As most DIY computer geeks i have a server at home, more specifically a DIY Nas. It is basically an old p4 mini atx motherboard i had laying around with a raid controller card and a couple of hdd’s. The Nas runs an embedded FreeBSD distribution called Nas4Free,

Since the distro is an embedded install this means that any changes you make to it are gone when the server is restarted. So how can you extend its functionality and for example add a subsonic server to it.

The answer lies in Freebsd jails.Jails, sometimes referred to as an enhanced replacement of chroot environments, are a very powerful tool for system administrators, but their basic usage can also be useful for advanced users.

Jails improve on the concept of the traditional chroot environment, in several ways. In a traditional chroot environment, processes are only limited in the part of the file system they can access. The rest of the system resources (like the set of system users, the running processes, or the networking subsystem) are shared by the chrooted processes and the processes of the host system. Jails expand this model by virtualizing not only access to the file system, but also the set of users, the networking subsystem of the FreeBSD kernel and a few other things.

A jail is characterized by the following characteristics:

• A directory subtree — the starting point from which a jail is entered. Once inside the jail, a process is not permitted to escape outside of this subtree.
• A hostname — the hostname which will be used within the jailm usualy a descriptive one for the service that is running inside the jail.
• An IP address — The IP address of a jail is usually an alias address for an existing network interface, but it is not an requirement.
• A command — the path name of an executable to run inside the jail.

All of this means that this is the correct way to go when adding functions to an Nas4Free embedded install. So after some extensive googling and reading about FreeBSD jails i was confident enough to try setting up an jail.

Configuring Nas4Free

1. Go to this page: http://wiki.nas4free.org/doku.php?id=documentation:setup_and_user_guide:services_ssh
2. Check so that ssh is enabled and check the port number and also check that the option “Permit root login”is enabled.(The root password is the same as the WebGUI password but the login name is always “root”)
3. Go to the Nas4Free webgui and navigate the menu like this: System->Advanced->sysctl.conf
   Add there:
   Name: security.jail.chflags_allowed
   Value: 1
   Comment: can be whatever you want.
4. Now navigate in the webgui like this: Advanced->File Editor
5. In the file path textbox write “/etc/rc.conf”
6. Click load
7. Add to the file jail_enable=”yes”
8. Click the save button next to the textbox where you wrote the path to the file and then restart the nas4free server.

And now the fun starts ssh via putty or some other equivalent to the server and follow the following steps.

Create the folders and mount points

Remember to change all reference to /mnt/data to the mountpoint on your Nas where you are going to store the jail.

• mkdir /jail
• mkdir /mnt/data/jail
• mkdir /mnt/data/jail/{work,plugins,conf}
• mount_nullfs /mnt/data/jail /jail

The mount_nullfs command points /mnt/data/jail to /jail for ease of installation and use.

/jail/work is used for downloads,temporary files.
/jail/plugins the jail itself, this is where we are going to install subsonic.
/jail/conf contains the configuration and run-time files.

Download and extract the FreeBSD base system

The base system has to be downloaded to make sure you get all the necessary binaries, config files and scripts. To download it you can just copy paste the following commands into the ssh shell.

• cd /jail/work
• fetch ftp://ftp.freebsd.org/pub/FreeBSD/releases/`uname -m`/`uname -m`/`uname -r | cut -d- -f1-2`/base.txz
• fetch ftp://ftp.freebsd.org/pub/FreeBSD/releases/`uname -m`/`uname -m`/`uname -r | cut -d- -f1-2`/lib32.txz

The last command for fetching lib32 is not needed if you are running Nas4Free on an 32bit system.

The following two commands extract the base system into the plugins folder inside the jail.

• tar xvf /jail/work/base.txz -C /jail/plugins/
• tar xvf /jail/work/lib32.txz -C /jail/plugins/

Installing the plugins jail binaries

• cd /jail
• mkdir -p conf/root/{etc/rc.d/,usr/bin,usr/sbin}
• cp plugins/etc/rc.d/jail conf/root/etc/rc.d/
• cp plugins/usr/sbin/{jail,jexec,jls} conf/root/usr/sbin/
• cp plugins/usr/bin/mktemp conf/root/usr/bin/

The commands above create the file structure for the runtime files, also copy the nescessery rc script and binaries to conf.

Configuring the jail

• cp /etc/resolv.conf /jail/plugins/etc/
• cp /jail/plugins/usr/share/zoneinfo/Europe/Stockholm /jail/plugins/etc/localtime

The commands above copy the resolv.conf file from the Nas to the jail and also the timezone file. Obviously exchange Europe/Stockholm for your own timezone. Next we will configure the mounts that the jail is going to be able to access

• touch /jail/conf/fstab.plugins
• mkdir /jail/plugins/mnt/DataDisk1
• nano /jail/conf/fstab.plugins

Copy into the fstab file the following lines:

/mnt/data/DataDisk1 /jail/plugins/mnt/DataDisk1 nullfs ro 0 0

Of course exchange DataDisk1 for the mounts that you have on the Nas that you want to be accessible in the jail. The next part of the configuration is to create the rc.conf file.

• touch conf/rc.conf.local
• nano conf/rc.conf.local

Copy into the rc.conf.local the following lines:

jail_enable=”YES” # enable jails YES|NO
jail_list=”proto” # name of the jail to start, it can be basically whatever you want “proto www…”
jail_proto_rootdir=”/jail/plugins” # path to our jail
jail_proto_hostname=”plugins.domain.local” # hostname
jail_proto_ip=”192.168.2.201″ # ip of the jail, replace with a ip in the same subsystem as your NAS
jail_proto_interface=”fxp0″ # Network Interface to use, replace with your NAS interface name
jail_proto_devfs_enable=”YES” # use devfs
jail_proto_mount_enable=”YES” # mount YES|NO
jail_proto_fstab=”/jail/conf/fstab.plugins” # File with Filesystems to mount

And the last step is to create the jail start-up script

• nano /jail/conf/jail_start

Copy into jail_start the following lines:
#!/bin/tcsh -x
#mounting to /jail
mkdir /jail
mount_nullfs /mnt/data/jail /jail
# copy jail binaries to /usr, not needed if N4F is 454 or up
# because Daoyama include needed files, uncomment if you use low .454 version
# cp -r /jail/conf/root/ /
# link config files to /etc
ln -s /jail/conf/rc.conf.local /etc
#start all jails
/etc/rc.d/jail start

For the startup script to be executable we have to make it executable via the following command:

• chmod 755 /jail/conf/jail_start

And to make it run each time the Nas server is started we add it via the webgui under: System|Advanced|Command Scripts.

Command: /mnt/data/jail/conf/jail_start
Type: PostInit

Save and apply, and reboot your server. After a successful reboot you can check your new jail via SSH using the jls command. If everything went as it should you should see something like this:

JID             IP Address                   Hostname                      Path
1                192.168.1.201             plugins.domain.local       /jail/plugins

If the output of the jls command is different, type the following command: rehash and then try the jls command again. If the output is still different then go over the steps and verify that you didn’t miss a step.

P.s. to enter the jail you use the jexec command in the case of the plugins jail you would type in the ssh console ” jexec 1 csh “.

So basically that’s how you set up a FreeBSD jail on a Nas4Free embedded install.

z.B:

# make

>> lsof_4.57D.freebsd.tar.gz doesn’t seem to exist in /usr/ports/distfiles/.

>> Attempting to fetch from ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/.

===> Extracting for lsof-4.57

>> Checksum OK for lsof_4.57D.freebsd.tar.gz.

Using the Ports Collection assumes a working Internet connection. Otherwise, manually obtain and place a copy of the distfile into /usr/ports/distfiles.

If the file is corruped, then the Checksum will be stopped, so I must delete the tar file under /usr/ports/distfiles/, Then back to the ports, do make install again.

Otherwise,

# rm -rf /usr/ports/*

# rm -rf /var/db/portsnap/files/*

#portsnap fetch extract

That will completely clear out the ports tree, remove all the history for portsnap, fetch the latest portsnap tarball, and create a new ports tree.

Since you have filesystem corruption already, the “nuke’n pave” method is the only way to be sure everything is in place.

—-by Phoenix

http://forums.freebsd.org/showthread.php?t=30508

WindowMaker on FreeBSD

This weekend I decided it was time to upgrade the software on the two functional Sun Sparc systems I have. I have FreeBSD on the newer of the two machines, and had been trying various window managers to use. The older Sparc has FVWM (recently upgraded to the latest version) on it so whilst it is really my favourite for reasons of nostalgia, I felt I’d like something different. I had tried XFce, but many features of it were broken on the FreeBSD/Sparc64 platform. So I installed a few other window managers to see what they were like.

I had never installed WindowMaker before but had certainly heard of it. I remember looking through many package lists to see many of the dock apps, and wondering about the window manager itself. WindowMaker has a similar style to the old NeXT workstations operating system called NeXTStep the system that would eventually become mac OSX.

The first thing I noticed when I fired it up was how minimalist it appeared to be. I found the root menu relatively quickly and managed to work out most of how it works within a few hours. I was quite impressed with how fast the interface responded when I clicked on items, although FVWM is a slight bit faster but not by much. There is a very nifty configuration program built-in that controls pretty much everything you could want to change. This makes it very newb friendly, I was able to set up my desktop the way I wanted it very quickly.

It isn’t the most pretty of window managers however, and there is no pager built-in. Workspaces are managed by the clip icon, usually at the top left of the screen. When using it via X on the local network it was quite fast, but over a VPN or SSH connection it became quite sluggish when FVWM maintains reasonable speed. I’ve heard that it can get slow if you have a large number of dock apps running.

Overall I quite like WindowMaker, whilst it isn’t a replacement for FVWM for me, it will be a nifty interface for my newer sparc machine. I like that I can configure most things with the user interface, and the large number of dock apps available for it. It isn’t so useful when I’m connecting into my machine externally however as the speed drops of significantly. It’s available on all the different distributions and the various BSD systems.

The locate command is good for finding files and directories.  Enter something similar to:

locate someprogram | more

If that doesn’t work, perhaps try the whereis or find commands:

whereis someprogram | more

find / -name “someprogram*”

For variations on these commmands, you can type:

man locate

man whereis

man find

http://www.us-webmasters.com/FreeBSD/Tips-Hints-Tricks/How-to-Find-Files-and-Directories-on-FreeBSD/

Generate sha512 hash
echo "password" | openssl dgst -sha512

Find all files in current directory and change permissions
find . -type f -print0 | xargs -0 chmod 644

What is Pfsense ?

pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. pfSense is a popular project with more than 1 million downloads since its inception, and proven in countless installations ranging from small home networks protecting a PC and an Xbox to large corporations, universities and other organizations protecting thousands of network devices.

This project started in 2004 as a fork of the m0n0wall project, but focused towards full PC installations rather than the embedded hardware focus of m0n0wall. pfSense also offers an embedded image for Compact Flash based installations, however it is not our primary focus.

At the time of writing, the Arduino IDE version 1.0.3 is available as a PCBSD “PBI“. This PBI bundles avrdude version 5.11, which does the low-level programming for a wide variety of Arduino devices. As supplied, the Arduino IDE had no problem programming my Nano over the USB-serial interface. However, it refused to program my Uno R3 — I would get the following error each time:

avrdude: stk500_getsync(): not in sync: resp=0x00

Turns out to be a problem with avrdude sending a too-short reset signal to the Uno over the USB-serial connection. Bob Frazier noted the solution (extending part of the reset signal from 50ms to 250ms) in early January 2012. This is  fixed  in avrdude’s main development branch, but hasn’t (yet) been incorporated into the FreeBSD Port for avrdude 5.11.

The trick is to build avrdude from Ports (with patch applied), install the new avrdude executable into its usual (non-PBI) location, delete the PBI’s own version of avrdude and symlink in the newly built Ports version.

First, fetch and unpack the avrdude Port’s source files:

  [gja@gjadesktop] /usr/ports/devel/avrdude# make fetch
  ===>  License GPLv2 accepted by the user
  => avrdude-5.11.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
  => Attempting to fetch http://nongnu.askapache.com/avrdude/avrdude-5.11.tar.gz
  avrdude-5.11.tar.gz                           100% of  536 kB  148 kBps
  [gja@gjadesktop] /usr/ports/devel/avrdude#
  [gja@gjadesktop] /usr/ports/devel/avrdude# make extract
  ===>  License GPLv2 accepted by the user
  ===>  Extracting for avrdude-5.11
  => SHA256 Checksum OK for avrdude-5.11.tar.gz.
  [gja@gjadesktop] /usr/ports/devel/avrdude#

Install the patch in a form that the Port will automagically apply during ‘make build’:

  [gja@gjadesktop] /usr/ports/devel/avrdude# mkdir files
  [gja@gjadesktop] /usr/ports/devel/avrdude# cd files
  [gja@gjadesktop] /usr/ports/devel/avrdude/files# fetch http://www.mrp3.com/patch-arduino.c.20120102.txt
  patch-arduino.c.20120102.txt                  100% of  442  B   64 kBps
  [gja@gjadesktop] /usr/ports/devel/avrdude/files# mv patch-arduino.c.20120102.txt patch-arduino.c
  [gja@gjadesktop] /usr/ports/devel/avrdude/files# cd ../

Build & install the new avrdude:

  [gja@gjadesktop] /usr/ports/devel/avrdude# make build
  ===>  Patching for avrdude-5.11
  ===>  Applying FreeBSD patches for avrdude-5.11
  ===>  Configuring for avrdude-5.11
  checking build system type... amd64-portbld-freebsd9.1
  checking host system type... amd64-portbld-freebsd9.1
  checking target system type... amd64-portbld-freebsd9.1
	  [...various build-related messages...]
  cc -Wall -Wno-pointer-sign -O2 -pipe -I/usr/local/include -fno-strict-aliasing   -L/usr/local/lib -o avrdude avrdude-main.o avrdude-term.o ./libavrdude.a -lusb -lusb -lftdi -lusb  -lm -lreadline -lncurses -ltermcap
  [gja@gjadesktop] /usr/ports/devel/avrdude#
  [gja@gjadesktop] /usr/ports/devel/avrdude# make install
  ===>  Installing for avrdude-5.11
  ===>   Generating temporary packing list
  ===>  Checking if devel/avrdude already installed
  make  install-recursive
  test -z "/usr/local/bin" || ./install-sh -c -d "/usr/local/bin"
    install  -s -o root -g wheel -m 555 avrdude '/usr/local/bin'
  Backing up avrdude.conf in /usr/local/etc
  test -z "/usr/local/etc" || ./install-sh -c -d "/usr/local/etc"
  install  -o root -g wheel -m 444 avrdude.conf '/usr/local/etc'
  test -z "/usr/local/man/man1" || ./install-sh -c -d "/usr/local/man/man1"
  install  -o root -g wheel -m 444 avrdude.1 '/usr/local/man/man1'
  ===>   Compressing manual pages for avrdude-5.11
  ===>   Registering installation for avrdude-5.11
  [gja@gjadesktop] /usr/ports/devel/avrdude#

Replace the PBI’s version of avrdude:

  [gja@gjadesktop]/usr/ports/devel/avrdude# cd /usr/pbi/arduino-amd64/
  [gja@gjadesktop] /usr/pbi/arduino-amd64# mv bin/avrdude bin/avrdude-pbi-orig
  [gja@gjadesktop] /usr/pbi/arduino-amd64# ln -s /usr/local/bin/avrdude bin/avrdude

(This, of course, is a nasty hack that violates the normally self-contained nature of a PBI. Hopefully a future update of the Arduino IDE PBI will include a suitably patched avrdude.)

But in any case, I can now program my Uno R3.

The patch itself is rather small, altering one line of code:

  [gja@gjadesktop] /usr/ports/devel/avrdude# diff work/avrdude-5.11/arduino{.c,.c.orig}
  96c96
  <   usleep(250*1000); // increased from 50msec to 250msec - BBB
  ---
  >   usleep(50*1000);
  [gja@gjadesktop] /usr/ports/devel/avrdude#

Fun times ahead!

The FreeBSD Project has solved this problem by distributing the leadership to a group of 9 Core members, who are democratically elected by the Committers. The 275 Committers of the project can submit code changes to the master repositories, and integrate the changes submitted by around 5500  Contributors, who cannot. Contributors can be promoted to a Committer after a successful career of adding high quality code. It’s this organic structure that has helped the Project be successful and survive for over 30 years. Learn more about the FreeBSD Project’s organization structure here.

The Project’s interaction as a legal entity are handled by the FreeBSD Foundation, which is a 501(c)(3) non-profit organization dedicated to supporting the Project financially and representing it where a legal entity is required. Kirk McKusick is a Director, and helped build the governance structure for the Project. He also holds the copyright on the BSD Daemon, better known as Beastie.

We had a great crowd of over 60 who came to talk with Kirk. There was a big contingent from NYC*Bug, other Unix user groups and message distros. There were a lot of great questions, including asking about the benefits of the BSD License vs the GPL, how the Foundation builds relationships, both public and private, with large companies that run FreeBSD.
We had two surprise attendees in the crowd, Wietse Venema, the author of postfix, and Eric Allman, the author of sendmail. I had a chance to sit down and pick Eric’s brain on a couple of ideas we’ve been talking about at HQ. While getting his master at Berkeley in the 1980′s, Eric worked on Ingress, a fully open source ACID compliant RDBMS with Michael Stonebraker, Jerry Held and others. Ingress is the predecessor to Sybase, Microsoft SQL Server, and Postgres (Post Ingress). We floated the idea of building in Unix permissions to the row level, allowing for more granular data access. Ingress had tried to apply row level permissions, but removed it because of the highly complicated nature of resolving multiple levels of permission granting across users. Since we’re not planning to add any grant permissions for this Eric said our crazy idea was feasible, but wasn’t sure it was advisable. All we heard was feasible.

One of the reasons, I’d never used Apple products before was because I never really deemed it necessary. Nowadays the number of Mac users seem to be growing and there is more demand for people with Mac / OS X knowledge.

As such my quest for knowledge and certification began. For me personally this meant:

• Using Apple online resources
  • http://www.apple.com/support/
  • http://switchtoamac.com/
  • http://training.apple.com/itpro/macinteg/exam
• Reading books (mainly the great book Apple Pro Training Series: OS X Support Essentials. Before purchasing, you might also want to look for coupon codes as it might save you 30% off or more.)
• Watching computer based training (CBT) videos
• Working with OS X (thanks go out to my employer Open Line for providing me with a MacBook Pro, books and most importantly … TIME)
  • Personally I didn’t think it was necessary to take a course at a training center, but some people might prefer this.
• Asking colleagues for help (thanks guys !!!)
• Making sure that I understood everything and if it wasn’t the case, look it up.
• Taking notes / creating this summary blog post that can be used as a reference if needed
• Testing my knowledge using test questions from Revise IT

I’ve taken the exam last friday and passed with 92.5%. Even though I think it was a pretty good score, I still had to make some educated guesses. This made me realize that there’s still a lot to learn and that getting more experience is important as well.

I also want to mention that I took the exam at LAI the training institute for IT professionals in Schiedam (The Netherlands). They were really kind, helpful and service oriented. The waiting area and test room were great and they even provided a pastry and all kind of drinks at no charge. This has been my best test taking experience to date, so keep up the good work guys.

I’m looking forward to attending the OS X Server 10.8 course at LAI the training institute for IT professionals at the end of March. I’ll try to create another blog post about this as well.

But now back to the important stuff, here are my notes/summary. I hope it is useful. If you find any errors or have any suggestions, please leave a comment.

