Category Archives: Uncategorized

How to get around having to allow Flash Player and reload every time you visit a site in Google Chrome on Mac

As of Google Chrome 62 onwards “Allowing” a site to use Flash Player is a per-session setting which is really annoying if you still visit sites that rely on Flash Player.  You can allow a site to use the plug-in and tell it to keep the setting but it will get tossed out when you close the browser.


Here’s a quick guide on how to actually allow a site like Sky Sports NZ to use Flash and save that setting permanently until the 2020 removal of Flash Player itself from Chrome.

1. Download Chrome Enterprise for Mac –  Grab the DMG for Mac

2. Also Download the Chrome bundle for Windows 64‑bit ZIP – Yes you need the Windows file as it contains the Chrome Enterprise Templates.

3. Copy the Google Chrome app into your Applications directory and replace your existing normal version of Chrome

Screen Shot 2019-04-19 at 1.35.17 PM.png

4. Open up the Chrome bundle for Windows and unzip it.  Inside the Configuration folder you’ll find a “” file.


5. Open up the .plist file edit any of the Defaults as you need for your case. Once done add in the following entries to the bottom after the last <key> </key> pair and edit the strings as needed for your use case:

<string> </string>
<string> </string>

Full info here on the available settings:

My example file, I’ve set DefaultPluginsSetting to 1, other options are as below.

  • 1 = Allow all sites to automatically run the Flash plugin
  • 2 = Block the Flash plugin
  • 3 = Click to play

1 doesn’t allow all sites as it suggests, as per the notes on the Policy page linked above:

“Automatic playback is only allowed for domains explicitly listed in the PluginsAllowedForUrls policy.  If you want to enabled automatic playback for all sites consider adding http://* and https://* to this list.”

PluginsAllowedForURLs I’ve specified are two strings for the http and https SkyGo NZ URLSScreen Shot 2019-04-19 at 1.49.41 PM.png

6.  Now we need to turn this plist file into a Profile so it can be used on Mac OS.  Download Tim Sutton’s MCXtoProfile python script to convert it from as per Googles Guide.  Download the ZIP and extract it so you have

Screen Shot 2019-04-19 at 2.01.01 PM.png

7. Put your edited file into the same directory as and run in it:

./ –plist –identifier

If you get any errors double check the syntax in your plist file.

Screen Shot 2019-04-19 at 2.04.54 PM.png

8. Copy the newly created .mobileconfig to the Mac(s) you want to allow Flash on the sites for and run it.

9. Install the Profile…

Screen Shot 2019-04-19 at 2.07.29 PMScreen Shot 2019-04-19 at 2.07.41 PMScreen Shot 2019-04-19 at 2.07.51 PM

If you want to use this in an actual Enterprise environment I’d suggest editing the .mobileconfig file to have a better name and signing it with an Apple Developer ID.

10. Finally Open up Chrome and test the site(s) you just allowed.






Ricoh SP3510N / 3500 freeze on adding

So we update users to 10.11.x all the time and I found our existing Ricoh installer pkg’s were working fine but when you went to add a Ricoh SP3510 via the Add Printer dialog it would just freeze for a long time if you left it for 30-45 mins it might actually finish….

Ricoh released a Firmware Update for the 3510 & a New Driver.

You need to flash the firmware first then install the new driver and then add the printer.  The long delay due to the “Queue” field being blank is no longer an issue.

Release notes
Version 2.08

1) Supported
– None

2) Fixed
– When “DHCP” is set to “Active” and “DNS Method” is set to “Auto-Obtain (DHCP)”, an extra character is added in the domain name.

3) Others
– In Mac OS X 10.11, if the “Queue” field is blank when adding a printer by specifying its IP address, the operating system experiences a significant delay in response time

Office 2011 – Word / PowerPoint wont let you type in text

Haven’t wrote a post for many years, thought I try to get back into the habit of documenting fixes for strange things so I’ve got them for my own reference and hopefully saves someone else some time.

So I upgraded someone from 10.8.5 with Office 2011 to 10.11.6 with Office 2011.  All was going fine and then they called and said they couldn’t type text into Word any more.  Sounded odd, can’t type in all other apps, can even type in the search bar of Word

Screen Shot 2016-10-18 at 9.17.05 AM.png

Went over and confirmed this, checked the Input Sources Menu and it was set to English Australian, US also had the same result…. Odd….

