Brian Van Peski - macOS Adventures

How to get MacBook Display Size via Script

“I need to get the screen size for each device in my fleet”, I was told.

I had to scratch my head for a second and ask some followup questions. Did they mean the currently user-set resolution? The maximum possible resolution of the display?

It turns out, they wanted a way to programatically capture the size of the physical hardware display in inches for use in renaming the Apple laptops in their fleet. They needed to use the display size as part of the laptop hostnames for asset/inventory purposes.

Fair enough! How do we find that? Doesn’t Apple usually include the display size in the model name like “MacBook Air, 13-inch 2020”?

system_profiler seems like the most obvious choice to find that model name. While it does offer specs related to a display’s resolution, it does not provide the actual display size. You could certainly reverse engineer the display size using the resolution and some pixel math, but it wasn’t the approach I wanted to take and I knew it would be a headache given different PPI specs for various models. You could also create a dictionary with every single model identifier and its screen size and then match them up in a script, but that would be cumbersome and not very future proof. So we’ve got to find something else to work with.

How to script System Settings on macOS Sonoma

I’ve been tracking and cataloging all the different components of System Settings for a while now, and now that the latest version of macOS is out in the wild, I wanted to dive into macOS Sonoma and see if anything new was worth noting in System Settings.

System Settings remains nearly exactly the same as it was in macOS Ventura as far as high-level sidebar categories go, but if you dig deeper you will find a few new sub-menu items that you can open with a shell script. Let’s take a deeper look at what’s new.

Merch!

While I’ve always had a knack for computers, I didn’t find my way into working with them as an engineer until after college. As seems to be common in our industry, I’ve got a creative side and I went to school to study graphic design rather than computer science. I still try to find opportunities to express that creative energy through the generation of office memes, slack emojis, and visually appealing documentation.

Over the years I’ve taken several jokes from around the office and turned them into shirt designs to gift to the team. I thought that others in the tech community might also get a chuckle out of them, so I’m making these t-shirt designs available for purchase. A new design featuring the logo of this blog has been launched alongside some of more classic designs I’ve created over the years.

If dorky shirt designs are of interest to you, head on over to my store to purchase one!

See ya at MacAdmins!

I’ll be at MacAdmins Conference this week. Hope to see some of you there!

Four ways to determine if macOS Rapid Security Response updates have been installed on your fleet.

Well, it happened. Apple has used the macOS Rapid Security Response feature for the first time since announcing it at WWDC.

It’s designed to enable quicker and more frequent security patching for the latest Apple operating systems, especially for WebKit-related flaws that affect Safari and other apps that use Apple’s built-in browser engine. If you’re looking for additional reading on what RSR is and how it works, the articles below are a good starting point:

It’s worth noting that this specific update is only available to the latest version of macOS 13.3.1, and that Apple has stated that security updates and patches may only be available to the latest versions of macOS moving forward.

If that doesn’t drive some urgency to update your Mac fleet, I don’t know what will. But how do you determine which computers have been successfully patched?

If you look up the macOS version on a patched mac with sw_vers -productVersion, it still reports 13.3.1. Same with inspecting /System/Library/CoreServices/SystemVersion.plist. If you click on About This Mac, the window does properly list 13.3.1 (a), with the (a) indicating that the Rapid Security Response update has been applied.

How do we determine if the Rapid Security Response update was installed programmatically?

ScreenNudge v1.7

It’s been a while since I first announced ScreenNudge, a tool designed to help guide end users towards approving Screen Recording for applications that require it. I’ve added a few tweaks and improvements that I hope you’ll enjoy.

If you want to download the latest script, you can find it on GitHub. If you want a breakdown of the changes, keep reading.

How to Identify macOS Update History

As an admin, you may need to look up a list of previously installed software updates for a device. You can do this pretty easily with system_profiler and the SPInstallHistoryDataType command.

/usr/sbin/system_profiler SPInstallHistoryDataType

This will spit out a complete list of updates installed on the device and their source and installation date, sorted by date.

