An hour into my first Reddit AMA with some super-excellent JAMFs!
AMA w/ Charles Edge and the Apple management experts at JAMF Software from macsysadmin
krypted June 24th, 2016
Posted In: Apple Configurator, Articles and Books, Business, iPhone, JAMF, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment
JAMF, reddit AMA
When building an MDM, you look for a lot of workflows to make the lives of end users easier. One of those is Managed App Config, which is a technology from Apple that allows an MDM to inject information into an app when the app is sent to a device. Because all apps are different, it’s up to the application developer to build in support both for the feature itself, as well as for any variables they’d like to make possible for an MDM to send to an app. For example, an app might make server and username available, so that when a user opens the app, they need only provide their password. Or based on an Active Directory group, you might have a location within the app to direct a user to, a different server, or even a different schema for the username.
This is the simplest example, but there are hundreds of other things I wanted to do. And app vendors were actually very open to building these features. But they all asked “OK, so what do I do?” And the last thing I wanted to tell them was to use some cockamamie naming convention that I made up off the top of my head. So, much smarter people than I have come up with all the conventions to help standardize this otherwise chaotic awesomeness. And they’ve created a website, with IBM, JAMF, MobileIron, and AirWatch as the founding members, and published best practices. From the site:
A community focused on providing tools and best practices around native capabilities in mobile operating systems to enable a more consistent, open and simple way to configure and secure mobile apps in order to increase mobile adoption in business. Users benefit with instant mobile productivity and a seamless out-of-the box experience, and businesses benefit with secure work-ready apps with minimal setup required while leveraging existing investments in Enterprise Mobility Management (EMM), VPN, and identity solutions. Ultimately, your apps are simpler to configure, secure and deploy.
To learn more about standardizing Managed App Config, check out the AppConfig Community Site.
This goes a long way in making one of the coolest features for MDM much, much more useable. Hope you enjoy!
krypted February 28th, 2016
Posted In: iPhone, JAMF, Mass Deployment
appconfig community, JAMF, managed app config, mdm, standardization, standards
You can leverage the API built into the Casper Suite to do lots and lots of cool stuff, without interacting directly with the database. Here, I’ll use a simple curl command in a bash script that has myuser as the username for a server and mypassword as the password. The server is myserver.jamfcloud.com. Basically, we’re going to ask the computers and mobiledevices tables for all their datas. Once we have that, we’ll constrain the output to just the size attribute for each using sed:
curl -s -u myuser:mypassword https://myserver.jamfcloud.com/JSSResource/computers | sed -n -e 's/.*<size>\(.*\)<\/size>.*/\1/p'
curl -s -u myuser:mypassword https://myserver.jamfcloud.com/JSSResource/mobiledevices | sed -n -e 's/.*<size>\(.*\)<\/size>.*/\1/p'
This same logic can then be applied to any payload of XML data coming out of a REST API. Some APIs have different options to constrain the output of a request, some don’t. But no matter whether there is or isn’t, you can loop through a bunch of statements like this. Why would you look to the API to constrain data, etc? Well, it comes down to a cost issue. Each time you run the above commands, you’re costing yourself runtime, you’re taxing the server with potentially a substantial query, and you’re potentially transferring a considerable amount of data over the wires between you and where the script is being run. So if the API is smart enough to give you less data, then you might as well do that. In this case, it isn’t, but if you apply this same sed logic in other scripts, it’s great to be cognizant of remaining as efficient as you can.
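The loop described above, as an added example that is not code from the original post. It goes a little further than the two one-liners: the extraction works for any element name, including several matches in single-line XML, and the password is fed to curl on stdin rather than on the command line. JSS_URL, JSS_USER and JSS_PASS are assumed variable names, and the sample XML is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). JSS_URL, JSS_USER and JSS_PASS
# are assumed environment variable names; the XML below is constructed.

# Print the text of every <tag>...</tag> element found on stdin.
# Splitting on '<' first means single-line XML with many elements works,
# where a greedy .*<tag> pattern would only return the last match.
xml_values() {
  tr '<' '\n' | sed -n "s/^$1>\(.*\)\$/\1/p"
}

# Fetch one JSSResource endpoint. The credentials go to curl on stdin
# (-K - reads a curl config file from stdin), so they are not exposed in
# the process list the way "-u user:password" arguments can be.
# Assumes the password contains no double quote or backslash.
jss_get() {
  printf 'user = "%s:%s"\n' "$JSS_USER" "$JSS_PASS" |
    curl -s -K - "$JSS_URL/JSSResource/$1"
}

# Loop over several endpoints and report the size of each.
jss_sizes() {
  for resource in "$@"; do
    printf '%s: %s\n' "$resource" "$(jss_get "$resource" | xml_values size)"
  done
}

# Constructed sample payload, shaped like a device list, for offline use.
SAMPLE_XML='<?xml version="1.0" encoding="UTF-8"?><computers><size>2</size><computer><id>1</id><name>mac-01</name></computer><computer><id>2</id><name>mac-02</name></computer></computers>'

printf '%s' "$SAMPLE_XML" | xml_values size   # device count
printf '%s' "$SAMPLE_XML" | xml_values name   # one name per line

# Against a real server (not run here):
#   JSS_URL=https://myserver.jamfcloud.com JSS_USER=myuser JSS_PASS=... \
#     jss_sizes computers mobiledevices
```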
krypted December 18th, 2015
Posted In: JAMF
Casper, casper API, constrain the output of XML output, JAMF, MAC, pull number of computers, pull number of mobile devices, query, REST, sed
Enrolling iPads and iPhones into JAMF’s Casper suite can be done through Apple Configurator 2, text messages, email invitations, Apple’s Device Enrollment Program (DEP), or using links deployed to iOS devices as web clips. When doing larger deployments the enrollment process can be automated so that devices are automatically enrolled into Casper when set up using an Enrollment Profile that is manually downloaded from Casper and deployed to the device. Additionally, a certificate can be needed if the certificate is not included in the profile, an option available as a checkbox in the setup. While you hopefully won’t need to download the certificate, we’ll cover that as well:
Download the Enrollment Profile
To download an enrollment profile from Casper MDM:
- Log into the web interface of the JSS.
- Click on the link along the top navigation bar for Mobile Devices.
- Click on Enrollment Profiles in the sidebar.
- Click on the plus sign (+).
- Provide a new name for the profile.
- Click on the User and Location Information tab.
- Enter any of the information you wish to have associated with this account when the profile is used to enroll a device into the JSS (not required – use this if you want your devices to have these associated, like if you use Configurator to set up departments and then associate a blueprint to each department and use an enrollment profile per blueprint).
- At the Enrollment Profiles screen, click on Download for the appropriate profile (for most environments there should only be one).
- Click on the Save button.
- Click on the General tab.
- Click on the Download button to download a .mobileconfig file that contains enrollment information.
- Click on the Trust Profile button to download the trust profile (a .mobileconfig with our cert).
- Once the profile is downloaded, it will automatically attempt to enroll the computer you are downloading it from in the Profiles System Preferences pane.
- Click on Cancel.
- Click on your downloads and you have now downloaded the two .mobileconfig files that will enroll devices into Casper. Note that if you have a cert signed by a CA you shouldn’t need the Trust Profile.
Add the Profile To Apple Configurator
To deploy the profile through Apple Configurator:
- Open Apple Configurator 2 on the client computer.
- Click File and then click on New Blueprint.
- Provide a name for your Blueprint.
- Once the new Blueprint is created, click on it.
- Click on Profiles.
- Click Add Profiles…
- Manually add the first profile by browsing to it.
- Drag any other profiles into the list.
- Apply the Blueprint to devices to see if it works.
If you then wish to unenroll, simply remove the profiles by tapping on profiles and then tapping on the Remove button. Per the MDM API, a user can elect to remove their device from management at any point unless the device is supervised (and then it’s harder but still possible to remove the device from management), so expect this will happen occasionally, even if only by accident.
krypted December 10th, 2015
Posted In: Apple Configurator, iPhone, JAMF, Mass Deployment
Apple Configurator, automate enrollment, Casper, ios, JAMF, profile
In case anyone missed this fact: I love to write. The nerdier the content, the better. And when I heard that the JAMF Nation User Conference had a session for InfoSec (and specifically around how we do vulnerability assessments), I knew that was my kind of session. So, the marketing team was kind enough to let me write it up. Here it is on the JAMF Software blog: http://www.jamfsoftware.com/blog/jamf-software-security-and-vulnerability-assessments/
krypted October 13th, 2015
Posted In: JAMF
JAMF, Security, Vulnerability
Bushel gives you three devices for free. But you can get more free devices if you like the product and choose to share it with your friends and family. To do so is pretty straightforward. Simply click on the Accounts icon in the sidebar and then click on the Profile tab. Here, towards the bottom of the screen, you’ll see the Referrals section.
To Read More About Inviting Your Friends To Bushel To Get More Free Devices Forever on the Bushel Blog
krypted October 13th, 2015
Posted In: Bushel, JAMF
Blog, bushel, consumerization of IT, free devices, ios, iPad, iPhone, JAMF, MAC
The JAMF Nation User Conference (JNUC) is coming, from October 13th to 15th in Minneapolis, Minnesota. The JNUC always makes me think of all kinds of nerdy things to do. And Minneapolis is totally full of nerd culture events. So here’s some to consider (not including the Lync, Sharepoint and other not-very-mac-esque events):
- October 13th
- October 14th
- October 15th
There are more mini-events being added on the JNUC Mini-Event page on JAMF Nation all the time. Check that out at the Mini-Event page on JAMF Nation. There are lots of spots around town to host meetups and the such, if you’re after that. I posted a lot of breweries here (and a pedal pub if you’re feeling like getting serious about it all), but keep in mind if you’re looking for less alcohol and more quiet/professional stuffs, there’s a pretty deep set of Mac shops in the Twin Cities with spaces that might loan you some room, such as Code42.
And if you’re into Maker Spaces and the such, check out:
krypted September 4th, 2015
Posted In: JAMF
JAMF, jnuc, MAC, MacBrained, Maker, Makerspace, Mini-Event
As the largest Apple IT gathering in the world rapidly approaches, we want to give you an early glimpse into the great presentations at the JAMF Nation User Conference (JNUC).
We are excited to announce that we’ve added the first ten JNUC sessions to our site. With sessions for education and commercial organizations, you’re sure to find presentations to meet your needs. Highlights include best practices for preparing Macs for online testing, ways to bring Apple’s Volume Purchase Program (VPP) and Device Enrollment Program (DEP) to life in your environment, and methods for mitigating and addressing Mac security threats.
Haven’t registered yet? There’s still time, but hurry. We’re nearing our capacity.
Secure your spot and start making your travel plans and accommodations before it’s too late. We hope you can make it!
krypted August 26th, 2015
Posted In: Mac OS X
conference, dep, ios, JAMF, JAMF Nation User Conference, jnuc, MAC, vpp
When you enroll devices into Bushel, you’ll be prompted for a name and email address. We use these two fields to set up the mail profile for users and display who has that device. You can see who a device is assigned to by clicking on the device in Bushel and checking out the Assigned To card, shown here.
Move Devices To New Users In Bushel
krypted June 11th, 2015
Posted In: Bushel, iPhone, JAMF, Mac OS X
Associate, bushel, JAMF, New Users
The jamf binary comes with a lot of cool little features that you can use to script things quickly, because JAMF has already built things to help you. We’ll look at two really quick. The first is the deleteAccount verb which, surprisingly, deletes accounts. With that verb, you’ll use the -username operator to define a given user that you’d like to remove. That username is defined as the short name (or what dscl shows) of a given user. For example, if I wanted to remove the user rorygilmore, I’d run the following command:
/usr/sbin/jamf deleteAccount -username rorygilmore
You can then provide a popup on the screen that you completed that action:
/usr/sbin/jamf displayMessage -message "rorygilmore has been deleted"
You can then add a new user, using the createAccount verb. To do so, run the jamf binary using the createAccount verb. This verb provides for a number of options, including a short name (-username), a full name (-realname), a password (-password), a home directory (-home) and a default shell (-shell). If you want the user to be an admin of the system you can also add an -admin option. Below, we’ll string it all together:
/usr/sbin/jamf createAccount -username lorelaigilmore -realname "Lorelai Gilmore" -password lukedanes -home /Users/lorelai -shell bash -admin
When I do this stuff I like to run a quick recon again:
If you have any questions, you can use the help verb to see what all this thing can do:
And if you need more information on a given verb, run the help verb followed by the one you need more information on:
/usr/sbin/jamf help policy
krypted October 6th, 2014
Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment
createAccount, delete users, gilmore girls, help, JAMF, jamf binary, policy, recon, script