krypted.com

Tiny Deathstars of Foulness

Tomcat logs events into the system log. You can use the get-wmiobject commandlet to see events. Here, we’ll look at a JSS and view only system events: Get-WmiObject Win32_NTLogEvent -ComputerName $jss -Filter "LogFile='system' We can then use AND to further constrain to specific messages, in this case those containing Tomcat: Get-WmiObject Win32_NTLogEvent -ComputerName $jss -Filter "LogFile='system' AND (Message like '%Tomcat%') We can then further constrain output to those with a specific EventCode with another compound statement: Get-WmiObject Win32_NTLogEvent -ComputerName $jss -Filter "LogFile='system' AND (Message like '%Tomcat%') AND (EventCode=1024) For a comprehensive list of Windows event codes, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx. You could instead use get-eventlog to see system logs. For example, the following will list the latest 100 entries in the system log: Get-Eventlog -LogName system -Newest 1000 And the following lists the number of unique entries in descending order using Sort-Object, along with the -Property option set to count: Get-Eventlog -LogName system -Newest 1000 | Sort-Object -Property count -Descending And the following would additionally constrain the output to entries with the word Tomcat using the -Message option: Get-Eventlog -LogName system -Newest 1000 -Message "*Tomcat*" | Sort-Object -Property count -Descending And to focus on a server called jss, use the -ComputerName option: Get-Eventlog -LogName system -Newest 1000 -Message "*Tomcat*" -ComputerName "localhost" | Sort-Object -Property count -Descending

July 11th, 2017

Posted In: JAMF, Windows Server

Tags: , , , , , , ,

July 3rd, 2017

Posted In: MacAdmins Podcast

Tags: , , , , , ,

I mentioned mdmclient when I gave the talk on the inner workings of Mobile Device Management, or MDM. There, I spent a lot of time on APNs and profiles, but just kinda’ spoke about mdmclient in terms of it being the agent that runs on macOS to provide mdm parity for the Mac. The mdmclient binary is located at /usr/libexec/mdmclient and provides pretty limited access to see how the Mac reacts to and interprets information coming from a device management provider. I had been meaning to do a write-up on mdmclient and document what it can do since it first shipped. But as luck would have it, @Mosen on the Slacks beat me to the punch with a fantastic resource at https://mosen.github.io/profiledocs/troubleshooting/mdmclient.html. So here I’d like to focus on just 3 examples of using mdmclient. The first is to see what insight an MDM has to the applications installed (whether that information is actually committed to a database somewhere or not) using QueryInstalledApps: /usr/libexec/mdmclient QueryInstalledApps Here, we can see an array output of each bundle installed:
{BundleSize = 27457223; Identifier = “com.hipchat.HipChat”; Name = HipChat; ShortVersion = “3.1.6”; Version = “3.1.6”;}
Now, we can end up with duplicates, and so focus on just the unique Identifier keys, as follows: /usr/libexec/mdmclient QueryInstalledApps | grep Identifier | uniq The second iteration is to see installed profiles. The most basic of these, is to see user profiles, which can be obtained using QueryInstalledProfiles, as follows: /usr/libexec/mdmclient QueryInstalledProfiles Now, I could see using the profiles command with the -L option that I have a profile to configure office365 on my machine: profiles -L charlesedge[1] attribute: profileIdentifier: com.jamfsw.office365.a5f0e328-ea86-11e3-a26c-6476bab5f328 There are 1 user configuration profiles installed for ‘charlesedge’ So to see what that same information looks like, when queried from an MDM solution: /usr/libexec/mdmclient QueryInstalledProfiles QueryInstalledProfiles then returns:
({HasRemovalPasscode = 0; IsEncrypted = 0; PayloadContent = ( {PayloadDisplayName = “Charles Edge’s Office 365”; PayloadIdentifier = “com.jamfsw.office365.a5f0e328-ea86-11e3-a26c-6476bab5f328.exchange.a5f2ccd9-ea86-11e3-b1e0-6476bab5f328”; PayloadType = “com.apple.ews.account”; PayloadUUID = “a5f2ccd9-ea86-11e3-b1e0-6476bab5f328”; PayloadVersion = 1;}); PayloadDescription = “This will configure your Office 365 account for your Mac.”; PayloadDisplayName = “Charles Edge’s Office 365”; PayloadIdentifier = “com.jamfsw.office365.a5f0e328-ea86-11e3-a26c-6476bab5f328”; PayloadOrganization = “JAMF Software”; PayloadRemovalDisallowed = 0; PayloadUUID = “a5f0e328-ea86-11e3-a26c-6476bab5f328”; PayloadVersion = 1; SignerCertificates = ();})
You can then take action based on this type of information, allow you to either fill a database for agent-based management, or simply take action if something is missing, etc. QueryInstalledProfiles covers user profiles. To see system, you’ll need installedProfiles: /usr/libexec/mdmclient installedProfiles | grep "Profile Name" Run without the grep for a considerably more verbose amount of information. Finally, let’s look at one more piece of information, which is the hash for the iTunes Store. That’s a point I’ve made a number of times, that the iTunes account email address is never provided to an MDM, once associated to a device or user on a device. Instead, there’s a hash of the account. These are important with VPP, as it allows for reversing (according to the MDM) which users have claimed which apps, or which users are using a given app, as well as how many devices they’re accessing those from. To see a hash, as an MDM sees it: /usr/libexec/mdmclient QueryAppInstallation | grep iTunesStoreAccountHash There’s a lot more you can do here, and I’m sure we’ll see a lot more over time. However, the work from @mosen combined with the opening up of the documentation on profiles and the mdm protocol helps to shed some light on how things work under the hood, and how we can use these features to provide greater programatic management for the Mac. For example, to grab that iTuneshash from earlier, as a Jamf extension attribute you could use the following: https://github.com/krypted/ituneshash/blob/master/ituneshash.sh

