Archive

Archive for April, 2017

Installing and configuring the Jamf Infrastructure Manager on Red Hat Enterprise Linux

April 29, 2017 1 comment

I recently needed to configure Jamf’s Jamf Infrastructure Manager (JIM) to provide a way for a Jamf Pro server hosted outside a company’s network to be able to talk to an otherwise inaccessible Active Directory domain.

The documentation on how to set up an Infrastructure Manager covers the essentials of how to do it, but doesn’t include any screenshots or have information about how to access the logs to help debug problems. After some research and working with the JIM a bit, I was able to figure out the basics. For more details, see below the jump.

Read more…

Categories: Casper, Jamf Pro, JSS, Linux

Using IAM roles on Amazon Web Services to generate temporary credentials for EC2 instances

April 27, 2017 Leave a comment

While working on a project involving Amazon Web Services, I ran across the concept of being able to use temporary credentials with AWS’s Command Line Interface (awscli) tool. When using the awscli tool, it is necessary to provide authentication credentials so that the aws tool is able to authorize its actions with AWS. When running the awscli tool on an EC 2 instance, AWS has provided a way to get temporary authentication credentials on demand, through the use of IAM roles.

In my research on the topic, I found a lot of posts showing how to use temporary credentials, but not a lot of information on how to set up the needed IAM roles. After some additional research, in addition to trial and error, I was able to figure out the IAM role setup process. For more details, see below the jump.

Read more…

Categories: Amazon Web Services, Linux

S3 server side encryption not supported with Jamf Pro cloud distribution points

April 23, 2017 Leave a comment

As part of a project I’m working on, I needed to set up a cloud distribution point for a Jamf Pro server in Amazon Web Services. AWS -hosted cloud distribution points use a bucket in Amazon’s S3 service to store the files hosted by the distribution point. To help secure the S3 bucket, I enabled S3 server-side encryption. This encryption provides data at rest protection for files stored in a S3 bucket and is managed by Amazon’s S3 service.

Once that security was enabled, I was unable to then upload either installer .pkgs or .dmgs to the S3 bucket associated with the cloud distribution point using any of the following methods:

The unusual part was that the installer would look like it would upload and appear as a valid package when viewed from the Jamf Pro web console.

Screen Shot 2017 04 23 at 12 19 02 PM

Screen Shot 2017 04 23 at 12 19 23 PM

However, if I viewed the S3 bucket from the AWS console, the actual installer files would not be present in the S3 bucket.

Encrypted CDP S3 bucket

For more details, see below the jump.

Read more…

Session videos available from MacAD UK Conference 2017

April 17, 2017 Leave a comment

A number of session videos (including mine) have been posted from MacAD UK 2017. For those interested, the videos are available on YouTube via the link below:

https://www.youtube.com/playlist?list=PLe6gxSMzV0S9JhDowmWNSGesQ16F_ZmUB

For convenience, I’ve linked my session here.

Office 2016 DefaultsToLocalOpenSave setting change as of Office 2016 15.33.x

April 17, 2017 1 comment

As part of the release of Office 2016 15.33.0, a number of managed preference options have been added and some have changed from what they were before. An example of one that has changed is the DefaultsToLocalOpenSave management setting, which sets the Open and Save options in Office 2016 apps to default to On My Mac instead of Online Locations.

In Microsoft Office 2016 15.32.x and earlier, the  DefaultsToLocalOpenSave setting could only be managed by running a command similar to the one below on the individual user accounts:

/usr/bin/defaults write "/path/to/user/homefolder/Library/Group Containers/UBF8T346G9.Office/"com.microsoft.officeprefs DefaultsToLocalOpenSave -bool true

To set this for all accounts on a particular Mac, I had written the following script:

As of Microsoft Office 2016 15.33.x, this setting can now be set at the global level for all users by running the following command with root privileges:

/usr/bin/defaults write /Library/Preferences/com.microsoft.office DefaultsToLocalOpenSave -bool true

I’ve posted an updated script for manage this setting to GitHub, available via the link below:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/set_office_2016_default_save_option_to_on_my_mac

This setting can now also be managed with a profile, so I’ve created a .mobileconfig file and posted it here on Github:

https://github.com/rtrouton/profiles/tree/master/Office2016DefaultToLocalSave

Identifying which Active Directory account is logged into Enterprise Connect

April 12, 2017 4 comments

As more Mac environments move away from binding Macs to Active Directory and using AD mobile accounts, and towards using local accounts in combination of tools like NoMAD and Apple’s Enterprise Connect, it’s become more challenging to identify which people are logged into which computers. While mobile Active Directory accounts will use the username and password of the person’s AD account, there is no such certainty with local user accounts.

Fortunately, my colleague Joe Chilcote recently let me know that it’s possible to query the logged-in user’s login keychain and get the username of the Active Directory account which is logged into Enterprise Connect. This can be accomplished by running the following command as the logged-in user:

/usr/bin/security find-generic-password -l "Enterprise Connect" $HOME/Library/Keychains/login.keychain | awk -F "=" '/acct/ {print $2}' | tr -d "\""

That should produce output similar to that shown below:

computername:~ username$ /usr/bin/security find-generic-password -l "Enterprise Connect" $HOME/Library/Keychains/login.keychain | awk -F "=" '/acct/ {print $2}' | tr -d "\""
AD_username_here
computername:~ username$

It’s also possible to leverage this technique to update the User and Location section of a particular computer managed by a Jamf Pro server. For more information, see below the jump.

Read more…

Building VMs on ESXi using esxi_macos_vm_creation.sh

April 11, 2017 1 comment

As part of my testing workflow, I’ve been using VMs running on a ESXi server running ESXi 6.5. To help me quickly build those VMs, I have been using a script named esxi_macos_vm_creation.sh for building VMs. This script is forked from Tamas Piros’s auto-create script for standing up Linux VMs on free ESXi:

https://github.com/tpiros/auto-create

My fork of the auto-create script is designed to create and configure virtual machines with Apple operating systems as the guest OS, hosted on a VMware ESXi server running on Apple hardware. The script assumes that the virtual machines are built using copied VMDK disk files, where the VMDK files are generated by AutoDMG and vfuse. For more details, see below the jump.

Read more…

%d bloggers like this: