Fix NTP on OS X with no external network access

NTP is built into all recent versions of OS X and OS X Server (and OS X with

If you’re running a server, the other clients on the network can receive time updates from the server – but only if the server is able to update it’s time to an authoritative time server on the internet or other network.

If, as I was confronted with recently, you have a server and UDP Port 123 is blocked, then the server is unable to sync it’s time with any more authoritative time servers. If the server is unable to sync it’s clock, by default it refuses to give out time updates to network clients. How annoying.

With OpenDirectory, and it’s use of Kerberos, if workstations drift more than a few minutes from the server, bad things happen.

In this case, it is desirable to have all workstations sync their time to the server. Even if the time on the server isn’t completely accurate, it’s still better that all computers on the network at least agree what they think the time is, rather than having them all showing different times.

In order to do this, the NTP service running on the server must be told it’s a stratum time server. With stratum time servers, they’re authoritative with respect to what time it is. Normally, they’re connected to a highly accurate atomic clock or get an accurate time from GPS signals.

To tell our OS X server that it’s a stratum time server, edit /etc/ntp.conf and put in the following two lines. Note that is not a typo, it’s not meant to be

server # local clock
fudge stratum 10

This then tells the ntpd service on the server that it’s a Stratum 10 time server. Lower stratum numbers are higher priority and higher accuracy servers, so saying we’re at Stratum 10 means that if we do end up talking to real ntp server, it will be a lower stratum (and therefore higher priority) to our local clock.

Restart the ntp service with sudo killall -HUP ntpd

Point the network clients to the server and in very short order, they should have their clocks synchronised.


Bypass Spam Filtering in Office 365

This one is quick and easy – how do you whitelist a domain to bypass spam filtering in Office 365?

Log into the admin console at

Go to ADMIN > Exchange

In the Exchange admin centre, go to mail flow > rules

From the + dropdown menu go down to Bypass spam filtering…

Give the rule a name (e.g. Whitelist domains or bypass spam filtering)

From Apply this rule if… select The sender… > domain is and enter the domain (e.g. – don’t forget to hit the + button before you click on the OK button.

Leave the rest of the rule as-is and hit the Save button.

Getting a Fluke CableIQ to work in VMware Fusion on Mac OS X

I just got a new Fluke CableIQ qualification tester and, of course, the software and all supporting materials are Windows only.
I’m currently running Windows 7, 8 & 10 in VMware Fusion – yet Fusion wouldn’t see the USB device to attach.
It did give me a very metaphysical message on the LCD of the CableIQ however – The PC is searching within itself for the driver…

Anyway, in Fusion, you can enable USB quirks to fix recalcitrant USB devices and this is exactly what I needed to do to fix it.

From the VMware Knowledge Base article:

All I had to do was edit my .vmx file and add the following line to the bottom:

usb.quirks.device0 = "0x0f7e:0x0003 skip-reset"

I go the Vendor ID of 0x0f7e and the Product ID of 0x0003 from the vmware.log file in the Virtual Machine bundle folder.

Product Review – Encase Folding Stand Case

I’ll keep this short and sweet – the Encase Folding Stand Case is a very nice case for an iPad.
It’s thin and lightweight and more versatile than Apple’s Smart Case. Due to the unique triangular folds for the cover, it’s significantly more stable when propped up on a desk, or even on your lap.
It’s available in a wide range of colours and it’s made very well.
All-in-all, it gets the thumbs up if you need a good alternative to Apple’s case – one that retains the benefits of the OEM case and adds better features.

I’ve given this case to a friend and they really like it – it’s a lot slimmer and more lightweight than many other cases on the market.

The iPad is really a lot better supported when you have it resting against the folded case and the case can support the iPad in both landscape and portrait orientation, whereas most other cases only support the iPad in landscape mode.

Product Review – Otter Box Symmetry case for iPhone 5/5s

My mates over at Mobile Zap have sent me a new case for my phone – the Otter Box Symmetry case for iPhone 5/5s.

I’m normally a nude-device type person, however have recently been using a case to go with my Logitech case+drive (that is the best car kit I’ve yet found) so have warmed up to the idea of a case on my phone.

The Otter Box is a tiny bit bigger all round, but instead of the squared off edges, it’s more rounded so fits in the pocket just as well and is more comfortable to hold.

So, what makes this case so good? Protection.

It’s not water or dust proof or anything like that, but it is a 2-layer construction with a high-density foam in the interior with a hard plastic case on top. It’s also got a small lip of the foam around the face of the phone, so if you put your phone down face-down, the glass doesn’t actually touch the table.

The foam inner for the case seems to be flexible enough to provide drop protection, although I’m not about to drop my phone just to test this…

The only addition I’ve had to make to this case is sticking one of the Logitech case+ metal squares on the back of the case, so I can still use my car kit. Luckily the Logitech +drive mount came with a black and a a brushed stainless self-adhesive metal square, so the black square ties in perfectly with the black plastic of the case.

All-in-all, this is a very nice case – unobtrusive, slim and offering a good amount of protection for your device.