Notes / summary for the “OS X Support Essentials 10.8 Exam”

Installation

• OS X Mountain Lion can only be aquired from the Mac App Store.
• Install preparations:
  • Needs to be supported model
    • iMac (Mid 2007 or newer)
    • MacBook (Late 2008 Aluminum, or Early 2009 or newer)
    • MacBook Pro (Mid/Late 2007 or newer)
    • Xserve (Early 2009)
    • MacBook Air (Late 2008 or newer)
    • Mac mini (Early 2009 or newer)
    • Mac Pro (Early 2008 or newer)
  • Requires 2GB RAM, 8GB of available HDD space. Also firmware needs to be up-to-date. More info on the website.
  • Upgrade from OS X v10.6.8 or later.
  • Don’t install an older version of OS X than the version that came with your Mac. Newer hardware might not be supported, possible issues are described here.
  • Before upgrading:
    • Check if applications are compatible.
    • Backup data.
    • Ensure firmware is up-to-date (System Information, Boot Rom Version).
  • Review configuration by going to the Apple icon in the upper left corner. Use the option key to switch between “About this Mac” and “System Information”. If desirable, save system information as .spx or print it to PDF. For older OS X versions, use “System Profiler”.
    • In “About this Mac” you can click on the OS X version multiple times so it will show Build and Serial Number also.
  • Make backups if appropriate and make sure you can recover from them.
• Install options:
  • Using OS X recovery disk (700MB) by booting computer while holding the option key.
    • Restore from Time Machine Backup
    • Reinstall OS X.
    • Use disk utility to prepare/fix disk for installation.
  • Install from DVD.
  • Install from internet source.
  • Upgrade by downloading OS X Mountain Lion from the App Store.
    • Installation process will delete installer application. Quit the installer if you want to upgrade several computers or create a full OS X recovery disk.
• Possible destination disk (startup volume) situations preventing installation:
  • Disk is faulty (hardware). In system information you can check the service and support coverage status.
  • Disk contains Time Machine backups.
  • Disk does not use required GUID (GPT) partitioning scheme.
  • Disk is not formatted as Mac OS Extended (Journaled) volume.
  • Disk needs to be slightly resized (reduced with 128MB).
  • Disk uses software RAID or uses nonstandard Boot Camp partitioning. Installation is possible, but OS X Recovery HD cannot be created.
• Installation disk can be an external disk as well. Does not need to be internal disk.
• For monitoring and/or troubleshooting open the “Installer log” during installation or after installation use the “Console” application and open the “/var/log/install.log”.

Initial configuration steps

• Configuration can be performed:
  • Manually using Setup Assistant/System Setup at user/system initialization.
  • Manually using the System Preferences app.
  • Manually by editing configuration files.
  • Automated using configuration profiles.
• You can configure the computer name from within System Preferences, Sharing.
• Software updates:
  • Software update preferences apply to all users now with Mountain Lion.
  • Keep in mind that OS X system updates can be bigger than 1 GB. Consider deploying a central software update server. Alternatively download updates to a local repository from http://support.apple.com/downloads.
  • Client configuration for using a central software update server is not possible from within the GUI. Use a profile instead.
• Setup Assistant helps getting the system configured properly for users. Includes by example language, keyboard, network settings, migration assistant, location settings, Apple ID, iCloud, time zone, registration and setting the computer account. The computer account is the only initial administrative user account.
  • Migration assistant provide options to migrate settings, accounts and data:
    • From another Mac. Using ethernet of firewire. Requires Mac OS X v10.4 or later and it should be updated to the latest version.
  • From a Windows PC.
  • From Time Machine or another disk (including external disks or other Macs in target disk mode connected via FireWire or Thunderbolt).
• Configuration profile
  • Originally created to provide easy setup for iOS devices.
  • Is a document that includes instructions for specific system settings and/or applications.
  • Filename extension is .mobileconfig
  • Verify the profile content and its result by testing it properly.
  • Consider signing configuration profiles for added security.
  • Install by simply double clicking if you have administrative privileges.
  • Can be created using 3rd party tools or these ones created by Apple:
    • iPhone Configuration Utility.
    • Apple Configurator application.
    • Profile Manager service of OS X server.
  • Can be distributed:
    • In any way you would distribute any other file (b.e. e-mail, fileserver, website).
    • Using push for OS X systems that are enrolled in a management server like by example OS X Server Profile Manager.
  • Open Profiles in System Preferences to see the profiles on a computer.
    • Profiles will only show in System Preferences if a Profile is installed.
  • More information in the Technical White Paper: Managing OS X with Configuration Profiles.

OS X Recovery

• Replaces functionality previously accessed via OS X installation DVD.
• Provides access to:
  • Configuration and troubleshooting utilities.
    • Disk Utility, storage-related administration and maintenance.
    • Firmware Password Utility, secure startup process by disabling all alternate startup modes without a password.
    • Network Utility, network and internet troubleshooting utility.
    • Terminal, UNIX CLI of OS X. Most useful command: resetpassword
      • Reset password via Terminal.
        • Also resets home folder permissions to default.
        • Consider mitigating risks by setting a firmware password and/or enabling FileVault 2.
  • Restore from Time machine Backup.
  • Reinstall OS X.
• By default located on the primary system disk. Macs with newer firmware can start up from an Apple server over the internet and access OS X Recovery features.
• Accessed by restarting while holding command+R
• Hold option key for startup manager with all boot options, including external OS X Recovery disks.
• When disks are protected by FileVault 2, the disk needs to be unlocked before performing actions.
• In OS X Recovery, Ethernet and Wi-Fi networking is available if the network provides DHCP services.
  • Can also browse the internet.
• External OS X Recovery disk creation options:
  • Create a minimal OS X Recovery disk using the OS X Recovery Disk Assistant.
    • You need to download the Recovery Disk Assistant.
    • Must have a local hidden Recovery HD partition.
    • Requires only 1GB (USB flash) disk.
    • Requires local admin account.
    • Requires GPT and Mac OS Extended (Journaled) partitioning.
    • Supported by Apple.
    • Does not contain OS X installation assets, need to be downloaded from internet.
  • Create a full OS X Recovery disk.
    • Includes the OS X installation assets. Make sure you create and use full OS X Recovery disks only for systems that are supported with a specific OS X version.
    • Requires 8GB (USB flash) disk.
    • Use disk utitlity on the disk and configure InstallESD.dmg as the source.
    • Requires GPT and Mac OS Extended (Journaled) partitioning.
• You can change your startup disk from within OS X recovery using:
  • Apple menu, Startup Disk.
  • Menu, Quit OS X utilities, choose Startup Disk.

Applications

• The Installer application simplifies installation of packaged application installations.
• The Installer /private/var/log/install.log can be viewed with the Console application.
• You can view the installed applications using the System information application.
• New features/options for Installer applications introduced with OS X 10.5:
  • Users may specify home folder as installation folder.
  • Dynamic installation package that remains up-to-date when there is Internet access.
  • Network installation packages download latest version from server during installation.
  • Support for signed packages to increase security and reliability.

Local user accounts and groups

• Types of user accounts
  • Sharing only user
    • Only non authenticated access to shared files and folder.
    • Cannot log in and no home folder.
  • Guest user
    • By default only non authenticated access to shared files.
    • The home folder, settings and history will be deleted on logoff.
    • Optionally enable guest user account support for unauthenticated login.
      • Will have same access as standard user.
      • Can restart or shutdown your Mac. Could compromise system during startup.
      • Consider disabling, changing permissions and/or applying parental controls.
  • Standard user
    • Standard user cannot install software.
    • Managed user is a standard user to whom parental controls apply. By example:
      • Limit the allowed applications.
        • Limit App Store Apps.
        • Limit Other Apps.
          • Parental controls are not honored by most 3rd party applications (b.e. FireFox and Outlook), keep this in mind when limiting applications.
        • Limit Widgets
        • Limit Utilities
      • Web – unrestricted access, try to limit access to adult websites, Allow access to only specific websites.
      • (Bedtime) Time Limits – weekday time limits, weekend time limits, prevent access during specific times.
      • People – allow communication only with approved addresses for Game Center, Mail and Messages.
      • Other – Restrict access to dicatation services, printers, password changes, optical media and the dock.
      • Maintain Safari, Messages and Application usage logs (both allowed and attempted but denied access).
    • Parental controls preferences can be managed remotely from another Mac OS X on the local network if you Allow Remote Setup.
    • Parental controls preferences is a limited subset of the more extensive managed preferences system available when using OS X Server.
  • Administrative user
    • Initial account created during Mac set up.
    • Can modify anything on the computer. Including other administrative user accounts and the root account.
    • Can be used for daily use, but better is to adhere to principle of least privilege. Prevents catastrophic results of by example user errors, viruses or malicious scripts/applications.
  • Root user (System Administrator)
    • Disabled by default.
    • Enable using Directory Utility. Use Finder, Go To, /System/Library/CoreServices/
      • In Directory Utility, Directory Editor, Systems Administrator.
• Administer users accounts and groups using Users & Groups.
  • Use secondary (or Control) click on a user to access advanced options.
    • User ID, Group, Account name, Login shell, Home directory, UUID and Aliases.
      • UUID is used for group membership and ACLs.
  • Using Login Options you can configure to join a Network Account Server (Active Directory, LDAPv3, NIS).
• User account information stored in XML in /var/db/dslocal/nodes/Default/users , accessible by root.
• In Users & Groups you can configure Login Options (shown in login screen) like:
  • Set a master password that can be used to reset the password of a user even when it’s logged on.
  • Auto login (disabled by default).
  • Show list of available users (enabled by default).
  • Password hints after three wrong password attempts.
  • Configure fast user switching (enabled by default).
    • Not supported for network accounts.
    • When using fast user switching:
      • you can run into contention issues with applications, documents or devices that cannot be used by multiple users simultaneously.
      • Attached external storage devices are available for all users in read/write. Disk images are available in read only. Only network shares remain secure.
  • Configure the Mac to use accounts hosted from a shared network directory. By example from OS X Server.
• Home folders
  • Default location for local home folder is /Users/<accountname>
  • By default includes the following items:
    • Desktop
    • Documents
    • Downloads
    • Library
      • Hidden by default in OS X Lion and later. Access through Finder menu, Go, holding the option key.
      • Includes many non-document resources like files, fonts, contacts, keychains, mailboxes, favourites, screen savers, widgets and many other application resources.
    • Movies
    • Music
    • Pictures
    • Public
      • Drop Box
  • Optionally contains:
    • Applications (preferred location for application installations)
    • Sites (legacy folder for upgraded or migrated computers, viewable for others).
  • Content only accessible for user (and root).Exceptions:
    • The Public folder where others have read access.
    • The Drop Box folder inside public folder where others have write and only the owner of the home folder can view it.
    • By default, files and folder put at the root of the home folder will be viewable by other users. Permissions can be modified ofcourse.
    • /Users/Shared
    • System Administrator (root) has access.
  • Options for migrating and restoring home folders:
    • Using Migration Assistant.
      • Automates many steps.
      • Can use data from disks or other computers (including Windows).
      • Cannot be used if you need to reformat the disk containing the data.
      • Migration Assistant runs as part of the OS X Setup Assistant with new installations but can also be run manually afterwards.
        • Legacy FileVault-protected users accounts can only be migrated during the initial OS X Setup Assistant process.
    • Using a manual restore.
      • Is useful when you need to reformat the disk containing the data, because you will copy the data to a different disk before reformat.
      • Can also be used when an account has been deleted and the home folder content is still in /Users/Deleted Users
      •  Basic steps:
        • Document the user account name.
        • Copy the user’s home folder to different disk. Make sure hidden files/folders like the Library are included as well.
        • On new install create and admin account with a different name than the account to be restored.
        • Copy the backup to the /Users folder. Make sure hidden files/folders like the Library are included as well.
        • In Users & Groups Preferemces create the user’s account with the same account name and choose to use the existing folder when prompted.
• Customization
  • Move menu items on the right side of the menu bar (menulets) by dragging the menu item while holding down the Command key. Example include the wireless icon and the volume icon.
• Passwords
  • Users can change their passwords using Users & Groups preferences. It even includes a Password Assistant that can help generate a strong password. You can also use Security & Privacy.
  • Resetting passwords
    • Reset Regular and Legacy FileVault user account passwords using:
      • User & Group preferences with an administrator account for regular user accountss and with the Master Password for Legacy FileVault accounts.
      • Master Password
        • Does not require an admin account.
        • Enable and set in Users & Groups preferences.
        • At login when user enters incorrect password three times, a prompt will appear to rest the password using the master password.
      • Apple ID. At login when a non-Legacy FileVault user enters an incorrect password three times, and the account is associated with an Apple ID you can reset the local account password by logging authenticating with your Apple ID.
      • Reset Password in OS X Recovery.
    • Reset Master password
      • Reset using Users & Groups preferences.
      • Delete /Library/Keychains/FileVaultMaster.cer and /Library/Keychains/FileVaultMaster.keychain files.
    • Reset Apple ID
      • Follow the instructions on https://iforgot.apple.com
    • FileVault 2 password
      • After three incorrect password logins, you need to reset the password using a Recovery Key that you can you can write down / store somewhere or you can store it with Apple. If you store it with Apple you need to configure security questions and answers. To recover the key you can contact AppleCare if it is supported in your region.
  • Login Keychain is normally synchronized with the account password. By resetting the account password it will not be in sync anymore. At first new logon however you will be presented with options to remedy this.

System Security Settings

• System and security settings include, but are not limited to:
  • Logging out after x minutes of inactivity.
  • Automatically update safe downloads list
  • Requiring administrator password to access locked preferences.
  • Requiring password after sleep or screensaver.
    • Lock computer using:
      • Control+Shift+Eject for lock (screen off)
      • If fast user switching is enabled, click the user account name in the top right corner and choose Login WIndow.
      • Configure keychain to show in menu bar, choose lock screen there.
  • Disabling automatic login.
  • Configuring a login message or policy banner.
  • Configuring to allow applications downloaded from:
    • Mac App Store
    • Mac App Store and identified developers
    • Anywhere
  • Encryption (FileVault).
  • Firewall.
  • Location services (can be limited to specific applications).
  • Apps that are allowed to access your contacts.
  • Disable remote control infrared receiver.
  • Option to send diagnostics and usage data to Apple.
• Legacy OS X FileVault (prior to OS X Lion)
  • Only protects data in user’s home folder (not full disk encryption).
  • Incompatible with many system management and backup applications.
  • Deprecated, it is advised to use FileVault 2 instead. Requires:
    • Disabling all Legacy FileVault users.
    • Enough free space to be able to make a decrypted copy of home folder data. If this is not the case, consider manually migrating a copy of the home folder.
• Find My Mac / Find My iPhone (iCloud)
  • Remotely locate, lock, erase (or wipe) and display a message on the Mac or an iOS device using http://www.icloud.com
  • Requires active internet connection.
  • Requires local OS X Recovery partition.
  • Requires iCloud and Find My Mac to be enabled.
  • Systems with Find My Mac enabled also feature a “Guest”mode when the system is restarted. This increases the chance that the system will be used and will be able to access the internet, in turn helping locate the device.
• Firmware Password
  • Setting the Firmware Password prevents unauthorized users from using any startup-interrupt keyboard shortcuts.
  • You can still boot from another startup disk if you hold the Option key when you start the Mac and enter the correct password.
  • When the Firmware Password is lost:
    • Many Mac models before 2010 allow for the Firmware Password to be reset by removing some of the system memory. Then restart the Mac while holding the Command-Option-P-R keys.
    • For Mac models of 2010 or later you need to visit an Apple Authorized Service provider to clear the firmware password.
• Application security
  • Besides operating system and hardware security, it’s also important to use secure applications.
  • Safari security

Keychain Management

• The keychain contains securely stored passwords, keys, web forms, secure notes and certificates.
  • Some website information may be store in cookies instead of in the keychain.
• The local account password is not in the keychain.
• If you forget a keychain’s password, its contents are lost forever due to encryption.
• Managed using the Keychain Access application.
  • Add/remove keychains, secure notes and password items.
  • View passwords stored in the keychain and change them.
  • Import/open keychains.
  • Configure Keychain login settings to lock after x minutes or when sleep is initiated
  • Verify or repair Keychain files using Keychain First Aid (requires password).
  • Certificate assistant to create, request and configure certificates.
  • Set preferences:
    • Show status in menu bar (easy access to keychain and to lock screen)
    • First aid options
    • Certificate options (including certificate revocation list settings)
• Keychain files
  • /Users/<useraccountname>/Library/Keychain/login.keychain
    • Each user has its own keychain. By default the password matches the user’s account password so it will unlock and use its content automatically.
    • A user can create multiple keychains and with different passwords for added security. Consider by example electronic banking accounts.
  • /Libary/Keychain/System.keychain
    • Contains non user specific authentication data like passwords for wireless networks, 802.1X, network passwords, Kerberos, Legacy FileVault and Apple Push Service.
    • All users benefit from the keychain, only administrative users can modify.
  • /Libary/Keychain/FileVaultMaster.Keychain
    • Encrypted with the FileVault master password.
  • /System/Library/Keychains
    • Contains root certificates.
    • All users benefit from the keychain, only administrative users can modify.

