
Josh Levitsky

Everything posted by Josh Levitsky

  1. So the first Patch Tuesday of 2023 is upon us! https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2023-patch-tuesday-fixes-98-flaws-1-zero-day/ The number of bugs in each vulnerability category is listed below:

       • 39 Elevation of Privilege Vulnerabilities
       • 4 Security Feature Bypass Vulnerabilities
       • 33 Remote Code Execution Vulnerabilities
       • 10 Information Disclosure Vulnerabilities
       • 10 Denial of Service Vulnerabilities
       • 2 Spoofing Vulnerabilities
       • 1 Zero Day

     I wanted to post this here and start a thread about patching Windows OS via FileWave and the importance of having procedures in place to patch every month, but this month seems even more important. If you have any questions about how to see Windows Updates in FileWave or how to assign them to devices please ask here. If you aren't patching your machines there is serious risk and so we just wanted to raise this as an important topic.
  2. I published this today: https://fwkb.atlassian.net/wiki/spaces/KB/pages/111181838/Script+to+Bulk+Update+auth+enrollment+username+and+client+name+from+CSV It's a really simple script that can take a CSV of serial numbers and have a device name and assigned user and change them in bulk. You can use this if you are hosted or on-premise because it uses our APIs. It'll work on macOS for sure, and likely on Linux as well. For Windows if someone had a need I could convert this pretty easily, but since iPads are the main use case I've seen for this I didn't publish a PowerShell version in the article.
  3. Ah I see that may make sense. Even if it was that maybe the OS could use a reboot where if it's more than 7 days (for example) you might prompt the user to restart? If you want it to be user driven by notification then yah I can see where you'd want that. I confirmed the only real option may be parsing the client log currently. There isn't anything else that exposes it.
  4. @sean_a may I ask about what your goal is on checking it from the machine itself? I checked and the best we have is the client log but I want to understand how you would use the info if you could check it directly. Was it for a technician to easily check at a machine and you don't use the Kiosk which would have status and could force a connection? Or was it to automate a client's fix for a broken client?
  5. I went down a rabbit hole seeing if I could figure it out. Of course when it isn't the weekend I'll try to see if I can find a developer who can share if there is a way, but in the end I made this API script that I've attached. I also will put the code below in this reply but the file is probably better to take to avoid any mangling that could happen in the post.

     So it uses "jq" which you can install with homebrew by doing brew install jq. You can run it on your mac like:

        ./api_LastConnection.sh ABC123

     If you installed jq and got it right then you will get output like below:

        Serial Number is 8TS1YR2
        Device ID is 47247206
        Last Connect UTC 2022-11-08T17:44:11.352745Z

     The script is flexible in that you can just pass it serial numbers and it'll look them up or make this part of a larger script that perhaps checks a list of serial numbers. The script is at least a good example of how to take a serial number and turn it into a query for something. I know it doesn't directly answer your question but in theory the server data is just as good to ask the question to, and if you did have "jq" on your remote machines you could run the command on any of them and then from the machine itself it would query, though you wouldn't want the token in a script that sits on all your machines. For sure you would want, if the script was on their machines, that you would pass the token as an argument when you ran it. Maybe this will be helpful for this or other things. Maybe someone will improve the script.

     The script:

        #!/bin/zsh

        ### API SCRIPT - LAST CONNECTION ##########################################
        ## A script you can run to ask the API when the mac it is run on last talked to FW
        ## This could also be improved by changing the ISO8601 date to an easier format in local TZ
        ## This uses "jq" to parse the JSON. On the mac you are running this script on you would need
        ## jq present so if running this on remote machines you would want jq on there or to parse
        ## the output with something different.

