krypted.com

Tiny Deathstars of Foulness

Ever wanted to be able to view devices from your Jamf server from within your Freshdesk environment? Well, I just posted a new integration on the Jamf Marketplace just for Freshdesk.


This plugin will display a search bar on the right side of the screen. Enter a serial number to find your devices. If a match is found, you’ll see information on the device (note: this is up on GitHub so you can change what fields you see).

If you don’t find anything that matches a given pattern, you’ll get an error.

April 2nd, 2018

Posted In: JAMF, Product Management

Tags: , ,

Hey look, there’s a new category on the Jamf Marketplace, available at https://marketplace.jamf.com/apps/#category=AppConfig,selecting the AppConfig category. The new AppConfig category gives administrators of any MDM that supports AppConfig access to a set of apps that support AppConfig. If you have an app that isn’t listed here, feel free to let me know. 

What does this mean? Well, AppConfig is a way of sending data into an app. App config allows a customer to deploy settings into applications on iOS devices in much the same way that settings can be sent into a Mac app via the defaults command. This means an end user could get an app installed on their device from the iOS App Store, a custom app, or a B2B app and that app would have any settings the user might need to connect to servers or configure the experience.

So what is Managed App Config? At it’s most basic, you identify a label and a value in XML and send it to an iOS device that’s running iOS 7 or later (e.g. via Jamf 9 and up). The vendor who makes the app has to basically define what those settings are. Which brings up an interesting problem never fully addressed with defaults domains: standardization and ease-of-use (although MCX was close). 


AppConfig.org  is a consortium of MDM vendors and software vendors that maintain the emerging AppConfig standards around Managed App Config (within the confines of what Apple gives vendors) and then makes a feed of settings for apps that conform to those standards. Jamf is a founding member of Appconfig.org, along with MobileIron and AirWatch. Examples of what you could put into the AppConfig.org feed include 
  • Enabling certain features of apps
  • Server URLs
  • Logos (if they’re pulled dynamically)
  • Text labels
  • Language packs

To see a list of apps that are available, check out http://www.appconfig.org. 

Managed App Config options are set by vendors at compile time within the code and then the XML sent with the app is parsed by the app at installation time. If you’re a software vendor who wants to get started with AppConfig, check out the Spec Creator from Jamf Research or get in touch with the developer relations team from any MDM vendor.

If you’re a customer of an app and would like to leverage Managed App Config and your vendor isn’t listed on the appconfig.org site, get in touch with them, as this is the future of app management and chances are that you won’t be the only organization looking to unlock this type of feature. 

Let’s look at how this actually works. The Managed App Config options per supported app are available on a feed. The feed is available at http://d2e3kgnhdeg083.cloudfront.net. Here, as follows, you’ll see a list of all of the apps supported.


You can then copy the path for an app, such as com.adobe.Adobe-Reaser/1/appconfig.xml and append it to the end of the URL to get the feed for that specific app. You can test this using http://d2e3kgnhdeg083.cloudfront.net/com.adobe.Adobe-Reader/1/appconfig.xml to see output as follows.


Here, note that most of these fields are key value pairs defined by Adobe (in this example at least). You can enable or disable features of Adobe Reader using these keys. The same is true with a tool like Box that might want a more granular collection of settings than a feature like Managed Open In. 

Once you have the XML, you can then copy it to the clipboard and paste it into the App Configuration tab of an app, as follows. 

Finally, Apple has sample code available at https://developer.apple.com/library/content/samplecode/sc2279/Introduction/Intro.html

March 13th, 2018

Posted In: iPhone, JAMF

Tags: , , , , , , ,

Been working on a new plugin to embed device details from Jamf Pro into Jira Service Desk. It looks a little like this:


To access the plugin, see the links below.

https://github.com/krypted/Jira-Device-Lookups-in-Jamf

February 13th, 2018

Posted In: JAMF

Tags: , , , , ,

Here’s a quick extension attribute to check for OSX/MaMi. Basically, I’m just looking for one of the two DNS servers that always gets put into the list. From what I’ve seen they always come in pairs.  Below is a gist.
Oh and thanks Katie for noticing my errant space! 😉