File Systems

• File Systems and Storage
  • Managed using Disk Utility.
    • Dynamic disk repartitioning since OS X 10.5 with specific filesystems/options.
    • Provides secure erase options. Most secure (7-pass erase).
      • Meets US DoD standards according to Apple.
      • This may detoriate life expectancy for SSD.
    • Secure erase an item in CLI using srm command.
    • Create new volumes in an encrypted format.
      • It is however not possible to convert an existing Mac OS Extended volume to an encrypted volume with Disk Utility. You can do this using Finder though.
        • Requires disk to be using GPT.
        • For the system volume, FileVault 2 needs to be enabled.
    • To erase or repartition disks that contain encrypted volumes you need to first erase the encrypted volume or decrypt it.
    • Disk utility displays startup disk and its partitions first.
  • Partition schemes:
    • GPT (GUID Partition Table).
      • Default for Intel-based Mac. Boot only supported on Intel.
      • Can be accessed from PowerPC Mac OS X 10.4.6 or later.
    • MBR (Master Boot Record).
      • Used by non-Mac + devices/peripherals (USB stick/memory cards).
      • Mac cannot boot from it.
    • APM (Apple Partition Map).
      • Default PowerPC-based Mac. Boot only supported on PowerPC.
      • Can be accessed from Intel-based Mac.
  • Most commonly used volume formats in OS X:
    • Mac OS Extended. All options include
      • Journaled (helps preserve volume structure integrity)
      • Encrypted
        • Full disk XTS-AES 128 encryption, used by FileVault 2.
        • Not compatible with OS X prior to OS X Lion.
        • Cannot be dynamically repartitioned.
        • Existing non-encrypted disk can be converted to encrypted disk.
      • Case sensitivity. By default, Mac OS Extended format is case-preserving but case-insensitive. You can choose it to be case sensitive, but many (3rd party) applications may experience issues and it is not supported.
    • Unix File System (UFS).
    • MS DOS File System / (Extended) File Allocation Table (FAT32, ExFAT)
    • NT File System (NTFS). Read-only by default. Can add read-write support with 3rd party apps
• FileVault 2
  • If a local user is still configured to use Legacy FileVault, you cannot enable FileVault 2.
  • If there are multiple local users, you can selectively grant users the ability to unlock and decrypt the protected system disk allowing them to start up the system by entering their password.
  • Users whose password has been changed on the local system will continue to be FileVault enabled. After passwords resets from the network directory server, the user will however not be allowed to unlock the local FileVault 2 system disk. Re-enable the account for FileVault in Security & Privacy.
  • When enabled, login window appears faster because startup is initiated from a special EFI booter on the Mountain Lion Recovery HD. User has to authenticate.
  • If a user forgets their password, use the recovery key. If both are not available, the data will be lost.
  • If FileVault 2 is enabled, other security features also turned on to ensure security.
    • Password required to log in after sleep and to exit screensaver.
    • After initial startup, only users enabled in FileVault will be able to log in, other users need an administrator to log in first.
• File and folder actions
  • In Finder, use File, Quick Look (Command+Y) to determine folder size and item count.
  • Secure erasing files is possible using Finder in combination with Secure Empty Trash.
  • Remounting volumes on a connected disk requires first unmounting and ejecting remaining volumes, then physically disconnecting and reconnecting the disk and then remounting. With Disk Utility you can do this without physically disconnecting and reconnecting.
  • Properly unmounting/ejecting volumes helps minimizing the risk of data corruption.
  • If a disk was improperly unmounted, a file system diagnostic will be run on the disk before it remounts volumes. This might take a while. Verify by checking if fsck process is running using the Activity Monitor application.
  • Unmounting/ejecting volumes might fail because files might be in use. You can quit all programs, log out, restart the computer or use 3rd party applications like What’s Keeping Me (WKM) to resolve this.
  • To encrypt files using finder, go the desktop and use CTRL+click on the volume you want to encrypt. Then enter the password you want to use.
• Permissions (privileges) and Sharing
  • Only users and processes with root account access can ignore file permissions.
  • View and modify permissions using Finder. Get Info for single item,Inspector for multiple.
    • Get Info - Select file/directory, Finder menu, File, Get Info
      (or select file/directory and press Command+I).
      • When changing permissions, Get Info remembers previous settings so you can revert.
    • Show Inspector - Finder menu, File, hold Option, Show Inspector
      (Option+Command+I)
    • Add/remove users and groups using the + or – icons.
    • Change privileges using the drop down boxes.
    • Use the cog icon to revert privilege changes on files.
    • You can also propagate privilege changes recusively to items in the folder by using the “Apply to enclosed items…” option.
      • Cannot be easily reverted.
      • Locked items remain in their Original state.
  • Permissions can be verified and repaired:
    • In Disk Utility.
    • In Terminal
      • For a folder:
        • sudo chmod -R 755 <path>
        • chown root:wheel <path>
      • For the system: sudo diskutil repairPermissions /
  • Ownership for Permissions:
    • Owner. By default the creator of the file/folder.
    • Group. By default, group inherited from the folder it was created in. Mostly:
      • Belong to staff (primary group for local standard users)
      • Belong to wheel (primary group of root system account)
      • Belong to admin groups.
    • Everyone. Used to define access for those who are not owner and not part of a group (includes local, sharing and guest users).
  • File permissions:
    • Read & Write
    • Read Only
    • No Access
  • Folder permissions:
    • Read & Write
    • Read Only
    • Write Only (Drop Box), can copy/move files to it, but not browse it.
    • No Access
  • More details about UNIX-style permissions on Wikipedia.
  • Access Control Lists (ACL) and Access Control Entries (ACE)
    • Developed to expand on UNIX permissions architecture to provide more control and flexibility.
    • Similar to Windows-based NTFS permissions and UNIX NFSv4.
  • Effective permissions
    • ACLs trump standard UNIX permissions.
    • Effective permissions are based on a combination of permissions.
  • Effective permissions examples
    • Read & Write folder
      • Read & Write file
        • Can edit file content
        • Can view or copy file
        • Can move or delete file
        • Can rename file
      • Read Only file
        • Can’t edit file content
        • Can view or copy file
        • Can move or delete file
        • Can rename file
    • Read Only Folder
      • Read & Write file
        • Can edit file content
        • Can view or copy file
        • Can’t move or delete file
        • Can’t rename file
    • Read Only file
      • Can’t edit file content
      • Can view or copy file
      • Can’t move or delete file
      • Can’t rename file
    • Read Only Folder
      • Read & Write file
        • Can edit file content
        • Can view or copy file
        • Can’t move or delete file
          • Beware: Many applications will not be able to save changes to files in Read Only folders because they attempt to replace the original file instead of revising the file content.
        • Can’t rename file
    • Read Only file
      • Can’t edit file content
      • Can view or copy file
      • Can’t move or delete file
      • Can’t rename file
    • Read & Write folder
      • Read & Write Locked File (locked file prevents non owner from modifying, moving, deleting or renaming. Sticky bit is similar)
        • Only owner can edit file content
        • Can view or copy file, but copies are locked
        • Only owner can move or delete
        • Only owner can rename file
  • Permission behaviour when moving, copying or creating new files and folders
    • New files/folders will inherit permissions of its parent.
  • Permissions for Nonsystem Volumes
    • With external disks files and folders can easily be used on multiple computers. The issue however is that these computers don’t share the same user account database. As a result interpreting file ownership can be an issue.
    • To prevent access issues, ownership is ignored on nonsystem volumes by default in OS X. If this is undesirable (security), you can override this using Finder, Get Info and unchecking “Ignore ownership on this volume”.
  • UNIX Permissions and the Terminal application
    • File and folder permissions
      • Read (r–) = 4
      • Write (-w-) = 2
      • Execute (–x) = 1, necessary for opening folder.
      • No access (—) = 0
    • For directories permissions have a leading d. It could look like : drwxr-xr-x
    • For files permissions having a leading -. It could look like : -rw-r--r--
    • View permissions using ls -le
    • The first three characters after the leading character define the Owner privileges, the next three the Group privilege and the last three the Others privileges.
    • Setting privileges this way can be annoying. There is a numerical alternative:
      • 0 = No access
        1 = Execute
        2 = Write
        4 = Read
      • Permissions range from no access 0 (—) to full access 7 (rwx).
      • drwxr-xr-x translates to 755 for the directory (leading d character).
      • -rw-r--r-- translates to 644 for the file (leading – character)
    • Change ownership using chown
      • By example: sudo chown useraccountname “~/Documents/file.pdf”
      • man chown for more info (q to quit).
    • Modify permissions/ACLs chmod.
      • By example: sudo chmod 777 “~/Documents/file.pdf”
      • man chmod for more info (q to quit).
•  File System and permission Troubleshooting
  • Some troubleshooting tools have already been discussed in the previous part.
  • Keep in mind that you can also use Target disk mode on supported systems and disks.
  • Recover data using Time Machine is applicable.
  • Consider 3rd part disk recovery utilities.
  • Troubleshooting permissions issues in Mac OS X

Data management

• Hidden Items and Shortcuts
  • By default the Finder hides much of the complexity of OS X from the user.
  • Items can be hidden in two ways:
    • UNIX style, using a period “.” at the beginning will hide from Finder and Terminal.
    • OS X style, setting the item’s hidden flag will hide only from finder.
    • The user’s Library folder is hidden by default. Go to Finder, Go and hold the Option key to reveal the Library.
    • Finder, Go, Go to Folder (Command-Shift-G) to manually enter path.
  • Bundles and Packages
    • Are common folders that contain related software and resources. By example .app, .bundle, .framework, .plugin, .download, etc.
    • Finder treats them as single files.
    • By default users cannot navigate them with Finder. To show content, use right click (control+click) and choose “Show Package Contents”.
    • Tools for creating and modifying bundles and packages are available to those with Mac Dev Center access.
  • File System shortcuts
    • Not to be confused with shortcuts in Dock or the Finder sidebar.
      • Save references to Original items as part of their config files.
    • Real File System Shortcuts appear as individual files that can be located anywhere on a volume.
    • Types of File System Shortcuts. Comparison when used with 100MB file:
      • Alias
        • Can be created with Finder
          • Finder menu, File, Make Alias (Command+L).
          • Right click (Control+click), Make Alias.
          • Click and drag the original item while holding down the Option and Command keys.
        • Useless in Command-Line tools like Terminal. They think aliases are files, not references.
        • More resilient to location changes of the original items. Finder even has option “Fix Alias”.
        • Finder, Get Info, shows Kind: Alias and size of 1.2 MB.
        • Used by Finder, File, New Burn Folder.
      • Symbolic Links
        • Can be created only in Terminal.
        • Can be used in CLI and Finder.
        • Pointers to the file system path of the original item.
        • Symbolic link is broken when original file changes location. Replacing file is no problem.
        • Finder, Get Info, shows Kind: Alias and size of 35 bytes.
      • Hard links
        • Can be created only in Terminal.
        • Can be used in CLI and Finder.
    • Removing original item does not remove hard links.
    • Used by Time Machine.
    • Finder, Get Info, shows Kind: <original file type> and size <original file size>.
• System Resources
  • Found in Library  through Finder (Go, hold Option key, Library).
  • System resource hierarchy domains (keep in mind when troubleshooting).
    • User (deprecated, might still be used by applications though).
    • Local (available to all local user accounts, includes root Applications and root Library folder).
    • Network (configure automounted share to enable).
    • System (all items necessary to provide core system functionality).
  • When multiple copies of similar resources exist in different domains, the resource most specific to the user will be used.
  • Some of the Library items and the domains they can be found in:
    • Application Support (in User and Local)
      • Often contains help files, templates or resources.
    • Extensions (in Local and System)
      • Also called kernel extensions.
      • Low-level drivers that attach to kernel, core or OS and provide support for hardware, networking and peripherals.
    • Fonts (in every Library folder)
      • Use System Information view installed fonts.
      • Use Font Book to manage fonts in a GUI (fonts can be added, removed, disabled, verified, restored to default).
      • 3rd party font-management tools are available.
      • Applications may need restart before font is available.
      • If font for all users, place in /Library/Fonts
      • If font for current user, place in ~/Library/Fonts
      • Mac OS X font search order: /System/Library, /Network/Library, ~/Library
      • Outline fonts (vector fonts) include TrueType fonts, OpenType fonts and Postscript fonts.
    • Frameworks (in every Library folder)
      • Repositories of shared code.
      • Use System Information to view loaded frameworks.
    • Keychains (in every Library folder)
      • Contains securely stored passwords, keys, web forms, secure notes and certificates.
    • LaunchDaemons and LaunchAgents (in Local and System)
      • Define processes that start automatically via the launchd process.
      • LaunchAgents for processes to run when user is logged in.
      • LaunchDaemons for processes to run in background even when no user is logged in.
    • Logs (in every Library folder)
      • Use Console to view logs.
    • PreferencePanes (in every Library folder)
      • Can be found in System Preferences.
      • Possibly useful 3rd party preference panes.
    • Preferences (in User and Local)
      • Contains files with system and application preferences.
    • Startup Items (in Local and System)
      • Precursors to LaunchDaemons and LaunchAgents.
      • Apple discourages the use of Startup Items. Currently launchd still supports many Startup Items, but may not be true for future versions.
      • Generally installed by 3rd party software that hasn’t been updated.
• Metadata and Spotlight
  • Metadata describes content. By example names, paths, creation and modification dates, permissions, extended attributes (color label) and flags (hidden).
  • You can add custom metadata to your files/folders by entering Spotlight comments in the Get Info and Inspector from the Finder.
  • Apple uses a forked file system:
    • Makes complex items appear as a single item in the file system, while it actually consists of a data fork and a resource fork.
    • Only fully supported on Mac OS Extended File System volumes.
    • Legacy file systems like FAT, Xan and older NFS shares do not know how to properly store meta data:
      • AppleDouble file format used to work around this:
        • Metadata stored seperately in ._<filename>
        • Invisible in Finder (and Windows Explorer by default).
        • Some files have trouble with being split up.
    • NTFS supports alternative data streams (similar to file forking) and is used by OS X when writing to NTFS based SMB shares.
  • Spotlight search
    • Access by pressing Command+Space or clicking the looking glass icon in the top menu bar. Access the Spotlight window using Option+Command+Space.
    • Spotlight goes beyond local filesystem search. It is able to search e-mail, shared files from other Mac clients, servers, airdisk volumes, Time Machine backups, Wikipedia and even results from your default web search engine.
    • Search results are grouped by type. By example Applications, System Preferences, Documents, Messages, PDF documents, Webpages.
    • Using Spotlight preferences customize locations not to index, categories to be included and the order in which they are presented.
    • When you hover over search results, contents of files can be shown as a preview using Quick Look. Examples include e-mails or PDF files and iWork and Microsoft Office files (even when these applications are not installed). These previews are even dynamic, allowing you to browse through them and making it easier to find what you’re looking for.
    • Advanced Spotlight search operations include AND, OR, NOT, ranges, is, matches, contains, begins with, ends with. You can also use multiple criteria in a single search (use Finder and click the + icon).
    • Searches can be saved if desirable.
    • Spotlight uses indexing for search results.
      • New volumes are automatically indexed.
        • Ignoring requires manual configuration.
      • Shared volumes from other computers are not indexed. Spotlight can connect to indexes on AFP shares hosted on OS X Server.
      • Location of indexes:
        • At the root of every volume in a folder .Spotlight-V100
        • For Legacy FileVault user at the root level inside the encrypted home folder.
        • In application defined location, for mail by example in:  ~/Library/Mail/Envelope Index
    • When experiencing issues with Spotlight consider forcing index rebuild by deleting index and restarting the computer.
    • Spotlight filters search results based on permissions. This means results on locally attached non-system volumes will be shown as well by default because owership is ignored.
    • Spotlight Plug-Ins
      • Can be created by Apple (/System/Library/Spotlight) or third parties (/Library/Spotlight or ~/Library/Spotlight).
      • Determine what is indexed. It provides functionality to:
        • Extract and index metadata
        • Extract and index content of filetypes like mail, PDF, iWork, Office, Photoshop.
        • Use or search (meta)data from applications.
        • Search in other places like by example Wikipedia
• File Archives
  • Archiving is saving copies of information to another location or format better suited for long-term storage or network transfer.
  • Archiving options include (Zip) Archives and Disk Images
    • (Zip) Archives
      • Created using Finder.
      • Highly compatible with other operating systems.
      • Easy way to archive relatively small amounts of data.
      • Finder decompresses in the same folder as the source by default.
      • Archive utility gives more control over (de)compression preferences.
        • /System/Library/CoreServices/Archive Utility.app
          (take a look in this folder for even more useful tools).
        • Archive Utility contains a preference pane Archive that can be installed in System Preferences. To do this in Finder, right click (Control+click) Archive Utility.app and select “Show Package Contents”. Then double click /Contents/Resources/Archives.prefPane
        • Cannot compress any mounted volume.
    • Disk Images
      • Created using Disk Utility.
        • Size can be up to 2 TB.
        • Can be read-only or read/write.
        • Can be compressed.
        • Can be encrypted (128-bit or 256-bit AES).
        • Can be fixed size or expendable (sparse disk image).
        • Disk image format can be converted by saving it to a new copy.
        • Supports any partition scheme or volume format that OS X supports.
      • By default only OS X can access. Other OS requires 3rd party tools.
      • Files that contain entire virtual disks and volumes.
        • Image can only be created from volume that can temporarily be dismounted.
      • Can be treated like a removable volume (mount/unmount).
• Time Machine
  • Time machine is Apple’s solution for easily creating backups.
    • Enabled by default.
    • User must select backup disk. System auto scans network for Time Machine network share or waits for you to attach external disk.
    • Choose the disk to use and whether or not to use encryption.
      • Even though it is possible to backup to a second partition of the local disk, it is not recommended since it does not provide protection against disk failure or loss of the computer.
    • Configuration, preferences and backup status can be accessed from
      • The Time Machine icon in the menu bar
      • Time Machine in System Preferences
      • Secondary click (Control+click) Time Machine
  • Time machine can backup:
    • To any local Mac OS X volume except for the startup volume.
    • To Apple Filing Protocol (AFP) network shares hosted by OS X Server or Time Capsule wireless base station.
  • Compression is not used for performance reasons.
  • Encryption is supported. Password is saved to the local system keychain for automatic retrieval. Needs to be entered manually when the disk is connected to a different computer.
  • In OS X Mountain Lion support has been added for multiple Time Machine backup disks.
    • Allows for more flexibility.
    • Makes strategies for storing backups offsite easier.
    • Allows for combining local backups and backups to network share.
  • In OS X Mountain Lion Time Machine supports local snapshots.
    • Backups can be made even when the backup disk is not available.
    • Backups are made to the local disk, which means it is not a true backup because in the event of hardware failure everything will be gone. It does however provide a way to go back in time as long as there are no hardware issues.
    • Only enabled on Mac portables with Time Machine left in “On” state.
    • Notification if 10 days passed without backup to the backup disk.
    • The amount of disk space used by local snapshots can be found in About This Mac, More Info, Storage. Space used on the system volume used for local snapshots appears as “Backups”.
  • System sleep can prevent Time Machine backups.
    • With OS X Mountain Lion, Time Machine can backup while in Power Nap mode.
  • Backup procedure
    • Entire file system backups are created hourly by the backupd process by default.
      • To only backup manually, turn off Time Machine and start manually by secondary clicking (control+click) Time Machine application.
      • Backups to local disks can be postponed by disconnecting the disk.
    • Manual backups can be initiated using the Time Machine icon in the menu bar.
    • Time Machine copies almost all content of the file system to the backup volume.
    • If you don’t perform a full backup of your system volume, you cannot perform a full restore. This means you have to install OS X first and then restore the rest.
    • Time Machine Backup exclusions.
      • Files that can be easily restored or are not important are ignored.
        • System log files are excluded.
        • Spotlight index is excluded.
        • Files in trash are excluded.
        • Software developers can specify application data not to backup.
        • You can modify the configuration file that specifies what to ignore: /System/Library/CoreServices/backupd.bundle/Contents/Resources/StdExclusions.plist
        • In Time Machine preferences you can also configure exclusions.
    • Between backups, background process monitors changes. With next backup only change items are copied to the backup volume. Then the new content is combined with hard link file system pointers to the previous backup content to create a simulated point-in-time state and save space.
    • Time machine “ages out” data to save space.
      • Notification when older items need to be deleted for new backups.
      • Hourly backups are kept for 1 day.
      • Daily backups are kept for 1 week.
      • Weekly backups until the backup volume is full.
      • Time machine always keeps at least one copy of every item that is still on your current file system.
  • Time Machine caveats
    • Not suitable for large files that change often (and only a few bytes).
      • File needs to be backupped completely again.
      • Uses lots of space on backup volume.
      • Causes “aging out” of backups, limiting restore history.
    • Can only backup Legacy FileVault accounts when the user is logged out.
    • Time Machine caveats
  • Restore using Time Machine application
    • Easy graphical user interface (GUI). By secondary clicking (Control+click) Time Machine application you can:
      • Enter Time Machine.
      • Browse other Time Machine disks.
    • Graphical user interface is available from within some applications, but most will present you with a historical view in Finder.
      • Apps with Time Machine restore integration including Apple created apps like Address Book, Mail and iPhoto.
        • To access Time Machine for these applications make sure the application is in the foreground and then start Time Machine either from the menu bar or from the Dock.
    • Local snapshots (not really backupped) show as grey tickmarks in the timeline, while regular backups have pink tickmarks. If pink tickmarks appear dimmed, it’s because the Time Machine backup disk is currently unavailable.
    • Legacy FileVault users cannot access home folder backup via Time Machine application.
  • Restore via Migration Assistant
    • Can be used to restore complete user home folder (also for Legacy FileVault user) or other nonsystem data.
  • Restore an entire system using OS X Recovery
    • Only possible when you did not exclude items from the system volume backup.
    • Scans for local and network Time Machine backup volumes.
  • Restore using Finder manually
    • When GUI restore is not working, you can browse backup with Finder since file system features are used that are part of standard Mac OS Extended volumes.
    • Directly modifying Time Machine backup contents can damage backup hierarchy. Default file system permissions prevent write access.
    • Backup locations:
      • Local snapshots are cached locally to a hidden folder:
        /Volumes/MobileBackups
        • Items in this location aren’t permanent. They will eventually be copied to backup disk and then erased on the local disk.
      • Time Machine backups on local disks are located in the root of the backup volume in a folder named Backups.backupdb
        • Folder contains a subfolder for each computer backed up on this volume. Then for each computer there are subfolders with the date and time of the backup.
      • Time Machine network backups are located at the root of the share, most commonly named Backups.
        • Each computer’s backup is saved as a seperate sparse disk image file with the computer’s sharing name.
        • When you browse the sparse disk image, similar structure is used as with Time Machine backups on local disks.

