How I Start: Writing Servers for Existing Clients

6 minutes

I find again and again that I end up creating a new server for clients which already exist. I have now gone through this process with multiple projects, including mdm, SCEP, osquery and others. Today, I want to take a moment and describe how I use Go to prototype a new server around a client that I’m not familiar with, or have no documentation for.

I always end up throwing out this early prototype, but it’s an important part of the process and deserves to be documented on its own.
A few days ago, I started a new project - moroz, a server for Santa, a popular macOS security tool. I’ll use Santa as the client in this example.

Read More…

Exploring the exec system call with Go

5 minutes

If you’ve created a Docker container, you’ve likely seen a docker-entrypoint.sh script which ends with exec $@. The ENTRYPOINT directive is a common way to add some sort of initialization to a docker container. It can be used to update some configuration based on environment variables passed to the container, generate some random data or do anything else necessary for the process to start. Today I want to focus on the exec $@ line that such an entrypoint script often ends with.

Read More…

image/draw: Adding Alpha Channel to PNGs.

5 minutes

The other day, I was reading a blog post by Erik Gomez about a recent change Apple made for setting LoginWindow images - as of macOS 10.12, they require a PNG which has an Alpha channel set. This requirement could be annoying and requires tools like Photoshop or ImageMagick. At a previous job managing lab machines at an art school, I was asked to update both the login window and desktop background image quite often, so I was intrigued by this change.

I have not had the chance to work with the image package yet, so I thought this would be a good opportunity to start. The resulting code turned out quite elegant, but I did run into a few challenges along the way.

Read More…

Accepting Github Webhooks with Go

7 minutes

Recently I had to write some automation scripts which ran whenever certain events occurred in a Github repository. To do so, I wrote a custom HTTP server which accepted Github Webhooks and triggered my script. Github has a simple guide using Sinatra, but I used the Go net/http library to write my server. This tutorial will show you how to build your own server to accept Github webhooks.

Read More…

Nodeless Puppet for macOS

3 minutes

When using puppet, it’s recommended that you assign a unique role to each node. The role could be webserver, admin_workstation, lab_mac and so on. There are several ways to do this; the simplest is having a list of nodes in manifests/site.pp, and there are several abstractions, like Foreman or the Puppet Enterprise Dashboard, which allow you to assign roles to nodes through a web interface. If this sounds vaguely familiar to you, it should – munki recommends the same strategy for manifests. We create a unique manifest for each hostname/serial number and use included manifests to add common applications.

Read More…

Dynamic Configuration Profiles with Puppet

3 minutes

These days you can get a lot of configuration of OS X done by applying a profile to manage the setting you want. There are a myriad of ways to deploy a configuration profile - using MDM, Munki, Casper, email, etc. One thing that gets tedious with profiles is managing the same setting across multiple groups. If you have to set a different Desktop picture for five different groups, that means maintaining five different profiles.

Read More…

An opinionated guide to Munki manifests

5 minutes

I’ve been using Munki to manage Macs in enterprise environments for at least three years now, and frequently hang out in the #munki channel on the MacAdmins Slack. A few times a week there’s someone new who comes in to ask about Munki, and inevitably, the question of how to structure manifests comes up. What follows is an opinionated list of “best practices” that you should follow as a Munki beginner.

Read More…

Secure Munki server with Let's Encrypt and SCEP

5 minutes

In this post, I will show you how to set up a public Munki repository. The server will be configured to use HTTPS, but also require clients that connect to provide an X.509 client certificate to access the repo. Normally, this kind of setup would require your organization to pay for an SSL certificate, and set up a PKI system that will sign unique certificates for each device. Some enterprising MacAdmins have used the puppet CA to issue certificates for each Mac, but if you’re not already using puppet, this option is less attractive.

Read More…

Munkiing around with DEP

4 minutes

In my last post from November I wrote an introduction to Apple’s MDM Protocol spec. Apple has shown an innovative approach to enterprise deployment with its DEP service and MDM protocol. Apple’s solution allows for a more flexible deployment for administrators while giving users more control over their devices. Most enterprises already have robust solutions to manage devices in their organizations - especially laptops and desktops. We use Imagr, Munki and Puppet internally to manage our users’ machines.

