Category: Apple

Find MacOS installer path

willjessiamLeave a comment

When you do an upgrade of MacOS, it can be hard to locate the download package as it caches to disk.

Sometimes you may want to see the progress of the download, the size of the file or just troubleshoot an issue with the upgrade process. The following steps show you what commands to run to identify the path of the installer.

  1. Login to your Mac, open System Preferences, Software Update and start the update process
  2. Launch the Terminal app and change to root by running sudo su and enter your local admin password
  3. Maximise your Terminal to fit the screen. The next command needs as much screen real estate as possible
  4. Once you are root, run fs_usage -f filesys . This will enumerate all active disk I/O on the system. Data will be printed to the console very quickly, so once you see something with a path containing InstallAssistant.pkg.partial you can press Ctrl+C to break
  5. If you can see the entire path that references the InstallAssistant.pkg, then all good, jump to step 10. If not, do the following to locate the full path
  6. With the part of the path that you can see, you should see a random string, that may look something like this puuz6c0epc7o0ozyovvi6tjxhzpf6uf04. Use the find command to locate the full path by running the following:
  7. find / -name "puuz6c0epc7o0ozyovvi6tjxhzpf6uf04" 2>&1 | grep -v "Operation not permitted"
  8. Note that we remove results from the search that result in “Operation not permitted” so that we can reduce search noise
  9. After some time, we should see something like  /private/var/folders/zz/zyxvpxvq6csfxvn_n00000s0000068/C/com.apple.SoftwareUpdate/swcdn.apple.com/content/downloads/00/60/071-05432-A_QOY2QE0UMR/puuz6c0epc7o0ozyovvi6tjxhzpf6uf04s/ returned, which is the path we are looking for
  10. Now, if you cd to the folder above, you can monitor the download progress on disk with ls -lha
  11. After the file has downloaded, it will be moved to /Applications/MacOS "version" install.app and will remain here until the installation has completed. If you want to take a copy of the package, copy it from this location before the install is complete

Apple iPad Activation via MDM and courier.push.apple.com

willjessiamLeave a comment

Activating an iPad with your MDM platform is usually a straight forward process.Your hardware vendor associates your device enrollment program (DEP) code with the device, your DEP platform tells your MDM that the device belongs to you and when you turn the device on for the first time, it phones home, gets directed to MDM, your configuration profiles are pushed and the iPad gets activated, enrolled and managed. Simple right?

Turns out, there is an odd thing that Apple does that may cause problems if you use a proxy or content gateway for accessing the internet when you do the initial activation.

Enter courier.push.apple.com. This is a placeholder DNS record, which is designed to assist with load balancing the activation process. As we’ll find out, the way this DNS record is used is not standard and it helps to understand how it works when troubleshooting activating a device behind a proxy.

First, some lookups:

PS C:\> Resolve-DnsName -Name courier.push.apple.com -DnsOnly

Name                           Type   TTL   Section    NameHost
----                           ----   ---   -------    --------
courier.push.apple.com         CNAME  279   Answer     courier-push-apple.com.akadns.net

So courier.push.apple.com is a CNAME for courier-push-apple.com.akadns.net . Let’s see where courier-push-apple.com.akadns.net goes.

PS C:\> Resolve-DnsName -Name courier-push-apple.com.akadns.net -DnsOnly

Name                        Type TTL   Section    PrimaryServer               NameAdministrator           SerialNumber
----                        ---- ---   -------    -------------               -----------------           ------------
akadns.net                  SOA  180   Authority  internal.akadns.net         hostmaster.akamai.com       1560251729

As we can see courier-push-apple.com.akadns.net does not resolve. It just returns the SOA record for the domain.

We can also confirm that this is not a geographical DNS inconsistency by querying alternate DNS servers in different parts of the world.

