Reinstall macOS using installr

Now that Mac imaging is essentially dead and the new T2 chips make it more complicated to boot from external drives, reinstalling macOS to re-deploy a Mac can be a bit trickier.

installr is a tool to do a clean reinstall of macOS via recovery mode (and install additional packages, too, if you'd like).

The actual usage of installr is fairly straightforward and explained well in its README on GitHub.

Here are a couple additional notes from my own testing on a late 2014 Mac Mini, though...

Listen to the README on http vs. https

https is definitely not something you can rely on if you're using installr over the network. If you try to serve up the installr.dmg over https, and then attach it via recovery mode, you may get this as a response:

Usage: hdiutil attach [options] <image>
       hdiutil attach -help

installr from USB not that much faster than over network

Using installr over USB (even from a portable SSD) doesn't make the re-installation process go much faster.

When I ran installr of http (over wireless), it took 4 minutes and 27 seconds from confirming erasure of the drive to the installer finishing and then needing to reboot to complete the installation.

When I ran installr off a USB portable SSD, it took 1 minutes and 48 seconds from confirming erasure of the drive to the installer finishing and then needing to reboot to complete the installation.

So, it's a difference of less than 3 minutes. When you still have another 17 to complete the installation after that, 3 minutes is not a huge gain for choosing USB installr over http installr, but that small gain is something to consider when choosing how you decide to use installr in your own environment.

One huge advantage to using http is having the installr files or disk images in one place instead of a variety of USB drives. How you choose to use installr will greatly depend on the needs and means of your organization.

Google Forms preview gives “resource unavailable” error message

We had a situation in which someone created a Google Form and the preview for it would always come up with a resource unavailable error.

This wouldn't happen for any other form. And it wouldn't happen on another computer.

Clearing the cache didn't fix it, but clearing just Google cookies did fix it.

Something definitely worth trying, since most of the results for this indicate a problem with the Google Docs service being down and nothing to do with cookies being corrupted.

Changing the boot order on a VM in vSphere

If you want to change the boot order on a virtual machine in vSphere, it's not a setting in the vSphere interface. You have to force it to bring up the BIOS menu, and then change the order in the BIOS once you've booted up the VM.

Go to Edit Settings > Options > Advanced > Boot Options > Force BIOS Setup and check The next time the virtual machine boots, force entry into the BIOS setup screen

That setting will automatically revert to being unchecked once you've booted up the machine once with it on.

Let’s Encrypt certificate “expired” even though it’s not?

One of our servers (Ubuntu 18.04 with Nginx) is using Let's Encrypt's certbot to renew its SSL certificate regularly via script. Recently, it reported in web browsers as having an expired certificate. When I ran

certbot renew

it showed as having the certificate set to expire months from now.

Just on a lark, I rebooted the server, and then it was fine, and the web browsers showed the new certificate. Usually, a reboot isn't necessary. I'm not sure why it was all of a sudden this time. But just FYI: if you're using Let's Encrypt to renew your site's certificate, and it's definitely renewed but randomly not showing that way to client machines, try a reboot.

Using GAM to delete erroneously sent emails

Sometimes someone sends an email and wants to unsend it. It doesn't happen very often, and usually there isn't much you can do about if the email has been sent to an external recipient. If your organization uses G-Suite, though, you can delete internally sent emails. Just be careful. And also know that it's still possible that the recipient may see the deleted message anyway.

First, install GAM or Advanced GAM if you haven't already.

Then you can search for the message:

gam user delete messages query 'subject:"Totallyatestmessage"'
Searching messages for
Got 1 messages for user
would try to delete 1 messages for user (max 1)
Once you're confident that's the message you want, append doit to the command to actually delete the message:

gam user delete messages query 'subject:"Totallyatestmessage"' doit
Searching messages for
Got 1 messages for user
delete 1 messages
delete 1 of 1 messages

This won't move the message to the trash. It will straight up delete it. (There are options to just trash a message, though.)

Based on some testing I did, if you have Gmail set up in an external email program, the preview of the message may still be there, even after the message is deleted.

