Tagged Apple

Active Directory / Open Directory group nesting fixed in Snow Leopard

There was a bug in Mac OS X 10.5 “Leopard” that prevented proper application of MCX settings to an Active Directory group nested inside an Open Directory group. This problem has been corrected in 10.6 “Snow Leopard,” but it’s important to note that this is also a client-side issue: you must upgrade all client machines to Snow Leopard for the settings to apply properly.

The problem shows up in the following way: under Apple’s Magic Triangle guidelines, the proper method for access management on the desktop is to “nest” AD users and groups within OD groups, and then to apply settings to those OD groups. This allows for management of AD users on any Macs they log into, while avoiding the risk of extending the AD schema itself. For the most part, this worked correctly in Leopard, except for AD groups nested in OD groups when the settings were applied to Computer groups within the OD. For example, placing a user AD\joeuser into an OD group called banned_users and then denying the banned_users group login access to the LabComputers OD group would block Joe from logging in, but adding the AD group AD\alumni to the same OD group would not prevent its members from logging in.

Thankfully, this nesting behavior now works correctly in 10.6. As long as you upgrade your clients as well, you should be able to manage Computer settings just like you’d expect.

Ok, but it’s still not a good idea

There’s been an inordinate amount of buzz surrounding the (potential) release of a new Apple tablet computer, which prompts me to ask, why is Apple building a tablet? PC manufacturers have been making tablets in one form or another for years, and they don’t sell. Is it because no one with the design ability and skill for marketing has created one until now? No, it’s because the concept is fundamentally flawed when deployed in the real world, and therefore has been rejected by consumers who, universally, live in that same world. Here’s why.

  1. Tablets are kind of like laptops, except that you either a) flip open the screen and lay it flat or b) the screen is exposed all the time. With the first option, you basically get a laptop with a weak point, i.e. the swivel where the screen goes from laptop to tablet mode. With the second option, you get scratches on your screen unless you are very, very careful.
  2. We buy desktops because they are fast. We buy laptops because they are portable. We buy phones because we can carry them with us and get access to information quickly and easily. Why would we buy an oversized phone that won’t fit in our pocket, can’t make calls, and lacks the horsepower of a laptop or desktop?
  3. Except on Star Trek, people who carry a device in one hand and attempt to move their other hand around on it will drop that device. Repeatedly. That’s another reason the phone makes sense — you can hold it in your hand and use gestures with the other hand.

If you don’t agree, consider this: many experts predict smartphone sales will surpass laptop sales by 2012. Why? Because smartphones can do all that stuff we need to do on the fly, without weighing us down. If you just need to read an email or surf the Web, why take out your laptop/tablet when your pocket-sized device will do?

Stop making me buy your over-priced hardware, Apple

A couple of Apple reps were by recently touting the new Podcast Producer 2 server product. If you’re not familiar with Podcast Producer 2, it basically lets you do audio and video capture, as well as camera control and some nifty workflow creation (for doing things like automatically stamping video with copyright info and a watermark). It’s not a bad product from a design standpoint, except that it has what I consider a critical weakness in most Apple server products–it’s designed to force you to buy a lot of over-priced Apple hardware. Here’s what Apple envisions for a typical classroom with A/V capture:

1 Mac Mini to drive the lecture station, show slide shows, etc ($700)
1 Mac Mini connected to a camera to control video/audio capture ($700)
1 video camera ($200)
1 microphone ($100)
1/6 of an Apple Xserve ($1,000)

That’s $2,700 per classroom, based on my rough estimations, or about $2,000 more than it should cost. The extras are all in the Apple hardware–most of which is unnecessary. How can I be sure of this? For one thing, the second Mac Mini is superfluous, except that Podcast Producer 2 is incompatible with network video cameras. This isn’t a technology limitation–I’m currently running streams from network cams such as those made by Axis into QuickTime Streaming Server on Mac OS X Server. Why can’t I use those same cameras with Podcast Producer? Because Apple wants to sell me an extra Mac Mini to control the camera, that’s why.

It’s things like this that make me so opposed to encouraging Apple products in the enterprise. If Apple just made good products (they do) that worked well with whatever hardware you have (they don’t), then they would be a real player in the enterprise. But since they have taken the route of limited hardware (under the guise of interoperability concerns), I am less than enamored with Podcast Producer 2, for the same reason I dislike many Apple products.

Installing Microsoft Office 2008 on Snow Leopard

If you’re having trouble putting Microsoft Office 2008 on your new Snow Leopard (OS 10.6) Mac, it may be because you need to install Rosetta, the PowerPC emulator that allows you to run older software that was not designed to run on Intel Macs.

As it turns out, while Office 2008 is completely universal (that is to say, it will work with both PowerPC and Intel Macs), the installer is written only for PowerPC. If you put the disk in your computer without Rosetta, you will probably receive a message about it not being compliant, or you may not see the disk at all. If this happens, simply insert the Snow Leopard disk, and add Rosetta. Then re-insert the Office disk and it should prompt you to use Rosetta to run the installer.

Create an AppleScript GUI to set a local Software Update server

A little while back, I blogged about the Terminal commands you can use to set a local Apple Software Update server on your client machines. Obviously, there are many advantages to this, including faster package downloads and the ability to prevent bad or undesirable updates from being installed too soon. However, in this day and age, many users have laptops or Minis that often travel away from the network on which your local server resides. For this reason, it can be helpful to have a simple program that users can run to set their update server to either Apple’s default, or your own local update box. That way, if they can’t reach your server for one reason or another (like a firewall), they can always get critical updates from Apple. Here’s the AppleScript:

display dialog "Set Update Server" buttons {"Cancel", "Apple", "Local"} default button 3
if the button returned of the result is "Local" then
    -- point Software Update at the local server
    do shell script "defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://updateserver.mydomain.com:8088/"
else
    -- "Apple": remove the override so the client uses Apple's default catalog
    do shell script "defaults delete /Library/Preferences/com.apple.SoftwareUpdate CatalogURL"
end if

Just substitute the URL of your local update server where it says http://updateserver.mydomain.com. You can test that it works by choosing your local server with your new GUI, then running Software Update. The window should read Software Update (updateserver.mydomain.com). If you set it back to the default, it should just read Software Update again.
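To check which catalog a client ends up trusting after the toggle above, this added example (not part of the original post) classifies the CatalogURL value against an allowlist. ALLOWED_HOSTS and the function names read_catalog_url and classify_catalog_url are assumptions; the allowlisted host is the post's sample server.

```shell
#!/bin/sh
# Added example: audit the Software Update catalog override on a client.
# Assumption: ALLOWED_HOSTS lists your own update servers (sample host from the post).
ALLOWED_HOSTS="updateserver.mydomain.com"

# Print the machine-wide CatalogURL, or nothing when the key is unset
# (an unset key means the client uses Apple's default catalog).
read_catalog_url() {
    defaults read /Library/Preferences/com.apple.SoftwareUpdate CatalogURL 2>/dev/null || true
}

# classify_catalog_url URL -> prints default | ok | unexpected-host | malformed
classify_catalog_url() {
    url=$1
    if [ -z "$url" ]; then echo default; return 0; fi
    case $url in
        http://*|https://*) ;;
        *) echo malformed; return 0 ;;
    esac
    rest=${url#*://}          # drop the scheme
    authority=${rest%%/*}     # keep host[:port], drop the path
    case $authority in
        # userinfo ("host@otherhost") makes the real host easy to misread
        ''|*@*) echo malformed; return 0 ;;
    esac
    host=$(printf '%s' "${authority%%:*}" | tr 'A-Z' 'a-z')
    if [ -z "$host" ]; then echo malformed; return 0; fi
    for allowed in $ALLOWED_HOSTS; do
        if [ "$host" = "$allowed" ]; then echo ok; return 0; fi
    done
    echo unexpected-host
}

# On a Mac (where `defaults` exists) report the current state.
if command -v defaults >/dev/null 2>&1; then
    echo "CatalogURL status: $(classify_catalog_url "$(read_catalog_url)")"
fi
```

Anything other than default or ok is worth investigating, since the catalog decides which update packages the client will offer to install.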

Run UNIX commands in an AppleScript

If you want to easily encapsulate a shell script or a UNIX command in an AppleScript, but that command must be executed as root (through a sudo), just do the following (all one line):

do shell script "unix_command" password "your_password" with administrator privileges

where unix_command is the actual command you want to execute. In my case, this was to set the Sharing hostname to match the actual DNS hostname of the computer, which looked like this:

do shell script "scutil --set ComputerName `hostname`" password "NoWayJose" with administrator privileges

By the way, if you do intend to set the Sharing name to the computer’s hostname, make sure to include the backticks (located under the ~ sign at the top left of most keyboards) around the word hostname, otherwise you’ll just name your computer ‘hostname’ rather than its DNS name.

It’s important to note that this a) leaves your password in plain text in the script, and b) runs silently. If you would rather be prompted for a password, wrap the command in a Terminal tell block instead, like this:

tell application "Terminal"
    do script "sudo scutil --set ComputerName `hostname`"
end tell

This will launch Terminal, which will then prompt you for your password in order to sudo.

Disable an Open Firmware (EFI) password on an Intel Mac

Ok, so you thought it would be a good idea to secure your Mac using a firmware password, and then you forgot it. Or, alternatively, you left your machine logged in and an enterprising and mischievous co-worker set a password while you were away. In either scenario, you’re confronted with the same problem: you can’t do anything but boot normally unless you enter the password to unlock the firmware.

If you’re running Leopard, the latest release of OS X from Apple, the solution is actually quite easy. As with most Apple stuff, the firmware password seems really secure, but it’s not, since Apple has nicely built in a backdoor. Here’s what you’ll need: your computer, a Leopard install disk or original system disk, and an administrative account on the Mac you’re unlocking. Got it? Ok, let’s get started:

  1. Boot normally into Mac OS X. You should be able to do this, because you’re not changing any boot options.
  2. Insert the OS X Leopard DVD into your computer. The popup will appear asking to install OS X. Just ignore or close it.
  3. Open Terminal by going to Applications -> Utilities -> Terminal or typing ‘Terminal’ into Spotlight.
  4. Enter the following: open /Volumes/Mac\ OS\ X\ Install\ DVD/Applications
  5. In the Finder window that opens, choose Utilities and then Firmware Password Utility. Uncheck the box to set the firmware password and hit Change. Your password is now reset to blank, and you won’t be prompted to enter one when changing boot options.

Configure a Leopard client for an Apple Software Update server

To configure a Mac running OS X 10.5 (Leopard) to connect to a local Apple Software Update server, simply use the following command, where servername is the name of your local server that runs Software Update.

defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://servername:8088/

If you have any problems, verify that you can see the update server by accessing the following URL from the client’s web browser:


If you don’t see an XML-type page come up, you should verify that the Software Update service is running on the server, and that port 8088 is properly configured to allow traffic on your network.

Office Word 2008 for Mac crashes when you choose File > Open

Someone at my work had a problem with Microsoft Office 2008 for the Mac crashing whenever they’d go to File > Open inside of Word. If they double-clicked on the file, everything was fine. Not wanting to hunt around through infinite Library folders looking for the offending files and “uninstalling” Office, I found a quick and easy solution online:

According to this site, “This is due to corrupt preferences, specifically the UserName/Library/Preferences/com.microsoft.Word.plist. Quit Word, drag that file to the desktop, and relaunch Word.” That solution worked perfectly for my customer, and they’re back to happily opening files from inside of Office.

Now, if that doesn’t work, there are some additional preferences files you can tweak/delete. You can find that additional troubleshooting advice here.

My BlackBerry is better than your iPhone

Our resident Apple toady made a passing remark to me this morning after seeing a colleague’s new iPhone, something like this: “Hey, his iPhone’s better than your BlackBerry.” Now, my BlackBerry is about three years old, nowhere near top-of-the-line, yet that horribly biased statement got me thinking. After all, it’s undeniable that the iPhone’s Mac OS X-based environment is slicker and prettier than the BlackBerry’s rather austere Java environment. But the point of a smartphone is, for lack of a better word, to be smart, and the BlackBerry still does a better job.

It boils down to one thing above all else, beyond the minor problems like no expansion slots and no one-touch phone dialing (the other half of ‘smartphone’): no 3rd-party apps. Apple, as has always been their hallmark, wants to keep everything in-house, so we get a phone that shows YouTube, but not Flash-based content on the bundled Safari browser. And, we get a phone that can do barely a tenth of what my Java-based phone can. Here’s what my BlackBerry can do right now that the iPhone will never be able to do:

  1. S/FTP access
  2. Remote Desktop access
  3. VNC access
  4. SSH
  5. Opera Mini browser
  6. SharkModem tethered modem software

The list goes on, but the point is that RIM made a good decision to go with a technology that was demonstrating itself both universal and capable of being deployed on handheld devices. All of the apps I’ve mentioned are 3rd-party, and I’m not counting gadgets like Gmail which may be on both phones. Apple decided to keep everything tightly under wraps, and now they’ve delivered a phone that’s glitzy and slick, but also inherently limited in scope. And that’s why the BlackBerry line is still better.
