When building an MDM, you look for a lot of workflows to make the lives of end users easier. One of those is Managed App Config, which is a technology from Apple that allows an MDM to inject information into an app when the app is sent to a device. Because all apps are different, it’s up to the application developer to build in support both for the feature itself, as well as for any variables they’d like to make possible for an MDM to send to an app. For example, an app might make server and username available, so that when a user opens the app, they need only provide their password. Or based on an Active Directory group, you might have a location within the app to direct a user to, a different server, or even a different schema for the username.
This is the simplest example, but there are hundreds of other things I wanted to do. And app vendors were actually very open to building these features. But they all asked “OK, so what do I do.” And the last thing I wanted to tell them was to use up some cockamamie naming convention that I made up off the top of my head. So, much smarter people than I have come up with all the conventions to help standardize this otherwise chaotic awesomeness. And they’ve created a website, with IBM, JAMF, MobileIron, and AirWatch as the founding members for, and published best practices. From the site:
A community focused on providing tools and best practices around native capabilities in mobile operating systems to enable a more consistent, open and simple way to configure and secure mobile apps in order to increase mobile adoption in business. Users benefit with instant mobile productivity and a seamless out-of-the box experience, and businesses benefit with secure work-ready apps with minimal setup required while leveraging existing investments in Enterprise Mobility Management (EMM), VPN, and identity solutions. Ultimately, your apps are simpler to configure, secure and deploy.
To learn more about standardizing Managed App Config, check out the AppConfig Community Site.
This goes a long way in making one of the coolest features for MDM much, much more useable. Hope you enjoy!
krypted February 28th, 2016
You can leverage the API built into the Casper Suite to do lots and lots of cool stuff, without interacting directly with the database. Here, I’ll use a simple curl command in a bash script that has myuser as the username for a server and mypassword as the password. The server is myserver.jamfcloud.com. Basically, we’re going to ask the computers and mobiledevices tables for all their datas. Once we have that, we’ll constrain the output to just the size attribute for each using sed:
curl -s -u myuser:mypassword https://myserver.jamfcloud.com/JSSResource/computers | sed -n -e 's/.*<size>\(.*\)<\/size>.*/\1/p'
curl -s -u myuser:mypassword https://myserver.jamfcloud.com/JSSResource/mobiledevices | sed -n -e 's/.*<size>\(.*\)<\/size>.*/\1/p'
This same logic can then be applied to any payload of XML data coming out of a REST API. Some API’s have different options to constrain output of a request, some don’t. But no matter whether there is or isn’t, you can loop through a bunch of statements like this. Why would you look to the API to constrain data, etc? Well, it comes down to a cost issue. Each time you run the above commands, you’re costing yourself runtime, you’re taxing the server with potentially a substantial query, and you’re potentially transferring a considerable amount of data over the wires between you and where the script is being run. So if the API is smart enough to give you less data, then you might as well do that. In this case, it isn’t, but if you apply this same sed logic in other scripts, it’s great to be cognizant of remaining as efficient as you can.
krypted December 18th, 2015
Posted In: JAMF
Enrolling iPads and iPhones into JAMF’s Casper suite can be done through Apple Configurator 2, text messages, email invitations, Apple’s Device Enrollment Program (DEP), or using links deployed to iOS devices as web clips. When doing larger deployments the enrollment process can be automated so that devices are automatically enrolled into Casper when set up using an Enrollment Profile that is manually downloaded from Casper and deployed to device. Additionally, a certificate can be needed if the certificate is not included in the profile, an option available as a checkbox in the setup. While you hopefully won’t need to download the certificate, we’ll cover that as well:
Download the Enrollment Profile
To download an enrollment profile from Casper MDM:
Add the Profile To Apple Configurator:
To deploy the profile through Apple Configurator:
If you then wish to unenroll, simply remove the profiles by tapping on profiles and then tapping on the Remove button. Per the MDM API, a user can elect to remove their device from management at any point unless the device is supervised (and then it’s harder but still possible to remove the device from management), so expect this will happen occasionally, even if only by accident.
krypted December 10th, 2015
In case anyone missed this fact: I love to write. The nerdier the content, the better. And when I heard that the JAMF Nation User Conference had a session for InfoSec (and specifically around how we do vulnerability assessments), I knew that was my kind of session. So, the marketing team was kind enough to let me write it up. Here it is on the JAMF Software blog: http://www.jamfsoftware.com/blog/jamf-software-security-and-vulnerability-assessments/.
krypted October 13th, 2015
Posted In: JAMF
Bushel gives you three devices for free. But you can get more free devices if you like the product and choose to share it with your friends and family. To do so is pretty straight forward. Simply click on the Accounts icon in the sidebar and then click on the Profile tab. Here, towards the bottom of the screen, you’ll see the Referrals section.
krypted October 13th, 2015
The JAMF Nation User Conference (JNUC) is coming, from October 13th to 15th in Minneapolis, Minnesota. The JNUC always makes me think of all kinds of nerdy things to do. And Minneapolis is totally full of nerd culture events. So here’s some to consider (not including the Lync, Sharepoint and other not-very-mac-esque events):
There are more mini-events being added on the JNUC Mini-Event page on JAMF Nation all the time. Check that out at the Mini-Event page on JAMF Nation. There are lots of spots around town to host meetups and the such, if you’re after that. I posted a lot of breweries here (and a pedal pub if you’re feeling like getting serious about it all), but keep in mind if you’re looking for less alcohol and more quiet/professional stuffs, there’s a pretty deep set of Mac shops in the Twin Cities with spaces that might loan you some room, such as Code42.
And if you’re into Maker Spaces and the such, check out:
krypted September 4th, 2015
Posted In: JAMF
As the largest Apple IT gathering in the world rapidly approaches, we want to give you an early glimpse into the great presentations at the JAMF Nation User Conference (JNUC).
We are excited to announce that we’ve added the first ten JNUC sessions to our site. With sessions for education and commercial organizations, you’re sure to find presentations to meet your needs. Highlights include best practices for preparing Macs for online testing, ways to bring Apple’s Volume Purchase Program (VPP) and Device Enrollment Program (DEP) to life in your environment, and methods for mitigating and addressing Mac security threats.
Haven’t registered yet? There’s still time, but hurry. We’re nearing our capacity.
krypted August 26th, 2015
Posted In: Mac OS X
When you enroll devices into Bushel, you’ll be prompted for a name and email address. We use these two fields to setup the mail profile for users and display who has that device. You can see who a device is assigned to by clicking on the device in Bushel and checking out the Assigned To card, shown here.
krypted June 11th, 2015
The jamf binary comes with a lot of cool little features that you can use to script things quickly, because JAMF has already built things to help you. We’ll look at two really quick. The first is the deleteAccount verb which, surprisingly, deletes accounts. With that verb, you’ll use the -username operator to define a given user that you’d like to remove. That username is defined as the short name (or what dscl shows) of a given user. For example, if I wanted to remove the user rorygilmore, I’d run the following command:
/usr/sbin/jamf deleteAccount -username rorygilmore
You can then provide a popup on the screen that you completed that action:
/usr/sbin/jamf displayMessage -message “rorygilmore has been deleted"
You can then add a new user, using the createAccount verb. To do so, run the jamf binary using the createAccount verb. This verb provides for a number of options, including a short name (-username), a full name (-realname), a password (-password), a home directory (-home) and a default shell (-shell). If you want the user to be an admin of the system you can also add an -admin option. Below, we’ll string it all together:
/usr/sbin/jamf createAccount -username lorelaigilmore -realname "Lorelai Gilmore" -password lukedanes -home /Users/lorelai -shell bash -admin
When I do this stuff I like to run a quick recon again:
If you have any questions, you can use the help verb to see what all this thing can do:
And if you need more information on a given verb, run the help verb followed by the one you need more information on:
/usr/sbin/jamf help policy
krypted October 6th, 2014
I was super-bummed that I missed the MacAdmins conference at Penn State University. But, all is not lost as MacAdmins will be held July 8-10 in 2015 at the Penn Stater Conference Center and I’ll be able to see all those awesome people there next year!
In the meantime, something fun and new is the 2014 MacAdmins Playlist to maybe get exposed to some new stuff: http://spoti.fi/VTdxLX.
As an aside, here’s a fun pic of @derflounder and I (and others) doing a round table from a few years ago on the Penn State site:
krypted July 15th, 2014