##osx-server

I'm going to the school now to see what is happening, I'll be back in 20 or so.

I have a feeling it might have something to do with iproj edits I made in the image.

"They're making smores with kids in the microwave" is an email desperately in need of punctuation

that was a weird one...was imaging a fusion drive iMac and got it to a state were it would no longer netboot to DS

I think i jacked up the fusion drive so much that it would hang when trying to mount the drive

same thing with internet recovery, wouldn't boot. had to use AST which, not sure what it did, but after running the storage diagnostic, it would then go to internet recovery, where i could delete the core storage volumes

Man, that security update doesn't mess around

there's a lot of good stuff in there

OS X Update (10.10.4), 1066078K [recommended] [restart] <<< that's-a big update!

beg00d: awesome, thank you

oh well, re-rolling 10.10.4 in AutoDMG this time with ARD update

bruienne: is that all it needs?

egomez_: according to rtrouton that's all he saw on a clean install

Cool.

Built one but haven't deployed.

Back in a bit -- letting Munki install 10.10.4...

In case anyone was waiting for it, here's the combo update: https://support.apple.com/kb/DL1820?locale=en_GB

you're gonna troll everyone and have them install the British one.. I like it =)

Colour?!

oh

whoops

https://support.apple.com/kb/DL1820 should work for anyone.

"Fixes an issue where a website could prevent the user from navigating away by presenting repeated JavaScript alerts in Safari"

the fix better be that it automatically punches the web designer in the face

Nick_ZWG: WOuldn't that be the types of websites that tell you you're infected with a virus and to call MAC

OPERATORS ARE STANDING BY

Nick_ZWG: http://weknowmemes.com/wp-content/uploads/2011/...

I recently had to install MacKeeper, as part of testing my "Remove MacKeeper" script. So annoying.

John Welch always suggested inventing cockpunch-over-IP

I think Skype qualifies

Nick_ZWG: good man

just remember this exists https://tools.ietf.org/html/rfc2549

any launchd experts around? I'm trying to create an agent that will tunnel AFP over a given port when that given port is requested by an App/Finder. I've got an agent that will do this, but running into a chicken and egg issue where the finder gives up before the tunnel had a chance to complete.

denmoff: I doubt launchd expertise can make the Finder wait longer...

probably not...just thought i'd ask.

that doesn't sound like something to solve client side, to me - any reason to be doing this port juggling on the client, and in a larger sense: what are you trying to accomplish?

bruienne beats me to it

i want to tunnel AFP thru ssh

so that my clients at home can connect to the share

i don't want to(and don't have the authority) to open ports on the firewall.

ssh is open tho.

mkay

so on-demand ssh tunnel

correct.

you could just setup a tunnel at boot

i could.

not a whole lot of overhead

but i don't want hundreds of clients connecting to my server

doing on-demand is probably just gilding the lilly

why would they?

the ssh connectiong

I guess I thought more people would be shouting: Apple back-ported the rootpipe fix to 10.9.5.

gneagle: is that included in Security Update 2015-005?

gneagle: did they? I didn't dig into the sec update yet

See the notes on Admin.framework

yeah look at that

top of the fold too

i thought rootpipe was CVE-2015-1130?

Apple's use of the "ATS" acronym for two different things won't be confusing at all

elliotjordan: I don't have CVEs memorized

gneagle: neither do i https://www.google.com/search?q=rootpipe+cve

elliotjordan: I am guessing these were updated CVEs

Until we can see the details on the new CVEs we don't know

huh they're placeholders

oh well

<sad trombone>

CVE-2015-3673 is yet another writeconfig exploit

yeah that'll take some time to flush out all the stragglers I bet

denmoff: if the tunnel is client-side, how does establishing it on-demand vs at boot have anything to do with "hundreds of clients connecting to [your] server"?

I feel like we're missing something important

the tunnel makes a ssh connection from the client to the server. wouldn't that mean i would have a separate ssh connection from each client?

you are doing this at scale? I thought it was just your personal Mac to work, using a tunnel..

i am thinking about doing it at scale, yes. :-)

doing AFP over a WAN connection at scale is going to hurt

tunneling it won't help

i have a slew of macbooks that are off my network most of the time. I'd like them to be able to connect to our afp share when needed.

For what purpose?

And that's what VPN was invented for...

a JAMF DP.

!!!!!

Can't that be HTTP instead?

Much better for that sort of thing

(or rather, httpS)

I've been having terrible results with https...not sure why tho.

Time to exercise your paid support with JAMF, then

HTTP/HTTPS is a better way to go.

Yes, JAMF File Share Distribution Point supports http/https

ok. thanks. I am trying to avoid their JDS specifically.

You don't have to use the JDS.

Using AFP fileshares for software distribution is so 1990s

And so Classic Mac OS

ok. sound advice. I'll give https another crack.

thank you.

denmoff: If you look at the settings for your distribution point(s), there should be an HTTP/HTTPS tab.