Posted on 01-14-2015 09:19 AM
I know in Windows, once a system is domain joined it automatically gets time information from the Domain Controller (no policies or scripts need to be run to do this).
For OS X I've bound Mavericks systems to our AD, but they still seem to get network time from time.apple.com, which fails because port 123 outbound is blocked.
After binding Mavericks to AD, shouldn't change it's time server from time.apple.com to whichever DC was used for authentication? Or must i run some script or policy to manually tell it to look internally for the time?
I know that sudo systemsetup -setnetworktimeserver "SOMESERVER" should do the trick, but i'd rather not set it statically since the DC might change depending on where the system is.
Posted on 01-14-2015 09:55 AM
OS X doesn't automatically change NTP servers. You can point it to one using systemsetup as you described, and then add alternates like this:
echo "server 12.34.56.78" >> /etc/ntp.conf
Posted on 01-14-2015 10:23 AM
You can set your domain as the time server (FQDN, such as domain.example.com) and it will use the domain controller it's already talking to.
Posted on 01-14-2015 10:50 AM
I've got a JAMF created script in my JSS for setting the time server. I don't recall if it was bundled in to Casper or if I pulled it off JAMF Nation.
#!/bin/sh
####################################################################################################
#
# Copyright (c) 2010, JAMF Software, LLC. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# * Neither the name of the JAMF Software, LLC nor the
# names of its contributors may be used to endorse or promote products
# derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
####################################################################################################
#
# SUPPORT FOR THIS PROGRAM
#
# This program is distributed "as is" by JAMF Software, LLC's Resource Kit team. For more
# information or support for the Resource Kit, please utilize the following resources:
#
# http://list.jamfsoftware.com/mailman/listinfo/resourcekit
#
# http://www.jamfsoftware.com/support/resource-kit
#
# Please reference our SLA for information regarding support of this application:
#
# http://www.jamfsoftware.com/support/resource-kit-sla
#
####################################################################################################
#
# ABOUT THIS PROGRAM
#
# NAME
# setTimeServers.sh -- Set a time server.
#
# SYNOPSIS
# sudo setTimeServer.sh
# sudo setTimeServer.sh <mountPoint> <computerName> <currentUsername> <timeServer>
#
# DESCRIPTION
# This script will set a Time Server in the network settings for whichever network interface has
# been specified.
#
####################################################################################################
#
# HISTORY
#
# Version: 1.0
#
# - Created by Tedd Herman on December 29,2008
#
####################################################################################################
#
# DEFINE VARIABLES & READ IN PARAMETERS
#
####################################################################################################
# HARDCODED VALUES ARE SET HERE
timeServer=""
# CHECK TO SEE IF A VALUE WAS PASSED IN PARAMETER 4 AND, IF SO, ASSIGN TO "timeServer"
if [ "$4" != "" ] && [ "$timeServer" == "" ];then
timeServer=$4
fi
####################################################################################################
#
# SCRIPT CONTENTS - DO NOT MODIFY BELOW THIS LINE
#
####################################################################################################
OS=`/usr/bin/defaults read /System/Library/CoreServices/SystemVersion ProductVersion | awk '{print substr($1,1,4)}'`
if [ "$timeServer" != "" ]; then
if [[ "$OS" < "10.5" ]]; then
echo "Setting network time server to: $timeServer..."
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setnetworktimeserver $timeServer
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setusingnetworktime on
else
echo "Setting network time server to: $timeServer..."
/usr/sbin/systemsetup -setnetworktimeserver $timeServer
/usr/sbin/systemsetup -setusingnetworktime on
fi
else
echo "Error: The parameter 'timeServer' is blank. Please specify a time server."
fi
Then I have an extension attribute for getting the current value:
#!/bin/sh
OS=`/usr/bin/sw_vers -productVersion | /usr/bin/colrm 5`
if [[ "$OS" < "10.5" ]]; then
if [ -f /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup ];then
echo "<result>`/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -getnetworktimeserver | awk '{print $4}'`</result>"
else
echo "<result>The systemsetup binary is not present on this machine.</result>"
fi
else
echo "<result>`/usr/sbin/systemsetup -getnetworktimeserver | awk '{print $4}'`</result>"
fi
From there, just scoped a policy to modify the time server as needed.