April 28th, 2017

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , , , ,

November 22nd, 2016

Posted In: JAMF, MacAdmins Podcast

Tags: , , ,

There’s a new JSS companion tool, called JSS MUT, which allows you to perform mass actions based on a CSV. Basically, set fields and enforce mobile device names (becoming a very common need out there). If you’re a JSS admin, it’s a nice tool, and a big should out to Michael Levenick for making it free! 5860001_orig Official website is at http://jssmut.weebly.com. Hat tip to Trey Howell for clueing us in! 🙂

July 18th, 2016

Posted In: JAMF

Tags: , , , , ,

An hour into my first Reddit AMA with some super-excellent JAMFs!
AMA w/ Charles Edge and the Apple management experts at JAMF Software from macsysadmin

June 24th, 2016

Posted In: Apple Configurator, Articles and Books, Business, iPhone, JAMF, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: ,

When building an MDM, you look for a lot of workflows to make the lives of end users easier. One of those is Managed App Config, which is a technology from Apple that allows an MDM to inject information into an app when the app is sent to a device. Because all apps are different, it’s up to the application developer to build in support both for the feature itself, as well as for any variables they’d like to make possible for an MDM to send to an app. For example, an app might make server and username available, so that when a user opens the app, they need only provide their password. Or based on an Active Directory group, you might have a location within the app to direct a user to, a different server, or even a different schema for the username. This is the simplest example, but there are hundreds of other things I wanted to do. And app vendors were actually very open to building these features. But they all asked “OK, so what do I do.” And the last thing I wanted to tell them was to use up some cockamamie naming convention that I made up off the top of my head. So, much smarter people than I have come up with all the conventions to help standardize this otherwise chaotic awesomeness. And they’ve created a website, with IBM, JAMF, MobileIron, and AirWatch as the founding members for, and published best practices. From the site:
A community focused on providing tools and best practices around native capabilities in mobile operating systems to enable a more consistent, open and simple way to configure and secure mobile apps in order to increase mobile adoption in business. Users benefit with instant mobile productivity and a seamless out-of-the box experience, and businesses benefit with secure work-ready apps with minimal setup required while leveraging existing investments in Enterprise Mobility Management (EMM), VPN, and identity solutions. Ultimately, your apps are simpler to configure, secure and deploy.
To learn more about standardizing Managed App Config, check out the AppConfig Community Site. Screen Shot 2016-02-27 at 9.29.02 AM This goes a long way in making one of the coolest features for MDM much, much more useable. Hope you enjoy!

