Mac Hacks (28 page)
So
where are all these new features of Profile Manager that
justify a new version number? To quote Apple’s Profile Manager 2
page:
Profile Manager simplifies deploying, configuring, and managing
them all. It’s one place where you control everything: You can create
profiles to set up user accounts for mail, calendar, contacts, and
messages; configure system settings; enforce restrictions; set PIN and
password policies; and more. Because it’s integrated with the Apple
Push Notification service, Profile Manager can send out updated
configurations over the air, automatically. And it includes web-based
administration, so you can manage your server from any modern web
browser. Profile Manager even gives users access to a self-service web
portal where they can download and install new configuration profiles,
as well as clear passcodes and remotely lock or wipe their Mac,
iPhone, or iPad if it’s lost or stolen.
Wait, it did that before... Which isn’t to say that Profile
Manager isn’t an awesome tool for the money. Apps such as Casper MDM,
AirWatch, Zenprise, etc., all have far more options, but aren’t as easy
to install, nor do they come at such a low price. Profile Manager is a
great option if all the tasks you need to perform are available within
the tool. If not, then it’s worth a look, if only as a means to learn
more about the third-party tools
you’ll ultimately end up using. One thing I can say is that Profile
Manager is a little faster and seems much more stable—in fact,
Apple
has now published scalability numbers
, which they have rarely
done in the past. You can also implement newer features with it,
including Gatekeeper and
Messages.
. Networking Hacks
WiFi has become the networking standard for homes, which is good
because it saves people a lot of trouble (imagine running CAT-5 cable from
one end of the house to the other). But just because a network is wireless
doesn’t mean you don’t have to manage it. You’ll want to secure the network,
maximize the signal, and massage the network so it performs the way you want
it to. This chapter explains how.
. Optimize Your WiFi
OS X is
keeping secrets from you! And one of those secrets is a
nifty app you can use to resolve WiFi issues and have network fun.
If you click the Wi-Fi menulet in your Mac’s menu bar, you don’t get
a lot of info: a list of nearby networks with a checkmark next to the one
you’re connected to. Not that exciting or, really, very informative. But
click the same menulet while holding down the Option key gives you a whole
slew of options (
Figure 9-1
).
super nifty app.
Let’s take a moment to demystify what the menulet is telling us.
Here’s what the grayed-out info under the name of your current network
means:
PHY Mode
tells you what mode
the network is using (b, g, or n).BSSID
is the MAC (Media
Access Control) address of the router.Channel
is the channel your
Mac is using (wireless routers use multiple channels to send the
signals back and forth).Security
indicates what type
of security the network is using.RSSI
indicates the strength
of the wireless signal.Transmit Rate
is the rate
your wireless router is working at.MCS Index
tells you which
modulation scheme your router is using.
Tip: After you Option-click the Wi-Fi menulet, you can get this
same info about networks you’re
not
connected to by
pointing your cursor at the network’s name in the list. The info pops up
in a yellow box.
All that is nifty information, but you want even more info—you want
to know
everything
. So select Open Wi-Fi Diagnostics
and let’s get going!
Once
Wi-Fi Diagnostics is up and running, you have some obvious
choices (
Figure 9-2
).
you?
If you choose Create Diagnostic Report, your Mac will check out your
Network Services, scan networks within earshot (antenna shot?) of your
Mac, run some diagnostic tests, and then monitor your WiFi performance—and
it does all of these things without intervention. All you have to do is
select the Create Diagnostic Report radio button and click Continue.
You’ll be asked for your password; after you enter it, OS X will go about
testing your WiFi and generating a report (this can take some time). When
Wi-Fi Diagnostics is done working, the Continue button will turn blue.
Click it (you’ll have to authenticate again) and a report will be
generated and saved to your desktop. While you’ll end up with a lot of
nice logs, the usefulness of the report isn’t apparent to the average
computer user.
