Category Archives: Mac

Mac Server Update Breaks Profile Manager

Profile Manager 3.2.1 Error – Symptoms

With the recent “Shellshock” vulnerability (the bash bug) floating around, I went through my servers to get them all up to date. I updated OS X Server on my Mavericks box to 3.2.1. That update actually broke Profile Manager with the error:

We're sorry, but something went wrong. We've been notified about this issue and we'll take a look at it shortly.

I also received other errors from Profile Manager, including this one in the browser console:
SyntaxError: JSON Parse error: Unrecognized token '>'
Profile Manager 3.2.1 was also returning 500 Server errors and in general just would not work. I could get to the login screen, but was unable to actually log in; it would redirect to the error page above. More or less, Profile Manager was completely broken, and I didn’t have a backup to restore to.

After some digging around – it appears that something goes haywire in the upgrade process.  (Like you didn’t already know that! :D)

Profile Manager 3.2.1 Error – The Fix

If you are seeing the same problems described above, fixing Profile Manager 3.2.1 takes two commands:

  1. Run the command:
    sudo psql -U _devicemgr -d devicemgr_v2m0 -h /Library/Server/ProfileManager/Config/var/PostgreSQL -c "UPDATE auto_join_profiles SET usage_log = NULL"
  2. Run the command:
    sudo /Applications/

The first command clears the usage_log column of the auto_join_profiles table in Profile Manager’s PostgreSQL database (the -h argument is the directory holding the Unix socket, which is why the command runs under sudo). All I can figure is there is something in that log that the migrateDB command does not like. Once that column is reset, the database migration succeeds. Note that the UPDATE discards the usage log for good, so dump the database with pg_dump first if you might need it. You may get one more error page, but just hit the reload button and the page will load after that.
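The same fix as a script, added here as an example and not part of the original post: it dumps the devicemgr_v2m0 database with pg_dump before issuing the identical UPDATE, and only prints the plan unless you pass `run`. It assumes psql and pg_dump from Server.app are on the PATH (as the command above already assumes) and that /var/backups is an acceptable place for the dump (override with PM_BACKUP_DIR). The migrateDB command from step 2 still has to be run afterwards.

```sh
#!/bin/sh
# Added example (not from the original post): dump the Profile Manager
# database before nulling auto_join_profiles.usage_log, so the UPDATE can be
# undone if the migration still fails. Assumes psql/pg_dump are on PATH.

PM_SOCK=/Library/Server/ProfileManager/Config/var/PostgreSQL   # socket dir from the post
PM_DB=devicemgr_v2m0
PM_USER=_devicemgr
PM_BACKUP_DIR=${PM_BACKUP_DIR:-/var/backups}                    # assumed location

# The statement the upgrade needs; kept in one place so plan and run agree.
pm_clear_sql() {
    printf 'UPDATE auto_join_profiles SET usage_log = NULL;'
}

# One timestamped dump file per invocation.
pm_dump_path() {
    printf '%s/%s-%s.sql' "$PM_BACKUP_DIR" "$PM_DB" "$(date +%Y%m%d-%H%M%S)"
}

# Run a single SQL statement against the Profile Manager database, failing on error.
pm_psql() {
    psql -U "$PM_USER" -h "$PM_SOCK" -d "$PM_DB" -v ON_ERROR_STOP=1 -c "$1"
}

# Back up, show how many rows are affected, then clear usage_log.
# Prints the plan and returns unless $1 is "run".
pm_fix_usage_log() {
    dump=$(pm_dump_path)
    if [ "${1:-}" != run ]; then
        echo "would dump $PM_DB to $dump"
        echo "would run: $(pm_clear_sql)"
        return 0
    fi
    mkdir -p "$PM_BACKUP_DIR" || return 1
    pg_dump -U "$PM_USER" -h "$PM_SOCK" -f "$dump" "$PM_DB" || return 1
    chmod 600 "$dump"                       # the dump contains device records
    pm_psql 'SELECT count(*) AS rows_with_usage_log FROM auto_join_profiles WHERE usage_log IS NOT NULL;' || return 1
    pm_psql "$(pm_clear_sql)"
}

# Usage: sudo sh pm_fix.sh        (print the plan)
#        sudo sh pm_fix.sh run    (dump, then clear usage_log)
if [ -n "${1:-}" ]; then
    pm_fix_usage_log "$1"
fi
```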

Windows 7 Can’t Connect to Mac OS X VPN Server

How To Connect Windows 7 To Mac VPN Server behind Firewall

Background of problem:

I had a Mac OS X VPN Server set up at a school district that was behind a firewall. It was set up with a static 1 to 1 NAT so that it could be reached publicly. I was able to connect to the Mac VPN with all of my mac devices and had no issues. However, my boss – a windows user – wanted access. Her Windows 7 machine was not able to connect to the VPN Server. No matter what settings we tried it just would not connect.

I spent hours googling and searching the internet for a solution to my problem. I figured that it must be something incompatible between the Mac server and Windows 7. As it turns out, it really had nothing to do with the fact that it was a Mac server. According to Microsoft (knowledge base article 926179), Windows Vista and later do not by default establish IPsec security associations with a VPN server that sits behind a NAT device (IPsec NAT-T), which is exactly where a 1-to-1 NAT puts the Mac server. No matter how hard you try to connect to an IPsec VPN that is behind NAT, Windows is not going to connect until the registry value below is set. Microsoft leaves it off on purpose and the article explains the trade-off, so apply it to the clients that need it rather than by default.

How To Fix:

  1. Log on to the Windows client computer as a user who is a member of the Administrators group.
  2. Click Start, point to All Programs, click Accessories, click Run, type regedit, and then click OK. If the User Account Control dialog box prompts you to elevate your administrator token, click Continue.
  3. Locate and then click the following registry subkey (the one Microsoft’s article gives for Windows Vista and later, which includes Windows 7):
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
     Note: You can also apply the DWORD value to a Microsoft Windows XP Service Pack 2 (SP2)-based VPN client computer. On XP, locate and then click this subkey instead: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec
  4. On the Edit menu, point to New, and then click DWORD (32-bit) Value.
  5. Type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.
  6. Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
  7. In the Value Data box, type one of the following values:
    • 0
      A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind NAT devices. This is the default value.
    • 1
      A value of 1 configures Windows so that it can establish security associations with servers that are located behind NAT devices.
    • 2
      A value of 2 configures Windows so that it can establish security associations when both the server and the Windows Vista-based or Windows Server 2008-based VPN client computer are behind NAT devices.
  8. Click OK, and then exit Registry Editor.
  9. Restart the computer.

For the setup described above (server behind a 1-to-1 NAT, client on a routable address) a value of 1 is enough; a client that is itself behind a home router needs 2.

How to allow non-admin mac user to use App Store


There are times you may need to let a non-admin user purchase and install apps from the Mac App Store. Out of the box, OS X does not allow this: App Store installs go into the /Applications folder, and writing there requires administrative rights, which a standard user does not have. In a situation where giving that user admin rights isn’t feasible, there is a workaround.

I have a non-admin user named “Tom Foolery”. I would like him to stay a standard user – but have access to purchase and install from the App Store.  Here is what I do:

Add Non-Admin User to _appstore Group

  1. Log in to the computer as a user with Administrative Rights
  2. Open Terminal: click the Spotlight icon in the top right of the menu bar, type “Terminal”, and open the Terminal app.
  3. Once it opens you are ready to type the command that adds the non-admin user to the _appstore group.
  4. Type the following command:
    sudo dscl . -append /Groups/_appstore GroupMembership tomfoolery

    You will need to replace “tomfoolery” with the short name of your user. If you don’t know which short name to use, list the users on the system with:

    sudo dscl . -list /Users

    Be sure to copy the username exactly as listed and insert it into the dscl command.

  5. Now login as the non-admin user and enjoy your access to the App Store!
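The same dscl change wrapped in a script, added here as an example and not part of the original post: it refuses unknown short names, skips the append when the user is already listed (so GroupMembership never gets duplicate entries), re-reads the group to confirm the change, and has a matching revoke for when the user no longer needs install rights. It assumes the local directory node (`dscl .`) as in the command above and must run under sudo.

```sh
#!/bin/sh
# Added example (not from the original post): idempotent _appstore membership
# management with dscl. Run as root (sudo).

APPSTORE_GROUP=_appstore

# True if a local user record with this short name exists.
user_exists() {
    dscl . -read "/Users/$1" RecordName >/dev/null 2>&1
}

# True if $1 appears in group $2's GroupMembership attribute.
# dscl prints "GroupMembership: alice bob", so split on spaces and match whole names.
in_group() {
    dscl . -read "/Groups/$2" GroupMembership 2>/dev/null | tr ' ' '\n' | grep -qx "$1"
}

# Grant App Store install rights to a standard user.
grant_appstore() {
    u=$1
    if ! user_exists "$u"; then
        echo "no such user: $u" >&2
        return 2
    fi
    if in_group "$u" "$APPSTORE_GROUP"; then
        echo "$u is already a member of $APPSTORE_GROUP"
        return 0
    fi
    dscl . -append "/Groups/$APPSTORE_GROUP" GroupMembership "$u" || return 1
    # Re-read the group so we report what the directory actually contains.
    if in_group "$u" "$APPSTORE_GROUP"; then
        echo "added $u to $APPSTORE_GROUP"
    else
        echo "append reported success but $u is not in $APPSTORE_GROUP" >&2
        return 1
    fi
}

# Reverse the change; a no-op if the user is not a member.
revoke_appstore() {
    in_group "$1" "$APPSTORE_GROUP" || return 0
    dscl . -delete "/Groups/$APPSTORE_GROUP" GroupMembership "$1"
}

# Usage: sudo sh appstore_grant.sh tomfoolery      (grant)
#        sudo sh appstore_grant.sh -r tomfoolery   (revoke)
case "${1:-}" in
    "")  ;;                            # no arguments: just define the functions
    -r)  revoke_appstore "$2" ;;
    *)   grant_appstore "$1" ;;
esac
```

Membership in _appstore only lets the user install through the App Store; as the next section notes, the installed apps are still owned by root, so the user cannot remove them afterwards.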

Keep In Mind

When a user installs an app from the App Store, the App Store itself performs the installation and sets the permissions. That means an app installed by a non-admin user lands in the /Applications folder owned by root (shown as “system” in the Finder) with group wheel. As a result the user will not be able to delete the app after installing it, because they do not have permission to.

Kickstart Man Page

Kickstart is a great utility for configuring Apple Remote Desktop from the command line. There are many scenarios where you might need it, especially bulk imaging, scripting, and package making. The following kickstart man page was produced with this command:

sudo /System/Library/CoreServices/RemoteManagement/ -help

You could also change into the directory first (cd is a shell builtin, so it must not be prefixed with sudo):

cd /System/Library/CoreServices/RemoteManagement/

sudo ./kickstart -help

Example on how to use this coming soon!

kickstart — Quickly uninstall, install, activate, configure, and/or restart
             components of Apple Remote Desktop without a reboot.

kickstart -uninstall -files -settings -prefs

          -install -package <path>

          -activate
          -deactivate

          -configure -users <user1,user2,...>
            -access -on  -off
            -privs  -all -none
                    -DeleteFiles -ControlObserve -TextMessages -ShowObserve
                    -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles
                    -ChangeSettings -ObserveOnly -mask <number>
            -allowAccessFor -specifiedUsers
                            -allUsers [-privs <privileges>]
            -computerinfo -set1 -1 <string>
                          -set2 -2 <string>
                          -set3 -3 <string>
                          -set4 -4 <string>
            -clientopts
              -setmenuextra -menuextra  yes|no
              -setdirlogins -dirlogins  yes|no
              -setreqperm   -reqperm    yes|no
              -setvnclegacy -vnclegacy  yes|no
              -setvncpw     -vncpw      mynewpw
              -setwbem      -wbem       yes|no

          -restart -agent -console -menu

          -stop

          -targetdisk <mountpoint>

          -verbose -quiet

          -help     ## Show verbose documentation


– Uninstall program files (but not preferences and settings), install the given package, and then restart the service.
  kickstart -uninstall -files -install -package RD_Admin_Install.pkg -restart -console

– Install the given package and then restart the ARD agent.
  kickstart -install -package RD_Client_Install.pkg -restart -agent

– On 10.4 and earlier, stop the Remote Management service but, if activated, it will start after the next computer restart.
– On 10.5 and later, use kickstart -deactivate instead.
  kickstart -stop

– Stop the Remote Management service and deactivate it so it will not start after the next computer restart.
  kickstart -deactivate -stop 

– Restart the agent.
  kickstart -restart -agent -console

– Activate the Remote Management service and then restart the agent.
  kickstart -activate -restart -agent -console

– Activate the Remote Management service, enable access, and restart the agent.
  kickstart -activate -configure -access -on -restart -agent

– Disable user access.
  kickstart -configure -access -off

– Give admin and bob all access.
  kickstart -configure -access -on -privs -all -users admin,bob

– Use Directory Server accounts for authentication. Users must be a member of one of the ARD directory groups to authenticate.
  kickstart -configure -clientopts -setdirlogins -dirlogins yes

– Disable the Remote Management menu extra.
  kickstart -configure -clientopts -setmenuextra -menuextra no

The following examples are only for Mac OS X 10.5 and later.

– Allow access for only these users (the users must be specified in a separate command).
  kickstart -configure -allowAccessFor -specifiedUsers

– Allow access for all users and give all users full access.
  kickstart -configure -allowAccessFor -allUsers -privs -all

– Start the Remote Management service.
  kickstart -activate

Version 0.9


This script can be run like any UNIX tool from the command line or
called from another script.

Before starting:

– Use this script at your own risk.  Read it first and understand it.

– Log in as an administrator (you must have sudo privileges)

– Copy this script to any location you like (such as /usr/bin/local/)

– Ensure this file has Unix line endings, or it won’t run.


– Run the script using “sudo” (enter your password if prompted)

      sudo ./kickstart -restart -agent

Command-line switches:

The optional “parent” switches activate the top level kickstart features:

    -uninstall -install -activate -configure -restart

These features can be selected independently, but will always be done
in the order shown above.

For anything interesting to happen, you *must* specify one or more of
the parent options, plus one or more child options for those that
require them.  Child options will be ignored unless their parent
option is also supplied.

All options are switches (they take no arguments), except for -package <path>, -users <user1,user2,...> and -mask <number>, as noted below.

-uninstall  ## Enable the “uninstall” options:

  -files    ## Uninstall all ARD-related files
  -settings ## Remove access privileges in System Preferences
  -prefs    ## Remove Remote Desktop administrator preferences

-install    ## Enable the “install” options:

  -package path ## Specify the path to an installer package to run

-configure  ## Enable the “configure” options:

  -users john,admin ## Specify users to set privs or access (default is all users)

  -activate ## Activate ARD agent in Sys Prefs to run at startup

  -deactivate ## Deactivate ARD agent in Sys Prefs to run at startup

  -access   ## Set access for users: 
    -on     ## Grant access
    -off    ## Deny  access

  -privs    ## Set the user’s access privileges:
    -none               ## Disable all privileges for specified user
    -all                ## Grant all privileges (default)…
                        ## … or grant any these privileges…
    -DeleteFiles        ##
    -ControlObserve     ## Control AND observe (unless ObserveOnly is also specified)
    -TextMessages       ## Send a text message
    -ShowObserve        ## Show client when being observed or controlled
    -OpenQuitApps       ## Open and quit applications
    -GenerateReports    ## Generate reports (and search hard drive)
    -RestartShutDown    ##
    -SendFiles          ## Send *and/or* retrieve files
    -ChangeSettings     ## Change system settings
    -ObserveOnly        ## Modify ControlObserve option to allow Observe mode only

    -mask number        ## Specify “naprivs” mask numerically instead (advanced)

  -allowAccessFor ## Specify the Remote Management access mode
    -allUsers       ## Grant access to all local users
    -specifiedUsers ## Only grant access to users with privileges

  -computerinfo         ## Specify all four computer info fields (default for each is empty)
     -set1 -1  
     -set2 -2  
     -set3 -3  
     -set4 -4 

  -clientopts           ## Allow specification of several opts.
     -setmenuextra -menuextra  yes|no        ## Set whether menu extra appears in menu bar
     -setdirlogins -dirlogins  yes|no        ## Set whether directory logins are allowed
     -setreqperm   -reqperm    yes|no        ## Allow VNC guests to request permission
     -setvnclegacy -vnclegacy  yes|no        ## Allow VNC Legacy password mode
     -setvncpw     -vncpw      mynewpw       ## Set VNC Legacy PW
     -setwbem      -wbem       yes|no        ## Allow incoming WBEM requests over IP        

-stop       ## Stop the agent and/or console program (N/A if targetdisk is not /)

-restart    ## Enable the “restart” options:         (N/A if targetdisk is not /)

  -agent    ## Restart the ARD Agent and helper
  -console  ## Restart the console application
  -menu     ## Restart the menu extra

-targetdisk ## Disk on which to operate, specified as a mountpoint in
            ## the current filesystem.  Defaults to the current boot volume: “/”.
            ## NOTE: Disables the -restart options (does not affect currently
            ## running processes).

-verbose    ## Print (non-localizable) output from installer tool (if used)
-quiet      ## No feedback; just run.

-help       ## Print this extended help message

ARD has four main components:

1) ARD Helper
2) ARD Agent & associated daemons
3) ARD Menu Extra    (controlled by the SystemUIServer)
4) ARD Admin Console (if you have an Administrator license)

What this script does:

1) Any running ARD components will be stopped as needed.  For example,
   they’ll be stopped before an uninstall, reinstall, or restart
   request.  They will not be restarted unless you specify the
   -restart options.

2) Components will be restarted as required.  For example, restarting
   the administrator console forces a restart of the agent.
   Restarting the agent, in turn, forces a restart of the helper.

3) If you -uninstall but don’t specify a new installer to run, then
   the -restart family of switches will be ignored.

4) Options can be specified in any order, but remember that the
   options are ignored unless their parent options are specified.  For
   example, -package is ignored unless -install is specified.


You can make yourself a GUI-based kickstarter program to run this
script if you like.  The options, set in the console, can be conveyed
via environment variables to this script, per a spec shown in the
source code for this script (or the traditional way using command-line
switches).  Be sure the console application runs this script with sudo
privileges. The console should also specify its own location in the
APP environment variable, and may specify the location of a
STRINGS_FILE to use to load string definitions for any localizable
messages produced by this script.

A GUI console could stay up & running between runs of the script but
should avoid running multiple instances of this script at the same


This script can be used to grant very permissive incoming access
permissions.  Do not use the -activate and -configure features unless
you know exactly what you’re doing.

Blessing A Mac Hard Drive


In the world of IT, you never know what you are going to come up against. I have seen some of the strangest stuff imaginable pop up over time, Apple and PC alike. The one thing they all have in common is an end user who can provide no details about the events leading up to the problem. With that being said, here is the first of hopefully many installments of my experiences and how I fixed the impossible. Okay, definitely not impossible, just checking if you are paying attention. On we go…

Don’t care about the long story? Skip it and see the direct details!

Today I encountered two iBooks that hung on the network imaging process. Naturally, my impatience got the best of me and I decided to restart them after some time of not finishing. As it turns out, the image process completed successfully – minus being able to boot.

On first startup:

I got the dreaded folder screen, but it never showed the question mark that I have grown accustomed to seeing.

I restart holding the option key just after the Apple “Chime” noise:

This allowed me to select the drive and actually boot up the computer. It was working! Kind of…

Now, I restart the computer and it boots right back to the same folder screen with no question mark. So the only way it will boot is by holding the option key at startup and selecting the boot volume.

I decide to try to set the startup disk by going to System Preferences -> Startup Disk and the drive doesn’t show up to select. Somehow, I am booted to a drive that Startup Disk doesn’t even recognize.

Boot to CD and startup disk gives me the same thing…


The Symptoms:

1.) iBook will not boot on its own; it only shows the folder icon with the Finder face
2.) It boots when you hold the option key and select the boot volume
3.) The hard drive does not show up in “System Preferences… -> Startup Disk” to set as the boot drive
4.) The drive shows in Disk Utility and verifies successfully

The Fix:

bless --folder /Volumes/YOURHARDDRIVENAME/System/Library/CoreServices --bootinfo --bootefi

I issued this command to bless the system folder (make it bootable) and have it rebuild the boot files needed. --bootinfo writes the boot loader used by PowerPC machines such as this iBook, and --bootefi the one used by Intel Macs; on a PowerPC iBook it is --bootinfo that matters.

Next I set the boot drive with the following command.

bless --mount /Volumes/YOURHARDDRIVENAME --setBoot

NOTE: If your hard drive name has a space in it, you need to escape the space with a backslash (or quote the whole path). If your hard drive name is “Macintosh HD” the command would be the following.

bless --mount /Volumes/Macintosh\ HD --setBoot

Voila – iBook was completely fixed!
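The two bless commands as a script, added here as an example and not part of the original post: it takes the volume name as an argument so names with spaces are passed quoted rather than backslash-escaped, checks that the volume and its System/Library/CoreServices folder exist before touching anything, picks --bootinfo or --bootefi for PowerPC or Intel, and finishes with `bless --info` so you can see what the firmware will boot. VOLUMES_ROOT defaults to /Volumes and is only there so the checks can be exercised elsewhere.

```sh
#!/bin/sh
# Added example (not from the original post): re-bless a system volume and set
# it as the startup disk, with path checks and quoting for names with spaces.
# Run with sudo.

VOLUMES_ROOT=${VOLUMES_ROOT:-/Volumes}

# Resolve a volume name to its system folder, refusing anything that
# does not look like an OS X system volume.
bless_target_folder() {
    vol="$VOLUMES_ROOT/$1"
    folder="$vol/System/Library/CoreServices"
    [ -d "$vol" ]    || { echo "no such volume: $vol" >&2; return 1; }
    [ -d "$folder" ] || { echo "$vol has no System/Library/CoreServices" >&2; return 1; }
    printf '%s\n' "$folder"
}

# Bless the system folder, then make the volume the boot device.
# $2 = "efi" for Intel Macs; anything else (PowerPC iBooks) uses --bootinfo.
rebless_volume() {
    folder=$(bless_target_folder "$1") || return 1
    vol="$VOLUMES_ROOT/$1"
    if [ "${2:-ppc}" = efi ]; then
        bless --folder "$folder" --bootefi  || return 1
    else
        bless --folder "$folder" --bootinfo || return 1
    fi
    bless --mount "$vol" --setBoot || return 1
    bless --info "$vol"             # show the blessed folder the firmware will use
}

# Usage: sudo sh rebless.sh "Macintosh HD"       (PowerPC iBook, --bootinfo)
#        sudo sh rebless.sh "Macintosh HD" efi   (Intel Mac, --bootefi)
if [ -n "${1:-}" ]; then
    rebless_volume "$1" "${2:-}"
fi
```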


Take this experience with caution – and if you are not sure if it applies to your situation – do not attempt it. I take no responsibilities for your problems – I do that enough in my day job!