Tag Archives: JAMF

Uncategorized

Bring Out Yer Apps with Autopkg! (Maybe with a little help)

(Guest post by Allister Banks)

Working with modern tools in the ‘auto’(dmg/pkg) suite, it sure reinforces the old chestnut, ‘it’s turtles XML all the way down.’ The thing that struck me when first diving into using autopkg was that different product recipes could potentially have a good amount of similarities when they share common processors. One example is drag-drop apps that can be discovered with an ‘appcast’ URL, which, in my recollection, became common as the Sparkle framework gained popularity.

This commonality is exactly the type of thing sysadmins like myself seek to automate, so I built a few helper scripts to 1. discover what apps have appcast URLs, 2. generate the base download recipe, and further, the 3. pkg-building recipe that can use the download recipe as a ‘parent’, and the 4. munki or JSS recipes which can nest the pkg recipe in it. Recursivity is the new black.

screnshotsOfCode

Please do take a look if you feel you’ve got apps that folks haven’t built recipes for yet, and laugh at/use/fork my code as you see fit!

Mac OS X Mass Deployment

Announcement (Cross Post) – JSS Add-on for Autopkg

(Guest Post by Allister Banks)

Chocolate+PeanutButter

As Venn diagram circles go, many folks in our community are getting into autopkg, and there’s even more that already use the JAMF Casper Suite. Over on the 318.com blog there’s an announcement for a new ‘processor’ add-on that can be installed with autopkg, that therefore can leverage the JSS API to fulfill many of the functions which up until present only Munki enjoyed. Please do read the release notes and give it a try!

Mac OS X Mass Deployment

Restart Tomcat Using jssutil

I recently needed to restart tomcat on a JSS (my fault not theirs). Because I had other processes running on the same box, I used the jssutil command to restart the tomcat service, using jssutil along with the rt verb:

jssutil rt

Turned out I had screwed things up a little more than all that so tomcat didn’t come back on its own, to get the service to kick back on, use the same command along with the startTomcat verb:

jssutil startTomcat

certifications iPhone Mac OS X Mac OS X Server Mac Security Mass Deployment public speaking

Penn State MacAdmins Back for 2013

Last year, I had a great time at the Penn State MacAdmins conference. There were tons of smart people to mingle with and everyone had plenty to discuss when it came to managing the Mac. There were a lot of people from education but also plenty from companies. The talks were well run and the conference location, the Penn Stater, was awesome. I love how it’s like a big winding maze.

Having gone to school in a town like State College (Athens, GA), I’ve always had a warm spot for cute college towns. And State College is clearly a special place. I’d recommend a trip there to anyone that loves places like Ann Arbor, Norman, Stillwater, Opelika, Corvallis, Blacksburg, Madison, Manhattan (Kansas), Ithaca, Iowa City, Ames, Morgantown, Lafayette (Indiana), Lawrence, Champaign, Logan, College Station and of course, Oxford Mississippi (Ole Miss is a truly special place).

So you’re lucky then, ’cause the Penn State MacAdmins Conference is back for 2013, being held in beautiful State College, PA at Penn State University. The Conference is May 22nd through 24th with a new introductory Boot Camp being held the day before (May 21st) to prep admins for the rest of the conference. And May is one of the best times to visit a place like this. Spring is in the air, kids are getting ready to graduate, the flowers are in bloom and of course, there’s no more snow to be shoveled. A month later and the school would practically be shut down, the town a ghost town.

But in late May, college towns are electric. So don’t just stay at the Penn Stater the whole time, go explore downtown and that Nittany Lion thing – and the spot where Joe Pa’s statue used to be. Take a carriage ride, swing by the Governor’s Pub, have some red meat at Otto’s and of course, perform the underclassmen ritual of throwing up on College Ave! And yes, there’s a College Ave, as there should be. Anyway, the social element of a conference like this is great. Meet those people you tell to RTFM on the ‘ole Enterprise List, the people whose feeds you read and the people whose feeds you deleted  ’cause they talk about college football too much…

The Call for Proposals is now open, so to submit a talk, use http://macadmins.psu.edu/conference/submit-proposals.

