Java 8 without the Adware (aka Java8Unjunker)

So you’ve heard the Ask toolbar is now bundled with Java 8 Update 40 for the Mac?
Yep, apparently it is.

Ask

Fortunately there’s a simple workaround! Let’s take control of our Macs and do a little spelunking into this new installer app.

Right or Control-Click the Java 8 Update xx.app and choose Show Package Contents

Show Package Contents

Navigate into Contents then Resources folder
Eureka we’ve found it: JavaAppletPlugin.pkg
JavaAppletPlugin_LocationLet’s run it!

Gatekeeper_Java8

Aw snap. It seems the package isn’t signed and Gatekeeper is not happy about that. I’m flabbergasted that they’d sign the installer app but not the package inside? (Update: I’m really flabbergasted!)

Control or right-click on JavaAppletPlugin.pkg and choose Open

Java 8 PKG Open

Click Open

Open JavaAppletPlugin

Here we are. Your unsigned Java installer awaits.

Installer

Alternately… Java8Unjunker.command

script I just made to do the same thing plus some other nice things like: name the package and un-quarantine it. Of course being a script it’s not signable! Gatekeeper will balk if it’s on. You’ll need to right-click and choose Open as before.

Shell

Drag in your Java 8 Updater xx.app

Unjunker1

Press Enter.
Voilà! A folder with your package ready to double-click and go.

Unjunker2

Enjoy.

TMI…

#!/bin/bash

#Java 8 Unjunker - Joel Bruner
#Simply moves the JavaAppletPlugin.pkg package out of the installer app (which installs the Ask Toolbar) to the Desktop, renames and Un-Quarantines it

#touch file for debugging
[ -f /tmp/debug ] && set -x

#take command line argument too
sourceApp="$1"

#check to see if path provided is present and valid
#otherwise get the path
while [ -z "$sourceApp" -o ! -d "$sourceApp" ]; do
echo -n "Drag in Java 8 Update xx.app and press enter: "
read sourceApp
done

#get the version from the app
sourcePKGVersion=$(defaults read "$sourceApp"/Contents/Info CFBundleVersion)

#make Desktop folder and copy pkg to it, renamed
echo "Creating Directory ~/Desktop/Java $sourcePKGVersion"
mkdir ~/Desktop/"Java $sourcePKGVersion"
echo "Copying JavaAppletPlugin.pkg to ~/Desktop/Java $sourcePKGVersion/JavaAppletPlugin_${sourcePKGVersion}.pkg"
cp "$sourceApp"/Contents/Resources/JavaAppletPlugin.pkg ~/Desktop/"Java $sourcePKGVersion"/JavaAppletPlugin_${sourcePKGVersion}.pkg

#since Oracle doesn't sign the pkg just the .app we need to strip the quarantine xa off to suppress the warning
xattr -d com.apple.quarantine ~/Desktop/"Java $sourcePKGVersion"/JavaAppletPlugin_${sourcePKGVersion}.pkg

echo "Java Unjunked. Opening Folder."
open ~/Desktop/"Java $sourcePKGVersion"

 

 

 

RecoveryHD Updater now with PKG building

** Update: Recovery HD updaters packages for 10.11 will only work when run in OS X 10.11, previous packages could run in different OSesnot so for 10.11

Updated April 6, 2015: createRecoveryHDUpdater 15.4.6.command – built PKG now is targetable to volumes other than /

Released Feb 28, 2015: createRecoveryHDUpdater 15.2.28.command

Recovery15.2.28

Building off the previous work the updated script will now create a nicely named dmg

recoverydmg_icon

Containing both an interactive script for updating disks and a new script to create a .pkg!

recoverydmg_2scripts

 

The fruits of RecoveryHD PKG Maker.command:

recoverypkg_iconCustom Bundle ID is interactively provided, the PackageVersion is matched to the OS release. Signing identity is asked for in the script but not tested (my cert might be broken, YMMV). The target of the package is always / – an exercise for the reader to change the postinstall script to use Installer’s variables to affect the target The exercise to make the .pkg targetable has been exercised by me… Enjoy!