The same goes for the other two options here: Turn on Debug Logs and
Capture Network Traffic. You’ll capture a lot of nice data (even other
WiFi networks’ data when capturing network traffic), but making sense of
the data isn’t for the fainthearted.
Does that mean that Wi-Fi Diagnostics is a bust? Nope. Remember how
the app was hidden? Turns out the app has a ton of hidden functionality,
as well. So instead of choosing one of the three options Wi-Fi Diagnostics
presents you with, select File→Network Utilities (or press Command-N).
Once you do that, you’ll see a brand-new window with four useful tabs
(
Figure 9-3
).
Performance
is the first tab, and that’s probably the one you’ll
gravitate to—after all, you need to know just how well your WiFi is
working, right? The Performance tab includes a real-time graph of signal
strength versus noise, and a separate graph showing network traffic. In
the signal-strength graph, the yellow line represents signal strength, and
the green line represents noise. It’s kind of a weird scale if you’re not
used to, it but closer to zero means the signal is stronger (we’re dealing
with negative numbers here).
roughly 45 dBm and noise is 95 dBm, a difference of 50 (a difference of
over 30 between signal and noise should be a great WiFi setup).
Note: The signal-strength graph is in dBm, which is a measure of
decibels (dB) to a milliwatt (usually abbreviated as mW, but shortened
to just m in this case). Zero dBm is 1 milliwatt, but the typical power
your Mac receives will be −10 to −60 dBm (around 100
micro
watts).That’s not a lot of energy, but it’s
enough to transfer your
data.
If you’re not satisfied with your WiFi network’s performance, the
signal-strength graph updates in real time, so you can try different
locations (sometimes a small change can make a big difference), different
channels, and other tricks to bump up your WiFi performance.
The other tabs in Network Utilities aren’t quite as exciting. The
Wi-Fi Scan tab shows all the nearby networks (even hidden ones), and the
Bonjour tab lists the locally connected devices (printers and other Macs).
Finally, the Tools tab gives you access to commonly used network tools
like Ping and Traceroute, among others; but these same tools are all also
available in Terminal with their requisite manual pages. If you’re interested in a particular tool, open up
Terminal and typemannameoftoolyou’reinterestedin
You could stop here—after all, it’s easy enough to access Wi-Fi
Diagnostics using the technique explained above. But why not make your
Mac a better place and put a Wi-Fi Diagnostics
alias
where you expect apps to be—in the
Application folder! (An alias is a link to the original item—the icon
looks
like the item and clicking it will launch or
open the original item, but the original item hasn’t been moved.) To do
that, first we’ll need to find the location of Wi-Fi Diagnostics.
Spotlight is no help, because it doesn’t index the folder where Wi-Fi
Diagnostics resides. Time for a little folder burrowing.
The Wi-Fi Diagnostics app is in your Mac’s Core Services folder,
which you can find in the Library folder of your Mac’s System folder.
That’s pretty confusing so let’s type out the path explicitly:
[Computer]/[Startup
Drive]/System/Library/CoreServices
. Follow that path (
Figure 9-4
) and you’ll find
the Wi-Fi Diagnostics app.
Diagnostics app. And once you find it, you’re free to do just about
anything you want with it.
Once you find the app, right-click its icon and select Make Alias.
Because the app is in the CoreServices folder, you’ll have to
authenticate with an administrator’s name and password before OS X will
let you make the alias. It’s not that you’re doing anything dangerous;
it’s just that OS X wants to keep the CoreServices folder unchanged. And
the CoreServices folder
will
remain unchanged
because, after you create the Wi-Fi Diagnostics alias, you’ll move it
somewhere you have easier access to it (the Applications folder is a
good choice). Even if you forget and leave the alias in the folder,
don’t worry: nothing bad will
happen.
. Secure Your Wireless Network
It
seems that everyone has a wireless network, but not everyone
is willing to take the steps necessary to secure that network. If your
network is completely open, people can intercept your packets and see
exactly what you’re doing over your network. Don’t let this happen to you:
secure that network!
