Weekly News Summary for Admins — 2019-05-17

This Monday, macOS 10.14.5 (and all the related updates) dropped. The timing was surprising, but became clearer when the news on a new group of Intel CPU vulnerabilities arrived as well.

10.14.5 brings some mitigations to these vulnerabilites, but to be sure, you would have to disable Hyperthreading on your CPU(s) which brings up to 40% performance hit.

With 10.14.5 the new notarization rules for applications and kernel extensions arrive as well. All of this is once again demonstrating the importance (and the challenges) of IT being able to quickly roll-out and support system updates.

There are still a few spots left for the “Introduction to Scripting macOS” class on May 27/28!

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

On Scripting OS X

News and Opinion

Apple Updates



  • mikeymikey: “macOS Mojave 10.14.5 (18F132)… ”
  • Jason Broccardo on Twitter: “#macadmins n.b. the both the 10.14.5 and iTunes Device Support Update updates have trailing spaces when you are looking at the CLI softwareupdate listing. If you want to CLI install you’ll need to account for that.”
  • Marnin: “When using the Time Server payload on earlier version of macOS 10.14, the time zone was not getting set properly.”
  • Ken Case: “Today Apple released macOS Mojave 10.14.5, which fixes a CoreAnimation drawing issue that was affecting customers using large OmniOutliner and OmniPlan documents. If you’re a Mac customer using Mojave, I strongly recommend updating!”


MacAdmins on Twitter

  • Caleb Coy: “Was just reminded that the #macadmins Slack community turns 4 this weekend. I don’t know about y’all, but a lot has happened for me in that time and having this community has helped so much.”
  • Daniel Jalkut: “Heads up Mac developers: the ”codesign –preserve-entitlements=runtime“ parameter does not actually preserve the runtime flag. Radar #50697511.”
  • Timo Perfitt: “Interesting that the additional recovery partition key combos are only available if you have installed 10.12.4 or later at least once.”
  • Adam Codega: “A configuration profile is never late. Nor is it early; it arrives precisely when it means to.”
  • Kitzy: “macOS Mojave 10.14.5 has been out for over 48 hours now. Still no sign of it in Jamf’s patch management. It’s frustrating that Jamf finally got the mechanics of patch management down but crippled it by making us all rely on Jamf for patch definitions that are slow to update.”
  • Ricky Mondello: “Did you know that you can drag Safari’s Downloads popover by its title into being a detached, free-standing window, so you can more easily monitor your long-running downloads?”

Bugs and Security

Support and HowTos

Scripting and Automation

Updates and Releases

To Listen

Just for Fun


There are no ads on my webpage or this newsletter. If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Scripting OS X

Weekly News Summary for Admins — 2019-05-10

More 10.15 and iOS13 rumors (or previews), Microsoft goes Terminal and open source and leaks the Chromium-based Edge browser for Mac, Mac admins continue to explore the effects of the 10.14.5 notarization requirements, and Adobe ‘unauthorizes’ old versions.

In additonal news, I will be giving Scripting Classes at Pro Warehouse in Amsterdam. The first class is a two-day “Introduction to Scripting macOS.” If you are interested, you can get more information and register here!

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

On Scripting OS X

News and Opinion

MacAdmins on Twitter

  • mikeymikey: “Just sharing this out here – because I didn’t know this detail – and codesign and spctl don’t show this particular reason for Gatekeeper rejection”
  • William Smith: “Download Microsoft Edge (Canary) for Mac, Reference the chromium.org key/value pairs here: www.chromium.org/administrators/policy-list–3 Use “com.microsoft.Edge.Canary” domain to manage (plist or configuration profile).”
  • Patrick Fergus: “I annotated Adobe’s “authorized” applications table with “marketing” versions. Note “if an Adobe product is not listed in the table below, all versions continue to be authorized.””

Bugs and Security

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

To Listen

Just for Fun


There are no ads on my webpage or this newsletter. If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Scripting OS X

Tryton News: Tryton Release 5.2

@ced wrote:

We are proud to announce the 5.2 release of Tryton. This is the first minor release which means that it will be supported for 1 year only.
As usual the migration from previous series is fully supported. Some manual operation may be required, see Migration from 5.0 to 5.2.

This release will be presented at the Tryton – Unconference Marseille – June 4th-7th, 2019

Here is the list of the most noticeable changes:
(For a more complete list, see the change log of each package)


Changes For The User

We have a new widget which allows to edit HTML content using a WYSIWYG editor. The widget is available in both clients. It can be used for example to edit a product description field for a web shop site.