 

BASH parameter fun

Some exercises in handling parameters in a script:

Using BASH_ARGV to loop through all arguments

#!/bin/bash
#debugging output
[ -f /tmp/debug ] && set -x

#Loop Though the arguments provided
#BASH places arguments in reverse order in BASH_ARGV array
#Start at end of array (ARGC – 1)
for (( i=$(( $BASH_ARGC – 1 )); i>=0; i– )); do
item=”${BASH_ARGV[$i]}”
echo “\$$(( $BASH_ARGC – $i )): $item”
done

Loop through all arguments with special handling of first and last only

#!/bin/bash
[ -f /tmp/debug ] && set -x
##loop through parameters, start with end of BASH_ARGV
for (( loopNumber=1, i=$(( $BASH_ARGC - 1 )); i>=0; i--, loopNumber++ )); do
#do something special for first and last
if [ $i -eq $(( $BASH_ARGC - 1 )) ]; then
conditionalString="(I am the first one!)"
elif [ $i -eq 0 ]; then
conditionalString="(I am the last one!)"
else
unset conditionalString
fi
echo Arg $loopNumber: ${BASH_ARGV[$i]} $conditionalString
done

Loop through all arguments with special handling of first and everything else

#!/bin/bash
[ -f /tmp/debug ] && set -x

##loop through parameters, start with end of BASH_ARGV
for (( loopNumber=1, i=$(( $BASH_ARGC – 1 )); i>=0; i–, loopNumber++ )); do

#if not the last don’t restart dock
if [ $i -eq $(( $BASH_ARGC – 1 )) ]; then
unset conditionalString
conditionalString=”(I am the first)”
else
conditionalString=”(I am not the first)”
fi

echo Arg $loopNumber: ${BASH_ARGV[$i]} $conditionalString
done

Loop through all arguments with special handling of the last and everything else

#!/bin/bash
[ -f /tmp/debug ] && set -x

##loop through parameters, start with end of BASH_ARGV
for (( loopNumber=1, i=$(( $BASH_ARGC – 1 )); i>=0; i–, loopNumber++ )); do

#if not the last don’t restart dock
if [ ! $i -eq 0 ]; then
conditionalString=”(I am not the last)”
else
unset conditionalString
#conditionalString=”(I am the last)”
fi

echo Arg $loopNumber: ${BASH_ARGV[$i]} $conditionalString
done

(WordPress is bugging the heck out of me with the code tags breaking when their are line breaks… sorry, that’s an exercise for the Googler)

Apple Remote Desktop 3.7.1

Apple has release Remote Desktop Admin 3.7.1

The release notes are sparse, as usual:

This update improves the overall stability and reliability of the Remote Desktop application. It includes the following specific improvements.

  • Prevents an issue that could cause the OS X Firewall to block Remote Desktop connections. See Additional Information below.
  • Improves reliability of the kickstart command.
  • Fixes the “Display full screen” option in Control & Observe preferences.

Hmmm, I didn’t see a bullet point titled: “Fixed insane memory and CPU usage issues”

ARD Ridiculous Memory Usage

Just installed the update. Fingers crossed.

Update: The answer is no… they didn’t fix runaway memory usage.

ARD371 Cray Cray Mem Usage Remote Desktop Screen Usage

Downloading Safari 6

So when Safari 6 came out, Apple did away with download links from their Support site.
Why? Who knows. But it’s a real pain when you have børked install or install a Developer preview (which sometimes will not register in Software Updates and need to get up to the latest release.)

I contributed this tip to Apple Discussions in the HT5275 Safari 6 download thread and am reposting here as well since I repeatedly keep going back to get the command I authored! (No I don’t run Apple Software Update server, I have my own distribution methods for work that don’t involve merging software update catalogs and other ridiculous things OS X Server requires you to do if you dare run various OS X versions and don’t run the latest server). I parenthetically digress.

Here’s the Terminal command to spit out some Safari6 URLs (OS X 10.6-10.8):

curl -s $(strings /System/Library/PrivateFrameworks/SoftwareUpdate.framework/SoftwareUpdate | grep http | grep sucatalog) | grep Safari6 | grep pkg

It’ll give you something like this:
<string>http://swcdn.apple.com/content/downloads/18/32/041-6651/147ugedbeiqpz43czixlgawayfoa7tjyjv/Safari6.1MountainLion.pkg</string><string>http://swcdn.apple.com/content/downloads/47/40/041-6648/a9y00qwi8esz3gl5v2gfik1p3rgvn7zftz/Safari6.1Lion.pkg</string>

I know, not pretty right? But what you can do then is copy and paste the URL into Safari’s Address/Search bar and hit Option-Enter which will then download it.

Viola. A Safari 6 package.

Update for 10.9:
Now when you grep SoftwareUpdate there are multiple URLs for the seed programs, the easiest way to deal with this and still be generic is to loop through all the URLs grepping for Safari

for URL in $(strings /System/Library/PrivateFrameworks/SoftwareUpdate.framework/SoftwareUpdate | grep http | grep sucatalog); do curl -s "$URL" | grep Safari | grep pkg; done

Naming Conventions! Please, Apple?

Apple, there was a time when your updates had naming conventions for the various platforms there were targeted for. Suffixes like Tiger, Leopard, Snow, etc. made it easy to identify for what platform an update package was intended.

SnowSecurityUpdates
Names used to be useful, who did you hire between April and September of 2012?

