krypted.com

Tiny Deathstars of Foulness

If you’re in need of MDM in Japanese or German, Jamf Now shipped support for those languages last week. To switch languages, click on your name once logged in, and then click on the language you would like to use.

Enjoy.

May 1st, 2017

Posted In: iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


I mentioned mdmclient when I gave the talk on the inner workings of Mobile Device Management, or MDM. There, I spent a lot of time on APNs and profiles, but just kinda’ spoke about mdmclient in terms of it being the agent that runs on macOS to provide mdm parity for the Mac. The mdmclient binary is located at /usr/libexec/mdmclient and provides pretty limited access to see how the Mac reacts to and interprets information coming from a device management provider.

I had been meaning to do a write-up on mdmclient and document what it can do since it first shipped. But as luck would have it, @Mosen on the Slacks beat me to the punch with a fantastic resource at https://mosen.github.io/profiledocs/troubleshooting/mdmclient.html. So here I’d like to focus on just 3 examples of using mdmclient. The first is to see what insight an MDM has into the applications installed (whether that information is actually committed to a database somewhere or not) using QueryInstalledApps:

/usr/libexec/mdmclient QueryInstalledApps

Here, we can see an array output of each bundle installed:

{BundleSize = 27457223;
Identifier = "com.hipchat.HipChat";
Name = HipChat;
ShortVersion = "3.1.6";
Version = "3.1.6";}

Now, we can end up with duplicates, and so focus on just the unique Identifier keys, as follows:

/usr/libexec/mdmclient QueryInstalledApps | grep Identifier | sort -u

The second iteration is to see installed profiles. The most basic of these is to see user profiles, which can be obtained using QueryInstalledProfiles, as follows:

/usr/libexec/mdmclient QueryInstalledProfiles

Now, I could see using the profiles command with the -L option that I have a profile to configure office365 on my machine:

profiles -L

charlesedge[1] attribute: profileIdentifier: com.jamfsw.office365.a5f0e328-ea86-11e3-a26c-6476bab5f328
There are 1 user configuration profiles installed for 'charlesedge'

To see what that same information looks like when queried from an MDM solution:

/usr/libexec/mdmclient QueryInstalledProfiles

QueryInstalledProfiles then returns:

({HasRemovalPasscode = 0;
IsEncrypted = 0;
PayloadContent = (
{PayloadDisplayName = "Charles Edge's Office 365";
PayloadIdentifier = "com.jamfsw.office365.a5f0e328-ea86-11e3-a26c-6476bab5f328.exchange.a5f2ccd9-ea86-11e3-b1e0-6476bab5f328";
PayloadType = "com.apple.ews.account";
PayloadUUID = "a5f2ccd9-ea86-11e3-b1e0-6476bab5f328";
PayloadVersion = 1;});
PayloadDescription = "This will configure your Office 365 account for your Mac.";
PayloadDisplayName = "Charles Edge's Office 365";
PayloadIdentifier = "com.jamfsw.office365.a5f0e328-ea86-11e3-a26c-6476bab5f328";
PayloadOrganization = "JAMF Software";
PayloadRemovalDisallowed = 0;
PayloadUUID = "a5f0e328-ea86-11e3-a26c-6476bab5f328";
PayloadVersion = 1;
SignerCertificates = ();})

You can then take action based on this type of information, allowing you to either fill a database for agent-based management, or simply take action if something is missing, etc.
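
One way to act on this output, as an added example that is not from the original post: the functions below list the profile-level identifiers in QueryInstalledProfiles output and report any required profile that is missing. The sample output is constructed from the listing above, the parsing assumes that layout, and com.example.required.filevault is a hypothetical identifier.

```sh
#!/bin/sh
# Added example (not from the original post): flag required configuration
# profiles that are absent from QueryInstalledProfiles output.

# Print profile-level PayloadIdentifier values from mdmclient output on stdin.
# Identifiers nested inside PayloadContent sit one parenthesis level deeper
# and are skipped, so each installed profile is listed once.
profile_ids() {
  awk '
    {
      id = ""
      if (match($0, /PayloadIdentifier = "[^"]*"/))
        id = substr($0, RSTART + 21, RLENGTH - 22)
      bare = $0
      gsub(/"[^"]*"/, "", bare)            # ignore parentheses inside values
      depth += gsub(/[(]/, "&", bare)      # arrays opened on this line
      if (id != "" && depth == 1) print id
      depth -= gsub(/[)]/, "&", bare)      # arrays closed on this line
    }'
}

# Print each required identifier (arguments) missing from the output on stdin.
missing_profiles() {
  installed=$(profile_ids)
  for want in "$@"; do
    printf '%s\n' "$installed" | grep -Fxq -- "$want" || printf '%s\n' "$want"
  done
}

# Constructed sample, modelled on the output shown above (straight quotes).
sample_output() {
  cat <<'EOF'
({HasRemovalPasscode = 0;
PayloadContent = (
{PayloadDisplayName = "Charles Edge's Office 365";
PayloadIdentifier = "com.jamfsw.office365.a5f0e328-ea86-11e3-a26c-6476bab5f328.exchange.a5f2ccd9-ea86-11e3-b1e0-6476bab5f328";
PayloadType = "com.apple.ews.account";});
PayloadIdentifier = "com.jamfsw.office365.a5f0e328-ea86-11e3-a26c-6476bab5f328";
PayloadOrganization = "JAMF Software";
SignerCertificates = ();})
EOF
}

# On a Mac, pipe /usr/libexec/mdmclient QueryInstalledProfiles in instead.
# com.example.required.filevault is a hypothetical identifier.
sample_output | missing_profiles \
  com.jamfsw.office365.a5f0e328-ea86-11e3-a26c-6476bab5f328 \
  com.example.required.filevault
```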

QueryInstalledProfiles covers user profiles. To see system profiles, you’ll need installedProfiles:

/usr/libexec/mdmclient installedProfiles | grep "Profile Name"

Run without the grep for a considerably more verbose amount of information.

Finally, let’s look at one more piece of information, which is the hash for the iTunes Store. That’s a point I’ve made a number of times, that the iTunes account email address is never provided to an MDM, once associated to a device or user on a device. Instead, there’s a hash of the account. These are important with VPP, as they allow for reversing (according to the MDM) which users have claimed which apps, or which users are using a given app, as well as how many devices they’re accessing those from. To see a hash, as an MDM sees it:

/usr/libexec/mdmclient QueryAppInstallation | grep iTunesStoreAccountHash

There’s a lot more you can do here, and I’m sure we’ll see a lot more over time. However, the work from @mosen combined with the opening up of the documentation on profiles and the mdm protocol helps to shed some light on how things work under the hood, and how we can use these features to provide greater programmatic management for the Mac.

For example, to grab that iTuneshash from earlier, as a Jamf extension attribute you could use the following: https://github.com/krypted/ituneshash/blob/master/ituneshash.sh

April 28th, 2017

Posted In: Mac OS X, Mac OS X Server, Mac Security


Here’s a new extension attribute at https://github.com/krypted/ituneshash/blob/master/ituneshash.sh for grabbing the hash ID used for iTunes Store accounts, useful with VPP:

#!/bin/sh
#
#
#
#Jamf Pro Extension Attribute to return the App Store Account Hash for iTunes
#Note that the return is null if one is not found
#
#
result=`/usr/libexec/mdmclient QueryAppInstallation | grep iTunesStoreAccountHash | sed '/.*\"\(.*\)\".*/ s//\1/g'`
echo "<result>$result</result>"

The output is something like:

<result>oBSmAAAa0nUAAACBHe5AaALlNBg=</result>

Which would bring the string into Jamf Pro.

April 26th, 2017

Posted In: JAMF, Mac OS X, Mac OS X Server, Mac Security


April 23rd, 2017

Posted In: iPhone, MacAdmins Podcast, Mass Deployment


MySQL usually pulls settings from a my.cnf file. However, you can end up with settings in include files, which can be defined in the my.cnf using the following directives:

!include /home/mydir/myopt.cnf
!includedir /home/mydir

Because of this, and the fact that you might not have access to all locations of .cnf files on a filesystem, you can also grab them using the SHOW VARIABLES statement within SQL, run from the command line as follows:

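/usr/local/mysql/bin/mysql -uroot -pmypassword -e "SHOW VARIABLES;" > /tmp/SQLSettings.txt

In the above command, -uroot defines that we’ll be accessing with the root user, -p defines the password (listed as mypassword, and written with no space after -p, since the client otherwise prompts for the password and treats the next word as a database name) and -e defines that we want to execute a command and then quit. We then use > to dump the output into the defined file. A password typed on the command line can end up in shell history and be visible to other users in the process list, so on a shared host use -p on its own and enter the password at the prompt.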
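
Where the option files are readable, the include chain can also be walked directly. The following added example (not from the original post) lists a my.cnf and every file it pulls in; MySQL's option-file syntax writes the directives as !include and !includedir, and !includedir reads files ending in .cnf. The sample tree and its settings are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): list every option file a my.cnf
# pulls in, so settings that live in include files can be reviewed as well.

# Print FILE, then (recursively) each file named by !include and each *.cnf
# file in a directory named by !includedir. The body runs in a subshell so the
# variables stay local; the depth argument stops recursion on include loops.
list_option_files() (
  file=$1 depth=${2:-0}
  if [ -r "$file" ] && [ "$depth" -lt 10 ]; then
    printf '%s\n' "$file"
    sed -n 's/^[[:space:]]*!\(include\(dir\)\{0,1\}\)[[:space:]]\{1,\}/\1 /p' "$file" |
    while read -r kind target; do
      if [ "$kind" = include ]; then
        list_option_files "$target" $((depth + 1))
      else
        for cnf in "$target"/*.cnf; do
          if [ -f "$cnf" ]; then list_option_files "$cnf" $((depth + 1)); fi
        done
      fi
    done
  fi
)

# Build a constructed sample tree in a temp directory and print its path.
make_sample_tree() {
  dir=$(mktemp -d) && mkdir "$dir/conf.d" || return 1
  printf '[mysqld]\nport=3306\n!include %s\n!includedir %s\n' \
    "$dir/extra.cnf" "$dir/conf.d" > "$dir/my.cnf"
  printf '[mysqld]\nmax_connections=200\n' > "$dir/extra.cnf"
  printf '[mysqld]\nskip_name_resolve=1\n' > "$dir/conf.d/a.cnf"
  printf 'not an option file\n' > "$dir/conf.d/notes.txt"   # ignored: not *.cnf
  printf '%s\n' "$dir"
}

# Prints my.cnf, extra.cnf and conf.d/a.cnf under the temp directory.
tree=$(make_sample_tree)
list_option_files "$tree/my.cnf"
rm -rf "$tree"
```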

April 21st, 2017

Posted In: Mac OS X, SQL


10.12.4 gives us a new option to recheck enrollment via DEP! You can now use the -N flag to recheck a DEP configuration and, if a computer is not enrolled in the correct listing, move the enrollment. This should make for an ability to move devices between servers, change the URL string in an enrollment profile, and recheck for the removal of an enrollment profile.

To use the option, simply run profiles with the -N option (with elevated privileges):

sudo profiles -N

For the Mac, there are a lot of ways to programmatically handle enrollment, so this is a nice new feature, but not a game changer. But, while not yet available in iOS, if the same functionality could be had with, say, a MDM command, then you would be able to migrate iOS devices between MDMs, provided you already put the data in place so policies ran as expected.

April 18th, 2017

Posted In: Mac OS X, Mac OS X Server, Mac Security

There’s a macOS tool called AssetCacheLocatorUtil located at /usr/bin/AssetCacheLocatorUtil. The output is in… stderr. Because stderr is so fun to work with (note that sed -i only works with stdin). So, to update the caching server(s) you are using and only print the IP address of those, you’d do the following:

/usr/bin/AssetCacheLocatorUtil 2>&1 | grep guid | awk '{print$4}' | sed 's/^\(.*\):.*$/\1/' | sort -u

If you use Jamf Pro and would like to use this as an extension attribute, that’s posted here: https://github.com/krypted/cachecheck. I didn’t do any of the if/then there, as I’d usually just do that on the JSS.

April 17th, 2017

Posted In: Mac OS X, Mac Security, Mass Deployment, Network Infrastructure, precache


I recently had an issue where QuickLook was crashing every time I clicked on certain file types. I thought they were unsupported by QuickLook. But it turns out that they were animated and trying to start while the QuickLook animation was starting. So I disabled the QuickLook animation and the files appeared as intended. To do so, write a key called QLPanelAnimationDuration into the global defaults database, with a -float value of 0, as follows:

defaults write -g QLPanelAnimationDuration -float 0

April 16th, 2017

Posted In: Mac OS X


April 13th, 2017

Posted In: MacAdmins Podcast

After updating an iPhone, maybe it’s stuck. Doesn’t happen much, but it can happen. When it does, it’s great if you’ve got a backup of your phone. And those traditional means of restarting, resetting, and restoring don’t work any more. Or at least they do, but they’ve moved.

If you need to DFU or restore your device, start by plugging the phone into a computer running iTunes. Then press and hold the power button down for 3 seconds and press the volume down button while you’re holding that power button. Hold both down for about 10 seconds and let go of the power button, holding the volume down button for 5 more seconds.

This process is pretty specific and I’ve often had to do it 3-4 times to get it just right. If you see the Apple logo at boot, the device is just rebooting (and that’s usually all I’ve needed). But if you really need it to go into restore or DFU-mode, you’ll want to see the screen that says Plug Into iTunes. Once you see that, you are in restore mode. If you want to be in DFU mode, you’ll want it right in the middle, where the screen is black.

April 11th, 2017

Posted In: iPhone

