macOS
macOS is the operating system developed by Apple for their Macintosh computers. It is the software that runs on Apple's desktop and laptop computers, providing users with a graphical user interface (GUI) and a wide range of features and functionalities. macOS offers a seamless integration with other Apple devices and services, along with a rich ecosystem of applications and software. It provides a user-friendly and secure computing environment for Mac users, enabling them to perform various tasks, access the internet, run applications, and manage their files and data.
- Apple Silicon M1 / M2 Native Client Support and Rosetta
- Bootstrap Token Management on macOS
- Change Administrator User Password on macOS
- Customised Screen Saver (macOS)
- Deploy Folder with Icons (macOS)
- Deploying CUPS printers (macOS)
- Microsoft Enterprise Platform Single Sign-on for macOS
- EUD Security Guidance: macOS 10.13+
- FileVault
- Firmware Password (macOS 10.14 Mojave+)
- Full macOS Model name to Inventory (Custom Field)
- Hide local macOS admin users
- How to Create Local User Accounts on macOS 10.15+
- Login Window Banner (Agreement Policy) for macOS
- macOS 11 Compatible Devices (Custom Field)
- macOS 14 Compatible Devices (Custom Field)
- Message to macOS User
- Notify Users with a dialog (macOS)
- Remove Casper JSS Client Components
- Understanding Free Space on APFS Volumes
- Wipe Device for macOS
- Troubleshooting
Apple Silicon M1 / M2 Native Client Support and Rosetta
What
14.8+ FileWave Client PKG installer now installs a native M1 or M2 client, negating the need for Rosetta 2.
Prior FileWave client installers were Intel-only and relied on the PKG installer to install Rosetta 2 for M1 / M2 compatibility. Rosetta 2 is not removed from clients that already have it. Since clients newly enrolled with 14.8.x+ will not install Rosetta 2, any other software that needs Rosetta 2 will require a Fileset to install it.
Note that the Administrator app still requires Rosetta 2.
When/Why
This change only matters for Apple M1 / M2 devices: the installer is now a universal binary that runs natively on either processor type.
How
Both the standalone DMG installer and the Custom PKG will now support both Intel and M1 / M2 natively. Create a new 14.8+ FileWave client installer from our Custom PKG Builder. The client upgrade Fileset will naturally be taken as native by macOS also.
Enable Rosetta 2
Below is an example of a script that could be used to enable Rosetta 2 through FileWave if still required for other software like the FileWave Administrator app:
#!/bin/zsh
# Installs Rosetta 2 non-interactively on Apple Silicon Macs running macOS 11 or later.
exitcode=0

# Determine OS version
osvers=$(sw_vers -productVersion)

# Check to see if macOS is 11 or greater (major version only)
if [ ${osvers%%.*} -ge 11 ]; then
    # Check processor type: "arm" on Apple Silicon, "i386" on Intel
    processor=$(/usr/bin/uname -p)
    if [[ "$processor" != "arm" ]]; then
        echo "$(date) processor: ${processor}. No need to install Rosetta."
    else
        # oahd is the Rosetta translation daemon; if it is not running, Rosetta is not installed.
        if [[ ! $(/usr/bin/pgrep -x oahd) ]]; then
            # Perform a non-interactive install of Rosetta.
            /usr/sbin/softwareupdate --install-rosetta --agree-to-license
            if [[ $? -eq 0 ]]; then
                echo "$(date) Rosetta has been successfully installed."
            else
                echo "$(date) Rosetta installation failed!"
                exitcode=1
            fi
        else
            echo "$(date) Rosetta already installed. Nothing to do."
        fi
    fi
else
    echo "$(date) Mac is running macOS $osvers"
    echo "$(date) No need to install Rosetta on this version of macOS."
fi
# Return a non-zero status on failure so the Fileset status reflects it
exit $exitcode
Here is a Fileset that uses the above example script: Install Rosetta 2.fileset.zip
Bootstrap Token Management on macOS
With FileWave 13.2, support for Apple's Bootstrap Token management has been added.
Introduction
macOS 10.15 Catalina introduces a new method of SecureToken enablement called Bootstrap Token. This is a new MDM-based management feature to automatically provide a SecureToken on all mobile account logins. This does not affect how local accounts get SecureTokens.
What is SecureToken?
Apple introduced Secure Token as a method of creating a “chain of trust” on a machine. The result was that only a trusted user could be created from another trusted user, and only those trusted users could leverage FileVault. This ensured that - from Apple’s perspective - the machine and users on it are secure.
For many Mac admins, the Secure Token feature introduced with macOS High Sierra has been a cause for great consternation. It has forced IT teams to adjust their management workflows to be able to administer and manage devices differently, given that Secure Tokens are critical in order to safely create Mac users and manage their FileVault full disk encryption (FDE) credentials.
Why the Consternation with SecureToken?
The challenge presented by the introduction of Secure Token was that the chain of trust ultimately made user and FileVault management much more challenging. An organization’s mobile and network accounts with Apple devices did not have the ability to create users that would be granted Secure Tokens.
Only the original user on the machine was granted a Secure Token and only that account could go on to create subsequent users that would properly be granted a Secure Token. This overhead severely impacted the ability of Mac admins to remotely manage their fleet of Mac systems.
What is the Benefit of Bootstrap Token?
Catalina can give the first mobile account to log in a SecureToken if no other accounts have a SecureToken yet, but the benefit of Bootstrap Token comes when multiple users log into an encrypted machine. All mobile accounts that log in automatically get a SecureToken without having to hand one off manually.
What Happens Under the Hood?
If the MDM server supports Bootstrap Token management, it must send the Settings command with an MDMOptions dictionary containing BootstrapTokenAllowed = true to the device during enrollment. The device will then send SetBootstrapToken and GetBootstrapToken requests to the MDM server at the appropriate times.
To check the current status see "checking status" below
There are two main communications for SecureToken: SetBootStrapToken and GetBootstrapToken.
SetBootstrapToken request
When the first admin account (the account that receives the first SecureToken) is created (see Figure 1.1), the device sends the MDM request SetBootstrapToken (this requires a DEP-enrolled client) to the FileWave MDM server. The MDM server handles this request by storing the Bootstrap Token for the device in the appropriate place (FileWave encrypts it and stores it in the inventory database).
Figure 1.1
Warning: There is one limitation - if you automatically create an admin during enrollment, the SetBootstrapToken request will not be sent. The Setup Assistant account options behave as follows:
- Figure 1.2 - Not suppressed (token sent): this is the default DEP behaviour
- Figure 1.3 - Suppressed (token will not be sent): the Setup Assistant user is a standard user
- Figure 1.4 - Suppressed (token will not be sent): no user is created during Setup Assistant
Trigger Escrow
Escrow of the Bootstrap Token to the server can be triggered manually on the device with:
sudo profiles install -type bootstraptoken
The command asks for the name and password of a SecureToken-enabled administrator. If the SetBootstrapToken request was accepted by your MDM server, the command reports that the token was escrowed. If it returns an error instead, the FileWave server may not be able to handle the request; make sure it is running 13.2 or greater.
GetBootstrapToken request
When a new mobile account is created (manually or automatically, see the "Examples" section), the device sends the MDM request GetBootstrapToken (this again requires a DEP-enrolled client) to the MDM server. The MDM server should handle this request by returning the stored Bootstrap Token for that device. As a result, when a mobile account logs in, a SecureToken is enabled on the account. The list of users that can unlock the FileVault disk can be shown with:
diskutil apfs listcryptousers /
There you can see the UUID of the mobile account as well as the Bootstrap Token External Key:
Cryptographic users for disk1s5 (9 found)
|
+-- JJJJJJJJ-UUUU-IIII-OOOO-AAAAAAAAAAAA
| Type: Local Open Directory User
|
+-- KKKKKKKK-LLLL-MMMM-NNNN-BBBBBBBBBBBB
| Type: MDM Bootstrap Token External Key
|
+-- GGGGGGGG-WWWW-QQQQ-ZZZZ-CCCCCCCCCCCC
| Type: Local Open Directory User
|
+-- BBBBBBBB-AAAA-MMMM-BBBB-AAAAAAAAAAAA
| Type: iCloud Recovery User
|
+-- DDDDDDDD-0000-EEEE-DDDD-EEEEEEEEEEEE
| Type: iCloud Recovery External Key
|
+-- TTTTTTTT-0000-WWWW-TTTT-WWWWWWWWWWWW
| Type: Personal Recovery User
|
+-- NNNNNNNN-EEEE-SSSS-NNNN-EEEEEEEEEEEE
| Type: Institutional Recovery User
|
+-- JJJJJJJJ-0000-CCCC-JJJJ-CCCCCCCCCCCC
| Type: Institutional Recovery External Key
|
+-- AAAAAAAA-EEEE-FFFF-CCCC-DDDDDDDDDDD
Type: Personal Recovery Key
Compare that list with the output of
sudo fdesetup list
which shows the same UUIDs for the accounts that hold a SecureToken (the MDM Bootstrap Token External Key has no counterpart here, as it is the MDM-held key, not a user):
localadmin,JJJJJJJJ-UUUU-IIII-OOOO-AAAAAAAAAAAA
mobileaccount,GGGGGGGG-WWWW-QQQQ-ZZZZ-CCCCCCCCCCCC
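The comparison between the two commands above can be scripted. The following is an added example and not part of the original article or of FileWave: it parses the two outputs, confirms that an MDM Bootstrap Token key is present on the volume, and lists any SecureToken holder whose UUID is missing from the cryptographic user list (an account that would not be offered at the FileVault preboot screen). The sample outputs embedded in the script are constructed, reusing the placeholder UUIDs shown above; the live run with --live assumes it is executed as root.

```shell
#!/bin/bash
# Added example (not FileWave's code): cross-check SecureToken holders (fdesetup list)
# against APFS cryptographic users (diskutil apfs listcryptousers) and check that the
# MDM Bootstrap Token key exists. The sample texts below are constructed for the example.

SAMPLE_CRYPTO='Cryptographic users for disk1s5 (3 found)
|
+-- JJJJJJJJ-UUUU-IIII-OOOO-AAAAAAAAAAAA
|   Type: Local Open Directory User
|
+-- KKKKKKKK-LLLL-MMMM-NNNN-BBBBBBBBBBBB
|   Type: MDM Bootstrap Token External Key
|
+-- GGGGGGGG-WWWW-QQQQ-ZZZZ-CCCCCCCCCCCC
    Type: Local Open Directory User'

SAMPLE_FDE='localadmin,JJJJJJJJ-UUUU-IIII-OOOO-AAAAAAAAAAAA
mobileaccount,GGGGGGGG-WWWW-QQQQ-ZZZZ-CCCCCCCCCCCC'

# crypto_users_of_type <listcryptousers text> <Type string> -> UUIDs with exactly that type
crypto_users_of_type() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^\+-- /  { uuid = $2; next }
    /Type: /  { sub(/^.*Type: */, ""); if ($0 == want) print uuid }'
}

# has_bootstrap_token <listcryptousers text> -> 0 if the MDM Bootstrap Token key is on the volume
has_bootstrap_token() {
  [ -n "$(crypto_users_of_type "$1" "MDM Bootstrap Token External Key")" ]
}

# securetoken_users_not_in_preboot <fdesetup list text> <listcryptousers text>
# -> account names that hold a SecureToken but whose UUID is not an APFS crypto user
securetoken_users_not_in_preboot() {
  printf '%s\n' "$1" | while IFS=, read -r name uuid; do
    [ -n "$name" ] || continue
    uuid="${uuid# }"                       # tolerate "name, UUID" spacing
    if ! printf '%s\n' "$2" | grep -qF -- "$uuid"; then
      printf '%s\n' "$name"
    fi
  done
}

# report <fdesetup list text> <listcryptousers text> -> 0 only if the token is present
# and every SecureToken holder is also a crypto user
report() {
  local ok=0 missing
  if has_bootstrap_token "$2"; then
    echo "Bootstrap Token key: present"
  else
    echo "Bootstrap Token key: MISSING (run: sudo profiles install -type bootstraptoken)"
    ok=1
  fi
  missing=$(securetoken_users_not_in_preboot "$1" "$2")
  if [ -n "$missing" ]; then
    echo "SecureToken holders not in preboot list: $missing"
    ok=1
  fi
  return $ok
}

# Run against the live system only when asked (fdesetup list needs root).
if [ "${1:-}" = "--live" ]; then
  report "$(/usr/bin/fdesetup list)" "$(/usr/sbin/diskutil apfs listcryptousers /)"
fi
```

Run it as `sudo ./check_tokens.sh --live` on a device; without the flag it only defines the functions, so it can be sourced or pasted into a Custom Field script that calls report and uses its exit status.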
Check Escrow/Server Status
To check whether the server supports Bootstrap Token and whether the token has been escrowed, run on the device:
profiles status -type bootstraptoken
The output reports two things: whether the server supports Bootstrap Token, and whether the token has been escrowed to it. If the token was not escrowed (the SetBootstrapToken request was not sent to the MDM server or was not handled by it properly), the escrow line says so and you can trigger the escrow manually (see "Trigger Escrow"). If the token is already on the server, both lines report success.
Examples when Bootstrap Token helps
Example 1 - mobile account is created manually by an admin who does not have a Secure Token
Problem:
On macOS 10.15+ with FileVault turned on, logging in with a network account that has no Secure Token prompts for the name and password of an administrator who does have one.
Figure 2.1
Solution:
With the token escrowed there is no need to enter a SecureToken administrator's name and password: "Bypass" can be pressed safely, and the new mobile account will be shown at the startup (FileVault preboot) window after the device reboots.
To remove the SecureToken from an admin, an existing SecureToken administrator uses (pass - as a password to be prompted instead of putting it on the command line):
sysadminctl -secureTokenOff <username> -password <password> -adminUser <admin username> -adminPassword <admin password>
To check whether a user has a Secure Token, use:
sysadminctl -secureTokenStatus <username>
Example 2 - mobile account is created automatically when a Mobility profile is used
With macOS 10.15 and FileVault turned on, a Mobility profile was installed on the device with the option 'Create mobile account when user logs in to network account'.
Figure 2.2
After a network account login, a mobile account is created automatically (as if the "Bypass" button of the "Enter a SecureToken ..." dialog had been pressed). The new mobile account will be shown at the startup window after the device reboots.
In comparison: when the same actions are done on macOS 10.14, there is one additional dialog (see Figure 2.1) asking for a SecureToken administrator's name and password during the auto-creation of a mobile user. If "Bypass" is pressed, the new mobile account will not be shown at the startup window after the device reboots, and FileVault has to be enabled manually for each new mobile account.
Summary
If FileVault is already encrypted, the new mobile account(s) will be added to the preboot unlock user list automatically. No need to update preboot and do other additional work like past OSes.
Change Administrator User Password on macOS
This article will guide you through importing a Fileset that will give you the ability to change the Administrator password on macOS devices.
Requirements:
- FileWave Admin
- macOS Client
Steps to Deploy:
1. Download and import the Fileset
- Download Change Admin Password (Ventura+).fileset.zip
- Import the Fileset into FileWave Admin.
2. Edit the Environment Variables
- This Fileset uses Environment Variables to determine the Admin username, current password, and new password. Edit these variables to add your Admin account information and the new password.
- To do this, double-click the Fileset to open it, navigate to the script, and update the Environment Variables.
- The current and new passwords sit in clear text in the Fileset's environment variables, so restrict which administrators can open this Fileset and retire it once the change has been deployed.
3. Test your deployment
- Deploy the Fileset to a test device that has this Admin account and update the model.
- Verify the new password works after deployment.
Tested on macOS Ventura and Sonoma (macOS 13+). The script should reflect a proper success or failure in Fileset Status if the AdminPassword or AdminUsername value is incorrect.
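The Fileset's own script is not reproduced on this page. The following is an added example of how such a script can report success or failure reliably; it is not the Fileset's code. The variable names ADMIN_USERNAME, ADMIN_PASSWORD and NEW_PASSWORD are assumptions, as is the minimum length check. The inputs are validated first, the current password is verified against the local directory before anything is changed, and the new password is verified again afterwards, so a non-zero exit only ever means "nothing usable happened" or "the change did not take".

```shell
#!/bin/bash
# Added example, not the Fileset's own script: change a local admin's password from
# Fileset environment variables and exit non-zero on any failure so Fileset Status shows it.
# The variable names ADMIN_USERNAME, ADMIN_PASSWORD and NEW_PASSWORD are assumptions.

# validate_inputs <user> <current> <new> -> 0 if the values are usable, 1 with a reason on stderr
validate_inputs() {
  local user="$1" current="$2" new="$3"
  [ -n "$user" ]    || { echo "ADMIN_USERNAME is empty" >&2; return 1; }
  [ -n "$current" ] || { echo "ADMIN_PASSWORD is empty" >&2; return 1; }
  [ -n "$new" ]     || { echo "NEW_PASSWORD is empty" >&2; return 1; }
  [ "$current" != "$new" ] || { echo "new password is the same as the current one" >&2; return 1; }
  [ "${#new}" -ge 8 ] || { echo "new password is shorter than 8 characters" >&2; return 1; }
  case "$user" in
    *[!A-Za-z0-9._-]*) echo "username contains unexpected characters" >&2; return 1 ;;
  esac
  return 0
}

# password_accepted <user> <password> -> 0 if the local directory authenticates the pair.
# macOS only. The password is passed as an argument, so it is visible in a process listing
# for the instant the check runs; acceptable here because the script already holds it in
# an environment variable readable by the same user.
password_accepted() {
  /usr/bin/dscl /Local/Default -authonly "$1" "$2" >/dev/null 2>&1
}

# change_password <user> <current> <new> -> 0 only if the change was made and verified
change_password() {
  local user="$1" current="$2" new="$3"
  validate_inputs "$user" "$current" "$new" || return 1
  if ! password_accepted "$user" "$current"; then
    echo "current password for $user was rejected; nothing changed" >&2
    return 1
  fi
  # Authenticating as the account itself keeps its SecureToken intact.
  /usr/sbin/sysadminctl -adminUser "$user" -adminPassword "$current" \
      -resetPasswordFor "$user" -newPassword "$new" >/dev/null 2>&1 || {
    echo "sysadminctl failed for $user" >&2
    return 1
  }
  if ! password_accepted "$user" "$new"; then
    echo "change reported success but the new password does not authenticate" >&2
    return 1
  fi
  echo "password for $user changed"
}

# Only run when the Fileset supplied the variables (so the functions can be sourced elsewhere).
if [ -n "${ADMIN_USERNAME:-}" ]; then
  change_password "$ADMIN_USERNAME" "$ADMIN_PASSWORD" "$NEW_PASSWORD"
  exit $?
fi
```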
Customised Screen Saver (macOS)
Description
Create a customised macOS Screen Saver (.saver) to simply display an image or more advanced HTML/Javascript code.
Ingredients
- FileWave Central
- Example Fileset: Example_FileWave.saver.zip
Taken from: https://github.com/tlrobinson/WebSaver
Directions
Fileset Installation
- Download and unzip the example Fileset listed above.
- Import into FileWave Admin
Customise ScreenSaver Name (Optional)
- Open Fileset Contents
- Expand /var/scripts/498452 (Number will differ to example)
- Select file: FileWaveExampleScreenSaver.sh
- Select Get Info > Executable (Tab)
- Set LaunchArgument 1 to the desired name (replacing FileWave)
- Repeat the Get Info > Executable step for the file RemoveFileWaveScreenSaver.sh, setting the same name.
Customise the Source File (Optional)
- Replace the following file with the desired image: /tmp/FileWave.saver/Contents/Resources/fw.png
- Edit /tmp/FileWave.saver/Contents/Resources/index.html and replace "fw.png" with the filename of the new image from step 1.
Optional
Replace the entire contents of index.html with custom HTML/JavaScript if desired. Keep the content local to the bundle: a screen saver used at the login window renders before anyone has authenticated, so it should not depend on or load remote content.
Test
Associate the Fileset to a test machine. On installation the example screen saver should be listed in the Screen Saver preferences and display the bundled image.
Set Screen Saver as Default
- Open Profile Editor and Select Login Window
- Set 'Use screen saver module at path' to /Library/Screen Savers/FileWave.saver (replace FileWave.saver to match your custom name if changed above)
Login Window Profile Requirement
Edit any already existing "Login Window" Profile. If first time use of "Login Window" payload, please make sure to review all other Profile settings.
Deploy Folder with Icons (macOS)
Description
The following demonstrates how to successfully deploy folders with custom icons. There have been changes by Apple which means previous methods may fail to present the icon.
Information
This process will involve:
- Creating a fileset that includes the folders with icons
- Creating an Activation Script
- Change the properties of the script to include the paths to the folders
1. Create the Fileset
To build the fileset, the folder requires a custom icon. To add a custom icon, choose Get Info on the Folder (this could be an Application) and drag the icon or image file onto the folder icon at the top of the window:
Create a standard Fileset using this Folder or App.
2. Create An Activation Script
Highlight the Fileset and choose the Script icon.
In the window that opens, select Activation Script and then choose to create a script. In this example the script was called 'add-xattr.sh'. The script should contain the following:
#!/bin/bash
# Each launch argument is the path of a folder (or app bundle) carrying a custom icon.
# Write a 32-byte FinderInfo with the kHasCustomIcon flag (0x0400 at bytes 8-9) so
# Finder looks for the icon inside the folder.
for directory in "$@"
do
    xattr -wvx com.apple.FinderInfo '00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00' "$directory"
done
3. Change the Script Properties
Once created, highlight the script and choose 'Properties'
The Executable tab should be edited to match the path to the location of your Folder or Application containing the custom icon.
Associate the Fileset and on deployment the Folder or Application will have the chosen icon. The image itself lives in the hidden Icon file (named "Icon" followed by a carriage return) that Finder placed inside the folder, carrying the icon in its resource fork; the FinderInfo flag only tells Finder to use it, so make sure the Fileset carries that file and its resource fork as well.
Multiple Folders with Icons
The Fileset can contain multiple folders with custom icons. For each folder containing a custom icon, add an additional Launch Argument in the Executable tab to match.
Deploying CUPS printers (macOS)
Before you begin
We first need to set up the CUPS printers on a single test device. Once they are set up manually, test each individual printer and ensure it works as you'd like before proceeding. Set up ONLY the printers you want to deploy via CUPS in this method. If possible, have these as the only printers on the device to make things easier.
Creating Fileset
1.) Create a new folder on your Desktop (or anywhere safe) titled cups.
2.) Copy the following files from /etc/cups on the test device into your cups folder:
- printers.conf
- printers.conf.O
- the entire ppd folder
The ppd folder should show the names of all the printers you set up manually. If it contains printers you don't want to deploy, delete them from the ppd folder in the new location before proceeding. Check the DeviceURI lines in printers.conf as well: a queue set up with embedded credentials (for example an smb:// URI carrying a username and password) would ship those credentials to every client.
3.) Open Terminal and make the config files readable. The originals are readable only by root, so use sudo; read permission is all that is needed:
$ sudo chmod 644 /Users/<your user here>/Desktop/cups/printers.conf
$ sudo chmod 644 /Users/<your user here>/Desktop/cups/printers.conf.O
To make things easier you can type sudo chmod 644 and then drag/drop the file into Terminal to have it fill in the path.
4.) Create a new empty fileset: Filesets > New Desktop Fileset > Empty
5.) Open your fileset by double-clicking on it and uncheck "Hide unused folders".
6.) Click on etc/ to highlight it and then click "Import File/Folder". If asked to replace a folder, go ahead.
7.) Import the cups folder that you created on your desktop.
8.) In the fileset click the arrow to the left of etc and then to the left of cups to show the contents of the folders. This should match the folder on your desktop with all files included.
9.) Highlight printers.conf, click "Get Info" at the top, click the Verification tab, select "Download if missing" and click Apply at the bottom right.
10.) Repeat step 9 for printers.conf.O.
11.) Test deploy by sending to a single machine and verify it works properly before deploying out to the rest of your clients.
The reason we change the verification settings for only these two files is that printers.conf and printers.conf.O change dynamically whenever printers are modified on the end computer. FileWave would otherwise detect the change and overwrite the config with what is in this fileset, potentially breaking the printers on your devices.
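Before importing the exported cups folder, it helps to check that printers.conf and the ppd folder agree and that no queue carries credentials. The script below is an added example and not part of this article or of FileWave: it parses the queue blocks of a printers.conf (the sample configuration inline is constructed), reports queues without a PPD and PPDs without a queue, and flags DeviceURI values that embed a username and password. It assumes PPD files are named <queue name>.ppd, as CUPS does.

```shell
#!/bin/bash
# Added example (not FileWave's code): sanity-check an exported printers.conf against the
# exported ppd folder before building the Fileset. The sample config is constructed.

SAMPLE_PRINTERS_CONF='# Printer configuration file for CUPS
<Printer Office_Color>
UUID urn:uuid:00000000-0000-0000-0000-000000000001
Info Office Color
DeviceURI ipp://print.example.com/printers/office-color
State Idle
Accepting Yes
</Printer>
<DefaultPrinter Office_Mono>
Info Office Mono
DeviceURI lpd://10.0.0.5/queue
State Idle
</DefaultPrinter>'

# list_queues <printers.conf text> -> one "name uri" line per <Printer>/<DefaultPrinter> block
list_queues() {
  printf '%s\n' "$1" | awk '
    /^<(Default)?Printer /   { name = $2; sub(/>$/, "", name); uri = ""; next }
    /^DeviceURI /            { uri = $2; next }
    /^<\/(Default)?Printer>/ { print name " " uri }'
}

# missing_ppds <printers.conf text> <ppd dir> -> queues that have no <name>.ppd in the dir
missing_ppds() {
  list_queues "$1" | while read -r name uri; do
    [ -f "$2/$name.ppd" ] || printf '%s\n' "$name"
  done
}

# stale_ppds <printers.conf text> <ppd dir> -> PPD files in the dir with no queue in the conf
stale_ppds() {
  local f name
  for f in "$2"/*.ppd; do
    [ -e "$f" ] || continue
    name=$(basename "$f" .ppd)
    list_queues "$1" | cut -d ' ' -f1 | grep -qx -- "$name" || printf '%s\n' "$name"
  done
}

# uris_with_credentials <printers.conf text> -> DeviceURIs of the form scheme://user:pass@host/...
# Those credentials would be deployed, readable, to every client that receives the Fileset.
uris_with_credentials() {
  list_queues "$1" | cut -d ' ' -f2 | grep -E '^[a-z]+://[^/@]+:[^/@]+@' || true
}

# Run against an exported folder only when one is given, e.g. ./check_cups.sh ~/Desktop/cups
if [ -n "${1:-}" ]; then
  conf=$(cat "$1/printers.conf")
  echo "queues without PPD:";     missing_ppds "$conf" "$1/ppd"
  echo "PPDs without queue:";     stale_ppds "$conf" "$1/ppd"
  echo "URIs with credentials:";  uris_with_credentials "$conf"
fi
```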
Microsoft Enterprise Platform Single Sign-on for macOS
What
With Platform Single Sign-on (Platform SSO), we can utilize SSO extensions that extend to the macOS login window, allowing users to synchronize local account credentials with an identity provider (IdP). In this case, we are combining what is provided here: Microsoft Enterprise S... | FileWave KB with Platform Single Sign-on for macOS - Apple Support. The local account password is automatically kept in sync after this configuration, so the cloud password and local password will match. Users will still be able to unlock their Mac with Touch ID and Apple Watch. The end result allows the user to log in with their Entra ID and password, or with their local account username and their synced Entra ID password.
When/Why
An Administrator who is managing a fleet of MacBooks may want to use this for another level of security or for taking advantage of the full integration that macOS now offers with SSO. You are offered the same benefits as listed in: Microsoft Enterprise S... | FileWave KB except with the added layer of further syncing the local account with your identity provider account.
How
Below are the requirements and the configuration steps for deployment.
Platform SSO Requirements:
- macOS 13 or later
- A mobile device management (MDM) solution that supports the Extensible Single Sign-on payload, including Platform SSO (in our case, devices enrolled in FileWave via DEP or User Approved enrollment)
- Support from the IdP for the Platform SSO authentication protocol
- One of two supported authentication methods:
  - Authentication with a Secure Enclave-backed key: a user who logs in to their Mac can use a Secure Enclave-backed key to authenticate with the IdP without a password. The Secure Enclave key is set up with the IdP during the user registration process.
  - Password authentication: the user authenticates with a local password or an IdP password.
- Note: If the Mac is unenrolled from the MDM solution, it is also unregistered from the IdP.
WS-Trust federation
WS-Trust federation is supported in macOS 13.3 or later. This allows Platform SSO to successfully authenticate users when their account is managed by an IdP federated with Microsoft Entra ID.
Deployment:
- Here is an example Profile Fileset ready to deploy in your environment with the default configuration: Profile - Entra ID Platform SSO.fileset.zip
- The Microsoft Company Portal app must be installed on the device, since it hosts the Microsoft Enterprise SSO extension. It can be installed manually by users or deployed over FileWave. You can download the Company Portal app here: Company Portal app
Please Note: On macOS devices, Apple requires the Company Portal app to be installed. Users don't need to use or configure the Company Portal app; it just needs to be present on the device.
End-user Interaction required:
After successful deployment, a notification appears on the user's device asking them to register the Mac with the identity provider.
After signing in and registering, go to System Settings > Users & Groups and click the 'i' next to your username; the account details now show the registration with the IdP, confirming that everything went through successfully.
Notes and Observations
- If two-factor authentication is enabled in your environment, whenever your end user opens a Microsoft Application, they will be presented with an 'Approve sign in request' as frequently as what is configured in your Domain's security settings.
EUD Security Guidance: macOS 10.13+
Information
The National Cyber Security Centre (NCSC) publishes various security guides. This article covers the macOS section of the End User Device Security Collection and how to use FileWave to monitor or follow the guidance as laid out:
From the document:
This guidance was developed following testing performed on MacBook Pro and MacBook Air devices running macOS 10.13 (High Sierra)
It's important to remember that this guidance has been conceived as a way to satisfy the 12 End User Device Security Principles. As such, it consists of recommendations and should not be seen as a set of mandatory instructions requiring no further thought.
Risk owners and administrators should agree a configuration which balances business requirements, usability and security.
Following the order of that guidance, here are some solutions. For descriptions of Configuration Profiles, please consult the FileWave Profile Editor section.
Custom Fields
Below are additionally some custom fields for reporting on the status of pertinent settings. These have been described as if using the new Custom Fields introduced in 12.7+.
For using these Custom Fields with earlier versions of FileWave, these will need to be added as Filesets and edited to write custom values to the client using fwcld.
The Custom Fields provided are examples using English. Where searching for text in response to a command is concerned, if the OS is running a different language, the script may need to be altered to match.
Assured data-in-transit protection, VPN Profile
VPN may be configured using Configuration Profiles
Assured data-at-rest protection, FileVault
FileVault may be configured using Configuration Profiles
Custom Field to show current FileVault status:
#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
#
# Below is an example of how to read the value of one ENVIRONMENT VARIABLE in your script:
# my_var=${ENV_VAR_NAME}
#
fv_status=$(fdesetup status 2>/dev/null)
error_code=$?
if [ $error_code -ne 0 ]
then
echo "Error: "$error_code
else
case $fv_status in
*"Off"*)
echo "Off"
;;
*"On"*)
echo "FileVault"
;;
*)
echo "$fv_status"
;;
esac
fi
exit 0
Custom Field to show if device supports FileVault Authenticated Restart. N.B. This requires FileVault to be enabled to work.
#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
#
# Below is an example of how to read the value of one ENVIRONMENT VARIABLE in your script:
# my_var=${ENV_VAR_NAME}
#
filevault_auth_bypass=$(fdesetup supportsauthrestart 2>/dev/null)
if [ $? -ne 0 ]
then
    echo Unsupported
else
    # fdesetup prints "true" or "false"; capitalise for the inventory field
    echo "$filevault_auth_bypass" | sed -e 's/^t/T/' -e 's/^f/F/'
fi
exit 0
Authentication
Either:
* Users have two passwords – one for FileVault 2, and one to login and unlock their device (see Provisioning Steps for how to achieve this)
* Or users have one password which fulfils both requirements.
The DEP profile can include a local admin account to be created during enrolment, which can be hidden. Note that creating the admin automatically during enrolment suppresses the SetBootstrapToken request (see Bootstrap Token Management on macOS above).
The user should be required to authenticate to the device in line with your organisation’s authentication policy (see Authentication Policy).
This user’s login password derives a key which encrypts certificates and other credentials, giving access to organisational services.
Secure boot
Set an EFI (firmware) password to make it more difficult for an attacker to modify the boot process. However, with physical access, the boot process can still be compromised.
On Intel Macs the firmware password can be set using the provided recipe: Firmware Password (macOS 10.14 Mojave+). Apple Silicon Macs have no firmware password; the equivalent control there is a recovery lock set through MDM.
Custom Field to show Firmware Status:
#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
#
# Below is an example of how to read the value of one ENVIRONMENT VARIABLE in your script:
# my_var=${ENV_VAR_NAME}
#
if [ -e /usr/sbin/firmwarepasswd ]
then
    # firmwarepasswd must run as root (the FileWave client does). Capture its output first
    # so the exit status checked is the tool's own, not awk's.
    firmware_output=$(firmwarepasswd -check 2>/dev/null)
    error_code=$?
    if [ $error_code -ne 0 ]
    then
        echo "Error: "$error_code
    else
        # "Password Enabled: Yes" -> "Yes"
        echo "${firmware_output##* }"
    fi
else
    echo "N/A"
fi
exit 0
Platform integrity and application sandboxing, SIP
System Integrity Protection (SIP) is on by default and is unlikely to be disabled. FileWave nevertheless has a default inventory item to check that SIP is enabled:
Application whitelisting
Use the MDM to whitelist default macOS applications. Use Gatekeeper to prevent the installation and running of unsigned applications. An organisation application catalogue can also be used which only contains enterprise-approved or in-house applications.
Custom Field to display Gatekeeper version:
#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
#
# Below is an example of how to read the value of one ENVIRONMENT VARIABLE in your script:
# my_var=${ENV_VAR_NAME}
#
defaults read /var/db/gkopaque.bundle/Contents/Info.plist CFBundleShortVersionString
exit 0
Malicious code detection and prevention
XProtect is built into macOS. It has a limited signature set which is maintained by Apple to detect widespread malware. XProtect will also restrict vulnerable plugin versions (such as Java) to limit exposure. Several third-party anti-malware products also exist which attempt to detect malicious code for this platform. Content-based attacks can be filtered by scanning capabilities in the organisation.
Custom Field to display XProtect version:
#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
#
# Below is an example of how to read the value of one ENVIRONMENT VARIABLE in your script:
# my_var=${ENV_VAR_NAME}
#
# Up to macOS 10.14 the XProtect version lived in CoreTypes.bundle; from 10.15 XProtect is
# a separate bundle under /Library/Apple, so try the newer location first.
xprotect_new=/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist
xprotect_old=/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
if [ -e "$xprotect_new" ]
then
    defaults read "$xprotect_new" CFBundleShortVersionString
else
    defaults read "$xprotect_old" Version
fi
exit 0
Security policy enforcement
Mark MDM profiles as non-removable so the user cannot remove them and alter their configuration.
General setting of each profile has an option to deny profile removal under the Security option.
External interface protection
USB removable media can be blocked through MDM if required. If an EFI password is set, DMA is only possible when the device is booted and unlocked.
Restrictions profile may be used to control access to external media
Device update policy
MDM can be used to audit which App Store software and OS versions are installed on a device. The guidance notes that its attached script turns on automatic updates because this could not be done remotely with MDM at the time.
FileWave can nevertheless push the com.apple.SoftwareUpdate preferences that control automatic checking, downloading and installation through a Custom Settings profile, so the setting can be enforced over MDM.
Event collection for enterprise analysis
macOS logs can be viewed by a local administrator on device, or from a distance using remote administration tools. Third-party software can also be used to automate log collection.
Client Info has an option to view Command History. Client Info and Client Monitor have the option to view FileWave logs by default.
Viewing macOS logs would involve another method. Options could include:
- Fileset Activation Script to read the file. Output of scripts can be viewed in the Fileset Status view; right click on Script and choose 'View Script Output'.
- Remote Control of device
- Fileset Script to upload these files to a secure share
Example Activation Script:
#!/bin/bash
# Since macOS 10.12 most messages go to the unified log rather than system.log, so
# /private/var/log/system.log is nearly empty on 10.13+; read the unified log instead
# and keep the window short, as the Fileset Status view is not meant for large output.
/usr/bin/log show --last 1h --style syslog
exit 0
Incident response
“macOS devices can be locked, wiped, and configured remotely by their MDM.”
Additional Custom Fields
Firewall Status:
#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
#
# Below is an example of how to read the value of one ENVIRONMENT VARIABLE in your script:
# my_var=${ENV_VAR_NAME}
#
fw_status=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)
error_code=$?
if [ $error_code -ne 0 ]
then
echo "Error: "$error_code
else
case $fw_status in
*"disabled"*)
echo "Off"
;;
*"enabled"*)
echo "Enabled"
;;
*)
echo "$fw_status"
;;
esac
fi
exit 0
Local Admins:
#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
#
# Below is an example of how to read the value of one ENVIRONMENT VARIABLE in your script:
# my_var=${ENV_VAR_NAME}
#
# Output is "GroupMembership: root user1 user2 ..."; fields 3 onwards skip the label and root.
/usr/bin/dscl . -read /Groups/admin GroupMembership | cut -d " " -f 3- | tr " " ","
exit 0
Hidden Admins:
#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
#
# Below is an example of how to read the value of one ENVIRONMENT VARIABLE in your script:
# my_var=${ENV_VAR_NAME}
#
declare -a HiddenAdmins=()
function check_hidden {
    while [ $# -gt 0 ]
    do
        # IsHidden is only present when it was set; a missing attribute means visible
        IsHidden=$(dscl . read /Users/$1 IsHidden 2>/dev/null | awk '{print $NF}')
        if [[ $IsHidden -eq 1 ]]
        then
            HiddenAdmins+=($1)
        fi
        shift
    done
}
check_hidden $(/usr/bin/dscl . -read /Groups/admin GroupMembership | cut -d " " -f 3-)
echo ${HiddenAdmins[@]} | tr " " ","
exit 0
Visible Admins:
#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
#
# Below is an example of how to read the value of one ENVIRONMENT VARIABLE in your script:
# my_var=${ENV_VAR_NAME}
#
declare -a VisibleAdmins=()
function check_hidden {
    while [ $# -gt 0 ]
    do
        IsHidden=$(dscl . read /Users/$1 IsHidden 2>/dev/null | awk '{print $NF}')
        if [[ ! $IsHidden -eq 1 ]]
        then
            VisibleAdmins+=($1)
        fi
        shift
    done
}
check_hidden $(/usr/bin/dscl . -read /Groups/admin GroupMembership | cut -d " " -f 3-)
echo ${VisibleAdmins[@]} | tr " " ","
exit 0
Installed Security Updates:
#!/bin/zsh
# Lists the Security Update identifiers found in the install history, deduplicated,
# as a comma-delimited value (",2020-002,2020-003,") for the custom field.
typeset -a output_array
typeset -A seen
get_pkg_name=0

# add_unique <value>: append to output_array unless already present
function add_unique {
    [[ -n "$1" ]] || return
    if [[ -z "${seen[$1]}" ]]
    then
        seen[$1]=1
        output_array+=("$1")
    fi
}

# zsh runs the last element of a pipeline in the current shell, so the arrays persist.
/usr/libexec/PlistBuddy -c 'Print' /Library/Receipts/InstallHistory.plist | while read -r line
do
    case "$line" in
        *"Security Update")
            # bare display name: take the version from the package identifier that follows
            get_pkg_name=1
            ;;
        *"Security Update"*)
            # e.g. "displayName = Security Update 2020-002": keep the last word
            add_unique "${line##* }"
            ;;
        *"com.apple.pkg.update.os"*|*"com.apple.pkg.update.10"*)
            if [ $get_pkg_name -eq 1 ]
            then
                sec_number=$(echo "$line" | awk -F "." '{print $(NF-1)}' | sed 's/[A-Za-z]*//g')
                add_unique "${sec_number}"
                get_pkg_name=0
            fi
            ;;
    esac
done
echo ",${(j:,:)output_array},"
exit 0
Firmware Unlock Seed (password recovery key). A new key is generated with each password change. Firmware password changes require a reboot before reporting correctly. Key may only be used by Apple.
#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
#
# Below is an example of how to read the value of one ENVIRONMENT VARIABLE in your script:
# my_var=${ENV_VAR_NAME}
#
# Retrieve firmwarepassword unlockseed. Response may only be used by Apple to unlock the device.
# Firmware status: 'firmwarepasswd -check' reports "Password Enabled: Yes" or "Password Enabled: No"
check_firmware=$(firmwarepasswd -check | awk '{print $NF}')
if [[ "$check_firmware" != "No" ]]
then
  # Discard only stderr; stdout must be captured or the seed is lost (&>/dev/null would swallow it)
  unlock_seed=$(firmwarepasswd -unlockseed 2>/dev/null)
  if [ $? -eq 0 ]
  then
    echo "$unlock_seed"
  else
    echo Error
  fi
else
  echo Disabled
fi
exit 0
Preparation for deployment
The steps below should be followed to prepare your organisation's infrastructure for hosting a deployment of these devices:
Set up an MDM server (e.g. Profile Manager on macOS Server). This may require setting up the Open Directory component of a macOS Server.
Ensure all Configuration Profiles are signed to prevent modification in transit, or post install
Create policies on Profile Manager for:
* Ensure 'Use SSL' is selected for all server settings
* VPN
* Passcode
* Disk encryption and key escrow
* Exchange/Mail/Calendar Settings.
* Disabling access to the Preference Panes in Restrictions (macOS) for iCloud and Network as access to these could be used to disable the VPN.”
FileWave can be used to mimic Profile Manager and much more.
It is worth noting however, that FileWave does not have the option to sign Configuration Profiles. This is a current Feature Request: FW-19687.
Recommendation in this case would be to use Profile Manager to sign the profile and then import this into FileWave. It is also possible to achieve this from the macOS command line:
/usr/bin/security cms -S -N "Certificate Common Name" -I "/path/to/original.mobileconfig" -o "/path/to/create/signed.mobileconfig"
Signing certificates can be generated if you have an Apple developer account, or if you already have a macOS Server running, and must then be added to the keychain prior to signing.
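As an added illustration (not FileWave's, NCSC's or Apple's code), the following script performs the same signing step with openssl instead of the macOS security tool and then shows the check that signing buys you: verification of the signed profile against the signer certificate, and rejection of a profile that was modified after signing. It assumes openssl is installed; the profile content and the self-signed signer certificate are constructed for the example.

```shell
#!/bin/sh
# Added example: sign a constructed .mobileconfig as CMS SignedData and verify it.
# openssl stands in for `security cms` so the check runs wherever OpenSSL exists (assumption).
set -eu

# Constructed minimal profile; a real one carries the actual payloads.
write_sample_profile() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadIdentifier</key><string>com.example.sample-profile</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
EOF
}

# Throwaway self-signed signing identity, standing in for the developer or
# macOS Server certificate mentioned above. $1 = key file, $2 = certificate file.
make_signer() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Profile Signer" -keyout "$1" -out "$2" 2>/dev/null
}

# Counterpart of: security cms -S -N "<name>" -I original -o signed
# $1 = profile, $2 = key, $3 = cert, $4 = signed output (DER, content attached).
sign_profile() {
  openssl cms -sign -binary -nodetach -outform DER \
    -signer "$3" -inkey "$2" -in "$1" -out "$4"
}

# Verify the signature against the trusted signer certificate and extract the
# profile; a non-zero status means the file is not what was signed.
# $1 = signed profile, $2 = trusted cert, $3 = extracted output.
verify_profile() {
  openssl cms -verify -inform DER -in "$1" -CAfile "$2" -out "$3" 2>/dev/null
}

# Runs the round trip in directory $1 and prints a one-line result.
demo() {
  d=$1
  write_sample_profile "$d/original.mobileconfig"
  make_signer "$d/signer.key" "$d/signer.crt"
  sign_profile "$d/original.mobileconfig" "$d/signer.key" "$d/signer.crt" "$d/signed.mobileconfig"

  if verify_profile "$d/signed.mobileconfig" "$d/signer.crt" "$d/verified.mobileconfig" &&
     cmp -s "$d/original.mobileconfig" "$d/verified.mobileconfig"; then
    verified=ok
  else
    verified=FAILED
  fi

  # Simulate a post-install modification: a same-length edit inside the attached
  # profile keeps the DER structure parseable, so only the content has changed.
  LC_ALL=C sed 's/sample-profile/sample-pr0file/' "$d/signed.mobileconfig" > "$d/tampered.mobileconfig"
  if verify_profile "$d/tampered.mobileconfig" "$d/signer.crt" "$d/tampered.out"; then
    tampered=ACCEPTED
  else
    tampered=rejected
  fi
  echo "verified=$verified tampered=$tampered"
}

WORK=$(mktemp -d)
demo "$WORK"        # prints: verified=ok tampered=rejected
rm -rf "$WORK"
```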
Policy Creations
- YES - Use SSL in various Payloads
- YES - VPN payloads
- YES - Passcode payloads
- YES - Disk Encryption with Personal and Institutional Recovery Key
- Partly - Profile may be applied to enforce both/either Institutional and Personal Recovery Key. Currently storing the Personal Recovery Key is not supported. There is a Feature Request for this: FW-20543
- YES - Exchange/Mail/Calendar Settings.
- YES - Disabling access to the Preference Panes in Restrictions (macOS) for iCloud and Network as access to these could be used to disable the VPN.
“Additional Consideration
* Whitelist applications to further reduce the risk of malicious code being executed
* Tighten permissions on USB mass storage and optical devices to help prevent data loss through removable media
* Use Restrictions to blacklist locations from which users should not run applications, or whitelist trusted applications that users are allowed to run
* Include internal CA Certificates where appropriate to ensure users can authenticate network services
* Include corporate network profiles (e.g. 802.1X or Wi-Fi) to ensure that network access credentials are distributed securely”
- YES - Whitelist applications to further reduce the risk of malicious code being executed
- YES - Tighten permissions on USB mass storage and optical devices to help prevent data loss through removable media
- YES - Use Restrictions to blacklist locations from which users should not run applications, or whitelist trusted applications that users are allowed to run
- YES - Include internal CA Certificates where appropriate to ensure users can authenticate network services
- YES - Include corporate network profiles (e.g. 802.1X or Wi-Fi) to ensure that network access credentials are distributed securely
Feature Requests
Where Feature Requests have been noted, please view release notes for added features in future updates.
This KB Contains public sector information licensed under the Open Government Licence v3.0.
http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/
FileVault
FileVault - Getting Started
Please Note
Setting up FileVault 2 with FileWave is supported with MDM enrolled macOS devices only! MDM enrolled devices are those that went through DEP enrollment or had the MDM profile installed manually.
These advanced steps are for system administrators and others who are familiar with the command line and FileWave.
What you need to begin
- FileWave version 12.9+
- macOS 10.9+ MDM enrolled in FileWave
- macOS devices have to be MDM enrolled in FileWave
What is FileVault 2
FileVault full-disk encryption (FileVault 2) uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk.
FileVault 2 has three different decrypting mechanisms:
- If a user is a part of "FileVault users", successful login unlocks FileVault
- A Personal Recovery Key (PRK) can be generated for each user and used to unlock FileVault
- An Institutional Recovery Key (IRK) - which is actually a cryptographic key pair - can be used to unlock FileVault
Setup
Full Disk Encryption Assistant
- Open the FileWave Admin
- Assistants → Full Disk Encryption Management → FDE Configuration Management...
- Once you click the "+" on the bottom left you will then be able to select the recovery key type on the right
- Personal (PRK): This will show the user their "FileVault Recovery Key", which the end user will need to keep for decryption (FileWave will be able to escrow this key later)
- Institutional (IRK): A key will need to be created on your macOS device and then imported into the Disk Encryption Configurations window. Please follow the steps below
Institutional Key Creation and Import
- Create an IRK keychain using the following command
sudo security create-filevaultmaster-keychain ~/Desktop/FileVaultMaster.keychain
- Unlock the keychain
security unlock-keychain ~/Desktop/FileVaultMaster.keychain
- Open Keychain Access Utility and Add (File > Add) the keychain you just created above
- Select the keychain you just added - it should contain both certificate and private key; select both and export both as .p12 file - protect the file with a password
- Back in the Disk Encryption Configurations window upload the p12 key you just created.
- Personal and Institutional (IRK and PRK): Provides the end user a personal key and the institutional key can be used as well
- Save
Disk Encryption Profile
Next, we will need to set up the Apple Profile that will configure and set up FileVault 2. Again your devices need to be MDM enrolled for this payload.
- Go to Filesets → New Desktop Filesets → Profile
- Once in the Profile Editor you will need to Fill out the General Payload then configure the Disk Encryption
- Now is the time to configure your FileVault 2 payload
If you are using the Escrow Personal Recovery Key you are required to put a description in the Escrow Location Description (macOS 10.13+) pane. This description can be informing the user where the key gets stored by default, which is /var/db/FileVaultPRK.dat. Or the description can be letting the user know to contact the technology department for more information.
IMPORTANT NOTE:
* If you use the option "User is not prompted for FileVault activation at login" There is a chance that FileVault may never fully activate. It is recommended you do not use this option.
* This payload can't be used in conjunction with other payloads in the same profile.
* Importing a profile with FileVault 2 options is not possible; FileVault 2 configuration must be created using the Assistant and Full Disk Encryption payload; if you try to import such a profile FileWave will have to remove FDE payloads before importing - FileWave can do it for you.
* If you had FDE payloads before upgrading to FileWave 12.9+, you won't be able to edit those profiles unless FileVault 2 options are removed - FileWave can do it for you.
* Escrow Personal Recovery Key is required for Authenticated Restart and being able to store the key in FileWave.
- From this point, you are ready to deploy this profile to your MDM enrolled macOS devices.
Disk Encryption Inventory Information
Now that you have FileVault 2 enabled on your device(s) you can view inventory pulled from the device(s) regarding the FileVault 2 settings:
- FDE Has Institutional Recovery Key
- FDE Has Personal Recovery Key
- FDE Is Enabled
- FDE Support
- Authenticated restart supported
- FDE Personal Recovery Key Hint Message
- Has FileWave recovery Key
Disk Encryption Recovery Key Escrow
When FileVault 2 is enabled, FileWave will keep track of the configuration applied and of the corresponding keys, such as the Institutional Recovery Key (IRK) used to encrypt the disk and the Personal Recovery Key (PRK).
To manage these keys go to Assistants → FDE Recovery Key Management...
Once you select a device you will be able to Show Personal Recovery Key... or Download Institution Recovery Key... depending on what configuration was used to set up FileVault on that machine.
You can also delete outdated entries but keep in mind if a device has FDE managed by FileWave, it's not possible to remove FDE keys from the assistant. You have to disable FDE or remove the device from FileWave first.
Status can be:
- Disabled
- Enabled
- Pending - this is the state reported by a device between the profile installation and FDE actually being enabled
PRK Status can be:
- Valid
- Cannot decrypt
- Invalid - no key or not a valid key
Authenticated Restart
macOS 10.13 NOT SUPPORTED
Authenticated restart using Personal Recovery Key does not work on macOS 10.13+ on APFS
This option is for Personal Recovery Key only; Institutional Keys are not supported with this option
When FileVault 2 is enabled, the device will be locked on startup. At this stage, FileWave does not connect to the device until the drive is unlocked. You need to be aware of this if you have FileVault 2 enabled on a device and then send out a Fileset that requires a reboot! After the reboot, the end-user will have to unlock the drive before the deployment can finish.
FileWave may be able to help with this using Authenticated Restart as a Fileset option. If you selected the option Escrow Personal Recovery Key when you created the Disk Encryption Profile to enable FileVault 2 then FileWave will be able to use the authenticated restart to unlock the drive without user interaction.
This option is located in the Fileset Properties for any Fileset you are requiring a reboot for.
Right-click on Fileset → Properties → Select Requires Reboot
Possible Security Risk
Keep in mind using this option can be seen as a security risk and should be used accordingly. The device will reboot unlocked so access to encrypted data is possible and until the device reboots, an escrow key is stored in memory but still encrypted.
Recent versions of macOS for FileVault IRKs
The use of Institutional FileVault keys, also known as Institutional Recovery Keys (IRK), is no longer recommended in recent versions of macOS, including macOS Ventura. The utility of IRKs for organizations has become limited, particularly on Macs with Apple Silicon, where IRKs provide no functional value. This is because IRKs can't be used to access recoveryOS, and because Target Disk Mode is no longer supported, the volume can't be unlocked by connecting it to another Mac.
Instead, the use of a Personal Recovery Key (PRK) is now recommended. A PRK provides an extremely robust recovery and operating system access mechanism, unique encryption per volume, escrow to MDM, and easy key rotation after use.
Moreover, there is only one PRK per encrypted volume. During FileVault enablement from MDM, the PRK can optionally be hidden from the user. When configured for escrow to MDM, MDM provides a public key in the form of a certificate, which is then used to asymmetrically encrypt the PRK in a CMS envelope format. The encrypted PRK is returned to MDM in the security information query, which can then be decrypted for viewing by an organization. Many MDM vendors provide the option to manage these keys to allow for viewing directly in their products. MDM can also optionally rotate PRKs as often as is required to help maintain a strong security posture—for example, after a PRK is used to unlock a volume.
Additional information on managing FileVault in macOS: Managing FileVault in macOS
Information regarding recent versions of macOS managing FileVault: Manage FileVault with mobile device management
FileVault 2 enabled on macOS ADE enrollment
What
Once you have started down the road of securing your data with FileVault (see FileVault - Getting Started), you may want to think about enabling FileVault at enrollment time for macOS systems.
When/Why
FileVault is a built-in encryption solution for macOS devices that will protect your data at rest. Think about a laptop issued to a Teacher or a Financial person and what would happen if that laptop was stolen. What data would be on it? Enabling FileVault is very simple, and adds some peace of mind. As of FileWave 15.2.0 and macOS 14.0 there is now an option available to enable FileVault from enrollment time.
How
Once you have gone through FileVault - Getting Started to understand how it is configured, and you are running at least FileWave 15.2.0 with devices that are at least macOS 14.0 then you can go to FileWave Central: Assistants -> DEP Association Management and make a profile with the below option enabled of "Force Setup Assistant to enable FileVault". Note that you will not be able to enable the option until you have created a profile that configures FileVault, but if you have gone through the Getting Started guide then you should have this created.
Once you have this enabled then you should be all set. Make this enrollment profile either the default or just assigned to specific devices. We always recommend testing things on one device first to be sure you are happy with the options, and to test your Institutional Recovery key to make sure it works with the password you believe it should.
Firmware Password (macOS 10.14 Mojave+)
Description
Apple has made some changes to this over time, through versions of macOS. The following is a method that should work with macOS 10.10+ machines. This recipe allows for creating, changing or deleting the Firmware password.
The script in this recipe sets the Firmware password of macOS devices. If set incorrectly, you could become locked out of the device. FileWave offers this script as is; use of this script is at the user's own understanding and risk, and FileWave holds no responsibility for devices that become locked and unusable. If concerned, please refrain from using this script.
macOS Catalina
This script has been tested successfully on macOS Catalina (10.15.x)
Ingredients
- FileWave
- macOS 10.11+
- Supplied Fileset - Set Firmware Password V1.1.fileset.zip
macOS versions
This method uses the binary 'firmwarepasswd'. This was known to exist in all versions of macOS 10.10 and above. It is possible that this was introduced in later versions of 10.9. However, FileWave 13+ supports macOS 10.11+.
Directions
- Download the above Fileset recipe and import into FileWave
- Duplicate the Fileset and append the name appropriately: New, Change or Delete
- Change the Launch Arguments to match the renamed duplicated Fileset based upon the below table
- Edit the script if required for reboot options or set Fileset Properties Reboot
- Associate, test and then deploy
Launch Arguments
To set the Launch Arguments
- Open the Fileset
- Select the script within the Fileset
- Choose Get Info
- Select Executable tab
There are 3 options for this fileset: New, Change or Delete. The Launch Arguments should be set as required based upon these options as seen in the table below:
Launch Argument | New | Change | Delete
1 | new | change | delete
2 | new password | new password | old password
3 | | old password |
Examples
Reboot Options
By default, the script will not reboot once completed. However, a reboot is required after setting. This could be achieved by setting the Fileset Properties. Alternatively, an option is built into the script to allow for this. Please edit the script appropriately:
reboot_flag=false
# Default - do not reboot at script end; consider using Fileset properties for reboot.
# Firmware password change requires reboot. Tests for alternate boot drive selected
# Alternative options: error, set or ignore
# Use ignore to set default to reboot
# Uncomment command as desired
# error: Script will abort and no firmware password will be set if set boot drive does not match current booted drive
# reboot_device error
# set: Script will set the firmware password without a reboot attempt if set boot drive does not match current booted drive
# reboot_device set
# ignore: Script will continue regardless, setting firmware password and rebooting
# reboot_device ignore
If choosing an option that does not reboot, the device will need a reboot before the firmware password setting is complete.
Options 'error' and 'set' will check whether the currently set boot drive matches the currently booted drive. If true, both options will continue to set the firmware password. If false, 'error' will exit with an error without any change, whilst 'set' will set the password but will not reboot.
All options: 'set', 'error' and 'ignore', will ensure (on success) that the current set boot drive matches the currently booted drive before rebooting.
Examples:
For the script to reboot, un-hash the following line:
# ignore: Script will continue regardless, setting firmware password and rebooting
reboot_device ignore
To allow the password to be changed, but only reboot if set boot drive matches currently booted drive, un-hash the following line:
# set: Script will set the firmware password without a reboot attempt
reboot_device set
Only un-hash one line from these options.
Firmware Password Unlock Seed
The unlock seed is a unique recovery key that can be used by Apple to unlock a device in the event of the password being forgotten. Please see the following KB for an example Custom Field that may be used to report this key:
EUD Security Guidance: macOS 10.13+
Full macOS Model name to Inventory (Custom Field)
Description
Need to know the full name, e.g. "Retina, 15-inch, Late 2013", rather than the Model Identifier "MacBookPro11,3"? The provided script will look up the name and write it to inventory as a custom field.
If necessary, please view the following for details on creating Custom Fields.
Information
Since the introduction of Apple's new randomized serial numbers, the method of using Apple's online lookup service does not work with these devices. However, all modern devices have a store of a product name locally on the device. The below method will check for the existence of a local name, but if not found, will query Apple instead based upon the Serial Number of the device.
Note, that the name stored locally may differ slightly from the one provided by Apple's lookup server. To give an indication of the difference in details see the below table (sometimes they will match):
Examples:
Name as indicated by Apple's servers and About This Mac | Name as stored in local file
MacBook Pro (13-inch, M1, 2020) | MacBook Pro (13-inch, M1, 2020)
MacBook Pro (Retina, 15-inch, Mid 2015) | 15" MacBook Pro with Retina display (Mid 2015)
iMac (21.5-inch, Late 2009) | iMac Intel Core 2 Duo (widescreen, Late 2009)
Mac mini (Late 2012) | Mac mini (Late 2012)
Virtual Devices
Virtual machines do not have legitimate Apple serial numbers by default, and you may use virtual machines with the FileWave client. Since the serial number is used to determine the macOS model, the script has additionally been designed to allow for machines built using VMware. Similar consideration could be taken for devices built with other virtualisation software: e.g. Parallels, VirtualBox, etc.
Script
Although this uses a local file, for older hardware information may be missing. In this instance it will attempt to pull the information directly from Apple:
#!/bin/zsh
mac_model=$(sysctl -n hw.model)
# VMware guests have no legitimate Apple serial number; report the identifier as-is
if [[ "$mac_model" =~ ^"VMware" ]]
then
  echo "$mac_model"
  exit 0
fi
# File that stores device information. Old models may not have this file. Additionally some models only have a description
# Information is not exactly the same as that reported through About This Mac, but is similar enough to suffice in most instances
apple_locale=$(defaults read /Library/Preferences/.GlobalPreferences.plist AppleLocale)
attr_file="/System/Library/PrivateFrameworks/ServerInformation.framework/Versions/A/Resources/${apple_locale}.lproj/SIMachineAttributes.plist"
model_name=""
if [ -e "$attr_file" ]
then
  # Use marketingModel if available
  model_name=$(/usr/libexec/PlistBuddy -c "Print :${mac_model}:_LOCALIZABLE_:marketingModel" "$attr_file" 2>/dev/null)
  # If not found, use description if available
  if [ -z "$model_name" ]
  then
    model_name=$(/usr/libexec/PlistBuddy -c "Print :${mac_model}:_LOCALIZABLE_:description" "$attr_file" 2>/dev/null)
  fi
fi
# If not found in plist check ioreg. Apple seems to have stopped populating the plist file, but does populate ioreg data now
if [ -z "$model_name" ]
then
  model_name=$(ioreg -c IOPlatformDevice | awk -F "\"" '/product-name/ || /product-description/ {print $(NF-1); exit}')
fi
# If still not found, try to get the details from Apple
if [ -z "$model_name" ]
then
  # The serial is read from ioreg rather than system_profiler, which has an unfixed bug on macOS 10.10.x
  serial_number=$(ioreg -l | awk -F "\"" '/IOPlatformSerialNumber/ {print $(NF-1)}')
  # Apple's lookup is keyed on the tail of the serial number:
  # 11-character serials use the last 3 characters, 12-character serials the last 4
  case ${#serial_number} in
    12)
      serial_number=${serial_number[-4,-1]}
      ;;
    11)
      serial_number=${serial_number[-3,-1]}
      ;;
    *)
      # Any other length (e.g. a randomised serial) cannot be looked up; fall back to the model identifier
      echo "$mac_model"
      exit 0
      ;;
  esac
  model_name=$(curl -s https://support-sp.apple.com/sp/product\?cc=$serial_number | sed 's|.*<configCode>\(.*\)</configCode>.*|\1|')
  # If this still fails, just return the hardware model details
  if [[ "$model_name" =~ "error" ]]
  then
    model_name="$mac_model"
  fi
fi
if [ -z "$model_name" ]
then
  echo "$mac_model"
else
  echo "$model_name"
fi
exit 0
Hide local macOS admin users
Description
Hide local admins at the login window
Ingredients
- FW Central
- Proper text editor (like TextWrangler - OS X or notepad ++ - Windows)
Directions
- Make an empty Fileset with a script that runs at activation.
- Use this code as an example of how to hide admins at login, and also show the "other..." option at the login window to still use the local admin account.
#!/bin/sh
# This script is a Postflight sample
# benm @ fw
# Hide the just-made admin account: Hide500Users hides accounts with a UID below 500 from the login window
echo "hiding local admins at the login window"
# enable hidden admins
sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES
# enable "other..." option at login window
sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool TRUE
- To show admins at the login window again. Send out:
sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool NO
How to Create Local User Accounts on macOS 10.15+
Description
Provided is a scripted recipe to create a local user account on macOS devices associated with the below Fileset. Options allow for creating:
- Admin or standard accounts
- Hidden or visible accounts
Other values may be specified.
Information
Requirements are:
- 'Create macOS user' Fileset - Create macOS User.fileset.zip
- Some consideration regarding user name, password and ID numbers
Customised values are set with the use of Environment Variables. Settings within the downloaded recipe are:
- username - unix shortname (no spaces)
- realname - long display name
- password - users password
- group_id - user's primary group id
- shell_type - e.g /bin/bash, /bin/zsh
- islocaladmin - set user to be a local admin TRUE/FALSE
- is_hidden - set user to be an invisible account TRUE/FALSE
- id_choice - set to be a dedicated value [static_id] or find next available value [next_id]
- unique_id - either the ID to use when id_choice is static_id or the beginning ID of a range of IDs to attempt when id_choice is set to next_id
- end_id - for next_id, the end value of the range of IDs to test; if it is reached without a free ID the script will exit 1
- enable_secure_token - enable secure token for the new user TRUE/FALSE
- admin_user - short name of a local administrator (only required if enable_secure_token is set as TRUE)
- admin_password - password of admin_user (only required if enable_secure_token is set as TRUE)
'id_choice'
This option states whether the ID to be used will be solely one preset value, or whether a range of values should be tested, with the first available one then being attempted.
static_id | When set as 'static_id', the value set in 'unique_id' will be used as the user's ID. If this value is already in use, the script will exit with an error.
next_id | When set as 'next_id', a range of values will be tested starting at 'unique_id' and ending with 'end_id'. The first available value found will be used. If none are found the script will exit with an error.
'username'
This is the short name of the user. If the name already exists on the device, the script will exit with an error.
'islocaladmin'
If set as TRUE, the new user will be added as an administrator of the device
'is_hidden'
If set as TRUE, the new user will be hidden
'enable_secure_token'
If set as TRUE, the new user will be enabled as a secure token user. This option requires the following values to also be set: admin_user and admin_password
Other
All other values should be edited as desired
Directions
To create a user:
- Download the above Fileset and import into FileWave
- Edit the Environment Variables as required
- Associate and Update Model to test devices
- Once tested associate to greater quantity or all devices.
Example
Consider a device that already has 3 local accounts, with user IDs 501, 502, 503. Settings could then be either:
- Variable: id_choice
- Value: static_id
- Variable: unique_id
- Value: 504
or may look something like:
- Variable: id_choice
- Value: next_id
- Variable: unique_id
- Value: 501
- Variable: end_id
- Value: 600
In the first instance, ID 504 will be attempted. This is useful if all devices are the same and it is considered desirable that all users of this name have the same ID on each device.
In the second instance, 501 will be attempted, then 502 and 503, when finally 504 will be met, found to be free, and then be attempted. This option is particularly useful for devices where an unknown quantity of user accounts may exist on each device and the users' ID is not considered important.
Considering this example with all other settings as default, the following account should be created:
NFSHomeDirectory: /Users/fwadmin
PrimaryGroupID: 20
RealName:
FileWave Admin
RecordName: fwadmin
UniqueID: 504
UserShell: /bin/zsh
Additionally, the user will be a local Admin, but the account is not set as hidden
Login Window Banner (Agreement Policy) for macOS
Description
Having your users accept a policy at the login window before they log in is easy.
Ingredients
- FW Admin
- macOS computer
- A text editor application
Directions
Creating the text file
- Open a text editor
Apple's TextEdit will work perfectly. Located in: Macintosh HD → Applications → TextEdit.app
- Add the information you'd like in the banner and save the file named PolicyBanner with any of these extensions:
- .txt - Plain Text - Saves as text only
- .rtf - Rich Text - Saves as text with features like color and font
- .rtfd - Rich Text Directory - Saves as text with color, font and images
A sample rtfd is attached ( PolicyBanner.rtfd_.zip ).
Placing the text file into the fileset
- Download the sample fileset ( Custom-LoginWindow-Agreement.fileset.zip )
- Import the fileset into FileWave Admin
- Open the fileset and the /Library/Security/ folder
- Replace PolicyBanner.txt with your PolicyBanner.txt or PolicyBanner.rtf or PolicyBanner.rtfd
- Change the permissions/owner so a user cannot edit the file.
Please Note: If you use the rtfd format:
1. The file will show up as a folder, as it has to include the picture and text as two separate files
2. URL or other Hyperlinks will not work when displayed at the login window
3. You will not be able to export the rtfd later due to its folder format.
Notes
See support.apple.com/kb/HT4788 For more information.
macOS 11 Compatible Devices (Custom Field)
Description
Details on identifying compatible devices for macOS 11 (Big Sur) using a Custom Field.
macOS | Custom Field, returns either: compatible or incompatible
Example query view:
Ingredients
- macOS - Custom Field exported file: Custom Big Sur Compatible Devices.customfields.zip
Directions
- Download the Custom Field exported file and unzip
- From the Admin console, open: Assistants > Custom Fields
- Choose Import
- After importing, select desired value for Assigned to all devices
- Save
Details for Importing and Exporting Custom Field Files
May be assigned to all devices, since Windows script is configured to return: NA
macOS 14 Compatible Devices (Custom Field)
Description
Details on identifying compatible devices for macOS 14 (Sonoma) using a Custom Field.
macOS | Custom Field, returns either: compatible or incompatible
Example query view:
Ingredients
- macOS - Custom Field exported file: FileWave CF macOS 14 Compatible.customfields
Directions
- Download the Custom Field exported file and unzip
- From the Admin console, open: Assistants > Custom Fields
- Choose Import
- After importing, select desired value for Assigned to all devices
- Save
Details for Importing and Exporting Custom Field Files
May be assigned to all devices, since Windows script is configured to return: NA
Message to macOS User
Description
This Fileset recipe shows you how to send a Message via a dialog box to a User currently logged on to a Mac, using a fileset.
This Fileset will make the FileWave Client wait with further deployments until the end user has acknowledged the dialog and closed it with "ok". If you want to change that behaviour so that it just displays a message and then deploys further filesets, refer to the last step of the recipe.
Ingredients
Directions
- Download the attached zip file, uncompress it and import it into FileWave Admin via Drag & Drop, or by clicking "New Desktop Fileset", "Import".
- Double-click the FileSet to display its contents, and drill down to the /usr/local/scripts folder.
- Click once onto the message.txt and then the "Edit Text" button on the top of the FileSet Window to edit the file. Adjust the message to what you need it to say, and confirm with "OK".
- Associate the FileSet to a Mac where somebody is currently logged in, update the model, and observe the message popup.
- If you want to change the behaviour of this fileset so that it just displays a message, and then goes on deploying further filesets, do the following:
- open the FileSet by double-clicking it
- drill down to the /usr/local/scripts folder
- click once onto the display-alert-on-current-users-desktop.sh, and then the "Get Info" button
- Select the "Executable" tab
- Uncheck the "Wait for executable to finish" checkbox
- Confirm with ok
- Test your fileset by associating it and running Model Update
Notify Users with a dialog (macOS)
Description
The provided Fileset is an example of notifying users, in particular here, a message regarding Fileset status when downloading and installing new Filesets.
The Fileset is designed to:
- Create a continual running service that monitors Fileset changes
- Where Fileset changes occur, begin monitoring the FileWave Client log file
- If a number of preset text strings are found in the log file, send this to the Notification Centre
- Lastly, where another preset text is found, stop monitoring the log file
The service has been built to be actioned automatically by the user logging in. Where Filesets are disassociated, each has a pre-uninstallation script to ensure the services should also be removed.
Ingredients
- Provided Fileset: macOS (download)
Directions
For the example provided:
- Download the necessary provided Fileset
- Upload using FileWave Admin
- Associate to the appropriate devices
- 'Update Model'.
Fileset scripts may be modified to personal preference. In each Fileset there is a script that is actioned by the local computer service. The scripts use pattern matching, and the patterns may be edited as required, removing or adding entries appropriately.
macOS
Locate the "prompt_user.sh" file within the Fileset and choose to edit it. In the following snippet from this script, the case statement pattern-matches log text. In the provided example the script is looking for lines that contain any one of the following:
- Model version
- Downloading Fileset
- Done activating
- Activate all
Where found, the 'show_message' function is being used to prompt the user:
prompt_user.sh
# * are wildcard entries and | acts as a logical OR
case "$line" in
*"Model version"*|*"Downloading Fileset"*|*"Done activating"*|*"Activate all"*)
show_message
;;
The second part of the case statement causes the script to exit. This time the pattern matches any line that contains:
- Data successfully sent to the inventory server
prompt_user.sh
*"Data successfully sent to the inventory server"*)
exit 0
;;
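The two halves of the case statement above, combined into a small monitor loop that can be exercised without a GUI session. This is an added example, not the Fileset's own prompt_user.sh: show_message is a stand-in that records the notification text in a file (the real script would call the Notification Centre), the log lines are constructed and not real FileWave client output, and in the real script the input would come from tailing the client log rather than stdin.

```shell
#!/bin/bash
# Added example (not the Fileset's prompt_user.sh): classify FileWave client
# log lines the way the recipe's case statement does and drive a monitor loop.

# Where the stand-in show_message records what it would have displayed.
MESSAGES_FILE="${MESSAGES_FILE:-${TMPDIR:-/tmp}/prompt_user_demo.log}"

# Print "notify", "stop" or "ignore" for one log line.
# * is a wildcard and | acts as a logical OR, as in the recipe.
classify_line() {
  local line="$1"
  case "$line" in
    *"Model version"*|*"Downloading Fileset"*|*"Done activating"*|*"Activate all"*)
      echo notify ;;
    *"Data successfully sent to the inventory server"*)
      echo stop ;;
    *)
      echo ignore ;;
  esac
}

# Stand-in for the Fileset's show_message: append the text to MESSAGES_FILE.
show_message() {
  printf '%s\n' "$1" >> "$MESSAGES_FILE"
}

# Read log lines from stdin (the real script tails the client log), notify on
# matching lines, and stop at the inventory-sent line. Prints the number of
# notifications issued.
monitor_log() {
  local line count=0
  : > "$MESSAGES_FILE"
  while IFS= read -r line; do
    case "$(classify_line "$line")" in
      notify) show_message "FileWave: $line"; count=$((count + 1)) ;;
      stop)   break ;;
    esac
  done
  echo "$count"
}

# Constructed sample log lines (not real FileWave output). The last line sits
# after the stop marker, so it must not produce a notification.
SAMPLE_LOG='Mon Jan  1 10:00:00 fwcld: Model version 42
Mon Jan  1 10:00:01 fwcld: Downloading Fileset "Printer Setup"
Mon Jan  1 10:00:05 fwcld: some unrelated status line
Mon Jan  1 10:00:06 fwcld: Done activating
Mon Jan  1 10:00:07 fwcld: Data successfully sent to the inventory server
Mon Jan  1 10:00:08 fwcld: Activate all'

# Run the monitor over the sample; expected result is 3 notifications.
demo_count() {
  printf '%s\n' "$SAMPLE_LOG" | monitor_log
}
```

Run with `bash prompt_user_demo.sh` and inspect the messages file, or pipe a real `tail -f` of the client log into monitor_log. Adding a pattern is a matter of extending the first case branch; the stop condition stays separate so the service does not keep notifying after the model update has completed.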
Notification Center Permissions
Notifications are user choice. Users must accept notifications when prompted.
The below section of the 'com.filewave.promptuser.plist' may be edited as desired, where the defined keys determine the following:
- 'the_title' is the Title of the notification
- 'bundle_id' defines an App bundle. That bundle's name and icon will be displayed:
com.filewave.prompt_user.plist
<key>EnvironmentVariables</key>
<dict>
<key>the_title</key>
<string>FileWave Message</string>
<key>the_subtitle</key>
<string></string>
<key>bundle_id</key>
<string>com.filewave.fwGUI</string>
</dict>
Users may still allow Notifications in System Preferences if previously denied.
Launch Services
Once a launch service is running, editing an already loaded script will have no impact on the current service; the service itself must be reloaded. If parts of the Fileset are edited after association, consideration of this should be taken into account to ensure those changes are made active.
Notes
The above provides an example of notifying users, using a service. However, with some adaptation messages could be sent in other ways at alternate times to users.
Related Content
Remove Casper JSS Client Components
Description
This recipe removes all Casper / JAMF Software-related components from computers that have been managed by the JSS.
Ingredients
- FW Central
Directions
- Create a new empty Fileset (from the Fileset view: New Desktop Fileset > Empty: type a name > OK)
- With it selected: Click the Scripts item in the button bar
- Create a new activation script and name it.
- Paste the script below and edit
#!/usr/bin/env zsh
# This will remove JAMF from macOS

# Function to identify the location of the jamf binary
CheckBinary() {
    # Identify location of jamf binary. command -v prints nothing when the
    # binary is not on PATH; zsh's `which` would print "jamf not found" to
    # stdout, which would make the fallback checks below never run.
    jamf_binary=$(command -v jamf 2>/dev/null)

    # Evaluate conditions to identify the correct binary path
    if [[ -z "$jamf_binary" ]] && [[ -e "/usr/sbin/jamf" ]] && [[ ! -e "/usr/local/bin/jamf" ]]; then
        jamf_binary="/usr/sbin/jamf"
    elif [[ -z "$jamf_binary" ]] && [[ ! -e "/usr/sbin/jamf" ]] && [[ -e "/usr/local/bin/jamf" ]]; then
        jamf_binary="/usr/local/bin/jamf"
    elif [[ -z "$jamf_binary" ]] && [[ -e "/usr/sbin/jamf" ]] && [[ -e "/usr/local/bin/jamf" ]]; then
        jamf_binary="/usr/local/bin/jamf"
    fi

    # Error handling for missing jamf binary
    if [[ -z "$jamf_binary" ]] || [[ ! -x "$jamf_binary" ]]; then
        echo "Error: jamf binary not found or not executable."
        exit 1
    fi
}

# Function to remove the JAMF framework
RemoveJamf() {
    "$jamf_binary" removeFramework || {
        echo "Error: Failed to remove JAMF framework."
        exit 2
    }
}

# Main script execution
CheckBinary
RemoveJamf

# Exit with a success status
exit 0
- Associate as standard or scheduled
Understanding Free Space on APFS Volumes
What
This article explains how free space is calculated on APFS volumes and how it differs from traditional file systems like HFS+.
When/Why
Understanding free space on APFS volumes is essential for managing storage on macOS devices, as it helps users and administrators make informed decisions about disk usage and maintenance.
How
- Traditional file systems (HFS+): Calculating free space on HFS+ volumes involves subtracting the total occupied storage blocks from the total volume capacity.
- Snapshots: APFS snapshots complicate free space calculations as they dynamically occupy storage blocks. Deleting snapshots can free up space, but the amount depends on other snapshots and their deletion.
- Clones: Cloned files in APFS initially share storage blocks, but as their data diverges, they consume additional space. Finder reports cloned files as separate entities, but APFS accounts for shared storage blocks.
- Sparse files: These files contain little data relative to their overall size. Copying or saving sparse files without preserving their format causes them to expand to full size, consuming more space.
- Other volumes: APFS containers share free space among their volumes, unlike HFS+ volumes. Data and VM volumes, in particular, share free space, with macOS determining the VM volume's usage.
- Free space control: APFS and macOS control free space, with figures changing depending on snapshots, clones, sparse files, and VM volume usage. APFS provides estimates for "important usage" and "opportunistic usage" free space.
The impact of these factors on APFS free space calculations makes it challenging to precisely determine available storage. It's crucial for users and administrators to understand these complexities to effectively manage storage and device performance. By being aware of snapshots, clones, sparse files, and shared volumes, users can make more informed decisions regarding storage allocation and maintenance, ensuring optimal device performance and efficient use of resources.
There is also an open-source tool, linked below, that reports more accurate free space information.
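The sparse-file point in the list above can be seen directly from the shell. This is an added example, not part of the article: it creates a sparse file, compares its apparent size (what Finder and ls report) with the blocks actually allocated (what du reports), and then copies it with dd, which writes every zero byte and so expands the copy to its full size. The 32 MiB size and file names are constructed values; the commands used are POSIX and behave the same on macOS and Linux.

```shell
#!/bin/sh
# Added example (not from the article): apparent size vs allocated size of a
# sparse file, and what happens when it is copied without preserving holes.

SIZE_BYTES=33554432   # 32 MiB apparent size (constructed value)

# Create a sparse file: seek past the end without writing any data blocks.
make_sparse() {
  dd if=/dev/zero of="$1" bs=1 count=0 seek="$SIZE_BYTES" 2>/dev/null
}

# Apparent size in bytes (what Finder / ls -l report).
apparent_bytes() {
  wc -c < "$1" | tr -d ' '
}

# Allocated size in KiB (what the file system actually consumes).
allocated_kib() {
  du -k "$1" | cut -f1
}

# Copy without preserving holes: dd writes out every zero byte it reads.
copy_dense() {
  dd if="$1" of="$2" bs=1048576 2>/dev/null
}

# Run the comparison in a temporary directory and print three numbers:
# apparent bytes, allocated KiB of the sparse file, allocated KiB of the copy.
sparse_demo() {
  dir=$(mktemp -d) || return 1
  make_sparse "$dir/sparse.img"
  copy_dense "$dir/sparse.img" "$dir/dense.img"
  printf '%s %s %s\n' "$(apparent_bytes "$dir/sparse.img")" \
    "$(allocated_kib "$dir/sparse.img")" "$(allocated_kib "$dir/dense.img")"
  rm -rf "$dir"
}
```

On APFS the sparse file reports 33554432 bytes but close to 0 KiB allocated, while the dd copy allocates the full 32 MiB; the same divergence is what makes free space figures move when sparse files are copied or saved by tools that do not preserve the format.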
Related Links
- Free space on an APFS volume is an illusion – The Eclectic Light Company
- GitHub - scriptingosx/diskspace: macOS command line tool to return the available disk space on APFS volumes
Wipe Device for macOS
What
To wipe a macOS device you can right-click on a device and pick Wipe Device... as shown. Before macOS 12, Erase Device MDM command would obliterate the system, meaning that critical files and data would be removed and the system would then be inoperative.
When/Why
In macOS 12 and later, this command uses Erase All Content and Settings (EACS) on Mac computers with the Apple M1 chip or the Apple T2 Security Chip. On those devices, if EACS can't run, the device can fall back to obliteration (macOS 11.x behavior).
How
It is important to record the Find My Mac PIN, as it is not recorded anywhere in the FileWave logs. The same applies to the Lock command for macOS systems.
Upon receiving this command, the device performs preflight checks to determine if the device is in a state that allows EACS.
It is then possible to configure the device's fallback behavior:
Do Not Obliterate
- If EACS preflight fails, the device responds to the server with an Error status and doesn’t attempt to erase itself.
- If EACS preflight succeeds but EACS fails, then the device doesn’t attempt to erase itself.
Obliterate With Warning
- If EACS preflight fails, the device responds with an Acknowledged status and then attempts to erase itself.
- If EACS preflight succeeds but EACS fails, then the device attempts to erase itself.
Default
- If EACS preflight fails, the device responds to the server with an Error status and then attempts to erase itself.
- If EACS preflight succeeds but EACS fails, then the device attempts to erase itself.
In FileWave 14.7, it is possible to define this behavior when Remote Wiping a device:
Related Content
Troubleshooting
Apple Metadata Missing After Fileset Installation (macOS)
Description
In some instances Metadata is added to items to provide additional features; however, this Metadata may not be transferred when the App is delivered as a standard Fileset. Where this occurs, the Metadata may be re-injected using a script. An example of this is highlighted in our KB on Deploying Folders with Icons.
Teamviewer is another example of this. The Quick Support version of the App has the option to include customisation, as per their guidelines. In fact, the Tool: FileWave QS App implements this to provide branding, user name and a personalised design.
When customisation is configured on this App, the App receives additional Metadata. If the Metadata were not restored, the customisation would be lost and the App would appear as the basic, standard looking App.
Instructions
To ensure the Metadata is re-applied after installation as a standard Fileset, the following should be followed:
- Use a command line tool to read the Metadata prior to making the Fileset
- Create an Activation or Postflight Script, to re-insert the Metadata, as part of the Fileset
To read the Metadata, open Terminal and run the following command, editing the path to match the required location. Using FileWave QS App as an example:
$ xattr -l ~/Downloads/FileWave\ QS.app
com.TeamViewer.ConfigurationId: idcr6bwpyh
A script may now be created to re-instate this Metadata, again changing the path if the App is installed somewhere other than Applications.
#!/bin/zsh
xattr -w com.TeamViewer.ConfigurationId idcr6bwpyh /Applications/FileWave\ QS.app
exit 0
If using an alternative customised Teamviewer QS App, change the name to match the created App and use the reported value from the query to set the matching ID.
Verification
To ensure the script is run again if Verification actions a repair or re-instatement of the App, a Verification Script will also be required with the same contents.
On installation, all applied customisation should appear as expected. This same process may be applied to any additional Metadata that may be lost during Fileset installation.
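Because the same process applies to any attribute that is lost during Fileset installation, the capture step can be automated: read the `xattr -l` output once, and generate the postflight (and identical verification) script from it instead of typing each `xattr -w` line by hand. The following is an added example and not part of the KB or the Fileset; the sample `xattr -l` output is constructed (it reuses the ConfigurationId value shown above and adds a binary FinderInfo attribute to show the skip path), and the target path is an assumption.

```shell
#!/bin/bash
# Added example (not from the KB): turn captured `xattr -l <app>` output into
# a postflight / verification script that re-applies each attribute to the
# installed path. Only attributes printed as single-line "name: value" pairs
# are handled; binary values that xattr prints as a hex dump are skipped with
# a comment rather than guessed.

# Quote a string so it is safe inside the generated sh script.
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Read `xattr -l` output on stdin and emit a restore script for target path $1.
gen_restore_script() {
  local target="$1" line name value
  printf '#!/bin/zsh\n'
  printf '# Re-apply extended attributes to %s\n' "$(shell_quote "$target")"
  printf 'target=%s\n' "$(shell_quote "$target")"
  while IFS= read -r line; do
    case "$line" in
      *": "*)
        name="${line%%: *}"
        value="${line#*: }"
        # Attribute names never contain spaces; anything else is not a pair.
        case "$name" in *" "*) continue ;; esac
        printf 'xattr -w %s %s "$target" || exit 1\n' \
          "$(shell_quote "$name")" "$(shell_quote "$value")"
        ;;
      *":")
        # A name followed only by ":" is a binary value dumped on later lines.
        printf '# skipped %s: binary value, restore by hand from the hex dump\n' "${line%:}"
        ;;
    esac
  done
  printf 'exit 0\n'
}

# Constructed sample of `xattr -l` output (not captured from a real App).
SAMPLE_XATTR='com.TeamViewer.ConfigurationId: idcr6bwpyh
com.apple.FinderInfo:
00000000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|'

# Generate the script for the assumed installed location.
demo_script() {
  printf '%s\n' "$SAMPLE_XATTR" | gen_restore_script '/Applications/FileWave QS.app'
}
```

Usage on a Mac: `xattr -l ~/Downloads/FileWave\ QS.app | bash gen_restore.sh` with the `demo_script` call replaced by `gen_restore_script '/Applications/FileWave QS.app'`, then paste the output into both the Postflight and the Verification script. Each generated line exits non-zero on failure, so a repair that cannot re-apply the attribute is reported rather than silently leaving the App uncustomised.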
Example Fileset
This example Fileset includes:
- Version 14 of Teamviewer FileWave QS
- Postflight Script
- Verification Script
FileWave TV QS Version 14.fileset.zip
When updated versions of Teamviewer FileWave QS are supplied, then the Fileset should be updated with this newer download, to replace the current application.
iOS 12 / macOS 10.14+ and self-signed certificates
iOS 12 and macOS 10.14 introduce stricter rules: certificates must be generated from at least a 2048-bit RSA key, and certificates generated from a 1024-bit key will be rejected by the device.
If you are using a certificate issued by a trusted CA, you should be fine; most certificates available on the market fulfil this requirement. If you generated your certificate with FileWave 9.0 or later, you should be fine as well, since from that version the key used to generate certificates is 2048-bit. If you are running a FileWave installation that was set up before FileWave 9.0 with a self-signed certificate, or if you are using a certificate issued from a 1024-bit key, you need to update your setup so that iOS 12 devices trust your server.
How to check the certificate RSA key size:
macOS, Linux:
openssl x509 -in /usr/local/filewave/certs/server.crt -text -noout | grep Public-Key
Windows
C:\OpenSSL-Win64\bin\openssl.exe x509 -in C:\ProgramData\FileWave\FWServer\certs\server.crt -text -noout | FINDSTR Public-Key
Windows does not have openssl installed as standard so you will need to go to https://slproweb.com/products/Win32OpenSSL.html and download the appropriate version of OpenSSL for your environment.
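The one-liners above show the key size; the following turns the same check into a function that returns a status, so it can be run from a script or a scheduled job before devices upgrade. This is an added example, not part of the KB: the path is taken as an argument rather than hard-coded, the minimum of 2048 bits is the requirement stated above, and the two self-signed certificates are generated locally (with a made-up CN) only so the example runs offline. It assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added example (not from the KB): check that a certificate's RSA public key
# meets the 2048-bit minimum required by iOS 12 / macOS 10.14 devices.

MIN_BITS=2048

# Print the RSA key size in bits of the certificate at $1, parsed from the
# same "Public-Key: (N bit)" line the KB greps for.
cert_key_bits() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 if the certificate's key meets MIN_BITS, 1 if it is too small,
# 2 if no key size could be read.
check_cert_key_bits() {
  bits=$(cert_key_bits "$1")
  [ -n "$bits" ] || { echo "no RSA key size found in $1" >&2; return 2; }
  echo "$1: $bits-bit key (minimum $MIN_BITS)"
  [ "$bits" -ge "$MIN_BITS" ]
}

# Generate a throwaway self-signed certificate with an RSA key of $2 bits
# into $1 (constructed CN; for the demo only).
make_test_cert() {
  openssl req -x509 -newkey "rsa:$2" -nodes -keyout "$1.key" -out "$1" \
    -subj "/CN=filewave.example.invalid" -days 1 >/dev/null 2>&1
}

# Demo: prints "<weak bits> <weak status> <strong bits> <strong status>".
demo_key_check() {
  dir=$(mktemp -d) || return 1
  make_test_cert "$dir/weak.crt" 1024
  make_test_cert "$dir/strong.crt" 2048
  weak=$(cert_key_bits "$dir/weak.crt")
  strong=$(cert_key_bits "$dir/strong.crt")
  if check_cert_key_bits "$dir/weak.crt" >/dev/null; then w=0; else w=1; fi
  if check_cert_key_bits "$dir/strong.crt" >/dev/null; then s=0; else s=1; fi
  rm -rf "$dir"
  echo "$weak $w $strong $s"
}
```

On a FileWave server the call would be `check_cert_key_bits /usr/local/filewave/certs/server.crt`; a non-zero exit is the signal to start the renewal steps described below before the software-update deferral window runs out.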
Recommended solution:
Use a third party, trusted Certificate Authority. Most organizations already have a wildcard certificate (for instance *.acme.org), installing this certificate on "filewave.acme.org" will make your server trusted automatically. If you don't have a certificate, several CAs provide SSL certificates which are trusted by Apple, Google or Microsoft. For more information about these trusted certificates please read this KB article.
Self-Signed solution:
If you decide to stay with a self-signed certificate, your only option is to renew the certificate; please read this KB article on how to renew it.
The best approach would then be:
- Deploy a profile with "defer software update" set to a 90-day restriction; this will give you 90 days (starting from Monday, Sept 17th) during which devices won't be upgraded
- Follow steps described in Renew FileWave Server Self-signed Certificate KB article:
- create new key and certificate
- deploy the new certificate via profile
- switch to the new certificate once all devices have the profile installed
- recreate DEP profiles (and associations, if required)
- Already impacted devices can be manually "healed" by installing the profile (and trusting it explicitly for SSL in the trust store).
If you have a pre-FileWave 9.0 certificate and devices have already upgraded to iOS 12, the only way to recover, assuming you can't use a trusted certificate, is to manually add the new certificate to the trust store and grant it permissions for SSL.
Related Content
M1 Silicon macOS and Recovery
Description
Apple M1 devices require an alternate method for Recovery Mode, and other considerations may need to be actioned.
FileWave has seen instances where M1 macOS devices are no longer accessible after the first reboot following DEP enrolment. It is believed the trigger for this experience is centred around the Admin account having never logged in.
Erasing M1 devices
It is possible to use Apple Configurator to Restore Apple Silicon M1 macOS devices. This requires a second device along with the listed details from Apple's KB:
https://support.apple.com/en-gb/guide/apple-configurator-2/apdd5f3c75ad/mac
- Up to date Apple Configurator App
- Network access to Apple
- USB-C to USB-C cable (supporting both power and data)
Apple's guidelines should be followed to restore the device
Activation Lock
If Activation Lock was enabled on the device, then the above process will block access to the device once recovered; a request to enter an Apple ID and password will be presented. However, it is likely there is no Apple ID associated with the device. In this instance Recovery Mode should be used to access the menus and enter the appropriate Bypass Code.
The Bypass Codes are available from the FileWave Admin Assistants drop-down menu:
- Activation Lock Management
Recovery Mode
M1 Silicon devices have a newer method to boot into Recovery Mode; hold down the Power Button until the screen displays: 'Loading startup options'
https://support.apple.com/en-gb/guide/mac-help/mchl82829c17/mac
To enter the Activation Lock code:
- Choose 'Recovery Assistant' from the Menu Bar
- Select with MDM key
- Use the key from the Admin console Activation Lock Management window for this device
https://support.apple.com/en-gb/guide/mdm/apd593fdd1c9/web
At this point the device should be accessible again and a fresh enrolment may be actioned.
Failure to Personalise
There is an additional issue that Apple have identified:
- "An error occurred while preparing the update. Failed to personalize the software update. Please try again."
Again, Apple have a KB on this issue:
https://support.apple.com/en-us/HT211983
The previous startup keys combinations used for Intel macOS devices do not apply to M1 Silicon macOS devices:
https://support.apple.com/en-gb/HT201255