January 23rd, 2018

Posted In: JAMF, Mac OS X

November 19th, 2017

Posted In: JAMF, MacAdmins Podcast

Tags: , , , ,

Jamf is proud to announce zero-day support for macOS High Sierra, iOS 11, and tvOS 11 with the release of Jamf Pro 9.101. In addition to compatibility for all of Apple’s fall operating systems, Jamf Pro 9.101 also includes new features that include the latest payloads, restrictions and MDM commands.

Highlights of what’s new:

macOS High Sierra

  • Zero-touch provisioning of Mac devices with the Apple File System (APFS)
  • Cisco Fast Lane quality of service (QoS) support for apps
  • New security settings and configurations
  • New restrictions, including the ability to defer software updates for up to 90 days

iOS 11

  • An MDM command to upgrade non-DEP supervised devices to iOS 11
  • New restrictions, including AirPrint, manual VPN settings and systems app deletion

tvOS 11

  • Defining Home screen layout on an Apple TV
  • Showing or hiding specific tvOS apps
  • Restricting tvOS media content and ability to modify device name
  • Setting passwords for Apple TV devices to share automatically to specific iPads

Healthcare Listener enhancements and more

In addition to providing pre zero-day support for Apple’s upcoming operating systems, Jamf Pro 9.101 extends the power of the Healthcare Listener to add support for tvOS by making the remote wipe command available for Apple TV devices. Further, Jamf Pro 9.101 includes a new API for Lost Mode, new settings for re-enrollment, and security enhancements for the deployment of in-house iOS apps.

Next steps:

You can download Jamf Pro 9.101 through Jamf Nation in the “My Assets” page. If you’re using a hosted version at jamfcloud.com, the upgrade will be done automatically. If you regularly schedule your upgrade, please contact your Account Representative to schedule your upgrade. To locate your account representative, see https://www.jamf.com/jamf-nation/my/account-team.

For more information on this release, download the release notes. If you have any questions about this release or anything else, please do not hesitate to reach out.


Download Jamf Pro 9.101 now

September 12th, 2017

Posted In: JAMF

Tomcat logs events into the system log. You can use the get-wmiobject commandlet to see events. Here, we’ll look at a JSS and view only system events: Get-WmiObject Win32_NTLogEvent -ComputerName $jss -Filter "LogFile='system' We can then use AND to further constrain to specific messages, in this case those containing Tomcat: Get-WmiObject Win32_NTLogEvent -ComputerName $jss -Filter "LogFile='system' AND (Message like '%Tomcat%') We can then further constrain output to those with a specific EventCode with another compound statement: Get-WmiObject Win32_NTLogEvent -ComputerName $jss -Filter "LogFile='system' AND (Message like '%Tomcat%') AND (EventCode=1024) For a comprehensive list of Windows event codes, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx. You could instead use get-eventlog to see system logs. For example, the following will list the latest 100 entries in the system log: Get-Eventlog -LogName system -Newest 1000 And the following lists the number of unique entries in descending order using Sort-Object, along with the -Property option set to count: Get-Eventlog -LogName system -Newest 1000 | Sort-Object -Property count -Descending And the following would additionally constrain the output to entries with the word Tomcat using the -Message option: Get-Eventlog -LogName system -Newest 1000 -Message "*Tomcat*" | Sort-Object -Property count -Descending And to focus on a server called jss, use the -ComputerName option: Get-Eventlog -LogName system -Newest 1000 -Message "*Tomcat*" -ComputerName "localhost" | Sort-Object -Property count -Descending

July 11th, 2017

Posted In: JAMF, Windows Server

Tags: , , , , , , ,

Here’s a new extension attribute at https://github.com/krypted/ituneshash/blob/master/ituneshash.sh for grabbing the hash ID used for iTunes Store accounts, useful with VPP: #!/bin/sh # # # #Jamf Pro Extension Attribute to return the App Store Account Hash for iTunes #Note that the return is null if one is not found # # result=`/usr/libexec/mdmclient QueryAppInstallation | grep iTunesStoreAccountHash | sed '/.*\"\(.*\)\".*/ s//\1/g'` echo "<result>$result</result>" The output is something like:
<result>oBSmAAAa0nUAAACBHe5AaALlNBg=</result>
Which would bring the string into Jamf Pro

April 26th, 2017

Posted In: JAMF, Mac OS X, Mac OS X Server, Mac Security

Tags: , , , ,

There is a new service in macOS, called Tetherator. Tethered-caching is a script that allows you to easily and quickly interact with the tethered-caching service, which has a few kinda’ cool options. This is on a client, and really speeds up all that crazy provisioning stuff you do. It can also check for the presence of a macOS Caching Server and use that as a source for the cache. The tethered-caching script is located at /usr/bin/tethered-caching. Before you do anything with the service, check the status. That’s done with the -s option (there’s also a -v option to get verbose): tethered-caching -s The results before activated should be as follows:
2017-02-28 10:44:45.730 AssetCacheTetheratorUtil[3665:182657] Tetherator is disabled: (no error) 2017-02-28 10:44:45.746 AssetCacheActivatorUtil[3666:182664] Built-in caching server can be activated. 2017-02-28 10:44:45.762 AssetCacheActivatorUtil[3667:182673] Built-in caching server is deactivated: (no error)
Then start the service using the -n option in tethered-caching, along with the IP range to be used: tethered-caching -n 192.168.1.0 This sets the ListenRanges key in the plist and should result in an activation process that appears as follows:
Starting tethered caching… 2017-02-28 10:47:59.691 AssetCacheActivatorUtil[3848:192902] Built-in caching server can be activated. 2017-02-28 10:47:59.706 AssetCacheActivatorUtil[3849:192910] Built-in caching server is deactivated: (no error) Filtering the log data using “subsystem == “com.apple.AssetCache” AND messageType == 16″ Timestamp (process)[PID] 2017-02-28 10:48:05.098735-0600 localhost AssetCache[2882]: [com.apple.AssetCache.builtin] Built-in Caching Server activated. Exiting to allow re-launch. 2017-02-28 10:48:05.207493-0600 localhost AssetCache[2882]: [com.apple.AssetCache.builtin] Built-in Caching Server shutting down (0) 2017-02-28 10:48:07.362926-0600 localhost AssetCache[3862]: [com.apple.AssetCache.builtin] Built-in Caching Server version 170 started 2017-03-02 10:45:53.753 AssetCacheTetheratorUtil[29283:2526186] Tetherator enabled. Started tethered caching. To stop it, press control+c once.
At this point, you’re calling /usr/bin/AssetCacheLocatorUtil to register and then start /usr/libexec/AssetCache/AssetCache via /System/Library/Preferences/Logging/Subsystems/com.apple.AssetCacheServices.plist which defaults read nets: {Activator = {}; "DEFAULT-OPTIONS" = { "Default-Privacy-Setting" = Public; "Enable-Oversize-Messages" = 1; "Event-Log" = { Enabled = Inherit;}; Level = { Enable = Inherit; Persist = Inherit;}; TTL = {Debug = 0;Default = 10;Info = 10;};}; Daemon = {}; Extensions = {}; Framework = {}; Tetherator = {};} The AssetCache preferences can be seen by catting /Library/Preferences/com.apple.AssetCache.plist: Activated = 0; CacheLimit = 0; DataPath = "/Library/Caches/com.apple.AssetCache"; LastConfigData = ; LastConfigURL = "http://suconfig.apple.com/resource/registration/v1/config.plist"; LastPort = 50775; ListenRanges = ({first = "192.168.1.1";last = "192.168.1.254";}); ListenRangesOnly = 1; LocalSubnetsOnly = 0; PeerLocalSubnetsOnly = 1; Port = 0; PublicRanges = automatic; ReservedVolumeSpace = 2000000000; SavedCacheDetails = {}; SavedCacheDetailsOrder = ("Mac Software","iOS Software","Apple TV Software",iCloud,Books,"iTunes U",Movies,Music,Other); SavedCacheDetailsStrings = {All the language keys as arrays - which I cut out to truncate the contents of the plist read}; SavedCacheSize = 0; ServerGUID = "C5F29418-6158-4D3B-9162-XXX"; Version = 1; Note that in the above, the LastConfigData key is pulled at activation by curling http://suconfig.apple.com/resource/registration/v1/config.plist. I’ve truncated the key as it’s kinda’ long… A simple command that will be pretty common is to increase the size of the cache. To do so, you’d just edit that CacheLimit key to be the number that you want the cache to be. In the following example, we’re writing the CacheLimit key into AssetCache.plist at 100 gigs: defaults write /Library/Preferences/com.apple.AssetCache.plist CacheLimit -int 100000000000 There’s also com.apple.AssetCache.builtin.plist in /Library/LaunchDaemons which starts the builtin AssetCache, AssetCacheC, and CacheDelete service. Once started, you will have a sqlite3 database called AssetInfo.db at /Library/Caches/com.apple.AssetCache. A basic structure of how data is stored includes the following tables:
  • ZAFFINITY with the following column: Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZLASTSAVED TIMESTAMP, ZID VARCHAR
  • ZASSET with the following columns: Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZMD5OFFSET INTEGER, ZTOTALBYTES INTEGER, ZCREATIONDATE TIMESTAMP, ZLASTACCESSED TIMESTAMP, ZCHECKSUM VARCHAR, ZGUID VARCHAR, ZINDEX VARCHAR, ZLASTMODIFIEDSTRING VARCHAR, ZNAMESPACE VARCHAR, ZURI VARCHAR, ZMD5CONTEXT BLOB
  • Z_METADATA with the following columns: Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255), Z_PLIST BLOB
  • Z_MODELCACHE with just the Z_CONTENT column
  • TABLE Z_PRIMARYKEY with the following columns: Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER
Once enabled, updates will be cached to the computer that the service is enabled on, metadata stored in the previously mentioned database, and then change ports and network ranges when needed.

March 27th, 2017

Posted In: Apple Configurator, Apple TV, Apple Watch, iPhone, JAMF, Mac OS X, Mac OS X Server, Mass Deployment, precache

Tags: , , ,

The next release of iOS (10.3), macOS (10.12.4), and tvOS (10.2) bring us a host of new management features. These include DEP configuration, remote wipe, single app mode, conference room mode, and remote reboot for Apple TVs. The next evolution of iOS brings us sounds in lost mode, the ability to prevent users from connecting to unmanaged wireless networks (just make sure to push that policy after sending down the actual managed wireless networks – or eek), the option to remotely shut down and reboot devices, The Mac options includes some of the above but also restricting the feature to unlock macOS devices with Touch ID, restrict documents and desktop syncing with Apple’s iCloud service. Shared iPad environments also get new passcode policies. Jamf Pro 9.98 has also comes with Symantec PKI integration and lots, and lots, and lots of resolutions to product issues. For more, see https://www.jamf.com/blog/are-you-ready-for-apples-next-release/. For a full run-down of profile options and MDM commands: http://docs.jamf.com/9.98/casper-suite/release-notes/What’s_New_in_This_Release.html. Keeping with Apple’s evolving standards, Managed Preferences and Provisioning Profiles are being deprecated: http://docs.jamf.com/9.98/casper-suite/release-notes/Deprecations_and_Removals.html (which isn’t to say you can’t still deploy these kinds of things using your own scripts, etc). Finally, if you have a problem in your environment and want to see if it’s been fixed, for a list of defects and product improvements – see http://docs.jamf.com/9.98/casper-suite/release-notes/Bug_Fixes_and_Enhancements.html

March 23rd, 2017

Posted In: JAMF, Mac OS X, Mac OS X Server

Tags: , , , ,

Next Page »