My third podcast in the last couple of months, this time with Chuck Joiner again, of MacVoices. We talked a pretty good bit about Bushel and Mobile Device Management. Thanks to Chuck for formatting this whole thing so well and for helping bring my explanations to a point where they actually make sense!
krypted January 29th, 2015
Apple’s Device Enrollment Program (DEP for short) allows you to automatically set up the devices your organization purchases with the settings you need. In Bushel, we give you the ability to link an Apple DEP account up with your Bushel account. This allows devices to add themselves to your Bushel automatically when they are activated, with no one having to enroll them by hand. We tend to think this is the coolest thing since sliced bread and so we want to make sure you know how to use the feature.
To get started, log into your Bushel and click on Devices. Here, click the button for Device Enrollment Program.
Download your certificate (this is the public key Bushel will use with DEP; Apple needs it to trust your server) and go to deploy.apple.com and log into your Device Enrollment Program account. Click on Manage Servers in the Deployment Programs sidebar.
Next, click on Add MDM Server and provide the certificate we gave you and a name. As with any MDM, Apple then generates a server token for that MDM server, which the MDM has to download and import, so keep an eye out for that step in Bushel; the token is what actually links the two accounts. Once Bushel has been added to your Device Enrollment Program (DEP) account, click on Assign by Serial Number to add your first device. Assuming the device is part of your DEP account (only devices bought through Apple or a participating reseller under your organization are), enter the serial number for the device and choose which server (the one you just added) the device should reach out to on activation to pull settings from.
Once you’ve assigned the device, you’ll be greeted by a screen that says Assignment Complete. DEP only kicks in during the Setup Assistant, so a device that is already set up has to be wiped; upon reactivation it will pull its settings from your Bushel.
Click OK and you can add more devices. Once your devices are added into the Apple DEP portal they will automatically appear in the DEP screen of your Bushel. Click on a device to assign a username and email address, if you will be using email.
krypted November 21st, 2014
OS X has a command called rvictl (it ships with Xcode) that mirrors the network traffic of a plugged-in iOS device onto a virtual interface on the Mac, known as a Remote Virtual Interface, or RVI. Nothing is proxied: the device keeps talking over its own Wi-Fi or cellular connection and the Mac just receives a copy of every packet, which you can then capture with tcpdump or Wireshark. To set up an rvi, you’ll need the udid of the device, and the device will need to be plugged into a Mac and paired with it. This may seem like a lot but if you’ve followed along with a couple of the other articles I’ve done recently this should be pretty simple. First we pair the device with the Mac and tap Trust on the device itself. Then we grab that udid with idevice_id; the idevice_id -l in the next command prints the udid of every connected device, so if more than one device is plugged in, copy the one you want rather than using the backticks.
Next, we’ll set up an rvi with rvictl and the -s option (here I’m just going to grab the udid inline since I only have one device plugged into my computer):
rvictl -s `idevice_id -l`
Then we can list the active virtual interfaces using rvictl with the -l option:
Next, we’ll run a tcpdump on this newly constructed rvi0 (-n keeps tcpdump from resolving names, so the output shows raw addresses):
tcpdump -n -i rvi0
Next, we’ll get a lot of output. Let’s fire up the Nike FuelBand app and refresh our status. Watching the resultant traffic, we’ll see a line like this:
22:42:29.485691 IP 192.168.0.12.57850 > 184.108.40.206.443: Flags [S], seq 3936380112, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 706439445 ecr 0,sackOK,eol], length 0
There’s a destination IP in there, 184.108.40.206, and a destination port, 443. We can look the IP up and see that the servers are sitting on Amazon Web Services and verify it’s Nike. Because the app talks on port 443 that traffic is TLS, so tcpdump shows us the endpoints, the timing and the volume of each exchange, but not the GET, POST or other request contents; to see those you’d have to put a TLS-intercepting proxy between the device and the server and install its CA certificate on the device. Opening the same capture in Wireshark gets us a bit more, such as the server name the app sends in the TLS handshake.
Overall though, this article is meant to focus on the iOS side of this and not on debugging and refining the approach to using tcpdump/Wireshark. When you’re done, rvictl -x with the same udid removes the interface. rvictl is a great tool in the iOS development cycle and for security researchers looking into how apps on iOS devices exchange data. Enjoy.
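To turn a capture like the one above into something you can act on, here is an added Python example (mine, not from the original post or from any Apple tool) that reads tcpdump -n output from a pipe and summarises which endpoints the device opened TCP connections to, which of those sit outside the LAN, and which DNS names it looked up on the way. The sample capture embedded in it is constructed for the example: only the first line is the one from this post, and the hostname api.example.com is made up.

```python
"""Summarise `tcpdump -n` output captured on an rvi interface: which endpoints
the device opened TCP connections to, which of those sit outside the LAN, and
which DNS names it looked up along the way.

Usage (added example, not from the original post):
    tcpdump -n -l -i rvi0 | python3 rvi_summary.py
"""
import ipaddress
import re
import sys
from collections import Counter

# Shape of an IPv4 line from `tcpdump -n`:
#   HH:MM:SS.usec IP src.sport > dst.dport: rest-of-line
TCPDUMP_IPV4 = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
TCP_FLAGS = re.compile(r"Flags \[([^\]]*)\]")
DNS_QUERY = re.compile(r"\b(?:A|AAAA)\? (\S+)")

# Constructed sample: the first line is the one from the post, the rest are
# made up (the SYN/ACK reply, an ACK, a DNS lookup of a made-up name, a second
# SYN to the same server, a LAN-only SYN, and an IPv6 mDNS line the parser skips).
SAMPLE = """\
22:42:29.485691 IP 192.168.0.12.57850 > 184.108.40.206.443: Flags [S], seq 3936380112, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 706439445 ecr 0,sackOK,eol], length 0
22:42:29.532110 IP 184.108.40.206.443 > 192.168.0.12.57850: Flags [S.], seq 1, ack 3936380113, win 65535, options [mss 1460], length 0
22:42:29.532300 IP 192.168.0.12.57850 > 184.108.40.206.443: Flags [.], ack 1, win 4096, length 0
22:42:29.201000 IP 192.168.0.12.52001 > 192.168.0.1.53: 41233+ A? api.example.com. (33)
22:42:30.100000 IP 192.168.0.12.57851 > 184.108.40.206.443: Flags [S], seq 1, win 65535, length 0
22:42:30.200000 IP 192.168.0.12.57852 > 192.168.0.1.80: Flags [S], seq 2, win 65535, length 0
22:42:31.000000 IP6 fe80::1.5353 > ff02::fb.5353: 0 PTR? _services._dns-sd._udp.local. (46)
"""


def parse_line(line):
    """One tcpdump line -> dict, or None for lines this parser does not cover
    (IPv6, ARP, tcpdump's own status messages, blank lines)."""
    m = TCPDUMP_IPV4.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    flags = TCP_FLAGS.search(pkt["rest"])
    pkt["flags"] = flags.group(1) if flags else None  # None for UDP, e.g. DNS
    return pkt


def dns_query_name(rest):
    """'41233+ A? api.example.com. (33)' -> 'api.example.com', else None."""
    m = DNS_QUERY.search(rest)
    return m.group(1).rstrip(".") if m else None


def summarize(lines):
    """Count new TCP connections (a bare SYN) per destination ip:port, split out
    the ones leaving the LAN, and collect the DNS names that were queried."""
    new_conns = Counter()
    names = set()
    unparsed = 0
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            unparsed += 1
            continue
        name = dns_query_name(pkt["rest"])
        if name:
            names.add(name)
        if pkt["flags"] == "S":  # SYN without ACK: a connection being opened
            new_conns[(pkt["dst"], pkt["dport"])] += 1
    external = Counter({k: n for k, n in new_conns.items()
                        if not ipaddress.ip_address(k[0]).is_private})
    return {"new_connections": new_conns, "external": external,
            "dns_queries": sorted(names), "unparsed": unparsed}


if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    report = summarize(source)
    for (ip, port), n in report["external"].most_common():
        print("%-15s :%-5d %d new connection(s)" % (ip, port, n))
    print("DNS names queried:", ", ".join(report["dns_queries"]) or "none")
    print("lines not parsed (IPv6/ARP/other):", report["unparsed"])
```

Feed it the live capture with tcpdump’s -l flag so output is line-buffered, or run it with no pipe to see it work on the embedded sample. The DNS names are usually the quickest way to put a name to the IPs that the SYN counts point at.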
krypted November 19th, 2014
You can do some pretty simple testing of ports and network communications using strategies I’ve outlined in the past with tcpdump, traceroute, telnet, curl, stroke and of course ping. However, netcat (nc) has a few interesting things you can do with it; namely, actually run a listener super-quickly to test traffic between subnets, forcing connections over IPv4 or IPv6, debugging sockets, keeping connections alive, proxying through SOCKS 4 and 5 and just checking for daemons that are listening rather than actually sending data to them.
In this first example, we’re going to just check that Apple’s web server is accessible (adding -v for verbose output):
/usr/bin/nc -v www.apple.com 80
The result would be pretty verbose:
found 0 associations
found 1 connections:
src 10.10.20.176 port 50575
dst 18.104.22.168 port 80
rank info not available
TCP aux info available
Connection to www.apple.com port 80 [tcp/http] succeeded!
HTTP/1.0 408 Request Time-out
Date: Tue, 29 Jul 2014 15:41:34 GMT
Expires: Tue, 29 Jul 2014 15:41:34 GMT
The server timed out while waiting for the browser’s request.
The 408 at the end is the server giving up on us: nc opened the connection but we never typed a request, so the web server eventually hung up. If we added a -w timeout, nc would hang up first and we’d cut out all the cruft (but wouldn’t know that the server’s at Akamai). Next, we’ll get a little more specific and fire up a test of Apple’s push gateway, gateway.push.apple.com, on port 2195:
/usr/bin/nc -v -w 15 gateway.push.apple.com 2195
But, I want the cruft for the purposes of this article. Next, we can add a -4 to force connections over IPv4 and check the Apple feedback server and port 2196, also required for APNs functionality:
/usr/bin/nc -v -4 feedback.push.apple.com 2196
Right about now, something is probably happening at Apple where they’re getting sick of me sending all this data their direction, so let’s add a -z option, to just scan for daemons, without actually sending any data their way:
/usr/bin/nc -vz -4 feedback.push.apple.com 2196
You might notice that the src port keeps changing (incrementing, actually). That isn’t NAT: the Mac picks a fresh ephemeral source port for each connection, and any NAT between you and Apple may rewrite it again on the way out. If a firewall rule somewhere cares about the source port, we can force ours to stay the same as the destination port using the -p option (run it twice in a row and the second attempt can fail with the address in use, because the first connection from that port is still in TIME_WAIT; that’s the cost of a pinned source port, not a network problem):
/usr/bin/nc -vz -4 -p 2196 feedback.push.apple.com 2196
Now, what if this is failing? Well, let’s spin up a listener. I like to start on my own subnet, then move to another subnet on the same network and ultimately to another network, so I’m checking zone-by-zone, so to speak, for such a failure. We can spin up a listener with netcat in a few seconds using the -l option; it binds the port and prints whatever arrives, so start it first, on the host that should be reachable:
/usr/bin/nc -l 2196
Then, from that same host, I can check that the listener answers before the network is involved at all:
/usr/bin/nc 127.0.0.1 2196
From another host, replace 127.0.0.1 with the listener’s address; if the listener answers locally but not from the next subnet over, the problem is somewhere between the two. I could also do this as a range if I forgot which port I used per host:
/usr/bin/nc 127.0.0.1 2195-2196
Now, as is often the case, if our connection problem is because data isn’t making it through a proxy, we can also have nc go through a SOCKS proxy using the -x option followed by an IP, a colon and a port (SOCKS 5 by default; -X selects SOCKS 4 or an HTTPS CONNECT proxy instead). For example, through a proxy at 10.0.0.2:8080:
/usr/bin/nc -vz -4 -w 10 -p 2196 -x 10.0.0.2:8080 feedback.push.apple.com 2195-2196
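As an added example (mine, not from the original post), here is the same set of checks written against Python’s socket module, so they can be scripted and run from each zone in turn: a connect-only probe like nc -z, nc’s port-range syntax, a pinned source port like nc -p, the zone-by-zone walk described above, and a throwaway listener like nc -l. It runs against 127.0.0.1 so it works offline; the SOCKS hop (nc -x) is not covered, since the standard library has no SOCKS client. The zone labels and addresses in the main block are made up.

```python
"""Python stand-in for the nc checks in this post: connect-only probes (nc -z),
port ranges, a pinned source port (nc -p), the zone-by-zone walk, and a
throwaway listener (nc -l). Added example; hosts and labels are made up."""
import socket
import threading
from contextlib import closing


def parse_port_spec(spec):
    """nc's range syntax: '2195-2196' -> [2195, 2196]; '2196' -> [2196]."""
    lo, _, hi = spec.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not 0 < lo <= hi <= 65535:
        raise ValueError("bad port spec: %r" % spec)
    return list(range(lo, hi + 1))


def tcp_check(host, port, timeout=5.0, source_port=None, family=socket.AF_INET):
    """`nc -z [-4] [-p SRC] host port`: complete the TCP handshake, send
    nothing, close. Returns (True, None) or (False, reason)."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        if source_port is not None:
            # nc -p: pin the source port. SO_REUSEADDR lets us rebind it while
            # the previous connection from the same port is still in TIME_WAIT.
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            sock.bind(("", source_port))
        sock.connect((host, port))
        return True, None
    except OSError as exc:  # refused, timed out, no route, address in use...
        return False, str(exc) or type(exc).__name__
    finally:
        sock.close()


def scan(host, port_spec, **kwargs):
    """`nc host LO-HI`: one connect-only probe per port in the range."""
    return {p: tcp_check(host, p, **kwargs) for p in parse_port_spec(port_spec)}


def first_failure(zones, timeout=5.0):
    """The zone-by-zone method from the post: probe the same subnet, then the
    next subnet, then another network, and report the first hop that fails.
    zones is a list of (label, host, port); returns (label, reason) or None."""
    for label, host, port in zones:
        ok, why = tcp_check(host, port, timeout=timeout)
        if not ok:
            return label, why
    return None


def start_listener(host="127.0.0.1", port=0):
    """`nc -l PORT` on the far end: accept and immediately close connections
    until stop() is called. port=0 lets the OS pick. Returns (port, stop)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    srv.settimeout(0.2)  # so the accept loop notices stop() promptly
    stopping = threading.Event()

    def serve():
        while not stopping.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            conn.close()
        srv.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    def stop():
        stopping.set()
        worker.join()

    return srv.getsockname()[1], stop


def free_port():
    """A port nobody is listening on, for the 'closed' case."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port, stop = start_listener()
    print("listener on 127.0.0.1:%d" % port)
    print("scan:", scan("127.0.0.1", "%d-%d" % (port, port), timeout=2))
    print("pinned source port:", tcp_check("127.0.0.1", port, 2, source_port=free_port()))
    # Made-up zones; on a real network these would be hosts in each subnet.
    zones = [("same subnet", "127.0.0.1", port), ("next subnet", "127.0.0.1", free_port())]
    print("first failure:", first_failure(zones, timeout=2))
    stop()
```

Wrap first_failure in a cron job or a quick loop over your real zone hosts and you get the same zone-by-zone answer the nc commands give, without retyping them; the reason string tells you whether the failure was a refusal (something answered, so routing works) or a timeout (nothing answered, so look at routing or a silent firewall).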
Fun times with push notifications. Enjoy.
krypted July 29th, 2014
If you do deployments of Apple products, there are a few conferences to look at. Based on where you are and what industry you are in, some of these are better than others. But if you use the Casper Suite or are considering doing so, it would be really hard to beat JNUC, the JAMF Nation User Conference.
And yes, I’d have said all this and posted this even if I hadn’t come to work here a week and a half ago! So come one, come all to Minneapolis. And if you’re really nice, we’ll hook you up with some good old-fashioned Minnesota lutefisk!
krypted June 11th, 2014
I enjoy going to MacIT so much. Paul Kent ran a great little conference in Monterrey one year and I am so glad that I started going to Macworld around that time. I missed it last year while trying to trim back on the travel and am pretty stoked I got to get there again this year. Special thanks to everyone I saw and was able to hang out with. Considering there isn’t a single person I didn’t want to hang out with, sorry if I didn’t see you or get to spend any time. Thanks to Duncan and Kevin White for making time to do the podcasts (hopefully the background noise is low enough so we can get them posted!).
Also, this is a top-notch production. Kathy, Paul, the board (Arek, Dan, John, Kevin, Duncan, etc) and everyone else I’ve ever interacted with there are absolutely amazing. I would love nothing more than to not get a chance to speak next year because a flood of amazing talks burst on the scene. Start thinking about what you could talk about now so I can show up and sit in the back and watch you do your thing!
And if you were in my session and asked about the presentation when the conference site was on the fritz (which could have also been my fault BTW), the presentation is here: MacIT 2014
krypted March 31st, 2014
The good folks at Amsys have built a nice little app called Services Test for verifying outbound connectivity to the critical services iOS devices need in order to activate and be managed. If you are having problems connecting to these services or activating devices, simply open the app and tap the play button in the upper right hand corner of the screen.
Tap the Info button to see what each of these servers does during the activation and management process.
The app can also test a few common server services, including connecting to an OS X Server, Casper and AirWatch. These are typical services used in an iOS and Mac environment.
Overall, this is a really nice little app for testing connectivity to typical iOS services and a very nice tool Amsys is providing to the community!
krypted January 17th, 2014
Posted In: iPhone
Recently I woke up and my daughter was sitting on me watching something on the iPad. As I woke ever so slightly I realized that she was watching Transformers the movie on Netflix. I’m not typically a helicopter dad, hovering over her every move, but I did realize amidst the explosions that ya’, I might want to take some of the things I learned writing the book on locking these things down and put a few very basic measures in place to keep her from seeing something she shouldn’t. After all, she’s gotten about as good at navigating around the thing as I am (and these days she’s getting pretty acclimated with iOS 7).
So let’s look at some basic precautions that parents can take to keep their kids sandboxed into just the material they feel confident with. For starters, the built-in precautions. These all live in the Settings app, and each comes with repercussions that I’ll go into with each step, so you can decide for yourself whether you actually give a crap about them.
The nuclear option is to enable a passcode so the child can only use the device when supervised. I did not do this myself for the home iPad for a variety of reasons: sometimes she locks the device while I’m driving, sometimes she wants to use the device when she wakes up at 6am after I was up hacking stuff ’till 4am and well, because I want the device to be as much hers as mine. So I don’t want to enable a passcode that the she does not know, but you might.
To set a passcode, open the Settings app from the home screen and tap General (or, if you don’t want a passcode, skip to the next section).
From the General screen, tap Passcode Lock.
At the Passcode Lock screen, tap Turn Passcode On and provide the passcode when prompted. This screen is also where Require Passcode sets how long the device can be asleep before it asks for the passcode again.
Once you’ve enabled a passcode, note the Erase Data switch on the same screen: it is off by default, and if you turn it on the device wipes itself after ten wrong passcodes, which is great against a thief and a real risk with a button-mashing toddler. On the plus side, the passcode is what protects the data on the device: the encryption keys for protected files are derived from it, so the data is only readable once it has been entered, and it also satisfies the kind of passcode policy an Exchange server at work may require.
Restrictions allow you to disable various features of iOS, including Safari, the Camera, FaceTime, iTunes, iBookstore, the App Store, deleting apps, Siri and even Siri’s tolerance for explicit language. Additionally, you can control what ratings of media can be purchased from the iTunes Store. To get started, tap Restrictions on the General screen in Settings.
Here, you will see that pretty much everything is allowed by default. You have the option to disable very specific items.
When you enable Restrictions you will be prompted for a Restrictions passcode, which is needed to change or disable the restrictions later. This is separate from the device passcode, and clearly you wouldn’t want to share it with the child. Don’t forget it either: without it, the only way to clear the restrictions is to erase the device.
Tap Enable Restrictions and note that we’re going to go ahead and enable a few and then postpone a couple of others until the end of the article because they will keep us from completing steps we want to complete later. The restrictions many will want to enable (which disables the feature):
Note: You can also lock the volume level here, although I usually don’t with ours as it just causes problems/arguments and a general desire not to use headphones, which I have a general desire to be used when watching many of her shows.
Another Note: You can browse content that you’ve blocked but not purchase/download that content, so know that if you’re not going to put a passcode on devices, or hide them when children aren’t supposed to use them.
Once you’ve enabled all the restrictions you’d like, leave the Restrictions screen and then go back in, just to verify that the passcode you used earlier still works. Also note that the Accessibility options under General can be great for those with disabilities, but I usually don’t enable any of them otherwise.
Remove Your Stuff
Still in the Settings app, tap on Mail, Contacts, Calendars. Now this is painful, as it basically means that no, the iPad isn’t really yours like you thought it was, but remove your mail accounts. Otherwise, the kids will send mail to the entire Mac Enterprise list like mine did a few years ago. Yup, it will happen and thousands of people will laugh at you (or in my case they’ll just laugh at you more than usual). Once removed, the Mail, Contacts, Calendars screen in the Settings app will just show you an option to “Add Account…” as seen here.
Also don’t forget that Facebook, Twitter, Instagram and all the other awesome reasons you bought the thing can end up getting photobombed with pictures she took while sitting in the back seat, tinkering around with Photo Booth. I actually don’t mind these with random characters or pictures my daughter posts of her tinkering with the camera app, so I don’t bother removing them, it’s more email specifically and only because you never know who she’s gonna’ hit up there.
Netflix is one of those funny places where children can spend hours, and while enamored with poster frames of interesting shows, kids can see things you might not want them to see. With profiles, each person picks their own profile in the app and sees their own queue of shows, plus suggestions they might be interested in. Profiles are not password protected, so users can select whichever profile they choose. But, it’s a start. I like to associate a different image with each user. To set up profiles, log into Netflix, hover the mouse over your name and then click on Manage Profiles. Here, create each desired profile and for any children you want to try and limit, click Edit and then check the “This is a profile for kids under 12” checkbox.
Note: Profiles have a side benefit which is that you don’t see My Little Pony on your queue and your child doesn’t see Sacha Baron Cohen movies in their queue.
I also like to assign an image for each (click the red image in the lower right corner of the avatar for each user to select their own image). Make sure the whippersnapper knows which image they’re to use, and it will be a while before they realize they can just switch profiles if something’s blocked and they want to watch it. It will be punishment enough logging into a profile that doesn’t have a bunch of cartoons on it (okay, mine does) so they won’t want to use anyone else’s profile.
Once you’re done you’ll get a cute login prompt on the device, when you log into Netflix.
Anyway, next is the hard part, move all the stuff you want to watch to your profile and leave the kid stuff in their profile (after all, I’m sure that like me they have more crap in their queue than you do!). I did this by having the iPad in my hand and a laptop. I looked at the list on the iPad to see what I wanted to add to my own queue (whoops, they call them lists now) and deleted things from the other profile with the iPad.
Next, we’ll perform one small change in the Settings for the Netflix app. Open the Settings app and scroll down in the sidebar until you see Netflix. Tap it and then turn the Wi-Fi Only option on.
This keeps you from getting an insanely high bill when the kids decide to watch Netflix using your data plan.
Install a Browser
Next, let’s install a browser so they can use the web with a little filter on it. Using a different browser means a slightly different look and feel, but it means we can limit what they’re able to use. To get started, open the App Store on the iOS device. Then, type K9 in the search bar and install it.
Once installed, try to browse a site you know to be just wrong for the kiddo from within the browser. Once you see the blocked page, you know you’re good.
K9 is a browser that is provided free of charge (well, there’s an ad bar that you can in app purchase to get rid of for $2.99 but close to free!) from Blue Coat, a company that makes proxy servers that filter and track internet traffic. I’m a big fan of their products and if you happen to do IT in a school district or company it might not be a bad idea to check their stuff out as well!
Now, many kids won’t need a web browser, but since you can’t access YouTube without one, you’ll end up needing one eventually. Once you’ve installed a browser it’s time to disable access to Safari, which limits web browsing to the K9 browser (apps that embed their own web view aren’t covered by either, which is one reason for the DNS step later in the article). To do so, open the Settings app again, tap General and then Restrictions.
From the Restrictions screen, flip the switch for Safari to Off.
The Safari icon then disappears from the home screen.
Disable the App Store
Once you’ve installed the K9 browser and all the fun games and educational whatnot that your children should have, it’s time to disable the App Store so that no further apps can be installed, such as another browser to bypass the K9 browser previously installed. To do so, open the Settings app, tap General and then tap Restrictions.
From Restrictions, simply move the slider for Installing Apps to the Off position.
Close the Settings app and the App Store icon will disappear from the home screen.
Enable Guided Access (aka Kiosk Mode)
Guided Access locks a user inside a single app. Only use this if you want to hand a kid an iPad that’s already in an app and not let them leave it. If you use Guided Access you likely don’t need any of the other restrictions we mentioned in this article; however, every time the kid wants to switch apps you’re going to need to enter the passcode, open the other app and then start Guided Access again, which could get pretty darn annoying after a while.
Using Guided Access is a two-part process. First, enable Guided Access in Settings, which does little except set a passcode. It’s never a bad thing to enable Guided Access although I’ve seen a kid set a passcode accidentally and the device had to get wiped to undo it. Oh, did I mention, you don’t want to forget that passcode? Then, from inside the app we no longer want users to be able to leave, we start a Guided Access session. Once started, the app is locked open until the passcode is entered.
To enable Guided Access, open the Settings app and tap on General. Scroll down until you see Accessibility.
From the Accessibility screen, tap Guided Access.
From the Guided Access screen, tap ON.
Once enabled, you will invariably want to set a passcode (otherwise, why bother?). To do so, tap Set Passcode.
When prompted, provide a passcode.
For children I usually tap Enable Screen Sleep, which allows the device to go to sleep; however I don’t usually do so when setting these things up to actually be in a kiosk. Once you’re happy with the settings, close the app and Guided Access is ready. Next, open an app and then triple-click the home button. A screen will open that allows you to start Guided Access; tap Start from within the app you’d like to lock open and voilà, the app is locked open. You can also disable certain parts of the screen and whether or not the app responds to shaking the device, etc., but I find that can be a bit difficult so I don’t typically use that feature.
Once you’re done with the app, to disable Guided Access, simply triple-click on the home button again, provide the passcode and tap Disable for Guided Access to close. Managing Guided Access is difficult and I find it best for toddlers or bigger kids that might be finding themselves not-to-be-trusted for a short period of time. I mentioned this earlier, but don’t forget the passcode you use to enable Guided Access or you might find yourself wiping the device by the time all is said and done.
Use Safe DNS Servers
You can use a service like OpenDNS to control which Internet names a device can resolve, which blocks them in every app on the device rather than in one browser. FamilyShield is their pre-configured family filter: go to https://store.opendns.com/familyshield and sign up for the free account if you want one (the filtering itself doesn’t depend on it; the paid accounts are where you get to choose which categories get blocked).
Open the Settings app and then tap on Wi-Fi in the sidebar. From the Wi-Fi screen, tap the network you’re connected to and replace the contents of the DNS field with the two FamilyShield resolvers, 208.67.222.123 and 208.67.220.123, separated by a comma.
Once you enter the DNS servers, close the Settings app. Then turn Wi-Fi off and back on so the device drops any answers it cached from the old resolvers, and try a naughty site in the browser to see that the new settings are blocking it. Two caveats: the setting belongs to that one Wi-Fi network, so it has to be repeated on every network the device joins and does nothing at all over cellular, and an older kid can simply edit the field back, so check it now and then.
Get a Case
Okay, so none of this is going to matter one little bit the next time the little devil decides to throw a temper tantrum. You know that shirt that says “I’m why mommy and daddy can’t have nice things”? It is way cheaper than an iPad, but still we let the little tykes play with the things. If we’re gonna’ do that, we might as well get a good case for the thing. Otterbox makes good water-resistant and shock-absorbing cases, as do others.
Just so you don’t have to re-download all the movies you’ve bought to keep the little Cheerio-eaters busy, reconfigure these settings again, etc., you should make a backup of the device. I wrote that up a long time ago at http://www.krypted.com/?p=8319, but it’s worth noting that you want to encrypt these backups so everything is captured: an encrypted backup is the only kind that carries the saved passwords in the keychain over to a replacement device.
Find My iPad/iPhone
Find My iPhone allows you to track the whereabouts of your iPhone, iPad and iPod touch, and to lock or remotely wipe one that has gone missing. To enable it, first turn on iCloud if you haven’t already. To do so, open the Settings app and tap on iCloud in the sidebar. Enter the Apple ID you use to buy software along with the password and then tap Sign In.
Once signed in, if you don’t want to sync mail, contacts, calendars, etc. then flip their sliders from On to Off. Set Find My iPad to On (or Find My iPhone if it’s not an iPad). Close the app and within a few shakes you’ll be able to track the whereabouts of the device.
Then install the Find My iPhone app on another device and log in with your iCloud account, or use the same account to log into the iCloud website from a computer.
When you install Find My iPhone from the App Store, you’ll use an iCloud account to view where the devices are. Mine aren’t really available in the following screen because I suck and wrote this on an airplane. But whatever… Either way, you can now chase down the bully that stole your darling’s iPad and beat them with the folded up stroller, running over them four or five times in your Prius. Or maybe that’s just me. But you can’t do it on an airplane. Sorry.
Get Advanced with Profiles
You can actually lock down a lot more of what iOS can do than what’s available in the Settings app. To do so, you use something known as a configuration profile. Profiles can set the options we discussed in much of this article, but they can also lock down options you didn’t even know were there, such as hiding apps that can’t otherwise be removed and locking users out of specific features of devices.
Profiles are created with Apple Configurator (which I co-authored a book on, available here) and installed over USB, or sent by email or a web link and installed by tapping them, or they can be deployed via an MDM solution such as Apple’s Profile Manager or a really enterprise-class one such as Casper MDM. One thing to know: on an ordinary, unsupervised device, whoever holds it can remove a profile from Settings unless you set a removal passcode on it, so for a kid’s device the profile is best installed with Configurator on a supervised device, where it can be made non-removable. This is much more advanced than what I intended to write here, but I’ve written a lot about MDM over the years, as have others, so feel free to dive into that if you deem it necessary.
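To make that concrete, here is an added Python example (mine, not Apple’s or Apple Configurator’s code) that writes a restrictions profile matching what this article set by hand (Safari off, app installation and removal off, no explicit content or in-app purchases) using the standard plistlib module, and then audits a profile to report which of those restrictions are missing or loosened, which is the “check on the device routinely” step in code. The payload keys are Apple’s documented com.apple.applicationaccess restriction keys; the identifier com.example.kid-ipad, the display name and the output filename are made-up values.

```python
"""Build a restrictions configuration profile (.mobileconfig) and audit one.
Added example: the payload keys are Apple's com.apple.applicationaccess keys,
the identifiers, names and filename are made up."""
import plistlib
import uuid

# The switches this article flips by hand, as profile keys. False disables.
KID_RESTRICTIONS = {
    "allowSafari": False,           # web only through the filtered browser
    "allowAppInstallation": False,  # no second browser to get around the filter
    "allowAppRemoval": False,       # the filtered browser stays installed
    "allowExplicitContent": False,  # explicit music/podcasts off in the store
    "allowInAppPurchases": False,   # no surprise bills
    "allowCamera": True,            # Photo Booth stays; not worth the argument
}


def build_restrictions_profile(display_name, identifier, restrictions=None):
    """Return the .mobileconfig bytes for a profile with one restrictions payload."""
    restrictions = KID_RESTRICTIONS if restrictions is None else restrictions
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Restrictions",
    }
    payload.update(restrictions)
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        # Only honoured on a supervised device; elsewhere the holder can remove it.
        "PayloadRemovalDisallowed": True,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def installed_restrictions(profile_bytes):
    """Collect the restriction keys from every applicationaccess payload,
    dropping the Payload* bookkeeping keys."""
    profile = plistlib.loads(profile_bytes)
    found = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            found.update({k: v for k, v in payload.items()
                          if not k.startswith("Payload")})
    return found


def audit_profile(profile_bytes, expected=None):
    """Return {key: (wanted, actual)} for each expected restriction that is
    absent or set the wrong way; an empty dict means the profile still matches."""
    expected = KID_RESTRICTIONS if expected is None else expected
    found = installed_restrictions(profile_bytes)
    return {key: (want, found.get(key))
            for key, want in expected.items() if found.get(key) != want}


if __name__ == "__main__":
    data = build_restrictions_profile("Kid iPad restrictions", "com.example.kid-ipad")
    with open("kid-ipad.mobileconfig", "wb") as fh:  # made-up filename
        fh.write(data)
    print("problems:", audit_profile(data) or "none")
```

The resulting .mobileconfig can be opened in Apple Configurator or mailed to the device; audit_profile is the piece to keep around, pointed at whatever profile you actually deployed, so the routine check-up later in the article is a script rather than a tour through Settings.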
Check On the Device Routinely
No matter what you do, the device can be reset back to factory defaults and set back up. You don’t have to worry about younger kids searching the Internet and finding out how to do it (like here on Apple’s site). With a passcode set, erasing the device from Settings asks for that passcode, and under iOS 7 with Find My iPhone turned on a wiped device won’t activate again without your Apple ID password, so at the very least you’ll know it happened. But with older kids, check the device every now and then and just make sure your parental controls are still in place.
This article is really meant to be an à la carte listing of things you can do. If the kid is young enough, they’re not going to try to do anything on purpose, but the older the child the more likely they will try to break out of the sandboxed environment you’ve created, if only because they see it as a challenge or simply because they can (kind of like when my daughter writes on the wall). But that isn’t to say that you shouldn’t try to do something. And what you do should be age appropriate, with an eye on not letting them spend too much of your money on apps or too much of their time on the devices.
Don’t Do Too Much
But don’t do too much. Especially if the kids are older. If you do too much, then the kidos have a tendency to try and break the sandbox you build. Oddly, the less the restrictions the less they’ll try and break them. This isn’t so much an issue with the really young ones (think kindergarten and below) but as they get older it’s a bit more of a problem.
Also, keep in mind that the devices are meant to allow for a maximum level of creativity. The more you allow to happen on the device, the more creativity you may allow for. Whatever’s appropriate for the age and knowledge level of your little one!
krypted September 3rd, 2013
Some iOS and/or OS X deployments require us to create a boatload of Apple IDs. This could be to redeem VPP codes, to do iOS backups, to configure Messages, or, now that OS X Server lets users reset their own passwords with one, for that, etc. I have sat and manually created Apple IDs for a number of clients. I’ve created dozens at a single sitting and there are some serious annoyances and challenges with doing so manually. For example, you’re gonna’ fat finger something. If you type 10 things in for 50 accounts then it’s hard to imagine you’re not gonna’ mess something up in one of those 500 fields. It’s also time consuming and, well, just annoying.
Then, along came a script. That script allowed us to create loads of IDs on the fly. Now, we have a very nice GUI tool called the Apple ID Automation Builder that can be used to batch create a number of Apple IDs on the fly. Brought to us by Greg Moore and hosted by enterpriseios.com, this is one of those rare finds that is a serious time saver and very valuable when you need it in your bat belt. Great little tool, well worth the money and I look forward to providing Greg with plenty of accolades should we ever meet!
krypted May 12th, 2013
krypted December 19th, 2012