Tech Biter - Biting the tech that feeds me for longer than I care to remember - John Lockwood

UK ISPs and (lack of) IPv6 (2023-02-14)
<p>TCP/IP is the protocol used to access the Internet. Users may be familiar with IPv4-style numeric addresses, which look like 192.168.0.1, that is four numbers each of which can be from 0 to 255. An example IPv6 address looks like this: 2001:db8:3333:4444:5555:6666:7777:8888</p>
<p>Whilst there is a huge amount of waste, with some organisations having more IPv4 addresses than they need and with some possible addresses being reserved, the world officially ran out of available IPv4 addresses in November 2019. Fortunately, by using Network Address Translation (NAT), the impact of this on your average user is minimal. Nevertheless it was rightly deemed necessary for an official solution to be created, and this is to use a newer address protocol known as IPv6.</p>
<p>Both IPv4 and IPv6 addresses come from finite pools of numbers. For IPv4, this pool is 32 bits (2<sup>32</sup>) in size and contains 4,294,967,296 IPv4 addresses. The IPv6 address space is 128 bits (2<sup>128</sup>) in size, containing 340,282,366,920,938,463,463,374,607,431,768,211,456 IPv6 addresses.</p>
<p>A lot of websites already fully support IPv6, as do all computer/device operating systems such as macOS, iOS, Linux and Windows, along with nearly all currently used network equipment. Unfortunately the sad reality is that the overwhelming majority of UK ISPs still do not support IPv6. 😦</p>
<p>See - <a href="https://www.ispreview.co.uk/index.php/2021/11/update-on-ipv6-plans-for-virgin-media-talktalk-plusnet-and-vodafone.html">Update on IPv6 Plans for Virgin Media, TalkTalk, Plusnet and Vodafone</a></p>
<p>Note: British Telecom is the main exception to this as they do support IPv6. (The mobile phone 5G networks also support IPv6, as the use of IPv6 for 5G was part of the 5G design process.)</p>
<p>Since I could not rely on the majority of UK ISPs to provide me with IPv6 connectivity, and since I am a hardcore techie, I decided to solve this myself. This was done by obtaining a 6in4 tunnel, which allows sending IPv6 traffic over an IPv4 connection.</p>
<p>When IPv6 was first being rolled out there were a number of free 6in4 tunnel providers, but most have now ceased to be available because they assume most ISPs would be able to offer native IPv6 by now, or that we customers should beat up our providers to get this. (Fat chance!)</p>
<p>The most well known remaining 6in4 tunnel provider is <a href="https://tunnelbroker.net/">Hurricane Internet</a> and I did indeed use them successfully to create and use a 6in4 tunnel. All the IPv6 tests then passed. However, as Hurricane are based in the US, it had an unintended side effect, which is that some IPv6 websites considered me to also be located in the US. This has recently become more and more of a problem, with a number of TV streaming services blocking my access as a result.</p>
<p>As mentioned, most other tunnel providers no longer offer a service, but fortunately I have been able to find one that, unlike Hurricane Internet, does offer choices as to where their tunnel appears to be located. This one - <a href="https://www.tunnelbroker.ch/">TunnelBroker.ch</a> - therefore enabled me to create a 6in4 tunnel that is located in the UK, and hence the TV streaming services are now happy. 😃</p>
<p>For those interested, this site <a href="https://test-ipv6.com/">https://test-ipv6.com/</a> is a good one to test if you have working IPv6 connectivity.</p>
<p>This site <a href="https://whatismyipaddress.com/">https://whatismyipaddress.com/</a> is a good one to show what your public IPv4 and IPv6 addresses are.</p>
<p>This one <a href="https://tools.keycdn.com/geo">https://tools.keycdn.com/geo</a> shows your presumed geographic location for IPv6.</p>
<p>Note: Whilst it is possible to configure macOS, Linux and Windows themselves to establish the 6in4 tunnel connection, it is not possible to do this on iOS, Apple TV, or other sealed-configuration devices. I therefore set the tunnel up in my own Draytek Vigor ADSL router, and it then provides IPv6 addresses to all devices on my home network, including my Apple TV box.</p>
<p>As a bonus, since the IPv6 tunnel belongs to me and is nothing to do with my ISP, if/when I change ISP the tunnel settings will be completely unaffected and my IPv6 addresses will also be unchanged.</p>
<br />
macOS Catalina - How to use imaging even though Apple don't want you to (2019-11-11)<br />
Apple have with each new version of macOS tightened the security, and in general this is clearly a good thing.<br />
<br />
Apple have also removed a number of historically available functions - including ones used in the past by many Mac administrators. This arguably is a mixture of good and bad.<br />
<br />
The latest casualty in macOS Catalina is the loss of the --volume option in startosinstall.<br />
<br />
Losing the --volume option means you cannot boot from an external drive and automate the installation on to the internal drive along with (optionally) flags to erase the internal drive and install packages. Now you can only do this by booting from the internal drive itself and then running the startosinstall command which in turn means going through the Apple Setup Assistant at least once. This could be workable for wiping and reusing an existing Mac but only if you have a valid login when the Mac is returned by the previous user.<br />
<br />
This seems an extremely petty change since the GUI macOS installer still does let you boot from an external drive, run the installer and specify a different drive to install on to. Clearly there cannot be any technical reasons for this change. 😕<br />
<br />
Ironically the 'solution' to the loss of the --volume option is to go back in time and return to using AutoDMG and an image restoration process, e.g. DeployStudio (run locally).<br />
<br />
It should be noted that due to the now extremely <strike>aggressive</strike> secure implementation of Security &amp; Privacy in Catalina, one can no longer run normal DeployStudio workflows to configure a Mac unless you also install DeployStudio Runtime on the target Mac and give it, and Terminal/bash/scripts, Full Disk Access permission. Clearly you would not do this on a Mac you are configuring.<br />
<br />
It is however possible to do the following.<br />
<br />
<ol>
<li>Use Mager Valp's <a href="https://github.com/MagerValp/AutoDMG">AutoDMG</a> (currently a beta version for Catalina compatibility) to build a Catalina image</li>
<ol>
<li>The source macOS Installer must be inside a disk image. I happen to use Greg Neagle's <a href="https://github.com/munki/macadmin-scripts/blob/master/installinstallmacos.py">installinstallmacos.py</a> script to download the macOS Installer, and this automatically puts it in a disk image</li>
<li>Make sure you have no other volumes called 'Macintosh HD' mounted, as otherwise AutoDMG gets 'confused' as to which to use</li>
<li>This includes the normally invisible 'Macintosh HD - Data' volume now included with Catalina; I therefore have my USB boot drive named differently</li>
</ol>
<li>Use Richard Trouton's old <a href="https://github.com/rtrouton/First-Boot-Package-Install">first-boot-package</a> tool to run scripts and installers during the first boot of the restored image</li>
<li>Use a <a href="http://www.deploystudio.com/">DeployStudio</a> server to host the AutoDMG image</li>
<li>Use a USB boot stick with a full install of Catalina and use Disk Utility to erase the target (internal) drive if needed</li>
<li>Use DeployStudio Runtime to restore the AutoDMG created image</li>
<li>On first boot the restored Mac will then run the scripts/installers provided by Richard Trouton's tool. In my case I run an installer created using Greg Neagle's <a href="https://github.com/gregneagle/pycreateuserpkg">pycreateuserpkg</a> to create an initial local admin account, Mager Valp's <a href="https://github.com/MagerValp/SkipAppleSetupAssistant" target="_blank">SkipAppleSetupAssistant</a> pkg, my own script to set initial preferences, and then Greg Neagle's <a href="https://github.com/munki/munki">munkitools</a> installer. I also run another of my own <a href="https://jelockwood.blogspot.com/2019/10/auto-naming-mac-computers-using-values.html">scripts</a> to replace the DeployStudio function that automatically names restored computers.</li>
</ol>
<br />
I could have included an installer to enrol in to our MDM e.g. a Jamf QuickAdd.pkg however I intend to use DEP for Catalina.<br />
<br />
The above therefore pretty much restores past 'imaging' capabilities.<br />
<br />
Auto-naming Mac computers using values from a database (2019-10-17)<br />
Long-time Mac admins may have used a tool like DeployStudio to 'build' Macs before issuing them to users.<br />
<br />
DeployStudio can install the operating system, set various settings and install files and programs. One of the tasks it can perform as part of its workflow is to automatically set the name of the computer based on a 'database' stored within DeployStudio.<br />
<br />
I always found this auto-naming of computers useful as it allowed using a name format that was completely under the control of the Mac administrator and therefore could be for example based on asset numbers rather than the computer serial number.<br />
<br />
Unfortunately it seems with macOS Catalina Apple have finally put the last nail in the coffin for using DeployStudio as a tool. (I had been able to devise a way to use it for macOS Mojave even with T2 chip equipped Macs.)<br />
<br />
Equally unfortunately it seems most other Mac management tools e.g. Jamf do not have a similar facility and at best leave you to write a script which typically names the computer based on its serial number.<br />
<br />
Whilst using a serial number is a possibility, and achieves the main goal of being a unique value and one that <i>could</i> be used to track computers on a network, it is not the format I prefer. Whilst macOS is perfectly happy with that as a computer name, that format would not work as well in other operating systems, especially Windows, which would lead to a loss of consistency in naming computers.<br />
<br />
I have therefore devised a script of my own to auto-name Macs using a database-sourced value, i.e. the way DeployStudio works. This script <i>could</i> be run via Jamf after enrolment. The example script listed below uses the database from DeployStudio. Clearly it would be massive overkill to set up and run a DeployStudio server solely for the purpose of hosting the database of computer names, but if you have an existing DeployStudio server you can continue to use it for just this purpose. In theory this approach could be relatively easily modified to use an alternate database, although directly using something like MySQL would then require having the MySQL client installed. In my case I am also considering using the free open source IT asset management system 'Snipe-IT', which like DeployStudio also has a REST API.<br />
<br />
<i>Note: In order to make this script as robust as possible and in particular more suitable for Jamf I went to considerable effort to process the XML returned by DeployStudio in a way that avoided having to write the results to a file, that is I have managed to do all the processing using pipes and stdin. This precluded using the defaults command for example. I also was careful to only use tools built-in to macOS.</i><br />
<br />
<pre>#!/bin/sh

# DeployStudio connection settings
# Note: the credentials below are embedded in the script, so restrict who can read it
# (e.g. only deploy it via a management tool such as Jamf and do not leave it on the Mac).
host='https://deploystudio.domain.com:60443'
adminuser='deploystudiouser'
adminpass='deploystudiopass'

# Get Mac serial number
# Your choice to use ioreg or system_profiler
# MAC_SERIAL_NUMBER=$(/usr/sbin/ioreg -l | /usr/bin/grep IOPlatformSerialNumber | /usr/bin/awk '{print $4}' | /usr/bin/cut -d '"' -f 2)
MAC_SERIAL_NUMBER=$(/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/grep 'Serial Number (system)' | /usr/bin/awk '{print $NF}')

# Get Mac hostname from DeployStudio
# This is done using DeployStudio's REST API, which returns a binary plist record. plutil converts this
# to XML on stdout and PlistBuddy reads that XML from stdin and prints the 'cn' (host name) key, so
# nothing is ever written to a file.
# It is assumed that your DeployStudio is using the default option to use a Mac serial number as the
# index; if you used MAC addresses this will not work.
# curl's -k skips TLS certificate verification (DeployStudio typically uses a self-signed certificate);
# if you have the server's CA certificate available, prefer --cacert over -k.
result=$(/usr/bin/curl -s -k -u "$adminuser:$adminpass" "$host/computers/get/entry?id=$MAC_SERIAL_NUMBER" \
    | /usr/bin/plutil -convert xml1 -r -o - -- - \
    | /usr/libexec/PlistBuddy -c "Print $MAC_SERIAL_NUMBER:cn" /dev/stdin 2&gt; /dev/null)

# If a result is returned from DeployStudio then use it, else use a generic name (the model name)
if [ $? -eq 0 ] &amp;&amp; [ -n "$result" ]; then
	echo "$result"
else
	result=$(/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/awk -F': ' '/Model Name/ {print $2}')
	echo "$result"
fi

# LocalHostName (the Bonjour name) may only contain letters, digits and hyphens, so derive a
# sanitised copy for it; ComputerName may keep spaces and is set to the name as-is.
localname=$(printf '%s' "$result" | /usr/bin/tr ' ' '-' | /usr/bin/tr -cd 'A-Za-z0-9-')

# Set Bonjour and Computer names
/usr/sbin/scutil --set LocalHostName "$localname"
/usr/sbin/scutil --set ComputerName "$result"
/usr/bin/dscacheutil -flushcache

exit 0</pre>
<br />
Apple REALLY don't want you to use Imaging anymore! (2018-11-09)<br />
Apple have for quite some time been warning Mac Admins to switch to using DEP as a means of configuring Macs instead of various forms of disk imaging workflows. Linked to using DEP, they clearly also assume everyone will get a brand new Mac, or that they or their admins will use RecoveryHD or Internet Recovery to wipe and reinstall them. (It is necessary to wipe and reinstall the operating system in order to trigger DEP enrolment.)<br />
<br />
Whilst there are indeed some advantages to the <a href="https://support.apple.com/en-gb/HT204142" target="_blank">DEP</a> approach, there are also some disadvantages - something Apple seem blinkered to. In particular, contrary to what Apple seem to believe, it is <i>not</i> the case that every new employee gets a brand new Mac fresh out of the box; in reality it is far, <i>far</i> more common that they will be issued a previously used laptop that needs wiping and rebuilding.<br />
<br />
Yes it is possible to do this with DEP and using RecoveryHD or <i>worse</i> Internet Recovery to first wipe and reinstall the operating system but this is orders of magnitude slower than a local disk imaging system. This is made worse by the fact that Apple have not provided a means of 'caching' Internet Recovery images. With Recovery images being now over 6GB in size even organisations with generous high speed Internet links will find this a pain.<br />
<br />
Imagine the torture suffered by Mac admins in countries with far less advanced Internet links or worse still capped usage levels!<br />
<br />
So, I maintain there still is a case for having a disk imaging solution. (Using a disk imaging approach does not prevent then using DEP after imaging a clean copy of the operating system.)<br />
<br />
Apple as mentioned have been discouraging disk imaging and possibly thought they had managed to completely disable this approach in High Sierra. This was because they removed the --volume option from the startosinstall command. Fortunately for me at least somehow the way I used this via a High Sierra based DeployStudioRuntime image <i>it still worked</i> even though it is not supposed to. Sadly DeployStudio has not been updated to allow successfully creating Mojave DeployStudioRuntime images.<br />
<br />
Trying to run the equivalent script under Mojave to run the startosinstall command does not work, because with this approach the --volume option definitely <i>is</i> killed off. Therefore the startosinstall command will only target the active boot drive, which is no help.<br />
<br />
I therefore started to consider previous approaches that had worked for older OS releases, for example the old approach of restoring a previously installed boot drive - an approach commonly referred to as 'thick' imaging. This approach is far from desirable but I might have been driven to it. Before I tried that however I decided to look at my previous 'thin' imaging approach which was based on creating a thin install image using the popular <a href="https://github.com/MagerValp/AutoDMG" target="_blank">AutoDMG</a> tool and then using a DeployStudio workflow to restore that to an APFS volume.<br />
<br />
Well lucky me and ya boo sucks to you to Apple! It turns out AutoDMG does now support making a Mojave thin image, it also turns out that by booting from a full working Mojave disk and running the DeployStudioRuntime utility you can then run the workflow to restore this thin image.<br />
<br />
Note: To use an external drive on new Macs so you can boot in to a copy of Mojave and run the DeployStudioRuntime tool you need to turn off <a href="https://support.apple.com/en-gb/HT208330" target="_blank">SecureBoot</a>.<br />
<br />
This approach, which I had previously abandoned for High Sierra, historically does not include triggering any firmware updates, but so far the only models of Mac I need to use this approach for, i.e. Macs that can <i>only</i> boot in to Mojave such as the Mac mini Late 2018, do not yet have any firmware updates. Older Macs, even the MacBook Pro 15" 2018, can boot in to High Sierra and use my startosinstall based approach even to install Mojave.<br />
<br />
UK - Dumb Boilers vs Smart Thermostats (2018-10-16)<br />
It is increasingly common these days for home owners to buy a 'smart' thermostat to control their central heating. Indeed, arguably smart thermostats are the number one category of smart home device. The leading member of this category is of course the Nest Learning Thermostat. (Now version 3.)<br />
<br />
Originally such smart thermostats, whilst indeed having various additional smartness, actually worked in the same way as the original dumb thermostats, in that they basically sent a signal to the boiler asking for heat or saying stop, I am warm enough, i.e. a basic on or off control. This approach involves the boiler either running at 100% power or 0% power, i.e. fully on or fully off.<br />
<br />
However newer models of smart thermostat including the aforementioned Nest Learning Thermostat v3 also support an alternative approach which allows setting a target temperature for the boiler so that the boiler can adjust the level it needs to run at to keep at that target temperature. This means that instead of constantly starting and stopping the boiler it will run continuously at a lower power level to keep the temperature more even. This can create additional energy savings on top of more efficient schedules and might add an additional 5% savings. This approach is referred to as modulating control.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6EFi0x430EW7fen9hN9UXDAxawHJU_pTu7VvbyHqSVwX6yGAixypAeIK3DTkB2C3bCALRoLUZMcKVINHigrPFnsm81KWy1z1bay4xwbenTEVBADmWBIGqHkB3jzl-zI4KIKToMWFiSv4/s1600/no-modulating-thermostat.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="540" data-original-width="720" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6EFi0x430EW7fen9hN9UXDAxawHJU_pTu7VvbyHqSVwX6yGAixypAeIK3DTkB2C3bCALRoLUZMcKVINHigrPFnsm81KWy1z1bay4xwbenTEVBADmWBIGqHkB3jzl-zI4KIKToMWFiSv4/s400/no-modulating-thermostat.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1 - Traditional on/off control</td></tr>
</tbody></table>
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwuMUMPKdro-mK2LTcEJXDKZsVIxPav86QNp_BnI3d0sBqjtI8yjONRC4pmlm13awUP3g6rFHdrlxHMaZAvwLHFnQOSUW36Jcth5ve8XLypqqqAD9ml9olkyMN4fpaky4ZhDsq7fBpfDY/s1600/modulating-thermostat.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="540" data-original-width="720" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwuMUMPKdro-mK2LTcEJXDKZsVIxPav86QNp_BnI3d0sBqjtI8yjONRC4pmlm13awUP3g6rFHdrlxHMaZAvwLHFnQOSUW36Jcth5ve8XLypqqqAD9ml9olkyMN4fpaky4ZhDsq7fBpfDY/s400/modulating-thermostat.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 2 - Modulating control</td></tr>
</tbody></table>
<br />
<br />
As you can see from these diagrams, with traditional on/off control the boiler runs at 100% until it reaches the desired temperature and then turns off. It will however overshoot the desired temperature as the heat is released by your radiators, and it will then undershoot as the radiators cool down whilst waiting for the boiler to heat them up again. With modulating control the amount of power (heat) the boiler produces is reduced as it approaches the desired temperature, meaning it does not overshoot and instead reduces power to the level needed to <i>keep it at that level</i>.<br />
<br />
Now in order to benefit from this more efficient modulating control you need both a smart thermostat that supports this feature and a boiler that also supports this feature. As mentioned the <a href="https://nest.com/uk/thermostats/nest-learning-thermostat/overview/" target="_blank">Nest Learning Thermostat v3</a> supports this, as do various <a href="https://www.honeywelluk.com/products/Underfloor-Heating/evohome-Main/" target="_blank">Honeywell Evohome</a> smart thermostats and so does the <a href="https://www.tado.com/gb/thermostat-heating" target="_blank">Tado</a> Thermostat. There is an official open standard called <a href="https://www.opentherm.eu/" target="_blank">OpenTherm</a> which was originally devised by Honeywell and later released as an open standard. This OpenTherm standard is supported by the Nest v3, Evohome and Tado amongst others. Even Drayton offer an OpenTherm compatible thermostat. There also seems to be another alternative standard generally referred to as <a href="https://en.wikipedia.org/wiki/EBUS_(serial_buses)" target="_blank">eBus</a> aka energy Bus; however only Tado support this as well as OpenTherm. (It is not supported by Nest or Evohome.)<br />
<br />
Unfortunately here in the UK many of the various boiler manufacturers are proving very unhelpful. Most do now provide at least some boiler models that support modulating control as well as the traditional on/off control but only support modulating control with their own proprietary thermostats. Whilst they do not say so it seems their proprietary thermostats are using the eBus standard. As such this precludes using the Nest etc. in modulating mode although the Tado would still work.<br />
<br />
What is even more annoying is that Vaillant a leading brand actually sell their boiler with OpenTherm support in the Netherlands, they do this by selling their own eBus to OpenTherm bridge module - VR33 to convert their eBus signals to OpenTherm signals. However Vaillant do not sell this module in the UK and if you get one and have it fitted <i>even by an official Vaillant engineer</i> they will invalidate the warranty on your entire Vaillant system. Remember this is an official Vaillant part and one that does work on UK boilers.<br />
<br />
Worcester-Bosch are a little better, they have their own proprietary variation on eBus called EMS. Bosch own several brands throughout Europe, Worcester-Bosch in the UK, Nefit in the Netherlands, Junkers in I believe Portugal and of course Bosch in Germany. Since OpenTherm is very common in the Netherlands Nefit have produced a module to convert Bosch's EMS to OpenTherm. See - <a href="https://en.robbshop.nl/ems-ot-opentherm-converter-nefit" target="_blank">this</a>. However there is also another interesting possibility. Worcester-Bosch also sell an <a href="https://www.worcester-bosch.co.uk/products/accessories/directory/easycontrol-adapter" target="_blank">adapter</a> to allow connecting their <a href="https://www.worcester-bosch.co.uk/products/boiler-controls/bosch-easycontrol" target="_blank">EasyControl smart thermostat</a> which speaks only their proprietary EMS protocol to OpenTherm boilers, it should also work with their older <a href="https://www.worcester-bosch.co.uk/products/boiler-controls/wave" target="_blank">Wave smart thermostat</a>. This adapter however is described as bi-directional which <i>might</i> mean it can also do the reverse and allow an OpenTherm smart thermostat to connect to a Worcester-Bosch EMS boiler. The Nefit module is not sold in the UK but the Worcester-Bosch adapter is officially available.<br />
<br />
Both OpenTherm and eBus have additional benefits: they can provide error diagnostics to your smart thermostat so that you can be far better informed of either a potential problem or an actual fault, and they also allow a smart thermostat not only to control the central heating but also to control your hot water scheduling as well. I have not seen anything official, but Tado at least suggest that the eBus standard is technically superior to the much older OpenTherm standard. I also get the impression eBus may be a purely European standard at this point - hence the fact Nest and Honeywell aka Evohome do not support it.<br />
<br />
To summarise -<br />
<br />
<ul>
<li>UK boiler manufacturers try and lock you in to their own proprietary 'smart' thermostat</li>
<li>Most UK boilers do not support OpenTherm and do not say they support eBus (but in reality many do)</li>
<li>Vaillant who do at least in the Netherlands support OpenTherm are deliberately refusing to do this in the UK and even go as far as punishing anyone who gets their own OpenTherm bridge module</li>
</ul>
<br />
So either you have to run your boiler in old fashioned dumber on/off mode, or get the Tado Thermostat or accept being locked in to the boiler manufacturers own proprietary 'smart' thermostat.<br />
<br />
Note: If your Vaillant boiler is out of warranty you could consider using that VR33 module.<br />
<br />
A list of potentially OpenTherm compatible boilers is available <a href="https://www.myboiler.com/opentherm-capable-boilers/" target="_blank">here</a>.<br />
<br />
Extracting EFI firmware for standalone install in High Sierra (2018-08-05)<br />
When Apple released High Sierra they included an EFI firmware updater built in to the <b>Install macOS High Sierra.app</b> as well. This was mainly to add additional support for booting from APFS volumes, but also as part of a plan to continuously check that the Mac firmware had not been infected by malware, and as a way of adding potentially regular EFI firmware updates.<br />
<br />
Unfortunately, since this firmware update was not available separately, and because it could not be automated as part of a traditional disk image based imaging process e.g. DeployStudio, this caused some difficulties for Mac admins. As a result Mac admins quickly created a workaround in the form of 'extracting' the EFI firmware updater from a standard <b>Install macOS High Sierra.app</b> so it could be run separately. This indeed worked fine for High Sierra 10.13.1, but Apple changed things again in subsequent versions, at least by 10.13.3 (I don't have a copy of 10.13.2 to check), and the suggested approach then became broken.<br />
<br />
Note: Because <i>correctly</i> deploying High Sierra with the built-in firmware updates is effectively impossible with a disk imaging approach Apple say you should instead use the DEP - Device Enrolment Program approach instead. This has its own complexities hence why some Mac admins came up with the original means of extracting the EFI firmware updater.<br />
<br />
This script gets round the change introduced in 10.13.3 once more and works for 10.13.6 and I would expect also 10.13.3 to 10.13.5 inclusive. Basically it includes a copy of a sub-script that is no longer included by Apple as of 10.13.3 and later. I also use the munkipkg tool rather than pkgutil so you will need to download munkipkg from here <a href="https://github.com/munki/munki-pkg">https://github.com/munki/munki-pkg</a> and install it in /usr/local/bin<br />
<br />
It should be noted that the change that Apple made in presumably 10.13.3 was to add further firmware updaters to the same mechanism in addition to the original EFI firmware update that is of most concern to Mac admins. Some of the other additional updaters cover SSD firmware and USB-C firmware. It is to me at least, impossible to tell if my 'fixed' version happens to install those as well, I would suspect not.<br />
<br />
Therefore as Apple say <i>you should not do this</i>. However at your own risk here is my fixed script.<br />
<br />
<a href="https://github.com/jelockwood/extract-firmware" target="_blank">https://github.com/jelockwood/extract-firmware</a><br />
<br />
If the script completes successfully the custom built installer package is available at <b>/tmp/FirmwareUpddateStandalone/FirmwareUpdateStandalone.pkg</b><br />
<br />
You may want to also check your Mac to see if it has the correct EFI firmware; this is most easily done by downloading and running this free tool - <a href="https://github.com/duo-labs/EFIgy-GUI">https://github.com/duo-labs/EFIgy-GUI</a><br />
<br />
Nest Hello, Skybell and Ring - UK smart doorbell installations (2018-08-05)<br />
As you will know if you have come looking for this article, these are the three leading smart doorbells, all of which are US products. This unfortunately means they are more complex to install in the UK and Europe due to the differences between normal wired doorbells in the US and the EU.<br />
<br />
In the UK and Europe doorbells typically use an 8V AC transformer like this -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbEAKKlXw1hlvk7epmwRBL3oH6XHtJ0ruIBVbRlOaRnX0m07Kk5lPm8Tt8A0IhJklMyYDZFQiay_YlY5E7GrTyns6Zhn3Pgkv_GU_bexQnkUTk577C7w13SR6jIolOcUIjeb8iAo81ym0/s1600/41M5Qa8B7bL._SL500_AC_SS350_.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="350" data-original-width="350" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbEAKKlXw1hlvk7epmwRBL3oH6XHtJ0ruIBVbRlOaRnX0m07Kk5lPm8Tt8A0IhJklMyYDZFQiay_YlY5E7GrTyns6Zhn3Pgkv_GU_bexQnkUTk577C7w13SR6jIolOcUIjeb8iAo81ym0/s320/41M5Qa8B7bL._SL500_AC_SS350_.jpg" width="320" /></a></div>
<br />
However the US typically uses a 16V AC transformer like this -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2lIm_SSXwu1dIvpY5SRBiSUmC4VyoXxk1sVUpHp_ZOpwf7S1kwpZzTFv8gsexIsnlH1YpeejAxBnDQhi-Ro8KjqfBYuF-admK-bcbiGlO0aOpxZG_aOXItYj_DIsOZ-ICzsp4whMP81M/s1600/61Jff3Bn4JL._SL1000_.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="718" data-original-width="1000" height="229" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2lIm_SSXwu1dIvpY5SRBiSUmC4VyoXxk1sVUpHp_ZOpwf7S1kwpZzTFv8gsexIsnlH1YpeejAxBnDQhi-Ro8KjqfBYuF-admK-bcbiGlO0aOpxZG_aOXItYj_DIsOZ-ICzsp4whMP81M/s320/61Jff3Bn4JL._SL1000_.jpg" width="320" /></a></div>
The above is a 16V AC transformer, but it is for 110V mains, not the European standard of 220V. The reason the US can get away with a lethal-looking transformer like this is that it is converting from 110V, which is less dangerous than the European 220V.<br />
<br />
So, these smart doorbells are designed to use a higher voltage than a typical UK/EU wired doorbell, which means that, unless we are very lucky, we cannot use an existing doorbell transformer. As I mentioned, UK/EU wired doorbells typically come with an 8V transformer as shown; however, 12V AC transformers are also widely available, and this difference is usually still within the bounds an 8V doorbell will accept. In fact some Friedland wired doorbells will accept 16V AC.<br />
<br />
First, what does each of the three smart doorbell brands say it actually needs?<br />
<br />
<table border="1" cellpadding="4" cellspacing="0" style="border-collapse: collapse;">
<tbody>
<tr>
<td valign="top"><b>Nest Hello</b></td>
<td valign="top"><b>Skybell HD</b></td>
<td valign="top"><b>Skybell Trim Plus</b></td>
<td valign="top"><b>Ring 2</b></td>
<td valign="top"><b>Ring Pro</b></td>
</tr>
<tr>
<td valign="top">16-24V AC</td>
<td valign="top">10-36V AC</td>
<td valign="top">10-36V AC</td>
<td valign="top">Battery pack</td>
<td valign="top">16-24V AC</td>
</tr>
</tbody></table>
<br />
As we can see from the above table, the most common requirement is for 16V AC, which happens to be the hardest to find in the UK.<br />
<br />
As far as I can tell Nest, Skybell and Ring do the following.<br />
<br />
<ul>
<li>Nest tell you to find your own 16V transformer or to get a professional installer - and they offer to include professional installation for you</li>
<li>Skybell have a European agent who sells 12V transformers</li>
<li>Ring include in the box in Europe a 24V transformer as standard - although this creates a new problem as you will see</li>
</ul>
<br />
So Nest are the least helpful for DIYers. Considering they did a very good job making UK/EU versions of their Thermostat and Protect fire alarm, this is very surprising. Skybell's European agent has a solution, but it is only suitable for Skybell, being only 12V. Ring have themselves completely solved the problem but, as I mentioned, created a new one.<br />
<br />
Whilst a typical UK/EU wired doorbell, as mentioned, uses 8V AC, it can cope with 12V AC or even 16V AC as this is still low voltage. However, I consider it unlikely it would cope with 24V AC, which after all is three times the more typical 8V AC. Ring acknowledge this, and their solution requires you to stop using the wired door chime and to use Ring's own wireless ringer instead. As far as I am aware, neither Nest nor Skybell support wireless ringers.<br />
<br />
In my own case I planned to buy a Skybell Trim Plus, and in theory an easily obtainable 12V transformer would do the job. However, I wanted to have the most flexible solution, so I wanted a transformer that could ideally do 12V, 16V and 24V - just in case. There are a few multi-voltage bell transformers doing 8V, 12V and 24V, but ones doing 16V as well as 12V and 24V are extremely rare. Fortunately I did manage to find one. See - <a href="http://protekuk.co.uk/24V-8VA-2-Module-Bell-Transformer-BT8-24">http://protekuk.co.uk/24V-8VA-2-Module-Bell-Transformer-BT8-24</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikVN9MD3rP6PybLXkVhgHuTu2bDfh9XUKaXS9YryZeZo3m7a8GGgMrqmKR9ooaawmsrywIqd7ZGJ9yHut0iOQzuQur_q6FeajleSsjeV-6sFNm92o7lOmXz_8tOEtgSXqcEVkYL2LVurU/s1600/BT8-24-1024x768.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikVN9MD3rP6PybLXkVhgHuTu2bDfh9XUKaXS9YryZeZo3m7a8GGgMrqmKR9ooaawmsrywIqd7ZGJ9yHut0iOQzuQur_q6FeajleSsjeV-6sFNm92o7lOmXz_8tOEtgSXqcEVkYL2LVurU/s320/BT8-24-1024x768.jpg" width="320" /></a></div>
<br />
Whilst, as shown above, all three brands claim to support 16V AC, I have seen reports of problems doing this with the Ring Pro, such as losing connectivity, and the transformer Ring include as standard is a 24V one, suggesting 16V might indeed not be sufficient for the Ring Pro. See - <a href="https://support.ring.com/hc/en-us/articles/115000148786-Ring-Video-Doorbell-Pro-European-Version">https://support.ring.com/hc/en-us/articles/115000148786-Ring-Video-Doorbell-Pro-European-Version</a><br />
<br />
Interestingly, one can see from the above Ring article that Ring's transformer has four screw holes at the top, like the Protek model above. This might suggest it supports additional voltages beyond 24V, but the picture is too low resolution to read the text on the Ring transformer to confirm this.<br />
<br />
Note: The various plug-in transformers sold for smart doorbells might, indeed should, work for the smart doorbell itself, but they do not support using an existing wired chime.<br />
<br />
So I have bought the Protek transformer, fitted it with my existing doorbell and chime and wired it to use 16V AC. This is working fine. I then tried to order the Skybell Trim Plus from the European agent - <a href="https://www.topsolute.com/">https://www.topsolute.com/</a> - only to find they are temporarily out of stock.<br />
<br />
<br /><b>JAMF JSS and checking Mac firmware versions</b> (John Lockwood, 2018-07-09)<br />
<br />
JAMF's JSS has a built-in capability to show what version of firmware a Mac has, but this in itself does not tell you whether the firmware is too old, the correct version, or even newer than expected.<br />
<br />
With support for APFS boot drives in High Sierra and later requiring some Macs to have their firmware updated, this is more of an issue than it used to be. Sadly, Apple no longer provide standalone firmware updaters, meaning there is no official Apple source of information to check what firmware version a Mac should be running.<br />
<br />
Historically, in theory, you could ensure your Mac's firmware was up to date simply by running Apple's Software Update check regularly; if there was a firmware update you would be informed and could run it.<br />
<br />
Worryingly, as per this article <a href="https://duo.com/assets/ebooks/Duo-Labs-The-Apple-of-Your-EFI.pdf">https://duo.com/assets/ebooks/Duo-Labs-The-Apple-of-Your-EFI.pdf</a>, many Macs, even if supposedly covered by Apple firmware updates via the Software Update mechanism, still failed to get the correct version installed.<br />
<br />
Duo Labs therefore wrote their own tool, EFIgy, to check whether a Mac has the correct firmware version. See - <a href="https://github.com/duo-labs/EFIgy">https://github.com/duo-labs/EFIgy</a>; both a GUI version you can run locally and a command line version are available.<br />
<br />
The purpose of this article is to describe how you can use the command line version of the EFIgy tool with JAMF to audit all your Macs and thereby find out whether any of your Macs has an out-of-date version of firmware.<br />
<br />
Note: Since Apple no longer provide standalone firmware updaters the only official way to get newer firmware versions installed now is to either install the latest High Sierra version or the (at the time of writing) Mojave beta version. (Yes Mojave has for at least the Mac Pro 2010/2012 models even newer firmware than that included with the High Sierra installer.)<br />
<br />
In order to get a result from EFIgy we need to use the command line version and have the result returned as an extension attribute to JSS. The following issues needed to be solved in order to achieve this.<br />
<br />
<ol>
<li>EFIgyLite_cli.py, as its name suggests, is a Python script. It is more typical to use shell scripts to populate Extension Attributes, but I suspect it would in theory be possible with a Python script as it obeys the same <a href="https://en.wikipedia.org/wiki/Shebang_(Unix)" target="_blank">shebang</a> mechanism as a shell script. However, as it turns out I needed to front-end it with a standard shell script, so the fact that it is a Python script became immaterial.</li>
<li>EFIgyLite_cli.py either needs the Python certifi module to be installed or a cacert.pem file to be in the same location as the Python script.</li>
<li>EFIgyLite_cli.py as standard requires human interaction to answer a yes/no question.</li>
<li>The result from EFIgyLite_cli.py is rather verbose; my current solution condenses this significantly to a single line, but it could in theory be further abbreviated to one of 'up2date', 'outofdate', 'newer', 'model_unknown' or 'build_unknown'.</li>
</ol>
<br />
<br />
In order of what needs to be done, here is how I solved these issues.<br />
<br />
<ol>
<li>I modified the standard EFIgyLite_cli.py script to add an additional command line parameter, -a, which automates the running of the script: in other words, if you include this parameter it will not ask you the Y/N question but will run as if you had answered Y. (Fixes issue 3)</li>
<li>I used my previously discussed solution on how to use the shell script <a href="http://jelockwood.blogspot.com/2018/06/using-cat-eof-in-shell-script-to.html" target="_blank">CAT EOF</a> feature to include multiple files. Via this I encoded both the EFIgyLite_cli.py and the cacert.pem files inside my shell script, and my script then automatically 'restores' them into a temporary folder and runs the Python script from that temporary folder. (Fixes issues 1 &amp; 2)</li>
<li>My shell script then takes the result returned by the Python EFIgyLite_cli.py script and extracts just the single line that contains the desired result. (Fixes issue 4)</li>
</ol>
<br />
<br />
Note: This means you cannot use the (current) standard version of EFIgyLite_cli.py; you must use my modified version. I have however submitted an enhancement request to the original authors and provided them with details of the change I made to achieve this.<br />
<br />
Note: As an aside, whilst creating this solution I discovered that the JSS runs shell scripts on client machines from a working directory of /private/var/&lt;nameofjamfaccount&gt;/<br />
<br />
Here is how you need to configure the Extension Attribute in JSS.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp4Llw8eCvjSmPQEpUmTXSLtGy719dwjjBlgClmiH74KbWnzgGWbIJ0ChDij3FoOkLExq1k8FIyElFYYKFxYpeyNN7mfDyrAHCRdH_Hsz1IzOvH96jYixtdIkc9ZxWnkY6F8cUR2LgHAA/s1600/Screen+Shot+2018-07-09+at+14.04.46.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="458" data-original-width="1298" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp4Llw8eCvjSmPQEpUmTXSLtGy719dwjjBlgClmiH74KbWnzgGWbIJ0ChDij3FoOkLExq1k8FIyElFYYKFxYpeyNN7mfDyrAHCRdH_Hsz1IzOvH96jYixtdIkc9ZxWnkY6F8cUR2LgHAA/s640/Screen+Shot+2018-07-09+at+14.04.46.png" width="640" /></a></div>
<br />
Here is the script, including the encoded EFIgyLite_cli.py and cacert.pem files. If you're being paranoid (and you always should be), you should either run this first on a test Mac or otherwise decode the encoded files and examine their content to reassure yourself they are not malicious.<br />
<br />
<a href="https://drive.google.com/file/d/1cyi6Y9W2e22JFIAgewIJepo-sRiJUswv/view?usp=sharing" target="_blank">firmware_checker.sh</a><br />
<br />
For the more adventurous amongst you, some people have found a way to extract the firmware installers from a High Sierra installer app to produce a standalone firmware installer package file. I have used this approach myself on a few Macs. See <a href="https://github.com/grahamgilbert/imagr/wiki/High-Sierra-Notes">https://github.com/grahamgilbert/imagr/wiki/High-Sierra-Notes</a><br />
<br />
<b>Me and Apple's DHCP Server - a long history…</b> (John Lockwood, 2018-06-06)<br />
<br />
I have had a long and involved relationship with Apple with regards to their DHCP support.<br />
<br />
I have in the past successfully persuaded Apple to :-<br />
<br />
<br />
<ul>
<li>Add support to macOS X, aka OS X, aka macOS, to be able to use WPAD, i.e. Web Proxy Auto Discovery, which Apple calls 'Auto Proxy Discovery'</li>
<li>and add support to their DHCP server for the DHCP option codes used by VoIP handsets and other network equipment</li>
</ul>
<br />
<br />
I also wrote myself a GUI tool to make it far easier for people to generate the encoded values Apple required for DHCP option codes in their bootpd.plist config file. See <a href="http://jelockwood.blogspot.com/2013/06/dhcp-server-on-os-x-server.html">http://jelockwood.blogspot.com/2013/06/dhcp-server-on-os-x-server.html</a><br />
<br />
This tool still works by the way.<br />
<br />
However, the one thing I did not succeed in persuading Apple to do was to add an IPv6-capable DHCP server. Apple's DHCP server is based on an extremely modified bootpd package which was never able to support IPv6.<br />
<br />
With the recent(ish) announcement from Apple of yet more services being removed from their Server.app, including the DHCP server, it is clear that IPv6 is never going to be added. It also means my tool will no longer have a purpose.<br />
<br />
<span style="background-color: #f9f9f9; color: #333333; font-family: "Courier New", Courier, monospace; font-size: 53.3333px; font-weight: 700; text-align: center; white-space: nowrap;">:'(</span><br />
<br />
<b>Using Cat << EOF in a shell script to restore binary files</b> (John Lockwood, 2018-06-06)<br />
<br />
Unix/Linux/Mac shell scripts support what is commonly called 'Cat << EOF', whereby an entire file can be included in a shell script and 'restored' to a separate file stored on the drive.<br />
<br />
As should be obvious, this derives from the fact that at the command line you can run a command such as -<br />
<br />
<b><span style="font-family: "courier new" , "courier" , monospace;">cat /etc/hosts > newfile.txt</span></b><br />
<br />
In this scenario we want to use a shell script to create the desired file. You might think this could be achieved simply as follows -<br />
<br />
<b><span style="font-family: "courier new" , "courier" , monospace;">#!/bin/sh</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">echo "This is the content of a file" > newfile.txt</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">exit</span></b><br />
<br />
and yes, to some extent this is possible. However, if your file is going to contain multiple lines, some of which might be blank and some of which might contain commands or special characters, this soon becomes effectively impossible with a simple echo command. Therefore shell scripts can use the Cat << EOF feature instead. Here is a simple example -<br />
<br />
<b><span style="font-family: "courier new" , "courier" , monospace;">#!/bin/sh</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">cat <<- 'EOF' > newfile.txt</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">This is the content of a file</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">This is more content</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;"><br /></span></b>
<b><span style="font-family: "courier new" , "courier" , monospace;">Yet more content still</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">EOF</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">exit</span></b><br />
<br />
You should now be able to see where the reference to Cat << EOF comes from; however, the official term is a 'heredoc', see <a href="https://en.wikipedia.org/wiki/Here_document">https://en.wikipedia.org/wiki/Here_document</a><br />
<br />
This approach is commonly used to include and generate a single text file as shown above. However, what if you want to do something more complicated: an entire directory, a nested set of directories and files, or binary files? Is this even possible?<br />
<br />
The answer fortunately is yes. To do this the easiest way I have found is as follows -<br />
<br />
<b><span style="font-family: "courier new" , "courier" , monospace;">tar -cv nameofdirectory | openssl base64 -e</span></b><br />
<br />
This uses the standard tar command to archive the specified directory (or binary files) and then pipes the result to openssl, which is told to encode its input into base64 format; base64 is an ASCII, i.e. text, encoding of the binary data. In this case the result is displayed on standard output in your terminal and can be copied and pasted into the Cat << EOF section of your shell script.<br />
<br />
Here therefore is an example shell script which would 'restore' a file -<br />
<br />
<b><span style="font-family: "courier new" , "courier" , monospace;">#!/bin/sh</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">cd /where/you/want/to/restore</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">/usr/bin/openssl base64 -d << EOF | tar xf -</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">dGVzdC50eHQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">AAAAADAwMDY0NCAAMDAwNzY3IAAwMDAwMjQgADAwMDAwMDAwMDA1IDEzMzA1NzY0</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">MzUzIDAxNDUyNQAgMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">AAAAAAAAAAAAAAAAAAAAAAB1c3RhcgAwMGpvaG4ubG9ja3dvb2QAAAAAAAAAAAAA</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">AAAAAAAAAAAAc3RhZmYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwMDAwMDAg</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">ADAwMDAwMCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB0ZXN0CgAAAAAAAAAAAAAA</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">many lines deleted for the sake of readability</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">AAAAAAAAAAAAAAAAAAAAAA==</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">EOF</span></b><br />
<br />
<b><span style="font-family: "courier new" , "courier" , monospace;">exit</span></b><br />
<br />
Whilst the command format is quite different, it should be clear that it is using the same openssl command to decode the base64 text and then sending the output to the tar command to be 'restored'.<br />
<br />
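As an added example, not the blog's own firmware_checker.sh nor anything from EFIgy, here is a generator for the kind of 'restore' script shown above; it also covers the JAMF Extension Attribute procedure earlier on this page (embed the files, restore them to a folder, run from there). It adds one step the page does not show: the generator records a SHA-256 of the tar stream, and the generated script refuses to unpack a payload whose digest no longer matches. Because the digest lives in the same file, this catches a truncated or corrupted paste rather than a deliberate edit of the whole script, so it complements, not replaces, decoding and examining the payload yourself. It assumes tar, openssl (or coreutils base64 as a fallback) and sha256sum or shasum on PATH; every path and file name in it is constructed for the demo.<br />

```sh
#!/bin/sh
# Added example (not the blog's firmware_checker.sh or any EFIgy code): a
# generator for the "openssl base64 -d << EOF | tar" restore script above.
# It records a SHA-256 of the tar stream and the generated script refuses to
# unpack a payload whose digest no longer matches (a truncated or corrupted
# paste), instead of restoring whatever decodes. Assumes tar, openssl (or
# coreutils base64) and sha256sum (or shasum) on PATH; all names constructed.

# Base64 in 64-column lines, the layout "openssl base64 -e" emits.
b64_encode() {
    if command -v openssl >/dev/null 2>&1; then
        openssl base64 -e
    else
        base64 | tr -d '\n' | fold -w 64
        echo
    fi
}

# Hex SHA-256 of stdin with whichever tool the host provides.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi |
        cut -d' ' -f1
}

# make_restore_script SRC_DIR OUT_SCRIPT: OUT_SCRIPT recreates SRC_DIR (by
# base name) under the destination directory passed to it as $1.
make_restore_script() {
    src_dir=$1
    out=$2
    archive=$(mktemp)
    ( cd "$(dirname "$src_dir")" && tar -cf - "$(basename "$src_dir")" ) > "$archive"
    sum=$(sha256_hex < "$archive")
    {
        cat <<'HEADER'
#!/bin/sh
# Generated self-restoring archive. Usage: sh restore.sh /destination/dir
set -e
dest=${1:?destination directory required}
mkdir -p "$dest"
tmp=$(mktemp)
trap 'rm -f "$tmp"' EXIT
decode() { if command -v openssl >/dev/null 2>&1; then openssl base64 -d; else base64 -d; fi; }
digest() { if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1; }
HEADER
        printf 'expected=%s\n' "$sum"
        # Quoted delimiter: nothing in the payload is expanded by the shell.
        printf '%s\n' "decode > \"\$tmp\" <<'EOF'"
        b64_encode < "$archive"
        cat <<'FOOTER'
EOF
[ "$(digest < "$tmp")" = "$expected" ] ||
    { echo "embedded archive digest mismatch; refusing to restore" >&2; exit 1; }
tar -xf "$tmp" -C "$dest"
FOOTER
    } > "$out"
    rm -f "$archive"
    chmod 0755 "$out"
}

# Round trip on a constructed directory, then show a damaged copy is refused.
demo_roundtrip() {
    work=$(mktemp -d)
    mkdir -p "$work/src/payload/sub"
    printf 'hello from a text file\n' > "$work/src/payload/notes.txt"
    printf '\001\002\003\377\376\000\n' > "$work/src/payload/sub/blob.bin"
    make_restore_script "$work/src/payload" "$work/restore.sh"
    sh "$work/restore.sh" "$work/out" || return 1
    cmp -s "$work/src/payload/notes.txt" "$work/out/payload/notes.txt" || return 1
    cmp -s "$work/src/payload/sub/blob.bin" "$work/out/payload/sub/blob.bin" || return 1
    # Alter one base64 character in the body (tar header padding is runs of 'A').
    sed 's/AAAAAAAA/AAAAAAAB/' "$work/restore.sh" > "$work/damaged.sh"
    if sh "$work/damaged.sh" "$work/out2" 2>/dev/null; then
        return 1
    fi
    [ ! -e "$work/out2/payload" ] || return 1
    rm -rf "$work"
}

demo_roundtrip && echo "round trip ok; damaged payload refused"
```

The generated script decodes into a temporary file first and only hands it to tar once the digest matches, so nothing is written to the destination from a payload that does not decode to what was packed.<br />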
So this approach allows storing and restoring a single binary file, multiple binary files, or an entire hierarchy of directories and text or binary files. It can even cope with restoring an Apple disk image or an ISO image, and after the restore you could then use another command to mount the image and copy or run something from it.<br />
<br />
<b>Creating Certificates - Google Chrome issue</b> (John Lockwood, 2017-11-30)<br />
<br />
Here are some tips for you if you are creating your own server certificates.<br />
<br />
Google Chrome requires your certificate to have a SAN (Subject Alternative Name) entry even if the certificate is only going to have a single name. You therefore need to add the main, i.e. sole, name as a SAN entry as well.<br />
<br />
Note: If your certificate genuinely needs two or more names, i.e. the main one plus additional ones, you should always add the main name as a SAN entry along with the additional names.<br />
<br />
For example, let's say your certificate is for myserver.example.com: your certificate would have a main name of myserver.example.com and a DNS type SAN entry also of myserver.example.com.<br />
<br />
Safari does not complain if you don't have a SAN entry but Google Chrome does.<br />
<br />
I personally find the free XCA tool far easier to work with, especially with regards to adding SAN entries, than trying to do this via the command line with openssl. XCA is a Java app that acts as a front-end to openssl. See <a href="http://xca.sourceforge.net/">http://xca.sourceforge.net/</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoa7uGZGILxPFEdXVI5cizVOhfVons5baYgThgZQlboR9r3rga87Pv2g8-g-A5ooVVpGl8Cq7CyDLwkDDVAh_p14ue1SG-JpDqcvw-EmnrliAaZgRDQWE0HQFrdf-j0ZfEiok6M-uZVmA/s1600/xca-interface.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="533" data-original-width="702" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoa7uGZGILxPFEdXVI5cizVOhfVons5baYgThgZQlboR9r3rga87Pv2g8-g-A5ooVVpGl8Cq7CyDLwkDDVAh_p14ue1SG-JpDqcvw-EmnrliAaZgRDQWE0HQFrdf-j0ZfEiok6M-uZVmA/s320/xca-interface.png" width="320" /></a></div>
<br />
You can either use XCA just to create the CSR (Certificate Signing Request) and include the SAN entries in the CSR, or you can use it to create complete self-signed certificates, also with SAN entries.<br />
<br />
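For those who do want to do this from the command line, here is an added example (not from the post) that issues a self-signed certificate with the sole host name both as the CN and as a DNS SAN, then checks for the SAN the way Chrome requires. It also shows why a CN-only certificate can look fine elsewhere: OpenSSL's own hostname verification still accepts it by falling back to the CN, much as Safari does. It assumes OpenSSL 1.1.1 or later on PATH (for -addext and x509 -ext); the host name and output paths are constructed for the demo.<br />

```sh
#!/bin/sh
# Added example, not from the post: issue a self-signed server certificate
# with its sole host name both as the CN and as a DNS SAN, then check for the
# SAN the way Chrome requires, which a CN-only certificate fails even though
# OpenSSL's own hostname verification still accepts it via the CN fallback.
# Assumes OpenSSL 1.1.1 or later on PATH (-addext, x509 -ext); the host name
# and output paths are constructed for the demo.

# issue_cert HOST OUTDIR yes|no: write OUTDIR/server.key and server.crt;
# with "yes" the host name is also placed in a subjectAltName DNS entry.
issue_cert() {
    host=$1
    dir=$2
    want_san=$3
    mkdir -p "$dir"
    set -- -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.crt"
    if [ "$want_san" = yes ]; then
        set -- "$@" -addext "subjectAltName=DNS:$host"
    fi
    openssl req "$@" 2>/dev/null
}

# cert_has_dns_san CERT HOST: 0 when HOST appears as a DNS SAN, the check
# Chrome effectively performs.
cert_has_dns_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -qw "DNS:$2"
}

# openssl_accepts_host CERT HOST: 0 when OpenSSL's verifier matches HOST,
# which falls back to the CN when no DNS SAN is present.
openssl_accepts_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

demo_san_check() {
    work=$(mktemp -d)
    host=myserver.example.com
    issue_cert "$host" "$work/with-san" yes || return 1
    cert_has_dns_san "$work/with-san/server.crt" "$host" || return 1
    openssl_accepts_host "$work/with-san/server.crt" "$host" || return 1

    issue_cert "$host" "$work/cn-only" no || return 1
    openssl_accepts_host "$work/cn-only/server.crt" "$host" || return 1
    if cert_has_dns_san "$work/cn-only/server.crt" "$host"; then
        return 1    # a CN-only certificate must not pass the SAN check
    fi
    rm -rf "$work"
}

demo_san_check && echo "SAN present on the good cert, missing on the CN-only cert"
```

The useful habit is the cert_has_dns_san check: run it against any certificate you are about to deploy, because a CSR or certificate that passes openssl verify can still be rejected by Chrome.<br />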
Note: Apple's Keychain Access tool does not let you define SAN entries.<br />
<br />
<b>IKEv2 with iOS - issues and workarounds</b> (John Lockwood, 2016-03-04)<br />
<section class="j-original-message" style="border: 0px; font-family: inherit; font-size: 12px; font-style: inherit; margin: 0px 0px 32px; padding: 0px 40px 0px 22px; vertical-align: baseline;"><div class="jive-rendered-content" style="border: 0px; font-family: inherit; font-style: inherit; margin: 0px 0px -8px; overflow-x: auto; overflow-y: hidden; padding: 0px 0px 8px; vertical-align: baseline;">
<div style="border: 0px; font-family: inherit; font-style: inherit; padding: 0px; vertical-align: baseline;">
Apple added support for IKEv2 VPN connections in iOS 8, but only via mobileconfig profiles, and added further support in iOS 9 so you could define an IKEv2 profile in the GUI on the iOS device itself. (Apple also added IKEv2 support to OS X in El Capitan.)</div>
<div style="border: 0px; font-family: inherit; font-style: inherit; height: 8pt; min-height: 8pt; padding: 0px; vertical-align: baseline;">
<br /></div>
<div style="border: 0px; font-family: inherit; font-style: inherit; padding: 0px; vertical-align: baseline;">
Note: IKEv2 is considered much more modern and secure than the older VPN standards such as IPSec, L2TP, and PPTP. Hence Apple adding support for IKEv2, and my using it.</div>
<div style="border: 0px; font-family: inherit; font-style: inherit; height: 8pt; min-height: 8pt; padding: 0px; vertical-align: baseline;">
<br /></div>
<div style="border: 0px; font-family: inherit; font-style: inherit; padding: 0px; vertical-align: baseline;">
While I have now successfully got an iPhone running iOS 9.2.1 to connect via IKEv2 to a matching IKEv2 VPN server, I did come across a bug along the way which I have now reported to Apple. Obviously, in getting it working I managed to get round these problems.</div>
<div style="border: 0px; font-family: inherit; font-style: inherit; height: 8pt; min-height: 8pt; padding: 0px; vertical-align: baseline;">
<br /></div>
<div style="border: 0px; font-family: inherit; font-style: inherit; padding: 0px; vertical-align: baseline;">
A common method for generating mobileconfig profiles for use with iOS devices is Apple Configurator. Apple Configurator 1.7.2 for Yosemite supports defining an IKEv2 profile but only for iOS clients, Apple Configurator 2.1 for El Capitan supports creating an IKEv2 profile for both iOS and Macs.</div>
<div style="border: 0px; font-family: inherit; font-style: inherit; height: 8pt; min-height: 8pt; padding: 0px; vertical-align: baseline;">
<br /></div>
<div style="border: 0px; font-family: inherit; font-style: inherit; padding: 0px; vertical-align: baseline;">
The issue I hit with Apple Configurator is that both the Yosemite version and the El Capitan version add an entry to the mobileconfig as standard which caused a conflict with my IKEv2 VPN server and prevented the iOS device from successfully connecting. The entry is in the IPv4 section and is a flag called OverridePrimary, which Apple Configurator sets to 'true', i.e. 1. This flag apparently tells the VPN client it must send all network traffic via the VPN connection, including 'normal' traffic that needs to go to Internet-connected sites, e.g. web browsing traffic. There is nothing wrong with wanting this to happen, and in fact most corporates using IKEv2 would want it; however, at least in my case this setting conflicts with settings in my IKEv2 VPN server, which is itself already set to force all VPN clients to send all traffic via the VPN, and this conflict causes the connection attempt to fail.</div>
<div style="border: 0px; font-family: inherit; font-style: inherit; height: 8pt; min-height: 8pt; padding: 0px; vertical-align: baseline;">
<br /></div>
<div style="border: 0px; font-family: inherit; font-style: inherit; padding: 0px; vertical-align: baseline;">
Note: I am using StrongSwan 5.1.2 on a Linux server as the VPN server.</div>
<div style="border: 0px; font-family: inherit; font-style: inherit; height: 8pt; min-height: 8pt; padding: 0px; vertical-align: baseline;">
<br /></div>
<div style="border: 0px; font-family: inherit; font-style: inherit; padding: 0px; vertical-align: baseline;">
To work around this problem, once I had identified it, I had to manually edit the mobileconfig file produced by Apple Configurator and delete the following section.</div>
<div style="border: 0px; font-family: inherit; font-style: inherit; height: 8pt; min-height: 8pt; padding: 0px; vertical-align: baseline;">
<br /></div>
<b><span style="font-family: "courier new" , "courier" , monospace;">&lt;key&gt;IPv4&lt;/key&gt;</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">&lt;dict&gt;</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&lt;key&gt;OverridePrimary&lt;/key&gt;</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&lt;integer&gt;1&lt;/integer&gt;</span></b><br />
<b><span style="font-family: "courier new" , "courier" , monospace;">&lt;/dict&gt;</span></b><br />
<div style="border: 0px; font-family: inherit; font-style: inherit; height: 8pt; min-height: 8pt; padding: 0px; vertical-align: baseline;">
<br /></div>
<div style="border: 0px; font-family: inherit; font-style: inherit; padding: 0px; vertical-align: baseline;">
As my IKEv2 server is set to force all traffic via the VPN connection, that still happens, but this time, with the above deleted from the mobileconfig, the connection succeeds.</div>
<div style="border: 0px; font-family: inherit; font-style: inherit; height: 8pt; min-height: 8pt; padding: 0px; vertical-align: baseline;">
<br /></div>
<div style="border: 0px; font-family: inherit; font-style: inherit; padding: 0px; vertical-align: baseline;">
Unfortunately the Apple Configurator user interface does not list this option and hence does not itself allow disabling it if, as in my case, that turns out to be needed; hence the need to manually edit the mobileconfig file. While investigating this issue I discovered that the old iPhone Configuration Utility, which I had previously been using for Cisco IPSec configurations (being old, it does not support IKEv2 configurations), does add the same OverridePrimary setting but sets it to 0, i.e. off, which is why I had not seen this problem before.<br />
<br />
Note: Even though iPhone Configuration Utility set the setting to 0, i.e. off, because my StrongSwan 5 setup has its own rule to force all traffic via the VPN connection, this did indeed still, as desired, force all traffic via the VPN connection. It should also be noted that the majority of example StrongSwan 5 configurations include the same rule, which is to put the following in /etc/ipsec.conf<br />
<br />
<b><span style="font-family: "courier new" , "courier" , monospace;">leftsubnet=0.0.0.0/0</span></b><br />
<br />
This, as should be obvious to anyone who has had to deal with configuring routers for a while, means include every single IP address as the destination.</div>
<div style="border: 0px; font-family: inherit; font-style: inherit; height: 8pt; min-height: 8pt; padding: 0px; vertical-align: baseline;">
<br /></div>
<div style="border: 0px; font-family: inherit; font-style: inherit; height: 8pt; min-height: 8pt; padding: 0px; vertical-align: baseline;">
<br /></div>
<div style="border: 0px; font-family: inherit; font-style: inherit; padding: 0px; vertical-align: baseline;">
Now that I have got IKEv2 'working' on iOS I will move on to trying this in El Capitan and see how many bugs Apple have managed to include there.</div>
</div>
</section>
<br />
<strong>Automating the distribution of Apple Mail Stationery in a corporate environment</strong> (John Lockwood, 2016-02-17)<br />
<br />
I recently had to find a solution to distribute Apple Mail Stationery files to all the Macs in a company. Stationery for use with Apple Mail is normally distributed either as an attachment to an email or as a file on a disk, and either way would normally be installed in each user's individual home directory. Not only would this result in potentially multiple copies of the same stationery file on a single Mac, but the location in a user's home directory is a rather complex one, looking for example like this -<br />
<br />
~/Library/Containers/com.apple.mail/Data/Library/Application Support/Mail/Stationery/Apple/Contents/Resources/Custom/<br />
<br />
While hypothetically it might be possible to come up with a solution to both automate the initial distribution of these files to each user and distribute updates to those users, it seemed to me that the easiest solution was going to be to automate distributing them to each computer rather than each user, especially as I wanted to do this via <a href="https://www.munki.org/" target="_blank">Munki</a>.<br />
<br />
Note: This approach should equally work using similar tools like ARD, CasperSuite, etc.<br />
<br />
The first step was therefore to locate where Apple's own included example mail stationery files were located which is…<br />
<br />
/Library/Application Support/Apple/Mail/Stationery/Apple/Contents/Resources/<br />
<br />
…with multiple sub-folders to organise the different categories of stationery Apple provide. An added complexity is that Apple also use the following file as an index defining the list of categories/sub-folders<br />
<br />
/Library/Application Support/Apple/Mail/Stationery/Apple/Contents/Resources/TableOfContents.plist<br />
<br />
I could have simply placed my files in one of the existing Apple folders but, apart from this likely being confusing to users, it may also be at risk of being wiped by Apple updates. I therefore wanted to create a sub-folder for my own files, and needed to find a way to -<br />
<br />
<ol>
<li>Create the sub-folder</li>
<li>Update Apple's TableOfContents if needed to include my sub-folder</li>
<li>Copy my files in to it</li>
</ol>
<br />
I accomplished this by creating a standard Apple Installer package file with a payload of my mail stationery files, and a pre-install script in the Installer package to create the sub-folder and to update the TableOfContents index. While I have chosen to use a single Installer package to install multiple mail stationery files to the same folder this approach could easily be adapted to have individual installer package files one for each stationery file.<br />
<br />
While the TableOfContents file is a plist file, it is not of a format that the standard 'defaults' command can sensibly modify (defaults is particularly weak at handling arrays). It might have been possible to use PlistBuddy, but I settled on using a perl script as part of a shell script to do this.<br />
<br />
<pre class="csharpcode">#!/bin/sh
# Installer pre-install script: create the company sub-folder inside Apple's
# stationery folder and copy the stationery files from /private/tmp/Mail Stationery
# into it. "$_" is the last argument of the previous command, i.e. the folder just created.
/bin/mkdir -p "/Library/Application Support/Apple/Mail/Stationery/Apple/Contents/Resources/MyCompanyName/Contents/Resources/" && /bin/cp -R "/private/tmp/Mail Stationery/" "$_";
# Add the sub-folder to Apple's TableOfContents index unless it is already listed.
# grep returns the whole matching line: one leading tab, then the string element.
searchtableofcontents=`grep '<string>MyCompanyName</string>' "/Library/Application Support/Apple/Mail/Stationery/Apple/Contents/Resources/TableOfContents.plist"`
if [ "$searchtableofcontents" != "	<string>MyCompanyName</string>" ]; then
	# Insert a new dict entry just before the closing array tag (the file is slurped whole via undef $/).
	perl -i -pe 'BEGIN{undef $/;} s/<\/array>.*<\/plist>/\t<dict>\n\t\t<key>Folder Name<\/key>\n\t\t<string>MyCompanyName<\/string>\n\t<\/dict>\n<\/array>\n<\/plist>/smg' "/Library/Application Support/Apple/Mail/Stationery/Apple/Contents/Resources/TableOfContents.plist";
fi
exit 0
</pre>
<br />
I then added this installer package to my Munki repo to be automatically distributed to all the Macs. I can and have issued updated versions simply by creating a new updated installer package with a new version number and Munki picks this up and distributes it as an update.<br />
<br />
Users can then see the mail stationery in Apple Mail as a separate folder in the standard list of stationery. Users do not have to be bothered by or confused by getting an email attachment and working out how to install it themselves. Furthermore this works even if a user uses more than one different Mac and even if the user leaves and someone else gets their Mac.<br />
<br />
I can also automate uninstalling this and tidying things up by using the following matching Uninstall script in Munki.<br />
<br />
<pre class="csharpcode">#!/bin/sh
# Munki uninstall script: remove the company sub-folder entry from Apple's
# TableOfContents index. The stationery files themselves are removed by Munki
# using the package receipts.
searchtableofcontents=`grep '<string>MyCompanyName</string>' "/Library/Application Support/Apple/Mail/Stationery/Apple/Contents/Resources/TableOfContents.plist"`
if [ "$searchtableofcontents" = "	<string>MyCompanyName</string>" ]; then
	# Delete exactly the dict entry the install script added (the tabs must match).
	perl -i -pe 'BEGIN{undef $/;} s/\n\t<dict>\n\t\t<key>Folder Name<\/key>\n\t\t<string>MyCompanyName<\/string>\n\t<\/dict>//smg' "/Library/Application Support/Apple/Mail/Stationery/Apple/Contents/Resources/TableOfContents.plist";
fi
exit 0
</pre>
<br />
Note: The above script's If statement has <i>exactly</i> the number of spaces needed in it so be careful when copying it.<br />
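<br />
An alternative to the regex edit that does not depend on the exact tabs in the file, added here as my own example (it is not the post's script): read TableOfContents.plist with Python's plistlib, add or remove the "Folder Name" entry, and write the file back atomically. The index layout (a top-level array of dicts, each carrying a "Folder Name" string) is inferred from the perl patterns above, and the sample index embedded in the script is constructed to match it.<br />

```python
#!/usr/bin/env python3
"""Add or remove a stationery sub-folder entry in Mail's TableOfContents.plist.

Added example, not the post's script. The index layout (a top-level array of
dicts, each with a "Folder Name" string) is inferred from the perl patterns in
the install and uninstall scripts; SAMPLE_TOC below is constructed to match.
"""
import os
import plistlib
import sys
import tempfile

# Path from the post.
TOC_PATH = ("/Library/Application Support/Apple/Mail/Stationery/Apple/Contents/"
            "Resources/TableOfContents.plist")
FOLDER = "MyCompanyName"

# Constructed sample of the index (the real file ships with macOS).
SAMPLE_TOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
\t<dict>
\t\t<key>Folder Name</key>
\t\t<string>Birthday</string>
\t</dict>
\t<dict>
\t\t<key>Folder Name</key>
\t\t<string>Stationery</string>
\t</dict>
</array>
</plist>
"""


def _entries(toc_bytes):
    """Parse the index and check it has the shape we expect before touching it."""
    entries = plistlib.loads(toc_bytes)
    if not isinstance(entries, list) or not all(isinstance(e, dict) for e in entries):
        raise ValueError("TableOfContents.plist: expected an array of dicts")
    return entries


def folder_names(toc_bytes):
    """Folder names listed in the index, in order."""
    return [e["Folder Name"] for e in _entries(toc_bytes) if "Folder Name" in e]


def add_folder(toc_bytes, name):
    """Index with `name` appended; returned unchanged if it is already listed."""
    entries = _entries(toc_bytes)
    if any(e.get("Folder Name") == name for e in entries):
        return toc_bytes
    entries.append({"Folder Name": name})
    return plistlib.dumps(entries)


def remove_folder(toc_bytes, name):
    """Index without `name`; returned unchanged if it was not listed."""
    entries = _entries(toc_bytes)
    kept = [e for e in entries if e.get("Folder Name") != name]
    return toc_bytes if len(kept) == len(entries) else plistlib.dumps(kept)


def update_index_file(path, name, present):
    """Add (present=True) or remove the entry on disk; True if the file changed.

    The new content goes to a temp file in the same directory and is renamed
    over the original, so Mail never sees a half-written index.
    """
    with open(path, "rb") as fh:
        before = fh.read()
    after = add_folder(before, name) if present else remove_folder(before, name)
    if after == before:
        return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".TableOfContents.")
    with os.fdopen(fd, "wb") as fh:
        fh.write(after)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)
    return True


if __name__ == "__main__":
    # No argument: add the entry (pre-install). "--remove": take it out (uninstall).
    changed = update_index_file(TOC_PATH, FOLDER, present="--remove" not in sys.argv[1:])
    print("index updated" if changed else "index already up to date")
```

Run it with no arguments from the pre-install script and with --remove from the uninstall script. plistlib rewrites the whole file, so Apple's original whitespace is not preserved, but the content is identical and the script is safe to run repeatedly.<br />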
<br />
Note: Munki uses the package receipts list to delete, i.e. uninstall, the actual mail stationery files; the uninstall script above simply removes the sub-folder entry from the Apple TableOfContents file.<br />
<br />
<strong>Munki and Microsoft Office licenses</strong> (John Lockwood, 2016-02-13)<br />
<br />
Many Mac using organisations will use a free open-source tool called <a href="https://www.munki.org/munki/" target="_blank">Munki </a>to
deploy applications and updates for those applications including of course
Microsoft Office for Mac. If you have a Microsoft volume license this is
extremely easy as all you have to do is download the ISO and add the contents to
your Munki repo. If you however still have individual aka. ‘boxed’ license
numbers for Office then matters are a bit more complicated.<br />
<br />
Firstly a bit of a rant about Microsoft and their ‘Volume’ licenses. To most
people volume implies a volume discount as anyone who has to do the weekly
supermarket shopping run will be familiar with. This also applies to most
software companies but <em>not</em> Microsoft. Instead volume when associated
with Microsoft probably refers to how loud their customers will scream when they
see how much they are being ripped off by Microsoft. You will be staggered to
learn that a Microsoft volume license for Office 2016 costs almost exactly
double the price of the same number of ‘boxed’ Office 2016 copies. Yes you read
that correctly <em>double</em>!<br />
<br />
Now this is on top of the long standing practice by not only Microsoft but
most software companies of not allowing you to convert individual boxed licenses
to be part of a volume license and therefore requiring you to pay full price for
a new volume license. This is as I said a longstanding practice and, while
arguably unfair, it is also arguably counter-productive in that it can discourage
customers moving to a volume license, which even ignoring costs would be in the
long-term interest of Microsoft as well.<br />
<br />
Historically small organisations would start off by buying boxed licenses and
then grow to a size that the simpler administration provided by a volume license
becomes important, most companies at some point would hit this problem. (These
days companies might start off with Office 365 and then move to a volume
license.)<br />
<br />
Note: The fact that the volume license for Office costs double the price of
the same number of boxed copies applies to both Mac and Windows versions. At
least one can say, unusually, that Microsoft are treating both Mac and Windows
customers equally badly.<br />
<br />
The main purpose of this post is therefore to describe how to continue to use
boxed Microsoft licenses on Macs via Munki and to still keep much of the benefit
of simplicity provided otherwise by a volume license.<br />
<br />
The steps to do this are simple to do and only require a modest amount of
initial work.<br />
<ol>
<li>Add as normal the (boxed) Office installer to your Munki repo
</li>
<li>Use Munki to deploy Office to a new Mac
</li>
<li>On the new Mac launch Office and manually activate its license as normal
</li>
<li>This will create the license file on that Mac, which now needs to be copied
to your Munki server. I create an additional sub-folder in the Munki repo called
licenses for this purpose, then in the licenses folder create another folder
called office2008, office2011 or office2016 as appropriate, then create in
that a folder named with the serial number of the Mac, e.g. CK123456789Z, and
finally put the Office license file in that folder</li>
</ol>
For Office2008 the license file is located at<br />
/Applications/Microsoft Office 2008/Office/OfficePID.plist<br />
For Office2011 the license file is located at<br />
/Library/Preferences/com.microsoft.office.licensing.plist<br />
For Office2016 the license file is located at<br />
/Library/Preferences/com.microsoft.office.licensingv2.plist<br />
<br />
So on your Munki repo you will have something like this<br />
./licenses/office2008/CK123456789Z/OfficePID.plist or<br />
./licenses/office2011/CK123456789Z/com.microsoft.office.licensing.plist
or<br />
./licenses/office2016/CK123456789Z/com.microsoft.office.licensingv2.plist<br />
<br />
This now makes it possible to have Munki automatically install the license
file the next time the same Mac needs Office reinstalling, perhaps after
replacing a faulty hard disk, fitting a bigger hard disk, or wiping and
reinstalling the entire Mac. As the license file is linked to the same Mac, all
that is required is to copy the license file back to the same location. To do
this I use the following post-install script in Munki for the Office
install.<br />
<br />
Note: This example script is for Office 2011 it should be very obvious what
changes are needed for other versions of Office based on the above
information.<br />
<br />
<pre class="csharpcode">#!/bin/sh
# Munki post-install script (Office 2011): fetch this Mac's escrowed license file
# from the repo, keyed by the hardware serial number, and put it back in place.
officeversion="office2011"
location="/Library/Preferences"
filename="com.microsoft.office.licensing.plist"
serialnumber=$(/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/grep 'Serial Number (system)' | /usr/bin/awk '{print $NF}')
# --fail makes curl write nothing on a 404, rather than saving the error page as the plist.
/usr/bin/curl --fail --silent --show-error "https://munki.domain.com/repo/licenses/$officeversion/$serialnumber/$filename" -o "$location/$filename"
exit 0
</pre>
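A post-install script with the checks the shell version above skips, added here as my own example (not the post's script): it asks for the license over HTTPS, treats a 404 as "no license escrowed yet" and leaves Office to be licensed manually, and parses the download as a plist before writing it into /Library/Preferences, so a web server error page is never saved as the license file. The repo URL, folder layout and file name follow the post; the sample license contents are constructed, since the real file belongs to Microsoft.<br />

```python
#!/usr/bin/env python3
"""Munki post-install script that restores an escrowed Office license file.

Added example in the spirit of the shell script above, not the post's script.
Repo URL, folder layout and file name follow the post; SAMPLE_LICENSE and
SAMPLE_NOT_A_DICT are constructed stand-ins used only to exercise the checks.
"""
import os
import plistlib
import subprocess
import tempfile
import urllib.error
import urllib.parse
import urllib.request

REPO_LICENSES = "https://munki.domain.com/repo/licenses"   # base URL from the post
OFFICE_VERSION = "office2011"
DEST_DIR = "/Library/Preferences"
FILENAME = "com.microsoft.office.licensing.plist"

SAMPLE_LICENSE = plistlib.dumps({"ConstructedKey": "constructed-value"})
SAMPLE_NOT_A_DICT = plistlib.dumps(["constructed", "list"])


def mac_serial_number():
    """Hardware serial via system_profiler (macOS only), as in the post's script."""
    out = subprocess.run(["/usr/sbin/system_profiler", "SPHardwareDataType"],
                         capture_output=True, text=True, check=True).stdout
    for line in out.splitlines():
        if "Serial Number (system)" in line:
            return line.split()[-1]
    raise RuntimeError("serial number not found in system_profiler output")


def license_url(base, version, serial, filename):
    """URL of this Mac's license in the repo: base/<version>/<serial>/<filename>."""
    return "/".join([base.rstrip("/"), version, urllib.parse.quote(serial, safe=""), filename])


def fetch_license(url, timeout=20):
    """Body bytes, or None when the repo has no license for this Mac yet (404)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:   # verifies the TLS certificate
            return resp.read()
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def is_valid_license(data):
    """True only for a non-empty plist dictionary.

    An HTML error page, an empty body or a plist of the wrong shape all fail,
    so junk never lands in /Library/Preferences.
    """
    try:
        obj = plistlib.loads(data)
    except Exception:
        return False
    return isinstance(obj, dict) and len(obj) > 0


def install_license(data, dest_dir, filename):
    """Write the validated license atomically; returns the final path."""
    if not is_valid_license(data):
        raise ValueError("downloaded data is not a license plist")
    fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=filename + ".")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(tmp, 0o644)
    final = os.path.join(dest_dir, filename)
    os.replace(tmp, final)
    return final


def main():
    serial = mac_serial_number()
    data = fetch_license(license_url(REPO_LICENSES, OFFICE_VERSION, serial, FILENAME))
    if data is None:
        print(f"no escrowed license for {serial}; license Office manually and copy the file to the repo")
        return 0
    print("restored", install_license(data, DEST_DIR, FILENAME))
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

The script always exits 0, matching the note below: a Mac without an escrowed license still gets a successful Office install and is licensed by hand.<br />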
Note: If you run the Munki install of Office before a license file has been
created and added to the relevant sub-folder of the licenses folder, this is not
a problem: Office will still be installed successfully and you simply have to
license it manually. Thereafter, assuming you remember to copy the license file
to the relevant folder in your Munki repo, it will be copied automatically
after the install of Office.<br />
<br />
<strong>Apple HomeKit, the 'Internet of Things' and security</strong> (John Lockwood, 2015-11-20)<br />
<br />
Apparently some manufacturers are criticising Apple for the 'excessive' security required in order to gain HomeKit certification. Some of them and some pundits may be thinking this is another fiendish scheme by Apple to achieve lock-in to yet another Apple-only eco-system.<br />
<br />
They are wrong.<br />
<br />
Apple have shown themselves to be very much concerned about security and gone to great lengths for example to provide excellent security for iOS devices including end-to-end encryption in iMessage - so much so that the FBI is pretty <a href="http://time.com/3437222/iphone-data-encryption/" target="_blank">unhappy</a>.<br />
<br />
Funnily enough, on the topic of the FBI, some of you may have seen a new TV series called CSI: Cyber, which is about a cybercrime fighting division in the FBI; the <a href="http://www.csifiles.com/content/2015/03/review-csi-cyber-kidnapping-2-0/" target="_blank">first episode</a> in the series was about a baby monitor being hacked over the Internet. This is actually based on true events: baby monitors have been and are being hacked over the Internet. See http://www.bbc.co.uk/news/technology-34138480<br />
<br />
So Apple is well ahead of the field in building extremely robust security into HomeKit, ready for when the 'Internet of Things' really takes off; it is after all far easier to do this at the beginning than to try to figure out how to fix things afterwards.<br />
<br />
<strong>Apple Lossless music files and Windows, an update</strong> (John Lockwood, 2015-06-22)<br />
<br />
As per my previous article here - <a href="http://jelockwood.blogspot.co.uk/2013/06/using-apple-lossless-aka-alac-in-windows.html">Using Apple Lossless (aka. ALAC) in Windows</a> - the situation is unchanged for Windows 7, 8 or 8.1; however, if you are currently testing Windows 10 or plan to upgrade to it when it is released, then there is significant news for you.<br />
<br />
Microsoft with Windows 10 have added official built-in support for a number of additional music and video formats and this <i>includes</i> Apple Lossless. This is provided in the form of a brand new MediaFoundation codec, both 32-bit and 64-bit versions are included. In fact there seem to be both decoding for playback and encoding versions provided although at this point I have not found any way to utilise the encoding versions. Playback is of course via Windows Media Player.<br />
<br />
Furthermore with a subsequent update to Windows 10 preview Microsoft have also fixed the deliberate crippling of Apple Lossless files which previously resulted in such files being moved to the 'other' section of the Windows Media Player library. Apple Lossless files now correctly end up in the 'music' section at least in Windows 10. The previous workaround using WMPTagPlus is still needed for Windows 7, 8, and 8.1.<br />
<br />
As a result of these two changes it is no longer necessary to install <i>any</i> additional software <i>at all</i> in Windows 10 and you can now straight away fully utilise Apple Lossless files. As before Windows Media Player still is able <i>itself </i>to read the meta-tags in these files including any embedded album artwork.<br />
<br />
One of the supposed benefits of using a MediaFoundation codec over a DirectShow equivalent is that MediaFoundation codecs are supposed to support the 'play-to' feature in Windows Media Player, so that you can stream the music to a compatible DLNA client device. With DLNA being in my opinion a poorly designed and implemented system, and with very few DLNA clients supporting Apple Lossless, I have not yet been able to confirm whether this works for Apple Lossless files. If anyone else has had success please post a comment detailing which DLNA client you successfully tested an Apple Lossless file with.<br />
<br />
<strong>Running Crypt Server on a Mac via Server.app</strong> (John Lockwood, 2014-07-22)<br />
<br />
(Revised for new Django 1.5 version of Crypt Server)<br />
Crypt is software written by Graham Gilbert of pebble.it to provide a FileVault2 escrow solution. That is to provide a secure centralised store for FileVault2 recovery passwords. With this (or similar FileVault2 Escrow solution) the user or authorised administrator can generate the recovery key to get back into a FileVault2 protected machine should the user forget their original code or leave the company. See <a href="http://grahamgilbert.com/blog/2013/01/18/crypt-a-filevault-2-escrow-solution/">http://grahamgilbert.com/blog/2013/01/18/crypt-a-filevault-2-escrow-solution/</a><br />
<br />
Crypt consists of two parts, a client part which firstly enforces the use of FileVault2 encryption on the computer and secondly stores the details for the recovery key in the matching Crypt Server. There are other similar solutions available but Crypt has the advantages of being free and not using any external hosted systems.<br />
<br />
Whilst (obviously) the client part of Crypt is native Mac software designed to run on Macs, currently the only official documentation for the Crypt Server is aimed at running Crypt Server on a Ubuntu Linux Server. It is certainly possible to run the Crypt Server on an Ubuntu Server with Mac clients by following those instructions and you can even host the Ubuntu Server in a Virtual Machine running on a Mac, e.g. in VirtualBox. However some people might prefer to run Crypt Server natively on an existing OS X Server and this article therefore describes how to achieve this.<br />
<br />
Firstly we need to look at the requirements for running Crypt Server -<br />
Apache<br />
Python<br />
VirtualEnv<br />
Django<br />
mod_wsgi<br />
Of these, Apache is included on all Macs, as is Python; Django can be easily installed, but mod_wsgi is only included if you have Server.app installed on top of Lion or Mountain Lion. This article is only aimed at how to get Crypt Server working with Server.app. As Server.app is very cheap, if you're unwilling to pay even that modest sum then you're on your own and perhaps should stick to using the free Ubuntu Server approach. So in terms of this article the full requirements will be -<br />
<br />
OS X Lion or OS X Mountain Lion<br />
Server.app<br />
Apache<br />
Python<br />
VirtualEnv<br />
Django<br />
mod_wsgi<br />
<br />
I will be differing from the normal Crypt Server install instructions so as to be able to integrate with Apple's Server.app approach. I will be including download links for the configuration files I had to create to achieve this.<br />
<br />
Step 1.<br />
Ensure you have Server.app installed and have run it at least once so it can configure itself. As is best practice, your server should have a static IP address. The only service in Server.app we will require is the webserver service; we will configure this later. You can if you wish run other services and even other websites on the server you will be using. In order to be able to run multiple websites on the standard port 80, you need to have at least one extra DNS name pointing to this server. So if its main DNS name (A record) is server.example.com, you would add an alias (CNAME) and pick a new name for it, for example cryptserver.example.com; this will allow using a website name of cryptserver.example.com for the website we will be using.<br />
<br />
<em>Note: I see no benefit to running Crypt Server on a (web) server accessible from the Internet. In fact I would suggest from a security point of view you should only run it on an internal private server. This does mean client machines will need to be setup either on the internal private network or via a VPN connection to the private internal network.</em><br />
<br />
Step 2.<br />
We will be installing various Django and other python modules. The standard Ubuntu instructions describe using apt-get and pip to install these modules. Neither of these commands is a standard part of OS X; however, we can install pip very easily by using the built-in 'easy_install' command. So the first command will be<br />
<br />
<strong>sudo easy_install pip</strong><br />
<br />
We now have the pip command installed so we can now use it to install the other modules as follows. First we will install VirtualEnv which allocates the modules to an environment private for the use of Crypt to prevent conflicts with any other python based software which might use different versions of these modules.<br />
(You can check to see if virtualenv is already installed by typing the command <strong>virtualenv --version</strong>; if it is already installed then you can skip this step.)<br />
<strong>sudo pip install virtualenv</strong><br />
We will then create the environment for Crypt.<br />
<strong>cd /usr/local</strong><br />
<strong>bash</strong><br />
(virtualenv prefers using the bash shell rather than the standard sh shell)<br />
<strong>sudo virtualenv crypt_env</strong><br />
<strong>cd crypt_env</strong><br />
<strong>source bin/activate</strong><br />
(source is a shell builtin, so it cannot be run via sudo; it is run in the bash shell started above)<br />
<strong>sudo pip install django==1.5.3</strong><br />
(The current version of Crypt Server is now written specifically for Django 1.5 and has not been tested with Django 1.6, the above command ensures that Django 1.5.3 is used.)<br />
<strong>sudo pip install south</strong><br />
<strong>sudo pip install django-bootstrap_toolkit</strong><br />
<div>
</div>
<div>
Step 3.</div>
<div>
We will now download the Crypt Server software. This is available here <a href="https://github.com/grahamgilbert/Crypt-Server">https://github.com/grahamgilbert/Crypt-Server</a> this can in theory be downloaded using a GIT client however I chose to download the ZIP archive listed on the right-hand side and save having to install GIT on my server.<br />
<br />
In order to have file paths matching (as much as possible) the original Ubuntu instructions and also to match the settings files I am providing you then need to expand the zip file and move/copy the resulting folder of files as follows. The zip file contains at the top a single folder called crypt-server-master and in that various subfolders. The folder crypt-server-master needs to be renamed crypt and moved into <strong>/usr/local/crypt_env/</strong> therefore the path to crypt will become <strong>/usr/local/crypt_env/crypt/</strong> I did this in Terminal.app. </div>
<div>
<div>
<div>
<div>
</div>
<div>
Step 4.</div>
<div>
We now need to create a wsgi file, the author provides an example one but strangely does not include it in the zip file, so here is one I prepared earlier <a href="http://pastebin.com/8WdxQJCn" target="_blank">crypt.wsgi</a> :)<br />
<br />
Note: Oops! Just discovered on 22nd July 2014 that the link above to the example crypt.wsgi was pointing to an old incorrect version, I have updated the link to point to a corrected version.<br />
<br /></div>
<div>
</div>
<div>
You need to download that file and copy it to <strong>/usr/local/crypt_env/crypt/crypt.wsgi</strong></div>
</div>
</div>
<div>
</div>
<div>
<em>Note: Apple's Server.app will not process python webapps unless they use the file extension .wsgi if you try using the file extension .py they will not work.</em></div>
<div>
</div>
<div>
Step 5.</div>
<div>
We now need to create and configure the settings file for Crypt Server, first we copy the example file.</div>
<div>
</div>
<div>
<strong>cd /usr/local/crypt_env/crypt/fvserver/</strong></div>
<div>
<strong>sudo cp example_settings.py settings.py</strong><br />
<br />
We now need to edit settings.py; pick your favourite commandline editor, e.g. nano, pico or vi.<br />
<br />
You need to set the Administrator email details and the TimeZone for your server. This step is the same as the original Ubuntu instructions. You can therefore look at section 27 here <a href="http://derflounder.wordpress.com/2012/12/31/first-look-at-crypt/">http://derflounder.wordpress.com/2012/12/31/first-look-at-crypt/</a></div>
<div>
</div>
<div>
Step 6.</div>
<div>
We now need to generate the database that Crypt Server will use to store the accounts and FileVault2 recovery keys. To do this we use the following commands.</div>
<div>
</div>
<div>
<strong>cd /usr/local/crypt_env/crypt/</strong><br />
<strong>sudo python manage.py syncdb</strong><br />
<br />
These steps are again the same as the original Ubuntu instructions so you can look at section 28 here <a href="http://derflounder.wordpress.com/2012/12/31/first-look-at-crypt/">http://derflounder.wordpress.com/2012/12/31/first-look-at-crypt/</a><br />
<br />
<em>Note: The user account being created here is only used internally in the database it is not linked in anyway to Open Directory or any other OS X user account. It is used when you login to Crypt Server via a web-browser.</em><br />
<br />
Then we do<br />
<br />
<strong>sudo python manage.py migrate</strong><br />
<strong>sudo python manage.py collectstatic</strong><br />
<br />
Again this is the same as the standard Ubuntu instructions so see sections 29 and 30 here <a href="http://derflounder.wordpress.com/2012/12/31/first-look-at-crypt/">http://derflounder.wordpress.com/2012/12/31/first-look-at-crypt/</a><br />
<br />
We have now in theory finished installing and setting up Crypt Server, the remaining steps will be integrating it into Apple's Server.app<br />
<br />
Step 7.<br />
Launch Server.app and go to the webserver service. Create a new website using the hostname you chose in step 1. Leave it using the standard port 80 and all IP addresses settings. Click on the Edit button next to Aliases and add a rule to map from a path of <strong>/static/</strong> to a folder (any folder); we will be manually editing this later because Server.app does not let you browse to <strong>/usr/local</strong>, where we need it to point to.</div>
<div>
<br />
You should now quit Server.app for now, do not start the webservice yet. Next we want to manually edit the apache conf file corresponding to the website you have just created. This will be located in <strong>/Library/Server/Web/Config/apache2/sites/</strong> it will have a name something like <strong>0000_any_80_cryptserver.example.com.conf</strong> the exact name will depend on the host name you are using. You need to edit this in Terminal.app using your favourite editor. You want to set the line beginning with DocumentRoot (the fourth line typically) to the following<br />
<br />
<strong>DocumentRoot "/usr/local/crypt_env/crypt"</strong><br />
<br />
You also want to set the line beginning with <Directory similarly as follows<br />
<br />
<strong><Directory "/usr/local/crypt_env/crypt"></strong></div>
<div>
</div>
<div>
Finally we want to edit the line beginning <strong>Alias /static/</strong>; it will be near the bottom of this file. Change it to the following</div>
<div>
</div>
<div>
<strong>Alias /static/ "/usr/local/crypt_env/crypt/static/"</strong><br />
We have to do this manually because the files for Crypt Server are not in the normal websites folder location, and because in Server.app you cannot browse and set the location to somewhere in <strong>/usr/local/</strong> as this is 'hidden' from view.<br />
<br />
<em>Note: Fortunately my experience is that once this change is made manually, Server.app respects it and does not later overwrite it.</em><br />
<br />
The standard Ubuntu instructions tell you to run the website with an additional user account setup specifically for it and that you need to add an additional command to the apache conf file you have just edited above. I could not get those instructions to work with Server.app but fortunately it is not necessary to do so. If you follow the instructions here the website will run successfully with the standard _www account. You do need however to set the ownership of the Crypt Server files to _www so that the standard account can access and modify the Crypt Server database. To do this issue the following command<br />
<br />
<strong>sudo chown -R _www /usr/local/crypt_env</strong><br />
<br />
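The same three edits as a script, added here as my own example (not something the post or Crypt provides): it rewrites the DocumentRoot line, the opening line of the Directory block and the Alias /static/ line in the site file, refuses to touch the file unless each of the three appears exactly once, and keeps a .bak copy. The sample site file is constructed; apart from those three directives it does not claim to match what Server.app actually writes.<br />

```python
#!/usr/bin/env python3
"""Apply the three Step 7 edits to a Server.app site file.

Added example, not part of the post or of Crypt. SAMPLE_CONF is constructed:
only the DocumentRoot, Directory and Alias /static/ lines are modelled on what
Step 7 describes; the rest is filler and is not claimed to match Server.app.
"""
import re
import shutil

CRYPT_ROOT = "/usr/local/crypt_env/crypt"                     # path used in the post
SITE_CONF = ("/Library/Server/Web/Config/apache2/sites/"      # file name from the post
             "0000_any_80_cryptserver.example.com.conf")

SAMPLE_CONF = """<VirtualHost *:80>
\tServerName cryptserver.example.com
\tServerAdmin webmaster@example.com
\tDocumentRoot "/Library/Server/Web/Data/Sites/Default"
\tDirectoryIndex index.html index.php
\t<Directory "/Library/Server/Web/Data/Sites/Default">
\t\tOptions All -Indexes
\t\tAllowOverride None
\t</Directory>
\tAlias /static/ "/Library/Server/Web/Data/Sites/Default/static/"
</VirtualHost>
"""

# One (line pattern, replacement template) per directive Step 7 changes.
# Group 1 keeps the line's indentation; {root} is filled in below.
EDITS = [
    (r'^([ \t]*)DocumentRoot[ \t]+"[^"\n]*"[ \t]*$',
     r'\1DocumentRoot "{root}"'),
    (r'^([ \t]*)<Directory[ \t]+"[^"\n]*">[ \t]*$',
     r'\1<Directory "{root}">'),
    (r'^([ \t]*)Alias[ \t]+/static/[ \t]+"[^"\n]*"[ \t]*$',
     r'\1Alias /static/ "{root}/static/"'),
]


def rewrite_site_conf(text, crypt_root=CRYPT_ROOT):
    """Return the site file with the three directives pointed at crypt_root.

    Each directive must occur exactly once; anything else (a second Directory
    block, a missing Alias line) raises so the file is left for a manual edit.
    """
    out = text
    for pattern, template in EDITS:
        out, count = re.subn(pattern, template.format(root=crypt_root), out,
                             flags=re.MULTILINE)
        if count != 1:
            raise ValueError(f"expected one line matching {pattern!r}, found {count}")
    return out


def is_rewritable(text):
    """True if rewrite_site_conf would accept this file as-is."""
    try:
        rewrite_site_conf(text)
    except ValueError:
        return False
    return True


def rewrite_site_conf_file(path=SITE_CONF, crypt_root=CRYPT_ROOT):
    """Rewrite the file in place after saving a .bak copy; True if it changed."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated = rewrite_site_conf(original, crypt_root)   # validate before writing anything
    shutil.copy2(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    return updated != original


if __name__ == "__main__":
    print(rewrite_site_conf(SAMPLE_CONF))
```

Point SITE_CONF at the file Server.app created for your hostname and call rewrite_site_conf_file(); if it raises, the file does not have the simple shape Step 7 assumes and should be edited by hand as described above.<br />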
Step 8.<br />
We now need to setup the extra config files to make the Crypt Server django webapp available as a webapp that will be listed in Server.app and this will allow us to have this webapp run when someone accesses this website. In this article I will merely tell you what to put where and how to then turn it on, but for more details on how you setup webapps in general with Server.app see my other article about this topic available here <a href="http://jelockwood.blogspot.co.uk/2013/06/running-django-webapps-with-os-x.html">http://jelockwood.blogspot.co.uk/2013/06/running-django-webapps-with-os-x.html</a><br />
<br />
You need to first place a file called <strong>com.crypt.webapp.wsgi.plist</strong> in <strong>/Library/Server/Web/Config/apache2/webapps/</strong> here is a copy of <a href="https://docs.google.com/file/d/0BwD4il5Z1G6fRS01OXBtTVB2VkE/edit?usp=sharing">com.crypt.webapp.wsgi.plist</a> I have made for you. You also need to place a file called<strong> httpd_crypt.conf</strong> in <strong>/Library/Server/Web/Config/apache2/</strong> here is a copy of <a href="https://docs.google.com/file/d/0BwD4il5Z1G6fdFBRa29vSG1pSWM/edit?usp=sharing">httpd_crypt.conf</a> for you to use.<br />
<br />
You can now open Server.app again. Go to the webserver service and select the website you previously added in step 7 above. Edit the website by clicking on the pencil button, scroll down and click on the 'Edit Advanced Settings...' button. You should now see a list of available webapps; the one you want to enable (tick) is the 'FileVault Escrow Server'. This corresponds to the webapp that the two files you have just installed have defined, and this will run the Crypt Server webapp when you access this website. Then click OK and then click Done. You can now start the websites service.<br />
<br />
<br />
All being well you should now be able to access the Crypt Server in a web-browser at a URL like <a href="http://cryptserver.example.com/">http://cryptserver.example.com/</a> depending on what hostname you are using.</div>
</div>
John Lockwood<br />
<br />
<u>DHCP Option Code Utility 1.1</u> (2014-03-27)<br />
<br />
I finally updated my DHCP Option Code Utility to make it compatible with Mountain Lion. This gets round a change Apple introduced (it had worked fine with Tiger, Leopard, Snow Leopard and Lion).<br />
<br />
DHCP Option Code Utility makes it easy for mere mortals to generate the encoded values needed to define DHCP Option Codes for use with Apple's DHCP server. The most common uses of DHCP Option Codes are to define extra fields of information to advertise things like a VoIP phone system or a PXE Boot Server.<br />
<br />
I also took the opportunity to add the ability to define 'null-terminated strings' as well as normal strings.<br />
<br />
More details along with a download link can be found here.<br />
<br />
<a href="http://jelockwood.blogspot.co.uk/2013/06/dhcp-server-on-os-x-server.html">http://jelockwood.blogspot.co.uk/2013/06/dhcp-server-on-os-x-server.html</a><br />
<br />
[As a belated update to this post - I did some time ago confirm that version 1.1 also works fine running in Mavericks, and that the DHCP server in Mavericks Server.app still accepts the same encoded values. Version 1.1 can therefore run on 10.4 all the way up to (currently) 10.9.2 and the values work with 10.5 Server through to Mavericks Server.app]<br />
John Lockwood<br />
<br />
<u>How to do VPN on Demand for iOS at zero cost despite Apple's best efforts to prevent this</u> (2014-03-16)<br />
<br />
Apple support a feature called 'VPN on Demand' despite the best efforts of both Apple and <a href="http://www.patentlyapple.com/patently-apple/2012/11/apple-sued-for-vpn-on-demand-functionality-in-mountain-lion.html" target="_blank">VirnetX</a> to sabotage this. There are three main requirements in order to implement this.<br />
<ol>
<li>You need to use a supported VPN client which can either be the built-in Cisco IPSec client or a supported SSL VPN client </li>
<li>You need to use certificates for authentication instead of a pre-shared-key </li>
<li>You need to use a MDM (Mobile Device Management) solution to configure and push the settings to the client device (iOS or Mac) including the VPN on Demand settings</li>
</ol>
With regards to the VPN client it would seem you can therefore use the built-in Cisco IPSec VPN client on your iOS or Mac client, however as we shall see Apple have made this as difficult as possible to achieve. While some techies may prefer an SSL solution and it is certainly the case that Apple's built-in IPSec client is falling behind with regards to newer security standards e.g. IKEv2, I prefer using the built-in client as there is no extra cost for it, nothing extra needs to be installed and in theory being from Apple themselves it will always be compatible with the current OS version.<br />
<br />
Before I go on to how to get this working <i>despite</i> Apple's best efforts, why do we want VPN on Demand? This can be for one of two reasons.<br />
<ol>
<li>To give access to an internal system that is not directly visible on the Internet and to do so in a way that is as seamless and automatic as possible in order to make things as easy as possible for users </li>
<li>or to have a mobile device always route all traffic via a VPN connection so that its traffic is always protected even when using public WiFi hot-spots. By automating and enforcing this you avoid users forgetting to manually establish a VPN connection</li>
</ol>
The latter reason is becoming more and more important these days, with not only the threat of cyber-criminals but also Governments snooping on your traffic. So the goal is to have a compatible VPN server, a compatible VPN client, and to configure things so that the VPN connection routes all traffic via it, with the connection established <i>completely automatically</i>.<br />
<br />
I could have bought a commercial VPN server from Cisco, Juniper, SonicWall, F5, Aruba or CheckPoint but this would have been very expensive. It is not possible to use Apple's own VPN server solution as it only supports PPTP or L2TP, this is despite the fact that Apple use the open-source Racoon software which does support using Cisco IPSec. I initially looked at compiling and installing the standard unmodified Racoon software in OS X but this would risk causing incompatibilities with Apple's own software so my first effort was to install and configure Racoon in an Ubuntu Linux virtual machine using Virtualbox. Total cost £0<br />
<br />
I initially and successfully did so with a pre-shared-key (henceforth referred to as PSK) and then added authentication via LDAP to OpenDirectory running on a Mac server. Total cost so far £0<br />
<br />
I then setup a self-signed rootCA and server certificate and client certificate using XCA. Total cost so far £0<br />
<br />
Note: Apple's built-in VPN client requires that server certificates have the server name also in a subject alternative name field (SAN). While it is possible to do this using the command line openssl tool or Certificate Assistant in Keychain Access, life is made much easier with XCA.<br />
<br />
I reconfigured Racoon to use certificates instead of a PSK, and likewise the test iPhone I was using, initially running iOS 7.0.4. I then hit the first Apple bug. If you modify a VPN configuration on the iOS device, changing it from using IPSec with a PSK to IPSec with a certificate, even though all the details are correctly filled in it will fail to connect. This is because even though you have switched from PSK mode to certificate mode, which hides the Cisco 'Group' field, it will still try to use the Cisco 'Group' field. As this is irrelevant for a certificate-authenticated connection the VPN server will reject the connection, being very confused. Nothing on the iPhone will give you a clue about this, so I had to dig through debug logs on the Linux server to track this down. To work around this you must delete the old VPN configuration and create a fresh one. Once I had cracked this I was able to get the iPhone to connect using a certificate plus username/password. Total cost so far £0 plus a lot of my hair being pulled out.<br />
<br />
At this stage we now have a Cisco IPSec compatible VPN server using a certificate, and the iOS device also using a certificate and the username/password being authenticated via OpenDirectory. In theory we are now ready to setup the MDM system. At this point as a diversion I also got StrongSwan working in another Ubuntu Linux virtual machine using the same certificates as another alternative Cisco IPSec compatible server. I did not get it working with LDAP to OpenDirectory at this point because the standard version 4.5.2 of StrongSwan for Ubuntu 12.04 is too old to enable this, but I did get it working with manually defined username/password details. StrongSwan 5 or later would be able to use LDAP authentication.<br />
<br />
I already had a copy of Server.app and hence Apple's ProfileManager, so I set it up and was able to successfully enrol my test iPhone and push profiles over the air to it. I was using the same self-signed rootCA, plus an additional server certificate, but the same client certificate. So far however I am unable to get ProfileManager to push this certificate to the iPhone. As far as I am concerned there is nothing wrong with the certificates, as the same client certificate works when emailed to the iPhone directly, works for the VPN connection from the iPhone, and what's more works when pushed over-the-air from the free <a href="https://meraki.cisco.com/products/systems-manager" target="_blank">Cisco Meraki Systems Manager</a> MDM solution. I therefore gave up on ProfileManager and switched to the free Cisco Meraki Systems Manager. I again enrolled the iPhone and created a profile in Systems Manager to push the client certificate to the iPhone and to also push a VPN configuration set to use that client certificate with a Cisco IPSec connection. This worked, although another major issue remained to be resolved, as we will see. Total cost so far £0 and the loss of some more hair.<br />
<br />
Note: This certificate problem with ProfileManager may be a second Apple bug.<br />
<br />
Having now successfully got a Cisco IPSec compatible VPN server working with certificates, and successfully set up an MDM solution to push the settings to the iPhone, I tested manual connections to the VPN server. This worked and I was able to enter, save and use the same OpenDirectory user credentials. However, when I turned on VPN on Demand as part of the profile being pushed to the iPhone I discovered that the iPhone would not save the password, it would not let me edit the VPN configuration, and there was also no way in the profile to define the password. As a result, every time the VPN connection was told to connect I was asked again to re-enter the password. It turns out this is how it is currently 'supposed' to work. This makes it, in not only my but many other people's opinion, an unusable solution for VPN on Demand. I personally consider this to be yet another Apple bug. (In Microsoft speak this would be described as a feature.)<br />
<br />
Note: My Ubuntu Racoon VPN server had been configured to allow clients to save passwords and this had already been proven to work with manually configured VPN settings on the same iPhone.<br />
<br />
I tried various options like an account with an empty password, not entering a username or %short name% in the VPN profile, even creating and manually editing a mobileconfig file with Xauth disabled. None of these options worked. It was beginning to look like I would have no choice but to pay for a commercial SSL VPN server.<br />
<br />
I had, when initially investigating this from the angle of 'how do you save the password', found some discussions from other equally annoyed and frustrated Apple customers regarding this, but none of these had listed a solution. By now I had gone as far as asking for a quote for an SSL VPN solution; however, I did then find mention of something called Xauth-noauth for StrongSwan.<br />
<br />
See <a href="http://serverfault.com/questions/476033/strongswan-without-password-on-ios" target="_blank">http://serverfault.com/questions/476033/strongswan-without-password-on-ios</a><br />
<br />
I found this when I switched to searching for how to connect <i>without</i> a username and password. As you can see other people have hit the same problem as I had. Fortunately someone (ecdsa) had come up with a solution which was to write a special Xauth module for use with StrongSwan which effectively ignores the Xauth details leaving just the certificate authentication active. With this the iPhone no longer asks for a password as it has not been asked by StrongSwan for one.<br />
<br />
Note: There are normally two stages to authenticating a VPN connection, the first stage is either via a PSK or by exchanging and verifying SSL certificates, the second stage is eXtended AUTHentication or Xauth and is where the username and password are normally exchanged and verified.<br />
<br />
I therefore dusted off my StrongSwan configured virtual machine. Unfortunately this Xauth-noauth module is only for StrongSwan 5.0.2 or later and as previously mentioned the standard version of StrongSwan for Ubuntu 12.04 is the much older and substantially different 4.5.2. As a pre-built StrongSwan 5 or later was not available for Ubuntu 12.04 I had to download the source code for <a href="http://www.strongswan.org/download.html" target="_blank">StrongSwan 5.1.2</a> and build it myself along with all its dependencies. I was however able to do this and install it and thankfully it did exactly what was wanted and no longer asked the iPhone for a username and password. I was therefore able to use the VPN profile from the Systems Manager MDM with VPN on Demand enabled and the iPhone was now able to <i>repeatedly</i> connect without nagging me each time for the password! Yippee! Total cost so far - drum roll please - £0<br />
<br />
<u>Building StrongSwan 5.1.2 from scratch</u><br />
<br />
First install dependencies<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">sudo apt-get install libpam0g-dev</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">sudo apt-get install libcurl4-openssl-dev</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">sudo apt-get install libcurl4-nss-dev</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">sudo apt-get install libldap2-dev</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">sudo apt-get install libgmp3-dev</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
Then download and uncompress source code<br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">wget http://download.strongswan.org/strongswan-5.1.2.tar.bz2</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">tar -xjvf strongswan-5.1.2.tar.bz2</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
Then configure what modules to enable and compile and install (the configure command is all on a single line)<br />
<div>
<br /></div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">cd strongswan-5.1.2</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">./configure --prefix=/usr --sysconfdir=/etc --enable-curl --enable-ldap --enable-pkcs11 --enable-md4 --enable-openssl --enable-ccm --enable-gcm --enable-farp --enable-eap-identity --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-md5 --enable-eap-gtc --enable-eap-mschapv2 --enable-eap-dynamic --enable-eap-radius --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-xauth-eap --enable-dhcp --enable-charon --enable-xauth-pam --enable-xauth-noauth</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">sudo make</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">sudo make install</span><br />
<br />
Here is the /etc/ipsec.conf I used for StrongSwan 5<br />
<br />
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"># basic configuration</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px; min-height: 13px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">config setup</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>uniqueids=never</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"># Add connections here.</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px; min-height: 13px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">conn %default</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>authby=rsasig</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>leftrsasigkey=%cert</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>rightrsasigkey=%cert</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>keyingtries=1</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>keylife=60m</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>ikelifetime=240m</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px; min-height: 13px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><br /></span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">conn ios</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>keyexchange=ikev1</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>left=%defaultroute</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>leftsubnet=0.0.0.0/0</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>leftfirewall=yes</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>leftcert=serverCert.pem</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>right=%any</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>rightsubnet=10.0.1.0/24</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>rightsourceip=10.0.1.0/24</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>leftauth=rsa</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>rightauth=rsa</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>rightauth2=xauth-noauth</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>ike=aes128-sha1-modp2048,3des-sha1-modp1536</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>esp=aes128-sha1-modp2048,3des-sha1-modp1536</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>rekey=no</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>reauth=no</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>dpddelay=10</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>dpdtimeout=30</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>dpdaction=clear</span></div>
<div style="font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 0px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>auto=add</span></div>
<div>
<br />
Update - 2014-09-13<br />
After successfully running this StrongSwan VPN solution for several months with iPhone and iPad devices I discovered that users were unable to connect over O2 cellular data connections, while they were still able to connect over EE data or WiFi connections. Narrowing down the circumstances was made more difficult by having to eliminate things like poor data connections, running out of data allowance, international roaming, and confirming whether they were using WiFi or not. Clearly there was something different about the O2 network upsetting things, as the EE and WiFi connections used the same settings and even the same devices. After spending some time investigating this it would seem that the O2 data network has problems with the size of the packets used. For example, if you connect using a pre-shared-key (which works) this will be a fairly small packet, as the pre-shared-key is a straightforward password; however, when you connect using certificates a copy of the certificate has to be sent, which is much bigger, and this did not work. Fortunately this has been easy to fix: StrongSwan has a setting called fragmentation that enables splitting larger packets into smaller ones, and this has solved the problem. To use this you need to add the following line to the /etc/ipsec.conf file shown above.<br />
<br />
<span class="Apple-style-span" style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span class="Apple-style-span" style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">fragmentation=yes</span><br />
<br /></div>
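As an added example (my own code, not part of this post or of strongSwan), here is a small Python script that parses the /etc/ipsec.conf above, with the fragmentation=yes line from the 2014-09-13 update included, and lints the connection the way a reviewer would once XAuth has been turned into a no-op: with rightauth2=xauth-noauth the certificate is the only credential identifying the peer, so the script flags any conn that pairs xauth-noauth with a non-certificate first stage, points out that no rightca= is set (so a certificate issued by any CA loaded from /etc/ipsec.d/cacerts would be accepted), and notes the legacy 3DES proposals and a missing fragmentation setting. The rightca= suggestion is my own hardening recommendation, not something the post configures.<br />

```python
"""Parse and lint the strongSwan ipsec.conf from this post (added example)."""
import re

# The /etc/ipsec.conf shown above, plus fragmentation=yes from the 2014-09-13
# update, embedded here so the script runs offline.
IPSEC_CONF = """\
# basic configuration
config setup
    uniqueids=never

conn %default
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    keyingtries=1
    keylife=60m
    ikelifetime=240m

conn ios
    keyexchange=ikev1
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftcert=serverCert.pem
    right=%any
    rightsubnet=10.0.1.0/24
    rightsourceip=10.0.1.0/24
    leftauth=rsa
    rightauth=rsa
    rightauth2=xauth-noauth
    ike=aes128-sha1-modp2048,3des-sha1-modp1536
    esp=aes128-sha1-modp2048,3des-sha1-modp1536
    rekey=no
    reauth=no
    dpddelay=10
    dpdtimeout=30
    dpdaction=clear
    fragmentation=yes
    auto=add
"""

SECTION_RE = re.compile(r"^(config|conn|ca)\s+(\S+)\s*$")   # headers sit at column 0


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged into every
    other conn, mirroring how strongSwan applies the defaults section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # strip comments
        if not line.strip():
            continue
        header = SECTION_RE.match(line)
        if header:
            current = (header.group(1), header.group(2))
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue                                # stray line, ignore
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip()
    defaults = sections.get(("conn", "%default"), {})
    return {name: {**defaults, **settings}
            for (kind, name), settings in sections.items()
            if kind == "conn" and name != "%default"}


def is_pubkey_auth(value):
    """leftauth/rightauth values meaning certificate (public key) authentication."""
    return value == "pubkey" or value.startswith(("rsa", "ecdsa"))


def lint_conn(name, conn):
    """Findings that matter once XAuth no longer verifies the user."""
    findings = []
    if conn.get("rightauth2") == "xauth-noauth":
        # XAuth succeeds unconditionally, so the first-stage credential is the
        # only thing identifying the peer: it has to be a certificate.
        if not is_pubkey_auth(conn.get("rightauth", "")):
            findings.append(f"{name}: xauth-noauth with rightauth="
                            f"{conn.get('rightauth')!r} gives no real peer authentication")
        if "rightca" not in conn:
            findings.append(f"{name}: no rightca= set, so a certificate from any CA in "
                            "/etc/ipsec.d/cacerts is accepted; pin the issuing CA")
    for key in ("ike", "esp"):
        if "3des" in conn.get(key, ""):
            findings.append(f"{name}: {key} proposal still offers 3DES (legacy cipher)")
    if conn.get("keyexchange") == "ikev1" and conn.get("fragmentation") != "yes":
        findings.append(f"{name}: IKEv1 with certificates sends large packets, "
                        "consider fragmentation=yes")
    return findings


if __name__ == "__main__":
    for name, conn in parse_ipsec_conf(IPSEC_CONF).items():
        print("\n".join(lint_conn(name, conn)) or f"{name}: no findings")
```

Run as-is it reports on the embedded configuration; pass the text of your own /etc/ipsec.conf to parse_ipsec_conf to lint that instead. The parser handles config, conn and ca sections and the %default merge, but not the also= directive or include files.<br />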
The last step was tweaking the rules for VPN on Demand. Both Apple's ProfileManager and Cisco Meraki Systems Manager have very limited options for VPN on Demand that can be configured in their GUI interfaces. In fact they are so limited that effectively they can only accomplish option 1 I listed at the beginning, which is to automate providing access to an internal server, and not automate connecting via VPN all the time for all traffic. Fortunately Apple do document how to manually configure this. Yes, I know it is a big shock, but Apple does still provide some useful documentation sometimes.<br />
<br />
See page 40 of <a href="https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/iPhoneConfigurationProfileRef.pdf">https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/iPhoneConfigurationProfileRef.pdf</a><br />
<br />
Update 2017-01-11: it has been brought to my attention that the above link no longer works, that is Apple have removed that page. The nearest equivalent currently working link I can find is <a href="https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW27">https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW27</a><br />
<br />
I therefore used <a href="http://support.apple.com/kb/dl1465" target="_blank">iPhone Configuration Utility</a> to build a mobileconfig profile containing the client certificate and the VPN settings. I then exported it and edited it as per Apple's documentation above to use the URLStringProbe option to check for the ability to access a URL on my VPN server and, if found to be true, to trigger a VPN connection. This might be the opposite of what you would expect, but it is the correct choice to force a connection always to happen, and by doing it this way if my server is down the URL test will fail, VPN on Demand will not be activated, and the device will still be usable although not protected by a VPN connection. You therefore need to use a URL that is accessible <i>without</i> a VPN connection. I then pushed this out to the iPhone using Systems Manager. With this installed, as soon as my iPhone gets an Internet connection it will automatically trigger a VPN connection which routes all traffic over it, all without any user interaction being needed. Grand total cost a massive £0!<br />
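As an added example of the profile edit described above (my own code, not the post's profile or Apple's tooling), the following Python script builds the OnDemandRules and a Cisco IPSec VPN payload for a .mobileconfig using Python's plistlib, and lints the rules: the first rule connects when the URLStringProbe answers, and a final catch-all rule with Action=Ignore makes the server-down behaviour explicit, which is the fall-through the post relies on to keep the device usable. The hostnames, URLs, payload identifiers and UUIDs are constructed placeholders; PayloadCertificateUUID must match the UUID of the client certificate payload you carry in the same profile, which this script does not generate.<br />

```python
"""Build and lint VPN On Demand rules for an Apple .mobileconfig (added example).

Hostnames, URLs, identifiers and UUIDs below are constructed placeholders.
"""
import plistlib
import uuid
from urllib.parse import urlparse

# Actions defined for OnDemandRules in Apple's Configuration Profile Reference.
VALID_ACTIONS = {"Connect", "Disconnect", "EvaluateConnection", "Ignore", "Allow"}
# Match criteria a rule may carry; a rule with none of them matches everything.
MATCH_KEYS = {"URLStringProbe", "InterfaceTypeMatch", "SSIDMatch",
              "DNSDomainMatch", "DNSServerAddressMatch"}


def build_on_demand_rules(probe_url):
    """The 'always on' pattern from the post as OnDemandRules.

    Rule 1: if the probe URL answers, bring the tunnel up. The URL is served by
    the VPN host on a path reachable *without* the tunnel, so the probe
    succeeds whenever the server is alive. Rule 2: otherwise do nothing, which
    keeps the device usable (though unprotected) while the server is down.
    """
    return [
        {"Action": "Connect", "URLStringProbe": probe_url},
        {"Action": "Ignore"},
    ]


def lint_on_demand_rules(rules):
    """Return a list of problems; an empty list means the rule set looks sane."""
    problems = []
    if not rules:
        return ["no OnDemandRules defined"]
    for i, rule in enumerate(rules):
        action = rule.get("Action")
        if action not in VALID_ACTIONS:
            problems.append(f"rule {i}: unknown Action {action!r}")
        probe = rule.get("URLStringProbe")
        if probe is not None:
            parsed = urlparse(probe)
            # Probe over https: a captive portal or transparent proxy that
            # answers any http request with a 200 must not look like the server.
            if parsed.scheme != "https":
                problems.append(f"rule {i}: probe URL should use https, got {parsed.scheme!r}")
            if not parsed.hostname:
                problems.append(f"rule {i}: probe URL has no host")
    # Rules are evaluated top to bottom and the first match wins; end with a
    # rule that has no match criteria so the fallback behaviour is explicit.
    if MATCH_KEYS & set(rules[-1]):
        problems.append("last rule has match criteria; add a catch-all rule such as Action=Ignore")
    return problems


def build_vpn_payload(probe_url, server, cert_payload_uuid):
    """A Cisco IPSec VPN payload using certificate authentication with On Demand."""
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.ondemand",   # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Always-on VPN (example)",
        "UserDefinedName": "Always-on VPN (example)",
        "VPNType": "IPSec",
        "OnDemandEnabled": 1,
        "OnDemandRules": build_on_demand_rules(probe_url),
        "IPSec": {
            "RemoteAddress": server,                      # placeholder host
            "AuthenticationMethod": "Certificate",
            # UUID of the client certificate (PKCS#12) payload in the same profile
            "PayloadCertificateUUID": cert_payload_uuid,
        },
    }


def build_profile(vpn_payload):
    """Wrap a payload in a top-level Configuration profile; returns XML plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.alwayson",   # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Always-on VPN profile (example)",
        "PayloadContent": [vpn_payload],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    probe = "https://vpn.example.com/probe"                 # placeholder URL
    print("lint:", lint_on_demand_rules(build_on_demand_rules(probe)) or "ok")
    payload = build_vpn_payload(probe, "vpn.example.com", str(uuid.uuid4()).upper())
    print(build_profile(payload).decode())
```

The lint insists the probe URL is https, because a captive portal or transparent proxy that answers any http request with a 200 would otherwise count as the VPN server being reachable, and it checks that the last rule carries no match criteria, since rules are evaluated top to bottom with the first match winning. The output is the VPN payload only; sign the finished profile and add the certificate payload before pushing it through the MDM.<br />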
<br />
As a final aside, all the above should apply equally to using Mac clients, testing this shall be my next project.<br />
<br />
<u>Links to Resources</u><br />
<u><br /></u><a href="https://www.virtualbox.org/wiki/Downloads" target="_blank">VirtualBox</a> or <a href="http://www.virtuallyghetto.com/2013/04/installing-esxi-51-update-1-on-mac-mini.html" target="_blank">ESXi 5.1</a><br />
<a href="http://www.ubuntu.com/download/server" target="_blank">Ubuntu 12.04 Server</a><br />
<a href="http://www.strongswan.org/download.html" target="_blank">StrongSwan 5.1.2</a><br />
<a href="https://meraki.cisco.com/products/systems-manager" target="_blank">Cisco Meraki Systems Manager</a><br />
<a href="http://sourceforge.net/projects/xca/" target="_blank">XCA</a><br />
<a href="http://support.apple.com/kb/dl1465" target="_blank">iPhone Configuration Utility 3.5 for Mac</a><br />
John Lockwood<br />
<br />
<u>Deploying Sophos Anti-Virus on a Mac network</u> (2014-03-15)<br />
<br />
Sophos have provided a Mac version of their Anti-Virus software for a long time and uniquely also used to provide a Mac tool for providing an internal corporate deployment and update service for this.<br />
<br />
This tool was called 'Sophos Update Manager' (SUM) and it did two things. Firstly it let you build a pre-configured installer package which would include the settings telling Mac clients how to get updates, and secondly it would automatically keep this installer and its folder updated, also placing new anti-virus definitions in this folder.<br />
<br />
You would therefore normally have this folder on a Mac file server and have the installer package and hence client Macs configured to get updates from this folder. You could also define Sophos' own servers as the backup - secondary source for updates.<br />
<br />
This solution was therefore comparable with Sophos' own Windows tools, in the past Sophos Library Manager and now Sophos Enterprise Console, and also comparable with equivalent Windows-only tools from McAfee and Symantec. The big difference being that no-one else makes a similar Mac tool for Mac <i>only</i> environments.<br />
<br />
More recently Sophos have failed to update SUM and officially it only runs on OS X 10.7 (Lion) or older. It did, however, continue to be able to distribute updates for Sophos Anti-Virus 8 (SAV8) for Macs even when the client Macs were running Mountain Lion. However, not only does SAV8 not officially support running on OS X 10.9 (Mavericks), SAV8 is also due to be discontinued in April 2014.<br />
<br />
It is therefore necessary to move all Macs to SAV9 by April 2014.<br />
<br />
SUM does not support SAV9 and so far Sophos have shown no interest in providing an updated version. Sophos do provide a standalone installer for SAV9 which will, if needed, automatically uninstall SAV8 and replace it with SAV9, and this installer can be pre-configured with the credentials needed to get updates directly from Sophos' servers.<br />
<br />
See <a href="http://www.sophos.com/en-us/support/knowledgebase/119744.aspx">http://www.sophos.com/en-us/support/knowledgebase/119744.aspx</a><br />
<br />
You might think, therefore, that all one needs to do is download the standalone SAV9 installer, pre-configure it as per the above article and then deploy it to all your Macs. Unfortunately the standalone SAV9 installer is <i>not</i> a standard Apple installer type package; it is an application that itself does the installation. This means it <i>cannot</i> be deployed using standard Apple administration tools like Apple Remote Desktop, Casper, or Munki. All these tools will merely see it as an application and at best just copy it to a client Mac's Applications folder, where it will sit and do nothing.<br />
<br />
As a reminder, the SAV8 installer was a standard installer package and after being configured using SUM could be deployed using standard Mac tools.<br />
<br />
What was really annoying is that, as someone who has also managed both Windows-only and mixed environments with Sophos, I happen to know that SAV9 when managed by Sophos Enterprise Console on a Windows server does still come as a standard Apple installer package.<br />
<br />
Sophos technical support were not a lot of help regarding this and frankly seem pretty clueless about how Mac software is deployed in an enterprise environment. They suggested switching to Sophos Cloud. Sophos Cloud can be thought of as a cloud-based version of Sophos Enterprise Console, in that it lets you manage settings and view the status of the client computers running Sophos Anti-Virus, and unlike Sophos Enterprise Console it can be accessed via a web browser on a Mac. However the client installer used with Sophos Cloud for Mac is still the same custom application and not a standard Apple installer package, so it still cannot be deployed using standard Mac administration tools.<br />
<br />
As an aside the free home edition of Sophos Anti-Virus for Mac is also based on the same custom application.<br />
<br />
So at this point the only official options were either to buy a Windows Server just so you could run Sophos Enterprise Console, something that would have cost a fortune even if you ran it in a virtual machine, as you would have to buy not only Windows Server but also Client Access Licenses for all your Macs, or to go round each and every Mac client and manually run the standalone installer application, with the huge administrative overhead this entails and the frequent difficulty of getting access to machines.<br />
<br />
Clearly this had moved Sophos from being by far the most Mac-friendly solution, thanks to SUM, to being actually worse than most, since at least McAfee with their ePO system use standard Apple installer packages.<br />
<br />
I raised this issue in some user forums including here <a href="https://jamfnation.jamfsoftware.com/discussion.html?id=9785">https://jamfnation.jamfsoftware.com/discussion.html?id=9785</a> and also pursued this matter directly with another contact I had at Sophos. Via that contact I was able to find out that hidden inside the Sophos standalone installer application was a command line tool called InstallationDeployer and that this tool could be scripted and run via a standard Unix shell script. With this information <strike style="font-style: italic;">which is still not on the Sophos website</strike> now listed at <a href="http://www.sophos.com/en-us/support/knowledgebase/14179.aspx">http://www.sophos.com/en-us/support/knowledgebase/14179.aspx</a>, it then immediately became obvious that it would be possible to build an Apple installer package containing the Sophos standalone installer application and a post-install script which would automate running the Sophos standalone installer.<br />
<br />
After updating the above forum with this information I started building such an installer package, but Richard Trouton beat me to it and, to be honest, his solution is cleaner than the one I was building. Richard has written this up here <a href="http://derflounder.wordpress.com/2014/02/20/deploying-sophos-anti-virus-for-mac-os-x-9-x/">http://derflounder.wordpress.com/2014/02/20/deploying-sophos-anti-virus-for-mac-os-x-9-x/</a>; however, Richard's script only works with the free home edition of Sophos Anti-Virus for Mac, which would have been the only version he had access to. I have therefore taken his script and enhanced it so that it works for both the free home edition and the paid-for official SAV9 standalone installer.<br />
<br />
Update - SAV 9.2.x now stores the auto-update credentials <i>outside</i> the Sophos installer application, in a separate folder. This meant I had to modify my script to copy both the installer application and this folder, which I did by putting both the Sophos installer and the settings folder inside another folder. This folder (containing both items) gets copied to the client Mac, and my script looks inside it and then inside the Sophos installer to find and run the Sophos command-line tool that does the actual installation. If you look at my further updated script you will see the name of the folder you must use; otherwise you need to modify my script to the name of the folder you have chosen.<br />
<br />
My updated version of the script can be accessed here <a href="http://pastebin.com/uRT2VMw9">http://pastebin.com/uRT2VMw9</a><br />
My further updated version of the script which now supports SAV 9.2.x is here <a href="http://pastebin.com/0EYi7V4c">http://pastebin.com/0EYi7V4c</a><br />
<br />
Note: The free home edition is not authorised for business use, only for home use.<br />
<br />
So if you have no Windows server and need to mass deploy Sophos Anti-Virus 9 for Mac, the best solution is as follows.<br />
<ol>
<li>Download the SAV9 standalone installer</li>
<li>Pre-configure it with your Sophos update credentials as per the Sophos article</li>
<li>Convert it to an Apple installer package as per Richard's article but with my version of his script</li>
<li>Deploy it using your favourite tool - ARD, Casper, Munki, or other</li>
</ol>
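As an added illustration of steps 3 and 4, here is the kind of postinstall script such a package would carry (example code written for this page, not the author's or Richard Trouton's script). The payload folder name, the settings folder name, the path of InstallationDeployer inside the application and its --install argument are assumptions about the installer layout rather than details from the post.

```shell
#!/bin/sh
# Added example: postinstall script for an Apple installer package that wraps
# the Sophos standalone installer.  The .pkg payload drops one folder on the
# client holding the "Sophos Installer.app" application and (SAV 9.2.x) its
# separate settings folder; this script locates the InstallationDeployer
# command-line tool inside the application and runs it.
# Folder names, the tool path and the --install argument are assumptions.

STAGE_DIR="${STAGE_DIR:-/tmp/SophosDeploy}"               # assumed payload folder
INSTALLER_APP="Sophos Installer.app"                       # assumed application name
SETTINGS_DIR="Sophos Installer Components"                 # assumed 9.2.x settings folder
DEPLOYER_REL="Contents/MacOS/tools/InstallationDeployer"   # assumed path inside the .app

# Print the path of the command-line installer if the staged folder is
# complete.  Returns 1 (with the reason on stderr) if the application or the
# settings folder is missing, so a half-copied payload does not produce a
# client that installs but can never fetch updates.
find_deployer() {
    stage="$1"
    deployer="$stage/$INSTALLER_APP/$DEPLOYER_REL"
    if [ ! -x "$deployer" ]; then
        echo "postinstall: deployer not found at $deployer" >&2
        return 1
    fi
    if [ ! -d "$stage/$SETTINGS_DIR" ]; then
        echo "postinstall: settings folder missing: $stage/$SETTINGS_DIR" >&2
        return 1
    fi
    printf '%s\n' "$deployer"
}

# Run the installer, then remove the staged copy whether or not it succeeded,
# so the pre-configured update credentials are not left behind in /tmp.
install_sophos() {
    stage="$1"
    deployer=$(find_deployer "$stage") || return 1
    if "$deployer" --install; then
        rm -rf "$stage"
        echo "postinstall: Sophos Anti-Virus installed from $stage" >&2
        return 0
    fi
    rm -rf "$stage"
    echo "postinstall: Sophos installer reported failure" >&2
    return 1
}

# Installer.app calls a postinstall script with the package path as $1.
# When the script is only sourced (for example to exercise the functions
# above) $1 is empty and nothing is installed.
case "${1:-}" in
    /*) install_sophos "$STAGE_DIR" ;;
esac
```

The script's exit status is that of install_sophos, so a failed Sophos install is reported as a failed package install by ARD, Casper or Munki.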
You don't need to keep building new versions of the installer, as once installed the client Macs will update themselves directly from the Sophos servers.John Lockwoodhttp://www.blogger.com/profile/15899717580146455869noreply@blogger.com5tag:blogger.com,1999:blog-2600354524922709185.post-54685971830213064672013-11-05T22:07:00.001+00:002013-11-05T22:09:18.232+00:00mod_xsendfile and OS X Server.app<p>mod_xsendfile is a small Apache2 module that processes X-SENDFILE headers.</p> <p>It makes it much quicker to download large files from a webserver, allowing them to be streamed directly from disk without first being read into memory.</p> <p>This module is not included in OS X as standard but is included in OS X Server.app. You might want to use this module with websites you have written yourself or with web systems you have downloaded and installed. I recently wanted to install and test the free open-source <a href="http://github.com/jnraine/munkiserver">MunkiServer</a> project, which uses this module. I encountered an issue doing so, which I am documenting here so that anyone else using OS X Server.app and mod_xsendfile can understand and solve it if they also encounter it.</p> <p>I initially found that the Apache web-server in Server.app was crashing repeatedly when I tried loading the MunkiServer web application. I eventually tracked this down to the point where MunkiServer tried loading mod_xsendfile, and determined it was when MunkiServer tried using the command</p> <p>XSendFilePath /path/to/files</p> <p>This command was added in mod_xsendfile version 0.10. It turns out that the version of mod_xsendfile included in Server.app is an older version which does not include this command, and therefore only supports the previous command, XSendFileAllowAbove, instead. That command was no help for MunkiServer. 
The solution is to download the current version, compile it in Terminal using the command </p> <p>apxs -cia mod_xsendfile.c</p> <p>which requires you to have Xcode installed, and then configure Apache to load it instead of the version included in Server.app.</p> <p>It seems the majority of MunkiServer users either don’t run it on a Mac or don’t run it using Server.app, and either way they typically download the latest version and compile it.</p> <p>You can download the latest mod_xsendfile from <a href="https://tn123.org/mod_xsendfile/">https://tn123.org/mod_xsendfile/</a></p> John Lockwoodhttp://www.blogger.com/profile/15899717580146455869noreply@blogger.com0tag:blogger.com,1999:blog-2600354524922709185.post-3970261409581053392013-07-28T15:46:00.001+00:002014-08-07T14:41:37.522+00:00FileVault 2 Escrow Servers<br />
What is FileVault?<br />
FileVault is Apple’s solution for securing a user's files by encrypting them. The original version of FileVault (FileVault 1) was introduced with Mac OS X Panther (10.3) and continued through to Mac OS X Snow Leopard (10.6). FileVault 1 worked by storing the user's home directory inside an encrypted disk image file; the rest of the contents of the hard disk were not encrypted. Later on, security was further improved with the introduction of ‘Secure Virtual Memory’, whereby the contents of virtual memory stored on the hard disk were also encrypted, but it was still the case that the rest of the hard disk was not encrypted. <br />
<a href="http://lh6.ggpht.com/-u7ZNELnzYaw/UfoeCF3HsNI/AAAAAAAAAGU/eh8GOQMORxw/s1600-h/sp_accounts_security%25255B1%25255D%25255B6%25255D.jpg"><img alt="sp_accounts_security[1]" border="0" src="http://lh6.ggpht.com/-DrjvNCL7n4I/UfoeC2QI9TI/AAAAAAAAAGc/kbsJVkErXSI/sp_accounts_security%25255B1%25255D_thumb%25255B4%25255D.jpg?imgmax=800" height="484" style="border-bottom-width: 0px; border-left-width: 0px; border-right-width: 0px; border-top-width: 0px; display: inline;" title="sp_accounts_security[1]" width="520" /></a> <br />
<br />
FileVault 1 however had two major problems. Firstly, it had a reputation for reliability problems, potentially losing all your personal files (unless you had a backup); secondly, because the entire hard disk was not encrypted, it was possible either for the user to mistakenly store files outside their encrypted home directory, or for misbehaving applications to do so. As a result FileVault 1 was never accepted as adequate for use by Governments or Enterprise customers, especially in regulated industries like finance, law, and medicine. Instead, Government and Enterprise customers would use products meeting the FIPS 140-2 security standard such as CheckPoint Full Disk Encryption, PGP Whole Disk Encryption, Sophos SafeGuard, or WinMagic SecureDoc Disk Encryption (all of which are available for both Mac and Windows computers).<br />
<br />
Apple therefore, with OS X Lion (10.7), introduced FileVault 2. This encrypts the entire hard disk like its competitors and can also encrypt external drives (for storing your backups). FileVault 2 in OS X Lion eventually gained FIPS 140-2 certification itself, and OS X Mountain Lion also gained FIPS 140-2 certification in July 2013. FileVault 2 is regarded as far more reliable than FileVault 1 and, as it now encrypts the entire hard disk, there is no danger of files accidentally leaking outside the protected area.<br />
<br />
What is Escrow?<br />
With all encryption products you need to ensure you can still access the contents by knowing the correct security key; if you lose the key you lose the ability to access the files. Therefore most, if not all, such encryption products provide a means to generate a ‘recovery’ key for use if the passcode is lost, whether because a user is forgetful or because a user has left and you then want to gain access. FileVault 2 is no exception to this and Apple have provided such a mechanism. This is where the term Escrow comes in: a third party stores (securely) the information needed to generate a recovery key. The rest of this article discusses the alternatives available to do this in conjunction with Apple’s FileVault 2 software.<br />
<br />
1. Using your Apple ID to store the recovery key<br />
Many people may forget that, when you enable FileVault 2, Apple provide a means to store your recovery key at the same time on Apple’s servers in your Apple ID account, and this service is completely free of charge. This does count as an Escrow service, with Apple acting as the third party.<br />
See <a href="http://support.apple.com/kb/ht4790" title="http://support.apple.com/kb/ht4790">http://support.apple.com/kb/ht4790</a><br />
<a href="http://lh5.ggpht.com/-Pey_sqLe0Hc/UfoeDtSQBXI/AAAAAAAAAGk/BLLwpy4VFJg/s1600-h/HT4790_StoreKey----en%25255B1%25255D%25255B4%25255D.png"><img alt="HT4790_StoreKey----en[1]" border="0" src="http://lh3.ggpht.com/-Dc8ZLz969II/UfoeEcPL7vI/AAAAAAAAAGs/sBJMO3jICD8/HT4790_StoreKey----en%25255B1%25255D_thumb%25255B2%25255D.png?imgmax=800" height="484" style="border-bottom: 0px; border-left: 0px; border-right: 0px; border-top: 0px; display: inline;" title="HT4790_StoreKey----en[1]" width="584" /></a> <br />
However some users may be unhappy with the fact that another company is storing this information. It is also not designed to make it easy for an IT administrator to manage multiple computers.<br />
<br />
2. Cauliflower Vest<br />
This is free open source software written by Google. It allows setting up a central store of recovery keys with secure access, making it much more suitable for an IT administrator to manage. It can also make the use of FileVault 2 compulsory, ensuring the laptop is secure.<br />
See <a href="http://google-opensource.blogspot.co.uk/2012/02/cauliflower-vest-end-to-end-os-x.html" title="http://google-opensource.blogspot.co.uk/2012/02/cauliflower-vest-end-to-end-os-x.html">http://google-opensource.blogspot.co.uk/2012/02/cauliflower-vest-end-to-end-os-x.html</a><br />
See <a href="http://code.google.com/p/cauliflowervest/">http://code.google.com/p/cauliflowervest/</a><br />
<a href="http://lh4.ggpht.com/-zL7YQ-KPPAs/UfoeE5jmbRI/AAAAAAAAAGw/0LpDFnam1Rk/s1600-h/1330528122_mgpic_final%25255B1%25255D%25255B3%25255D.jpg"><img alt="1330528122_mgpic_final[1]" border="0" src="http://lh4.ggpht.com/-9LnEnW0SaOs/UfoeFR7UN3I/AAAAAAAAAG8/y-mB2C3f23Q/1330528122_mgpic_final%25255B1%25255D_thumb%25255B1%25255D.jpg?imgmax=800" height="484" style="border-bottom: 0px; border-left: 0px; border-right: 0px; border-top: 0px; display: inline;" title="1330528122_mgpic_final[1]" width="583" /></a> <br />
However it uses Google’s App Engine servers to store the information, so again some users may not be happy with the thought that someone else is storing their security keys.<br />
<br />
3. Casper Suite<br />
JAMF Software produce an extensive suite of management software for managing both Macs and iOS devices. This includes the ability to manage FileVault 2, both to enforce its use (like Cauliflower Vest) and to store the recovery keys.<br />
See <a href="http://www.jamfsw.com/solutions/filevault/" title="http://www.jamfsw.com/solutions/filevault/">http://www.jamfsw.com/solutions/filevault/</a><br />
Unlike the previous two solutions, as Casper Suite runs on your own servers you don’t have to worry about the possibility of a third party having access to your security keys. This is however a commercial solution, so you do have to buy the Casper Suite software and licenses.<br />
<br />
4. Crypt Server<br />
This is another free open source solution, written this time by Graham Gilbert of pebble.it. It allows you to run your own server internally and securely store the recovery keys. It includes a matching client component so that, like Casper Suite and Cauliflower Vest, you can enforce the use of FileVault 2 encryption and automate the storing of the recovery keys.<br />
See <a href="http://grahamgilbert.com/blog/2013/01/18/crypt-a-filevault-2-escrow-solution/" title="http://grahamgilbert.com/blog/2013/01/18/crypt-a-filevault-2-escrow-solution/">http://grahamgilbert.com/blog/2013/01/18/crypt-a-filevault-2-escrow-solution/</a><br />
See <a href="https://github.com/grahamgilbert/Crypt-Server" target="_blank">https://github.com/grahamgilbert/Crypt-Server</a><br />
<a href="http://lh6.ggpht.com/-apOdvzCZEE8/UfoeF2xQikI/AAAAAAAAAHE/DEA4O15CPhQ/s1600-h/home%25255B1%25255D%25255B3%25255D.png"><img alt="home[1]" border="0" src="http://lh6.ggpht.com/-fcPC8tsyFms/UfoeGYsCmOI/AAAAAAAAAHM/citZGB0lO9I/home%25255B1%25255D_thumb%25255B1%25255D.png?imgmax=800" height="433" style="border-bottom: 0px; border-left: 0px; border-right: 0px; border-top: 0px; display: inline;" title="home[1]" width="644" /></a><br />
Above is a page from the server's web administration interface; below is what the client sees when they set up a computer.<br />
<a href="http://lh6.ggpht.com/-aD5msnkpalI/UfoeG65sCtI/AAAAAAAAAHU/BIienGD4psw/s1600-h/Crypt-Screenshot%25255B1%25255D%25255B3%25255D.png"><img alt="Crypt-Screenshot[1]" border="0" src="http://lh3.ggpht.com/-zLxvUm92b7o/UfoeHs-uCPI/AAAAAAAAAHc/mMUmIiHB06M/Crypt-Screenshot%25255B1%25255D_thumb%25255B1%25255D.png?imgmax=800" height="461" style="border-bottom: 0px; border-left: 0px; border-right: 0px; border-top: 0px; display: inline;" title="Crypt-Screenshot[1]" width="644" /></a> <br />
Crypt Server was however originally written to run on Linux Ubuntu Server. I have worked out how to run it on OS X Server using Apple’s Server.app software, and instructions on how to do this are available here -<br />
<a href="http://jelockwood.blogspot.co.uk/2013/07/running-crypt-server-on-mac-via.html" title="http://jelockwood.blogspot.co.uk/2013/07/running-crypt-server-on-mac-via.html">http://jelockwood.blogspot.co.uk/2013/07/running-crypt-server-on-mac-via.html</a>John Lockwoodhttp://www.blogger.com/profile/15899717580146455869noreply@blogger.com2tag:blogger.com,1999:blog-2600354524922709185.post-78564131950200256112013-06-24T15:13:00.001+00:002013-06-24T15:14:04.544+00:00Mountain Lion gets FIPS 140-2 approval at last<br />
Mountain Lion was released in July 2012 and its encryption code was effectively identical to that in Lion. As usual, Apple still had to apply for a new certification for Mountain Lion and did so. However the wheels obviously grind very slowly and it was only on June 14th 2013 that Mountain Lion finally received FIPS 140-2 certification.<br />
<br />
This should now make it possible to use Apple's built-in FileVault2 encryption in organisations that require a FIPS 140-2 certified product. I myself have been using PGP instead due to this issue.<br />
<br />
Anyone interested in doing this should visit the following two links<br />
<br />
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2013.htm (search for Apple)<br />
http://support.apple.com/kb/ht5396<br />
John Lockwoodhttp://www.blogger.com/profile/15899717580146455869noreply@blogger.com0tag:blogger.com,1999:blog-2600354524922709185.post-49247207612182312702013-06-23T14:16:00.001+00:002014-05-09T10:58:05.027+00:00Using Apple Lossless (aka. ALAC) in Windows<br />
Apple has without a doubt won the music wars: their iPods and now iOS devices are by far the most popular personal music players, and the iTunes Store is by far the most popular music download store. Even Microsoft has conceded defeat and discontinued their Zune player and store. Furthermore, when Windows 7 was launched Microsoft added built-in support for AAC format music files, as popularised by Apple.<br />
<br />
However many people want to use a lossless music format rather than a lossy format like MP3 or AAC, and this is still an area that requires a bit of extra work. First some background.<br />
<br />
Many years ago I decided to set up a Microsoft Media Center because back then, and still now, it was far superior to any equivalent solution on the Mac. Yes this may be a shock but it’s true :)<br />
<br />
Elgato’s EyeTV does a great job of recording and playing back TV shows, but that is all it does. FrontRow (when it existed) could play back files including your iTunes music library but could not do TV recording. At the time PlexApp did not exist, but even XBMC, which PlexApp is based on, does not do live TV or record TV. While there are some equivalents to Microsoft Media Center like Myth, MediaPortal, or SageTV, they either did not work on the Mac at all, had poor support for Mac-compatible TV tuners, or were not as attractive as Microsoft Media Center. Gasp! Another shock, a piece of attractive Microsoft software!<br />
<br />
So I wanted to use Microsoft Media Center (running on a Mac of course, via Boot Camp). However I wanted to have a single copy of my music and still be able to sync it to my iPod or iPhone, which meant the music needed to be in a format compatible with those devices. On the Apple side, the supported music formats are MP3, AAC, AIFF, WAV, and Apple Lossless. On the Windows side the supported formats were MP3, WMA, WAV, and AIFF. However Apple software does not support tags in WAV files, and Windows Media Player does not support tags in AIFF. Also, as you can see from that list, Apple Lossless was not supported at all in WMP. I therefore began by looking for additional codecs for WMP to let it play Apple Lossless files. I rapidly found several codecs that supported AAC for WMP but, after an extensive search, found there were none at all for Apple Lossless. So initially I had to settle for using AAC, which could be used on both Apple and Microsoft systems with full support for meta-tags. <br />
<br />
I did not give up. I then decided to look for any Windows solutions that supported Apple Lossless in the hope one might be adapted to my needs, and found that a plugin was available for dbPowerAmp and Foobar2000 but that it could not be used with Windows Media Player. I then found a developer library called <a href="http://www.un4seen.com/">BASS</a> which is available for Windows and Mac. On their website I also found an addon which supports <a href="http://www.un4seen.com/_/ico_download_win.gif">Apple Lossless</a> in Windows. These by themselves were not a solution, but at the same time I found that a developer called Milenko Mitrovic had used the BASS library and a BASS MP3 addon to make a DirectShow filter called <a href="http://www.dsp-worx.de/?n=15">DC-BassSource</a> out of them. This showed that it would be possible in theory to do the same with the Apple Lossless addon. I managed to get in touch with the developer of <a href="http://www.dsp-worx.de/?n=15">DC-BassSource</a> and persuaded him to make a new version which added support for Apple Lossless (and AAC). When he sent it to me for testing, I became the first person in the world to successfully play an Apple Lossless music track in Windows Media Player. As Microsoft Media Center uses WMP to manage and play music, this meant I could also successfully play the music in Media Center as well.<br />
<br />
There was only one final step that needed addressing, which was allowing WMP to read the tags in AAC and Apple Lossless files. (Both use the same MPEG-4 file format, file extension and tag format.) As there were already several codecs available for WMP to let it play AAC files, there were also already two different plugins available for WMP to let it read tags from AAC files, and since Apple Lossless uses the same file extension, file format, and tag format these worked equally well for Apple Lossless files. These two plugins are <a href="http://wmptagext.sourceforge.net/">WMP Tag Support Extender</a> and <a href="http://bmproductions.fixnum.org/wmptagplus/index.htm">WMP Tag Plus</a>. The combination of the modified DC-BassSource codec and one of these two WMP plugins meant that you could easily add Apple Lossless tracks to WMP and it would read the embedded tags to show the track name, album name, artist etc. You could even set WMP to monitor your iTunes library folder, and when you added a new track/album to iTunes WMP would automatically spot this and add it to its own library using the same single copy of each track.<br />
<br />
This was an excellent result and worked fine from Windows XP through Windows Vista (not that I used Vista myself). However Microsoft did initially throw a spanner in the works when they released Windows 7. As I mentioned above, Microsoft added built-in support for AAC with Windows 7; they even added built-in support for reading the MPEG-4 tags used in AAC files, and for reading the embedded album artwork from AAC files. In theory this should not have been a problem: it was still possible to add an additional codec to allow playing Apple Lossless in WMP with Windows 7, and as Apple Lossless files use the same file extension, file format, and tag format it should have happily read tags from Apple Lossless files as well. Unfortunately Microsoft went out of their way to specifically detect that these files were <i>not</i> AAC files, and even though (with the additional codec) WMP could play them, Microsoft chose deliberately to move them to the ‘other’ section and not treat them as music files. This was incredibly frustrating, as the pre-release version of Windows 7 had not done this. Fortunately Tim De Baets, the developer of WMP Tag Plus, was eventually able to come up with a way of tricking WMP into thinking Apple Lossless files were AAC files. We could now once again have them play in WMP, have WMP accept them as music files, and have it read the tags and artwork from them.<br />
<br />
There was one more added complexity with Windows 7, which had already been solved. The preferred type of codec in Windows 7 was no longer <a href="https://en.wikipedia.org/wiki/DirectShow">DirectShow</a> filters but a new type called <a href="http://en.wikipedia.org/wiki/Media_Foundation">Media Foundation</a>. If a suitable Media Foundation codec was present it took precedence over a DirectShow filter. Therefore the built-in Media Foundation codec for AAC took precedence over the DirectShow AAC/Apple Lossless codec, meaning that initially it would not play Apple Lossless even if you installed the appropriate DirectShow filter. Fortunately a new multi-codec pack was released for Windows 7, known as Win7Codecs from ‘Shark007’. This included the same modified DC-BassSource DirectShow filter but had a button specifically for disabling the built-in Media Foundation AAC codec, thereby allowing the DC-BassSource codec to take over.<br />
<br />
If you would also like to use Apple Lossless with Windows then download the appropriate choice from the list below.<br />
<br />
<strong>Windows XP or Windows Vista</strong><br />
DC-BassSource - <a href="http://www.dsp-worx.de/?n=15" title="http://www.dsp-worx.de/?n=15">http://www.dsp-worx.de/?n=15</a><br />
WMP Tag Plus - <a href="http://bmproductions.fixnum.org/wmptagplus/index.htm" title="http://bmproductions.fixnum.org/wmptagplus/index.htm">http://bmproductions.fixnum.org/wmptagplus/index.htm</a><br />
<br />
<strong>Windows 7 or Windows 8</strong><br />
Win7Codecs - <a href="http://shark007.net/win7codecs.html" title="http://shark007.net/win7codecs.html">http://shark007.net/win7codecs.html</a><br />
WMP Tag Plus - <a href="http://bmproductions.fixnum.org/wmptagplus/index.htm" title="http://bmproductions.fixnum.org/wmptagplus/index.htm">http://bmproductions.fixnum.org/wmptagplus/index.htm</a><br />
As a bonus, iTunes itself can now automatically convert from Apple Lossless to AAC when syncing to an iPod or iOS device. This allows you to keep your music on your computer in its full lossless original quality and to copy a slightly lower quality version, which takes up less space, to your music device; as iPods and iOS devices have far less storage space this is an important consideration. With this automatic conversion you do <u>not</u> have to keep two copies of each track.<br />
<br />
Apple Lossless is now an open-source standard with free source code available here <a href="http://alac.macosforge.org/" title="http://alac.macosforge.org/">http://alac.macosforge.org/</a>John Lockwoodhttp://www.blogger.com/profile/15899717580146455869noreply@blogger.com0tag:blogger.com,1999:blog-2600354524922709185.post-89416174170955894322013-06-22T21:45:00.001+00:002013-06-26T16:14:11.182+00:00Running Django webapps with OS X Server.app<br />
Django is a framework for writing Python webapps. Typical instructions for installing and running Django webapps are targeted at Linux environments, but as OS X is a full Unix operating system and supports the same open-source software as Linux, including Python, Apache and Django, it is possible to use (almost) the same Linux-oriented instructions to install and run a Django webapp.<br />
<br />
However, if you want to run such a Django webapp via Apple’s Server.app software then you need to undertake some extra steps. One step you will not need to do if you have Apple’s Server.app installed is to install mod_wsgi, which allows the Apache webserver to run Django (i.e. Python) webapps. While standard OS X does not include this module, Server.app does.<br />
<br />
This article will give an overview of installing a Django webapp for use with OS X Server.app; a later article will specifically show how to install the Django webapp ‘Crypt Server’. First we will look at how to install Django itself. The typical instruction for installing Django is -<br />
<b><br /></b>
<b>sudo pip install django</b><br />
<br />
However OS X as standard does not have the pip tool installed. OS X does have a similar tool called easy_install which could be used to install Django, but fortunately you can also use easy_install to install pip itself, as follows<br />
<b><br /></b>
<b>sudo easy_install pip</b><br />
<br />
You can then use the command<br />
<b><br /></b>
<b>sudo pip install django</b><br />
<br />
You can then test that it has been successfully installed, and confirm which version it is, using the following commands<br />
<br />
<b>sh-3.2# python</b><br />
<b>Python 2.7.2 (default, Oct 11 2012, 20:14:37) </b><br />
<b>[GCC 4.2.1 Compatible Apple Clang 4.0 (tags/Apple/clang-418.0.60)] on darwin</b><br />
<b>Type "help", "copyright", "credits" or "license" for more information.</b><br />
<b>>>> import django</b><br />
<b>>>> print django.get_version()</b><br />
<b>1.5.1</b><br />
<b>>>> quit()</b><br />
<b>sh-3.2# </b><br />
<br />
After installing Django you would then download and install your webapp. We then need to set up various files so the webapp can be managed via Server.app. Apple don’t really provide any documentation on how to do this (hence this article) but fortunately they do provide an example, which is located at<br />
<b><br /></b>
<b>/Library/Server/Web/Config/apache2/webapps/com.apple.webapp.wsgi.plist</b><br />
<br />
So the first step would be to make a copy of that file with a new name. The following is what that file contains.<br />
<br />
<pre class="csharpcode"><span class="kwrd">&lt;?</span><span class="html">xml</span> <span class="attr">version</span><span class="kwrd">="1.0"</span> <span class="attr">encoding</span><span class="kwrd">="UTF-8"</span>?<span class="kwrd">&gt;</span>
<span class="kwrd"><!</span><span class="html">DOCTYPE</span> <span class="attr">plist</span> <span class="attr">PUBLIC</span> <span class="kwrd">"-//Apple//DTD PLIST 1.0//EN"</span> <span class="kwrd">"http://www.apple.com/DTDs/PropertyList-1.0.dtd"</span><span class="kwrd">></span>
<span class="kwrd"><</span><span class="html">plist</span> <span class="attr">version</span><span class="kwrd">="1.0"</span><span class="kwrd">></span>
<span class="kwrd"><</span><span class="html">dict</span><span class="kwrd">></span>
<span class="kwrd"><</span><span class="html">key</span><span class="kwrd">></span>name<span class="kwrd"></</span><span class="html">key</span><span class="kwrd">></span>
<span class="kwrd"><</span><span class="html">string</span><span class="kwrd">></span>com.apple.webapp.wsgi<span class="kwrd"></</span><span class="html">string</span><span class="kwrd">></span>
<span class="kwrd"><</span><span class="html">key</span><span class="kwrd">></span>displayName<span class="kwrd"></</span><span class="html">key</span><span class="kwrd">></span>
<span class="kwrd"><</span><span class="html">string</span><span class="kwrd">></span>Python "Hello World" app at /wsgi<span class="kwrd"></</span><span class="html">string</span><span class="kwrd">></span>
<span class="kwrd"><</span><span class="html">key</span><span class="kwrd">></span>launchKeys<span class="kwrd"></</span><span class="html">key</span><span class="kwrd">></span>
<span class="kwrd"><</span><span class="html">array</span><span class="kwrd">/></span>
<span class="kwrd"><</span><span class="html">key</span><span class="kwrd">></span>proxies<span class="kwrd"></</span><span class="html">key</span><span class="kwrd">></span>
<span class="kwrd"><</span><span class="html">dict</span><span class="kwrd">/></span>
<span class="kwrd"><</span><span class="html">key</span><span class="kwrd">></span>installationIndicatorFilePath<span class="kwrd"></</span><span class="html">key</span><span class="kwrd">></span>
<span class="kwrd"><</span><span class="html">string</span><span class="kwrd">></span>/Library/Server/Web/Data/WebApps/hello.wsgi<span class="kwrd"></</span><span class="html">string</span><span class="kwrd">></span>
<span class="kwrd"><</span><span class="html">key</span><span class="kwrd">></span>includeFiles<span class="kwrd"></</span><span class="html">key</span><span class="kwrd">></span>
<span class="kwrd"><</span><span class="html">array</span><span class="kwrd">></span>
<span class="kwrd"><</span><span class="html">string</span><span class="kwrd">></span>/Library/Server/Web/Config/apache2/httpd_wsgi.conf<span class="kwrd"></</span><span class="html">string</span><span class="kwrd">></span>
<span class="kwrd"></</span><span class="html">array</span><span class="kwrd">></span>
<span class="kwrd"><</span><span class="html">key</span><span class="kwrd">></span>requiredModuleNames<span class="kwrd"></</span><span class="html">key</span><span class="kwrd">></span>
<span class="kwrd"><</span><span class="html">array</span><span class="kwrd">></span>
<span class="kwrd"><</span><span class="html">string</span><span class="kwrd">></span>wsgi_module<span class="kwrd"></</span><span class="html">string</span><span class="kwrd">></span>
<span class="kwrd"></</span><span class="html">array</span><span class="kwrd">></span>
<span class="kwrd"></</span><span class="html">dict</span><span class="kwrd">></span>
<span class="kwrd"></</span><span class="html">plist</span><span class="kwrd">></span></pre>
<br />
<div>
You then need to make the following changes. The name key needs to match the name of the copy of the above file you made (in the example, the file com.apple.webapp.wsgi.plist carries the name com.apple.webapp.wsgi). The displayName can be anything you want; it is the description that will show up in Server.app. The installationIndicatorFilePath is a file that Server.app will look for to confirm your webapp is actually installed, and therefore allow running it. The includeFiles entry is another configuration file, which we will look at next. You do not have to alter requiredModuleNames: it ensures the mod_wsgi module is loaded so Apache can run the wsgi script, i.e. the Python code that makes up your webapp.</div>
<br />
<div>
Now looking at the above mentioned includeFiles value. The file the example points to is <b>/Library/Server/Web/Config/apache2/httpd_wsgi.conf</b>; you will need to make your own copy of this (and update includeFiles to match). This is what that example contains</div>
<br />
<div>
<b>WSGIScriptAlias /wsgi /Library/Server/Web/Data/WebApps/hello.wsgi</b></div>
<br />
<div>
This works just like a standard Apache Alias directive and lets you point Apache to where your wsgi script is located, which can be anywhere on the computer and does not have to be in the standard websites folder. So you would put the full file path to your wsgi script here; this is typically somewhere in the set of folders making up your webapp. The wsgi file would be provided as part of your webapp.<br />
<br />
Tip: If your 'wsgi' file actually came as wsgi.py then you need to rename it to have a wsgi file extension, e.g. something.wsgi. This is because Apache, at least in Apple's configuration, only accepts that file extension. </div>
<br />
<div>
Presuming you have now installed Django and your webapp, and set up the above files for Server.app, the final step is to create a website in Server.app which will host your webapp. This is pretty much the same process as creating a normal website, but with the additional step that you click on the ‘Edit Advanced Settings…’ button in the new website and enable the entry for your webapp, which should hopefully now be listed.</div>
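<div>
As an added example (not code from this post or from Apple), the following Python script builds the webapp plist and the WSGIScriptAlias include for a Django app, then checks the points the steps above depend on: the name matches the plist filename, the indicator file is an absolute path to an existing .wsgi file, each includeFiles entry exists, and wsgi_module is required. The app name and paths are constructed placeholders, and the check_exists parameter is an assumed hook so the check can run without the real files.</div>

```python
"""Build and sanity-check a Server.app webapp plist for a Django app.

Added example, not Apple's or the post's own code. The keys are those of
Apple's com.apple.webapp.wsgi example above; paths are placeholders.
"""
import os
import plistlib


def build_webapp_plist(name, display_name, wsgi_script, include_conf):
    """Return the XML plist (bytes) Server.app reads for one WSGI webapp."""
    return plistlib.dumps({
        "name": name,                      # must match the plist file's own name
        "displayName": display_name,       # free text shown in Server.app
        "launchKeys": [],
        "proxies": {},
        "installationIndicatorFilePath": wsgi_script,  # app is 'installed' if this exists
        "includeFiles": [include_conf],    # Apache snippet holding WSGIScriptAlias
        "requiredModuleNames": ["wsgi_module"],  # makes Server.app load mod_wsgi
    })


def build_wsgi_conf(url_prefix, wsgi_script):
    """The one-line Apache include that maps a URL prefix to the wsgi script."""
    return "WSGIScriptAlias %s %s\n" % (url_prefix, wsgi_script)


def check_webapp_plist(plist_path, plist_bytes, check_exists=os.path.isfile):
    """Return a list of problems (empty means the plist should be usable).

    check_exists is injectable (assumed helper) so the check runs offline.
    """
    problems = []
    d = plistlib.loads(plist_bytes)
    stem = os.path.splitext(os.path.basename(plist_path))[0]
    if d.get("name") != stem:
        problems.append("name %r does not match plist filename %r" % (d.get("name"), stem))
    script = d.get("installationIndicatorFilePath", "")
    if not script.endswith(".wsgi"):  # the rename tip: Apache only accepts .wsgi
        problems.append("%r must use the .wsgi extension" % script)
    if not os.path.isabs(script) or not check_exists(script):
        problems.append("%r is not an absolute path to an existing file" % script)
    for conf in d.get("includeFiles", []):
        if not os.path.isabs(conf) or not check_exists(conf):
            problems.append("includeFiles entry %r does not exist" % conf)
    if "wsgi_module" not in d.get("requiredModuleNames", []):
        problems.append("requiredModuleNames must include wsgi_module")
    return problems
```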
<br />
Note: You can also test your webapp without Apache using the command<br />
<br />
<b>python manage.py runserver 80</b><br />
<br />
(You have to do this from the webapp directory.) This uses the lightweight webserver included with Django instead of Apache, and means it is also not managed via Server.app.<br />
<br />
John Lockwood