macOS

macOS is the operating system developed by Apple for their Macintosh computers. It is the software that runs on Apple's desktop and laptop computers, providing users with a graphical user interface (GUI) and a wide range of features and functionalities. macOS offers a seamless integration with other Apple devices and services, along with a rich ecosystem of applications and software. It provides a user-friendly and secure computing environment for Mac users, enabling them to perform various tasks, access the internet, run applications, and manage their files and data.

Apple Silicon M1 / M2 Native Client Support and Rosetta

What

14.8+ FileWave Client PKG installer now installs a native M1 or M2 client, negating the need for Rosetta 2.

Prior FileWave client installers were Intel-only and relied on the PKG installer to install Rosetta 2 for M1 / M2 compatibility.  Rosetta 2 is not removed from clients that already have it.  Since newly enrolled clients, starting with 14.8.x+, no longer install Rosetta 2, any other software that still requires it will need a Fileset to install Rosetta 2 (see "Enable Rosetta 2" below).

Note that the Administrator app still requires Rosetta 2.

When/Why

This change affects Apple silicon (M1 / M2) devices only.  The installer itself is now a universal binary, so it runs natively on either processor type.

How

Both the standalone DMG installer and the Custom PKG will now support both Intel and M1 / M2 natively.  Create a new 14.8+ FileWave client installer from our Custom PKG Builder. The client upgrade Fileset will naturally be taken as native by macOS also.

Enable Rosetta 2

Below is an example of a script that could be used to enable Rosetta 2 through FileWave if still required for other software like the FileWave Administrator app:

#!/bin/zsh

# Install Rosetta 2 non-interactively where it is needed: Apple silicon running macOS 11 or later.
exitcode=0

# Determine OS version
osvers=$(sw_vers -productVersion)

# Rosetta 2 only exists on macOS 11 or greater
if [ ${osvers%%.*} -ge 11 ]; then
  # Check processor type. uname -p reports "i386" when this script is launched by a process that
  # is itself running under Rosetta (for example an Intel-only client), so ask the kernel directly:
  # hw.optional.arm64 is 1 on Apple silicon and does not exist on Intel.
  if [[ "$(/usr/sbin/sysctl -n hw.optional.arm64 2>/dev/null)" != "1" ]]; then
    echo "$(date) processor: $(/usr/bin/uname -p). No need to install Rosetta."
  else
    # The Rosetta daemon (oahd) only exists once Rosetta 2 is installed; if it is not
    # running, perform a non-interactive install.
    if [[ ! $(/usr/bin/pgrep -x oahd) ]]; then
      /usr/sbin/softwareupdate --install-rosetta --agree-to-license
      if [[ $? -eq 0 ]]; then
        echo "$(date) Rosetta has been successfully installed."
      else
        echo "$(date) Rosetta installation failed!"
        exitcode=1
      fi
    else
      echo "$(date) Rosetta already installed. Nothing to do."
    fi
  fi
else
  echo "$(date) Mac is running macOS $osvers"
  echo "$(date) No need to install Rosetta on this version of macOS."
fi

# Return a non-zero status on failure so the Fileset reports it instead of silently succeeding.
exit $exitcode

Here is a Fileset that uses the above example script: Install Rosetta 2.fileset.zip

Bootstrap Token Management on macOS

With FileWave 13.2, support for Apple's Bootstrap Token management has been added.

Introduction

macOS 10.15 Catalina introduced a new method of SecureToken enablement called Bootstrap Token: an MDM-based management feature that automatically grants a SecureToken to mobile accounts at login. On 10.15 it does not change how local accounts get SecureTokens. From macOS 11 the scope widens: the Bootstrap Token grants a SecureToken to any account logging in, including local accounts created by MDM, and on Apple silicon it also authorises MDM-initiated kernel extension installs and software updates.

What is SecureToken?

Apple introduced Secure Token as a method of creating a “chain of trust” on a machine. The result was that only a trusted user could be created from another trusted user, and only those trusted users could leverage FileVault. This ensured that - from Apple’s perspective - the machine and users on it are secure.

For many Mac admins, the Secure Token feature introduced with macOS High Sierra has been a cause for great consternation. It has forced IT teams to adjust their management workflows to be able to administer and manage devices differently, given that Secure Tokens are critical in order to safely create Mac users and manage their FileVault full disk encryption (FDE) credentials.

Why the Consternation with SecureToken?

The challenge presented by the introduction of Secure Token was that the chain of trust ultimately made user and FileVault management much more challenging. An organization’s mobile and network accounts with Apple devices did not have the ability to create users that would be granted Secure Tokens.

Only the original user on the machine was granted a Secure Token and only that account could go on to create subsequent users that would properly be granted a Secure Token. This overhead severely impacted the ability of Mac admins to remotely manage their fleet of Mac systems.

What is the Benefit of Bootstrap Token?

Catalina can give the first mobile account to log in a SecureToken if no other accounts have a SecureToken yet, but the benefit of Bootstrap Token comes when multiple users log into an encrypted machine. All mobile accounts that log in automatically get a SecureToken without having to hand one off manually.

What Happens Under the Hood?

If the MDM server supports Bootstrap Token management, it sends the Settings command during enrollment with an MDMOptions dictionary whose BootstrapTokenAllowed key is true (Apple's MDM protocol key; the value is a boolean).  The device then sends SetBootstrapToken and GetBootstrapToken requests to the MDM server at the appropriate times.

To check the current status see "Check Escrow/Server Status" below.

There are two main MDM communications for Bootstrap Token: SetBootstrapToken and GetBootstrapToken.

SetBootstrapToken request

When the first SecureToken-enabled admin account is created (see Figure 1.1), the device sends the MDM request SetBootstrapToken (DEP-enrolled clients only) to the FileWave MDM server. The server handles this request by storing the Bootstrap Token for the device; FileWave encrypts it and keeps it in the inventory database.

 

image.png

 

Figure 1.1

Warning: There is one limitation. If the administrator account is created automatically during enrollment rather than by the user in Setup Assistant (see Figures 1.3 and 1.4), the SetBootstrapToken request will not be sent.

image.png

image.png

Figure 1.2 - Not Suppressed (Token sent): default DEP enrollment, an administrator is created in Setup Assistant

Figure 1.3 - Suppressed (Token will not be sent): the Setup Assistant user is a standard user

image.png

Figure 1.4 - Suppressed (Token will not be sent): no user is created during Setup Assistant

Trigger Escrow

Escrowing of the Bootstrap Token to the server can be triggered manually with (the type is bootstraptoken, one word):

profiles install -type bootstraptoken
If the SetBootstrapToken request was properly sent to your MDM server, the output will be

profiles: Create Bootstrap Token created
profiles: Bootstrap Token created
profiles: Bootstrap Token escrowing to server...
profiles: Bootstrap Token escrowed
If you got this error after the initial command:

Error: The profile type option was not recognized.

the profiles tool itself rejected the request: either the type was misspelled (it is bootstraptoken, one word) or the Mac is running a macOS older than 10.15. A server that cannot handle the request (FileWave older than 13.2) shows up instead in the status command below as "Bootstrap Token supported on server: NO".

GetBootstrapToken request

When a new mobile account is created (manually or automatically, see the "Examples" section) the device sends the MDM request GetBootstrapToken (DEP-enrolled clients only) to the MDM server, which must answer with the stored Bootstrap Token for that device. As a result the mobile account is granted a SecureToken at login. The accounts and keys that can unlock the FileVault volume are listed by:

diskutil apfs listcryptousers /

There you can see the UUID of the mobile account as well as the Bootstrap Token External Key:

Cryptographic users for disk1s5 (9 found)
|
+-- JJJJJJJJ-UUUU-IIII-OOOO-AAAAAAAAAAAA
| Type: Local Open Directory User
|
+-- KKKKKKKK-LLLL-MMMM-NNNN-BBBBBBBBBBBB
| Type: MDM Bootstrap Token External Key
|
+-- GGGGGGGG-WWWW-QQQQ-ZZZZ-CCCCCCCCCCCC
| Type: Local Open Directory User
|
+-- BBBBBBBB-AAAA-MMMM-BBBB-AAAAAAAAAAAA
|   Type: iCloud Recovery User
|
+-- DDDDDDDD-0000-EEEE-DDDD-EEEEEEEEEEEE
|   Type: iCloud Recovery External Key
|
+-- TTTTTTTT-0000-WWWW-TTTT-WWWWWWWWWWWW
|   Type: Personal Recovery User
|
+-- NNNNNNNN-EEEE-SSSS-NNNN-EEEEEEEEEEEE
|   Type: Institutional Recovery User
|
+-- JJJJJJJJ-0000-CCCC-JJJJ-CCCCCCCCCCCC
|   Type: Institutional Recovery External Key
|
+-- AAAAAAAA-EEEE-FFFF-CCCC-DDDDDDDDDDD
    Type: Personal Recovery Key   

 Compare that list with

sudo fdesetup list

to show the same UUIDs of the accounts that have SecureTokens:

localadmin, JJJJJJJJ-UUUU-IIII-OOOO-AAAAAAAAAAAA
mobileaccount,GGGGGGGG-WWWW-QQQQ-ZZZZ-CCCCCCCCCCCC

Check Escrow/Server Status

To check whether the Bootstrap Token has been escrowed, query its status (this is profiles status, not the profiles install command used above to trigger escrow):

profiles status -type bootstraptoken

The first line of output reports whether the MDM server supports Bootstrap Token; the second whether this device's token has been escrowed. When everything is in place:

profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed on server: YES

If the server does not support it (FileWave older than 13.2, or the MDMOptions setting was never sent to the device):

profiles: Bootstrap Token supported on server: NO

If the Bootstrap Token was not escrowed (the SetBootstrapToken request was not sent, or was not handled by the MDM server properly):

profiles: Bootstrap Token escrowed on server: NO

In that case trigger escrow manually (see "Trigger Escrow"). Once the token is on the server the output is:

profiles: Bootstrap Token escrowed on server: YES
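The two listings above (diskutil apfs listCryptoUsers and fdesetup list) are meant to be compared by eye. The script below is an added example, not part of the FileWave KB, that does the comparison for you and could serve as a Custom Field: it reports whether the MDM Bootstrap Token External Key is present on the boot volume and, for every account fdesetup knows about, whether its UUID is also a cryptographic user of the volume (that is, whether the account really can unlock the disk). The two sample inputs are constructed from the listings on this page; on a real Mac feed the live command output in as shown in the comment.

```shell
#!/bin/sh
# Added example (not from the FileWave KB): reconcile the two listings above to answer
# "is the MDM Bootstrap Token key on the boot volume, and which accounts can unlock it?".
# Live use on a Mac (as root):
#   securetoken_audit "$(diskutil apfs listCryptoUsers /)" "$(fdesetup list)"
# The two samples below are constructed from the listings shown on this page.

SAMPLE_CRYPTO='Cryptographic users for disk1s5 (4 found)
|
+-- JJJJJJJJ-UUUU-IIII-OOOO-AAAAAAAAAAAA
|   Type: Local Open Directory User
|
+-- KKKKKKKK-LLLL-MMMM-NNNN-BBBBBBBBBBBB
|   Type: MDM Bootstrap Token External Key
|
+-- GGGGGGGG-WWWW-QQQQ-ZZZZ-CCCCCCCCCCCC
|   Type: Local Open Directory User
|
+-- TTTTTTTT-0000-WWWW-TTTT-WWWWWWWWWWWW
    Type: Personal Recovery User'

SAMPLE_FDE='localadmin, JJJJJJJJ-UUUU-IIII-OOOO-AAAAAAAAAAAA
mobileaccount,GGGGGGGG-WWWW-QQQQ-ZZZZ-CCCCCCCCCCCC'

TAB=$(printf '\t')

# crypto_users CRYPTO_OUTPUT -> one "UUID<TAB>Type" line per cryptographic user
crypto_users() {
  printf '%s\n' "$1" | awk '
    /^\+-- /  { uuid = $2 }
    /Type: /  { sub(/^.*Type: */, ""); print uuid "\t" $0 }'
}

# has_bootstrap_key CRYPTO_OUTPUT -> exit status 0 when the MDM Bootstrap Token External Key is present
has_bootstrap_key() {
  crypto_users "$1" | grep -q "${TAB}MDM Bootstrap Token External Key\$"
}

# securetoken_audit CRYPTO_OUTPUT FDESETUP_OUTPUT -> one fact per line, suitable for a Custom Field
securetoken_audit() {
  crypto="$1"; fde="$2"
  if has_bootstrap_key "$crypto"; then
    echo "bootstrap_token_key=YES"
  else
    echo "bootstrap_token_key=NO"
  fi
  users=$(crypto_users "$crypto")
  # fdesetup list prints "name,UUID"; the UUID is the account's GeneratedUID and, when the
  # account holds a SecureToken, the same UUID appears as a cryptographic user of the volume.
  printf '%s\n' "$fde" | tr -d ' ' | while IFS=, read -r name uuid; do
    [ -z "$name" ] && continue
    if printf '%s\n' "$users" | grep -q "^${uuid}${TAB}"; then
      echo "securetoken:${name}"
    else
      echo "no_crypto_user:${name}"
    fi
  done
}
```

A "no_crypto_user" line means fdesetup believes the account has a SecureToken but the volume does not list it; that is the state to investigate before relying on the account at the pre-boot login window. "bootstrap_token_key=NO" on a DEP-enrolled Mac is the cue to run the "Trigger Escrow" command.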

Examples when Bootstrap Token helps

Example 1 - mobile account is created manually by an admin which does not have a Secure Token

Problem:

On macOS 10.15+ with FileVault turned on, when a network account logs in on a device with no Bootstrap Token escrowed, macOS prompts for the name and password of an administrator who does have a SecureToken.

image.png

Figure 2.1

Solution:

With the token escrowed, there is no need to enter a SecureToken administrator's name and password: "Bypass" can be safely pressed, the new mobile account receives its SecureToken from the Bootstrap Token, and it is shown at the pre-boot login window after the device reboots.

To remove the SecureToken from an account (for example to reproduce the problem on a test Mac), use:

sysadminctl -secureTokenOff <username> -password - -adminUser <securetoken-admin> -adminPassword -

To check whether an account has a SecureToken, use:

sysadminctl -secureTokenStatus <username>

Example 2 - mobile account is created automatically when profile Mobility is used

With macOS 10.15 and FileVault turned on, profile Mobility was installed on the device with the option 'Create mobile account when user logs in to network account'.

image.png

Figure 2.2

After a network account login, a mobile account is created automatically (as the "Bypass" button from the dialog "Enter a SecureToken ..." was pressed implicitly). A new mobile account will be shown at startup window after the device reboots.

In comparison, when the same actions are done on macOS 10.14, there is one additional dialog (see Figure 2.1) asking for a SecureToken administrator's name and password during the auto-creation of a mobile user. If "Bypass" is pressed, the new mobile account is not shown at the pre-boot login window after the device reboots, and FileVault has to be enabled manually for each new mobile account.

Summary

If FileVault is already encrypted, the new mobile account(s) will be added to the preboot unlock user list automatically. No need to update preboot and do other additional work like past OSes.

Change Administrator User Password on macOS

This article will guide you through importing a Fileset that will give you the ability to change the Administrator password on macOS devices.

Requirements:

Steps to Deploy:

Tested on macOS Ventura and Sonoma (macOS 13+). The script should reflect a proper success or failure in Fileset Status if the AdminPassword or AdminUsername value is incorrect.

Customised Screen Saver (macOS)

Description

Create a customised macOS Screen Saver (.saver) to simply display an image or more advanced HTML/Javascript code.

Ingredients

Directions

Fileset Installation

  1. Download and unzip "FileWave Example ScreenSaver.zip".
  2. Import into FileWave Admin

Customise ScreenSaver Name (Optional)

Customise the Source File (Optional)

Optional
Replace entire contents of file with custom HTML/Javascript if desired

Test

Associate Fileset to a test machine.  On installation the following should be seen from the example:

Set Screen Saver as Default

Login Window Profile Requirement
Edit any already existing "Login Window" Profile. If first time use of "Login Window" payload, please make sure to review all other Profile settings.

Deploy Folder with Icons (macOS)

Description

The following demonstrates how to successfully deploy folders with custom icons.  There have been changes by Apple which means previous methods may fail to present the icon.

Information

This process will involve:

  1. Creating a fileset that includes the folders with icons
  2. Creating an Activation Script
  3. Change the properties of the script to include the paths to the folders

1. Create the Fileset

To build the fileset, the folder requires a custom icon.  To add a custom icon, choose Get Info on the Folder (this could be an Application) and drag the icon or image file onto the folder icon at the top of the window:

Create a standard Fileset using this Folder or App.

2. Create An Activation Script

Highlight the Fileset and choose the Script icon.

In the Window that opens, select Activation Script and then choose to Create a script.  In this example the script was called 'add-xattr.sh'.  The script should contain the following:

#!/bin/bash
# Each launch argument (set in the script's Executable tab) is the path of a folder or .app
# whose icon was set with Get Info. Finder only uses the Icon file stored inside the folder
# when the kHasCustomIcon flag (0x0400 at bytes 8-9 of the 32-byte FinderInfo attribute) is set;
# the Fileset deploys the Icon file but not the flag, so set it here after installation.
for directory in "$@"
do
    xattr -wvx com.apple.FinderInfo '00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00' "$directory"
done

3. Change the Script Properties

Once created, highlight the script and choose 'Properties'

The Executable tab should be edited to match the path to the location of your Folder or Application containing the custom icon.

Associate the Fileset and on deployment the Folder or Application will have the chosen icon.

Multiple Folders with Icons
The Fileset can contain multiple folders with custom icons. For each folder containing a custom icon, add an additional Launch Argument in the Executable tab to match.

Deploying CUPS printers (macOS)

Before you begin

We first need to setup the CUPS printers on a single test device. Once they are manually setup please test each individual printer and ensure they work as you'd like them to before proceeding. Note that you want to setup ONLY the printers you want to deploy via CUPS in this method. If possible have these as your only printers on the device to make things easier.

Creating Fileset

1.) Create a new folder on your Desktop(or anywhere safe) titled cups

2.) Navigate to /etc/cups

3.) Copy the following files into your cups folder on the desktop:

The ppd folder should show the names of all the printers you manually setup. If you have other printers you don't want to deploy delete them from the ppd folder in the new location before proceeding.

4.) Open Terminal and make the copied configuration files readable so they can be imported (on the source Mac they are owned by root and not readable by your user):

$ sudo -s
# chmod 644 /Users/<your user here>/Desktop/cups/printers.conf
# chmod 644 /Users/<your user here>/Desktop/cups/printers.conf.O

To make things easier you can type chmod 644 and then drag/drop the file into Terminal to have it automatically fill in the appropriate path.

Before importing, open printers.conf (and its backup printers.conf.O) and check the DeviceURI lines: a queue that was set up with authentication stores the account and password inside the URI (for example smb://user:password@server/queue), and everything in this folder will be pushed to every client. Remove such credentials before proceeding, and keep the deployed files readable by root only, which is how CUPS itself keeps them; the permission change above only needs to last long enough to import.

5.) Create a new empty fileset. Filesets > New Desktop Fileset > Empty

6.) Open your fileset by double-clicking on it and uncheck "Hide unused folders"

7.) Click on etc/ to highlight it and then click "Import File/Folder"

8.) Import the cups folder that you created on your desktop. 

9.) In the fileset click the arrow to the left of etc and then to the left of cups to show the contents of the folders. This should match the folder on your desktop with all files included

10.) Highlight printers.conf then click "Get Info" at the top, click the verification tab and select "Download if missing" then click Apply at the bottom right.

11.) Repeat step 10 for printers.conf.O as well.

12.) Test deploy by sending to a single machine and verify it works properly before deploying out to the rest of your clients.

The reason we change the verification settings for only these two files is that printers.conf and printers.conf.O change dynamically whenever printers are modified on the end computer. With the default verification FileWave would detect the change and overwrite the configuration with the copy in this Fileset, potentially breaking the printers on your devices.
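The check suggested in step 4, looking for credentials embedded in DeviceURI lines before the file goes into a Fileset, is easy to automate. The script below is an added example, not part of the FileWave KB: it lists the queues a printers.conf would deploy, flags any DeviceURI that carries user:password@ authentication, and produces a redacted copy. The sample file is constructed for the example (the account svc_print and its password are invented), and the functions take the file contents as an argument so the same code runs on a real file with "$(cat ~/Desktop/cups/printers.conf)".

```shell
#!/bin/sh
# Added example (not from the FileWave KB): check a copied printers.conf before it goes into
# a Fileset.  Live use:
#   uris_with_credentials "$(cat ~/Desktop/cups/printers.conf)"
#   redact_credentials "$(cat ~/Desktop/cups/printers.conf)" > ~/Desktop/cups/printers.conf
# SAMPLE_CONF is a constructed file with two queues; the credentials in the second one are invented.

SAMPLE_CONF='# Printer configuration file for CUPS v2.3.4
<Printer Office-Colour>
UUID urn:uuid:00000000-0000-0000-0000-000000000001
Info Office Colour
DeviceURI smb://PRINTSRV/OfficeColour
State Idle
</Printer>
<DefaultPrinter Finance-Mono>
Info Finance Mono
DeviceURI smb://svc_print:Wint3r-Pa55@PRINTSRV/FinanceMono
State Idle
</Printer>'

# list_printers CONF -> the queue names that will be deployed, one per line
list_printers() {
  printf '%s\n' "$1" | awk '/^<(Default)?Printer / { name = $2; sub(/>$/, "", name); print name }'
}

# uris_with_credentials CONF -> DeviceURI values of the form scheme://user[:password]@host/...
# (a port such as ipp://host:631/... has no "@" after the colon and is not flagged)
uris_with_credentials() {
  printf '%s\n' "$1" | awk '$1 == "DeviceURI" && $2 ~ /^[a-z]+:\/\/[^\/@]+(:[^\/@]*)?@/ { print $2 }'
}

# redact_credentials CONF -> the same file with user[:password]@ removed from every DeviceURI
redact_credentials() {
  printf '%s\n' "$1" | awk '$1 == "DeviceURI" { sub(/:\/\/[^\/@]+(:[^\/@]*)?@/, "://", $2) } { print }'
}
```

A redacted queue still needs a way to authenticate on the client; the usual choice is to let the user enter credentials on first print (CUPS stores them per user) rather than ship a shared service account to every Mac.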

Microsoft Enterprise Platform Single Sign-on for macOS

What

With Platform Single Sign-on (Platform SSO), SSO extensions extend to the macOS login window, allowing users to synchronize local account credentials with an identity provider (IdP). In this case, we are combining what is provided here: Microsoft Enterprise S... | FileWave KB with Platform Single Sign-on for macOS - Apple Support. After this configuration the local account password is kept in sync automatically, so the cloud password and the local password match. Users will still be able to unlock their Mac with Touch ID and Apple Watch. The end result allows the user to log in with their Entra ID and password, or with their local account username and the synced Entra ID password.

8a1b12f119682c525692a750d75d8f6f.png

When/Why

An Administrator who is managing a fleet of MacBooks may want to use this for another level of security or for taking advantage of the full integration that macOS now offers with SSO. You are offered the same benefits as listed in: Microsoft Enterprise S... | FileWave KB except with the added layer of further syncing the local account with your identity provider account.

How

Below are the requirements and the steps to create the configuration for deployment.

Platform SSO Requirements:

Note: If the Mac is unenrolled from the MDM solution, it’s also unregistered from the IdP.

WS-Trust federation

WS-Trust federation is supported in macOS 13.3 or later. This allows Platform SSO to successfully authenticate users when their account is managed by an IdP federated with Microsoft Entra ID.

Deployment:

Here is an example Profile Fileset ready to deploy in your environment with the default configuration:

Screenshot 2024-03-21 at 9.25.19 AM.png

Please Note: On macOS devices, Apple requires the Company Portal app be installed. Users don't need to use or configure the Company Portal app, it just needs to be installed on the device.

End-user Interaction required:

After successful deployment, in the notifications area of the user's device, they should be presented with a message:

Screenshot 2024-03-21 at 9.15.56 AM.png

Screenshot 2024-03-21 at 9.16.31 AM.png

Screenshot 2024-03-21 at 9.17.10 AM.png

Screenshot 2024-03-21 at 9.17.52 AM.png

After signing in and registering, when you go to System Settings > Users & Groups > click the 'i' next to your Username, you should be able to confirm everything went successfully with the new settings here:

Screenshot 2024-03-21 at 9.18.37 AM.png

EUD Security Guidance: macOS 10.13+

Information

The National Cyber Security Centre (NCSC) publishes various security guides.  This article covers a section of the End User Device Security Collection and how to use FileWave to monitor or follow the guidance as laid out:

https://www.ncsc.gov.uk/guidance/eud-security-guidance-macos-1013-high-sierra#recommendedpoliciesandsettings

From the document:

This guidance was developed following testing performed on MacBook Pro and MacBook Air devices running macOS 10.13 (High Sierra)

It's important to remember that this guidance has been conceived as a way to satisfy the 12 End User Device Security Principles. As such, it consists of recommendations and should not be seen as a set of mandatory instructions requiring no further thought.

Risk owners and administrators should agree a configuration which balances business requirements, usability and security.

As set out from the list, here are some solutions.  For descriptions of Configuration Profiles, please consult FileWave Profile Editor section.

Custom Fields
Below, in addition, are some Custom Fields for reporting on the status of pertinent settings. They are described as if using the Custom Fields introduced in FileWave 12.7+.

For using these Custom Fields with earlier versions of FileWave, these will need to be added as Filesets and edited to write custom values to the client using fwcld.

The Custom Fields provided are examples using English. Where searching for text in response to a command is concerned, if the OS is running a different language, the script may need to be altered to match.

Assured data-in-transit protection, VPN Profile

VPN may be configured using Configuration Profiles

image.png

Assured data-at-rest protection, FileVault

FileVault may be configured using Configuration Profiles

image.png

Custom Field to show current FileVault status:

#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
#
# fdesetup status prints "FileVault is On." or "FileVault is Off." (followed by a note when a
# deferred enablement is pending); reduce that to a short value for reporting.

fv_status=$(fdesetup status 2>/dev/null)
error_code=$?

if [ $error_code -ne 0 ]
then
	echo "Error: $error_code"
else
	case $fv_status in

	*"FileVault is Off"*)
		echo "Off"
		;;
	*"FileVault is On"*)
		echo "On"
		;;
	*)
		echo "$fv_status"
		;;
	esac
fi

exit 0

Custom Field to show if the device supports FileVault Authenticated Restart.  N.B. This requires FileVault to be enabled to work. Bear in mind that an authenticated restart (fdesetup authrestart) stores the volume key so that the disk unlocks once without a password at the next boot; data at rest is unprotected for that reboot window, so use it for attended maintenance only.

#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
#
# fdesetup supportsauthrestart prints "true" or "false"; it only answers once FileVault is enabled,
# so a non-zero exit is reported as Unsupported.

filevault_auth_restart=$(fdesetup supportsauthrestart 2>/dev/null)

if [ $? -ne 0 ]
then
	echo "Unsupported"
else
	case "$filevault_auth_restart" in
	true)  echo "True" ;;
	false) echo "False" ;;
	*)     echo "$filevault_auth_restart" ;;
	esac
fi

exit 0

Authentication

Either:

* Users have two passwords – one for FileVault 2, and one to login and unlock their device (see Provisioning Steps for how to achieve this)
* Or users have one password which fulfils both requirements.

DEP Profile can include a local admin account to be created during enrolment, which could be hidden.

image.png

The user should be required to authenticate to the device in line with your organisation’s authentication policy (see Authentication Policy).

This user’s login password derives a key which encrypts certificates and other credentials, giving access to organisational services.

Secure boot

Set an EFI (firmware) password to make it more difficult for an attacker to modify the boot process. However, with physical access, the boot process can still be compromised. Note that firmware passwords exist on Intel Macs only: Apple silicon Macs have no firmware password, and the equivalent control is the boot policy set in Startup Security Utility (Full Security is the default), which can only be changed from recoveryOS after authenticating as an administrator of the Mac.

Firmware password can be set using the provided recipe: Firmware Password (macOS 10.14 Mojave+)

Custom Field to show Firmware Status:

#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
#
# firmwarepasswd applies to Intel Macs only. The Apple silicon check uses sysctl rather than
# uname -m, because uname reports x86_64 when the client runs under Rosetta.

if [ "$(/usr/sbin/sysctl -n hw.optional.arm64 2>/dev/null)" = "1" ]
then
        echo "N/A (Apple silicon)"
elif [ -e /usr/sbin/firmwarepasswd ]
then
        # "Password Enabled: Yes" / "Password Enabled: No"; capture the exit status of
        # firmwarepasswd itself, not of a trailing awk.
        firmware_check=$(/usr/sbin/firmwarepasswd -check 2>/dev/null)
        error_code=$?

        if [ $error_code -ne 0 ]
        then
                echo "Error: $error_code"
        else
                echo "$firmware_check" | awk '{print $NF}'
        fi
else
        echo "N/A"
fi

exit 0

Platform integrity and application sandboxing, SIP

System Integrity Protection (SIP) is on by default and is unlikely to be disabled, since turning it off requires booting to recoveryOS.  FileWave has a default inventory item to check that SIP is enabled:

image.png

Application whitelisting

Use the MDM to whitelist default macOS applications. Use GateKeeper to prevent the installation and running of unsigned applications. An organisation application catalogue can also be used which only contains enterprise-approved or in-house applications.

image.png

image.png

Custom Field to display Gatekeeper version:

#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
# 
# Below is an example of how to read the value of one ENVIRONMENT VARIABLE in your script:


# my_var=${ENV_VAR_NAME}
#

defaults read /var/db/gkopaque.bundle/Contents/Info.plist CFBundleShortVersionString

exit 0

Malicious code detection and prevention

XProtect is built into macOS. It has a limited signature set which is maintained by Apple to detect widespread malware. XProtect will also restrict vulnerable plugin versions (such as Java) to limit exposure. Several third-party anti-malware products also exist which attempt to detect malicious code for this platform. Content-based attacks can be filtered by scanning capabilities in the organisation.

Custom Field to display XProtect version:

#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
#
# XProtect moved in macOS 10.15: the bundle now lives under /Library/Apple and is updated by
# Apple independently of the OS. The CoreTypes path applies to macOS 10.14 and earlier.

new_plist=/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist
old_plist=/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

if [ -e "$new_plist" ]
then
	defaults read "$new_plist" CFBundleShortVersionString
elif [ -e "$old_plist" ]
then
	defaults read "$old_plist" Version
else
	echo "N/A"
fi

exit 0

Security policy enforcement

Mark MDM profiles as non-removable so the user cannot remove them and alter their configuration.

General setting of each profile has an option to deny profile removal under the Security option.

image.png

External interface protection

USB removable media can be blocked through MDM if required. If an EFI password is set, DMA is only possible when the device is booted and unlocked.

Restrictions profile may be used to control access to external media

image.png

Device update policy

MDM can be used to audit which App Store software and OS versions are installed on a device. The NCSC document's attached script turns on automatic updates locally, and the document states this cannot be achieved remotely with MDM.

With FileWave it can: a Custom Settings profile delivering the com.apple.SoftwareUpdate preference domain (keys such as AutomaticCheckEnabled, AutomaticDownload, AutomaticallyInstallMacOSUpdates, ConfigDataInstall and CriticalUpdateInstall) manages these settings over MDM.

image.png
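Pushing the com.apple.SoftwareUpdate keys is one half; the Custom Field that confirms they took effect is the other. The script below is an added example, not part of the FileWave KB, following the Custom Field pattern used elsewhere on this page: it parses the dictionary that defaults read prints for the domain and reports either Compliant or the keys that are missing or off. Which keys count as required is an assumption made for the example. The sample input is constructed; on a Mac feed in the live output as shown in the comment (when the keys are delivered by a profile, read the managed copy under /Library/Managed Preferences instead of the local one).

```shell
#!/bin/sh
# Added example (not from the FileWave KB): Custom Field reporting whether the Software Update
# automation keys are enabled.  Live use (as root):
#   report_softwareupdate "$(defaults read /Library/Preferences/com.apple.SoftwareUpdate 2>/dev/null)"
# or, for values delivered by an MDM profile:
#   report_softwareupdate "$(defaults read "/Library/Managed Preferences/com.apple.SoftwareUpdate" 2>/dev/null)"

# Keys this example treats as required (assumption for the example).
REQUIRED_KEYS="AutomaticCheckEnabled AutomaticDownload AutomaticallyInstallMacOSUpdates ConfigDataInstall CriticalUpdateInstall"

# Constructed sample of `defaults read` output from a Mac where two keys are still off or absent.
SAMPLE_PREFS='{
    AutomaticCheckEnabled = 1;
    AutomaticDownload = 1;
    AutomaticallyInstallMacOSUpdates = 0;
    ConfigDataInstall = 1;
    LastSuccessfulDate = "2024-03-21 09:15:56 +0000";
}'

# pref_value PREFS KEY -> the value of KEY in the dictionary printout (empty when absent)
pref_value() {
  printf '%s\n' "$1" | awk -v k="$2" '$1 == k && $2 == "=" { v = $3; sub(/;$/, "", v); print v }'
}

# report_softwareupdate PREFS -> "Compliant" or "Missing: <key> <key> ..." (absent counts as missing)
report_softwareupdate() {
  missing=""
  for key in $REQUIRED_KEYS; do
    value=$(pref_value "$1" "$key")
    if [ "$value" != "1" ]; then
      missing="$missing $key"
    fi
  done
  if [ -z "$missing" ]; then
    echo "Compliant"
  else
    echo "Missing:${missing}"
  fi
}
```

Reporting the individual keys rather than a bare yes/no makes the inventory search "which Macs have auto-install of macOS updates off" a one-liner, and distinguishes a profile that never landed from one where a single key was overridden.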

Event collection for enterprise analysis

macOS logs can be viewed by a local administrator on device, or from a distance using remote administration tools. Third-party software can also be used to automate log collection.

Client Info has an option to view Command History.  Client Info and Client Monitor have the option to view FileWave logs by default.

Viewing macOS logs would involve another method.  Options could include:

Example Activation Script:

#!/bin/bash
# Legacy syslog; mostly empty since macOS 10.12 introduced unified logging
cat /private/var/log/system.log
# Unified log for the last hour; adjust --last or add --predicate to narrow it
log show --last 1h --style syslog

exit 0

Incident response

“macOS devices can be locked, wiped, and configured remotely by their MDM.”

Device context menu has options to either Lock or Wipe a device.  FileWave has extensive options for remotely configuring MDM enrolled devices.

image.png

image.png

Additional Custom Fields

Firewall Status:

#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
# 
# Below is an example of how to read the value of one ENVIRONMENT VARIABLE in your script:

# my_var=${ENV_VAR_NAME}
#

fw_status=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)
error_code=$?

if [ $error_code -ne 0 ]
then
	echo "Error: "$error_code
else
	case $fw_status in

	*"disabled"*)
		echo "Off"
		;;
	*"enabled"*)
		echo "Enabled"
		;;
	*)
		echo "$fw_status"
		;;
	esac
fi

exit 0

Local Admins:

#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
# 
# Below is an example of how to read the value of one ENVIRONMENT VARIABLE in your script:

# my_var=${ENV_VAR_NAME}
#

# Output is "GroupMembership: root admin user1 ...": drop the attribute name and root, then comma-separate the rest
/usr/bin/dscl . -read /Groups/admin GroupMembership | cut -d " " -f 3- | tr " " ","

exit 0

Hidden Admins:

#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
# 
# Below is an example of how to read the value of one ENVIRONMENT VARIABLE in your script:

# my_var=${ENV_VAR_NAME}
#
declare -a HiddenAdmins=()

function check_hidden {

	while [ $# -gt 0 ]
	do
		IsHidden=$(dscl . read /Users/$1 IsHidden 2>/dev/null | awk '{print $NF}')
	
		if [[ $IsHidden -eq 1 ]]
		then
			HiddenAdmins+=($1)
		fi	

		shift
	done 
}

check_hidden $(/usr/bin/dscl . -read /Groups/admin GroupMembership | cut -d " " -f 3-)

echo ${HiddenAdmins[@]} | tr " " ","

exit 0

Visible Admins:

#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
# 
# Below is an example of how to read the value of one ENVIRONMENT VARIABLE in your script:

# my_var=${ENV_VAR_NAME}
#


declare -a VisibleAdmins=()

function check_hidden {

	while [ $# -gt 0 ]
	do
		IsHidden=$(dscl . read /Users/$1 IsHidden 2>/dev/null | awk '{print $NF}')
	
		if [[ ! $IsHidden -eq 1 ]]
		then
			VisibleAdmins+=($1)
		fi	

		shift
	done 
}

check_hidden $(/usr/bin/dscl . -read /Groups/admin GroupMembership | cut -d " " -f 3-)

echo ${VisibleAdmins[@]} | tr " " ","

exit 0

Installed Security Updates:

#!/bin/zsh

# Collect the numbers of the installed "Security Update YYYY-NNN" packages from the install
# history, without duplicates. Relevant to macOS 10.13-10.15: from macOS 11 onward security
# content ships inside the regular point updates rather than as standalone Security Update packages.

typeset -a output_array
get_pkg_name=0

# Append $1 to output_array unless it is already present
# (zsh subscript flag (Ie) returns the index of an exact match, 0 when absent).
function check_duplicate {
	if (( ${output_array[(Ie)$1]} == 0 ))
	then
		output_array+=("$1")
	fi
}

# The loop body runs in the current shell in zsh, so the array survives the pipeline.
/usr/libexec/PlistBuddy -c 'Print ' /Library/Receipts/InstallHistory.plist | while read line
do
	case "$line" in

		# displayName is just "Security Update": take the number from the following package identifier
		*"Security Update")
			get_pkg_name=1
		;;
		# displayName carries the number itself, e.g. "Security Update 2019-001"
		*"Security Update"*)
			check_duplicate "${line##* }"
		;;
		# package identifier whose second-to-last dot-separated component (e.g. SecUpd2019-001) holds the number
		*"com.apple.pkg.update.os"*|*"com.apple.pkg.update.10"*)
			if [ $get_pkg_name -eq 1 ]
			then
				sec_number=$( echo "$line" | awk -F "." '{print $(NF-1)}' | sed 's/[A-Za-z]*//g')
				check_duplicate "${sec_number}"
				get_pkg_name=0
			fi
		;;
	esac
done

# Comma-delimited with leading and trailing commas, so an inventory search for ",2019-001," matches exactly.
echo ","${output_array}"," | tr " " ","

exit 0

Firmware Unlock Seed (password recovery key).  A new seed is generated with each password change.  Firmware password changes require a reboot before reporting correctly.  The seed may only be used by Apple to produce a firmware password reset, but it is still the recovery material for that control, so restrict who can view this custom field in inventory.  Intel Macs only.

#! /bin/bash
#
# FileWave client will execute this script. The output will be used as the value of the custom field.
#
# Retrieve the firmwarepasswd unlock seed.  The response may only be used by Apple to unlock the device.

# No firmware password on Apple silicon (checked via sysctl, which is correct even under Rosetta)
if [ "$(/usr/sbin/sysctl -n hw.optional.arm64 2>/dev/null)" = "1" ]
then
        echo "N/A (Apple silicon)"
        exit 0
fi

# Firmware status: "Password Enabled: Yes" / "Password Enabled: No"
check_firmware=$(/usr/sbin/firmwarepasswd -check 2>/dev/null | awk '{print $NF}')

if [ -z "$check_firmware" ]
then
        echo "Error"
elif [ "$check_firmware" = "Yes" ]
then
        # Discard stderr only: redirecting stdout as well (&>) would leave the seed empty.
        unlock_seed=$(/usr/sbin/firmwarepasswd -unlockseed 2>/dev/null)
        if [ $? -eq 0 ]
        then
                echo "$unlock_seed"
        else
                echo "Error"
        fi
else
        echo "Disabled"
fi

exit 0

Preparation for deployment

The steps below should be followed to prepare your organisation's infrastructure for hosting a deployment of these devices:

Set up an MDM server (e.g. Profile Manager on macOS Server). This may require setting up the Open Directory component of a macOS Server.

Ensure all Configuration Profiles are signed to prevent modification in transit, or post install

Create policies on Profile Manager for:
* Ensure 'Use SSL' is selected for all server settings
* VPN
* Passcode
* Disk encryption and key escrow
* Exchange/Mail/Calendar Settings.
* Disabling access to the Preference Panes in Restrictions (macOS) for iCloud and Network as access to these could be used to disable the VPN.”

FileWave can be used to mimic Profile Manager and much more. (Apple discontinued macOS Server and Profile Manager in 2022, so the Profile Manager route only applies where such a server still exists.)

It is worth noting however, that FileWave does not have the option to sign Configuration Profiles.  This is a current Feature Request: FW-19687.

Recommendation in this case would be to sign the profile outside FileWave and then import the signed .mobileconfig.  This can be done from the macOS command line, using a signing certificate whose private key is in your keychain:

/usr/bin/security cms -S -N "Certificate Common Name" -I "/path/to/original.mobileconfig" -o "/path/to/create/signed.mobileconfig"

The signing certificate can come from an Apple Developer account, from an internal CA, or from a macOS Server that is still running; it must be added to the keychain prior to signing.  A profile signed with a certificate the client does not trust still installs but is shown as unverified in the Profiles pane, so distribute the issuing CA certificate to clients first if the signature is to be meaningful to users.

Policy Creations

“Additional Consideration

* Whitelist applications to further reduce the risk of malicious code being executed
* Tighten permissions on USB mass storage and optical devices to help prevent data loss through removable media
* Use Restrictions to blacklist locations from which users should not run applications, or whitelist trusted applications that users are allowed to run
* Include internal CA Certificates where appropriate to ensure users can authenticate network services
* Include corporate network profiles (e.g. 802.1X or Wi-Fi) to ensure that network access credentials are distributed securely”

Feature Requests
Where Feature Requests have been noted, please view release notes for added features in future updates.

This KB Contains public sector information licensed under the Open Government Licence v3.0.

http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/

FileVault

FileVault

FileVault - Getting Started

Please Note
Setting up FileVault 2 with FileWave is supported with MDM-enrolled macOS devices only. MDM-enrolled devices are those that went through DEP (Automated Device Enrollment) or had the MDM profile installed manually.

These advanced steps are for system administrators and others who are familiar with the command line and FileWave.

What you need to begin

What is FileVault 2

FileVault full-disk encryption (FileVault 2) uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk.

FileVault 2 has three different decrypting mechanisms:

Setup

Full Disk Encryption Assistant

Institutional Key Creation and Import

Create an IRK keychain using the following commands. The resulting keychain contains the IRK's private key: keep it in a safe place off the managed devices, since only the certificate (public key) exported from it is deployed to clients, and whoever holds the private key can unlock every volume encrypted with that IRK.

sudo security create-filevaultmaster-keychain ~/Desktop/FileVaultMaster.keychain
security unlock-keychain ~/Desktop/FileVaultMaster.keychain

Disk Encryption Profile

Next, we will need to set up the Apple Profile that will configure and set up FileVault 2. Again your devices need to be MDM enrolled for this payload.

IMPORTANT NOTE:
* If you use the option "User is not prompted for FileVault activation at login" there is a chance that FileVault may never fully activate. It is recommended that you do not use this option.
* This payload can't be used in conjunction with other payloads in the same profile.
* Importing a profile with FileVault 2 options is not possible; the FileVault 2 configuration must be created using the Assistant and the Full Disk Encryption payload. If you try to import such a profile, FileWave will have to remove the FDE payloads before importing - FileWave can do this for you.
* If you had FDE payloads before upgrading to FileWave 12.9+, you won't be able to edit those profiles unless the FileVault 2 options are removed - FileWave can do this for you.
* Escrow Personal Recovery Key is required for Authenticated Restart and for storing the key in FileWave.

Disk Encryption Inventory Information

Now that you have FileVault 2 enabled on your device(s) you can view inventory pulled from the device(s) regarding the FileVault 2 settings:

Disk Encryption Recovery Key Escrow 

When FileVault 2 is enabled FileWave will keep track of the configuration applied to the corresponding keys such as the Institutional Recovery Key (IRK) used to encrypt the disk and the Personal Recovery Key (PRK).

To manage these keys go to Assistants → FDE Recovery Key Management...

Once you select a device you will be able to Show Personal Recovery Key... or Download Institution Recovery Key... depending on what configuration was used to set up FileVault on that machine.

You can also delete outdated entries but keep in mind if a device has FDE managed by FileWave, it's not possible to remove FDE keys from the assistant. You have to disable FDE or remove the device from FileWave first.

Status can be:

PRK Status can be:

Authenticated Restart

macOS 10.13 NOT SUPPORTED
Authenticated restart using a Personal Recovery Key does not work on macOS 10.13+ on APFS.
This option is for the Personal Recovery Key only; Institutional Keys are not supported with this option.

When FileVault 2 is enabled, the startup disk stays locked at boot until it is unlocked. While it is locked the FileWave client is not running, so the device does not connect to the server. Be aware of this if you have FileVault 2 enabled on a device and send out a Fileset that requires a reboot: after the reboot, the end user has to unlock the drive before the deployment can finish.

FileWave may be able to help with this using Authenticated Restart as a Fileset option. If you selected the option Escrow Personal Recovery Key when you created the Disk Encryption Profile to enable FileVault 2, FileWave can use an authenticated restart to unlock the drive on the next boot without user interaction.

This option is located in the Fileset Properties for any Fileset you are requiring a reboot for.

Right-click on Fileset → Properties → Select Requires Reboot 

Possible Security Risk
Keep in mind that this option weakens the protection FileVault gives for as long as it is in effect, so use it accordingly. The device comes back from the reboot with the volume already unlocked and nobody logged in, so the encrypted data is accessible on that boot, and until the reboot happens an unlock key is held in memory (still in encrypted form).

Recent versions of macOS for FileVault IRKs

The use of Institutional FileVault keys, also known as Institutional Recovery Keys (IRK), is no longer recommended in recent versions of macOS, including macOS Ventura. The utility of IRKs for organizations has become limited, particularly on Macs with Apple Silicon, where IRKs provide no functional value. This is because IRKs can't be used to access recoveryOS, and because Target Disk Mode is no longer supported, the volume can't be unlocked by connecting it to another Mac.

Instead, the use of a Personal Recovery Key (PRK) is now recommended. A PRK provides an extremely robust recovery and operating system access mechanism, unique encryption per volume, escrow to MDM, and easy key rotation after use.

Moreover, there is only one PRK per encrypted volume. During FileVault enablement from MDM, the PRK can optionally be hidden from the user. When configured for escrow to MDM, MDM provides a public key in the form of a certificate, which is then used to asymmetrically encrypt the PRK in a CMS envelope format. The encrypted PRK is returned to MDM in the security information query, where it can be decrypted for viewing by the organization. Many MDM vendors provide the option to manage these keys to allow for viewing directly in their products. MDM can also optionally rotate PRKs as often as required to help maintain a strong security posture, for example after a PRK has been used to unlock a volume.
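The escrow exchange in the paragraph above can be exercised end to end with OpenSSL. The following is an added example, not Apple's or FileWave's code: the MDM side generates an RSA key pair and hands out only the certificate, the device side wraps a constructed recovery key in a CMS envelope encrypted to that certificate, and the MDM side opens it with the private key, while a party holding only the certificate cannot. The key size, names and the sample recovery key are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: PRK escrow as a CMS envelope, both sides, with OpenSSL.
# Not Apple's or FileWave's code; it shapes the exchange described in the KB.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample recovery key (the real PRK is generated by the device when FileVault is enabled).
SAMPLE_PRK="ABCD-EFGH-IJKL-MNOP-QRST-UVWX"

# MDM side: generate the escrow key pair.  Only the certificate (public key) goes to the
# device in the FDE payload; the private key never leaves the MDM server.
mdm_make_escrow_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=MDM PRK Escrow (demo)" \
        -keyout "$WORK/escrow.key" -out "$WORK/escrow.crt" >/dev/null 2>&1
}

# Device side: encrypt the PRK to the certificate.  The output is DER CMS EnvelopedData,
# which is what the device returns to MDM in the security information query.
device_escrow_prk() {   # $1 = PRK, $2 = escrow certificate, $3 = output envelope
    printf '%s' "$1" | openssl smime -encrypt -binary -aes256 -outform DER -out "$3" "$2"
}

# MDM side: open the envelope with the private key and print the PRK.
mdm_open_envelope() {   # $1 = envelope, $2 = certificate, $3 = private key
    openssl smime -decrypt -binary -inform DER -in "$1" -recip "$2" -inkey "$3"
}

# Round trip; prints "<recovered PRK> <result for someone holding only the certificate>"
demo() {
    mdm_make_escrow_cert
    device_escrow_prk "$SAMPLE_PRK" "$WORK/escrow.crt" "$WORK/prk.envelope"
    recovered=$(mdm_open_envelope "$WORK/prk.envelope" "$WORK/escrow.crt" "$WORK/escrow.key")
    # Anyone who captured the envelope (in transit, or from the MDM database) but holds
    # only the certificate cannot open it: the certificate carries no private key.
    if openssl smime -decrypt -binary -inform DER -in "$WORK/prk.envelope" \
           -recip "$WORK/escrow.crt" -inkey "$WORK/escrow.crt" >/dev/null 2>&1; then
        without_key=opened
    else
        without_key=sealed
    fi
    echo "$recovered $without_key"
}

demo
```

The security of escrowed PRKs therefore rests entirely on the MDM server's private key: it should be generated on the server, backed up separately from the escrow database, and rotated (with the PRKs re-escrowed) if it is ever exposed.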

Additional information on managing FileVault in macOS: Managing FileVault in macOS
Information on managing FileVault in recent versions of macOS: Manage FileVault with mobile device management

FileVault

FileVault 2 enabled on macOS ADE enrollment

What

Once you have started down the road of using FileVault to secure your data with FileVault - Getting Started then you may want to think about enabling FileVault at enrollment time for macOS systems.

When/Why

FileVault is the built-in encryption solution for macOS devices and protects your data at rest. Think about a laptop issued to a teacher or a finance employee and what would happen if that laptop was stolen: what data would be on it? Enabling FileVault is very simple and adds some peace of mind. As of FileWave 15.2.0 and macOS 14.0 there is an option to enable FileVault at enrollment time.

How

Once you have gone through FileVault - Getting Started to understand how it is configured, and you are running at least FileWave 15.2.0 with devices on at least macOS 14.0, go to FileWave Central: Assistants -> DEP Association Management and create a profile with the option "Force Setup Assistant to enable FileVault" enabled. Note that the option cannot be enabled until a profile that configures FileVault exists; if you have followed the Getting Started guide you will already have one.


Once you have this enabled then you should be all set. Make this enrollment profile either the default or just assigned to specific devices. We always recommend testing things on one device first to be sure you are happy with the options, and to test your Institutional Recovery key to make sure it works with the password you believe it should. 

Firmware Password (macOS 10.14 Mojave+)

Description

Apple has changed firmware password handling over time across versions of macOS. The following method should work on Intel machines running macOS 10.10+; Apple silicon Macs have no firmware password at all (the equivalent control there is Recovery Lock, set through MDM). This recipe allows for creating, changing or deleting the firmware password.

The script in this recipe sets the firmware password of macOS devices. If set incorrectly, you could be locked out of the device. FileWave offers this script as is; use of it is at the user's own understanding and risk, and FileWave holds no responsibility for devices that become locked and unusable. If concerned, please refrain from using this script.

macOS Catalina
This script has been tested successfully on macOS Catalina (10.15.x)

Ingredients

macOS versions
This method uses the binary 'firmwarepasswd', which is known to exist in all versions of macOS from 10.10 onwards (it may have been introduced in a later 10.9 release). FileWave 13+ supports macOS 10.11+ in any case.

Directions

  1. Download the above Fileset recipe and import into FileWave
  2. Duplicate the Fileset and append the name appropriately: New, Change or Delete
  3. Change the Launch Arguments to match the renamed duplicated Fileset based upon the below table
  4. Edit the script if required for reboot options or set Fileset Properties Reboot
  5. Associate, test and then deploy

Launch Arguments

To set the Launch Arguments

There are 3 options for this fileset: New, Change or Delete.  The Launch Arguments should be set as required based upon these options as seen in the table below:

Launch Argument   New            Change         Delete
1                 new            change         delete
2                 new password   new password   old password
3                                old password

Examples

Reboot Options

By default, the script will not reboot once completed.  However, a reboot is required after setting.  This could be achieved by setting the Fileset Properties.  Alternatively, an option is built into the script to allow for this.  Please edit the script appropriately:

reboot_flag=false
# Default - do not reboot at script end; consider using Fileset properties for reboot.
# Firmware password change requires reboot.  Tests for alternate boot drive selected                              
# Alternative options: error, set or ignore
# Use ignore to set default to reboot
# Uncomment command as desired
# error: Script will abort and no firmware password will be set if set boot drive does not match current booted drive
# reboot_device error
# set: Script will set the firmware password without a reboot attempt if set boot drive does not match current booted drive
# reboot_device set
# ignore: Script will continue regardless, setting firmware password and rebooting
# reboot_device ignore

If choosing an option that does not reboot, the device will need a reboot before the firmware password setting is complete.

Options 'error' and 'set' will check to see if currently set boot drive matches currently booted drive.  If true, both options will continue to set the firmware password.  If false, 'error' will exit an error without any change, whilst 'set' will set the password but will not reboot.

All options: 'set', 'error' and 'ignore', will ensure (on success) that the current set boot drive matches the currently booted drive before rebooting.

Examples:

For the script to reboot, uncomment the following line:

# ignore: Script will continue regardless, setting firmware password and rebooting
reboot_device ignore

To allow the password to be changed, but only reboot if the set boot drive matches the currently booted drive, uncomment the following line:

# set: Script will set the firmware password without a reboot attempt
reboot_device set

Only uncomment one line from these options.

Firmware Password Unlock Seed

The unlock seed is a unique recovery key that can be used by Apple to unlock a device in the event of the password being forgotten.  Please see the following KB for an example Custom Field that may be used to report this key:

EUD Security Guidance: macOS 10.13+


Full macOS Model name to Inventory (Custom Field)

Description

Need to know the full name, e.g. "MacBook Pro (Retina, 15-inch, Late 2013)", rather than the Model Identifier "MacBookPro11,3"? The provided script looks up the name and writes it to inventory as a Custom Field.

If necessary, please view the following for details on creating Custom Fields.

Information

Since the introduction of Apple's randomised serial numbers, the method of using Apple's online lookup service no longer works for those devices. However, all modern devices store a product name locally. The method below checks for a locally stored name first and, if none is found, queries Apple based on the device's serial number.

Note that the name stored locally may differ slightly from the one provided by Apple's lookup server. The table below gives an indication of the difference (sometimes they match):

Examples:

   
Name as indicated by Apple's servers and About This Mac   Name as stored in local file
MacBook Pro (13-inch, M1, 2020)                           MacBook Pro (13-inch, M1, 2020)
MacBook Pro (Retina, 15-inch, Mid 2015)                   15" MacBook Pro with Retina display (Mid 2015)
iMac (21.5-inch, Late 2009)                               iMac Intel Core 2 Duo (widescreen, Late 2009)
Mac mini (Late 2012)                                      Mac mini (Late 2012)

Virtual Devices

Virtual machines do not have legitimate Apple serial numbers by default, and you may use virtual machines with the FileWave client. Since the serial number is used to determine the macOS model, the script has been designed to allow for machines built using VMware. Similar consideration could be given to devices built with other virtualisation software, e.g. Parallels, VirtualBox, etc.

Script

Although this uses a local file, for older hardware information may be missing.  In this instance it will attempt to pull the information directly from Apple:

#!/bin/zsh

mac_model=$(sysctl -n hw.model)

# VMware guests report a VMware model and have no Apple serial number to look up
if [[ "$mac_model" =~ ^"VMware" ]]
then
        echo "$mac_model"
        exit 0
fi

# File that stores device information.  Old models may not have this file.  Additionally some models only have a description
# Information is not exactly the same as that reported through About This Mac, but is similar enough to suffice in most instances
apple_locale=$(defaults read /Library/Preferences/.GlobalPreferences.plist AppleLocale)
attr_file="/System/Library/PrivateFrameworks/ServerInformation.framework/Versions/A/Resources/${apple_locale}.lproj/SIMachineAttributes.plist"

model_name=""

if [ -e "$attr_file" ]
then
        # Use marketingModel if available
        model_name=$(/usr/libexec/PlistBuddy -c "Print :${mac_model}:_LOCALIZABLE_:marketingModel" "$attr_file" 2>/dev/null)

        # If not found, use description if available
        if [ -z "$model_name" ]
        then
                model_name=$(/usr/libexec/PlistBuddy -c "Print :${mac_model}:_LOCALIZABLE_:description" "$attr_file" 2>/dev/null)
        fi
fi

# If not found in the plist, check ioreg.  Apple seems to have stopped populating the plist file, but does populate ioreg now
if [ -z "$model_name" ]
then
        model_name=$(ioreg -c IOPlatformDevice | awk -F "\"" '/product-name/ || /product-description/ {print $(NF-1); exit}')
fi

# If still not found, try Apple's lookup service.  ioreg is used for the serial rather than system_profiler,
# which had an unfixed bug on macOS 10.10.x
if [ -z "$model_name" ]
then
        serial_number=$(ioreg -l | awk -F "\"" '/IOPlatformSerialNumber/ {print $(NF-1)}')

        # The lookup takes the configuration code: the last 3 characters of an 11-character serial
        # or the last 4 characters of a 12-character serial.  Anything else is not a classic Apple serial.
        case ${#serial_number} in
                12)
                        config_code=${serial_number[-4,-1]}
                        ;;
                11)
                        config_code=${serial_number[-3,-1]}
                        ;;
                *)
                        echo "$mac_model"
                        exit 0
                        ;;
        esac

        model_name=$(curl -s --max-time 10 "https://support-sp.apple.com/sp/product?cc=${config_code}" | sed 's|.*<configCode>\(.*\)</configCode>.*|\1|')

        # The service answers with an error element for unknown codes; fall back to the hardware model
        if [[ "$model_name" =~ "error" ]]
        then
                model_name="$mac_model"
        fi
fi

if [ -z "$model_name" ]
then
        echo "$mac_model"
else
        echo "$model_name"
fi

exit 0


Hide local macOS admin users

Description

Hide local admins at the login window

Ingredients

Directions

  1. Make an empty Fileset with a script that runs at activation.
  2. Use this code as an example of how to hide admins at login, and also show the "Other..." option at the login window so the local admin account can still be used. Note that Hide500Users only hides accounts whose UID is below 500, so the admin account to be hidden must have been created with such a UID; an account with a UID of 501 or higher stays visible unless its IsHidden user attribute is set instead. The FileWave client runs the script as root, so sudo is not needed.
    #!/bin/sh
    # This script is a Postflight sample
    # benm @ fw
    # Hide accounts with a UID below 500 (e.g. a locally created management admin) at the login window
    echo "hiding local admins at the login window"
    # Hide users whose UID is below 500
    defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES
    # Enable the "Other..." option at the login window so hidden accounts can still log in by name
    defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool TRUE
    
  3. To show admins at the login window again, send out:
    defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool NO
    

 

How to Create Local User Accounts on macOS 10.15+

Description

Provided is a scripted recipe to create a local user account on macOS devices associated with the below Fileset.  Options allow for creating:

Other values may be specified.

Information

Requirements are:

Customised values are set with the use of Environment Variables.  Settings within the downloaded recipe are:

Customisation includes:

'id_choice'

This option states whether the ID to be used will be a single preset value or whether a range of values should be tried, with the first available value used.

static_id

When set as 'static_id', the value set in 'unique_id' will be used as the user's ID.  If this value is already in use, the script will exit with an error.

next_id

When set as 'next_id', a range of values will be tested starting at 'unique_id' and ending with 'end_id'.  The first available value found will be used. If none are found the script will exit with an error.

'username'

This is the short name of the user.  If the name already exists on the device, the script will exit with an error.

'islocaladmin'

If set as TRUE, the new user will be added as an administrator of the device

'is_hidden'

If set as TRUE, the new user will be hidden

'enable_secure_token'

If set as TRUE, the new user will be enabled as a secure token user.  This option requires the following values to also be set: admin_user and admin_password

Other

All other values should be edited as desired

Directions

To create a user:

Example

Consider a device that already has 3 local accounts, with user IDs 501, 502, 503.  Settings could then be either:

or may look something like:

In the first instance, ID 504 will be attempted.  This is useful if all devices are the same and it is considered desirable that all users of this name have the same ID on each device.

In the second instance, 501 will be attempted, then 502 and 503, when finally 504 will be met, found to be free, and then be attempted.  This option is particularly useful for devices where an unknown quantity of user accounts may exist on each device and the users' ID is not considered important.

Considering this example with all other settings as default, the following account should be created:

NFSHomeDirectory: /Users/fwadmin
PrimaryGroupID: 20
RealName: FileWave Admin
RecordName: fwadmin
UniqueID: 504
UserShell: /bin/zsh

Additionally, the user will be a local Admin, but the account was not set as hidden
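The 'static_id' and 'next_id' selection described above, together with the account creation it feeds, as an added example in POSIX sh (this is not the KB's downloadable recipe). The list of UIDs already in use is constructed in the block so the selection logic runs anywhere; on a Mac it would come from dscl as shown in used_uids. The account attributes match the example account above; the environment variable names NEW_USER_PASSWORD, ADMIN_USER, ADMIN_PASSWORD and ENABLE_SECURE_TOKEN are assumptions.

```shell
#!/bin/sh
# Added example (not the KB's recipe): the 'static_id' / 'next_id' UID selection over a list of
# UIDs already in use, plus the dscl commands that create the account with the chosen UID.
set -eu

# Constructed in-use list for running this anywhere: three accounts exist, 501, 502 and 503.
SAMPLE_UIDS=$(printf '%s\n' 0 1 4 13 501 502 503)

# One UID per line for every local user.  On macOS this comes from dscl; elsewhere the sample is used.
used_uids() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -list /Users UniqueID | awk '{print $NF}'
    else
        printf '%s\n' "$SAMPLE_UIDS"
    fi
}

# static_id: succeed only if the requested UID is free.  $1 = UID, $2 = in-use list (newline separated)
static_id() {
    if printf '%s\n' "$2" | grep -qx "$1"; then
        return 1
    fi
    echo "$1"
}

# next_id: first free UID in [$1, $2] given the in-use list in $3; fails if none is free
next_id() {
    candidate=$1
    while [ "$candidate" -le "$2" ]; do
        if ! printf '%s\n' "$3" | grep -qx "$candidate"; then
            echo "$candidate"
            return 0
        fi
        candidate=$((candidate + 1))
    done
    return 1
}

# Resolve the UID the way the recipe's id_choice / unique_id / end_id settings describe.
choose_uid() {   # $1 = id_choice (static_id|next_id), $2 = unique_id, $3 = end_id, $4 = in-use list
    case "$1" in
        static_id) static_id "$2" "$4" ;;
        next_id)   next_id "$2" "$3" "$4" ;;
        *)         echo "unknown id_choice: $1" >&2; return 2 ;;
    esac
}

# Account creation with the attributes of the KB's example account.  Run as root on macOS.
# The password comes from an environment variable rather than a launch argument so that it is
# not visible in the process list; note that sysadminctl still receives it on its command line.
create_user() {   # $1 = short name, $2 = real name, $3 = UID, $4 = islocaladmin, $5 = is_hidden
    pw=${NEW_USER_PASSWORD:?NEW_USER_PASSWORD must be set}
    dscl . -create "/Users/$1"
    dscl . -create "/Users/$1" UniqueID "$3"
    dscl . -create "/Users/$1" PrimaryGroupID 20
    dscl . -create "/Users/$1" RealName "$2"
    dscl . -create "/Users/$1" UserShell /bin/zsh
    dscl . -create "/Users/$1" NFSHomeDirectory "/Users/$1"
    dscl . -passwd "/Users/$1" "$pw"
    if [ "$5" = TRUE ]; then dscl . -create "/Users/$1" IsHidden 1; fi
    if [ "$4" = TRUE ]; then dseditgroup -o edit -a "$1" -t user admin; fi
    createhomedir -c -u "$1" >/dev/null
    # Granting a secure token needs the credentials of an existing token holder
    if [ "${ENABLE_SECURE_TOKEN:-FALSE}" = TRUE ]; then
        sysadminctl -secureTokenOn "$1" -password "$pw" \
            -adminUser "${ADMIN_USER:?}" -adminPassword "${ADMIN_PASSWORD:?}"
    fi
}

# The KB's worked example: with 501-503 taken, static 504 and the range 501-510 both yield 504.
demo() {
    in_use=$(used_uids)
    echo "static_id 504     -> $(choose_uid static_id 504 504 "$in_use")"
    echo "next_id 501..510  -> $(choose_uid next_id 501 510 "$in_use")"
    # On a Mac, as root, the creation step would then be:
    # create_user fwadmin "FileWave Admin" "$(choose_uid next_id 501 510 "$in_use")" TRUE FALSE
}

demo
```

Both selection functions fail with a non-zero status rather than printing a fallback, so a caller in a Fileset script can stop before touching the directory when the requested UID is taken or the range is exhausted, which is the behaviour the recipe describes.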

Login Window Banner (Agreement Policy) for macOS

Description

Having your users accept a policy at the login window before they log in is easy.

RecipemacOSBanner-banner

Ingredients

Directions

Creating the text file

Apple's TextEdit will work perfectly. It is located in: Macintosh HD → Applications → TextEdit.app

PolicyBanner

With any of these extensions:

A sample rtfd is attached ( PolicyBanner.rtfd_.zip ).

Placing the text file into the fileset

Please Note: If you use the rtfd format:
1. The file will show up as a folder, as it has to include the picture and text as two separate files.
2. URLs or other hyperlinks will not work when displayed at the login window.
3. You will not be able to export the rtfd later due to its folder format.

RecipemacOSBanner-rtfd

Notes

See support.apple.com/kb/HT4788 For more information.

macOS 11 Compatible Devices (Custom Field)

Description

Details on identifying compatible devices for macOS 11 (Big Sur) using a Custom Field.

macOS

Custom Field, returns either: compatible or incompatible

Example query view:

Ingredients

Directions

Details for Importing and Exporting Custom Field Files

May be assigned to all devices, since Windows script is configured to return: NA

macOS 14 Compatible Devices (Custom Field)

Description

Details on identifying compatible devices for macOS 14 (Sonoma) using a Custom Field.

macOS

Custom Field, returns either: compatible or incompatible

Example query view:

Ingredients

Directions

Details for Importing and Exporting Custom Field Files

May be assigned to all devices, since Windows script is configured to return: NA

Message to macOS User

Description

This Fileset recipe shows you how to send a Message via a dialog box to a User currently logged on to a Mac, using a fileset.

This Fileset will make the FileWave Client wait with further deployments until the end user has acknowledged the dialog and closed it with "ok". If you want to change that behaviour so that it just displays a message and then deploys further filesets, refer to the last step of the recipe.

Ingredients

Directions

  1. Download the attached zip file, uncompress it and import it into FileWave Admin via drag and drop, or by clicking "New Desktop Fileset", "Import".
  2. Double-click the Fileset to display its contents, and drill down to the /usr/local/scripts folder.
  3. Click once on message.txt and then the "Edit Text" button at the top of the Fileset window to edit the file. Adjust the message to what you need it to say, and confirm with "OK".
  4. Associate the Fileset to a Mac where somebody is currently logged in, update the model, and observe the message popup.
  5. If you want to change the behaviour of this Fileset so that it just displays a message and then goes on deploying further Filesets, do the following:
    • open the Fileset by double-clicking it
    • drill down to the /usr/local/scripts folder
    • click once on display-alert-on-current-users-desktop.sh, and then the "Get Info" button
    • Select the "Executable" tab
    • Uncheck the "Wait for executable to finish" checkbox
    • Confirm with OK
    • Test your Fileset by associating it and running Model Update

Related Content

Notify Users with a dialog (macOS)

Description

The provided Fileset is an example of notifying users, in particular here, a message regarding Fileset status when downloading and installing new Filesets.

 The Fileset is designed to:

The service is actioned automatically when the user logs in.  Where Filesets are disassociated, each has a pre-uninstallation script to ensure the services are also removed.

Ingredients

↓ macOS

Directions

For the example provided:

Fileset scripts may be modified for personal preference.  In each Fileset there is a script that is actioned by the local computer service.  The scripts are using a pattern match.  The pattern matching may be edited as required, removing or adding appropriately.

macOS

Locate the "prompt_user.sh" file within the Fileset and choose to edit.  In the following code block snippet from this script, the case statement is pattern matching text.  In the provided example the script is looking for lines that contain any one of the following:

Where found, the 'show_message' function is being used to prompt the user:

prompt_user.sh
# * are wildcard entries and | acts as a logical OR
case "$line" in
		*"Model version"*|*"Downloading Fileset"*|*"Done activating"*|*"Activate all"*)
			show_message
			;;

The second part of the case statement is causing the script to exit.  The pattern match this time, is any line that contains:

prompt_user.sh
*"Data successfully sent to the inventory server"*)
			exit 0
			;;
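To check what the two patterns match before editing them, the following added example (not the Fileset's prompt_user.sh) runs the same case statement over a few constructed fwcld.log lines. The line format and the show_message stand-in are assumptions; the real script reads the live client log and posts a Notification Center message.

```shell
#!/bin/sh
# Added example, not the Fileset's prompt_user.sh: the same case-statement pattern match
# run over constructed fwcld.log lines, so the effect of editing the patterns can be checked
# before the Fileset is deployed.  The line format below is made up; compare with your own
# /var/log/fwcld.log.
set -eu

# Constructed sample of a client log during a deployment.
SAMPLE_LOG='2024-05-01 09:00:01 fwcld: Model version 42 received from server
2024-05-01 09:00:02 fwcld: Downloading Fileset "Chrome" (1 of 2)
2024-05-01 09:00:03 fwcld: Verifying Fileset "Chrome"
2024-05-01 09:00:05 fwcld: Done activating Fileset "Chrome"
2024-05-01 09:00:06 fwcld: Data successfully sent to the inventory server
2024-05-01 09:00:07 fwcld: Activate all Filesets'

# Classify one line the way prompt_user.sh does: * is a wildcard and | a logical OR.
# Prints notify (show_message would run), stop (the script exits) or ignore.
classify_line() {   # $1 = log line
    case "$1" in
        *"Model version"*|*"Downloading Fileset"*|*"Done activating"*|*"Activate all"*)
            echo notify ;;
        *"Data successfully sent to the inventory server"*)
            echo stop ;;
        *)
            echo ignore ;;
    esac
}

# Stand-in for the Fileset's show_message (there it posts a Notification Center message).
show_message() {   # $1 = log line
    echo "NOTIFY: $1" >&2
}

# Feed a log stream (stdin) through the classifier; stop at the inventory line like the
# Fileset script does.  Prints the number of notifications raised.
count_notifications() {
    notified=0
    while IFS= read -r line; do
        case "$(classify_line "$line")" in
            notify) show_message "$line"; notified=$((notified + 1)) ;;
            stop)   break ;;
        esac
    done
    echo "$notified"
}

# With the sample above: three notifications, and the trailing "Activate all" line is never
# reached because the inventory line ends processing first.
printf '%s\n' "$SAMPLE_LOG" | count_notifications
```

Running the sample shows the ordering effect worth knowing about when adding patterns: anything logged after the inventory line is never seen, so a new pattern for a late message needs the exit condition moved as well.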

Notification Center Permissions

Notifications are a user choice.  Users must accept notifications when prompted.

The section of 'com.filewave.prompt_user.plist' below may be edited as desired; the defined keys determine the following:

com.filewave.prompt_user.plist
<key>EnvironmentVariables</key>
	<dict>
		<key>the_title</key>
		<string>FileWave Message</string>
		<key>the_subtitle</key>
		<string></string>
		<key>bundle_id</key>
		<string>com.filewave.fwGUI</string>
	</dict>

Users may still allow Notifications in System Preferences if previously denied:

Launch Services
Once a launch service is running, editing an already loaded script will have no impact on the current service; the service itself must be reloaded.  If parts of the Fileset are edited after association, consideration of this should be taken into account to ensure those changes are made active.

Notes

The above provides an example of notifying users, using a service.  However, with some adaptation messages could be sent in other ways at alternate times to users.

Related Content

Remove Casper JSS Client Components

Description

To remove all Casper JAMF Software-related components from computers that have been managed by the JSS.

Ingredients

Directions

  1. Create a new empty Fileset (From the Fileset View : New Desktop Fileset > Empty : Type a Name > OK)
  2. With it selected: Click the Scripts item in the button bar
  3. Create a new activation script and name it.
  4. Paste the script below and edit
    #!/usr/bin/env zsh
    # This will remove JAMF from macOS
    
    # Function to identify the location of the jamf binary.
    # 'command -v' is used rather than 'which': in zsh, 'which' prints "jamf not found" to
    # stdout on failure, which would leave jamf_binary non-empty and make the check below fail.
    CheckBinary() {
        jamf_binary=$(command -v jamf 2>/dev/null || true)
    
        # Not on the PATH: fall back to the known install locations, preferring the newer
        # /usr/local/bin path when both exist
        if [[ -z "$jamf_binary" ]]; then
            for candidate in /usr/local/bin/jamf /usr/sbin/jamf; do
                if [[ -e "$candidate" ]]; then
                    jamf_binary="$candidate"
                    break
                fi
            done
        fi
    
        # Error handling for missing jamf binary
        if [[ -z "$jamf_binary" ]] || [[ ! -x "$jamf_binary" ]]; then
            echo "Error: jamf binary not found or not executable."
            exit 1
        fi
    }
    
    # Function to remove the JAMF framework
    RemoveJamf() {
        "$jamf_binary" removeFramework || {
            echo "Error: Failed to remove JAMF framework."
            exit 2
        }
    }
    
    # Main script execution
    CheckBinary
    RemoveJamf
    
    # Exit with a success status
    exit 0
    
  5. Associate as standard or scheduled


Understanding Free Space on APFS Volumes

What

This article explains how free space is calculated on APFS volumes and how it differs from traditional file systems like HFS+.

When/Why

Understanding free space on APFS volumes is essential for managing storage on macOS devices, as it helps users and administrators make informed decisions about disk usage and maintenance.

How

  1. Traditional file systems (HFS+): Calculating free space on HFS+ volumes involves subtracting the total occupied storage blocks from the total volume capacity.

  2. Snapshots: APFS snapshots complicate free space calculations as they dynamically occupy storage blocks. Deleting snapshots can free up space, but the amount depends on other snapshots and their deletion.

  3. Clones: Cloned files in APFS initially share storage blocks, but as their data diverges, they consume additional space. Finder reports cloned files as separate entities, but APFS accounts for shared storage blocks.

  4. Sparse files: These files contain little data relative to their overall size. Copying or saving sparse files without preserving their format causes them to expand to full size, consuming more space.

  5. Other volumes: APFS containers share free space among their volumes, unlike HFS+ volumes. Data and VM volumes, in particular, share free space, with macOS determining the VM volume's usage.

  6. Free space control: APFS and macOS control free space, with figures changing depending on snapshots, clones, sparse files, and VM volume usage. APFS provides estimates for "important usage" and "opportunistic usage" free space.

The impact of these factors on APFS free space calculations makes it challenging to precisely determine available storage. It's crucial for users and administrators to understand these complexities to effectively manage storage and device performance. By being aware of snapshots, clones, sparse files, and shared volumes, users can make more informed decisions regarding storage allocation and maintenance, ensuring optimal device performance and efficient use of resources.

There is also an open-source tool that can aid in seeing more accurate free space information linked to below.

  1. Free space on an APFS volume is an illusion – The Eclectic Light Company
  2. GitHub - scriptingosx/diskspace: macOS command line tool to return the available disk space on APFS volumes

Wipe Device for macOS

What

To wipe a macOS device you can right-click on a device and pick Wipe Device... as shown. Before macOS 12, Erase Device MDM command would obliterate the system, meaning that critical files and data would be removed and the system would then be inoperative. 

When/Why

In macOS 12 and later, this command uses Erase All Content and Settings (EACS) on Mac computers with Apple silicon or the Apple T2 Security Chip. On those devices, if EACS can't run, the device can fall back to obliteration (the macOS 11.x behavior).

How

It is important to record the Find my Mac PIN as this is not recorded anywhere in the FileWave logs. This is also true for the Lock command for macOS systems as well.

Upon receiving this command, the device performs preflight checks to determine if the device is in a state that allows EACS.

The device's fallback behavior, for the case where EACS cannot run, can then be configured:

Do Not Obliterate:

Obliterate With Warning

Default

In FileWave 14.7, it is possible to define this behavior when Remote Wiping a device:

Troubleshooting

Apple Metadata Missing After Fileset Installation (macOS)

Description

In some instances Metadata is added to items to provide additional features, however, this Metadata may not be transferred when the App is delivered as a standard Fileset.  Where this occurs, the Metadata may be re-injected using a script.  An example of this is highlighted in our KB on Deploying Folders with Icons.  

TeamViewer is another example of this.  The Quick Support version of the App has the option to include customisation, as per their guidelines.  In fact, the Tool: FileWave QS App implements this to provide branding, user name and a personalised design.

When customisation is configured on this App, the App receives additional Metadata.  If the Metadata were not restored, the customisation would be lost and the App would appear as the basic, standard looking App.

Instructions

To ensure the Metadata is re-applied after installation as a standard Fileset, the following should be followed:

To read the Metadata, open Terminal and run the following command, editing the path to match the required location.  Using the FileWave QS App in the Downloads folder as an example:

$ xattr -l ~/Downloads/FileWave\ QS.app
com.TeamViewer.ConfigurationId: idcr6bwpyh

A script may now be created to re-instate this Metadata, again changing the path if the App is installed somewhere other than Applications.

#!/bin/zsh

# Re-apply the TeamViewer configuration ID that is lost when the App is
# delivered as a standard Fileset. Adjust the path if the App is installed
# somewhere other than /Applications.
xattr -w com.TeamViewer.ConfigurationId idcr6bwpyh /Applications/FileWave\ QS.app

exit 0

If using an alternative customised TeamViewer QS App, change the name to match the created App and use the value reported by the query to set the matching ID.

Verification
To ensure the script is run again if Verification repairs or re-instates the App, a Verification Script with the same contents will also be required.

On installation, all applied customisation should appear as expected. This same process may be applied to any additional Metadata that may be lost during Fileset installation.
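The script above hard-codes one attribute. The following is an added example, not FileWave's own code, that generalises the same process: dump every extended attribute of a reference copy of the App into a manifest, re-apply the manifest after the Fileset install, and verify the result (usable as both the post-install and the Verification script). It assumes the macOS xattr tool, handles string-valued attributes only (binary values would need xattr -px / -wx), and deliberately skips com.apple.quarantine and com.apple.provenance, which must not be copied onto a freshly installed App. The manifest contents in the usage are constructed.

```shell
#!/bin/bash
# Save and restore the extended attributes (xattrs) that a standard Fileset drops.
set -eu

# Attributes that must NOT be carried over to the installed copy.
SKIP_ATTRS="com.apple.quarantine com.apple.provenance"
tab=$(printf '\t')

# Return 0 if attribute name $1 is on the skip list.
is_skipped() {
  case " $SKIP_ATTRS " in *" $1 "*) return 0 ;; esac
  return 1
}

# Write every xattr of $1 to manifest file $2 as "name<TAB>value" lines.
# Run this once against the customised reference copy (e.g. the download).
dump_xattrs() {
  path="$1"; manifest="$2"
  : > "$manifest"
  xattr "$path" | while IFS= read -r name; do
    [ -n "$name" ] || continue
    printf '%s\t%s\n' "$name" "$(xattr -p "$name" "$path")" >> "$manifest"
  done
}

# Re-apply manifest $1 onto $2; prints the number of attributes written.
restore_xattrs() {
  manifest="$1"; path="$2"; applied=0
  while IFS=$tab read -r name value; do
    [ -n "$name" ] || continue
    is_skipped "$name" && continue
    xattr -w "$name" "$value" "$path"
    applied=$((applied + 1))
  done < "$manifest"
  echo "$applied"
}

# Succeed only if every non-skipped manifest entry is present on $2 with the
# same value; this is the check a Verification script should make.
verify_xattrs() {
  manifest="$1"; path="$2"
  while IFS=$tab read -r name value; do
    [ -n "$name" ] || continue
    is_skipped "$name" && continue
    [ "$(xattr -p "$name" "$path" 2>/dev/null)" = "$value" ] || return 1
  done < "$manifest"
  return 0
}

# Usage:  script.sh dump|restore|verify <app path> <manifest>
case "${1:-}" in
  dump)    dump_xattrs "$2" "$3" ;;
  restore) restore_xattrs "$3" "$2" ;;
  verify)  verify_xattrs "$3" "$2" ;;
esac
```

Ship the manifest inside the Fileset next to the App, run the restore as the post-install script, and use the verify mode as the Verification script so a repair re-applies and re-checks every attribute rather than one remembered by hand.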

Example Fileset

This example Fileset includes:

FileWave TV QS Version 14.fileset.zip

When updated versions of the TeamViewer FileWave QS App are supplied, the Fileset should be updated with the newer download to replace the current application.

Troubleshooting

iOS 12 / macOS 10.14+ and self-signed certificates

iOS 12 and macOS 10.14 introduced stricter rules for TLS certificates: a certificate must be generated from an RSA key of at least 2048 bits; certificates generated from a 1024-bit key are rejected by the device.

If you are using a certificate issued by a trusted CA, you should be fine; most certificates on the market fulfil this requirement. If you generated your certificate with FileWave 9.0 or later, you should also be fine, since from that version the key used to generate certificates is 2048-bit. If you are running a FileWave installation that was set up before FileWave 9.0 with a self-signed certificate, or if you are using a certificate issued from a 1024-bit key, you need to update your setup for iOS 12 devices to trust your server.

How to check the certificate RSA key size:

macOS, Linux:

openssl x509 -in /usr/local/filewave/certs/server.crt  -text -noout | grep Public-Key

Windows

C:\OpenSSL-Win64\bin\openssl.exe x509 -in C:\ProgramData\FileWave\FWServer\certs\server.crt -text -noout | FINDSTR Public-Key

Windows does not have openssl installed as standard so you will need to go to https://slproweb.com/products/Win32OpenSSL.html and download the appropriate version of OpenSSL for your environment.
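The grep above only shows the line; the following is an added example, not part of the FileWave KB, that turns the same openssl check into a pass/fail function and, more usefully, runs it against the certificate a device actually receives from the server, since a renewed file on disk changes nothing until it is the one being served. It requires openssl on the path; host and port are whatever your devices enrol against.

```shell
#!/bin/sh
# Report the public-key algorithm and size of a certificate and judge it
# against the 2048-bit RSA minimum that iOS 12 / macOS 10.14 enforce.
set -eu

# Print the key size in bits of the certificate in PEM file $1.
# Matches "Public-Key: (2048 bit)" and "RSA Public-Key: (2048 bit)" alike.
cert_key_bits() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the key algorithm (rsaEncryption, id-ecPublicKey, ...) of the certificate in $1.
cert_key_algo() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*Public Key Algorithm: *\(.*\)$/\1/p' | head -n 1
}

# Succeed only if the certificate in $1 is an RSA key of at least 2048 bits.
# Non-RSA keys are outside the rule on this page and are only reported.
cert_key_ok() {
  algo=$(cert_key_algo "$1"); bits=$(cert_key_bits "$1")
  echo "$1: $algo, ${bits:-?} bit" >&2
  case "$algo" in
    rsaEncryption) [ "${bits:-0}" -ge 2048 ] ;;
    *) return 0 ;;
  esac
}

# Fetch the leaf certificate served on host $1, port $2 and check it.
check_live_cert() {
  host="$1"; port="$2"; tmp=$(mktemp)
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$tmp"
  if cert_key_ok "$tmp"; then rc=0; else rc=1; fi
  rm -f "$tmp"
  return $rc
}

# Usage:  cert_key_ok /usr/local/filewave/certs/server.crt
#         check_live_cert filewave.acme.org 20443
```

Run the live check from a network position comparable to the devices; if the file on disk passes but the live check fails, the server is still serving the old certificate and the switch-over step has not taken effect.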

Trusted CA solution:

Use a third-party, trusted Certificate Authority. Most organisations already have a wildcard certificate (for instance *.acme.org); installing this certificate on "filewave.acme.org" will make your server trusted automatically. If you don't have a certificate, several CAs provide SSL certificates that are trusted by Apple, Google or Microsoft. For more information about these trusted certificates, please read this KB article.

Self-Signed solution:

If you decide to stay with a self-signed certificate, you have no choice but to renew the certificate; please read this KB article on how to renew it.

The best approach would then be:

  1. Deploy a profile with the "defer software update" restriction set to 90 days; this gives you 90 days (starting from Monday, Sept 17th) during which devices won't be upgraded
  2. Follow steps described in Renew FileWave Server Self-signed Certificate KB article:
    1. create new key and certificate
    2. deploy the new certificate via profile
    3. switch to the new certificate once all devices have the profile installed
    4. recreate DEP profiles (and associations, if required)
  3. Already impacted devices can be manually "healed" by installing the profile (and explicitly trusting the certificate for SSL in the trust store).

If you have a pre-FileWave 9.0 certificate and devices have already upgraded to iOS 12, the only way to recover, assuming you can't use a trusted certificate, is to manually add the new certificate to the trust store and grant it SSL trust.

Troubleshooting

M1 Silicon macOS and Recovery

Description

Apple M1 devices require an alternate method for entering Recovery Mode, and other considerations may need to be actioned.

FileWave has seen instances where M1 macOS devices are no longer accessible after the first reboot following DEP enrolment.  The trigger is believed to be the Admin account never having logged in.

Erasing M1 devices

It is possible to use Apple Configurator to Restore Apple Silicon M1 macOS devices.  This requires a second device along with the listed details from Apple's KB:

https://support.apple.com/en-gb/guide/apple-configurator-2/apdd5f3c75ad/mac

Apple's guidelines should be followed to restore the device

Activation Lock

If Activation Lock was enabled on the device, the above process will block access to the device once restored: a prompt to enter an Apple ID and password will be presented.  However, it is likely that no Apple ID is associated with the device.  In this instance, Recovery Mode should be used to access the menus and enter the appropriate Bypass Code.

The Bypass Codes are available from the FileWave Admin Assistants drop-down menu:

Recovery Mode

M1 devices have a newer method to boot into Recovery Mode: hold down the Power button until the screen displays 'Loading startup options'

https://support.apple.com/en-gb/guide/mac-help/mchl82829c17/mac

To enter the Activation Lock code:

https://support.apple.com/en-gb/guide/mdm/apd593fdd1c9/web

At this point the device should be accessible again and a fresh enrolment may be actioned.

Failure to Personalise

There is an additional issue that Apple have identified, for which Apple have a KB:

https://support.apple.com/en-us/HT211983

The startup key combinations used for Intel macOS devices do not apply to M1 macOS devices:
https://support.apple.com/en-gb/HT201255