But then something happened. Somewhere after Snow Leopard 2012-002 and the first appearance of the 10.7/10.8 Java updates: form trumped function and all useful naming conventions were removed.

Which Java
Elegantly named and informational useless packages. Beautiful.

In the case of Java not just the platform name, but even what release number was removed too! Oh sure, someone took the time to change the disk image volume name, thanks, but once it was copied out of there, good luck in keeping things straight! Since these are flat packages now, Finder can’t tell you the version number in column view anymore, either.

WhichSecurityUpdate
What platform are you for? Should I just chuck all these at a machine and see what sticks?

How about the latest security updates? They all named the same! What a mess! Note that now even the disk image names are all the same too and the system has to resort to appending numbers on the volume name to avoid naming conflicts.

So Apple, if you are going to keep putting out security updates for older platforms then let’s stop pretending there is only one OS X release out there and start naming updates appropriately! Please? Thanks!

P.S. I’ve submitted a bug and mirrored it at Open Radar, if you are a systems administrator who is also irked by this trend of needless naming minimalism I encourage you to file a bug report and see if we can turn this around!

Silverlight: the next plugin Apple will be blocking

Shhh… Silverlight’s been updated for Mac

So by shear accident, I was in Windows 7 via Boot Camp today. I decided to run updates and actually look at what was being updated. I noticed there was a new Silverlight update, 5.1.20125.0, speak of the devil, in my XProtect Plugin Checker post, not long ago, I speculate when Silverlight will be blocked by Apple because of a security update. Security bulletin MS13-022 explains the critical nature of this for Windows and Mac, if you want to see an MS engineer tell you it’s Priority 1 this month you can visit the Microsoft March 2013 security update page. You’ll need Silverlight to watch the video, but don’t worry it won’t give you prompt you to update. Neither does Netflix. Apparently Microsoft haven’t pulled the trigger to alert users with old Silverlight plugins! Are they waiting for this 14.9MB package to replicate around the world to all the Akamai distribution servers or something? I think it’s done now.

Whither Thou Goest Check for Updates (or Preferences for that matter)?

So I decided to double check my auto-update settings in Silverlight. Would you like to check your Silverlight Preferences? The easy way is to Control-Click/Right-Click on Silverlight content and select About Silverlight from the menu. But take a real world example: you are at a site that won’t load it’s Silverlight content because the caches need cleaning! (This really happened to someone I had to support remotely via email).

Let’s go spelunking!
Opening Silverlight Preferences the hard way:

Navigate to /Library/Internet Plug-Ins
Control-Click on Silverlight.plugin and Show Package Contents
Navigate into Contents/Resources
Double click Silverlight Preferences.app

Or type this in at Terminal:

open /Library/Internet\ Plug-Ins/Silverlight.plugin/Contents/Resources/Silverlight\ Preferences.app

I ended up making a .command file to do this, zipped it up, and emailed it so the user could simply empty the Silverlight caches and get back to work (if this was for real work or Netflix I’m not sure…) but regardless, a Preference Pane would be kinda nice MS Silverlight dev folks! All it has to do, at bare minimum, is open this very same app inside the plugin bundle (so we don’t have to dig for it). That’s what the Oracle Java 7 prefPane does. I digress here’s my settings:

SilverlightUpdates

Yep that’s set…
OK so Microsoft doesn’t think this Priority 1 update needs updating yet on the Mac?

For fun, in the same folder you can run UpdatePrompt.app to see this:

SilverlightUpdatePrompt

Clicking Install now launches the URL: http://go2.microsoft.com/fwlink/?LinkId=116053 which will automatically start downloading the newest version of Silverlight.

Exploring the XProtect Factor

Now, I though to myself, if Microsoft doesn’t start getting people to update, I think I know what Apple’s gonna do… but they haven’t done it yet. So I did. I edited my XProtect.meta.plist and blocked Silverlight myself:

XprotectMetaBlockSilverlight

Just wedged it right in there with TextWrangler! Now, what happens when I visit a Silverlight page in Safari?

Blocked @ Netflix

Boom, blocked. Aha! This mechanism is quite extensible to whatever plugin Apple deems insecure. Interestingly though, this warning will appear only once in Safari.

Blocked Small

After that your Silverlight content will simply not load and you won’t be told why. The bundle name and version are set under the PreviouslyAnnouncedBlockedPlugins key in com.apple.Safari.plist and that’s it. Clicking OK in a hurry without reading the message might leave you scratching your head, while repeatedly clicking reload at Netlflix.

Safari Warning XML

Taking a peek at my XProtectPluginChecker I see it’s able to compare the installed version to the values XProtect.meta.plist has. My script is working dynamically, as planned, yay! (I fixed a couple bugs the first few days after posting so re-download if you were an early bird user)

XProtectPluginChecker-silverlightBlockedSo while you may not be seeing this yet I have a strong feeling you will… and when you do XProtectPluginChecker will let you know.

