Tiny Deathstars of Foulness

The JSS has the ability to upload multiple .vpptokens, and using those, you can upload separate tokens for sites and then provide App Store apps to different sites based on each having some autonomy by having their own token. This is a pretty cool feature. And using the GUI, you can see when each token expires. You can also see a list of tokens using the API. To see a full list of all the tokens, we’ll just use a basic curl command here:

curl -s -u myuser:mypassword

This provides an array of output that has the number of tokens in <size> and the id of each along with their name in <id> and <name> respectively, as follows

<?xml version="1.0" encoding="UTF-8"?><vpp_accounts><size>2</size><vpp_account><id>2</id><name>test</name></vpp_account><vpp_account><id>3</id><name>test2</name></vpp_account></vpp_accounts>

Once you know the id of a token, you can pull a bunch of information about that token using the following command:

curl -s -u myuser:mypassword

The output would be as follows, with the expiration_date indicated:

<?xml version="1.0" encoding="UTF-8"?><vpp_account><id>2</id><name>test</name><contact/><service_token>xxxxxxxxxxyyyyyyyyyyyzzzzzzzzzaaaaaaaabbbbbbbbbbccccccc</service_token><account_name>krypted</account_name><expiration_date>2017/06/30</expiration_date><country>US</country><apple_id/><site><id>-1</id><name>None</name></site><populate_catalog_from_vpp_content>true</populate_catalog_from_vpp_content><notify_disassociation>true</notify_disassociation></vpp_account>

Or to limit the output to just the expiration date of the token, we’ll use sed to constrain:

curl -s -u myuser:mypassword | sed -n -e 's/.*<expiration_date>\(.*\)<\/expiration_date>.*/\1/p'

The output should just be a standard date, as follows:


You can then loop through the output of the vppaccounts, build an IFS array, and display the dates for each, listing sites that are about to expire. For anyone that has a lot of sites with individual tokens, this might come in handy. Enjoy.

Hat tip: I thought I’d have to do this using a database query, but it turns out that the field where the stoken  is stored contains encrypted data different than the initially encoded base64, which I showed how to decrypt at What’s Really In A VPP Token File from Apple’s VPP?. This is to keep that data private. Instead, hat tip to Christian Dooley, who figured out that this is actually available in the API instead, and therefore I didn’t have to hit the database directly to write this article.

June 30th, 2016

Posted In: JAMF

Tags: , , , , , ,

Trying our best to get better, like if you were to watch Star Wars Episodes I through VI, the MacAdmins podcast now has an Episode II. No Jar Jar, but I’m there, so close enough!

Screen Shot 2016-04-05 at 12.02.01 AM

Find it at


April 5th, 2016

Posted In: Articles and Books, Mac OS X, Mac OS X Server, Mac Security, MacAdmins Podcast, Mass Deployment

Tags: , , , , ,

As promised, here’s the presentation I gave this morning at the MacAD UK Conference in London. It is incredibly well put together and all the presentations thus far have just been fantastic. Congrats to the entire team at Amsys and the speakers for such a great show!

MacADUK 2016 Presentation

February 9th, 2016

Posted In: public speaking

Tags: , , , ,

You can leverage the API built into the Casper Suite to do lots and lots of cool stuff, without interacting directly with the database. Here, I’ll use a simple curl command in a bash script that has myuser as the username for a server and mypassword as the password. The server is Basically, we’re going to ask the computers and mobiledevices tables for all their datas. Once we have that, we’ll constrain the output to just the size attribute for each using sed:

curl -s -u myuser:mypassword | sed -n -e 's/.*<size>\(.*\)<\/size>.*/\1/p'
curl -s -u myuser:mypassword | sed -n -e 's/.*<size>\(.*\)<\/size>.*/\1/p'

This same logic can then be applied to any payload of XML data coming out of a REST API. Some API’s have different options to constrain output of a request, some don’t. But no matter whether there is or isn’t, you can loop through a bunch of statements like this. Why would you look to the API to constrain data, etc? Well, it comes down to a cost issue. Each time you run the above commands, you’re costing yourself runtime, you’re taxing the server with potentially a substantial query, and you’re potentially transferring a considerable amount of data over the wires between you and where the script is being run. So if the API is smart enough to give you less data, then you might as well do that. In this case, it isn’t, but if you apply this same sed logic in other scripts, it’s great to be cognizant of remaining as efficient as you can.

