Tiny Deathstars of Foulness

Stoked that we got to interview Michael Lynn (@mikeymikey) for the MacAdmins podcast. It turned out to be a great episode on the future of Mac management and MDM. I’m glad we were able to have him join in! Pepijn and Marcus did a great job as well, so all round, a great episode. Hope you enjoy!

Or find it on the Podcast site at

October 24th, 2016

Posted In: Mac OS X, Mac OS X Server, Mac Security, MacAdmins Podcast

Tags: , , , , , ,

Leave a Comment

Automating OS installations is going to eventually be about as easy on macOS as it is in iOS (er, if you have MDM that is). But in the meantime, it’s getting a bit more challenging. The obvious way Apple would prefer this to happen these days is via the startosinstall command that first shipped with El Capitan and with brtool getting moved around all the time, and becoming less of a thing, there’s one quick and easy thing you can do:

sudo "/Applications/Install macOS" --applicationpath "/Applications/Install macOS" --agreetolicense --nointeraction --volume /Volumes/Macintosh\ HD

In the above command, we’ve dropped “Install macOS” on a machine. While you’d guess that it would find the application path based on its own surname, we went ahead and supplied it as that seems to basically be a thing. Basically, –agreetolicense keeps us from having to run some expect scripts to accept a license agreement, –nointeraction suppresses as many of the screens as possible, and –volume allows us to install to any volume we’d like. This isn’t fully automated, but I have been able to layer in some more logic to quit apps before the script fires and then expect out other items from the script to automate a restart, watching for osinstallersetupd as a key.

This is all a bit bulkier than just using something like createOSXinstallPkg but it’s important to mention that there are a number of system components that are allowed for in SIP that use osinstallersetupd and so this blessed mechanism is likely the future until you can trigger an OS upgrade (and update I suppose) using an MDM command.

October 23rd, 2016

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , , , ,

Leave a Comment

The JSS has the ability to upload multiple .vpptokens, and using those, you can upload separate tokens for sites and then provide App Store apps to different sites based on each having some autonomy by having their own token. This is a pretty cool feature. And using the GUI, you can see when each token expires. You can also see a list of tokens using the API. To see a full list of all the tokens, we’ll just use a basic curl command here:

curl -s -u myuser:mypassword

This provides an array of output that has the number of tokens in <size> and the id of each along with their name in <id> and <name> respectively, as follows

<?xml version="1.0" encoding="UTF-8"?><vpp_accounts><size>2</size><vpp_account><id>2</id><name>test</name></vpp_account><vpp_account><id>3</id><name>test2</name></vpp_account></vpp_accounts>

Once you know the id of a token, you can pull a bunch of information about that token using the following command:

curl -s -u myuser:mypassword

The output would be as follows, with the expiration_date indicated:

<?xml version="1.0" encoding="UTF-8"?><vpp_account><id>2</id><name>test</name><contact/><service_token>xxxxxxxxxxyyyyyyyyyyyzzzzzzzzzaaaaaaaabbbbbbbbbbccccccc</service_token><account_name>krypted</account_name><expiration_date>2017/06/30</expiration_date><country>US</country><apple_id/><site><id>-1</id><name>None</name></site><populate_catalog_from_vpp_content>true</populate_catalog_from_vpp_content><notify_disassociation>true</notify_disassociation></vpp_account>

Or to limit the output to just the expiration date of the token, we’ll use sed to constrain:

curl -s -u myuser:mypassword | sed -n -e 's/.*<expiration_date>\(.*\)<\/expiration_date>.*/\1/p'

The output should just be a standard date, as follows:


You can then loop through the output of the vppaccounts, build an IFS array, and display the dates for each, listing sites that are about to expire. For anyone that has a lot of sites with individual tokens, this might come in handy. Enjoy.

Hat tip: I thought I’d have to do this using a database query, but it turns out that the field where the stoken  is stored contains encrypted data different than the initially encoded base64, which I showed how to decrypt at What’s Really In A VPP Token File from Apple’s VPP?. This is to keep that data private. Instead, hat tip to Christian Dooley, who figured out that this is actually available in the API instead, and therefore I didn’t have to hit the database directly to write this article.

June 30th, 2016

Posted In: JAMF

Tags: , , , , , ,

I’ve worked with a lot of organizations switching between Mobile Device Management (MDM) solutions in my career. And I’ve seen the migration projects go both really, really well, and really, really poorly. In most cases, the migration is somewhat painful no matter what you do. But in this (my first) article on the JAMF blog, I try and organize my thoughts around a few things to look out for when migrating between MDMs/MAMs, and some context/experience around those.

Screen Shot 2016-06-23 at 11.45.32 AM

June 23rd, 2016

Posted In: Articles and Books, iPhone, JAMF, Mac OS X

Tags: , , , , , ,

I’m a bit late in posting this, but better late than never! In this episode, we interview the venerable Arek Dreyer about his upcoming book, and learn a little of his origin story! More on that in issues to come I’m sure!

June 15th, 2016

Posted In: Mac OS X, Mac OS X Server

Tags: , , , ,

When building an MDM, you look for a lot of workflows to make the lives of end users easier. One of those is Managed App Config, which is a technology from Apple that allows an MDM to inject information into an app when the app is sent to a device. Because all apps are different, it’s up to the application developer to build in support both for the feature itself, as well as for any variables they’d like to make possible for an MDM to send to an app. For example, an app might make server and username available, so that when a user opens the app, they need only provide their password. Or based on an Active Directory group, you might have a location within the app to direct a user to, a different server, or even a different schema for the username.