Tried clearing Word Prefs, Caches, font caches and all sorts.  Still the same result.  Tried removing and re-installing Word 2011.

But just ended up getting this error on re-install:

Microsoft Error Reporting log version: 2.0

Error Signature:
Date/Time: 2016-10-07 03:12:21 +0000
Application Name: Microsoft Office Setup Assistant
Application Bundle ID:
Application Signature: MsLi
Application Version:
Crashed Module Name: merp
Crashed Module Version:
Crashed Module Offset: 0x00004422
Blame Module Name: PowerPlantCore
Blame Module Version:
Blame Module Offset: 0x00014a81
Application LCID: 1033
Extra app info: Reg=en Loc=0x0409
Crashed thread: 0

Thread 0 crashed:

#  1  0x0000d422 in _MerpCreateSession + 0x000015CF (merp + 0x00004422)
#  2  0x9aedb79b in __sigtramp + 0x0000002B (libsystem_platform.dylib + 0x0000279b)
#  3  0xffffffff in  ( + 0x00000000)
#  4  0x99b80c38 in _abort + 0x0000009C (libsystem_c.dylib + 0x0005ec38)
#  5  0x9d4ef6f9 in ___cxa_bad_cast + 0x00000000 (libc++abi.dylib + 0x000006f9)
#  6  0x9d5115c5 in default_terminate_handler() + 0x00000110 (libc++abi.dylib + 0x000225c5)
#  7  0x9d50e5fd in std::__terminate(void (*)()) + 0x0000000E (libc++abi.dylib + 0x0001f5fd)
#  8  0x9d50e00b in __cxxabiv1::exception_cleanup_func(_Unwind_Reason_Code, _Unwind_Exception*) + 0x00000000 (libc++abi.dylib + 0x0001f00b)
#  9  0x05a7ba81 in LException::Throw(long, unsigned char const*) + 0x00000091 (PowerPlantCore + 0x00014a81)
# 10  0x05a7ba9b in LException::Throw(long) + 0x00000019 (PowerPlantCore + 0x00014a9b)
# 11  0x08dfd2a2 in UCharset::ConvertScriptToUnicode(char const*, unsigned long, short) + 0x00000054 (OutlookCore + 0x000032a2)
# 12  0x0835b4a8 in CTimeInfo::CTimeInfo() + 0x000001E4 (OutlookLegacy + 0x000024a8)

So Long Story short the ConvertScriptToUnicode part was the clue.  It turns out the user had changed the Primary OS Language in the Language & Region pane from English (New Zealand) – Primary to English (Maori) – Primary.  They were simply trying to type some Macrons in Word…  Set it back and rebooted, Office 2011 now re-installed fine and Word let us type text again…  Showed the user how todo macron’s via the input sources menu instead.

Screen Shot 2016-10-11 at 5.32.26 PM.png

Authorization File Change Log (of sorts) & Archive

I’ve been playing with VMWare Fusion Snapshots and OS builds and have compiled a repository of original etc/authorization files incase you mess yours up.  Authorization File Archive.

And the correct permissions are: permissions

A few have asked if these posts are still valid for 10.8.x & I’d like to confirm Yes they are.  I decided to go back and look at each & compare them to find the changes throughout the OS builds in the etc/authorization files.

10.7.2 to 10.7.3  Just some new strings added in to support multiple new languages.


10.7.3 to 10.7.4 – A couple of new Keys were added, brief description below:

<key></key> (Probably allows you to set who can see passwords in Safari)

<string>This right is used by Safari to show passwords </string>

<key></key>  (Probably allows you to set who can repair libraries)

<string>__APPNAME__ is trying to repair your photo library.</string>

<key></key> (Not too sure)

<string>Modify Settings</string>


10.7.4 to 10.7.5 – No Changes


10.7.5 to 10.8 – Lots of Changes, Notes below.

