krypted.com

Tiny Deathstars of Foulness

April 26th, 2016

Posted In: Apple TV, iPhone, Mac OS X, Mac OS X Server, Mac Security, MacAdmins Podcast

Tags: , , , , , , ,

Leave a Comment

Apple School Manager is a portal used to create classes, import students, manage Managed Apple IDs, and link all these things together. You can use a Student Information System (SIS) to create these classes, import students, etc. But, only if you have a SIS with an API that Apple links to. If you don’t, you’ll need to import data using csv files. And you’ll need to import four csv files: Classes, Instructors, Staff, and of course Students.

Many schools will already have this data in Active Directory or another LDAP-based solution. Here, we’ll look at getting the information out of Active Directory and into csv. The LDIFDE utility exports and imports objects from and to Active Directory using the ldif format, which is kinda’ like csv when it gets really drunk and can’t stay on one line. Luckily, ldif can’t drive. Actually, each attribute/field is on a line (which allows for arrays) and an empty line starts the next record. Which can make for a pretty messy looking file the first time you look at one. The csvde command can be used to export data into the csv format instead. In it’s simplest form the ldifde command can be used to export Active Directory objects just using a -f option to specify the location (the working directory that we’re running the ldifde command from if using powershell to do so or remove .\ if using a standard command prompt):

ldifde -f .\ADExport.ldf

This exports all attributes of all objects, which overlap with many in a target Active Directory and so can’t be imported. Therefore, you have to limit the scope of what you’re exporting, which you can do in a few ways. The first is to only export a given OU (in this case called Students, but you could do one for Teachers, one for each grade, etc). To limit, you’ll define a dn with a -d flag followed by the actual dn of the OU you’re exporting and then you’d add a -p for subtree. In the following example we’ll export all of the objects from the sales OU to the StudentsOUExport.ldf file:

ldifde -d "OU=Students,DC=krypted,DC=local" -p subtree -f .\StudentsOUExport.ldf

Once you have the ldif file, you’ll want to convert it from ldif to csv. Some apps to do so:

Once you have the file in csv form, you can import it using the Apple School Manager web interface.

April 22nd, 2016

Posted In: Articles and Books, iPhone, Mac OS X, Mac OS X Server, Mac Security

Tags: , , ,

Leave a Comment

Casper 9.9 has shipped! After the most thorough of testing and field enablement, JAMF has shipped Casper 9.9, with tons of new awesomeness for iOS 9.3. You now have the ability to do Lost Mode, which allows you to see where a lost device is, and allows your users the peace of mind that their privacy is protected by informing them that administrators looked at the location of a device (and you can assign a custom Lost Mode message, for example providing a reward for the return of a lost device). You can also manage a number of Notification Center features. You now have the ability to use the Classroom App in conjunction with education device deployments. You now have the ability to unlock new, great payloads, such as placing badges where you want them on a home screen. You can also now use the B2B App Store with Casper. And for the first time, you also have the ability to show and hide apps!

And cool new features aren’t limited to iOS. Casper can also now manage Active Directory bindings with DEP devices using the Active Directory/LDAP payloads, streamlining those workflows in a more supportable fashion. And manage user account types. This brings us closer and closer to true zero-touch deployments. And lots of issues are resolved that make your installation (e.g. detecting Java versions) and management (e.g. some cool new screens) more and more stable and user friendly with each release!

So log into JAMF Nation, and check out Casper 9.9 in your testing environment, and unlock all the new coolness. 🙂

Screen Shot 2016-03-31 at 11.04.27 AM

March 31st, 2016

Posted In: iPhone, JAMF, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , ,

Merry Christmas ya’ll!

On the first day of Christmas my true love gave to me one 32 gig iPad

On the second day of Christmas my true love gave to me two bash one-liners

On the third day of Christmas my true love gave to me three Red Hat servers

On the fourth day of Christmas my true love gave to me four email blasts

On the fifth day of Christmas my true love gave to me five retweets

On the sixth day of Christmas my true love gave to me six regular expressions

On the seventh day of Christmas my true love gave to me seven lines of perl

On the eighth day of Christmas my true love gave to me eight app store apps

On the ninth day of Christmas my true love gave to me nine AWS instances

On the tenth day of Christmas my true love gave to me ten Active Directory forests

On the eleventh day of Christmas my true love gave to me 11 crappy python scripts

On the twelfth day of Christmas my true love gave to me 12 craft brews

xmas-ornament-computer-ram

December 25th, 2014

Posted In: iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , , , , , , , ,

There are a number of tools available for using Syslog in a Windows environment. I’ll look at Snare as it’s pretty flexible and easy to configure. First download the snare installation executable from http://sourceforge.net/projects/snare. Once downloaded run the installer and simply follow all of the default options, unless you’d like to password protect the admin page, at which point choose that. Note that the admin page is by default only available to localhost.

Once installed, run the “Restore Remote Access to Snare for Windows” script.

Screen Shot 2014-04-10 at 10.56.43 AM

Then open http://127.0.0.1:6161 and click on Network Configuration in the red sidebar. There, we can define the name that will be used in syslog (or leave blank to use the hostname), the port of your syslog server (we used 514 here) and the address of your syslog server (we used logger here but it could be an IP or fqdn).

