El Capitan User Template dock customisation issue

anothermacguy
New Contributor II

Hi guys,

We usually chuck a customised com.apple.dock.plist into the user template (/System/Library/User Template) so that when users (students in this case) log in with their AD credentials they all get a standard Dock setup. With El Capitan we're seeing an issue with the Downloads folder in the Dock though, where the icon in the Dock is just a plain folder with a No Access symbol; the actual link works fine though (i.e. if you click it then it actually opens the user's downloads folder correctly and they have the correct access etc.), it's just the icon in the dock which is messed up.

Switching the view to 'display as stack' and then back to 'display as folder' will fix the icon in the dock so that it shows the correct Downloads folder icon, but that's not a solution (since it needs to be done by every user on every machine).

Looking at the com.apple.dock.plist in El Capitan I'm having a hard time figuring out how the dock data is actually stored and referenced these days: there's a _CFURLString key whose string points directly to the 'template' user's (the account I used to create the plist) home directory, but given that's the case, why on Earth would the dock icon still point to the right folder for other users? Why is only the icon display in the dock affected? Surely it should be entirely broken for everyone else. Furthermore, I can change that string to be file:///gibberish, restart the machine, and although the icon now becomes a '?', it still actually works correctly and points to ~/Downloads if you click it!

So how can I set up the com.apple.dock.plist file in the user template so that all new users get a proper Downloads folder link in their Dock, along with the other icons we want them to have?

1 ACCEPTED SOLUTION

gohlinger
New Contributor

I had the same issue and discovered that if you just delete the string _CFURLString key that points to the user template, it worked. Xcode worked best to delete the key. Good luck.

25 REPLIES

SGill
Contributor III

Have you tried pushing out a dock configuration via a Configuration Profile instead?

Apple is blocking the System folder with SIP now and instead wants managers to switch to Profile-based configurations going forward-- from what I can tell. I used to do what you describe too, and am sorry to see that approach now blocked by default in 10.11, because it worked very well for us from 10.4-10.10.

rtrouton
Release Candidate Programs Tester

Apple has defined exceptions to SIP’s protections, in the /System/Library/Sandbox/rootless.conf file. Those exceptions are marked with asterisks.

These exemptions from SIP’s protection mean that it is possible to add, remove or change files and directories within those locations. Among those exceptions is /System/Library/User Template.
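
An added example (not part of the original post, and not Apple's code) showing how a rootless.conf-style list can be read to tell protected paths from the asterisk-marked exceptions. The two sample lines are constructed from paths named in this thread, and the rule that the most specific matching entry decides is an assumption.

```python
import posixpath

# Constructed excerpt in the rootless.conf layout: marker column, tabs, path.
SAMPLE_CONF = "\n".join([
    "# constructed sample, not a copy of the real file",
    "\t\t\t\t/System",
    "*\t\t\t\t/System/Library/User Template",
])

def parse_rootless(text):
    """Return {path: True if marked '*' (exception), else False}."""
    rules = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        # Paths may contain spaces, so split on the last tab only.
        marker, _, path = line.rpartition("\t")
        rules[path.strip()] = marker.strip() == "*"
    return rules

def sip_status(path, rules):
    """Classify path as 'exception', 'protected' or 'unlisted'.
    Assumption: the longest listed prefix of the path wins."""
    path = posixpath.normpath(path)
    best = None
    for entry in rules:
        if path == entry or path.startswith(entry.rstrip("/") + "/"):
            if best is None or len(entry) > len(best):
                best = entry
    if best is None:
        return "unlisted"
    return "exception" if rules[best] else "protected"

if __name__ == "__main__":
    rules = parse_rootless(SAMPLE_CONF)
    for p in ("/System/Library/User Template/English.lproj",
              "/System/Library/CoreServices/Dock.app"):
        print(p, "->", sip_status(p, rules))
```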

SGill
Contributor III

That's good to know...thanks so much for the clarification @rtrouton

anothermacguy
New Contributor II

@gohlinger: Brilliant! Haha, never even occurred to me to try that. Removing that key entirely for the Downloads entry using PlistBuddy has done the trick - problem solved :)

@SGill: Despite the exception to the SIP protection for the User Template, we were thinking that maybe it was a SIP vagary that was causing the issue, so we disabled SIP entirely in testing via the "csrutil disable" command from recovery mode just in case. Obviously SIP was blameless in this case though :)

Thanks for your help guys!
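
The fix confirmed above, as an added example that is not part of the original posts: it removes _CFURLString from Dock folder entries that point into the template account's home and leaves other entries alone. The `persistent-others` / `tile-data` / `file-data` / `file-label` layout is assumed, and `/Users/template` and the sample entries are constructed.

```python
import plistlib
from urllib.parse import unquote, urlparse

# Constructed sample; "/Users/template" is a hypothetical template-account home.
SAMPLE_DOCK = {"persistent-others": [
    {"tile-type": "directory-tile", "tile-data": {
        "file-label": "Downloads",
        "file-data": {"_CFURLString": "file:///Users/template/Downloads/",
                      "_CFURLStringType": 15}}},
    {"tile-type": "directory-tile", "tile-data": {
        "file-label": "Shared",
        "file-data": {"_CFURLString": "file://localhost/Users/Shared/",
                      "_CFURLStringType": 15}}},
]}

def strip_template_urls(dock, template_home):
    """Delete _CFURLString from folder tiles that point inside template_home.
    Returns the labels of the tiles that were changed."""
    home = template_home.rstrip("/") + "/"
    changed = []
    for tile in dock.get("persistent-others", []):
        data = tile.get("tile-data", {})
        file_data = data.get("file-data", {})
        target = unquote(urlparse(file_data.get("_CFURLString", "")).path)
        if target.startswith(home):
            del file_data["_CFURLString"]
            changed.append(data.get("file-label", "?"))
    return changed

def fix_dock_plist(path, template_home):
    """Rewrite the plist at path in place, keeping its XML or binary format."""
    with open(path, "rb") as fh:
        raw = fh.read()
    fmt = plistlib.FMT_BINARY if raw.startswith(b"bplist") else plistlib.FMT_XML
    dock = plistlib.loads(raw)
    changed = strip_template_urls(dock, template_home)
    if changed:  # leave the file untouched when nothing matched
        with open(path, "wb") as fh:
            plistlib.dump(dock, fh, fmt=fmt)
    return changed

if __name__ == "__main__":
    import copy
    dock = copy.deepcopy(SAMPLE_DOCK)
    print(strip_template_urls(dock, "/Users/template"))
```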

calumhunter
Valued Contributor

I would use dockutil to build your docks for users on first login with a script https://github.com/kcrawford/dockutil

ThePhoenix
New Contributor

We are getting there.... The downloads folder in the dock is fixed but what about the one in the sidebar? It is still confused and when you turn it off and back on in Finder Preferences/sidebar you end up with two download folders. I've searched and searched for that .plist file and have not found it yet.

As far as using dockutil.... The short script listed there wouldn't begin to change everything I need to change and with the first major Apple update the entire thing could change. I like the idea but I want to spend my time fixing the problem not fixing the script that fixes the problem.

Thanks for any help you can provide!

calumhunter
Valued Contributor

I don't mean to sound rude, but your problem is that you are going about it the wrong way.

Dockutil will do everything you want.

It is a better solution than the user template. Don't mess with the user template, especially Apple-supplied items in the user template like the dock.

Use a config profile; if that doesn't have enough functionality for you, use dockutil.

Apple often updates the dockfixup plist which may hose your user template provided dock plist.

Instead, at a fresh user login, run dockutil to configure the dock the way you want.

Here is an example of my dockutil script.

https://gist.github.com/hunty1/b97d641bda86b51c2fc0

Nix4Life
Valued Contributor

Hi guys, I'm still using the old FUT/FET way of configuring the dock in 10.11 with no issue (but knowing Apple it could be changed any day). I am starting to move away from this; as @calumhunter mentioned, profiles/scripts are the way. Currently looking at:
dock-master here and dockutil script with outset

LSinNY

ThePhoenix
New Contributor

Not rude at all and thanks for the response. The dock layout is the tip of the iceberg. I need to install and configure some base applications, modify favorites and home page in Safari, change most of the system preferences, change finder preferences, change view options, run terminal commands and finally some clean up scripts. We have people working on scripting this but it's very time consuming because there is no manual from Apple of course and when a new OS is released or even sometimes updates start breaking everything.

Don't misunderstand me, I think your method is useful under certain conditions and possibly the future but I'm not sure we are there yet. The way Apple has totally moved away from any support for the Enterprise I'm not sure we ever will be unless you invest in that friendly ghost software.

endor-moon
Contributor II

The default dock resides at /System/Library/CoreServices/Dock.app/Contents/Resources/en.lproj/default.plist for English users and I've been modifying this file in previous versions of OS X to change the default user dock without any issues until El Capitan came along. Two things annoy me greatly about SIP (System Integrity Protection):

1) SIP protects these previously easy-to-modify files from any modification.
2) SIP prevents me from telling the target Macintosh to NetBoot from my NetBoot server for imaging, instead demanding I physically visit each and every lab machine, boot into recovery mode, launch Terminal and disable SIP with csrutil disable. That's just nuts. We need to lobby JAMF to come up with a hidden partition of its own (like the Recovery partition) that we can boot from whenever we want to re-image. Or we need to lobby Apple to stop SIP from point 2 above. I presume most of you don't care about point 1 and have alternative ways of doing this.

And oh yes, /System/Library/CoreServices/Dock.app/Contents/Resources/com.apple.dockfixup.plist is also protected by SIP. Darn.

I never had any luck with dockutil when I tried it about a year ago when first switching from DeployStudio to Casper.

The third option is some sort of profile, yes? The thing I liked about the default dock is that it is in plist XML format, not plist binary format, so it is dead simple to modify.

calumhunter
Valued Contributor

1) Modifying system files has never been a good idea.
Use a profile,
use a script - dockutil with outset is great. For an example, here's one of mine:
https://gist.github.com/hunty1/b97d641bda86b51c2fc0

For help with the profile there is also this great tool by Michael Page:
http://errorfreeit.com.au/blog/2015/4/28/dock-master

Converting between XML and binary plists is easy with plutil -convert; check the man page. But really, just use a profile or script it with dockutil.

2) 10000% agree. We need to be able to set a netboot server as a target boot device remotely. I can maybe understand the whitelist that you can set with csrutil. Logging into a lab of machines to select the startup disk is horrible when before you could select them all with ARD and set the startup disk for fully automated zero touch lab rebuilds.

dferrara
Contributor II

@endor-moon You can use a Configuration Profile to set the dock, yes. This is ideal if you don't want users changing the dock. If you're like us and you want to give users control, but you also want to set it up at imaging time with a specific set of apps, dockutil is ideal. I would give it another look. It takes some time to get it working properly, but it provides the best flexibility, bar none. There's even a Feature Request to get it rolled into Casper.

https://jamfnation.jamfsoftware.com/featureRequest.html?id=1982

endor-moon
Contributor II

Thanks guys, I will investigate your suggestions. I just want to set the initial dock and let users modify it on their own after that.

By the way, I put my suggestion for a hidden partition for Casper Imaging in as a feature request:

https://jamfnation.jamfsoftware.com/featureRequest.html?id=4786

jmahlman
Valued Contributor

I am going to chime in and say dockutil is definitely the way to go. We used to remove the dockfixup file to make custom docks for computers but we noticed it didn't work anymore. So now I'm working on moving all of our systems to use a universal dock creation script with dockutil.

Here's the script I'm using in our test environment: https://github.com/jmahlman/uarts-scripts/blob/master/dockMaster.sh. Very easy to work with.

rtrouton
Release Candidate Programs Tester

@calumhunter,

You can use ARD's Startup Disk feature to set a 10.11.x Mac with SIP enabled to boot from a NetBoot set:

https://forums.developer.apple.com/message/9062 (see the second post in the thread.)

endor-moon
Contributor II

@calumhunter I notice that dockutil does not claim compatibility with El Capitan, should I be concerned?

@rtrouton that's great information about SIP and NetBoot, thanks for sharing it.

And oh yes, @mm2270 said Casper has a feature to put in a hidden partition already. Perhaps we can use this to put the Casper Imaging restorable boot image there. I'm going to test it when I have time.

dferrara
Contributor II

@endor-moon I was concerned about this too, but no problems so far. The only problem I've had (not El Cap-specific) is that you may need to use sleep 30 before any dockutil commands in a login script. If the commands run before the OS is ready, you get mixed results.

calumhunter
Valued Contributor

@endor-moon Running dockutil on a lot of 10.11 machines without any issues, so I wouldn't be too worried.

@rtrouton Have you tested this lately? That might have been the case in the early betas. But doesn't work for me on 10.11.2+. Even pointing it at a NBI on the same subnet fails. After sending the command in ARD the machine reboots and sits at a blank black screen for about a minute before going to a flashing question mark folder icon for another minute or two before it finally boots back into a valid system on the HD.
Using ARD 3.8 FWIW

rtrouton
Release Candidate Programs Tester

@calumhunter,

I went back and re-tested on my laptop and I was able to mostly replicate your results. In my case, I got the flashing globe symbol (like it was going to NetBoot) then it timed out and booted from the internal drive.

The interesting part is that I followed up by checking the Startup Disk preferences and the NetBoot set I had set as the boot drive was showing as being set as the startup disk.

apizz
Valued Contributor

If I'm trying to go the way of creating a com.apple.dock.plist with all our desired Apps in User Template, is there any reason I couldn't create that via a script utilizing dockutil after initial imaging is complete and the computer reboots?

My attempts today didn't get this working for me. I was trying to take a completely bare com.apple.dock.plist file baked in a DMG with Composer, installing it during imaging for our local admin user and FUT, and then on reboot run a script to add all the apps we want to the User Template Dock.

Any reason why my method wouldn't work?

calumhunter
Valued Contributor

@aporlebeke Don't know how many times people have to be told.

Don't modify the stock apple plist in the user template. - There be dragons here with unexpected behaviour.

Use dockutil to modify the users dock plist at login. Or use a profile.

BCPeteo
Contributor II

We are using a config profile to set up the dock. In Yosemite this works fine. But in El Capitan both Documents and Downloads have question marks, but when I click on them they open up to the correct folders.
We have these set up like this:

_CFURLString=file://localhost/~//Documents/
_CFURLString=file://localhost/~/Downloads/

Has something changed in El Cap?

BCPeteo
Contributor II

Still trying to find the solution to this issue.

I also tried _CFURLString=file://User/'WhoAmI'/Documents/ and it still shows a ? in the dock even though clicking on it brings up the correct user's Documents directory

snovak
Contributor

I'm actually going to utilize the dockfixup file in my Docks, because I couldn't find a reliable way to add folders.

I don't remember what the exact source of my script was, but these were the lines I used to edit the Dock to include the Documents and Downloads folders.

#!/bin/sh
# DRIVEPATH is not set in this snippet; it is assumed to hold the mount point of the target volume.
# Rebuild the add-doc array in com.apple.dockfixup.plist with Documents and Downloads entries.
/usr/libexec/PlistBuddy -c 'Delete :add-doc' "$DRIVEPATH/System/Library/CoreServices/Dock.app/Contents/Resources/com.apple.dockfixup.plist"
/usr/libexec/PlistBuddy -c 'Add :add-doc array' "$DRIVEPATH/System/Library/CoreServices/Dock.app/Contents/Resources/com.apple.dockfixup.plist"
# Entry 0: ~/Documents
/usr/libexec/PlistBuddy -c 'Add :add-doc: dict' "$DRIVEPATH/System/Library/CoreServices/Dock.app/Contents/Resources/com.apple.dockfixup.plist"
/usr/libexec/PlistBuddy -c 'Add :add-doc:0:path string "~/Documents"' "$DRIVEPATH/System/Library/CoreServices/Dock.app/Contents/Resources/com.apple.dockfixup.plist"
/usr/libexec/PlistBuddy -c 'Add :add-doc:0:version string "10.8.2"' "$DRIVEPATH/System/Library/CoreServices/Dock.app/Contents/Resources/com.apple.dockfixup.plist"
# Entry 1: ~/Downloads
/usr/libexec/PlistBuddy -c 'Add :add-doc: dict' "$DRIVEPATH/System/Library/CoreServices/Dock.app/Contents/Resources/com.apple.dockfixup.plist"
/usr/libexec/PlistBuddy -c 'Add :add-doc:1:path string "~/Downloads"' "$DRIVEPATH/System/Library/CoreServices/Dock.app/Contents/Resources/com.apple.dockfixup.plist"
/usr/libexec/PlistBuddy -c 'Add :add-doc:1:version string "10.8.2"' "$DRIVEPATH/System/Library/CoreServices/Dock.app/Contents/Resources/com.apple.dockfixup.plist"