<key></key> (To investigate) 


<string>Used by diskmanagementd to allow access to its privileged functions</string> (To investigate) 

<key></key>  appears to be exactly the same as <key>system.preferences.softwareupdate</key>  but new rule of   <string>root-or-entitled-admin-or-app-specific-admin</string>  (app-specific-admin seems to be new as well)

<key></key> (This replaced a Podcast Producer key, to investigate)

<key></key> (To investigate) 

<key></key> (To investigate) 

<key>system.preferences.nvram</key> (To investigate) 

<key></key> (Is now a USER rule)


New Keys (abbreviated)

<key></key> (Appears the same, To investigate) 

<string>For making change to network configuration via System Configuration.</string>

<key>system.volume.</key> (Not sure about this lot of volume related keys) 







<key>app-specific-admin</key> (New Rule type, To investigate) 








10.8 to 10.8.1 – No Changes


10.8.1 to 10.8.2 - Some Changes.






<string>Login mechanism based rule.  Not for general use, yet.</string>





<string>builtin:login-begin</string> (NEW, not sure of use)


<string>builtin:login-success</string> (NEW, not sure of use)


———  Updated : 22 July 2013  ———-


10.8.2 to 10.8.4 - A few new entries


<key></key>  (Described as: __APPNAME__ needs to repair your Library to run applications)



A couple of New Wifi Strings that look very useful

<string>For restricting WiFi control</string>
<string>Used by the WirelessDiagnosticsSupport framework to restrict XPC services provided by the wdhelper daemon</string>

Adobe Flash 11.3 Enable or Disable Silent Update Package

Flash Logo

Adobe Flash Player 11.3 for Mac has a new “Silent Update” feature, detailed here:

“The background updater being delivered for Mac OS X uses the same design as the Flash Player updater on Windows. If the user chooses to accept background updates, then the Mac Launch Daemon will launch the background updater every hour to check for updates until it receives a response from the Adobe server. If the server responds that no update is available, the system will begin checking again 24 hours later. If a background update is available, the background updater can download and install the update without interrupting the end-user’s session with a prompt.”

Supposedly it will allow Flash to update itself with no user interaction but I can’t confirm this until another Flash Update comes out.  Anyway I’ve put together a really basic Package the turns the feature On for anyone who wants to give it a try.

It  simply puts a new mms.cfg files into /Library/Application Support/Macromedia/ with the following 2 lines of text:


This package can be deployed via the normal methods. (ARD, Munki, Casper)

Pic of Package IconPKG –  (use the File Menu > Download)


& here’s a PKG todo the opposite – AutoUpdateDisable = 1 & SilentAutoUpdateEnable = 0

Pic of Package Icon PKG – (use the File Menu > Download)


Checkout Greg’s package here for a Package that disables updates –


Making use of the /etc/authorization file in Lion / 10.7.x

This post will look at putting the authorization file to use in a partially managed Mac environment.  Yes some of this can be done via OD & MCX but as we’re a small environment we don’t use it nor really need it.  All testing was done with 10.7.2 and I’ve been using it with all our Mac’s up to 10.8.2 at the moment.

Q:  What’s the problem we want to solve?
: I want my users to be somewhere in between what Apple defines as a “Standard User” and a “Admin User”.  Stealing from Windows terminology,  I want them to be a “Power User”.

I want the System Preference panes marked below with red X’s to no longer require an Admin password to unlock them.  Your environment will be different to mine, so pick, choose & extend these ideas to what fits your environment.

Desired Sys Prefs

Energy Saver:  I want users to be able to set their own Sleep schedules.  I don’t want support requests from users about changing their sleep from 10 to 15minutes. Cons:   The potential downside of this is that I really don’t want them to be able to turn off  “Wake for Ethernet network access” (ARD use) but I’m hoping most won’t mess with this setting.

Print & Scan: I want laptop users to be able to add a home inkjet / laser printer. Cons:  I don’t really want them deleting or adding other printers at work so I’m not actually going to unlock this preference pane in this example.  But you may want to in your environment.  I will do it by adding the user to the lpadmin group instead.  Adding a user to the lpadmin group allows them to install or remove printers it doesn’t however unlock the Print & Scan System Preference pane but it does allow them to use the less obvious + and – buttons in that pane to make changes.  They can also use the File > Print > Printer > Add New Printer… option to add a home printer.

