Running sudo commands in Automator

If you're wondering how to run sudo (for privilege escalation) commands in Automator, this is one way to do it.

Launch up Automator (of course).

Find Run AppleScript in the library of actions.

Then, drag it over to the workflow area on the right. By default, Automator will put in some script structure for you to work with. Feel free to just delete that all completely.

In place of the predefined script, put in

do shell script "sudo whatevercommandyouwanttorun" with administrator privileges

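if it's one command you want to run. The with administrator privileges clause is what makes the command run as root; the sudo inside the quotes is redundant.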

If you would rather run a script, it's a similar syntax of

do shell script "sudo /path/to/youractualscript.sh" with administrator privileges

You can save your workflow as an application.

When you double-click your .app file, it should then prompt you for an administrator username and password and then run your bash command or shell script in a sudo-like way.
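
A script started this way runs as root, so whoever can edit the script file or its folder decides what root executes. The check below is an added example (not part of the original post) that flags a script or parent folder that is not owned by the expected user or is writable by group or others; the function names and the optional owner-UID argument are assumptions made for illustration.

```bash
#!/bin/bash
# Added example, not from the original post.
# Usage: check_privileged_script /path/to/script.sh [OWNER_UID]
# OWNER_UID defaults to 0 (root); it is a parameter so the check can be
# exercised without root. Returns 0 if nothing was flagged, 1 otherwise.

# Print "mode uid" for a path. ls -ldn gives the same columns on macOS and Linux.
mode_and_uid() { ls -ldn "$1" | awk '{print $1, $3}'; }

# True if the mode string (e.g. -rwxrwxr-x) grants group or other write.
loosely_writable() {
    case "$1" in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

check_privileged_script() {
    local path="$1" want_uid="${2:-0}" target info mode uid rc=0
    # Check the script and the folder holding it: a writable folder lets
    # someone swap the file even if the file itself is locked down.
    for target in "$path" "$(dirname "$path")"; do
        [ -e "$target" ] || { echo "FAIL $target: does not exist"; return 1; }
        info=$(mode_and_uid "$target")
        mode=${info% *}
        uid=${info#* }
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL $target: owned by uid $uid, expected $want_uid"; rc=1
        fi
        if loosely_writable "$mode"; then
            echo "FAIL $target: writable by group or others ($mode)"; rc=1
        fi
    done
    return $rc
}

# Run the check when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_privileged_script "$@"
fi
```
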

Fix ownership of copied folders for Active Directory Macs

Warning

This script does some serious system modifications. If you don't know what you're doing, ask questions in the comments. Don't just run this script if you don't understand what it does or how it's doing it.

This also assumes short usernames match up with user folder names, which they usually do.

What issue this addresses

I'm not sure how often other people will encounter this situation, but if you have an old Mac joined to Active Directory, and you want to transfer the user folders (assuming they are local user folders) to a new Mac also joined to Active Directory, the copied folders may not have the right folder ownership. For example, if you use an admin account to copy the folders over, the copied folders may belong to root.

So when users log in, they may have folders they can't get access to, or you may get the "OS X needs to repair your Library to run applications. Type an administrator's name and password to allow this." error message when you log into the new Mac as a domain user who'd already logged in on the old Mac.

How you should modify this script before running it

The script is written in such a way that it will not try to change ownership of certain system accounts (e.g., root, Shared, Guest). You can add in others as you see fit.

It also assumes, since you're on a domain, that the proper group for domain users is YOURDOMAIN\Domain Users. Modify to your actual domain, accordingly.

Creating the script

As an admin user, launch up Terminal.app (you can use a text editor, but if you don't have a favorite text editor like TextWrangler or Sublime Text, the built-in text editor in Mac OS X may default to rich text format instead of plain text). You can find Terminal.app in /Applications/Utilities or through a Spotlight search.

Paste in the following command:

nano ~/Desktop/fix\ folder\ ownership.sh

This will open a file in a terminal-based text editor, into which you can paste the script.

In nano (or your favorite text editor, if you opted for a graphical text editor instead of a terminal-based one), paste in the following script:

#!/bin/bash

# Announce what this does
echo 'This script will make sure users own their own user folders. This will not modify the Shared, root, .localized, or Guest folders.'

# Change directory to the Users directory (stop if that fails, so nothing outside /Users is touched).
cd /Users || exit 1

# Loop through the existing users
for p in *; do

    # Skip anything that is not a real directory (plain files, symlinks)
    if [ ! -d "$p" ] || [ -L "$p" ]; then
        continue
    fi

    # Don't do this for Shared, root, .localized, or Guest (add any local admin accounts here)...
    if [ "$p" != "Shared" ] && [ "$p" != "root" ] && [ "$p" != ".localized" ] && [ "$p" != "Guest" ]; then

        # Announce changing folder ownership
        echo "Changing folder ownership for $p"

        # Change ownership to the current user with the group being the domain users group
        #sudo chown -R "$p":"YOURDOMAIN\Domain Users" /Users/"$p"/

    # End checking it's not a user not to be modified
    fi

# End looping through existing users.
done

Modify the script before you save

Before you save the file, make the modifications you need. You'll see that there's a line excluding modifications for Shared, for root, for .localized, and for Guest. If there are any other user accounts you don't want to modify ownership on, add those into that line as well, using the same format (copy everything from the ampersands through the closing bracket, and then paste it before the semi-colon and then modify the username).

Also, change YOURDOMAIN to your school or company's actual domain name.

Save the file and get it ready to run

Save the file (if you're using nano, press Control-X to save).

Then, to make the file executable, paste in the following command:

chmod +x ~/Desktop/fix\ folder\ ownership.sh

Testing the script

Before using the script to actually modify anything, run it once with the change ownership line commented out (that's the default in the script above).

cd ~/Desktop
./fix\ folder\ ownership.sh

Verify that the users that are listed are the actual ones you want to modify. Look very carefully at the list!!!

Running the script for real

If you feel confident about the list, modify the script so it will actually make the ownership changes. (By the way, you may need network connectivity to connect to Active Directory, or you may get warnings about illegal user names or illegal groups.)

Edit it again:

nano ~/Desktop/fix\ folder\ ownership.sh

Change the commented-out line (your own domain name will appear in place of SIPREP):

#sudo chown -R "$p":"SIPREP\Domain Users" /Users/"$p"/

So it will now be uncommented:

sudo chown -R "$p":"SIPREP\Domain Users" /Users/"$p"/

Then save (Control-X)

Then run the script again, and it should actually change the folder ownership:

cd ~/Desktop
./fix\ folder\ ownership.sh
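
The dry run described under "Testing the script" can also report each folder's current owner and whether its name resolves to an account, which catches stray folders before chown -R runs. This is an added example, not the original script; the function names, the USERS_DIR override and the status labels are illustrative, and it assumes folder names match short usernames as stated above.

```bash
#!/bin/bash
# Added example, not the original script: read-only audit of the Users folder.
# Assumptions: folder name == short username; USERS_DIR and EXCLUDE are illustrative.

USERS_DIR="${USERS_DIR:-/Users}"
EXCLUDE="Shared root Guest .localized"

# Succeeds if the name resolves to an account (local or directory service).
account_exists() { id -u "$1" >/dev/null 2>&1; }

# Print one tab-separated line per folder the chown loop would consider:
#   name <TAB> current owner <TAB> status
audit_homes() {
    local dir="$1" p owner
    for p in "$dir"/*; do
        p="${p##*/}"
        # Skip the excluded names.
        case " $EXCLUDE " in *" $p "*) continue ;; esac
        # Skip plain files and symlinks: chown -R on "/Users/name/" would
        # follow a symlink and change ownership somewhere else.
        [ -d "$dir/$p" ] && [ ! -L "$dir/$p" ] || continue
        owner=$(ls -ld "$dir/$p" | awk '{print $3}')
        if ! account_exists "$p"; then
            printf '%s\t%s\tSKIP (no such account)\n' "$p" "$owner"
        elif [ "$owner" = "$p" ]; then
            printf '%s\t%s\tOK\n' "$p" "$owner"
        else
            printf '%s\t%s\tWOULD CHOWN\n' "$p" "$owner"
        fi
    done
}

audit_homes "$USERS_DIR"
```

Nothing is modified by this audit; folders reported as SKIP are the ones that would trigger the illegal user name warnings mentioned above.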





How to find the IP address of a printer on a Mac

If you have a printer already installed on your Mac, but you just want to find the IP address, this is one quick way to do it without printing out a test page and wasting paper / ink.

Click on the Apple logo and then select About This Mac.

Click on System Report....

In the left-hand column, under Hardware, select Printers.

Find the printer you want more information about, and then click on that printer. You should see the IP address next to URI.

Authentication failed on changing admin accounts for ARD machine

I encountered an odd thing. I had ARD set to remote into a few workstations. I was doing some account cleanup on them and changed the admin accounts. In System Preferences > Sharing, I still had it that all admins could remote in, but after deleting an admin account and adding a new one, I couldn't remote in with the new one.

There is a way to refresh it, however, which I found here. You ssh into the remote machine, and then paste in these two commands:

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -restart -agent -privs -all

You should then be able to use ARD to remote in again.

Reset Printing System on Mac

If you're having printing issues with multiple printers (not just one or two), you may want to reset the printing system (Warning: this will remove your installed printers, and you'll have to install them again).

Go to System Preferences.

Select Printers & Scanners.

Right-click on a printer and then select Reset printing system....

Re-add the printers.

Get back the old Numbers default Print View

One of our users likes to see a print preview by default in Numbers. This was available in the older version of Numbers, but it's gone from the newer version of Numbers.

Unfortunately, the most viable solution for this is just to keep using the old version of Numbers.

If you're complaining about this issue, you likely already have the older version of Numbers. It will appear in the /Applications/iWork '09 folder. If you don't have it, you also likely don't have this issue (because you're used to using only the new version of Numbers).

If you have an already-saved document that you want to open in Print View by default, go to File > Export To > Numbers '09.

Just click Next...

Name your exported document. Click Export.

Right-click on the exported file and select Get Info (for you keyboard shortcut–wedded folks, that's Cmd-I).

Find the Open with: section and then select Numbers.app (2.0).

Click Change All... and then click Continue.

Click View > Show Print View.

/System/Library/Keychains empty… and repercussions

The issue

We ran into a weird situation once, in which a user could not update anything. Trying to update Adobe Flash ended in an immediate error (Application Initialization Error), launching the Mac App Store led to the App Store saying it couldn't be contacted, and Chrome said it was updated when it was several versions behind. Pretty much anything that had to contact a server for updates... couldn't.

The solution

After rebooting, checking for malware, failed proxy connections, and a bunch of other potential issues, we found out that the /System/Library/Keychains folder was empty.

So we copied the contents of that folder from another Mac, and then, magically, everything worked!

Very obscure issue and obscurer solution. Thanks to J. Pruden for finding it!

Exporting GarageBand to Google Drive on the iPad

When you try to share a GarageBand project out from the iPad, the immediately apparent options may include only Facebook, SoundCloud, and YouTube (yes, even if you select the More option).

If you want to export your project to Google Drive, you may have to take a few extra steps.

Select your project by either tapping Select or long-pressing on the project icon itself.

Once it's selected, click the share button (looks like an up arrow pointing out of a rectangle).

Select Open in...

Before you can select what to open the project in, you'll have to fill in some details about the song. Fill those in.

Then you should see a lot more applications appear to share it in, including Open in Drive. You may have to do a bit of horizontal scrolling to get it to appear, depending on how many shareable-to apps you have installed.

Once Google Drive opens, you'll then be prompted to upload the song. Select Upload.

Getting Started with Munki (not monkey)

5 April, 2018 update: This page used to have a tutorial that walked you through setting up a bunch of GUI tools to manage and keep up-to-date a Munki server. I've reconsidered, and I don't think that's the best approach for new Munki administrators to take to learning Munki.

First Steps

Here are a series of links you should read and follow, in this order, to explore Munki on your own:

  1. Demonstration Setup: Walks you through a very basic setup, using a Mac as a Munki server and another Mac (or even the server itself) as a test Munki client. Even though you can do so, I'd highly recommend against setting up a Mac running Server.app to be your Munki server. If you use a Mac, just use regular macOS with the built-in Apache.
  2. Overview: If you're absolutely new to Munki, you should really understand the basic mechanics of it and what catalogs and manifests are. If you read the overview and are still confused, ask for clarification from other Munki administrators (see links in Getting Help).
  3. How Munki Decides What Needs To Be Installed: This is one of the most frequently asked questions from new Munki administrators, so it's very important you understand why you may have a Munki item that's in an endless install loop (and how to fix it).
  4. An opinionated guide to Munki manifests: Some opinions on how you should structure your manifests in Munki.
  5. Another opinionated guide to Munki manifests: Some more (related) opinions on how you should structure your manifests in Munki.

Getting Help

And here are some great places to go for help, if you have Munki-related questions:

  1. MacAdmins Slack #munki channel
  2. Munki-Discuss Google Group
  3. MacEnterprise mailing list

Server Setup

Want to secure your Munki repo and/or move it to Linux? You may find these links handy:

  1. Using https / self-signed certificates and basic authentication with Munki: If you want to stay with macOS and have basic authentication on an internal-only server.
  2. Certbot Apache on macOS: If you're going for basic authentication on a public-facing server, and you want a proper (not self-signed) SSL certificate.
  3. Setup a Munki repo on Ubuntu 14.04 - Part 1: Yes, I know it says 14.04, but the basic instructions still work for 16.04, and they'll probably work for 18.04, too.
  4. Certbot Nginx on Ubuntu 16.04 (xenial): Proper SSL certificate for Ubuntu (again, if your server is public-facing).
  5. Using Munki With SSL Client Certificates: Basic authentication not enough security for you? Set up revocable client certificates instead.

Munki-related Helper Tools

Need other helper tools?

  1. AutoPkg: Allows you to automate downloading and installing new software into your Munki repo. Get to know the command-line tool well first if you choose to also install the (no longer maintained) GUI management for it called AutoPkgr.
  2. MunkiAdmin: A great graphical frontend for managing your Munki repo (after you've already understood how the pieces work together... and, frankly, even with MunkiAdmin, I'd still recommend using munkiimport on the command-line to manually import new items that don't come through AutoPkg). As an alternative, you may want to check out mwa2, which is web-based.
  3. MunkiReport-PHP or sal: If you want to add in a reporting piece to see what your Munki clients are up to.