Posted on 01-14-2015 11:50 AM
In my case I just wrote a simple script to tell it to use our internal time server.
systemsetup -setusingnetworktime on -setnetworktimeserver **nameoftimeserver**
Works like a charm for us. I just have that script set to run when enrollment is complete, and once per computer.
Posted on 01-14-2015 01:02 PM
Thanks, I should of known i could of just pointed setnetworktimeserver to the domain name and it'd work.
Are you guys also setting time zone? I'm getting "Unable to determine current location at this time" on the Time Zone screen. Wireshark traces look like it's trying to connect to "gs-loc.ls-apple.com.akadns.net" over port 443, and if that's all it's using for location services it'd make sense that would fail as 443 is also blocked. Are you seeing the same? If so, i'm assuming i'll need to set it manually using systemsetup -settimezone <TIMEZONE>.
Posted on 03-07-2016 03:21 PM
I think there's a bug in this script post OSX 10.10. This line
if [[ "$OS" < "10.5" ]]; then
causes problems if you are on OS 10.10 or better, as string 10.10 and 10.11 are lexicographically less than 10.5, causing the wrong path to run. I could see this in my policy logs when I tried to run it.
I believe if you change it to
if [[ "$OS" < "$10.5" ]]; then
you'll get a correct numeric to numeric comparison that will work better. I tested this on my 10.11 machine and it works well from what I can tell.
Posted on 03-21-2016 01:57 PM
We have several sites and some are in different time zones. How would I set the time server according to network subnet?
Thanks.
Posted on 03-21-2016 05:53 PM
you would have to bake logic into the script based on timeserver and subnet. An if-then-else loop
Larry
Posted on 03-22-2016 09:37 AM
You might want to check if your DHCP is advertising the NTP service (Option_42)
Something like this...
#!/bin/sh
IPv4PrimaryService=$(echo "show State:/Network/Global/IPv4" | scutil | grep "PrimaryService" | cut -d":" -f 2- | sed "s|^[ ]*||;s|[ ]*$||")
echo "show State:/Network/Service/${IPv4PrimaryService}/DHCP" | scutil | grep "Option_"
Posted on 03-22-2016 03:26 PM
I don't think it matters which DC it picks time from, it's time zone that differs, so as long as timezone is correct it should work it out; reference time is the same globally. Eg. If I changed my time server to time.asia.apple.com I shouldn't suddenly get some time from a random location in Asia, I should still get time for my Time Zone.
We script it, using as you suggested:
systemsetup -settimezone <TIMEZONE>
As @bvrooman suggested, consider multiple time servers. If the battery runs dead and you end up with incorrect time, depending upon configuration, users may not be able to correct the time and the machine won't be able to correct itself if the time server can't be contacted, e.g. a laptop off site that is configured to sync with an internal time server.
@Swift If you know which port is in use, e.g. en0, you could query option 42 directly.
ipconfig getoption en0 dhcp_network_time_protocol_servers
dhcp options listed in the bootp man page
@mmunoz2 Depending upon how you have your AD configured, you may be able to get location info from AD. Look inside
/Library/Preferences/OpenDirectory/DynamicData/Active Directory/
You should find a plist. If sites are configured, try reading the sitename.
/usr/libexec/PlistBuddy -c "Print :ActiveDirectory:sitename " /Library/Preferences/OpenDirectory/DynamicData/Active Directory/[YOUR FILE].plist
If you wish to compare versions, comparing each part of the version independently should be reliable.
Eg.