Network: I want laptop users to be able to adjust network settings as they travel.  Often at conferences, home or other sites, custom network settings or proxy settings are required.  Opening this up lets them adjust them as needed. Cons: Users can break their network settings which may yield a support request.

Date & Time: I want laptop users to be able to change the time zone if the ‘automatic’ feature fails.  Also if the PRAM battery fails I want users to be able to set the correct date and time. Cons:  Users can be on the wrong time zone / time which will effect things like AD based login’s.

Time Machine: I want laptop users to be able to setup a USB drive or Time Capsule at home as they’re backup device.

Not mentioned above: Software Update:  I plan to enable Software Update once I get my own Software Update Server running using Reposado.  This way I can enable standard users to update their own Mac’s via the built-in Apple system but control what updates are available via reposado.  You can also do this via Munki or this app at instead.

In my environment I’ve decided for now that I only want to open the above extra Preference Panes up for laptop users.  Desktop users I can help over the phone easily, change things remotely via ARD or go visit them.  Laptop users who are overseas or not on-site are the main concern as I can’t help them easily nor allowed to give them admin credentials.

In my environment for 10.7.x we are currently using the Apple Active Directory plug-in and Mobile User Accounts with local homes.  We add laptop users to the lpadmin group so they can install printers at home.  I do this via Apple Remote Desktop (ARD) using the Send Unix Command option:  dseditgroup -o edit -a USERNAME -t user _lpadmin if doing it locally via the command line as an admin use sudo dseditgroup -o edit -a USERNAME -t user _lpadmin  To verify the user has been added use dscl . -read /Groups/lpadmin at the command line.  Looking at the “Group Membership” field.

I am going to leverage this as it distinguishes between desktop and laptop users in our environment to achieve the outcome above. You could also create a new group and use that or use another built-in group.  Be aware that creating your own group means that you’d also need to add admin accounts to that group or the admin group itself.  By default all local admin accounts are members of the lpadmin group.  You could also use the staff or everyone group to open it wider.

So from the info in my earlier post we’re going to change the following keys in the /etc/authorization file from group admin to lpadmin using TextWrangler:


changing the bottom part of each entry above from



Note: TextWrangler will change the files owner and group, you can easily set it back via chown & chmod or just run Disk Utility – Repair Permissions which will set it back to root and wheel.

To make this even easier and ARD compatible I’ve adjusted a script from here which can be sent out via ARD to a Machine to change it immediately.  If a future apple update changes the file back to it’s original state it’s easily changed back.

#Copy the authorization file to a temporary location & make it a plist
/bin/cp -pr /etc/authorization /private/tmp/authorization.plist
# Unlock System Preferences for lpadmin group members.
/usr/libexec/PlistBuddy -c ‘Set :rights:system.preferences:group lpadmin’ /private/tmp/authorization.plist
# Unlock the Network Settings preference pane
/usr/libexec/PlistBuddy -c ‘Set lpadmin’ /private/tmp/authorization.plist
# Unlock the Time Machine preference pane
/usr/libexec/PlistBuddy -c ‘Set :rights:system.preferences.timemachine:group lpadmin’ /private/tmp/authorization.plist
# Unlock the Energy saver preference pane
/usr/libexec/PlistBuddy -c ‘Set :rights:system.preferences.energysaver:group lpadmin’ /private/tmp/authorization.plist
# Unlock the Date and Time preference pane
/usr/libexec/PlistBuddy -c ‘Set :rights:system.preferences.datetime:group lpadmin’ /private/tmp/authorization.plist
# Move file back to original location
/bin/mv /private/tmp/authorization.plist /etc/authorization

You can just copy and paste the text above into the “Send Unix Command” text area in ARD and send it as a local admin or root.  Alternatively copy the text into TextWrangler, do a save as i.e. then go to the command line and make it executable via chmod +x then run it with sudo ./ or sudo sh

This is what you’ll see when trying to unlock a pane as a standard user that you haven’t added to the lpadmin group.
Print Admin Prompt

And this is what you’ll see once you’ve added a standard user to the lpadmin group (or when logged in as an admin)

There’s other ways to achieve the same result.  You can change the key’s above from class “user” to “rule” keys and make your own rule at the bottom of the authorization file or use a built-in one but it’s much more complex & not well documented by Apple.