Thursday, February 28, 2013

Search function on this blog is broken

I'm sorry to report that for the past several weeks the search function on this blog has been broken.  It returns "no results" to every enquiry. 

It seems to be a very common problem and there are lots of posts on Google's help site about it- unfortunately there is no fix as of yet. 

Since this blog is used as a knowledge base the search function is vital.  If Google can't resolve the problem soon I am going to switch to a hosting provider.

Very sorry for the problem!

Saturday, February 23, 2013

Casper package installs fail: Cannont mount distribtuion point

There is an issue deploying packages via Self Service and policies to bound Mac clients (with the user logged in) when the distribution point is on a Windows server and the deployment method is set to "force distribution point to use AFP/SMB".  Under these conditions, package installs can fail with an error of "Cannot mount distribution point."

The root cause of the problem is down to the fact that the bound Mac is attempting to mount the distribution point with the user's AD credentials and not the "casperinstall" account that has permission to the share.

The easiest work-around is to first enable IIS on the Windows server then on the JSS go to /Settings/Servers/Distribution Point/HTTP and put a tick in "HTTP Downloads are enabled for this Distribution Point".


In your policies make sure to remove the tick from "Force Distribution Points to use AFP/SMB instead of HTTP".


The advantage of HTTP package distribution is that it allows interrupted downloads to restart.  The disadvantage is that it is slower than AFP/SMB.

Anyone using a bound Apple server as a Distribution Point should also make sure that web services are turned on before attempting to use HTTP package installs.

Monday, February 18, 2013

Mountain Lion Server: An SSL error has occurred and a secure connection to the server cannot be made

After a recent Server.app update I was unable to log into a Mountain Lion server. 

I deleted Server.app from the Applications folder and downloaded it again from the App Store.  When I launched Server.app after the download it asked for the administrator credentials and then displayed the error "An SSL error has occurred and a secure connection to the server cannot be made."


My solution was to open Keychain Access, click on "System" (under Keychains) and then "Keys" (under Categories) and delete all the keys referencing my server name.  This includes both public and private keys so OS X will prompt if you really, really, want to do it.

I also removed the certificates for the server under System/My Certificates as well as "com.apple.servermgrd".

I crossed my fingers and restarted the server.  I logged in as local admin, launched Server.app and was able to configure it normally.  After the server was up and running I looked in Keychain Access and all the certificates had been re-populated.

Apple's KB on the problem wins the prize for the least helpful tech note ever.  You can see for yourself here:  http://support.apple.com/kb/TS4493.  All they suggest is upgrading to Server 2.2.1.  Guess what I was running when I encountered the error?  2.2.1.  What upgrade locked me out of my server?  2.2.1.  Thanks guys!

Saturday, February 2, 2013

Safari Oracle Java Blocking: RESOVED

Oracle has released Version 7 Update 13 build 1.7.0_13-b20 that addresses the security concerns outlined in this Apple KB: http://support.apple.com/kb/HT5647

The Oracle Java update can be downloaded here: http://java.com/en/download/mac_download.jsp?locale=en

Users who have been unable to access Juniper VPN and other web-based Java apps from Mac clients should download and install the patch, this should restore functionality.

Friday, February 1, 2013

Safari Blocking Oracle 7.11.21 Plug-in: Can't Connect to Juniper VPN

The war between Apple and Java continues.  Apple is blocking the latest Java saying that it is susceptible to malware. 

We have received several reports that Mountain Lion clients are unable to contact the Juniper VPN launch page.  The users are presented with an error that says "Blocked Plug-in":


They may also be prompted that Java is out of date and that they should download Java:


They are then redirected to the Oracle download page.  Even after they download the latest Java, they will still see the "Blocked Plug-in" error.  The cause of this error appears to be Apple's anti-malware protection.

The only work-around we have found is to do the following:

Go to /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/

Type "sudo pico XProtect.meta.plist"

Look for the line "MinimumPlugInBundleVersion"










Note that the version is set to 1.7.11.22 but the latest version of Oracle Java is 1.7.11.21.  This prevents the browser from loading the current Oracle Java because it says the minimum version is .22 but the latest is currently .21

It is possible to edit the "MinimumPlugInBundleVersion" and change the minimum value to 1.7.11.21:






After making the change, save the file, restart Safari and go to the VPN page- you should be able to log in.

Not only is this affecting Juniper VPN but several of our other web-based Java apps.