Archive

Archive for the ‘Jamf Pro’ Category

Managing AWS-hosted VMs using EC2 Systems Manager

May 30, 2017 Leave a comment

I’ve been doing a lot of work recently with Linux VMs that are hosted on Amazon Web ServicesEC2 service. As part of this work, I’ve been working on two problems in parallel:

  • Enabling automation of certain management commands for the VMs
  • Securing SSH

Part of the issue was that I thought I needed to have SSH available to enable remote administration. If that was true, I also needed to secure SSH access so that I could use it and malicious third parties couldn’t. However, whatever method I chose also needed to be easily accessible to my team so that they could access the AWS-hosted VMs in case of an emergency where I wasn’t available.

I went through a few iterations of SSH solutions, including investigating multi-factor authentication and setting up SSH bastions. In the end though, I discovered a surprising solution that fixed both of my problems: AWS’s EC2 Systems Manager

Systems Manager allowed me to do the following:

  1. Manage my Linux VMs on EC2 without using SSH
  2. Block SSH access on my Linux VMs
  3. Run commands on multiple VMs at once
  4. Create a library of frequently used tasks and run those commands without needing to re-enter the scripts used to run those tasks.
  5. Not spend extra money on a management solution because AWS makes Systems Manager available at no cost to AWS customers.

For more details, please see below the jump.

Read more…

Creating Jamf Pro QuickAdd installer packages which do not install the Jamf Pro management user account

May 27, 2017 Leave a comment

Jamf Pro-managed Macs usually have a management account on the Mac, which is normally created as part of the Mac’s enrollment in the Jamf Pro service. This may cause issues in some Mac environments, where the creation of local user accounts is tightly controlled to help minimize opportunities for malicious third parties to compromise unused accounts.

To help protect against the Jamf Pro management account being compromised, Jamf has added some protections. These protections include including the ability to set a random password for the account on a per-machine basis and the ability to rotate the password on a regular basis.

Screen Shot 2017 05 26 at 9 06 02 PM

Depending on your needs though, it is also possible avoid setting up the Jamf Pro management account on Macs. The reason for this is that the Jamf Pro agent by and large does not need the Jamf Pro management account in order to work properly.

As of Jamf Pro 9.99.0, the Jamf Pro management account is used for the following:

If you are not using Jamf’s Remote application for remote screen sharing, or enabling the Jamf Pro management account for FileVault 2, it is not necessary to install the Jamf Pro management account on Jamf Pro-managed Macs at all. For more details, see below the jump.

Read more…

Installing and configuring the Jamf Infrastructure Manager on Red Hat Enterprise Linux

April 29, 2017 1 comment

I recently needed to configure Jamf’s Jamf Infrastructure Manager (JIM) to provide a way for a Jamf Pro server hosted outside a company’s network to be able to talk to an otherwise inaccessible Active Directory domain.

The documentation on how to set up an Infrastructure Manager covers the essentials of how to do it, but doesn’t include any screenshots or have information about how to access the logs to help debug problems. After some research and working with the JIM a bit, I was able to figure out the basics. For more details, see below the jump.

Read more…

Categories: Casper, Jamf Pro, JSS, Linux

S3 server side encryption not supported with Jamf Pro cloud distribution points

April 23, 2017 Leave a comment

As part of a project I’m working on, I needed to set up a cloud distribution point for a Jamf Pro server in Amazon Web Services. AWS -hosted cloud distribution points use a bucket in Amazon’s S3 service to store the files hosted by the distribution point. To help secure the S3 bucket, I enabled S3 server-side encryption. This encryption provides data at rest protection for files stored in a S3 bucket and is managed by Amazon’s S3 service.

Once that security was enabled, I was unable to then upload either installer .pkgs or .dmgs to the S3 bucket associated with the cloud distribution point using any of the following methods:

The unusual part was that the installer would look like it would upload and appear as a valid package when viewed from the Jamf Pro web console.

Screen Shot 2017 04 23 at 12 19 02 PM

Screen Shot 2017 04 23 at 12 19 23 PM

However, if I viewed the S3 bucket from the AWS console, the actual installer files would not be present in the S3 bucket.

Encrypted CDP S3 bucket

For more details, see below the jump.

Read more…

Identifying which Active Directory account is logged into Enterprise Connect

April 12, 2017 4 comments

As more Mac environments move away from binding Macs to Active Directory and using AD mobile accounts, and towards using local accounts in combination of tools like NoMAD and Apple’s Enterprise Connect, it’s become more challenging to identify which people are logged into which computers. While mobile Active Directory accounts will use the username and password of the person’s AD account, there is no such certainty with local user accounts.

Fortunately, my colleague Joe Chilcote recently let me know that it’s possible to query the logged-in user’s login keychain and get the username of the Active Directory account which is logged into Enterprise Connect. This can be accomplished by running the following command as the logged-in user:

/usr/bin/security find-generic-password -l "Enterprise Connect" $HOME/Library/Keychains/login.keychain | awk -F "=" '/acct/ {print $2}' | tr -d "\""

That should produce output similar to that shown below:

computername:~ username$ /usr/bin/security find-generic-password -l "Enterprise Connect" $HOME/Library/Keychains/login.keychain | awk -F "=" '/acct/ {print $2}' | tr -d "\""
AD_username_here
computername:~ username$

It’s also possible to leverage this technique to update the User and Location section of a particular computer managed by a Jamf Pro server. For more information, see below the jump.

Read more…

Running multiple Jamf Pro policies via custom trigger

April 8, 2017 2 comments
Categories: Casper, Jamf Pro, Scripting

Running all Jamf Pro policies in a specified category via the API

April 6, 2017 2 comments

As part of a project I’m working on, I need to run several policies from a Jamf Pro server using a script which is using the Jamf Pro agent to run policies. However, I also want to maintain maximum flexibility and retain the ability to add, remove or change policies as required without needing to change the script.

My colleague Marc provided a solution for this by letting me know that it was possible to use the Jamf Pro API to pull down a list of policies associated with a specific category and then running those policies in the order provided by the API. For more details, see below the jump.

Read more…

Categories: Casper, Jamf Pro, Scripting
%d bloggers like this: