Archive
Managing AWS-hosted VMs using EC2 Systems Manager
I’ve been doing a lot of work recently with Linux VMs that are hosted on Amazon Web Services’ EC2 service. As part of this work, I’ve been working on two problems in parallel:
- Enabling automation of certain management commands for the VMs
- Securing SSH
Part of the issue was that I thought I needed to have SSH available to enable remote administration. If that was true, I also needed to secure SSH access so that I could use it and malicious third parties couldn’t. However, whatever method I chose also needed to be easily accessible to my team so that they could access the AWS-hosted VMs in case of an emergency where I wasn’t available.
I went through a few iterations of SSH solutions, including investigating multi-factor authentication and setting up SSH bastions. In the end though, I discovered a surprising solution that fixed both of my problems: AWS’s EC2 Systems Manager.
Systems Manager allowed me to do the following:
- Manage my Linux VMs on EC2 without using SSH
- Block SSH access on my Linux VMs
- Run commands on multiple VMs at once
- Create a library of frequently used tasks and run those commands without needing to re-enter the scripts used to run those tasks.
- Not spend extra money on a management solution because AWS makes Systems Manager available at no cost to AWS customers.
For more details, please see below the jump.
Creating Jamf Pro QuickAdd installer packages which do not install the Jamf Pro management user account
Jamf Pro-managed Macs usually have a management account on the Mac, which is normally created as part of the Mac’s enrollment in the Jamf Pro service. This may cause issues in some Mac environments, where the creation of local user accounts is tightly controlled to help minimize opportunities for malicious third parties to compromise unused accounts.
To help protect against the Jamf Pro management account being compromised, Jamf has added some protections. These protections include the ability to set a random password for the account on a per-machine basis and the ability to rotate the password on a regular basis.
Depending on your needs though, it is also possible to avoid setting up the Jamf Pro management account on Macs. The reason for this is that the Jamf Pro agent by and large does not need the Jamf Pro management account in order to work properly.
As of Jamf Pro 9.99.0, the Jamf Pro management account is used for the following:
- To provide SSH connectivity for Jamf’s Remote application
- To provide the option of enabling the management user account for FileVault 2
If you are not using Jamf’s Remote application for remote screen sharing, or enabling the Jamf Pro management account for FileVault 2, it is not necessary to install the Jamf Pro management account on Jamf Pro-managed Macs at all. For more details, see below the jump.
Application blacklisting using management profiles
When deploying Macs for use in classrooms or for training, there is occasionally a requirement that certain applications must be blocked from running. Usually, this is to make sure that the student or test taker using the Mac is not able to use the blocked applications because it would distract them or otherwise cause problems.
On iOS, there is a way to do this via the blacklistedAppBundleIDs key available in the Restrictions payload. However, this key is not available on macOS and Macs will ignore the blacklist.
On macOS, there is the ability to set an application whitelist via Profile Manager but not a blacklist.
However, the profile specification does include the ability to configure an application blacklist using the pathBlackList key in the settings managed by the com.apple.applicationaccess.new payload.
For more details, see below the jump.
Looking up DUNS numbers for Apple’s VPP program
As part of an ongoing project, I needed to set up a new Apple VPP account for use with a test environment. The reason I did this was that I didn’t want to cause conflicts with our production VPP account. When I went to set up the account though, I ran into an interesting problem.
As part of the VPP account setup, I needed to provide a DUNS number. However, the DUNS number I had belongs to a company based outside of the US and Apple’s US VPP enrollment site would only accept DUNS numbers associated with US addresses. Instead, I needed to use the DUNS number for my company’s US subsidiary in place of the DUNS number that I had. The problem was that I had no idea what that DUNS number was.
After some research, I found a way to look up the DUNS number I needed and was able to successfully register my test environment’s VPP account with Apple. For more details, see below the jump.
Apple filesystem session at MacDeployment 2017
The same week that I’ll be speaking at MacDevOpsYVR 2017, I’ll also be speaking at MacDeployment 2017:
MacDeployment is taking place in Calgary, Canada from June 8th – 9th, 2017. My session will be an overview of Apple’s past and present filesystems, with an introduction to Apple File System (APFS) and a discussion of its current state of development.
You can see the entire list of speakers at http://macdeployment.ca/speakers
Apple filesystem session at MacDevOpsYVR 2017
I’ll be speaking at MacDevOpsYVR 2017, which is taking place in Vancouver, Canada from June 5th – 6th, 2017. My session will be an overview of Apple’s past and present filesystems, with an introduction to Apple File System (APFS) and a discussion of its current state of development.
You can see the entire list of speakers at https://www.macdevops.ca/speakers/
Using base64 encoding to include binary files inside scripts
When writing scripts, it’s sometimes useful to be able to include and deploy binary files as part of the script run. An example of this would be if you want to use MySQL 5.6 and later’s option for creating a MySQL connection file. This is a file that allows you to store MySQL authentication inside an encrypted file named .mylogin.cnf.
Rather than trying to script the creation of a MySQL connection file, where the creation process would involve placing the MySQL authentication credentials in a readable format inside the script, it is easier and more secure to build the connection file manually on one machine and then encode the encrypted MySQL connection file into ASCII text using base64 encoding. Once encoded, the ASCII text can be decoded as part of a script designed to deploy the still-encrypted MySQL connection file to a desired location.
For more details on how to use base64 encoding, please see below the jump.