Tag Archives: ios

iPhone Mac OS X Mac OS X Server Mac Security

Casper 9.62 Is Out!

Casper 9.62 is now out! And holy buckets, look at all the stuff that got fixed in this release:

Casper-Suite-9.62-Release-Notes_320_414_84_1416419790

http://resources.jamfsoftware.com/documents/products/documentation/Casper-Suite-9.62-Release-Notes.pdf?mtime=1416856726

PS – There’s also some api improvement goodness!

Bushel iPhone Mass Deployment

How To View What Payloads Do To Devices

You can see exactly what Bushel, and other MDM platforms do to your OS X devices using the System Information utility. As with all Mobile Device Management (MDM) solutions that interface with OS X, you can use the About this Mac menu item under the Apple menu at the top of the screen to bring up the System Information utility. When you open this tool, you will see a lot of information that can be derived about your devices. Scroll down the list and click on Profiles. Here, you will see all of the Device and User profiles that have been installed on your computer, the payloads within each profile and the keys within each payload.

Screen Shot 2014-12-01 at 12.00.11 PM

Inside each profile there are a few pieces of information that define how the profile operates on the computer. Click on one to see the specific details for each Payload. Payloads are a collection of settings that a policy is changing. For example, in the above  screenshot, allowSimple is a key inside the com.apple.mobiledevice.passwordpolicy payload. This setting, when set to 1 allows simple passcode to be used on the device. When used in conjunction with the forcePIN key (as seen, in the same payload), you must use a passcode, which can be simple (e.g. 4 numeric characters).

Using these settings, you can change a setting in Bushel and then see the exact keys in each of our deployed payloads that changed when you change each setting. Great for troubleshooting issues!

Bushel iPhone Mac OS X Mac OS X Server Mac Security Mass Deployment

Bushel Goes Into Invitation Mode!

Yesterday the Bushel team finished some new code. This code allows you to refer your friends to Bushel! This skips the codes that everyone was waiting for and lets people create accounts immediately!

Screen Shot 2014-11-24 at 10.07.02 PM

From your home screen, click on Invite Friends. Or from the Account screen, scroll down to the section that says “Invite friends to join Bushel”. From here, you can post codes to Facebook, Tweet codes, post codes to LinkedIn and even email them.

We’re not going into general availability just yet. But we’re definitely making it easier long-term to sign up and use Bushel! We hope you love it as much as we do!

Since we’re still architecting how these final screens look, the final features and stress testing the servers, also if you’re testing the system please feel free to fill out our feedback form so we know what you think of what we’re doing and where we’re going!

Or if you’re still waiting for a code, use this link to skip that process https://signup.bushel.com?r=fd0fcf9e6d914a739d29c90421c0fb45.

Bushel iPhone Mac OS X Mac OS X Server Mac Security Mass Deployment Minneapolis

Bushel: The Device Enrollment Program (DEP) In Action

Apple’s Device Enrollment Program (DEP for short) allows you to automatically setup devices with the settings you need on devices that your organization purchases. In Bushel, we give you the ability to link an Apple DEP account up with your Bushel account. This allows devices to add themselves automatically to your Bushel when the devices are activated. We tend to think this is the coolest thing since sliced bread and so we want to make sure you know how to use the feature.

Setup Device Enrollment Program in Bushel

To get started, log into your Bushel and click on Devices. Here, click the button for Device Enrollment Program.

XcKrpO-M0gXF27l0exLKtVbNMLdI1itn8ThiXRqW3xQ

Download your certificate and go to deploy.apple.com and log into your Device Enrollment Program account. Click on Manage Servers in the Deployment Programs sidebar.

Screen-Shot-2014-10-14-at-2.12.49-PM

Next, click on Add MDM Server and provide the certificate we gave you and a name. Once Bushel has been added to your Device Enrollment Program (DEP) account, click on Assign by Serial Number to add your first device. Assuming the device is part of your DEP account, enter the serial number for the device and choose which server (the one you just added) that the device should reach out to on activation to pull settings from.

Screen-Shot-2014-10-14-at-2.13.53-PM

Once you’ve added the server, you’ll be greeted by a screen that says Assignment Complete. You can now wipe the device and upon reactivation the device will pull new settings from your Bushel.

Screen-Shot-2014-10-14-at-2.13.58-PM

The Device Enrollment Program in Bushel

Click OK and you can add more devices. Once your devices are added into the Apple DEP portal they will automatically appear in the DEP screen of your Bushel. Click on a device to assign a username and email address, if you will be using email.

xdWSZrVkYs6wWHgmzfmdkOdmZjSXVMDqrypOkqCaC3w-1

Good luck!

iPhone Mac Security Network Infrastructure

Listen To iOS Network Communications

OS X has a command called rvictl, which can be used to proxy network communications from iOS devices through a computer over what’s known as a Remote Virtual Interface, or RVI. To setup an rvi, you’ll need the udid of a device and the device will need to be plugged into a Mac and have the device paired to the Mac. This may seem like a lot but if you’ve followed along with a couple of the other articles I’ve done recently this should be pretty simple. First we’ll pair:

idevicepair pair

Then tap Trust on the device itself. Then we’ll grab that udid with idevice_id:

idevice_id -l

Next, we’ll setup a rvi with rvictl and the -s option (here I’m just going to grab the udid since I only have one device plugged into my computer):

rvictl -s `idevice_id -l`

Then we can list the connections using rvictl with the -l option:

rvictl -l

Next, we’ll run a tcpdump using this newly constructed rvi0:

tcpdump -n -i rvi0

Next, we’ll get a lot of logs. Let’s fire up the Nike FuelBand app and refresh our status. Watching the resultant traffic, we’ll see a line like this:

22:42:29.485691 IP 192.168.0.12.57850 > 54.241.32.20.443: Flags [S], seq 3936380112, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 706439445 ecr 0,sackOK,eol], length 0

There’s an IP in there, 54.241.32.20. We can look this up and see that the servers are sitting on Amazon Web Services and verify it’s Nike. Watching the traffic with tcpdump we can then obtain GET, POST and other information sent and received. Using wireshark we could get even more detailed data.

Overall though, this article is meant to focus on the iOS side of this and not on debugging and refining the approach to using tcpdump/wireshark. rvictl is a great tool in the iOS development cycle and for security researchers that are looking into how many of the apps on iOS devices exchange data. Enjoy.

Bushel

Bushel Interview with Tech.mn

Slowly but surely information about what I left 318 to do has been leaking out. And I wouldn’t say leaking. More like being broadcast to the world. I’ve worked on a few little things here and there at JAMF Software since my arrival. But my core duty is to shepherd the development and strategy behind a new Mobile Device Management tool called Bushel. A little more about Bushel is available here, and I’ll likely post more about it here when the time is right:

http://tech.mn/news/2014/11/04/jamf-software-bushel-apple-device-management/

And to access the Bushel site:

http://www.bushel.com

And some of the writing that are now finding their way onto the Bushel blog:

http://blog.bushel.com

bushel-wordmark-dark@2x

Mac OS X Mac OS X Server Mac Security

qlmanage

QuickLook scans file contents before you open those files. Usually this just lets you view a file quickly. But you can also use this same technology from the command line to bring about a change to the Finder without actually opening a file. To access QuickLook from the command line, use qlmanage.

qlmanage -p ~/Desktop/MyTowel42.pdf

While open, click the space bar to go back to your Terminal session. The most notable use case here is that when you use qlmanage you don’t run the risk of changing the date/time stamp of the files.

Product Management

How Product Managers Think Users Will React To New Features

Mac OS X Server Windows Server Windows XP

Yosemite Server SMB and Windows

A few people have hit me up about issues getting Windows machines to play nice with the SMB built into Yosemite Server and Windows. Basically, the authentication dialog keeps coming up even when a Mac can connect. So there are two potential issues that you might run into here. The first is that the authentication method is not supported. Here, you want to enable only the one(s) required. NTLMv2 should be enabled by default, so try ntlm:

sudo serveradmin settings smb:ntlm auth = "yes"

If that doesn’t work (older and by older I mean old as hell versions of Windows), try Lanman:

sudo serveradmin settings smb:lanman auth = “yes"

The second is that the authentication string (can be seen in wireshark) doesn’t include the workgroup/domain. To resolve this, simply include the Server name or workgroup in the beginning of the username followed by a backslash(\). So you might do this as a username if your NetBios name were kryptedserver:

kryptedserver\charles

To get that exact name, use serveradmin again, to look at the smb:NetBIOSName attribute:

smb:NetBIOSName = "kryptedserver"

Wearable Technology

Integrate Nike Running App With Apple’s Health App

The new Health app from Apple provides a conduit to run all of your health data through on an iOS device in order to then provide you with a single pane of glass to see all of your health related data. This can include diet, workouts, weight, blood pressure, etc, provided that the vendors of such devices or apps you may use support those features. The Nike Running app (not yet for the Fuelband) is one such app. And if you track runs with Nike Running then you’ll want to setup the integration asap, as the Health app only looks at runs that are configured after you setup the integration.

To integrate the app into Health (and therefore showcase what Health can do) we’ll simply upgrade it and do so real quick. The first step is to upgrade the Nike+ Running app. To do so, open the App Store, tap on Updates and find the Nike+ Running app. Here, tap Update and provide your password.

IMG_1717

When the app is finished updating, open it. You should be prompted on the first open after the update to setup Health Access. Here, use the sliders for each of the items you’d like to sync to Health. These include your NikeFuel (the fuel points obtained per run), the Workouts and, if you have a device that tracks Heart Rate, whether or not the Running app can access that Heart Rate data. Tap Done when you’re satisfied with your settings.

IMG_1713

From within the Health app, you can then see what Health reads from and writes to the NikeFuel app. Open the Health app, tap on Fitness and then NikeFuel. Here, you can change the settings that were previously configured.

IMG_1714

The NikeFuel entry will then start to sync with your Nike account. Tapping on NikeFuel in the Health app provides you the option to Show on Dashboard, which is the first screen of your Health app. Toggle this to enable the option.

IMG_1715

Once enabled, you can see stats from your Nike Running app on the dashboard in Health. The data is then useable by other apps that can also integrate with Health, provided you allow it.

IMG_1716

When the next run is synchronized, you should see data from the run populate the NikeFuel entry on the dashboard. The FuelBand, Nike Basketball and Nike Training Club apps have not been integrated into Health. But when they are, I’ll try and remember to come back and update this article.