This year, there will also be sponsors. To sponsor, see http://macadmins.psu.edu/conference/sponsorships.

Or to attend, see http://macadmins.psu.edu/conference/registration.

To sign up for the conference newsletter, see http://psu.us4.list-manage.com/subscribe?u=acd8b6acc541596a7bdf8e517&id=d37a7e26fd.

And for an example of what you are in store for:

PS – There are 12 teams in the Big 10. While at State College, make sure to remind everyone wearing blue of this fact.

Mass Deployment

More Information On Session From JAMF Nation

JAMF has posted some information on the session I did at JAMF Nation User Conference a few days ago. I’m guessing they’ll be posting the videos up there soon enough.

More information at http://www.jamfsoftware.com/news/2012/10/25/session-mass-ios-deployments.

Mac OS X Mac OS X Server Mass Deployment

Keynote From JAMF Nation

In case you were there and would like a copy, here’s the slides from the presentation I did this week at the JAMF Nation User Conference 2012. If you weren’t there, then perhaps they will help you in some way.

JNUC2012

The session was recorded so I’ll try and post when it becomes available for download.

iPhone Mass Deployment

Using Apple Configurator To Automate Casper MDM Enrollment

Enrolling iPads into the JAMF Casper MDM solution is done through Apple Configurator, messages or using links deployed to iOS devices as web clips. When doing larger deployments the enrollment process can be automated so that devices are automatically enrolled into Casper MDM when they are set up using an Enrollment Profile that is manually downloaded from Casper and deployed to device. Additionally, a certificate can be needed if the certificate is not included in the profile, an option available as a checkbox in the setup. While you hopefully won’t need to download the certificate, we’ll start there:

Obtain the Certificate for the JSS Server

To obtain the trust certificate from the JSS Server:

  1. Open the web interface for the JSS.
  2. When prompted to trust the certificate, click on the disclosure triangle and then the checkbox to trust the cert, providing the administrative credentials when prompted.
  3. Open Keychain Utility.
  4. Click in the search field.
  5. Search for JSS.
  6. Control-click on the name of your server’s “Built-in Certificate Authority” entry.
  7. Choose the option to Export.
  8. When prompted, provide a name for the certificate in the Save As fiel.
  9. Choose a location to save the certificate to using the Where field.
  10. The .cer format is sufficient for our purposes.
  11. Click Save.

Download the Enrollment Profile

To download an enrollment profile from Casper MDM:

  1. Log into the web interface of the JSS.
  2. Click on the link for Mobile Device Enrollment
  3. At the Mobile Device Enrollment Invitations screen, click on the Enrollment Profiles tab.
  4. At the Enrollment Profiles screen, click on Download for the appropriate profile (for most environments there should only be one)
  5. Once the profile is downloaded, it will automatically attempt to enroll the computer you are downloading it from in the Profiles System Preferences pane.
  6. Click on Cancel.
  7. Click on the downloads link in Safari.
  8. Click on the magnifying glass icon to see the .mobileconfig file.

You have now downloaded the .mobileconfig file that will enroll devices into Casper MDM.

Add the Profile To Apple Configurator:

To deploy the profile through Apple Configurator:

  1. Open Apple Configurator on the client computer.
  2. Click on Prepare in the row of icons along the top of the screen.
  3. Drag the profile (by default currently called MDM-iOS5.mobileconfig) from the Finder into the list of Profiles.
  4. The profile then appears in Apple Configurator (in this example, called MDM-iOS5).

