The JSS can hold multiple .vpptoken files, so you can upload a separate token for each site and then provide App Store apps to different sites, with each site having some autonomy because it has its own token. This is a pretty cool feature. And using the GUI, you can see when each token expires. You can also see a list of tokens using the API. To see a full list of all the tokens, we’ll just use a basic curl command here:
curl -s -u myuser:mypassword https://kryptedjamf.jamfcloud.com/JSSResource/vppaccounts
This provides an array of output that has the number of tokens in <size> and the id of each along with their name in <id> and <name> respectively, as follows:
<?xml version="1.0" encoding="UTF-8"?><vpp_accounts><size>2</size><vpp_account><id>2</id><name>test</name></vpp_account><vpp_account><id>3</id><name>test2</name></vpp_account></vpp_accounts>
Once you know the id of a token, you can pull a bunch of information about that token using the following command:
curl -s -u myuser:mypassword https://kryptedjamf.jamfcloud.com/JSSResource/vppaccounts/id/2
The output would be as follows, with the expiration_date indicated:
<?xml version="1.0" encoding="UTF-8"?><vpp_account><id>2</id><name>test</name><contact/><service_token>xxxxxxxxxxyyyyyyyyyyyzzzzzzzzzaaaaaaaabbbbbbbbbbccccccc</service_token><account_name>krypted</account_name><expiration_date>2017/06/30</expiration_date><country>US</country><apple_id/><site><id>-1</id><name>None</name></site><populate_catalog_from_vpp_content>true</populate_catalog_from_vpp_content><notify_disassociation>true</notify_disassociation></vpp_account>
Or to limit the output to just the expiration date of the token, we’ll use sed to constrain it:
curl -s -u myuser:mypassword https://kryptedjamf.jamfcloud.com/JSSResource/vppaccounts/id/2 | sed -n -e 's/.*<expiration_date>\(.*\)<\/expiration_date>.*/\1/p'
The output should just be a standard date, as follows:
2017/06/30
You can then loop through the output of the vppaccounts, build an IFS array, and display the dates for each, listing sites that are about to expire. For anyone that has a lot of sites with individual tokens, this might come in handy. Enjoy.
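The loop described above, sketched as an added example (not code from the original post); it keeps credentials in a netrc file instead of `-u` and prints only id, name and date, since the raw response also carries the service_token. Assumptions: the `JSS_URL`, `JSS_NETRC` and `WARN_DAYS` variables, the netrc path, the function names, and the constructed sample responses served when `JSS_URL` is unset.

```shell
#!/bin/sh
# Added example: list VPP tokens that expire within N days (JSS API).

# Fetch one resource. With JSS_URL set, curl reads credentials from a netrc
# file (assumed path) so they never appear in the process list or history.
# With JSS_URL unset, constructed sample responses are served for offline runs.
jss_get() {
  if [ -n "${JSS_URL:-}" ]; then
    curl -s --netrc-file "${JSS_NETRC:-$HOME/.jss_netrc}" "$JSS_URL/JSSResource/$1"
    return
  fi
  case $1 in
    vppaccounts) echo '<vpp_accounts><size>2</size><vpp_account><id>2</id><name>test</name></vpp_account><vpp_account><id>3</id><name>test2</name></vpp_account></vpp_accounts>' ;;
    vppaccounts/id/2) echo '<vpp_account><id>2</id><name>test</name><service_token>CONSTRUCTED</service_token><expiration_date>2017/06/30</expiration_date><site><id>-1</id><name>None</name></site></vpp_account>' ;;
    vppaccounts/id/3) echo '<vpp_account><id>3</id><name>test2</name><service_token>CONSTRUCTED</service_token><expiration_date>2018/01/15</expiration_date><site><id>-1</id><name>None</name></site></vpp_account>' ;;
  esac
}

# Print each value of element $1 found in the XML on stdin, one per line.
xml_values() {
  grep -o "<$1>[^<]*</$1>" | sed 's/<[^>]*>//g'
}

# Julian day number of a YYYY/MM/DD date, split on "/" via IFS.
jdn() (
  IFS=/; set -- $1
  y=$1; m=${2#0}; d=${3#0}
  a=$(( (14 - m) / 12 )); y=$(( y + 4800 - a )); m=$(( m + 12 * a - 3 ))
  echo $(( d + (153 * m + 2) / 5 + 365 * y + y / 4 - y / 100 + y / 400 - 32045 ))
)

# expiring_tokens TODAY DAYS: print "id name date days_left" for each token
# whose expiration is at most DAYS days after TODAY (negative = already expired).
expiring_tokens() {
  for id in $(jss_get vppaccounts | xml_values id); do
    detail=$(jss_get "vppaccounts/id/$id")   # holds the service_token: never log it
    name=$(printf '%s\n' "$detail" | xml_values name | head -n 1)
    exp=$(printf '%s\n' "$detail" | xml_values expiration_date)
    [ -n "$exp" ] || continue                # skip tokens without a date
    left=$(( $(jdn "$exp") - $(jdn "$1") ))
    if [ "$left" -le "$2" ]; then
      printf '%s %s %s %s\n' "$id" "$name" "$exp" "$left"
    fi
  done
}

expiring_tokens "$(date +%Y/%m/%d)" "${WARN_DAYS:-30}"
```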
Hat tip: I thought I’d have to do this using a database query, but it turns out that the field where the stoken is stored contains encrypted data different than the initially encoded base64, which I showed how to decrypt at What’s Really In A VPP Token File from Apple’s VPP?. This is to keep that data private. Instead, hat tip to Christian Dooley, who figured out that this is actually available in the API instead, and therefore I didn’t have to hit the database directly to write this article.
krypted June 30th, 2016
Posted In: JAMF
API, Casper, expiration date, mdm, site, token, vpp
I’ve worked with a lot of organizations switching between Mobile Device Management (MDM) solutions in my career. And I’ve seen the migration projects go both really, really well, and really, really poorly. In most cases, the migration is somewhat painful no matter what you do. But in this (my first) article on the JAMF blog, I try and organize my thoughts around a few things to look out for when migrating between MDMs/MAMs, and some context/experience around those.
krypted June 23rd, 2016
Posted In: Articles and Books, iPhone, JAMF, Mac OS X
Apple, devices, iPad, iPhone, MAC, mdm, Migration
I’m a bit late in posting this, but better late than never! In this episode, we interview the venerable Arek Dreyer about his upcoming book, and learn a little of his origin story! More on that in issues to come I’m sure!
krypted June 15th, 2016
Posted In: Mac OS X, Mac OS X Server
Apple, arek dreyer, ios, managing apple devices, mdm
When building an MDM, you look for a lot of workflows to make the lives of end users easier. One of those is Managed App Config, which is a technology from Apple that allows an MDM to inject information into an app when the app is sent to a device. Because all apps are different, it’s up to the application developer to build in support both for the feature itself, as well as for any variables they’d like to make possible for an MDM to send to an app. For example, an app might make server and username available, so that when a user opens the app, they need only provide their password. Or based on an Active Directory group, you might have a location within the app to direct a user to, a different server, or even a different schema for the username.
This is the simplest example, but there are hundreds of other things I wanted to do. And app vendors were actually very open to building these features. But they all asked “OK, so what do I do?” And the last thing I wanted to tell them was to use some cockamamie naming convention that I made up off the top of my head. So, much smarter people than I have come up with all the conventions to help standardize this otherwise chaotic awesomeness. And they’ve created a website, with IBM, JAMF, MobileIron, and AirWatch as the founding members, and published best practices. From the site:
A community focused on providing tools and best practices around native capabilities in mobile operating systems to enable a more consistent, open and simple way to configure and secure mobile apps in order to increase mobile adoption in business. Users benefit with instant mobile productivity and a seamless out-of-the box experience, and businesses benefit with secure work-ready apps with minimal setup required while leveraging existing investments in Enterprise Mobility Management (EMM), VPN, and identity solutions. Ultimately, your apps are simpler to configure, secure and deploy.
To learn more about standardizing Managed App Config, check out the AppConfig Community Site.
This goes a long way in making one of the coolest features for MDM much, much more usable. Hope you enjoy!
krypted February 28th, 2016
Posted In: iPhone, JAMF, Mass Deployment
appconfig community, JAMF, managed app config, mdm, standardization, standards
There are a lot of payloads that MDM and profiles can manage in iOS. Restrictions are probably the one I get the most questions about. And most are pretty self-explanatory. Sooooo, rather than open Profile Manager every time I need to see the list, here it is:
- Allow use of Camera
- Allow FaceTime
- Allow screenshots and screen recording
- Allow AirDrop (supervised only)
- Allow iMessage (supervised only)
- Allow voice dialing while device is locked
- Allow Siri
- Allow Siri while device is locked
- Enable Siri profanity filter (supervised only)
- Allow user-generated content in Siri (supervised only)
- Allow iBooks Store (supervised only)
- Allow installing apps using Apple Configurator and iTunes
- Allow installing apps using App Store (supervised only)
- Allow automatic app downloads (supervised only)
- Allow removing apps (supervised only)
- Allow in-app purchase
- Require iTunes Store password for all purchases
- Allow iCloud backup
- Allow iCloud documents & data
- Allow iCloud Keychain
- Allow managed apps to store data in iCloud
- Allow backup of enterprise books
- Allow notes and highlights sync for enterprise books
- Allow iCloud Photo Sharing
- Allow My Photo Stream (disallowing can cause data loss)
- Allow automatic sync while roaming
- Force encrypted backups
- Force limited ad tracking
- Allow Erase All Content and Settings (supervised only)
- Allow users to accept untrusted TLS certificates
- Allow automatic updates to certificate trust settings
- Allow trusting new enterprise app authors
- Allow installing configuration profiles (supervised only)
- Allow modifying account settings (supervised only)
- Allow modifying device name (supervised only)
- Allow modifying Find My Friends settings (supervised only)
- Allow modifying passcode (supervised only)
- Allow modifying Touch ID fingerprints (supervised only)
- Allow modifying restrictions (supervised only)
- Allow modifying Wallpaper (supervised only)
- Allow pairing with non-Configurator hosts (supervised only)
- Allow documents from managed sources in unmanaged destinations
- Allow documents from unmanaged sources in managed destinations
- Treat AirDrop as unmanaged destination
- Allow Handoff
- Allow Spotlight Suggestions
- Allow Touch ID to unlock device
- Force Apple Watch wrist detection
- Allow pairing with Apple Watch (supervised only)
- Require passcode on first AirPlay pairing
- Allow predictive keyboard (supervised only)
- Allow keyboard shortcuts
- Allow auto correction (supervised only)
- Allow spell check (supervised only)
- Allow Define (supervised only)
- Allow Wallet notifications in Lock screen
- Show Control Center in Lock screen
- Show Today view in Lock screen
krypted February 5th, 2016
Posted In: iPhone
ios, iPad, iPhone, mdm, payloads, Restrictions
Bushel is shipping a new feature this week called Blueprints. Blueprints are similar to groups, and allow you to assign different options in Bushel to different devices that have a blueprint assigned to them. This also allows you to define one device per blueprint and therefore have different options for different computers. Pretty cool on a few different fronts. And it provides a lot of flexibility for some really, really cool new features we’ve planned for the product.
For more on this great new feature, check out this great article from the new Bushel Product Manager, Michael Devins.
krypted December 10th, 2015
Posted In: Bushel, iPhone
blueprints, bushel, Groups, mdm
Apple Configurator 2 is a great new evolution in iOS initial and configuration management. And there are lots of great options. And to help you wrap your head around all this new fun stuff, I’ve written up a quick and dirty guide for using Apple Configurator 2.
It’s not completely done, but it will be shortly. Hope this helps someone. Enjoy!
krypted November 14th, 2015
Posted In: Apple Configurator, iPhone, Mass Deployment
blueprints, change wallpaper, configuration, Enrollment, guide, how to use apple configurator 2, ios, iPad, iPhone, MAC, mdm, profiles, setup
The new iPad Pro is pretty much the most ridiculously luxurious device I’ve seen in a long, long time. It’s huge. There are still many of the same limitations as on an iPad. The lack of browser plug-ins keeps us from accessing certain types of content. There isn’t access to the Finder as with OS X. But the screen is ridiculously massive and provides a whole new way to view data. It’s a beautiful, marvelous piece of technology. When we were looking at Bushel and the blog on it, we suddenly found the top and bottom bars of Safari to be just a bit too much lost screen real estate. And it made me think of yet another benefit of Web Clips: getting more screen real estate.
Click Here To Read More On Web Clips And iOS on the Bushel Blog
krypted November 13th, 2015
Posted In: Bushel, iPhone
bushel, mdm, Removable, Web Clips
Financial services is an interesting business when it comes to what you need to do to meet your regulatory requirements. With so much data and the services that enable you to access data moving to the cloud, it can be hard to keep up with how solutions meet any regulatory requirements you might have. At the end of the day, you’re primarily concerned about customer data leaking out of your environment and making sure that you can report on every single thing that happened in an environment. Whatever help we can provide in this article, make sure that you vet anything against what the individuals that review your regulatory requirements say.
Click Here to Continue Reading More On blog.bushel.com
krypted November 13th, 2015
Posted In: Bushel
Apple, Blog, ios, MAC, mdm, os x
Blueprints are a new option in Apple Configurator 2. Blueprints allow you to set up a template of settings, options, apps, and restore data, and then apply those Blueprints on iOS devices. For example, if you have 1,000 iOS devices, you can create a Blueprint with a restore item, an enrollment profile, a default wallpaper, skip all of the activation steps, install 4 apps, and then enable encrypted backups. The Blueprint will provide all of these features to any device that the Blueprint is applied to.
But then why not call it a group? Why call it a Blueprint? Because the word template is boring. And you’re not dynamically making changes to devices over the air. Instead you’re making changes to devices when you apply that Blueprint, or template to the device. And you’re building a device out based on the items in the Blueprint, so not entirely a template. But whatever on semantics.
To get started, open Apple Configurator 2.
Click on the Blueprints button and click on Edit Blueprints.
Notice that when you’re working on Blueprints, you’ll always have a blue bar towards the bottom of the screen. Blueprints are tiled on the screen, although as you get more and more of them, you can view them in a list.
Right-click on the Blueprint. Here, you’ll have a number of options. As you can see below, you can then Add Apps. For more on adding Apps, see this page.
You can also change the name of devices en masse, using variables, which I explore in this article.
For supervised devices, you can also use your Blueprints to change the wallpaper of devices, which I explore here.
Blueprints also support using Profiles that you save to your drive and then apply to the Blueprints.
Blueprints also support restoring saved backups onto devices, as I explore here.
For kiosk and single purpose systems, you can also enter into Single App Mode programmatically.
You can also configure automated enrollment, as described here. Overall, Blueprints make a great new option in Apple Configurator 2. These allow you to more easily save a collection of settings that were previously manually configured in Apple Configurator 1. Manually configuring settings left room for error, so Blueprints should keep that from happening.
krypted November 11th, 2015
Posted In: Apple Configurator, Mac OS X, Mass Deployment
Apple, Apple Configurator, backups, blueprints, Enrollment, ios, iPad, iPhone, mdm, profiles, restore, single app mode, supervision, wallpaper