Applications and Processes

• Application Installation
  • Installation using Mac App Store. Requires internet, Apple ID and admin authentication.
    • Purchasing apps from Mac App Store requires OS X 10.6.6 or later.
    • When you want to re-install an application you’ve purchased from the Mac App Store or if you want to install the application to another device, go to “Purchases” in the App Store.
    • Applications in the Mac App Store need to meet several requirements and have gone through a verification process before they are available.
      • This is for quality reasons and to minimize the risk that applications are harmful (b.e. malware, privacy).
      • As of June 2012, application has to be sandboxed.
      • Application is code signed.
      • If harmful applications were able to get through the initial process, Apple can quickly pull the application from their store.
    • Create an Apple ID from the iTunes Store or the iOS App Store if you only want it to be able to install free items.
    • Applications are tied to your Apple ID.
      • If purchases are made using an iCloud account, you can enable automatic downloading of purchased applications. This comes in handy when you own multiple Mac computers. There are limitations though, see the iTunes Store Terms and Conditions.
    • Automatic updates are enabled by default and you get notifications about available updates.
      • If you don’t see updates you should be seeing, force the Mac App Store to reevaluate your installed software. Hold the Option key, open Mac App Store, click Updates, release Option key.
    • Mac App Store access can be disabled or limited for user with parental controls. You can specify specifically allowed apps or you can specify to allow only apps that are appropriate for specific age groups.
      • Do not delete Mac App Store, is required to perform system updates.
  • Traditional installation methods
    • Four primary application environments in OS X are:
      • Native OS X applications
        • Can be created using Cocoa and Carbon.
          • Cocoa
            • Apps run on iOS and Mac OS X.
            • Primarily based on Objective-C.
            • Full support 64-bit graphical apps.
            • Latest OS X features can be used.
          • Carbon
            • Still works in Mountain Lion, but deprecated.
            • Primarily based on C and C++.
            • No full support 64-bit graphical apps.
            • Latest OS X features cannot be used b.e. Auto Save and iCloud services.
      • UNIX commands
      • Java applications
        • Java application environment originally developed by Sun Microsystems. Now owned and primarily maintained by Oracle Corporation.
        • The goal in Java is to create nonplatform-specific apps.
        • Java Runtime Environments currently available for OS X:
          • Java SE 6 not included with OS X, instead it will auto download and install the first time it is needed.
            • Requires administrative permissions.
          • Oracle supplies Java SE 7.
        • Both environments can be installed side-by-side.
        • When you know Java is needed, consider including it in the standard install.
        • Managed using /Applications/Utilities/Java Preferences
        • Check installed version in System Preferences, Other.
      • UNIX applications that use the X Window System
        • Previous OS X versions included the Apple version of X11.
        • In Mountain Lion, X11 is not included anymore. When you try to run it from within applications, support article HT5293 will be shown in the browser with a link to the XQuartz project for X11. XQuartz 2.7.2 or later is recommended.
    • Other (non primary) application environments in OS X.
      • Legacy Mac applications
        • Applications created for Mac OS 9 with PowerPC.
        • Classic compatibility environment is used to to run Mac OS 9 apps, but is not supported since OS X 10.5
        • Rosetta Compatibility environment is used to run PowerPC based apps but is not supported since Lion.
      • Unix applications
        • Mac OS X 10.5 and later are POSIX and Unix 03 compliant.
        • Mac OS X system foundation named Darwin is baed on the open source FreeBSD (Free Berkely Software Distribution) Unix CLI.
        • Mostly accessed using Terminal.
• Application Security
  • While applications in the Mac App Store have gone through a process that also evaluates security, this is not the case for other applications. To protect against bad software, OS X includes the following technologies:
    • Process Security
      • Processes started by user will have access similiar to that of the user.
      • If system privileges are needed, you need to provide credentials, granting the application system level access (b.e. installations).
    • Application Sandboxing
      • Application and process sandboxing limits access to what is needed through a sophisticated arrangement of rules.
      • Sandboxing is an optional feature.
        • Apple sandboxed all applications and processes that could benefit from it
      • The majority of sandbox rules are created by developers.
      • Some sandbox rules are user initiated.
        • User opening a specific file outside of the sandbox.
        • Other examples of user-initiated access are found in Security & Privacy under Privacy.
    • Code Signing
      • Secure signed application and process code support since OS X 10.5
      • Code is verified on disk AND while it’s running.
      • Used in OS X Mountain Lion for automatically identifying trust for new app installs.
      • Also provides application identification for other parts of the system, including keychain, personal application firewall, parental controls preferences, application settings and managed client settings.
      • Developers can use the Mac App Store system to code sign their application even though they won’t use the Mac App store.
    • File Quarantine
      • Introduced in OS X 10.5
      • File quarantine service displays warning on attempt to open item downloaded from an external source like the Internet.
      • Quarantined items include documents, scripts and disk images.
      • File quarantine requires that the item is marked for quarantine by the application that downloaded it. Built-in OS X applications do this, but 3rd party applications might not.
      • Files copied to the Mac from by example a share or a USB drive also do not trigger file quarantine.
      • Administrative users can permanently clear quarantine, users cannot.
      • Apple maintains a list of known malicious software that is updated automatically via OS X software update mechanism. It is stored in:
        /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist
      • More info : HT3662 “About file quarantine in OS X”
    • Gatekeeper
      • Introduced in Mountain Lion.
      • Leverages both code signing and file quarantine.
      • You can choose one of these options to allow applications downloaded from:
        • Mac App Store
          • When a version of the application is available from the Mac App Store, when you download it from somewhere else it is not allowed.
        • Mac App Store and identified developers (default setting)
          • Developers can use an Apple-verified code signing certificate to identify their applications and that contains their unique developer ID.
            • File quarantine dialog will be shown for downloaded applications.
            • Blocks non (properly) signed apps.
            • Daily check with Apple for blacklisted developer signatures. If an app from a blacklisted developer is installed on the user’s system it will not open.
        • Anywhere
          • Similar to previous OS X versions.
          • All applications are allowed regardless of source.
          • File quarantine dialog will be shown for downloaded applications.
      • Identifies modified/damaged applications regardless of security.
      • You can temporarily bypass/override gatekeeper. In Finder secondary click (Control+click) the application and choose open. Then confirm you want to open the application from the unidentified developer.
        • Once you’ve bypassed Gatekeeper for an application, it will be considered an exception and will open normally.
        • Use instead of setting security to “Anywhere” if possible.
        • Will not work for applications that automatically open other background or child applications (also trigger GateKeeper).
          • Temporarily set security to “Anywhere” until app has been installed and is working correctly.
• Installing applications
  • Traditional Installation Methods
    • Drag-and-drop installations
      • Generally used for less complex application installations.
      • Some items will be installed by simply double clicking. By example fonts, preference panes, screen savers and widgets.
      • Install by dragging and dropping application file to desired folder.
        • In general OS X doesn’t care where it is located. Keep in mind though that some locations are more appropriate and secure than others.
        • Many developers simplify the proces by using a Finder window background that encourages users to copy applications to an appropriate directory. TextWrangler by example does this.
      • Often the following folders are used for applications:
        • For all users : /Applications
          • Only administrative users can modify.
        • For the current logged on user : ~/Applications
          • User has to create this.
    • Installation packages
      • Generally used for complex application installations (.pkg or .mpkg).
      • Default deployment mechanism for most Apple software updates and third-party software that requires install of items in multiple locations.
      • Installer application is opened when you open an installation package and will guide you through the installation.
        • By clicking the lock icon in the top right corner in Installer, you can view the certificate and its path.
        • On occasion third-party installers may be used (.app)
      • Often requires administrative user authentication, because frequently install items that can affect other users and the operating system.
• Updating installed applications
  • Apple software and software from Mac App Store is updated automatically by default. Configure using Software Update in System Preferences.
  • Third-party software can provide self-update option.
  • Manually update software.
• Removing installed applications
  • Drag and drop to the Trash.
  • For Mac App Store applications only:
    • Open Launchpad, hold option key, click “x” button.
    • Open Launchpad, hover the applicaton, click and hold until “x” button appears and then click the “x” button.
  • Application uninstaller in rare occasions if 3rd party installer was used.
• Document Management
  • Auto Save and document Versions
    • The idea is that users shouldn’t worry about saving files (after initial save).
    • This is combined with versions to provide users more control/flexibility.
    • Auto Save applications have file menu option “Duplicate” instead of “Save As” (after the initial save). Holding Option key will also show “Save As”.
    • Auto-save applications in Mountain Lion also add “Rename…” and “Move To…” to the file menu.
    • If the title bar of an application contains “Edited” this is also a visual cue that the application auto saves.
    • You can easily go back to previous versions using File, Browse All Versions …
      • Versions browser restore GUI similar to Time Machine GUI.
        • Can use copy and paste using Command+C and Command+V or using secondary click (Command+click).
        • To delete a version, select the document name in the title bar and select “Delete this version”.
      • Versions are stored in : /.DocumentRevision-V100 at the root of the disk containing original document.
        • Locked by default.
          • Manually (un)lock a file by clicking on the file name in the title bar and selecting lock or unlock. When it is locked, this also shows in the title bar.
      • Document Version history is maintained only on the volume where the original document is saved. If you send a file by mail or any other way, it does not include the version history.
      • If Time Machine is enabled, version history will use these backups (integration) and you will be able to go back further.
    • Most Apple-designed applications in Mountain Lion support Auto Save and Versions including TextEdit, Pages, Preview, Numbers and KeyNote.
    • You can disable Auto Save by going to System Preferences, General and selecting “Ask to keep changes when closing documents”.
      • Can cause delay and require manual action for logout.
  • Automatic Resume
    • Resume after logout is enabled by default.
      • If disabled, forcibly override by holding Option key when logging out
    • Resume after quit is disabled by default. Enable from System Greferences, General by deselecting “Close windows when quitting an application”.
    • Allows supported applications to maintain their current state event if the user logs out or the application is quit by automatically saving the documents and the state of the application.
    • Supported applications can also be automatically quit by the system when system resources are running low. Only idle applications are quit.
  • iCloud integration to save in iCloud (introduced with OS X Mountain Lion).
    • Requires user signed in to iCloud with Documents & Data enabled.
    • Only Mac App Store applications are able to save to iCloud. Examples include TextEdit, Preview, Pages, Numbers and Keynote.
    • Using the file menu of a supported application like TextEdit you can use “Save as” or “Duplicate To” to save in iCloud.
    • When opening supported application (TextEdit), it shows a new iCloud document browser interface which also can be manually opened using File, Open.
      • Open files stored in iCloud or upload files to iCloud by dragging them onto the iCloud document browser interfade.
      • In title bar switch between “iCloud” and local resources “On My Mac”.
      • Browser interface of specific app only shows files managed by app.
      • iCloud documents can be managed using finder as well:
        ~/Library/Mobile Documents/ with subfolders for each service/app.
    • Similar to iOS, you can create folders in the iCloud document browser interface by dragging a document onto another document.
    • Move local files to iCloud by clicking name in title bar, move to iCloud.
    • Quick Look can also be used by pressing space.
    • Secondary click (Control+click) includes more options, including sharing.
    • iCloud synchronization is performed in the background nearly instantaneous.
    • iCloud synchronizes data locally if multiple devices on the same network share and iCloud account for efficiency.
    • You can also manage iCloud documents using http://www.icloud.com
  • OS X Launch Services
    • Determines action when user double clicks file.
    • Maintains database that maps file types to appropriate apps.
    • Many common file types are mapped to built-in applications like Preview, Pages and TextEdit if the primary application is missing.
    • If no appropriate application can be found, you get a prompt that allows you to either choose an application manually or to search suggests search the Mac App Store for a compatible application.
    • In Finder you can either secondary click a file (Control+click) and choose Open With or use Finder, Get Info, Open With to:
      • Determine the current default application for this file.
      • Choose appropriate application to open the file with.
      • Manually browse for an application that is not in this list.
      • Search the Mac App Store for a compatible application.
      • You can also choose to always use the chosen application for this file.
    • From Finder you can use Get Info (Command+I) or Inspector (Option+Command+I) to do the same as described above. It also allows you to change the default application for all files of this filetype though. To do this, under “Use this application to open all documents like this one” click the “Change All…” button and confirm.
  • Quick Look
    • Quick look shows an interactive preview of files including videos.
    • Supports many document formats.
    • Is used in Spotlight when you hover over a document.
    • Can be openend (and closed) by pressing Space in Finder, Time Machine restore interface, most open and save browser dialogs, Mail, other applications.
    • Provides previews for other views including Cover Flow, Get Info, Inspector.
    • Plugins can be found in /Library/QuickLook or ~/Library/QuickLook
    • 3rd parties can create Quick Look plugins.
• Application Management and Troubleshooting
  • Process types
    • Applications
      • Started by user.
    • Commands
      • Started by user.
      • CLI
    • Daemons
      • Runs in background as system.
      • Usually start at startup and keeps running.
      • Rarely have UI.
    • Agents
      • Runs only when user is logged on.
  • Process Features
    • OS X Process Performance Features balances resources without letting any single process hog all resources.
    • Symmetric multiprocessing (multi cpu/gpu cores and threads)
    • Simultaneous 32-bit and 64-bit support
      • Most Apple software is 64-bit now.
        • Using Finder, Get Info or Inspector shows Kind: Application (32-bit) for 32-bit applications. The 64-bit applications show as Kind: Application.
      • Process that handles Dashboard runs both 32-bit and 64-bit widgets.
      • System Preferences prompts to restart when you switch between 32-bit and 64-bit preference panes.
      • 32-bit drivers, software and plugins need to be considered.
        • 32-bit plugins will not work in 64-bit application. From the Finder Get Info or Inspector you can secondary click (Control+click) and selecting “Open in 32-bit mode” as a workaround.
    • “Open in Low Resolution” checkbox is available on Macs with Retina display to disable high res assets that might be incompatible with older app plug-ins.
  • Memory management features
    • Protected memory (process memory is seperate from other processes).
    • Dynamic memory allocation (efficient use of real and virtual memory).
    • Secure memory allocation (execute disable and address space layout randomization)
  • System Information gathers information about installed applications when opened.
    • Includes name, version number, modification date, application type and if it was purchased from the Mac App Store (does not show for apps included in OS X).
    • Scans:
      • /Applications
      • /Applications/Utilities
      • ~/Applications
      • /System/Library/CoreServices
      • Other Applications folders at the root of any mounted volumes.
  • Monitoring Processes with Activity Monitor
    • By default shows columns with for each process the ID (PID), name, user, % CPU, threads, Real Mem and the kind : Intel (64-bit) or Intel.
    • Shows system wide summary stats for CPU, System Memory, Disk Activity, Disk Usage and Network.
      • System Memory “page ins” and “page outs” are totals since last system startup. High number of page outs indicates system does not have enough real memory, slowing performance.
    • By default shows only processes for current. Change with drop-down box.
    • Search box can be used to filter processes.
    • From Menu, View you can:
      • Modify (additional) columns to be shown
        • CPU Time
        • # Ports
        • Real Private Memory, Real Shared Memory,  Virtual Private Memory
        • Messages Sent
        • Messages Received
        • Sudden Termination (yes=app supports automatic resume)
        • Sandbox (yes=app is sandboxed)
      • Modify update frequency
      • Filter Processes
    • Can be used to Quit Process, Inspect and Sample Process.
  • For more detailed info, take a look at Instruments application of Xcode Tools Package.
  • Application troubleshooting
    • General application troubleshooting steps you can use:
      • Check if application is compatible with used OS X version. Mac OS X v10.6 and later protect against certain incompatible software that can quit unexpectedly or cause other issues.
      • Try another document
      • Restart application
      • Try another application
      • Restart computer
      • Try another user account
      • Check diagnostic reports in Console application created at crash/hang
        • ~/Library/Logs/DiagnosticReports
        • Log is <application> with extension .crash .hang or .spin
        • Can also use File, New System Log Query to perform custom search across most common logs.
      • Delete application’s cache files in:
        • /Library/Caches
        • ~/Library/Caches
        • ~/Library/Saved Application State
      • Replace preference file
      • Replace application resources / reinstall application
  • Forcibly quit application
    • In Apple menu, Force Quit (Command+Option+Escape).
    • In Dock, on the application do a secondary click (Control+Click) or click and hold. Then hold the Option key and click “Force Quit”.
    • In activity monitor, select application, Quit Process, Force Quit.
      • Only GUI method to quit processes of other users/system.
  • Preference troubleshooting
    • Common application resource to cause problems.
    • Can be found in any Library folder. Normally in ~/Library/Preferences for user related preferences and /Library/Preferences for general preferences.
      • Folder naming example: com.apple.dashboard.plist
    • Most application and system preferences saved as property list (plist) files.
      • Contain both internal application configuration and user preferences.
      • Plist file can be XML or binary encoded. Both can easily be viewed using Quick Look. For editing, you can use tools like xCode that can be found in the Mac App Store.
      • Often change, increased risk of corruption.
        • Apple worked hard to safeguard its apps and preferences against corruption.
        • 3rd party applications that use the Apple preference model recognize corrupt file, ignore it and create a new one.
        • Many 3rd party applications use own proprietary preference models that are not as resilient. Could lead lead to crashing during startup or frequent crashes in general.
      • Rename preference file, have app create new with original settings.
      • Some applications do not use property list files. Consult the documentation or developer to find out what files are used for what and where they are stored.
  • Application Resource Troubleshooting
    • Corrupted application software can cause issues, but rare.
    • Associated nonpreference resources can be a source of application problems as well. Examples include resources from local and user Library folders like fonts, plug-ins and keychains and items in the Application Support folder.
    • When troubleshooting:
      • Knowing the application behaviour is crucial.
      • Some applications store resources in ~/Documents as well.
      • Check if issue affects all users or specific users only to narrow possible causes.
      • Check application and diagnostic report logs to determine which resources the application tried to access when it crashed.
      • If many corrupted files, file system or hardware might be faulty.
  • Assistive technologies (accessibility features in System Preferences)
    • Universal settings:
      • Enable access for assistive devices (b.e. braille devices).
      • Show Accessibility status in menu bar.
    • Seeing (assist people who have trouble seeing/cannot see)
      • Display
        • Modify cursor size
        • Modify display resolution
        • Modify brightness
        • Enhance contrast
        • Use greyscale
        • Invert colors
      • Zoom
        • Configure zooming preferences including gestures and keyboard shortcuts
      • VoiceOver (spoken-word interface)
        • Enable using Command+F5
        • Open VoiceOver Training
        • Open VoiceOver Utility
        • Enable Voiceover at login window using User & Groups Preference Pane.
        • VoiceOver is very elaborate, do the VoiceOver Training, open the VoiceOver Utility and visit the Apple VoiceOver resource website for more information.
    • Hearing (assist people who have trouble hearing/cannot hear)
      • Enable screen flash as alternative to alert sound.
      • Play stereo audio as mono.
      • Modify volume levels.
    • Interacting (assist people who have trouble interacting)
      • Keyboard
        • Enable sticky keys (enable to press a set of modifier keys as a sequence, instead of all at once).
        • Enable slow keys (configure delay between key press and activation of the key press).
        • Open keyboard preferences
          • Key repeat detection configuration
          • Keyboard brightness (backlight) settings
          • Enable use of F1, F2, etc. keys as standard function keys (when selected press Fn key to use special features printed on the key).
          • Modifier keys (option key, control key, command key and caps lock).
          • Change keyboard type.
      • Mouse & Trackpad
        • Enable Mouse Keys (use keyboard to emulate mouse)
        • Configure double-click speed
        • Ignore built-in trackpad when mouse or wireless trackpad is present.
        • Trackpad options (scroll speed, scroll type, dragging)
        • Mouse options (scroll speed)
      • Speakable Items (spoken commands)
        • Settings
          • Speakable items on/off
            • Voice can be modified using Dictation & Speech preferences.
          • Upon recognition, “Speak command acknowledgement” on/off and what sound to play.
        • Listening Key
          • Change listening key
          • Listening method
            • Listen only when key is pressed.
            • Listen continuously with keyword
        • Commands
          • Enable, disable and configure command sets.
  • Dashboard and Widgets
    • Provides instant access to Widgets.
    • Access using:
      • F12 or F4 (depending on Mac model) by default, can be changed.
      • Four finger swipe
      • CTRL + left arrow key, CTRL + right arrow key, CTRL + up arrow key
    • Add/remove widgets.
      • Add/remove using the + and – icons. When you press + you also get option “More Widgets …” that will open http://www.apple.com/downloads/dashboard/ where you can find more widgets in multiple categories.
      • If you download the widget with Safari, it auto prompts for install. If you aquire it another way, double click in Finder.
      • Widget applications are subject to quarantine and Gatekeeper.
      • You can also very easily create your own custom widgets from (parts of) webpages in Safari by choosing File, Open in Dashboard and selecting the part you want to include in your Dashboard.
    • Stored system wide in /Library/Widgets and for users in ~/Library/Widgets
    • launchd process starts at user log in, launchd starts Dock process. First time user attempts to access Dashboard, Dock process starts Dashboard process.
    • Dashboard runs with user privileges.
    • Download of 3rd party widget cannot be prevented, but use can be restricted using Parental Controls preferences.
    • Troubleshooting Widgets
      • Reset from Dashboard by clicking once on the widget and pressing Command+R. An animation indicates it has been reset.
      • Forcibly quit the dashboard process and restart it. Alternatively restart all processed by logging out the user and logging back in again.
      • Similar to troubleshooting other applications, consider removing preference files for the specific Widget and restarting the dashboard.
      • Remove all Dashboard and Widget preference files, log out, log in.

