Mac OS X WPA2 Enterprise Authentication Using a Microsoft CA - Part 1

Getting a Macintosh to join a corporate wifi network that uses a certificate from a Microsoft certificate authority for authentication is pretty easy after Mountain Lion (OS X 10.8) added support for DCE/RPC certificate requests. There are four primary tasks to accomplish this:

  • Bind the Mac to Active Directory
  • Add the Microsoft CA to the keychain
  • Request a Machine certificate from the CA
  • Configure the wifi network using the certificate for authentication

Configuration Profiles

These tasks can all be done using configuration profiles. Configuration profiles are XML files that can be created or edited by hand or through tools like OS X Server Profile Manager. You can do all of this in a single configuration profile if desired, but I recommend splitting it into multiple profiles. With multiple profiles you can more easily make changes and troubleshoot problems that may be profile-related. For example, if all the items are in a single profile and you want to remove the wifi settings, you will also unbind the machine from Active Directory.

Active Directory Binding

Apple has a whitepaper that describes binding a Mac to AD. There is also a KB article describing all the parameters in detail. I recommend using a dedicated profile with a single payload just for the AD binding.

Figure: AD Profile

Figure: AD Profile General

In the description field of the general section of all my profiles I include a version number to keep track of profile revisions. You can also require a password to prevent users from removing the profile without authorization.

How you configure the profile will depend on your environment. At a minimum you will need to provide:

  • Server Hostname - Just entering the domain name should let the client find a domain controller on its own. It is not recommended to enter a specific domain controller name as this may change.
  • Username/Password - The name and password of an account with rights to join machines to AD. Using the default groups this would be at least Account Operator, but I’d recommend creating a dedicated account for joining machines to the domain that has fewer rights.
  • Client ID - The hostname of the Macintosh. In the example below I use the naming convention “MAC” followed by the machine’s serial number. %SerialNumber% is a payload variable that resolves to the serial number of the computer the profile is installed on. Apple has a list of supported payload variables.
  • Organizational Unit - The default location for machine accounts in Active Directory is the computers container, specified by entering “cn=computers,dc=domain,dc=com”. If your organization puts machines into an alternate OU, the format is “ou=foo,ou=bar,dc=domain,dc=com”. Note the syntax difference between the default computers container (cn=computers) and a custom organizational unit (ou=foo,ou=bar).
  • Create mobile account at login - This is not strictly required but it is recommended. If you neglect to create a mobile account at login then the user will not be able to log in when not on your corporate network.

Figure: Directory Payload

Other settings worth noting in your AD binding profile are under the Administrative tab. Here you can add usernames and/or groups that are automatically granted administrative rights on your Macintosh machines. By default the Active Directory groups enterprise admins and domain admins are included. It is also worth noting that the namespace defaults to domain, which may create some naming issues with your mobile accounts. With the namespace set to domain, local user profiles are created in /Users/DOMAIN\userid/, which has a backslash in the folder name. In general this is a valid character, but some apps (Powerpoint, I’m looking at you!) may not work well with files in the user’s home directory when it is named this way. It’s also just generally unpleasant and awkward to work with. Changing the namespace to forest will result in mobile profiles in the format /Users/userid/, which is counterintuitive but nevertheless the desired naming convention.

Figure: Administrative Tab
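For those who would rather build the profile by hand than in Profile Manager, here is an added example (not the post's own profile) that emits the single AD payload described above with Python's plistlib. The payload keys are those of the com.apple.DirectoryService.managed payload in Apple's Configuration Profile Reference; the org.example identifiers, domain and OU values are placeholders.

```python
"""Build the single-payload AD binding profile described above with plistlib.

Added example, not the original post's profile. Payload keys are those of the
com.apple.DirectoryService.managed payload in Apple's Configuration Profile
Reference; the org.example identifiers and domain values are placeholders.
"""
import plistlib
import uuid

PROFILE_VERSION = "1.0"  # kept in the description field to track revisions


def check_ou_dn(ou_dn):
    """Catch the cn=/ou= mix-up the post warns about: the default container is
    'cn=computers,dc=...', while a custom OU must be written 'ou=foo,ou=bar,dc=...'."""
    rdns = [r.strip().lower() for r in ou_dn.split(",")]
    dcs = [r for r in rdns if r.startswith("dc=")]
    rest = [r for r in rdns if not r.startswith("dc=")]
    if not dcs or not rest:
        return False
    return rest == ["cn=computers"] or all(r.startswith("ou=") for r in rest)


def ad_binding_profile(domain, bind_user, bind_password, ou_dn,
                       namespace="forest", admin_groups=None, removal_password=None):
    """Return the profile as a dict; a removal-password payload is added only
    when one is requested, so the AD binding stays a single payload otherwise."""
    if not check_ou_dn(ou_dn):
        raise ValueError(f"bad OU syntax: {ou_dn}")
    if namespace not in ("domain", "forest"):
        raise ValueError("ADNamespace must be 'domain' or 'forest'")
    ad_payload = {
        "PayloadType": "com.apple.DirectoryService.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "org.example.ad-binding.directory",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Directory",
        "HostName": domain,               # domain name only; the client finds a DC itself
        "UserName": bind_user,            # account with just the rights to join machines
        "Password": bind_password,        # stored in clear in the .mobileconfig: protect the file
        "ClientID": "MAC%SerialNumber%",  # payload variable resolved on the client
        "ADOrganizationalUnit": ou_dn,
        "ADCreateMobileAccountAtLogin": True,
        "ADNamespace": namespace,         # 'forest' -> /Users/userid, 'domain' -> /Users/DOMAIN\\userid
    }
    if admin_groups:  # Administrative tab; omitted, the built-in default groups apply
        ad_payload["ADDomainAdminGroupList"] = list(admin_groups)
    payloads = [ad_payload]
    if removal_password:
        payloads.append({
            "PayloadType": "com.apple.profileRemovalPassword",
            "PayloadVersion": 1,
            "PayloadIdentifier": "org.example.ad-binding.removal",
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": "Removal Password",
            "RemovalPassword": removal_password,
        })
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "org.example.ad-binding",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "AD Binding",
        "PayloadDescription": f"Binds the Mac to {domain}. Version {PROFILE_VERSION}",
        "PayloadScope": "System",
        "PayloadContent": payloads,
    }


def serialize_profile(profile):
    """Return the profile as plist XML, which is what a .mobileconfig file contains."""
    return plistlib.dumps(profile)
```

Write `serialize_profile(...)` to a file ending in .mobileconfig and install it as you would any other profile.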

Part 2 covers the rest of the process.

Locking Mac OS X With a Keyboard Shortcut

On Windows computers, in a work environment, I've always had the habit of locking my screen whenever I walk away by hitting either Windows-L or Ctrl-Alt-Del and then Enter (because "lock this computer" is selected by default in the dialog displayed after Ctrl-Alt-Del).  For the past few years of using a Mac at my workplace I've missed this functionality. There are various workarounds like displaying the keychain status in the menu bar (this adds a quick "Lock Screen" menu option), screensaver hot corners, assigning a script to a keyboard shortcut, etc., but I never found a simple and stock solution. It finally occurred to me when looking at some keyboard shortcuts recently that you can achieve this by setting "Require password immediately after sleep" in Security & Privacy and then simply hitting Shift-Control-Power to put the display to sleep.  It's a much better solution and pretty easy to do once you develop the habit.

EDIT:  I had googled this a few years ago and never found this tip, but now I see that lots of others have come up with this same idea.

Sync a Shared Calendar with Active Sync on Google Apps

When you use ActiveSync to sync your mail, contacts, and calendars with Google Apps there is an annoying extra step required to add a shared calendar to each device that you sync.  You need to go to https://m.google.com/sync/settings/ and select your device and then select the calendars you wish to sync to that device.  You have to go to the link from your mobile device too, just to make it even more annoying. Every time I get a new mobile device I always need to track down the link.  I should just bookmark it, but in the past it used to just take a little googling and the answer would pop right up.  But since Google dropped ActiveSync support for the masses, most of my google results either return the new way of doing it, which seems like it should work but doesn't affect ActiveSync, or articles about Google dropping support for ActiveSync.

Anyway, this blog post will serve as my bookmark and maybe help out other Google Apps users that are trying to find the link as well.

Grand Circus

Two weeks ago my manager told me that our VP of IT had gotten us 5 seats in any class offered by Grand Circus, a new Detroit tech training startup.  The only stipulation was that at least one of the seats had to be in the Build an iPhone App course.  Presumably he wants to see some internal iOS development come out of this.  Needless to say, all 5 of us opted for the iPhone class. The place is pretty much exactly what you would imagine if someone told you that they were taking a class at a hot new tech startup (they've even been named a Google tech hub, whatever that is).  There are unconventional weeble chairs in the lobby, kegs of disappointingly old beer, whiteboard paint in the classroom (we just write on the walls here man, it's cool), etc.

grandcircus

Although it almost seems like a parody of itself I still think the class will be cool. It's actually a little fun to be part of the Detroit Tech Scene even though I'm the cynical old guy that finds it all sort of amusing.  Nevertheless, I've been wanting to learn iOS programming for a few years now but I just never seem to find the motivation to dig into it.  Taking a class will force me to focus on it which is exactly what I need right now.  The downside is that it's a 10 week class, 2 nights a week, and I'm also enrolled in a class for my Master's Degree at OU so this semester will be rough.

Save SCCM Inventory Troubleshooting Information

A coworker asked me this morning if I remembered troubleshooting an SCCM file inventory issue a few years ago.  We had to create a special file that would cause SCCM to save software inventory information.  I barely even remembered doing it, much less what the file was named or where to put it.  It took a little googling to track it down so I figured I'd write a quick blog entry for my own future reference since I no longer actively do SCCM administration. The short answer is to create one of the following files:

  • %systemroot%\system32\ccm\inventory\temp\archive_reports.sms  (32-bit)
  • %systemroot%\SysWOW64\ccm\inventory\temp\archive_reports.sms (64-bit)

When SCCM sees this file it will keep copies of the XML files that contain inventory scan information which would ordinarily be deleted.  You should delete this file when you are done troubleshooting or you will eventually run out of space.

You can find more details about this file as well as two other special SCCM files, no_sms_on_drive.sms and skpwi.dat, on this technet blog post.

GMail vs Outlook.com

In my last post I described migrating my email from Google Apps to Outlook.com. My migration was successful but it only lasted around a week before I switched back to Google and paid the $50/year for EAS support. From a strictly email point of view I was pretty happy with Outlook.com.  I can't say I have a strong preference for either Gmail or Outlook.com.  I do find Outlook.com's sidebar ads more intrusive than Gmail's ads.  I never really even noticed the ads in my Gmail and now that I'm on the paid version of Google Apps for Business, I have no ads at all.

At first I thought I preferred the Outlook.com calendar.  It looks a bit nicer than Google.  The integrated weather forecast is a very cool feature.  But after using it for a while I'm not a fan of the animated drop down thing you use to move between mail, calendar, skydrive, etc.  It looks nice but takes more clicks.  I prefer the simple google toolbar.  Switching between day/week/month view in Outlook takes more clicks as well.  The Google calendar just seems to be faster to navigate in general.

I'm in grad school and last semester as an experiment I used Google Drive/Google Docs for all my schoolwork.  Note taking, paper writing, etc.  It worked out really well, better than using a full office suite.  I never had to worry about saving my documents, or having them available from whichever computer or device I had on hand at the moment.  Google Docs has an integrated research tool that makes it incredibly easy to insert footnotes as references in your documents.  I also found that I prefer to submit my papers as PDF rather than DOCX or RTF, that way there is no issue with formatting or compatibility.  Google Docs can export your files as PDF, DOCX, RTF, and a few others.  I played around a bit with SkyDrive/Office Web Apps and found that it doesn't do any of this.  Office Web Apps is a pretty nice suite but it is very basic and can't really compete with Google Apps yet.  Also, even after years of exposure, I'm still not a fan of the Office Ribbon.  Finally, there is no SkyDrive syncing app for Mac OS X which means I'm completely trusting my stuff to "the cloud" with no simple offline recovery options.  So even though I can still use Google Apps without Gmail, I just felt like I preferred the more integrated approach.

The final straw came when I was attempting to view a picture that my wife sent me and I got a message that my Silverlight plugin was out of date.  Hey, thanks for reminding me that I have Silverlight installed, I should remove that as soon as I get done moving my mail back to Google.


Migrating from Google Apps to Outlook.com

There was a lot of publicity about Google’s decision to drop support for Google Sync.  Google Sync is Google’s implementation of Exchange ActiveSync and it was a much better way to configure your gmail on an iPhone than the default method which uses IMAP.  EAS provides immediate push email and seems to be better than CALDAV/CARDDAV for syncing contacts and calendar information as well.  IMAP pulls down email every 15 minutes at best.

When Google dropped support for EAS, existing phones were grandfathered in.  However, I recently installed the iOS 7 beta on my iPhone and Google is treating it like a new phone, meaning they are not allowing me to use EAS any longer.  After a few hours of using IMAP I was already getting frustrated.  I started using Google’s Gmail app, which uses Apple’s push notification service to alert you that you have new email.  This was okay... the Gmail app has advantages and disadvantages over the native iOS mail app but I could live with it.  However, when I created an appointment in my google calendar using a browser and it still hadn’t synced down to my phone calendar after several hours I knew something had to be done.

For most Gmail users the options are limited.  You pretty much have to deal with it or change your email address and move to a new provider.  I was in a good situation because I had been using Google Apps to host email for my kevinbecker.org domain.  I was on the free tier, which no longer exists but, once again, I am grandfathered in.  This means I had two options, both of which would let me keep my existing email address.  Option one is to upgrade to Google Apps for Business, which costs $50/year for each account but provides EAS support as well as some other perks.  The other option is to change to another email provider for my domain.  I found that Microsoft offers free domain hosting for Outlook.com mail services, which naturally includes EAS support, so I decided to give it a try.

I’ll give a quick overview of the basic process, followed by a detailed guide for those that are interested.  Any feedback is appreciated if I left anything out or if the process changes in the future.

Overview

  • Setup your domain at domains.live.com
  • If you want to move your Gmail to Outlook.com, don’t create your MX record yet, verify your domain with a TXT record instead
  • Recreate your email account for your new domain
  • Sign in to your new email account at Outlook.com and configure it to use POP3 to pull your email from your Gmail account.  This may take a very long time.
  • Export your Gmail calendar as an ICS file and import it into your Outlook.com account
  • Export your Gmail contacts to an Outlook formatted CSV and import them into your Outlook.com account
  • Change the DNS MX for your domain record to point to Microsoft’s SMTP server
  • Enjoy free EAS support for your mobile devices

Initial Setup

Go to domains.live.com  and create or sign in with an existing Microsoft ID.

Click “Add a domain” and enter the domain name you are using for Google Apps.

Choose “Set up Outlook.com for my domain”.  Don’t worry, this will not immediately change your mail.

You will get a message telling you that you need to prove ownership of the domain by creating a DNS record.  Do not do the “Mail Setup” portion yet.  This step changes your MX record to start delivering your mail to Microsoft instead of Google.  If you are ready to make the switch immediately then you can do this now, but I wanted to get everything configured first to make the switch more seamless.  So instead I did the optional "Prove Domain Ownership" step.  Once you’ve proven domain ownership you can setup your email accounts so everything is ready before you change the MX record.

Create the TXT record as described.  The details will vary depending on who is hosting the DNS for your domain.  My DNS is provided by hostmonster.com as part of my webhosting service.  If google is hosting your DNS then, presumably, they provide an interface for modifying records, if not you may need to move your DNS from Google to somewhere else like dyn.com.

Back to domains.live.com.  At some point, depending on DNS propagation times, you will be able to access the “Member Accounts” section.  Now you can create your email account so that it is ready to start receiving email as soon as the MX record is changed to point to Microsoft’s mail servers.

Once the account is created you can sign into it at Outlook.com using your full email address, but it will not be receiving any email yet.  If your email address is not the same address that you used for your Microsoft ID when setting up the custom domain, you may need to sign out and sign in again with the correct account.


Moving Your Mail

Sign into your Google Apps email and select the gear icon in the upper right and select “Settings”

Select the “Forwarding and POP/IMAP” tab along the top and verify that POP is enabled for all mail.

If you do not already have a second email alias for your account you will have to add one now.  Again, from the gear icon in the upper right, select “Manage this domain”

Go to Users and select your username and then select “Add a nickname”

Now sign in to your account at outlook.com

Click the gear in the upper right and select “More mail settings”

Select “Your email accounts” and add a “Send and receive account”

For the email address you must use the nickname you just created in Google Apps.  This is because Outlook.com thinks it is already hosting your primary email address, so to get your email from Google you’ll need to use the nickname.

Select advanced options and for the incoming POP3 server address use “pop.gmail.com” port 995.  Check “Require SSL” and “Leave copy of messages on the server”.  This way you can always go back to google if you decide that Microsoft is not working out.

The outgoing SMTP server is not important.

Your gmail should start to slowly trickle into your new outlook inbox.  It took me around 24 hours to get everything.

Once all my mail had migrated over, I had several hundred legitimate email messages that got moved to my junk folder.  After selecting them all and marking them “not junk” I then selected my entire inbox and marked it all as read.

Moving Your Calendar

The mail was the hardest part.  Moving your calendar is simple.

From your Google Apps calendar, click the gear icon in the upper right and select “Settings”

Select the “Calendars” tab and near the middle of the screen there should be an option to “export calendars”.

This will download a zipped ics file with all of your calendar info.

Now go to your Outlook.com calendar and select “Import”

Choose “Import into existing calendar” and select the file you just downloaded. (unzip it first)

Moving Your Contacts

Moving your contacts is very similar to moving your calendar.

From your Google Apps contacts, click the “More” button and select “Export”

The default is “all contacts” which might be excessive.  This will have anyone you’ve ever sent to or received email from.  I just exported “My Contacts” which is a group of contacts that I have specifically added.

For the format, choose “Outlook CSV”

This will download a CSV file.

Now go to your Outlook.com contacts (called People)

There is a box offering to add contacts from various sources, including Google.  I’m not sure what exactly would happen when synced with Google this way but we are making a clean break so select “Import from file” and select the CSV file that was just downloaded.

Make the Switch

Now it’s time to update your MX record.  Again, the details will vary depending on your DNS provider but basically you’ll need to delete any existing MX records that point to Google and create the new MX record for Microsoft.  The details for the MX record are described in your domain management page at domains.live.com.  Be sure to sign in with the correct Microsoft ID.  That is, you may have to sign out of your new Outlook.com account unless it is the same account that you used when setting up the domain.  I also had a CNAME entry for mail.kevinbecker.org pointing to ghs.googlehosted.com which I deleted and recreated pointing to go.domains.live.com.  If you want a similar setup you will also need to create the mail.yourdomain.com entry for your domain at domains.live.com under “Custom Addresses”.  You can do this for multiple different services like mail, maps, skydrive, etc. but I only wanted mail.

Enjoy

That's basically it.  There may be a delay for your DNS changes but you can now set up your mobile device to use EAS for your new outlook.com address.  You will need to manually set the server to m.outlook.com.  Leave the domain empty and use "user@domain.tld" for your username.

Tunnel SSH through a proxy on MacOS X Mountain Lion

Until recently my workplace allowed direct ssh traffic to pretty much anywhere.  They recently blocked this, which makes sense from a security point of view but is very inconvenient at times.  Luckily it is pretty easy to tunnel ssh through our http proxy so I can still get to external hosts and they can still monitor what I am doing. The first step is to install Xcode if you haven't already.  In Mountain Lion, Xcode is now available through the Mac App Store.  After you've installed Xcode, you'll need to install the command line tools.  Launch Xcode and go to Preferences > Downloads to install the command line tools.

Next, download corkscrew.  The corkscrew README has more or less everything you need to know from here, but the basic procedure is to launch Terminal and then enter the following commands:

cd ~/Downloads
tar -xvf corkscrew-2.0.tar
cd corkscrew-2.0
./configure --host=apple

The configure command is the only part that varies from the README.  Without specifying the host I was getting an error "configure: error: can not guess host type; you must specify one".  After configure is done, then run two more commands.

make
sudo make install

Next you will need to create the file ~/.ssh/config if it doesn't already exist and add the following line, where proxy.example.com is your proxy server and 8080 is the port it is listening on:

ProxyCommand /usr/local/bin/corkscrew proxy.example.com 8080 %h %p

If your proxy requires authentication like mine then you need to modify your ~/.ssh/config slightly.

ProxyCommand /usr/local/bin/corkscrew proxy.example.com 8080 %h %p ~/.ssh/myauth

And then also create the file ~/.ssh/myauth and put your username and password for the proxy in it.

username:password

You should also modify the permissions on myauth for a little added security.

chmod 600 ~/.ssh/myauth

Lastly, I only want to go through the proxy for external hosts.  The current setup will apply to all hosts.  You can modify the entry in the ~/.ssh/config file to apply only to a particular host or hosts.  If you only have a small number of hosts you need to access the simplest way would be to just put each entry on one line separated by whitespace.  If you want to get more advanced you can use pattern matching as described in the ssh config manpage.

Host host1.external.com host2.external.com
ProxyCommand /usr/local/bin/corkscrew proxy.example.com 8080 %h %p ~/.ssh/myauth

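For a look at what corkscrew is actually doing on the wire, here is an added example (not corkscrew's own code) in Python: a ProxyCommand that issues the same HTTP CONNECT request with Basic proxy authentication read from ~/.ssh/myauth, checks the proxy's reply, and relays the ssh stream. The file name connect_proxy.py is hypothetical.

```python
"""Stand-in for corkscrew: an ssh ProxyCommand that asks the HTTP proxy to CONNECT to
the ssh host and then relays bytes between ssh (stdin/stdout) and the tunnel.
Added example, not corkscrew's own code; the file name connect_proxy.py is hypothetical:
    ProxyCommand python3 ~/.ssh/connect_proxy.py proxy.example.com 8080 %h %p ~/.ssh/myauth
"""
import base64
import os
import select
import socket
import stat
import sys


def load_auth(path):
    """Read 'username:password' from the auth file, refusing one that is not chmod 600."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} is mode {oct(mode)}; it must be readable only by you")
    return open(path, encoding="utf-8").read().strip()


def build_connect_request(host, port, auth=None):
    """Return the HTTP CONNECT request the proxy sees; auth is 'user:pass' or None."""
    lines = [f"CONNECT {host}:{port} HTTP/1.0"]
    if auth:
        token = base64.b64encode(auth.encode("utf-8")).decode("ascii")
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_response(data):
    """Return the status code from the proxy's reply (200 means the tunnel is open)."""
    status_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ")
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def relay(sock):
    # Copy bytes both ways until ssh (our stdin) or the remote side closes.
    stdin_fd, stdout_fd = sys.stdin.fileno(), sys.stdout.fileno()
    while True:
        readable, _, _ = select.select([stdin_fd, sock], [], [])
        if stdin_fd in readable:
            chunk = os.read(stdin_fd, 65536)
            if not chunk:
                return
            sock.sendall(chunk)
        if sock in readable:
            chunk = sock.recv(65536)
            if not chunk:
                return
            os.write(stdout_fd, chunk)


def main(argv):
    proxy_host, proxy_port, host, port = argv[1], int(argv[2]), argv[3], int(argv[4])
    auth = load_auth(argv[5]) if len(argv) > 5 else None
    with socket.create_connection((proxy_host, proxy_port), timeout=30) as sock:
        sock.sendall(build_connect_request(host, port, auth))
        reply = b""
        while b"\r\n\r\n" not in reply:  # read the proxy's response headers
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection before replying")
            reply += chunk
        status = parse_connect_response(reply)
        if status != 200:  # 407 here means the myauth credentials were rejected
            sys.exit(f"proxy refused CONNECT with status {status}")
        sock.settimeout(None)  # the tunnel may sit idle; only the handshake is timed
        relay(sock)


if __name__ == "__main__":
    main(sys.argv)
```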

Reverse Scrolling on Windows 8

Somehow I managed to get a Mac Mini for my primary work desktop (even though my job is primarily Windows based).  I also have a company MacBook Air and an iMac at home.  So basically I've grown so used to the reverse scrolling introduced in Mac OS Lion that Windows drives me crazy now.  We've been evaluating Windows 8 and I'm trying to use it as my primary OS to immerse myself, but I just can't take the "normal" scrolling, especially when I'm using it on my MacBook. There are lots of links on the internet pointing to 3rd party tools to modify this but eventually I found a better solution, editing one registry key.  That blog specifies Windows 7 but it also works on Windows 8.  In addition to "FlipFlopWheel" I also changed "FlipFlopHScroll".

The steps, as copied from Volker Voecking's blog are:

  1. Find the hardware ID of the mouse
    • Go to the mouse control panel
    • Select “Hardware” tab
    • Click “Properties” button
    • Select “Details” tab
    • From the drop-down list choose “Hardware IDs”
    • Save the VID*** entry ( e.g. VID_045E&PID_0039 )
  2. Find and change the corresponding configuration settings in the registry
    • Run regedit.exe
    • Open Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\HID
    • Here you should find an entry for the hardware ID of your mouse
    • In all sub-keys of the hardware id key look for the “DeviceParameters” key and change the “FlipFlopWheel” value from 0 to 1
  3. Make it work
    • Unplug the mouse
    • Count to five :-)
    • Plug the mouse back in

Safari 6 Never Remember Passwords for Any Site

I never configure my browser to remember passwords for me.  I work on too many different computers to rely on my browser to remember things for me, so I have my own system for keeping track of passwords.  Usually the first time I get a popup offering to remember my password on a new computer or browser I immediately go into the preferences and turn the feature off completely. After upgrading to Mountain Lion, which included Safari 6, I couldn't find this option.  You can choose to never remember passwords for a particular website but you are still prompted at least once for every website.  I asked google right after I upgraded and didn't find an answer, but after upgrading two more macs and living with Mountain Lion for a few weeks the popups were starting to wear on me.  Luckily by this time, google had an answer.  Apparently the option is now under "autofill" instead of "passwords".  If you turn off "usernames and passwords" you won't be prompted to remember any more passwords.  Thanks google!