Autopkg hdiutil couldn’t unmount error

I’ve recently run into problems getting updates from Autopkg and Autopkgr to import into the Munki Repo. Most of the time I use Autopkgr (the GUI for Autopkg) because I have all of the software updates checked and I just have to Run Recipes Now and all of my software updates are downloaded and imported into the Munki Repo.

Lately, I’ve been seeing a lot of errors on various recipes, like Thunderbird, Firefox, etc. It’s always the same error for each recipe that fails. Here is an example:

Error in local.munki.VLC: Processor: CodeSignatureVerifier: Error: unmounting /path/to/recipe/VLC.dmg failed: hdiutil: couldn't unmount "disk1" - Resource busy

It turns out the Anti-Virus client is trying to scan each .dmg as it’s mounted and hangs the disk so it can’t be unmounted by Autopkg. I’ve configured the AV client to not scan mounted disks, but still get the same error on some of the recipes.

My workaround for this is to disable the AV client while I run Autopkg and then enable AV client once all of the updates have imported into the Munki Repo.

I create local overrides and verify the trust of all recipes before downloading so I know they are safe before they are downloaded and installed.
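The trust check described above can be made a hard gate in front of every run. This is an added example, not code from the original post: the function name and the sample recipe names are illustrative, and it assumes `autopkg verify-trust-info` exits non-zero when an override's stored trust information no longer matches its parent recipes.

```shell
#!/bin/sh
# Added example: run only the overrides whose trust info verifies.
# AUTOPKG can be pointed at a different path (assumed default shown).
AUTOPKG="${AUTOPKG:-/usr/local/bin/autopkg}"

# Run each named override only after its trust check passes.
# Status lines go to stdout, autopkg's own output goes to stderr.
# Returns 1 if any recipe was skipped or failed, 0 otherwise.
run_trusted_recipes() {
    rc=0
    for recipe in "$@"; do
        # Assumption: a non-zero exit means the parent recipe or one of
        # its processors changed since the override was created.
        if ! "$AUTOPKG" verify-trust-info "$recipe" >&2; then
            echo "SKIPPED (trust check failed): $recipe"
            rc=1
            continue
        fi
        if "$AUTOPKG" run "$recipe" >&2; then
            echo "IMPORTED: $recipe"
        else
            echo "RUN FAILED: $recipe"
            rc=1
        fi
    done
    return $rc
}

# Example invocation (recipe names are samples):
#   run_trusted_recipes VLC.munki Firefox.munki Thunderbird.munki
```

For a skipped recipe, review what changed with `autopkg verify-trust-info -vv` and, once satisfied, record the new state with `autopkg update-trust-info` before running it again.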

macOS Sierra SmartCard Commands

Here are a few useful commands for working with SmartCard pairing in macOS Sierra and later.

This command will show the hash of the user name you specify.
sc_auth list username
You can then use that hash to unpair the card, if you need to, using the following command.
sc_auth unpair -h hash (hash is the hash string that is produced from the sc_auth list username command.)
To enable or disable native smartcard pairing altogether, use the following commands.
sc_auth pairing_ui -s disable
sc_auth pairing_ui -s enable

For more information regarding the sc_auth commands, check out the man page for sc_auth.

macOS High Sierra 10.13.2 supplemental update fails to install

We haven’t quite updated our fleet of Macs to macOS High Sierra for a variety of reasons. Some of our users have admin rights and performed the update themselves. We have purchased a number of new MacBook Pros that came pre-installed with macOS High Sierra to replace the Macs that are no longer upgradeable.

In the last few days I have had to help a couple of my High Sierra users with an issue they had with installing the OS X 10.13.2 supplemental update. They perform the update and when the computer reboots a message pops up saying “macOS cannot be installed on your computer”. The only option is to restart the computer. When the user restarts the computer, they get the same error message and end up in a reboot loop.


For whatever reason it seems the installer is damaged and won’t install. Thankfully, it’s a pretty easy fix. You can boot into recovery mode by holding CMD + R while the computer is restarting. Go to the Apple Menu and select Startup Disk. Select Macintosh HD (or whatever your HD name is) and reboot. This will reboot your computer and allow you to log in as normal. Go to the App Store and install the supplemental update. It should install successfully this time.

macOS High Sierra: Mobile (AD) accounts unable to unlock FV Encrypted Disk

I set up two MacBook Pros w/Touch Bar for two of my users. Both computers came pre-installed with macOS High Sierra 10.13.1. I upgraded both to 10.13.2. Installed Munki, let Munki install required software, and then bound the computers to our Active Directory domain.

Next, I encrypted both computers with FileVault. Once the computers finished encrypting it was time to hand them off to the users. I had the users log on to the machine. Since I had already encrypted the computers I went to system preferences, FileVault, and clicked on Enable Users. Had users enter password and got the green check confirming that the user account was enabled. Rebooted Machine.

Upon reboot, I noticed that the user’s account did not show up as an account that could unlock the encryption. Only my local admin account appeared. Because I didn’t have much time and these users needed their computers, I used the fdesetup command to add their user accounts so they could unlock the encrypted disk. On both computers this method worked. After I ran the command and had the user enter their password, they were able to unlock the FileVault encryption.

I decided to research if anyone else had experienced this problem. The #security channel in the MacAdmins Slack had ongoing conversations about this issue. It seems that the security token is not being passed to the mobile account, which prevents that account from showing up as able to unlock the FV disk.

What worked for me on both of these computers was to add the user using the command line utility fdesetup.

Run the following command:

sudo fdesetup add -usertoadd username

It will prompt for the AD user password. Once they enter their password they should be able to unlock the FileVault-enabled disk.

Another suggestion I have seen, but have not tested, is to run the following command from the local account once you have added your AD user account to FileVault.

sudo diskutil apfs updatePreboot /

Hopefully Apple will fix this issue soon. Until then, at least you can enable the account via command line if the GUI way does not work.
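Because the GUI can show a green check while the account is still missing from the unlock list, it is worth confirming the result against `fdesetup list` before handing a machine over. The following is an added example, not part of the original post: the function name and the sample listing are constructed, and it relies on `fdesetup list` printing one `name,UUID` line per enabled user.

```shell
#!/bin/sh
# Added example: report expected accounts that cannot unlock the disk.
# Feed it the output of `sudo fdesetup list` on stdin.

# Constructed sample of `fdesetup list` output (not from a real machine).
SAMPLE_LISTING='localadmin,11111111-2222-3333-4444-555555555555
jdoe,AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE'

# Print every expected user (given as arguments) that is absent from the
# listing on stdin. Returns 0 if all are enabled, 1 if any are missing,
# 2 if the listing was empty (FileVault off, or fdesetup not run as root).
missing_fv_users() {
    enabled=$(cut -d, -f1)
    if [ -z "$enabled" ]; then
        echo "no FileVault users on stdin (FileVault off, or not root?)" >&2
        return 2
    fi
    rc=0
    for user in "$@"; do
        # -F -x: exact whole-line match, so "doe" does not match "jdoe"
        if ! printf '%s\n' "$enabled" | grep -Fxq -- "$user"; then
            echo "$user"
            rc=1
        fi
    done
    return $rc
}

# Example invocation on a real machine (user names are samples):
#   sudo fdesetup list | missing_fv_users localadmin jdoe
```

Each name it prints is an account that still needs the `sudo fdesetup add -usertoadd username` step shown above.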

Keeping up with the Mac Admins

It’s been a while since I’ve been able to sit down for a moment and write. There are many posts I’d like to write, or, at least get started on, but I have not had the time. I am currently studying for my Linux + certification. Studying has consumed my already limited time.

I wanted to take a break from studying and write a quick post for those who may have just started as a Mac Admin. I don’t claim to be a Mac Guru, but along the way I have found some valuable resources, which have taught me a lot about Mac administration. I thought I’d share these invaluable resources with you.

Believe it or not Twitter is a wealth of knowledge for Mac Administrators. If you don’t have a Twitter account, I suggest you sign up. If you search #macadmins you can find a lot of current information on what’s happening in the Mac community. You will also figure out who you should follow on Twitter for the current events in Mac administration.

Next, if you’ve never heard of Slack or don’t know about the Mac Admins Slack channel, you need to sign up right away. There are over 12 thousand Mac Admins on the Mac Admins Slack channel. You can join channels such as HighSierra, Munki, MicrosoftOffice, etc. The list goes on and on. To sign up for Slack go to and create an account. You won’t be sorry. Become an active participant. You will learn so much, and contribute your knowledge.

Finally, I highly recommend the MacAdmins podcast hosted by Tom Bridge. New episodes are published every Monday. The podcast is entertaining and informative. The information I have learned from this podcast, I have been able to share with my organization to solve real world problems. Just go there. Listen. You won’t regret it. Search for MacAdmins in your podcast player or go to for the shows and show notes.

Anyway, back to studying…

Mac OS X Active Directory Binding issues

I think it’s pretty common knowledge that Macs in an Active Directory environment tend to run into binding issues. In our environment we have issues attempting to bind, as well as already bound macs losing binding.

Recently the problem got a lot worse in our AD environment. It’s a rare occasion that I can get a Mac to bind to the domain on the first attempt. Usually I get an error message “Authentication Server cannot be contacted”. If I’m using the Directory Services GUI, I will have to sit at the computer and repeatedly enter the user name and password to keep attempting to bind computer. Sadly, I’ve counted and it’s taken over 30 attempts in some cases to get a computer to bind. Many of my fellow SA’s experience the same problems.

The other problem is that we are a large organization with sites all across the country. The binding issues seem to be isolated to our center. I’ve opened up several tickets with the network and domain controller team, but they can’t replicate the problem on their end. At this point we are stuck in a finger pointing game.

The following commands can help you troubleshoot Active Directory issues with your Mac.

GDAL image not found error

This post is more of a reminder to myself if I ever run into this issue again. If it helps someone else who runs into this issue, that’s even better.

We are a science heavy shop and most of our users write programs using Python. To help maintain a consistent environment we install Anaconda Python for our users to use. This way the programming environment is contained in the Anaconda environment and if anything breaks it’s easy enough to trash the Anaconda folder and start all over.

One of my users created a Python Env installing Python 3.5 so he could move from Python 2.7 to 3.5. When he went to use GDAL, specifically the gdalwarp command, he got the following error: image not found. After repeated creations of new environments and a couple of uninstalls I found some info on Stack Overflow that helped. It seems the version of gdal installed by Anaconda was 2.0.0 and not compatible with the newer versions of Python. After running the following command he was able to use GDAL and gdalwarp commands without issue.

conda install -c conda-forge gdal=2.1.3


Getting Started with Adobe CC and Munki

I have been tasked by my organization to install Adobe Creative Cloud apps on our twenty plus users’ computers who use it. We don’t utilize the teams or enterprise dashboard. Just the trusty ol’ serial number and Creative Cloud Packager.

This post is going to focus on getting Adobe Creative Cloud apps added to the Munki repo and successfully pushed out to users with no errors or Munki continuous install loops. The end goal is for the user to install the Adobe CC apps using Munki, and not require the user to sign in to Creative Cloud Desktop App in order to use the program. When the program is launched it should open and work.

Note: This post assumes you have some basic knowledge of Munki, MunkiAdmin (GUI for Munki) and a Munki Repo is setup and running.


Munki Tools, MunkiAdmin (GUI for Munki), Adobe Creative Cloud Packager, TextWrangler