PS C:\> Resolve-DnsName -Name courier-push-apple.com.akadns.net -DnsOnly -Server 8.8.8.8

Name                        Type TTL   Section    PrimaryServer               NameAdministrator           SerialNumber
----                        ---- ---   -------    -------------               -----------------           ------------
akadns.net                  SOA  163   Authority  internal.akadns.net         hostmaster.akamai.com       1560251729

PS C:\> Resolve-DnsName -Name courier-push-apple.com.akadns.net -DnsOnly -Server 1.1.1.1

Name                        Type TTL   Section    PrimaryServer               NameAdministrator           SerialNumber
----                        ---- ---   -------    -------------               -----------------           ------------
akadns.net                  SOA  133   Authority  internal.akadns.net         hostmaster.akamai.com       1560251729

PS C:\> Resolve-DnsName -Name courier-push-apple.com.akadns.net -DnsOnly -Server 211.11.195.114

Name                        Type TTL   Section    PrimaryServer               NameAdministrator           SerialNumber
----                        ---- ---   -------    -------------               -----------------           ------------
akadns.net                  SOA  180   Authority  internal.akadns.net         hostmaster.akamai.com       1560251729

PS C:\> Resolve-DnsName -Name courier-push-apple.com.akadns.net -DnsOnly -Server 212.234.34.121

Name                        Type TTL   Section    PrimaryServer               NameAdministrator           SerialNumber
----                        ---- ---   -------    -------------               -----------------           ------------
akadns.net                  SOA  145   Authority  internal.akadns.net         hostmaster.akamai.com       1560251729

PS C:\> Resolve-DnsName -Name courier-push-apple.com.akadns.net -DnsOnly -Server 167.233.5.204

Name                        Type TTL   Section    PrimaryServer               NameAdministrator           SerialNumber
----                        ---- ---   -------    -------------               -----------------           ------------
akadns.net                  SOA  14    Authority  internal.akadns.net         hostmaster.akamai.com       1560251729

Google, Cloudflare as well as name servers in France, Germany and Korea all return an SOA for courier-push-apple.com.akadns.net

A quick google of this strange behavior reveals people resolving load balanced endpoints for courier-push-apple.com.akadns.net, namely 'x'.courier-push-apple.com.akadns.net, eg. 1.courier-push-apple.com.akadns.net , 2.courier-push-apple.com.akadns.net , 3.courier-push-apple.com.akadns.net etc.

After working with an extremely helpful engineer at Apple, it was determined that the load balancing for activating iPad’s is done on the device its self. Rather than DNS telling the device which endpoint to hit, the device prepends a number like '1' to the start of courier-push-apple.com.akadns.net to make it 1.courier-push-apple.com.akadns.net. When we look up these names, we get a much different result. 

PS C:\> Resolve-DnsName -Name 1.courier-push-apple.com.akadns.net -DnsOnly

Name                           Type   TTL   Section    NameHost
----                           ----   ---   -------    --------
1.courier-push-apple.com.akadn CNAME  48    Answer     apac-au-courier-4.push-apple.com.akadns.net
s.net

Name       : apac-au-courier-4.push-apple.com.akadns.net
QueryType  : A
TTL        : 15
Section    : Answer
IP4Address : 17.57.145.37


Name       : apac-au-courier-4.push-apple.com.akadns.net
QueryType  : A
TTL        : 15
Section    : Answer
IP4Address : 17.57.145.36

PS C:\> Resolve-DnsName -Name 2.courier-push-apple.com.akadns.net -DnsOnly

Name                           Type   TTL   Section    NameHost
----                           ----   ---   -------    --------
2.courier-push-apple.com.akadn CNAME  60    Answer     apac-au-courier-4.push-apple.com.akadns.net
s.net

Name       : apac-au-courier-4.push-apple.com.akadns.net
QueryType  : A
TTL        : 60
Section    : Answer
IP4Address : 17.57.145.36


Name       : apac-au-courier-4.push-apple.com.akadns.net
QueryType  : A
TTL        : 60
Section    : Answer
IP4Address : 17.57.145.37

