Script to set two time servers on a Mac stopped working with High Sierra

rdagel
New Contributor II

I have a script that sets two time servers on our Macs so they can reach one while they are in the office and one while they are out of the office, as we do not allow access to the Apple time server while in the office. It worked fine on Sierra but stopped working on High Sierra. I think it is not letting the ntp.conf file be written to in High Sierra.

Anyone know of another way to do it in High Sierra?

Here is the script.

#!/bin/bash

# Primary Time server for MyCompany Macs
TimeServer1=time.mycompany.com

# Secondary Time Server for My Company Macs, used outside of The Company network
TimeServer2=time.apple.com

# Set the primary network server with systemsetup -setnetworktimeserver
# Using this command will clear /etc/ntp.conf of existing entries and
# add the primary time server as the first line.
/usr/sbin/systemsetup -setnetworktimeserver "$TimeServer1"

# Add the tertiary time server as the second line in /etc/ntp.conf
echo "server $TimeServer2" >> /etc/ntp.conf

# Start Syncing Time with NetworkTime Server
/usr/sbin/systemsetup -setusingnetworktime On


ericbenfer
Contributor II

That process is still working for me.
Can you edit /etc/ntp.conf manually? vi or nano?

reddrop
New Contributor III

This will still work in High Sierra.

#!/bin/bash
NTPSERVER="ntp.internaldomain.com";

if [ "$4" != "" ]; then
    NTPSERVER=$4;
fi

/usr/sbin/systemsetup -setusingnetworktime off

#Set specific time server
/usr/sbin/systemsetup -setnetworktimeserver "$NTPSERVER"
sleep 5
echo "server time.asia.apple.com" >> /etc/ntp.conf
echo "server time.euro.apple.com" >> /etc/ntp.conf
echo "server pool.ntp.org" >> /etc/ntp.conf
sleep 5

/usr/sbin/systemsetup -setusingnetworktime on
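The two scripts above both rely on the same sequence: let systemsetup write the primary server into /etc/ntp.conf, append the fallback, and re-enable network time. As an added example (not code from either poster), here is that sequence split into small functions so the file contents can be checked before and after, and so the system is only touched when you explicitly ask for it. It assumes macOS with /usr/sbin/systemsetup, root privileges for the apply step, and the placeholder hostnames time.example.internal and time.apple.com; NTP_CONF, PRIMARY and FALLBACK are hypothetical environment overrides introduced here.

```shell
#!/bin/bash
# Added example for this thread; not the original posters' script.
# Assumes macOS, root for apply_time_servers, and placeholder server names.

PRIMARY="${PRIMARY:-time.example.internal}"   # constructed placeholder
FALLBACK="${FALLBACK:-time.apple.com}"

# Print the hostnames from "server <host>" lines of an ntp.conf-style file, in order.
ntp_conf_servers() {
    awk '$1 == "server" { print $2 }' "$1"
}

# Render the ntp.conf content the scripts in this thread produce: primary first, fallback second.
render_ntp_conf() {
    printf 'server %s\nserver %s\n' "$1" "$2"
}

# Succeed only if the file lists exactly <primary> then <fallback> and nothing else.
check_ntp_conf() {
    local file="$1" primary="$2" fallback="$3"
    local expected
    expected=$(printf '%s\n%s' "$primary" "$fallback")
    [ "$(ntp_conf_servers "$file")" = "$expected" ]
}

# macOS only: systemsetup rewrites /etc/ntp.conf with the primary, then we append
# the fallback and re-enable network time. Afterwards compare what the system
# reports with what the file says; on High Sierra the thread reports that timed
# honours only the first entry, so -getnetworktimeserver shows a single server.
apply_time_servers() {
    local conf="${NTP_CONF:-/etc/ntp.conf}"
    /usr/sbin/systemsetup -setusingnetworktime off
    /usr/sbin/systemsetup -setnetworktimeserver "$PRIMARY"
    echo "server $FALLBACK" >> "$conf"
    /usr/sbin/systemsetup -setusingnetworktime on
    echo "systemsetup reports: $(/usr/sbin/systemsetup -getnetworktimeserver)"
    echo "ntp.conf lists: $(ntp_conf_servers "$conf" | tr '\n' ' ')"
    if check_ntp_conf "$conf" "$PRIMARY" "$FALLBACK"; then
        echo "ntp.conf OK"
    else
        echo "ntp.conf does not contain the expected two entries" >&2
        return 1
    fi
}

# Only modify the system when run as: sudo ./set-time-servers.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_time_servers
fi
```

The check functions work on any file, so you can point NTP_CONF at a copy to confirm the expected layout before deploying, and run `ntp_conf_servers /etc/ntp.conf` on a client to see whether the fallback line survived a later systemsetup call.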

cdegaeta
New Contributor III

Can anyone post confirmation if this script still works as of 10.13.6? We have a local office NTP server set as the primary and the secondary server being time.apple.com. However even after running this script on remote computers if the battery drains on said computers they are not checking time.apple.com for the time.

I have a computer up and running that I'm testing this with and was able to reproduce this issue. If anyone has any ideas it would be much appreciated. What's odd is the argument -getnetworktimeserver only shows 1 server in the response, but ntp.conf does show the additional server entry for time.apple.com.

Thanks!

Nix4Life
Valued Contributor

I use a modified version of that script that sets the time zone and sets up location services; I just rolled it out to 10.13.6 machines. I am OOO today but can start a test tomorrow.

cdegaeta
New Contributor III

Thanks Nix, really appreciate the help!

rdagel
New Contributor II

I ended up running the script on a Sierra computer, capturing the file that gets changed, then creating a package of it and deploying that to new computers. This way I can make sure they get the correct info.

cdegaeta
New Contributor III

I haven't tried on a Sierra computer for reference yet. But from what I gather with my research, there's no reason it won't work because it used ntpd as opposed to timed. I'll see if I can find one to test with for comparison. But I'm really looking for a solution geared for High Sierra.

cdegaeta
New Contributor III

Confirmed. The script works in Sierra but not High Sierra.

Will continue to test but looking forward to the other responses. Thanks!

sdagley
Honored Contributor II

EDIT: Something is definitely "odd" about /etc/ntp.conf now, but in theory it is still used so I've edited my original post. See Has anyone got the time? for more info on High Sierra time changes. It doesn't offer a solution however.

cdegaeta
New Contributor III

OK, so I updated the Sierra computer that I just tested on to High Sierra. And the script no longer works.

So I just confirmed that timed fails to check for additional time servers if the primary server cannot be reached. I've submitted this bug to Apple on the dev site, hopefully they get it resolved with Mojave.

On that note, anyone have any ideas for a workaround? I know I can either manually edit the hosts file or change the DNS record on the router, however that will then cause other security issues with the setup here (it's complicated to explain, but in short I'm not in complete control over here).

sdagley
Honored Contributor II

I just confirmed what @cdegaeta reported, High Sierra only uses a primary server. In a previous organization, I had the internal DNS redirect time.apple.com to an internal time server so no modification to the server list was necessary. That might not fly with your network group, but it is an effective solution, and I would argue the simplest since it's a change on just your DNS rather than on every Mac.

rdagel
New Contributor II

If you edit the /etc/ntp.conf on a Sierra Mac, then package and install it on a High Sierra Mac, it will let you use both. Some companies are really strict about editing DNS and this was the workaround I had to use.

sdagley
Honored Contributor II

@rdagel Can you confirm your Macs are using the secondary time server if the primary isn't accessible? I did a manual edit and kicked the network time service but it did not try my internal server when time.apple.com didn't respond. I know the manual edit worked as making my internal time server the primary did result in time being synchronized.

cdegaeta
New Contributor III

I second @sdagley's response. Can you provide more details @rdagel about how you packaged it up? Thanks!

Nix4Life
Valued Contributor

Hi Guys,

Okay, I too was able to confirm the findings with 10.13.6. So I read the link and did a bit of digging on the interwebs. I was able to get a hint here.

" With SIP enabled you can just copy the file: sudo cp /System/Library/LaunchDaemons/org.ntp.ntpd-legacy.plist /Library/LaunchDaemons/ and modify it to be 'Enabled' then run it: sudo launchctl load -w /Library/LaunchDaemons/org.ntp.ntpd-legacy.plist – Pierz Jun 21 at 21:25"

I ran ntpq -p and saw all time servers listed, with "usqas2-ntp-001(time.apple.us)". I waited a few minutes and ran ntpq -p again, but this time only "usqas2-ntp-001(time.apple.us)" was shown and my system had synced. Lastly, if I ran systemsetup -getnetworktimeserver it still returned my 1st internal time server, which the system is initially set for. Still grinding.

marklamont
Contributor III

The even simpler way to fix this is to create internal DNS records for time.apple.com etc. and point them to your internal NTP servers. That way no changes are required at all.

cdegaeta
New Contributor III

Thanks for your help @Nix4Life! So I've actually decided to submit this as a bug to Apple. I'm sure they just brought over timed from iOS as is and since you cannot specify a time server in iOS they probably didn't think to add support for multiple servers. I'm hoping I'm right about this hunch but we'll see.

@marklamont While that quick fix may work for some, it won't work for my situation. Per organization security, the local time server has to be set as the primary server. I can adjust the DNS records for remote offices to redirect to time.apple.com, but this will not help me for telecommuters.

marklamont
Contributor III

I think you may have my idea the wrong way round: you redirect the Apple time server names to your local time servers. Then if internal you get time internally, and if external, from Apple.
Then create host records in the domain pointing to your time servers. That way the local server is the primary server, assuming your clients' DNS queries go to your local DNS servers.
You can even block NTP on the firewall then.

cdegaeta
New Contributor III

Right, but that would require setting the computers to time.apple.com as the primary, which goes against the security rules (even though it is being redirected to the internal server). I know it sounds dumb, but these are the constraints I'm stuck working behind.

cdegaeta
New Contributor III

FYI, Apple closed off the bug report with this response:

We don’t plan on supporting multiple NTP servers. If the network admin for your network wants to dns hijack time-*.apple.com on your network, you can (it’ll even cover phones on your network), but timed is single-DNS. If you’re using a DNS address that is also possible outside of your network, then you can expose it externally, and resolve a different list of IPs inside and outside.

cburk2018
New Contributor II

@cdegaeta mind sharing that bug report number? I've been fighting this for a crazy amount of time and I'm starting to suspect my skews are affecting other services (like authentication).