Once you delete it, the cached message will remain in the external email program for a while. If you tap on the cached message, you see the body of the message for a split second, and then the whole message disappears.

P.S. A previous version of this didn't have single quotes around the subject. Kudos to Stace Felder for doing testing on this and finding that without the single quotes, GAM won't look for a subject with that exact string—only subjects that have all the words.

Dealing with iCloud accounts on DEP-enrolled iOS devices

I'm not sure how many other schools deal with this, but we found out something rather curious the other day, and it's been confirmed by Mosyle (our MDM) and a couple of folks on the MacAdmins Slack.

My understanding was that a DEP-enrolled MDM'ed iOS device would not allow an iCloud account (regular Apple ID, not a managed Apple ID) to be locked to it. In other words, you can sign in with an iCloud account, but anyone can just sign out of it without a password. That behavior would totally make sense (after all, it's not your device—it's the organization's, and it's a supervised device).

Apparently, that's not actually the case at all.

If you sign in with an iCloud account, you cannot remove the account without getting the password to the iCloud account or wiping the device.

One additional weird piece to this is that even though you can't sign out of the iCloud account without a password, you don't actually need the activation lock bypass code after a device wipe. It just re-enrolls in the MDM via DEP. So the iCloud account is locked to the device (until you wipe it), but the device itself isn't activation locked.

That may be fine if you're in a school-owned one-to-one iPad program: Student shows up first day of school, gets a DEP-enrolled iPad, signs into her iCloud account, uses it the whole year, and then the school's tech department wipes it at the end of the school year.

However, we have at the moment a one-to-one bring-your-own-iPad program, and so the school-owned iPads are for special temporary uses (in carts for certain academic programs, as short-term loaners in certain circumstances). So allowing students to sign in with iCloud accounts can be really inconvenient.

The only options we have are:

  • Let people sign into their iCloud accounts and then track them down later to remove their accounts. (A lot of tracking down of people.)
  • Pre-emptively sign into a generic iCloud account to prevent others from signing into their own iCloud accounts. (A lot of manual labor.)
  • Preventing all account sign-ins via MDM restriction. (This also shuts down the ability for people to sign into Mail or Google Apps, though, so it's a non-starter.).
  • Wipe the device every time there's a lock.
Right now, it's looking as if the last option is the least worst option. Not sure how many other schools are in this sort of situation, but until Apple changes the MDM spec, that's what we have to deal with.

Referencing a PHP variable by using another variable as part of the name

This is kind of a niche scenario, but when you Google making a variable from another variable php, most of the examples involve using a double dollar sign, which may not be what you want to do.

Yes, whenever possible, it makes sense to use arrays instead of weirdly-constructed variable names, but that may depend on the type of data you're working with and how it's stored in the (possibly legacy) database.

That's it. If you do that, it will assign whatevervalueyouwanttoassign as the string value to a variable called $firstpartofname_1_lastpartofname.

Word 2016 in Windows printing embedded images zoomed in and cropped

One Windows user ran into an issue in which embedded images in a Word document would appear fine in the print preview but then would print zoomed in and cropped. In other words, the area on the printed document where the image should be is the same size as the image should be but only part of the image is printed inside that area but zoomed in and pixelated.

In this situation, saving to PDF would allow the user to print it properly.

Someone else online had a similar situation and was able to fix it by adjusting the dpi of the original images.

Turns out the fix was even easier than that: the documents had been created in an older version of Word, and they were saved as .doc files. Once the user saved them as .docx, everything printed just fine.

iTunes 12.8 on 10.13.6 not seeing iOS devices

If iTunes 12.8 on macOS High Sierra isn't seeing iOS devices, you may get a prompt to install software to see the iOS device, and then the installation may seem to take a while. For example, you may see this for a long time (over 20 minutes):

And even this might stay for a few minutes:

Once that's installed, it should work. If you don't see that prompt on one machine but do see it on another, you can grab the installer from /Library/Updates/041-14491 and install that manually.