Archive
Installing and configuring the Jamf Infrastructure Manager on Red Hat Enterprise Linux
I recently needed to configure Jamf’s Jamf Infrastructure Manager (JIM) to allow a Jamf Pro server hosted outside a company’s network to talk to an otherwise inaccessible Active Directory domain.
The documentation on how to set up an Infrastructure Manager covers the essentials, but doesn’t include screenshots or information about how to access the logs to help debug problems. After some research and working with the JIM a bit, I was able to figure out the basics. For more details, see below the jump.
Using IAM roles on Amazon Web Services to generate temporary credentials for EC2 instances
While working on a project involving Amazon Web Services, I ran across the concept of using temporary credentials with AWS’s Command Line Interface (awscli) tool. When using the awscli tool, it is necessary to provide authentication credentials so that the aws tool is able to authorize its actions with AWS. When running the awscli tool on an EC2 instance, AWS provides a way to get temporary authentication credentials on demand, through the use of IAM roles.
In my research on the topic, I found a lot of posts showing how to use temporary credentials, but not a lot of information on how to set up the needed IAM roles. After some additional research, in addition to trial and error, I was able to figure out the IAM role setup process. For more details, see below the jump.
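The role setup the post describes, as an added example (not the original post’s own procedure): a trust policy that lets only the EC2 service assume the role, the instance profile that wraps it, and a reader for the temporary credentials the instance metadata service hands out. The role name, policy ARN and the metadata JSON sample are placeholders constructed for this example; the metadata fetch uses the IMDSv2 session token so that a plain GET forged through an SSRF bug in a web app on the instance cannot read the credentials.

```shell
#!/bin/sh
# Added example, not from the original post. ROLE_NAME and POLICY_ARN are
# hypothetical; replace them for your account. Requires awscli and curl.
set -eu

ROLE_NAME="${ROLE_NAME:-jamf-dp-reader}"                                          # hypothetical
POLICY_ARN="${POLICY_ARN:-arn:aws:iam::123456789012:policy/jamf-dp-s3-readonly}"   # hypothetical, scoped policy

# Trust policy: only the EC2 service may assume this role. This is what
# distinguishes an instance role from an ordinary IAM role.
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Create the role, attach a least-privilege policy (never AdministratorAccess),
# and wrap it in an instance profile; an EC2 instance is launched with the
# instance profile, not with the role directly.
create_instance_role() {
  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$(ec2_trust_policy)"
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$POLICY_ARN"
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" \
      --role-name "$ROLE_NAME"
}

# On the instance: fetch the temporary credentials for the role (IMDSv2).
fetch_instance_credentials() {
  token=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" \
      -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
  curl -sS -H "X-aws-ec2-metadata-token: $token" \
      "http://169.254.169.254/latest/meta-data/iam/security-credentials/$ROLE_NAME"
}

# Turn the metadata JSON (one key per line, as the service prints it) into
# export lines for tools that cannot read the instance profile themselves.
credentials_to_exports() {
  awk -F'"' '
    $2 == "AccessKeyId"     { print "export AWS_ACCESS_KEY_ID=" $4 }
    $2 == "SecretAccessKey" { print "export AWS_SECRET_ACCESS_KEY=" $4 }
    $2 == "Token"           { print "export AWS_SESSION_TOKEN=" $4 }
    $2 == "Expiration"      { print "# credentials expire at " $4 }
  '
}

# Constructed sample of the metadata response, for offline demonstration.
SAMPLE_METADATA_JSON='{
  "Code" : "Success",
  "LastUpdated" : "2017-03-01T12:00:00Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAEXAMPLEKEY",
  "SecretAccessKey" : "examplesecret",
  "Token" : "exampletoken",
  "Expiration" : "2017-03-01T18:00:00Z"
}'

demo_parse() {
  printf '%s\n' "$SAMPLE_METADATA_JSON" | credentials_to_exports
}

case "${1:-}" in
  create) create_instance_role ;;
  fetch)  fetch_instance_credentials | credentials_to_exports ;;
  demo)   demo_parse ;;
esac
```

The awscli itself walks the credential chain and picks up instance-profile credentials automatically, so the export step is only needed for tools that don’t; either way, the credentials rotate before the Expiration timestamp and must not be copied off the instance into long-lived configuration.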
S3 server side encryption not supported with Jamf Pro cloud distribution points
As part of a project I’m working on, I needed to set up a cloud distribution point for a Jamf Pro server in Amazon Web Services. AWS-hosted cloud distribution points use a bucket in Amazon’s S3 service to store the files hosted by the distribution point. To help secure the S3 bucket, I enabled S3 server-side encryption. This encryption provides data-at-rest protection for files stored in an S3 bucket and is managed by Amazon’s S3 service.
Once that security was enabled, I was unable to then upload either installer .pkgs or .dmgs to the S3 bucket associated with the cloud distribution point using any of the following methods:
- Web console package upload
- Casper Admin
- AutoPkg using JSSImporter
The unusual part was that the installer would appear to upload and show up as a valid package when viewed from the Jamf Pro web console.
However, if I viewed the S3 bucket from the AWS console, the actual installer files would not be present in the S3 bucket.
For more details, see below the jump.
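The check that caught this, as an added example (not from the original post): compare the packages Jamf Pro lists against the object keys actually present in the bucket, so a package that looks valid in the console but never landed in S3 shows up as missing. The Jamf Pro URL, API account, bucket name and the sample package data are placeholders constructed for this example; it assumes the bucket stores packages under their Jamf Pro package names, with an optional key prefix.

```shell
#!/bin/sh
# Added example, not from the original post. JAMF_URL, JAMF_USER, JAMF_PASS,
# BUCKET and BUCKET_PREFIX are hypothetical; use a read-only API account.
set -eu

JAMF_URL="${JAMF_URL:-https://jamf.example.com:8443}"   # hypothetical
JAMF_USER="${JAMF_USER:-api-readonly}"                   # hypothetical
JAMF_PASS="${JAMF_PASS:-}"
BUCKET="${BUCKET:-example-jamf-dp}"                      # hypothetical
BUCKET_PREFIX="${BUCKET_PREFIX:-}"                       # e.g. "packages/" if keys are prefixed

# Extract every <name>...</name> from the classic API packages listing.
jamf_package_names() {
  grep -o '<name>[^<]*</name>' | sed -e 's#<name>##' -e 's#</name>##' | sort -u
}

fetch_jamf_package_names() {
  curl -sSf -u "$JAMF_USER:$JAMF_PASS" -H 'Accept: application/xml' \
    "$JAMF_URL/JSSResource/packages" | jamf_package_names
}

# Object keys in the bucket (list-objects-v2 paginates for us), prefix stripped.
fetch_bucket_keys() {
  aws s3api list-objects-v2 --bucket "$BUCKET" --query 'Contents[].Key' --output text \
    | tr '\t' '\n' | sed "s#^$BUCKET_PREFIX##" | sort -u
}

# Names present in file $1 but absent from file $2 (both sorted, one per line).
missing_from_bucket() {
  comm -23 "$1" "$2"
}

audit_cloud_dp() {
  tmpj=$(mktemp); tmps=$(mktemp)
  fetch_jamf_package_names > "$tmpj"
  fetch_bucket_keys > "$tmps"
  echo "Packages Jamf Pro lists but the bucket lacks:"
  missing_from_bucket "$tmpj" "$tmps"
  rm -f "$tmpj" "$tmps"
  # Report whether the bucket has default server-side encryption configured.
  aws s3api get-bucket-encryption --bucket "$BUCKET" 2>/dev/null \
    || echo "no default encryption configured on $BUCKET"
}

# Offline demonstration on constructed data: Jamf Pro reports three packages,
# the bucket holds only two of them.
check_sample() {
  jamf_xml='<?xml version="1.0" encoding="UTF-8"?><packages><size>3</size><package><id>1</id><name>Firefox-52.0.pkg</name></package><package><id>2</id><name>Office2016-15.33.0.pkg</name></package><package><id>3</id><name>TestApp.dmg</name></package></packages>'
  keys='Firefox-52.0.pkg
TestApp.dmg'
  tmpj=$(mktemp); tmps=$(mktemp)
  printf '%s' "$jamf_xml" | jamf_package_names > "$tmpj"
  printf '%s\n' "$keys" | sort -u > "$tmps"
  missing_from_bucket "$tmpj" "$tmps"
  rm -f "$tmpj" "$tmps"
}

case "${1:-}" in
  audit) audit_cloud_dp ;;
  demo)  check_sample ;;
esac
```

Run the audit after every bulk upload; a non-empty list means the distribution point will serve 404s for packages that policies consider installed and available.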
Session videos available from MacAD UK Conference 2017
A number of session videos (including mine) have been posted from MacAD UK 2017. For those interested, the videos are available on YouTube via the link below:
https://www.youtube.com/playlist?list=PLe6gxSMzV0S9JhDowmWNSGesQ16F_ZmUB
For convenience, I’ve linked my session here.
Office 2016 DefaultsToLocalOpenSave setting change as of Office 2016 15.33.x
As part of the release of Office 2016 15.33.0, a number of managed preference options have been added and some have changed from what they were before. An example of one that has changed is the DefaultsToLocalOpenSave management setting, which sets the Open and Save options in Office 2016 apps to default to On My Mac instead of Online Locations.
In Microsoft Office 2016 15.32.x and earlier, the DefaultsToLocalOpenSave setting could only be managed by running a command similar to the one below on the individual user accounts:
/usr/bin/defaults write "/path/to/user/homefolder/Library/Group Containers/UBF8T346G9.Office/"com.microsoft.officeprefs DefaultsToLocalOpenSave -bool true
To set this for all accounts on a particular Mac, I had written the following script:
#!/bin/bash
# Set the Open and Save options in Office 2016 apps to default to
# "On My Mac" instead of "Online Locations" in the default user template
for USER_TEMPLATE in "/System/Library/User Template"/*
do
    /usr/bin/defaults write "${USER_TEMPLATE}/Library/Group Containers/UBF8T346G9.Office/"com.microsoft.officeprefs DefaultsToLocalOpenSave -bool true
done

# Set the Open and Save options in Office 2016 apps to default to
# "On My Mac" instead of "Online Locations" in the user folders
# located in /Users, then fix the permissions on the affected
# file so that the file is owned by the user folder's owner rather
# than being owned by root.
for USER_HOME in /Users/*
do
    USER_UID=$(basename "${USER_HOME}")
    if [ ! "${USER_UID}" = "Shared" ]; then
        if [ ! -d "${USER_HOME}/Library/Group Containers/UBF8T346G9.Office" ]; then
            /bin/mkdir -p "${USER_HOME}/Library/Group Containers/UBF8T346G9.Office"
            /usr/sbin/chown "${USER_UID}" "${USER_HOME}/Library"
            /usr/sbin/chown "${USER_UID}" "${USER_HOME}/Library/Group Containers"
            /usr/sbin/chown "${USER_UID}" "${USER_HOME}/Library/Group Containers/UBF8T346G9.Office"
        fi
        if [ -d "${USER_HOME}/Library/Group Containers/UBF8T346G9.Office" ]; then
            /usr/bin/defaults write "${USER_HOME}/Library/Group Containers/UBF8T346G9.Office/"com.microsoft.officeprefs DefaultsToLocalOpenSave -bool true
            /usr/sbin/chown "${USER_UID}" "${USER_HOME}/Library/Group Containers/UBF8T346G9.Office/"com.microsoft.officeprefs.plist
        fi
    fi
done
As of Microsoft Office 2016 15.33.x, this setting can now be set at the global level for all users by running the following command with root privileges:
/usr/bin/defaults write /Library/Preferences/com.microsoft.office DefaultsToLocalOpenSave -bool true
I’ve posted an updated script to manage this setting to GitHub, available via the link below:
This setting can now also be managed with a profile, so I’ve created a .mobileconfig file and posted it here on Github:
https://github.com/rtrouton/profiles/tree/master/Office2016DefaultToLocalSave
Identifying which Active Directory account is logged into Enterprise Connect
As more Mac environments move away from binding Macs to Active Directory and using AD mobile accounts, and towards using local accounts in combination with tools like NoMAD and Apple’s Enterprise Connect, it’s become more challenging to identify which people are logged into which computers. While mobile Active Directory accounts will use the username and password of the person’s AD account, there is no such certainty with local user accounts.
Fortunately, my colleague Joe Chilcote recently let me know that it’s possible to query the logged-in user’s login keychain and get the username of the Active Directory account which is logged into Enterprise Connect. This can be accomplished by running the following command as the logged-in user:
/usr/bin/security find-generic-password -l "Enterprise Connect" $HOME/Library/Keychains/login.keychain | awk -F "=" '/acct/ {print $2}' | tr -d "\""
That should produce output similar to that shown below:
computername:~ username$ /usr/bin/security find-generic-password -l "Enterprise Connect" $HOME/Library/Keychains/login.keychain | awk -F "=" '/acct/ {print $2}' | tr -d "\""
AD_username_here
computername:~ username$
It’s also possible to leverage this technique to update the User and Location section of a particular computer managed by a Jamf Pro server. For more information, see below the jump.
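The lookup and the Jamf Pro update, as an added example (not the original post’s script): it parses the attribute dump that security find-generic-password prints and, optionally, records the result with jamf recon -endUsername. The keychain dump below is constructed for this example; the real output carries more attributes, but only the "acct" line matters. Two practitioner caveats the one-liner glosses over: the lookup must run as the console user (root’s security command would search root’s keychains and find nothing), and the password data is never requested (no -w), so no keychain ACL prompt is triggered.

```shell
#!/bin/sh
# Added example, not from the original post. The sample dump is constructed.
set -eu

# Constructed sample of what `security find-generic-password -l "Enterprise Connect"`
# prints (attributes only; the password is not requested).
SAMPLE_DUMP='keychain: "/Users/username/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="Enterprise Connect"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="AD_username_here"
    "cdat"<timeb>=0x32303137303431313132303030305A00  "20170411120000Z\000"
    "svce"<blob>="Enterprise Connect"'

# Pull the account name out of a dump read on stdin. Anchors on the literal
# "acct"<blob>= attribute rather than any line containing "acct", so an
# unrelated attribute value containing that string cannot be picked up.
acct_from_dump() {
  sed -n 's/^ *"acct"<blob>="\(.*\)"$/\1/p' | head -n 1
}

# Query the current user's login keychain. Sierra and later name the file
# login.keychain-db; fall back to the older name if that is what exists.
ec_logged_in_user() {
  keychain="$HOME/Library/Keychains/login.keychain-db"
  [ -f "$keychain" ] || keychain="$HOME/Library/Keychains/login.keychain"
  security find-generic-password -l "Enterprise Connect" "$keychain" 2>/dev/null | acct_from_dump
}

# Run from a root context (for example a Jamf Pro policy): look up the AD
# account in the console user's session, then push it to the computer record.
report_to_jamf() {
  console_user=$(stat -f '%Su' /dev/console)
  ad_user=$(launchctl asuser "$(id -u "$console_user")" sudo -u "$console_user" \
      security find-generic-password -l "Enterprise Connect" 2>/dev/null | acct_from_dump)
  if [ -z "$ad_user" ]; then
    echo "no Enterprise Connect keychain item for $console_user" >&2
    return 1
  fi
  /usr/local/bin/jamf recon -endUsername "$ad_user"
}

case "${1:-}" in
  me)     ec_logged_in_user ;;
  report) report_to_jamf ;;
  demo)   printf '%s\n' "$SAMPLE_DUMP" | acct_from_dump ;;
esac
```

If Enterprise Connect has not yet signed in during the session there is no keychain item and the function returns nothing; treat an empty result as "unknown", not as a reason to clear the existing username in Jamf Pro.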
Building VMs on ESXi using esxi_macos_vm_creation.sh
As part of my testing workflow, I’ve been using VMs running on an ESXi 6.5 server. To help me quickly build those VMs, I have been using a script named esxi_macos_vm_creation.sh. This script is forked from Tamas Piros’s auto-create script for standing up Linux VMs on free ESXi:
https://github.com/tpiros/auto-create
My fork of the auto-create script is designed to create and configure virtual machines with Apple operating systems as the guest OS, hosted on a VMware ESXi server running on Apple hardware. The script assumes that the virtual machines are built using copied VMDK disk files, where the VMDK files are generated by AutoDMG and vfuse. For more details, see below the jump.
Expanding partition size in an ESXi-hosted macOS VM
As part of working on a project recently, I ran into an unexpected problem with ESXi-hosted Mac VMs. For these VMs, I was creating VMDK files from AutoDMG-generated disk images, using vfuse to convert the disk image into a VM with ESXi-compatible VMDK disk image files.
My workflow looked like this:
1. Create disk image using AutoDMG.
2. Use vfuse to create VMDK files using a command similar to the one shown below:
sudo vfuse -i /path/to/autodmg_created_disk_image_here --esx
3. Upload the VMDK files to a convenient location on my ESXi server
4. Set up a new VM, using copies of uploaded VMDK files for the VM boot disk.
5. Resize the new VM to the desired size using VMware’s vmkfstools utility.
6. Start up the VM.
After logging in, I ran the following command to enable macOS to recognize and use the unallocated space from the VM resizing:
diskutil resizeVolume / R
Normally, this command is able to do a live re-sizing of the boot partition to use all available unallocated space. However, this time the re-sizing process failed and the following error was displayed:
computername:~ username$ diskutil resizeVolume / R
Note: Your partition map does not use the entire space of your whole-disk. You should use "diskutil repairDisk" and then repeat this command.
Resizing to full size (fit to fill)
Started partitioning on disk0s2 Macintosh HD
Verifying the disk
Verifying file system
Using live mode
Performing live verification
Checking Journaled HFS Plus volume
Checking extents overflow file
Checking catalog file
Checking multi-linked files
Checking catalog hierarchy
Checking extended attributes file
Checking volume bitmap
Checking volume information
The volume Macintosh HD appears to be OK
File system check exit code is 0
Resizing
Error: -5341: MediaKit reports partition (map) too small; if you recently grew your whole-disk, you should run whole-disk repair
computername:~ username$
How to fix this? For more details, see below the jump.
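A guest-side script that follows the advice in the error message itself, as an added example (not the original post’s fix): find the whole disk backing "/", run diskutil repairDisk on it so the partition map is rewritten to cover the grown VMDK, then retry the live resize. The diskutil info sample is constructed for this example; the approach applies to the HFS+ volumes the post is about.

```shell
#!/bin/sh
# Added example, not from the original post. Run inside the macOS guest as
# root after the VMDK has been grown with vmkfstools on the ESXi host.
set -eu

# Given the text of `diskutil info <volume>` on stdin, print the whole-disk
# identifier from the "Part of Whole:" line (for example disk0).
whole_disk_from_info() {
  awk -F': *' '/^ *Part of Whole:/ { print $2; exit }'
}

# Constructed sample of the relevant `diskutil info /` lines.
SAMPLE_DISKUTIL_INFO='   Device Identifier:        disk0s2
   Device Node:              /dev/disk0s2
   Part of Whole:            disk0
   Volume Name:              Macintosh HD
   File System Personality:  Journaled HFS+'

grow_boot_volume() {
  whole=$(diskutil info / | whole_disk_from_info)
  if [ -z "$whole" ]; then
    echo "could not determine the whole disk for /" >&2
    return 1
  fi
  # Rewrites the partition map so it spans the (now larger) whole disk.
  # Some macOS versions ask for confirmation first; answer yes on stdin.
  # Take a VM snapshot beforehand: this is a live, in-place change.
  printf 'y\n' | diskutil repairDisk "$whole"
  # Now the fit-to-fill resize has room to grow into.
  diskutil resizeVolume / R
}

case "${1:-}" in
  grow) grow_boot_volume ;;
  demo) printf '%s\n' "$SAMPLE_DISKUTIL_INFO" | whole_disk_from_info ;;
esac
```

Check with diskutil list afterwards that the Macintosh HD partition, not a new unallocated region, now occupies the added space.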
Running multiple Jamf Pro policies via custom trigger
As a follow-up to my previous post about running multiple Jamf Pro policies via the API, my colleague John Kitzmiller pointed out that it was possible to achieve similar functionality by using a custom trigger. For more details, see below the jump.
Running all Jamf Pro policies in a specified category via the API
As part of a project I’m working on, I need to run several policies from a Jamf Pro server using a script that calls the Jamf Pro agent to run policies. However, I also want to maintain maximum flexibility and retain the ability to add, remove or change policies as required without needing to change the script.
My colleague Marc provided a solution for this by letting me know that it was possible to use the Jamf Pro API to pull down a list of policies associated with a specific category and then running those policies in the order provided by the API. For more details, see below the jump.
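Both approaches, the category lookup via the API described here and the custom trigger from the previous post, as one added example (not the original post’s script): the classic API’s policies-by-category endpoint is queried, the policy IDs are pulled out of the XML in the order returned, and each is run with jamf policy -id; the custom-trigger variant is a single jamf policy -event call. The server URL, API account, category name and the XML sample are placeholders constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. JAMF_URL, API_USER, API_PASS and
# CATEGORY are hypothetical; the API account needs only read access to policies.
set -eu

JAMF_URL="${JAMF_URL:-https://jamf.example.com:8443}"   # hypothetical
API_USER="${API_USER:-api-readonly}"                     # hypothetical
API_PASS="${API_PASS:-}"
CATEGORY="${CATEGORY:-Setup Policies}"                   # hypothetical category

# Constructed sample of the XML the category endpoint returns.
SAMPLE_POLICIES_XML='<?xml version="1.0" encoding="UTF-8"?><policies><size>3</size><policy><id>42</id><name>Install Office 2016</name></policy><policy><id>7</id><name>Install Firefox</name></policy><policy><id>113</id><name>Set Office prefs</name></policy></policies>'

# Print the policy IDs, one per line, in document order.
policy_ids_from_xml() {
  grep -o '<id>[0-9]*</id>' | tr -dc '0-9\n'
}

fetch_policy_ids() {
  # Category names may contain spaces; encode them for the URL path.
  category_enc=$(printf '%s' "$CATEGORY" | sed 's/ /%20/g')
  curl -sSf -u "$API_USER:$API_PASS" -H 'Accept: application/xml' \
    "$JAMF_URL/JSSResource/policies/category/$category_enc" | policy_ids_from_xml
}

# Run every policy in the category by ID. A failing policy is reported and
# the remaining ones still run; the order is whatever the API returned.
run_policies_in_category() {
  fetch_policy_ids | while read -r id; do
    echo "Running policy id $id"
    /usr/local/bin/jamf policy -id "$id" || echo "policy $id failed" >&2
  done
}

# Custom-trigger alternative: give every policy the same custom event name in
# Jamf Pro and run them all with one call; ordering is then up to the server.
run_by_custom_trigger() {
  /usr/local/bin/jamf policy -event "$1"
}

case "${1:-}" in
  category) run_policies_in_category ;;
  trigger)  run_by_custom_trigger "$2" ;;
  demo)     printf '%s' "$SAMPLE_POLICIES_XML" | policy_ids_from_xml ;;
esac
```

Because the script runs whatever the category contains, restrict who can edit policies in that category in Jamf Pro; adding a policy there is equivalent to adding a command to this script.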