Changing the boot order on a VM in vSphere

If you want to change the boot order on a virtual machine in vSphere, it's not a setting in the vSphere interface. You have to force it to bring up the BIOS menu, and then change the order in the BIOS once you've booted up the VM.

Go to Edit Settings > Options > Advanced > Boot Options > Force BIOS Setup and check The next time the virtual machine boots, force entry into the BIOS setup screen

That setting will automatically revert to being unchecked once you've booted up the machine once with it on.

Let’s Encrypt certificate “expired” even though it’s not?

One of our servers (Ubuntu 18.04 with Nginx) is using Let's Encrypt's certbot to renew its SSL certificate regularly via script. Recently, it reported in web browsers as having an expired certificate. When I ran

certbot renew

it showed as having the certificate set to expire months from now.

Just on a lark, I rebooted the server, and then it was fine, and the web browsers showed the new certificate. Usually, a reboot isn't necessary. I'm not sure why it was all of a sudden this time. But just FYI: if you're using Let's Encrypt to renew your site's certificate, and it's definitely renewed but randomly not showing that way to client machines, try a reboot.

Using GAM to delete erroneously sent emails

Sometimes someone sends an email and wants to unsend it. It doesn't happen very often, and usually there isn't much you can do about if the email has been sent to an external recipient. If your organization uses G-Suite, though, you can delete internally sent emails. Just be careful. And also know that it's still possible that the recipient may see the deleted message anyway.

First, install GAM or Advanced GAM if you haven't already.

Then you can search for the message:

gam user recipient@school.edu delete messages query subject:"Totallyatestmessage"
Searching messages for recipient@school.edu
Got 1 messages for user recipient@school.edu
would try to delete 1 messages for user recipient@school.edu (max 1)
Once you're confident that's the message you want, append doit to the command to actually delete the message:

gam user recipient@school.edu delete messages query subject:"Totallyatestmessage" doit
Searching messages for recipient@school.edu
Got 1 messages for user recipient@school.edu
delete 1 messages
delete 1 of 1 messages

This won't move the message to the trash. It will straight up delete it. (There are options to just trash a message, though.)

Based on some testing I did, if you have Gmail set up in an external email program, the preview of the message may still be there, even after the message is deleted.

Once you delete it, the cached message will remain in the external email program for a while. If you tap on the cached message, you see the body of the message for a split second, and then the whole message disappears.

Dealing with iCloud accounts on DEP-enrolled iOS devices

I'm not sure how many other schools deal with this, but we found out something rather curious the other day, and it's been confirmed by Mosyle (our MDM) and a couple of folks on the MacAdmins Slack.

My understanding was that a DEP-enrolled MDM'ed iOS device would not allow an iCloud account (regular Apple ID, not a managed Apple ID) to be locked to it. In other words, you can sign in with an iCloud account, but anyone can just sign out of it without a password. That behavior would totally make sense (after all, it's not your device—it's the organization's, and it's a supervised device).

Apparently, that's not actually the case at all.

If you sign in with an iCloud account, you cannot remove the account without getting the password to the iCloud account or wiping the device.

One additional weird piece to this is that even though you can't sign out of the iCloud account without a password, you don't actually need the activation lock bypass code after a device wipe. It just re-enrolls in the MDM via DEP. So the iCloud account is locked to the device (until you wipe it), but the device itself isn't activation locked.

That may be fine if you're in a school-owned one-to-one iPad program: Student shows up first day of school, gets a DEP-enrolled iPad, signs into her iCloud account, uses it the whole year, and then the school's tech department wipes it at the end of the school year.

However, we have at the moment a one-to-one bring-your-own-iPad program, and so the school-owned iPads are for special temporary uses (in carts for certain academic programs, as short-term loaners in certain circumstances). So allowing students to sign in with iCloud accounts can be really inconvenient.

