Last modified Jul 12, 2013 7:28 PM

Hello and welcome to my User Tip



See this here for the latest Security Issues





'Do I need to run anti-virus/anti-malware software on a Mac?'


Apple has included anti-malware protection in OS X 10.6.8 and later, so there is no need to install anti-virus software. Third-party anti-virus wasn't very good at catching the rare malware we get anyway, as Apple acts fast and has the benefit of Software Update and background checks.


Third-party anti-virus tends to cause issues when Apple issues OS X updates, so it's not advised to install it.


If you need more, for example to clean Windows files of their malware, I suggest installing the free ClamXav, as you run it only when you need it.




Warning about online banking:


No computer or device is 100% secure, even Macs (especially older versions), but they are a lot more secure than Windows machines, depending upon usage. There is a minor amount of malware targeting Macs, mainly drive-bys and trojans, so you should take some precautions in that regard.



Like with gambling, do not deal with amounts online that you're not willing to risk losing.


Your bank will NOT issue a refund if a loss occurs; what occurs on your machine is outside their responsibility. As far as they know, you transferred all your money to another bank and then withdrew it all, or worse, they can claim you had an accomplice! So you can see why they don't issue refunds: they would be scammed often.


It's rather easy to set up a secure savings account with more substantial funds and use a more accessible online/checking/debit account with fewer funds, with either no or very limited overdraft protection, transferring some from one to the other occasionally (but not via online banking, of course) and only keeping what one is willing to lose in the less secure accounts that are exposed to the world.


Entire bank accounts have been drained by hackers, the money wired overseas and withdrawn before the thieves are caught (if at all) or before anyone even knows it occurred. If the hack occurs on your machine, there is little recourse; the government is swamped and you may get little or nothing back, and you will certainly be without for quite some time even if they do manage to get it stopped in time.


Is that really worth risking for the convenience of online banking?


Take some precautions: separate your funds, increase the security and reduce or eliminate outside electronic access for accounts holding higher amounts, and only gamble online, with ATM and debit cards, checks, etc., with what you're willing to risk losing.


Don't completely buy the banks' online banking game. They just love pushing it because it reduces their costs at the expense of your security. It can be used, but used WISELY. 🙂


See this:





Hardening your Mac and yourself to prevent future attacks



In the military there is a form of security called 'compartmentalized security'. Basically it's about not allowing anything to have access to everything, but rather placing more barriers, 'hoops' and security checks in the way before an attacker reaches its goal, especially something of great value.


This method also reduces the attack surface area when surfing the web, sort of like channeling your enemy so they have no other choice but to attack through one small door or limited opportunity, like only through the browser, instead of the browser + Java, JavaScript, QuickTime, Flash, Silverlight, etc.


It assumes, like it should be, that the web is a hostile zone and you need to have no trust, until you establish that trust before lowering your defenses.


Unfortunately most web browsers and users today go around assuming the web is a warm, safe happy place, and one can click on and do anything.


'la la de da, I have a Mac and nothing can hurt me, because Macs never get viruses' is bad thinking.


Blackhole Exploit sites are just waiting to compromise your machine merely by visiting them or running a browser plug-in on them, or by clicking a link in an email or a post on an untrusted forum.




You keep your security by staying in the loop and keeping watch on things and the activity going on with your machine.



#1 Keep your OS X software up to date by using Apple Menu > Software Update, and also check third-party software for updates.


Apple can't help you if you don't let them.




Attack methods of malware



Browser attacks


These depend upon a flaw in the web browser itself, which may or may not include the assistance of scripts or plug-ins installed in the web browsers.


Keep your web browsers updated by running the built in updater, via the developers site or for Safari via Software Update under the Apple Menu.


Obviously don't surf to websites that are going to attack your browser, even if no exploits have been reported, because many are NOT being reported.


If you're going to engage in this sort of risky behavior visiting hostile sites, use a virtual machine guest OS, the 'guest account' or another General User account, or even another computer that you don't care about wiping and reinstalling the operating system on, and certainly don't install anything with your admin password from these potentially hostile sites.


Have more than one browser on your machine. This way you can switch to another until an update for your primary one arrives, or in case you have problems with Safari.


Your alternate browser choices are Firefox (highly customizable, lots of add-ons), Chrome (more secure, but from an advertising company that tracks you online), Opera and some others.





Script & plug-in based attacks


Web browsers use JavaScript, Java, Flash, Silverlight, QuickTime and many others to do things in your browser. You need to keep the ones you control updated.


If you're not using any of these on a constant basis, then turn them off in your browser's preferences.


It's highly advised to turn off Java (not JavaScript) in all your browsers' preferences (if installed) unless you specifically need it, and then only use it for trusted sites.


Whether to keep Flash (lots of security issues) and Silverlight (kept secret) depends upon your use; read about NoScript below.


JavaScript is used quite often, so you should leave that one on.


This handy online checker will inform you of outdated scripts, especially Flash and Silverlight which are the most commonly used ones that have to be maintained by the user.




Direct links to trusted source downloads:


Bookmark these links in your browser



Flash - no matter what pops up in your browser etc., download and install from here,


Lots of websites have Flash content http://get.adobe.com/flashplayer/


Uninstall Flash: http://helpx.adobe.com/flash-player/kb/uninstall-flash-player-mac-os.html



Silverlight - no matter what pops up in your browser, download and install from here, used for Netflix



Uninstall Silverlight: https://www.microsoft.com/getsilverlight/get-started/install/removing-silverlight-mac.aspx



Flip4Mac - allows playback of copy protected Windows Media files on Macs, optional install



Java, JavaScript and QuickTime


For these, just run Software Update under the Apple menu. Apple will take care of them, provided you're on 10.6 or later, that is.


Java should be disabled/removed on 10.5 and earlier machines if no update is available.




Virus attacks


Viruses are malware that attach themselves to known files and are shared among unaware users. OS X based viruses are rare and so far non-existent in circulation.


A Mac can act like a Typhoid Mary and transfer Windows viruses to other Windows users on shared files, so perhaps it would be good to clean these using the free ClamXav, which you run as you need to.


Malware has the opportunity of getting around before anyone knows about it. The reason Windows machines still get infected despite having anti-malware installed is that the anti-malware is looking for signatures, definitions or behavior of what it's supposed to find. Since there aren't any for new exploits, the malware gets on and disables the anti-virus or, worse, uses it to keep other malware off and trick the user into thinking they have a clean machine.


The user experiences heavy CPU load, assumes it's the anti-virus and doesn't even consider that malware is on their machine. So most anti-virus / anti-malware software is sort of like closing the barn door after the horse has already escaped: it can help stop the spread of malware eventually, but it's not a preventative measure against new threats if they can spread rapidly enough and silently enough. Later in this tip I will explain LittleSnitch, which can help 'watch the backdoors' to alert you of strange outgoing network connections.


Malware writers use the same anti-virus software to 'test' whether their malware gets by it, and they have the ability to spread their malware far and wide before anyone picks up that there is a problem. So you can see why it's important to employ a strong defense in one's behavior and on one's machine to reduce the chance of malware getting on.


The best offense against malware is a secure operating system and secure third-party software; so far the Unix/Linux based operating systems, like the OS X you're using, are more secure.


Windows 7 has done a much better job of catching up compared to previous versions, where malware outbreaks were an almost weekly occurrence. It's still not nearly as good as OS X, although no operating system or browser is 100% perfect. Apple has made some errors in judgement in regards to keeping OS X's security up to Unix's tough standards. I'm helping you to overcome those weaknesses.


The problem with malware on Macs has mainly come not from viruses, but from exploits in third-party browser plug-ins, driveby attacks, social exploits and Trojans.



Trojan attacks


Trojans are programs or files that you think are one thing and turn out to be another, or that do what they say but have sinister portions to them. You need to trust the source of your downloads. Check with many others about the developer, the site you're downloading from, etc., before committing.


Usually it's installing stuff from untrustworthy sources, like links in thread posts where there isn't a trustworthy site admin, P2P networks, or other means like email attachments, files and links, avenues where it's hard to locate the person(s) responsible.


Apple has incorporated a Trojan check for all downloads, but again, like virus checks on Windows, it also suffers from the time delay with new ones.


A good rule of thumb is to wait and watch a site you're thinking of downloading software from. Usually if they are out to screw people over, they won't be up for long or will get bad reviews.


If you get a lot of files via e-mail, you may want to consider installing the free ClamXav to clean the filth; however, most of it is going to be for Windows.



Social exploits, tricking the user attacks, phishing


If you're asked for your password or to do something like install this or that 'codec to watch this movie' or 'update your Flash here', or a Software Update window or an 'OS X has found a virus' window appears while a web browser is open, consider not going ahead. Instead, exit the browser and reboot the computer to clear the memory.


Check the status of your plug-ins using the trusted Mozilla check or the links above, or from a site you know is the developer's site, and run Software Update from the Apple menu. You might find out that you were lied to, and the site you were on was trying to trick you into giving up your password.


Don't believe everything that pops up to notify you of something when surfing. I know Flash and Software Update do this, so don't click on it or give it your password. Force Quit the browser by switching to the Finder and using the Apple menu, reboot the computer and then check Software Update and Flash for updates yourself with the links I've provided above.


Browser scripts have the ability to mimic the look of OS X windows and other programs' windows, like the Flash updater.


Browser and script based exploits have the ability to access the user's files and upload them online. So if one has a plain file containing password reminders or private information, consider using a small third-party program to encrypt files or folders, an encrypted USB key, Keychain Access, etc.


IMO you shouldn't be doing any online banking, or using credit/debit cards, in amounts you're not willing to lose. Almost anyone can be fooled into entering their vital details into a rogue website.



Driveby attacks


Driveby attacks occur simply by visiting a website which then takes advantage of a vulnerability in a browser or plug-in; no tricking of the user is needed. This is how Flashback first attacks, silent and deadly, using your third-party plug-ins. This time it was Java; before that it was Flash. Since Java isn't used much at all online, I suggest you turn it off.


Firefox has the ability to turn off not only Java, but also Flash and Silverlight, in the add-ons menu. A much better arrangement perhaps than Safari, which can't. Again the objective is to reduce the avenues of attack as much as possible.


The Firefox + NoScript method below will reduce your browser/script exploit possibilities as you surf the web as you enable scripts only on sites you trust.



Driveby downloads


A website can initiate a download simply by being visited. Say you're surfing a trusted site and get redirected really fast to another site, or click a trick link you think is something else but is actually a link to a download.


A download occurs (especially on a fast connection with a small file, you sometimes won't see it) and there is a nice neat little package of pain awaiting your click in the Downloads folder. It could be named something you're used to installing, like Flash or Silverlight, and here you go giving it your admin password to install, directly into root, and you're pwned.


To stop this, use a browser that gives you the option of being informed before the download occurs. Firefox does if its preferences are set that way.


Next, keep your Downloads folder clean and don't use it to store things or installers; move the trusted installer packages to a new folder somewhere else. When you go to download something, make sure the Downloads folder is empty first.




Consider running as 'Standard User'


There are four user permission levels on Macs: Root, Admin, Standard and Guest.



Root Level User - dangerous


This is the most dangerous user. It, or anything else running as it, can do anything on the machine; it's disabled for a very good reason. Programmers work in root all the time (and mostly offline) as they prepare code, so for them having to enter an Admin password each time to gain Root is a pain.


Single User mode is Root, and used as a troubleshooting and problem solving means when the computer isn't functioning normally.


Running as root user all the time is suicide for most anyone else.



Admin Level User - very risky


When a Mac user first sets up a machine, that account is called an Admin account. Most single users of the machine keep it this way, either unawares or to facilitate doing things with the machine, installing programs and having Software Update run automatically.


Running all the time as 'Admin' is a bit dangerous, as anything that gets in via the web browser or anything else has a lot of freedom to move around and wait to attack at the opportune time, even alter other programs.


However, to gain root level it must ask for the Admin password, trick the user, or alter another program to use a 'sudo window' (super user do, aka 'root'), which gives it a few minutes to do whatever it wants to your machine. Once in root, it's all over.


If you're in an Admin Level user account and something asks for your Admin password, it means it needs root user powers. So if this occurs while surfing, with a fake pop-up window looking like a Software Update, you can see how easily a user can be tricked (that's how one of the Flashback attacks works).


If malware attacks while you're in Admin User, even without needing your Admin password, the cleanup efforts will likely still require a complete erase of the entire OS X with a 'fresh install' of everything and returning vetted user files from a clean backup.


So essentially, Admin and Root user require the same cleanup efforts if something unawares gets on the machine.



Standard Level User - best security


The next level down is Standard User. This restricts some things one can do (and thus what malware can do) unless one enters the Admin name and password to effect change outside the Standard User account.


Use the Standard User all the time in your daily use of the machine as a form of protection, restricting whatever gets on one's machine unawares to the lesser privileges and permissions of the Standard User account.


One would have to consciously give further permission to the malware, so it reduces the potential for behind-the-scenes malware to gain further access to programs or OS X, and forces the hidden malware to announce itself or try to deceive the user via a social exploit or Trojan to do so.


If one suspects an attack occurred, they can reboot the machine, log into the Admin user and delete the Standard User account, reboot, and recreate it. Restore clean copies of files from backup.


To convert your present Admin level user account to Standard User, simply head to System Preferences, create a new Admin account, (different password obviously) and then log out and into this new Admin User. Head to System Preferences there and change the first Admin account to Standard User, log out and into the Standard User and use that.


When one needs to do things that aren't allowed in Standard User, like trashing or installing a program, a window will appear to ask for your Admin name and password just to make sure it's you making the change. 🙂


Run the Software Update manually once in awhile as it doesn't run automatically in Standard User. One must have at least one Admin User account on the machine, it's also beneficial to have another (admin) account on the machine for data recovery purposes if one can't log into their Standard user account.




Guest Level User - private browsing


This is a temporary user account for those who want to let someone use their machine for a short period. It has no access to anything and nothing is saved when they log out.




Dispelling the misinformation 'it needs your Admin password to infect your machine'


Because code can run in any user account with any permissions level, malware can run there also and still do unseen damage without the telltale 'needs your Admin password' window showing itself.


It can upload your files, place malicious images, log your keystrokes and monitor your behavior. All right from Standard User which has the lowest permissions level on the machine.



If one is running as Standard User, the Admin name and password are needed for most malware to escape and make changes to Applications and System/root.


If one is running as Admin User (the default setup on Macs), then the Admin password is only needed to get root access.



If malware code runs in your lowly Standard User account, it can copy, say, a program that requires an admin password out of Applications (write protected, but not read protected) and paste it into a hidden folder in the Standard User account, then change the program into a trojan and replace the Dock icon link with the trojan.


The next time you click the Disk Utility icon in your Dock, instead of giving your admin password to Disk Utility, you're giving it to the trojan, which then can do anything it wants to.


If you don't believe me, go ahead and try it for yourself. Create a Standard User and then right click on a standalone program (one that is self contained) in the Applications folder and click copy, then paste it into, say, your Movies folder, then replace the Dock icon with the copy and go ahead and click it. It runs.


Users of Firefox know that it auto-updates in the background without requiring an admin password each time it does. How is this possible, right?
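A defensive check for the Dock substitution described above, as an added example that is not part of the original tip: it parses the Dock preferences plist and reports every application tile that points outside the folders a Standard User cannot write to. The trusted-folder list and the sample plist (user `sam`, constructed paths) are assumptions made for illustration.

```python
import plistlib
import posixpath
from urllib.parse import unquote, urlparse

# Folders a Standard User cannot write to; Dock tiles are expected to point here.
# (Assumption for this example; extend it if you keep apps elsewhere on purpose.)
TRUSTED_ROOTS = ("/Applications", "/System")


def dock_app_paths(dock_plist):
    """Yield (label, path) for every application tile in a parsed Dock plist."""
    for tile in dock_plist.get("persistent-apps", []):
        data = tile.get("tile-data", {})
        raw = data.get("file-data", {}).get("_CFURLString", "")
        if not raw:
            continue
        # The target is stored either as a file:// URL or as a plain POSIX path.
        path = unquote(urlparse(raw).path) if raw.startswith("file://") else raw
        yield data.get("file-label", "?"), path


def audit_dock(dock_plist):
    """Return (label, normalized path, in_hidden_folder) for tiles outside TRUSTED_ROOTS."""
    findings = []
    for label, path in dock_app_paths(dock_plist):
        # normpath collapses "..", so "/Applications/../Users/..." is not taken as trusted.
        # It does not follow symlinks; on a live system use os.path.realpath instead.
        norm = posixpath.normpath(path)
        if any(norm == root or norm.startswith(root + "/") for root in TRUSTED_ROOTS):
            continue
        hidden = any(part.startswith(".") for part in norm.split("/") if part)
        findings.append((label, norm, hidden))
    return findings


def _tile(label, target):
    """Build one Dock tile entry for the constructed sample below."""
    return {"tile-data": {"file-label": label, "file-data": {"_CFURLString": target}}}


# Constructed sample standing in for ~/Library/Preferences/com.apple.dock.plist
SAMPLE_DOCK_PLIST = plistlib.dumps({
    "persistent-apps": [
        _tile("Safari", "file:///Applications/Safari.app/"),
        _tile("Disk Utility", "file:///Users/sam/Library/.cache/Disk%20Utility.app/"),
        _tile("Terminal", "/Applications/Utilities/Terminal.app"),
        _tile("Notes", "file:///Applications/../Users/sam/Movies/Notes.app/"),
    ]
})

if __name__ == "__main__":
    for label, path, hidden in audit_dock(plistlib.loads(SAMPLE_DOCK_PLIST)):
        note = " (inside a hidden folder)" if hidden else ""
        print(f"Dock tile '{label}' launches {path}{note}")
```

To audit a real account, load `~/Library/Preferences/com.apple.dock.plist` with `plistlib.load` and pass the result to `audit_dock`; any tile it reports should be compared against the copy in Applications before it is clicked again.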


Since a web browser can log keystrokes and upload user files, so can malware all without needing the Admin password.


If it wanted to escape and make changes outside Standard User and/or into root, it certainly would require the password.



Patches not being applied fast enough


Browser exploits are the prime attack vector, with third-party plug-in vulnerabilities being the main cause. However, any program that contacts the Internet is potentially exploitable, and there is no ironclad law that vulnerabilities will be immediately patched.


It's been widely known that once a vulnerability is discovered, sometimes the operating system maker is not told, or knows but intentionally doesn't do anything about it for some time. The vulnerability is sold and used as a means to gain access to people's machines by governments; it's only when it's widely exploited by malware writers that the problem becomes great and the vulnerability is closed.


I advise using browsers like Firefox that get more timely and rapid updates, and disabling any browser add-ons that are not being actively used.




Getting at your files may be the objective of the malware


Sometimes malware is after your personal information, which, if it is in the account you're accessing the Internet with and an exploit occurs, is theirs for the taking. Law enforcement types have been known to try to trick criminals into visiting rigged websites which then use a browser or other exploit to read/upload personal files. Since the law can do this, it stands to reason so can the bad guys.


FileVault likely won't help much if the malware already has access to your account or even root. Your browser certainly has read/write capability to your account, FileVault or not.


Enabling FileVault is not exactly so private. It's more for when you lose your machine, so the bad guys can't get your data; that's about it. If you need your machine repaired, you have to give Apple etc. the password to fix your machine. Also law enforcement types will demand the password, along with Customs searches, court orders, etc.


FileVault makes it hard to retrieve files or fix software on the machine in an indirect manner, like if OS X isn't booting for some reason. If you engage FileVault, make sure you maintain unencrypted backups someplace with physical security (like a safe) lest you forget the password or another issue arises.


Given that your machine may die at any moment and need repair, you might want to consider having a self-encrypting external drive or USB key (like an IronKey) to store personal data on, kept off the machine at all times, which you can take to any machine or program that can read the files. Hardware based encryption is more secure than software based encryption, which can be changed by malware.


You might want to consider less confining and more tailored alternatives.





Safari hardening



Most browsers allow the continuous running of all third-party scripts, giving malware writers more of a surface area of attack to get into your machine if they find an exploit. So they can use Java, JavaScript, Flash, Silverlight and even QuickTime to gain access to your machine.


Safari is a good browser. It's fast, and it's designed like most other browsers to be easy for users, as it must cater to all user experience levels.


Safari does have the ability to disable web plug-ins, but it's an all or nothing approach and you have to head to Safari > Preferences to do it.


Your Safari > Preferences > Security should appear as such (ignore the Google Safe Browsing Service warning)




Safari improvements


Apple has updated Safari to disable Java if it hasn't been used recently (if you have it installed). Also it won't allow older versions of Flash to run, displaying an update window if a newer version exists. These changes are welcome and should reduce some of the attacks via these vectors; however, they still leave an exploit window of opportunity.



Safari 6 currently for 10.7 and 10.8 users only!


10.6 or prior users, use Firefox or Chrome instead as it gets updated more often.






Consider using Firefox web browser + NoScript


I'm recommending a method that doesn't run the plug-ins and scripts all the time on every web site you visit, especially JavaScript which is heavily used online (and used for those deceptive popup windows), until you first decide if you trust the website you're visiting. Then you can enable that trust for that website, either temporarily (ideal) or permanently.


Firefox has the NoScript Add-on that's only available on that browser and I haven't found anything even close to it on any other browser. Install from here first.



Use Firefox's Customize Toolbar option to drag the 'Temporarily Allow All' NoScript button to the toolbar. That's all you need to do to get started; no need to mess with the finer controls.



NoScript is hands down the best 'web cop' on the Internet and will protect one against web side based trickery and attacks. Instead of all the web browser scripts and plug-ins running all the time, and taking your chances as you visit various web sites, they are turned off by default and only enabled as you need it. Once you trust the site and it requires it, then click the Temp button and the page reloads with the scripts on.


You'll be mildly surprised how little you'll use it, many sites run fine without any scripts running.


If you visit a site often and trust it completely, you can whitelist it in NoScript too. Also have NoScript allow scripts for all your Bookmarks. So you can control your security better as you surf.


If you're surfing and get a 'redirect' to a hostile site, which can occur in a matter of milliseconds, your scripts are turned off by default, reducing the attack possibilities to only the browser, instead of any of the scripts or plug-ins running in the browser, which can be many for some.


If one had the NoScript method enabled and came across a MacDefender or Flashback malware attack, they likely went by unscathed and unaware an attempt was even made, because JavaScript was used to display a fake OS X Software Update or Flash update window trying to gain further access to your machine.


I recommend you clean out your NoScript 'whitelist' once in a while and start over with a new one.


Also enable 'Show downloads window' in Firefox preferences to alert you to unauthorized or accidental downloads, as it gives a window and a button to proceed or cancel before starting, rather than automatically downloading any link a user clicks like some other browsers do.


Consider installing the WOT (Web of Trust) add-on for Firefox, which flags each link for trustworthiness based on the opinions of other users around the web. This way, before you click a link it will tell you the status of that site via public opinion.


I also advise using Ad Block Plus and only enabling it on sites you trust, because advertising is fetched from sites other than the one you're viewing, so it provides a nice attack angle for malware to get on many sites. Usually quality sites will retain quality advertisers, and poor quality sites with low character will care less about whether their advertisements are infecting users' computers.




Consider installing LittleSnitch (advanced)


LittleSnitch is a payware outbound firewall checker that loads at boot time in root (kernel extension file: kext) and watches for outgoing network traffic. It's useful because it pops up a quick window alerting you to the outbound network traffic. If a program that hasn't already been cleared by you attempts to contact the network or Internet, or uses a different port than you initially allowed, LS will stop that from occurring until you give it the all-clear and set the access.


Most web traffic occurs on port 80, however sometimes you load a video or a game into the browser and it can open another port, LS will flag this to make sure it's ok before allowing it out, as it could be malware.


If the malware uses the browser and port 80, then there obviously isn't much LS can do, as it can't determine if the outbound traffic is malicious or not. But it adds another level of defense, as it leaves browser based malware with only a few options: hiding itself on port 80, hacking/using another process or program that has access to another port, or gaining root access to disable LittleSnitch itself. To gain root access, it would have to trick the user into giving up their Admin password.


Modern computers have a whopping 65,535 ports, which gives lots of places to hide and communicate to the world without your knowledge. A remote port scan of all 65,535 ports to see if any are responding would take a very long time and would have to be run frequently.


Only a small fraction of these 65,535 ports are used for legitimate purposes, which LS is configured by default to match OS X and allow out (or your computer would act unstable), so LS watches everything else for any unusual behavior.


BTW, Flashback malware deleted itself if it saw LittleSnitch. I'm not saying all malware will do this, but it didn't want LS to alert the user to its presence on the machine, or those curious enough to inform others of the unusual behavior.


The threat of the OS X Crisis trojan can be reduced if you're running as Standard User and using LittleSnitch (installs in root) to detect the background calls to the command server.
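A point-in-time version of the "watch the outgoing ports" idea, as an added example that is not LittleSnitch's own logic and not part of the original tip: it reads the text printed by `lsof -nP -iTCP` and lists established connections to remote ports outside an expected set. The expected-port list and the sample output (process names, documentation-range addresses) are constructed assumptions.

```python
import ipaddress

# Remote ports treated as normal for everyday use (assumption; tune to the machine).
EXPECTED_REMOTE_PORTS = {53, 80, 443, 587, 993}

# Constructed sample of `lsof -nP -iTCP` output.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
sshd       61 root    4u  IPv4 0x8f1c2a3b4c5d6e00      0t0  TCP *:22 (LISTEN)
sshd      702 root    5u  IPv4 0x8f1c2a3b4c5d6e01      0t0  TCP 192.168.1.20:22->192.168.1.5:51234 (ESTABLISHED)
firefox   412  sam   45u  IPv4 0x8f1c2a3b4c5d6e02      0t0  TCP 192.168.1.20:49201->203.0.113.10:80 (ESTABLISHED)
Mail      530  sam   21u  IPv4 0x8f1c2a3b4c5d6e03      0t0  TCP 192.168.1.20:49210->198.51.100.25:993 (ESTABLISHED)
helperd   388  sam   30u  IPv4 0x8f1c2a3b4c5d6e04      0t0  TCP 127.0.0.1:49220->127.0.0.1:17600 (ESTABLISHED)
.update   977  sam    6u  IPv4 0x8f1c2a3b4c5d6e05      0t0  TCP 192.168.1.20:49230->203.0.113.66:8443 (ESTABLISHED)
firefox   412  sam   52u  IPv6 0x8f1c2a3b4c5d6e06      0t0  TCP [2001:db8::20]:49240->[2001:db8::5]:6667 (ESTABLISHED)
firefox   412  sam   53u  IPv6 0x8f1c2a3b4c5d6e07      0t0  TCP [2001:db8::20]:49241->[2001:db8::5]:6667 (ESTABLISHED)
"""


def split_endpoint(endpoint):
    """Split 'host:port' or '[v6host]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # not a numeric address (lsof run without -n)
        return False


def tcp_names(lsof_text):
    """Yield (command, pid, NAME column) for every TCP row of lsof output."""
    for line in lsof_text.splitlines():
        fields = line.split(None, 8)  # NAME contains a space, so cap the split
        if len(fields) == 9 and fields[7] == "TCP":
            yield fields[0], int(fields[1]), fields[8]


def unexpected_outbound(lsof_text, expected_ports=EXPECTED_REMOTE_PORTS):
    """Return (command, pid, remote host, remote port) for outbound connections
    whose remote port is not in expected_ports."""
    # Ports this machine listens on: connections to them are inbound, not outbound.
    listening = {split_endpoint(name.split()[0])[1]
                 for _, _, name in tcp_names(lsof_text) if name.endswith("(LISTEN)")}
    findings = []
    for command, pid, name in tcp_names(lsof_text):
        if "->" not in name or not name.endswith("(ESTABLISHED)"):
            continue
        local, remote = name.split()[0].split("->", 1)
        if split_endpoint(local)[1] in listening:
            continue
        host, port = split_endpoint(remote)
        if is_loopback(host) or port in expected_ports:
            continue
        finding = (command, pid, host, port)
        if finding not in findings:  # one row per process/destination
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for command, pid, host, port in unexpected_outbound(SAMPLE_LSOF):
        print(f"{command} (pid {pid}) is connected to {host} port {port}")
```

As the tip says of port 80, anything that talks over an expected port passes this check unnoticed, and a snapshot only sees connections open at the moment `lsof` ran.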



Deep Freeze (advanced, restrictive)


Is payware software that does just that, it 'deep freezes' your boot drive so when you reboot it returns everything to like it was before the freeze occurred. There can be 'thawed zones' for users files, so those are allowed to change, but everything else can be frozen, thus no change to the boot drive is permanent. Apple uses this software in their stores where all the people fiddling around and then at night a shutdown and a morning reboot puts things right back where they want it.


One can use this type of software as part of a defense, to protect kids computers etc., however like anything, once the malware has the admin password it can gain root and do whatever it likes. Also since malware can run on the machine in the meanwhile or in a 'thawed zone', despite not getting root, can certainly do a lot of damage in the meanwhile, grabbing or encrypting files (ransomware), gleaming other data etc., while it has control. Anyway it's something to consider, perhaps a whole machine frozen and user files stored on a external drive instead would work good with this type of software.


I advise this sort of defense tactic for Mac's with operating system versions Apple no longer supports (10.6 and earlier) and common area uses where a lot of people access the machines and thus make it difficult to track down who is responsible for the machines unauthorized changes.



Note: If you're locking down the machine, and especially with 10.6.8 and earlier not getting Safari security updates, you might also want to consider using Firefox + the PublicFox add-on, which will lock down the browser from downloads, changes etc.



Backup and prepare for the worst (everyone)


Everything can be replaced except your unique user files. Keep at least two copies of these on separate hardware in easily accessible formats (in addition to TimeMachine and bootable clones) so you can take your files to any machine, Mac or PC, and go on with your life.


My view in regards to malware, since it can take a long time to discover, is to have archived bootable clone(s) and DVDs/CDs of your files, dated so you can go back to before the malware started making the rounds. Your computer, operating system and programs can all be replaced, but not your personal files, so take the time to burn files to DVDs as an archive; you may need to use them someday.


Something learned from the Conficker malware on Windows: the thing 'hopped' to any rewritable media (USB flash drives, hard drives, you name it), which made eradication most difficult. Only DVD archives of files, programs and operating system burned before the infection started were considered safe. CD-R and DVD-R discs (Blu-ray too) have the asset that once they are burned, they can't be changed later on by malware.


TimeMachine used as intended isn't going to protect one against a malware attack, as it's connected too often. Having a couple of archived clones of one's boot drive pre-dating the attack will, provided that before the restore occurs the entire malware-infected target drive (OS X, Recovery, partition map, EFI etc.) is zero erased from a non-writeable boot DVD first, or all rewritable media is simply replaced with new ones, which in some Macs can't be done by the user lest they violate their AppleCare/warranty.


Given that DVDs and CDs are sort of on their way out, that with 10.7+ there are no boot disks, and that some Macs have no optical drives, one must plan ahead for malware of the Conficker magnitude affecting OS X and all rewritable media, with an eradication method that can ensure a complete erasure or replacement of a target machine's storage drive, firmware etc.




Secure your WiFi and privacy


Some advice I have to share here





If this User Tip has benefited you, take a second to rate it down below.


Thank You 🙂

Note: This post may be a little out of date as it was originally written in 2015. But I’m posting it here as the fundamentals have not really changed much.

Credits: Thanks to Gary Larizza for his post on AFP548.com, from which most of this document's content was sourced ( https://www.afp548.com/2010/06/03/the-commandments-of-packaging-in-os-x )

When managing Mac OS X devices, you will inevitably have to deploy files or applications to many devices. There are many ways to achieve this; however, the most effective and best-practice method is to use Packages.
While packaging is quite simple, it can very quickly become quite complex. This document provides some guidelines to help you avoid simple mistakes and prevent confusion when creating packages.

There are many tools out there for creating Packages, and Apple offers its own built-in command line tools such as pkgbuild. This guide will not go into detail about how to use any of these tools; which tools to use is up to the system admin's personal preference.
However, version control is very important, as is the ability to quickly and accurately create and recreate packages. The ability for packages to be peer reviewed and for package versions to be easily diff'd is also important, and the admin's choice of tools should take this into account. It is also highly recommended that a version control system such as git is used in combination with package creation.
Below is a list of tools that are recommended for creating packages:

Packages by Whitebox

A great GUI-driven tool for creating flat and distribution packages that is easy to learn. It is still quite powerful and allows a great deal of control over how your packages are created. A build file is created which saves information on how the package should be created, such as the payload, pre/post flight scripts, additional resources etc.

Cost: $0 – FREE

The Luggage

A completely text driven package building system perfect for use with version control systems such as Git. Files can easily be reviewed to see what will be in the package without any extra work.

The big benefit of using The Luggage is that, because the packages are created with make files, these make files can easily be diff'd to see changes, and it is easy to talk other users through the creation process. No GUI panes to navigate.

Cost: $0 – FREE

Munki PKG

Munki PKG is a simple tool very similar to The Luggage which builds packages in a consistent, repeatable manner from source files and scripts in a project directory.

Files, scripts and metadata are stored in a way that is easy to track and manage using a version control system like git.

Cost: $0 – FREE

Installation method

Your installer should not require any input from the end user.

DO NOT:

  • Assume that your package will be installed interactively via the GUI or to the currently booted volume. More often than not, packages will be deployed to machines via management systems such as Munki or Casper. Because of this, you should ensure that your package can be installed on machines that are unattended (at the login window without a console user logged in).

DO:

  • Ensure that your package can be installed via the command line and by any management framework with and without a user logged in.

Installation target

DO NOT:

  • Assume that your package will be installed to the currently booted volume. Your package might not necessarily be installed to the currently booted volume, so ensure that any scripts in your package use the correct variables passed to it from the installer application. For example, reference the target volume in your scripts by using the variable $3 (in bash) rather than using absolute file references.
  • Use tools such as sw_vers in order to get the Operating System version. These tools will only report the OS of the currently booted volume.

DO:

  • Check the SystemVersion.plist on the target volume ($3)
  • Check if the boot volume (/) is the same as the target volume ($3) if any of your scripts require it.

Unnecessary actions.

DO NOT:

  • Perform ‘helpful’ things like using osascript to open a Finder window showing your newly installed application. Similarly, do not do things like opening a browser window to the installed software’s homepage. The problem with these things is that if you are installing the software in an unattended mode where the computer is at the LoginWindow, they will simply cause errors in your installation process.
  • Require unnecessary reboots if you can accomplish the same thing by loading/unloading LaunchDaemons/LaunchAgents. If you go down this path, remember that it is even more important to check if you are installing to the boot volume or not.
  • Automatically add files to the Dock, Desktop or anywhere outside of /Applications or other required directories. If you wish to add Dock items, use another package/script/profile/tool to achieve that.
  • Ask for admin/elevated privileges if they are not needed for installation, i.e. installing into /Users/Shared
  • Create separate installers for different architectures/OS versions. If you have separate payloads for separate architectures/OS versions, perform your architecture/OS check on the target volume, not the currently booted operating system (see rule 2).

DO:

  • Use a distribution meta-package to provide a single package that will correctly determine OS/Architecture of the destination volume and install the appropriate payload.

Licensing

Licensing should be managed by Systems Administrators. Wherever possible licensing files should be packaged separately to the application being deployed. This allows for a single application package to be deployed to multiple sites with different licensing files applied later depending upon the licence that is appropriate for that site.

Licensing information might be supplied via a global plist/config profile/KMS or other.

This also prevents unauthorised installation of software should your application package be obtained by an unauthorised third party.

DO NOT:

  • Place licensing and registration files in the user’s home directory. Wherever possible, use a global location such as /Library
  • Build licensing/registration mechanisms into the installer GUI.

DO:

  • Allow a scriptable licensing interface to your software

Pre/Post install scripts

Use pre and post install scripts only when necessary, and follow all other rules with your scripts.

For example, it would be silly to use a package to install some files on disk and then use a post install script to set the permissions of those files. Instead, set the permissions of the files correctly in the payload.

This also allows the package contents to be reviewed via lsbom.

DO NOT:

  • Use postinstall scripts to create or modify files – do this in the package payload.
  • If you must use post-install scripts, do not use osascript to move and copy files. Use CLI tools such as cp and mv in bash.
  • Use any kind of GUI scripting, see Rule 1.
  • Use sudo in your scripts; your script is already running as root.

DO:

  • Exit your script with 0 on success, or non-zero on failure.
  • Trap error codes in your scripts
  • Use globbing in your scripts, because no one likes repetition and computers are built to do the work for us so let them.
  • Ensure your scripts handle paths with spaces in them.
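The target-volume and script rules above, combined into one postinstall script. This is an added example, not code from the original post; the `com.example.*` daemon label prefix and the 10.8 minimum are assumptions, and the `sed` fallback is only there for systems without PlistBuddy.

```shell
#!/bin/sh
# Added example (not from the original post). The installer calls a postinstall
# script with: $1 package path, $2 install location, $3 target volume.

# Print ProductVersion from the TARGET volume, never from sw_vers (booted OS only).
target_os_version() (
    plist="${1%/}/System/Library/CoreServices/SystemVersion.plist"
    [ -r "$plist" ] || exit 1
    if [ -x /usr/libexec/PlistBuddy ]; then
        /usr/libexec/PlistBuddy -c 'Print :ProductVersion' "$plist"
    else
        # Fallback for XML plists with key and value on consecutive lines.
        sed -n '/<key>ProductVersion<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$plist"
    fi
)

# Component-wise numeric compare of dotted versions: 10.15 >= 10.8 and 1.15 >= 1.2.
# Assumes purely numeric components.
version_at_least() (
    have=$1 want=$2
    while [ -n "$have" ] || [ -n "$want" ]; do
        h=${have%%.*} w=${want%%.*}
        case $have in *.*) have=${have#*.} ;; *) have= ;; esac
        case $want in *.*) want=${want#*.} ;; *) want= ;; esac
        [ "${h:-0}" -gt "${w:-0}" ] && exit 0
        [ "${h:-0}" -lt "${w:-0}" ] && exit 1
    done
    exit 0
)

postinstall_main() (
    target=$3
    os=$(target_os_version "$target") || { echo "cannot read target OS version" >&2; exit 1; }
    version_at_least "$os" 10.8 || { echo "target has $os, need 10.8 or later" >&2; exit 1; }
    # Quoted glob: survives "/Volumes/Macintosh HD" and covers every matching plist.
    # com.example.* is a hypothetical daemon label prefix.
    for plist in "${target%/}"/Library/LaunchDaemons/com.example.*.plist; do
        [ -e "$plist" ] || continue
        # Load daemons only when the target is the booted system; no reboot needed.
        if [ "$target" = "/" ]; then
            launchctl load "$plist" || exit 1
        fi
    done
    exit 0
)

# Run only when invoked by the installer with its three standard arguments.
if [ "$#" -ge 3 ]; then postinstall_main "$@"; exit $?; fi
```

Every failure path exits non-zero, so the installer or management framework sees the install as failed instead of silently continuing.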

Naming Conventions and Version Numbers

Naming conventions are necessary and helpful. For example VPN.pkg is NOT helpful.

Give your packages meaningful names and version numbers. Provide the vendor and product name, along with important version numbers and vendor identification codes.

DO:

  • List your vendor and product name in your package name
  • Give packages meaningful names with version numbers. Remember 1.15 is greater than 1.2 in most situations.

Supporting Operating System Versions

If you are going to support running your application or payload on operating systems back to, say, version 10.8, then it should go without saying that you need to TEST your package on every version from 10.8 to the most current.

DO NOT:

  • Change the ownership and permissions of core Operating System folders and files

DO:

  • Keep your config data and cache data separate
  • Follow the directory structure mandated by the target platforms software deployment guidelines
  • Provide an uninstaller or uninstall script
  • Use the documented OS X .pkg format and not just a .pkg wrapper for a 3rd party solution that installs the software for you – obvious exception for Adobe software.

Be Descriptive

Even if you are not planning on having your package installed via the GUI you should still make it GUI-friendly.

DO:

  • Provide a welcome message, read-me, and a description of what's happening and what's being installed.
  • Comment your pre/post install scripts thoroughly.

Snapshotting and Re-Packaging

Try to avoid using Snapshot methods to create packages – a common tool used to create snapshot packages is JAMF’s composer.

Snapshotting is generally considered bad juju and the result of a lazy (not in a good way) sysadmin.

Packages created from snapshots lack the nuances and intent of the original package. They can often miss critical files or modifications to the file system.

If you are unable to use a vendor package, consider the following:

DO:

  • Attempt to unpack and reverse engineer the package. Use tools such as Pacifist (https://www.charlessoft.com/) and pkgutil --expand to determine what the package is attempting to achieve.
  • Try to modify the existing vendor package, for example by providing a custom Choices.XML to select certain packages in a meta/distribution package for installation.

Product Signing

Gatekeeper was introduced in 10.8 as a way to alert users to unsigned packages. For this reason, it is best practice to sign your installer packages with a Developer ID certificate that lets your users know your packages can be trusted. It also allows packages to be installed in the GUI when Gatekeeper is configured to allow apps downloaded from the App Store and identified developers.

Unsigned packages are not an issue when not using the GUI installer, however.

DO:

  • Use productsign to sign your packages with an Apple Developer ID certificate