Network Configuration

• Network Essentials
  • 7 layer OSI model (Open Systems Interconnection Reference Model).
  • Network interface can be physical or virtual (b.e. VPN).
  • Network protocl defines a set of standard rules dor data representation, signaling, authentication, or error detection across network interfaces (b.e. TCP/IP).
  • Network service
    • In the context of System Preferences, Network, it describes configuration assigned to interface. By example Ethernet, Firewire, Wi-Fi, Bluetooth PAN.
    • In another context it describes a service like by example File Sharing services, messaging services, collaboration services, DHCP services, DNS services, etc.
  • MAC address, 48-bit, 00:1C:B3:D7:2F:99,first 3 groups define OUI (Organizationally Unique Identifier) while the last three groups define the device.
  • TCP/IP
    • Data is split into multiple packets, that are then being re-assembled in order at the cost of some overhead.
    • Transmission Control Protocol (TCP) ensures data arrives complete (reliable).
    • Internet Protocol (IP) provides network addressing and data routing.
  • UDP (User Datagram Protocol)
    • Does not guarantee reliability or ordering of data, but less overhead. Used for by example DNS, media streaming, VoIP.
  • IPv4, 32-bit, 4 billion globally unique addresses, 4 octets each within range 0-255 (b.e. 192.168.1.1), private address space ranges used with Network Address Translation (NAT) to translate between public and private IP and to make the most out of limited number of globally unique addresses.
  • Subnet mask, only required for IPv4. Declares which part of IP address defines the network the device is on, notation can be four octets (b.e. 255.255.255.0) or Classless Inter Domain Routing – CIDR (b.e. /24), used to determine if communication is local.
  • Router address / gateway, reroute traffic between networks they bridge, uses routing tables.
  • IPv6, 128 bit, 2^128 globally unique addresses, eight groups of four-digit hex seperated by colon (b.e. 2C01:0EF9:0000:0000:0000:0000:142D:57AB), omit one or more consecutive sections of zeroes, using a double colon (::) b.e. (2C01:0EF9::142D:57AB).
  • Address Resolution Protocol (ARP) maps IP to MAC and stores in table for fast switching.
  • Domain Naming System (DNS), translates DNS name to IP (forward lookup) or IP to DNS name (reverse lookup), hierarchical structure with at the top the “root” or “.” domain.
  • Dynamic Host Configuration Protocol (DHCP), DHCP server provides IP addressing automatically to DHCP clients. Can include DNS and other options as well.
    • Enabled by default for Ethernet and Wi-Fi interfaces in OS X.
    • In some cases, DHCP Client ID needs to be configured in advanced settings.
    • IPv6 addressing information is auto detected as well. Automatic IPv6 configuration is not provided by standard DHCP or PPP services though.
    • If multiple DHCP servers available, first one that responds will be used.
  • Bonjour is Apple’s implementation of Zero configuration networking (Zeroconf). A group of technologies that includes service discovery, address assignment, and hostname resolution. Bonjour locates devices such as printers, other computers, and the services that those devices offer on a local network using multicast Domain Name System (mDNS) service records (UDP5353).
    • OS X also uses SMB to auto discover other devices/file services.
    • Local Bonjour requires no configuration.
    • Wide-Area Bonjour requires Mac to be configured to use DNS server and search domain that supports the protocol.
    • Register your Mac for Wide Area Bonjour from Sharing, edit and then selecting the checkbox “Use dynamic global hostname”. You can then enter Hostname, user, password and choose to “Advertise services in this domain using Bonjour”.
    • Bonjour name is <computername>.local by default.
    • On OS X 10.5 and higher, Bonjour and SMB cannot be disabled through GUI.
• Network configuration, viewing and troubleshooting
  • Initial networking configuration is handled by Setup Assistant that runs the first time you start up after a new OS X installation.
    • If you don’t configure during inital setup, Mac auto enables any active network interface (including connecting to unrestricted wireless networks) and attempts to configure via DHCP.
  • Network in System Preferences
    • Shows network services
      • Based on interfaces (b.e. Ethernet, Firewire, Thunderbolt, Wi-Fi (PAN), Bluetooth PAN, USB cellular GPRS/3G, virtual interface).
      • Can be added and removed.
      • Service status lights:
        • Green = Connected and configured
          • Does not guarantee correct TCP/IP config.
        • Red = Not Connected
          • No cable
          • Disconnected (not always on interface b.e. VPN)
          • Settings might be incorrect
        • Yelllow = Connected but not properly configured
          • Connection active, TCP/IP no correct config.
          • Wi-Fi is on, but not connected
          • Bluetooth PAN is in Unknown state, no IP.
        • No light / Greyed out = Disabled
      • Can turn off Wi-Fi and bluetooth.
      • Advanced allows you to configure IP addressing, DNS, WINS (netbios name, workgroup, WINS servers), 802.1X, Proxies and hardware (speed, duplex, MTU size).
        • MTU packet size for internet traffic is 1500 bytes by default. If network uses Jumbo Frames, adjust accordingly.
      • Using the Action button (gear/cog icon) for services, you can:
        • Duplicate, rename, (de)activate services
        • Set service order (priority with multiple active services).
        • Import / export configuration.
        • manage virtual interfaces.
          • PPoE (Point-to-Point Protocol over Ethernet)
          • VPN (Virtual Private Network)
          • VLAN (Virtual Local Area Network)
          • Link aggregate (teaming)
          • 6 to 4 (tunnel between IPv4 and IPv6)
      • Deactivating or deleting a network service from the list is the only way to disable a hardware network interface in OS X.
        • Network service interfaces can only be deleted if they’re not part of a configuration profile. If necessary modify using the Profiles system preference.
    • Lets you choose current location (b.e. home) and lets you edit available locations and the settings you want to use for other locations (b.e. work). The default location is named Automatic.
      • If multiple locations have been created, you can also switch location by clicking the Apple menu icon and selecting Location.
    • “Assist me …” provides option “Network Diagnostics” to help troubleshoot and resolve issues.
    • “Network Setup Assistant” helps with setting up a new connection.
    • When modifying configuration, it is not applied immediately. Use apply or revert.
    • Applying new configuration or switching location, may disrupt connection.
    • When multiple service types are available for the same network, OS X will auto determine the preferred interface. By example wired is preferred over wireless and is considered the primary active network service interface.
      • Automatic source routing ensures related incoming and outgoing connections use the same interface, regardless of service order.
  • Network utility application (also available in OS X Recovery)
    • Info (for all interfaces MAC, IP, speed, status, vendor, model, statistics).
      • Often en0 interface is the first internal Ethernet port and en1 Wi-Fi.
    • Netstat (routing table, statistics for each protocol, multicast info, state of all current socket connections)
    • Ping (unlimited pings or x number of pings).
      • Ping might be blocked by firewalls.
    • Lookup (forward and reverse DNS lookup)
    • Traceroute
      • Ping might be blocked by firewalls.
    • Whois (domain to look up and whois server to get whois info from)
    • Finger (enter user name and domain to get info about user)
    • Port Scan
  • Wi-Fi
    • Wi-Fi icon in the menu bar can be used to view, join, create (ad-hoc) network and can also be used to access Network Preferences.
      • Use “Join Other Network” to join network with invisible network where the SSID is not broadcasted.
      • Access Wi-Fi Diagnostics by holding option while clicking Wi-Fi icon.
        • Create Diagnostic Report. Collects information about Bonjour services, nearby networks, Wi-Fi performance and runs a number of diagnostic tests.
        • Turn On Debug Logs. Enables basic or advanced logging to diagnose the state of the network.
        • Capture Network Traffic. Captures all network traffic on the Wi-Fi, Ethernet or Bluetooth interfaces.
    • Supported auth: WEP, WPA(2), WPA(2) Enterprise (per-user authentication)
      • At join WPA(2) Enterprise as admin, pass is saved to system keychain. All users can connect and Mac auto connects at start/wake.
    • If you join and authenticate to a WPA/WPA2 Enterprise, an 802.1X service configuration is created automatically. May also prompt for certificate validation. Will also be saved to system keychain by default.
    • If a captive portal is detected for the wireless network you joined, a window showing the portal’s sign-in page will be opened.
    • In Advanced settings of Wi-Fi you can configure whether administrator authorization is required to:
      • Create computer-to-computer networks
      • Change networks
      • Turn Wi-Fi on or off
  • Bluetooth
    • Icon con be configured to show in the menu bar.
      • Set Bluetooth to on, off or discoverable.
      • Send file
      • Browse Device
      • Set up Bluetooth Device
      • Open Bluetooth Preferences
    • Holding option while clicking icon in menu bar reveals extra option:
      • Create diagnostics report on the desktop
  • VPN
    • OS X includes VPN support out-of-the-box for:
      • L2TP over IPsec (UDP 1701)
      • Point-to-Point Tunneling Protocol – PPTP (TCP 1723)
      • Cisco IPSec (UDP 4500)
    • VPN is easiest to configure using configuration profile. See Profiles.
    • VPN status icon can be shown in the menu bar and can also be used to establish a VPN connection.
    • Options vary for each VPN type.
      • Authentication options
        • User Authentication
          • Password
          • RSA SecurID
          • Certificate
          • Kerberos
          • CryptoCard
        • Machine Authentication
          • Shared Secret
          • Certificate
            • Group Name (Optional)
      • Advanced options (not supported in the built-in Cisco IPsec client)
        • Options
          • Session
            • Disconnect when switching user accounts
            • Disconnect when user logs out
            • Send all traffic over VPN connection
          • Advanced
            • Use verbose logging
        • VPN on Demand (only with certificate-based authentication)
          • Automatically creates VPN connection.
          • Configure domains where VPN on Demand should be used and specify which configuration should be used for each domain.
        • TCP/IP
          • IPv4 config (using PPP, manually, off)
          • IPv6 config (auto, manually or link-local only)
        • DNS
          • DNS servers (configure one or more)
          • Search domains (configure one or more)
        • Proxies
          • Select protocols to configure
          • enable/disable : Exclude simple hostnames
          • Bypass proxy settings for specific Hosts and Domains.
          • Enable/disable : Use Passive FTP Mode (PASV)
    • Some VPN services require a 3rd party VPN client. VPN might also need to be configured using a 3rd party tool and might not be configurable from Network in system preferences.
    • Troubleshoot using /var/log/system.log using Console.
  • 802.1X Configuration
    • Can be used to secure wired and wireless networks.
    • Supported methods for automatic configuration:
      • User-selected Wi-Fi network with WPA(2) Enterprise authentication
      • Administrator-provided 802.1X configuration profile
        • Only method for non Wi-Fi 802.1X
        • Double click local copy of configuration profile or having Mac managed by a Mobile Device Management (MDM) solution like OS X Server through Profile Manager.
  • IP Proxies
    • Supports proxy for FTP, HTTP(S), streaming (RTSP),Socks and Gopher.
    • Supported configuration methods
      • Using manual configuration
      • Using local or network hosted proxy auto-config (PAC) files
      • Using Web Proxy Auto Discovery Protocol (WPAD)

• Network Troubleshooting
  • Apple provides many resources for network configuration and troubleshooting at http://www.apple.com/support/networking/
  • Determine network issue area
    • Local (hardware, settings, cabling)
    • Network (hardware, settings, cabling)
    • Network service (applications, settings, daemons)
  • Main tools are Network preferences, Network Diagnostics and Network Utility.
  • Common network issues
    • Ethernet connectivity issue troubleshooting considerations:
      • Local cable (try other cable, check if not substandard cable, check NIC lights if appropriate)
      • Local settings and switch port settings (speed/duplex)
      • Ethernet status in System Preferences, Network
      • Ethernet stats in Network Utility (send errors, recv errors, collisions)
      • Switch port statistics (send errors, recv errors, collisions)
      • Other physical cables in the path (patch panel, switch)
      • Other physical ports (patch panel, switch)
      • Check driver/firmware version
    • Wi-Fi Connectivity issue troubleshooting considerations:
      • Use Wi-Fi icon in menu bar to:
        • Check if connected to correct wireless network.
        • Check connection status
      • Check driver/firmware version
      • Hold the Option key while clicking the Wi-Fi icon in the menu bar:
        • Shows statistics for the currently selected Wi-Fi network:
          • PHY Mode: b.e. 802.11n
          • Channel : b.e. 11  (2.4 GHz)
          • BSSID (Basic service set identification) which is the MAC address of the access point.
          • Security: b.e. WPA2 Enterprise
          • RSSI (Received Signal Strength Indication). indication of the power level being received by the antenna. The higher the RSSI (or less negative), the stronger the signal. : b.e. -45
          • Transmit rate in Mbit/s : b.e. 120
          • MCS (Modulation and Coding Scheme) Index : b.e. 23
      • Reveals option “Open Wi-Fi Diagnostics” that allows you to “Create Diagnostic Report”, “Turn on Debug Logs” or “Capture Network Traffic”.
    • DHCP Service Issues troubleshooting considerations:
      • Local settings configured to use DHCP ?
      • Self-assigned (link-local / APIPA) address (169.254.x.x) used ?
        • Shows as Self-Assigned in Network preferences.
        • Client can only connect with other network devices on the local network in the same subnet (no gateway)
      • More people / devices with problems ?
        • Check if DHCP server and service is working.
        • Check for connectivity from the client to the DHCP server/service.
          • DHCP request forwarding (iphelper) necessary and working ?
          • Firewall not blocking ?
        • Check if scope is exhausted.
        • Check for rogue DHCP servers.
    • DNS Service Issues Troubleshooting considerations:
      • Local settings configured correctly (IP, subnet mask, gateway, DNS).
        • Configured correctly in DHCP ?
        • Rogue DHCP ?
      • Keep in mind that in most cases the topmost network service interface is the primary and is used for all DNS resolution (except if primary network interface is lacking router/gateway configuration).
      • Do only specific hosts (or specific zones) not resolve (correctly) ?
      • Flush/reset the DNS cache using Terminal:
        OS X 10.6: sudo dscacheutil -flushcache
        OS X (Mountain) Lion: sudo killall -HUP mDNSResponder
      • More people / devices with problems ?
        • Check if DNS server and service is working correctly.
        • Check for connectivity from the client to the DNS server/service.
          • Firewall not blocking ?