Check out the huge range of iPhone 5s cases over at Mobile Zap – they have a great range, with good prices and fast, local shipping.


Move files by date range – particularly useful for filing large amounts of email

I wanted to clean up my Sent Items folder in my email – I don’t have time to go through and manually sort them, nor do I have time to delete some and keep others. My main aim was to break them up so that I didn’t end up with over 20k items in a single folder.

What I decided to do was move them into folders based on date – Kerio Connect stores emails as .eml files in the filesystem, so individual emails are easy to deal with as files, rather than being forced to talk imap to it when I’ve got local access.

I went into the Kerio Connect Client and made my destination folder structure – A top-level folder called Sent Archive and then folders underneath this by year – 2009, 2010 etc.

Then, to move them all to where they needed to be I stopped Kerio Connect and then ran the following shell commands:

cd /usr/local/kerio/mailserver/store/mail/\ Items/#msgs
find . -type f -newermt 20090101 -not -newermt 20100101 -exec mv {} ../../Sent\ Archive/2009/#msgs/ \;
find . -type f -newermt 20100101 -not -newermt 20110101 -exec mv {} ../../Sent\ Archive/2010/#msgs/ \;
find . -type f -newermt 20110101 -not -newermt 20120101 -exec mv {} ../../Sent\ Archive/2011/#msgs/ \;
find . -type f -newermt 20120101 -not -newermt 20130101 -exec mv {} ../../Sent\ Archive/2012/#msgs/ \;
find . -type f -newermt 20130101 -not -newermt 20140101 -exec mv {} ../../Sent\ Archive/2013/#msgs/ \;
find . -type f -newermt 20140101 -not -newermt 20150101 -exec mv {} ../../Sent\ Archive/2014/#msgs/ \;
cd /usr/local/kerio/mailserver/store/mail/
find Sent* -name index.fld -execdir mv {} index.bad \;

I then restarted Kerio Connect and had it reindex the folders and everything was looking good.

FileMaker Server 13 Conflicts with Web Services Ports

FileMaker Server 13 is a bit of a pain to install – it absolutely insists with no option to change it that it MUST listen to ports 80 and 443 on whatever it’s installed on.

This is a big problem if you’re installing it on a machine that needs to be used for anything else, other than FileMaker Server.

If you’re running it on a machine with OS X Server – then the Server web services bind to ports 80 and 443 on all IP addresses on the machine. There is no way to install FileMaker Server and tell it to not use 80 and 443. Similar issue with installing it on a machine that’s running Kerio Connect. I want my mail services running on 80 and 443 thanks, not FileMaker Server.

The workaround is to install it and tell it to shut down the conflicting web server. Then, either add another IP address to the machine and edit it’s httpd.conf files to have it listen on that IP only, or have the Server websites do a reverse proxy for it.

I found it easier to edit the Listen directive in the following conf files:

/Library/Filemaker server/HTTPServer/conf/httpd.conf

/Library/Filemaker server/HTTPServer/conf/extra/httpd-ssl.conf

If you want to have it more fully integrated with Server, then you can make some config files so it can be controlled by Server – why FileMaker didn’t go down this path by default is beyond me. More info at the link below:

How To Enable 2 Factor Authentication on your iCloud Account

Apple now have enabled 2 factor verification for iCloud – 2 factor means you need two things, such as a password and a code sent to your phone, to access your account.
Enabling 2 factor authentication also means that your account cannot be accessed via ironically insecure security questions (i.e., what’s your mother’s maiden name).
Log in and enable it here:

Just be aware that you need to keep the Recovery Key in a VERY safe place – if you lose it, and you forget your password, Apple have no way to reset your password. This is good as it means that no-one else can ever reset your password and hack into your account but it also places a burden on you to keep the recovery key (or at least your password) safe as there is no way to reset your iCloud account password without the recovery key.

Can’t sysprep a Windows machine more than 3 times

It seems my Windows-fu is lacking a bit in my sysprep knowledge. As it turns out, you can’t sysprep a Windows machine more than three times.

Unfortunately you get no warning about this until you’ve run sysprep for the 3rd time and then tried to reboot the machine… Only to find that your user accounts have been deleted and the machine has been unjoined from the domain – making logging back into it rather tricky.

There seems to be a way around it, but first you need to recreate a user account on the machine.

Boot to Safe Mode with Command Prompt by rebooting and holding the F8 key.

When in the Safe Mode command prompt, type in:

net user <username> <password> /add

replace username and password with the username for the account you want to create and their desired password.

Then, type in:

net localgroup administrators <username> /add

Replacing username with the user name you specified in the first step.

Reboot and log in to your new account.

Next, follow the instructions over at the Landesk forums to fix it up and enable you to run sysprep once more.

The essential steps are:

Open regedit and look for:


Set to value: 2


Set to value: 7

Then run:

msdtc -uninstall

(wait a few seconds)

msdtc -install

(wait a few seconds)

Reboot the system.

Finally, you should be able to run sysprep once again.