14 Nov 2019 JNUC – Presentation Resources and Links
The following resources & links are in reference to my presentation from the 2019 Jamf Nation User Conference (JNUC) on “Building A Custom Set of Tools That Bridge the Support Gap to Jamf”. It covered our Apple infrastructure history and our road to Jamf Pro, including integration, transition and our current Jamf Pro infrastructure. Lastly, I covered an overview of some of the custom tools & methodologies that we have developed & implemented alongside our Jamf Pro integration.
Jamf has posted my JNUC 2019 presentation to YouTube…
Here are the presentation slides…
Resources & Links
Radmind Autoimage Creator
This is a process and script that automatically creates never-booted Apple Software Restore (ASR) images, with multiple configurations (i.e. kiosk, staff, lab, lab pro apps, etc.) and multiple operating system versions, on a single macOS client system running any macOS version.
Setup NetBoot Service on Mac OS X 10.6.x Client – Setup
This is a process & script that we used to work around the NetBoot process/implementation in our decentralized environment by programmatically setting up the NetBoot service on a Mac OS X 10.6.x client in locations that had challenges reaching our centralized NetBoot server.
Setup NetBoot Service on Mac OS X 10.6.x Client – Diskless NetBoot
This outlines diskless NetBoot and the steps to modify rc.netboot to support a RAM disk. In certain situations you never want to use a client’s local disk for the NetBoot shadow file, for example if you want to run hard disk utilities like Disk Utility or DiskWarrior, or, in our case, if we want to run the file system maintenance software we use, radmind, out-of-context.
This is an in-depth presentation that we gave on Mac OS X 10.4 Server’s NetBoot & NetInstall process, creating NetBoot & NetRestore images, setting up & using NetRestore PHPServices, and tools like Apple Remote Desktop and NetBoot Filter Manager.
Automatic Disabling SIP With El Capitan Upgrade – Blog
This blog covers the process of disabling System Integrity Protection (SIP) with the El Capitan upgrade. We do NOT recommend disabling SIP, but our previous client management system, Radmind, manages the entire file system (tripwire-style), and Apple’s System Integrity Protection conflicts with that management because SIP restricts areas of the file system that Radmind maintains. So we disabled SIP’s file system protection on macOS El Capitan and used a similar method with macOS Sierra.
Automatic Disabling SIP With El Capitan Upgrade – GitHub
This is our GitHub repository with the script used to programmatically disable System Integrity Protection’s file system protections (or others) and a sample LaunchDaemon item.
Bypassing Apple’s System Integrity Protection
This is a blog post by Patrick Wardle that uses our methodology to outline how an attacker can easily bypass Apple’s System Integrity Protection (SIP) on a fully patched macOS system.
Modifying Open File Descriptor Limits on OS X – Blog
This is a blog post outlining the process, with sample LaunchDaemon items, to modify the open file descriptor limits on Mac OS X or macOS. Radmind is a suite of Unix tools that we use to maintain the file system of our OS X computers. Radmind uses a tool called fsdiff to compare all the files on the hard disk. When fsdiff ran we would get errors saying that there were too many files open and that we needed to increase the limit. The issue became more widespread when we started running Radmind through a JAMF policy, since the policy added an additional layer of abstraction from the OS. We fixed the issue by having two different LaunchDaemons start at boot and set the descriptor limits. This has reduced the problem we were having with fsdiff and other radmind suite tools.
NoMAD
NoMAD’s main purpose is to help move your Macs off binding to AD while still getting all of the functionality. Keep your users on local accounts and let NoMAD manage their interaction with AD by allowing them to sign in with their AD account to get Kerberos tickets, certificates for 802.1X connections and other functions without having to have a mobile account. We use this in our environment to limit issues by using a “loose bind” instead of binding Macs to our campus Active Directory domains, keeping local accounts.
NoMAD Login AD
NoMAD Login AD, or NoLoAD for short, is a replacement login window for macOS 10.12 and higher. It allows you to log in to a Mac using Active Directory accounts, without the need to bind the Mac to AD and suffer all the foibles that brings. We use it in our environment to provide a “loose bind” to our campus Active Directory infrastructure.
Kinobi
Kinobi is an external patch server (or patch source) for Jamf Pro. It provides a simple interface for creating and editing patch definitions, as well as the appropriate endpoints for Jamf Pro to connect to. The introduction of Patch Management in Jamf Pro 9.93 significantly expanded Jamf’s software management, adding the ability to gain insight into the versioning information of software on enrolled Macs. However, Jamf Pro’s built-in Patch Management solution currently only supports the tracking of software titles from no more than a dozen popular vendors. Kinobi, supporting Jamf Pro 10.2 or later, allows you to extend this patch management functionality to all Mac applications within your environment by creating and defining your own software titles and patches. We use the open-source version of Kinobi in our environment to provide external patch management for Jamf Pro. We are hoping they provide an option for API access, either in the open-source version or at low cost, for environments like ours that do not want or need the commercial options, which automatically receive new patch definitions or packages created directly by the company.