The only options we have are:

  • Let people sign into their iCloud accounts and then track them down later to remove their accounts. (A lot of tracking down of people.)
  • Pre-emptively sign into a generic iCloud account to prevent others from signing into their own iCloud accounts. (A lot of manual labor.)
  • Preventing all account sign-ins via MDM restriction. (This also shuts down the ability for people to sign into Mail or Google Apps, though, so it's a non-starter.).
  • Wipe the device every time there's a lock.
Right now, it's looking as if the last option is the least worst option. Not sure how many other schools are in this sort of situation, but until Apple changes the MDM spec, that's what we have to deal with.

Referencing a PHP variable by using another variable as part of the name

This is kind of a niche scenario, but when you Google making a variable from another variable php, most of the examples involve using a double dollar sign, which may not be what you want to do.

Yes, whenever possible, it makes sense to use arrays instead of weirdly-constructed variable names, but that may depend on the type of data you're working with and how it's stored in the (possibly legacy) database.

$variableaspartofname=1;
${'firstpartofname_'.$variableaspartofname.'_lastpartofname'}='whatevervalueyouwanttoassign';
That's it. If you do that, it will assign whatevervalueyouwanttoassign as the string value to a variable called $firstpartofname_1_lastpartofname.

Word 2016 in Windows printing embedded images zoomed in and cropped

One Windows user ran into an issue in which embedded images in a Word document would appear fine in the print preview but then would print zoomed in and cropped. In other words, the area on the printed document where the image should be is the same size as the image should be but only part of the image is printed inside that area but zoomed in and pixelated.

In this situation, saving to PDF would allow the user to print it properly.

Someone else online had a similar situation and was able to fix it by adjusting the dpi of the original images.

Turns out the fix was even easier than that: the documents had been created in an older version of Word, and they were saved as .doc files. Once the user saved them as .docx, everything printed just fine.

iTunes 12.8 on 10.13.6 not seeing iOS devices

If iTunes 12.8 on macOS High Sierra isn't seeing iOS devices, you may get a prompt to install software to see the iOS device, and then the installation may seem to take a while. For example, you may see this for a long time (over 20 minutes):

And even this might stay for a few minutes:

Once that's installed, it should work. If you don't see that prompt on one machine but do see it on another, you can grab the installer from /Library/Updates/041-14491 and install that manually.

iPhone cookie error when adding a Google account

If you are on iOS 12.0.1 and getting a you've reached this page because we have detected that cookies are disabled in your browser error message every time you try to add a Google account to Mail—and you're certain that cookies in Safari are indeed not blocked—update iOS (to 12.1, as of this writing), and that message will go away, and you can go ahead and add Google accounts.

Getting osTicket to schedule ticket creation from emails

If you go to Admin Panel > Emails > Settings > Incoming Emails, right now (as of release 1.10.4—the latest stable release as of this writing), you'll see something called Fetch on auto-cron, which isn't super useful, because it will fetch emails only if an agent is logged into osTicket.

There is an external scheduler option. Unfortunately (again, as of 1.10.4), that Using External Task Scheduler link is broken. I believe it's supposed to go to RECURRING TASKS SCHEDULER (CRON JOB).

There, you see on a *nix system, you're supposed to put in a cron job of

*/5 * * * * nobody /path/to/php /path/to/api/cron.php
but that didn't work for me on Ubuntu 16.04.5 (Xenial). If I ran the command
sudo /path/to/php /path/to/api/cron.php
manually, it would fetch the emails and create a ticket. And, even when a ticket wasn't automatically created, I could still see in /var/log/syslog the cron job actually having been run.

I even tried changing the user to root instead of nobody (but if you create a cron job using

sudo crontab -e
it runs as root anyway... not really sure what nobody is supposed to do there.

It didn't work until I substituted in this line instead:

5 * * * * /usr/bin/php /path/to/api/cron.php
Now, again, I don't really know what that nobody was supposed to do. According to the Ubuntu community docs, having the username in there is supposed to run it as that user, but when I had nobody or even root as the specified user, the command would run, but no ticket would be created.

I had to leave out the user altogether. Also, again according to the Ubuntu community docs, you should be able to put an */# in front of the four asterisks to run it every # minutes, but I found the command executed properly if I just put a single number in there.

Any cron job experts out there who can explain this, I'd love to learn more of the nuances of how this all works (or doesn't work)?