<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="3.10.0">Jekyll</generator><link href="https://illudium.github.io/feed.xml" rel="self" type="application/atom+xml" /><link href="https://illudium.github.io/" rel="alternate" type="text/html" /><updated>2024-10-20T18:01:31+00:00</updated><id>https://illudium.github.io/feed.xml</id><title type="html">Topically Ephemeral IT insights</title><subtitle>I&apos;m starting with migrating over some things I had originally posted elsewhere.</subtitle><author><name>David Haines</name></author><entry><title type="html">Managing Adobe updates remotely via Jamf or other MDM</title><link href="https://illudium.github.io/2024/10/20/managing-Adobe-updates.html" rel="alternate" type="text/html" title="Managing Adobe updates remotely via Jamf or other MDM" /><published>2024-10-20T00:00:00+00:00</published><updated>2024-10-20T00:00:00+00:00</updated><id>https://illudium.github.io/2024/10/20/managing-Adobe-updates</id><content type="html" xml:base="https://illudium.github.io/2024/10/20/managing-Adobe-updates.html"><![CDATA[<p>Adobe provides their Remote Update Manager tool, which <a href="https://helpx.adobe.com/enterprise/using/using-remote-update-manager.html">you can read more about from Adobe</a></p>

<p>There is an excellent script for using Adobe RUM via Jamf, from John Mahlman, here:
https://github.com/jmahlman/Mac-Admin-Scripts/blob/master/Adobe-RUMWithProgress-jamfhelper.sh</p>

<p>One problem you will encounter with RUM is that it will download available updates but fail to apply them when an Adobe app is still running.</p>

<p>To handle that gracefully, I suggest the following script snippet <a href="https://github.com/illudium/shell-scripts-for-Mac-mgmt/blob/main/quit_all_adobe_apps.sh">(also listed here)</a>, which will invoke AppleScript and ask the user to quit all running Adobe apps, and prompt them to save any unsaved changes.</p>

<pre><code class="language-shell">#!/bin/sh

#other code here

quit_all_adobe_apps ()
{
osascript &lt;&lt;EOF
tell application "System Events"
	set adobeApps to displayed name of (every process whose background only is false and (name starts with "Adobe" or name is "Distiller")) as list
end tell

repeat with appName in adobeApps
	set end of adobeApps to appName
end repeat

try
	if adobeApps is not {} then
		repeat with currentApp in adobeApps
			if application currentApp is running then
				try
					tell application currentApp to activate
					tell application currentApp to quit
				end try
			end if
		end repeat
	end if
end try
EOF
}

# other code here

quit_all_adobe_apps
</code></pre>]]></content><author><name>David Haines</name></author><category term="Other" /><summary type="html"><![CDATA[Adobe provides their Remote Update Manager tool, which you can read more about from Adobe]]></summary></entry><entry><title type="html">Microsoft Entra (Azure) discovery</title><link href="https://illudium.github.io/2024/03/15/azure-entra-discovery.html" rel="alternate" type="text/html" title="Microsoft Entra (Azure) discovery" /><published>2024-03-15T00:00:00+00:00</published><updated>2024-03-15T00:00:00+00:00</updated><id>https://illudium.github.io/2024/03/15/azure-entra-discovery</id><content type="html" xml:base="https://illudium.github.io/2024/03/15/azure-entra-discovery.html"><![CDATA[<p>When you face (are tasked with) Azure/Entra discovery or cataloging, and want to work in an efficient manner, be sure to use the following:</p>

<pre><code class="language-powershell">Get-AzResource
</code></pre>

<p>along with:</p>

<pre><code class="language-powershell">Get-AzSubscription
</code></pre>
<h4 id="originally-published-by-me-march-15th-2024">Originally published by me, March 15th, 2024</h4>]]></content><author><name>David Haines</name></author><category term="Other" /><summary type="html"><![CDATA[When you face (are tasked with) Azure/Entra discovery or cataloging, and want to work in an efficient manner, be sure to use the following:]]></summary></entry><entry><title type="html">macOS and advanced network commands for managing DNS settings</title><link href="https://illudium.github.io/2024/02/09/advanced-macos-commandline-network-management.html" rel="alternate" type="text/html" title="macOS and advanced network commands for managing DNS settings" /><published>2024-02-09T00:00:00+00:00</published><updated>2024-02-09T00:00:00+00:00</updated><id>https://illudium.github.io/2024/02/09/advanced-macos-commandline-network-management</id><content type="html" xml:base="https://illudium.github.io/2024/02/09/advanced-macos-commandline-network-management.html"><![CDATA[<p>While MDM is unequivocally a must for managing macOS at (really any) scale, there are times when the core capabilities of MDM won’t meet our needs, and a custom scripted approach is required.</p>

<h3 id="commands-for-determining-the-active-network-interface-and-working-with-dns-server-settings">Commands for determining the active network interface and working with DNS server settings:</h3>

<p>When we want to programmatically determine the existing primary network interface ID, name and existing DNS servers, there are a few different ways we can go about this:</p>

<pre><code class="language-shell">serviceGUID="$(printf "open\nget State:/Network/Global/IPv4\nd.show" | /usr/sbin/scutil | /usr/bin/awk '/PrimaryService/{print $3}')"

serviceName="$(printf "open\nget Setup:/Network/Service/${serviceGUID}\nd.show" | /usr/sbin/scutil | /usr/bin/awk -F': ' '/UserDefinedName/{print $2}')"
</code></pre>

<p>!!! OR !!!</p>

<pre><code class="language-shell">activeIF=$(route -n get 0.0.0.0 2&gt;/dev/null | awk '/interface: / {print $2}')

serviceName=$(networksetup -listnetworkserviceorder | grep "$activeIF" | awk -v FS="(Hardware Port: |,)" '{print $2}')

</code></pre>
<h4 id="the-problem-with-cataloging-existing-dns-servers-when-they-are-supplied-via-dhcp">The problem with cataloging existing DNS servers, when they are supplied via DHCP</h4>

<p>When DNS servers are provisioned via DHCP, a common approach for determining the IP addresses for said servers will fail:</p>

<pre><code class="language-shell">/usr/sbin/networksetup -getdnsservers "$serviceName"
</code></pre>

<p>Returns with incorrect info: “There aren’t any DNS Servers set on &lt;serviceName&gt;”</p>

<p>Which is hardly useful! So, we can proceed with the following:</p>

<p>For utility and extra <a href="https://www.google.com/search?q=shell+scripting+using+an+array">tech-type fun, let’s use an array!</a></p>
<pre><code class="language-shell">currDNS=($(/usr/sbin/networksetup -getdnsservers "$serviceName"))

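# networksetup answers "There aren't any DNS Servers set on ..." when DNS comes from DHCP,
# so fall back to the DHCP lease summary ($activeIF is set by the route-based snippet above)
if [[ ${currDNS[0]} == "There" ]]; then
  currDNS=($(ipconfig getsummary "$activeIF" | awk -v FS="({|, |})" '/domain_name_server/ {$1=""; print $0 }'))
fi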

# check the array, via 
# declare -p currDNS
# For an example of working with the captured info:
# echo ${currDNS[0]}

# So now you can capture those existing DNS servers and append another

/usr/sbin/networksetup -setdnsservers "$serviceName" ${currDNS[0]} ${currDNS[1]} 8.8.8.8
</code></pre>

<h4 id="originally-published-by-me-feb-9th-2024">Originally published by me, Feb 9th, 2024</h4>]]></content><author><name>David Haines</name></author><category term="Other" /><summary type="html"><![CDATA[While MDM is unequivocally a must for managing macOS at (really any) scale, there are times when the core capabilities of MDM won’t meet our needs, and a custom scripted approach is required.]]></summary></entry><entry><title type="html">GCP (Google Cloud): Discovery - collecting, reviewing auditing Projects and IAM</title><link href="https://illudium.github.io/2023/12/15/GCP-googlecloud-IAM-project-discovery.html" rel="alternate" type="text/html" title="GCP (Google Cloud): Discovery - collecting, reviewing auditing Projects and IAM" /><published>2023-12-15T00:00:00+00:00</published><updated>2023-12-15T00:00:00+00:00</updated><id>https://illudium.github.io/2023/12/15/GCP-googlecloud-IAM-project-discovery</id><content type="html" xml:base="https://illudium.github.io/2023/12/15/GCP-googlecloud-IAM-project-discovery.html"><![CDATA[<p>Pulling GCP IAM information typically means dealing with how GCP effectively uses Projects as a boundary/encapsulation.</p>

<p>Start by listing all projects in the root folder of an organization in GCP:</p>

<pre><code class="language-gcloud">gcloud alpha projects search --query="parent.id=&lt;tenant_ID_Here&gt;"
</code></pre>

<p>AND</p>

<pre><code class="language-gcloud">gcloud projects list --filter 'parent.id=&lt;id_here&gt; AND parent.type=organization' | awk 'NR&gt;1 {print $1 }' &gt; projects.txt
</code></pre>

<p>And from there, reference the following with something like</p>

<pre><code class="language-shell"># read one project ID per line from projects.txt
while IFS= read -r Project; do gcloud projects get-iam-policy "$Project"; done &lt; projects.txt
</code></pre>

<p>For more information and reference, see 
https://stackoverflow.com/questions/44746358/how-do-i-list-all-iam-users-for-my-google-cloud-project</p>

<p><strong>Dec 15, 2023</strong></p>]]></content><author><name>David Haines</name></author><category term="Other" /><summary type="html"><![CDATA[Pulling GCP IAM information typically means dealing with how GCP effectively uses Projects as a boundary/encapsulation.]]></summary></entry><entry><title type="html">IDRAC RED007: UNABLE TO VERIFY UPDATE PACKAGE SIGNATURE</title><link href="https://illudium.github.io/2023/10/05/IDRAC-RED007-UNABLE-TO-VERIFY-UPDATE-PACKAGE-SIGNATURE.html" rel="alternate" type="text/html" title="IDRAC RED007: UNABLE TO VERIFY UPDATE PACKAGE SIGNATURE" /><published>2023-10-05T00:00:00+00:00</published><updated>2023-10-05T00:00:00+00:00</updated><id>https://illudium.github.io/2023/10/05/IDRAC%20RED007:%20UNABLE%20TO%20VERIFY%20UPDATE%20PACKAGE%20SIGNATURE</id><content type="html" xml:base="https://illudium.github.io/2023/10/05/IDRAC-RED007-UNABLE-TO-VERIFY-UPDATE-PACKAGE-SIGNATURE.html"><![CDATA[<p>Dell servers provide an iDRAC (“Integrated Dell Remote Access Controller”) card for remote management of the unit. Note that this feature is a default (with some limited functionality in the “express” version) in Dell’s most entry-level tower server options.</p>

<p>There are a number of options for managing updates for Dell servers, including direct access to an iDRAC card, which is configured with a specified network configuration during initial setup of the server in question. Of course, please observe standard best practices and never provide public accessibility to any such device; keep it behind your perimeter firewall, where it (the iDRAC interface) can only be accessed via VPN.
Once configured, the iDRAC card is readily accessible at its assigned IP address via a web browser.</p>

<p>While there may be a tendency to “set it and forget it” with regards to something like this, there is an expectation to keep the iDRAC updated, and generally within a certain range (for reasons of compatibility if not official support) of associated system BIOS versions.
If you are tasked with maintaining a Dell server that’s fallen behind in terms of updates, you can encounter an error when attempting to update an iDRAC when jumping up too many versions:</p>

<p>idrac RED007: Unable to verify Update Package signature</p>

<h3 id="remediation">Remediation</h3>

<p>This is most probably due to the existing iDRAC setup lacking the newer security (certificate) information required to verify the much newer update installer.</p>

<p><strong>A confirmed fix</strong> is to apply earlier updates to the iDRAC in a more step-wise manner:
For example, if the card is listed at version 2.3x.(etc), apply the update to 2.40.40.40 then 2.5x, etc. up to the latest update. It is often possible to skip one version, but as always, proceed with due care &amp; caution.</p>

<h4 id="originally-published-by-me-january-29-2019">Originally published by me, January 29, 2019</h4>]]></content><author><name>David Haines</name></author><category term="Other" /><summary type="html"><![CDATA[Dell servers provide an iDRAC (“Integrated Dell Remote Access Controller”) card for remote management of the unit. Note that this feature is a default (with some limited functionality in the “express” version) in Dell’s most entry-level tower server options.]]></summary></entry><entry><title type="html">New items on a fileserver (network fileshare) from one user are missing (don’t show up) for other users:</title><link href="https://illudium.github.io/2023/05/06/new-items-on-a-fileserver.html" rel="alternate" type="text/html" title="New items on a fileserver (network fileshare) from one user are missing (don’t show up) for other users:" /><published>2023-05-06T00:00:00+00:00</published><updated>2023-05-06T00:00:00+00:00</updated><id>https://illudium.github.io/2023/05/06/new-items-on-a-fileserver</id><content type="html" xml:base="https://illudium.github.io/2023/05/06/new-items-on-a-fileserver.html"><![CDATA[<p>A common occurrence with clients/users on Macs working with a fileserver (network shares)
is that when someone else adds new items (files, folders) to a network (server-based) sharepoint/folder/drive,
other Mac users don’t see those new items, they appear to be missing or “hidden,” but they’re not.</p>

<p>(This is actually a longstanding issue with macOS and the Finder).</p>

<p>–</p>

<h2 id="an-available-workaround-as-remediation">An available workaround as remediation:</h2>

<p>This is a long-standing issue with (shortcoming of) the macOS Finder, in that it’s not very good at picking up changes or auto-refreshing in response to underlying changes in a network-based volume. It can happen with OS X Server-based AFP, and various vendors’ AFP or SMB server-based shares/network folders.
One thing we can easily do is create an AppleScript to prompt/prod the Finder to refresh.
Save it as an application, store it somewhere safe from accidental deletion (e.g. /Library/CompanySupport) and then add it (drag and drop) to the top of a Finder window. Users can click on it to cause a Finder refresh.
Optionally, you can add a dialog stating that a refresh is happening.</p>

<p>The AppleScript content is below:</p>

<pre><code class="language-applescript">try
 tell application "Finder" to update items of front window
end try
</code></pre>

<p>And with a dialog:</p>

<pre><code class="language-applescript">try
 tell application "Finder" to update items of front window
 display dialog "Refreshing the Finder" default button "OK" giving up after 1
end try
</code></pre>]]></content><author><name>David Haines</name></author><category term="Other" /><summary type="html"><![CDATA[A common occurrence with clients/users on Macs working with a fileserver (network shares) is that when someone else adds new items (files, folders) to network (server-based) sharepoint/folder/drive, other Mac users don’t see those new items, they appear to be missing or “hidden,” but they’re not.]]></summary></entry><entry><title type="html">macOS and the continuing saga of softwareupdate (software update) being “frozen” or not working, no updates listed</title><link href="https://illudium.github.io/2023/01/25/macOS-and-the-continuing-saga-of-softwareupdate.html" rel="alternate" type="text/html" title="macOS and the continuing saga of softwareupdate (software update) being “frozen” or not working, no updates listed" /><published>2023-01-25T00:00:00+00:00</published><updated>2023-01-25T00:00:00+00:00</updated><id>https://illudium.github.io/2023/01/25/macOS%20and%20the%20continuing-saga-of-softwareupdate</id><content type="html" xml:base="https://illudium.github.io/2023/01/25/macOS-and-the-continuing-saga-of-softwareupdate.html"><![CDATA[<p>There is a well-known issue with macOS in which a Mac does not show available software updates. This has been occurring since the time of macOS Big Sur - aka <a href="https://www.youtube.com/watch?v=KOO5S4vxi0o">“macOS ‘(this one) goes to’ 11”</a></p>

<hr />

<h3 id="investigating-further">Investigating further</h3>
<p>If you look at the running processes, you may see an existing <code>softwareupdated</code> process listed, which might have been active for some time.</p>

<p>Manually launching Software Update (in the GUI) or using the <code>softwareupdate</code> command will simply sit without returning anything about available updates.</p>

<h4 id="remediation">Remediation</h4>

<p>To get past this, I have found the following helpful and the steps do not require a reboot:</p>

<p>Run the following via the Terminal (or remotely via ssh):
<code>sudo /bin/launchctl disable system/com.apple.softwareupdated</code></p>

<p>Then wait several seconds, and run:
<code>sudo /bin/launchctl enable system/com.apple.softwareupdated</code></p>

<p>Wait several more seconds. Note, the following should be (technically speaking) redundant and unnecessary, but think of it as one more “kick” to help get things working again:</p>

<p><code>sudo /bin/launchctl kickstart -k system/com.apple.softwareupdated</code></p>

<p>And - hopefully - you’ll find the problem resolved, as I have so far.</p>

<h4 id="originally-published-by-me-march-17th-2022">Originally published by me, March 17th, 2022</h4>]]></content><author><name>David Haines</name></author><category term="Other" /><summary type="html"><![CDATA[There is a well-known issue with macOS in which a Mac does not show available software updates. This has been occurring since the time of macOS Big Sur - aka “macOS ‘(this one) goes to’ 11”]]></summary></entry></feed>