System Administrator Bonus

Say, Mac SysAdmins, wanna disable Silverlight on all your deployed Macs right now? Why? Maybe you want to turn it off right away and worry about installing the update later? BTW this does not block the plugin in Firefox (they have their own mechanism), Safari only.

sudo /usr/libexec/PlistBuddy -x -c "add :PlugInBlacklist:10:com.microsoft.SilverlightPlugin dict" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
sudo /usr/libexec/PlistBuddy -x -c "add :PlugInBlacklist:10:com.microsoft.SilverlightPlugin:MinimumPlugInBundleVersion string 5.1.20125.0" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

That’ll get your XProtect.meta.plist PluginBlacklist dictionary looking something like this (version vary between 10.6 and 10.7/10.8 machines):

XProtectXML Viola, your Silverlight don’t work no more. :] Now go update it!

 

 

XProtect Plugin Checker

Are you a system administrator or power user who needs a quick way to check if your Flash or Java plugins have been blocked by Apple? Like so:XProtectPluginChecker Menu 2

Then XProtectPluginChecker is the status menu app for you!

XProtect Plugin Checker iconClick to download.

Written in BASH, sprinkled with PlistBuddy/awk/sed-Fu with a dash of mdfind magic, and wrapped with Platypus, the aim is for XProtect Plugin Checker to be able to dynamically accommodate any additions Apple might make to the Plugin Blacklist, although only Flash and Java seem to be in their crosshairs right now, who knows? Silverlight might be next, given its lack of updates (going on 10 months).

A bonus idea for making this more useful is to make a launchd script that watches the XProtect plist file(s) then fires off the XProtectPluginChecker script when they change, emailing the results to you, because knowing is half the battle!

If you find this useful or if you have some hiccups with it, let me know. UPDATE: Now with comments enabled! :]

Also related, myXProtectStatus is a similar style menu status script that lists the malware threats Apple is blocking.

Check Multiple iMacs for 1TB Seagate Repair Program Eligibility

Apple recently announced that certain iMacs with 1TB Seagate hard drives are eligible for replacement. If you have one iMac it’s easy to check it on their website here.

However if you have a lot of iMacs at your company you might prefer to do this a bit more quickly! The following command can be sent via ARD:

curl  "https://supportform.apple.com/201107/SerialNumberEligibilityAction.do?cb=iMacHDCheck.response&sn=$(ioreg -c "IOPlatformExpertDevice" | awk -F '"' '/IOPlatformSerialNumber/ {print $4}')" 2>/dev/null

To explain: It’s using curl to send a request to the Apple URL, the sn= field is populated with the results of the ioreg command, which is cleaned up with awk (thanks OS X Hints), stderr of curl is sent to /dev/null so you don’t get the download/progress output that curl usually displays.

Another variation is if you already have a list of serial numbers, separated with some sort of whitespace. You can put them in a bash variable and loop though them locally:

serialNumbers="QP0231XXXPK
QP0240XXYRU
D25FP1TXXXJT
QP6481XXXUW"

for number in $serialNumbers; do echo $number $(curl "https://supportform.apple.com/201107/SerialNumberEligibilityAction.do?cb=iMacHDCheck.response&sn=$number" 2>/dev/null); done

This outputs the serial number queried and the response from the Apple server on each line. E03 the response you’ll be looking for. I’ll leave it to you the reader if you want to do any additional cleanup of the output, here’s a sample:

QP0231XXXPK iMacHDCheck.response({"ERROR_CODE":"E08","ERROR_DESC":"Valid iMac SN but WoM is outside of program range"})
QP0240XXXRU iMacHDCheck.response({"ERROR_CODE":"E03","ERROR_DESC":"Valid iMac SN has Seagate HDD - covered by program"})
D25FP1TXXXJT iMacHDCheck.response({"ERROR_CODE":"E07","ERROR_DESC":"Valid iMac SN with NO Seagate HDD"})
QP6481XXXUW iMacHDCheck.response({"ERROR_CODE":"E02","ERROR_DESC":"Serial ID is not iMac."})

 

10.7.4: Return of partial volume and brightness shortcuts

Yes folks, the shorcuts for partial volume and brightness are back in 10.7.4! After users had grown to love and know Option-Shift-Volume Key and Option-Shift Brightness Key in previous versions  of OS X (10.4, 10.5, and 10.6), Apple yanked the rug out from under users with 10.7. Well, now 9 1/2 months later they are finally back. Rejoice.

Now start filing those bug reports for the insane amounts of inactive memory being used and not released to Free… :/