Munki, Monolithic Imaging, and Microsoft Office 2016 Volume License Serializer

If you have Macs that were cloned from an already-activated system (either via monolithic imaging, or one-off machines that were migrated or experienced hardware failure) you will find that your Office 2016 activation is broken. You will also find that Munki doesn’t know it needs to re-run the Office 2016 serializer since a receipt already exists for it.

I was able to work around this by adding a couple scripts to the serializer’s pkgsinfo. First I added an installcheck_script that looks for a file in /Users/Shared which contains the serial of the computer on which Office was activated. If it doesn’t match the computer’s serial, or if it doesn’t exist, then the serializer package will run. Then we use a postinstall_script to write the serial number of the current computer to this file so we know it’s been activated on this machine and doesn’t need to run again.

installcheck_script:

#!/bin/bash

machineserial=`system_profiler SPHardwareDataType | awk '/Serial/ {print $4}'`

activatedserial=`cat /Users/Shared/.office2016activatedserial`

if [[ $machineserial == $activatedserial ]]; then

exit 1

fi

postinstall_script:

#!/bin/bash

system_profiler SPHardwareDataType | awk '/Serial/ {print $4}' > /Users/Shared/.office2016activatedserial

Deploying Epson EasyMP Multi PC Projection for Mac

When adding Epson EasyMP Multi PC Projection 2.1.0 to Munki, I found that the built-in postinstall script fails.

Some digging revealed that the script was expecting a file to exist at </tmp/mpp-72B3FDFF-9513-4CED-96C3-34881FC77AB8>. It reads that file and uses the value contained for the “ClientMode” preference in </Library/Preferences/com.epson.EasyMP_Multi_PC_Projection.Settings/mppsettings.xml>

On a successful install the the GUI, that preference is just the integer “0”. So I added the following preinstall script to my Munki pkgsinfo.

#!/bin/bash
echo "0" > /tmp/mpp-72B3FDFF-9513-4CED-96C3-34881FC77AB8

The postinstall script is appeased and EasyMP Multi PC Projection 2.1.0 installs successfully. No direct modification or repackaging necessary.

Using SSH Keys for Passwordless Authentication

SSH keys can provide an additional layer of security (if you also disable password authentication on the server), or they can simplify the process of connecting to remote servers. For our purposes we’re interested in the latter – connecting to the server without entering a password.

The basic idea is that you create a public/private key pair on your computer, then upload the public key to the remote server. When you connect to the remote server, your computer can use the private key to authenticate instead of entering your password.

First we’ll create the key:

ssh-keygen -f ~/.ssh/id_rsa -N ""

If a key already exists, you’ll be asked if you want to overwrite it. If this happens you can respond by pressing “n” (no) and continue to the next step.

Next we need to upload the key to the server. Replace “user” with your username, and “host” with the address of the SSH server.

ssh-copy-id -i ~/.ssh/id_rsa user@host

If it worked, you should now be able to SSH to the remote host without entering your password.

DesktopPictureProfileCreator

DesktopPictureProfileCreator is a simple bash script that generates mobileconfig profiles for managing the desktop picture on macOS computers.

Run the script followed by the path to the image you want to set as the desktop picture. For example “sh DesktopPictureProfileCreator.sh /Library/Desktop\ Pictures/Aqua\ Blue.jpg”. Whatever path you specify must exist in the same location on the computer(s) you intend to deploy it to.

The profile will be created on the desktop of whichever user runs the script. In the example above, the profile would appear at ~/Desktop/Desktop-Aqua-Blue-jpg.mobileconfig

For more info and to download, check out my mobileconfigs repository on GitHub.

File ownership considerations with Nginx and php-fpm

I recently switched my CentOS 7 web server over to Nginx and php-fpm.

From my experience with Apache I assumed that PHP scripts would be executed by the same user the web server is running as — ‘nginx’ in this case. But this could no longer be taken for granted since php-fpm is a separate process from the web server.

In my configuration php-fpm was actually running as the ‘apache’ user. This meant any files that need to be writable by PHP scripts should still be owned by that user or group rather than ‘nginx’.

A common scenario where this matters is if your users need to be able to install WordPress updates, Plugins, or Themes via the browser without entering additional credentials. In order for this to work, the web server (or in this case, php-fpm) must be able to write to the files in question.

If you are wrestling with file permissions, or are unsure of the correct permissions to set in this scenario, be sure to confirm which user and group are specified in /etc/php-fpm.d/www.conf

# grep "^user\|^group" /etc/php-fpm.d/www.conf 
user = apache
group = apache

Or you can check the actual running process with pstree:

$ pstree -ua | grep "nginx\|php"
  |-nginx
  |   |-nginx,nginx
  |   |-nginx,nginx
  |   |-nginx,nginx
  |   |-nginx,nginx
  |   |-nginx,nginx
  |   |-nginx,nginx
  |   |-nginx,nginx
  |   `-nginx,nginx
  |-php-fpm
  |   |-php-fpm,apache              
  |   |-php-fpm,apache              
  |   |-php-fpm,apache              
  |   |-php-fpm,apache              
  |   |-php-fpm,apache              
  |   |-php-fpm,apache              
  |   `-php-fpm,apache

Scheduling Reboot of Motorola Cable Modem

UPDATE: This no longer works for me because a recent firmware update removed the Restart command from the web interface.

Periodically my Motorola SURFboard SB6141 cable modem stops talking to the outside world. I don’t know why, but restarting the modem fixes it every time. Rather than having to regularly power-cycle it by hand – or, heaven forbid, buy new hardware – I decided to schedule an automatic reboot.

The modem itself doesn’t have a facility for automatic reboots, but it has a web page with a button to restart it! <http://192.168.100.1/cmConfig.htm> So all we have to do is automate the clicking of that button.

If you have this model, or a similar one, this command should work. Just paste it into your terminal/console program and hit Enter, and see if you temporarily lose connectivity to the Internet. If you do, then it worked:

/usr/bin/curl http://192.168.100.1/reset.htm -G -d reset_modem=Restart%20Cable%20Modem > /dev/null

Once you verify it works for your modem, add it as a cron job. Mine looks like this, running daily at 4:30am:

30 4 * * * /usr/bin/curl http://192.168.100.1/reset.htm -G -d reset_modem=Restart%20Cable%20Modem > /dev/null

Tips:

  • The only real dependency is that you have curl installed. On Mac OS X, CentOS, and Debian it lives at /usr/bin/curl but if you’re using a different distro/OS you’ll want to make sure the path is correct.
  • Verify the IP of your cable modem is correct. For most/all Motorola models it’s 192.168.100.1 but try Googling yours if that doesn’t bring up a status page in a browser.
  • If the IP is correct, make sure the values passed by the restart button are the same as my example. (Go to the page that has the button, make sure that URL matches my example, then view source to make sure the name and value of the button match.)

Yosemite Captive Portal Fix

A number of Yosemite Macs are having problems with our organization’s Wi-Fi captive portal.

If you don’t first sign in via the window presented by Captive Network Assistant, the system appears to have zero network connectivity. You can’t ping anything, you can’t perform DNS lookups, etc. It’s as if the OS is actively blocking all attempted connectivity until it knows you have succeeded in authenticating.

Consequently, Browsers throw errors instead of presenting our captive portal page. This is a big problem, since in many cases the Captive Network Assistant app was previously disabled or deleted!

I found I could whitelist our network so that it lets applications try connecting even if the Captive Network Assistant has not yet been placated.

Just copy the command below, replacing NAMEOFNETWORK with the SSID of your captive portal network. A reboot may be necessary, but it may also be enough to simply switch Wi-Fi off and on again.

sudo /usr/libexec/PlistBuddy -c "Add ScrapingParameters:DisabledRealms:0 string @NAMEOFNETWORK" /Library/Preferences/SystemConfiguration/CaptiveNetworkSupport/Settings.plist

AirPrintProfileCreator

AirPrintProfileCreator is a simple bash script which aids you in creating mobileconfig profiles that enable iOS devices to print to a CUPS server.

Download and run the script on your server (“sudo sh AirPrintProfileCreator.sh”) and follow the prompts on screen. When the profile has been created, you can install it on your iOS device via Configurator, MDM, or just post it online or email it to yourself.

The script should work on any recent Mac or other *nix systems with CUPS installed, but I have only tested on OS X v 10.9. Your CUPS server must have a static/reserved IP.

For more info and to download, check out my mobileconfigs repository page on GitHub.

Using Configuration Profiles to Enable iOS Printing to CUPS Servers

Thanks to Configuration Profiles, it is now possible to print to any printer that’s shared using CUPS, including both Mac OS X and Linux servers, without help from third-party software.

Aside from the obvious benefit of being free, the great thing about this approach is that the print server does not have to broadcast its presence on the same network as the iOS device. It works across routable subnets or even VPN connections.

Before you begin, please make sure you have all of the following:

  • iPhone, iPad, or iPod touch running iOS 7 or higher.
  • Mac or Linux system running CUPS, with a static/reserved address.
  • Mac running Apple Configurator to create the profile.

Enable Printer Sharing

  • OS X:
    1. Open System Preferences.
    2. Click on Sharing.
    3. Enable Printer Sharing
    4. Verify that the desired printers are enabled for everyone.
  • Linux or other *NIX:
    1. Visit the CUPS web interface <http://localhost:631>
    2. Click on the Administration tab.
    3. Enable the option to Share printers connected to this system.
      Tip: You may also need to click on the Printers tab and modify individual printers to enable sharing for them individually.

Create Profile

  1. Open Apple Configurator on your Mac.
  2. Select the Supervise tab.
  3. Click the + (plus) button.
  4. Click Create New Profile…
  5. In the Name field, give your profile a title.
  6. Click on AirPrint.
  7. Click the Configure button.
  8. Click the + (plus) button.
  9. Select the Undiscoverable radio button.
  10. Enter the IP Address of your CUPS server.
  11. Enter the Resource path, which is the path to the print queue. It will be similar to /printers/queue-name
    Tip: Run lpstat -p in the Terminal on your CUPS server to get a list of available queue names. A printer titled My_Laser_Printer would have a path of /printers/My_Laser_Printer
  12. Click the Save button.
  13. Repeat steps 9 through 13 for any additional printers you wish to configure.
  14. Click Save to save your new profile.

Install Profile

There are many ways you can send the profile to your iOS device(s). Here are a few ideas:

  • Use the Prepare feature in Configurator.
  • Export the profile, email it to yourself, and open the attachment on your device.
  • Post it on a web server and visit the URL in Safari.
  • Push it to the device via an MDM service.

Conclusion

Once your profile has been installed, try printing from any app. Your printer should appear automatically. If it doesn’t, here are a few things you can try:

  • Double-check the queue name and the IP address of the CUPS server.
  • Verify that the cups server is reachable from the network your iOS device is on.
    Tip: Visit http://server.ip.here:631 in a browser. You may receive a message that the CUPS web interface is not enabled, but that’s OK as long as the page comes up.
  • Make sure print sharing is enabled in general, as well as for the specific printer(s) you added to your profile.