To help my IT friends at my job I’m leaving, I’m trying to share things that will help them. Below is a link to my NewsBlur subscriptions. I have A LOT of Mac stuff in here. The NewsBlur system costs $2/month ($3 if you are feeling it is worth it and have spare $). It is extremely worthwhile especially since the demise of Google Reader. There’s also an iPhone and iPad app you can use on the go. The stuff in the Engineering – Mac feeds will help someone do most of what I do.
Users having the freedom to fully use their computers even in an Enterprise. I’ve been thinking long and hard about this topic. Long ago when I began working in corporate IT I was taught that users can’t be trusted. They can’t possibly know what is good for their computer, and we must approve everything they do. We must basically suck all the fun out of the thing they use for perhaps 90% of their day. It used to make sense to me because I was always mostly a Windows guy at work while at home I was mostly a Mac and Linux guy. Where I always would get bent out of shape was when we would take Windows shortcomings and imagine the Macs had the same shortcoming. I’ll explain what I mean. Some of our users need admin rights on their machines. Because Windows, prior to UAC in Vista, was completely unsafe to run as an admin, we made folks create a secondary account for admin reasons on their machine. Somehow on the Macs the same rule was in place even though OS X effectively had a better version of UAC before UAC even existed.
Where I work I’m in charge of Desktop Engineering. We have a responsibility for every laptop, desktop, iPad, iPhone, Android, etc… device in the environment at a very high level. We create the base images that go on the computer systems, and we package the software that goes out to them. There is a staff of Desktop Support folks who will implement things my group creates, and they also provide the direct support to the users at the company. Those Desktop Support folks see a wide range of issues. When they don’t know how to fix something they escalate the issue to my group.
I have been using InstaDMG for a long time to make my Mac OS X 10.5 Leopard and 10.6 Snow Leopard images. It always worked without flaw until recently. A technician mentioned to me that /Applications/Mail.app would not launch on my 10.5.8 image. I later also had some issues with the Finder that I just couldn’t figure out. On an email list someone said they saw the same thing on 10.6 with the following error:
You have Mail version 4.0 (1075/1077). It can’t be used on Mac OS X Version 10.6.2 (Build 10C540)
I read the advisory for the libc/strtod(3) buffer overflow over the weekend and wondered if 10.4.11 wasn’t included simply because nobody tested, and I think I’m right. I logged in to a 10.4.11 machine in Console by entering “>console” in the Name: field of the login window. Then I logged in as my local admin account and typed “printf %1.262159f 1.1” and sure enough I was knocked out of my session back to the login window. It would appear to me that 10.4.11 is vulnerable to this overflow. Now let’s see if Apple goes back and makes a patch for 10.4.11 as well as 10.5.8 and 10.6.2. I would imagine now would be a good time for folks to remove anything older than 10.4.11 from your environment, and depending on Apple’s response you may end up moving all your 10.4.11 to 10.5.8 or 10.6.2 if they don’t issue a patch.
So I use InstaDMG to build my Mac OS X images for work. I got reports of Java being broken in my latest image. On looking at the problem the machines were at Java 1.5.0_13 when they should have been at 1.5.0_16. Reinstalling Java Update 2 and Java Update 3 didn’t bring the machines to 1.5.0_16 like it should have. Also the Java apps in /Applications/Utilities/ are broken.
[For those that don’t know what InstaDMG is you should really check it out if you manage Macintosh systems. It’s at www.afp548.com and is really really helpful.]
So I included the latest iTunes and noticed my DMG was still mounted when all was done. “lsof” is my friend and showed me there were two things in use that should not have been.
- /Volumes/OS-Build-08-03-15/Applications/iTunes.app/Contents/Resources/iTunesHelper.app/Contents/MacOS/iTunesHelper
- /Volumes/OS-Build-08-03-15/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/MobileDevice
I knew the framework was loaded from the binary since when I killed the iTunesHelper process the framework let go. Then I found this…
- /iTunes.mpkg/Contents/Resources/iTunesX.pkg/Contents/Resources/postflight_actions/runiTunesHelper
The above is the dopey script that Apple made that simply launches the helper if a user is logged in. Why not also test if the target volume is the booted volume? I don’t know. Seems a little lame to me. For our purposes just delete this file. For InstaDMG there is no need to kill the current helper and certainly no need to launch the helper inside the DMG you are building.
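The missing test described above could look like the following. This is an added example, not Apple's script or code from the original post; it relies on the installer convention that a postflight script receives the target volume as its third argument, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: decide whether a postflight action may start a helper.
# In a real postflight script the call would be (assumed usage):
#   helper_action "$3" "$(stat -f%Su /dev/console)"
# where $3 is the target volume passed in by the installer.

# True only when the package is being installed onto the running system.
is_booted_volume() {
    [ -n "$1" ] || return 1
    # Strip trailing slashes so "/Volumes/X/" equals "/Volumes/X"; "/" becomes empty.
    trimmed=$(printf '%s' "$1" | sed 's:/*$::')
    [ -z "$trimmed" ]
}

# True when a real user owns the console. Assumption: with nobody logged in
# the console owner is reported as root (or loginwindow by some tools).
console_user_present() {
    case "$1" in
        ""|root|loginwindow) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the decision for a given target volume and console user.
helper_action() {
    if ! is_booted_volume "$1"; then
        echo "skip-offline-target"      # e.g. a mounted build image
    elif ! console_user_present "$2"; then
        echo "skip-no-console-user"
    else
        echo "launch"
    fi
}

# Constructed inputs: an image being built, then the live system.
helper_action "/Volumes/OS-Build-08-03-15" "someuser"
helper_action "/" "someuser"
```

With a guard like this, nothing is started from inside the mounted image, so no process holds the volume open when the build finishes.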
I was running iPhoto 4 when I noticed that if I closed the window then the app would exit too. I thought to myself.. humm.. that is strange. Sure enough Apple designed it that way. Funny thing is that Mail does not act the same way. Some apps exit when the last window closes, and some don’t. In my mind that only causes confusion for computer users. Shame on Apple for not following the same design for all their iApps. I submitted this feedback to Apple:
While I actually like when apps exit when the last window closes, this doesn’t appear to be Apple’s ‘standard’ design practice. Either all Apps from Apple should exit when the last window closes or none should IMHO. Mail.app is an example of an app that doesn’t quit when the last window closes. If I want to hide an app then Command-H is the standard. Someone at Apple needs to make a design choice and convey that to developers so that there is a consistent look and feel to apps on the Macintosh. It’s not good when even Apple flip flops design choices from app to app.
So I decided I would share. 🙂 This is the cron job I use to keep OS X machines up to date with LiveUpdate and Norton AntiVirus 9.0.1. It’s a fairly simple script. I put this in /sw/etc/cron.daily/ because I use anacron that I installed with Fink. If you don’t want Fink on your system then there is a system cron that is in /etc you can use, but it requires that the machine must be on when the cron job should run. This condition was not acceptable to me. Read on to see the script…