Building a Signed Package with The Luggage

Recently I wanted to be able to sign a package that I was building with The Luggage.

Since The Luggage is calling pkgbuild to build the package, I took a look at the pkgbuild documentation and determined that the following argument was needed :
--sign "Common name of signing cert"

The question then became : how to add this to my Makefile? Taking a look at luggage.make I saw that PB_EXTRA_ARGS is the variable used to contain the arguments for the pkgbuild command.

To add my signing argument, I simply added this line :
PB_EXTRA_ARGS+= --sign "Developer ID Installer: John Doe (ID12345678)"
This appends my –sign argument to the list of pkgbuild arguments and can be placed anywhere after the statement that includes luggage.make.

Enabling Syntax Highlighting for vim in Mac OS X

Mac OS X ships with the vim editor, which supports syntax highlighting.  By default, however, syntax highlighting is not turned on.  Fortunately it is not hard to enable it.

Settings for vim are controlled by two files, one controlling settings globally and the other controlling settings for the user.  /usr/share/vim/vimrc is the file that will control the global settings.  changes made to this file will affect all users of the machine. On a new build of 10.9, here is what the file contains :

" Configuration file for vim
set modelines=0 " CVE-2007-2438

" Normally we use vim-extensions. If you want true vi-compatibility
" remove change the following statements
set nocompatible " Use Vim defaults instead of 100% vi compatibility
set backspace=2 " more powerful backspacing

" Don't write backup file if vim is being called by "crontab -e"
au BufWrite /private/tmp/crontab.* set nowritebackup
" Don't write backup file if vim is being called by "chpass"
au BufWrite /private/etc/pw.* set nowritebackup

The file for controlling vim settings for the user is ~/.vimrc By default, this file does not exist. To turn on syntax highlighting, we can simply create a text file by that name and add this line :

syntax on

vim will now use syntax highlighting the next time a file is opened. But what if you don’t care for the default color scheme? We can set the color scheme by adding a second line to the .vimrc file like so :

syntax on
colo desert

My favorite color scheme is desert, I find it works nice with my preferred Terminal color scheme (Homebrew). To see what color schemes ship with Mac OS, look at /usr/share/vim/vim73/colors The .vim files in this directory are the color schemes. Just try different ones by changing the .vimrc file and find the one you like best.

Powershell Script to Query for Bitlocker Keys in Active Directory

In my organization, we are using Bitlocker to encrypt Windows 7 computers. We are storing the recovery keys in Active Directory, this stores the key as an attribute of the computer object. I recently wanted to generate a report of the bitlocker status of the computer objects in AD. I found out I could do this pretty easily in Powershell, and thought I would document that here.  My inspiration for this script came from this Technet Gallery script

To start, we need the Quest ActiveRoles Management Shell for for Active Directory.   This is available for free from Quest and can be downloaded from here.  This should be downloaded and installed on the workstation that is going to be used to run the script.  With this installed, we are ready to take a look at the script.

# Check to make sure the path has been specified otherwise display a message and exit the script
if (!$CsvFilePath) {
Write-Host ""
Write-Host "Path not not specified!"
Write-Host "Please specify the path for the output as a parameter e.g. : "
Write-Host ".\Get-BitlockerComputerReport.ps1 """c:\reports\BitlockerReport.csv""""

Continue reading

More on Displaying the Bitlocker Wizard with Windows 8 and MDT 2012 U1

I a previous post, I detailed how to get the Bitlocker wizard page to appear when deploying Windows 8 pro.

I recently confirmed another case where the wizard does not show up. I became aware of this thread on Technet because another user linked to my previously mentioned blog post.

I was able to confirm after a bit of testing, that when using the Windows 8 Enterprise evaluation media, MDT does not show the Bitlocker wizard page. At this point, I am not sure of the reason for this.

Sending Email Notification from MDT 2012

In my recent rework of my Build and Capture sequences that are used for updating my reference images, I thought it would be nice to have an email notification when the process was done.  This post is to show how I did this.

