A brave new frontier

We’re going to try something new for IT support requests in the School, by migrating most support communication to Office 365 and Microsoft Teams. I’ve added everyone currently using Macs or iOS devices which are Jamf enrolled to the new MPSupport team – the rest of the School will follow in due course. You can access the team at:

https://go.qub.ac.uk/mpsupport

Staff and PGRs will be enrolled by us, or can self-enrol by visiting the site. Undergrads are welcome to join, or access the site as guests.

You can use Teams via web app, or native packages for Windows and macOS, as well as iOS and Android. On Macs and PCs which are enrolled in our management systems the Teams app should be automatically installed for you.

The advantages of Teams are that it’s a more interactive format, allowing everyone to take part if they so desire – and I hope you will. Also, with four support staff in MP now, email is increasingly inefficient; with Teams we can all see help requests and respond more quickly. The options are to try Teams, or switch to the Site Help Desk software which central IT uses. You likely don’t want to deal with that!

Teams is going to be more important in the University going forward. It’s great for impromptu file sharing and group notebooks & wikis, and in the medium term things like the phone system will link into it. I’m only starting to scratch the surface of its possibilities.
If you want to learn more about Teams you can do so from Microsoft.

We’ll still be accepting emails to the usual email addresses for the moment, but please do try Teams if at all possible.

2019 new-start Mac users

If you are joining the School as a PGR or PDRA in the 2019-20 academic year and are being issued a MacBook then the information below will be of use. Please review it before making an appointment to come see the School IT staff to collect the Mac.

All new machines are registered with the Apple Device Enrolment Program (DEP) which means that they will mostly set themselves up when turned on and connected to the network. You should review this video which gives you an overview of what to expect. Please note that the video features a Thunderbolt 3 docking solution which we are not giving out this year – instead we are issuing a USB-C hub for most users. In addition, when the registration wizard is running, do not use accented characters when entering your name – at best they will be ignored, more likely the wizard will hang.

Once the basic setup has completed, you will find yourself at the Mac desktop. If you’re not familiar with macOS then you should review the information available from the macOS Help option under the Help menu. You may also find this link useful.

If you are familiar with macOS, you’ll need to know about the way we run our systems.

VMWare Academic Program

The School is a member of the VMWare Academic Program – VMAP – which provides Maths & Physics staff and students with access to a range of VMWare software at no cost.

If you would like access to the VMAP storefront, email mp.support@qub.ac.uk with your details, and an account will be set up for you. You will get an email from e5.onthehub.net with a login link; your username will be your QUB email address, and you can use the ‘forgot password’ option to set a password. The account is valid for a year – it will need to be revalidated after that.

Once logged on to the VMAP storefront you can ‘buy’ a zero cost copy of the relevant VMWare product – VMWare Fusion for macOS, VMWare Workstation for Windows/Linux. You will be provided with a download link for the installer, and a serial number to activate the package. You can always access the serial number from your account history if you lose it.

Once you have installed VMWare you will need to create a virtual machine. This must use a properly licensed operating system. For Linux VMs this is simple – just download the relevant ISO for your preferred distro and use the new VM setup wizard. For Windows VMs we can provide you with a pre-configured VM image which uses the University licensed Windows 10 Enterprise.

You should be aware that VM images are large and use a lot of disk space – the Windows 10 image starts around 20GB and only gets larger. You will probably want to exclude the directory the image is stored in from your regular backup solution (e.g. Time Machine) or OneDrive, as they simply don’t deal well with large files which are constantly changing.

App Store shenanigans

At present we use Munki/Managed Software Centre to distribute some Apple programs which are typically installed using the Mac App Store – Pages, Numbers, Keynote, and iMovie. We do this for a few reasons, most of which come down to not being sure that everyone using one of our Macs will have an App Store account.

Our work-around, which is tacitly approved by Apple, is to install the programs on one Mac using a managed AppleID and then bundle them up and install on all our other machines. Mostly this works fine, but can lead to a little confusion when the App Store on the client Mac offers to update one of the programs, which then triggers a prompt for the password for the managed AppleID. The solution in this case is to ignore that prompt and allow Munki to push out the updates for Pages, Numbers, Keynote, and iMovie.

Obviously this is not the absolute best user experience. Once all of our systems are enrolled in Device Management we will be able to use the official Apple method for App management, the Volume Purchase Plan (VPP). This will let us push App Store apps to managed devices (macOS and iOS) and this will hopefully stop these moments of confusion.

Device Management

To enhance our management capabilities for Windows, macOS, and iOS systems we are deploying some new device management systems over the coming months.

For Windows systems we are upgrading our existing Chocolatey installation from the free release to Chocolatey for Business. Most of the changes from this will be transparent to end users, but there will be a user-accessible private App Store which will allow automated installation and updates for selected packages.

We are also participating in the University-wide roll-out of KACE systems management for Windows, which provides us with reporting facilities which will allow us to ensure that Windows and Office patches are deployed in a timely manner.

On the Apple side of things we have just commissioned a Jamf Pro installation which will complement the existing Munki infrastructure for macOS, and provide new management capabilities for iOS. It will also allow us to use the Apple Device Enrollment Program (DEP) to auto-configure new devices, and gives us access to remote lock and wipe capabilities for lost systems.

Initial deployments of Jamf Pro are commencing with Astrophysics machines and will then spread to the rest of Physics, before finally assimilating the Mathematicians.

The goal for these deployments is to enhance both our security posture and user experience. Many changes will be transparent to users, but where user action is needed instructions will be available from this page.

XQuartz 2.7.10 and libXt / Motif / IDL

Something of an obscure one here, but documented in case anyone else finds this useful.

XQuartz 2.7.10 introduces changes to the Xt library which can have a significant impact on older Motif applications. In IDL, for example, using the dialog_pickfile() function leads to an instant crash with an error message:

IDL> file=dialog_pickfile()
Warning: Dialog style must be XmDIALOG_MODELESS.
Error: attempt to add non-widget child "dsm" to parent "idl" which supports only widgets

This will probably affect any application built expecting the older version of XQuartz – so while IDL users were the first to notice this I imagine others will have the same problem sooner or later.

The solution (aside from filing bug reports against Motif) is to edit the DYLD_LIBRARY_PATH environment variable so that it includes the directory /opt/X11/lib/flat_namespace/.

In the specific case of IDL, the idl startup script (/Applications/exelis/idl/bin/idl) contains a section which amends that variable. It’s an sh script, so if your shell is bash then it should pick up your edits. However, many IDL users are also SSWIDL users, and they usually have their shell set to tcsh. In that case it’s probably simplest to edit the ‘idl’ script as follows, around line 245:

if [ "$DYLD_LIBRARY_PATH" = "" ]; then
    DYLD_LIBRARY_PATH="/opt/X11/lib/flat_namespace:$BIN_DIR"
    #DYLD_LIBRARY_PATH="$BIN_DIR"
else
    DYLD_LIBRARY_PATH="/opt/X11/lib/flat_namespace:$BIN_DIR:$DYLD_LIBRARY_PATH"
    #DYLD_LIBRARY_PATH="$BIN_DIR:$DYLD_LIBRARY_PATH"
fi

I’ve left the original lines there, but commented out. Also be aware that the lines above may wrap here but should be left complete in the actual file!

Obviously you should make a backup copy of the original ‘idl’ script before doing this; you’ll probably need to run this as root due to file permissions, hence ‘sudo nano’ will be your friend.

For people on the Maths & Physics munki server I will push out an updated script via Managed Software Center.

Update – apparently some people use the IDLDE environment, and the fix above doesn’t fix that. There is another edit to make to the ‘idl’ script, just past the change above:

if [ "$APPLICATION" = "idlde" ]; then
    # add bindir for idlde shareable libraries
    #DYLD_LIBRARY_PATH="$BIN_DIR_IDLDE:$DYLD_LIBRARY_PATH"
    DYLD_LIBRARY_PATH="/opt/X11/lib/flat_namespace:$BIN_DIR_IDLDE:$DYLD_LIBRARY_PATH"
    IDL_START_DIR_DARWIN=`pwd`
    export IDL_START_DIR_DARWIN
fi

For MSC users this is included in v1.1 of the patch.
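
The two edits above can be applied with a backup and without double-patching. The script below is an added example, not the vendor's patch or the one distributed via Managed Software Center. It assumes the unpatched script contains the lines shown commented out above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: applies the DYLD_LIBRARY_PATH edits described above to an
# 'idl' startup script, keeping a .orig backup. Function names are hypothetical.
FLAT_NS="/opt/X11/lib/flat_namespace"   # directory named in the post

# Directories in DYLD_LIBRARY_PATH are searched in order, so the first entry
# wins: refuse a directory that group or other users can write to.
libdir_is_safe() {
    [ -d "$1" ] || return 1
    [ -z "$(find "$1/." -prune \( -perm -0020 -o -perm -0002 \))" ]
}

# patch_idl_script FILE [LIBDIR]
# Returns 0 if patched or already patched, 1 on error, 2 if no line matched.
patch_idl_script() {
    file=$1
    dir=${2:-$FLAT_NS}
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    libdir_is_safe "$dir" || { echo "unsafe or missing: $dir" >&2; return 1; }
    if grep -qF -- "DYLD_LIBRARY_PATH=\"$dir:" "$file"; then
        return 0    # already patched, leave the file alone
    fi
    tmp=$(mktemp) || return 1
    # Rewrite every live assignment that starts with $BIN_DIR or $BIN_DIR_IDLDE:
    # emit the patched line, then the original line commented out.
    awk -v dir="$dir" '
        /^[ \t]*DYLD_LIBRARY_PATH="\$BIN_DIR/ {
            patched = $0; orig = $0
            sub(/PATH="/, "PATH=\"" dir ":", patched)
            sub(/DYLD_LIBRARY_PATH=/, "#&", orig)
            print patched; print orig; n++; next
        }
        { print }
        END { exit (n > 0 ? 0 : 2) }' "$file" > "$tmp" || { rm -f "$tmp"; return 2; }
    # Keep the first backup only, so a re-run never overwrites the true original.
    [ -e "$file.orig" ] || cp -p "$file" "$file.orig" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"    # write in place to preserve owner and mode
    rm -f "$tmp"
}

# Usage: sudo sh patch_idl.sh /Applications/exelis/idl/bin/idl
[ "$#" -eq 0 ] || patch_idl_script "$@"
```

The writability check matters because any library placed in the first search-path directory is loaded ahead of the copies IDL ships with.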

I have been in contact with Harris tech support – at the moment they suggest rolling back to XQuartz 2.7.9 but so far as I can tell the changes detailed above are an acceptable workaround, and I prefer to keep current for security reasons.

Update 2 – Harris tech support article which now says basically the same thing!

Chrome can’t connect to google.com – irony overload detected

An interesting problem started to pop up for Chrome users starting on Friday 14th – Chrome was unable to connect to any Google website. Other browsers were fine, but Chrome was having none of it.

A recent update to Chrome seems to be favouring the use of Google’s new QUIC protocol to connect to their servers, rather than HTTP(S). At the moment QUIC is blocked at the campus firewall so this doesn’t work, but Chrome doesn’t seem to want to give up, and decides that if it can’t have QUIC then you’re getting nothing.

At the moment the only way to fix things is to block the use of QUIC. Open a new Chrome tab, and enter the address:

chrome://flags/#enable-quic

and change the popup menu from ‘Default‘ to ‘Disabled‘. Chrome will then ask to restart and once that’s done all should be well again.

Screenshot of Google Chrome QUIC settings

Update – 19th Oct – Networks are aware of the issue and working to enable QUIC through the firewall. The issue has been replicated on a lot of Macs and also Windows 10 systems.

Update 2 – 19th Oct – Even with the firewall allowing QUIC to pass through it seems that Chrome v54 – which started auto-deployment last week – has a bug which triggers this issue. There are similar reports on the Chrome releases blog. We may have to wait for Google to fix this! Chrome v53 seems to behave properly – either using QUIC or else falling back to HTTPS as it should.

Update 3 – 21st Oct – Chrome 54.0.2840.71 has been released which appears to fix this problem! If you disabled QUIC I don’t see much to gain by re-enabling unless you’re feeling keen.

Sierra printing ‘anomaly’

I installed Sierra on my Mac today as there didn’t seem to be any major known issues affecting my configuration, and I had updated all my core apps to Sierra compliant versions. So far I’ve found one anomaly.

When printing to the MFDs I keep getting prompted for my AD credentials. My Mac isn’t bound to the AD, but in previous versions of OS X when I had entered my staff number and password, and selected to store them in the Keychain, I would never be prompted for them again. Printing ‘just worked’. On Sierra I get the prompt for credentials each time; the dialog is pre-filled with the correct data so all I need to do is hit enter or click OK, but it’s annoying!

I have tested this on various machines, both upgrades to Sierra and fresh installs, and on new and upgraded user accounts. All show the same behaviour. It seems the same as discussed on this thread in Apple Discussions. I don’t think this is a change for the better, so I have lodged a bug report with Apple.

Update 16 December 2016 – Apple has addressed this issue with macOS 10.12.2 by adding a preference to revert to the previous behaviour.

macOS Sierra

OS X is now macOS, and macOS 10.12 shipped yesterday. You may well be seeing prompts to download and install from the App Store. At the moment I suggest waiting a few weeks to let the initial bugs be found by others, and for the inevitable .1 release to come out.

Third party software is still being updated for Sierra; while developers have had access to beta versions there are always glitches with the actual release. For example, Mathematica is known to have issues with some localisations.

Symantec has support for Sierra in their latest Mac release and I am working to get a copy of that uploaded to Managed Software Centre ASAP. Other software updates will be uploaded when they’re available!

I’m not dead…

Just spending the summer writing documentation. Yay.

I discovered today – via the staff roundup – that staff now have access to Office365. This gives us web apps, 1TB of space on OneDrive, and install rights for Office on PCs, Macs, phones, and tablets. So no more buying O365 licenses to use on iPad Pros!

Point a browser at https://office365.qub.ac.uk to have a look around. You can use your QOL credentials, in the form staffno@ads.qub.ac.uk, to activate Office on iPads, etc.