Archive

Author Archive

Workaround for timeouts when deleting installer packages from Jamf Pro

April 22, 2021 Leave a comment

I use AutoPkg and JSSImporter to keep my Jamf Pro server updated with the latest installers for the software used by my shop. However, this means that I usually have a large number of no-longer-needed installers stored in my Jamf Pro server’s distribution point and I need to periodically clear the obsolete packages out by deleting them. Recently, as part of removing 500+ unneeded packages from Jamf Pro using a script, I noticed the following behavior occurring:

1. Run an API command similar to the one below:

username@computername ~ % /usr/bin/curl -su username:'password' "https://jamf.pro.server.here/JSSResource/packages/id/1213" -X DELETE

2. Long pause (around 60 seconds)
3. Receive the following output:

<html>
<head><title>504 Gateway Time-out</title></head>
<body>
<center><h1>504 Gateway Time-out</h1></center>
</body>
</html>

4. Check the package and it has been deleted from Jamf Pro.

The 504 Gateway Time-out error indicated that either the load balancer in front my Jamf Pro server was timing out before the API command could report success or failure. I was seeing this behavior when running the API commands manually or as part of a script, so I decided to see if I saw the same behavior when deleting the package from the Jamf Pro admin console. When I checked, I did.

I sent in a support request to Jamf to ask about this and there is a PI open for this:

PI-009627: Having a large amount of packages uploaded to a distribution point can cause various timeouts

For others experiencing this issue, while Jamf addresses this product issue, the workaround for the timeout issue is (if possible) to increase the timeout value. In my case, increasing the load balancer timeout from 60 seconds to 120 addressed the timeout issue and allowed my API and GUI package deletions to complete successfully without timing out.

Note: This does not fix the issue of the package deletion taking a while. It just makes sure that the deletion command, either via the API or using the GUI in the admin console, doesn’t timeout before reporting success or failure.

Categories: Jamf Pro, Jamf Pro API

Using the Jamf Pro API to mass-delete obsolete packages and scripts

April 16, 2021 2 comments

If you’re using AutoPkg and tools like jamf-upload or JSSImporter to automate the uploading of packages and scripts to your Jamf Pro server, it may be necessary to periodically delete a large number of now-obsolete installer packages or scripts from your server. To help with this, I’ve written a couple of scripts to help automate the deletion process by using a list of Jamf IDs and the API to perform the following tasks:

  1. Delete the relevant installer packages or scripts.
  2. Generate a report of which packages or scripts were deleted.

For more details, please see below the jump.

Read more…

Using Markdown comments to add search keywords to Self Service descriptions

April 2, 2021 Leave a comment

For those using Jamf Pro’s Self Service, one of the handier features can be the Search function built into the app. This search is able to examine Self Service policies and use the information in the policy and Self Service description to populate its search results. For the most part, just the displayed information in the policy should allow Self Service’s search to display relevant policies.

However, you may have a need to force the search process to include policies that would otherwise fall outside of the search parameters. For those who need this ability, thanks to Self Service’s support of Markdown it’s possible to invisibly add search keywords to a Self Service policy description. For more details, please see below the jump.

Read more…

Connecting to AWS EC2 instances via Session Manager

April 1, 2021 Leave a comment

When folks have needed command line access to instances running in Amazon Web Service’s EC2 service, SSH has been the usual method used. However, in addition to using SSH to connect to EC2 instances in AWS, it is also possible to connect remotely via Session Manager, one of the services provided by AWS’s Systems Manager tool.

Session Manager uses the Systems Manager agent to provide secure remote access to the Mac’s command line interface without needing to change security groups and allow SSH access to the instance. In fact, Session Manager allows remote access to EC2 instances which have security groups configured to allow no inbound access at all. For more details, please see below the jump.

Read more…

Jamf Pro server installer for macOS being retired

March 17, 2021 1 comment

As part of the release notes for Jamf Pro 10.28, there is this note in the Deprecations and Removals section:

Support ending for the Jamf Pro Server Installer for macOS — Support for using the Jamf Pro Installer for macOS will be discontinued in a future release. Mac computers with Apple silicon are not supported by the Jamf Pro Installer for macOS. If you want to migrate your Jamf Pro server from macOS to Jamf Cloud, contact Jamf Support. If you want to keep your server on premise, you can migrate your Jamf Pro server from macOS to one of the following servers: Red Hat Enterprise Linux, Ubuntu, or Windows. For more information, see the Migrating to Another Server Knowledge Base article.

Screen Shot 2021 03 17 at 1 55 31 PM

For those folks who are running on-premise Jamf Pro servers on Macs, it looks like it’s time to contact Jamf Support and plan a migration if you haven’t already. As of March 17th, 2021, Jamf’s published support for running Jamf Pro includes the following OS, database and Java versions:

Recommended Configuration:
Operating Systems:
Windows Server 2019
Ubuntu Server 20.04 LTS
Red Hat Enterprise Linux 7.x
macOS 10.15.5
Database software versions:
MySQL 8.0 – InnoDB
Amazon Aurora (MySQL 5.7 compatible)
MySQL 5.7.8 or later – InnoDB
Java version:
OpenJDK 11
Minimum Supported:
Operating Systems:
Windows Server 2016
Windows Server 2012 R2
Ubuntu Server 18.04 LTS
macOS 10.14.5
Database software versions:
MySQL 5.7.8 – InnoDB
MySQL 5.7.8 on Amazon RDS – InnoDB
Java version:
Oracle Java 11

view raw
gistfile1.txt
hosted with ❤ by GitHub

Using Twocanoes’ Signing Manager to sign AutoPkg-built installer packages

March 6, 2021 Leave a comment

As part of many application or package building workflows, there is a requirement to sign the end result to guarantee that the app or package has not been tampered with. With the advent of Apple’s notarization process, this has become even more important because an app or installer package must be signed before it can be notarized.

However, in order to sign apps or packages, you must have the signing certificate available. This has often meant putting copies of Apple signing certificates, complete with the certificate’s private key, onto the Mac or Macs used to build the application and/or installer package. This has security concerns because if the signing certificate’s private key is compromised, you must now revoke the existing certificate, get a new one from Apple and re-sign everything that used that now-revoked signing certificate.

To assist with the security concerns, Twocanoes Software has developed Signing Manager. This tool provides a way to centralize hosting of signing certificates and make their signing capabilities securely available to Macs which need them. In my own case, I’m investigating Signing Manager in the context of signing AutoPkg-built installer packages. For more details, please see below the jump.

Read more…

Selectively removing the drop shadow from screenshots on macOS Big Sur

March 4, 2021 Leave a comment

One of my personal preferences with macOS is removing the drop shadow from screenshots. On macOS Catalina and earlier, I was able to to turn off drop shadows on screenshots by running the following commands:

defaults write com.apple.screencapture disable-shadow true
killall SystemUIServer

This appears to not work on fresh installs of macOS Big Sur, though it appears to still work on Big Sur Macs who had the setting applied prior to upgrading to Big Sur. However, when using keyboard shortcuts to make screenshots, it looks like there’s a way to selectively add or remove the drop shadow at the time of making the screenshot. For more details, please see below the jump.

Read more…

Categories: Documentation, macOS

Listing the full OS installers available from Apple’s Software Update feed on macOS Big Sur

March 3, 2021 1 comment

One of the changes in macOS Big Sur is that the softwareupdate command has been updated with new functionality.

usage: softwareupdate <cmd> [<args> …]
** Manage Updates:
-l | –list List all appropriate update labels (options: –no-scan, –product-types)
-d | –download Download Only
-i | –install Install
<label> … specific updates
-a | –all All appropriate updates
-R | –restart Automatically restart (or shut down) if required to complete installation.
-r | –recommended Only recommended updates
–list-full-installers List the available macOS Installers
–fetch-full-installer Install the latest recommended macOS Installer
–full-installer-version The version of macOS to install. Ex: –full-installer-version 10.15
–install-rosetta Install Rosetta 2
–background Trigger a background scan and update operation
** Other Tools:
–dump-state Log the internal state of the SU daemon to /var/log/install.log
–evaluate-products Evaluate a list of product keys specified by the –products option
–history Show the install history. By default, only displays updates installed by softwareupdate.
–all Include all processes in history (including App installs)
** Options:
–no-scan Do not scan when listing or installing updates (use available updates previously scanned)
–product-types <type> Limit a scan to a particular product type only – ignoring all others
Ex: –product-types macOS || –product-types macOS,Safari
–products A comma-separated (no spaces) list of product keys to operate on.
–force Force an operation to complete. Use with –background to trigger a background scan regardless of "Automatically check" pref
–agree-to-license Agree to the software license agreement without user interaction.
–verbose Enable verbose output
–help Print this help
view raw gistfile1.txt hosted with ❤ by GitHub

Among the changes is the ability to scan Apple’s Software Update feed and display a list of the currently available full OS installers. To access this list, run the command below with root privileges:

softwareupdate --list-full-installers

The list you receive will be dependent on whether or not your Mac can run a particular OS version. As an example, here’s the list you would receive inside of a VMware VM as of March 3rd, 2021.

Screen Shot 2021 03 03 at 8 26 35 AM

Once you have the right macOS installer identified, you can use the softwareupdate tool to download it.

One thing to be aware of is that multiple versions of a macOS full installer may show up in the Software Update feed. As an example of this, the list above includes multiple entries for macOS 10.15.6 and 10.15.7. These installers would be for hardware-specific builds of that macOS version’s full installer. Unfortunately, it’s not easy to tell the various installers apart using the softwareupdate command because the build number is not included.

If you do need to be able to download an installer with a specific build number, I recommend using the installinstallmacos.py tool. This tool also references the Apple Software Update feed, so the information you get back should be similar but also include the relevant build numbers for the macOS full installers.

 

Categories: Mac administration, macOS

Backing up Der Flounder Revisited

February 12, 2021 2 comments

Nine years ago, I wrote a post on how I backup this blog. Overall, the reasons I’m backing up haven’t changed:

  • I like this blog and don’t want to see it or its data disappear because of data loss.
  • WordPress.com’s free hosting doesn’t provide me with an automated backup method.

To create the backups, I make a nightly mirror using HTTrack. As time has passed and host machines were replaced, I’ve moved the backup host a few times. For the last move, I decided for budgetary reasons to move off of using Macs and onto a Raspberry Pi. For those wanting to know more, please see below the jump.

Read more…

Categories: Backup, Linux, Raspberry Pi

FileVault login screen differences between Intel and Apple Silicon Macs

January 17, 2021 6 comments

As new Apple Silicon Macs (ASM) have begun making their way to organizations which use FileVault encryption to secure their fleets, a difference between Intel Macs and ASMs has become apparent.

Intel Macs:

  • Supports account icons and password blanks at the FileVault login screen
  • Unable to support username blanks at the FileVault login screen
  • Unable to support smart cards for login at the FileVault login screen

Screen Shot 2021 01 16 at 5 50 36 PM

ASMs:

  • Supports account icons and password blanks at the FileVault login screen
  • Supports username and password blanks at the FileVault login screen
  • Supports smart cards for login at the FileVault login screen

Screen Shot 2021 01 16 at 6 00 32 PM

Screen Shot 2021 01 16 at 6 13 52 PM

Why the differences between platforms? For more details, please see below the jump.

Read more…

%d bloggers like this: