Treat yo self to a nice macOS High Sierra icon

Hey y'all, are you looking for a way to get a nice, high-resolution copy of the macOS High Sierra icon for internal documentation, Self Service, or just for funsies? If you have Install macOS High Sierra on your Mac you already have one!

Right-click on the installer app and select Show Package Contents:

Expand to Contents > Resources, and you'll see ProductPageIcon.icns, as well as two .tiff files:

Lazy VM building hacks with AutoDMG and KextPolicy

When I wrote my Quick user test machines with VMware Fusion post many moons ago, I discussed building VMs with Casper Imaging and VMware Fusion, and having the VMware Tools installer run during imaging. What's great about having the VMware Tools automatically installed when setting up a VM via an imaging workflow is that it's one less step to getting a testing VM in shape for drag-and-drop, copy-pasting, and native window resizing.

A bit of a wrench was thrown in the works here due to Secure Kernel Extension Loading with macOS 10.13, where kexts that load must be approved by the user and whitelisted to be run on the machine. As it turns out, that approval for the VMware Tools kext is stored in /var/db/SystemPolicyConfiguration/ in a file called KextPolicy.

Something you can do when building your VM is to pre-install this KextPolicy file alongside the VMware Tools.pkg installer so that while the VM is being built the pre-approval is already there. This really only works with something like AutoDMG which is agnostic to SIP when building the disk image.

Fave Friday

3D printed diamond hanging planter by GreenDesk

DIY knit cat ear hat by Gina Michele

Mr. and Mrs. Frankenstein mugs

Pink felt letter board from

Happy/Sad Mac stud earrings by pixelparty

Have a fantastic weekend!

Three Big Things

So it's been a pretty crazy few days in Apple Admin land. There are three things in particular that have stood out to me, so I thought rounding them up here might be helpful (especially for folks that don't live and breathe social media like I do).

First up: Apple's big announcement regarding Secure Kernel Extension Loading (SKEL) on High Sierra

If you've done any testing with macOS 10.13 "High Sierra" you've probably run into something like the above. If an application or service requires a kernel extension (kext) to load on installation or launch, the OS asks the device user to approve the kext for future loading. As it turns out, lots of apps use kexts. And lots of enterprises deploy and manage devices that use lots of kexts. So a lot of us kicked and yelled because while it's important for consumer-level users to acknowledge when kernel extensions are loading, an organization should ideally have some level of control over messages like these on the devices it manages. This helps improve the experience for someone using an organizationally managed device, and avoids the confusion of valid applications appearing to do nefarious things based on that scary warning dialogue. Erik Gomez threw together a nice post on this a few weeks ago.

This week Apple dropped a new support article called "Prepare for changes to kernel extensions in macOS High Sierra." In it was a lovely nugget of information that made Apple Admins across the globe very happy:
In macOS High Sierra, enrolling in Mobile Device Management (MDM) automatically disables SKEL. The behavior for loading kernel extensions will be the same as macOS Sierra.
If your organization utilizes MDM, the presence of MDM will disable SKEL. And in future releases, functionality will be provided to allow organizations using MDM to manage Macs to whitelist kernel extensions so SKEL can be utilized for added protection of the OS.

This is good.

Item Two: Jamf Pro version 10 beta program is now live

Jamf announced this week that their beta program for version 10 is now available. Jamf Pro 10 features a huge UI overhaul and new patch management functionality, as well as other things that are likely covered under the beta program's NDA. If you work at an organization that uses Jamf to manage Apple devices it's a no-brainer to join the beta program and start testing the new version. Log into your Jamf Nation account and go to My Assets, and within that page you'll find a link to enroll in the beta program. Join me in the beta discussion forums to talk about the new features and provide feedback to Jamf prior to launch.

Third Big Thing: VMware announces VMware Fusion 10 with High Sierra and touch bar support

After a few weeks of availability of the VMware Fusion Technical Preview, VMware has announced VMware Fusion version 10 this fall. If you've been evaluating the technical preview you'll notice the same updated UI with tab support and touch bar integration. This is the version that will officially support macOS 10.13 "High Sierra" as well. And don't worry, if you use MDM you won't get alerts about VMware Fusion's kernel extensions on launch. Yay! Worth noting here is support for Apple’s Metal Graphics acceleration, which should improve performance, rendering, and battery life.

Why is this a big deal for Apple Admins? Because VMware Fusion is basically essential for testing packages, policies, changes in configuration profiles and settings, DEP, imaging configurations… basically everything ever. It's worth investing in the Pro version for Linked and Full Clones, which make it quick to spin up machines to test DEP (with a little help from AutoDMG and vfuse) or to image a pre-configured VM so you have a user environment for testing without relying on a physical machine or clunky snapshots. (They might not be as clunky in VMware Fusion 10, who knows.)

So there you have it! Go test and have fun and sleep better at night knowing managing kernel extensions will be less painful in High Sierra (or Hi-C as a co-worker calls it).

Hands on with the Netgear Orbi

Ecobee (left) and the Netgear Orbi Router (right).

Hey y'all, you may not know this but we bought a house! And naturally leading up to buying the house I set aside a tech budget with the priorities being a smart thermostat and a good wifi system. I started by basically just asking around to see what people recommended, and the Ecobee was a clear winner in the smart thermostat category (more on that later). The wifi system, however, was a bit more contentious.

For some context, over the last 5+ years I've relied on an Airport Express to provide our wifi. It was fine for the most part. I mean I know I sacrificed some speed but I lived in small apartments and loved AirPlay. Fast forward to today, where I work in IT professionally and occasionally work from home. I need a decent connection for uploading and downloading software packages, video conference, and all that other junk.

But now I live in a two-story, 2800 sq. ft. house. It's awesome. But that poor AirPort Express didn't stand a chance. When the SuddenLink installation person showed up we were still moving in and our lunch had just been delivered. He asked me where to set up the connection and I pointed to the first connection I saw, which was downstairs on the eastern wall in the Living Room.

House floorplan with main wifi router (Airport Express) on first floor in the living room.

The first time I sat down in my office upstairs and tried to use my computer the connection dropped about every minute. It just didn't have enough power to get upstairs to my office on the western side of the house. Then I remembered I still had my old Airport Express (first gen) and could use it as an extender for the main one downstairs. So I gave it a shot.

Setting your arbitrary computer naming convention during DEP enrollment

Or rather, how I set our arbitrary computer naming convention on a machine during DEP enrollment. At my shop, we use the format $username-mac to name our Macs. I'm not sure why, or why it really matters, but for some reason some organizations get really weird and particular about computer names. Most of it comes down to not utilizing reporting tools well to do computer record/detail lookups imho. Anyway.

Here's what it does:

  • Detects location of jamf binary on the machine
  • Detects the username of the logged-in user (so this works best if you have the user create their account during DEP enrollment/setup assistant)
  • Formats the computer name in the way we want it
  • Uses scutil to set computer name/hostname/local hostname
  • Sets the NetBIOS name to match
  • Is probably too thorough and then uses jamf's setComputerName to set the name as well
  • Throws in some echos for good measure

I use it in one of the enrollmentComplete policies, scoped to our DEP PreStage Enrollment machines, before a recon.

I'd be happy using, like, any computer name but, well, I do what I'm told. Hopefully the above helps some of you out too.

Pleeeeeeease test before deploying!
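The steps listed above, written out as an added example (this is not the author's original script): it assumes the jamf binary sits in one of its usual install paths, and the helper names `format_name` and `netbios_name` are hypothetical. It also handles two edge cases the list does not mention: a console "user" that is really a system account during Setup Assistant, and the 15-character NetBIOS limit.

```bash
#!/bin/bash
# Added example: name a Mac "<username>-mac" during enrollment.

# Detect the jamf binary (assumed locations: current and legacy install paths).
find_jamf() {
    local p
    for p in /usr/local/bin/jamf /usr/local/jamf/bin/jamf /usr/sbin/jamf; do
        [ -x "$p" ] && { echo "$p"; return 0; }
    done
    return 1
}

# Build "<user>-mac": lowercase, map anything outside [a-z0-9] to a single "-"
# so the result is a valid LocalHostName, and refuse system accounts that can
# own the console while Setup Assistant is still running.
format_name() {
    local user clean
    user=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$user" in ""|root|loginwindow|_mbsetupuser) return 1 ;; esac
    clean=$(printf '%s' "$user" | tr -cs 'a-z0-9' '-' | sed -e 's/^-//' -e 's/-$//')
    [ -n "$clean" ] || return 1
    echo "${clean}-mac"
}

# NetBIOS names are limited to 15 characters; uppercase by convention.
netbios_name() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | cut -c1-15
}

main() {
    local jamf user name
    jamf=$(find_jamf) || { echo "jamf binary not found" >&2; return 1; }
    user=$(stat -f%Su /dev/console)   # owner of the console = logged-in user
    name=$(format_name "$user") || { echo "no usable console user: '$user'" >&2; return 1; }
    echo "Setting computer name to $name"
    scutil --set ComputerName "$name"
    scutil --set HostName "$name"
    scutil --set LocalHostName "$name"
    defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server \
        NetBIOSName -string "$(netbios_name "$name")"
    "$jamf" setComputerName -name "$name"
    echo "Computer name set; run a recon afterwards to update inventory"
}

# Change the system only when called with --apply (as root, on the Mac itself).
if [ "${1:-}" = "--apply" ]; then main; fi
```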