One thing that I love about Octopress is that the support is GREAT! I’ve posted several questions in the past month while troubleshooting new features with Octopress, with Brandon Mathis providing quick, easy to understand, and pleasant replies. You also have the resources of other Octopress/Jekyll users and their plugins to enhance your site, such as adding Flickr images or embedding Twitter posts by referencing their unique identifier. This is all done by using each third party’s (Flickr or Twitter) developer environment.

Twitter API Token

I wanted a plugin that would pull a tweet and display it as if it were being viewed in a browser (as seen on this post). My quick Google searching turned up this Jekyll plugin, https://github.com/rob-murray/jekyll-twitter-plugin, which seemed perfect as it is a gem that can be declared in the Gemfile rather than a plugin file to install. The only change I needed to make from the setup documentation was that the gem has to be declared inside the group :jekyll_plugins do block rather than in the main list (see my current Gemfile as the example). The Twitter plugin performs the API calls, pulls the tweet as desired, and displays it perfectly (example as illustrated in the jekyll-twitter-plugin’s README.md).

In order to place API calls to Twitter you need to create an API application by going to https://apps.twitter.com/app/new and filling out their form. Once it’s complete you can see your new App listed in the https://twitter.com/settings/applications section on your Twitter account. Your new app has four important items to make API calls:

  • consumer_key
  • consumer_secret
  • access_token
  • access_token_secret

To use these tokens you have two choices: export them into your shell environment or declare them in your Octopress configuration. I personally use the fish shell, and for whatever reason I couldn’t set the variables correctly, so I had to attempt option #2. But wait! That means my super-secret, special, precious keys may end up public as I push my code changes to a GitHub repo (for better support by Brandon)! That won’t work! I did a little more research and found that Jekyll can read multiple .yml files to build or serve a site by passing a comma-separated list to the -c flag; keys in later files override the same keys in earlier ones. Example (see footnote 1):

jekyll s -c _config.yml,_AccessKeys.yml,_localhost.yml --drafts

I then created a _AccessKeys.yml that now stores all my API tokens and made sure that the new .yml file is listed in my .gitignore. Tokens are safe, fancy API stuff works, and I’m happy. Two cautions worth keeping in mind: .gitignore only keeps the file out of future commits, so if the keys were ever pushed, regenerate them in the Twitter app settings rather than just deleting the file from the repo; and every value in a config file is exposed to templates as site.<key>, so make sure no layout or include ever prints those values into the generated site.

Footnotes

  1. The _localhost.yml in this example uses the same jekyll -c feature to declare my site URL as "http://localhost:4000" so I can look at and verify how my page will be displayed without publishing to my site directly. When I do publish, I run "jekyll b -c _config.yml,_AccessKeys.yml; octopress deploy".
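As an added check for the setup above (example code, not from the original post or from Octopress): after `jekyll b` finishes, scan the generated _site/ tree for any of the secret values kept in _AccessKeys.yml and confirm the file is covered by .gitignore. The key names are the four from the post; the site tree and key values in the demo are constructed, and the .gitignore check deliberately does not run git, so it says nothing about commits made before the pattern was added.

```python
"""Leak check for Jekyll secrets kept in an untracked config file (added example)."""
import re
import tempfile
from pathlib import Path

# Keys whose values must never appear in rendered output (names from the post).
SECRET_KEYS = ("consumer_key", "consumer_secret", "access_token", "access_token_secret")


def load_secret_values(keys_file):
    """Read top-level `key: value` lines from a flat YAML file (enough for an
    access-key file; nested YAML is not needed here) and return the secret values."""
    values = {}
    for line in Path(keys_file).read_text().splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*:\s*(.+?)\s*$", line)
        if m and m.group(1) in SECRET_KEYS:
            values[m.group(1)] = m.group(2).strip("'\"")
    return values


def find_leaks(site_dir, secrets):
    """Return [(key, relative_path), ...] for every secret value found verbatim in _site/."""
    site_dir = Path(site_dir)
    leaks = []
    for path in sorted(site_dir.rglob("*")):
        if not path.is_file():
            continue
        text = path.read_text(errors="ignore")
        for key, value in secrets.items():
            if value and value in text:
                leaks.append((key, str(path.relative_to(site_dir))))
    return leaks


def is_gitignored(repo_dir, filename):
    """Look for an exact-file pattern in .gitignore without shelling out to git."""
    gitignore = Path(repo_dir) / ".gitignore"
    if not gitignore.exists():
        return False
    patterns = [ln.strip() for ln in gitignore.read_text().splitlines()
                if ln.strip() and not ln.startswith("#")]
    return any(p in (filename, "/" + filename) for p in patterns)


def demo():
    """Build a constructed repo with one leaking page and run both checks."""
    with tempfile.TemporaryDirectory() as repo:
        Path(repo, "_AccessKeys.yml").write_text(
            "consumer_key: 'ck_example_not_real'\n"
            "consumer_secret: 'cs_example_not_real'\n"
            "access_token: 'at_example_not_real'\n"
            "access_token_secret: 'ats_example_not_real'\n"
        )
        Path(repo, ".gitignore").write_text("_site/\n_AccessKeys.yml\n")
        site = Path(repo, "_site")
        (site / "blog").mkdir(parents=True)
        (site / "index.html").write_text("<html><body>Hello</body></html>\n")
        # a template that mistakenly rendered {{ site.consumer_secret }}
        (site / "blog" / "oops.html").write_text("<p>debug: cs_example_not_real</p>\n")

        secrets = load_secret_values(Path(repo, "_AccessKeys.yml"))
        return {
            "secrets": sorted(secrets),
            "leaks": find_leaks(site, secrets),
            "ignored": is_gitignored(repo, "_AccessKeys.yml"),
        }


if __name__ == "__main__":
    print(demo())
```

Point the two functions at your real repo root and _site/ after a build; a non-empty leak list means a layout or plugin is writing a config value into the output.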

Generic Ubuntu Server Setup Scripts for Networking and VMware Tools

Lately I’ve been doing a lot of Ubuntu Server installs for JumpStarts, with their intended use being to become a JSS or JDS server. It’s easy to spin up a full clone or linked clone on my laptop, but when I’m at a customer’s location they usually only have an ISO that was downloaded some time ago… so we’re starting from scratch. With a brand new Ubuntu Server VM, there are a few steps you need to perform to make your life easier in the long run.

Server Setup

On every Ubuntu Server setup there are a couple of items you should do first, before trying to run the JDS or JSS installers. We need the following:

  • Server FQDN (hopefully you have already populated your internal DNS with the associated IP address)
  • Networking info (IP Address, gateway, subnet mask, etc)
  • Install openssh-server (and possibly curl) on our new VM

Assuming we have the above items, console into your new Ubuntu VM and run sudo apt-get install openssh-server so we can SSH into the box from Terminal (it’s much easier to work with). We can then scp ubuntuSetup.sh to the VM and execute it; it first makes sure you have the latest and greatest version of Ubuntu Server, including every security update published since that ISO was downloaded, by running apt-get update and apt-get dist-upgrade. These updates may take some time, so be patient if you decide to run them.

Next we’re going to input our FQDN and Networking info into the script so it can update the following files on our behalf:

  • /etc/hosts
  • /etc/hostname
  • /etc/network/interfaces

This script is available on SRT’s public github repo at: https://github.com/stonyrivertech/SRT-Public/blob/master/VMWare/ubuntuSetup.sh, watch it in action below.

[Video: Ubuntu Server Setup Script Demo]
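To show what the three file updates look like in practice, here is an added example that renders /etc/hosts, /etc/hostname and /etc/network/interfaces from an FQDN and static network settings. It is my own code, not SRT’s ubuntuSetup.sh, and it validates the addresses first so a typo (a gateway outside the subnet) cannot leave a freshly built VM unreachable over SSH. The interface name eth0, the ifupdown format (Ubuntu 14.04), the DNS server and the target root are assumptions; the sample values are the pretend.co lab addresses from the LDAP post below.

```python
"""Render the network identity files the post's setup script updates (added example)."""
import ipaddress
from pathlib import Path


def validate_network(ip, netmask, gateway):
    """Return the host interface; raise ValueError if the gateway is not a usable
    address inside the host's subnet (the usual cause of a VM that boots unreachable)."""
    iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    gw = ipaddress.IPv4Address(gateway)
    if gw not in iface.network:
        raise ValueError(f"gateway {gw} is not inside {iface.network}")
    if gw == iface.ip:
        raise ValueError("gateway must differ from the host address")
    return iface


def gateway_ok(ip, netmask, gateway):
    """True/False form of validate_network for scripts that just want a yes or no."""
    try:
        validate_network(ip, netmask, gateway)
        return True
    except ValueError:
        return False


def render_hosts(fqdn, ip):
    # the FQDN -> IP line is what `hostname -f` resolves through
    short = fqdn.split(".", 1)[0]
    return f"127.0.0.1\tlocalhost\n{ip}\t{fqdn} {short}\n"


def render_hostname(fqdn):
    # /etc/hostname carries the short name; the domain part lives in /etc/hosts
    return fqdn.split(".", 1)[0] + "\n"


def render_interfaces(iface_name, ip, netmask, gateway, dns_servers, search_domain):
    """ifupdown-style /etc/network/interfaces with a static address (assumed format)."""
    net = validate_network(ip, netmask, gateway)
    return (
        "auto lo\n"
        "iface lo inet loopback\n\n"
        f"auto {iface_name}\n"
        f"iface {iface_name} inet static\n"
        f"    address {net.ip}\n"
        f"    netmask {net.netmask}\n"
        f"    gateway {gateway}\n"
        f"    dns-nameservers {' '.join(dns_servers)}\n"
        f"    dns-search {search_domain}\n"
    )


def write_config(root, fqdn, ip, netmask, gateway, dns_servers, iface_name="eth0"):
    """Write all three files under `root` ('/' on the VM itself, a temp dir to preview)."""
    root = Path(root)
    search_domain = fqdn.split(".", 1)[1]
    files = {
        "etc/hosts": render_hosts(fqdn, ip),
        "etc/hostname": render_hostname(fqdn),
        "etc/network/interfaces": render_interfaces(
            iface_name, ip, netmask, gateway, dns_servers, search_domain),
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return files


if __name__ == "__main__":
    import sys
    import tempfile
    # Preview into a temp dir using the lab values; run as root with root="/" on the VM.
    out = write_config(tempfile.mkdtemp(), "jss.pretend.co", "192.168.204.11",
                       "255.255.255.0", "192.168.204.2", ["192.168.204.10"])
    for name, body in out.items():
        sys.stdout.write(f"--- {name}\n{body}")
```

Because the renderers return the file contents, you can diff them against the VM’s current files before overwriting anything, and restart networking only once all three are in place.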

VMware Tools

The next script makes sure you have the proper VMware Tools installed on Ubuntu Server, in case you need to share a folder from your host computer to your Ubuntu server. The mount point will be /mnt/hgfs/<<your folder name>>. This script will try to mount the CDROM on your VM, so be sure it is pointing to the VMware Linux Tools ISO by choosing Virtual Machine => Install VMware Tools. Note that the installer compiles kernel modules and the script finishes with a reboot, so run it before the server is in use.

#!/bin/bash

# This script was developed BY Stony River Technologies (SRT)
# ALL scripts are covered by SRT's License found at:
# https://raw.github.com/stonyrivertech/SRT-Public/master/LICENSE 

# Created by Justin Rummel
# Version 1.0.0 - 11/15/2012

# Modified by
# Version 


### Description 
# Goal is to install VMWare Tools on an Ubuntu Server.  Don't forget to mount the CD first! 

# variables
cdMNT="/mnt/cdrom"
cdDEV="/dev/cdrom"

### Be sure to select "Install VMWare Tools" from the "Virtual Machine" dropdown menu in VMWare Fusion
# Create the mount point if it is missing
[ ! -d "${cdMNT}" ] && { echo "creating ${cdMNT}"; sudo mkdir -p "${cdMNT}"; } || { echo "${cdMNT} already exists.  Moving on..."; }
# /dev/cdrom is a block device, not a directory: check it exists, then mount it read-only unless already mounted
[ -b "${cdDEV}" ] || { echo "${cdDEV} not found.  Did you choose 'Install VMware Tools'?"; exit 1; }
mountpoint -q "${cdMNT}" || { echo "mounting ${cdDEV} to ${cdMNT}"; sudo mount -o ro "${cdDEV}" "${cdMNT}"; }

# find prints the full path of the tarball; silence find's own errors (the redirect belongs to find, not the assignment)
vmTGZ=$(find "${cdMNT}" -name "VMwareTools*.tar.gz" 2>/dev/null | head -n 1)

cd /tmp || exit 1
if [ -n "${vmTGZ}" ] && [ -e "${vmTGZ}" ]; then
	cp "${vmTGZ}" ./
	tar xzf "$(basename "${vmTGZ}")"
	cd vmware-tools-distrib/ || exit 1
	# the installer builds kernel modules, so it needs a compiler and the running kernel's headers
	sudo apt-get install -y build-essential linux-headers-"$(uname -r)"
	sudo ./vmware-install.pl --default
	sudo reboot
else
	echo "Something went wrong: no VMwareTools tarball found on ${cdMNT}.  Stopping now."
	exit 1
fi
exit 0

Integrating (and Debugging) Windows Active Directory LDAP Connection With JAMF Software's JSS

I’m guessing you are looking at your JSS screen trying to connect an LDAP server, specifically Active Directory (AD), but things are not going well. First of all, breathe. There have been countless times when I’m performing a JumpStart and things “just don’t work” in terms of integrating the JSS and Active Directory, especially if your AD is anything beyond the standard “Next, Next, Next” installation process from when it was initially set up.

Network Environment Debugging

First, we’re going to do some simple network debugging that I usually perform once I’m onsite to make sure the AD environment is providing the necessary DNS records. I’m hosting this example environment on my laptop via VMware Fusion 7.1 Pro with:

  • one VM running Windows Server 2012 R2 as my AD and DNS server
  • one VM running Ubuntu 14.04.1 as my JSS
  • one VM running OS X Yosemite as my “Admin Station”

All VMs are essentially on the same isolated network, as I have configured each VM to use “NAT” for its Network Settings. My AD server’s FQDN is dc01.pretend.co with an IP address of 192.168.204.10/24, my JSS server’s FQDN is jss.pretend.co with the static IP address of 192.168.204.11/24, and the gateway (my laptop) is 192.168.204.2/24. I’ve configured my test AD server with the domain “PRETEND” (DNS name pretend.co); it also provides DNS (forwarding to the gateway), and both the JSS and the “Admin Station” point to the AD server for DNS lookups.

Debugging DNS overview

To debug the AD environment I first run host against “pretend.co”, which should return the address of every domain controller; next I verify forward and reverse DNS (name to IP address and back) for the domain controllers; and finally I verify the LDAP and Kerberos SRV records.

#!/bin/bash

# This script was developed BY Stony River Technologies (SRT)
# ALL scripts are covered by SRT's License found at:
# https://raw.github.com/stonyrivertech/SRT-Public/master/LICENSE 

# Created by Justin Rummel
# Version 1.0.0 - 2015-1-21

# Modified by
# Version 

### Description 
# Script to check AD DNS environment (run from an OS X admin station: networksetup is OS X only)

### Variables
# the resolver that actually answered dig; it should be one of your domain controllers
dns_server=$(dig +noall +identify | cut -d\( -f2 | cut -d\) -f1)
dns_Ethernet=$(networksetup -getdnsservers Ethernet)
dns_WiFi=$(networksetup -getdnsservers Wi-Fi)

### Functions
ethernet () {
	[[ "${dns_Ethernet}" == "${dns_server}" ]] && { run_tests Ethernet; exit 0; } || { wifi; }
}

wifi () {
	[[ "${dns_WiFi}" == "${dns_server}" ]] && { run_tests Wi-Fi; exit 0; } || { echo "Are you online?  Not sure so I'll stop now."; exit 1; }
}

# named run_tests (not test) so the shell's own test builtin is not shadowed
run_tests () {
	service="${1}"
	echo -e "Network tests are performed using your ${service} interface"

	domain=$(networksetup -getsearchdomains "${service}")
	echo -e "DNS Search domain is ${domain}\n"

	# an A lookup of the domain itself returns every domain controller
	dcs=$(host "${domain}")
	echo -e "Here is a list of your Domain Controllers\n ${dcs}\n"

	echo -e "Testing your Reverse DNS"
	dcIP=$(host -t A "${domain}" | tail -n 1 | awk '{print $NF}')
	dnsReverse=$(host "${dcIP}")
	echo -e "${dnsReverse}\n"

	echo -e "Testing your Forward DNS (should come back to ${dcIP})"
	dcName=$(echo "${dnsReverse}" | awk '{print $NF}' | sed 's/\.$//')
	dnsForward=$(host "${dcName}")
	echo -e "${dnsForward}\n"

	echo -e "Testing your Service DNS records for LDAP and Kerberos (there should be some results)"
	dig -t SRV _ldap._tcp."${domain}" +short
	dig -t SRV _kerberos._tcp."${domain}" +short
	dig -t SRV _kpasswd._tcp."${domain}" +short
}

ethernet

exit 0

Here is the result from my test environment. Your results should hopefully have more AD servers populated, but otherwise should be close to this gist.

What to look for when debugging DNS

Your “dns_server” should be the IP address of one of your domain controllers. With that said, only your internal AD DNS servers should be listed in a client’s network settings. Providing both internal and external DNS options (like Google’s or OpenDNS) in your DHCP scope settings will only confuse an Apple device: the client may send its AD lookups to the external resolver, which knows nothing about your domain’s SRV records, so lookups fail intermittently. If any of these commands return unexpected results, there is something wrong with your network; fix DNS before touching the JSS.
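The shell script above only prints what it finds and leaves the judgement to you. The following added example (my code, not the post’s script) turns the same three checks into pass/fail results: every configured resolver must be a domain controller, reverse and forward lookups must round-trip, and the SRV records must exist and point at known DCs. The command outputs it parses are constructed in the formats host(1) and dig +short print, using the pretend.co lab addresses from the post; feed it real output from those commands to audit a customer network.

```python
"""Evaluate AD DNS health from host/dig output (added example)."""
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_host_a(output):
    """`host pretend.co` -> {name: [addresses]} from 'X has address Y' lines."""
    records = {}
    for m in re.finditer(rf"^(\S+) has address ({IPV4})$", output, re.M):
        records.setdefault(m.group(1).rstrip("."), []).append(m.group(2))
    return records


def parse_host_ptr(output):
    """`host 192.168.204.10` -> {ip: name} from 'in-addr.arpa domain name pointer' lines."""
    ptr = {}
    for m in re.finditer(r"^(\S+)\.in-addr\.arpa domain name pointer (\S+)\.$", output, re.M):
        ip = ".".join(reversed(m.group(1).split(".")))   # 10.204.168.192 -> 192.168.204.10
        ptr[ip] = m.group(2)
    return ptr


def parse_srv(output):
    """`dig +short SRV _ldap._tcp.pretend.co` -> [(priority, weight, port, target)]."""
    return [(int(p), int(w), int(port), t.rstrip("."))
            for p, w, port, t in re.findall(r"^(\d+) (\d+) (\d+) (\S+)$", output, re.M)]


def audit(resolvers, dc_a_output, ptr_outputs, fwd_outputs, srv_outputs):
    """Return a list of problems; an empty list means the environment looks healthy."""
    problems = []
    dcs = parse_host_a(dc_a_output)                 # domain -> DC addresses
    dc_ips = {ip for ips in dcs.values() for ip in ips}
    if not dc_ips:
        problems.append("no A records for the domain: is the AD DNS zone reachable?")
    # 1. every configured resolver must be a domain controller (no 8.8.8.8 mixed in)
    for r in resolvers:
        if r not in dc_ips:
            problems.append(f"resolver {r} is not a domain controller")
    # 2. reverse and forward lookups must agree for each DC
    ptr, fwd = {}, {}
    for out in ptr_outputs:
        ptr.update(parse_host_ptr(out))
    for out in fwd_outputs:
        fwd.update(parse_host_a(out))
    for ip in sorted(dc_ips):
        name = ptr.get(ip)
        if name is None:
            problems.append(f"no PTR record for {ip}")
        elif ip not in fwd.get(name, []):
            problems.append(f"{ip} -> {name} -> {fwd.get(name)} does not round-trip")
    # 3. the SRV records clients use to find LDAP/Kerberos must exist and point at DCs
    for svc, out in srv_outputs.items():
        targets = parse_srv(out)
        if not targets:
            problems.append(f"no SRV records for {svc}")
        for _, _, port, target in targets:
            if target not in fwd or not set(fwd[target]) & dc_ips:
                problems.append(f"{svc} points at {target}:{port}, which is not a known DC")
    return problems


# Constructed outputs in the formats host(1) and dig(1) print, for the post's lab.
DC_A = "pretend.co has address 192.168.204.10\n"
PTR_OK = "10.204.168.192.in-addr.arpa domain name pointer dc01.pretend.co.\n"
FWD_OK = "dc01.pretend.co has address 192.168.204.10\n"
SRV_OK = {
    "_ldap._tcp.pretend.co": "0 100 389 dc01.pretend.co.\n",
    "_kerberos._tcp.pretend.co": "0 100 88 dc01.pretend.co.\n",
    "_kpasswd._tcp.pretend.co": "0 100 464 dc01.pretend.co.\n",
}

if __name__ == "__main__":
    print(audit(["192.168.204.10"], DC_A, [PTR_OK], [FWD_OK], SRV_OK))
    print(audit(["192.168.204.10", "8.8.8.8"], DC_A, [PTR_OK], [FWD_OK], SRV_OK))
```

The second call reproduces the mixed internal/external resolver mistake described above and reports it as a problem rather than leaving you to notice it in a wall of output.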

LDAP testing

Next, let’s make sure we are dealing with the standard LDAP port of 389, using an administrator account that should be allowed to view the entire directory tree if needed. Keep in mind that a simple bind (-x) over plain port 389 sends that password in cleartext, so run this from a trusted network segment (or add -ZZ to require StartTLS).

ldapsearch -H ldap://dc01.pretend.co -b "dc=pretend,dc=co" -x -D "PRETEND\administrator" -W -L "(objectClass=group)" name member

Here is a link to a gist that shows the expected results. You should get some positive-looking results. If you get an error, AD has been restricted so much that simple lookup queries are not working. Go talk to your AD administrator and find out what they have done to make AD so cranky.

JSS LDAP Setup - Active Directory

When the Active Directory LDAP setup assistant works, it’s great! Just remember some of these tips:

  • “Hostname or IP Address” is the FQDN of a Domain Controller
  • For your LDAP server account, it’s looking for your DOMAIN (e.g. PRETEND) along with an AD account username and password. An AD Administrator account works, but a dedicated read-only service account is the better choice: the JSS only needs to bind and read, so it does not need admin rights.
  • Have two test AD accounts ready where one user is known to be in a group and not in another (like yourself and another employee that is NOT in IT). We’ll test to make sure the lookups are displaying the correct user info and group membership.

JSS LDAP Setup - Manual

Sometimes the LDAP setup assistant just doesn’t work. No matter how many ways you enter your DOMAIN and then provide authentication credentials, it never gets past the verification. In these cases we’ll use the manual configuration method and verify our settings against the following screenshots.

Key items to look for are:

  • Server and Port should be the FQDN of a domain controller and 389, unless you have enabled LDAPS (636), in which case the JSS must also trust the certificate the DC presents. Then you made your own nightmare.
  • Yes, that is what a Distinguished Name (DN) looks like. Find the FULL path; the domain’s base DN (e.g. dc=pretend,dc=co) is what the ldapsearch test above used for -b.
  • On your User Mappings, sometimes organizations will have multiple CNs or OUs at the same level. If so, just use dc=domain,dc=tld and search your whole domain. And yes, that may take longer.
  • Verify the LDAP Attributes carefully. Email is sometimes just mail.
  • The Group Mappings have the same issues as User Mappings. You may need to move them to dc=domain,dc=tld, and it will take longer.
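The ldapsearch test, the two-test-account check from the assistant tips, and the “find the FULL path” advice above can be scripted together. This added example (my code, not the post’s or the JSS’s) reads the domain’s base DN from the RootDSE rather than guessing it, builds the same simple-bind ldapsearch invocation the post uses, and parses LDIF output to compare the group membership of two test accounts. The LDIF it parses is constructed to look like ldapsearch -LLL output for the pretend.co lab; the account names, the IT group and dc01.pretend.co are assumptions. The same cleartext caveat applies: a simple bind over 389 sends the password unencrypted.

```python
"""RootDSE discovery, ldapsearch argv construction and LDIF parsing (added example)."""
import base64
import subprocess


def rootdse_argv(host):
    """Anonymous RootDSE read: AD returns defaultNamingContext, the domain's base DN."""
    return ["ldapsearch", "-LLL", "-x", "-H", f"ldap://{host}",
            "-s", "base", "-b", "", "defaultNamingContext"]


def ldapsearch_argv(host, bind_user, base, search_filter, attrs, scope="sub"):
    """argv matching the post's test: simple bind (-x) as DOMAIN\\user over plain 389,
    -W prompts for the password, -LLL gives bare LDIF."""
    return ["ldapsearch", "-LLL", "-x", "-H", f"ldap://{host}", "-D", bind_user, "-W",
            "-s", scope, "-b", base, search_filter, *attrs]


def run_search(argv):
    """Run ldapsearch on a box that has it and return the parsed entries."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return parse_ldif(proc.stdout)


def parse_ldif(text):
    """Parse LDIF into [{attr: [values]}]. Handles folded lines (continuation lines start
    with a space) and base64 values ('attr:: ...'), which AD emits for non-ASCII names."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def member_of(entries, group_dn):
    """{sAMAccountName: bool} -- is each returned user a direct member of group_dn?
    DNs are compared case-insensitively, as AD does."""
    result = {}
    for e in entries:
        if "sAMAccountName" not in e:
            continue
        groups = {g.lower() for g in e.get("memberOf", [])}
        result[e["sAMAccountName"][0]] = group_dn.lower() in groups
    return result


# Constructed LDIF resembling `ldapsearch -LLL` output for the post's lab (not real data).
ROOTDSE_LDIF = "dn:\ndefaultNamingContext: DC=pretend,DC=co\n\n"
USERS_LDIF = (
    "dn: CN=IT User,OU=Staff,DC=pretend,DC=co\n"
    "sAMAccountName: ituser\n"
    "memberOf: CN=IT,OU=Groups,DC=pretend,DC=co\n"
    "memberOf: CN=All Staff,OU=Groups,DC=pretend,DC=\n"
    " co\n"                                   # LDIF folds long lines with a leading space
    "\n"
    "dn: CN=HR User,OU=Staff,DC=pretend,DC=co\n"
    "sAMAccountName: hruser\n"
    "memberOf: CN=All Staff,OU=Groups,DC=pretend,DC=co\n"
    "displayName:: SFIgVXNlcg==\n"            # base64 for 'HR User'
    "\n"
)


def demo():
    """Offline walk-through: base DN from the RootDSE, the argv we would run, membership."""
    base = parse_ldif(ROOTDSE_LDIF)[0]["defaultNamingContext"][0]
    argv = ldapsearch_argv("dc01.pretend.co", "PRETEND\\administrator", base,
                           "(|(sAMAccountName=ituser)(sAMAccountName=hruser))",
                           ["sAMAccountName", "memberOf"])
    membership = member_of(parse_ldif(USERS_LDIF), "CN=IT,OU=Groups,DC=pretend,DC=co")
    return base, argv, membership


if __name__ == "__main__":
    base, argv, membership = demo()
    print("base DN:", base)
    print("would run:", " ".join(argv))
    print(membership)
```

Against a live DC, replace the constructed LDIF with run_search(rootdse_argv(host)) and run_search(argv); if the membership dictionary does not match what the JSS shows for the same two accounts, the JSS group mapping (not AD) is what needs fixing.
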

Google Domains Now Does Dynamic DNS

So I was really hoping for some invite codes from Google Domains while it was still in private beta. This way everyone would shower me with love and affection, and in return I would provide my precious invite codes… but Google just had to kill my dreams and make it available for everyone! The nice thing is there must have been some great feedback from previous beta testers, as some changes have been applied since my review two weeks ago (I never received a feedback request, so I cannot take any credit).

Here’s a list of the updates:

  • We improved the search and suggestion experience because you requested help finding the perfect domain name.
  • We added over 60 new domain name endings like .company, .florist and .coffee because you requested more choices as you search.
  • We created a simple dashboard to manage your domain, website and email settings because you requested these actions be only one click away.
  • We integrated with Blogger so you can create a blog and easily connect it to your domain because you requested more options as you start building your web presence.
  • We improved integration with website builders so you can quickly view and compare themes and plans because you wanted to know more about the available options before signing up.
  • We added dynamic DNS so you can setup your domain and keep it pointing to the same computer even when the IP address changes because you requested this for your business.

(From Google’s announcement, “Making it easier to get your business online with Google Domains”.)

It’s that last bullet that I’m excited about: Dynamic DNS! I logged into my account and searched around for the new Dynamic DNS interface, and couldn’t find the right location. Since googling “Google Domains” is somewhat pointless in returning decent results (much like OSX’s security command), I did what I thought was the unthinkable and used Google Domains’ new support chat feature! I was directed to the DNS section, then the “Synthetic records” area, where a new dropdown option for Dynamic DNS has been added.

[Screenshot: Add Google Domains, Synthetic records with the Dynamic DNS dropdown]

From there you can define a subdomain (or “@” for the bare domain itself) and Google will provide you with a new randomly generated 16-character username and password unique to that record. You must then configure your dynamic DNS client of choice (such as ddclient or inadyn) to use these values. Those credentials only authorize updates to that one record, but they are still a password: store them in the client’s config with restricted permissions and keep them out of any public repo. Google has a support page that explains how to configure these settings.

[Screenshot: Add Google Domains, generated Dynamic DNS credentials]

Unfortunately, my Verizon FiOS router does not have a setting for Google Domains (can’t complain since it was JUST released), but I will be sending a feature request through my “inside resources”.

Bushel: 'You put your Apple things in here' for small businesses

Bushel is an Apple device (OSX and iOS) management tool that will assist with items that would normally frustrate people once you try to deploy/issue more than three devices. So I’m pleased to share (if you haven’t seen already) that Bushel is now available to the public! I’ve had a chance to review Bushel for a couple of months since its first private beta release during JAMF Software’s National User Conference and have been quite impressed.

Features

Your Bushel web interface is hosted for you on Bushel’s servers. This helps companies who either don’t want to deal with having a server internally (knowing how to configure it, setting up internal and external networking, and/or the maintenance requirements), or a company that fully embraces a cloud infrastructure. I see this as a great positive! If you have a company policy that states “no cloud infrastructures” will be used, then you are most likely too big for Bushel.

Enrolling your Apple devices is made easy by either logging into your Bushel account and clicking on the “Enroll” button, inviting people by email, or by using Apple’s Device Enrollment Program (DEP).

Installing Apps can be done by using Apple’s Volume Purchasing Program (VPP), where the company purchases licenses for their employees and assigns the apps as needed, or by “Deploy from App Store”, which will recommend an App that the employee can purchase themselves.

Assistance with email configuration is also provided by Bushel for Exchange (Office 365 and Google Apps EDU/Business/Gov would be included), non-Google Apps, Yahoo, or plain IMAP/SMTP (like you would get from an Apple Server). If you don’t know the settings for these services (Exchange/Google/Yahoo/etc), do a quick Google search for “insert_service_here SMTP settings” and the answer should be on the first page of results.

Finally, the limited set of security options available to set is:

  • Require a Passcode
  • Auto Lock an OSX or iOS device after “x” minutes
  • Disable iCloud backups
  • Protect company data for Apps that are installed by Bushel (most likely done by VPP).

If you have any questions about VPP or DEP, Bushel has a great FAQ that helps answers these questions. You may also want to review my own article of Working with VPP and DEP Apple IDs.

Who is the target audience?

THAT is the big question that I’ve been trying to answer for the past couple of months. To better answer that question you need to read the blog post from Bushel themselves.

The Bushel team consists mostly of people who were involved in small businesses before coming to JAMF (and those who grew JAMF from a small business). We believe in small businesses. And we believe in the innovative workgroups that exist similarly to small businesses within large enterprises. We believe in smaller, self-managing classrooms. We want to make your life better. We want to help you have the best possible experience with Apple products. Because we believe in Apple and we believe in you

Why Bushel Exists, And What That Means To You

Bushel is for small businesses or departments of a larger business. Bushel highlights some example scenarios in their “manual” (I’m putting this in quotes because Bushel is simple enough that it doesn’t really need a manual, and it is designed that way on purpose!).

Use Cases

The common trend is that there is a small group of people who need to lightly manage some devices (more than what would be acceptable to do as the same repetitive task on one device at a time), but they don’t have a full-time IT person to take care of them. Or, there is a consultant who could help with the setup of Bushel, but then hands over control to that small group. As long as the settings on the OSX/iOS devices that you want to control fall into the feature list above, Bushel is PERFECT! “But wait, there’s more”… you can try out everything for FREE for up to three devices. When you want more advanced options (custom iOS restrictions or application installs from outside the Mac App Store), that is when you need to start looking at a product geared for the Enterprise… like the Casper Suite!