Network Services

• Network services
  • Network Services Architecture
    • Client-Server architecture (mail, internet, etc.)
    • Protocols and ports used. List of well known ports products.
    • Network service identification using by example:
      • IP
      • DNS
      • Dynamic Service Discovery.
        • Browse local and WAN resources like browsing network shares from Finder or locating network printers using Print & Fax preferences.
        • Used by built-in network applications like Messages, Image Capture iPhoto, iTunes, Safari and OS X Server.
        • Used by 3rd party network applications.
        • Bonjour Service Discovery Protocol
        • AppleTalk network browsing protocol unsupported for OS X 10.6 and later.
    • Network Service Account Settings / Authentication
      • Can be deployed using local copies of a configuration profile or managing Mac using Mobile Device Management (MDM) solution like Profile Manager in OS X Server.
      • Mail, Contacts & Calendars in System Preferences sets up your accounts to use with Mail, Contacts, Calendar, Messages, and other apps. Use the + and – icon to add/remove. Includes:
        • iCloud
        • Microsoft Exchange
        • Gmail
        • Twitter
        • Facebook
        • Yahoo!
        • AoL
        • vimeo
        • flickr
        • Add Other Account
          • Mail
          • Messages
          • CalDAV
          • CardDAV
          • LDAP
          • OS X Server account
            • Auto detects OS X Server >= 10.7
    • Application specifics
      • Mail version 6 (Mountain Lion)
        • Requires Microsoft Exchange Server 2007 SP1 UR4 with Exchange Web Services (EWS) enabled.
        • POP (TCP110), IMAP (TCP143), Encrypted POP (TCP995), Encrypted IMAP (TCP993). SMTP (TCP25), Encrypted SMTP (TCP25, TCP465 or TCP587). Exchange Web Services – EWS (TCP80), Exchange Web Services Secure (TCP443).
        • MAPI is not supported.
      • Notes
        • Uses IMAP mail services to save notes.
        • Can be shared with other network services using sharing.
        • Can only access network service when configured via Mail, Contacts & Calendars preference or configuration profile.
      • Calendar version 6 (previously iCal) and Reminders (tasks/to-do)
        • Ideally configured using Mail, Contacts & Calender preferences or configuration profile.
        • Calendar also features its own Setup Assistant.
        • Cannot configure Reminders seperately from Calendar.
        • Save Reminders locally or to network calendar service like:
          • Internet based calendar services like iCloud, Yahoo and Google (TCP443).
          • CalDAV collaborative calendaring.
            • Open standard
            • Uses WebDAV (TCP8008) encrypted (TCP8443)
            • OS X Server Calendar Service is based on CalDAV.
          • Exchange 2007 or newer using EWS.
          • Calendar web publishing and subscription
            • TCP80 and TCP443 (encrypted)
            • Subscribe to iCalendar files .ics hosted on WebDAV servers.
            • Allows sharing, but doesn’t provide true collaborative calendaring environment.
            • Apple hosts many calendars for many purposes on its website.
        • Reminders application creates and manages to-do calendar events. Calendar ignores to-do events.
        • Calendar email invitation
          • Uses iCalendar files.
          • Integrated with Mail to auto send/receive calendar invitations as email attachments.
      • Contacts version 7 (formerly known as Address Book)
        • Can use local. But can also use network contact services:
          • Internet-based contact services (iCloud, Google, Yahoo)
          • CardDAV contact sharing
          • Exchange 2007 or newer contact sharing
          • Directory service contacts (LDAP), configure:
            • Directly from account Setup Assistant
            • Through integration with OS X systemwide directory services (configured in User & Groups preferences).
        • Can also share contacts by clicking share button.
        • Ideally configured using Mail, Contacts & Calender preferences or configuration profile.
        • Contacts also features its own Setup Assistant.
        • You can update contact information from other services in Mail, Contacts & Calendars preferences by selecting the service and clicking “Update Contacts”.
      • Messages version 7 (formerly known as iChat)
        • Supports ten-way audio conferencing, four-way video conferencing, peer-to-peer file sharing, remote screen sharing, and high-resolution Messages Theater for sharing video from supported applications.
        • Depending on features used, TCP and UDP ports need to be opened. Even though outdated, this KB document may be of help.
        • Ideally configured using Mail, Contacts & Calender preferences or configuration profile.
        • Messages also features its own Setup Assistant for configuring chat network service accounts.
        • Supports:
          • iCloud iMessage
            • Can communicate with iOS devices.
            • Can only be configured with Mail, Contacts & Calender preferences.
            • Highly efficient for devices that rely on battery power (based on Apple push).
            • Does not support advanced features like video conferencing, screen sharing and Messages Theater.
          • Internet Messaging services (AOL Instant Messenger/AIM, Yahoo!, Google Talk)
          • Privately hosted messaging services based on open source Jabber servers:
            • Uses eXtensible Messaging and Presence Protocol – XMPP (TCP5222) or encrypted (TCP5223).
            • b.e. OS X Server Messages service.
          • Ad hoc messaging
            • Bonjour network discovery protocol is used to automatically find other Messages or iChat users.
            • No configuration necessary.
  • File Sharing Protocols
    • OS X provides built-in support for file service protocols:
      • Apple Filing Protocol – AFP v3 (TCP548) encrypted SSH (TCP22)
        • Supports all features of Mac OS Extended file system.
      • Server Message Block – SMB (TCP139+445)
        • Mainly used by Windows, but also other platforms use it.
        • Supports many features of Mac OS Extended file system.
        • OS X supports Distributed File Service (DFS) referrals.
      • Web-based Distributed Authoring and Versioning – WebDAV (TCP80) and encrypted (TCP443)
        • Extends HTTP service with basic read/write file services.
        • Use the http prefix in the connect to server screen.
      • File Transfer Protocol – FTP (TCP20+21)
        • Supported
        • Finder mounts FTP shares as read only.
        • Secure FTP – FTPS (TCP989+990).
          • Commands are encrypted, but data is not.
          • Supported in Terminal, but not in Finder.
          • Not to be confused with SSH File Transfer Protocol – SFTP (TCP22)
            • Uses SSH encryption.
            • Commands and data are encrypted.
            • Supported in Terminal and Finder.
  • Connecting to File Shares
    • Connecting to File Shares Using Finder
      • Automatically discovered shared resources can be browsed
        • In Sidebar
          • Shared category shows first eight computers + All… that links to the Finder Network folder.
            • The Network folder is not a standard folder. Updated dynamically with discovered network file services and currently mounted file systems.
          • Access the Network folder directly by going to the Devices category, <device name>, Network (Command+Shift+K).
      • Manually connect by entering the address of the server.
        • Using Menu, Go, Connect To Server (Command+K),enter:
          • Protocol – afp:// , smb:// , nfs:// , http:// , https:// , ftp:// or ftps://
          • Server – ip, fqdn, bonjour name
          • Share / resource name
        • For connecting to DFS, read this KB article.
        • When connected, server is added to Sidebar in Shared.
    • File Share Authentication
      • Automatic authentication is attempted using these methods:
        • Kerberos when using Kerberos SSO authentication.
        • Using previously saved authentication info in keychain when using non-Kerberos authentication.
        • Authenticate as guest.
      • Manual authentication
        • In Finder in Shared category select Server and choose “Connect As”. Then select either:
          • Connect as Guest
          • Registered User
            • Enter user name and password and optionally save credentials in keychain
          • Using an Apple ID
            • Only for AFP share using Apple ID
            • Only shows when local Mac and computer hosting the share run OS X
            • Local account must be tied to Apple ID
    • File Share mount / dismount
      • Mounted File Shares show in the Finder Sidebar and will also show in any application’s Open dialog.
        • It will also show in the Save As / Duplicate dialog if you select <computer name> in the Where field and then use the arrow down button next to the Save As field.d
      • When authenticated to file services, you are presented with the list of shared volumes your account is allowed to access. Select the shared volumes you want to mount (use Command key to select multiple).
      • You can dismount volumes by pressing the Eject icon next to the server in Finder.
      • You can automatically mount file shares for users: Go to Users & Groups, select account, Login Items, + , select share you want to add.
        • Alternatively create shotcuts / aliases in Dock, Desktop or in Finder.
          • Drag and drop from Finder sidebar or the Network browser to login items on the Dock does not work. Instead do this from the Desktop or from the Computer location in the Finder using Menu, Go, Computer (Shift+Command+C).
  • Troubleshooting Network Applications and File Sharing service
    • Check application specific configurations and preferences.
    • Mail
      • Mail app includes tool: Menu, Window, Connection Doctor.
      • Apple online mail Setup Assistant helps configure mail.
    • Messages
      • Messages app includes tool: Menu, Video, Connection Doctor. View conference statistics, chat capabilities and Messages error log.
        • Note: Connection Doctor is just for Mail and Messages application.
          • For troubleshooting network/internet connection issues you should use network diagnostics instead. It can be found under System Preferences, Network, Assist me, Diagnostics.
          • For home users, initially configuring is simplied by using the Network Setup Assistant. It can be found under System Preferences, Network, Assist me, Assistant.
          • Network Tools app includes ping, lookup, etc.
    • File Sharing Service troubleshooting
      • Windows servers prior to 2008 include Services for Macintosh (SFM) which only provides the legacy AFP 2 file service. While OS X is still compatible with AFP 2, it is optimized for AFP 3.1
        • There are many known performance issues with AFP 2, so try to avoid using it.
        • Use SMB instead if possible or use 3rd party product like Group Logic ExtremeZ-IP for AFX 3.1 support.
        • Legacy AFP on OS X requires specific configuration.
• Host Sharing and Personal Firewall
  • OS X already includes many of the core technologies that make OS X Server possible.
  • Host Sharing Services (configured using Sharing)
    • DVD or CD Sharing (Remote Disc)
      • Only shares Optical Disc
      • Cannot configure user-specific access
      • Can only access using Bonjour
      • When enabled, launchd process listens and when request comes in, starts ODSagent process that listens for requests on very high randomly selected TCP port.
      • Accessible only from Macs using Finder sidebar or Migration Assistant
    • File Sharing
      • AFP (AppleFileServer process), SMB (smbd process)
      • Only standard and administrative have users access by default.
    • Printer sharing
      • Covered in detail later on.
    • Scanner sharing
      • Only for Macs using Bonjour and Image Capture application.
        • Use Image Capture also for sharing a digital camera.
      • When enabled, launchd process listens and when request comes in, starts Image Capture Extension Background process that listens for requests on very high randomly selected TCP port.
      • Using Sharing preferences you can enable specific scanners.
      • When using network scanner sharing, keep in mind that other computers on the network can see what’s on the scanner bed. Especially with sensitive information.
    • Remote Login (sshd)
      • SSH, SCP, SFTP (Secure File Transfer Protocol)
    • Remote Management – Apple Remote Desktop (ARD) application.
      • Screen Sharing is a subset of ARD. Both provide the VNC service.
    • Remote Apple Events
      • Allows applications and AppleScripts on another Mac to communicate with applications and services on your Mac.
      • Often used to facilitate automated AppleScript workflows between applications running on seperate Macs.
      • When enabled, launchd process listens for TCP+UDP 3130 and when request comes in, starts AEServer background process as needed.
      • By default just non-guest users can access. Can limit using Sharing.
    • Screen Sharing – System Screen Sharing (AppleVNCServer)
      • Screen Sharing Methods in OS X:
        • System Screen Sharing
        • Messages Screen Sharing
        • Apple Remote Desktop (ARD).
      • Screen sharing is a subset of ARD remote management service. When Remote Management is enabled, Screen Sharing inaccessible.
      • Modified version of cross-platform Virtual Network Computing – VNC protocol (TCP+UDP5900) that includes clipboard, file sharing and optional encryption (when using ARD or OS X Lion or later).
        • Should integrate with 3rd party VNC solutions.
      • Backwards compatible with OS X 10.5 or later
      • Screen sharing to virtual desktop supported with OS X Lion or newer.
      • By default only administrative users can access. You can optionally specify users/groups to allow access, or allow guest access (either view only or control with password).
      • When attempting to access Mac computer’s screen sharing, current logged-in user must authorize the session.
      • You can access a system’s screen sharing by:
        • Finder, sidebar, shared, select Mac, click Share Screen.
        • Finder, menu, Go, Connect to Server, vnc://<computer>
        • The methods above start the Screen Sharing application. You can also start it directly from /System/Library/CoreServices/
        • Using a 3rd party VNC client.
      • You can connect:
        • By asking for permission
        • As a registered user
        • Using an Apple ID
      • Depending on remote computer’s system, the following three situations can occur:
        • Remote computer not a Mac running OS X
          • You connect to its current screen.
        • Remote computer is Mac running OS X
          • No one logged in.
            • You connect to its current screen.
          • Authenticated as currently logged-in user.
            • You connect to its current screen.
          • Authenticated as different user than the one currently using the Mac.
            • You can choose to log in to a virtual screen or to Share Display with a currently logged on user (user has choice to allow or not).
      • When Screen Sharing application is active, all keyboard commands are sent to the remote computer (including keyboard shortcuts)
    • Screen Sharing – Messages Screen Sharing
      • Messages application can be used for screen sharing while also being able to use voice and instant messages.
      • Supports reverse screen sharing.
      • Does not require Mac to have Screen Sharing enabled.
      • Requires OS X 10.5 or later.
      • Cannot force user to share screen. User decides to allow or not.
    • Screen Sharing – Apple Remote Desktop 3 (ARD) Remote Management
      • Most complete Screen Sharing solution included in OS X.
      • ARD administration software provides advanced functionality: http://www.apple.com/remotedesktop.
        • Remotely gather system information, usage statistics, change settings, add/remove files and software, send UNIX commands, perform almost any management task.
      • ARDagent listens for incoming administration requests (UDP3283).
      • AppleVNCServer listens for screen sharing requests (TCP5900).
      • You can configure who has access and what they are allowed to do.
    • Internet Sharing – NAT (natd), DHCP (bootpd), DNS (named)
    • Bluetooth Sharing
  • Host Network Identification Methods in OS X:
    • IP: used by any network host, configure using Network.
    • DNS name: used by any network host, configure on DNS server.
    • Computer name: used by Mac (AirDrop+Bonjour), configure using Sharing.
    • Bonjour Name: used by any Bonjour host, configure using Sharing.
    • Netbios name: used by any SMB host, configure using Network.
  • AirDrop (peer-to-peer Wi-Fi file sharing service)
    • Only available on newer Mac models.
      • If your Mac is supported, AirDrop can be accessed using Finder, Go, Airdrop (Shift+Command+R). Depending on your preferences, it might also be in the finder sidebar.
    • Scans for AirDrop systems within Wi-Fi range every time you select the window.
      • Both users don’t have to be connected to the same Wi-Fi network.
    • For other systems to show up in AirDrop, the other System must also have the AirDrop window selected in Finder.
    • Icons in AirDrop window are based on Mac computer’s logged-in user account.
    • Name in AirDrop defaults to Mac computer name as set in Sharing. If current logged-in user has Apple ID associated and you have the user in your Contacts.
    • Transfer files by simply drag and drop. Requires confirmation by both parties.
  • Personal Firewall
    • Disabled by default.
    • Enable and configure using Security & Privacy.
      • By default incoming traffic allowed for connections that where initiated from your Mac and for any signed software of enabled service.
    • Firewall options you can configure:
      • Block all incoming connections (except those required for basic Internet services such as DHCP, Bonjour and IPSec).
      • Specify which applications to allow/block incoming conections for:
        • Add/remove applications manually and specify action.
        • Adding/removing services in Sharing, affects the items.
        • When new applications requests network access, you will get a dialog asking whether to allow or deny.
      • Automatically allow signed software to receive incoming connections.
      • Enable stealth mode (do not respond to/acknowledge ICMP ping, etc).
        • Adds complexity when troubleshooting.
    • Traditional firewall uses rules based on service port numbers, which can be troublesome with applications that use dynamic ports. Modern firewall like thatin OS X uses adaptive technology that allows connections based on applications and service needs (also closes ports when not needed anymore).
      • port-based firewall ipfw is still in OS X as well. Use terminal or config files to configure.
    • Firewall logging always enabled. Use Console: /private/var/log/appfirewall.log
  • Shared Service Troubleshooting
    • Determine where the likely cause of the issue is.
      • One client affected, then probably local client issue.
        • Software
        • Hardware
        • Configuration (network, application)
        • User error
        • Authentication
      • More clients affected
        • Might be Mac providing shared service
          • Application/Service
          • Local firewall
          • Software
          • Hardware
          • Configuration
        • Might be network related
          • Network firewall
          • Routing
          • Switch
          • Switches
        • Might be related to other services the shared service depends on (b.e. DNS or LDAP/Active Directory).

Peripherals and Printing

• Peripherals and Drivers
  • Peripheral technologies
    • Peripheral connectivity types
      • Peripheral buses – general pupose to connect external device
      • Expansion buses – expand HW compatibility / extra connect options
      • Storage buses – access storage devices
      • Audio and video connectivity
    • Each connection is specialized for particular communication. Combination of technologies often required for peripheral.
    • Use System Information to view connected peripherals and connection types.
    • Peripheral buses examples
      • FireWire 400/800 (IEEE-1394)
        • Hot-pluggable.
        • Can be daisy-chained.
        • Up to 63 simultaneous devices using hubs.
        • Can supply about 7 watts per port (instead of 2.5 of USB).
        • Standard interface for many digital video devices.
        • Allows Mac to be used in target disk mode without OS.
        • Firewire 400 max 400 Mbit/s, FireWire 800 max 800 Mbit/s.
        • Firewire 800 port backwards compatible with Firewire 400.
        • USB and Thunderbolt are replacing FireWire because it is cheaper and/or better.
      • Universal Serial Bus (USB) 1.1 / 2.0 / 3.0
        • Hot-pluggable.
        • Can be daisy-chained.
        • Up to 127 devices per USB host controller.
        • Most Macs have two external USB host controllers.
        • Port may supply up to 2.5 watts of power (500 mA at 5v) to power device (instead of 7 watts with Firewire).
          • Unpowered hubs split power between ports, usually supplying only 0.5 watts (100 mA) each.
          • System displays warning and disables device if not enough power is available for device. System information displays current available to and desired by device.
        • USB 1.1 , 1.5-12 Mbit/s
        • USB 2.0 , max 480 Mbit/s theoretically in reality lower.
        • USB 3.0 , max 5 Gbit/s , often blue inside of connector.
        • USB versions are backwards compatible.
      • Bluetooth (BT)
        • Short range wireless 1-10m peripheral connection.
        • Standard originally developed by Ericsson for phone headsets. Used for headsets, mice, keyboard, printers, cell phones.
        • Not designed for fast wireless connections like WiFi.
        • Power efficient (works with low power devices).
        • Bluetooth versions:
          • BT 1.2 (712 kb/s)
          • BT 2.1 + Extended Data Rate – EDR (3Mbit/s)
          • BT 3.0 + High Speed – HS (24Mbit/s)
          • BT 4.0 + Low energy support (200kbit/s)
        • Newer Mac systems (2011+) support all BlueTooth versions. Previous Mac compatible with OS X Mountain Lion (without Xserve) support up to 2.1 + EDR.
      • Thunderbolt
        • Provides 2 bidirectional 10Gbit/s channels (20Gbit/s in and 20Gbit/s out simultaneously).
          • Future versions planned to provide up to 100 Gbit/s channels.
        • Up to 10W of power to connected devices.
        • Max cable length 3 meters
          • Optical cabling available soon (100m no power)
        • Combines PCI Express and DisplayPort data into single connection and cable.
        • Supports hub or daisy chain of up to six devices (up to two of these devices being high-resolution displays).
        • One cable can be used for multiple purposes. By example the Apple Thunderbold display is connected with the Mac through a single Thunderbolt cable and provides high-definition digital display, built-in camera, microphone, audio speakers, 3-port USB hub, FireWire port, Gigabit Ethernet port and an additional Thunderbolt port for another display.
    • Expansion Buses examples
      • PCI Express (PCIe)
        • PCIe 1.x (32 Gb/s)
        • PCIe 2.x (64 Gb/s), backwards compatible
      • ExpressCard 34 – based on PCIe and USB (2.5 Gb/s)
    • Storage Buses examples
      • Advanced Technology Attachment – ATA (133 MB/s)
        • Only 2 drives per controller.
      • Serial ATA – SATA
        • SATA300 (3 Gb/s) or SATA600 (6 Gb/s)
        • External SATA (eSATA)
      • Small Computer System Interface – SCSI (320 MB/s)
        • Up to 16 drives per controller
      • Serial Attached SCSI – SAS (3 Gb/s)
        • Up to 16384 devices using expanders
      • Fibre Channel (up to multiple GB/s)
        • Relatively expensive
        • Apple Xsan network storage built around it
    • Audio and Video Connectivity
      • Analog stereo audio
      • TOSLINK digital audio
      • Composite video (640×480)
      • S-Video (640×480)
      • Video Graphics Array – VGA (2048×1536)
      • Digital Video Interface – DVI (1920×1200)
      • Dual-Link DVI – DVI-DL (2560×1200)
      • Mini DisplayPort (3840×2160)
        • Multiple versions with different specs.
        • Thunderbolt uses same connector form factor.
      • High Definition Multimedia Interface – HDMI (3840×2160)
        • Multiple versions with different specs.
  • Bluetooth (BT) peripherals
    • Configure using Bluetooth in System Preferences or using the menu icon.
      • Make sure BT is enabled on your Mac.
      • Options:
        • Turn BT mode on/off.
        • Turn discoverable mode on/off.
        • Enable/disable BT icon in menu bar.
          • In menu bar you can see paired devices, edit settings for these devices and also access general BT settings and preferences.
        • BT sharing setup.
        • Press the + or – icon to add/remove device (including pairing using Bluetooth Setup Assistant).
    • Discoverable mode advertises Mac as BT resource to any device within range. For security reasons only enable when pairing to a peripheral.
    • Paired devices are shown by clicking on the Bluetooth icon in the Menu bar. By clicking on the device you can adjust settings like the name.
  • Peripheral troubleshooting
    • Peripheral Device Classes (based on function)
      • Human Input Devices (HID) – Keyboard, mouse, trackpad, gamepad.
      • Storage devices – hard disk, flash disk, optical drive, iPod.
      • Printers
      • Scanners – Using Image Capture Framework and Image Capture app.
        • Supports both local and shared scanners.
      • Digital cameras
      • Video devices – uses Quicktime framework
      • Audio devices – uses Core Audio framework
    • Peripheral Device Drivers
      • OS is intermediary between peripherals and applications. Application needs to support the device class, while OS handles technical details of communicating with each model of peripheral in that class.
      • Some peripherals are supported via generic class drivers, while others require their own specific driver.
        • Driver needs to be installed before connecting peripheral.
      • Device driver implementations in OS X include:
        • Kernel Extensions (KEXTs)
          • Adds peripheral support at OS X kernel.
          • Load and unload with system automatically.
          • Some are hidden, most in /Library/Extensions or /System/Library/Extensions
          • Examples include HID, storage devices and audio and video devices.
          • Currently loaded KEXTs can be viewed using System Information, Extensions.
          • Mountain Lion is the first OS X version that requires kernel startup in 64-bit mode.
            • Third-party KEXTs that haven’t been upgraded to 64-bit won’t work and will be ignored.
        • Framework plug-ins
          • Adds specific peripheral support to framework.
          • By example adds support for additional scanners and digital camers to Image Capture framework.
        • Applications
          • Application is specifically written for peripheral.
          • By example iTunes for iPod, iPhone and iPad.
    • General Peripheral Troubleshooting
      • Check System Information
      • Check cables and hardware.
      • Try on different computer.
      • Latest driver/firmware  and software?
        • Check System Information Utility, Software – Extensions
        • If latest, try older versions (downgrade) ?
      • Sufficient USB power ?
      • Tried reconnecting peripheral ?
      • Tried using different port, cable, device, etc ?
      • Tried restarting computer ?
      • Tried unplugging other devices ?
• Print and Scan
  • Print system architecture
    • OS X uses Common Unix Printing System 1.6 (CUPS) to manage local printing.
      • Uses Internet Printing Protocol (IPP) for managing printing tasks.
      • Uses PostScript Printer Description (PPD) files as basis for drivers.
        • non-Postscript printers can also be described using PPD.
    • Process
      • User prints, spool is generated in /var/pool/cups, cupsd passes spool through print chain (series of filter process) that transform it to a format understood by the destination printer and sends it to it.
        • When printed from app in GUI or Terminal print command, Portable Document Format (PDF) is generated as spool.
        • When printed from the command line, a PostScript (PS) file is generated.
    • Configure printer settings
      • Associate printer driver with printer device.
        • Default OS X installation only includes Apple and generic print drivers (saves space).
        • Installation requires administrative
        • If you add a printer for driver not available, will download using Apple software update service.
        • Apple supplies driver downloads for most popular models.
        • Preferrably use Apple provided drivers, otherwise download directly from manufacturer.
        • Apple built-in drivers installed in /System/Library/Printers
        • 3rd part in /Library/Printers
          • Primarily in PPD folder, but may differ.
  • Print and scan configuration
    • Configure or check config using Print & Scan preferences.
    • Locally connected printers show local Mac  sharing name as location.
    • When you physically plug in local printer and if administrative user:
      • Auto installs driver if Mac already has driver.
      • Prompted with automatic software update installer if driver isn’t installed, but is available from Apple.
      • Nothing happens auto when driver is unavailable.
    • Configure auto-discovered network printer
      • Must be added manually.
        • From File, Print in any application, printer dropdown box, select auto detected printer.
        • Using Print & Scan.
        • You can add network printer on local network (bonjour, shared on other Mac or AirPort Base station.
        • Apropriate drivers are aquired from Mac that is sharing the network printer.
    • Configure non auto-discovered network printer
      • Must be added manually.
      • From File, Print in any application, printer dropdown box, add printer.
      • Using Print & Scan.
      • Using /System/Library/CoreServices/AddPrinter
    • Add printer window options
      • Default (usb, firewire, network auto detect printer)
      • Fax (select modem port)
      • IP (Line Printer Daemon – LPD, Internet Printing Protocol – IPP, HP JetDirect printer).
        • Might require manual driver specification fom dropdown box Print Using. You can use spotlight to narrow the search.
      • Windows (SMB)
        • Might require manual driver specification fom dropdown box Print Using. You can use spotlight to narrow the search.
    • Print & Scan options
      • Add/remove printer.
      • Set printing defaults (printer + paper size).
      • Open print queue
      • Edit an existing configuration and check supply levels.
      • Open scanner and enable/disable sharing options.
    • From Sharing preference, configure shared printers and user permissions.
      • By default users can re-share printers. In general not desired.
  • Managing print jobs
    • OS X features unified Print dialog that combines previously seperate Page Setup (document size, orientation and scale settings) and Print dialog (all other printer settings).
    • For backwards compatibility, OS X allows older applications to seperate the dialogs.
    • Some applications may use custom dialogs.
  • Basic printing
    • Choose File, Print (or press Command+P) to print.
      • Some apps may bypass the print dialog if Command+P is used.
      • Print dialog often shows preview and starts with default settings.
      • You can override settings like Printer, Copies, Two-Sided, Pages to print, PDF (print to PDF, print to PostScript).
        • Use Show details for more options.
          • Bottom half shows application specific printing settings.
          • You can save print presets.
            • Stored in : ~/Library/Preferences/com.apple.print.custompresets.plist
            • Application specific settings cannot be saved to preset.
            • Manage presets by selecting Show Presets.
  • PDF Tools workflow options:
    • Default: Open PDF in Preview, Save as PDF, Save as PostScript, Fax PDF, Add PDF to iTunes, Mail PDF, Save PDF to Web Recipients Folder.
    • You can manually add PDF workflows to /Library/PDF Services or ~/Library/PDF Services
    • You can create custom PDF workflows using /Applications/Utilities/AppleScript Editor or /Applications/Automator application
  • Managing Printer Queues
    • Access printer queue:
      • If printer queue already open, click Dock icon.
      • Using Print & Scan preferences by selecting device, Open Print Queue.
      • Using finder ~/Library/Printers
        • Drag folder to Dock for easier access.
    • Queue options (re-order job, pause job, delete job, settings and scanner if it’s a multifunctional).
  • Print system troubleshooting
    • Check printer queue (connection issue, paused, stuck jobs)
    • Check page and print settings.
    • Check PDF output of the application because that part in the CUPS workflow might cause an issue. Then it’s generic issue and not specific application printing issue.
    • Check if you can print from another application.
    • Check cabling.
    • Check printer hardware status (visual, menu, tooling).
    • Check phone line and settings for fax issues.
    • Use peripheral troubleshooting techniques for local printers.
    • Use network troubleshooting techniques for network printers.
    • Delete and reconfigure printers.
    • Update/reinstall drivers.
    • Repair installed software disk permissions using the Disk Utility Repair Permissions feature.
    • Review CUPS log files.
      • While in any printer queue application choose Printer, Log & History. Opens Console utility to CUPS error_log. Can also access_log and page_log in /private/var/log/cups
      • Manually open above files using Finder.
      • CUPS error_log may not exist if CUPS service hasn’t yet logged any serious print errors.
    • For advanced print system management and troubleshooting, access Mac CUPS web interface http://localhost:631
    • Reset the entire print system:
      • Print & Scan preferences, secondary click (Control+click) in the printer list and choose “Reset Printing System”.
      • Print & Scan preferences, option+click the minus “-” button.
      • This will clear all configured devices, shared settings, custom presets and queued print jobs.

