Tag Archives: trust

iPhone Mass Deployment

Using Apple Configurator To Automate Casper MDM Enrollment

Enrolling iPads into the JAMF Casper MDM solution is done through Apple Configurator, messages or using links deployed to iOS devices as web clips. When doing larger deployments the enrollment process can be automated so that devices are automatically enrolled into Casper MDM when they are set up using an Enrollment Profile that is manually downloaded from Casper and deployed to device. Additionally, a certificate can be needed if the certificate is not included in the profile, an option available as a checkbox in the setup. While you hopefully won’t need to download the certificate, we’ll start there:

Obtain the Certificate for the JSS Server

To obtain the trust certificate from the JSS Server:

  1. Open the web interface for the JSS.
  2. When prompted to trust the certificate, click on the disclosure triangle and then the checkbox to trust the cert, providing the administrative credentials when prompted.
  3. Open Keychain Utility.
  4. Click in the search field.
  5. Search for JSS.
  6. Control-click on the name of your server’s “Built-in Certificate Authority” entry.
  7. Choose the option to Export.
  8. When prompted, provide a name for the certificate in the Save As fiel.
  9. Choose a location to save the certificate to using the Where field.
  10. The .cer format is sufficient for our purposes.
  11. Click Save.

Download the Enrollment Profile

To download an enrollment profile from Casper MDM:

  1. Log into the web interface of the JSS.
  2. Click on the link for Mobile Device Enrollment
  3. At the Mobile Device Enrollment Invitations screen, click on the Enrollment Profiles tab.
  4. At the Enrollment Profiles screen, click on Download for the appropriate profile (for most environments there should only be one)
  5. Once the profile is downloaded, it will automatically attempt to enroll the computer you are downloading it from in the Profiles System Preferences pane.
  6. Click on Cancel.
  7. Click on the downloads link in Safari.
  8. Click on the magnifying glass icon to see the .mobileconfig file.

You have now downloaded the .mobileconfig file that will enroll devices into Casper MDM.

Add the Profile To Apple Configurator:

To deploy the profile through Apple Configurator:

  1. Open Apple Configurator on the client computer.
  2. Click on Prepare in the row of icons along the top of the screen.
  3. Drag the profile (by default currently called MDM-iOS5.mobileconfig) from the Finder into the list of Profiles.
  4. The profile then appears in Apple Configurator (in this example, called MDM-iOS5).

Deploy The Casper MDM Enrollment Profile Through Apple Configurator

Once the profile is installed in Apple Configurator, let’s deploy it. In this example, don’t configure any other options. To deploy:

  1. Set the name to be blank, numbering should be disabled, Supervision should be off, iOS should be set to No Change, “Erase before installing” should be unchecked, Don’t Restore Backup should be set in the Restore field.
  2. Check the box for the newly added profile (MDM-iOS5 in this example).
  3. Click on the Prepare button.
  4. At the “Are you sure you want to apply these settings to all USB-connected devices?” screen, click on the Apply button.
  5. The subsequent screen shows when devices are being configured. Here, dock the device to receive the profile (note, all docked iOS devices are going to be configured with this profile).
  6. Once the device is connected, the profile will begin to install. You are then prompted to “Tap device to install profile”.
  7. On the device, tap on the Install button.
  8. At the Warning screen, tap Install.
  9. Once the Profile is installed, tap Done.
  10. You have now been enrolled.

If you then wish to unenroll, simply remove the profiles by tapping on profiles and then tapping on the Remove button. Per the MDM API, a user can elect to remove their device from management at any point, so expect this will happen occasionally, even if only by accident.

Mac OS X Mac OS X Server Mac Security Mass Deployment

The OS X Application Layer Firewall Part 3: Lion

In a couple of previous articles I looked at automating the Application Layer Firewall in OS X. These are pretty common articles that get back-linked to the site, so I decided to update them earlier, rather than later, in the Lion release. The tools to automate firewall events from the command line are still stored in /usr/libexec/ApplicationFirewall. And you will still use socketfilterfw there for much of the heavy lifting. However, now there are much more helpful and functional options in socketfilterfw that will allow you to more easily script the firewall.

Some tricks I’ve picked up with alf scripting:

  • Configure the firewall fully before turning it on (especially if you’re doing so through something like Casper or Absolute Manage where you might kick yourself out of your session otherwise).
  • Whatever you do, you can always reset things back to defaults by removing com.apple.alf.plist file from /Library/Preferences replacing it /usr/libexec/ApplicationFirewall/com.apple.alf.plist.
  • Configure global settings, then per-application settings
  • To debug: “/usr/libexec/ApplicationFirewall/socketfilterfw -d”

In /usr/libexec/ApplicationFirewall is the Firewall command, the binary of the actual application layer firewall and socketfilterfw, which configures the firewall. To configure the firewall to block all incoming traffic:

/usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on

A couple of global options that can be set. Stealth Mode:

/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on

Firewall logging:

/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on

To start the firewall:

/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on

While it would be nice to think that that was going to be everything for everyone, it just so happens that some environments actually need to allow traffic. Therefore, traffic can be allowed per signed binary. To allow signed applications:

/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on

This will allow all TRUSTEDAPPS. The –listapps option shows the status of each filtered application:

/usr/libexec/ApplicationFirewall/socketfilterfw --listapps

This shows the number of exceptions, explicitly allowed apps and signed exceptions as well as process names and allowed app statuses. There is also a list of TRUSTEDAPPS, which will initially be populated by Apple tools with sharing capabilities (e.g. httpd & smbd). If you are enabling the firewall using a script, first sign your applications that need to allow sharing but are not in the TRUSTEDAPPS section by using the -s option along with the application binary (not the .app bundle):

/usr/libexec/ApplicationFirewall/socketfilterfw -s /Applications/MyApp.app/Contents/MacOS/myapp

Once signed, verify the signature:

/usr/libexec/ApplicationFirewall/socketfilterfw -v /Applications/MyApp.app/Contents/MacOS/myapp

Once signed, trust the application using the –add option:

/usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/MyApp.app/Contents/MacOS/myapp

To see a list of trusted applications. You can do so by using the -l option as follows:

/usr/libexec/ApplicationFirewall/socketfilterfw -l

If, in the course of your testing, you determine the firewall just isn’t for you, disable it:

/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off

Or to manually stop it using launchctl (should start again with a reboot):

launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist
launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist

If you disable the firewalll using launchctl, you may need to restart services for them to work again.