October 2022 – MacAdmins Meeting


October 21, 2022 – University of Utah, MacAdmins Meeting



The University of Utah, MacAdmins Meeting is held virtually each month on the 3rd Wednesday at 11 AM Mountain Time. Presentations cover Apple technology and integration in a heterogeneous university enterprise environment. This month’s meeting will be held on Wed, October 19th, 2022 at 11 AM MT. We will provide live broadcasts, and archives will be made available 2-3 days after the meeting.

 

macOS Security Compliance Project – Dan Brodjieski (NASA), Bob Gendler (NIST) & Allen Golbig (Jamf)


The macOS Security Compliance Project (mSCP) is an open-source effort to provide a programmatic approach to generating security guidance. This is a joint project of federal operational IT Security staff from the National Institute of Standards and Technology (NIST), National Aeronautics and Space Administration (NASA), Defense Information Systems Agency (DISA), and Los Alamos National Laboratory (LANL). The project uses a set of tested and validated controls for macOS and maps these controls against any security guide supported by the project. Additionally, this project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of tested and validated atomic actions (configuration settings). The project outputs customized documentation, scripts, configuration profiles, and an audit checklist based on the baseline used.

This presentation will give an update and overview of the project, details on the structure/content, and how to use it to generate compliance documentation and supporting components.

About Dan Brodjieski

Dan Brodjieski has over 20 years of Apple System Administration and Engineering experience. He currently supports the Cybersecurity Standards and Engineering Team (CSET) at NASA. Prior to that, he provided Apple expertise in securing and deploying macOS devices for the Department of Defense with both the Joint Service Provider (JSP) and the Defense Information Systems Agency (DISA).

About Bob Gendler

Bob Gendler is an IT Specialist in the Apple world. Jamf guru, wizard of Mac Management, and mastermind of Apple trivia. Co-author and creator of the macOS Security Compliance Project.

About Allen Golbig

Allen Golbig has worked as a Mac Admin in healthcare, education, and government. He now supports the sales organization at Jamf for all things macOS security.

 

  • Video – To view the archived presentation video, click here.
  • Slides – To view the archived presentation slides, click here.



Enforce & Encourage macOS updates with S.U.P.E.R.M.A.N. – Kevin White, Macjutsu


Over the past several years, Apple has made a number of deep platform changes to both macOS and Mac hardware that have resulted in enormous shifts in how Mac computers are deployed and managed. But due to the reliability problems and difficulty of using one single method, you have to depend or fall back on multiple methods, including Mobile Device Management (MDM), the softwareupdate CLI tool, or the softwareinstall CLI tool. The result is a MacAdmin's overly complicated and fragile Rube Goldberg macOS update machine.


S.U.P.E.R.M.A.N. optimizes the macOS software update experience. S.U.P.E.R.M.A.N. (or just “super”) is an open-source script that provides administrators with an automatic workflow to encourage and enforce macOS software updates for both Intel and Apple Silicon computers. Easily deployed via a simple Jamf Pro policy, super creates a background agent (aka LaunchDaemon) that ensures macOS software updates are applied with the least user interference possible. Further, super can also enforce macOS software updates with options for customizable deferrals and deadlines. In other words, super makes the macOS update experience better for both users and administrators alike.

Features and Options
  • Fully automated (no local user authentication required) macOS software update workflow for both Intel and Apple silicon Mac computers.
  • Customizable software updates dialogs and notifications using IBM Notifier.
  • Minimizes user downtime by automatically installing Apple software updates that don’t require a restart (Safari, Xcode, etc.) without prompting the user.
  • Minimizes user downtime by automatically downloading and preparing macOS system updates before interrupting the user to restart.
  • Automatic deferral option for user Focus, Do Not Disturb, and screen sleep assertions (presentations, meetings, etc).
  • A variety of enforcement options include maximum deferral counts, maximum deferral days, and date deadlines.
  • Background agents (LaunchDaemon) can work independently of a mobile device management (MDM) service.
  • Automatic installation of all required items and dependencies.
  • Configurable using super's interactive command line or a configuration profile.
  • Substantial validation and logging including both testing and verbose modes.

  • For computers managed by Jamf Pro:

    • Automatic inventory and policy check-in as soon as possible after the computer restarts.
    • Option to run policies prior to system update restart.
    • Option to run policies without Apple software updates and still take advantage of dialogs, notifications, deferrals, and deadline workflows.

About Kevin White

Kevin M. White has dedicated his career to mastering Apple technologies so he can share them with the world. Through his company, Macjutsu, Kevin provides professional consulting for Apple’s education and enterprise customers. Macjutsu is also part of the Jamf Services Partner program; providing professional services specific to the Jamf Pro management platform.

  • Video – To view the archived presentation video, click here.

 

Open Discussion


Questions, comments, problems, and fixes.

 

Directions


Due to the coronavirus (aka Covid-19) crisis, this meeting will not be held in person and is currently conducted virtually using the Zoom video communications architecture.

With Zoom we will implement the following security best practices:
  • Require a Password to Join: This meeting will require a password to join. Information will be emailed via a campus internal list, but if you are external and want to attend the meeting, please use the contact us form to receive details. Otherwise, the archive of the meeting will be available 2-3 days after the live meeting.
  • Waiting Room: When joining the meeting you will be placed in the Waiting Room by default, and the hosts will give you access to the live meeting.
  • Miscellaneous: We will also implement other settings and safeguards to secure the meeting.

Archived Presentation(s)


  • Archives of the presentations will be available on this web page.