February 28th, 2016

Posted In: iPhone, JAMF, Mass Deployment

Tags: , , , , ,

You can leverage the API built into the Casper Suite to do lots and lots of cool stuff, without interacting directly with the database. Here, I’ll use a simple curl command in a bash script that has myuser as the username for a server and mypassword as the password. The server is myserver.jamfcloud.com. Basically, we’re going to ask the computers and mobiledevices tables for all their datas. Once we have that, we’ll constrain the output to just the size attribute for each using sed: curl -s -u myuser:mypassword https://myserver.jamfcloud.com/JSSResource/computers | sed -n -e 's/.*<size>\(.*\)<\/size>.*/\1/p' curl -s -u myuser:mypassword https://myserver.jamfcloud.com/JSSResource/mobiledevices | sed -n -e 's/.*<size>\(.*\)<\/size>.*/\1/p' This same logic can then be applied to any payload of XML data coming out of a REST API. Some API’s have different options to constrain output of a request, some don’t. But no matter whether there is or isn’t, you can loop through a bunch of statements like this. Why would you look to the API to constrain data, etc? Well, it comes down to a cost issue. Each time you run the above commands, you’re costing yourself runtime, you’re taxing the server with potentially a substantial query, and you’re potentially transferring a considerable amount of data over the wires between you and where the script is being run. So if the API is smart enough to give you less data, then you might as well do that. In this case, it isn’t, but if you apply this same sed logic in other scripts, it’s great to be cognizant of remaining as efficient as you can.

December 18th, 2015

Posted In: JAMF

Tags: , , , , , , , , ,

Enrolling iPads and iPhones into JAMF’s Casper suite can be done through Apple Configurator 2, text messages, email invitations, Apple’s Device Enrollment Program (DEP), or using links deployed to iOS devices as web clips. When doing larger deployments the enrollment process can be automated so that devices are automatically enrolled into Casper when set up using an Enrollment Profile that is manually downloaded from Casper and deployed to device. Additionally, a certificate can be needed if the certificate is not included in the profile, an option available as a checkbox in the setup. While you hopefully won’t need to download the certificate, we’ll cover that as well: Download the Enrollment Profile To download an enrollment profile from Casper MDM:
  1. Log into the web interface of the JSS.
  2. Click on the link along the top navigation bar for Mobile Devices.
  3. Click on Enrollment Profiles in the sidebar.Screen Shot 2015-12-07 at 1.47.40 PM
  4. Click on the plus sign (+).
  5. Provide a new name for the profile.Screen Shot 2015-12-07 at 1.48.07 PM
  6. Click on the User and Location Information tab.
  7. Enter any of the information you wish to have associated with this account when the profile is used to enroll a device into the JSS (not required – use this if you want your devices to have these associated, like if you use Configurator to setup departments and then associate a blueprint to each department and use an enrollment profile per blueprint).
  8. At the Enrollment Profiles screen, click on Download for the appropriate profile (for most environments there should only be one).
  9. Click on the Save button.
  10. Click on the General tab.
  11. Click on the Download button to download a .mobileconfig file that contains enrollment information.Screen Shot 2015-12-07 at 1.56.12 PM
  12. Click on the Trust Profile button to download the trust profile (a .mobileconfig with our cer).
  13. Once the profile is downloaded, it will automatically attempt to enroll the computer you are downloading it from in the Profiles System Preferences pane.Screen Shot 2015-12-07 at 1.57.25 PM
  14. Click on Cancel.
  15. Click on your downloads and you have now downloaded the two .mobileconfig files that will enroll devices into Casper. Note that if you have a cert signed by a CA you shouldn’t need the Trust Profile.
Add the Profile To Apple Configurator: To deploy the profile through Apple Configurator:
  1. Open Apple Configurator 2 on the client computer.Screen Shot 2015-12-07 at 1.42.56 PM
  2. Click File and then click on New Blueprint.
  3. Provide a name for your Blueprint.Screen Shot 2015-12-07 at 2.16.06 PM
  4. Once the new Blueprint is created, click on it.
  5. Click on Profiles. 
  6. Click Add Profiles…Screen Shot 2015-12-07 at 2.24.08 PM
  7. Manually add the first profile by browsing to it.
  8. Drag any other profiles into the list.
  9. Apply the Blueprint to devices to see if it works.
If you then wish to unenroll, simply remove the profiles by tapping on profiles and then tapping on the Remove button. Per the MDM API, a user can elect to remove their device from management at any point unless the device is supervised (and then it’s harder but still possible to remove the device from management), so expect this will happen occasionally, even if only by accident.

December 10th, 2015

Posted In: Apple Configurator, iPhone, JAMF, Mass Deployment

Tags: , , , , ,

In case anyone missed this fact: I love to write. The nerdier the content, the better. And when I heard that the JAMF Nation User Conference had a session for InfoSec (and specifically around how we do vulnerability assessments), I knew that was my kind of session. So, the marketing team was kind enough to let me write it up. Here it is on the JAMF Software blog: http://www.jamfsoftware.com/blog/jamf-software-security-and-vulnerability-assessments/. Screen Shot 2015-10-13 at 5.29.22 PM

October 13th, 2015

Posted In: JAMF

Tags: , ,

Next Page »