Removing Find My Mac from re-imaged machines

Sadly, my 250th blog post isn't fully an original post but just a link to an awesome blog post someone else wrote, but it's a good read:
Find My Mac

The only two things I'll add are these:

If you want to clear everything out (say, if you're re-imaging a machine... not sure why you'd want to keep any firmware variables around), you can run

sudo nvram -c
which will delete all firmware variables.

If a user signs out of her iCloud account before you re-image a machine, it will clear out the fmm-mobileme-token-FMM firmware variable but not the fmm-computer-name. That's likely sufficient to prevent a future lockout, but you may want to run the previous command to clear out all firmware variables just in case.

Terminal command to see the Startup Disk in macOS

If you want to see what the current Startup Disk is on your macOS installation, you can certainly go to System Preferences > Startup Disk.

But if you want to use the terminal instead of the GUI, this command will return the current Startup Disk:

bless --getBoot
If a Startup Disk is set, you'll see something like this:
If no Startup Disk is set, you'll see this error message instead:
Can't access "efi-boot-device" NVRAM variable
or this one:
Could not interpret boot device as either network or disk
Can't interpet EFI boot device
And, yes, there's a typo in the error message (as of macOS 10.12.6, anyway). That should say Can't interpret instead of Can't interpet.

Use the command-line to set a firmware password on macOS

For extra security, you can add a firmware password to Macs, especially since Find My Mac is essentially useless (unlike for iPads, which have an activation lock preventing thieves from reactivating the iPad after a factory reset) and DEP-to-MDM enrollments for Macs can even be avoided by thieves if they're resourceful enough.

If you have a laptop with a firmware password, you need that password to boot from anything except the startup disk. Combine that with FileVault encryption, and a stolen Mac is pretty much useless. Doesn't mean that you'll necessarily get it back, but the likelihood is higher if the device is useless to thieves.

You can, of course, enable the firmware password via Recovery Mode, but it's easier to do it from the command line:

sudo firmwarepasswd -setpasswd
You'll be prompted for the new firmware password. Afterwards, you'll need to reboot the machine for the change to take effect. (Be sure to make sure you have an actual startup disk selected in System Preferences!)

There are two modes for a firmware password: command and full. By default, the firmware password mode will be command, which means you'll be prompted for the password only if you boot from something other than the startup disk. If, for some strange reason, you want the mode to be full, it would mean you'd be prompted for a firmware password at every boot, regardless of what you're booting to.

A few other commands you might find useful...

sudo firmwarepasswd -check
checks to see if the firmware password is set.
sudo firmwarepasswd -verify
allows you to verify you have the correct password (without rebooting).
sudo firmwarepasswd -delete
deletes the firmware password. You'll need the current one to delete it, of course.

If you want to script firmware password setting, someone wrote a fairly simple script that does it. There's also firmware password manager, which is a far more sophisticated way to manage firmware passwords.

Fixing DNS on Ubuntu after a DNS server change

Maybe this is too niche an issue, but in case anyone else runs into this problem, we recently retired one DNS server for another one. A Ubuntu VM I was running didn't pick up on this change. I kept Googling about hosts not resolving in Ubuntu, and people kept pointing to the /etc/hosts and /etc/hostname files. Some older posts from years ago mentioned editing the /etc/resolv.conf file, but the file itself says not to manually edit it! (DO NOT EDIT THIS FILE BY HAND - YOUR CHANGES WILL BE OVERWRITTEN)

Well, turns out that's fine in this case. The wrong address was in there. I hand-edited it to the new address, and now everything's cool.

Looks as if you have to edit the /etc/network/interfaces file to change the dns-nameservers

If you can’t change the system language on macOS…

In theory, you can change the system language through System Preferences on macOS.

I did find a couple of machines that came with the system language in a different one from what I wanted, and even when I changed the primary language back to English (and rebooted when prompted), the original language persisted.

After doing a bit of Google searching, I came across this gem, which points to the command-line tool that really makes the system language change stick:

sudo languagesetup

Deploying Logic Pro X additional content

For one computer, you can use Apple's Logic Pro X: Download additional content knowledgebase article. If you have a lot of computers to deploy the additional content to, though, you'll want to capture those .pkg files.

One way to do that is to "install" on one machine and track down the .pkg files before doing the actual install. More details at Download all of the GarageBand / Logic Pro X Content Loops.

Another way is to use Hannes Juutilainen's script to download all the .pkg files.

One you have those hundreds of .pkg files, you can import them into whatever you're using to manage your Macs. For Munki I use this bulk-import script to get them all into the repo.

Your users may have to reindex the loops to get them all to appear.

From the loops drop-down menu, select Reindex All Loops.

Then, just wait for the indexing to complete.

Setting up GAM: “Click the 3 dots to the right of your service account” not showing

GAM is a neat little command-line utility for admins to manage the G-Suite for their organizations.

The setup process is fairly straightforward, even though there are a lot of steps.