Screen Shot 2014-04-08 at 10.58.04 AM

 

Once you have the settings you’d like to use, scroll down and save your configuration settings. Then, open Services and restart the Snare service.

Screen Shot 2014-04-08 at 10.56.22 AM

Then run the Disable Remote Access to Snare for Windows option and you’re done. Now, if you’re deploying Snare across a lot of hosts, you might find that scripting the config is faster. You can send the Destination hostname (here listed as meh) and Destination Port (here 514) via regedit commands (Destination and DestPort respectively) and then restart the service.

Screen Shot 2014-04-08 at 10.56.51 AM

I’ll do another article at some point on setting up a logstash server to dump all these logs into. Logstash can also parse the xml so you can search for each attribute in the logs and with elasticsearch/hadoop/Kibana makes for an elegant interface for parsing through these things.

April 13th, 2014

Posted In: Active Directory, Windows Server, Windows XP

Tags: , , , , , , ,

Trusts in Active Directory allow objects from one Domain or Forest to access objects in another Domain or Forest and allows administrators. To setup a trust:

  • Login with a user in the Domain Admins group if you are setting up a Domain trust or Enterprise Admins if you are setting up a Forest trust (if you cannot use an account in one of these groups, you can use an account in the Incoming Forest Trust Builders group)
  • Open Administrative Tools
  • Open Active Directory Domains and Trusts
  • Right-click the name of the domain
  • Click Properties
  • Click on the Trust tab
  • Click New Trust
  • Click Next
  • Click on the Trust Name page
  • Type the DNS or NetBIOS name of the forest you are connecting to
  • Click Next.
  • Click on the Trust Type page
  • Click Forest trust
  • Click Next
  • Click on the Direction of Trust page
  • To create a two-way (transitive) forest trust, click Two-way or if you’d only like to share objects one-way, click One-way
  • If One-way, choose the direction of the trust
  • Click continue to complete the wizard

Once completed, click on the Trust tab to view the trust. Then open a group, go to add a member and click on the Location button. At this screen you should see your domain and then below it another that has an icon with three triangles, similar to the Hyrule logo in Zelda. In fact, a lot of Active Directory is similar to Zelda, such as where do I find that sword, where’s the shield, etc. Just without a princess…

Anyway, you can then limit who can access the trust using the Selective authentication options in the Outgoing Trust Properties page if needed.

April 9th, 2014

Posted In: Active Directory, Windows Server

Tags: , , , , ,

Changing the Forest Mode in Active Directory can be scripted. I find this useful when regression testing such tasks in a sandbox (e.g. restore image, automate login, change mode, run tests, etc). The script is very simple. First, you’ll import he ActiveDirectory modules:

Import-Module -Name ActiveDirectory

Then you’ll check for the mode prior to running:

Get-ADForest | Format-Table ForestMode

Then you’ll change the forest and domain modes (one per line):

Set-ADForestMode –Identity “krypted.com” –ForestMode Windows2008Forest
Set-ADDomainMode –Identity “krypted.com” –DomainMode Windows2008Domain

Then you’ll report the result:

Get-ADForest | Format-Table Name , ForestMode

The end result could be as simple as three lines if just testing:

Import-Module -Name ActiveDirectory
Set-ADForestMode –Identity “krypted.com” –ForestMode Windows2008Forest
Set-ADDomainMode –Identity “krypted.com” –DomainMode Windows2008Domain

April 8th, 2014

Posted In: Active Directory, Mass Deployment, Windows Server, Windows XP

Tags: , , ,

You can use PowerShell to pretty much get anything you want out of Active Directory. Let’s say you want to see when the last time a user changed their password was. You can use the Get-ADUser commandlet to obtain any attribute for a user in the Active Directory schema. To use Get-ADUser, you’ll need to define a scope. In this example, we’ll do so using the -filter option and filter for everyone, using an *. That could be a lot of data, so we’re also going to look for the property, or attribute of PasswordLastSet using the -Properties option:

Get-ADUser –filter * -Properties PasswordLastSet

We can then add a little more logic and pipe the output to a conditional statement that just looks at who hasn’t ever changed their password.

Get-ADUser –filter * -Properties PasswordLastSet | Where { $_.passwordLastSet –eq $null }

A more common task, we could also look for the last 90 days, using “(get-date).adddays(-90)” in our filter. We don’t want to display disabled users, so we could do something like this (note the curly brackets allow us to compound search):

Get-ADUser -filter {(passwordlastset -le $90days) -AND (enabled -eq $True)}

April 1st, 2014

Posted In: Active Directory, Windows Server

Tags: , , , , , ,

Here’s a little powershell script to enable mailboxes based on an OU and put their new mailbox into a given database. To customize, change OU=ORGANIZATIONALUNIT,DC=companyname,DC=com to the DN for the OU you are configuring. Also, change DATABASENAME to the name of the information store that you’d like to use for the mailboxes in that OU.

Import-module activedirectory

$OUusers = Get-ADUser -LDAPfilter ‘(name=*)’ -searchBase {OU=ORGANIZATIONALUNIT,DC=companyname,DC=com}
foreach($username in $OUusers)
{
Enable-Mailbox -Identity $username.SamAccountName -database {DATABASENAME}
}

March 21st, 2014

Posted In: Microsoft Exchange Server, Windows Server

Tags: , , , , , ,

Next Page »