We have reworked the CSV import/export to be more user-friendly. For example, the saved exports are now available directly under the print toolbar like if it was a report.
We also use by default the locale configuration to format the data (e.g. date and numbers). This provides a better operating system integration with the used programs.
The CSV import can now update existing records if their ID is provided.

The calendar view (which allows to display records on a calendar) already had a month and week view. Now it has also a day view thanks to Release of GooCalendar 0.5.

We improved the visibility of the notes and attachments. There is now a different color between unread and read notes. We display also the total of notes (instead of only the unread). The desktop client now has a badge to warn about the presence of notes or attachments, when the toolbar only shows icons.
Desktop resources notification Web resources notification

We have simplified the definition of a scheduled task (also known as cron). The method to run is now a selection (no need to know the internal names). The user selects an interval from minutes to months and can also select the corresponding time. For example to force a task to run every 5 days at :clock230: 2:30am. This is very useful for expensive task that should run when the system is less busy.

We use a range for the number fields on the filter box. The behavior is to create a range between the two values if they are different. And by default when the first part is modified, it update the second to the same value. But when the second part is modified, the first is not. This is the best compromise we found to be the less obstructive to the user but still to provide a powerful option.

When the result of a search is empty and the user has setup an offset, we reduce this offset until there is some result to show. This prevents to confuse the user who may think, there is no result if the offset stays too high.

Searches against codes and numbers have been improved to only match if the search text matches with the starting of the code or number. This is better than matching any parts of the code or number as it is what most users would expect.

One type of error messages that is very difficult to understand for the user, are the access errors. They were very generic and most of the time users could not find a solution by themselves. To improve the situation we show in such error messages, the ids of the record for which the access is forbidden and also the name of the rules that are infringed.

Desktop Client

Now that the desktop client has dropped the support of GTK+2, we can use new widgets from GTK+3 such as the ShortcutsWindow. This window is displayed with the shortcut CTRL+F1 and additionally provides a search functionality.

Another possibility with GTK+3 is to replace the filter popup window by a nicer Popover . This also solves a focus issue that happened on some window managers.

We have been struggling for some releases on providing the best size for the dialogs. We think we have finally found the best solution. The dialog builder searches in the form that it will displayed, if there are any widgets that needs to be expanded. If it found one than the default size will be 150px less than the size of the main window, otherwise the size will be computed from the natural size of each widget.

We missed two shortcuts on One2Many widget to be fully usable with only the keyboard. So we added a shortcut to switch the view and one to remove (and not delete) the selected record.

We added the support of drag & drop on the binary widget (like it already exists on the attachment button).

On the desktop client, we first show the login dialog before the main application window. This has a side effect that it is not possible to know the running version before being connected. As this can lead to some incomprehension if the user is using a wrong client version to connect to a server, we display on the login dialog the client version number.
Desktop login window with version number

The column rendering has been improved which allows now to edit the reference field using a Selection and a Many2One cells and the binary column are using clickable icon cells.

Web Client

The design of the CSV export/import on the web client was not in the best shape. So we put some effort to redesign it to be closer to the desktop client standard.

Also a nice feature of the desktop client is the ability to select a range of records with Shift+Click. This feature was missing on the web client and we added it. Now if you select a first record than click on another one with Shift pressed, the client will select all the records between them.

Another missing feature from the desktop client is now implemented: the ability to create attachment by drag & drop on the toolbar button.

In order to improve the navigation between tabs in the web client, we allow to use Alt+Tab to switch between them.

The URL in the browser can be shared between users to open the same view. But it was missing the definition of the “tab domain”. This is fixed now. If the view has tabs, the URL will contain their definition and other users will see them also.


To simplify the account creation, we merged the two concepts of type and kind. Now everything is defined on the type. This is simpler for the user because now an account only requires a name, a parent and a type (inherited by default from the parent). Also new, a type can have multiple usage like revenue and expense etc.
All the standard charts of accounts have been updated to this new format.

Sometimes you want to deduct from a supplier invoice and a credit note from the same supplier. We have added a wizard that groups lines from the same party and leave the remaining to the right account. All the grouped lines are reconciled together but delegates their status to the remaining line. So the invoices and credit notes will be marked only once the remaining line will be reconciled also.
Only one payment needs to be created for the remaining line.
The payment wizard warns about if the selected lines could be grouped with others before creating the payments.