I did notice one little bit of weirdness that actually has nothing to do with GAM, but it put a little wrench in my GAM setup process. I don't know if many people will encounter this issue, but I'm writing it up just in case someone else does and is Googling for solutions.

At a certain point, GAM will prompt you to Click the 3 dots to the right of your service account. I didn't see the 3 dots. I kept thinking "Are the instructions out of date?" That seemed odd, though, since there was just a new release of GAM recently. I also couldn't find anything on the GAM mailing list indicating that the option had disappeared.

I then realized my browser window was too small (I don't expand it all the way out horizontally.

Notice how, with a smaller window width, there are no three dots on the right?

Expand the window width a bit, and then the three dots reappear, though!

I would have thought Google would have some kind of responsive web design to the page, but I guess not. In any case, if you run into this same issue, that's the solution—expand your browser window!

USB-C Multi-port adapter constantly prompts to install drivers

If you've run into the issue of the multi-port adapter constantly prompting to install drivers even after you've already installed the drivers (particularly annoying, since it requires a reboot), apparently the solution is to plug the power cable in through the multi-port adapter (instead of through a separate port). Worked for me that way.

Hat tip to Zak Nilsson on the MacAdmins Slack for making me aware of this fix.

AutoPkg recipe writing: things to look out for

AutoPkg is a cool project for Mac admins (in theory, Windows admins could use it, too, and there are even a few Windows recipes). Although it's a flexible framework that can be applied in many different ways, what it's most useful for is automating the tedious process of going to a website, downloading a new version of the software, and then importing that download into whatever you're using to push updates out to your Mac clients.

For a while, I was using existing recipes (there are many, so this is a totally valid approach), but eventually there was software I didn't see recipes for, so I started writing my own recipes. At first, I just started by copying existing templates and just modifying certain parts (the download URL, or the regular expressions to search for within the search URL).

Here are some things I noticed, in case you ever want to write your own recipes and run into these issues.

Arguments need to be separate

I ran into this issue where I was trying to purge the destination before unarchiving a .zip file, but it didn't seem to be working. Even though the archive_path and destination_path seemed to work fine without being in the Arguments dictionary, the purge_destination key wasn't registering until I put them all into the Arguments dictionary, as I should have from the start... so, remember to always put all arguments in an actual Arguments dictionary. Example:


Code signature verification within disk images

When you're doing code signature verification on a disk image, you don't have to explicitly use the DmgMounter processor to mount the disk image. Instead, you can just treat the .dmg as a folder that includes the bundle to be verified. Here's an example (where %pathname% refers to the downloaded .dmg):

<string>identifier "net.gete.diskmakerx" and anchor apple generic and certificate 1[field.1.2.840.113635.] /* exists */ and certificate leaf[field.1.2.840.113635.] /* exists */ and certificate leaf[subject.OU] = "2U4ZFMT67D"</string>

Dealing with regular expressions

If you're not a regex expert, some of the regular expression searches for the URLTextSearcher processor may look like gibberish to you.

A few tips to help with that, apart from (or maybe in addition to?) reading up on all the details of the Python regex documentation:

  • Before you put the regex into your recipe, you can test out your regex using Regex101 (select the Python one).
  • Generally speaking, the most useful thing I've found is creating a capture group with
  • Just as you're about to put the regex into your recipe, make sure to substitute &lt; for < and &gt; for >

Code: Debugging the Gender Gap screening at SI

On Wednesday, May 17, we will be screening Code: Debugging the Gender Gap here at SI. Students, faculty, and staff are all welcome to come, and the event counts as a GOYB!


After the screening, we will have a discussion with guest panelists from the industry:

Lin Ling, Director of Growth at SourceClear

Lin loves building scalable growth stories at early stage B2B start ups. Today, she works with engineers and data scientists to grow paying customers at SourceClear - a software security firm. Originally a STEM nerd from NYC, she never thought she would be leading growth strategies in Silicon Valley. Other: ran growth at Spigit - innovation software firm, over caffeinated as a Deloitte Consultant doing tech systems for Google, etc. Loves yoga, D3.js, and converting websites.

Monica Garde, Software Engineer at Google Inc.

Monica has been at Google for the past 4 years as a Software Engineer on a number efforts, most recently on the Search team bringing features to emerging markets. Outside of the office, Monica runs a Girls Who Code club in Mountain View and works with to help local nonprofits improve their technical infrastructure. Prior to Google, Monica was a student at Cornell University where she studied Computer Science.

Katie Lane, Product Marketing at Bugsnag

Katie is a Texas native, and graduated from the University of Texas where she studied Electrical Engineering. Katie has spent time in various tech roles such as designing high availability data-centers, to working on the wifi chips in your cell phones, and now in product marketing, helping tech companies better communicate their products to the world. She loves teaching Girls Who Code and hopes to inspire lifelong learning for girls in tech.

Movie Trailer