Tag Archives: ios

Bushel iPhone Mac OS X Mac OS X Server Mac Security Mass Deployment Minneapolis

Bushel: The Device Enrollment Program (DEP) In Action

Apple’s Device Enrollment Program (DEP for short) allows you to automatically setup devices with the settings you need on devices that your organization purchases. In Bushel, we give you the ability to link an Apple DEP account up with your Bushel account. This allows devices to add themselves automatically to your Bushel when the devices are activated. We tend to think this is the coolest thing since sliced bread and so we want to make sure you know how to use the feature.

Setup Device Enrollment Program in Bushel

To get started, log into your Bushel and click on Devices. Here, click the button for Device Enrollment Program.

XcKrpO-M0gXF27l0exLKtVbNMLdI1itn8ThiXRqW3xQ

Download your certificate and go to deploy.apple.com and log into your Device Enrollment Program account. Click on Manage Servers in the Deployment Programs sidebar.

Screen-Shot-2014-10-14-at-2.12.49-PM

Next, click on Add MDM Server and provide the certificate we gave you and a name. Once Bushel has been added to your Device Enrollment Program (DEP) account, click on Assign by Serial Number to add your first device. Assuming the device is part of your DEP account, enter the serial number for the device and choose which server (the one you just added) that the device should reach out to on activation to pull settings from.

Screen-Shot-2014-10-14-at-2.13.53-PM

Once you’ve added the server, you’ll be greeted by a screen that says Assignment Complete. You can now wipe the device and upon reactivation the device will pull new settings from your Bushel.

Screen-Shot-2014-10-14-at-2.13.58-PM

The Device Enrollment Program in Bushel

Click OK and you can add more devices. Once your devices are added into the Apple DEP portal they will automatically appear in the DEP screen of your Bushel. Click on a device to assign a username and email address, if you will be using email.

xdWSZrVkYs6wWHgmzfmdkOdmZjSXVMDqrypOkqCaC3w-1

Good luck!

iPhone Mac Security Network Infrastructure

Listen To iOS Network Communications

OS X has a command called rvictl, which can be used to proxy network communications from iOS devices through a computer over what’s known as a Remote Virtual Interface, or RVI. To setup an rvi, you’ll need the udid of a device and the device will need to be plugged into a Mac and have the device paired to the Mac. This may seem like a lot but if you’ve followed along with a couple of the other articles I’ve done recently this should be pretty simple. First we’ll pair:

idevicepair pair

Then tap Trust on the device itself. Then we’ll grab that udid with idevice_id:

idevice_id -l

Next, we’ll setup a rvi with rvictl and the -s option (here I’m just going to grab the udid since I only have one device plugged into my computer):

rvictl -s `idevice_id -l`

Then we can list the connections using rvictl with the -l option:

rvictl -l

Next, we’ll run a tcpdump using this newly constructed rvi0:

tcpdump -n -i rvi0

Next, we’ll get a lot of logs. Let’s fire up the Nike FuelBand app and refresh our status. Watching the resultant traffic, we’ll see a line like this:

22:42:29.485691 IP 192.168.0.12.57850 > 54.241.32.20.443: Flags [S], seq 3936380112, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 706439445 ecr 0,sackOK,eol], length 0

There’s an IP in there, 54.241.32.20. We can look this up and see that the servers are sitting on Amazon Web Services and verify it’s Nike. Watching the traffic with tcpdump we can then obtain GET, POST and other information sent and received. Using wireshark we could get even more detailed data.

Overall though, this article is meant to focus on the iOS side of this and not on debugging and refining the approach to using tcpdump/wireshark. rvictl is a great tool in the iOS development cycle and for security researchers that are looking into how many of the apps on iOS devices exchange data. Enjoy.

Bushel

Bushel Interview with Tech.mn

Slowly but surely information about what I left 318 to do has been leaking out. And I wouldn’t say leaking. More like being broadcast to the world. I’ve worked on a few little things here and there at JAMF Software since my arrival. But my core duty is to shepherd the development and strategy behind a new Mobile Device Management tool called Bushel. A little more about Bushel is available here, and I’ll likely post more about it here when the time is right:

http://tech.mn/news/2014/11/04/jamf-software-bushel-apple-device-management/

And to access the Bushel site:

http://www.bushel.com

And some of the writing that are now finding their way onto the Bushel blog:

http://blog.bushel.com

bushel-wordmark-dark@2x

Mac OS X Mac OS X Server Mac Security

qlmanage

QuickLook scans file contents before you open those files. Usually this just lets you view a file quickly. But you can also use this same technology from the command line to bring about a change to the Finder without actually opening a file. To access QuickLook from the command line, use qlmanage.

qlmanage -p ~/Desktop/MyTowel42.pdf

While open, click the space bar to go back to your Terminal session. The most notable use case here is that when you use qlmanage you don’t run the risk of changing the date/time stamp of the files.

Product Management

How Product Managers Think Users Will React To New Features

Mac OS X Server Windows Server Windows XP

Yosemite Server SMB and Windows

A few people have hit me up about issues getting Windows machines to play nice with the SMB built into Yosemite Server and Windows. Basically, the authentication dialog keeps coming up even when a Mac can connect. So there are two potential issues that you might run into here. The first is that the authentication method is not supported. Here, you want to enable only the one(s) required. NTLMv2 should be enabled by default, so try ntlm:

sudo serveradmin settings smb:ntlm auth = "yes"

If that doesn’t work (older and by older I mean old as hell versions of Windows), try Lanman:

sudo serveradmin settings smb:lanman auth = “yes"

The second is that the authentication string (can be seen in wireshark) doesn’t include the workgroup/domain. To resolve this, simply include the Server name or workgroup in the beginning of the username followed by a backslash(\). So you might do this as a username if your NetBios name were kryptedserver:

kryptedserver\charles

To get that exact name, use serveradmin again, to look at the smb:NetBIOSName attribute:

smb:NetBIOSName = "kryptedserver"

Wearable Technology

Integrate Nike Running App With Apple’s Health App

The new Health app from Apple provides a conduit to run all of your health data through on an iOS device in order to then provide you with a single pane of glass to see all of your health related data. This can include diet, workouts, weight, blood pressure, etc, provided that the vendors of such devices or apps you may use support those features. The Nike Running app (not yet for the Fuelband) is one such app. And if you track runs with Nike Running then you’ll want to setup the integration asap, as the Health app only looks at runs that are configured after you setup the integration.

To integrate the app into Health (and therefore showcase what Health can do) we’ll simply upgrade it and do so real quick. The first step is to upgrade the Nike+ Running app. To do so, open the App Store, tap on Updates and find the Nike+ Running app. Here, tap Update and provide your password.

IMG_1717

When the app is finished updating, open it. You should be prompted on the first open after the update to setup Health Access. Here, use the sliders for each of the items you’d like to sync to Health. These include your NikeFuel (the fuel points obtained per run), the Workouts and, if you have a device that tracks Heart Rate, whether or not the Running app can access that Heart Rate data. Tap Done when you’re satisfied with your settings.

IMG_1713

From within the Health app, you can then see what Health reads from and writes to the NikeFuel app. Open the Health app, tap on Fitness and then NikeFuel. Here, you can change the settings that were previously configured.

IMG_1714

The NikeFuel entry will then start to sync with your Nike account. Tapping on NikeFuel in the Health app provides you the option to Show on Dashboard, which is the first screen of your Health app. Toggle this to enable the option.

IMG_1715

Once enabled, you can see stats from your Nike Running app on the dashboard in Health. The data is then useable by other apps that can also integrate with Health, provided you allow it.

IMG_1716

When the next run is synchronized, you should see data from the run populate the NikeFuel entry on the dashboard. The FuelBand, Nike Basketball and Nike Training Club apps have not been integrated into Health. But when they are, I’ll try and remember to come back and update this article.

 

Mac OS X Mac OS X Server Mac Security Mass Deployment

One Month To The MacTech Conference!

We’re one month out.
Are you missing out?

MacTech Conference is our 3-day, immersive, technical conference specifically designed for Apple IT Pros, Enterprise, developers, and programmers.

MacTech Conference has been working hard to give you the best event in the most cost effective ways we can.  Part of the way we do that is through Pre-Registration Pricing, which expires in three weeks, and saves you $200!

MacTech Conference is not only about learning, but about forming relationships and building networks. MacTech is known for world-class speakers and content, but it’s also known for the entire experience, food, and activities.  All together, you have the opportunity to spend time with your peers, and we’ll help you get to know new people and expand your network.

As an immersive conference, we’ll have you busy from morning until night … having a whole lot of fun in the process.  And, we’ve already let you know about some of our plans including:

  • General Event Information
  • Speakers from around the globe
  • Activities including a very special visit to Disney Animation Studios
  • Workshops for your hands on, deep-dive
  • Accreditations from Microsoft and Apple

MacTech Conference is an amazing 3 day event: one you should not miss.  Now is the time to register and save $200. Meals and activities are included along with the sessions and awesome content.

Register now, and save.

Main Conference: November 5-7, 2014
Pre-Conference Workshops: Nov 4th, 2014

Manhattan Beach Marriott • Los Angeles

http://www.mactech.com/conference/

Mac Security Mass Deployment MobileMe Network Infrastructure

Network Port Testing With Netcat

You can do some pretty simple testing of ports and network communications using strategies I’ve outlined in the past with tcpdump, trace route, telnet, curl, stroke and of course ping. However, netcat has a few interesting things you can do with it; namely actually run a port super-quickly to test traffic between subnets, forcing scans of ipv6 traffic, debugging sockets, keeping connections alive, parodying through SOCKS 4 and 5 and just checking for daemons that are listening rather than actually sending data to them.

In this first example, we’re going to just check that Apple’s web server is accessible (adding -v for verbose output):

/usr/bin/nc -v www.apple.com 80

The result would be pretty verbose

found 0 associations
found 1 connections:
1: flags=82<CONNECTED,PREFERRED>
outif en0
src 10.10.20.176 port 50575
dst 23.78.138.214 port 80
rank info not available
TCP aux info available

Connection to www.apple.com port 80 [tcp/http] succeeded!
HTTP/1.0 408 Request Time-out
Server: AkamaiGHost
Mime-Version: 1.0
Date: Tue, 29 Jul 2014 15:41:34 GMT
Content-Type: text/html
Content-Length: 218
Expires: Tue, 29 Jul 2014 15:41:34 GMT

<HTML><HEAD>
<TITLE>Request Timeout</TITLE>
</HEAD><BODY>
<H1>Request Timeout</H1>
The server timed out while waiting for the browser’s request.<P>
Reference&#32;&#35;2&#46;48cf4d17&#46;1406648494&#46;0
</BODY></HTML>

If we added a -w to timeout we’ll cut out all the cruft (but wouldn’t know that the server’s at Akamai). Next, we’ll get a little more specific and fire up a test to check Apple’s push gateway at, using port 2195:

/usr/bin/nc -v -w 15 gateway.push.apple.com 2195

But, I want the cruft for the purposes of this article. Next, we can add a -4 to force connections over IPv4 and check the Apple feedback server and port 2196, also required for APNs functionality:

/usr/bin/nc -v -4 feedback.push.apple.com 2196

Right about now, something is probably happening at Apple where they’re getting sick of me sending all this data their direction, so let’s add a -z option, to just scan for daemons, without actually sending any data their way:

/usr/bin/nc -vz -4 feedback.push.apple.com 2196

Because of how NAT works, you might notice that the src port keeps changing (incrementing actually). Here’s the thing, we’re gonna’ go ahead and force our source port to stay the same as our destination port using the -p option:

/usr/bin/nc -vz -4 -p 2196 feedback.push.apple.com 2196

Now, what if this is failing? Well, let’s spin up a listener. I like to start on my own subnet, then move to another subnet on the same network and ultimately to another network so I’m checking zone-by-zone so-to-speak, for such a failure. So, we can spin up a listener with netcat in a few seconds using the -l option on another host:

/usr/bin/nc -l 2196

Then I can scan myself:

/usr/bin/nc 127.0.0.1 2196

I could also do this as a range if I forgot which port I used per host:

/usr/bin/nc 127.0.0.1 2195-2196

Now, as is often the case, if our connection problem is because data isn’t parodying, we can also use nc to check that using the -x operator followed by an IP and then : and a port. For example:

/usr/bin/nc -vz -4 -w 10 -p 2196 -x 10.0.0.2:8080 feedback.push.apple.com 2195-2196

Fun times with push notifications. Enjoy.

Mac OS X Mac OS X Server Mac Security Mass Deployment public speaking

MacAdmins 2015

I was super-bummed that I missed the MacAdmins conference at Penn State University. But, all is not lost as MacAdmins will be held July 8-10 in 2015 at the Penn Stater Conference Center and I’ll be able to see all those awesome people there next year!

In the meantime, something fun and new is the 2014 MacAdmins Playlist to maybe get exposed to some new stuff: http://spoti.fi/VTdxLX.

As an aside, here’s a fun pic of @derflounder and I (and others) doing a round table from a few years ago on the Penn State site:

Screen Shot 2014-07-15 at 1.25.10 PM