Nothing is more convenient than the near-ubiquitous wireless
network: the 802.11x protocols fill the airwaves around us, put the
“mobile” in mobile computing, and give everyone a reason to seriously
consider a laptop. When out and about, an unsecured hotspot is a pathway
to free Internet usage; at home, strangers mucking about on your network
or leeching your bandwidth isn’t as appealing.
Before starting the process of locking down your network, taking the
time to investigate who’s using it can be a revealing exercise. The
process is simple; all
it requires is a quick trip to the command line, where you
type:
$ ifconfig
This command returns the seemingly inscrutable output shown in
Figure 9-5
.
this point. Still, this output gives us part of the IP address (circled)
we need for the next step in this hack.
While
the window is packed with useful information, the only part
of interest for the current purpose follows the word “broadcast,” as shown
in
Figure 9-5
. That’s the
IP address of your wireless network and the bit of information we need to
perform the next test. Back
to the command line and another simple line of code:
$ ping -c2 -i30192.168.125.255
Tip: This method won’t help you to find all network interlopers
because not every computer will respond to a ping request (if you’ve
enabled stealth mode on your Mac, this trick won’t catch it). But using
a ping command has the advantage of being quick and easy.
What the command accomplishes is straightforward: the computer sends
out a data packet, and all the computers using the network send back a
packet. It’s the command-line version of “Can you hear me now?” (Only not
nearly as annoying.) The-cpart
specifies the number of packets to send, and the-ipart indicates the amount of time you want
your computer to wait for responses. In this example, two packets were
sent, and 30 seconds was allowed for a response. The result is as
follows:
server:~ cks$ ping -c2 -i30
192.168.1.255
PING 192.168.1.255 (192.168.1.255): 56 data
bytes
64 bytes from 192.168.1.101: icmp_seq=0
ttl=64 time=0.159 ms
64 bytes from 192.168.1.1: icmp_seq=0
ttl=64 time=2.124 ms
64 bytes from 192.168.1.109: icmp_seq=0
ttl=64 time=186.949 ms
64 bytes from 192.168.1.110: icmp_seq=0
ttl=64 time=188.489 ms
In this case, the result is just what I expected: there are three
devices on the network (plus the router). Usually there are more devices
on this network, but since it’s late at night, the various iPod Touches
and iPads are sleeping. Remember that a lot of devices can legitimately be
on your network, so don’t be surprised if your list is much, much
longer.
You might not be able to tell if someone who shouldn’t be is using
your network. If you’ve only got a few devices, you’ll likely notice an
interloper. But if you’re like a lot of people, you’ve got
dozens
of things going over the network—iPhones,
iPads, TVs, Macs, game systems, iPod touches, and so on—which means that
trying to suss out the IP that doesn’t belong could be rough. That’s all
the more reason to lock down your network and change the password on a
regular basis. The method you choose to protect your network is up to you
(of course). Some methods are less work and offer less protection; some
methods are more work and make your network
seemingly
secure but are still crackable; and at least one method (which is a fair
amount of work) is considered secure. The following sections take a look
at your various options.
Most
wireless security happens inside your wireless router.
Typically, users access their router through their browser of choice. Of
course, it doesn’t do you any good to know that you can control your
router through your browser if you don’t know your router’s IP address.
You can obtain this data using the ping command (as described earlier in
this hack) and analyzing the results (one of the returned IP addresses
will be your router—usually the shortest). Let’s make it even easier
with a short list of the default IPs for most common routers:
AirPort: 192.168.2.1
Linksys: 192.168.1.1
D-Link: 192.168.0.1
Belkin: 192.168.2.1
That list obviously doesn’t cover every router, but chances are it
will cover yours.
There
are a few steps to consider taking even if you decide not
to close your network to interlopers. First, you should give the network
a new name. Routers come factory-set with names like Linksys or
D-Link—names like that practically scream “use me first—my owner hasn’t
taken the time to customize me.” So changing the name of your network to
something more meaningful (or silly) is a good idea, and kind of fun to
boot (
Figure 9-6
), like
wearing a Los Pollos Hermanos T-shirt.
descriptive the better.
