Stoked that we got to interview Michael Lynn (@mikeymikey) for the MacAdmins podcast. It turned out to be a great episode on the future of Mac management and MDM. I’m glad we were able to have him join in! Pepijn and Marcus did a great job as well, so all round, a great episode. Hope you enjoy!
Or find it on the Podcast site at http://podcast.macadmins.org/2016/10/24/episode-13-mdm-me-maybe/
krypted October 24th, 2016
Automating OS installations is going to eventually be about as easy on macOS as it is in iOS (er, if you have MDM that is). But in the meantime, it’s getting a bit more challenging. The obvious way Apple would prefer this to happen these days is via the startosinstall command that first shipped with El Capitan and with brtool getting moved around all the time, and becoming less of a thing, there’s one quick and easy thing you can do:
sudo "/Applications/Install macOS Sierra.app/Contents/Resources/startosinstall" --applicationpath "/Applications/Install macOS Sierra.app" --agreetolicense --nointeraction --volume /Volumes/Macintosh\ HD
In the above command, we’ve dropped “Install macOS Sierra.app” on a machine. While you’d guess that it would find the application path based on its own surname, we went ahead and supplied it as that seems to basically be a thing. Basically, –agreetolicense keeps us from having to run some expect scripts to accept a license agreement, –nointeraction suppresses as many of the screens as possible, and –volume allows us to install to any volume we’d like. This isn’t fully automated, but I have been able to layer in some more logic to quit apps before the script fires and then expect out other items from the script to automate a restart, watching for osinstallersetupd as a key.
This is all a bit bulkier than just using something like createOSXinstallPkg but it’s important to mention that there are a number of system components that are allowed for in SIP that use osinstallersetupd and so this blessed mechanism is likely the future until you can trigger an OS upgrade (and update I suppose) using an MDM command.
krypted October 23rd, 2016
The JSS has the ability to upload multiple .vpptokens, and using those, you can upload separate tokens for sites and then provide App Store apps to different sites based on each having some autonomy by having their own token. This is a pretty cool feature. And using the GUI, you can see when each token expires. You can also see a list of tokens using the API. To see a full list of all the tokens, we’ll just use a basic curl command here:
curl -s -u myuser:mypassword https://kryptedjamf.jamfcloud.com/JSSResource/vppaccounts
This provides an array of output that has the number of tokens in <size> and the id of each along with their name in <id> and <name> respectively, as follows
<?xml version="1.0" encoding="UTF-8"?><vpp_accounts><size>2</size><vpp_account><id>2</id><name>test</name></vpp_account><vpp_account><id>3</id><name>test2</name></vpp_account></vpp_accounts>
Once you know the id of a token, you can pull a bunch of information about that token using the following command:
curl -s -u myuser:mypassword https://kryptedjamf.jamfcloud.com/JSSResource/vppaccounts/id/2
The output would be as follows, with the expiration_date indicated:
<?xml version="1.0" encoding="UTF-8"?><vpp_account><id>2</id><name>test</name><contact/><service_token>xxxxxxxxxxyyyyyyyyyyyzzzzzzzzzaaaaaaaabbbbbbbbbbccccccc</service_token><account_name>krypted</account_name><expiration_date>2017/06/30</expiration_date><country>US</country><apple_id/><site><id>-1</id><name>None</name></site><populate_catalog_from_vpp_content>true</populate_catalog_from_vpp_content><notify_disassociation>true</notify_disassociation></vpp_account>
Or to limit the output to just the expiration date of the token, we’ll use sed to constrain:
curl -s -u myuser:mypassword https://kryptedjamf.jamfcloud.com/JSSResource/vppaccounts/id/2 | sed -n -e 's/.*<expiration_date>\(.*\)<\/expiration_date>.*/\1/p'
The output should just be a standard date, as follows:
You can then loop through the output of the vppaccounts, build an IFS array, and display the dates for each, listing sites that are about to expire. For anyone that has a lot of sites with individual tokens, this might come in handy. Enjoy.
