Problems using a Mac as a headless build server

My team has a Mac desktop we use as a build server to do tests, packaging, codesigning, and notarization. The service was kicked off inside a cron job, but we started encountering issues with codesigning (codesign errSecInternalComponent).

Eventually we tried turning the service into a LaunchAgent and codesigning now works, presumably because it now has access to the user's keychains. However, this means the service doesn't start until someone logs the user into the console, which is pretty inconvenient at times. We are also finding that the machine is now inaccessible remotely, over SSH and VNC, until there's a console login at the physical host. Our institutional security policies require the use of FileVault and disallow auto-login, and our IT folks haven't suggested any workarounds.

What is the recommended way to configure a Mac desktop as a headless server that can reboot without user interaction? We don't, and can't, use Xcode. We develop a multi-platform application written in Java.

we started encountering issues with code signing

Yep.

We are also finding that the machine is now inaccessible remotely, over SSH and VNC, until there's a console login at the physical host.

That doesn’t make sense. SSH is completely independent of the user logged in at the GUI. Screen sharing has a bunch of options in this space, but it definitely lets you log in over screen sharing.

What is the recommended way to configure a Mac desktop as a headless server that can reboot without user interaction?

To start, there is no solution that’ll work with FileVault. The whole point of FileVault is to protect data at rest. You’ll have to get an exception from your IS folks on that front.

Assuming you can resolve the FileVault side of things, your options are:

  • Automatic login

  • Screen sharing

  • SSH

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

This is how we secure our build Macs:

  • Enable auto-login of a user account to be fault tolerant to power failures (this requires disabling FileVault and running the boot partition unencrypted)
  • Create a separate partition with encryption enabled and don't save the encryption password in the keychain
  • Put all Jenkins data, source code, and everything else on the encrypted partition
  • Use a separate keychain to store any important keychain items and have the keychain automatically lock when the computer sleeps or shuts down

This will allow you to remotely access the Mac if it reboots, but all sensitive data will still be encrypted until you SSH/VNC in and unlock everything.

We also run a launchd daemon that automatically locks the screen if it detects a USB device is plugged or unplugged as an extra layer of physical security.
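The setup described in the post above (a dedicated keychain for signing identities that locks itself on sleep or after a timeout, with the build service run from launchd rather than cron) can be scripted as follows. This is an added example, not code from the thread's posters: the keychain path, the `com.example.buildagent` label, the program path and the `Developer ID Application: Example Corp` identity are placeholders, and the `security`, `codesign` and `launchctl` invocations are the standard macOS command-line tools.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: macOS with the `security`,
# `codesign` and `launchctl` tools; all names/paths below are placeholders.

# Create a keychain that holds only the signing identity, separate from the
# login keychain, and configure it to lock when the machine sleeps (-l) and
# after `timeout` seconds of inactivity (-u -t). The password is passed as an
# argument here for brevity; on a real host read it interactively or from a
# file with restricted permissions so it does not end up in shell history.
create_signing_keychain() {
    kc="$1"; pw="$2"; timeout="${3:-600}"
    security create-keychain -p "$pw" "$kc" || return 1
    security set-keychain-settings -l -u -t "$timeout" "$kc"
}

# After a remote SSH login, unlock the signing keychain for the current session.
# Without -p, `security` prompts on the terminal rather than taking the
# password on the command line.
unlock_signing_keychain() {
    security unlock-keychain "$1"
}

# Sign a bundle using only the dedicated keychain (--keychain), so a locked or
# missing login keychain does not affect the build (the errSecInternalComponent
# symptom in the question).
sign_bundle() {
    kc="$1"; identity="$2"; bundle="$3"
    codesign --force --timestamp --options runtime \
        --keychain "$kc" --sign "$identity" "$bundle"
}

# Render a LaunchAgent plist for the build service: started at console login
# (RunAtLoad) and restarted by launchd if it exits (KeepAlive). Output is
# written to stdout so it can be inspected before installation.
render_launch_agent() {
    label="$1"; program="$2"; log="$3"
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>${label}</string>
    <key>ProgramArguments</key>
    <array>
        <string>${program}</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
    <key>StandardOutPath</key>
    <string>${log}</string>
    <key>StandardErrorPath</key>
    <string>${log}</string>
</dict>
</plist>
EOF
}

# Install the agent for the logged-in user and load it (modern launchctl syntax).
install_launch_agent() {
    label="$1"; program="$2"; log="$3"
    plist="$HOME/Library/LaunchAgents/${label}.plist"
    mkdir -p "$HOME/Library/LaunchAgents"
    render_launch_agent "$label" "$program" "$log" > "$plist"
    launchctl bootstrap "gui/$(id -u)" "$plist"
}

# Typical use on the build Mac (placeholder values):
#   create_signing_keychain "$HOME/Library/Keychains/build-signing.keychain-db" "$KC_PW" 600
#   install_launch_agent com.example.buildagent /usr/local/bin/build-agent /var/log/build-agent.log
#   sign_bundle "$HOME/Library/Keychains/build-signing.keychain-db" \
#       "Developer ID Application: Example Corp" /path/to/App.app
```

The keychain timeout and sleep lock give the same effect the post describes (identities are usable only while someone has unlocked the keychain over SSH or VNC), and pointing `codesign` at that keychain explicitly removes the dependency on the login keychain that a cron-started process never had access to.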