Once an invoice is paid, the existing payment lines are replaced by the list of the lines used for the reconciliations. This shows to the user the exact way the invoice was paid.

When an invoice is refunded by a credit note using the credit wizard, its state is set to cancel instead of paid. This gives a better picture of the reality.


The report 303 has been updated to the latest version and it displays the amount to compensate from the previous periods. The new template can be applied on older versions.
We added two more reports for Spain:

  • The VAT listing with the Spanish codes
  • The EC operation list


The accounts 400 and 410 has been changed into view as they must contain the sum of respectively all accounts starting by 40 and those starting by 41.


We added the product and category criteria to the analytic rule engine. This allows to write more complex automatic rules.
Now those rules are only applied to the income statement lines as it is a most expected usage of analytic accounting.
Since the introduction of the rule engine, it was clear that the mandatory flags on analytic roots were no more useful (even annoying). So we removed them.


In addition to the users and party, we can now use an employee field as recipient of a notification.


Until now, we had only the European VAT identifier by default. But Tryton aims to be usable all around the world. So we added all the party identifier available in python-stdnum library and we flagged those that can be used as tax identifier.
If you are missing an identifier, we encourage you to contribute it to python-stdnum so it will be available in the next release.

Sometimes, users encode phone number without any country prefix. Until now, this raised a validation error. Now Tryton tries to find a country from the party that works. By default it tries all the countries from the addresses.


Until now, the product supplier definition was only available per product but not per variant. This is corrected now. The product suppliers defined on the variant are used first and if none match the criteria (e.g. the right supplier), the product suppliers are searched.


We found that the picking algorithm may choose a children location, even if there were products available in the source location. This was astonishing for the user, so we decided to pick first in the source location before the children locations.

Now we allow to consume products from a supplier consignment directly to a customer. Tryton will create the corresponding supplier invoice line and the customer invoice line.

Until now a unit price was set by default when a stock move was created manually. We stopped this behavior because the proposed unit price was most of the time wrong. So we prefer that the user actually set it if it is required as it will be more accurate.

New Modules

Account Statement Rule

The account_statement_rule module allows to define rules to automatically complete statement lines from imported files.

Marketing Automation

The marketing_automation module allows marketing actions to be automated. It is based on scenarios and activities that are executed on selected records.

Sale Product Customer

The sale_product_customer module defines customer’s names and codes for products and/or variants. A reference to the customer’s product is added to the sale line.

User Role

The user_role module allows to assign roles to user instead of groups. A Role is defined by a set of groups. When a role is added to a user, it overrides the existing groups. A role can be added to a user for a period.

Web Shortener

The web_shortener module allows URLs to be shortened. It counts the number of times the URL is accessed and optionally triggers action.

New Languages

This release receive translations for those new languages: Estonian, Turkish and Finnish.
If you want to add your language or improve existing one, see how to contribute to the translations.

Changes For The Developer

In this release, we remove the support of Python 3.4 which has reached its end-of-life the last March.

A new type of view has landed in Tryton. It is the list-form which is a combination of the list and the form views. It displays on a list an editable form for each record. This gives more control on the layout than the standard list view but it is less performant on large sets of records.

We added a new widget HTML. This widget allow the user to edit HTML content using a WYSIWYG editor (we choose TinyMCE ). The editor plugins, CSS and class can be customized per model and field and it support translated fields.
This widget can be used for example to edit a product description which will be used on a web-shop. In this case, Tryton can be configured to reuse the CSS file from the web-shop to show the same rendering.
The widget is also used to edit HTML report template like for the emails.

We added a console to the server. This console starts within a transaction and provide access to all objects. The transaction must be explicitly commit otherwise it is roll-backed. The console is by default interactive or it runs the code piped to its standard input.
Such console can be useful when developing to test a function or check data but it can also be useful on production to execute a correction script.

Some efforts have been put on improving the internal cache of Tryton. Now it follow the transaction by storing only committed data and clearing for other transactions once the current transaction is committed.
The synchronization of the caches between different processes (optionally on different hosts) can be configured to use a database channel. In this case the cache is synchronized instantly instead of being based on a timeout.
The cache instances can be configured to automatically invalidate data that stayed in the cache for a specific amount of time. This is useful when storing data that depend on time or on external sources.
Finally, we allowed to control the cache duration of the RPC requests per procedure. The definition of the RPC can have cache attribute which defines the duration to store the result in the cache. The clients use this information and re-use the cached result instead of calling the method as long as the cache is valid. By default, we activated the cache on the common method that have almost static result like ModelView.fields_view_get, ModelView.view_toolbar_get etc. This allowed to reduce by about ⅔ the average number of requests.

