat feature to switch between multiple sets of apps. Unfortunately, the old spaces (which you could access using Ctrl plus a number key or Ctrl plus the arrow keys) are gone and the new spaces can only be used to switch between multiple full-screen apps.

Most of my complaints are a matter of getting used to. When upgrading to a new OS, you always gain some things and you lose some things. The only major issue I have is Auto Save. As long as my everyday apps don’t support it, I’ll be happy. Once they do (in Microsoft Office 2015 perhaps), I’ll need to find some way to get around it or get used to it.

Everything else is a reasonable tradeoff for being on the most recent OS version again.

I do remember how much my Windows friends complained six years ago when Vista changed everything they were used to after a decade of Windows 95 thru Windows XP. Or how some of my Linux friends complain about how Gnome 3 is so much worse than Gnome 2.

Installing Apple Remote Desktop 3.6.1 without first installing the boxed version

Sunday, September 9th, 2012

Apple Remote Desktop 3.0 was released in 2006. The current version is 3.6.1, and as such your six year old boxed copy license still entitles you to run it.

ARD has undergone some major changes during that time: most notably, Apple switched it from a Postgres database to an SQLite database, which greatly reduced its memory footprint and made it much more self-contained.

After reinstalling Mac OS X on my computer, I didn’t want to first install my boxed copy (version 3.2) because I didn’t want it to bloat my system with a copy of Postgresql that would get replaced by the update anyway.

After six years, it’s a safe bet that the downloadable Admin Update 3.6.1 does not require any previous version’s files. However, the installer checks for the existence of a previous version before allowing you to select the destination drive. This check can be satisfied by first running

defaults write /Applications/Remote\ Desktop.app/Contents/Info CFBundleShortVersionString -float 3.0

I’d like to point out that it still requires the license key that came in the box when you first run ARD.

Troubleshooting Apple Software Update Server

Saturday, June 23rd, 2012

We are currently in the process of migrating towards a thin imaging approach for the Macs I manage at my university. One of the things we needed was an Apple Software Update Server, which is pretty straightforward to set up using Server Admin. I used Snow Leopard Server 10.6.8 with Lion updates enabled as described in Apple’s KB article.

A command I found extremely useful:

sudo serveradmin settings swupdate | grep "enable = no" | awk -F '=' '{print $1"= yes"}' | sudo serveradmin settings

This command enables all available updates. If you have set SUS to automatically mirror, but not automatically enable, this command saves you from having to click on every single one of the 600 updates to enable it.

A few days after I set up my SUS I was starting to see a bunch of error messages in /var/log/swupd/swupd_syncd_log after starting a sync run using the refresh button below the updates list in Server Admin. I’ll go over them here and explain my fixes:

“Product file URL contains possible security violation.” in log

*** Product file URL contains possible security violation.
*** Product ID: "11D2515_ServerEssentials"; file URL: "http://swcdn.apple.com/content/downloads/10/59/11D2515_ServerEssentials/xajda1v3ycqbtv75fiw5hvosaovu9to9hc/ServerEssentials.dst/041-5774.Italian.dist"
*** Reason: file download path cannot be reached / does not exist.
*** The suspect product file will not be downloaded.

A few Lion updates contain subfolders, which SUS does not create. Simply create those subfolders (mkdir /var/db/swupd/content/downloads/10/59/11D2515_ServerEssentials/xajda1v3ycqbtv75fiw5hvosaovu9to9hc/ServerEssentials.dst; chown _softwareupdate /var/db/swupd/content/downloads/10/59/11D2515_ServerEssentials/xajda1v3ycqbtv75fiw5hvosaovu9to9hc/ServerEssentials.dst) and have SUS recheck for available updates.

[EDIT: The original version of this blog post used curl to download the file, but forgot to chown the folder. Letting SUS download the file itself is the cleaner solution.]

[EDIT 2: This issue is really widespread with the ARD Client 3.6 update, where http://swcdn.apple.com/content/downloads/31/58/041-5433/xt9k9paj5zu8rx258rdccohk236ee77clh/RemoteDesktopClient.dst/041-5433.*.dist fails. This does solve this issue.]
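When many updates are affected, the folders to create can be derived from the log itself. The following is an added example, not part of the original post: it maps each rejected file URL to the local folder SUS expects, using the /var/db/swupd root from the mkdir command above. The function names and the second and third sample entries are constructed for illustration.

```shell
#!/bin/bash
# Added example: list the folders swupd_syncd could not download into,
# derived from the "possible security violation" blocks in swupd_syncd_log.

# Assumption: mirror root as used in the post's mkdir command.
SWUPD_ROOT="${SWUPD_ROOT:-/var/db/swupd}"

# missing_sus_dirs [logfile]
# Reads the log (or stdin) and prints each missing local folder once.
# Only paths below /content/downloads/ without ".." are accepted, so a
# malformed log entry can never point the later mkdir outside the mirror.
missing_sus_dirs() {
    awk -v root="$SWUPD_ROOT" '
        /Product file URL contains possible security violation/ { url = ""; next }
        /file URL: "/ {
            url = $0
            sub(/.*file URL: "/, "", url)   # drop everything before the URL
            sub(/".*/, "", url)             # drop the closing quote
            next
        }
        /Reason: file download path cannot be reached/ && url != "" {
            path = url
            sub("^[a-z]+://[^/]+", "", path)   # strip scheme and host
            sub("/[^/]*$", "", path)           # strip the file name
            if (path ~ "^/content/downloads/" && index(path, "..") == 0 && !seen[path]++)
                print root path
            url = ""
        }
    ' "$@"
}

# Sample log: the first block is the one quoted in the post; the second
# (same folder, other language) and third (path traversal) are constructed.
sample_log() {
    cat <<'EOF'
*** Product file URL contains possible security violation.
*** Product ID: "11D2515_ServerEssentials"; file URL: "http://swcdn.apple.com/content/downloads/10/59/11D2515_ServerEssentials/xajda1v3ycqbtv75fiw5hvosaovu9to9hc/ServerEssentials.dst/041-5774.Italian.dist"
*** Reason: file download path cannot be reached / does not exist.
*** The suspect product file will not be downloaded.
*** Product file URL contains possible security violation.
*** Product ID: "11D2515_ServerEssentials"; file URL: "http://swcdn.apple.com/content/downloads/10/59/11D2515_ServerEssentials/xajda1v3ycqbtv75fiw5hvosaovu9to9hc/ServerEssentials.dst/041-5774.German.dist"
*** Reason: file download path cannot be reached / does not exist.
*** The suspect product file will not be downloaded.
*** Product file URL contains possible security violation.
*** Product ID: "CONSTRUCTED"; file URL: "http://swcdn.apple.com/content/downloads/../../etc/Example.dst/000-0000.English.dist"
*** Reason: file download path cannot be reached / does not exist.
*** The suspect product file will not be downloaded.
EOF
}

# Demo on the sample; on the server run:
#   missing_sus_dirs /var/log/swupd/swupd_syncd_log
sample_log | missing_sus_dirs
```

Each printed folder then gets the mkdir and chown _softwareupdate treatment described above before SUS rechecks for updates.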

“Product XXX-YYYY is no longer available and has no replacement” in log or “*** Missing version string for product XXX-YYYY” in log or “_productId Update” showing up in Server Admin

Your catalog is corrupted. Delete it to have it rebuilt automatically. The following commands help:

sudo serveradmin stop swupdate
cd $(sudo serveradmin settings swupdate:updatesDocRoot | awk -F '"' '{print $2}')/html/content
mv catalogs catalogs.old
sudo serveradmin start swupdate

Extending Active Directory for Mac OS X clients

Tuesday, February 15th, 2011

After I wrote about building your own OpenDirectory server on Linux a while back, I decided to do the same thing on Windows Server 2008 R2. The process of extending the AD schema to include Apple classes and attributes is documented by Apple (this is the Leopard version of the document – if you don’t plan on having exclusively Snow Leopard clients, you can follow the newer version of the document that skips a couple of things that Snow Leopard no longer needs).

But since schema extensions are generally frowned upon in the Windows world because they’re irreversible (why the heck, Microsoft…?), I initially tried a dual-directory (golden triangle, magic triangle) type approach where I’d be augmenting my AD with Apple records coming from an AD LDS (Active Directory Lightweight Directory Services, previously called ADAM, Active Directory User Mode, which is basically a plain LDAP server from Microsoft). While this may sound like a great idea, I just couldn’t get it to work. After dozens of manual schema extensions to AD LDS (Microsoft doesn’t include many standard LDAP attributes, so I had to dig through the dependencies of apple.schema and even tried importing a complete OD schema), I gave up because I could not get Workgroup Manager to authenticate against it to allow me to make changes.

So the next thing to do was follow Apple’s AD schema extension guide (linked above) and do what everybody else did. This was rather straight-forward (managed preferences for users, groups and computers worked right away), but when I tried to create a computer list (which is not possible using Snow Leopard’s Server Admin Tools, but requires Tiger’s (which throw loads of errors on Snow Leopard but still get the job done) since Leopard introduced computer groups which however are not supported by the AD plugin), it just said I didn’t have permission to do that. After enabling DirectoryService debug logging (killall -USR1 DirectoryService && killall -USR2 DirectoryService), I traced it down to Active Directory: Add record CN=Untitled_1,CN=Mac OS X,DC=xxx,DC=zz with FAILED – LDAP Error 19 in /Library/Logs/DirectoryService/*. Apparently, that’s caused by some versions of ADSchemaAnalyzer setting objectClassCategory to 0 instead of 1 on all exported classes. Too bad AD schema extensions are irreversible and that’s one of the attributes you can’t change later on… :-( Well, with AD Schema Management MMC snap-in, I was able to rename the botched apple-computer-list class, defunct it and add a new one using ldifde. With some really wild hacking in the AD Schema using ADSI Editor, I was then able to  eventually get OS X to no longer look at the renamed attribute, but instead at the new one. To see whether you have been successful, killall DirectoryService, wait a few seconds and grep -H computer-list /Library/Preferences/DirectoryService/ActiveDirectory* will show a line indicating which class in the schema it’s using.

Once you’re there, everything should work as expected. If you don’t want to use Tiger’s Workgroup Manager to create old-style computer lists, you can do that in ADSI Editor and create apple-computer-list objects in the CN=Mac OS X branch by hand.

So, attached is the schema ldif that’s exactly the way it should be. I really wonder why Apple doesn’t provide it themselves – it’s going to turn out exactly like that every time you follow their guide on any Windows server… Apple Schema for Active Directory

I guess that the overall conclusion of this should be that AD schema extensions in general and specifically Mac OS X managed clients in AD environments are a nasty hack. I suppose the dual directory/magic triangle/golden triangle approach with a Microsoft AD and an Apple OD would work, but it requires maintaining two separate directories, which may not be that great in a larger environment either.

If Apple discontinues Mac OS X Server at some point in the near future (which the demise of the Xserve and the lack of announcements regarding Mac OS X 10.7 Server alongside Mac OS X Lion suggest), this is definitely something they need to improve. There are some third-party solutions that store MCX settings outside of AD (similar to Windows GPOs, which are stored on the SYSVOL share) such as Thursby ADmitMac – however that’s a rather expensive solution (a dozen client licenses costs about as much as two Mac mini servers) and might break after OS updates (though from what I’ve heard, they’re rather quick at providing updates). If Apple does discontinue Mac OS X Server, they should definitely improve Lion’s AD integration to replicate ADmitMac’s features.

Slim down Final Cut Studio’s Media Content using HFS Compression

Saturday, December 26th, 2009

A full installation of Final Cut Studio 3 with all media content (for Motion, DVD Studio Pro, and Soundtrack Pro Loops) takes up around 40-50 GB of hard drive space.
How about regaining 5-10 GB of precious space by enabling HFS compression for these folders? Since HFS compression is completely transparent, there are no adverse effects to expect (other than browsing the content libraries being almost unnoticeably slower).

To start, you’ll need a command-line tool called afsctool which can compress (and, amongst other features, decompress) folders using HFS compression. The command you’ll need to run is e.g. sudo afsctool -c -l -k -v -i -9 /Library/Application\ Support/Final\ Cut\ Studio. This compresses all files in the given folder using the highest possible compression, verifies its results, prints out the names of files it is unable to compress, and outputs statistics once it’s done.

Some of the folders I compressed:
/Library/Application Support/Final Cut Studio/ (contains Motion and DVD Studio Pro templates): 22.5% compression savings
/Library/Application Support/LiveType/ (contains Motion’s LiveType fonts): 11.4% compression savings
/Library/Application Support/GarageBand/ (contains GarageBand’s instruments and learning-to-play stuff): 14.3% compression savings
/Library/Application Support/iDVD/ (contains iDVD’s themes): 19.5% compression savings
/Library/Audio/Apple Loops/ (contains GarageBand’s and Soundtrack Pro’s loops): 4.1%
/Library/Audio/Impulse Responses/ (contains Soundtrack Pro’s impulse response data): 41.3% compression savings

Looking at the compression savings: everything that contains high-quality video can be compressed by around 20%, while audio which is already heavily compressed only yields around 5%. The most amazing result though is the 40% by which the Impulse Responses were compressed – apparently, these are uncompressed AIFF audio files and thus ideal for compression.

Obviously, your mileage may vary and I’m not responsible if you compress too much and break your system (I’m sure there is a reason why Apple didn’t compress all system files). However, compressing the iLife and Final Cut Studio media content appears safe, I haven’t noticed any unwanted side-effects and it seems well worth trying if you’d like to regain a few gigabytes.

Laptop Theft Tracking Software for Mac OS X

Monday, August 17th, 2009

Over the past 2.5 years or so, I’ve been developing a piece of software that allows tracking a stolen Mac laptop (works for Desktops too, though they are obviously less likely to get stolen).
Once installed on your Mac, it starts contacting my server at regular intervals to check whether it has been armed through a Web GUI. If it is armed, it starts sending screenshots and iSight captures, as well as network information like internal and external IP and available wireless networks, which you can then provide to the police in order to aid recovery of your Mac. So in that regard, it is very similar to software like e.g. Orbicule’s Undercover.

After 3 major releases of LTT and beta testing on close to 200 computers, I can now say that version 3.0.4 is very stable and runs well on both Tiger and Leopard, has no known bugs and is ready for widespread use. My current server setup can (theoretically) handle around 10000 simultaneously active clients. If you’re interested in testing it or if you would like to give your Mac some additional theft protection, please contact me so that I can set you up with an account to use the service.

Frequently Asked Questions

How secure is LTT?
All communication is done over an SSL-encrypted connection, so it is protected from being spied on and not prone to things like ARP spoofing or DNS poisoning.

How do you prevent unauthorized access to my LTT account, which could potentially be used for spying?
As long as you keep your password secret, there is not a whole lot you need to worry about. However, if somebody were to break into my server, I obviously can’t guarantee for it ;-) .

Why am I not receiving screenshots?
If the screen is asleep, screenshots are apparently not possible – this is not a bug in my software, it’s probably due to the way Apple implemented WindowServer.

Why am I not receiving iSight captures?
Either the camera is in use by a different program or the laptop is being operated with the clamshell closed.