    Slack:

      Version: 4.25.0
      Source: 3rd Party
      Install Date: 3/29/22, 8:12 AM

    Apple Configurator:

      Version: 2.15.1
      Source: Apple
      Install Date: 3/29/22, 12:03 PM

    Keynote:

      Version: 12.0
      Source: Apple
      Install Date: 4/7/22, 8:41 AM

    macOS 12.3.1:

      Version: 12.3.1
      Source: Apple
      Install Date: 4/10/22, 12:22 PM

This is useful, but let’s say I want to only show macOS update history. In fact, I want to precisely determine, “Has this device updated to macOS Ventura from a previous version of macOS?”. If not, then it likely came preinstalled with macOS Ventura or has been wiped and restored with macOS Ventura.

So let’s dive in and figure out how we can accomplish our end goal…

UnActivation Lock v1.5

In last week’s post on how to disable and prevent user-based Activation Lock, I highlighted a script that I wrote that can prompt users to log out of Find My Mac if a Mac has Activation Lock enabled, which allows the MDM to put a “disallow user-based Activation Lock” key in place on the machine. (If you’d like a deep dive on Activation Lock, I’d encourage you to re-visit that blog post).

With the initial release of that script pushed out the door, I got to work on the improvements I wanted to add for the next revision. In addition to my own list, I also included some feedback and feature requests that I received from the mac admin community.

If you want to download the latest script, you can find it on GitHub. If you want a breakdown of the changes, keep reading.

A Guide to Disabling & Preventing iCloud Activation Lock

It’s time for an adventure down the rabbit hole that is iCloud Activation Lock!

Apple’s iCloud Activation Lock feature is one of those features from Apple that is great for personal users and device security, but can be an absolute pain for admins.

I have spoken to many an admin who has a pile of MacBooks or iPads sitting in their office that are activation locked, sometimes with no method of recovery for getting back into those laptops. It’s such an issue that oftentimes perfect useable laptops have to be sold for parts because they cannot be re-used without the Activation Lock being removed from the device.

How do these devices get activation locked by users in the first place?

Keep in mind, there are two types of Activation Lock (device-based and user-based).

From Apple’s documentation:

There are two types of Activation Lock available to organizations:

Device-based: Device-based Activation Lock requires Apple School Manager, Apple Business Manager, or Apple Business Essentials and is generally simpler to manage for organizations. It enables MDM to fully control enabling and disabling of Activation Lock through server-side interactions.

User-based: User-based Activation Lock requires the user to have a personal iCloud account and for them to enable Find My. This method allows the user to lock an organization-owned device to their personal iCloud account if the MDM solution has allowed Activation Lock.

I will be focusing on user-based Activation Lock in this post (Device-based Activation Lock as of this writing, only applies to iPadOS and iOS).

I’m going to break this blog post into two sections: Steps you can take for devices that are already activation locked, and some thoughts on how to prevent Activation Lock in the first place.

How to open every section of macOS Ventura System Settings

Awhile back I wrote about identifying panes in System Preferences in order to figure out how to deep link directly to specific parts of System Preferences. That resulted in a near complete dictionary on how to open nearly every single section of System Preferences via script in macOS Monterey.

macOS settings have changed drastically in macOS Ventura, bringing with it a new name (System Settings) as well as a unified visual interface that has been a bit divisive among the apple community. A recent post from Rich Trouton reminded me to take a look at System Settings now that macOS Ventura has been released, and create a revised list that reflects the changes that were made in the latest operating system.

You can find the complete compiled list of macOS Ventura’s System Settings here.

A few observations regarding the new System Settings:

Apple seems to be using a new “extension” schema for items in System Settings as referenced by the new .extension naming you see in the screenshot below. However, some of the bulkier sections of the app have maintained their previous .preference schema, particularly Privacy (open "x-apple.systempreferences:com.apple.preference.security?Privacy) and Accessibility
Even though the new app is called System Settings, the URL scheme still retains it’s systempreferences designation of x-apple.systempreferences
Apple is still mixing .preference and .preferences in their URL schemes, although most of that comes from legacy stuff that is still compatible.
All sections of System Settings support URLScheme now! In Monterey, it was a mixed bag and depended on if an individual pane supported URLSchemes or not.