Tag Archives: Mac Admin

A few years ago I was searching for a way to easily create bookmarks in Microsoft Remote Desktop 8 on the Mac. Prior to version 8 you could drop an .RDP file on a machine and that was really all you needed to do to give your users the ability to connect to servers. Granted, you can still use this method, it’s just a bit sloppier, in my opinion.

So I went searching for a way to script the bookmarks, and that led me to my good friend Ben Toms’ (@macmuleblog) blog. I found his post, “HOW TO: CREATE A MICROSOFT REMOTE DESKTOP 8 CONNECTION” and started experimenting. After some trial and error, I discovered that using PlistBuddy to create the bookmarks just wasn’t being consistent. So I looked into using the defaults command instead. I finally was able to settle on the following script:

You can find that code in my GitHub repo here.

RDC URI Attribute Support

I had posted that script up on JAMF Nation back in June 2014 when someone had asked about deploying connections. Recently user @gmarnin posted to that thread asking if anyone knew how to add an alternate shell key to the script. After no response, he reached out to me on the Twitter (I’m @stevewood_tx in case you care). So, I dusted off my script, fired up my Mac VM, and started experimenting.

The RDC GUI does not allow for a place to add these URI Attributes. I read through that web page and Marnin forwarded me this one as well. Marnin explained that he was able to get it to work when he exported the bookmark as an .RDP file and then used a text editor to add the necessary “alternate shell:s:” information. Armed with this knowledge, I went to the VM and started testing.

First I created a bookmark in a fresh installation of RDC. I had no bookmarks at all. After creating a bookmark I jumped into Terminal and did a read of the plist file and came up with this:

Now that we had a baseline, I exported the bookmark to the desktop of the VM, edited it to add the “alternate shell” bits, and then re-imported it into RDC as a new bookmark. I then tested to make sure it would work as advertised. After some trial and error, I was able to get the exact syntax for the “alternate shell” entry to work. Now I just needed to see what changes were made in the plist file. A quick read showed me the following:

The key is the line that has “remoteProgram” as part of the entry. You have to get the full path on the Windows machine to the application you want to run on connection to the server. Once you know that path, you can adjust your bookmark script however you need.

The script I posted above, which is also linked in my GitHub repo, contains the line to add that Remote Program (alternate shell). If you do not need it, just comment it out of the script.


Recently on JAMF Nation there was a discussion about the Adobe Flash Player Distribution site going away. This site is where admins can go to get a copy of Flash that can then be legally distributed to their fleet of machines. The discussion started out to be about the change Adobe recently made to the URL for this site, but quickly turned to a discussion around distribution of Flash via Casper.

While I have signed up for the Adobe distribution site, I currently utilize a PKG file that comes from AutoPKGr (I replaced my Jenkins install with AutoPKGr last year sometime). Utilizing AutoPKGr makes my life easier, because I do not have to do anything except update my policy to replace the actual PKG file. I’m not going to go into setting up AutoPKGr for use with Casper, there have been plenty of discussions on that, but rather I am going to list out my procedures for processing Flash upgrades.

It’s Upgrade Day

I typically find out that there is a Flash upgrade from JAMF Nation. Someone typically posts that there is a Flash update almost immediately upon release. Once I’ve verified that the update has been uploaded to my JSS by AutoPKGr, I will go update my policy, changing out the PKG file.

As you will see, the policy is set to trigger on “Recurring Check-In” because I don’t care if a web browser is open or not. Flash can be installed while browsers are open; the users just have to restart the browsers that are open after the update. We’ll handle letting them know via a CocoaDialog script.

There are a few pre-requisite items we need to have in place for this process to work. First, we need to have a way to grab the Flash version off of the machines in our fleet. Second, we need to have a Smart Group that will capture all of the machines that are out of spec. This will allow us to scope our policy to those machines.

Grab the Version

I utilize an Extension Attribute to grab the version of Flash and store it in the database. While it can be argued that utilizing an EA to grab the version is not efficient, since the EA will run every time a Recon runs, there really isn’t another reliable method for grabbing the version.

So, set up an EA to grab the version of Flash. My EA is named “AdobeFlashVersion” and utilizes the following BASH script:

That’s pretty straightforward. Now that we have the version, we can build our Smart Group.


As you can see, just pick your EA name out of the list of criteria to search for, and enter the version you are searching for using the “is not” operator.

Policy Time

Now that we’ve got our Smart Group collecting machines that are out of date, we can build our policy to install the update. We will name our policy “Update Flash Player” and place it in whichever category makes sense to your deployment of Casper.

I have my update policy set to run at “Recurring Check-in”, which means that machines will update as soon as they contact the JSS. The frequency is set to “Once per computer”, since we only need it to run one time.


We’ll click on Packages next so that we can add our Flash package. Click on Configure to get a list of all packages in the JSS:



We should now have a list of all packages that the JSS knows about. Locate our latest Flash Player package and click Add to add it to the policy:


I utilize a script that runs after Flash has been installed to notify end users to restart any open web browsers. My script uses CocoaDialog to make these notifications, but you can use the built-in notification process that Casper has. The script I utilize is below:

Now that we’ve added that script to our policy, we will add a line to the Files & Processes tab to set Flash to not auto update.


That line of information in the Execute Command box simply adds a line to a file called mms.cfg to tell Flash Player to not try to auto update. The line is:

The final thing for us to do is to add our Scope. Just click on the Scope tab at the top and add our Update Flash Smart Group:



That’s all there is. Now that we have our update policy in place, each time there’s a new version we just have a few simple steps to update our end users:

  1. Get the new Flash package into the JSS
  2. Change our Smart Group to look for the new version number
  3. Change our policy to remove the old version and add the new version
  4. Finally, Flush All on the policy logs so everyone in the Smart Group gets the update.


I have been utilizing this method for updating Flash for well over a year now, and I have not had any troubles at all.

I hope this quick article has helped you out.


Continuing with my posts on automation, or at least the automation of package building, I’d like to introduce you to my new assistant, Jenkins.  Jenkins is a continuous integration server.  Continuous Integration, or CI, is defined by Wikipedia as:

Continuous integration (CI) is the practice, in software engineering, of merging all developer working copies with a shared mainline several times a day.

To put it plainly, or to put it into the perspective of a Mac sysadmin, Jenkins can be used to run shell commands at a given interval, or to run several commands in series.  We can then use cron-like scheduling within Jenkins to run these commands at a given time each day, each week, or whatever interval you give.

Jenkins will require the use of the Java 6 JRE on the machine you run it on.  You can go out to the Jenkins CI web site to download the installer for Mac.  Once you have downloaded the software, while logged in as an admin on the machine, run the Jenkins installer PKG.  After the installation has completed, either restart the computer, or open a Terminal window and load the LaunchDaemon:

sudo launchctl load /Library/LaunchDaemons/org.jenkins-ci.plist

If Java is not installed you may be prompted to load Java.  After completing these steps, open a web browser and navigate to the home page for Jenkins:


You should hopefully see the Jenkins dashboard, which looks similar to this:


NOTE:  If you receive an error about the home folder, try restarting the computer.

You can also check this web site for more info:

If you successfully loaded the Jenkins dashboard, then you are all set to start using the power of a CI server.  I utilize Jenkins to work with my AutoPkg installation (on the same machine) so that I can build packages while I sleep.

Next up we’ll look at integrating Jenkins and AutoPkg.

There’s been a lot of talk in the Mac admin community recently about AutoPkg.  This tool, currently being developed by Greg Neagle and Tim Sutton, allows for the use of “recipes” to download and package different software found on the Internet.  This ability takes a lot of the work out of locating software, downloading it, and then packaging it, something a Mac admin may do multiple times a week.  AutoPkg automates all of that.  And, if you are a user of Munki, there are even recipes in AutoPkg that will import directly into Munki and update the catalogs.

As a prerequisite for AutoPkg to work, you need to have the command line version of git installed.  If you’ve installed Xcode, then you have git.  If not, you can get git by downloading either a GUI GitHub tool like this one here, or download the command line version of git here.

Once you have git installed, go ahead and download the AutoPkg installer file from this location.  Now that it is downloaded, go ahead and run the AutoPkg installer.  This will install the AutoPkg software in the proper  locations on the machine.  Once completed, fire up Terminal and you can verify the software is properly installed by running the following command:

autopkg version

That will give you the current version installed on the system.  Now that AutoPkg is installed, you may want to create a directory in a common location, like the root of the drive or in the /Users/Shared folder, to hold the output from AutoPkg.  By default AutoPkg stores its output inside the user’s Library folder at ~/Library/AutoPkg/Cache.  This location can be changed by adjusting the CACHE_DIR in the preferences.  I like to store it at the root of the drive in a folder named Autopkg_Done.

mkdir /Autopkg_Done
chmod 777 /Autopkg_Done

Now that you have the CACHE_DIR created, you’ll need to tell AutoPkg about it.  This is done with the following command:

defaults write com.github.autopkg CACHE_DIR /path/to/cache/dir

So, in our example, the command we’d use is this:

defaults write com.github.autopkg CACHE_DIR /Autopkg_Done

NOTE:  AutoPKG stores its preferences in the user’s Preferences folder (~/Library/Preferences/com.github.autopkg.plist).  Because of this, any new user on the machine that will need to use AutoPKG will need to have the CACHE_DIR set and will need to download the recipe repositories (more on this in a minute).
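An added example, not part of the original post: a cache directory with mode 777 can be modified by any local account, including the packages that are later deployed from it, so this sketch creates the directory writable only by the account that runs AutoPkg and audits an existing cache for world-writable paths. The function names and the temporary demo paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the author's script): restrict and audit an AutoPkg cache.

# Create the cache directory writable only by its owner, the build account.
make_cache_dir() {
    mkdir -p "$1" && chmod 755 "$1"
}

# List paths any local user could modify. Symlinks are skipped because
# their own mode bits carry no meaning.
list_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Exit status: 0 = clean, 1 = world-writable paths found, 2 = not a directory.
audit_cache_dir() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    hits=$(list_world_writable "$1")
    [ -z "$hits" ] && return 0
    printf 'world-writable under %s:\n%s\n' "$1" "$hits" >&2
    return 1
}

# Constructed demonstration in a throwaway directory (paths are hypothetical).
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/weak" && chmod 777 "$tmp/weak"   # the mode used in the post
    make_cache_dir "$tmp/hardened"               # owner-writable only
    weak_rc=0; hard_rc=0
    audit_cache_dir "$tmp/weak" 2>/dev/null || weak_rc=$?
    audit_cache_dir "$tmp/hardened" || hard_rc=$?
    rm -rf "$tmp"
    echo "weak=$weak_rc hardened=$hard_rc"
}

demo
```

On a real build host, point audit_cache_dir at the configured CACHE_DIR. If Jenkins runs AutoPkg under its own account, make that account the directory's owner instead of widening the mode.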

With AutoPkg installed, and the CACHE_DIR set, all we have left is to tell it about some recipe repositories.  AutoPkg utilizes git repositories that hold recipes for building different packages.  Like using a recipe to bake a cake, AutoPkg uses these recipes to build the different files.

As of this writing, there are four repositories that I am aware of.  They are:

We need to tell AutoPkg about these repositories.  This is accomplished with the following command line:

autopkg repo-add <repoURL>

So for the four repositories above, we would use the following:

autopkg repo-add
autopkg repo-add
autopkg repo-add
autopkg repo-add

Now that we have our repositories in AutoPkg, we are free to run one of the recipes.  We can see what recipes we have access to with the following:

autopkg list-recipes

If all went right, you should see a list of the recipes that your AutoPkg installation knows about.  To run one, simply use the following:

autopkg run <recipe>

For example, to run Adobe Flash Player:

autopkg run AdobeFlashPlayer.pkg

That will download the Flash Player and create a PKG file for deployment inside of our CACHE_DIR (/Autopkg_Done in our case).  We can navigate through the folders there to find a pristine Flash installer package that we can now deploy to our machines.

There’s plenty more to know about AutoPkg, including how to import directly into Munki during a build.  Check out the wiki for more information on Munki integration, or if you want help with installation and config, go here.

Next up, we’ll set up Jenkins, a continuous integration server that will eventually allow us to build packages while we sleep.