December 18th, 2015

Posted In: JAMF

Tags: , , , , , , , , ,

Enrolling iPads and iPhones into JAMF’s Casper suite can be done through Apple Configurator 2, text messages, email invitations, Apple’s Device Enrollment Program (DEP), or using links deployed to iOS devices as web clips. When doing larger deployments the enrollment process can be automated so that devices are automatically enrolled into Casper when set up using an Enrollment Profile that is manually downloaded from Casper and deployed to device. Additionally, a certificate can be needed if the certificate is not included in the profile, an option available as a checkbox in the setup. While you hopefully won’t need to download the certificate, we’ll cover that as well:

Download the Enrollment Profile

To download an enrollment profile from Casper MDM:

  1. Log into the web interface of the JSS.
  2. Click on the link along the top navigation bar for Mobile Devices.
  3. Click on Enrollment Profiles in the sidebar.Screen Shot 2015-12-07 at 1.47.40 PM
  4. Click on the plus sign (+).
  5. Provide a new name for the profile.Screen Shot 2015-12-07 at 1.48.07 PM
  6. Click on the User and Location Information tab.
  7. Enter any of the information you wish to have associated with this account when the profile is used to enroll a device into the JSS (not required – use this if you want your devices to have these associated, like if you use Configurator to setup departments and then associate a blueprint to each department and use an enrollment profile per blueprint).
  8. At the Enrollment Profiles screen, click on Download for the appropriate profile (for most environments there should only be one).
  9. Click on the Save button.
  10. Click on the General tab.
  11. Click on the Download button to download a .mobileconfig file that contains enrollment information.Screen Shot 2015-12-07 at 1.56.12 PM
  12. Click on the Trust Profile button to download the trust profile (a .mobileconfig with our cer).
  13. Once the profile is downloaded, it will automatically attempt to enroll the computer you are downloading it from in the Profiles System Preferences pane.Screen Shot 2015-12-07 at 1.57.25 PM
  14. Click on Cancel.
  15. Click on your downloads and you have now downloaded the two .mobileconfig files that will enroll devices into Casper. Note that if you have a cert signed by a CA you shouldn’t need the Trust Profile.

Add the Profile To Apple Configurator:

To deploy the profile through Apple Configurator:

  1. Open Apple Configurator 2 on the client computer.Screen Shot 2015-12-07 at 1.42.56 PM
  2. Click File and then click on New Blueprint.
  3. Provide a name for your Blueprint.Screen Shot 2015-12-07 at 2.16.06 PM
  4. Once the new Blueprint is created, click on it.
  5. Click on Profiles. 
  6. Click Add Profiles…Screen Shot 2015-12-07 at 2.24.08 PM
  7. Manually add the first profile by browsing to it.
  8. Drag any other profiles into the list.
  9. Apply the Blueprint to devices to see if it works.

If you then wish to unenroll, simply remove the profiles by tapping on profiles and then tapping on the Remove button. Per the MDM API, a user can elect to remove their device from management at any point unless the device is supervised (and then it’s harder but still possible to remove the device from management), so expect this will happen occasionally, even if only by accident.

December 10th, 2015

Posted In: Apple Configurator, iPhone, JAMF, Mass Deployment

Tags: , , , , ,

The jamfHelper binary is used to deploy an alert to client computers that are enrolled in the JSS. This can be a full screen alert with headings, icons, text, and countdowns. This could also just be a small utility window that informs a user that something was installed. You can do similar tasks with push notifications, but I find that a lot of times an APNs update will disappear before someone can click on it. Therefore, we can use the jamfHelper binary to send alert screens in OS X.

We’ll go through a couple of minor examples here. The first is to send a window called KRYPTED that is full screen, with test as the text and “test heading” as a larger bolded heading. Here, we’ll use -title to send a title to the screen, -windowType to set the type as fs, -description for our text payload and finally -heading for the heading on the screen:

/Library/Application\ Support/JAMF/bin/ -title "KRYPTED" -windowType fs -description "test" -heading "test heading"

We called the helper using the full path to the jamfHelper binary, located at /Library/Application\ Support/JAMF/bin/ You might have this stored elsewhere. We also quoted our title, description, and heading. Doing so allows us to use more than one word. I find that I frequently expand variables in this command, so make sure to expand them properly.

The second example we’ll run through is using a little utility window (more similar to a push notifications screen than many of the others). This is a small screen, with a location that you can easily control. Notice that the above command was full screen, so you couldn’t see the title. Here, we’ll display a title and then just a little quick text that says “Firefox is now on your computer”

/Library/Application\ Support/JAMF/bin/ -title "Firefox" -windowType hud -description "Firefox" -description "Firefox is now on your computer"

Which results in a screen that looks like this.

Screen Shot 2015-12-07 at 11.10.31 AM

If you used the hud windowType instead of utility in the above command, your screen would look as follows.

Screen Shot 2015-12-07 at 11.10.50 AM

There are other ways to do things like this (e.g. bighonkintext), but if you use Casper, this is integrated, requires no other languages (e.g. python), and is simple. Enjoy!