System Startup

• OS X system startup process fail can have many causes.
• Each system startup stage has audible and/or visible cues.
• System startup stages are:
  • System initialization (processes for OS start) consists of the stages firmware, booter, kernel, system and launchd:
    • Firmware (HW test and initialization and locating and starting booter).
      • Power On Self Test (POST) + UEFI.
      • If POST succesful, startup chime sound, bright flash from power-on light and all displays show light gray background.
      • If POST fails, display may remain blank or off and you may get error codes that can manifest as tones and lights. Meaning differs per model, see http://www.apple.com/support. Firmware passes on any special startup mode instructions to the booter (see startup keys).
        • Check hardware.
        • Check cabling.
        • Go to Apple Store or Apple Authorized Service Provider.
    • Booter, loads system kernel and kernel extensions (KEXTs)
      • By default loads last specified boot file stored in NVRAM.
        • If FileVault 2 is used, system starts with OS X Recovery HD boot where user must enter credentials. Also at the end stage, the user doesn’t have to enter credentials to log on.
      • When found/succesful, dark gray Apple logo on main display.
        • Same is true when using NetBoot and downloading booter file and cached kernel info from NetBoot server. Will also add small dark gray spinning globe icon below Apple icon.
      • If no booter file found, flashing folder icon + question mark is shown.
      • If unable to load kernel, dark gray prohibited sign is shown.
        • If starting Mac from volume containing system the Mac has never booted from, the prohibited icon indicates that the version of OS X on the volume is not compatible with the Mac’s hardware. Only occurs when installing older OS X version to newer Mac, which is not supported.
        • Use Safe Boot (hold shift). Booter attempts startup volume verify and repair (dark gray progress bar). If repairs are necessary, Mac auto restarts before continuing and you need to keep holding down shift. Booter verifies  startup volume again and if ok, loads kernel and essential KEXTs again (using the cleanest and slowest process that clears caches).
      • Booter process: /System/Library/CoreServices/boot.efi
    • Kernel (provides foundation, loads additional drivers and core UNIX BSD).
      • If succesful,dark gray spinning gear below Apple logo on main display.
        • May not be noticeable on new fast models.
      • In most cases kernel is loaded by booter from cached files. It is however also located on system volume at /mach_kernel
      • If unsuccesful, try Safe Boot (hold shift).
        • If unsuccesful, reinstall OS X.
        • If succesful, issue may be 3rd party KEXT. Then start in Verbose mode (Command+V) to identify offending KEXT and move it to quarantine and reboot normally.
          • Can use Target disk mode for moving.
    • System launchd (starts non kernel process launchd that loads rest of system)
      • Process ID (PID) of 1.
        • Kernel_task is its parent process, PID 0.
      • Dark gray spinning gear disappears and white background appears briefly on all displays. If succesful login screen will be shown or the Finder if user is set to auto logon.
        • When using multiple displays you might also notice white flash on secondary display as result of launchd starting WindowServer process.
      • If unsuccesful, login screen may not be shown and/or screen may be stuck at black or white screen.
        • Safe Boot (hold shift), forces system launchd process to ignore 3rd party fonts, launch daemons and startup items.
          • If then it works:
            • Start Verbose mode, find and (re)move offending item(s).
            • Consider removing /Library/Caches.
            • Consider renaming preferences in /Library/Preferences and/or /Library/Preferences/SystemConfiguration
          • If then it still does is does not work:
            • Start Mac in single-user mode (Command+S):
              • verify and repair system volume : /sbin/fsck -fy
                keep repeating until OK.
              • Mount startup volume as read write: /sbin/mount -uw
              • Make changes like removing suspicious file.
              • Start up the system by entering the exit command or shutdown using shutdown -h now
            • Re-install OSX
      • Launchd preference files in /Library/LaunchDaemons and /System/Library/LaunchDaemons
      • Apple encourages use of launchd for all auto started processes, but legacy startup routines are supported as well:
        • Traditional Unix : /etc/rc.local (not included in OS X default)
        • launchd also starts /sbin/SystemStarter process that manages system processes as with legacy OS X startup items.
          • OS X has no built-in startup items, but SystemStarter looks in /System/Library/StartupItems and /Library/StartupItems
      • You can view the processes that are loaded by launchd using Activity monitor and selecting “All processes, hierarchically” from the dropdown box.
  • User session with the stages:
    • loginwindow process (started by launchd)
      • Launches the Dock and the Finder.
      • Can run as background process and a graphical interface application.
        • maintains user session.
  • Owned by root if no user logged on. Otherwise owned by user.
  • /System/Library/CoreServices/loginwindow.app
    • Prefer. : /Library/Preferences/com.apple.loginwindow.plist
  • loginwindow + opendirectoryd process authenticates user.
  • After login, loginwindow process runs in background
  • If loginwindow process not able to initialize the user environment:
    • User will never be given control of GUI
    • Desktop background may be shown, but Dock, Finder and applications do not load.
    • May seem that session starts, but login screen reappears.
    • Try Safe Mode login:hold shift while clicking “Log In”.
      • Does not auto open user defined login items or applications set to resume.
      • Does not start user-specific Launch Agents.
        • If Safe Mode login is succesful, consider modifying /Library/LaunchAgents and/or ~/Library/LaunchAgents
        • If Safe Mode login unsuccesful, try user account troubleshooting steps.
  • User launchd (user-specific instance started when user is authenticated)
  • If fast-switching enabled, additional loginwindow and launchd started.
  • User’s loginwindow and launchd process set up GUI by:
    • Get account info from opendirectoryd and apply settings.
      • OpenDirectory stores localuser accounts in /var/db/dslocal/nodes/Default
    • Configure mouse, keyboard, sound using user preferences.
    • Load user preferences, environment variables, devices, file permissions and keychain access.
    • Open Dock, Finder and SystemUIServer (responsible for UI elements like menu extras on right side of menu bar).
    • Auto open user’s login items.
    • Auto resume applications that were open before last logout.
  • Differences between various autostarting mechanisms:
    • launch daemons
      • Start at system initialization by root launchd.
    • startup items
      • Start at system initialization by root launchd.
    • launch agents
      • Start at system initialization by user launchd.
      • Mostly started at user environment initialisation, can also be started afterwards or on regular repeating basis as needed.
      • /System/Library/LaunchAgents , /Library/LaunchAgents or ~/Library/LaunchAgents
    • login items
      • Start at system initialization by user launchd.
  • User environment
    • User’s launchd+loginwindow process stay active while user logged in.
    • Loginwindow process monitors user session by:
      • Managing logout, restart and shutdown procedures.
      • Managing Force Quit Applications window.
      • Writing standard-error output to user’s console.log file.
    • Launchd process process monitprs user session by:
      • Restarting applications that remain open while the user is logged in. By example Finder and Dock.
      • If user’s loginwindow process is ended, all user’s applications and processes quit without saving changes. Then launchd process auto restarts loginwindow process as if Mac had just been started up (login screen or auto logon).
  • Sleep modes, logout and shutdown
    • Generally user intitiated using Apple menu or the physical power button.
      • Process or application can also initiate these actions:
        • Restart after install with Installer or Mac App Store app.
        • Energy Saver preference with e.g. auto sleep.
        • Auto logout after inactivity as set in Parental Controls.
    • Sleep does not quit open processes, while logout and shutdown does.
      • OS X feature Auto Resume is enabled by default and reopens user’s items to their previous state upon login.
      • Safe Sleep is supported on all OS X mountain Lion compatible portable Macs. They also copy entire contents of system memory to an image file on the system volume. This way no data is lost when the Mac runs out of battery power.
        • When restarting from safe sleep mode, a light gray version of Mac screen is shown together with a small progress bar. If FileVault 2 is used, credentials need to be entered first.
      • Power Nap
        • Supported for Mac systems mid 2011 or later with all flash storage.
          • SSD and Flash Storage are not the same. Flash storage is directly connected while SSD are connected to a controller instead.
        • Allows Mac to occasionally wake to low-power mode. Also known as dark wake (no display, only background tasks).
        • Many built-in OS X apps and services support Power Nap. Including Mail, Contacts, Calendar, Reminders, Notes, documents in iCloud, Photo Stream, Mac AppStore Updates, Time Machine Backup, Find My Mac updates, VPN on demand and MDM configuration profiles.
        • Power Nap only updates apps running when sleep initiated.
        • Enabled by default when Mac connected to power adapter. Can optionally be enabled when running on battery power.
          • When power level is 30% or less, Power Nap will be suspended until connected to power adapter.
        • After sleep, will wait 30 minutes before dark-waking. Then dark-wakes every hour. Update frequency varies per app.
        • Power Nap log at /var/log/zzz.log
        • Some Macs require firmware update to support Power Nap.
      • Logout
        • loginwindow process issues Quit Application event to all applications.
          • Applications that support OS X Auto Save and Resume save open documents and quit app.
          • Otherwise app asks user to save documents.
          • If the document save or application quit is not completed in 45 seconds, logout will be aborted.
          • If application quit is complete, background processes and GUI session quit, logout scripts are run and logout is written to main system.log
          • When logging out (not shutting down or restarting), new loginwindow process is started.
      • Shutdown and Restart
        • loginwindow process Logs out current user.
        • If other user logged in with fast user switching, enter administrative user authentication before forcibly quiting.
        • After all users logged out, issue quit to remaining processes
        • When all processes are quit, kernel stops system launch and shuts down the system.
          • If system not shut down, wait a while. After that, force by holding down power button.
        • If restart issued, computer firmware begins startup process.
          • With restart, full POST is not performed.  So when troubleshooting hardware, Shut Down.
• Diagnose startup issues
  • Startup shortcuts
    • If Mac firmware password is set, all startup shortcuts are disabled except for the Option key for Startup Manager that will prompt for the password.
    • Some hardware may not support startup keys (e.g. Bluetooth wireless keyboards). Keep wired USB keyboard / mouse nearby.
    • Startup shortcuts to select other system:
      • Option – Startup Manager.
      • C – Boot CD/DVD.
      • D – Start Apple Hardware Test partition on first restore DVD.
      • Command-Option-D – Start Apple Hardware test using internet connection to Apple Servers.
      • N – Start from last-used Netboot server, if none then from default Netboot server.
      • Option+N – Start from default Netboot server.
      • Command+R – Start from local OS X recovery if available, otherwise OS X internet recovery.
      • Command+Option+R – Start from OS X internet recovery.
    • Startup shortcuts to modify OS X default startup
      • Shift – Safe Boot
        • OS X diagnostic modes cannot be used on systems with FileVault 2 enabled. For more info, see this KB.
      • Command+V – Verbose mode. Shows startup progress.
      • Command+S – Single user mode. Starts only core kernel and BSD Unix functionality.
        • You’ll be logged in as root.
        • Get processes using: “ps -ax”
        • Test local TCP/IP stack using: ping -c2 127.0.0.1
          • -c2 is 2 pings.
          • Without -c2 will continue to ping until CTRL+C.
        • Examine system log file using: “less +G /var/log/system.log” b = backwards, space = forward, q = quit.
        • Change to directory  /var/db : “cd /var/db”
        • Remove file using : “rm <file>”
    • Other Startup Utilities
      • T – Target disk mode
        • Alternatively you can go to System Preferences, Startup Disk, Target Disk Mode to restart in Target Disk Mode.
      • Command+Option+P+R – Reset NVRAM settings and restart.
      • Eject, F12, mouse or trackpad – Eject removable media.

Unfortunately, there is not much information about the distribution. This is because their website is still under construction, since it was set up two days ago.

An email arrived at Phoronix this morning that the ArchBSD.net web-site is now online. This new site looks just like ArchLinux.org, but Linux references are replaced by BSD. Right now there isn’t too much information available on Arch BSD, but the news from this week states that a test ISO should be available shortly. 

While information is limited, it doesn’t appear to be a very haphazard idea. There’s references to Arch BSD going back to mid-2012 in the Arch Linux forum that appear to be by the same developer.

It appears the Arch BSD concept began in June of last year. As far as why Arch Linux is being gutted of the Linux kernel and replaced by FreeBSD, the developer wrote, “Why would I do this? If like me, you enjoy FreeBSD and love it, but also like the philosophy behind Arch Linux, which is a fast, lightweight, optimized distro, I figured why not combine the both. Even tho you could just do it on FreeBSD using the ports, not everyone wants to compile.”

There is a GitHub repository that seems to be by the same developer and for his operating system attempt. “Welcome to the ArchBSD project, currently work is still under process and there is still quite a bit of work to be done. However I am approaching to release a test ISO soon after months of work. The ArchBSD project focuses on using ArchLinux package manager on the FreeBSD distribution, to provide optimised, up to date package for FreeBSD users. This project has also chose to use Gentoo’s OpenRC init system as opposed to the default init system used by FreeBSD. Which personally I think provide a benfit of speeds and features otherwise not present in the current RC scripts.”

The most recent activity in that Arch BSD script repository is just over one week old and has lineage going back to mind-June of 2012.

For those curious about the differences between Arch and FreeBSD, there’s this Wiki comparison page written from the perspective of Arch.

The Arch BSD concept is very similar to that of Debian GNU/kFreeBSD, the pairing of the Debian GNU user-land with the FreeBSD kernel. With the last release of Debian (Squeeze), the Debian GNU/kFreeBSD port reached a rather usable state and continues to progress nicely. Debian Wheezy is also much improved for GNU/kFreeBSD.

Another similar attempt has been Gentoo/FreeBSD to have a FreeBSD-based Gentoo operating system, but that effort really hasn’t gotten off the ground compared to Debian’s work. “Gentoo/FreeBSD (or Gentoo/FBSD, or G/FBSD) is an effort to create a complete FreeBSD-based Gentoo system, sharing the complete administration facilities of Gentoo with the reliability of the FreeBSD kernel and userland. An experimental, yet incomplete release have been done, and it’s possible to install Gentoo/FreeBSD following the install guide. This project is still in its infancy. If you are interested in working on it, please send an email to the Gentoo/*BSD team.”

I have an immediate need for a Support Technician and Systems Analyst! This is a full-time, direct-hire position with an amazing client that develops highly-lauded data analytics software products.

Two Jobs: Systems Analyst and Unix engineers

Responsibilities

• Evaluate, design, implement, and maintain core IT infrastructure solutions
• Provide day-to-day support operations for back-end infrastructure (AD, Exchange, Internal Apps, Client Management, etc.)
• Solve advanced issues escalated from Desktop Support
• Deploy and maintain VTC infrastructure
• Manage backup and restore operations
• May include: Imaging Laptops, building and configuring servers, logistical support, onsite support.
• Conference Tradeshow support

Requirements

• 3+ years of relevant experience with MS Windows Active Directory and Exchange administration.
• 2+ years of scripting or development experience
• Basic to Intermediate UNIX or Linux
• Troubleshooting & Infastructure Building
• Can wear many hats.
• Demonstrated strong organizational, documentation, interpersonal, and decision making skills.

*Positions available in Palo Alto, New York, Washington DC, Canberra, UAE and London.

Contact for consideration:

David Scalisi |Email |David.C.Scalisi@Gmail.com

To view my other open positions, please goto The Purple Squirrel Home Page

Related articles

• Addendum
• Hottest Careers for College Graduates (bigfuture.collegeboard.org)
• Looking For A New Job In 2013? Here Is What Career Builder Says Will Be The Best Jobs. (hothits957.cbslocal.com)
• IT Security Manager (purplsquirrel.wordpress.com)
• How Hiring: Principal Software Engineer (networkprogrammingjobs.wordpress.com)
• Don’t Hire the Perfect Candidate (365newsng.wordpress.com)
• Three Pharmacy Technician Career Paths (answers.com)

AMAZING START-UP HIRING QA, SWQE, SOFTWARE ENGINEERS.

Related articles

• How Hiring-IT Jobs in QA, Software Engineers (networkprogrammingjobs.wordpress.com)
• QA:Recognition (fedoraproject.org)
• NowHiring: Senior Software Developer (purplsquirrel.wordpress.com)
• Job Opportunity – QA Engineer – London (covestor.com)
• Deployment SEO Strategy and Checklist | SEOmoz (seomoz.org)
• QA/Execution/Web Testing/Automation/Pip Requirements (wiki.mozilla.org)
• Job Opportunity – Senior Front End Engineer – London (covestor.com)

• How do you prevent the next $65B Ponzi scheme?
• How do you take down human trafficking networks?
• How can we help borrowers avoid foreclosure on a massive scale/stabilize housing?
• How can you prevent fraud in Medicare?Can you help governments save billions/find ways to cut spending?

If you are ready to accept the challenge we are ready to hear from you.
We are looking for members for a QA Team who are energetic, highly motivated, passionate smart and detail-oriented. In this role, you will be responsible for testing a world-class information analysis platform to make sure a successful product release. Your duties will include running test scripts, validating functionality, filing and verifying defects, and testing software for scale. This is an opportunity to join a fast growing start-up and play a real role in ensuring a successful product release.

Responsibilities

• Run test cases based on functional requirements
• Perform regression/verification testing
• File defects and verify fixed defects
• Test software for scale
• Deliver maintenance testing on time

Requirements

• BS in Engineering/CS, Information Systems, or equivalent
• Excellent analytical skills and attention to detail
• Strong problem solving and troubleshooting skills
• Ability to work in a fast-moving environment with quick turnaround goals
• Excellent teamwork skills
• Excellent written and verbal communications skills

Contact for consideration:

David Scalisi

Email Me!

