##osx-server

Provisioning is microsofts current vision.

In many ways SCCM is a legacy product now.

egomez: is it due to everyone being pretty mobile and byod etc?

frogor: what are you looking into that might require DYLD_ tricks?

mosen: that and I think most of the models that SCCM does are legacy ways of thinking. Microsoft is moving towards a methodology that is similar to Apple. It will take many more years because Enterprise will bitch and moan but I personally see the writing on the wall.

SCCM is heavy, obtuse and slow.

jessep2: Oh nothing now at this point.

jessep2: This was a side investigation after our emergency rally last night.

egomez: I feel like you relinquish a bit of control though :) oh well

jessep2: Circumventing AST protections (blocking HTTP) for System python in munki when using NSURL

jessep2: We figured out two viable methods last night.

jessep2: But I was digging into more of the internals seeing if there was a third/more.

mosen: sure but some things admins need to care less about.

The amount of management is ridiculous.

frogor: AST protections? blocking HTTP?

Kind of agree with gneagle on this more and more. There is desired state but it's often confused with YOUR desired state.

egomez: In some cases yeah, Ive seen places that were heavily managed

jessep2: 10.11 DP5 implemented what iOS 9 did and changed NSURL APIs to not do HTTP any more without putting override keys in Info.plist

And once that state is managed it become a chore for the admin and comes across as heavy handed to your users.

jessep2: .... which is not exactly a do-able solution for /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/Info.plist ....

given SIP + "don't change /System"

Without those override keys, NSURL won't do HTTP in 10.11 DP5+

But we figured out 2 ways around it.

jessep2: Method 1: https://botbot.me/freenode/osx-server/2015-07-2...

ah, now i get it

:)

Method 1 implementation: https://botbot.me/freenode/osx-server/2015-07-2...

Method 2: https://botbot.me/freenode/osx-server/2015-07-2...

Method 2 implementation: https://botbot.me/freenode/osx-server/2015-07-2...

This is so unholy: https://gist.github.com/gregneagle/8ed97badf5b7...

jessep2: The python objc bridge access to infoBundle returns a *mutable* dict ...

... which if you set it before the other functions are called ... apparently changes the concept of what was loaded from Info.plist in-memory ...

(contrary to every. single. piece. of. documentation. about NSBundle mainBundle infoDictionary)

Declaration

OBJECTIVE-C

@property(readonly, copy) NSDictionary *infoDictionary

readonly is a suggestion

"A dictionary, constructed from the bundle's Info.plist file, that contains information about the receiver. (read-only)"

Heh

A very heavily suggested suggestion.

huh

But yeah. It totally works. I've been using LSUIElement = 1 for a while now on it

Then Greg tried the AST override key and surprise, it worked

er, ATS

I knew others worked too, though. You can't change the Dock's name for Python.app (probably because it uses the CFBundle calls) but if you change the application name, the menu will reflect it when it appears / is rendered.

Well howdy chilcote

'lo

what did I do

?

Aside from rejoin? Nothin :)

Ah. Caught me

Was just perusing through the NSURL security stuff some more from 10.11

sounds delightful

jessep2: 10.11 DP5 also added python 2.7.10

Which was amazing

Now urllib2 SNI HTTPS support works.

No need for pyOpenSSL or any of that other jazz.

can I still telnet?

heheh

sure

DP6 though ....

;)

sweet. That's how I deploy everything

Me too. I like to calculate TLS in my head. And then manually change all the blocks on the disks.

in seriousness, I need to start testing netboot with ElCrap.... from what I'm hearing we might have to change some things

you would do that frogor, showoff :)

chilcote: Oh the subnet stuff or SIP or all of the above?

*subnet bless

the subnet stuff. Hope ip helpers will still work

ip helpers do work

That's actually Apple's preferred method

Well OK then. Problem solved :)

So far NetBoot is perfect on 10.11.

$oldjob used bless extensively, due to a cranky dhcp network guy who refused to add helpers

With ip helpers.

Bless does still work though

chilcote: Yeah - at $oldjob, anyone who has to bless to an IP outside of the local subnet? GOOD LUCK

that's exactly it. I had a python agent that was called, and would pass the IP of the netboot server, along with the image requested, to nvram. On netboot, the automation pulled the image info from nvram and restored it and booted back into the system.

But if it's an IP within the subnet / normal broadcast discovery (with ip helper passthrough to real IP), then you're fine

It was pretty smooth, if I may say so myself

all callable from a web portal

Good luck to them now!

Well - and even then, I think the issues only happen when bless is called from non-Recovery.

Like from an already imaged machine that you want to netboot to reimage?

Yeah

Problem doing from within the OS

If SIP is not disabled

But a clean box or you're booted into recovery already? Should be ok.

Yeah, that won't work for them any more.

Not from recovery

it was fully automated. No interaction. User punched a few buttons on the portal, and 10 minutes later they got an IP to log into, with the OS they requested.

Yeah, because recovery is missing python and all that fun stuff. You'd need a custom netboot image ... on your local subnet ...

sounds like they're in for pain ;)

that's what we used-- a custom netboot. All it did was run a shell script.

Restore, reboot

rinse, repeat

but it required the long form bless command. No helpers. Heh

Whoops. Time to get on the road. Later :)

ok I'm out again, later

https://simbimbo.wordpress.com/2015/07/24/well-... <- 96 new MacBook Pros in a single rack.

ya take one down and ... 95 macbook pros in the rack

Well, they're three to a drawer, so ...

Very impressed with their design idea to keep the lids wedged open.