#!/bin/bash
major_version=`sw_vers -productVersion | cut -d "." -f 1`
first_minor_version=`sw_vers -productVersion | cut -d "." -f 2`
# second_minor_version=`sw_vers -productVersion | cut -d "." -f 3`
if [ $major_version -eq 10 ]
then
if [ $first_minor_version -gt 5 ]
then
SystemSetup="/usr/sbin/systemsetup"
else
SystemSetup="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup"
fi
fi
$SystemSetup -getnetworktimeserver
exit 0
However, based on the fact that there are only two options, you could just do:
#!/bin/bash
SystemSetup="/usr/sbin/systemsetup"
if [ ! -e $SystemSetup ]
then
SystemSetup="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup"
fi
$SystemSetup -getnetworktimeserver
exit 0
Posted on 03-22-2016 06:54 PM
Hi guys -
Just wanted to point out that the version of the setTimeServers.sh script posted in the thread above is old & has been updated:
Try downloading our scripts before using older versions. We have fixed many of the scripts that are commonly used including this one. Also, if there are assets here you use that you'd like to see updated, let us know. Thanks!
Posted on 04-20-2016 11:46 AM
Might want to bounce ntpd after changing /etc/ntp.conf
?
/bin/launchctl unload /System/Library/LaunchDaemons/org.ntp.ntpd.plist
/bin/sleep 2
/bin/launchctl load /System/Library/LaunchDaemons/org.ntp.ntpd.plist
Posted on 04-20-2016 12:56 PM
I like setting multiple time servers, one internal and one external. Perhaps something like the following might get you on track.
#!/bin/bash
## turn off network time
systemsetup -setusingnetworktime off
## set global time servers
global_timeserver="0.north-america.pool.ntp.org"
## get subnet, returns something like 10.10.4
local_subnet=$(ifconfig | grep -Eo 'inet (addr:)?([0-9]*.){3}[0-9]*' | grep -Eo '([0-9]*.){3}[0-9]*' | grep -v '127.0.0.1' | cut -f1-3 -d.)
case $local_subnet in
10.10.4)
local_timeserver="10.10.4.11"
;;
10.10.5)
local_timeserver="10.10.5.11"
;;
*)
## most reliable DC
local_timeserver="10.10.2.11"
;;
esac
## in case ntp.conf file doesn't exist, create it
touch /private/etc/ntp.conf
## save current ntp.conf file
mv /private/etc/ntp.conf /private/etc/ntp.conf.orig
## create new file
echo "server $local_timeserver" > /private/etc/ntp.conf
echo "server $global_timeserver" >> /private/etc/ntp.conf
## reenable network time
systemsetup -setusingnetworktime on
Posted on 04-20-2016 01:03 PM
@brock.walters You might want to put an exit 0 at the end of your script.
Posted on 04-20-2016 01:11 PM
+1 for @leslie and multiple time servers. We actually use systemsetup to set the first time server and then add extra with an echo. As the systemsetup command will only allow one entry, you know that you will only have one entry after running the command (essentially cleaning the file for you or creating it if it doesn't exist).
Something like:
systemsetup -setnetworktimeserver $local_timeserver
echo "server $global_timeserver" >> /etc/ntp.conf
Posted on 04-20-2016 01:30 PM
Most well-behaved bash commands exit with a status of 0 on their own unless something is wrong. Exit codes can be built in to scripts to customize logging or halting behavior but most of the time when you see them they are unnecessary.
Posted on 04-20-2016 03:00 PM
Moot point since it won't ever get to the end of the script.
if/else block ends and then there's another else/fi and $4 is probably unique to your use.
Self Service apparently can suffer without neatly exiting a script:
It's good to help everyone who struggles with this, but perhaps testing may be wise if sharing scripts. At best you should expect an untested script to just error out, but worse still it could damage systems.
