Apple Configurator 2 and VPN Shared Secrets (or “Higher Numbers Are Not Always Better.”)

Apple’s Configurator application (now Apple Configurator 2, because it’s an irrefutable rule that adding more numbers to things makes them intrinsically better) is an essential tool in the enterprising Mac IT person’s toolbox. Initially it was designed as the way to build profiles that you’d put onto iPads, but it’s increasingly become a sort of multitool that you can use to build configuration profiles on an ad hoc basis, and even to resuscitate dead T2-enabled Macs.

It’s great, except that (as is the way of things) updates not only introduce fixes but occasionally add new and interesting problems. More specifically (and the reason I’m writing all of this nonsense), I spent a frustrating hour or two this week trying to work out why in the name of all that’s good and true Apple would see fit to remove the Shared Secret field from the VPN configuration portion of the Configurator. I’d been building config profiles to post on an intranet for a client, so imagine my surprise when instead of seeing a field where I could pop in the Shared Secret I saw… well. Nothing. Nothing at all. And that was a problem.

Do you see a field for the Shared Secret? No. You do not. Neither do I.

So, a problem. But every problem is a solution waiting to be discovered, and happily enough this one is the most enjoyable kind of head-scratcher: the kind that can be solved with a modicum of common sense and only minor trickery. Happier yet, the .config files generated by Apple Configurator are basically just XML Property List files that can be opened in a text editor and tweaked. It’s just a case of knowing what tweaks to make.

First, figuring out what to add to the .config file. The mysterious removal of the Shared Secret field showed up with the most recent version of Apple Configurator (2.12.1), but prior versions allowed you to set that configuration, so digging out an older .config file and opening it alongside a new one lets you see what’s different, thus:

One of these is not like the other.

The older .config file (on the right), includes this text:

<key>IPSec</key>
<dict>
<key>AuthenticationMethod</key>
<string>SharedSecret</string>
<key>PromptForVPNPIN</key>
<false/>
<key>OnDemandEnabled</key>
<integer>0</integer>
<key>SharedSecret</key>
<data> encoded-shared-secret </data>
</dict>

So, copying that into the new, non-shared-secreted .config file should theoretically add the shared secret into the configuration. Great! There’s just one more piece of the puzzle: encoding the shared secret itself. The <data> element holds the raw bytes of the secret as Base64. There are websites out there that will let you plug in text and convert it to Base64, but please don’t paste a VPN shared secret into somebody else’s web form; it’s simple enough to do it in the Terminal. Let’s say your shared secret is… well, let’s just call it sharedsecretpassword:

echo -n 'sharedsecretpassword' | base64

Which will translate sharedsecretpassword to c2hhcmVkc2VjcmV0cGFzc3dvcmQ= (the -n matters: without it echo appends a newline, the newline gets encoded too, and the secret won’t match what the VPN server expects).

Edit the .config file thus:

<key>IPSec</key>
<dict>
<key>AuthenticationMethod</key>
<string>SharedSecret</string>
<key>PromptForVPNPIN</key>
<false/>
<key>OnDemandEnabled</key>
<integer>0</integer>
<key>SharedSecret</key>
<data> c2hhcmVkc2VjcmV0cGFzc3dvcmQ= </data>
</dict>

…hit “Save”, et voila. You’ll now have a functional VPN config file that can be deployed with the shared secret (even though Apple Configurator doesn’t seem to want you to). One thing to keep in mind before posting it on an intranet: Base64 is an encoding, not encryption, so anyone who can download the profile can recover the shared secret with a single base64 -D. Treat the .config file with the same care as the secret itself.
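The same edit done with Python’s plistlib instead of a text editor, as an added example that is not part of the original post. It loads the profile, adds the IPSec dictionary shown above, stores the secret as raw bytes (plistlib writes bytes out as a Base64 <data> element, so the separate base64 step disappears) and serialises it back to XML. The profile it operates on is a constructed stand-in for what Configurator 2.12.1 saves without a shared secret; the payload identifiers, UUIDs, user name and server name are made up.

```python
"""Inject an IPSec shared secret into a VPN configuration profile with plistlib.

Added example, not from the original post. The profile below is a constructed
stand-in for a Configurator-saved L2TP profile; identifiers and names are made up.
"""
import copy
import plistlib

VPN_PAYLOAD_TYPE = "com.apple.vpn.managed"

# Constructed: the shape of a profile saved without an IPSec shared secret.
# Only the keys needed for the demonstration are included.
PROFILE_WITHOUT_SECRET = {
    "PayloadContent": [
        {
            "PayloadType": VPN_PAYLOAD_TYPE,
            "PayloadIdentifier": "com.example.vpn.office",           # made up
            "PayloadUUID": "3F2B9E0C-1111-4222-8333-444455556666",   # made up
            "PayloadVersion": 1,
            "UserDefinedName": "Office VPN",
            "VPNType": "L2TP",
            "PPP": {"CommRemoteAddress": "vpn.example.com", "AuthName": "alice"},
        }
    ],
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.vpn",                          # made up
    "PayloadUUID": "7A8B9C0D-1111-4222-8333-999988887777",           # made up
    "PayloadVersion": 1,
    "PayloadScope": "System",
}


def add_shared_secret(profile, secret):
    """Return a copy of `profile` whose VPN payload(s) carry the IPSec dict
    quoted in the post, with `secret` stored as bytes."""
    patched = copy.deepcopy(profile)
    vpn_payloads = [p for p in patched["PayloadContent"]
                    if p.get("PayloadType") == VPN_PAYLOAD_TYPE]
    if not vpn_payloads:
        raise ValueError("profile contains no com.apple.vpn.managed payload")
    for payload in vpn_payloads:
        ipsec = payload.setdefault("IPSec", {})   # keep anything already there
        ipsec["AuthenticationMethod"] = "SharedSecret"
        ipsec["PromptForVPNPIN"] = False
        ipsec["OnDemandEnabled"] = 0
        # bytes are written as <data>...</data>; this is encoding, not encryption
        ipsec["SharedSecret"] = secret.encode("utf-8")
    return patched


def to_xml(profile):
    """Serialise in the XML plist form that Configurator reads and writes."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def shared_secret_in(xml):
    """Read the secret back out of a serialised profile, which is exactly
    what anyone who can download the file from the intranet can do."""
    profile = plistlib.loads(xml)
    for payload in profile["PayloadContent"]:
        if payload.get("PayloadType") == VPN_PAYLOAD_TYPE:
            return payload["IPSec"]["SharedSecret"]
    return None


def patch_file(src, dst, secret):
    """File-to-file version: read src, inject the secret, write dst."""
    with open(src, "rb") as fh:
        profile = plistlib.load(fh)
    with open(dst, "wb") as fh:
        fh.write(to_xml(add_shared_secret(profile, secret)))


if __name__ == "__main__":
    print(to_xml(add_shared_secret(PROFILE_WITHOUT_SECRET, "sharedsecretpassword")).decode())
```

Running it prints the profile with the same c2hhcmVkc2VjcmV0cGFzc3dvcmQ= string the echo | base64 pipeline produced, which is a useful check that the hand edit and the programmatic one agree. The shared_secret_in function is there to make the point about exposure concrete: recovering the secret from the file takes one function call.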

Making Nice with .DS_Store

One thing that’s become abundantly apparent during this long, disease-vectored sequester we all seem to be on is that this time represents a wonderful opportunity to get the kind of frank, honest feedback about ourselves that only our nearest and dearest can bestow. And by “bestow” I mean “crush all illusions about how you are perceived by the people who are around you the most.”

Two things that I’m being educated on of late are that I am not as amusing as I think and that I’m also fussy about things in ways that are frequently incompatible with other people. Not in big, interesting ways (I mean, I’m not a monster), but in small, frustrating ways. I like my coffee very specifically made from one very specific coffee shop that my coffee friends look down on as being The Bad Coffee Shop, and will ruthlessly subvert and hijack plans so that said Bad Coffee Shop ends up being our ultimate destination. Being masked and gloved and PPE’d and socially distanced hasn’t changed that – it’s just made it more apparent and troublesome.

It’s nothing personal. It’s just that I know that the Bad Coffee Shop is secretly the Best Coffee Shop. I’m capable of sustaining the position that my way is really the only correct way, even while cheerfully acknowledging that said position is, in fact, tangibly incorrect. I call it the “Grand Irrefutable Theory of Self Deception™” because it’s my flaw and the very least I should be able to do is name the wretched thing.

Take Finder views, for example. I like them when they look like this:

This is the way you should be.

…because the Column view is clearly superior, and everyone should look at their files that way. It’s so much better! You can zip up and down directory hierarchies quickly and simply! I’m right!

Not everyone feels that way – mostly because of the afore-mentioned “Grand Irrefutable Theory of” etc. Some people (philistines and malcontents in the main) prefer the old fashioned icon view, thus:

Why?

It’s unfortunate that some of us have to work with these poor, misguided folks, but there’s no reason why you should have to put up with their ham-fisted insanity when there’s a better way.

Your Mac knows how you like your files positioned and your preferred view and retains that information in tiny, invisible files that it creates in each directory you access. These files are .DS_Store files, where “DS” stands for “Desktop Services”. They’re difficult to open and inspect, but once you crack one open and take a look it’s clear that they contain information about the window’s position on screen, the window view, icon size, relative position inside the window, the status and visibility of the window bar icons, the sidebar, backgrounds, snap-to-grid, stacks and so on and so forth. Whenever you change view or move something around, those changes are written to the .DS_Store file so that next time you open that window it appears exactly the way you left it.

Which is great if it’s your computer, but not so great if it’s a share on a server that is also accessed by nincompoops and dunderheaded ne’er-do-wells who prefer icon view for some insane, incalculable reason, because the moment they open that window they see your (superb, intelligent, morally-superior) layout and not their stupid mess. And then they change it to reflect the way they like to do things and then when you open it again it’s all awful and you have to step away and go lie down in a dark, cool room for a while.

Happily, there’s a way to tell your Mac not to write those .DS_Store files to network volumes (it has no effect on local disks), which leaves the share’s layout in whatever nonsensical, asinine state your idiot colleagues and co-workers like it in, without your Mac stomping on it. Simply fire up the Terminal and enter the following:

defaults write com.apple.desktopservices DSDontWriteNetworkStores true

Log out and back in (or restart) for the change to take effect. Once you’ve done that then your colleagues will be able to set up the way they view those files according to whatever the inchoate voices in their heads tell them to, and your Finder won’t write your view settings back over theirs. Instead, the next time that you access that folder you’ll be able to set the view appropriately. Like the misunderstood genius that you are. Right? Right.

Staying Cool with kernel_task

Here’s fun. Back in the Halcyon Days of 1982 one Richard McClintock made an interesting discovery – the origins of Lorem Ipsum (you know, the filler text you occasionally find padding out web pages and anywhere requiring placeholder material), thus:

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Mr McClintock – in a letter to Before & After magazine in 1994 – pointed out that the full passage was originally an excerpt from Cicero’s ethical treatise “The Extremes of Good And Evil” which was the number one hot bestseller of 45 B.C (probably). At some point in the sixteenth century – so the theory goes – an annoyed typesetter threw Cicero’s text into his press along with some filler, nonsense words in order to pad out enough text to mockup different types and fonts for a book, and then due to tradition and institutional laziness it stuck around for the next five hundred years and is still popping up today whenever You Just Need To Put Something There.

The thing is that it turns out there’s enormous value in having something on tap that you can use as a quick, reliable placeholder. It makes your life easier, you don’t have to constantly reinvent the wheel and go find new material to put into place, and it’s widely recognized for what it is; not actual content, but something to fill empty space until actual content can be substituted and you can go back to work.

But this isn’t my typeset blog; this is my macOS IT blog. And I’m not here to talk about placeholder text; I’m here to talk about placeholder processes. Hmm? What’s that? Well, I’m glad you asked. Meet kernel_task – the Lorem Ipsum of the macOS world.

When your Mac is running something particularly demanding then the chances are that whatever the “something” is will be using a lot of the CPU. You can see this in the Activity Monitor.app – sorting by % CPU will show you which apps or services are using the most system resources. The more CPU a process or program uses the more power it consumes, and the more heat it generates. And that’s fine; well-engineered computers and devices are built with heat tolerance and dissipation in mind (well, most are. I had a colleague who blew through three – yes, three – cheap PC laptops that all melted while my slightly more expensive PowerBook kept on ticking in support of the Sam Vimes Theory of Boots). Still, there are times and circumstances where it pays to have a way to throttle the activity of your computer to allow it to cool down – and this is what kernel_task does.

Simply put, kernel_task is the kernel’s own process. It’s always there, but when the Mac decides that it’s running too hot it deliberately lets kernel_task hog the CPU, specifically to keep other processes and applications away from it. Google Chrome wants to use a hundred percent of your CPU? Sorry; it’ll have to wait. kernel_task is using that right now, except all it’s doing is twiddling its thumbs, waiting for the computer to cool down while the fans run. The big number next to it in Activity Monitor isn’t kernel_task doing work, and you can’t (and shouldn’t try to) quit it. Once things are back to an acceptable operating temperature then kernel_task frees up more and more resources until finally it all but disappears…

Choose your weapon: VPN, Proxy or Tor

It probably says something mildly disturbing about my character that I’m borderline obsessed with online security. That might sound like a setup for some kind of epic humble-brag (“I suppose my greatest weakness is that I’m too dedicated to doing this thing that is awesome” etc), but honestly, if you want to distract me from anything useful then start talking to me about IT security and I’ll break out the grey beard and pocket protector and suddenly turn from the dapper bon vivant my clients know and love into an utter, utter adenoidal bore.

Freudian theory would dictate that I’m clearly hiding some terrible, dark set of secrets that make me preternaturally concerned with discovery and deceit, but I’m frankly baffled as to what they could be. I mean, my greatest flaws are that I lie about going to the gym, play Dungeons and Dragons over Zoom with other nerds on Thursday nights and my secret addiction is about thirty-five dollars a week in espresso and not opioids or persons of negotiable value. It’s distressingly low-stakes stuff. My midlife crises are of the existential variety and not the acting-out type. I’m… well. I’m pretty dull.

And it’s probably that inherent, unrelenting dullness that makes me interested in security, simply because a lot of it is so cerebral and complex, and scratches all the itches that speak to philately and not philandery. Still, there are nuances that are potentially interesting to people who don’t lick their chops when they hear about end-to-end encryption and start banging on about said subject while their loved ones roll their eyes at the dinner table and exchange just-let-him-get-it-out-of-his-system looks, and those nuances also happily seem to fall into the category of things-I’m-sometimes-asked-about, and so here we are in paragraph three and I’m about to talk about masking your IP address. I’ll try and make this painless.

Practicing safe browsing is common sense in this day and age. It’s not simply a case of hiding your location and details from the authorities out of (probably justifiable) paranoia about The Man, nor is it about using anonymity to go and do illegal things on the internet. Okay, it’s partly about those things, but it’s more about the value of privacy in an age where the commoditization of the individual has become the chief form of currency. Advertisers track you, build profiles of you, push products and content at you, increasingly crafting narratives and information designed to feed their ideas of who you are economically and demographically. Andrew Lewis put it concisely: “If you are not paying for it, you’re not the customer; you’re the product being sold.” It’s an unfortunate condition of using the internet, and it’s kind of gross. But there are simple, easy, legitimate ways to take yourself off the market.

VPNs and proxies are a simple and effective way to mask your location and presence on the internet, and Tor is a technology that essentially builds an alternate network on top of it. There are pros and cons to each.

A VPN creates a Virtual Private Network: an encrypted tunnel between you and the VPN server. Traffic to the rest of the internet is only encrypted as far as that server, which is the part people tend to forget.

Pro: When you connect to a VPN you’re essentially telling your computer that it has a special network interface, and that when data is sent out via that interface it is encrypted and protected and, as far as the world is concerned, you’re actually at the far end of the tunnel. A prime use for VPNs is connecting from a remote location (coffee shop, airport, home) to an office network. You host a VPN at the office and connect to it remotely, and as soon as you do so then your office network thinks that you’re on its local network and in your office and not using the Shake Shack™ guest Wifi network in Irvine, CA. The sketchy guy at the table near the door can see that you’re talking to a VPN server, but he can’t eavesdrop on the traffic going into and out of your computer, and you can access all the resources you have in the office (servers, printers etc) just as if you were actually on the office network, because in a very real sense, you are on the office network.

Con: VPNs don’t always work. Oh, sure, they mostly work just fine, but it’s entirely possible for VPN traffic to be blocked or throttled by ISPs and local networks – particularly if you’re running your own VPN out of your office/remote location. If you don’t run or roll your own and prefer to use a commercial VPN solution (you know, the kind you pay ten bucks a month for) then you need to read some fine print and do some research. Sure, any data you send to and from those VPN providers is securely encrypted, but there’s nothing preventing them from logging what you access on the internet once you’re connected to them. Some VPN providers will swear blind that they don’t keep logs, but that’s not always factually correct.

Proxies are much like VPNs in that traffic you send or receive is handled on your behalf by a third party, but a proxy works per application or protocol rather than for the whole machine, and a plain proxy adds no encryption of its own.

Pro: Proxies are flexible; where a VPN sends everything out of your computer as encrypted traffic to a remote location, a proxy can be set up for a particular service or program. Want to use one proxy for web traffic on Safari and another for gaming? Fiddly, but doable. Also, proxies are relatively simple to set up and inexpensive.

Con: Proxies aren’t any faster than a VPN, and a plain proxy does a miserable job of securing your data: anything the application doesn’t already encrypt itself (HTTPS, say) crosses the local network in the clear, and the proxy operator sees all of it regardless. That guy at Shake Shack™ might as well be like that kid John Ellison when you were in eighth grade who you had pass a note to Hannah Davis during math class to ask if she’ll go out with you. Yes, he’s going to be able to read everything, and No, she was never going to date you with that haircut.

Tor is the one I get asked about least. I think that’s because Tor doesn’t use the internet the way your browser normally does; instead it bounces your traffic through a chain of volunteer-run relays before it reaches the site you’re visiting.

Pro: Tor is very good at one specific thing: hiding who is talking to whom. It’s less a product and more a system: your traffic is wrapped in three layers of encryption and passed through three relays (guard, middle and exit). Each relay peels off one layer and learns only where the data came from and where it goes next, so no single relay sees both you and the destination. To use Tor you’ll need the Tor Browser (based on Firefox).

Con: The Tor Browser is great and allows you to use the Tor network, but on the other hand it’s not infallible. The exit relay is where your traffic leaves Tor for the open internet, so its operator sees the destination and anything that isn’t protected by HTTPS (though not who you are), and you have to trust that whoever runs it isn’t snooping or tampering. Additionally, the Tor Browser only protects data sent by that browser; anything else sent out on your computer is something that your ISP can track, and your ISP can also see that you’re using Tor, because the connection to the first relay isn’t hidden.

So, what does this all get you? Well, it’s clear that there are pros and cons to proxies, Tor and VPNs. But can you mix and match to get the best of all worlds?

Sort of. You can combine Tor and a proxy by connecting to Tor via a proxy, which doesn’t buy you much: the connection to the Tor network is encrypted from your machine regardless, so the proxy learns that you’re using Tor and nothing else. The other way round is marginally more useful: if you connect to a proxy through Tor then your traffic ends up finally exiting through the proxy, so the site you’re visiting sees the proxy’s address rather than a known Tor exit. Your ISP still sees you talking to Tor either way; only the destination is fooled. And it’d be slow. Like, slow.

No, the better move is to combine VPN and Tor. Using those two together isn’t what you’d call fast, either. But if you connect to Tor through a VPN then your ISP sees only a VPN connection, the VPN provider sees you connecting to Tor but not what you do there, and the Tor guard relay sees the VPN’s address rather than yours. What you don’t get is end-to-end encryption: the exit relay still sees whatever the website itself doesn’t encrypt, and the VPN provider still has to be trusted not to log. Your data is encrypted when it enters the Tor network and your origin IP address is likewise protected…
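To make the guard/middle/exit split above concrete, here is a toy model of onion routing as an added example. It is not from the original post and it is not Tor’s actual protocol: the “cipher” is a SHA-256 keystream XOR chosen only so the example runs with the standard library (it is not suitable for real use), and the relay names, session keys, destination and request are all constructed. What it demonstrates is the property the Pro and Con paragraphs rest on: each relay strips one layer and learns only its neighbours, so the guard knows the client but not the destination, the exit knows the destination (and any data the application didn’t encrypt itself) but not the client, and nobody knows everything.

```python
"""Which hop sees what in Tor-style onion routing: a toy model.

Added example, not from the original post and not Tor's protocol. The cipher
is a stand-in (SHA-256 keystream XOR) and all names, keys and data are constructed.
"""
import hashlib
import json

RELAYS = ("guard", "middle", "exit")
# Constructed per-hop session keys. Real Tor negotiates one with each relay.
KEYS = {r: hashlib.sha256(f"toy-session-key-{r}".encode()).digest() for r in RELAYS}


def keystream(key, n):
    """Toy keystream: SHA-256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def xor(data, key):
    """Toy symmetric cipher; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_onion(destination, payload):
    """Wrap payload in three layers: innermost for the exit, outermost for the
    guard. Each layer holds only the next hop and the still-encrypted inner
    blob, so peeling one layer reveals one hop and nothing else."""
    cell = {"next": destination, "inner": payload.hex()}
    blob = xor(json.dumps(cell).encode(), KEYS["exit"])
    for relay, next_hop in (("middle", "exit"), ("guard", "middle")):
        cell = {"next": next_hop, "inner": blob.hex()}
        blob = xor(json.dumps(cell).encode(), KEYS[relay])
    return blob


def peel(relay, blob):
    """What a relay does: strip its own layer, learn the next hop, forward the rest."""
    cell = json.loads(xor(blob, KEYS[relay]))
    return cell["next"], bytes.fromhex(cell["inner"])


def run_circuit(destination, payload):
    """Push one cell client -> guard -> middle -> exit -> destination and record,
    per relay, who handed it the cell, where it forwards it, and the bytes it
    can see after removing its own layer."""
    observed = {}
    blob = build_onion(destination, payload)
    previous = "client"
    for relay in RELAYS:
        next_hop, blob = peel(relay, blob)
        observed[relay] = {"from": previous, "to": next_hop, "data": blob}
        previous = relay
    return observed, blob  # blob is what the destination receives


def knowledge(observed, destination, payload):
    """Per relay: does it know the client, the destination, and the content?"""
    return {
        r: {
            "client": observed[r]["from"] == "client",
            "destination": observed[r]["to"] == destination,
            "content": payload in observed[r]["data"],
        }
        for r in RELAYS
    }


if __name__ == "__main__":
    request = b"GET /secret-page HTTP/1.1"
    seen, delivered = run_circuit("example.com:80", request)
    print(json.dumps(knowledge(seen, "example.com:80", request), indent=2))
```

Passing an already-encrypted payload through run_circuit (a stand-in for HTTPS) shows the other half of the exit-node caveat: the exit still learns the destination, but the content flag drops to False, because what the application encrypts before handing it to Tor is opaque to every relay.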

Moving fast and breaking things with Yubikey and macOS

Right. Last time I wrote about how to configure your Mac to optionally use a Yubikey as a hardware authentication device: you plug the Yubikey into a free USB port and you can then use the PIN for that key to log in to your user account, which is handy if you don’t want to have to mess around with your regular password. However, allowing it as an optional method of authentication isn’t the same thing as requiring it as a method of authentication. In other words, if you didn’t have your Yubikey handy then you could type in your password and still be able to use your computer, but maybe there are times and circumstances where you’d like to disable the ability to use a password entirely and substitute it with a Yubikey.

Yes. It really is this tiny.

This isn’t as crazy as it seems. Gather around the fire, friends, and let me recount a tale from the long, long ago; a fragment from a distant time, a ghostly antiquity from the Turn Of The Century.

A long time ago I worked at a design/branding agency where I had the unenviable duty of acting as a sort of media archivist as well as general IT factotum. This translated to being the guy who – if you needed to pull a work file from an archived job from three years ago – knew where to find the DVD with the data burned onto it. (This was almost twenty years ago. Storage space was expensive and DVDs were cheap. It was a different time, whippersnapper!) I didn’t particularly enjoy this condition of my employ, but it was fine. We used an obscure media-tracking application that had been put into effect some years beforehand and was full of an enormous amount of data that we were stuck with – we made a lot of abortive attempts to shunt the massive, proprietarily-created weird database that the application used into some kind of form that we could slap on the office intranet, with no real effect, so I was stuck doing it by hand; now and again I’d have someone show up and give me a time and a project name and I’d go dig through the archive and pull out the data, and everyone would be happy. To a degree. Okay, all parties would be equally frustrated, but would at least be good-natured and mutually apologetic about it.

Except for one guy, who was kind of a jerk. He thought that this was a ridiculous arrangement – and while I agreed with this in both theory and practice I at least understood that you can’t cram two hundred gigabytes of data into a one hundred gigabyte RAID and that, this being the case, it was a necessary evil that it took a few minutes to go dig up old work. He didn’t. And he didn’t like waiting for me to go find the data for him, so because he wasn’t long on confrontation and was trying to be proactive, he thought the logical first move was that he should try and break into my computer and go find the data for himself.

I don’t think it’s controversial to run the following opinion up the flagpole: This was a dick move. But he was pretty sneaky about it – it took me a while to figure this out, but as the IT guy I’d usually be one of the first people in the office each morning and there were plenty of times that I’d find him there already, in a vile mood, loitering around my office. Sometimes my desk was in disarray (inasmuch as that was possible considering I’d spent years perfecting the platonic ideal of disarray). Once or twice I caught him sitting at my desk with my computer turned on and at the login screen. Just waiting for me to get there, he’d say.

And then, one day, I went to fix… I don’t remember. Probably something to do with QuarkXpress (because it was twenty years ago and QuarkXpress broke so badly and so often that whole careers were made out of fixing the thing), but that’s not important. I was at his desk and saw, stuck on a post-it note, my login password for my computer. He’d been watching me type on the keyboard when I logged in and I think he’d piecemealed it together over time.

This stuck in my craw because it was my computer. As in, not the-computer-that-work-issued-me because all the budget went into gear for the design teams and the computer they gave me had some serious hardware defects, but my computer as in the-one-that-I-bought-with-my-own-money-and-kept-at-my-office-desk. Still, things being as they were, there was little I could do about this except be creative about it, so I was creative about it. For one thing, I changed all my passwords. For another, I put my boot volume on a fast external drive and took it home with me every night. With no operating system there was nothing for him to snoop on. Effective, but drastic, and horribly insecure because if something terrible had happened to that drive (lost, stolen, destroyed) it would have significantly impacted my job performance. Everything was backed up, but it would have cost some time to restore things to their former glory.

Still, while he was a fairly senior person in the company there was a lot of information on that drive that for one reason or another couldn’t live on a server share and also was not for his eyes – after all, as well as finding DVDs and fixing QuarkXpress I also supported the CEO and had a couple of projects I was working on for her on there that the rest of the rank and file should absolutely not know anything about.

(Sidebar: On the slim chance that the offending party might ever read this – you know who you are and I’m still mad about it.)

If there’d been a way to secure login to that computer with a token that I could have kept on a keychain – say, a Yubikey – then this would have been a considerably simpler problem to navigate. That guy could have written passwords or PIN numbers down all day long, but without my hardware token plugged into the thing he’d have been pulling his hair out in frustration. And that would have been a thing of beauty.

It turns out that setting up macOS to only allow authentication via Yubikey/Smartcard isn’t terribly complicated. There are a few hoops to jump through, but the procedure itself isn’t vastly involved. However, there are a few caveats that I’d encourage you bear in mind before going forward.

Firstly, enable the root user (open Directory Utility, which lives in /System/Library/CoreServices/Applications, and choose “Enable Root User” from the Edit menu, giving it a strong password). Having root enabled on your Mac is generally regarded as A Bad Thing for many excellent reasons, but we’re about to go mucking around at the bottom of the Marianas Trench of the operating system, so having God Mode on tap in case things go awry is a must. You can (and should) always turn it off again once we’re done.

Secondly, make sure you have a good backup before you start anything. If something unexpected happens (bizarre system crash, power cut, bad stick of RAM, freak Act of God) then you could incur significant loss of data – or more precisely, significant loss of access to your data.

Assuming you’ve taken both of these into account, we’ll need to change some things in /etc/pam.d, which I wrote about a few weeks back along with an explanation of the mechanics of the thing that might be worth a read.

In case things go awry we’ll do some backing up in /etc/pam.d. I have my Yubikey set up and enabled for sudo and login, so to make a copy of the default, non-tinkered-with configuration for each you should enter the following two commands:

sudo cp /etc/pam.d/login /etc/pam.d/login_backup_`date "+%Y-%m-%d_%H:%M"`

sudo cp /etc/pam.d/sudo /etc/pam.d/sudo_backup_`date "+%Y-%m-%d_%H:%M"`

Note: It is important to back these up prior to changing anything. If you mis-type something and don’t have these files backed up then you’re in a world of hurt, but if you have these files backed up and root access enabled then you can log in as root at the loginwindow and copy these files back to their default names/locations.

Next, if you want to use your PIN instead of your password when executing sudo then replace the contents of /etc/pam.d/sudo with this text (the last auth line, pam_deny.so, is what closes off the password path: if the smart card check doesn’t succeed, nothing after it can):

# sudo: auth account password session
auth        sufficient    pam_smartcard.so
auth        required      pam_opendirectory.so
auth        required      pam_deny.so
account     required      pam_permit.so
password    required      pam_deny.so
session     required      pam_permit.so

At this point you’ll now be required to use your Yubikey PIN instead of your password whenever you want to use sudo. It’s not for everyone, but my PIN is deep in my muscle memory and it’s a lot faster than typing in my password. Before you close the Terminal window you edited the file in, open a second one and confirm that sudo still lets you in with the key plugged in; sudo’s cached credentials in the first window give you a few minutes to copy the backup back if it doesn’t. If you want to change it back then I implore you to make sure that you open the backup you created and then sudo pico /etc/pam.d/sudo and manually make the changes you want rather than deleting the /etc/pam.d/sudo file, because it’s awfully hard to use your keys to unlock your front door when you’ve just chucked the things in the drain.

If you want to force the use of a PIN/Yubikey to log in to the computer then you’ll need to likewise change the contents of /etc/pam.d/login to this:

# login: auth account password session
auth        sufficient    pam_smartcard.so
auth        optional      pam_krb5.so use_kcminit
auth        optional      pam_ntlm.so try_first_pass
auth        optional      pam_mount.so try_first_pass
auth        required      pam_opendirectory.so try_first_pass
auth        required      pam_deny.so
account     required      pam_nologin.so
account     required      pam_opendirectory.so
password    required      pam_opendirectory.so
session     required      pam_launchd.so
session     required      pam_uwtmp.so
session     optional      pam_mount.so

Finally, create a new file on your Desktop by firing off touch ~/Desktop/smartcard.mobileconfig and then pico ~/Desktop/smartcard.mobileconfig and copy in this wall of text:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Configures smart card-only</string>
<key>PayloadDisplayName</key>
<string>Smart card-only</string>
<key>PayloadIdentifier</key>
<string>com.apple.configprofile.78.</string>
<key>PayloadOrganization</key>
<string>Apple</string>
<key>PayloadType</key>
<string>com.apple.security.smartcard</string>
<key>PayloadUUID</key>
<string>5A15247B-899C-474D-B1D7-DBD82BDE5678</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>UserPairing</key>
<false/>
<key>allowSmartCard</key>
<true/>
<key>checkCertificateTrust</key>
<false/>
<key>enforceSmartCard</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string>Smartcard profile.</string>
<key>PayloadDisplayName</key>
<string>Smart card-only</string>
<key>PayloadIdentifier</key>
<string>com.apple.configprofile.77</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadScope</key>
<string>system</string>
<key>PayloadUUID</key>
<string>7D34CC86-C707-44D2-9A9F-C5F6E347BD77</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

Close out of the Terminal, find the smartcard.mobileconfig file you just created, double-click on it and install it.

All things being equal, you should now have your computer set up to require the Yubikey for logging in. If you pull the key out and try to log in you’ll get a password prompt, but neither your password nor your PIN will work until you plug the key in. The same goes for unlocking System Preferences panes or any other task that requires an admin password. Which is exactly the point, so before you rely on it: keep the backup copies of the pam.d files, keep root enabled until you’ve confirmed that a login with the key works, and think about what happens if the key is lost or breaks, because there is no longer a password to fall back on.
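Because a typo in either pam.d file is the difference between “key required” and “nobody gets in”, here is a small checker, as an added example that is not part of the original post and runs on any machine, not just the Mac being configured. It parses pam.d files the way PAM reads them (type, control, module, arguments) and answers the two questions that matter after the edits above: can anything still succeed (if not, you are locked out), and does a password still get you in (if so, the key isn’t actually required). The embedded sudo and login stacks are the two from the post; the third is constructed, the sudo file with its closing pam_deny.so line removed, to show what a password fallback looks like. The pass/fail model is a simplification (each module either passes or fails, and bracketed [value=action] controls are rejected rather than modelled).

```python
"""Sanity-check a pam.d stack before you log out.

Added example, not from the original post. SUDO_PAM and LOGIN_PAM are the files
quoted in the post; SUDO_PAM_WITH_FALLBACK is constructed from SUDO_PAM.
"""

SUDO_PAM = """\
# sudo: auth account password session
auth        sufficient    pam_smartcard.so
auth        required      pam_opendirectory.so
auth        required      pam_deny.so
account     required      pam_permit.so
password    required      pam_deny.so
session     required      pam_permit.so
"""

LOGIN_PAM = """\
# login: auth account password session
auth        sufficient    pam_smartcard.so
auth        optional      pam_krb5.so use_kcminit
auth        optional      pam_ntlm.so try_first_pass
auth        optional      pam_mount.so try_first_pass
auth        required      pam_opendirectory.so try_first_pass
auth        required      pam_deny.so
account     required      pam_nologin.so
account     required      pam_opendirectory.so
password    required      pam_opendirectory.so
session     required      pam_launchd.so
session     required      pam_uwtmp.so
session     optional      pam_mount.so
"""

# Constructed: the post's sudo stack without the auth pam_deny.so line.
SUDO_PAM_WITH_FALLBACK = "\n".join(
    line for line in SUDO_PAM.splitlines()
    if not (line.startswith("auth") and "pam_deny.so" in line)
) + "\n"

TYPES = {"auth", "account", "password", "session"}
CONTROLS = {"required", "requisite", "sufficient", "optional"}
HARD = {"required", "requisite"}


def parse(text):
    """Split a pam.d file into rules. A malformed line raises instead of being
    skipped, because PAM will not read it the way you meant either."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: expected 'type control module [args]'")
        rule = {"line": lineno, "type": parts[0], "control": parts[1],
                "module": parts[2], "args": parts[3:]}
        if rule["type"] not in TYPES:
            raise ValueError(f"line {lineno}: unknown type {rule['type']!r}")
        if rule["control"] not in CONTROLS:
            raise ValueError(f"line {lineno}: unsupported control {rule['control']!r}")
        rules.append(rule)
    return rules


def is_deny(rule):
    return rule["module"] == "pam_deny.so"


def can_succeed(auth):
    """Is there any outcome in which the auth stack passes? Either a sufficient
    line that can pass with no hard pam_deny before it, or a set of hard lines
    none of which is pam_deny."""
    for i, rule in enumerate(auth):
        if rule["control"] == "sufficient" and not is_deny(rule):
            if not any(r["control"] in HARD and is_deny(r) for r in auth[:i]):
                return True
    hard = [r for r in auth if r["control"] in HARD]
    return bool(hard) and not any(is_deny(r) for r in hard)


def password_fallback(auth):
    """Line number of the first non-smart-card module that can grant access on
    its own (no hard pam_deny after it), or None if the key is truly required."""
    for i, rule in enumerate(auth):
        if rule["module"] == "pam_smartcard.so" or is_deny(rule):
            continue
        if rule["control"] in (HARD | {"sufficient"}):
            if not any(r["control"] in HARD and is_deny(r) for r in auth[i + 1:]):
                return rule["line"]
    return None


def audit(text):
    auth = [r for r in parse(text) if r["type"] == "auth"]
    fallback = password_fallback(auth)
    smartcard = any(r["module"] == "pam_smartcard.so" and r["control"] == "sufficient"
                    for r in auth)
    return {
        "lockout": not can_succeed(auth),
        "password_fallback_line": fallback,
        "smartcard_only": smartcard and fallback is None and can_succeed(auth),
    }


if __name__ == "__main__":
    for name, text in (("sudo", SUDO_PAM), ("login", LOGIN_PAM),
                       ("sudo without pam_deny", SUDO_PAM_WITH_FALLBACK)):
        print(name, audit(text))
```

Point it at a real file with audit(open("/etc/pam.d/sudo").read()) before you log out: the post’s two stacks come back as smartcard_only with no lockout, the constructed variant reports that line 3 (pam_opendirectory.so) still accepts a password, and a stack whose pam_smartcard.so line has gone missing reports lockout, which is the state you want to discover from a Terminal window rather than from the login screen.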