AutoPkgr for Dummies 2: Trust your recipes

So you've set up AutoPkgr. Good job! But now you're like "why do I keep getting these FAIL_RECIPES_WITHOUT_TRUST_INFO errors"? Something I didn't cover in my previous guide is the introduction of verifying and trusting recipes in autopkg 1.x (because that didn't exist at the time). From the introduction to this feature:
AutoPkg encourages the use of recipes created and shared by others. You can leverage the hard work done by other admins without having to re-invent the wheel yourself. You can add "repos" of other people's recipes using the autopkg repo-add command.

But there is an element of risk in using other people's recipes -- a bad actor could create a malicious recipe, or a well-meaning admin could introduce an error into a recipe that causes unexpected issues.

You should audit any third-party recipes you use, especially if you do not know the recipe creator/maintainer. This means becoming familiar enough with AutoPkg recipes to be able to read and understand them.
By default, AutoPkg (and by extension, AutoPkgr) will stop runs for recipes without trust info set. To set trust info, you need to create a recipe override and store that trust info in your override. The override recipes should then be the recipes you run on a schedule with AutoPkgr. Here's a quick overview on how that works.

Fave Friday



Quiet night at home club from Threadless


Getting Warmer cowl by Espace Tricot on Ravelry


Flower Mr. Saturn by SaradaBoru on RedBubble

Gremlins tank from H&M


Love Me More layered tulle skirt and A Fan of Bowknot crop top from Chicwish


Have a great weekend!

Branding Self Service 10

If you live under a rock you may not have heard that Jamf released Jamf Pro 10 this week. It is a giant overhaul of the user interface of the web interface and Self Service, so you can basically chuck all of my old branding the JSS/Self Service stuff in the bin. Phew.

The new dashboard and UI for Jamf Pro 10.
Self Service 10


The dashboard is way more visually appealing now, and the use of space of the tiles on the dashboard flows much better than the version 9 JSS. It's a huge change, as you can probably tell by looking at the above. So is Self Service, and something you may have noticed in the stock imagery above is the icon and name within the application are for a company, not just the default Jamf Self Service icon. This is because Jamf has built in branding the application into the Jamf Pro server. No need to download and hack and upload and deploy manually with every update. Hooray!

In Jamf Pro 10, all you need to do is head to Settings > Computer Management > Self Service, and you'll see a page with Configuration and Branding settings. The very first option is to change the name of the application. If you do this, it will automatically deploy (assuming you have auto-install turned on) the Self Service app with the name of your choice.

Fave Friday


Excuse Me Princess pin by Be Subtle Prins


Matrix Brass Off shampoo and conditioner (does a great job of getting rid of orange brassiness in lightened hair)


Crochet pet bed pattern by Bernat (via Joann Fabrics)



White pearl UFO halo ring by williamwhite on Etsy



This offbeat wedding dress look. I could see myself going for a look like this for my wedding!


Have a great weekend!

See ya next week at the JNUC!

What's up?! Next week is the Jamf Nation User Conference (JNUC) and I'm super happy that I'll be there next week to nerd out over Mac Admin stuff and finally wear some of this stuff I've been knitting/crocheting in chilly Minneapolis.

I'll be taking the Jamf 400/Casper Certified Expert course so I'll be around on Tuesday and Wednesday morning for the keynotes and 11:15 am sessions. I'll also be at some mini-events in the evening, including the MacAdmins Podcast Live recording and After Party, the SplashBuddy Jumpstart, Jamf Nation Party, and the TILT Pinball trip on Thursday.



Come find me in the evenings or Tuesday/Wednesday morning if you want to snag an Austin Apple Admins sticker while they last.

We've got the community notes set up for next week as well, and some lovely vanity links for you to bookmark:

https://jamf.it/JNUC2017-session-notes
https://jamf.it/JNUC2017-community-notes

Edit permissions will be opened up Monday morning (the 23rd) and closed the following Monday (the 30th). Take a gander at the readme for some tips on making the notes section as fun/useful as possible.

I'm looking forward to seeing some new and familiar faces next week in Minneapolis!

Treat yo self to a nice macOS High Sierra icon

Hey y'all, are you looking for a way to get a nice, high-resolution copy of the macOS High Sierra icon for internal documentation, Self Service, or just for funsies? If you have Install macOS High Sierra.app on your Mac you already have one!

Right-click on the installer app and select Show Package Contents:


Expand to Contents > Resources, and you'll see ProductPageIcon.icns, as well as two .tiff files:

Lazy VM building hacks with AutoDMG and KextPolicy

When I wrote my Quick user test machines with VMware Fusion post many moons ago I discussed building VMs with Caper Imaging and VMware Fusion, and having the VMware Tools installer run during imaging. What's great about having the VMware Tools automatically installed when setting up a VM via an imaging workflow is that it's one less step to getting a testing VM in shape for drag-and-drop, copy-pasting, and native window resizing.

A bit of a wrench was thrown in the works here due to Secure Kernel Extension Loading with macOS 10.13, where kexts that load must be approved by the user and whitelisted to be run on the machine. As it turns out, that approval for the VMware Tools kext is stored in /var/db/SystemPolicyConfiguration/ in a file called KextPolicy.


Something you can do when building your VM is to pre-install this KextPolicy file alongside the VMware Tools.pkg installer so that while the VM is being built the pre-approval is already there. This really only works with something like AutoDMG which is agnostic to SIP when building the disk image.