To view my other open positions, please goto The Purple Squirrel Home Page

Related articles

• Addendum (shizen008.wordpress.com)
• Business Insider Is Looking For A Part-Time QA Engineer (businessinsider.com)
• Ubuntu Classroom: QA Introduction to Manual Test Cases class (ubuntuclassroom.wordpress.com)
• Dev vs QA: Should There Be a Difference? (architects.dzone.com)
• Why Software Testing Environment Should be on VirtualBox / Vmware (tech.gaeatimes.com)
• Magic Software Enterprises and QualiTest Team to Provide Manual and Automated Testing Services to Magic Customers (prweb.com)
• Continuous Improvement (GroupOn, Palo Alto 2013) (slideshare.net)
• Dev vs QA, should there really be a distinction? (javacodegeeks.com)
• QA/Execution/Web Testing (wiki.mozilla.org)

/usr/local % ln -s maven-2.1.0 maven
/usr/local % export M2_HOME=/usr/local/maven
/usr/local % export PATH=${M2_HOME}/bin:${PATH}

So what you have done is adding th bin directory of the maven binary to the command path.
Add the last two lines of export path to .bash_login which will run every time you log in to the machine.

The installation instructions are same for OSX Tiger and Leopard. I believe after Maven 2.0.6, there is a shipment of XCode along with the binary. If you have XCode, run mvn from the command line to check availability. XCode installs maven in usr/share/maven.

The same procedure is what is need to be followed if maven has to be installed in a linux machine or in Open BSD.

Here’s a small snippet in Perl which only calls du once and then sorts it. Wrapped in a shell function, which can be put in your .rc (.bashrc) for convenience:

function ds() {
        du -sh "$@" | perl -e '
                %byte_order = ( G => 0, M => 1, K => 2, k => 2, 0 => 3 );
                print map { $_->[0] } sort { $byte_order{$a->[1]} <=> $byte_order{$b->[1]} || $b->[2] <=> $a->[2] } map { [ $_, /^\s*[\d.]+([MGKk0])/, /^\s*([\d.]+)/ ] } <>'
}

(this is a changed version of http://ubuntuforums.org/showthread.php?t=885344#7).

Usage:

% ds .
195M .

or

% ds /boot/*
293M /boot/GENERIC
293M /boot/kernel
386k /boot/zfsloader
258k /boot/loader
258k /boot/pxeboot
65k /boot/zfsboot
38k /boot/gptzfsboot
35k /boot/support.4th
25k /boot/defaults
16k /boot/gptboot
15k /boot/loader.help
8.5k /boot/beastie.4th
8.5k /boot/boot
8.0k /boot/boot2
6.5k /boot/loader.4th
3.5k /boot/zfs
3.0k /boot/frames.4th
2.0k /boot/cdboot
1.5k /boot/device.hints
1.5k /boot/firmware
1.5k /boot/loader.conf
1.5k /boot/modules
1.5k /boot/screen.4th
1.0k /boot/boot0
1.0k /boot/boot0sio
1.0k /boot/boot1
1.0k /boot/loader.rc
1.0k /boot/mbr
1.0k /boot/pmbr

The purpose of this guide is to build a jail friendly host system using FreeBSD 9.1-RELEASE. The host system will run on a “root on ZFS” mirror using GPT. We will also use OpenNTPD (from ports) to keep correct time across the host/jails. Jail administration will be done using ezjail (from ports).

This is not a guide for configuring/securing FreeBSD, nor is it a guide for the advanced use of jails/ezjail.

*** THE HOST SYSTEM ***

Boot from the FreeBSD media as per usual. Choose Install, select your keyboard, set a hostname. When you get to the “optional systems components” screen make sure to pick “src” (System Source Code) as this is required to build jails. You can pick whatever else you think you’ll need, but I suggest not installing “ports” the Ports tree, as we will grab and extract this later on.

At the “Partitioning” screen drop to the shell. We will now configure a ZFS mirror with 8GB swap per drive (swap is not mirrored to increase performance).

# gpart create -s gpt ada0
# gpart create -s gpt ada1
# gpart add -s 222 -t freebsd-boot -l boot0 ada0
# gpart add -s 8G -t freebsd-swap -l swap0 ada0
# gpart add -t freebsd-zfs -l disk0 ada0
# gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 ada0
# gpart add -s 222 -t freebsd-boot -l boot1 ada1
# gpart add -s 8G -t freebsd-swap -l swap1 ada1
# gpart add -t freebsd-zfs -l disk1 ada1
# gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 ada1
# kldload opensolaris
# kldload zfs
# zpool create -f -o altroot=/mnt zroot mirror /dev/gpt/disk0 /dev/gpt/disk1
# zfs set checksum=fletcher4 zroot
# zfs create -o compression=on -o exec=on -o setuid=off zroot/tmp
# chmod 1777 /mnt/tmp
# zfs create zroot/usr
# zfs create zroot/usr/local
# zfs create zroot/usr/jails
# zfs create -o setuid=off zroot/home
# zfs create -o compression=lzjb -o setuid=off zroot/usr/ports
# zfs create -o compression=off -o exec=off -o setuid=off zroot/usr/ports/distfiles
# zfs create -o compression=off -o exec=off -o setuid=off zroot/usr/ports/packages
# zfs create -o compression=lzjb -o exec=off -o setuid=off zroot/usr/src
# zfs create zroot/usr/obj
# zfs create zroot/var
# zfs create -o compression=lzjb -o exec=off -o setuid=off zroot/var/crash
# zfs create -o exec=off -o setuid=off zroot/var/db
# zfs create -o compression=lzjb -o exec=on -o setuid=off zroot/var/db/pkg
# zfs create -o exec=off -o setuid=off zroot/var/empty
# zfs create -o compression=lzjb -o exec=off -o setuid=off zroot/var/log
# zfs create -o compression=gzip -o exec=off -o setuid=off zroot/var/mail
# zfs create -o exec=off -o setuid=off zroot/var/run
# zfs create -o compression=lzjb -o exec=on -o setuid=off zroot/var/tmp
# chmod 1777 /mnt/var/tmp
# exit

The operating system will now install, once this is complete continue on with the post installation setup. Set a root password, configure the network, set the timezone.

When you arrive at the “System Configuration” screen select any services you need, but DO NOT SELECT NTPD, this is not jail friendly. We will configure a jail friendly NTPD service from ports further on in this guide.

Continue with the post installation, enable crash dumps if you wish, add users to the host system if needed, make any changes required. Once you arrive at the “Complete” screen DO NOT REBOOT. We will now use the FreeBSD Live CD to complete the ZFS configuration.

Select Live CD and login as root.

# echo ‘zfs_enable=”YES”‘ >> /mnt/etc/rc.conf
# echo ‘zfs_load=”YES”‘ >> /mnt/boot/loader.conf
# echo ‘vfs.root.mountfrom=”zfs:zroot”‘ >> /mnt/boot/loader.conf
# vi /mnt/etc/fstab

Edit /mnt/etc/fstab so it looks like this:

Quit vi, and continue on.

# zfs unmount -a
# zpool export zroot
# zpool import -o cachefile=/tmp/zpool.cache -o altroot=/mnt zroot
# zfs set mountpoint=/ zroot
# cp /tmp/zpool.cache /mnt/boot/zfs/
# zfs unmount -a
# zpool set bootfs=zroot zroot
# zpool set cachefile=” zroot
# zfs set mountpoint=legacy zroot

You may get errors on the following “zfs set mountpoint” commands, these can be ignored.

# zfs set mountpoint=/tmp zroot/tmp
# zfs set mountpoint=/usr zroot/usr
# zfs set mountpoint=/var zroot/var
# zfs set mountpoint=/home zroot/home
# zfs set readonly=on zroot/var/empty
# reboot

FreeBSD is now configured to use ZFS on root. Once rebooted login as root and we will continue configuring the host.

A jail host must have its services only listening on the host ip. You can check which services need to be fixed by doing the following.

# sockstat | grep “\*:[0-9]“

This guide is for a basic jail host only running sendmail, syslogd and ssh from the base system. We will also add ntpd from ports. These services will all run jail friendly by the end of this guide.

By default we only require 2 ports to get the jail host up and running. These are /usr/ports/sysutils/ezjail/ and /usr/ports/net/openntpd/.

# portsnap fetch extract
# cd /usr/ports/sysutils/ezjail/ && make install clean
# cd /usr/ports/net/openntpd/ && make install clean

Once these ports are installed we will make the host jail friendly.

First edit /etc/ssh/sshd_config and uncomment and edit the ListenAddress line with the hosts IP:

#Port 22
#AddressFamily any
ListenAddress 192.168.1.100
#ListenAddress ::

Everything else will be configured in /etc/rc.conf. These are my settings, be sure to edit/configure for your setup:

hostname=”host.jailserver.net”
ifconfig_bge0=” inet 192.168.1.100 netmask 255.255.255.0″
# Jail interface aliases
ifconfig_bge0_alias0=”inet 192.168.1.101 netmask 255.255.255.0″
defaultrouter=”192.168.1.254″
sshd_enable=”YES”
# Set dumpdev to “AUTO” to enable crash dumps, “NO” to disable
dumpdev=”AUTO”
zfs_enable=”YES”
ezjail_enable=”YES”
openntpd_enable=”YES”
# Make host jail-friendly
inetd_enable=”NO”
# uncomment if inetd needed
#inetd_enable=”YES”
#inetd_flags=”-wW -a 192.168.1.100″
rpc_bind_enable=”NO”
sendmail_enable=”NO”
syslogd_enable=”YES”
syslogd_flags=”-s -b 127.0.0.1″

You can add as many interface aliases as required under “# Jail interface aliases”, these are IP addresses that the jails will use.

Now we will configure ezjail to use the ZFS filesystem, and create a new filesystem for each jail. Edit /usr/local/etc/ezjail.conf and uncomment/edit the following:

# Setting this to YES will start to manage the basejail and newjail in ZFS
ezjail_use_zfs=”YES”
# Setting this to YES will manage ALL new jails in their own zfs
ezjail_use_zfs_for_jails=”YES”
# The name of the ZFS ezjail should create jails on, it will be mounted at the ezjail_jaildir
ezjail_jailzfs=”zroot/usr/jails”

If you are interested in locking down your jail directories from normal users you can change /usr/jails permissions.

# chmod 700 /usr/jails

Now we need to run “buildworld” so ezjail can populate jails.

# chflags -R noschg /usr/obj/*
# rm -rf /usr/obj/*
# cd /usr/src
# make buildworld

Go watch a movie this is going to take a while.

Once “buildworld” is complete we will create ezjail’s basejail and templates.

# ezjail-admin update -i -p

Once this is done it is best to reboot to make sure the host is completely jail friendly.

# reboot

When the system comes back up log on as root and run the following:

# sockstat | grep “\*:[0-9]“
#

If sockstat just drops you back to the prompt your system is 100% jail friendly and we’re ready to move on to configuring a jail.

*** THE JAILED SYSTEM ***

By default ezjail will only have 1 “flavour” available “newjail”. We will tweak this a bit to make things easier when building jails.

# cp /etc/localtime /usr/jails/newjail/etc/
# cp /etc/resolv.conf /usr/jails/newjail/etc/

Now it’s time to build a jail, we will use the interface alias IP address we configured on the hosts /etc/rc.conf:

# ezjail-admin create jailname.jailserver.net 192.168.1.101

That’s it the jail is installed, but we will need to restart ezjail to pick it up.

# /usr/local/etc/rc.d/ezjail restart

Now let’s log on to the jail:

# ezjail-admin console jailname.jailserver.net

This will log you in as root, you can now configure the jailed system as required. So let’s edit /etc/rc.conf and enable ssh, we will also configure syslogd to not listen:

sshd_enable=”YES”
syslogd_flags=”-ss”

Just like the host, the jail’s services must only listen on their own IP. So be sure to edit /etc/ssh/sshd_config:

#Port 22
#AddressFamily any
ListenAddress 192.168.1.101
#ListenAddress ::

Don’t forget to set a root password, add users, you can also use ports at this point or do any normal configuration. Once you are done exit from the jail and you’ll be back on the host. Restart ezjail and you can log in using ssh as per any normal FreeBSD install.

# /usr/local/etc/rc.d/ezjail restart

Now a few tips.

*** EZJAIL TIPS ***

To stop|start|restart a jail you do /usr/local/etc/rc.d/ezjail stop|start|restart jailname.jailserver.net for example.

# /usr/local/etc/rc.d/ezjail stop jailname.jailserver.net

To delete a jail.

# /usr/local/etc/rc.d/ezjail stop jailname.jailserver.net
# ezjail-admin delete -w jailname.jailserver.net

To update the ports tree for all installed jails. This can be done while the jail is running.

# ezjail-admin update -P

Anyway that’s it, check out the ezjail man page to get more information on ezjail’s options.

So i decided to reverse protocol using wire-shark and Java decompiler. It was found that communication is not encrypted, only protection is MD5 of the agent PIN (in WIFI mode). Every packet contains from “magic” header, command type, status field and (optionally) data field. My goal is to write utility to backup/restore contacts book and calendar (yes, i don`t want to store it on google) and, possibly to make a GUI for offline browsing/editing.

Right now client is in very early stage and only able to connect to device (WIFI) and request some information. Patches, comments and suggestions are welcome.

Prototype is hosted on github – https://github.com/samm-git/one_touch_993D_gsm/blob/master/android_manager_client.pl

Talvez esse não seja o melhor espaço para discutir isso, mas não consigo me “segurar” com tantos argumentos.

Sim, posso acreditar que o Android seja realmente ‘melhor’ que o iOS, posso concordar que a ‘liberdade’ de instalar qualquer coisa seja realmente sedutor.

Há uma série de parâmetros verdadeiramente atraentes e sustentáveis que torna o Android um sedutor smartphone. Eu mesmo tenho imensa vontade de aprender a programar nesta plataforma, tenho desejo e meta. Neste ano de 2013, vou estar apto para desenvolver aplicativos nesta plataforma.

Agora, somos obrigados a reconhecer, a plataforma do Android pode ter inúmeros atrativos, liberdades e etc, mas em níveis de segurança, oferece muito mais brechas em falhas do que a plataforma iOS.

Não é à toa que mais de 100000 (cem mil) aplicativos para Android, atuam de forma ilícita, ameaçando a segurança e privacidade do conteúdo do smartphone. Não sou eu quem afirmo, mas os mais renomados sites de segurança da informação.

Não é em vão, que tal liberdade nesta plataforma, permitiu a criação de vírus, permitiu inclusive a criação de programas anti-vírus, para “eliminar” qualquer ameaça.

Isso tudo então, gera em torno do mercado capitalista. Você tem um smartphone, tem seus dados, corre risco de vírus e para isso, compra um programa de anti-vírus. Me parece uma “venda casada”, para uma liberdade subjetiva. Não que situações similares tenham ocorrido na plataforma iOS, mas a Apple teve a iniciativa (após tomar conhecimento) de impor aos desenvolvedores, condições para que o acesso à itens de privacidade fossem informados quando acessados. Muitos aplicativos foram banidos da AppStore e/ou re-escritos pelo desenvolvedor, para se enquadrar nas condições estabelecidas. Contudo, os mais de 100000 aplicativos do Android, foram solucionados?

Não quero levantar a bandeira pró Apple. Não ganho nada por isso.

Mas me vejo obrigado a fazer escolhas, opções e decidir o que seria “menos ruim” para mim.

Existe duas coisas básicas em Tecnologia da Informação, assim como em várias situações da vida: – O ideal e o possível. Sim, existem outras tantas variáveis que permitem outras tantas opções.

Da mesma forma que nosso amigo em comum, o Mandic, sempre abraça um desafio quando ouve um “impossivel fazer isso/assim/etc”, eu concordo em gênero, número e grau com ele. Sempre abraço os desafios também. No entanto, enquanto não consigo superar o desafio do “impossível”, vou me adaptando ao que tenho em mão, possível de alcançar e fazer naquele determinado momento.

Dizer que tal plataforma é melhor que a outra, é uma discussão sem fim. É a mesma coisa em discutir se o Windows da Microsoft é melhor que o Linux, da comunidade open source. Acredito que cada plataforma tem o seu melhor, para determinada função, determinada fatia, público e objetivo. Da mesma forma, vale ao discutir se o Linux, FreeBSD, OpenBSD e NetBSD quem é melhor que o outro. Cada qual tem o seu bom e o seu melhor.

Polemizar sobre as imposições que a Apple coloca na plataforma é deixar de discutir também o quanto “boazinha” a Google é com as pessoas. Ora, permitir serviços gratuitos, sempre tem um custo real nisso. Pode-se não pagar financeiramente de forma direta, mas paga-se muitas vezes com um prejuízo financeiro, muitas vezes imperceptível diretamente em nosso dia-a-dia.

Da mesma forma que Dan Brown abriu um leque de situações, imediatamente não aceitas pela grande maioria (a possível existência de uma descendência de Jesus de Nazaré – o Cristo, por exemplo), pela história (nos ensinada) que muitos conhecemos, sobre itens que ao longo de nossas vidas foram transmitidos de forma diferente. É necessário observar que o comportamento “bonzinho” que a Google transmite, pode funcionar como uma “faca de dois gumes”, ou seja, a Google pode, como companhia, estar fazendo a mesma estratégia que o filme Matrix sugeria. Então, escolher entre quem impõe uma série de itens e quem dá total liberdade, pode ser uma decisão lógica (e induzida), mas equivocada. O tanto de informação processada e armazenada pelo Google, por si só, assusta muito. Talvez saibam mais de cada um de nós, do que nós mesmos.

Sempre há um preço a ser pago, direta ou indiretamente.

Muitos ficam maravilhados quando abrem seu aplicativo de Google Maps e no último zoom, consegue ver a vista da rua, conhecida como “street view”. Realmente é uma facilidade imensa, considerando que em uma viagem ao estrangeiro, por exemplo, ter a facilidade de ver a imagem de onde deseja ir, facilita muito, principalmente quando se tem o receio que o motorista do táxi poderá querer cobrar à mais (caso do Brasil, China, México e tantos outros países). Eu mesmo utilizei várias vezes, logo que me mudei para Tokyo, onde o endereçamento foge dos padrões de nome da rua, número do imóvel; similares ao que temos no Brasil ou Estados Unidos (na ordem invertida), aqui, é pelo nome do bairro, subdivisão do bairro, número da quadra e nome do prédio. Difícil entender, mas obrigatório compreender quando se mora por aqui.

Por muito tempo, ouvia críticas que a plataforma o iOS não suportava o tão admirado ‘flash’, tornando impossível assistir vídeos no iPhone. Eu mesmo, lembro o quanto “emputecido” fiquei quando descobri, em 2007, que não iria poder assitir, no iPhone, aos vídeos que estava acostumado assistir pelo browser, pois dependia do flash e “ainda” não tinha uma versão para o iPhone (sic). A própria Adobe, parceira da Apple na plataforma de desktop, insistia que o flash para móbile era viável, confiante e estável, entre outros itens. Mas a Apple, “batia o pé” também, afirmando que seria necessário melhorar muito o flash para torná-lo viável no iOS. A Adobe no entanto, depois de muito custo e inúmeros adiamentos, admitiu que o flash realmente era pesado e prejudicial nas plataformas móveis, decidindo assim, não dar continuidade ao suporte deste produto para quaisquer dispositivo móvel. Neste caso, creio então, que a Apple teria razão? Ou não? Quem sou eu para julgar…

A insistência da Apple em apontar para novas soluções, capazes de suportar vídeo em dispositivos móveis, fez aperfeiçoar recursos pouco explorados até então (html5), por exemplo. Hoje, já é capaz de pessoas simples, com nenhum conhecimento de T.I., a assistir sua novela preferida no iPhone. Essa mesma insistência, sob o prisma do “impossível”, muitas vezes defrontados pelo Mandic, apontou para soluções até então inexistentes. É por essa razão (creio eu) que o Mandic sempre declara em suas entrevistas, que não gosta do termo “impossivel” fazer. Ele sempre se empenha em fazer, ainda que acabe encontrando uma solução até então inexistente.

Volto a insistir, não estou levantando a bandeira pró Apple, nem abraçando uma causa, mas agindo como “Advogado do Diabo”, abrindo situações onde outros pontos de vista devam ser considerados antes de debandar discussões infinitas e improdutivas.

Grato pelo desabafo.

Publiquei este texto, o qual escrevi inicialmente em um grupo fechado, no Facebook, sobre testes de aplicativos, envolvendo iOS e Android.