##osx-server

laurendc said: "adamcodega: come into the fold"

That help needs to be fixed

wut

adamcodega: i’m going to try a blank UDID with valid SN. and then see what the JSS does when I add the device

zoooky I believe I spelunked in postgresql for that and didn't see it

might be in the newer version of Apple Configurator, tho

i’m hoping it’s smart enough to tell. i’m guessing not, because they’re probable using UDID and not SN to identify devices per apples’ developers guidelines

iPCU can do it.

yeah, i hate ipcu tho

Nick_ZWG: yes, but didn’t apple quitly put iPCU to bed

Yes, they did.

I miss iPCU logs

quietly, with a bullet

ssshhh no more pain

bruienne: old yeller style

zoooky: spoiler alert, jeez

I don’t think apple will give me UDIDs of the devices I own…

bruienne: that’s lke complaining about romio and juliet .

zoooky great advice from jeremyagost, http://lemonjar.com/iosconsole/

shh no pain only dreams now https://pbs.twimg.com/media/BOSGjTrCQAINqIm.jpg

adamcodega: how long have you been sitting on that image? :#

zoooky: it came up once before

Lenovo made the only smart choice: http://news.lenovo.com/article_display.cfm?arti...

Kinda sad we couldn't have gotten to this point 10 years ago

Nick_ZWG: it was intresting to watch that evolve on reddit.

"our standard image will only include the operating system and related software, software required to make hardware work well (for example, when we include unique hardware in our devices, like a 3D camera), security software and Lenovo applications. "

weasel

mr weasel?

Sure, the Lenovo crap will still be on there

"Lenovo applications" == anything

but hey, it's a start

"Our goal is clear: To become the leader in providing cleaner, safer PCs. "

Cleaner

Not clean

This should hopefully keep the weaseling to a minimum - Lenovo will post information about ALL software we preload on our PCs that clearly explains what each application does.

"security software" <--- most of that is crappy adware as well

Superfish--provides guided suggestions

also what are these "customarily expected" apps?

But yeah, weasel language that they can point to in future lawsuits.

much like a pain killer "Helps fight pain!"

icnsole looks cool

zoooky: experimenting with it too, haven't sold the issue I was trying to fix yet though.

what was that?

rtrouton: have you seen issues with loginwindow crashing (getting booted to the Login Window) when opening System Profiler on OS X VMs on ESXi?

zoooky: devices on guest network can't reach caching server, that's fine I don't care, but they aren't failing back to Apple when they timeout.

jessep2: I haven't seen that. 10.10 VM? Or 10.9.x?

10.9 VM

it’s minor issue and it’s intermittent

adamcodega: so they’re discovering the cache server, but can’t reach it?

jessep2: One moment, let me see if I can reproduce on my end.

zoooky: they are being told by Apple goto the caching server.

and the ipads work fine from other network segments?

zoooky: yes.

jessep2: Nope, not seeing it.

not that it matters but I usually access it by Apple menu->Option->Sys Pref, also this is over ARD/SS

muliple ip segements right?

zoooky: yeah 192 versus 10.

Same router, same outgoing ISP

with VMware Tools installed, FWIW

adamcodega: sounds like a network issue

jessep2: That's roughly what I did. Apple menu: About this Mac: More Info: System Report.

zoooky: yeah need to verify who they are trying to hit.

adamcodega: like those segements are walled off, and they need to allow traffic to the cache server

zoooky: I don't want them to talk to the caching server.

rtrouton: okay, well thanks for giving a try :)

adamcodega: tried setting resistrct ip ranges on the server?

zoooky: not through advanced settings, just through "local subnets only"

justinrummel: did the re work out okay?

jessep2 no, it returns an error b/c the recipe does not like using parenthesis, and when I get a trimmed down regex with brackets it states no match found

It may be just Vivaldi's website... going to try a different one.

adamcodega: http://support.apple.com/en-us/HT202657 ListenRangesOnly

zoooky: yeah I have that bookmarked.

adamcodega: funny cause I want to move some network segements to another public IP. and I know when I do so. i’m going to have to figure out the reverse. lol

zoooky: why dont they just time out and download from Apple?

justinrummel: i see what happened - the RE of Shea’s works okay - the download changed to an HTTPS

so just add an ’s’ to the re pattern

downloads the dmg for me fine :)

adamcodega: *shrug* no clue, I have to say from my perspective. timing out is probable better then going to apple. So my internet connection doesn’t get saturated with apple updates. rather have them keep trying for the local till they get it and update.

adamcodega: sounds like a good feature request to put in with apple. allow admins to set fail open or fail closed.

jessep2 hmm.... wonder now what I'm doing wrong as I get "No valid recipe found for Vivladi.download"

Yeah.

justinrummel: was that a joke? :) VivALdi.download

adamcodega: take it you can’t change their public IP address for those guest segements?

so tried creating a JSS asset by API with SN but without UDID. then added the asset to the JSS. It created a new asseet. instead of pairing the two records together.

zoooky: no, we have a primary and backup WAN

so it deffently seems like the JSS is using UDID for device ID.

nope, went to the basic fundamentals and start at the first parent recipe

and I guess that is my problem. pkg works

Ugh.. doing stupid things hurt

Okay, I have solved the Chef bootstrap problem by doing it The Wrong Way™ but it works

Nick_ZWG are you going the FB route of bootsrapping Munki with Chef?

Nick_ZWG: You aren't using the private key on the clients, are you?

No, and no.

So I guess that (private key on clients) would be The Worst Way™ and no I'm not doing that

Instead, I have a launchdaemon continually running the one specific Chef recipe until the CSR is signed

like i said

The Wrong Way

or at least a not very efficient way

until I figure out some kind of notification mechanism

justinrummel: cool, be sure to submit an issue to Shea’s repo

or submit a PR

jessep2 already did!

:)

jessep2 https://github.com/autopkg/sheagcraig-recipes/p...

Nick_ZWG shouldn't signing client certs be manual anyway?

Of course not.

It should be policy-based!

(That's Project #2)

I think Puppet handles the client cert signing automatically. Casper does as well.

Puppet does this really well.

Chef doesn't use client certs, which is why I'm doing it

Nick_ZWG: So Chef isn't encrypting communication between clients and the Chef backend?

It is, but not with certs.

Apple's License Agreement for OS X says that you can only run "up to two (2) additional copies or instances of the Apple Software within virtual operating system environments on each Mac Computer you own or control that is already running the Apple Software". How does this apply to instances run under VMware ESXi? OS X isn't "already running" on ESXi machines and only running two instances seems unreasonable.

Rather, it is, but not using CA client certs.

I should add that I'm really talking about OS X Server.

Jonukas: It means, technically speaking, you can't run more than 3 OS X VMs per machine.

That being said, there's no *technical* limitation.

So it's more of a legal limitation than a technical one.