Read More…

MDM from scratch

6 minutes

This summer, at PSU MacAdmins, Pepijn Bruienne showcased project-imas/mdm-server, a simple implementation of an iOS MDM server. I had little interest in an MDM so far, because of its limited applications on OS X. With Apple’s DEP program, and recent additions such as OS X Software Update management through MDM, the whole idea became more appealing. I’ve been reading some of the Apple Developer docs to get a better understanding of how the MDM protocol works behind the scenes, and implementing my own server.

Read More…

Sync git repos with a sidekick container

2 minutes

Most of what I do these days - configuration, code and even blog posts - is stored in a git repository somewhere. With the addition of Large File Storage on Github, I’ve also started storing some binary files in Git. Often, I have to make the content of a repo available inside a Docker container. How do you do this reliably, especially without rebuilding a container that needs to access the content of the repo?

Read More…

Sysadmin productivity with Go

3 minutes

Over the past 6 months, I’ve been learning Go and using it to solve various system administration tasks. One of the first useful things I wrote in Go was a program that read the report plist which AutoPkg outputs, and piped the output to Slack. With the release of AutoPkg 0.5.0, the format of --report-plist had changed, which meant that I would have to rewrite my script. By this time I had a better handle on Go, especially its concurrency primitives.

Read More…

A practical intro to Prometheus

4 minutes

There are two terms that are used to describe monitoring - whitebox and blackbox. An example of blackbox monitoring is a Nagios check, like pinging a gateway to see if it responds. It’s called a blackbox because we can probe at a program, but we don’t really have any control over its internal state, or how it interacts with the rest of your system. Whitebox monitoring, on the other hand, means having data about the internal state of your program.

Read More…

Monitoring Munki with Logstash

4 minutes

This summer I set out to build a monitoring system for our infrastructure. The ELK stack is a great solution for log collection and analysis. One of the first things that I began monitoring with ELK is my Munki Install log. Here is how I’m using Logstash and Elasticsearch to monitor Munki across all my clients.

Step 1: Client devices

Ship logs from clients to logstash. To transport logs, we will use logstash-forwarder, which is a CLI utility that will send logs over the network and use TLS for security.

Read More…

A tiny Kibana Docker container.

1 minute

I’ve been using docker-alpine as a base image for a lot of my Docker containers. It has a lot of nice features, the main one being how tiny my containers are. For example, I built an nginx image that is about 15mb in size. For comparison, the official nginx image is 138mb. Yesterday I set out to build a Kibana dashboard, and ran into an issue: Kibana vendors NodeJS and npm, and the versions it ships are both dependent on glibc.

Read More…

Intro to creating OS X Packages

2 minutes

For years I’ve used tools like The Luggage and Whitebox Packages to package scripts and deploy files to end user machines. The Luggage is cumbersome, and I’m a bit averse to GUI tools that I can’t easily version control and automate. I expressed this frustration in ##osx-server a couple weeks ago, and Tim Sutton replied with: tvsutton > mkdir "root"; <put stuff in root>; pkgbuild --root root --identifier foo.pkg --version 1.

Read More…

Certified - an internal CA for your company

2 minutes

Many of the services we set up today require SSL, and it’s useful to be able to generate and revoke certificates as you wish. This costs money, and the tools for generating your own CA are difficult to use. Recently I started using certified, which is a set of shell scripts to manage an internal CA. Certified is easy to use, and also comes with a built-in git repo for your CA.

Read More…

My Private API

3 minutes

I work at a private school that leverages Veracross, a student information system (SIS), for almost everything we do. Attendance, grades, inventory and any other data relevant to the organization finds its way into Veracross in one way or another. There are several ways of interacting with Veracross, the most common being ESWeb, a web interface for querying and interacting with the data. Veracross also has an API, but it’s (1) read only and (2) many of the queries that are possible in ESWeb are not possible via the API.

Read More…