Even
more important than giving your network a new name is
changing the password for your router. The default administration
settings for wireless routers are easy to find on the Internet, so there
isn’t any problem gaining access to your router if you don’t change its
password. It is also a good idea to turn off remote management so
ne’er-do-wells won’t be able to do incredibly nasty things to your
router over your wireless network (see
Figure 9-7
).
safer place.
One
of the easiest ways to add a modicum of security to your
network is to tell your browser not to broadcast its
service
set identifier
(SSID), which is the name you gave your
network or the default name set at the factory. When looking for an
unsecured network to jump on, most people just pick a name associated
with an unsecured access point (your Mac displays a lock next to secured
access points). With no SSID being flung through the air, most people
will overlook your network because if you’re not broadcasting an SSID,
your network won’t show up in their list of choices. It keeps very lazy
folk honest because it takes an extra step to find your network! Turn
off SSID by accessing your router configuration page (
Figure 9-8
).
How can you join your network if you can’t see it? To join or
rejoin the network, head up to the main OS X menu bar, click the AirPort
menulet, choose “Join Other Network,” and then type the network’s
name.
How much security does not broadcasting the SSID offer? Not a
great deal. There are a variety of programs that can detect the
unbroadcasted network name (there’s even an app built into OS X that
lets you do this), and once the name is known, the network is completely
unprotected. That said, if you live in a sea of unprotected hotspots,
turning off your SSID is probably enough to make the opportunistic
leeches look
elsewhere.
Most
routers allow you to restrict access by only letting
certain computers and devices onto your network. Routers decide which
devices to allow by checking each device’s
media access
control
(MAC) address. If you decide to filter the people
allowed on your network by MAC address, the first thing to acquire is
the MAC addresses of the devices you want to allow. For Macs connecting
to the router wirelessly, you’ll need the MAC addresses of their
devices. To retrieve this information, head to System
Preferences→Network→Wi-Fi→Advanced (see
Figure 9-9
).
MAC filtering on your wireless network.
Once you’ve compiled that information, enter the MAC addresses of
the devices you want to allow on your network. The place you enter this
information varies depending on your router, so you’ll have to go to
your router’s configuration page to discover where to enter it.
MAC address filtering is tougher to crack than simply turning off
the SSID broadcast, but it isn’t
much
tougher. Many
programs capable of discovering a hidden wireless network can
also
sniff
packets
(small bits of data
sent from your computer to the network and vice versa). Since your MAC
address is sent with each packet, and since the communication is
unencrypted, if someone wants to get on your network, all they need to
do is spoof their MAC address to match yours. On the other hand, adding
MAC filtering to a nonbroadcasting SSID increases the hassle factor of
using your network—and the hassle
can easily chase away slackers trying to get a free ride to the
Web.
Typing in all the MAC addresses you want to allow can be
tedious. Luckily, some routers will take care of the grunt work for
you! Tom Sgouros, editor of
The Big Book of Apple
Hacks
(O’Reilly, 2008), explains how he pulled it
off:
“I use a Linksys WRT54G wireless router. I logged on to the
router control web page by using a browser to open up 192.168.1.1 and
opened up the network by removing all the restrictions. Then I fired
up the two laptops that needed access to the network. Under the
Wireless tab of the router control page, I clicked Wireless MAC
Filter, then clicked the Edit MAC Filter List button. This opens
another window with places for you to fill in the MACs. But at the top
of that window, there’s another button that says Wireless Client MAC
List. Clicking that gets you a list of all the computers currently
making a wireless connection.
“Click Enable MAC Filter for each computer you want to allow
onto the network, and then click the Update Filter List button at the
bottom of this window. The MAC addresses will automatically appear in
the filter list. Scroll down that page and click Save, and all the
computers will be saved. Now, make sure that you’ve checked the box
that says only to permit listed computers to access the network, then
click Save, and you’re
done.”