Posted on 04-20-2016 03:12 PM
Not sure what you mean is moot: your point about exit codes? My point isn't - most scripts don't need exit codes if they are well-formed, period, however, you can add them to modify behavior. A version of the set time server script has been available since 2008 on JAMF Nation & never had an exit 0 at the end, but, the great thing about all of the scripts you can download from JAMF Nation is that you can modify them as much or as little as you like.
Posted on 04-20-2016 03:15 PM
No, not moot about exit codes, moot that it will never reach the end of the script because the script is malformed and won't ever run successfully.
Posted on 04-20-2016 03:32 PM
Well, that's a little embarrassing... The version that is supposed to be uploaded is not. My apologies for that. We will get the script up to date but in the mean time here is what will be uploaded eventually & should be there now:
#!/bin/sh
####################################################################################################
#
# Copyright (c) 2010, JAMF Software, LLC. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# * Neither the name of the JAMF Software, LLC nor the
# names of its contributors may be used to endorse or promote products
# derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
####################################################################################################
#
# SUPPORT FOR THIS PROGRAM
#
# This program is distributed "as is" by JAMF Software, LLC's Resource Kit team. For more
# information or support for the Resource Kit, please utilize the following resources:
#
# http://list.jamfsoftware.com/mailman/listinfo/resourcekit
#
# http://www.jamfsoftware.com/support/resource-kit
#
# Please reference our SLA for information regarding support of this application:
#
# http://www.jamfsoftware.com/support/resource-kit-sla
#
####################################################################################################
#
# ABOUT THIS PROGRAM
#
# NAME
# setTimeServers.sh -- Set a time server.
#
# SYNOPSIS
# sudo setTimeServer.sh
# sudo setTimeServer.sh <mountPoint> <computerName> <currentUsername> <timeServer>
#
# DESCRIPTION
# This script will set a Time Server in the network settings for whichever network interface has
# been specified.
#
####################################################################################################
#
# HISTORY
#
# Version: 1.0
#
# - Created by Tedd Herman on December 29,2008
#
# Version 2.0
#
# - Updated by Brock Walters Nov 8 2014
#
####################################################################################################
#
# DEFINE VARIABLES & READ IN PARAMETERS
#
####################################################################################################
# HARDCODED VALUES ARE SET HERE
timeServer=""
# CHECK TO SEE IF A VALUE WAS PASSED IN PARAMETER 4 AND, IF SO, ASSIGN TO "timeServer"
if [ "$4" != "" ] && [ "$timeServer" == "" ]
then
timeServer=$4
fi
####################################################################################################
#
# SCRIPT CONTENTS - DO NOT MODIFY BELOW THIS LINE
#
####################################################################################################
osx=$(/usr/bin/defaults read /System/Library/CoreServices/SystemVersion ProductVersion | awk '{print $1}')
maj=$(/usr/bin/defaults read /System/Library/CoreServices/SystemVersion ProductVersion | awk '{print substr($1,1,2)}')
ref=$(/usr/bin/defaults read /System/Library/CoreServices/SystemVersion ProductVersion | awk '{print substr($1,4,2)}')
if [ $maj -gt 10 ]
then
echo
echo "Check OS string format & OS X systemsetup utility for script compatibility with OS X version $osx"
echo
exit
fi
if [ "$timeServer" != "" ]
then
if [ $ref -lt 5 ]
then
echo
echo "Setting network time server to: $timeServer..."
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setnetworktimeserver $timeServer
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setusingnetworktime on
echo
else
echo
echo "Setting network time server to: $timeServer..."
/usr/sbin/systemsetup -setnetworktimeserver $timeServer
/usr/sbin/systemsetup -setusingnetworktime on
echo
fi
else
echo
echo "Error: The parameter 'timeServer' is blank. Please specify a time server."
echo
fi
Posted on 05-03-2016 09:13 AM
Hello - the fixed version of this script (identical to what is posted above) is now available on the JAMF Nation Scripts page for download. Thanks!