December 8th, 2015

Posted In: JAMF, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , ,

I’ve written a number of articles on automating MDM enrollments using Apple Configurator in the past. In Apple Configurator 2, there are some new options that make the process much easier than it’s ever been in the past. To get started, let’s open Apple Configurator 2 and click on a Blueprint we’d like to apply to devices being prepared during a mass iPad or iPhone enrollment through Apple Configurator. Control-click on the Blueprint to set up for automated enrollment and click on the Prepare button.

Screen Shot 2015-11-03 at 11.18.02 PM

At the Organization screen, select the organization you’d like to enroll your device in and click on the Next button.

Screen Shot 2015-11-03 at 6.32.56 PM

At the Server screen, select to enroll in an MDM server.

Screen Shot 2015-11-03 at 6.33.00 PM

At the Define an MDM Server screen, type the name of a server and click Next.

Screen Shot 2015-11-03 at 11.17.22 PM

The server is then located and provided the Apple Configurator 2 system can communicate with the server, you’ll get a choice of the MDM service to enroll into. Select the certificate and click Next.

Screen Shot 2015-11-03 at 11.17.27 PM

At the Supervise Devices screen, select whether you’d like to supervise devices enrolled using Apple Configurator 2. Click Next.

Screen Shot 2015-11-03 at 11.17.32 PM

At the Configure iOS Setup Assistant screen, choose whether to skip some screens during the initial configuration of the device and click on Prepare.

Screen Shot 2015-11-03 at 11.17.38 PM

Now, during the preparation in Apple Configurator, you’ll be able to enroll iOS devices into Profile Manager (or another MDM) en masse.

Additionally, the traditional method of enrollment (Configurator 1) still works. Here, you’d download a trust profile, done using the name in the upper right corner of the Profile Manager interface and then choosing Download Trust Profile.

Screen Shot 2015-11-03 at 11.06.17 PM

You’ll also need the Enrollment Profile, accessed using the plus sign (+) in the lower left corner of the screen and choosing Enrollment Profile.

Screen Shot 2015-11-03 at 11.06.27 PM

The two are then added to the Profiles of a blueprint in Apple Configurator 2. You can also use the Settings for a device group to set placeholders for devices so they’re automatically assigned to a group during mass enrollments like this.

Screen Shot 2015-11-03 at 11.07.09 PM


Overall the options in Apple Configurator 2 with Profile Manager or another MDM are way easier to use than in previous versions. I think a lot of new administrators will be able to easily get used to this workflow. Enjoy!



November 4th, 2015

Posted In: Apple Configurator, iPhone, Mac OS X Server, Mass Deployment

Tags: , , , , , , , , , ,

The latest and greatest of the Enterprise Mac Admin’s Guide is now available for Pre-Order at This is an interesting update. If you happened to see the previous edition, I’d described more about Casper than most of the other third party products on the market.

Screen Shot 2015-10-22 at 11.06.21 AM

In this edition, there’s still an equal amount of information on Casper, but now there’s also more information on FileWave, and a whole chapter on the open source toolchain of products, including Munki and AutoPKG. The main reason I decided to update this title was actually the change from focusing on directory services (which still has plenty of page count) to focusing on profile management.

The most substantial update to the book was Bill Smith though. Bringing him in as a co-author provided a lot of new insight, new content, and a good bit of cleaned up text. He’s been great to work with!

This was a pretty big update, so hope you enjoy!



October 22nd, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , ,

We’d love your help to make the Casper Suite better! And we’re trying to be pretty organized about how we’re trying to get there (being organized and getting better are both ongoing efforts at most organizations) and letting our admins take a stab at helping us to prioritize various initiatives. One way we’re trying to make the product better is in UX. So if you have some time and want to help us organize the various tasks and workflows in Casper, please feel free to take this quick UX study at!

Screen Shot 2015-10-20 at 10.10.54 AM

Thanks for helping us make your life easier!

October 20th, 2015

Posted In: JAMF

Tags: , ,

JAMF Software has long had 0 day support for new Apple releases. The latest version of Bushel allows you to enroll El Capitan devices. Casper 9.8 also allows you to enroll devices. There are certainly going to be subsequent updates that allow us to do even more. This was a tricky one, as the jamf binary had to be moved and there were some new enrollment policies, to keep your Apple devices as secure as possible!

Bushel is SaaS, so it’s available today. Casper should be updated. You can access our installers using your My Assets page on JAMF Nation. Happy updating!


September 20th, 2015

Posted In: JAMF, Mac OS X, Mac Security, Mass Deployment

Tags: , , , , , , , ,

Next Page »