OpenSSL CSR with Alternative Names one-line | End Point Blog

openssl req -new -key endpoint.com.key -sha256 -nodes \
  -subj '/C=US/ST=New York/L=New York/O=End Point/OU=Hosting Team/CN=www.endpoint.com/emailAddress=administrative-not-existent-address@our-awesome-domain.com/subjectAltName=DNS.1=endpoint.com,DNS.2=usually-not-convered-domain.endpoint.com,DNS.3=multiple-domains-crt.endpoint.com' \
  > www.endpoint.com.csr

via OpenSSL CSR with Alternative Names one-line | End Point Blog


OS X Server Port Conflict on 8443

Apache Server now tries to consume 8443, as does Apache Tomcat.

system.log will show constant failures…

Apr 12 12:03:24 mbp com.apple.xpc.launchd[1] (com.apple.serviceproxy[1085]): Service exited with abnormal code: 1

If you want Tomcat to have 8443, tell Apache to stop using it by commenting out the listen…

Edit /Library/Server/Web/Config/Proxy/apache_serviceproxy.conf

listen 80
listen 443
listen 8008
listen 8800
#listen 8443
listen 8843


Python to list members of Open Directory Group

#!/usr/bin/python

import ldap

uri = 'ldap://localhost'
userDN = "uid=diradmin,cn=users,dc=mbp,dc=local"
pw = "pwd"  # placeholder; load the real directory admin credential from a protected source at runtime
groupName = "cn=workgroup,cn=groups,dc=mbp,dc=local"

ldapClient = ldap.initialize(uri)
ldapClient.set_option(ldap.OPT_REFERRALS, 0)

# Synchronous simple bind, so the search below is guaranteed to run as diradmin.
ldapClient.simple_bind_s(userDN, pw)

# Read only the group entry itself; its members are listed in the memberUid attribute.
results = ldapClient.search_s(groupName, ldap.SCOPE_BASE)

for result in results:
    result_dn = result[0]
    result_attrs = result[1]

    if "memberUid" in result_attrs:
        for memberUid in result_attrs["memberUid"]:
            # python-ldap hands back attribute values as byte strings
            print(memberUid.decode("utf-8"))

ldapClient.unbind_s()


Casper Suite Documentation

Casper Suite Release Notes
http://docs.jamfsoftware.com/casper-suite/release-notes

Casper Suite Administrator's Guide
http://docs.jamfsoftware.com/casper-suite/administrator-guide

JAMF Software Server Installation and Configuration Guide for Linux
http://docs.jamfsoftware.com/casper-suite/jss-install-guide-linux

JAMF Software Server Installation and Configuration Guide for OS X
http://docs.jamfsoftware.com/casper-suite/jss-install-guide-osx

JAMF Software Server Installation and Configuration Guide for Windows
http://docs.jamfsoftware.com/casper-suite/jss-install-guide-windows

Manually Installing the JAMF Software Server
http://docs.jamfsoftware.com/casper-suite/jss-install-guide-manually

QuickStart Guide for Managing Computers
http://docs.jamfsoftware.com/casper-suite/quickstart-computers

QuickStart Guide for Managing Mobile Devices
http://docs.jamfsoftware.com/casper-suite/quickstart-mobile-devices

Disable the SD Card Reader on OS X Macs

OS X has a restrictions profile to disable external devices (USB/Thunderbolt/Firewire) but treats the SD card reader as an internal device.

That makes it a challenge to align with NIST SP 800-53.

Apple RADAR 21204193

We can do the following at startup to disable SD writes while still having read ability…

/sbin/kextunload /System/Library/Extensions/AppleSDXC.kext/

We can also launch a script at login with a launchd job based on the StartOnMount event. This is from LANL's stonix project, available on GitHub…

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>org.name.blocksd.startonmount</string>
    <key>ProgramArguments</key>
    <array>
        <string>sh</string>
        <string>-c</string>
        <string>/path/to/script.sh</string>
    </array>
    <key>StartOnMount</key>
    <true/>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <false/>
</dict>
</plist>

Script:

#!/bin/sh
# Mount point of any volume whose physical drive is the SD card reader: in the
# system_profiler text report, "Reader Media" appears a few lines below "Mount Point".
sdMntPnt=$(system_profiler SPStorageDataType | grep "Reader Media" -B 8 | grep "Mount Point" | awk '{ $1=$2=""; print $0 }' | sed 's/^[ \t]*//;s/[ \t]*$//')
# If the variable is anything other than empty, unmount the volume.
if [ "$sdMntPnt" != "" ]; then
  umount -f "${sdMntPnt}"
fi
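The grep -B 8 window above depends on field ordering in the text report. As an added example (not the stonix script and not from this post), the Python below asks system_profiler for its XML report and walks it with plistlib instead; the `_items`, `mount_point`, `physical_drive` and `media_name` key names are what system_profiler's -xml output is assumed to use, and the unmount step defaults to a dry run that only returns the commands.

```python
#!/usr/bin/env python3
# Added example, not the stonix script: locate SD-reader volumes from the XML
# report of `system_profiler SPStorageDataType -xml` rather than a grep -B 8 window.
import plistlib
import subprocess


def storage_report():
    """Return system_profiler's storage report as plist bytes (macOS only)."""
    return subprocess.run(
        ["/usr/sbin/system_profiler", "SPStorageDataType", "-xml"],
        capture_output=True, check=True).stdout


def sd_reader_mount_points(report_bytes):
    """Mount points of mounted volumes sitting on the SD card reader.

    Assumed layout of the report: a list of data-type dicts, each with an
    `_items` list of volumes; a volume carries `mount_point` and a
    `physical_drive` dict whose `media_name` reads "... Reader Media" for the
    built-in SDXC slot (which OS X reports as an internal disk).
    """
    mounts = []
    for data_type in plistlib.loads(report_bytes):
        for volume in data_type.get("_items", []):
            drive = volume.get("physical_drive", {})
            if "Reader Media" in drive.get("media_name", "") and volume.get("mount_point"):
                mounts.append(volume["mount_point"])
    return mounts


def unmount_command(mount_point):
    """The force-unmount the launchd job would run for one volume."""
    return ["/sbin/umount", "-f", mount_point]


def eject_sd_volumes(report_bytes, dry_run=True):
    """Unmount every SD-reader volume; with dry_run, only return the commands."""
    commands = [unmount_command(mp) for mp in sd_reader_mount_points(report_bytes)]
    if not dry_run:
        for cmd in commands:
            subprocess.run(cmd, check=True)
    return commands


if __name__ == "__main__":
    for cmd in eject_sd_volumes(storage_report()):
        print("would run:", " ".join(cmd))
```

Because the root volume's physical drive is not "Reader Media", "/" is never selected even though it is also an internal disk.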


Unlock OS X System Panes for Non-Admin Users

It's much easier to use "security authorizationdb" than to edit /etc/authorization by hand, especially since it is no longer a simple plist: it has moved to a database, as have many other OS X preference settings.

Depending on parental control settings you might be using, you may need to unlock the sysprefs generally before unlocking specific panes:

/usr/bin/security authorizationdb write system.preferences allow

To unlock networking (note that you also need to allow the underlying service, which in this case is "systemconfiguration"):

/usr/bin/security authorizationdb write system.preferences.network allow
/usr/bin/security authorizationdb write system.services.systemconfiguration.network allow

To unlock date/time:

/usr/bin/security authorizationdb write system.preferences.datetime allow

Time Machine preference pane:

/usr/bin/security authorizationdb write system.preferences.timemachine allow

Energy Saver preference pane:

/usr/bin/security authorizationdb write system.preferences.energysaver allow

You can also read settings…

/usr/bin/security authorizationdb read system.preferences.energysaver

The authorization database used by authd also governs other aspects of OS X.

For example, DVD Region Code used to be an issue back in the 10.6 days…

/usr/bin/security authorizationdb write system.device.dvd.setregion.initial allow

Examples of other things you can set (options vary by OS X version)…

com.alf
com.apple.
com.apple.AOSNotification.FindMyMac.modify
com.apple.CoreRAID.admin
com.apple.DiskManagement.
com.apple.DiskManagement.internal.
com.apple.DiskManagement.reserveKEK
com.apple.KerberosAgent
com.apple.OpenScripting.additions.send
com.apple.Safari.parental-controls
com.apple.Safari.show-passwords
com.apple.ServiceManagement.blesshelper
com.apple.ServiceManagement.daemons.modify
com.apple.SoftwareUpdate.modify-settings
com.apple.SoftwareUpdate.scan
com.apple.XType.fontmover.install
com.apple.XType.fontmover.remove
com.apple.XType.fontmover.restore
com.apple.Xcode.distcc.admin
com.apple.ZFSManager.
com.apple.activitymonitor.kill
com.apple.appserver.privilege.admin
com.apple.appserver.privilege.user
com.apple.builtin.confirm-access
com.apple.builtin.confirm-access-password
com.apple.builtin.generic-new-passphrase
com.apple.builtin.generic-unlock
com.apple.container-repair
com.apple.dashboard.advisory.allow
com.apple.desktopservices
com.apple.desktopservices.scripted
com.apple.docset.install
com.apple.dt.Xcode.MoveToTrashRights
com.apple.dt.instruments.process.analysis
com.apple.dt.instruments.process.kill
com.apple.familycontrols.loginwindow.override
com.apple.familycontrols.override
com.apple.library-repair
com.apple.lldb.LaunchUsingXPC
com.apple.opendirectoryd.linkidentity
com.apple.pcastagentconfigd.
com.apple.security.assessment.update
com.apple.server.admin.streaming
com.apple.trust-settings.admin
com.apple.trust-settings.user
com.apple.uninstalld.uninstall
com.apple.wifi
config.add.
config.config.
config.modify.
config.remove.
config.remove.system.
sys.openfile.
system.
system.burn
system.csfde.requestpassword
system.device.dvd.setregion.initial
system.disk.unlock
system.global-login-items.
system.hdd.smart
system.identity.write.
system.identity.write.credential
system.identity.write.self
system.install.app-store-software
system.install.apple-config-data
system.install.apple-software
system.install.software
system.keychain.create.loginkc
system.keychain.modify
system.login.console
system.login.done
system.login.screensaver
system.login.tty
system.preferences
system.preferences.accessibility
system.preferences.accounts
system.preferences.datetime
system.preferences.energysaver
system.preferences.location
system.preferences.network
system.preferences.nvram
system.preferences.parental-controls
system.preferences.printing
system.preferences.security
system.preferences.security.remotepair
system.preferences.sharing
system.preferences.softwareupdate
system.preferences.startupdisk
system.preferences.timemachine
system.preferences.version-cue
system.print.admin
system.print.operator
system.printingmanager
system.privilege.admin
system.privilege.taskport
system.privilege.taskport.debug
system.privilege.taskport.safe
system.restart
system.services.directory.configure
system.services.systemconfiguration.network
system.sharepoints.
system.shutdown
system.volume.
system.volume.external.
system.volume.external.adopt
system.volume.removable.
system.volume.removable.adopt
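Once panes have been unlocked this way, it helps to be able to see which rights on a machine no longer require any credential. This added example (not from the post) reads each right back with the same `security authorizationdb read` call shown above and flags definitions that grant access to everyone; the right names are the ones unlocked earlier, and treating a rule reference named "allow" as open, in addition to class "allow", is an assumption about how some OS X versions store the write.

```python
#!/usr/bin/env python3
# Added example (not from the post): audit which authorization rights have been
# opened to everyone with "security authorizationdb write <right> allow".
import plistlib
import subprocess

# Rights the post unlocks; once set to "allow", no credential is required to use them.
UNLOCKED_RIGHTS = [
    "system.preferences",
    "system.preferences.network",
    "system.services.systemconfiguration.network",
    "system.preferences.datetime",
    "system.preferences.timemachine",
    "system.preferences.energysaver",
]


def read_right(name):
    """Return the plist text `security authorizationdb read <name>` prints (macOS only)."""
    proc = subprocess.run(["/usr/bin/security", "authorizationdb", "read", name],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def parse_right(plist_text):
    """Parse one right definition, ignoring the YES/NO status line `security` appends."""
    end = plist_text.rfind("</plist>")
    if end == -1:
        raise ValueError("no plist found in authorizationdb output")
    return plistlib.loads(plist_text[:end + len("</plist>")].encode())


def is_open_to_everyone(definition):
    """True when the right grants access with no credential check at all.

    `write ... allow` stores the right with class "allow"; assumption: some OS X
    versions instead store a reference to the built-in rule named "allow".
    """
    if definition.get("class") == "allow":
        return True
    return "allow" in definition.get("rule", [])


def audit(rights=UNLOCKED_RIGHTS, reader=read_right):
    """Map each right name to whether it is open to everyone."""
    return {name: is_open_to_everyone(parse_right(reader(name))) for name in rights}


if __name__ == "__main__":
    for name, is_open in audit().items():
        print(("OPEN  " if is_open else "locked") + "  " + name)
```

A right still at its default (class "user", group "admin") is reported as locked, so the output lists exactly the panes that were deliberately opened.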

Converting a Casper (or signed) profile to plaintext

This is useful when you have downloaded a .mobileconfig from an Apple tool or an MDM.

$ security cms -D -i filename.mobileconfig | xmllint --format - > newName.mobileconfig

If it doesn't work, make sure the paths are correct and that you haven't copied any stray characters or carriage returns when pasting into Terminal.