I did this using Powershell’s Send-MailMessage cmdlet.  This provides a simple way to send a message via SMTP, and this MDT 2012u1 provides support for Powershell scripts it seemed a logical choice.  Since I wanted to send the message at the end of a Capture process, I needed to be able to send the message from the WindowsPE environment. Continue reading

Of Black Boxes and Complex Systems

I am currently re-reading John Lienhard’s The Engines of Our Ingenuity and I came across this nugget that I think we can apply to IT.

We must teach students that someone else’s subject matter is not a black box, that those boxes can and must be opened.  What one fool can do, another fool can also do, and any student is smart enough to open any other student’s black box.  That in turn brings us back to the matter of systems.  Once we realize that we cannot deal with part of a system in isolation, it becomes very clear that encasing knowledge in boxes is one of the most destructive things we do. [page 171]

I find that last sentence to be very powerful.  While Lienhard is talking about educating engineering students in this passage, I feel that this can be applied to IT organizations.  If we allow ourselves to become too compartmentalized, then we are less efficient at trouble shooting and will provide less satisfactory service to our constituents.

Don’t misunderstand me here, I understand that there  is a place (and even need) for a separation of duties and a system of checks and balances.  The problem arises when we start guarding information and building silos around our disciplines. When we do this, we make both ourselves and those around us less effective.

Edit : For more from John Lienhard visit

Displaying the Bitlocker Wizard Pane with Windows 8 Pro and MDT 2012 Update 1

Using MDT 2012 Update 1 with ADK, I built and captured a Windows 8 Pro image to enable my institution to more easily do some testing with Windows 8. After setting up a task sequence to deploy this reference image I noticed something unexpected. When choosing the Win 8 task sequence, I was not presented with the Bitlocker wizard pane. The wizard pane was showing up fine for my Win 7 task sequences.

I posed the question on the MDT-OSD email list, and Michael Niehaus to the rescue! Turns out there is logic in the MDT scripts to determine if the edition of Windows is a “Premium SKU” to determine what features are available. Since I was using Windows 8 Pro instead of Enterprise it was not getting marked as a premium SKU.

Of course, since Win 8 Pro does support Bitlocker (Win 7 Pro did not), this is a bug. A user posted a bug report to Microsoft along with some work around code. If you have a Connect account, you can see the bug report here.

The work around :

In ZTIUtility.vbs add the following two lines of code after line 3846 :

</p><p></p><p>case "PROFESSIONAL", "PROFESSIONALE", "PROFESSIONALN"</p><p> If Left(oEnvironment.Item("OSCurrentVersion"), 3) &gt;= 6.2 Then IsHighEndSKUEx = True</p><p></p><p>

Update 1-14-2014 :

Hat tip to this Post on This bug still exists in MDT 2013 and Windows 8.1 has been released since the writing of this post. The above lines of code have been changed to allow for Windows 8.1 (changed from equal to greater than or equal).

Packaging a LaunchAgent Script with The Luggage

Previously, I showed how to install Luggage, and how to package a drag and drop app.  In this installment, we will look at how to package up a LaunchAgent script.

We will work with a simple script to mount a couple of file shares when a user logs into their computer.  To set it up as a LaunchAgent, we need two pieces.  First, the script itself ( needs to be copied to /Library/Scripts/Myorg and everyone should have read and execute permissions.  Second, a plist (com.myorg.connectshares.plist) file which controls the execution of the script needs to be copied to /Library/LaunchAgents and and everyone should have read permissions. Continue reading

Installing Novell ZCM Adaptive Agent in MDT 2012

The Novell ZCM Adaptive Agent is an example of an application that needs to be installed at deployment time and should not be included in the reference image.  In general, MDT Lite Touch handles installing applications at deployment time quite nicely.

The Adaptive agent, however is an example of an install process that does not play nice with MDT.  It really is a quite horrible installer.  First, lets take a look at the installer and what it does. Continue reading