Plan B is a remediation program for managed Macs. It is meant to be run to re-install other management software.
- Secure download of disk images from an Internet-facing server.
- Installation of package files contained on the disk images.
- Validation of server certificate against explicitly trusted certificate authorities only.
- Support for client certificate authentication to ensure only trusted clients can access the server.
- URL construction to download packages based on a client's configuration in a plist.
- Extensive logging of presented certificate details for auditing and MITM detection.
- No external dependencies; the compiled program is tiny and can be easily deployed.
First, create a Web server which will host disk images containing a single .pkg
package file on each .dmg
disk image file.
There is a shell script included in this directory to generate a public-key infrastructure, if one is not already in place. There are also many excellent guides and programs, like easy-rsa
, available online.
If the server has enabled client certificate authentication, first install the client certificate and private key to system keychain. You may first need to convert them to PKCS#12 format with something like, openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.pem -out client.p12
. Otherwise, the program will perform server certificate validation only.
Compiling Plan B requires a modern version of Xcode, available from Apple's Developer site.
-
Download the source code with
git clone https://github.com/google/macops-planb
-
Change directory into the repo
cd macops-planb
-
Install required CocoaPods with
pod install
-
Open the Xcode project with
open planb.xcworkspace
-
Edit
main.m
and changekBaseURL
to the URL of the server and folder containing disk images. By default, the program will usehttps://mac.internal.megacorp.com/pkgs/
-
Edit
main.m
and change thepackages
array to match the names of disk image names and their contained packages' receipt names. By default, the program will constructpkg1/package1-stable.dmg
and forget the receipt for packagecom.megacorp.package1
prior to re-installation, and so on. -
Edit
main.m
and change thekMachineInfo
to match a machine information plist, which may contain aConfigurationTrack
value, for example. This value is used to construct the disk image suffix, likepackage1-stable.dmg
,package1-testing.dmg
orpackage1-unstable.dmg
. This is useful if you have machines on multiple configuration tracks. -
Edit
roots.pem
and change the contents to include a single or multiple PEM-encoded certificate authority certificates you wish to trust for server validation. By default, the program will useGeoTrust Global CA
, the authority used to sign Google's intermediate CA, however you should use the CA which has signed the server's certificate or the server's intermediate certificate. -
Compile the program with
xcodebuild -workspace planb.xcworkspace -scheme planb -configuration Release
. It will appear in./Build/Products/Release/planb
The planb binary must be run as root in order to install packages. It will run on its own without any external dependencies.
It is recommended to create a simple script to determine the health of the machine, for example by checking the last successful run date of the primary management software, and running Plan B if the condition is not met. This script can then be started periodically as a system launch daemon.
Have a look at the planb_check
shell script and the com.megacorp.planb.plist
launch daemon property list for an example.
In our environment, we have a wrapper tool for Puppet, which verifies the configuration run was successful and updates the timestamp on a file. We track this in planb_check
and base the decision to kick off planb
from it.