krypted.com

Tiny Deathstars of Foulness

There are a lot of payloads that MDM and profiles can manage in iOS. Restrictions are probably the one I get the most questions about. And most are pretty self-explanatory. Sooooo, rather than open Profile Manager every time I need to see the list, here it is:

  • Allow use of Camera
  • Allow FaceTime
  • Allow screenshots and screen recording
  • Allow AirDrop (supervised only)
  • Allow iMessage (supervised only)
  • Allow voice dialing while device is locked
  • Allow Siri
  • Allow Siri while device is locked
  • Enable Siri profanity filter (supervised only)
  • Allow user-generated content in Siri (supervised only)
  • Allow iBooks Store (supervised only)
  • Allow installing apps using Apple Configurator and iTunes
  • Allow installing apps using App Store (supervised only)
  • Allow automatic app downloads (supervised only)
  • Allow removing apps (supervised only)
  • Allow in-app purchase
  • Require iTunes Store password for all purchases
  • Allow iCloud backup
  • Allow iCloud documents & data
  • Allow iCloud Keychain
  • Allow managed apps to store data in iCloud
  • Allow backup of enterprise books
  • Allow notes and highlights sync for enterprise books
  • Allow iCloud Photo Sharing
  • Allow My Photo Stream (disallowing can cause data loss)
  • Allow automatic sync while roaming
  • Force encrypted backups
  • Force limited ad tracking
  • Allow Erase All Content and Settings (supervised only)
  • Allow users to accept untrusted TLS certificates
  • Allow automatic updates to certificate trust settings
  • Allow trusting new enterprise app authors
  • Allow installing configuration profiles (supervised only)
  • Allow modifying account settings (supervised only)
  • Allow modifying device name (supervised only)
  • Allow modifying Find My Friends settings (supervised only)
  • Allow modifying passcode (supervised only)
  • Allow modifying Touch ID fingerprints (supervised only)
  • Allow modifying restrictions (supervised only)
  • Allow modifying Wallpaper (supervised only)
  • Allow pairing with non-Configurator hosts (supervised only)
  • Allow documents from managed sources in unmanaged destinations
  • Allow documents from unmanaged sources in managed destinations
  • Treat AirDrop as unmanaged destination
  • Allow Handoff
  • Allow Spotlight Suggestions
  • Allow Touch ID to unlock device
  • Force Apple Watch wrist detection
  • Allow pairing with Apple Watch (supervised only)
  • Require passcode on first AirPlay pairing
  • Allow predictive keyboard (supervised only)
  • Allow keyboard shortcuts
  • Allow auto correction (supervised only)
  • Allow spell check (supervised only)
  • Allow Define (supervised only)
  • Allow Wallet notifications in Lock screen
  • Show Control Center in Lock screen
  • Show Today view in Lock screen
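To check which of these restrictions a given profile actually enforces, the following added example (not from the original post) parses an unsigned .mobileconfig and reports security-relevant settings left at a weak value. The payload key names come from Apple's configuration profile reference rather than from the list above; the choice of which values count as weak, the default rule, and the sample profile are assumptions of this example.

```python
import plistlib

RESTRICTIONS = "com.apple.applicationaccess"  # Restrictions payload type

# key: (label from the list above, value that weakens the device,
#       marked "(supervised only)" in the list)
CHECKS = {
    "allowUntrustedTLSPrompt": ("Allow users to accept untrusted TLS certificates", True, False),
    "forceEncryptedBackup": ("Force encrypted backups", False, False),
    "allowOpenFromManagedToUnmanaged": ("Allow documents from managed sources in unmanaged destinations", True, False),
    "forceAirDropUnmanaged": ("Treat AirDrop as unmanaged destination", False, False),
    "allowEnterpriseAppTrust": ("Allow trusting new enterprise app authors", True, False),
    "allowHostPairing": ("Allow pairing with non-Configurator hosts", True, True),
    "allowUIConfigurationProfileInstallation": ("Allow installing configuration profiles", True, True),
}

def ios_default(key):
    # Assumption of this example: an absent allow* key behaves as true and an
    # absent force* key as false.
    return key.startswith("allow")

def audit(profile_bytes, supervised):
    """Return sorted (key, reason) findings for an unsigned .mobileconfig."""
    profile = plistlib.loads(profile_bytes)
    # Use the first Restrictions payload; no payload means defaults everywhere.
    payload = next((p for p in profile.get("PayloadContent", [])
                    if isinstance(p, dict) and p.get("PayloadType") == RESTRICTIONS), {})
    findings = []
    for key, (label, risky, sup_only) in CHECKS.items():
        value = payload.get(key, ios_default(key))
        if key not in payload:
            reason = "not set, default applies"
        elif sup_only and not supervised:
            # Present in the profile, but an unsupervised device ignores it.
            value, reason = ios_default(key), "set, but ignored without supervision"
        else:
            reason = "explicitly set to %s" % value
        if value == risky:
            findings.append((key, "%s: %s" % (label, reason)))
    return sorted(findings)

# Constructed sample profile (identifiers and UUIDs are placeholders).
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.restrictions",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadContent": [{
        "PayloadType": RESTRICTIONS,
        "PayloadIdentifier": "com.example.restrictions.payload",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "allowUntrustedTLSPrompt": True,   # weak: users may click through
        "forceEncryptedBackup": True,
        "allowOpenFromManagedToUnmanaged": False,
        "forceAirDropUnmanaged": True,
        "allowEnterpriseAppTrust": False,
        "allowHostPairing": False,                          # supervised only
        "allowUIConfigurationProfileInstallation": False,   # supervised only
    }],
})

if __name__ == "__main__":
    for supervised in (True, False):
        print("supervised=%s" % supervised, audit(SAMPLE, supervised))
```

The same profile produces one finding on a supervised device and three on an unsupervised one, because the two supervised-only restrictions fall back to their defaults there.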

February 5th, 2016

Posted In: iPhone

Enrolling iPads and iPhones into JAMF’s Casper suite can be done through Apple Configurator 2, text messages, email invitations, Apple’s Device Enrollment Program (DEP), or using links deployed to iOS devices as web clips. When doing larger deployments, the enrollment process can be automated so that devices are automatically enrolled into Casper when set up, using an Enrollment Profile that is manually downloaded from Casper and deployed to the device. Additionally, a certificate may be needed if the certificate is not included in the profile, an option available as a checkbox in the setup. While you hopefully won’t need to download the certificate, we’ll cover that as well:

Download the Enrollment Profile

To download an enrollment profile from Casper MDM:

  1. Log into the web interface of the JSS.
  2. Click on the link along the top navigation bar for Mobile Devices.
  3. Click on Enrollment Profiles in the sidebar.
  4. Click on the plus sign (+).
  5. Provide a new name for the profile.
  6. Click on the User and Location Information tab.
  7. Enter any of the information you wish to have associated with this account when the profile is used to enroll a device into the JSS (not required – use this if you want your devices to have these associated, for example if you use Configurator to set up departments, associate a blueprint with each department, and use an enrollment profile per blueprint).
  8. At the Enrollment Profiles screen, click on Download for the appropriate profile (for most environments there should only be one).
  9. Click on the Save button.
  10. Click on the General tab.
  11. Click on the Download button to download a .mobileconfig file that contains enrollment information.
  12. Click on the Trust Profile button to download the trust profile (a .mobileconfig with our cert).
  13. Once the profile is downloaded, it will automatically attempt to enroll the computer you are downloading it from in the Profiles System Preferences pane.
  14. Click on Cancel.
  15. Click on your downloads and you have now downloaded the two .mobileconfig files that will enroll devices into Casper. Note that if you have a cert signed by a CA you shouldn’t need the Trust Profile.

Add the Profile To Apple Configurator:

To deploy the profile through Apple Configurator:

  1. Open Apple Configurator 2 on the client computer.
  2. Click File and then click on New Blueprint.
  3. Provide a name for your Blueprint.
  4. Once the new Blueprint is created, click on it.
  5. Click on Profiles. 
  6. Click Add Profiles…
  7. Manually add the first profile by browsing to it.
  8. Drag any other profiles into the list.
  9. Apply the Blueprint to devices to see if it works.

If you then wish to unenroll, simply remove the profiles by tapping on profiles and then tapping on the Remove button. Per the MDM API, a user can elect to remove their device from management at any point unless the device is supervised (and then it’s harder but still possible to remove the device from management), so expect this will happen occasionally, even if only by accident.

December 10th, 2015

Posted In: Apple Configurator, iPhone, JAMF, Mass Deployment

I love answering a question with a question. Is asr still in OS X? Is NetInstall still in OS X Server? Can OS X still NetBoot? Does System Image Utility still work? The answer to all of these is yes. Therefore, the answer to “Is imaging dead” is clearly no. Is it on its way out, maybe. Debatable. Is it changing? Of course. When does Apple not evolve?

What have we seen recently? Well, the rhetoric would point to the fact that imaging is dying. That seems clear. And this is slowly coming out of people at Apple. The word imaging is becoming a bad thing. But, as a customer recently asked me, “what do you do when a hard drive fails and you need to get a system back up”? My answer, which of course was another question was “what do you do when that happens with an iPad?” The answer is that you Restore.

What is the difference between an Image and a Restore? Yes, I meant to capitalize both. Yes, I realize that’s not grammatically correct. No, I don’t care. It’s my prose, back off. But back to the point. What is the difference between the two? An Image can have things inserted into /Applications, /Library, and even /System (since it’s not booted, it’s not yet protected by SIP). An Image can have binaries and scripts automatically fire that Apple didn’t bake into the factory OS. On an iPad, when you Restore, you explode an .ipsw file onto disk that can’t be altered and acts as an operating system.

The difference here is that one is altered, the other isn’t. Additionally, iOS .ipsw files only contain drivers for the specific hardware for a given device (e.g. one for iPad Mini and another for iPhone 6). But, you have pre-flight and post-flight tasks you need to perform. Everyone understands that. Think about automation via profiles. You can run a script with a profile. You can apply a profile at first boot. You can install a package (the future of packages is IMHO more debatable than the future of images) and a .app with a profile. These might take a little more work than it does with a NetInstall and System Image Utility. But then, it might not. You’d be surprised what’s easier and what’s actually harder (for now) with this new workflow. Complexities are more logistical than technical.

So, Imaging is dead, long live Restoring? Arguably, any older workflows you have will be fine for some time. So any good article has a call to action somewhere. The call to action here is to try to subtly shift your deployment techniques. This involves implementing a DEP strategy where possible. This involves putting the final nails in the coffin of monolithic imaging. This involves moving to as thin an image as possible. This involves (I can’t believe I’m saying this) de-emphasizing scripting in your deployment process. This also involves completing the move that you’ve hopefully started already, from MCX to profile or MDM-based management.

What else do you think this involves? Insert running commentary below!

December 5th, 2015

Posted In: iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Who still says “like a boss?” I guess I did. Get over it. But don’t get over spam. Especially annoying are the ones we know we accidentally signed up for. Because it’s our own darn fault. But luckily, there’s a lot more tools for dealing with bulk mail (solicited or unsolicited) these days. Most modern email clients have the ability to deal with spam. Exchange/Office 365 has clutter and junk. You can build rules on sites. You can use SpamAssassin on your servers. But, there’s also a nice little app called unroll.me. Once you sign up you’ll have 3 ways of dealing with each message: request removal from a list, mark as rolled up into a single daily digest, or mark as good email.

Download it here. The app works a lot like something like Tinder. You swipe right to like something, left to not like something. Facebook should implement this into your timeline!

If you decide to mark emails as digests, you’ll get an email once a day that looks like this:

This works great for organizations that actually properly remove you from lists (which is surprisingly most). Using this swiping type of workflow, you can knock through 100 or more emails in 10-15 minutes. For organizations that don’t respect unfollow or stop sending me your crap emails, there’s also always just marking them as spam. The only problem with this is that you likely have a phone, a computer, a home computer, and maybe a tablet. No one wants to mark the same email as spam four times and then potentially have emails disappearing and not being able to figure out which computer they were marked as junk on.

There are lots and lots of options for this type of thing. But given the ease of use and quick evisceration I can do on my mailbox, I rather like unfollow.me. Give it a shot. You might hate it. I don’t.

December 3rd, 2015

Posted In: Apps, cloud, Network Infrastructure

Click for lightning. Merge-your-damn-self.

But if you commit with a well written message (and not just a period to get past a sanity check), I’m happy. Tom Hardy likes it when you tell me wtf.

November 29th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security

This is my 3,000th post on Krypted.com. The past 3,000 posts have primarily been about OS X Server, Mac automation, Mac deployment, scripting, iOS deployments, troubleshooting, Xsan, Windows Servers, Exchange Server, Powershell, security, and other technical things that I have done in my career. I started the site in response to a request from my first publisher. But it took on a mind of its own. And I’m happy with the way it’s turned out.

My life has changed a lot over these past 11 years. I got married and then I got divorced. I now have a wonderful daughter. I became a partner and the Chief Technology Officer of 318 and helped to shape it into what was the largest provider of Apple services. I left Los Angeles and moved to Minnesota, left 318 to help start up a new MDM for small businesses at JAMF Software called Bushel, and now I have become the Consulting Engineering Manager at JAMF. In these 11 years, I have made a lot of friends along the way. Friends who helped me so much. I have written 14 more books, spoken at over a hundred conferences, watched the Apple community flourish, and watched the emergence of the Post-PC era.

In these 11 years, a lot has happened. Twitter and Facebook have emerged. Microsoft has hit hard times. Apple has risen like a phoenix from those dark ashes. Unix has proved a constant. Open Source has come into the Mac world. The Linux gurus are still waiting for Linux on the desktop to take over the world. Apps. iOS. iPad. Mobility. Android. Wearables. Less certifications. More admins. And you can see these trends in the traffic for the site. For example, the top post I’ve ever written is now a list of Fitbit badges. The second top post is a list of crosh commands. My list of my favorite hacking movies is the third top post. None of these have to do with scripting, Apple, or any of the articles that I’ve spent the most time writing.

That’s the first 3,000 posts. What’s next? 3,000 more posts? Documenting the unfolding of the Post-PC era? Documenting the rise and fall of more technologies? I will keep writing, that’s for sure. I will continue doing everything I can to help build out the Apple community. And I will enjoy it. I’ve learned a lot about writing along this path. But I have a lot more to learn.

The past 3,000 posts have mostly been technical in nature. I’ve shown few of my opinions, choosing to keep things how-to oriented and very technical. Sure, there’s the occasional movie trailer when I have a “squee” moment. But pretty technical, overall. I’ve been lucky to have been honored to speak at many conferences around the world. One thing I’ve noticed over the past few years is that when people ask me to speak at conferences, they ask me to speak about broader topics. They don’t want me doing a technical deep dive. People use the term thought leader. And while I don’t necessarily agree, maybe it’s time I step up and write more of those kinds of articles here and there.

I’ve learned so much from you these 11 years. But I feel like I’ve barely scratched the surface. I look forward to learning together over the course of the next 3,000 posts! Thank you for your support. Without it, I’d have probably stopped at 10 articles!

November 16th, 2015

Posted In: 318, Apps, Articles and Books, Bushel, Business, certifications, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Microsoft Exchange Server, Minneapolis

Apple Configurator 2 is a great new evolution in iOS initial and configuration management. And there are lots of great options. And to help you wrap your head around all this new fun stuff, I’ve written up a quick and dirty guide for using Apple Configurator 2.

It’s not completely done, but it will be shortly. Hope this helps someone. Enjoy!

November 14th, 2015

Posted In: Apple Configurator, iPhone, Mass Deployment

Financial services is an interesting business when it comes to what you need to do to meet your regulatory requirements. With so much data and the services that enable you to access data moving to the cloud, it can be hard to keep up with how solutions meet any regulatory requirements you might have. At the end of the day, you’re primarily concerned about customer data leaking out of your environment and making sure that you can report on every single thing that happened in an environment. Whatever help we can provide in this article, make sure that you vet anything against what the individuals that review your regulatory requirements say.

Click Here to Continue Reading More On blog.bushel.com

November 13th, 2015

Posted In: Bushel

Blueprints are a new option in Apple Configurator 2. Blueprints allow you to set up a template of settings, options, apps, and restore data, and then apply those Blueprints on iOS devices. For example, if you have 1,000 iOS devices, you can create a Blueprint with a restore item, an enrollment profile, a default wallpaper, skip all of the activation steps, install 4 apps, and then enable encrypted backups. The Blueprint will provide all of these features to any device that the Blueprint is applied to.

But then why not call it a group? Why call it a Blueprint? Because the word template is boring. And you’re not dynamically making changes to devices over the air. Instead you’re making changes to devices when you apply that Blueprint, or template, to the device. And you’re building a device out based on the items in the Blueprint, so not entirely a template. But whatever on semantics.

To get started, open Apple Configurator 2.

Click on the Blueprints button and click on Edit Blueprints.

Notice that when you’re working on Blueprints, you’ll always have a blue bar towards the bottom of the screen. Blueprints are tiled on the screen, although as you get more and more of them, you can view them in a list.

Right-click on the Blueprint. Here, you’ll have a number of options. As you can see below, you can then Add Apps. For more on adding Apps, see this page.

You can also change the name of devices en masse, using variables, which I explore in this article.

For supervised devices, you can also use your Blueprints to change the wallpaper of devices, which I explore here.

Blueprints also support using Profiles that you save to your drive and then apply to the Blueprints.

Blueprints also support restoring saved backups onto devices, as I explore here.

For kiosk and single purpose systems, you can also enter into Single App Mode programmatically.

You can also configure automated enrollment, as described here. Overall, Blueprints make a great new option in Apple Configurator 2. These allow you to more easily save a collection of settings that were previously manually configured in Apple Configurator 1. Manually configuring settings left room for error, so Blueprints should keep that from happening.

November 11th, 2015

Posted In: Apple Configurator, Mac OS X, Mass Deployment

One of the common tasks to perform when doing some larger iOS deployments is to restore an iOS device as part of setting the device up for users. Restoring a device will retain a few things like icon placement on a device. To restore a device, we’ll first create a backup, described here. As of Apple Configurator 2, you can use iTunes and Apple Configurator 2-sourced backups of devices. You can also now assign the restore task to a Blueprint or do so manually.

To get started with restoring a device, first plug in a device and open Apple Configurator.

Right-click on a device and then choose the Restore from Backup… option.

You’ll then be prompted to verify that you want to restore the device. To restore the device, click Restore.

At the “Restore from the backup” screen, select the backup to use as your restore point and click Restore.

When prompted, provide the password for the backup and click on the Restore Backup button.

If the device has been prepared, you will be prompted to approve the restore. Assuming you actually want to restore the device, click on the Restore button.

You will need to accept the iOS licensing agreement. Click Accept when prompted.

The restore will start.

You can also assign a backup to a Blueprint. Then, any time the Blueprint is assigned to a device, you will restore the selected backup. To do so, bring up the Edit Blueprint screen and then right-click on the Blueprint to edit.

Select Restore from Backup… from the menu and select the appropriate backup. Then, when the Blueprint is applied to a device, the device will be restored using the selected backup.

November 9th, 2015

Posted In: Apple Configurator, iPhone, Mass Deployment