        ## Server URL (remember it is https://)
        serverURL="https://myServer.filewave.net"

        ## Filewave Authorization token (remember it ends with a =)
        token="e2UxZTxxxxxxxTViLxxxNlNzA3ZWUwxxx5NH0="

        # Change this if you want to override the serial number. By default this will
        # take the first arg passed to the script like
        #   ./api_LastConnection.sh ABC123
        # and if no argument is passed it will get the local machine serial
        serialNumber="$1"

        ###########################################################################

        ## Check that the Server URL begins with https://
        if [[ ! "$serverURL" =~ ^https:\/\/ ]]; then
            echo "Server URL incorrect (missing https://)"
            exit 1
        fi

        ## Check that the Server URL does not end with a trailing slash
        if [[ "$serverURL" =~ \/$ ]]; then
            echo "Server URL incorrect (remove trailing slash)"
            exit 1
        fi

        ## Check that admin has added an authorization token
        if [[ "$token" == "" ]]; then
            echo "Authorization token is missing"
            exit 1
        fi

        # Only get the serialNumber if we didn't hard code it above
        if [[ -z "$serialNumber" ]]; then
            ## Get serial number of local device
            serialNumber=$( ioreg -c IOPlatformExpertDevice -d 2 | awk -F\" '/IOPlatformSerialNumber/{print $(NF-1)}' )
        fi
        echo "Serial Number is $serialNumber"

        ## Contact Filewave to get the device ID
        ## (curl -k skips TLS certificate verification)
        deviceID=$( curl -skf -H "Authorization: $token" -X GET "$serverURL/api/search/v1/global?limit=12&query=$serialNumber" -H "accept: application/json" | sed -e 's/.*id":\(.*\),"url.*/\1/' )

        #if [[ -z $( echo "$deviceID" ) ]]; then
        if [[ -z "$deviceID" || "$deviceID" == "[]" ]]; then
            ## If the device ID was not found
            echo "Device not detected in Filewave database. Be sure you have the server URL and token right."
        else
            ## If the device ID was found
            echo "Device ID is $deviceID"
            # Let's get the last connection
            lastConnect=$(curl -s -k -H "Authorization: $token" -X GET "$serverURL/api/devices/internal/devices/$deviceID/details/general/fields" -H "accept: application/json" -d "" | jq -r '.fields[] | .[] | select(.name == "last_check_in") | .value')
            echo "Last Connect UTC $lastConnect"
        fi

        exit 0

     api_LastConnection.sh
  6. Hi @Benjamin Bernert, Check this KB article: https://fwkb.atlassian.net/wiki/spaces/KB/pages/4329464 Launching the admin with a switch on macOS or Windows you can make it be in any language that is in FW. On Windows you could edit the shortcut you use and on macOS I’ve seen a couple of things where you could make a shortcut that runs a command line or you could make a 2 line script and make it executable and double click it and it’ll launch. If you need a solution on macOS that has that more defined I can post something. I hope this helps you and we are aware of the translation quality and it’s been reported as well as the desire for a setting for the app to select a language, but in the meanwhile this should make you able to run in English.
  7. This question was on a support case and seemed worth sharing: This Restriction (Profile) “Require admin password to install or update apps”, seems to prevent VPP Apps from installing e.g. via kiosk and also preventing vpp app updates Answer: You really need to uncheck 'Require admin password to install or update apps' in your restrictions profile to stop getting the message. However, you can counter this somewhat by checking 'Restrict App Store to MDM installed apps and software updates.'
  8. Hi @mbackwe should have a path announced by June of this year. As you mentioned centOS 7 basically has a year and a half left and we have been working on the solution with a goal of announcing it by June. I’d stay with centOS 7 for the moment and we will give you a path. In particular you may want to look at AlmaLinux but it won’t work for you just yet.
  9. I used ChatGPT and popped out this code as well. It'll walk through all the users with an ID above 500 which should be all normal users, and use the duti command to set Adobe Reader for every user. duti won't be on the machine unless you put it there but you could use https://formulae.brew.sh/formula/duti to get it on your machine and then package up the /usr/local/bin/duti terminal command to use it in the script. I tested this and it did switch the 3 accounts on my laptop to use Reader.