This is the simplest example, but there are hundreds of other things I wanted to do. And app vendors were actually very open to building these features. But they all asked “OK, so what do I do.” And the last thing I wanted to tell them was to use up some cockamamie naming convention that I made up off the top of my head. So, much smarter people than I have come up with all the conventions to help standardize this otherwise chaotic awesomeness. And they’ve created a website, with IBM, JAMF, MobileIron, and AirWatch as the founding members for, and published best practices. From the site:

A community focused on providing tools and best practices around native capabilities in mobile operating systems to enable a more consistent, open and simple way to configure and secure mobile apps in order to increase mobile adoption in business. Users benefit with instant mobile productivity and a seamless out-of-the box experience, and businesses benefit with secure work-ready apps with minimal setup required while leveraging existing investments in Enterprise Mobility Management (EMM), VPN, and identity solutions. Ultimately, your apps are simpler to configure, secure and deploy.

To learn more about standardizing Managed App Config, check out the AppConfig Community Site.

Screen Shot 2016-02-27 at 9.29.02 AM

This goes a long way in making one of the coolest features for MDM much, much more useable. Hope you enjoy!

February 28th, 2016

Posted In: iPhone, JAMF, Mass Deployment

Tags: , , , , ,

There are a lot of payloads that MDM and profiles can manage in iOS. Restrictions are probably the one I get the most questions about. And most are pretty self-explanatory. Sooooo, rather than open Profile Manager every time I need to see the list, here it is:

  • Allow use of Camera
  • Allow FaceTime
  • Allow screenshots and screen recording
  • Allow AirDrop (supervised only)
  • Allow iMessage (supervised only)
  • Allow voice dialing while device is locked
  • Allow Siri
  • Allow Siri while device is locked
  • Enable Siri profanity filter (supervised only)
  • Allow user-generated content in Siri (supervised only)
  • Allow iBooks Store (supervised only)
  • Allow installing apps using Apple Configurator and iTunes
  • Allow installing apps using App Store (supervised only)
  • Allow automatic app downloads (supervised only)
  • Allow removing apps (supervised only)
  • Allow in-app purchase
  • Require iTunes Store password for all purchases
  • Allow iCloud backup
  • Allow iCloud documents & data
  • Allow iCloud Keychain
  • Allow managed apps to store data in iCloud
  • Allow backup of enterprise books
  • Allow notes and highlights sync for enterprise books
  • Allow iCloud Photo Sharing
  • Allow My Photo Stream (disallowing can cause data loss)
  • Allow automatic sync while roaming
  • Force encrypted backups
  • Force limited ad tracking
  • Allow Erase All Content and Settings (supervised only)
  • Allow users to accept untrusted TLS certificates
  • Allow automatic updates to certificate trust settings
  • Allow trusting new enterprise app authors
  • Allow installing configuration profiles (supervised only)
  • Allow modifying account settings (supervised only)
  • Allow modifying device name (supervised only)
  • Allow modifying Find My Friends settings (supervised only)
  • Allow modifying passcode (supervised only)
  • Allow modifying Touch ID fingerprints (supervised only)
  • Allow modifying restrictions (supervised only)
  • Allow modifying Wallpaper (supervised only)
  • Allow pairing with non-Configurator hosts (supervised only)
  • Allow documents from managed sources in unmanaged destinations
  • Allow documents from unmanaged sources in managed destinations
  • Treat AirDrop as unmanaged destination
  • Allow Handoff
  • Allow Spotlight Suggestions
  • Allow Touch ID to unlock device
  • Force Apple Watch wrist detection
  • Allow pairing with Apple Watch (supervised only)
  • Require passcode on first AirPlay pairing
  • Allow predictive keyboard (supervised only)
  • Allow keyboard shortcuts
  • Allow auto correction (supervised only)
  • Allow spell check (supervised only)
  • Allow Define (supervised only)
  • Allow Wallet notifications in Lock screen
  • Show Control Center in Lock screen
  • Show Today view in Lock screen

February 5th, 2016

Posted In: iPhone

Tags: , , , , ,

Bushel shipping a new feature this week call Blueprints. Blueprints are similar to groups, and allow you to assign different options in Bushel to different devices that have a blueprint assigned to them. This also allows you to define one device per blueprint and therefore have different options for different computers. Pretty cool on a few different fronts. And it provides a lot of flexibility for some really, really cool new features we’ve planned for the product.


For more on this great new feature, check out this great article from the new Bushel Product Manager, Michael Devins.

December 10th, 2015

Posted In: Bushel, iPhone

Tags: , , ,

Apple Configurator 2 is a great new evolution in iOS initial and configuration management. And there are lots of great options. And to help you wrap your head around all this new fun stuff, I’ve written up a quick and dirty guide for using Apple Configurator 2.

Screen Shot 2015-11-04 at 10.02.03 PM

It’s not completely done, but it will be shortly. Hope this help someone. Enjoy!

November 14th, 2015

Posted In: Apple Configurator, iPhone, Mass Deployment

Tags: , , , , , , , , , , , ,

The new iPad Pro is pretty much the most ridiculously luxurious device I’ve seen in a long, long time. It’s huge. There are still many of the same limitations as on an iPad. The lack of browser plug-ins keeps us from accessing certain types of content. There isn’t access to the Finder as with OS X. But the screen is ridiculously massive and provides a whole new way to view data. It’s a beautiful, marvelous piece of technology. When we were looking at Bushel and the blog on on it, we suddenly found the top and bottom bars of Safari to be just a bit too much lost screen real estate. And it made me think of yet another benefit of Web Clips: getting more screen real estate.

Click Here To Read More On Web Clips And iOS on the Bushel Blog

November 13th, 2015

Posted In: Bushel, iPhone

Tags: , , ,

Next Page »