Monday, April 20, 2015

Does Anyone Use OS X Guest User?

Our company has a few shared spaces...conference rooms...in which some Mac Minis are set up for general purpose use. You know, Vidyo video conferencing, presentations, web demos...nothing too demanding.

We've had to balance the needs of our users with our need for management and security; ease of use for our users, while mitigating potential problems that come from a shared system.

Let's try AD!

At first we had the Macs allowing people to log in via Active Directory. They had their own logins under which they could save files.

The problem was they would log in and forget to log out, leaving not just (potentially sensitive) files exposed but often access to their online accounts, like Google, as well. They also had the default Dock configuration, so sometimes users would try reinstalling applications that already existed on the Mac (like Chrome.)

Another issue we frequently ran into involved Keychain, the built-in OS X password management system. Users would change their password from a Windows workstation, and the next time they used the shared Mac they would often fail to update the Keychain password, leading to a constant stream of Keychain access prompts. Confused users would quickly go from annoyed to extremely frustrated, especially when trying to give a presentation or in the middle of video conferences.

From a usability point of view, the bit rot of accumulating login accounts, each new login eating away at storage space, was a relatively minor inconvenience compared to the Keychain password mismatches.

Let's try Guest!

The next obvious solution is to try Guest. A feature built into OS X, Guest allows users to log in without a password for a temporary session; upon logging off, all the files are deleted. Coupled with the "inactivity logout" setting found by clicking the "Advanced..." button in the Security & Privacy pane, this seemed like the ideal setup!

But alas, it wasn't.

Three big issues for the end users could have been solved with what should have been some simple tweaks to default settings. When using a system that allows temporary "guest" accounts, most Unix systems use a skeleton or template directory from which to copy files. That didn't seem to work in this case.

First, our users wanted to use Chrome as the default browser; with each login Safari was reinitialized as the default. Second, the users wanted the Chrome icon available in the Dock as a default application to choose from; the idea of opening Applications or Spotlight first confused the hell out of them. And third, every time the users wanted to use Office, it would have them go through the "first run" wizard. That was not confusing, but it was understandably annoying.

But the biggest issue was one we could never explain. Keychain. Again.

If the system was left on and had a few login/logoffs of Guest, suddenly Keychain would complain about needing a password. Guest works, in part, by generating a random password and transparently using it where needed for the Guest login session. These temporary keychains should have disappeared at logoff, since the Library folder was deleted along with the rest of the Guest home directory.

A quick sanity check from a local administrator account via SSH showed that yes, that Guest folder was actually gone when the user logged off.

But Keychain acted like the old file was still held open or cached. File's gone. Keychain's not running. lsof didn't show any process holding a file open under a Guest home directory. Yet the only thing that cleared the errors was a complete system reboot.

A minor irritation was the number of times I'd check on the Mac only to find the Guest login still logged in after several hours, prompting a nonexistent person in the room if they were really sure they wanted to delete all the files and log off. Are you sure? Are you really sure?

Great...users would still constantly forget to log out, but instead of doing what I told it to do and logging out when the inactivity timer was triggered, it would get hung up on the logoff prompt. The only thing it really did right was that, when it was forced to log off, it deleted all the Guest home directory files, so the user's private files and potential data leaks were removed.

Guest, in theory, is a way to create a kind of temporary session for your Mac. I thought there had to be a way to customize some of the configuration (by altering preference files in a template directory) for little things like , but some research on the Interwebz told me that there may have been a way to do that with older versions of OS X, but it was rendered obsolete in newer versions.

I contacted our account rep at Apple and asked to get in touch with an engineer, which they arranged. I sent them a description of what was happening and what we were trying to do with regard to registering Office in the temporary session, customizing the default web browser selection and adding an icon to the Dock, and, most perplexing, the Keychain errors. I was hoping that an Apple engineer would know more about how to alter these settings (and get whatever was holding that keychain open to release it...), or set me straight if I was missing a particular way to manage the Mac clients that could control the interface.

The response:

The guest account doesn’t quite fit your requirements. You could create your own guest account and then manipulate the prefs files for default browser, office licensing file, etc. 

Other than that there are products like Deep Freeze or FileWave to manage lab or kiosk type machines. 

For the keychain issue, try this on a test machine first:

Delete the "User Template/English.lproj/Library/Keychains/" folder.

Guest must be suitable only for a very narrow set of use cases. I also verified that there wasn't a Keychains folder in that template directory.

As far as I can tell, Guest is really kind of a worthless feature in most cases.

Last try...Deep Freeze

That brings me to the final round. We purchased several Deep Freeze licenses and created a new user named Login. I configured Login to have no password, tweaked the default home directory to have a minimal Dock with only the useful icons, set Chrome as the default browser, and registered Office with generic user settings.

The login is local, so there's no worry about a password change causing Keychain to get out of sync and start spitting errors.

I had limited exposure to Deep Freeze on the Windows platform before, and no exposure to the Mac version of the application. Basically, the application redirects filesystem writes to a temporary location that is wiped at restart. Unlike Guest, which only deleted files from the Guest home directory, Deep Freeze clears changes made anywhere on the system. One of my favorite cathartic activities when I ran Deep Freeze on Windows was to delete the Windows subdirectory, or delete other system subfolders until Windows started throwing errors before crashing. Upon reboot, all went back to the previous configuration, system files and all.

Note that you should only do that in a "frozen" state. If the machine was thawed when the files were deleted, you were kind of boned.

Freeze status is monitored through an extended report in Apple Remote Desktop, unlike the Windows version, which connected to a management control program.

The user I named "Login" had no password, making it easy to use for our users.

Deep Freeze has a setting that reboots the system when you log out, which resets it. So far I haven't run into a system waiting at a logoff prompt as I did with Guest, so reboots with Deep Freeze seem to be working (and resetting) fine.

Office was registered before being frozen for the Login user, so users no longer get that prompt.

And of course the Dock has the icons for the most used applications, along with Chrome set to the default web browser.

My only complaint so far with Deep Freeze has been that it doesn't get along with Apple's Core Storage volume driver or with Fusion Drive. We didn't have Fusion Drive-equipped systems...but I thought I'd throw that in there.

I suspect Core Storage, which is kind of like a pluggable volume layer for the Mac that handles features like FileVault, doesn't get along with Deep Freeze because Deep Freeze inserts itself at a similar driver level.

I was able to install Deep Freeze on most of our existing systems because I think we accidentally broke the default Core Storage-enabled volumes when we upgraded the hard drives in the Mac Minis. If you didn't upgrade them and Core Storage is enabled, the fix is basically going to involve a reinstall of the operating system. That...is annoying. Especially after spending time tweaking all the settings and getting everything set up, only to get to the Deep Freeze install stage and have it spit an error back at you.

In summary...

Does anyone actually use Guest on their Mac? If you do, what is it used for? It seems unsuitable for use as a kiosk. It can't be tweaked with regard to preferences or icons in the Dock. I contacted an Apple engineer hoping I was stupidly overlooking something simple, only to be told that I was asking too much of the Guest capabilities (was I really asking all that much?).

In my opinion, with Guest being so limited, Apple should just eliminate it. Especially with that lingering Keychain bug...

Monday, April 13, 2015

Goodbye Mail.app, Hello Thunderbird

Oh, Mail.app...our love/hate relationship blossomed so quickly. I was willing to overlook your quirks for so long but some recent interactions pushed the limit beyond my tolerance levels.

I overlooked your occasional decision to just stop receiving mail. Lunchtime would roll around and I'd realize that I didn't get the announcement that it was ready...I'd check Gmail's web interface and the message was there, sometimes with other messages in the queue as well, but your interface showed no new messages. I'd close you out and relaunch, and the new messages would pour in. But we all have occasional lapses in attention. As long as my phone or a Pavlovian response reminded me to check when you were acting up, I guess that was good enough to forgive the occasional lapse.

Then there were the times you didn't let me eject a disk. Well, an SD card, but it's treated as a disk. I'd insert the card, and then I'd attach an image stored on it...it was the simplest way to get images from the camera to you...to a coworker so he could retouch it for use in our badge printer. Then I'd try to eject the disk after sending the email and the operating system insisted the disk was in use. lsof would confirm that you were holding the file open. Why?

You'd never tell me. But if I exited and relaunched you, suddenly the SD card could be ejected. I figured it was just your way of pulling a silly prank on me. Maybe it was your way of protesting frivolous use of fclose(). Or you were trying to train me to copy files to a local directory before using them as attachments. Perhaps fclose() is just hard? I don't know. You just persisted in teasing me, never telling me why.

But some sins just couldn't be forgiven. I mean, the whole "forgetting to get mail" thing was close...especially when I'm expected to reply to requests for help. I was fortunate enough to have multiple notification systems for that, so...haha! Joke was on you!

Crashing the operating system was over the line. I'm not sure how it happened, exactly. I suspected it was triggered by something in the formatting of a quote from one of our vendors; I'd view the message, and part of the quote...listing all the options in the system configuration...was missing. Within a minute the operating system belched a warning that all the application memory was exhausted. I couldn't stop it once the spiral started. The interface became unresponsive and soon locked up. Secure shell no longer answered attempts to connect. The operating system just giggled at me in a permanently frozen grin. I had to power cycle the machine. If you relaunched and tried previewing that message again, BAM, memory exhaustion followed with another hard reset. This was a quirk I couldn't work around.

Well, technically I could use Gmail's web interface to clear the message, which is what I did. But if I got another message from that vendor with a quote attached, I knew it would lead to another round of hard restarts and filesystem checks. I was stuck waiting for what amounted to a denial of service attack straight to my inbox.

So it was at this point I had no choice but to say goodbye. It turns out there don't seem to be a lot of free mail clients for OS X. Maybe I didn't look hard enough. But that's okay. I decided to give Thunderbird a try. It's not perfect; it's a cross-platform client, and it shows in the way it handles the interface. It doesn't quite feel like it does things in the "Macintosh Way." But it's decent. So far it doesn't crash on me when viewing attachments. I haven't exhaustively checked everything, but I'm sure I'll discover handling issues over time, if they're there.

And you didn't make it easy to leave you, Mail! I had to search to figure out how to set Thunderbird as my "default" mail client. Turns out I had to launch YOU again and change the setting from your menus! It made no sense to me!

There are times that I miss you. I think of you every time I search for an email. It's impossible! Well, as long as I use Thunderbird's search. It's painful. There's a setting in the preferences to allow Spotlight to index messages; I end up using that instead. It's irritating, having to use a service outside the application to search for something stored in the application. But at least it works.

Well, mostly. Even after making the "default mail client change," opening messages from Spotlight search results would open using you! There's no easy way to find a way to change that. I ended up opening a question on the Apple Stack Exchange site to try fixing it.

And of course Thunderbird acts a little weird about attachments. It has a neat feature where if I type the word "attached"...like, "I attached a photo to edit for Bob's badge!"...Thunderbird will ask me if I want to attach a file. And I can navigate to the folder and attach the file in question. It appears as a "file" list in a pane near the top of my mail composer.

But I can also drag and drop the picture into the composition window. Then the image appears right in the email, much like when I attach files into your messages, Mail!

But...it's not consistent. I sent the same image both ways, and when I received them, it was like the message was embedding the file in two different ways. How weird and annoying. I also realized that attachments don't show up in the reader. PDFs look like attached icons, and to view them I have to open them. I can't drag and drop them to other applications; with Mail, I can have our online Kanban board open to a card and drop attachments on it to upload them to that system. So I'd get a quote from a vendor, and on the card where I was tracking the purchase, I would just drag the PDF from the email to the Kanban card and it would upload. With Thunderbird I had to save the file to disk first. Another annoyance.

There are just too many seemingly common file formats that Thunderbird doesn't know how to display inline. An annoyance. About on par with the times you wouldn't let me eject a disk after sending a file. Tolerable, I guess.

Now I'm waiting for a showstopper to appear in Thunderbird. It took a while before I gave up on you, Mail.app. It took a long time before I hit something that I just couldn't make excuses for anymore. And I'm still sad to say goodbye; you have so much potential! I wanted you to work well. But sometimes...it felt like you just didn't get enough love from your programming team. I saw people complaining about issues similar to my memory exhaustion problem back in October, nearly 6 months ago! Couldn't this have been addressed in a patch by now?

Now I'm getting into the groove of using Thunderbird. Even if you did fix these issues, I don't know if I'll want to come back. Or I won't want to come back without a really good incentive. I suppose it's possible. Maybe someday I'll forget about your irritations and wonder why I ever left you. I'll reinstall the operating system and think it's best to just use the default client rather than go through the trouble of reconfiguring Thunderbird all over again...there sure are a lot of settings to tweak, after all. Maybe at that point I'll sigh and dread making sure all my settings are properly set and decide it's best to just return to you, after writing this post becomes a distant memory.

Or the Thunderbird team will have a simple way to export settings.

Tuesday, April 7, 2015

Mac Thunderbolt Display Serial Numbers from the Command Line

A display recently "died" on one of our users. It no longer lit up...turning it into a shiny work of pitch-black art...but the hub functions still worked, and remotely connecting to the system with Apple Remote Desktop showed two displays (the Thunderbolt Display and the connected laptop's own.)

In order to check the status of the AppleCare warranty, I needed the serial number. This display had previously been removed from its stand and connected to a mounting arm, so I couldn't guarantee the hardware matched what was printed on the bottom of the stand. Uh-oh.

Fear not! The Mac actually has a number of fairly awesome tools available if you know where to look. The system I had connected to it was running 10.9 and the system information application wouldn't tell me the serial number of the display. 

The workaround is to open the terminal, then run:

sudo system_profiler SPDisplaysDataType

This spits out some helpful information, and buried in that information dump is a section called Displays. In that is "Thunderbolt Display:", and under that is the serial number!
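Here is a small parser, added as an example and not from the original post, that walks the indented text output of system_profiler and prints each display name alongside its serial number, so you don't have to eyeball the dump over an ssh session. It assumes the field is labelled "Display Serial Number:" under the display's own node, as in 10.9-era output; the sample output embedded below is constructed, and the serial in it is fake.

```shell
#!/bin/sh
# Added example, not from the original post: extract "<display name><TAB><serial>"
# pairs from the text output of 'system_profiler SPDisplaysDataType'.
# On a real Mac, pipe the command into the function:
#     system_profiler SPDisplaysDataType | extract_display_serials
# Assumption: the serial is reported on a "Display Serial Number:" line nested
# under the display's node (e.g. "Thunderbolt Display:").

extract_display_serials() {
    # Walk the indented tree: an indented line ending in ':' with nothing after
    # the colon opens a node; each 'Display Serial Number:' line is attributed
    # to the most recently opened node.
    awk '
        /^[ \t]+[^:]+:[ \t]*$/ {
            name = $0
            sub(/^[ \t]+/, "", name)       # strip indentation
            sub(/:[ \t]*$/, "", name)      # strip trailing colon
            current = name
            next
        }
        /Display Serial Number:/ {
            serial = $0
            sub(/.*Display Serial Number:[ \t]*/, "", serial)
            if (serial == "") serial = "(blank)"
            print current "\t" serial
        }
    '
}

# Constructed sample output (not captured from a real machine; serial is fake).
SAMPLE_OUTPUT='Graphics/Displays:

    Intel Iris Pro:

      Chipset Model: Intel Iris Pro
      Type: GPU
      Bus: Built-In
      VRAM (Dynamic, Max): 1536 MB
      Vendor: Intel (0x8086)
      Displays:
        Color LCD:
          Display Type: Retina LCD
          Resolution: 2880 x 1800 Retina
          Main Display: Yes
          Mirror: Off
          Online: Yes
        Thunderbolt Display:
          Display Serial Number: C02EXAMPLE001
          Resolution: 2560 x 1440
          Mirror: Off
          Online: Yes
          Rotation: Supported
          Connection Type: DisplayPort
'

# Demo run over the constructed sample; prints "Thunderbolt Display<TAB>C02EXAMPLE001".
printf '%s\n' "$SAMPLE_OUTPUT" | extract_display_serials
```

The built-in panel has no serial line in the sample, so only the Thunderbolt Display is reported; a display whose serial line is present but empty is printed as "(blank)" so you can tell "not reported" from "reported as nothing".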

Seriously handy for system information, especially if you have to ssh into a user system and look up hardware information. For more information take a gander at:

system_profiler -usage

Saturday, April 4, 2015

Upgrading GoLang From Source (Using Git)

I used to have a pretty straightforward way of upgrading my GoLang installation on the Raspberry Pi (ARM Linux). A few quick commands and a long wait while it recompiled, and everything was right as rain. Then the Go team decided everything would move to Git, and I had to follow suit or keep fighting to get Mercurial to work with a neglected repo.

So how do you upgrade using Git?

From the home directory where I keep my Go subdirectory:

cd go/src
git fetch
git checkout <tag>
./all.bash

Wait until baked to a golden brown and remove from the oven. Voilà.

How do you know what tag to use? And when to upgrade?

From the golang-announce list, of course. You can manually check there for latest release information or subscribe to get the announcements to your inbox.
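The four commands above, wrapped in a function with the checks I'd want before rebuilding a toolchain from source: refuse a tag name that doesn't look like a Go release, refuse to clobber local edits, confirm the tag actually exists after fetching, and confirm HEAD is exactly that tag before running the build. This is an added example and not from the original post or the Go project; the function name, the path argument, and the optional third argument (the build command, defaulting to ./all.bash) are my own.

```shell
#!/bin/sh
# Added example, not from the original post: upgrade a from-source Go checkout
# to a named release tag, with sanity checks around the plain
# "git fetch; git checkout <tag>; ./all.bash" sequence.
#
# Usage:  upgrade_go_to_tag "$HOME/go/src" go1.4.2
# Arguments: path to the go/src directory, the release tag announced on
# golang-announce, and optionally the build command (defaults to ./all.bash).

upgrade_go_to_tag() {
    go_src=$1
    tag=$2
    build=${3:-./all.bash}

    # Only accept something shaped like a Go release tag (go1.4.2, go1.5rc1, ...).
    case "$tag" in
        go[0-9]*) ;;
        *) echo "refusing: '$tag' does not look like a Go release tag" >&2; return 2 ;;
    esac

    (
        cd "$go_src" || exit 1

        # Don't silently discard local changes by switching trees.
        if [ -n "$(git status --porcelain)" ]; then
            echo "refusing: working tree in $go_src has local changes" >&2
            exit 3
        fi

        # Fetch new commits and tags from the upstream remote.
        git fetch --tags origin || exit 1

        # Make sure the tag exists before trying to check it out.
        if ! git rev-parse -q --verify "refs/tags/$tag" >/dev/null; then
            echo "no such tag: $tag (check golang-announce for the exact name)" >&2
            exit 4
        fi

        git checkout -q "$tag" || exit 1

        # Confirm HEAD is exactly the requested tag, not some nearby commit.
        if [ "$(git describe --tags --exact-match 2>/dev/null)" != "$tag" ]; then
            echo "checkout did not land on $tag" >&2
            exit 5
        fi

        # Now bake: ./all.bash builds the toolchain and runs its tests.
        $build
    )
}
```

The build runs in a subshell so the cd doesn't leak into your interactive session, and the distinct exit codes (2 bad tag name, 3 dirty tree, 4 unknown tag, 5 checkout mismatch) make it usable from a cron job or a wrapper script that only rebuilds when a new release is announced.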