PS C:\> Resolve-DnsName -Name 3.courier-push-apple.com.akadns.net -DnsOnly

Name                           Type   TTL   Section    NameHost
----                           ----   ---   -------    --------
3.courier-push-apple.com.akadn CNAME  19    Answer     apac-au-courier-4.push-apple.com.akadns.net
s.net

Name       : apac-au-courier-4.push-apple.com.akadns.net
QueryType  : A
TTL        : 55
Section    : Answer
IP4Address : 17.57.145.36

Name       : apac-au-courier-4.push-apple.com.akadns.net
QueryType  : A
TTL        : 55
Section    : Answer
IP4Address : 17.57.145.37

PS C:\> Resolve-DnsName -Name 10.courier-push-apple.com.akadns.net -DnsOnly

Name                           Type   TTL   Section    NameHost
----                           ----   ---   -------    --------
10.courier-push-apple.com.akad CNAME  55    Answer     apac-au-courier-4.push-apple.com.akadns.net
ns.net

Name       : apac-au-courier-4.push-apple.com.akadns.net
QueryType  : A
TTL        : 55
Section    : Answer
IP4Address : 17.57.145.37

Name       : apac-au-courier-4.push-apple.com.akadns.net
QueryType  : A
TTL        : 55
Section    : Answer
IP4Address : 17.57.145.36

Here in Australia, the 'x'.courier-push-apple.com.akadns.net endpoints are a CNAME for an A record of apac-au-courier-4.push-apple.com.akadns.net which resolves to the same two load balanced IPs.

If however I query a name server in Germany, i get much different results.

PS C:\> Resolve-DnsName -Name 10.courier-push-apple.com.akadns.net -DnsOnly -Server 167.233.5.204

Name                           Type   TTL   Section    NameHost
----                           ----   ---   -------    --------
10.courier-push-apple.com.akad CNAME  5     Answer     eu-central-courier-4.push-apple.com.akadns.net
ns.net

Name       : eu-central-courier-4.push-apple.com.akadns.net
QueryType  : A
TTL        : 52
Section    : Answer
IP4Address : 17.57.146.165

Name       : eu-central-courier-4.push-apple.com.akadns.net
QueryType  : A
TTL        : 52
Section    : Answer
IP4Address : 17.57.146.169

Name       : eu-central-courier-4.push-apple.com.akadns.net
QueryType  : A
TTL        : 52
Section    : Answer
IP4Address : 17.57.146.164

Name       : eu-central-courier-4.push-apple.com.akadns.net
QueryType  : A
TTL        : 52
Section    : Answer
IP4Address : 17.57.146.167

Name       : eu-central-courier-4.push-apple.com.akadns.net
QueryType  : A
TTL        : 52
Section    : Answer
IP4Address : 17.57.146.166

This time we get 5 load balanced IPs in the Central Europe region. None of this is unusual of course and we expect this type of behavior from modern CDN’s. The slightly unusual thing here is that courier-push-apple.com.akadns.net resolves to nothing and this is by design. What is supposed to happen during device activation is that the device queries courier.push.apple.com, which returns courier-push-apple.com.akadns.net. The very act of receiving this name host as a response on the device tells the code that is running during activation to prepend a number to courier-push-apple.com.akadns.net, making it a valid DNS query. The device now hits 'x'.courier-push-apple.com.akadns.net and receives a response from a server which allows the normal activation process to occur.

Now to the point of the article. What happens if your device requests courier.push.apple.com via your proxy server and the proxy looks up courier.push.apple.com to make sure its valid before returning the response. The proxy sees that the resultant response of courier-push-apple.com.akadns.net resolves to nothing and squashes the response since it goes nowhere. The device now, sitting and waiting for a response, never gets it and decides that it wont proceed with activation, because no server is responding to it.

How do you fix this issue? Depends on your proxy. Depends on your environment. I don’t currently have an answer but I’m working on it and may do another blog post depending on the outcome. Hopefully if your stuck on this issue this clarifies things for you in regards to how iPads interact with courier.push.apple.com.

Side note: This article is helpful to review when looking at push notification firewall requirements.

Thanks for reading – Jesse