Hat tip: I thought I’d have to do this using a database query, but it turns out that the field where the stoken is stored contains encrypted data different than the initially encoded base64, which I showed how to decrypt at What’s Really In A VPP Token File from Apple’s VPP?. This is to keep that data private. Instead, hat tip to Christian Dooley, who figured out that this is actually available in the API instead, and therefore I didn’t have to hit the database directly to write this article.
krypted June 30th, 2016
Posted In: JAMF
I’ve worked with a lot of organizations switching between Mobile Device Management (MDM) solutions in my career. And I’ve seen the migration projects go both really, really well, and really, really poorly. In most cases, the migration is somewhat painful no matter what you do. But in this (my first) article on the JAMF blog, I try and organize my thoughts around a few things to look out for when migrating between MDMs/MAMs, and some context/experience around those.
krypted June 23rd, 2016
I’m a bit late in posting this, but better late than never! In this episode, we interview the venerable Arek Dreyer about his upcoming book, and learn a little of his origin story! More on that in issues to come I’m sure!
krypted June 15th, 2016
When building an MDM, you look for a lot of workflows to make the lives of end users easier. One of those is Managed App Config, which is a technology from Apple that allows an MDM to inject information into an app when the app is sent to a device. Because all apps are different, it’s up to the application developer to build in support both for the feature itself, as well as for any variables they’d like to make possible for an MDM to send to an app. For example, an app might make server and username available, so that when a user opens the app, they need only provide their password. Or based on an Active Directory group, you might have a location within the app to direct a user to, a different server, or even a different schema for the username.
This is the simplest example, but there are hundreds of other things I wanted to do. And app vendors were actually very open to building these features. But they all asked “OK, so what do I do.” And the last thing I wanted to tell them was to use up some cockamamie naming convention that I made up off the top of my head. So, much smarter people than I have come up with all the conventions to help standardize this otherwise chaotic awesomeness. And they’ve created a website, with IBM, JAMF, MobileIron, and AirWatch as the founding members for, and published best practices. From the site:
A community focused on providing tools and best practices around native capabilities in mobile operating systems to enable a more consistent, open and simple way to configure and secure mobile apps in order to increase mobile adoption in business. Users benefit with instant mobile productivity and a seamless out-of-the box experience, and businesses benefit with secure work-ready apps with minimal setup required while leveraging existing investments in Enterprise Mobility Management (EMM), VPN, and identity solutions. Ultimately, your apps are simpler to configure, secure and deploy.
To learn more about standardizing Managed App Config, check out the AppConfig Community Site.
This goes a long way in making one of the coolest features for MDM much, much more useable. Hope you enjoy!
krypted February 28th, 2016
There are a lot of payloads that MDM and profiles can manage in iOS. Restrictions are probably the one I get the most questions about. And most are pretty self-explanatory. Sooooo, rather than open Profile Manager every time I need to see the list, here it is:
krypted February 5th, 2016
Posted In: iPhone
Bushel shipping a new feature this week call Blueprints. Blueprints are similar to groups, and allow you to assign different options in Bushel to different devices that have a blueprint assigned to them. This also allows you to define one device per blueprint and therefore have different options for different computers. Pretty cool on a few different fronts. And it provides a lot of flexibility for some really, really cool new features we’ve planned for the product.
For more on this great new feature, check out this great article from the new Bushel Product Manager, Michael Devins.
krypted December 10th, 2015
Apple Configurator 2 is a great new evolution in iOS initial and configuration management. And there are lots of great options. And to help you wrap your head around all this new fun stuff, I’ve written up a quick and dirty guide for using Apple Configurator 2.
It’s not completely done, but it will be shortly. Hope this help someone. Enjoy!
krypted November 14th, 2015
The new iPad Pro is pretty much the most ridiculously luxurious device I’ve seen in a long, long time. It’s huge. There are still many of the same limitations as on an iPad. The lack of browser plug-ins keeps us from accessing certain types of content. There isn’t access to the Finder as with OS X. But the screen is ridiculously massive and provides a whole new way to view data. It’s a beautiful, marvelous piece of technology. When we were looking at Bushel and the blog on on it, we suddenly found the top and bottom bars of Safari to be just a bit too much lost screen real estate. And it made me think of yet another benefit of Web Clips: getting more screen real estate.
krypted November 13th, 2015