Forum Replies Created

Viewing 15 posts - 31 through 45 (of 61 total)
  • in reply to: Some questions about InstaUp2Date config #374230
    jdyck
    Participant

    Hey,

    I’ve been playing around with this again today, trying to massage things into place and building different catalog files for different packages.

    I really like the core ideas surrounding this development package…

    However, I’m still trying to figure out how to keep my custom packages more organized into folders, which I’m having difficulty doing…

    Perhaps I’m just being perfectionist, but in my case I’m a contractor – one of my main clients is a French School District, while my other clients are all English, so for something like MS Office I’m facing difficulties in that all the updates are language specific, but have the same filenames… I could perhaps just rename the files, but I did that with my last modular system and found there were some errors caused with incorrectly named installer receipts.

    I’m hoping to have a folder structure something like:
    [code]MS-Office08-French
    –MSOffice08-French.dmg
    –Office 2008 2P1 Update (12.1.0).mpkg
    –Office 2008 12.1.1 Update.mpkg
    –Office 2008 12.1.2 Update.mpkg (these are the french updaters, which unfortunately have the same filename as the English ones)

    MS-Office08-English
    –MSOffice08-English.dmg
    –Office 2008 2P1 Update (12.1.0).mpkg
    –Office 2008 12.1.1 Update.mpkg
    –Office 2008 12.1.2 Update.mpkg (these are the english updaters, which unfortunately have the same filename as the French ones)

    Client-Customizations
    –Misc customer-specific installers
    –ThisCustomersMSLicense
    –etc[/code]
    This way I could have a catalog file that did something like:
    [code]Third Party Software:
    Office 2008 MSOffice08-English.dmg hash
    Office SP1 Update OfficeUpdates-English/Office 2008 SP1 Update (12.1.0).mpkg hash
    Office 12.1.1 Update OfficeUpdates-English/Office 2008 12.1.1 Update.mpkg hash
    Office 12.1.2 Update OfficeUpdates-English/Office 2008 12.1.2 Update.mpkg hash[/code]
    Which is what larkost above suggested I try, but alas as soon as I add the “OfficeUpdates-French/” part the script dies.

    Like I said, I love the modular methodology and I really like the direction InstaDMG/InstaUp2Date is taking, just want it to take that extra step.

    Perhaps if adding some kind of recursion or whatever to get away from the flat repository is difficult, another option might be to allow a catalog file to temporarily override the userSuppliedPKGFolder variable? That way in my example Office-English.catalog file I could just have a line at the top something like “userSuppliedPKGFolder = MSOffice08-English” and the remainder of that catalog would pull from the specified folder?

    Maybe time for me to learn python or something so I can stop yelling suggestions from the sidelines and start contributing :).

    in reply to: Auto-configuring 802.1X for a user on first login #374213
    jdyck
    Participant

    Hey all,

    I’ve done some re-writing of the solution I’m using to abstract it away from our network and to remove a bit of proprietary stuff and have a package I have just uploaded to AFP548.com. Probably be a few days before it shows up, but curious to hear feedback and perhaps get some more robust ideas on it…

    Just realized I didn’t include any kind of readme on it, basically two things are needed to make this work:

    1 – You have to have the 802.1X WAP certificate added to your client systems (command in this discussion).
    2 – Before you build the app, you need to go into the SetupWifi.applescript and change the referenced wifi network name to reflect your site.

    The GUI app is basically just collecting the user name and password and feeding it to a shell script, which you could also just call yourself (if you know the user’s name and password)… Format is:

    SetupWifi.sh -u username -p password -w wifinetworkname

    Cheers

    jeff

    in reply to: Some questions about InstaUp2Date config #374211
    jdyck
    Participant

    Thanks larkost, that makes sense and I will try it next.

    A few more clarification questions as I try to figure out best practices and limitations…

    While I’m not that organized in real life, when it comes to computers I’m a bit picky, so have a hard time with one massive folder of PKG installers and DMGs… To help me keep my sanity, is there a proper way to reference a pkg or dmg file within the /InstaDMG/Installers/InstaUp2DateInstallers folder?

    Kind of what I envision is having folders to contain major ‘components,’ ie: MS Office, ilife, iWork, OS Updates, System Config pkgs, etc. If nothing else it would make me feel much more on top of this ;).

    Also, is it appropriate to build a bunch of .catalog “building blocks”, ie:

    • An MS Office 08 catalog file, which would contain the config lines necessary to install the base package, each update, and a registration installer.

    • iLife 08, which again would contain the base package and all updaters and registration files as needed.

    Then I could have “Master files” that would mostly use include directives to build the image I want, for example:
    [code]include-file: 10-5-5.catalog
    include-file: MS_Office_08.catalog
    include-file: iLife_08.catalog
    etc.[/code]
    Seems like this would allow me to build several “Build” trains, and as long as I focus on keeping each “building block” up to date all I need to do to update all my images is re-run instaUp2Date on the different “master” catalog files.

    Am I approaching this correctly, or am I just dreaming :).

    Thanks again,

    Jeff

    in reply to: Auto-configuring 802.1X for a user on first login #374168
    jdyck
    Participant

    If anyone is interested, I’ll try and pull a few of the proprietary private stuff from the AppleScript Studio app and post it.

    in reply to: Auto-configuring 802.1X for a user on first login #374167
    jdyck
    Participant

    Hey, sorry for the delayed reply (to the email as well), have been working on a bunch of other stuff…

    Anyway, I kinda got things working to a pseudo-acceptable level – on the user level on first login the user gets an application that asks for their user-name and password. Once they enter this and click setup it pops up a message instructing them to connect to our network, after which the security dialog to give permissions for the wireless to access the keychain item pops up.

    It’s not as smooth as I wanted, and the backend is kinda scary, but here’s what I did…

    [b]1) Install 802.1X certificate into system keychain.[/b]

    I have a master launchd ‘startup-script’ that gets called on system startup. It runs and goes through a list of scripts in a hidden folder – one of these scripts installs the 802.1X cert for the Wireless network into the keychain, using the following command:
    [code]security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" \
    "/path/to/Secure Certificate Authority.cer"[/code]
    [b]2) Directly configure plists to connect[/b]

    I have a second launchd ‘login-script’ which runs upon user login. It fires up an AppleScript Studio application I created which asks for the username and password. When you enter that info and click setup, it runs a shell script (see below) that adds the user info into a keychain item, then creates the plists OS X uses to configure 802.1x… it then pops up instructions for the user to select the wireless network (couldn’t figure out a way to automate this) which then pops up the authorization dialog to ask you if you want to allow the wireless config to use the keychain entry you created. The user then clicks “always allow” and dismisses the instructions dialog, at which point the program sends a stop airport then start airport command… As the Airport starts it sees its new plists and auto-connects.

    **Note: Because this configs some system level plists, if you now login as any other user the system will still try to connect to the 802.1x wireless, but because it won’t have the user level settings it’ll ask you for your user name and password. I’m working with laptops assigned to individual students, so this hasn’t been a concern for me, but it may be for others.

    [b]SetupWifi.sh[/b] (called by SetupWiFi.sh username password /path/to/PListBuddy):
    [code]#!/bin/sh
    # SetupWiFi.sh

    # Set a few properties...
    # $1 = User's short name, $2 = User's password, $3 = Path to PListBuddy

    USER=$1
    PASS=$2
    Buddy=$3
    LocalUser=`whoami`
    HOME=`dscl . -read "/Users/$LocalUser" home | sed -e 's|dsAttrTypeNative:home: ||g'`
    LOG="$HOME/Library/Logs/CSF-NetworkSetup.log"

    # Get MAC Addresses (en0 = Ethernet, en1 = AirPort), with and without escaped colons
    hwAddress=`ifconfig en0 | awk '/ether/ { gsub(":", ""); print $2 }'`
    hwAddresswithColons=`ifconfig en0 | awk '/ether/ { gsub(":", "\\\\:"); print $2 }'`

    AirAddress=`ifconfig en1 | awk '/ether/ { gsub(":", ""); print $2 }'`
    AirAddresswithColons=`ifconfig en1 | awk '/ether/ { gsub(":", "\\\\:"); print $2 }'`
    AirAddresswithColons2=`ifconfig en1 | awk '/ether/ { gsub(":", "\\:"); print $2 }'`

    # Get some Unique Identifiers to use in the plists...
    uuid=`uuidgen`
    netuuid=`uuidgen`

    AirportPref=/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
    EAPProfiles="$HOME/Library/Preferences/com.apple.eap.profiles.plist"
    EAPBindings="$HOME/Library/Preferences/ByHost/com.apple.eap.bindings.$hwAddress.plist"

    # Setup the log so we know what's going on later...
    echo "" >> "$LOG"
    echo "Creating some plist files to allow the Wireless to auto-connect..." >> "$LOG"
    echo "------------------------------------------------------------------" >> "$LOG"
    echo "" >> "$LOG"
    echo "User to configure: $USER" >> "$LOG"
    echo "Computer Hardware address: $hwAddress" >> "$LOG"

    echo "First we need to build the System AirportPref..."
    "$Buddy" -c "Delete :KnownNetworks" "$AirportPref" ;# Remove any previous entry.

    "$Buddy" -c "Add :KnownNetworks dict" "$AirportPref"
    "$Buddy" -c "Add :KnownNetworks:$uuid dict" "$AirportPref"
    "$Buddy" -c "Add :KnownNetworks:$uuid:Remembered\ Channels array" "$AirportPref"
    "$Buddy" -c "Add :KnownNetworks:$uuid:Remembered\ Channels:0 integer 1" "$AirportPref"
    "$Buddy" -c "Add :KnownNetworks:$uuid:Remembered\ Channels:1 integer 8" "$AirportPref"
    "$Buddy" -c "Add :KnownNetworks:$uuid:SCAN_DIRECTED bool Yes" "$AirportPref"
    "$Buddy" -c "Add :KnownNetworks:$uuid:SecurityType string 802.1X\ WEP" "$AirportPref"
    "$Buddy" -c "Add :KnownNetworks:$uuid:SSID_STR string csf-secure" "$AirportPref"
    "$Buddy" -c "Add :Version integer 6" "$AirportPref"

    echo "Building the User's EAPProfiles setting at $EAPProfiles..." >> "$LOG"
    "$Buddy" -c "Delete :Profiles" "$EAPProfiles" ;# Remove any previous entry.

    "$Buddy" -c "Add :Profiles array" "$EAPProfiles" >> "$LOG"
    "$Buddy" -c "Add :Profiles:0 dict" "$EAPProfiles" >> "$LOG"
    "$Buddy" -c "Add :Profiles:0:ConnectByDefault bool Yes" "$EAPProfiles" >> "$LOG"
    "$Buddy" -c "Add :Profiles:0:EAPClientConfiguration dict" "$EAPProfiles" >> "$LOG"
    "$Buddy" -c "Add :Profiles:0:EAPClientConfiguration:AcceptEAPTypes array" "$EAPProfiles" >> "$LOG"
    "$Buddy" -c "Add :Profiles:0:EAPClientConfiguration:AcceptEAPTypes:0 integer 21" "$EAPProfiles" >> "$LOG"
    "$Buddy" -c "Add :Profiles:0:EAPClientConfiguration:AcceptEAPTypes:1 integer 25" "$EAPProfiles" >> "$LOG"
    "$Buddy" -c "Add :Profiles:0:EAPClientConfiguration:UserName string $USER" "$EAPProfiles" >> "$LOG"
    "$Buddy" -c "Add :Profiles:0:EAPClientConfiguration:UserPasswordKeychainItemID string $uuid" "$EAPProfiles" >> "$LOG"
    "$Buddy" -c "Add :Profiles:0:UniqueIdentifier string $uuid" "$EAPProfiles" >> "$LOG"
    "$Buddy" -c "Add :Profiles:0:UserDefinedName string $USER" "$EAPProfiles" >> "$LOG"
    "$Buddy" -c "Add :Profiles:0:Wireless\ Network string csf-secure" "$EAPProfiles" >> "$LOG"
    "$Buddy" -c "Add :Profiles:0:userDefinedName string $USER-WPA" "$EAPProfiles" >> "$LOG"

    echo "Building the User's EAPBindings settings at $EAPBindings..." >> "$LOG"
    "$Buddy" -c "Delete :$AirAddresswithColons" "$EAPBindings" ;# Remove any previous entry.

    "$Buddy" -c "Add :$AirAddresswithColons array" "$EAPBindings" >> "$LOG"
    "$Buddy" -c "Add :$AirAddresswithColons:0 dict" "$EAPBindings" >> "$LOG"
    "$Buddy" -c "Add :$AirAddresswithColons:0:Hardware\ Address string $AirAddresswithColons2" "$EAPBindings" >> "$LOG"
    "$Buddy" -c "Add :$AirAddresswithColons:0:UniqueIdentifier string $uuid" "$EAPBindings" >> "$LOG"
    "$Buddy" -c "Add :$AirAddresswithColons:0:Wireless\ Network string csf-secure" "$EAPBindings" >> "$LOG"

    # Now we need to add a password to the keychain with the uuid and allow eapservice to access...
    # (arguments are quoted so a user name or password containing spaces is passed intact)
    security add-generic-password -a "$USER" -s "$uuid" -p "$PASS" >> "$LOG"

    # Flag that this has been done so it won't reload next login
    touch "$HOME/Library/Logs/.LoginScript-SetupWireless.sh-done"

    exit 0[/code]
    It then uses an applescript extension to turn off the wireless card then turn it back on, at which point OS X will fully authenticate to the wireless network.

    It’s obviously a pretty tedious workaround to something that should be much easier, and I am CERTAINLY open to a more elegant solution should anyone figure it out. However, it took far too long to track down all those entries and get something that worked at all, so for now I’m content.
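
Added example, not part of the original posts or of the SetupWifi package: the script above receives the user name and password as command-line arguments and places the user name directly inside PlistBuddy command strings, so this shows input checks a wrapper could run first. The function names and sample values are hypothetical; the code calls no macOS tool and only validates input and prints the commands it would issue (a dry run).

```shell
#!/bin/sh
# Added example: input handling for a SetupWifi.sh-style wrapper.
# All function names are hypothetical; nothing here runs PlistBuddy or security.
LC_ALL=C; export LC_ALL   # make the character ranges below plain ASCII

# Deliberately strict: allow only characters that cannot change the meaning
# of a PlistBuddy command string (no spaces, colons, quotes, backslashes).
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Turn a MAC address into one PlistBuddy key by escaping each colon,
# after checking that it really is six hex octets.
plist_key_for_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || return 1
    printf '%s\n' "$1" | sed 's/:/\\:/g'
}

# Read the password as one line on stdin, so the wrapper itself never
# carries it in an argument list that other local users can see with ps.
read_secret() {
    secret=
    IFS= read -r secret || [ -n "$secret" ] || return 1
    [ -n "$secret" ] || return 1
    printf '%s' "$secret"
}

# Print the PlistBuddy commands for the EAP profile (dry run), refusing
# to build them from a user name, identifier or SSID that fails validation.
eap_profile_cmds() {
    user=$1 id=$2 ssid=$3
    valid_name "$user" || { echo "rejected user name" >&2; return 1; }
    valid_name "$id"   || { echo "rejected identifier" >&2; return 1; }
    valid_name "$ssid" || { echo "rejected SSID" >&2; return 1; }
    p=":Profiles:0"
    printf 'Add %s:EAPClientConfiguration:UserName string %s\n' "$p" "$user"
    printf 'Add %s:EAPClientConfiguration:UserPasswordKeychainItemID string %s\n' "$p" "$id"
    printf 'Add %s:UniqueIdentifier string %s\n' "$p" "$id"
    printf 'Add %s:Wireless\\ Network string %s\n' "$p" "$ssid"
}
```

The `security add-generic-password ... -p` call in the posted script still takes the password as an argument, so reading it from stdin only removes the exposure at the wrapper's own command line.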

    in reply to: Setting default language #374164
    jdyck
    Participant

    Never mind, I just answered my own question – for anyone else looking it’s pretty easy. The InstaDMG script has a line that states:

    # Default ISO code for default install language. Script default is English.
    ISO_CODE="en"

    Change the “en” to “fr” or the iso code of the language you want.

    in reply to: Struggling with InstallerChoice XML stuff #374161
    jdyck
    Participant

    Thanks for double checking Patrick! I tried again and still no go, then clued into the problem… line endings… Swapped to Unix LF and it was good. Not sure why my Pico attempt didn’t work though.

    Anyway, looks like I’m good to go

    Thanks for the time.

    Jeff

    in reply to: ad mobile accounts admin rights and login startup items #374038
    jdyck
    Participant

    It’s mostly working for me, from a combination of Apple updates and a bit of workarounds…

    Apple has updated this so that it caches at least some groups, and I’ve met them halfway by making sure that the managed OD group contains AD groups with direct user members, rather than the abstracted AD group of AD groups containing AD users that I had before. It means the OD group membership isn’t quite as “clean” as I might have wanted, but it works so I won’t complain too much.

    Hope that helps.

    Jeff

    in reply to: Auto-configuring 802.1X for a user on first login #372687
    jdyck
    Participant

    Hey, that’s perfect!!! I had played around with the security add-trusted-cert command but kept getting errors… I think because I was trying to do the -p eap part, which kept giving an error. This works though, which is fantastic. Thanks a bunch, now just need to revisit my scripts to auto-generate the 802.1x config to see if that works.

    in reply to: Auto-configuring 802.1X for a user on first login #372669
    jdyck
    Participant

    Hey larkost,

    Thanks for your reply, the tool you came up with looks pretty slick.

    I must confess to being pretty clueless about ‘real’ coding (I do some AppleScript Studio and bash stuff, but no C or Cocoa), so not sure that I’d be able to contribute terribly much to what you’ve already done. I did convert my certs into hex and tried inserting them into your code, but when I run the resulting compile I get a segmentation fault, so guess I’m missing something.

    I had pretty much traced the necessary steps to the following, which it seems your tool does…

    1) The certificate has to be imported into the System keychain, and trust configured to always allow EAP.

    2) Several preference files are configured, the ones I’ve traced are:
    – /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist -> Correlates to known networks for auto-connect
    – ~/Library/Preferences/com.apple.eap.profiles.plist -> Sets EAP types, user name, user password keychain item and a UniqueIdentifier for the connection.
    – ~/Library/Preferences/ByHost/com.apple.eap.bindings.MACAddress.plist -> Seems to just match up the network name with the UniqueIdentifier.

    I’ve been able to use PListBuddy to recreate the preference files as part of a loginscript fired off by launchd, but I’m stumped on getting the trust settings for the cert.
    Both using security -add-trusted-cert command, and your tool, to adjust the trust settings you are required to enter an admin password. Problem is, if you use a startup script you don’t even get that opportunity.

    I’m just doing this manually after first boot, but would really love to have this automated. Starting to think that’s not going to be possible though.

    Now just need to test to see if the login script works ok when the certificate is in place.

    in reply to: Leopard PackageMaker Issues #372667
    jdyck
    Participant

    I also have experienced the problems with Leopard’s Packagemaker… It’s fine for smaller installers, but anything big, like Adobe CS3 or MS Office seems to pretty much lock it up. I’ve jumped to IceBerg for those cases, but since I’m going to have to be training more Jr staff to create these packages it would be nice to have just one workflow.

    jdyck
    Participant

    That may be worth a try – I need to double check but I think I specified mine through OD. It works (in the sense that there is a mobile account created that shows up in the Accounts preference pane and is labeled as a Mobile, Managed account). But like previously mentioned, as soon as you take it off the network and re-login you no longer have any MCX settings. So if your Dock, for example, is set through OD, then when you login you get a very basic dock (we’re getting Finder and Trash), and if you are limiting applications, then when off the network the user can run any application. I’m not in the office to try today but will on Thursday when I return.

    jdyck
    Participant

    Not sure about the other folks, but mine certainly are mobile accounts, and since we’re talking about being able to take them off the network I’d assume most of the others are also. In my situation if I drag an AD USER into the OD managed group it works fine, it’s only when I drag an AD GROUP that the problem surfaces. Also, while ON the network it works, just when you take the network (and access to the AD servers) away that you lose all membership settings.

    jdyck
    Participant

    dds, I went into my ticket for the same problem and added a note referencing your ticket. Hopefully we’ll see a resolution soon as this is a deal killer for my environment with 1000s of laptops…

    in reply to: login using ad #372066
    jdyck
    Participant

    I’m seeing very long login times as well, but without a .local AD domain. I’m setting up laptops with Mobile accounts though, so not sure if that makes any difference. My logins are taking upwards of 3 minutes, which is not very good when these machines are going to be going into the hands of (impatient) students. Hopefully a solution comes soon…
