Tag Archives: iPad

iPhone Mac OS X Mac OS X Server

Apple ID Bulk Importer

Some iOS and/or OS X deployments require us to create a boatload of Apple IDs. This could be to redeem VPP codes, to do iOS backups, to configure Messages, to give OS X Server users the ability to reset their own passwords, etc. I have sat and manually created Apple IDs for a number of clients. I’ve created dozens at a single sitting and there are some serious annoyances and challenges with doing so manually. For example, you’re gonna’ fat finger something. If you type 10 things in for 50 accounts then it’s hard to imagine you’re not gonna’ mess something up in one of those 500 fields. It’s also time consuming and, well, just annoying.

Then, along came a script. That script allowed us to create loads of IDs on the fly. Now, we have a very nice GUI tool called the Apple ID Automation Builder that can be used to batch create a number of Apple IDs on the fly. Brought to us by Greg Moore and hosted by enterpriseios.com, this is one of those rare finds that is a serious time saver and very valuable when you need it in your bat belt. Great little tool, well worth the money and I look forward to providing Greg with plenty of accolades should we ever meet!

Articles and Books iPhone Mass Deployment

Apperian’s New Goodness: Remote Control for iPad

iPhone Mac OS X Mac OS X Server Mac Security Mass Deployment Network Infrastructure

The New Caching Service In OS X Server

These days, new services get introduced in OS X Server during point releases. OS X Server now has a Software Caching service built to make updates faster. This doesn’t replace Apple’s Software Update Server, mind you; it supplements it. And, it’s very cool technology. “What makes it so cool?” you might ask, given that Software Update Server has been around for awhile. Namely, the way that clients locate the caching service and download updates from it, with absolutely no need (or ability) for centralized administration.

Let’s say that you have 200 users with Mac Minis and an update is released. That’s 200 of the same update those devices are going to download over your Internet connection, at up to 2 to 3 gigs per download. If you’re lucky enough to have eaten at the Varsity in Atlanta, just imagine trying to drink one of those dreamy orange goodnesses through a coffee stirrer. Probably gonna’ be a little frustrating. Suck and suck and suck and it’ll probably melt enough to make it through that straw before you can pull it through. For that matter, depending on how fast your Internet pipe is, there’s a chance something smaller, like an update to Expensify, will blow out that same network, leaving no room for important things, like updates to Angry Birds!

Now, let’s say you have an OS X Server running the new Caching service. In this case, the first device pulls the update down, and each subsequent device uses its WAN address to determine where the nearest caching service is. If there’s one on the same subnet, provided the subnet isn’t a Class B or larger, the client will attempt to establish a connection to the caching service. If it can, and the update being requested is on that server, the client will pull the update from the server once the signature of the update is verified with Apple (after all, we wouldn’t want some funky cert getting in the way of our sucking). If the download is interrupted it will resume after following the same process on a different server, or directly from Apple. The client-side configuration is automatic, so it provides a seamless experience to end users.

Pretty cool, eh? But you’re probably thinking this new awesomeness is hard as all heck to install. Well, notsomuch. There are a few options that can be configured, but the server is smart enough to do most of the work for you. Before you get started, you should:

  • Be running Mountain Lion with Server 2.2 or better.
  • Install an APNS certificate first, described in a previous article I wrote here.
  • Have an ethernet connection on the server.
  • Have a hard drive with at least 50GB free in the server.
  • The server must be in a Class C or smaller LAN IP scheme (no WAN IPs can be used with this service, although I was able to multihome with the WAN off while configuring the service)

Once all of the requirements have been met, you will need to install the actual Caching Service. To do so, open Server.app from the /Applications directory and connect to the server with which you would like to install the Caching service.

Click on Caching in the SERVICES section of the Server sidebar. Here, you have 3 options you can configure before starting the service. The first is the volume on which to place updates. This should typically be a Pegasus or other form of mass storage that is not your boot volume. Use the Edit… button to choose the volume. By default, when you select that volume you’ll be storing the updates in Library/Server/Caching/Data on that volume.

The next button is used to clear out the cache currently used on the server. Click Reset and the entire contents of the aforementioned Data directory will be cleared.

Next, configure the Cache Size. Here, you have a slider to configure about as much space as you’d like, up to “Unlimited”. You can also use the command line to set values that aren’t available in the slider, such as 2TB.

Once you’ve configured the correct amount of space, click on the ON button to fire up the service. Once started, grab a client from the local environment and download an update. Then do another. Time both. Check the Data folder, see that there’s stuff in there and enjoy yourself for such a job well done.

Now, let’s look at the command line management available for this service. Using the serveradmin command you can summon the settings for the caching service, as follows:

sudo serveradmin settings caching

The settings returned look like the following:

caching:ReservedVolumeSpace = 25000000000
caching:SingleMachineMode = no
caching:Port = 0
caching:SavedCacheSize = 0
caching:CacheLimit = 0
caching:DataPath = "/Volumes/Base_Image/Library/Server/Caching/Data"
caching:ServerGUID = "FB78960D-F708-43C4-A1F1-3E068368655D"
caching:ServerRoot = "/Library/Server"

Don’t change the caching:ServerRoot setting on the server. This is derived from the root of the global ServerRoot. Also, the ServerGUID setting is configured automatically when connecting to Apple and so should not be set manually. When you configured that Volume setting, you set the caching:DataPath option. You can point this somewhere else entirely, like:

sudo serveradmin settings caching:DataPath = "/Library/Server/NewCaching/NewData"

Now let’s say you wanted to set the maximum size of the cache to 800 gigs:

sudo serveradmin settings caching:CacheLimit = 812851086070

To customize the port used:

sudo serveradmin settings caching:Port = 6900

The server reserves a certain amount of filesystem space for the caching service. This is the only service I’ve seen do this. By default, it’s about 25 gigs of space. To customize that to let’s say, ‘around’ 50 gigs:

sudo serveradmin settings caching:ReservedVolumeSpace = 50000000000

To stop the service once you’ve changed some settings:

sudo serveradmin stop caching

To start it back up:

sudo serveradmin start caching

Once you’ve started the Caching service in OS X Server and familiarized yourself with the serveradmin caching options, let’s look at the status options. I always use fullstatus:

sudo serveradmin fullstatus caching

Returns the following:

caching:Active = yes
caching:state = "RUNNING"
caching:Port = 57466
caching:CacheUsed = 24083596
caching:TotalBytesRequested = 24083596
caching:CacheLimit = 0
caching:RegistrationStatus = 1
caching:CacheFree = 360581072384
caching:StartupStatus = "OK"
caching:CacheStatus = "OK"
caching:TotalBytesReturned = 24083596
caching:CacheDetails:.pkg = 24083596

The important things here:

  • An Active setting of “yes” means the server’s started.
  • The state is “STARTED” or “STOPPED” (or STARTING if it’s in the middle).
  • The TCP/IP port used is 57466 by default; if the caching:Port setting shown earlier is left at 0, this is the port used.
  • The CacheUsed is how much space of the total CacheLimit has been used.
  • The RegistrationStatus indicates whether the server is registered via APNS for the service with Apple.
  • The CacheFree setting indicates how much space on the drive can be used for updates.
  • The caching:TotalBytesRequested option should indicate how much data has been requested from clients while the caching:TotalBytesReturned indicates how much data has been returned to clients.
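The status fields above lend themselves to a scripted health check. The following script is an added example, not code from the original post; it assumes the key = value format that serveradmin prints, treats a CacheLimit of 0 as “Unlimited”, and falls back to a sample constructed from the values above when serveradmin is not installed.

```shell
#!/bin/sh
# Health check for the OS X Server Caching service. Parses the "key = value"
# lines printed by `serveradmin fullstatus caching` and reports whether the
# service is running, registered with Apple, and within its cache limit.
# Added example, not code from the original post.

# Constructed sample, built from the fullstatus output shown in the post.
SAMPLE_STATUS='caching:Active = yes
caching:state = "RUNNING"
caching:Port = 57466
caching:CacheUsed = 24083596
caching:TotalBytesRequested = 24083596
caching:CacheLimit = 0
caching:RegistrationStatus = 1
caching:CacheFree = 360581072384
caching:StartupStatus = "OK"
caching:CacheStatus = "OK"
caching:TotalBytesReturned = 24083596
caching:CacheDetails:.pkg = 24083596'

# status_value KEY: read fullstatus text on stdin and print the value of
# caching:KEY with surrounding quotes removed (empty if the key is absent).
status_value() {
    sed -n "s/^caching:$1 = //p" | tr -d '"'
}

# caching_health: read fullstatus text on stdin, print findings, and return
# 0 when every check passes or 1 when any check fails.
caching_health() {
    status=$(cat)
    active=$(printf '%s\n' "$status" | status_value Active)
    state=$(printf '%s\n' "$status" | status_value state)
    reg=$(printf '%s\n' "$status" | status_value RegistrationStatus)
    port=$(printf '%s\n' "$status" | status_value Port)
    used=$(printf '%s\n' "$status" | status_value CacheUsed)
    limit=$(printf '%s\n' "$status" | status_value CacheLimit)
    cache_free=$(printf '%s\n' "$status" | status_value CacheFree)
    used=${used:-0}; limit=${limit:-0}; cache_free=${cache_free:-0}

    rc=0
    [ "$active" = "yes" ] || { echo "FAIL: service is not active"; rc=1; }
    [ "$state" = "RUNNING" ] || { echo "FAIL: state is '$state', expected RUNNING"; rc=1; }
    # RegistrationStatus 1 means the server registered with Apple via APNS;
    # without it clients will never be directed to this cache.
    [ "$reg" = "1" ] || { echo "FAIL: not registered with Apple (RegistrationStatus=$reg)"; rc=1; }
    # CacheLimit 0 means "Unlimited"; otherwise flag usage above 90% of the limit.
    if [ $((limit > 0)) -eq 1 ] && [ $((used * 10 > limit * 9)) -eq 1 ]; then
        echo "FAIL: cache nearly full ($used of $limit bytes used)"; rc=1
    fi
    # The service keeps ReservedVolumeSpace (25 GB by default) free; flag the
    # volume when less than that remains for new updates.
    if [ $((cache_free < 25000000000)) -eq 1 ]; then
        echo "FAIL: only $cache_free bytes free on the cache volume"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: port $port, $used bytes cached, $cache_free bytes free"
    return "$rc"
}

# Check the live service when serveradmin is present, else the sample above.
if command -v serveradmin >/dev/null 2>&1; then
    sudo serveradmin fullstatus caching | caching_health
else
    printf '%s\n' "$SAMPLE_STATUS" | caching_health
fi
```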

Look into the /Library/Server/Caching/Config/Config.plist file to see even more information, such as the following:

<key>LastConfigURL</key>
<string>http://suconfig.apple.com/resource/registration/v1/config.plist</string>
<key>LastPort</key>
<integer>57466</integer>
<key>LastRegOrFlush</key>
<date>2012-12-16T04:33:13Z</date>

As you can see, this provides the host name of the server and path on that server that the Caching server requires access to, the last port connected to and the last date that the contents were flushed.

There are also a number of other keys that can be added to the Config.plist file including CacheLimit, DataPath, Interface, ListenRanges, LogLevel, MaxConcurrentClients, Port and ReservedVolumeSpace. These are described further at http://support.apple.com/kb/HT5590.

In the Data directory that we mentioned earlier is a SQLite database, called AssetInfo.db. In this database, a number of files are mentioned. These are in a file hierarchy also in that Data directory. Client systems access data directly from that folder.

Finally, the Server app contains a log that is accessed using the Logs option in the Server app sidebar. If you have problems with the service, information can be accessed here (use the Caching Service Log to access Caching logs).

The Caching Service uses the AssetCache binary, located at

/Applications/Server.app/Contents/ServerRoot/usr/libexec/AssetCache/AssetCache,

which runs as the new _assetcache user. Its LaunchDaemon is at

/Applications/Server.app/Contents/ServerRoot/System/Library/LaunchDaemons/com.apple.AssetCache.plist.

Note: In my initial testing it appeared that, after rebooting devices, iOS updates were being cached; however, several have reported that this is not yet possible. I’ll try and replicate and report my findings later.

iPhone

SimpleMDM Now With Apps

SimpleMDM has updated their Mobile Device Management solution (my original writeup is here) to now include the ability to manage apps. The apps functionality really comes in two flavors. The first is the ability to load up an app. This is handled by clicking on Settings in the right hand navigation bar and then, at the Settings pop-over, clicking on Apps. Here, you can load up an internal, enterprise app or an App Store app.

Once you’ve loaded an app you can deploy it to devices by clicking on a group and then using the contextual menu to “Assign Apps.” Simple, as the name implies.

The second aspect of SimpleMDM is to whitelist and blacklist apps. This is done by clicking on the contextual menu and then clicking on Rules. Here, you can Allow or Disallow any app that has been loaded into the app catalog.


Mac OS X Mac OS X Server Mass Deployment

Keynote From JAMF Nation

In case you were there and would like a copy, here’s the slides from the presentation I did this week at the JAMF Nation User Conference 2012. If you weren’t there, then perhaps they will help you in some way.

JNUC2012

The session was recorded so I’ll try and post when it becomes available for download.

iPhone

Restricting Access To Sites On iOS Devices

One of the more common requests we get for iOS devices is to restrict what sites on the web that a device can access. This can be done in a number of ways. The best, in my experience, has been using a proxy.

In Apple Configurator 1.2 there’s an option for a Global HTTP Proxy for Supervised devices. This allows you to have a proxy for HTTP traffic that is persistent across apps.

Each Wi-Fi network that you push to devices also has the ability to have a proxy associated as well. This is supported by pretty much every MDM solution, with screens similar to the following, which is how you do it in Apple Configurator.

I am all about layered defense, though, or having an alternative if a proxy is not an option. Another way to disable access to certain sites is to outright disable Safari and use another browser. This can be done with most MDM solutions as well as using a profile. To see what this would look like using Apple Configurator, see the profile below.

Now, once Safari has been disabled, you then need to provide a different browser. There are a number of third party browsers available on the App Store. Some provide enhanced features such as Flash integration while others remove features or restrict site access.

In this example we’re using the K9 Web Protection Browser. This browser is going to just block sites based on what the K9 folks deem appropriate. Other browsers of this type include X3watch, Mobicip (which can be centrally managed and has a ton of pretty awesome features), bSecure (which ties in with their online offerings for reporting, etc) and others.

While this type of thing isn’t likely to be implemented at a lot of companies, it is common in education environments and even on kiosk types of devices. There are a number of reasons I’m a strong proponent of a layered approach to policy management for iOS. By leveraging proxies, application restrictions, reporting and when possible Mobile Device Management, it becomes very possible to control the user experience to an iOS device in such a way that you can limit access to web sites matching a certain criteria.

iPhone

Volume Purchasing Program Now Available In More Countries

The Volume Purchasing Program is a program from Apple that allows you to buy gift codes en masse for distribution to users, either by mail merging them and sending them out or using a special tool for distribution, such as Apple Configurator or an MDM solution. If you’re in the United States and work with iOS, you’ve likely been using the Volume Purchasing Program for awhile. But for users in Australia, Canada, France, Germany, Italy, Japan, New Zealand, Spain and the United Kingdom, the Volume Purchasing Program is new and probably being well received.

The Volume Purchasing Program allows users to receive the codes and install/purchase software without being gifted money to do so, although in most cases the users will need Apple IDs. This is because the Volume Purchasing Program still requires codes to be redeemed, although if you’re using Apple Configurator you can deploy apps without tying them to unique Apple IDs.

Overall, the Volume Purchasing Program is a great way to be able to control and manage app expenditures, and for users in the newly added countries, will help with deployments large and small. To access the Volume Purchasing Program site, see http://www.apple.com/business/vpp. To quote Apple:

Deliver essential business apps to your employees with the Volume Purchase Program, now available in Australia, Canada, France, Italy, Germany, Japan, New Zealand, Spain, the UK, and the US. VPP makes it easy to purchase iOS apps in any quantity and distribute them to your users. You can also have custom apps built for your company’s unique needs. Search thousands of useful apps, specify any quantity, and use a corporate credit card to complete your purchase. Download the updated VPP Guide for details.

iPhone Mass Deployment

Backing Up And Restoring iOS Devices in iTunes

For many iOS deployment projects, iTunes is used as the primary deployment vehicle for the devices. iTunes can be used to “Backup” and “Restore” an iPad, similar to how you image desktop and laptop computers.

The actual deployment process is straightforward. First we’ll create a backup in iTunes. Then we can deploy the backup using the Restore option within iTunes. Provided the backup is encrypted, the Restore option will maintain the maximum amount of data available. For example, if a device has been activated then the fact that it has been activated is maintained across a restore, as are the applications that are installed on the device.

Create iTunes Backup

To Create an iTunes Backup:

  • Open iTunes and dock the device with the master configuration.
  • Check the box to “Encrypt local backup.”
  • At the Set Password screen, provide a password for the encrypted backup.
  • In order to ease restore, check the box for “Remember this password in my keychain” (passwords are set to user names).
  • Control-click on the name of the device in the DEVICES section.
  • Click on “Back up”.
  • If prompted, click Set Password (subsequent backups will not require passwords).

Restoring with iTunes

To Restore an iTunes Backup:

  • Open iTunes and dock the device to be restored.
  • Control-click on the device.
  • Click “Restore from Backup”
  • At the “Restore From Backup” screen, select the name used in the previous backup.
  • Click Restore.
  • If prompted, enter the Password.
  • Rename the iPad once the restore process is complete.
  • Once the Restore is complete, if prompted to “Set Up Your iPad”, uncheck the “Automatically sync songs and videos to my iPad” and “Automatically sync apps to my iPad” boxes, put the student’s Active Directory name in the Name field and click Done.
iPhone Mass Deployment

Using Apple Configurator To Automate Casper MDM Enrollment

Enrolling iPads into the JAMF Casper MDM solution is done through Apple Configurator, Messages or using links deployed to iOS devices as web clips. When doing larger deployments the enrollment process can be automated so that devices are automatically enrolled into Casper MDM when they are set up, using an Enrollment Profile that is manually downloaded from Casper and deployed to the device. Additionally, a certificate may be needed if the certificate is not included in the profile, an option available as a checkbox in the setup. While you hopefully won’t need to download the certificate, we’ll start there:

Obtain the Certificate for the JSS Server

To obtain the trust certificate from the JSS Server:

  1. Open the web interface for the JSS.
  2. When prompted to trust the certificate, click on the disclosure triangle and then the checkbox to trust the cert, providing the administrative credentials when prompted.
  3. Open Keychain Utility.
  4. Click in the search field.
  5. Search for JSS.
  6. Control-click on the name of your server’s “Built-in Certificate Authority” entry.
  7. Choose the option to Export.
  8. When prompted, provide a name for the certificate in the Save As field.
  9. Choose a location to save the certificate to using the Where field.
  10. The .cer format is sufficient for our purposes.
  11. Click Save.

Download the Enrollment Profile

To download an enrollment profile from Casper MDM:

  1. Log into the web interface of the JSS.
  2. Click on the link for Mobile Device Enrollment.
  3. At the Mobile Device Enrollment Invitations screen, click on the Enrollment Profiles tab.
  4. At the Enrollment Profiles screen, click on Download for the appropriate profile (for most environments there should only be one).
  5. Once the profile is downloaded, it will automatically attempt to enroll the computer you are downloading it from in the Profiles System Preferences pane.
  6. Click on Cancel.
  7. Click on the downloads link in Safari.
  8. Click on the magnifying glass icon to see the .mobileconfig file.

You have now downloaded the .mobileconfig file that will enroll devices into Casper MDM.

Add the Profile To Apple Configurator:

To deploy the profile through Apple Configurator:

  1. Open Apple Configurator on the client computer.
  2. Click on Prepare in the row of icons along the top of the screen.
  3. Drag the profile (by default currently called MDM-iOS5.mobileconfig) from the Finder into the list of Profiles.
  4. The profile then appears in Apple Configurator (in this example, called MDM-iOS5).

Deploy The Casper MDM Enrollment Profile Through Apple Configurator

Once the profile is installed in Apple Configurator, let’s deploy it. In this example, don’t configure any other options. To deploy:

  1. Set the name to be blank, numbering should be disabled, Supervision should be off, iOS should be set to No Change, “Erase before installing” should be unchecked, Don’t Restore Backup should be set in the Restore field.
  2. Check the box for the newly added profile (MDM-iOS5 in this example).
  3. Click on the Prepare button.
  4. At the “Are you sure you want to apply these settings to all USB-connected devices?” screen, click on the Apply button.
  5. The subsequent screen shows when devices are being configured. Here, dock the device to receive the profile (note, all docked iOS devices are going to be configured with this profile).
  6. Once the device is connected, the profile will begin to install. You are then prompted to “Tap device to install profile”.
  7. On the device, tap on the Install button.
  8. At the Warning screen, tap Install.
  9. Once the Profile is installed, tap Done.
  10. You have now been enrolled.

If you then wish to unenroll, simply remove the profiles by tapping on profiles and then tapping on the Remove button. Per the MDM API, a user can elect to remove their device from management at any point, so expect this will happen occasionally, even if only by accident.

iPhone

Free Hosted Mobile Device Management for iOS

SimpleMDM is a newish Mobile Device Management service that is free, from MJVLabs, the makers of Presense. Now, it’s newish and currently completely free, so there are specific cases where it’s appropriate. Currently, SimpleMDM can be used to:

  • Setup very specific mail
  • Setup SSIDs and passwords (those are the only two options)
  • Disable the App Store or require a password to access the app store
  • Configure Basic, Strong or Very Secure password requirements
  • Restrict content
  • Disable Camera &/or FaceTime
  • Disable Safari
  • Disable iCloud
  • Disable YouTube
  • Disable Multiplayer Gaming

The solution is simple to use. Just visit the website at simplemdm.com, click on Create New Account, enter your information and click the link in the email they send you. Then log in. Once logged in, the layout is very basic and workflow oriented.

Each block indicates a group of devices. By default, there’s a Default Group (similar to Everyone in Profile Manager environments) and a Quarantine Group. Click on Add Group to bring up a screen that allows you to configure most of the policies for the group.

Here, provide a name for the group and then configure the displayed options required by your organization. Click Save to save the changes. Then click on Settings in the right-hand sidebar and then click on Email Providers. Here, enter the information for your mail server, provided all required options are available.

Once you are satisfied with your mail settings, click Save (note, that accounts will be prompted for account/password at the time the profile is installed). You can also click Wireless Networks here, which has an option for SSID and Password.

Now, one thing that I find interesting about SimpleMDM is that it has the option to set a minimum version of iOS as well as block apps. To configure these options, click on the disclosure triangle to the right of a group name and click on Rules.

At the Rules screen, set the “Minimum required version of iOS” and choose whether to allow or deny apps, checking those you wish to allow or deny as needed.

I like to configure all my settings and then enroll devices. To enroll, click on the Add Device button in the right-hand sidebar.

Click on which group to add a device to, provide a name for the device that will be referenced within SimpleMDM and choose whether to text or email the enrollment profile to the user. If SMS, enter the user’s phone number. If Email, enter the email address and then click on the Create button.

When the user taps the profile they will be able to enroll in the SimpleMDM service.

Some things you will need a different MDM solution to do:

  • Anything that involves certificates (other than telling mail to use one, but not provide it)
  • Anything about 802.1x
  • Any pushing out of applications
  • Pushing out webclips
  • VPN, LDAP (for Contacts), Calendar (CalDAV), Contacts (CardDAV), SCEP
  • OS X management
  • APN configuration
  • Disable Siri
  • Customize In-App purchasing
  • Disable screen capture
  • Manage Photo Stream
  • Disable pop-ups, cookies and JavaScript, and force the fraud warning in Safari
  • Set ratings region
  • Manage diagnostic data
  • Configure profiles to be non-removable
  • Use a web portal for enrollment from devices rather than through email/sms

Now, none of these things are anything against SimpleMDM. Features make things more complicated and it’s simple. I think more features will come. For now, if you just need these basic options then why bother with your own infrastructure. If there’s just one more thing you think you might need, make a feature request and see if it gets added. Either way, it’s cool to see what I consider the next step in the evolution of MDM, a free tool. I’d also like to see a self-serviceable open source option as well eventually, of which I know of a few projects in the works but none ready to mention. Either way, excellent first try and kudos to the developers of SimpleMDM.