Install-Package to fill User-Template or existing User-Library

At my client, the main tools for keeping Macs up and running are Absolute Manage and Apple Remote Desktop. So I have to find a way to deploy files to users, or to prepare Macs in advance with a preconfigured User-Template.

One method is to take over the screen of the User, navigate to the Library and drag-and-drop the files.

Hmmm… It can be done this way… but.

Another way: using the Copy-Functions of Apple Remote Desktop in the menu, where destination-path etc. can be specified.

A little bit better…

With an Installer-Package things can be done in a more straightforward way, and it goes like this:

The installer copies the files to /tmp on the target.

A Postinstall-Script looks up all local users, copies the files from /tmp into each user's directory and sets the right ownership:

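## postinstall
# List local accounts with a UID of 501 or higher (the regular users)
localUsers=$( dscl . list /Users UniqueID | awk '$2 >= 501 {print $1}' )
# Unquoted on purpose: the list has to split into one user name per iteration
for userName in $localUsers; do
cp -R /tmp/INSTALLATIONFILE-OR-DIRECTORY "/Users/$userName/Library/Preferences/"
chown -R "$userName" "/Users/$userName/Library/Preferences/INSTALLATIONFILE-OR-DIRECTORY"
done
exit 0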

With On-Demand-Calls from Users (Ring-ring-ring… “Hello, my SAP is broken, can you help?”) a message with osascript can give delightful results:

osascript -e 'tell app "System Events" to display dialog "Your SAP-Settings are refreshed!" buttons {"OK"} '

A little bit more subtle? Notification Center:

osascript -e 'display notification "Your SAP-Settings are refreshed!" with title "Installation Message"'

In preparing the Mac for upcoming users, the files have to be copied into the User-Template:

cp -R /tmp/INSTALLATIONFILE-OR-DIRECTORY /System/Library/User\ Template/English.lproj/Library/Preferences/

sysadminctl: our new friend

While Mac OS X grew out of NetInfo into Open Directory, bringing along the not-so-obvious dscl commands, Yosemite brought a further improvement with a new user-management command: sysadminctl.

The command creates a user, sets home directory, updates a password or deletes the user-account:

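-deleteUser <user name> [-secure || -keepHome]
-newPassword <new password> -oldPassword <old password> [-passwordHint <password hint>]
-resetPasswordFor <local user name> -newPassword <new password> [-passwordHint <password hint>]
-addUser <user name> [-fullName <full name>] [-UID <user ID>] [-password <user password>] [-hint <user hint>] [-home <full path to home>] [-admin] [-picture <full path to user image>]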

The purpose of dscl (type man dscl and you know what I mean) is more about the general directory-management of Mac OS X and its processes, while sysadminctl is esp. about real human users.

Inspired by the work of the JAMF user community and the necessity at my client, I created a script for creating a local user account that works from Mac OS X Mavericks to El Capitan.

It checks which Mac OS X version is installed and, depending on $OSXVERSION, runs either sysadminctl or dscl.

#!/bin/bash
# holger bartels, 2015
if [ "$(id -u)" != "0" ]; then
    echo "Sorry, you are not root."
    exit 1
fi
# === For creating a User we need some input! ===
echo "Enter your desired user name: "
read -r USERNAME
echo "Enter a full name for this user: "
read -r FULLNAME
echo "Enter a password for this user: "
read -r -s PASSWORD
# ====
# A list of (secondary) groups the user should belong to
# This makes the difference between admin and non-admin users.
echo "Is this an administrative user? (y/n)"
read -r GROUP_ADD
if [ "$GROUP_ADD" = n ] ; then
    SECONDARY_GROUPS="staff"  # for a non-admin user
elif [ "$GROUP_ADD" = y ] ; then
    SECONDARY_GROUPS="admin _lpadmin _appserveradm _appserverusr" # for an admin user
else
    echo "You did not make a valid selection!"
    exit 1
fi
# ====
# check the OS X Version (second field of 10.x.y, e.g. 10 for Yosemite)
OSXVERSION=$(sw_vers -productVersion | awk -F '.' '{print $2}')
# Create a UID that is not currently in use
echo "Creating an unused UID for new user..."
# Find out the next available user ID
MAXID=$(dscl . -list /Users UniqueID | awk '{print $2}' | sort -ug | tail -1)
USERID=$((MAXID+1))
# Note: both branches pass the password as a command-line argument, so it is
# visible in the process list while the command runs.
#if 10.10 or more then run
if [[ "$OSXVERSION" -ge 10 ]]; then
    echo "Your installation is 10.10+. Using sysadminctl. "
    sysadminctl -addUser "$USERNAME" -fullName "$FULLNAME" -UID "$USERID" -password "$PASSWORD"
#if 10.7 to 10.9 then run
elif [[ "$OSXVERSION" -ge 7 ]]; then
    echo "Mac OS 10.7 - to 10.9 is installed, using dscl."
    # Create the user account by running dscl (normally you would have to do each of
    # these commands one by one in an obnoxious and time consuming way).
    echo "Creating necessary files..."
    dscl . -create "/Users/$USERNAME"
    dscl . -create "/Users/$USERNAME" UserShell /bin/bash
    dscl . -create "/Users/$USERNAME" RealName "$FULLNAME"
    dscl . -create "/Users/$USERNAME" UniqueID "$USERID"
    dscl . -create "/Users/$USERNAME" PrimaryGroupID 20
    dscl . -create "/Users/$USERNAME" NFSHomeDirectory "/Users/$USERNAME"
    dscl . -passwd "/Users/$USERNAME" "$PASSWORD"
    # Create the home directory
    echo "Creating home directory..."
    createhomedir -c 2>&1 | grep -v "shell-init"
else
    echo "This version of Mac OS X is not supported by this script."
    exit 1
fi
# Add user to any specified groups
echo "Adding user to specified groups..."
for GROUP in $SECONDARY_GROUPS ; do
    dseditgroup -o edit -t user -a "$USERNAME" "$GROUP"
done
echo "Created user #$USERID: $USERNAME ($FULLNAME)"
exit 0
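
The version switch and UID lookup described above, as an added example (not the author's script) that can be tried without creating an account. It goes beyond the text in two ways: it also handles version strings of macOS 11 and later, and it picks the lowest free UID from 501 up instead of the highest UID plus one. The function names, the user-name rule and the sample listing are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight helpers for a local-user creation script.
LC_ALL=C; export LC_ALL   # make the a-z ranges below byte-exact

# Accept only short names that are safe inside /Users/<name>.
# The rule (lowercase start, then a-z 0-9 _ . -, max 31 chars) is this
# example's assumption, not an Apple-documented limit.
valid_username() {
    [ "${#1}" -le 31 ] || return 1
    case "$1" in
        ''|[!a-z_]*|*[!a-z0-9_.-]*) return 1 ;;
    esac
}

# Map a version string as printed by `sw_vers -productVersion` to the tool:
# sysadminctl from 10.10 on (including 11 and later), dscl for 10.7 to 10.9.
pick_user_tool() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    case "$major.$minor" in
        .*|*.|*[!0-9.]*) echo unsupported; return 1 ;;
    esac
    if [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 10 ]; }; then
        echo sysadminctl
    elif [ "$major" -eq 10 ] && [ "$minor" -ge 7 ]; then
        echo dscl
    else
        echo unsupported; return 1
    fi
}

# Read "name uid" lines (the output format of `dscl . -list /Users UniqueID`)
# and print the lowest unused UID at or above 501.
next_free_uid() {
    awk '$2 ~ /^[0-9]+$/ { used[$2] = 1 }
         END { uid = 501; while (uid in used) uid++; print uid }'
}

# Constructed sample listing, including a negative UID as "nobody" has.
SAMPLE_USERS='_www 70
nobody -2
root 0
anna 501
ben 502
carl 504'

printf '%s\n' "$SAMPLE_USERS" | next_free_uid     # prints 503
pick_user_tool 10.9.5                             # prints dscl
pick_user_tool 11.6                               # prints sysadminctl
```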

This can be a quick answer for all situations like this:
Phone call from a Group-Leader: “Hello, we got a new volunteer, and she’s starting to work now.”
Sure, there are policies, rules to follow, a user-management with MS Active Directory… But to be honest (by experience): who cares in the free world of business. It will be done somehow later.

Create SSH-Key and copy to a remote machine

Very simple and quite obvious to do – but often not used: passwordless, key-based authentication via SSH is a must and not an exception.

Create your Keyfile (don’t share the private key, please :) ):

ssh-keygen -t rsa

Copy the public key to the remote machines:

cat ~/.ssh/id_rsa.pub | ssh USERNAME@$REMOTEHOST "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

Log in without typing passwords. It saves time and improves security!

Playing with ~/.bash_profile and “alias” for often connected hosts gives a lot more comfort.

Import System-Certificates with

It is pretty easy to deploy certificates to a bunch of Macs via an installer and a postinstall-script or via

For example, the installer copies the certificates to a hidden directory, the postinstall-script imports the files into the System-Keychain and adds the Trust-Settings.

First, set up a Testing-Mac, import the Certificates and mark them as always trusted. In my case, it was about the Proxy-Server-Certificates, which have to be on all machines.

Export the Trust-Settings into a .plist-File:

security trust-settings-export -d /Users/Shared/trust_settings.plist

Then copy the certificates and the ‘trust_settings.plist’ to your Machine.

Next, on the client, this command imports the certificates into the System-Keychain:

security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/my/path/to/my/certificate.cer"


and this one imports the Trust-Settings:

security trust-settings-import -d /my/path/to/my/trust_settings.plist

If you have JAMF CasperSuite or other possibilities to deploy Configuration Profiles, you should definitely do it with these more powerful abilities.

If not, this can be a huge timesaver.

Mac Cleaning for the Rest of Us

Since Mac OS X came out, cleaning the Mac of unused Log-Files, Caches etc. has become more urgent, esp. in productive and professional environments.

There are many great tools out there, esp. Onyx, which gives powerful options for keeping the Mac healthy.

Very nice! But in a professional environment that is a lot of clicks to do! Imagine: You have 300 Macs for Graphic-Designers complaining about crashing Adobe InDesign or slow Application-Starts, and sadly JAMF CasperSuite with the awesome Selfheal-Package is not available.

So one can shrink the most common tasks into these four:

  • Clear Log Files
  • Clear Font Caches
  • Rebuild Boot Caches
  • Repair DiskPermissions (okay with 10.11 ‘El Capitan’ this will not work anymore)
  • Reboot


# Delete Log-Files older than 7 days
find /private/var/log/asl -type f -name '*.asl' -ctime +7 -print0 | xargs -0 rm -f &
echo "Logfiles are cleaned!"
sleep 5
#clear FontCaches
atsutil databases -remove &
echo "Font Caches are removed!"
# Rebuild dyld-Shared Caches
update_dyld_shared_cache -force &
echo "Boot-Process got enhancements!"
# Repair Disk Permissions (not available anymore on 10.11 'El Capitan')
diskutil repairPermissions / &
echo "Permissions are checked and repaired!"
sleep 2
# Let the background jobs finish before rebooting
wait
echo "This Mac will reboot in 5 Seconds"
sleep 5
# Ask loginwindow to restart the Mac
osascript -e 'tell app "loginwindow" to «event aevtrrst»'
Wrap it with Platypus into an Application and go for it.