NetSUS
NetSUS is an open-source project by Jamf that runs on Linux distributions and is an internally hosted Software Update Server (SUS) allowing management & staging of Apple client software updates. We also use the server to host our external patch server, Kinobi.
Device-Based Internet Access – Blog
This is a blog post that outlines implementing NDES/SCEP with Jamf Pro to provide device-based certificates in our university environment. We use this service/methodology on shared, student checkout or classroom checkout Apple laptops. We had this working about a year or more before our campus centralized group could authorize and support it as a campus support service available to other campus departments/groups.
AEiOS (Automated Enterprise iOS) – GitHub
This is our GitHub repository for AEiOS. AEiOS is a Python library designed to aid the automation of Apple iOS device management, configuration, and imaging. Originally designed for our in-house Student Checkout iPads, we wanted to provide our students and patrons the ability to use our iPads without restrictions, as if they were personal devices. Users can configure the devices however they like, install their own applications, and even use iCloud, while we (MacAdmins) maintain user data privacy between each checkout. By integrating the best features of Apple Configurator, the Device Enrollment Program (DEP), Mobile Device Management (MDM) and the Volume Purchase Program (VPP), we have created a completely automated, truly zero-touch solution for iOS device checkout using free and native Apple macOS solutions that require no interaction by our very busy support staff other than plugging the device in at check-in.
AEiOS (Automated Enterprise iOS) – Blog
This is a blog post covering our GitHub project, with references to Mac Admins Podcast Episode 123: AEiOS and Sometimes Y, where it was discussed with developer Sam Forester. It also outlines other possible solutions like Apple Configurator & Automator, Apple Provisioning Utility (APU), GroundControl, Jamf Setup and Reset, and libimobiledevice.
AEiOS (Automated Enterprise iOS) – Mac Admins Podcast: Episode 123: AEiOS and Sometimes Y
This is a Mac Admins Podcast episode where Sam Forester from the University of Utah joins the pod to talk about AEiOS, a tool for managing iPads in an automated and managed fashion, using a bunch of tools to make sure that the iPad ends up personalized for its temporary user. Sam takes us from the development process to how they use AEiOS in their day-to-day operations, and how you could, too.
The “Crappy App” Model
We have developed a methodology for managing applications that are unfriendly to enterprise and/or shared environments, which has evolved over the years at the Marriott Library and other locations on campus that we support. We affectionately call it the “Crappy App” model, and we use it to sanitize applications with exceptional requirements.
This is a Jamf Pro-based Python application that automates and implements a framework to offboard, securely erase and document deprecated Mac systems. We use this to automate the process for Mac systems being sent to our campus property surplus or stored for future projects or distribution.
Cleanup Manager
This is a Python script that was originally designed to help clean up user home folders on shared, frequently-used machines. We use it in some student labs that have persistent login information, where the users’ home folders can accumulate and aren’t deleted for long periods of time. It is also used to manage shared drives that have a tendency to fill up quickly, like audio or video studios.
Cleanup Manager – Blog
This is a blog post giving an in-depth overview of the Cleanup Manager Python script and our usage of it.
Display Manager
Display Manager programmatically manages Mac displays, including display resolution, refresh rate, rotation, brightness, screen mirroring, and HDMI underscan. Its primary intended purpose is to allow system administrators and developers to automatically configure any number of Mac displays, by use of the command-line scripts and the Display Manager Python library.
Firmware Password Manager
This is a Python script that automates the management of firmware passwords across a fleet of Mac systems, including enabling, disabling and updating passwords.
Tugboat
Tugboat is a cross-platform Python GUI application that we use to manage inventory in Jamf Pro; it allows auditing, adding, updating and searching for computer records. It provides a simplified interface for users who focus only on inventory rather than management or other uses of Jamf Pro.
Mac System Age Estimate – Extension Attribute
This is a Python script to report the estimated age of a Mac system. We use it with our inventory Python GUI application, Tugboat, against our Jamf Pro server.
Recce
Recce duplicates much of the functionality of the original recon.exe binary, which was deprecated, and uses JAMF’s REST API to upload the inventory information. Using JAMF’s API is a safe and reliable way to read and write data to your JAMF instance. Recce was originally meant to replace the features provided by the deprecated recon.exe Windows application from JAMF. However, it became clear during development that Recce could become a framework for adding unmanaged machines of other operating systems as well.
Here are some songs from bands I have played guitar for in the past…
Road Frisbee – Hanging On
Pocket Change – Jack Da Ripper
Colorblind – Silence
Colorblind – Insane