        #!/usr/bin/env zsh

        # Get a list of all users on the system
        users=( $(dscl . -list /Users UniqueID | awk '$2 > 500 {print $1}') )

        # Loop through each user
        for user in "${users[@]}"; do
            # Run the duti command as the current user
            su "$user" -c "/usr/local/bin/duti -v -s com.adobe.Reader pdf all"
        done
  10. This is one approach https://technology.siprep.org/using-duti-to-script-default-applications-for-macs/ and would be good if you always wanted to enforce certain default apps. duti has always made setting default apps fairly easy.
  11. For the Foundry: The Moodle mobile app has an update at least on iOS. https://apps.apple.com/us/app/moodle/id633359593
  12. Thank you for choosing FileWave and being a part of our community. We are excited to continue working with you in 2023 and are committed to providing the best service and support to ensure your success with our product. Wishing you a happy and prosperous new year!
  13. A typo was reported (Thank you). If someone is copying commands from this page they will have trouble. https://fwkb.atlassian.net/wiki/spaces/KB/pages/4329249/Automated+Backup Please note the command

        chmod a+x /root/scripts/backup_server_osx_linux_V4.sh

      should be:

        chmod a+x /root/scripts/backup_server_osx_linux.sh

      due to the move command changing the file name. The article is now corrected. If you didn't catch this typo then you would find that the backup script would not be executable so it would not run.
  14. If you are running 14.9.1 and try to upgrade the server to 14.9.2, you will encounter an error. To avoid this error, use the below command in Terminal and then run the upgrade. touch /tmp/FILEWAVE_DISABLE_PRE_UPGRADE_BACKUP When we release 14.9.3 / 14.10.0, this will be accounted for, and you should only create this file for this one upgrade. If upgrading from 14.8.0 or less to 14.9.2, you will not need to do this.
  15. If anyone was on https://foundry.filewave.com and saw that it was not working for the past few hours there was an issue where we upgraded PHP for security and our SSO Plugin didn't work with PHP 8. We didn't catch this yesterday in testing. One major improvement in the new plugin is that now you don't have to remember to use SSO to login. It should force you to do SSO no matter what you do. If anyone has issues you can mention it here or open a support case. I'm usually on here so I'll see it or ping me on Discord.
  16. I’m assuming in this case the users are local users and you are not using Azure/AD. If you were you would use Group Policy potentially to set this. But I found this article that seems accurate and the registry key method mentioned can easily be done with a Fileset that has a reg file and a script to do a reg import or just use powershell to write the keys. https://appuals.com/set-a-default-background-wallpaper-for-all-users-in-windows-10/ I would say to test this first by manually setting the keys and copying the wallpaper to a machine. Then make a Fileset. Hope this helps get you to your solution. If someone has an already made Fileset maybe they will share it here.
  17. An email announcement will follow to spread this more widely, but I wanted to share it here as well. As 2022 comes to a close, I wanted to share some good news on the development of FileWave communities that began earlier this year. As you know, this FileWave Community Forum launched just a few months ago. It has been well received, and we will continue to support and grow this community. Discord isn't meant to replace Alliance Forums, but instead to give you options to work with us in whatever format you feel most comfortable. In addition to the forum, we are excited to announce the launch of our new chat system on Discord. This platform will allow you to engage in real-time text and audio conversations with other customers and participate in talks and discussions about FileWave administration. Think of the voice chat as something like Twitter Spaces and Clubhouse, but specifically tailored to the needs of our FileWave community. You will see a link to it in the navigation bar here as you can see in this image. The email announcement will also have the URL. We just have it in the menu here set for only authenticated users to see it to make it more difficult for a bot to scrape the URL. Don't know what Discord is? Discord describes itself this way: "Imagine a place where you can belong to a school club, a gaming group, or a worldwide art community where just you and a handful of friends can spend time together. A place that makes it easy to talk every day and hang out more often." It's very popular as a chat platform and very community driven. A pretty quick and easy YouTube video explains how to use Discord: We hope this new chat system will provide a helpful and interactive platform for you to connect and collaborate. Thank you for your continued support and engagement in the FileWave communities. -Josh
  18. Thanks for reporting that although not great that it's a bug.
  19. Hey @cdegaeta this is good at least that you have worked out how to reproduce. Can you open a support case and maybe give the link over here in the description as I think it explains the issue well. Then support would probably be best to fix it if they can confirm with dev that the behavior is not desired. That would be a good next step since it does sound like the behavior changed.
  20. I looked through our profile editor, but also https://imazing.com/profile-editor iMazing has a free profile editor that is pretty amazing (pun intended) and I don't see anything in theirs either because if there was it could be imported. So I searched a little and found this: https://discussions.apple.com/thread/8649804 and realized maybe if I enable the Web Filter on iOS that it might block Private Browsing. The profile I made looks like the below image. It appears to work on my test iPad. It does require a device to be supervised so if you use DEP you should be good.
  21. Hi @HCCSC John H 14.9.2 will take care of newer VPP apps that have a large ID number but if you are seeing issues with existing VPP apps that show up in your console then the fix does not relate to that. However we did fix close to 200 bugs in 14.9.2 and it is very possible that your issue was addressed and I think going to 14.9.2 is a good idea and then look if there are still issues. VPP 2.0 my understanding is we can turn it on with you for a server but we've been waiting to see that it actually performs better than VPP 1.0 before making it the default. If @Pierre-Nicolas is on here I know he knows this topic, but from my understanding VPP 2.0 isn't yet much better than VPP 1.0. If you are not yet engaged with support about the VPP distribution issues then I'd say that would be good to do so @Derek Deckard's team could engage. I wish I had a quicker answer like "Yes it does fix it" but I'm not 100% sure. Searching for VPP in the Changes and Fixes in 14.9.2 section here https://fwkb.atlassian.net/wiki/spaces/DOW/pages/95125505/FileWave+Version+14.9.2 doesn't show me a VPP issue that sounds like it would relate to distribution issues.
  22. @AnEngelsen Taking your idea of just setting the recovery options I made a fileset that does that for Windows. It just uses sc.exe to do this...

        sc failure FileWaveWinClient reset= 86400 actions=restart/60000/restart/60000/restart/60000

      What I haven't tested yet is if I'm on FW 14.8.0 and have this set how I want and then upgrade to 14.9.2 does it persist the setting? This would be good to test to see if it stays. If it didn't persist then maybe doing this via a custom field might be better to have it keep setting it but I don't like that overhead of setting it over and over. I have also mentioned this to development that maybe we should be setting this to recover from the start without needing to set it with a fileset like this.

      Set FileWave Win Client Recovery.fileset.zip
  23. I didn't get to dig in to this but one thing I wonder is if these scripts possibly break due to FileWave running them in 32bit PowerShell. In the KB https://fwkb.atlassian.net/wiki/spaces/KB/pages/4331036/Script+Best+Practices there is info in that article about using SysNative. 90% of the time when something works outside of FileWave, but then someone reports a problem running it via FileWave it's that. The other maybe 9% of the time it's that it runs fine on Windows as the current user, but perhaps behaves differently when SYSTEM runs it. That testing can be done using PsExec to launch PowerShell.exe or CMD to do testing as SYSTEM. You can get PsExec here https://learn.microsoft.com/en-us/sysinternals/downloads/psexec If you haven't used PsExec it can run things as a particular user or as SYSTEM. It's great for testing and is free.
  24. If you are an on-premise customer who runs your own FileWave instance you may have wondered what the exact steps are to upgrade FileWave. Upgrading your FileWave Server: https://fwkb.atlassian.net/wiki/spaces/KB/pages/4328726/Upgrading+your+FileWave+Server If you are a hosted customer then we've thought of you too and have another article here: Your Hosted FileWave Server Has Been Upgraded - What Are Your Next Steps? https://fwkb.atlassian.net/wiki/spaces/KB/pages/97943556/Your+Hosted+FileWave+Server+Has+Been+Upgraded+-+What+Are+Your+Next+Steps