15 Apr
April 2022 – MacAdmins Meeting
April 20, 2022 – University of Utah, MacAdmins Meeting
The University of Utah MacAdmins Meeting is held virtually on the 3rd Wednesday of each month at 11 AM Mountain Time. Presentations cover Apple technology and integration in a heterogeneous university enterprise environment.
This month’s meeting will be held on Wed, April 20th, 2022 at 11 AM MT. We will provide a live broadcast, and archives will be made available 2-3 days after the meeting.
If you have suggestions on presentations or interest in presenting, questions, or comments, please use the Contact Us option.
All you Need to Know if You’re Binding Macs – Sean Rabbitt, Jamf
When Microsoft released a patch to prevent the domain controller spoofing problem in CVE-2021-42287, it broke the binding of macOS & Linux to Active Directory (AD). The fix requires an update of Active Directory servers, but there’s still some confusion on release dates and if we’ll need a client-side patch or not.
In this presentation, you will learn:
- How managing a Mac differs between Mobile Device Management (MDM) and Active Directory binding
- How to manage local user accounts on a Mac and still use a central directory source of truth
- Planning for an unbound Mac future
We’ll also discuss different options for password and account management like the Apple Kerberos SSO Extension, NoMAD, Jamf Connect, and other options.
Apple Kerberos SSO Extension
In macOS 10.15, Apple also added its own SSO extension for on-premise Active Directory Domains. This effectively replaces Apple’s Enterprise Connect product.
The Kerberos extension offers the following functionality:
- Allows local Mac users to acquire a Kerberos ticket-granting ticket (TGT) so they can seamlessly access services such as web services, file services, and applications.
- Allows the user to change their Active Directory password, be notified when the password is close to expiring, and change their local Mac password so it matches their Active Directory password.
- Use third-party scripts or apps to perform tasks based on state changes with the SSO extension.
NoMAD
NoMAD is open-source software that gives Mac users the Single Sign-On experience of Active Directory without requiring a bind to AD. With Single Sign-On, the user experience is much improved for authenticating to websites, file shares, certificate provisioning, Exchange, DFS, printers, and more.
Jamf Connect
Jamf Connect is an application that allows administrators to manage authentication by connecting a user’s local macOS account to their organization’s cloud identity (network account). The following IdPs are supported in Jamf Connect Login: Google Identity, IBM Cloud Identity, Microsoft Azure AD, Okta, OneLogin, and PingFederate. You can configure Jamf Connect Login with configuration profiles sent via MDM or installed locally on a computer.
About Sean Rabbitt
Sean was born a small human child and has since gotten larger. He is currently a Sr. Consulting Engineer for Identity and Access Management at Jamf where he writes a lot of documentation that people ignore. He is often seen in an Airstream trailer traveling the country.
- Video – To view the archived presentation video, click here.
- Slides – To view the archived presentation slides, click here.
How to Manage the Dock with dockutil – Mischa van der Bent, Jamf
Now that dockutil has been rewritten in Swift, I needed to dust off my scripts and want to review the options that we have for managing the Dock. Whether you need to manage the complete Dock, need to be sure some applications are always in the Dock, or start after enrollment with a standard Dock, in this session we will cover it all.
dockutil is a command-line utility for managing macOS dock items. It is currently written in Swift.
- Compatible with macOS Big Sur & Monterey (use 2.x version for older OSes)
- Add, List, Move, Find, Remove Dock Items
- Supports Applications, Folders, Stacks, URLs.
- Can act on a specific dock property list (.plist) or every dock .plist in a folder of home directories
About Mischa van der Bent
I have been supporting Apple devices since the late 90s. I had a couple of Apple IT roles before starting my own company, which grew into an Apple Authorized Enterprise Reseller. I am currently working as a Consulting Engineer at Jamf, helping organizations understand how to manage, deploy and support Apple devices on any scale, from small businesses to large international enterprises. The goals are to keep it simple, connect the dots and automate what is possible.
- Video – To view the archived presentation video, click here.
- Slides – To view the archived presentation slides, click here.
Fully Automated Lab Mac Deployment – Graham Williams, University of Wales Trinity Saint David
Deploying Apple devices can come with challenges. Deploying them in a multi-user lab environment can come with far more. But what happens when you can’t be there all night, and you need to deploy or refresh an entire lab of machines?
In this session, we’ll go through what it takes to create a true zero-touch deployment for a multi-user lab environment. From brand new in box to user ready. When we’re finished, all you’ll need to do is plug it in.
This will cover how to prepare the workflow to take the device from ordering to PreStage via Automated Device Enrolment (DEP). Using these building blocks, we are able to take a device from the default log-on screen of PreStage and automatically log it in with our newly created account. Next, we make use of further Smart Groups, Scripts, Policies, Extension Attributes, and DEPNotify. Then come more Smart Groups, Scripts, and Policies, along with one of my favorite features, Inventory Preload, and we make use of NoMAD and NoMAD Login to make our device truly user ready.
About Graham Williams
Graham Williams is a Systems Administrator with almost 15 years of successful experience in administration and deployment within the education sector. Graham works in a small, but dynamic team within IT at the University of Wales Trinity Saint David. His work now primarily revolves around the management and deployment of Apple devices, but also covers an array of Microsoft services and products, making him platform-agnostic. Outside of work, Graham can be found enjoying various sports having completed events such as Ironman Wales, and 50 km ultra-marathons.
- Video – To view the archived presentation video, click here.
- Slides – To view the archived presentation slides, click here.
Open Discussion
Questions, comments, problems, and fixes.
Directions
Due to the coronavirus (aka Covid-19) crisis, this meeting will not be held in person but will currently be held virtually using Zoom video communications architecture.
- Require a Password to Join: This meeting will require a password to join. Information will be emailed via a campus internal list, but if you are external and want to attend the meeting, please use the Contact Us form to receive details. Otherwise, the archive of the meeting will be available 2-3 days after the live meeting.
- Miscellaneous: We will also implement other settings and safeguards to secure the meeting.
Archived Presentation(s)
- Archives of the presentations will be available on this web page.