krypted.com

Tiny Deathstars of Foulness

The following is a list of common tools used to manage Apple devices. Do you use something that isn’t on this list? Comment it and I’ll try to add it! In order to remain vendor agnostic, solutions are listed in alphabetical order within each category. A brief explanation of each category follows:
  • Antivirus: Solutions for scanning Macs for viruses and other malware.
  • Automation Tools: Scripty tools used to automate management on the Mac
  • Backup: I highly recommend bundling or reselling some form of backup service to your customers, whether home, small business, or large enterprises. The flexibility to restore a device from a backup when needed is one of the most important things to keep costs at a manageable level and put devices back into the hands of customers in an appropriate time frame.
  • CRM: Mac-friendly tools used to track contacts and communications with those contacts.
  • Collaboration Suites: Once upon a time, a Mac server was great for shared calendars, contacts, and email. But most businesses aren’t going to want anything to do with the repercussions of potential downtime that can happen on a mail server. Nothing will get your hard-earned customers to fire you faster than an email outage. So while the Mac server is listed, consider cloud options, for optimal customer retention.
  • DEP Splash Screens and Help Menus: Tools that make the DEP and service desk process more user friendly by providing more information to users.
  • Development Tools, IDEs and Text Editors: Tools used when building scripts, writing and debugging software, and manipulating text.
  • Digital Signage and Kiosks: I put these in here because I know a lot of organizations that have built a nice additional revenue stream by reselling or deploying these tools on behalf of their customers. I have friends who have also created managed service offerings just around these tools. Overall, it’s a possible new revenue stream and, as an added bonus, you’ll likely get an NFR license so you can have pretty cool signage in your office (if you’re into that kind of thing).
  • Directory Services: Tools that provide primarily on-premises access to a shared directory of users and services and allow for single sign-on to those services.
  • File Sharing: Mac-centric cloud and on premises tools to share and synchronize files.
  • Identity Management: Providers of predominantly SAML based Single-Sign On solutions that federate security for Apple devices to access web-based services.
  • Imaging and Configuration Tools: Tools used to place devices into a given state or to create that state. This includes traditional Mac imaging tools as well as those built for iOS.
  • Line of Business: Traditionally Mac-focused solutions that automate various business functions.
  • Log Collection and Analysis: Centralized logging has been a necessity for large, growing fleets of devices. Modern tools can store large amounts of logs from client computers and allow fast and complex searching so you can triangulate issues quickly and effectively. As an added benefit, you can also centralize logs for network appliances, allowing you to isolate the source of issues across an entire ecosystem of devices.
  • Management Suites: Tools used to manage settings on Apple Devices. Each is marked as MDM, Agent-based, or both.
  • Point of Sale (PoS): Similar to digital signage, but you might also operate a storefront or track customer data in one of these solutions.
  • Print Servers: Servers that either provide access to printers or allow for more granular printing features, such as cost accounting. I’ve always hated printers. Whether the old Fiery print services, a common LPR-based printer, or one of the shared printing services, I still can’t stand managing them. Printers jam, they break, the drivers seem to be rife with problems after every other operating system update, printers are often discovered through ad-hoc mechanisms (like Bonjour), and you often need special software to access the cool features. All in all, printers suck, but these tools might make them just a tad easier to use, or if not, help to account for who is using them so your customers can bill their departments back as much as possible.
  • Productivity Tools: Tools you might use to manage lists or other assets.
  • Remote Control and Management: These tools allow you to take control of the screen, keyboard, and mouse of devices. I can’t tell you which are the best. But I can tell you that I want my remote control solutions to be cross-platform, to be cloud-based, to prompt users for acceptance of the remote control session, and to audit connections so I know who is taking over what devices.
  • Security Tools: Tools used to manage firewalls, filevault, and perform other tasks required to secure Macs, based on the security posture of a given organization.
  • Service Desk Tools: These tools are for ticketing and ticket management. It’s always great if you can pick one that actually integrates with both your billing solution and the various other techie bits you choose to use.
  • Software Packaging and Package Management: Tools for normalizing software for mass distribution on Apple platforms.
  • Storage: Apple-focused solutions for sharing files.
  • Troubleshooting, Repair, and Service Tools: Tools used to fix logical problems with hard drives, check hardware for issues, repair various system problems, or just clean up a Mac.
  • Virtualization and Emulation: Not all software runs on a Mac. Customers will have certain tasks that may require a Windows machine. You can use Citrix or a Microsoft Terminal Server to provide for that potential requirement. Or, especially if users need data from their Windows apps when offline, you can use a local virtualization tool.

Antivirus

  • AVG: Basic antivirus and spyware detection and remediation.
  • Avast: Centralized antivirus with a cloud console for tracking incidents and device status.
  • Avira: Antivirus and a browser extension. Avira Connect allows you to view device status online.
  • BitDefender: Antivirus and malware managed from a central console.
  • Carbon Black: Antivirus and application control.
  • Cylance: Protection against ransomware, advanced threats, fileless malware and malicious documents in addition to standard antivirus.
  • Kaspersky: Antivirus with a centralized cloud dashboard to track device status.
  • Malwarebytes: Antivirus and anti-malware managed from a central console.
  • McAfee Endpoint Security: Antivirus and advanced threat management with a centralized server to track devices.
  • Sophos: Antivirus and malware managed from a central console.
  • Symantec Mobile Device Management: Antivirus and malware managed from a central console.
  • Trend Micro Endpoint Security: Application whitelisting, antivirus, ransomware protection in a centralized console.
  • Wandera: Malicious hot-spot monitoring, jailbreak detection, web gateway for mobile threat detection that integrates with common MDM solutions.

Automation Tools

  • AutoCasperNBI: Automates the creation of NetBoot Images (NBIs) for use with Casper Imaging.
  • AutoDMG: Takes a macOS installer (10.10 or newer) and builds a system image suitable for deployment with Imagr, DeployStudio, LANrev, Jamf Pro, and other asr-based imaging tools.
  • AutoNBI: Automates the build and customization of Apple NetInstall images.
  • Dockutil: Command line tool for managing Dock items.
  • Homebrew: Package manager for macOS. Cakebrew provides a GUI for Homebrew.
  • Jamf Migrator: Copy assets from one Jamf server to another.
  • Jamjar: Combines jamf, AutoPkg and Munki, cherry-picking functionality from each product’s core competency to create a scalable, modular update framework.
  • MacPorts: An open source community initiative to design an easy-to-use system for compiling, installing, and upgrading command-line, X11 or Aqua based open source software on Macs.
  • Outset: Automatically processes packages, profiles, and scripts during the boot sequence, at user login, or on demand.
  • Precache: Programmatically caches Mac and iOS updates on a local caching server rather than waiting for a device to initiate the caching.
  • Recategorizer: Recategorize policies and packages in Jamf Pro.
  • Spruce: Locates items in Jamf Pro that you aren’t currently using (out of date scripts, packages, etc.).

Backup 

  • Acronis: Centrally managed backups with image-based restores.
  • Archiware: Centrally managed backups to disk and tape with a variety of agents for backing up common Apple requirements, such as Xsan.
  • Arq: One-time-fee backup client that backs up to cloud storage accounts you provide.
  • Backblaze: Unlimited continuous backup with a 30 day rollback feature.
  • Carbon Copy Cloner: File- or disk-based cloning of volumes for macOS.
  • Carbonite: SaaS or local-server based backups of Mac clients.
  • Crashplan: Backup to cloud and local storage with a great deduplication engine.
  • Datto: Local and cloud backup and restore, as well as cloud failover for various services.
  • Druva: Backup for local computers as well as some backup for cloud services.
  • Quest Backup (formerly Netvault): Can backup Mac clients and Xsan volumes to a centralized tape or disk-based backup server.
  • SuperDuper!: Duplicates the contents of volumes to other disks.
  • Time Machine: Built-in backup tool for macOS.

Collaboration Suites and File Sharing

  • Atlassian: Development oriented suite including wiki (Confluence), issue tracking (Jira), messaging (HipChat) and other tools.
  • Box: File sharing in the cloud.
  • Dropbox: File sharing in the cloud.
  • Egnyte: Cloud file sharing with on-premises caching, so frequently used assets are served locally on the networks where they’re accessed most.
  • G Suite: Shared Mail, Contacts, Calendars. Groupware, accessible from the built-in Apple tools, Microsoft Outlook, and through the web.
  • Kerio Connect: Shared Mail, Contacts, Calendars. Groupware, accessible from the built-in Apple tools, Microsoft Outlook, and through the web.
  • macOS Server: Shared Mail, Contacts, Calendars. Groupware, accessible from the built-in Apple tools, Microsoft Outlook, and through the web. Should be used in smaller environments, and it is strongly recommended to look at third party SaaS-based solutions as potential replacements for this solution.
  • Office 365: Shared Mail, Contacts, Calendars. Groupware, accessible from the built-in Apple tools, Microsoft Outlook, and through the web.

CRM

  • Daylite: Mac tool for managing contacts and communications with those contacts.
  • Hike: Mac tool for managing contacts and communications with those contacts.
  • Elements CRM: Mac tool for managing contacts and communications with those contacts. (EOL)
  • GroCRM: iOS tool for managing contacts and communications with those contacts.

DEP Splash Screens and Help Menus

  • ADEPT: Adds a splash screen for DEP enrollments so users can see what is happening on their devices.
  • DEPNotify: Adds a splash screen for DEP enrollments so users can see what is happening on their devices.
  • HelloIT: Customizable help menu so users can get information about their systems or IT support.
  • MacDNA: Customizable help menu so users can get information about their systems or IT support.
  • SplashBuddy: Adds a splash screen for DEP enrollments so users can see what is happening on their devices.

Development Tools, IDEs and Text Manipulators

  • aText: Replaces abbreviations with frequently used phrases you define.
  • Atom: A modern text editor with bells and whistles that make it work like an IDE for common scripting languages.
  • BBEdit: A modern text editor with bells and whistles that make it work like an IDE for common scripting languages.
  • Charles Proxy: A proxy tool that can be used to inspect traffic so you can programmatically reproduce the traffic or reverse engineer what is happening when trying to solve issues or build tools.
  • CocoaDialog: Create better dialog boxes than with traditional tools like AppleScript.
  • Coda: An IDE and a modern text editor with bells and whistles that make it work like an IDE for common scripting languages.
  • Dash: Offline access to 150+ API documentation sets.
  • Docker: Containerization tool.
  • FileMaker: Rapid application development software from Apple.
  • git: Code versioning, merging, and tracking – and with github, a repository to put code into and share code.
  • Hopper Disassembler: Disassemble binaries as part of reverse engineering and security testing.
  • Microsoft Visual Studio: An IDE for a variety of languages.
  • MacDown: An open source tool for creating and editing Markdown. 
  • MySQL Workbench: Create and edit MySQL databases and use to build complex queries.
  • Navicat Essentials: Create and edit MySQL databases and use to build complex queries.
  • Pashua: Create native Aqua dialogs from programming languages that have no or only limited support for graphical user interfaces on Mac OS X, such as AppleScript, Bash scripts, Perl, PHP, Python, and Ruby.
  • Platypus: Creates native Mac OS X applications from interpreted scripts such as shell scripts or Perl, Ruby and Python programs.
  • Script Debugger: Tools like a dictionary explorer and more IDE-esque features for building AppleScript applications.
  • SequelPro: Create and edit MySQL databases and use to build complex queries.
  • Snippets Manager: Collect and organize code snippets
  • SourceTree: GUI tool for Git and Github.
  • SublimeText: A modern text editor with bells and whistles that make it work like an IDE for common scripting languages.
  • TextExpander: Replaces abbreviations with frequently used phrases you define.
  • TextWrangler: A modern text editor with bells and whistles that make it work like an IDE for common scripting languages.
  • Tower: GUI client for Git on the Mac.
  • VisualJSON: Simple JSON pretty-viewer for the Mac.
  • Xcode: Apple tool for writing apps and scripts in common languages.

Digital Signage and Kiosks

  • Carousel Digital Signage: Run Digital Signage from an AppleTV.
  • Kiosk Pro: Turn any iPad into a single-user kiosk tool, manageable via an API (e.g. with a Jamf Pro integration).
  • Risevision: Run Digital Signage from a Mac.

Directory Services and Authentication Tools

  • Apple Enterprise Connect: Tool sold through Apple that connects to Active Directory environments without binding to Active Directory.
  • AdmitMac: Adds support for fringe Active Directory requirements.
  • JumpCloud: Run your directory service in the cloud.
  • LDAP: The directory access protocol most of these services speak; OpenLDAP is the common open source server implementation.
  • macOS Server Open Directory: Directory service installed in macOS Server that is based on OpenLDAP.
  • Microsoft Active Directory: Centralized directory service from Microsoft.
  • NoMAD: Connects clients to Active Directory environments without binding to Active Directory. And has some other nifty features.

Identity Management

  • Centrify: Provide federated login across common web services and other SAML-capable solutions, as well as resolve common issues with Active Directory. Also has an integrated profile management tool for compliance.
  • Duo Mobile: Two-factor authentication app and service.
  • LastPass Enterprise: Provide federated login across common web services and other SAML-capable solutions.
  • Microsoft Azure Active Directory: Microsoft’s cloud-hosted identity and directory service.
  • NoLo: NoMAD Login, a replacement macOS login window that authenticates against Active Directory without binding.
  • Okta: Provide federated login across common web services and other SAML-capable solutions
  • OneLogin: Provide federated login across common web services and other SAML-capable solutions
  • Ping Identity: Provide federated login across common web services and other SAML-capable solutions

Imaging and Configuration Tools

  • Apple Configurator: Configure iOS and tvOS devices en-masse, automate MDM enrollment, and distribute data.
  • Blast Image Config: Quickly restore and configure a Macintosh back to a known state (10.12.2 and below).
  • createOSXInstallPackage: create an installer package from an “Install OS X.app” or an InstallESD.dmg. (10.12.4 and below)
  • Deep Freeze: Freeze the state of a Mac.
  • DeployStudio: Free imaging server for Macs.
  • FileWave Lightning: Local device imaging.
  • Google Restor: Image macOS computers from a single source. It is an application intended to be run interactively on a machine.
  • Ground Control: Mass deploy (and enroll) iOS devices.
  • Imagr: Open Source imaging and netinstall tool for macOS.
  • libimobiledevice: Suite of tools to configure, inspect, wipe, etc for iOS devices.
  • WinClone: Create windows images for deployment onto Macs.

Log Collection and Analysis

  • Elasticsearch: Open source, very fast log indexing and analysis.
  • RobotCloud Dashboard: Provides more granular and intuitive visibility into devices managed by Jamf Pro.
  • Splunk: Big data log analysis.
  • Tableau: Big data analysis.
  • Watchman Monitoring: Mac focused monitoring agents that inspects common third party tools.
  • Zentral: Open source, built on ElasticSearch, but with hooks into lots of other tools and custom recipes for Mac logs.

Management Suites

Misc

  • Jamf NetSUS: NetBoot and Software Update server appliance from Jamf that packages up Reposado.
  • InfineaIQ: Peripheral management software.
  • Reposado: An open source interpretation of the Apple Software Update Server.
  • Sassafras Keyserver: Centralized software license management server.

Point of Sale

  • Checkout: Point of sale solution that can run on Apple devices.
  • Lightspeed: Point of sale solution that can run on Apple devices.
  • Paygo: Point of sale solution that can run on Apple devices.
  • Posim: Point of sale solution that can run on Apple devices.
  • Shopkeep: Point of sale solution that can run on Apple devices.
  • SquareUp: Point of sale solution that can run on Apple devices.
  • Vend: Point of sale solution that can run on Apple devices.

Print Servers

  • Papercut: Printer cost accounting for the Mac.
  • Printopia: Allows for better printing from iOS devices.

Productivity Tools

  • Alfred: Application Launcher for the Mac.
  • Amphetamine: Keep your Mac running when certain apps are open.
  • Evernote: Make lists and sync them to a cloud service, accessible from iOS and the Mac.
  • ITGlue: Store credentials and information about common IT tools in a SaaS-based database.
  • OmniPlan: Project planning and management tool to make Gantt charts.
  • OmniGraffle: Flowchart and network diagraming tool for the Mac.
  • Slack: Messaging and team management tool.
  • Trello: Make lists and sync them to a cloud service, accessible from iOS and the Mac.
  • Wunderlist: Make lists and sync them to a cloud service, accessible from iOS and the Mac.

Remote Management

  • Apple Remote Desktop: Apple tool for remotely controlling other Macs, sending packages to Macs, and running scripts on Macs over a LAN or directly to an IP address.
  • Bomgar: Appliance that allows for cross-platform remote control of devices.
  • CoRD: RDP client.
  • LogMeIn: Cross-platform remote control utility.
  • GoToMyPC: Cross-platform remote control utility.
  • Microsoft Remote Desktop: The official RDP client for the Mac.
  • Remotix: RDP and VNC client with lots of bells and whistles.
  • TeamViewer: Cross-platform remote control utility.
  • VNC: Open source protocol for remote control, which many of the above tools are based on.

Security Tools

  • Cauliflower Vest: Store FileVault keys on a centralized server.
  • chainbreaker: Forensically acquire keychain information on a Mac.
  • Crypt: FileVault 2 Escrow solution.
  • Digital Guardian: Data Loss Prevention.
  • Google Santa: Binary blacklisting and whitelisting for the Mac.
  • iOS Location Scraper: Dump the contents of the location database files on iOS and macOS.
  • iOS Frequent Location Scraper: Dump the contents of the StateModel#.archive files located in /private/var/mobile/Library/Caches/com.apple.routined/
  • Little Snitch: Provides information about what is accessing network resources and where those resources are.
  • MacForensicsLab: A suite of tools from BlackBag Tech for the acquisition and analysis of forensically acquired Apple devices.
  • Macquisition: A suite of tools from BlackBag Tech for the acquisition and analysis of forensically acquired Apple devices.
  • Objective-See: KnockKnock, TaskExplorer, BlockBlock, RansomWhere?, OverSight, and KextViewr, free tools for enumerating persistent items, running processes and loaded kernel extensions, and for catching new persistence, ransomware-like file encryption, and mic/camera access as it happens.
  • Osquery: Query for information on Macs in a live, granular search.
  • osxcollector: A forensic evidence collection & analysis toolkit for OS X
  • Portecle: Create and manage keystores, keys, certificates, certificate requests, and certificate revocation lists.
  • PowerBroker: Enable standard users on a Mac to perform administrative tasks without entering elevated credentials.
  • Prey: Track Mac and iOS devices if they’re stolen.
  • Recon: A forensic capture and analysis suite for Macs.

Service Desk Tools

  • Freshdesk: Case/ticket management that allows for automatic billing via Freshbooks.
  • Salesforce Cases: Case/ticket management that automatically integrates with SalesforceCRM.
  • ServiceNow: Case/ticket management with an expansive marketplace for integrations.
  • Webhelpdesk: Case/ticket management.
  • Zendesk: Case/ticket management with an expansive marketplace for integrations.

Software Packaging and Package Management

  • Autopkg: Automate the creation of Mac software distribution packages using recipes.
  • CreateUserPkg: Creates packages that create local user accounts when installed. (10.12 and below).
  • JSSImporter: Connects Autopkg to Jamf Pro.
  • Iceberg: Create Mac software distribution packages.
  • InstallApplication: Dynamically download packages for use with MDM’s InstallApplication.
  • ipaSign: Programmatically resign ipa files with a new key.
  • Jamf Composer: Create Mac software distribution packages.
  • Luggage: Open Source project to create a wrapper that makes pkgs for Macs so you can have peer review of a package by examining the diffs between versions of a Makefile.
  • Munkipkg: A simple tool for building packages in a consistent, repeatable manner from source files and scripts in a project directory.
  • Pacifist: A shareware application that opens Mac OS X .pkg package files, .dmg disk images, and .zip, .tar, .tar.gz, .tar.bz2, and .xar archives and allows you to extract individual files and folders out of them.
  • Payload Free Package Creator: An Automator application that uses AppleScript, shell scripting and pkgbuild behind the scenes to create payload-free packages.
  • QuickPkg: Create Mac software distribution packages.
  • Simple Package Creator: Create Mac software distribution packages.
  • Suspicious Package: View the contents of Mac software distribution packages.
  • Whitebox Packages: Create Mac software distribution packages.

Storage

  • Netatalk: Open source AFP file server for Linux and other Unix platforms, so Macs can talk to non-Apple storage using the native protocol.
  • Promise: Apple-vetted direct attached storage (DAS), storage area networking (SAN), etc. 
  • Synology: Storage appliances tailored to working with the Mac.
  • Xsan: The built-in Apple SAN filesystem.

Troubleshooting, Repair and Service Tools

  • AppCleaner: Clean up unneeded files on a Mac.
  • AppleJack: Repair disks/permissions and cleans cache/swap files from single user mode when a Mac can’t fully boot.
  • Bartender: Manage items in the menu bar on a Mac.
  • CleanMyDrive: Drag-and-drop files directly to any drive, check disk stats and automatically clean hidden junk from external drives.
  • Data Rescue: Data recovery tool for Mac.
  • Disk Doctor: Repairs logical drives and cleans up unneeded files.
  • DiskWarrior: Repair logical volume corruption on Macs.
  • Drive Genius: Automates monitoring for hard drive errors, finds duplicate files, allows for repartition of volumes, clones volumes, performs secure erase and defragmentation.
  • Disk Inventory X: Visual representation of what’s on a logical volume in macOS.
  • EasyFind: Find files, folders, or contents in any file without indexing through Spotlight.
  • iStumbler: Wireless discovery tool for Mac that can locate Wi-Fi networks, Bluetooth devices, Bonjour services, and perform spectrum analysis.
  • GeekTool: Put script output and logs directly on the desktop of a Mac.
  • Google PlanB: Remediate Macs that fall out of a given state by performing a secure download of disk images and then putting the device into a management platform.
  • GrandPerspective: Visual representation of what’s on a logical volume in macOS.
  • Hardware Monitor: Read hardware sensor information on a Mac.
  • Lingon: Create, manage, and delete LaunchAgents and LaunchDaemons on macOS.
  • Memtest OS X: Test each RAM module in a Mac.
  • Network Radar: Network scanning and mapping tool.
  • nMap: Advanced port scanning, network mapping, and network troubleshooting.
  • Peak Hour: Network performance, quality and usage monitoring.
  • Omni DiskSweeper: Find and remove unused files in macOS to conserve and reclaim disk space.
  • OnyX: Verify the startup disk and structure of system files, run maintenance and cleaning tasks, configure settings(e.g. for the Finder, Dock, Safari), delete caches, and rebuild various databases and indexes. 
  • Push Diagnostics: Test port and host access for APNs Traffic.
  • Stellar Phoenix: Mac data recovery tool.
  • TechTool Pro: Drive repair, RAM testing, and data protection.
  • TinkerTool: Graphical interface for changing preferences on a Mac that would otherwise need to be managed with the defaults command.
  • Xirrus Wi-Fi Inspector: Search for Wi-Fi networks, run site surveys, troubleshoot Wi-Fi connectivity issues, locate Wi-Fi devices, and detect rogue access points.

Virtualization and Emulation

  • Anka (Veertu): Run Virtual Machines on a Mac.
  • Citrix: Publish Windows application sessions that end users connect to from a Mac using the Citrix Receiver client.
  • Parallels: Run Virtual Machines on a Mac. 
  • Microsoft Windows Terminal Server: Publish Windows sessions that end users connect to from a Mac using standard RDP clients.
  • vFuse: Script to create a VMware Fusion VM from a DMG that hasn’t been booted.
  • VirtualBox: Run Virtual Machines on a Mac. 
  • VMware Fusion: Run Virtual Machines on a Mac. 

Honorable Mention

  • The MacAdmins Slack: Join a community of 15,000 other Admins charged with managing large fleets of Apple devices.
  • Apple Developer Program: Sign up for a developer account in order to get access to beta resources and documentation not otherwise available.
  • AppleSeed Program
  • Your Apple SE
  • Coffee… lots and lots of coffee

November 13th, 2017

Posted In: iPhone, Mac OS X

15 Comments

Added three new flags to precache tonight: --jamfserver, --jamfuser, and --jamfpassword. These provide a Jamf Pro server (or cloud instance), the username of an account that can list the mobile devices on that server, and the password for that account, respectively. When you provide these, the script pulls the unique set of models and then precaches updates for them. It’s similar to grabbing a list of devices:

curl -s -u myuser:mypassword https://myserver.jamfcloud.com/JSSResource/mobiledevices

and then piping the output of that device list to:

perl -lne 'BEGIN{undef $/} while (/<model_identifier>(.*?)<\/model_identifier>/sg){print $1}'

and then running that array as the input to precache.py. One caveat: a password given on the command line (to curl or to precache) shows up in the process list and in your shell history, so on a shared admin box use curl -u myuser (it prompts for the password) or a .netrc file with curl -n, and give that account only the read access it needs. Hope this helps make the script more useful!
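The same model extraction in Python, as an added example (this is not the precache.py code): it parses the XML that /JSSResource/mobiledevices returns with ElementTree instead of a regex, so odd whitespace or nesting won’t break it, and it reads the server and credentials from environment variables (JAMF_SERVER, JAMF_USER and JAMF_PASSWORD are hypothetical names) rather than the command line. SAMPLE_XML is constructed to mirror the shape of the API response and is used when no server is configured.

```python
"""Unique iOS model identifiers from a Jamf Pro mobile-device listing.

Added example; not the precache.py code. SAMPLE_XML is constructed to mirror
the shape of /JSSResource/mobiledevices (duplicates, whitespace and an empty
identifier are deliberate so the parser has something to normalise).
"""
import base64
import os
import sys
import urllib.request
import xml.etree.ElementTree as ET
from typing import List

SAMPLE_XML = """<mobile_devices>
  <size>4</size>
  <mobile_device><id>1</id><name>lab-ipad-01</name>
    <model>iPad Pro (10.5-inch)</model><model_identifier>iPad7,3</model_identifier></mobile_device>
  <mobile_device><id>2</id><name>lab-ipad-02</name>
    <model>iPad Pro (10.5-inch)</model><model_identifier> iPad7,3 </model_identifier></mobile_device>
  <mobile_device><id>3</id><name>sales-iphone-07</name>
    <model>iPhone 7</model><model_identifier>iPhone9,1</model_identifier></mobile_device>
  <mobile_device><id>4</id><name>unknown</name>
    <model></model><model_identifier></model_identifier></mobile_device>
</mobile_devices>
"""


def unique_model_identifiers(xml_text: str) -> List[str]:
    """Return the sorted set of non-empty, trimmed model_identifier values."""
    root = ET.fromstring(xml_text)
    models = set()
    for device in root.iter("mobile_device"):
        ident = (device.findtext("model_identifier") or "").strip()
        if ident:
            models.add(ident)
    return sorted(models)


def fetch_mobile_devices(server: str, user: str, password: str, timeout: float = 30.0) -> str:
    """GET /JSSResource/mobiledevices with HTTP Basic auth and return the XML body."""
    url = server.rstrip("/") + "/JSSResource/mobiledevices"
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    request = urllib.request.Request(
        url, headers={"Accept": "application/xml", "Authorization": "Basic " + token}
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read().decode("utf-8")


def main() -> int:
    # Credentials come from the environment (hypothetical variable names), so
    # the password never lands in `ps` output or shell history.
    server = os.environ.get("JAMF_SERVER")
    user = os.environ.get("JAMF_USER")
    password = os.environ.get("JAMF_PASSWORD")
    if server and user and password:
        xml_text = fetch_mobile_devices(server, user, password)
    else:
        xml_text = SAMPLE_XML  # offline run on the constructed sample
    for ident in unique_model_identifiers(xml_text):
        print(ident)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with the three variables exported to hit a real server, or with none set to see the parser work on the sample; the printed list is what you would feed to precache.py.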

May 13th, 2017

Posted In: iPhone, Mac OS X Server


If you’re in need of MDM in Japanese or German, Jamf Now shipped support for those languages last week. To switch languages, click on your name once logged in, and then click on the language you would like to use. Enjoy.

May 1st, 2017

Posted In: iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


April 23rd, 2017

Posted In: iPhone, MacAdmins Podcast, Mass Deployment


After updating an iPhone, maybe it’s stuck. Doesn’t happen much, but it can happen. When it does, it’s great if you’ve got a backup of your phone. And those traditional means of restarting, resetting, and restoring don’t work any more. Or at least they do, but they’ve moved. If you need to DFU or restore your device, start by plugging the phone into a computer running iTunes. Then press and hold the power button for 3 seconds and, while still holding it, press the volume down button. Hold both for about 10 seconds, then let go of the power button while holding volume down for 5 more seconds. This process is pretty specific and I’ve often had to do it 3-4 times to get it just right. If you see the Apple logo at boot, the device is just rebooting (and that’s usually all I’ve needed). But if you really need restore or DFU mode, you’ll want to see the screen that says Plug Into iTunes. Once you see that, you are in restore mode. If you want DFU mode, you’ll want it right in the middle, where the screen stays black.

April 11th, 2017

Posted In: iPhone


There is a new service in macOS, called Tetherator. tethered-caching is a script that lets you easily and quickly interact with the tethered caching service, which has a few kinda’ cool options. It runs on a client Mac and really speeds up all that crazy provisioning work you do with tethered iOS devices. It can also check for the presence of a macOS Caching Server and use that as a source for the cache. The tethered-caching script is located at /usr/bin/tethered-caching. Before you do anything with the service, check the status. That’s done with the -s option (there’s also a -v option for verbose output):

tethered-caching -s

The results before activation should look as follows:

2017-02-28 10:44:45.730 AssetCacheTetheratorUtil[3665:182657] Tetherator is disabled: (no error)
2017-02-28 10:44:45.746 AssetCacheActivatorUtil[3666:182664] Built-in caching server can be activated.
2017-02-28 10:44:45.762 AssetCacheActivatorUtil[3667:182673] Built-in caching server is deactivated: (no error)

Then start the service using the -n option in tethered-caching, along with the network to serve:

tethered-caching -n 192.168.1.0

This sets the ListenRanges key in the plist and should result in an activation process that appears as follows:

Starting tethered caching…
2017-02-28 10:47:59.691 AssetCacheActivatorUtil[3848:192902] Built-in caching server can be activated.
2017-02-28 10:47:59.706 AssetCacheActivatorUtil[3849:192910] Built-in caching server is deactivated: (no error)
Filtering the log data using "subsystem == "com.apple.AssetCache" AND messageType == 16"
Timestamp (process)[PID]
2017-02-28 10:48:05.098735-0600 localhost AssetCache[2882]: [com.apple.AssetCache.builtin] Built-in Caching Server activated. Exiting to allow re-launch.
2017-02-28 10:48:05.207493-0600 localhost AssetCache[2882]: [com.apple.AssetCache.builtin] Built-in Caching Server shutting down (0)
2017-02-28 10:48:07.362926-0600 localhost AssetCache[3862]: [com.apple.AssetCache.builtin] Built-in Caching Server version 170 started
2017-03-02 10:45:53.753 AssetCacheTetheratorUtil[29283:2526186] Tetherator enabled.
Started tethered caching. To stop it, press control+c once.
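To see what the -n option actually writes, and to check which clients a given ListenRanges entry covers before you point a cart of iPads at the Mac, here is an added example in Python (not an Apple tool). It derives the first/last host pair from a network (for 192.168.1.0/24 that is 192.168.1.1 to 192.168.1.254, which is exactly what the plist ends up holding), tests whether a client address falls in the ranges, and produces the decimal byte value CacheLimit expects. ASSET_CACHE_PREFS is constructed here from the plist values this post shows; the behaviour of ListenRangesOnly and LocalSubnetsOnly is not modelled.

```python
"""Build and check the ListenRanges that `tethered-caching -n` writes.

Added example, not an Apple tool. ASSET_CACHE_PREFS is constructed from the
com.apple.AssetCache.plist values shown in the post.
"""
import ipaddress
import plistlib
from typing import Any, Dict, List

ASSET_CACHE_PREFS: Dict[str, Any] = {
    "Activated": 0,
    "CacheLimit": 0,  # bytes; 0 means no limit
    "DataPath": "/Library/Caches/com.apple.AssetCache",
    "ListenRanges": [{"first": "192.168.1.1", "last": "192.168.1.254"}],
    "ListenRangesOnly": 1,
    "LocalSubnetsOnly": 0,
    "Port": 0,  # 0: the service picks a port itself
    "ReservedVolumeSpace": 2000000000,
}


def listen_ranges_for(network: str) -> List[Dict[str, str]]:
    """First and last usable host of a network, in ListenRanges form."""
    net = ipaddress.ip_network(network, strict=False)
    if net.num_addresses <= 2:  # /31 and /32: every address is usable
        first, last = net.network_address, net.broadcast_address
    else:  # skip the network and broadcast addresses
        first, last = net.network_address + 1, net.broadcast_address - 1
    return [{"first": str(first), "last": str(last)}]


def in_listen_ranges(prefs: Dict[str, Any], client: str) -> bool:
    """True if `client` lies inside any first..last pair in ListenRanges."""
    ip = ipaddress.ip_address(client)
    for entry in prefs.get("ListenRanges", []):
        first = ipaddress.ip_address(entry["first"])
        last = ipaddress.ip_address(entry["last"])
        # v4 and v6 addresses don't compare; check the family first
        if first.version == ip.version and first <= ip <= last:
            return True
    return False


def cache_limit_bytes(gigabytes: int) -> int:
    """CacheLimit is decimal bytes: 100 GB is 100000000000, as in the defaults write below."""
    return gigabytes * 1_000_000_000


def updated_prefs(prefs: Dict[str, Any], gigabytes: int, network: str) -> Dict[str, Any]:
    """Copy of prefs with CacheLimit and ListenRanges replaced."""
    new = dict(prefs)
    new["CacheLimit"] = cache_limit_bytes(gigabytes)
    new["ListenRanges"] = listen_ranges_for(network)
    return new


def to_plist_bytes(prefs: Dict[str, Any]) -> bytes:
    """Serialise as a binary plist, the format the live file uses."""
    return plistlib.dumps(prefs, fmt=plistlib.FMT_BINARY)


def from_plist_bytes(data: bytes) -> Dict[str, Any]:
    return plistlib.loads(data)


if __name__ == "__main__":
    proposed = updated_prefs(ASSET_CACHE_PREFS, 100, "192.168.1.0/24")
    print(proposed["ListenRanges"], proposed["CacheLimit"])
    for client in ("192.168.1.77", "192.168.2.1"):
        print(client, "served" if in_listen_ranges(proposed, client) else "outside ranges")
```

Use the dict this produces to review a change; apply it to the live file with defaults write (as in the CacheLimit example below) rather than overwriting the plist by hand, so cfprefsd sees the change.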
At this point the script calls /usr/bin/AssetCacheLocatorUtil to register and then starts /usr/libexec/AssetCache/AssetCache. Logging for the service is configured by /System/Library/Preferences/Logging/Subsystems/com.apple.AssetCacheServices.plist, which defaults read shows as:

{
    Activator = {};
    "DEFAULT-OPTIONS" = {
        "Default-Privacy-Setting" = Public;
        "Enable-Oversize-Messages" = 1;
        "Event-Log" = { Enabled = Inherit; };
        Level = { Enable = Inherit; Persist = Inherit; };
        TTL = { Debug = 0; Default = 10; Info = 10; };
    };
    Daemon = {};
    Extensions = {};
    Framework = {};
    Tetherator = {};
}

The AssetCache preferences live in /Library/Preferences/com.apple.AssetCache.plist. Read with defaults (it’s a binary plist, so cat won’t show you much), they look like this:

Activated = 0;
CacheLimit = 0;
DataPath = "/Library/Caches/com.apple.AssetCache";
LastConfigData = ;
LastConfigURL = "http://suconfig.apple.com/resource/registration/v1/config.plist";
LastPort = 50775;
ListenRanges = ({first = "192.168.1.1"; last = "192.168.1.254";});
ListenRangesOnly = 1;
LocalSubnetsOnly = 0;
PeerLocalSubnetsOnly = 1;
Port = 0;
PublicRanges = automatic;
ReservedVolumeSpace = 2000000000;
SavedCacheDetails = {};
SavedCacheDetailsOrder = ("Mac Software", "iOS Software", "Apple TV Software", iCloud, Books, "iTunes U", Movies, Music, Other);
SavedCacheDetailsStrings = {all the language keys as arrays, cut here to keep the listing readable};
SavedCacheSize = 0;
ServerGUID = "C5F29418-6158-4D3B-9162-XXX";
Version = 1;

Note that in the above, the LastConfigData key is populated at activation by fetching http://suconfig.apple.com/resource/registration/v1/config.plist (plain HTTP, so expect that outbound request if you firewall the host). I’ve truncated the key as it’s kinda’ long… A simple command that will be pretty common is to increase the size of the cache. To do so, edit the CacheLimit key to the number of bytes you want the cache to be (0 means no limit).

In the following example, we’re writing the CacheLimit key into AssetCache.plist at 100 gigs:

defaults write /Library/Preferences/com.apple.AssetCache.plist CacheLimit -int 100000000000

There’s also com.apple.AssetCache.builtin.plist in /Library/LaunchDaemons, which starts the built-in AssetCache, AssetCacheC and CacheDelete services. Once started, you will have a sqlite3 database called AssetInfo.db at /Library/Caches/com.apple.AssetCache. The basic structure of how data is stored includes the following tables:
  • ZAFFINITY with the following columns: Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZLASTSAVED TIMESTAMP, ZID VARCHAR
  • ZASSET with the following columns: Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZMD5OFFSET INTEGER, ZTOTALBYTES INTEGER, ZCREATIONDATE TIMESTAMP, ZLASTACCESSED TIMESTAMP, ZCHECKSUM VARCHAR, ZGUID VARCHAR, ZINDEX VARCHAR, ZLASTMODIFIEDSTRING VARCHAR, ZNAMESPACE VARCHAR, ZURI VARCHAR, ZMD5CONTEXT BLOB
  • Z_METADATA with the following columns: Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255), Z_PLIST BLOB
  • Z_MODELCACHE with just the Z_CONTENT column
  • Z_PRIMARYKEY with the following columns: Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER
Once enabled, updates are cached on the computer the service runs on, with their metadata stored in the database described above, and the port and network ranges can be changed in the plist when needed.
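As an added example (not code from the original post), the following builds an in-memory copy of the ZASSET table with the columns listed above, fills it with constructed rows, and runs the accounting queries an admin would run against AssetInfo.db: bytes cached per namespace, assets not accessed recently, and whether the cache exceeds a CacheLimit value. The meaning of ZNAMESPACE, ZTOTALBYTES and ZLASTACCESSED, and the ISO text format for the timestamps, are assumptions for the sample data.

```python
import sqlite3
from datetime import datetime, timedelta

# Schema for ZASSET exactly as listed in the post; the other tables are not needed here.
SCHEMA = """
CREATE TABLE ZASSET (
    Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER,
    ZMD5OFFSET INTEGER, ZTOTALBYTES INTEGER,
    ZCREATIONDATE TIMESTAMP, ZLASTACCESSED TIMESTAMP,
    ZCHECKSUM VARCHAR, ZGUID VARCHAR, ZINDEX VARCHAR,
    ZLASTMODIFIEDSTRING VARCHAR, ZNAMESPACE VARCHAR, ZURI VARCHAR,
    ZMD5CONTEXT BLOB
);
"""

# Constructed sample rows (namespace, total bytes, last accessed, URI).
# Assumption: timestamps are ISO text so they compare correctly as strings;
# a real Core Data store may keep them as seconds since 2001-01-01 instead.
SAMPLE_ASSETS = [
    ("ios",    2_500_000_000, "2017-03-01 09:00:00", "/ios/ipsw-a"),
    ("ios",    1_000_000_000, "2017-01-10 12:00:00", "/ios/ipsw-b"),
    ("mac",    5_000_000_000, "2017-02-27 08:30:00", "/mac/pkg-a"),
    ("icloud",   250_000_000, "2016-12-01 18:00:00", "/icloud/blob-a"),
]


def open_sample_db():
    """Create the in-memory sample database; swap in sqlite3.connect(path) for a real AssetInfo.db."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO ZASSET (ZNAMESPACE, ZTOTALBYTES, ZLASTACCESSED, ZURI) VALUES (?, ?, ?, ?)",
        SAMPLE_ASSETS,
    )
    conn.commit()
    return conn


def bytes_per_namespace(conn):
    """Total cached bytes grouped by namespace, largest first."""
    rows = conn.execute(
        "SELECT ZNAMESPACE, SUM(ZTOTALBYTES) FROM ZASSET GROUP BY ZNAMESPACE ORDER BY 2 DESC"
    ).fetchall()
    return {namespace: total for namespace, total in rows}


def stale_assets(conn, now, max_age_days=30):
    """URIs of assets whose last access is older than max_age_days, oldest first."""
    cutoff = (now - timedelta(days=max_age_days)).strftime("%Y-%m-%d %H:%M:%S")
    rows = conn.execute(
        "SELECT ZURI FROM ZASSET WHERE ZLASTACCESSED < ? ORDER BY ZLASTACCESSED", (cutoff,)
    ).fetchall()
    return [uri for (uri,) in rows]


def cache_usage(conn, cache_limit_bytes):
    """Return (total bytes cached, True if that exceeds the CacheLimit value)."""
    total = conn.execute("SELECT COALESCE(SUM(ZTOTALBYTES), 0) FROM ZASSET").fetchone()[0]
    return total, total > cache_limit_bytes


if __name__ == "__main__":
    db = open_sample_db()
    print(bytes_per_namespace(db))
    print(stale_assets(db, datetime(2017, 3, 2, 10, 45, 53)))
    print(cache_usage(db, 100_000_000_000))  # the 100 GB CacheLimit set above
```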

March 27th, 2017

Posted In: Apple Configurator, Apple TV, Apple Watch, iPhone, JAMF, Mac OS X, Mac OS X Server, Mass Deployment, precache


Organizations frequently have another party write iOS apps for them. When doing so, the organization typically wants to sign the .ipa (how iOS apps are deployed) prior to deploying the app to users. To do so, you would sign the .ipa with your provisioning profile. To make doing so easier, here’s ipasign, a python script that does most of the work for ya’:

September 27th, 2016

Posted In: iPhone, Mac OS X, Mac OS X Server


Profile Manager first appeared in OS X Lion Server as the Apple-provided tool for managing Apple devices, including Mobile Device Management (MDM) for iOS based devices as well as Profile management for OS X based computers, including MacBooks, MacBook Airs, Mac Minis, Mac Pros and iMacs running Mac OS X 10.7 and up. Profile Manager has seen a few more updates over the years, primarily in integrating new MDM options provided by Apple and keeping up with the rapidly changing MDM landscape. Apple has added DEP functionality, content distribution, VPP, and other features over the years. In El Capitan Server, there are plenty of new options, including the ability to deploy VPP apps to devices rather than Apple IDs. In this article we’ll get Profile Manager setup and perform some basic tasks.

Preparing For Profile Manager
Before we get started, let’s prep the system for the service. This starts with configuring a static IP address and properly configuring a host name for the server. In this example, the hostname will be osxserver.krypted.com. We’ll also be using a self-signed certificate, although it’s easy enough to generate a CSR and install it ahead of time. For the purposes of this example, we have installed Server from the App Store (and done nothing else with Server except open it the first time so it downloads all of its components from the web) and configured the static IP address using the Network System Preferences. Next, we’ll set the hostname to odr using the scutil tool.

sudo scutil --set HostName odr.krypted.com

Then the ComputerName:

sudo scutil --set ComputerName odr.krypted.com

And finally, the LocalHostName:

sudo scutil --set LocalHostName odr

Now check changeip:

sudo changeip -checkhostname

The changeip command should output something similar to the following:

Primary address = 192.168.210.201
Current HostName = odr.krypted.com
DNS HostName = odr.krypted.com
The names match. There is nothing to change.
dirserv:success = "success"

If you don’t see the success and that the names match, you might have some DNS work to do next, according to whether you will be hosting DNS on this server as well. If you will be hosting your own DNS on the Profile Manager server, then the server’s DNS setting should be set to the IP address of the Server. To manage DNS, start the DNS service and configure as shown previously:


Provided your DNS is configured properly then changeip should work. If you’re hosting DNS on an Active Directory integrated DNS server or some other box then just make sure you have a forward and reverse record for the hostname/IP in question. Profile Manager is built atop the web service, APNS and Open Directory. Next, click on the Web service and just hit start. While not required for Profile Manager to function, it can be helpful.

We’re not going to configure anything else with this service in this article so as not to accidentally break Profile Manager. Do not click on anything while waiting for the service to start. While the indicator light can go away early, note that the Web service isn’t fully started until the path to the default websites is shown (the correct entry, as seen here, should be /Library/Server/Web/Data/Sites/Default) and a View Server Website link is shown at the bottom of the screen. If you touch anything too early then you’re gonna’ mess something up, so while I know it’s difficult to do so, be patient (honestly, it takes less than a minute, wait for it, wait for it, there!).


Once the Web service is started and good, click on the View Server Web Site link at the bottom and verify that the Welcome to OS X Server page loads.

Setting Up Profile Manager
Provided the Welcome to OS X Server page loads, click on the Profile Manager service. Here, click on the Configure button.


At the first screen of the Configure Device Management assistant, click on Next.


Assuming the computer is not yet an Open Directory master or Replica, and assuming you wish to setup a new Open Directory Master, click on Create a new Open Directory domain at the Configure Network Users and Groups screen.


Then click on Next. At the Directory Administrator screen, provide the username and password you’d like the Open Directory administrative account to have (note, this is going to be an Open Directory Master, so this example diradmin account will be used to authenticate to various Apple tools if we want to make changes to the Open Directory users, groups, computers or computer groups from there). Once you’re done entering the correct information, click Next.


At the Organization Information screen, enter your information (e.g. name of Organization and administrator’s email address). Keep in mind that this information will be in your certificate (and your CSR if you submit that for a non-self-signed certificate) that is used to protect both Profile Manager and Open Directory communications. Click Next.


At the Confirm Settings screen, make sure the information that will be used to configure Open Directory is setup correctly. Then click Set Up (as I’ve put a nifty red circle next to – although it probably doesn’t help you find it if it’s the only button, right?).


The Open Directory master is then created. At the Organization Information screen, enter the contact information for an administrator and click on the Next button. Even if you're tying this thing into something like Active Directory, this is going to be a necessary step (unless of course you're already running Open Directory on the system). Once Open Directory is setup you will be prompted to provide the information for an SSL Certificate. At the Organization Information screen, enter your information and click Next.


At the Configure an SSL Certificate screen, choose a certificate and click Next.


This can be the certificate provided when Open Directory is initially configured, which is self-signed, or you can select a certificate that you have installed using a CSR from a 3rd party provider. At this point, if you’re using a 3rd party Code Signing certificate you will want to have installed it as well. Choose a certificate from the Certificate: drop-down list and then click on Next. If using a self-signed certificate you will be prompted that the certificate isn’t signed by a 3rd party. Click Next if this is satisfactory.

If you do not already have a push certificate installed for the system, you will then be prompted to enter the credentials for an Apple Push Notification Service (APNS) certificate. This can be any valid AppleID. It is best to use an institutional AppleID (e.g. push@krypted.com) rather than a private one (e.g. charles@krypted.com). Once you have entered a valid AppleID username and password, click Next. Provided everything is working, you’ll then be prompted that the system meets the Profile Manager requirements. Click on the Finish button to complete the assistant.


When the assistant closes, you will be back at the Profile Manager screen in the Server application. Here, check the box for Sign Configuration Profiles.


The Code Signing Certificate screen then appears. Here, choose the certificate from the Certificate field.


Unless you’re using a 3rd party certificate there should only be one certificate in the list. Choose it and then click on OK. If you are using a 3rd party certificate then you can import it here, using the Import… selection. Then click OK to save your settings. Back at the Profile Manager screen, you will see a field for the Default Configuration Profile. If you host all of your services on the one server (Mail, Calendars, VPN, etc) then leave the box checked for Include configuration for services; otherwise uncheck it.


Profile Manager has the ability to distribute apps and content from the App Store Volume Purchase Program or Apple School Manager. To use this option, first sign up on the VPP site. Once done, you will receive a token file. Using the token file, check the box in Profile Manager for "Volume Purchase Program" or "Apple School Manager" and then use the Configure… button to select the token file.


Now that everything you need is in place, click on the ON button to start the service and wait for it to finish starting (happens pretty quickly).

The process is the same for adding a DEP token. If you're just using Profile Manager to create profiles that you'll import into other tools (Casper, Deploy Studio, Apple Configurator, etc) you can skip adding these tokens as they're likely to cause more problems than they help with. Once you've got everything configured, start the service. Once started, click on the Open Safari link for Profile Manager and the login page opens. Administrators can login to Profile Manager to setup profiles and manage devices.

The URL for this (for odr.krypted.com) is https://odr.krypted.com/profilemanager. Use the Everyone profile to automatically configure profiles for services installed on the server if you want them deployed to all users. Use custom created profiles for everything else. Also, under the Restrictions section for the everyone group, you can choose what to allow all users to do, or whether to restrict access to certain Profile Manager features to certain users. These include access to My Devices (where users enroll in the system), device lock (so users can lock their own devices if they lose them) and device wipe. You can also allow users to automatically enroll via DEP and Configurator using this screen.

Enrolling Into Profile Manager
To enroll devices for management, use the URL https://odr.krypted.com/MyDevices (replacing the hostname with your own). Click on the Profiles tab to bring up a list of profiles that can be installed manually.


From Profiles, click or tap the Enroll button. The profile is downloaded and when prompted to install the profile, click Continue.


Then click Install if installing using a certificate not already trusted.


Once enrolled, click on the Profile in the Profiles System Preference pane to see the settings being deployed.

You can then wipe or lock the device from the My Devices portal. Management profiles from the MDM server are then used. Devices can opt out from management at any time. If you’re looking for more information on moving Managed Preferences (MCX) from Open Directory to a profile-based policy management environment, review this article and note that there are new options in dscl for removing all managed preferences and working with profiles in Mavericks (10.9), Yosemite (10.10), and El Capitan (10.11).

If there are any problems when you’re first getting started, an option is always to run the wipeDB.sh script that resets the Profile Manager (aka, devicemgr) database. This can be done by running the following command:

sudo /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/wipeDB.sh

Automating Enrollment & Random Management Tips
The two profiles needed to setup a client on the server are accessible from the web interface of the Server app. Saving these two profiles to a macOS computer then allows you to automatically enroll devices into Profile Manager using Apple Configurator, as shown in this previous article. When setting up profiles, note that the username and other objects that are dynamically populated can be replaced through a form of variable expansion using payload variables in Profile Manager. For more on doing so, see this article. Note: As the database hasn’t really changed, see this article for more information on backing up and reindexing the Profile Manager database.

Device Management
Once you’ve got devices enrolled, those devices can easily be managed from a central location. The first thing we’re going to do is force a passcode on a device. Click on Devices in the Profile Manager sidebar.


Click on a device in Profile Manager’s admin portal, located at https:///profilemanager (in this case https://odr.krypted.com/profilemanager). Here, you can see:
  • General Information: the type of computer, capacity of the drive, version of OS X, build version, serial number of the system and the currently logged in user.
  • Details: UDID, Ethernet MAC, Wi-Fi MAC, Model, Last Checkin Time, Available disk space, whether Do Not Disturb is enabled and whether the Personal Hotspot is enabled.
  • Security information: If FileVault is enabled, whether a Personal Recovery is set and whether an Institutional Recovery Key has been installed.
  • Restrictions: whether any restrictions have been deployed to the device from Profile Manager.
  • Installed Apps: A list of all the apps installed (packages, App Store, Drivers, via MDM, etc).
  • In Device Groups: which device groups the system is a member of.
  • Certificates: A list of each certificate installed on the computer.

The device screen is where much of the management of each device is handled, such as machine-specific settings or using the cog-wheel icon, wiping, locking, etc. From the device (or user, group, user group or device group objects), click on the Settings tab and then click on the Edit button.

Here, you can configure a number of settings on devices. There are sections for iOS specific devices, macOS specific settings and those applicable to both platforms. Let’s configure a passcode requirement for an iPad.


Click on Passcode, then click on Configure.


At the Passcode settings, let’s check the box for Allow simple value and then set the Minimum Passcode Length to 4. I find that with iOS, 4 characters is usually enough as it’ll wipe far before someone can brute force that. However, if a fingerprint can unlock your devices then more characters is fine as it’s quick to enter them. Click OK to commit the changes.
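Profile Manager writes these choices into a Passcode payload inside the configuration profile it pushes. As an added example (not Profile Manager's code), this builds an unsigned .mobileconfig carrying the settings chosen above (Allow simple value on, Minimum Passcode Length 4) and reads a profile back to report which passcode policy it actually enforces, which is handy when auditing profiles exported for other tools. The payload key names are Apple's documented Passcode payload keys; the identifiers and display names are constructed for this example.

```python
import plistlib
import uuid

# PayloadType Apple uses for the Passcode payload (documented in the Configuration Profile Reference).
PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"
# Keys reported by the audit function; all are documented Passcode payload keys.
REPORTED_KEYS = ("forcePIN", "allowSimple", "minLength", "maxFailedAttempts")


def passcode_payload(min_length=4, allow_simple=True, max_failed=10):
    """One Passcode payload; the defaults mirror the settings chosen in the post.

    maxFailedAttempts is the value that makes the device wipe after repeated wrong
    guesses (the behaviour the post relies on); 10 is the iOS default.
    """
    return {
        "PayloadType": PASSCODE_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.passcode",  # constructed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode",
        "forcePIN": True,
        "allowSimple": allow_simple,
        "minLength": min_length,
        "maxFailedAttempts": max_failed,
    }


def build_profile(payloads, identifier="com.example.passcode-profile"):
    """Wrap payloads in a top-level Configuration profile and return the .mobileconfig bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,  # constructed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy (example)",
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


def passcode_policy(profile_bytes):
    """Return the passcode settings found in a profile, or None if it has no Passcode payload.

    Expects a plain XML/binary plist. A profile exported with Sign Configuration Profiles
    enabled is CMS-wrapped; unwrap it first (on macOS: security cms -D -i profile.mobileconfig).
    """
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == PASSCODE_PAYLOAD_TYPE:
            return {key: payload[key] for key in REPORTED_KEYS if key in payload}
    return None


if __name__ == "__main__":
    profile = build_profile([passcode_payload()])
    print(passcode_policy(profile))
```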


Once configured, click Save. At the “Save Changes?” screen, click Save. The device then prompts you to set a passcode a few moments later. The next thing we’re going to do is push an app. To do so, first find an app in your library that you want to push out. Right-click (or control-click) on the app and click on Show in Finder. You can install an Enterprise App from your library or browse to it using the VPP program if the app is on the store. Before you start configuring apps, click on the Apps entry in the Profile Manager sidebar.


At the Apps screen, use the Enterprise App entry to select an app or use the Volume Purchase Program button to open the VPP and purchase an app. Then, from the https:///profilemanager portal, click on an object to manage and at the bottom of the About screen, click Enable VPP Managed Distribution Services.


Click on the Apps tab.


From the Apps tab, click on the plus sign icon (“+”). At the Add Apps screen, choose the app added earlier and then authenticate if needed, ultimately selecting the app. The app is then uploaded and displayed in the list. Click Add to add to the selected group. Then, click on Done. Then click on Save… and an App Installation dialog will appear on the iOS device you’re pushing the app to. At the App Installation screen on the iPad, click on the Install button (unless you’re using Device-based VPP) and the app will instantly be copied to the last screen of apps on the device. Tap on the app to open it and verify it works. Assuming it does open then it’s safe to assume that you’ve run the App Store app logged in as a user who happens to own the app.

You can sign out of the App Store and the app will still open. However, you won’t be able to update the app as can be seen here.

Note: If you push an app to a device and the user taps on the app and the screen goes black then make sure the app is owned by the AppleID signed into the device. If it is, have the user open App Store and update any other app and see if the app then opens.

Finally, let’s wipe a device. From the Profile Manager web interface, click on a device and then from the cog wheel icon at the bottom of the screen, select wipe. At the Wipe screen, click on the device and then click Wipe. When prompted, click on the Wipe button again, entering a passcode to be used to unlock the device if possible. The iPad then says Resetting iPad and just like that, the technical walkthrough is over.


Note: For fun, you can use the MyDevices portal to wipe your iPad from the iPad itself.

Conclusion
To quote Apple’s Profile Manager page:
Profile Manager simplifies deploying, configuring, and managing them all. It’s one place where you control everything: You can create profiles to set up user accounts for mail, calendar, contacts, and messages; configure system settings; enforce restrictions; set PIN and password policies; and more. Because it’s integrated with the Apple Push Notification service, Profile Manager can send out updated configurations over the air, automatically. And it includes web-based administration, so you can manage your server from any modern web browser. Profile Manager even gives users access to a self-service web portal where they can download and install new configuration profiles, as well as clear passcodes and remotely lock or wipe their Mac, iPhone, or iPad if it’s lost or stolen.
For the money, Profile Manager is an awesome tool. Apps such as Casper, AirWatch, Zenprise, MaaS360, etc all have far more options, but aren't as easy to install (well, Bushel is… 😉), nor do they come at such a low price point. Profile Manager is a great option if all of the tasks you need to perform are available within the tool. If not, then it's worth a look, if only as a means to learn more about the third party tools and to export profiles you'll use in other solutions.

September 27th, 2016

Posted In: iPhone, Mac OS X, Mac OS X Server


In case you’re using DEP and haven’t noticed this, you need to accept the latest terms of service in the Apple license agreement for DEP if you’re going to continue using the service. I don’t usually post emails I get from Apple, but I can easily see orgs using accounts that don’t have email flowing to anyone that is capable of responding, so I strongly recommend you go in and accept the latest and greatest agreements so your stuff doesn’t break! Here’s the email I got from Apple:
Apple Deployment Programs Thank you for participating in the Device Enrollment Program. On September 13 Apple will release updated software license agreements. Your Program Agent must go to the deployment website and accept the following agreements to continue to use the program:
  • iOS 10 Software License Agreement
  • Software License Agreement for macOS Sierra
For more information please see this support article: https://support.apple.com/kb/HT203063.
Note: If you’re using Casper, then the errors you’ll see will be something along the lines of: Unable to Contact https://mdmenrollment.apple.com

September 12th, 2016

Posted In: iPhone, JAMF, Mac OS X, Mac OS X Server, Mac Security, MacAdmins Podcast


September 10th, 2016

Posted In: Articles and Books, iPhone, Mac OS X, Mac OS X Server, Mac Security, MacAdmins Podcast