By default, the Tryton server uses thread/fork for concurrency. This is not optimal for the long-polling requests that go to the bus. So we added an option to start the server with a corountine model. This is done thanks to the gevent library.
So the common setup is to start a server with thread/fork for the common requests and another one with coroutine for the bus request.

As we could have a second server for the bus request, it is now possible to redirect the bus request to this second server thanks to the url_host configuration. The clients will follow the redirection automatically.
As this redirection can point to a different domain, it is also possible to authorize the cross-origin resource sharing via the configuration.

Sometimes we would like to extend the string or the help text of a field. But the translations did not correctly handle such case because they create an entry for the full text. Now we introduce the concept of partitioned string. It is a Python object that behaves like a string but it keeps the history (parts) of how it was constructed. We use this new object for the string and help text of the field. And we create a translation entry for each part in order to get a modular translation.

We can now search on keys of Dict of fields using the Tryton’s ORM. On PostgreSQL back-end, Dict fields can be stored as a JSON. In this case, the database can use indexes to speed-up the query.
It is also possible to order the search result based on the keys of Dict fields.
The keys with null value are also automatically cleaned.

In order to make Tryton even more modular, the definition of the fields (which is sent to the clients) is now created by the field itself. This allows to create custom fields like the Geometry field of trytond-gis and add new properties like the dimension and geometry_type.

Some times we need to acquire a lock on a record but without modify it (see issue8012). So we added a ModelSQL.lock method which locks the passed records if the database support it or just lock the all table.

Until now, all the errors were raised using the two same exceptions UserError and UserWarning. This was not great for testing nor to catch a specific error.
So we removed the methods raise_user_error and raise_user_warning to replace them by the Python raise statement. This allows to use custom exceptions inheriting from one of the two bases.
As we need to set on the exception the error message for the user, we created a new model to store all the messages ir.message. It can be used with the new gettext tool to get the message in the language of the user.

In order to detect quickly bugs, the Function field raises now a NotImplementedError when we try to set a value but it does not have any setter method.

Until now the ModelStorage.read-API allows to read the field of the model but also the fields of Many2One and Reference targets. The API has been extended to read related xxx2Many fields . Reading a xxx2Many field results in a list of dictionaries with the requested values and always the id . The name of the key is suffixed by a dot, to avoid name space collisions. :warning: The former API for Many2One has been changed to stay consistent.

Some modules have extras dependency. In order to test them, the ModelTestCase has a new attribute extras which is a list that contains the extra modules to activate when running the test. This ensure to cover all the cases.

The domain inversion which allows the client to fill or limit the value of a field based on the existing domain, can now enforce the model of the reference fields.

Desktop Client

In order to prepare the future version 4 of GTK, a effort has been put to remove all the GTK warnings. This required to replace some deprecated widgets like Gtk.Table by Gtk.Grid etc. And finally, we could drop the usage of pygtkcompat, the library for backward compatibility with the version 2 of GTK.

The list views can now have multiple renderers per column. This allowed to edit Reference field with two cells: a selection for the model and a many2one for the record.

Web Client

The desktop client supported plugins since a long time. Now the web client can also be customized with plugins. The default “Translate view” has been implemented as example.

In order to modernize our Javascript code, we started to support defining property on our class implementation. Now the Javascript code is more similar to its Python counterpart which ease the maintenance and avoid bugs.

The web client now supports the expand, height and width attributes. This reduce again the gap between the feature of both clients.



Fetching the sources from Strip service is quite slow (about 1s per source). So we added a cache of 15’ on the sources of a customer. It is of course cleared if the customer is modified.

Since version 5.0, Tryton has a queue to execute task in background. This queue is now used to charge and capture Stripe payments.


As we have already on the purchase request the method find_best_supplier, we added also find_best_product_supplier.


For performance reason, we changed the fallback unit used by Product.get_sale_price to the sale unit instead of the default unit. This allows services (like a web-shop) to make a single call to retrieve the sale price of all the products without having to make unit conversion.

Following the changes on the sale, the description on sale opportunity is now also optional.

