macOS Network Shares with Permission Inheritance

Creating a network share on macOS does not automatically propagate assigned permissions to child files & subdirectories. This means if one user creates a new directory in a share, other users are able to view the new directory, but are unable to add anything to it. Correctly configuring directory permissions is the solution covered in today's blog post.

Understanding File & Directory Permissions

POSIX permissions are used to assign basic read, write and execute privileges to the owner (creator of the file/directory), group (a single group inherited from the parent directory) and others (everyone else).

At the same time, an access control list (ACL) can be applied to a file or directory to assign specific permissions, allowing for multiple users and groups with varying levels of access. ACLs override POSIX permissions and are made up of access control entries (ACEs), each entry specifying a particular user's or group's rights (either an allow or a deny) to perform specific operations. The ACEs in an ACL are evaluated from top to bottom until an ACE that applies to the user is found; once a match is found all remaining entries are ignored, making the order of ACEs paramount.

To allow our users to add to each other's directories we simply add the file_inherit & directory_inherit attributes to an ACE. This ensures the ACL applied to the share is inherited by child files & subdirectories.

There are two ways to apply an ACL:

Server app

Select the server name in the left sidebar, click the Storage tab and drill down to the directory you wish to modify. Click the gear at the bottom of the screen and select "Edit Permissions..." Expand out assigned users & groups, tick Inheritance and click OK.

Doing so will apply the ACL to the selected directory, but not to any subdirectories. If you wish to apply the same ACL to subdirectories, select the gear again, choose 'Propagate Permissions...', tick only the Access Control List checkbox and click OK.

Note: You will notice inherited permissions are greyed out in the Server app to prevent accidental editing.

Terminal

Those comfortable in Terminal may wish to do the same via the command line.

List

To list existing ACLs in a directory:

ls -le

Add

To recursively add inheritance to a directory, simply append the file_inherit & directory_inherit attributes to the end of the existing ACE:

# Recursively add the following ACE to all files and folders inside Directory Name, marking the ACE as inherited.
chmod -R +ai "group:marketing allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" "Directory Name"/*

# Apply the same ACE directly to "Directory Name," without marking it as inherited (allowing it to be edited in the Server app).
chmod +a "group:marketing allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" "Directory Name"

Insert

Use +a# to insert an ACE at a specific index (at index 0):

chmod +a# 0 "group:marketing allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" "Directory Name"

Replace

Use =a# to edit an existing ACE (at index 2):

chmod =a# 2 "group:marketing allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" "Directory Name"

Remove

Use -a# to remove the first ACE (at index 0):

chmod -a# 0 "Directory Name"

Use -N to remove an ACL from a file or directory altogether:

chmod -N "Directory Name"
# Tip: chmod -RN will recursively remove ACLs
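To check a share for the problem this post fixes without clicking through every directory, the following Python script (an added example, not from the original post) parses the output of the ls -le command shown above, flags any directory ACE that grants write rights without file_inherit and directory_inherit, and builds the matching chmod =a# repair command. The sample listing is constructed, and the ls -le line layout (including where the inherited keyword appears) is assumed.

```python
import re

# One ACE line as printed by `ls -le`, e.g.
#   " 0: group:marketing allow list,add_file,search,file_inherit,directory_inherit"
#   " 1: group:everyone inherited deny delete"
# (layout assumed from macOS ls output; the "inherited" keyword is optional)
ACE_RE = re.compile(
    r"^\s*(?P<index>\d+):\s+(?P<principal>(?:user|group):\S+)\s+"
    r"(?P<inherited>inherited\s+)?(?P<kind>allow|deny)\s+(?P<rights>\S+)\s*$"
)

# Rights that let a principal create or remove children of a directory
WRITE_RIGHTS = {"add_file", "add_subdirectory", "delete_child", "write", "append"}
INHERIT_FLAGS = ("file_inherit", "directory_inherit")

# Constructed sample: "Marketing" is configured as the post recommends,
# "Projects" carries the same grant but without the inheritance flags.
SAMPLE_LS_LE = """\
total 0
drwxrwxr-x+  6 admin  staff  204 Jan  5 09:12 Marketing
 0: group:marketing allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit
 1: group:everyone deny delete
drwxrwxr-x+  3 admin  staff  102 Jan  5 09:15 Projects
 0: group:marketing allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity
-rw-r--r--+  1 alice  staff   12 Jan  5 09:21 README.txt
 0: group:marketing inherited allow read,write,append,readattr,writeattr,readextattr,writeextattr,readsecurity
"""


def parse_ls_le(text):
    """Return [(name, is_dir, [ace, ...])] from `ls -le` output.

    ACE lines belong to the long-listing line before them; splitting that
    line into exactly nine fields keeps names that contain spaces intact.
    """
    entries = []
    for line in text.splitlines():
        ace = ACE_RE.match(line)
        if ace and entries:
            entries[-1][2].append({
                "index": int(ace.group("index")),
                "principal": ace.group("principal"),
                "inherited": ace.group("inherited") is not None,
                "kind": ace.group("kind"),
                "rights": ace.group("rights").split(","),  # keep ls order
            })
            continue
        fields = line.split(None, 8)
        if line[:1] in ("-", "d") and len(fields) == 9:
            entries.append((fields[8], fields[0].startswith("d"), []))
    return entries


def audit(entries):
    """List directory allow ACEs that grant write rights but will not propagate.

    Each finding is (name, ace index, principal, [missing inherit flags]).
    """
    findings = []
    for name, is_dir, aces in entries:
        for ace in aces:
            rights = set(ace["rights"])
            if not is_dir or ace["kind"] != "allow" or not rights & WRITE_RIGHTS:
                continue
            missing = [f for f in INHERIT_FLAGS if f not in rights]
            if missing:
                findings.append((name, ace["index"], ace["principal"], missing))
    return findings


def fix_command(name, ace):
    """Build the `chmod =a#` command (the Replace form above) that rewrites
    the ACE in place with both inheritance flags appended."""
    rights = ace["rights"] + [f for f in INHERIT_FLAGS if f not in ace["rights"]]
    return 'chmod =a# {} "{} {} {}" "{}"'.format(
        ace["index"], ace["principal"], ace["kind"], ",".join(rights), name)


if __name__ == "__main__":
    parsed = parse_ls_le(SAMPLE_LS_LE)
    aces_by_name = {name: aces for name, _, aces in parsed}
    for name, index, principal, missing in audit(parsed):
        print("{}: ACE {} ({}) lacks {}".format(name, index, principal, ", ".join(missing)))
        ace = next(a for a in aces_by_name[name] if a["index"] == index)
        print("  " + fix_command(name, ace))
```

On a real share, feed it the output of ls -le run inside the share directory; it only reads text and changes nothing itself.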

Further Reading

If you would like to learn more about macOS file permissions the following are great resources:

Printing Hierarchical Directory Structures in Terminal


Tree is an open source command line tool for recursively outputting the structure of a directory. It is useful for generating a clear representation of complex directory structures.

Installation

Tree is compatible with most Unix based operating systems, including macOS. Since tree is not included with macOS, here are two methods for installing it:

Via Homebrew

If you already have Homebrew installed simply run:

brew install tree

From Source Code

1. Download the source code from GitHub:

git clone https://github.com/execjosh/tree.git

2. Move into the tree directory and edit the Makefile:

cd tree
nano Makefile

3. Comment out (prepend a #) the line under Linux defaults and uncomment (remove the #) the lines under the OS X section:


Note: To save changes in nano; press control + X, then Y and return.

4. To compile the binary simply run:

make

5. Move the newly generated binary into /usr/local/bin/:

sudo mv tree /usr/local/bin/

6. Lastly, move the manual page into /usr/share/man/man1/.

sudo mv doc/tree.1 /usr/share/man/man1/

Usage

Tree has many options and the manual page goes into each one in depth; you can view the man page with:

man tree

Our favourite options:

  • -C: Colour folder names to help distinguish files from folders
  • -d: Only output directories, not files
  • -H: Output as HTML with hyperlinks to files and folders
  • -N: Do not escape spaces with forward slashes or replace non-printable characters
  • -o: Send output to a file
  • -Q: Put double quotes around filenames

Example

Using tree to list all files and folders in a user's Music directory:


Demystifying the Apple Lightning to USB 3 Camera Adapter


A common question I get from travellers is, "how can I back up the photos taken with my digital camera without my laptop?"

The answer is to get an Apple Lightning to USB 3 Camera Adapter (MK0W2AM/A | model A1619) to use with your iPad/iPhone. This adapter works with any iPad or iPhone with a Lightning port, which covers almost every iPad/iPhone sold in the last 6 years.

Usage

  1. Simply connect your camera's USB cable into the adapter and plug the adapter into your iPad/iPhone.
  2. The Photos app will automatically launch and allow you to import specific photos or import all.
  3. Imported photos will appear in the Last Import photo album.

Once imported, the next time your iPad/iPhone is connected to the Internet (e.g. hotel Wi-Fi), photos can be uploaded to your iCloud Photo Library.

The Photos app also remembers previously imported photos, so you don't need to worry about accidentally reimporting the same photos again.

Photos are not modified in any way and retain all metadata including date & time, location (cameras with GPS), camera settings used to take the photo and original filename.

Testing the adapter with a Panasonic Lumix DMC-TZ30, I found the Photos app fails to detect AVCHD formatted videos and therefore will not import them. Unless your camera records videos as MP4 files, importing videos will almost certainly require access to a computer.


The adapter is superior to the non-USB 3 Apple Lightning to USB Camera Adapter (MD821AM/A | model A1440). Some digital cameras attempt to recharge when connected, and the extra power draw causes the iPad/iPhone error: "Cannot Use Device: The connected device requires too much power."

This error still occurs with the new adapter, however attaching a Lightning charger to the adapter resolves the error, allowing more cameras to work. If you are still getting the error: "Cannot Use Device: The connected device requires too much power." after connecting a charger, the charger is not outputting enough power for both the iPad/iPhone and the camera. Make sure you are using the charger that came with your iPad/iPhone.

Note: If you already own the older Lightning to USB Camera Adapter, connecting the adapter to an externally powered USB hub should also resolve the error.

Owners of the iPad Pro 10.5-inch and iPad Pro 12.9-inch will experience faster import speeds as the adapter performs at USB 3 speeds, compared to standard USB 2 speeds with other iPads and iPhones.

Surprisingly the adapter also works with many USB devices including:

  • keyboards: with support for screen brightness, volume and playback controls
  • barcode scanners: ideal for point-of-sale terminals
  • Ethernet adapters: ideal for fixed digital kiosks; Apple lists supported models here.
  • hubs: connect multiple USB devices at once
  • memory card readers (e.g. microSD, MMC, etc.)
  • microphones: for higher quality audio recording
  • Musical Instrument Digital Interface devices (e.g. MIDI keyboards)

Note: The adapter does not provide access to storage apart from importing photos & videos.

Raspberry Pi Tips & Tricks


Introduction

For those unfamiliar, a Raspberry Pi is a low-cost, energy efficient, highly extensible, credit card sized computer. To assist new Raspberry Pi owners I have put together my notes on the topic and will continue to append to it as new discoveries are made.

Common Commands

Copying a Raspberry Pi Operating System Image (.img) to a microSD Card

Loading an initial operating system can seem like a daunting task; in fact, many Mac users are unaware that copying an .img file to a microSD card does not require any additional software. In this example I will be using Raspbian Stretch Lite, a good base image for most Raspberry Pi projects.

Connect the microSD card to a Mac using an SD card adapter or a microSD to USB reader.

To find the disk identifier of the microSD card, open Terminal and run the following command:

diskutil list

In my situation the microSD card was mounted as /dev/disk2; I could tell this by comparing the size of the disk (31.1 GB).

Before we can copy the Raspbian data to the microSD card we need to unmount the disk first with the command:

sudo diskutil unmountDisk /dev/disk2

Time to copy the contents of the image file to the microSD card, take note of the r in front of disk2:

sudo dd if=~/Downloads/2017-11-29-raspbian-stretch-lite.img of=/dev/rdisk2 bs=1m

Setting Up a Headless (No Screen) Raspberry Pi

By default SSH (remote login) is disabled. To enable SSH create an empty file called "ssh" in the root of the SD card. On a Mac this can be achieved with the Terminal command:

touch /Volumes/boot/ssh

Connect to Wi-Fi

Raspbian includes the Raspberry Pi Software Configuration Tool, which provides a user-friendly way to configure network settings. To open it, type:

sudo raspi-config

Changing the Default User Password

By default the username is pi and the password raspberry. Once logged into the Raspberry Pi, the easiest way to change the password is with the command:

sudo raspi-config

Updating Raspbian

To check for and install any available updates:

sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot now

Favourite Use Cases

Pi-hole - Block Ads on Your Local Network

Pi-hole is one of the best uses of the Raspberry Pi hardware. Pi-hole acts as a Domain Name System (DNS) server on the local network, blocking requests to ad related networks. This results in webpages and apps displaying content without unwanted ads. The screenshots below show the difference Pi-hole makes to the website speedtest.net.

Pi-hole also includes a nice dashboard, reporting usage and providing the ability to further blacklist/whitelist specific sites.

Digital Signage

Screenly & Yodeck have Raspberry Pi software allowing any TV to be used for digital signage. Updating what is displayed on screens is as easy as uploading new content via a web browser. Both currently offer a free tier for a single display.

A Guide to Implementing Apple iPads in Education


There are several key pieces to a successful education iPad deployment. This guide is a good starting point towards understanding how the pieces come together.

Mobile Device Management (MDM)

An MDM unlocks the real potential of iPads in education. There are hundreds of MDM vendors, in Australia the most common one is Jamf Pro (formerly Casper Suite). Jamf have a great track record for supporting new features as they come out and offer substantial discounts to educational institutes.

All reliable MDMs are subscription based, where you pay X amount per month/year per iPad.

An MDM will allow for:

  • wireless deployment of apps and settings to iPads, no more syncing with iTunes/Apple Configurator or manually downloading onto each device.
  • keeping an inventory of your iPads.
  • the features discussed below; Device Enrolment Programme, Volume Purchase Programme and Apple School Manager.

Device Enrolment Programme (DEP)

Once a school is enrolled for DEP, new iPads purchased from an Apple Authorised Reseller are registered with the school's DEP account. iPads registered with DEP will automatically talk to the school's MDM (e.g. Jamf Pro) and automate the set-up of the iPad; I.T. never needs to see the device.

Volume Purchase Programme (VPP)

VPP allows for the bulk purchase of app licenses and many apps offer a 50% discount when purchasing quantities of twenty or more at a time.

Once a purchase in the VPP portal has been made, the app licenses will appear in your MDM and you can select the devices you wish to deploy that app to.

Credit can be added to a VPP account either via credit card or by purchase order.

Apple School Manager (ASM)

Apple School Manager is a teacher's dream - it allows them to remotely view, lock and control iPads in the classroom. Apple has a 3 minute video demonstrating the functionality of the Classroom app (part of ASM).

Historically iPads have always been single-user devices, so when they are shared (often the case in schools) this can cause problems, especially if students delete other students' work. With ASM, iPads gain security for shared use as each student is given their own unique account and passcode, keeping their work safe.

Their work is also synchronised with iCloud allowing them to pick up any school iPad, log in and have their previous work appear on that iPad.

Registering a school for DEP, VPP and ASM is free and can be completed here.

Apple Caching Service

With lots of apps, updates and iCloud data being downloaded from the Internet it is paramount to have a Mac mini set up with macOS Server and the Caching Service. The Caching Service reduces the amount of data downloaded over the Internet connection and speeds up delivery of repeat data.

How it works

The first time an app is downloaded from the Internet, during that initial download it is cached on the Mac mini. If another device requests the same update it doesn’t need to download it from the Internet again, instead it is rapidly downloaded from the local Mac mini.

Recovering a Forgotten OS X/macOS User Password


Recently I had an elderly client that could not remember the password to his iMac nor the email passwords configured in Apple Mail. I was caught in a situation where I could not reset his Keychain as that would remove his email passwords, but I also had no way of extracting passwords from his Keychain. On top of that I needed the password to install new printer drivers.

This information is intended to support others that have forgotten their login password, it should not be used for evil. If you want to secure your system from vulnerabilities like this it is important to enable FileVault whole-disk encryption and use a unique/secure password. You can turn it on under System Preferences > Security & Privacy > FileVault.

I remembered reading how the Automatic Login feature stores a cipher of the user's password in /etc/kcpassword. A quick Google search later and I had the following command to extract the password.

Since the above command requires sudo and I didn't have access to an administrator account, I booted the iMac into Target Disk Mode, connected it to another Mac (via FireWire/Thunderbolt cable) and ran the following command:

sudo ruby -e 'key = [125, 137, 82, 35, 210, 188, 221, 234, 163, 185, 31]; IO.read("/Volumes/Macintosh HD 1/etc/kcpassword").bytes.each_with_index { |b, i| break if key.include?(b); print [b ^ key[i % key.size]].pack("U*") }'

And just like that I had recovered his password!

Adding HomeKit Support to LIFX Light Bulbs


In the smart light market the two major players are Philips Hue and LIFX. Around the time HomeKit was first released, Philips Hue offered a new hardware bridge to allow customers to control their Philips Hue bulbs with Siri. LIFX on the other hand has been telling customers that HomeKit support is on its way, but has yet to deliver.

With the announcement of iOS 10's Home app I was over waiting and started looking into ways to make LIFX bulbs HomeKit compatible. That's when I came across Homebridge, a community developed solution that acts as a bridge for non-HomeKit compliant devices, LIFX light bulbs being one of them.

I have put together this guide for other LIFX bulb users eager to take advantage of HomeKit.

In this guide I run Homebridge on a Mac mini, however you should be able to get this working on a PC or even a Raspberry Pi. Also, to be useful the machine running Homebridge will need to always be on.

Steps

Homebridge requires Node.js; download and install it.

Now install Homebridge, open Terminal (Utilities > Terminal) and type:

sudo npm install -g --unsafe-perm homebridge

If prompted, install Git and run the above command again.

Next install David Parry’s LIFX LAN Homebridge plugin:

sudo npm install -g homebridge-lifx-lan

Download my LIFX ready Homebridge configuration file:

curl https://raw.githubusercontent.com/Error-freeIT/Homebridge-Configuration/master/lifx-config.json --create-dirs -o ~/.homebridge/config.json

Start Homebridge by simply typing:

homebridge

Open the Home app on your iOS device, tap Get Started > Add Accessory > Homebridge > Add Anyway > Enter Code Manually > 053-73-874

The rest of the process is just tapping Next and configuring your rooms and scenes. If you're new to HomeKit I recommend reading Apple's article on the Home app.

As long as your LIFX lights are switched on you should see them in the Home app.

Once the novelty of telling Siri to control your lights starts to wear off, there's one more bit to make Homebridge automatically startup in the background. First we need to stop the current instance of Homebridge from running by pressing control + C. Then paste the following two commands into Terminal:

curl https://raw.githubusercontent.com/Error-freeIT/Homebridge-Configuration/master/com.github.homebridge.plist --create-dirs -o ~/Library/LaunchAgents/com.github.homebridge.plist

launchctl load ~/Library/LaunchAgents/com.github.homebridge.plist

That's it! Enjoy your fancy HomeKit enabled LIFX lighting!

Apple Configurator 2 Workarounds


At the moment Apple Configurator 2 has a Mac App Store customer rating average of 1.5 out of 5 stars. I find it overall better than its predecessor, but I understand the poor rating and have put this post together to help others moving to Apple Configurator 2.

For me the biggest change between Apple Configurator 1 and 2 is the shift in app licensing. Buying a new app with Apple Configurator 1 involved downloading a spreadsheet of redemption codes from the Volume Purchase Program portal. Then you would use the first redemption code to download the app with iTunes. Then import that app’s .ipa file into Apple Configurator, re-download the spreadsheet of redemption codes (now with the first code marked as redeemed) and finally import the spreadsheet into Apple Configurator.

Thankfully Apple Configurator 2 uses managed distribution instead of redemption codes, cutting out the cumbersome process above. With managed distribution Apple tracks which devices/Apple IDs are assigned apps and gives the organisation the ability to revoke and reissue app licenses. Managed distribution is also the licensing method used by all Mobile Device Management (MDM) solutions, making the eventual transition from Apple Configurator to an MDM solution much smoother.

Obtaining Free iLife & iWork Apps

If you are migrating from Apple Configurator 1 you will need to reapply for new managed distribution licenses of Pages, Numbers, Keynote, iMovie and GarageBand. This requires uploading proof of purchase with a list of eligible iPad serial numbers here.

Migrating Your Paid Apps

Apple have created an online form for migrating your paid apps to managed distribution. Simply fill out the form here, selecting ‘Migrate from redemption codes to managed distribution’ from the dropdown list. Apple will look at your purchase history and convert all your previously purchased apps to managed distribution.

Unexpected Behaviour

Issue: Apps aren’t being cached by Apple Configurator 2.
Workaround: Set up another Mac on your network with OS X Server and the Caching service enabled.

Issue: Failing iOS firmware downloads on slow or unstable Internet connections.
Workaround: Manually download the firmware files (.ipsw) and copy them into Apple Configurator’s firmware directory.

To speed up the download of firmware I use https://ipsw.me to find my device's firmware URL and then download it with the DownloadThemAll! Firefox plugin.

Once downloaded, copy the firmware file into place: in Finder click Go > Go to Folder… and paste:

~/Library/Group Containers/K36BKF7T3D.group.com.apple.configurator/Library/Caches/Firmware/

Issue: I made a change to a profile that was part of a blueprint. After applying the blueprint to a new iPad I noticed the profile installed was an older revision.
Workaround: If you edit a profile you will need to remove and re-add it to your blueprints. I find it odd that it does not reference the location of the profile selected.

Issue: I tried installing a few apps at once to a cart of iPads, received the error "An unexpected error has occurred with these iPads. The operation couldn't be completed. Operation not permitted [NSPOSIXErrorDomain - 0x1 (1)]" and ended up with some apps grayed out on the home screen. 
Workaround: This seems to be a known bug as reported here. Try installing the troubled apps individually. Reinstalling the app will give you the option to skip or overwrite the app and will not waste any additional licenses.

Issue: My blueprint has both a lock screen and home screen set, but only the lock screen wallpaper applied.
Workaround: After applying the blueprint select Actions > Modify > Wallpapers…

Issue: The progress bar seems to be stuck.
Workaround: Click Window > Activity to see more detail.

Issue: The Photos app keeps opening.
Workaround: [Update 23/03/16]: Erik Gomez has reported Apple Configurator 2.2 in OS X 10.11.4 no longer does this and the workaround is no longer required. As discovered here you can stop Photos from reopening with the following Terminal command:

defaults -currentHost write com.apple.ImageCapture disableHotPlug -bool YES

Issue: Deleting an app directly on the iPad does not revoke the app license and when connected Apple Configurator 2 still detects the app as installed.
Workaround: Properly remove the app and revoke the license in Apple Configurator 2 by selecting Actions > Remove > Apps…

Issue: Apps are still functional on devices after the license has been revoked. If you install an app with Apple Configurator 2, then go to Window > VPP Assignments and revoke the license, the app remains functional on the devices and the license is returned to the VPP account.
Workaround: No workaround, just ignore it. What should happen: once the license is revoked it should prompt the device owner to purchase a copy of that app.


Lastly, if you have any Apple Configurator 2 tips please share them in the comments.

[SOLVED] Unable To Access iPhone Photos In Windows 7


Last week I had a client who wanted help copying photos from his iPhone to his PC running Windows 7. When connecting his iPhone, iTunes would open and see the iPhone, but his photos would not appear under My Computer (Windows Explorer).

When reconnecting the iPhone I noticed Windows was failing to install a driver for a MTP USB Device. I could also see in Device Manager the device status was “Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)”

After reinstalling iTunes and attempting to manually apply the correct device driver I still had the same driver failing to install issue.

Eventually I came across Navigat0's post and that fixed the issue. To help the next person who runs into this issue I have rewritten the process with screenshots below.

Type ‘regedit’ in the start menu search field and open it.

Expand HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Class.

Select {EEC5AD98-8080-425F-922A-DABF3DE3F69A} from the long list.

Right click UpperFilters > Delete > Yes.

Now close Registry Editor and reconnect your iPhone. Everything should work normally from now on.

Automate the Setup of Microsoft Exchange Accounts on OS X


I have been recently looking for the best way to automate the setup of Exchange accounts (specifically Office 365 hosted) on shared Macs. William Smith has created an impressive Exchange Setup AppleScript, perfect for Microsoft Outlook users.

I also wanted to automate the setup of Exchange accounts for Apple’s native OS X apps (Mail, Contacts, Calendars, Reminders and Notes). Normally this would be done with a Mobile Device Management (MDM) solution, pushing out user-personalised configuration profiles. But for those situations where an MDM isn’t feasible (possibly due to budget, resources, policy, etc.) or is simply overkill, this post should help you out.

To make life easier for those without an MDM I have put together a bash script to automate the setup of Exchange accounts on OS X.


How it works

The script locally generates and installs a user configuration profile (.mobileconfig file). To avoid the account being added as offline the user is also prompted for their Exchange account password.

Usage

I have tested this script on OS X El Capitan (10.11) with multiple Office 365 Exchange accounts.

  1. Install Joseph Chilcote's Outset script.
  2. Download the addexchangeaccount.sh script and customise the required DOMAIN and EXCHANGE_HOST values.
  3. Then copy the customised script into /usr/local/outset/login-once/ and remember to make it executable.

That's it! The first time a user logs in they are prompted to enter their Exchange account password and then the script does the rest.
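As an added example (not the post's addexchangeaccount.sh, which is not reproduced here), this Python script builds a user-scoped .mobileconfig with an Exchange Web Services account payload the way the post describes, prompts for the password, installs it with profiles -I -F and then deletes the file. The payload type com.apple.ews.account and its keys, the DOMAIN/EXCHANGE_HOST placeholder values and the com.example identifiers are assumptions; because the file carries the password in clear text it is written with mode 0600, re-checked before use and removed straight after installation.

```python
import os
import plistlib
import stat
import subprocess
import tempfile
import uuid

DOMAIN = "example.com"                   # placeholder for the post's DOMAIN value
EXCHANGE_HOST = "outlook.office365.com"  # placeholder for the post's EXCHANGE_HOST value


def build_profile(username, password, domain=DOMAIN, host=EXCHANGE_HOST):
    """Return a user-scoped configuration profile with one EWS account payload.

    Payload keys (assumed from Apple's OS X Exchange payload documentation):
    supplying Password is what stops the account being added as offline.
    """
    email = "{}@{}".format(username, domain)
    account = {
        "PayloadType": "com.apple.ews.account",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.exchange.account.{}".format(username),
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Exchange ({})".format(email),
        "EmailAddress": email,
        "Host": host,
        "SSL": True,
        "UserName": email,
        "Password": password,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "User",   # installs for the logged-in user only
        "PayloadIdentifier": "com.example.exchange",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Exchange account for {}".format(email),
        "PayloadContent": [account],
    }


def write_profile(profile, path):
    """Write the .mobileconfig with mode 0600: it contains the clear-text password."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        plistlib.dump(profile, fh)
    return path


def default_profile_path():
    """A fresh private (0700) temporary directory for the profile file."""
    return os.path.join(tempfile.mkdtemp(), "exchange.mobileconfig")


def verify_profile_file(path):
    """Re-read the file and refuse to continue if anyone else could read it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("{} is group/world accessible (mode {:o})".format(path, mode))
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def install_profile(path):
    """Install with the 10.11-era `profiles -I -F` syntax, then delete the file."""
    try:
        verify_profile_file(path)
        subprocess.run(["profiles", "-I", "-F", path], check=True)
    finally:
        os.remove(path)


if __name__ == "__main__":
    import getpass  # terminal prompt stands in for the post's login-time prompt
    user = getpass.getuser()
    secret = getpass.getpass("Exchange password for {}@{}: ".format(user, DOMAIN))
    install_profile(write_profile(build_profile(user, secret), default_profile_path()))
```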
