As promised, here’s the presentation I gave this morning at the MacAD UK Conference in London. It is incredibly well put together and all the presentations thus far have just been fantastic. Congrats to the entire team at Amsys and the speakers for such a great show!
krypted February 9th, 2016
Posted In: public speaking
You can leverage the API built into the Casper Suite to do lots and lots of cool stuff, without interacting directly with the database. Here, I’ll use a simple curl command in a bash script that has myuser as the username for a server and mypassword as the password. The server is myserver.jamfcloud.com. Basically, we’re going to ask the computers and mobiledevices tables for all their data. Once we have that, we’ll constrain the output to just the size attribute for each using sed:
curl -s -u myuser:mypassword https://myserver.jamfcloud.com/JSSResource/computers | sed -n -e 's/.*<size>\(.*\)<\/size>.*/\1/p'
curl -s -u myuser:mypassword https://myserver.jamfcloud.com/JSSResource/mobiledevices | sed -n -e 's/.*<size>\(.*\)<\/size>.*/\1/p'
This same logic can then be applied to any payload of XML data coming out of a REST API. Some APIs have options to constrain the output of a request, some don’t. Either way, you can loop through a bunch of statements like this. Why would you look to the API to constrain data? It comes down to cost. Each time you run the above commands, you’re costing yourself runtime, you’re taxing the server with a potentially substantial query, and you’re potentially transferring a considerable amount of data over the wire between the server and where the script is being run. So if the API is smart enough to give you less data, you might as well ask for less. In this case, it isn’t, but if you apply this same sed logic in other scripts, it’s worth staying as efficient as you can.
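An added example, not part of the original post: the same size query with the credentials fed to curl on stdin rather than through -u on the command line, where they are visible in the process list and shell history. JSS_URL, JSS_USER, JSS_PASS and the function names are assumptions, and the XML payload is constructed sample data.

```shell
#!/bin/bash
# Added example, not from the original post. JSS_URL, JSS_USER, JSS_PASS and
# the function names are hypothetical; the XML below is constructed sample data.

# Build a curl config line holding the credentials. printf is a shell builtin,
# so the password never appears in another process's argument list.
# Assumes the password contains no double quote or backslash.
curl_auth_config() {
  printf 'user = "%s:%s"\n' "$1" "$2"
}

# Fetch one JSSResource collection; curl reads the credentials from stdin
# (--config -) instead of from -u on the command line.
jss_get() {
  curl_auth_config "$JSS_USER" "$JSS_PASS" |
    curl -s --config - "${JSS_URL}/JSSResource/$1"
}

# Print the text of each <size> element read from stdin, one per line.
# grep -o isolates every element first, so this also works when the API
# returns the whole document on a single line.
extract_size() {
  grep -o '<size>[^<]*</size>' | sed -e 's/<[^>]*>//g'
}

# Constructed payload in the shape of a /JSSResource/computers response.
SAMPLE_XML='<?xml version="1.0" encoding="UTF-8"?><computers><size>2</size><computer><id>1</id><name>mac-01</name></computer><computer><id>2</id><name>mac-02</name></computer></computers>'

# Offline demonstration of the parsing step.
printf 'sample computers: %s\n' "$(printf '%s' "$SAMPLE_XML" | extract_size)"

# Live run only when a server is configured, e.g.
#   JSS_URL=https://myserver.jamfcloud.com JSS_USER=myuser ./jss_sizes.sh
# with JSS_PASS read from a prompt or a secrets store rather than typed inline.
if [ -n "${JSS_URL:-}" ]; then
  for resource in computers mobiledevices; do
    printf '%s: %s\n' "$resource" "$(jss_get "$resource" | extract_size)"
  done
fi
```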
krypted December 18th, 2015
Posted In: JAMF
Enrolling iPads and iPhones into JAMF’s Casper Suite can be done through Apple Configurator 2, text messages, email invitations, Apple’s Device Enrollment Program (DEP), or using links deployed to iOS devices as web clips. When doing larger deployments, the enrollment process can be automated so that devices are automatically enrolled into Casper when set up, using an Enrollment Profile that is manually downloaded from Casper and deployed to the device. Additionally, a certificate can be needed if the certificate is not included in the profile, an option available as a checkbox in the setup. While you hopefully won’t need to download the certificate, we’ll cover that as well:
Download the Enrollment Profile
To download an enrollment profile from Casper MDM:
Add the Profile To Apple Configurator:
To deploy the profile through Apple Configurator:
If you then wish to unenroll, simply remove the profiles by tapping on profiles and then tapping on the Remove button. Per the MDM API, a user can elect to remove their device from management at any point unless the device is supervised (and then it’s harder but still possible to remove the device from management), so expect this will happen occasionally, even if only by accident.
krypted December 10th, 2015
The jamfHelper binary is used to deploy an alert to client computers that are enrolled in the JSS. This can be a full screen alert with headings, icons, text, and countdowns. This could also just be a small utility window that informs a user that something was installed. You can do similar tasks with push notifications, but I find that a lot of times an APNs update will disappear before someone can click on it. Therefore, we can use the jamfHelper binary to send alert screens in OS X.
We’ll go through a couple of minor examples here. The first is to send a window called KRYPTED that is full screen, with test as the text and “test heading” as a larger bolded heading. Here, we’ll use -title to send a title to the screen, -windowType to set the type as fs, -description for our text payload and finally -heading for the heading on the screen:
/Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -title "KRYPTED" -windowType fs -description "test" -heading "test heading"
We called the helper using the full path to the jamfHelper binary, located at /Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/. You might have this stored elsewhere. We also quoted our title, description, and heading. Doing so allows us to use more than one word. I find that I frequently expand variables in this command, so make sure to expand them properly.
The second example we’ll run through is using a little utility window (more similar to a push notification screen than many of the others). This is a small screen, with a location that you can easily control. Notice that the above command was full screen, so you couldn’t see the title. Here, we’ll display a title and then just a little quick text that says “Firefox is now on your computer”:
/Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -title "Firefox" -windowType utility -description "Firefox is now on your computer"
Which results in a screen that looks like this.
If you used the hud windowType instead of utility in the above command, your screen would look as follows.
There are other ways to do things like this (e.g. bighonkintext), but if you use Casper, this is integrated, requires no other languages (e.g. python), and is simple. Enjoy!
krypted December 8th, 2015
I’ve written a number of articles on automating MDM enrollments using Apple Configurator in the past. In Apple Configurator 2, there are some new options that make the process much easier than it’s ever been in the past. To get started, let’s open Apple Configurator 2 and click on a Blueprint we’d like to apply to devices being prepared during a mass iPad or iPhone enrollment through Apple Configurator. Control-click on the Blueprint to set up for automated enrollment and click on the Prepare button.
At the Organization screen, select the organization you’d like to enroll your device in and click on the Next button.
At the Server screen, select to enroll in an MDM server.
At the Define an MDM Server screen, type the name of a server and click Next.
The server is then located and, provided the Apple Configurator 2 system can communicate with the server, you’ll get a choice of the MDM service to enroll into. Select the certificate and click Next.
At the Supervise Devices screen, select whether you’d like to supervise devices enrolled using Apple Configurator 2. Click Next.
At the Configure iOS Setup Assistant screen, choose whether to skip some screens during the initial configuration of the device and click on Prepare.
Now, during the preparation in Apple Configurator, you’ll be able to enroll iOS devices into Profile Manager (or another MDM) en masse.
Additionally, the traditional method of enrollment (Configurator 1) still works. Here, you’d download a trust profile, done using the name in the upper right corner of the Profile Manager interface and then choosing Download Trust Profile.
You’ll also need the Enrollment Profile, accessed using the plus sign (+) in the lower left corner of the screen and choosing Enrollment Profile.
The two are then added to the Profiles of a blueprint in Apple Configurator 2. You can also use the Settings for a device group to set placeholders for devices so they’re automatically assigned to a group during mass enrollments like this.
Overall the options in Apple Configurator 2 with Profile Manager or another MDM are way easier to use than in previous versions. I think a lot of new administrators will be able to easily get used to this workflow. Enjoy!
krypted November 4th, 2015
The latest and greatest of the Enterprise Mac Admin’s Guide is now available for Pre-Order at http://www.amazon.com/Enterprise-Mac-Administrators-Guide-Second/dp/1484217055/ref=sr_1_1?s=books&ie=UTF8&qid=1445529968. This is an interesting update. If you happened to see the previous edition, I’d described more about Casper than most of the other third party products on the market.
In this edition, there’s still an equal amount of information on Casper, but now there’s also more information on FileWave, and a whole chapter on the open source toolchain of products, including Munki and AutoPKG. The main reason I decided to update this title was actually the change from focusing on directory services (which still has plenty of page count) to focusing on profile management.
The most substantial update to the book was Bill Smith though. Bringing him in as a co-author provided a lot of new insight, new content, and a good bit of cleaned up text. He’s been great to work with!
This was a pretty big update, so hope you enjoy!
krypted October 22nd, 2015
We’d love your help to make the Casper Suite better! And we’re trying to be pretty organized about how we’re trying to get there (being organized and getting better are both ongoing efforts at most organizations) and letting our admins take a stab at helping us to prioritize various initiatives. One way we’re trying to make the product better is in UX. So if you have some time and want to help us organize the various tasks and workflows in Casper, please feel free to take this quick UX study at https://jamf.optimalworkshop.com/optimalsort/edge!
Thanks for helping us make your life easier!
krypted October 20th, 2015
Posted In: JAMF
JAMF Software has long had 0 day support for new Apple releases. The latest version of Bushel allows you to enroll El Capitan devices. Casper 9.8 also allows you to enroll devices. There are certainly going to be subsequent updates that allow us to do even more. This was a tricky one, as the jamf binary had to be moved and there were some new enrollment policies, to keep your Apple devices as secure as possible!
Bushel is SaaS, so it’s available today. Casper should be updated. You can access our installers using your My Assets page on JAMF Nation. Happy updating!
krypted September 20th, 2015
As we’ve grown, one of the most exciting things for the team has been to watch our customers use Bushel to help solve some of their workplace problems. A few have shared their stories with us, and we’re excited to highlight one here on our blog. If you’re inspired to share your own, we’d love to hear from you! Reach out anytime at email@example.com.
krypted July 23rd, 2015
Mobile Device Management (MDM) is an additional layer of security provided to a standard deployment of mobile devices. In the Apple management context, MDM provides our customers with a way to monitor devices, to make sure that devices fit within the boundaries of what our customers consider to be good security, to make it easier to set up devices (by quickly providing WiFi information, helping to deploy apps, etc.) and of course to get a good inventory of the devices you have out there in the wild.
krypted July 13th, 2015