Plan B is a remediation program for managed Macs. It is meant to be run to re-install other management software.
- Secure download of disk images from an Internet-facing server.
- Installation of package files contained on the disk images.
- Validation of server certificate against explicitly trusted certificate authorities only.
- Support for client certificate authentication to ensure only trusted clients can access the server.
- URL construction to download packages based on a client's configuration in a plist.
- Extensive logging of presented certificate details for auditing and MITM detection.
- No external dependencies; the compiled program is tiny and can be easily deployed.
First, create a Web server which will host disk images containing a single
.pkg package file on each
.dmg disk image file.
There is a shell script included in this directory to generate a public-key infrastructure, if one is not already in place. There are also many excellent guides and programs, like
easy-rsa, available online.
If the server has enabled client certificate authentication, first install the client certificate and private key to system keychain. You may first need to convert them to PKCS#12 format with something like,
openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.pem -out client.p12. Otherwise, the program will perform server certificate validation only.
Compiling Plan B requires a modern version of Xcode, available from Apple's Developer site.
Download the source code with
git clone https://github.com/google/macops-planb
Change directory into the repo
Install required CocoaPods with
Open the Xcode project with
kBaseURLto the URL of the server and folder containing disk images. By default, the program will use
main.mand change the
packagesarray to match the names of disk image names and their contained packages' receipt names. By default, the program will construct
pkg1/package1-stable.dmgand forget the receipt for package
com.megacorp.package1prior to re-installation, and so on.
main.mand change the
kMachineInfoto match a machine information plist, which may contain a
ConfigurationTrackvalue, for example. This value is used to construct the disk image suffix, like
package1-unstable.dmg. This is useful if you have machines on multiple configuration tracks.
roots.pemand change the contents to include a single or multiple PEM-encoded certificate authority certificates you wish to trust for server validation. By default, the program will use
GeoTrust Global CA, the authority used to sign Google's intermediate CA, however you should use the CA which has signed the server's certificate or the server's intermediate certificate.
Compile the program with
xcodebuild -workspace planb.xcworkspace -scheme planb -configuration Release. It will appear in
The planb binary must be run as root in order to install packages. It will run on its own without any external dependencies.
It is recommended to create a simple script to determine the health of the machine, for example by checking the last successful run date of the primary management software, and running Plan B if the condition is not met. This script can then be started periodically as a system launch daemon.
Have a look at the
planb_check shell script and the
com.megacorp.planb.plist launch daemon property list for an example.
In our environment, we have a wrapper tool for Puppet, which verifies the configuration run was successful and updates the timestamp on a file. We track this in
planb_check and base the decision to kick off
planb from it.