Deploy The Casper MDM Enrollment Profile Through Apple Configurator

Once the profile is installed in Apple Configurator, let’s deploy it. In this example, don’t configure any other options. To deploy:

  1. Set the name to be blank, numbering should be disabled, Supervision should be off, iOS should be set to No Change, “Erase before installing” should be unchecked, Don’t Restore Backup should be set in the Restore field.
  2. Check the box for the newly added profile (MDM-iOS5 in this example).
  3. Click on the Prepare button.
  4. At the “Are you sure you want to apply these settings to all USB-connected devices?” screen, click on the Apply button.
  5. The subsequent screen shows when devices are being configured. Here, dock the device to receive the profile (note, all docked iOS devices are going to be configured with this profile).
  6. Once the device is connected, the profile will begin to install. You are then prompted to “Tap device to install profile”.
  7. On the device, tap on the Install button.
  8. At the Warning screen, tap Install.
  9. Once the Profile is installed, tap Done.
  10. You have now been enrolled.

If you then wish to unenroll, simply remove the profiles by tapping on profiles and then tapping on the Remove button. Per the MDM API, a user can elect to remove their device from management at any point, so expect this will happen occasionally, even if only by accident.

Mac OS X Mac OS X Server Mac Security Mass Deployment

Using the Software Update Service on Mountain Lion Server

The software patching configuration built into most operating systems is configured to open a box at home, join your network and start using the computer right away. As environments grow from homes to offices and then offices grow into enterprises, at some point software updates and patches need to be managed centrally. Mountain Lion, as with its OS X Server predecessors has a Software Update service. The service in the Server app is known as Software Update and from the command line is known as swupdate.

The Software Update service, by default, stores each update in the /var/db/swupd directory. The Software Update servie is actually comprised of three components. The first is an Apache server, invoked by the /Applications/Server.app/Contents/ServerRoot/System/Library/LaunchDaemons/com.apple.swupdate.host.plist LaunchDaemon. This LaunchDaemon invokes a httpd process and clients access updates from the server based on a manifest of updates available in the sucatalog. These are synchronized with Apple Software Updates via /Applications/Server.app/Contents/ServerRoot/usr/sbin/swupd_syncd, the LaunchDaemon for swupdate at /Applications/Server.app/Contents/ServerRoot/System/Library/LaunchDaemons/com.apple.swupdate.sync.plist. The Apache version is now Apache/2.2.22.

Clients can be pointed at the server then via a Profile or using the defaults command to edit the /Library/Preferences/com.apple.SoftwareUpdate.plist file. The contents of this file can be read using the following command:

defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist

To point a client to a server via the command line, use a command such as the following:

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://updates.krypted.com:8088/index.sucatalog

But first, you’ll need to configure and start the Software Update service. Lucky you, it’s quick (although quick in a hurry up and wait kind of way). To get started, open the Server app and then click on the Software Update service.

By default, updates are set to simply mirror the Apple servers, by default, enabling each update that Apple publishes, effectively proxying updates. You can use the Manual button if you would like to configure updates to either manually be approved and manually synchronized or just manually approved but automatically copied from Apple. Otherwise click on the ON button and wait for the updates to cache to simply mirror the Apple servers.

If you would like to manually configure updates, click on the Manual option and then click on the Updates tab.

The first item in the Updates tab is the “Austomatically download new updates” checkbox. This option downloads all of the updates but does not enable them. The Updates tab also displays all available updates. click on one and then click on the cog-wheel icon towards the bottom of the screen to configure its behavior (Download, Enable, Disable, Remove and View Update).

Note: The only option for updates in an Automatic configuration environment is disable.

The service can be managed using serveradmin. To start Software Update, use the start option, followed by the swupdate service identifier:

sudo serveradmin start swupdate

To stop the service, replace start with stop:

sudo serveradmin stop swupdate

To see the status of the service, including the location of updates, the paths to log files, when the service was started and the number of updates running, use the fullstatus option:

sudo serveradmin fullstatus swupdate

The output of which appears as follows:

swupdate:state = "RUNNING"
swupdate:lastChecktime = 2012-08-04 17:04:45 +0000
swupdate:syncStatus = "DONE"
swupdate:syncServiceState = "RUNNING"
swupdate:setStateVersion = 1
swupdate:lastProductsUpdate = 2012-08-04 17:07:10 +0000
swupdate:logPaths:swupdateAccessLog = "/var/log/swupd/swupd_access_log"
swupdate:logPaths:swupdateErrorLog = "/var/log/swupd/swupd_error_log"
swupdate:logPaths:swupdateServiceLog = "/var/log/swupd/swupd_syncd_log"
swupdate:readWriteSettingsVersion = 1
swupdate:checkError = no
swupdate:pluginVers = "10.8.91 (91)"
swupdate:updatesDocRoot = "/var/db/swupd/"
swupdate:hostServiceState = "RUNNING"
swupdate:autoMirror = no
swupdate:numOfEnabledPkg = 0
swupdate:servicePortsAreRestricted = "NO"
swupdate:numOfMirroredPkg = 0
swupdate:autoMirrorOnlyNew = no
swupdate:startTime = 2012-08-04 17:04:45 +0000
swupdate:autoEnable = no

There are also a number of options available using the serveradmin settings that aren’t exposed to the Server app. These include a feature I used to use a lot in the beginning of deployments with poor bandwidth, only mirroring new updates, which is available to swupdate via the autoMirrorOnlyNew option. To configure:

sudo serveradmin settings swupdate:autoMirrorOnlyNew = yes

Also, the service can throttle bandwidth for clients. To use this option, run the following command:

sudo serveradmin settings swupdate:limitBandwidth = yes

And configure bandwidth using the syncBandwidth option, as follows:

sudo serveradmin settings swupdate:syncBandwidth = 10

To automatically sync updates but not enable them (as the checkboxes allow for in the Server app, use the following command:

sudo serveradmin settings swupdate:autoEnable = no

The port (by default 8088) can be managed using the portToUse option, here being used to set it to 80 (clients need this in their catalog URL from here on out):

sudo serveradmin settings swupdate:portToUse = 80

Finally, administrators can purge old packages that are no longer needed using the PurgeUnused option:

sudo serveradmin swupdate:PurgeUnused = yes

One of the biggest drawbacks of the Software Update service in OS X Mountain Lion Server in my opinion is the fact that it does not allow for serving 3rd party packages, from vendors such as Microsoft or Adobe. To provide those vendors with a manifest file and a quick little path option to add those manifest files, a nice middle ground could be found between the Mac App Store and the built in software update options in OS X. But then, we wouldn’t want to make it too easy.

Another issue many have had is that users need administrative passwords to run updates and don’t have them (technically this isn’t a problem with the OS X Server part of the stack, but it’s related). While many options have come up for this, one is to just run the softwareupdate command for clients via ARD or a similar tool.

Many environments have used these issues to look at tools such as reposado or third party patch management tools such as JAMF Software’s the Casper Suite (JAMF also makes a reposado-based VM that mimics the swupdate options), FileWave, Absolute Manage and others. Overall, the update service in Mountain Lion is easily configured, easily managed and easily deployed to clients. It is what it needs to be for a large percentage of OS X Mountain Lion (10.8) Server administrators. This makes it a very viable option and if you’ve already got a Mountain Lion computer sitting around with clients not yet using a centralized update server, well worth enabling.

Note: Managing multiple Software Update Servers has changed in OS X Mountain Lion Server, see my previous post for more information on these changes.

cloud Mac OS X Mac Security Mass Deployment

Removing DigiNotar Trust in OS X

DigiNotar got hacked awhile back. And more and more issues seem to continue to surface as a result (most notably spoofing Google). Read this article for more info on it, but I’m not gonna’ rehash it all right now. Instead, let’s correct it. To do so, we’ll use the security command. Then we’ll use the delete-certificate option along with the -Z operator, which allows inputing (or outputting when installing certificates) a SHA1 has of a certificate. Root Certificates (those that appear under the System Roots section of the Keychain Access application) are all located in the /System/Library/Keychains/SystemRootCertificates.keychain keychain and so we’ll specify that as well:

sudo security delete-certificate -Z C060ED44CBD881BD0EF86C0BA287DDCF8167478C "/System/Library/Keychains/SystemRootCertificates.keychain"

And that’s it, push out the security command through ARD or a policy and you’re untrusting DigiNotar. To verify removal, use the find-certificate option and either attempt to find via the SHA1 hash (-Z again) or use the email address as follows:

security find-certificate -e info@diginotar.nl "/System/Library/Keychains/SystemRootCertificates.keychain"

Keep in mind that the certificate can always be re-added to the SystemRootCertificates.keychain when they get all their little issues sorted out.