Posts: 1

Participants: 1

Read full topic

Planet Python

Weekly News Summary for Admins — 2019-05-03

The big news this week was that Apple has started removing certain iOS applications which allow fine-grained parental controls for their children’s iPhones and iPads. The first post on this in the New York Times speculated that Apple was removing products that compete with Screen Time. However, Apple clarified that these companies are using MDM (Mobile Devices Management servers) to get the features, which is a “guideline violation.”

Since this discussion involves MDM, I believe it is very relevant to Mac and iOS administrators.

You could discuss whether these services should be using MDM to get the feature set their customers desire. You could have (the ever repeating) discussion on how Apple reverses years’ worth of approvals because they now suddenly realize the app has been in violation all along. You could question how fair and reasonable the 30 days ultimatum for an updated app without MDM was, since there is no other API with a similar feature set, and how well the ultimatum was communicated.

But I want to point out that MDM enrollment, both on iOS and macOS, has to be manually initiated the user, and approved with a passcode. This required user approval, is a big hurdle for automated delpoyments, something which administrators are longing for.

The workaround for this, according to Apple is Automated Device Enrollment (formerly known as DEP) where the chain of possession from Apple, through a reseller, to the purchasing organisation is proven and logged in Apple’s servers. Even with DEP, user approval of the management features is necessay at first boot.

There have been cases where malware has installed MDM profiles on iOS and Macs and supposedly user approval should protect from these cases. Yet, when a service or application, which promises a solution the user desires, asks for approval, the user will click anything.

Users are trained to approve these security dialogs. The more dialogs the system throws at the user, the more they are trained to quickly approve and authorize them without really reading or understanding. Too much user approval can be detrimental to its purpose.

MDM servers need certificates from Apple to work. They need to register with the push notification service to communicate with the clients. The client applications that are distributed through the iOS and Mac App Stores, need developer certificates from Apple.

Apple would have many options to control and block malicious actors in this field without hurting legitimate services and administrators seeking automation.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

📰News and Opinion

Parental Control Apps/MDM

🐦MacAdmins on Twitter

  • mikeymikey: “Different techniques, different goals. Internet recovery has been modified multiple times over the years (example change in 10.12.4), whereas netboot was a device independent standard that would have needed a total overhaul for Secure Boot.”
  • Steve Troughton-Smith: “Just 35 days to WWDC! 35 days to iOS apps on the Mac, 35 days to multi-window iPad homescreen revamp, 35 days to Dark Mode on iOS”
  • Steve Troughton-Smith: “Dashboard isn’t the only thing gone in 10.15 — so is 32-bit app & plugin support, Carbon, Ink, QuickTime 7 & QuickTime plugins, PPTP, and hardware RAID. You will get Python 3.7 and Ruby 2.6, at least” (Python 3 alongisde the soon-to be EOL’ed Python 2.7 would be good news.)
  • Emily kw, ph.d.: “Hello. I’m a Sr. Systems Engineer for a Fortune 25 company. I am not interested in your Technical Support Specialist job offers. Goodbye.”

🐞Bugs and Security

🔨Support and HowTos

🤖Scripting and Automation

🍏Apple Support

♻Updates and Releases

🎈Just for Fun

📚 Support

There are no ads on my webpage or this newsletter. If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Scripting OS X

Weekly News Summary for Admins — 2019-04-26

I am traveling with just my iPad this week, so this is the first time that I am assembling the newsletter entirely on iOS. It has been an interesting challenge. I built a shortcut which copies a page from Safari in Markdown format, something that Byword on Mac does automatically on drag’n drop, but Byword on iOS does not.

If there are any errors or differences in this week’s newsletter because of that, please be tolerant. Since I am traveling and somewhat distracted, there may have been a post or news that I missed. Please tell me and I will add it next week! (Contact info at the end of the letter.)

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

News and Opinion

MacAdmins on Twitter

  • Bertrand Pourcel: “Command-IT : la conférence pour les pros du monde Apple”
  • William Lam: “Been getting asked about our progress with ESXi on new 2018 Apple Mac Mini Here’s quick summary …”
  • Ben Toms: “Kernel extensions signed after April 7th, 2019 must be notarized in order to load on macOS 10.14.5.”
  • Kitzy: “So @SlackHQ, an app specifically aimed for enterprise use, doesn’t support enterprise deployment.”
  • Eric Holtam: “TIL about wdutil and sudo wdutil info for showing wireless info.”

Bugs and Security

Support and HowTos

Scripting and Automation

Apple Support

Updates and Releases

Just for Fun


There are no ads on my webpage or this newsletter. If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Scripting OS X