These are the slides from the presentation with Chris Dawe of Wheelwrights LLC, at Cascadia IT Conference. The slides broke out into four clear sections:
This week’s edition of Techno Bits is now out in the wild, and this week I’ve written about the ransomware trojan that was embedded in Transmission 2.90 by an unknown party who both had an Apple code-signing certificate and access to Transmission’s web server. That’s a huge threat vector, so it might be time to start thinking about using Extinguish on a full-time basis.
Also included are the latest update to Munki-in-a-Box, some thoughts about the nature of web security, and the state of my iPad Pro fascination.
Tonight I’ve released a test branch of Munki-in-a-Box that adds a significant feature: Out of the box HTTP Authentication over SSL for a higher level of security.
Previous versions of Munki-in-a-Box have leveraged transport layer security to make sure that the packages and manifests sent from the server to the client were not captured in transit. TLS is helpful for making sure that you’re talking with the right server, provided that you haven’t accepted a false certificate. This new version seeds the authentication credentials to the client through the ClientInstaller.pkg file created by the script, and then provides HTTP Basic Authentication setup files for your Server.
This does make a pretty stark change: The Software Repo now has to be in the Server’s path, and by default, it will be a folder marked
/Library/Server/Web/Data/Sites/Default. Server cannot apply .htaccess and .htpasswd files outside of
/Library/Server, so the repository has to live there directly instead of in
You can set the password for HTTP Basic Authentication in the initial declaration of variables.
Next up? Figuring out how to automate the setup of a CA for device certificate signing.
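An added example, not code from Munki-in-a-Box: what HTTP Basic Authentication puts on the wire, why it only makes sense over TLS, and the kind of .htaccess the repo folder needs. The user name, password, host name and .htpasswd path are constructed placeholders.

```shell
#!/bin/sh
# Added example; credentials, host and paths below are constructed.

# Header a client sends for Basic auth: base64("user:password").
# Munki clients can carry such a header in the AdditionalHttpHeaders preference.
basic_auth_header() {
    printf 'Authorization: Basic %s\n' \
        "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Base64 is an encoding, not encryption: anyone who can read the request
# (no TLS, a proxy log, a packet capture) recovers "user:password".
decode_basic_header() {
    printf '%s' "${1#Authorization: Basic }" | base64 --decode
}

# Only pair a credential header with an HTTPS repo URL.
repo_url_ok_for_basic_auth() {
    case "$1" in
        https://?*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Apache .htaccess for the repo folder; $1 is the .htpasswd location.
htaccess_for_repo() {
    cat <<EOF
AuthType Basic
AuthName "Munki Repository"
AuthUserFile $1
Require valid-user
EOF
}

# Demonstration with constructed values.
hdr=$(basic_auth_header munki 'constructed-pass')
echo "$hdr"
echo "decodes to: $(decode_basic_header "$hdr")"
repo_url_ok_for_basic_auth "http://munki.example.com/munki_repo" \
    || echo "refusing to send credentials to a non-HTTPS repo URL"
```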
This afternoon, Apple released a background update that accidentally blacklisted their own Ethernet kernel extension. These background updates are generally not user-facing. The system will perform a daily check for these updates and apply them without notification. Users whose systems installed the update, marked as com.apple.pkg.IncompatibleKextConfigData.14U2129 or Incompatible Kernel Extension Configuration Data 3.28.1, on reboot lost their Ethernet adapter’s functionality.
This is a result of Apple’s security processes working to disable kernel extensions Apple deems harmful. Also included in this update was the banishment of spyresoft’s Dockmod which somehow managed to get a kernel extension signed by Apple into production, in conflict with the security guidelines for OS X. This is a concern for a number of reasons, but that’s a matter for another day.
Fortunately, Apple realized their error in a short period of time, and pushed another Incompatible Kernel Extension Configuration Data update which removed the entry for the Ethernet Kernel Extension.
Are you concerned that you might be missing your Ethernet adapter? You can check. From a terminal, run
This will then reveal all the Incompatible Kernel Extension updates. Look for:
If you see both 14U2129 and 14U2130, you are up to date. If you only see 14U2129, you should run the following to get the update from Apple (likely over your Wi-Fi connection):
sudo softwareupdate --background-critical
This will update the background updates and apply them. You may need to reboot to enable the missing kernel extension.
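For checking more than one Mac, the rule above can be scripted. This is an added example, not the command from the original post: it reads package ids on stdin (one per line, as `pkgutil --pkgs` prints them) and assumes the two builds appear as the suffix of an IncompatibleKextConfigData package id. Treating a machine that has only 14U2130 as up to date is also an assumption.

```shell
#!/bin/sh
# Added example. Only the build numbers 14U2129 / 14U2130 and the
# com.apple.pkg.IncompatibleKextConfigData.14U2129 id come from the post.

# Reads package ids on stdin, prints one of:
#   up-to-date   - the corrected 14U2130 data is installed
#   affected     - only the 14U2129 data is installed
#   neither-seen - no receipt for either build
kext_update_status() {
    bad=0
    good=0
    while IFS= read -r pkg; do
        case "$pkg" in
            *IncompatibleKextConfigData*14U2129) bad=1 ;;
            *IncompatibleKextConfigData*14U2130) good=1 ;;
        esac
    done
    if [ "$good" -eq 1 ]; then
        echo "up-to-date"
    elif [ "$bad" -eq 1 ]; then
        echo "affected"   # fix: sudo softwareupdate --background-critical
    else
        echo "neither-seen"
    fi
}

# On a Mac, classify the local machine from its real receipts.
if command -v pkgutil >/dev/null 2>&1; then
    pkgutil --pkgs | kext_update_status
fi

# Constructed receipt list for a machine that took only the bad update.
printf '%s\n' \
    com.apple.pkg.Example.Constructed \
    com.apple.pkg.IncompatibleKextConfigData.14U2129 \
    | kext_update_status
```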
Thanks as always to my fine colleagues Pepijn Bruienne, Rich Trouton, Allister Banks, Mike Lynn, and Ben Toms for contributing advice and code.
Update: Via Patrick Fergus comes an important update: another way to check is to use System Profiler. Look in Software > Installations, “Incompatible Kernel Extension Configuration Data”,
14U2129 = bad,
14U2130 = good,
sudo softwareupdate --background-critical to update to the new version.
Update Two: Via Rich Trouton, a longer, more detailed examination of the issue. Still not sure how this one made it out of QA.
Update Three: Via many sources, Apple has provided a technote for those who were affected. In addition, Rosyna Keller has posited a reasonable theory for why this happened: this was supposed to be released after the upcoming release of 10.11.4, which could contain a security patch for the Apple Ethernet Kernel Extensions that were blocked yesterday. Kernel Extensions are blocked based on name and version identifier. If the Kernel Extensions were revised upward – say, for a security release – then it’s very possible that this is the reason things were done.
What remains to be seen is why they released this change now as opposed to after 10.11.4 shipped and had been in the field for some time. Given the catastrophic effect on systems, though, it’s possible this was just an intern with a faulty commit button that wasn’t caught. Neither makes me feel warm and fuzzy about the state of software coming from Apple.
A special edition of Techno Bits due to yesterday’s court events surrounding the iPhone and Encryption:
Late yesterday, Apple released a letter to their customers, signed by CEO Tim Cook, concerning device encryption. Earlier in the day, a Federal Court, at the request of the Department of Justice, issued a technical assistance order to Apple to get them to comply. The phone belongs to a deceased person accused of shooting a number of people in an attack on a county facility in San Bernardino, California, and the iPhone 5C is locked. The FBI would like access to the locked device, presumably to determine whether the deceased was part of a terrorist cell, acting alone, or something even far more nefarious. Given the FBI’s mandate, it is not a surprise that they want access to the phone.
While this particular request is grantable (and attacks against A7 phones and later are not), it shouldn’t be granted. We should not be giving anyone the ability to crack a locked iPhone, because developing those tools is admitting that they should be given to any government, not just ours.
This week in Techno Bits vol. 60: Packaging Isn’t (Quite) Dead yet, some feedback on last week’s issue that sparked a lot of commentary. There are updates to the idea of a future without packages and why we might not be there just yet that you should catch up on. I’ve also got a download of my favorite talks from MacADUK, as well as some commentary on the nature of getting ahead vs. doing good.
This week’s newsletter contains highlights from the MacADUK conference, put on by Amsys in London, England this week. It was an incredible show where I got to talk with a lot of really great admins, kick around good ideas, ponder appropriate security changes necessary for our production environments, and plan for a better tomorrow. One particular discussion at the pub on Tuesday night led to the longest section of this week’s newsletter: what if the end of the .pkg as we know it is upon us? What if the tool we use for deployment every day was suddenly curtailed by a change at Apple?
Chris Dawe from Wheelwrights LLC and I co-presented this deck at the Mac Admin & Developers Conference in London on Tuesday, February 9th 2016. Our focus was on leveraging native, 3rd party, and cross platform tools to help manage, troubleshoot and plan small, medium and large-scale WiFi networks across sites large & small.
Our presentation notes are available for download as a PDF file: A WiFi Toolkit – MacAdUK 2016
Some tools that we’ve mentioned include:
- Adrian Granados – WiFi Explorer (MAS and non-MAS)
- Adrian Granados – AirTool (free)
- Adrian Granados – WiFi Signal (MAS)
- Wireshark – Free & OS
- Open Source – Kismac (free)
- Etwok – NetSpot (non-MAS)
- Ekahau – SiteSurvey (Windows)
- Metageek – Chanalyzer (Windows)
- Metageek – InSSIDer Office (Mac + Windows)
Some resources that are helpful:
- Wireshark Cheat Sheet for Wi-Fi (PDF Download)
- Revolution Wi-Fi
- Wi-Fi Trek: Prague
- Apple iOS Deployment Guide (PDF Download)
- MacAdmins Slack – channels #wifi #networknerdery #meraki #aerohive
- Cisco Best Practices Guide for Apple Device Deployment (PDF Download)
- Aerohive High Density Network Design Guide (PDF Download)
- Meraki High Density Microsite
This week’s edition of Techno Bits has a bunch of detail on Office 2016, a progress report on my regular use of an iPad Pro as my primary computer, and a bunch of useful links and articles.
In the final volume of Techno Bits for 2015, there’s a reminder of how important community is to our common interest, some news of changes afoot in Microsoft Office 2016 for the Mac, and a bunch of good links (Wi-Fi Keys! The Pixel C! Airwatch’s REST API! Craig Federighi!)
I’ll have a state-of-the-product post up next week on the future of Munki in a Box.