Mac OS X Mac OS X Server Mac Security Mass Deployment

The Mac OS X App Store & Managed Environments

The Mac OS X App Store was released earlier this month as a part of the Mac OS X 10.6.6 update. The App Store, with over 1,000 applications (including a couple of server tools), allowing people to download and install applications on Mac OS X computers without needing to understand how to click through the screens of a standard package installer, drag applications from disk images into the /Applications folder or basically how to do practically anything except for click and provide a valid credit card number. As with the App Store that debuted with the iPhone, the App Store for Mac OS X is clearly aimed at residential customers, but being that these computers are used in enterprises around the world, the impact to managed environments cannot be discounted. I decided to do plenty of testing and reading before I wrote this up, so hopefully you’ll find it helpful, if not very timely.

The first and probably most important aspect of the App Store to most who are charged with managing large numbers of Mac OS X computers is that only administrative users can install software from the App Store. This little fact makes the App Store itself a non-issue for most enterprises, who do not make typical users administrative users. Because only administrative accounts can download and install applications, there is little risk created from leaving the App Store on client computers.

Applications installed from the App Store can only be deployed into the /Applications directory. These applications are owned by System, with read-only access given to the wheel group and everyone else. No ACLs are used, so while a single user purchases the software any user on the system can open it. If you copy the software to another computer then you will be prompted to authorize it using the same Apple ID that was used to purchase it.

When an administrative user purchases an application, they are not prompted for a system password, only an App Store password, which uses the same Apple ID used for the iTunes Store and the iOS App Store. Application updates are handled using the familiar Updates screen borrowed from the iOS App Store, which includes the nifty Update All option.

As far as controlling the user’s experience with the App Store, there are a few options. Administrators can remove the App Store application bundle (which can be replaced any time) from /Applications. Administrators can also black list the application using managed preferences/parental controls. A Dock item is added by default and can be removed as well. Removing both the Dock item and the Application bundle will then remove the App Store menu item from the Apple menu. You can also block the hosts at apple.com, which includes itunes.apple.com, ax.itunes.apple.com, ax.init.itunes.apple.com, albert.apple.com, metrics.sky.com and possibly gs.apple.com. These will communicate over ports 80 and 443, according to the operation being used. There is also a launch daemon at /System/Library/LaunchAgents/com.apple.storeagent.plist that should be unloaded and likely removed if you’re going to outright disable the App Store. However, the only real way I would personally disable is using a managed preference.

There is also a property list file for the App Store that can be used to manage the application in Workgroup Manager in ~/Library/Preferences/com.apple.storeagent.plist. However, there isn’t much that can be done here at this time.

Because applications are tied to users, when a user moves computers you will want to backup and restore the applications for the user. To do so, here’s the captain obvious article for ya’: http://support.apple.com/kb/HT4482.

The App Store is not a replacement for a good patch management system. Software distribution cannot be managed centrally using the App Store and Software Update Server in Mac OS X Server does not currently cache applications from the App Store. Trying to think of a way to shoehorn the App Store into a software distribution system such as JAMF’s Casper Suite, Absolute Manage or FileWave is just asking for a world of pain, so let’s pretend that we never brought it up. If your organization isn’t able to license one of the aforementioned products, check out Star Deploy from http://www.stardeploy.com/StarDeploy/Home.html or munki from http://code.google.com/p/munki. Finally, I think that Apple’s done a great job with the App Store for a version 1 release. I think that my wife loves it and that over time if Apple chooses to do more with it then great; otherwise, all of the options we’ve been using, from the installer command on, are still at our disposal.