Archive

Archive for the ‘Jamf Pro’ Category

Sending Jamf Pro notifications to Slack

June 14, 2018 Leave a comment

One of the features offered by Jamf Pro is the ability to send notifications of various events to specified email addresses. Any Jamf Pro user account can be set up to receive these emails, so they’re a convenient way to be notified about events affecting your Jamf Pro service.

These notifications include the following:

  • An instance of the Jamf Pro web application in a clustered environment fails
  • An updated patch reporting software title is available
  • Computer is enrolled using PreStage
  • Database backup fails
  • Database backup succeeds
  • Error occurs during imaging
  • Error occurs when policy runs
  • Jamf Pro account is locked out because of excessive failed log in attempts
  • Jamf Pro fails to add file to JDS instance or cloud distribution point
  • License limit is exceeded
  • One or more Memcached Endpoint(s) are not reachable
  • Restricted software violation occurs
  • Smart computer group membership changes
  • Smart mobile device group membership changes
  • Smart user group membership changes
  • SSL certificate verification is disabled
  • Tomcat is started or stopped
  • VPP token is approaching expiration date

Screen Shot 2018 06 14 at 9 26 49 AM

That said, I get enough emails on a daily basis that I’d prefer to have these notifications go to a channel in Slack. That way, my whole team can be notified about issues and there’s a searchable log of when events occurred.

There are solutions for sending notifications directly to Slack, but I wanted to avoid using middleware in favor of using the built-in notifications in Jamf Pro. Fortunately, there’s a way to do that using tools available from Slack. For more details, see below the jump.

Read more…

Categories: Jamf Pro, Slack

Disabling Jamf Pro LDAP wildcard searches to speed up user and group lookups

May 27, 2018 3 comments

When setting up Jamf Pro, one of the options you have is to integrate it with your company, school or institution’s LDAP-based directory service. Connecting Jamf Pro to LDAP allows you to query your organization’s directory service for information and also allows the use of your existing user accounts and groups when requiring logins or scoping policies.

When setting up Jamf Pro to connect to a directory service, there’s a Use Wildcards When Searching setting with the following description:

Allow partial matches to be returned when searching the LDAP directory

Screen Shot 2018 05 27 at 12 19 00 PM

What this setting does is that it allows Jamf Pro to use wildcards when making LDAP searches of your directory service. That allows Jamf Pro to return search results that may only partially match what you told it to search the directory service for.

For directory services with fewer than five thousand user accounts and/or groups, having this option enabled is usually fine. However, once the directory service is larger than that, disabling the Use Wildcards When Searching setting may dramatically speed up user and group lookups. For more details, please see below the jump.

Read more…

Categories: Active Directory, Jamf Pro, JSS

Using the Jamf Pro API to mass-delete computers and mobile devices

May 19, 2018 Leave a comment

Periodically, it may be necessary to delete a large number of computers or mobile devices from a Jamf Pro server. However, there is currently a problem in Jamf Pro 10 where trying to delete multiple devices can fail. Jamf is aware of the issue and has assigned it a product issue code (PI-004957), but it has not yet been resolved and remains a known issue as of Jamf Pro 10.4.1.

To work around this issue, you can delete computers and mobile devices one at a time. This does not trigger the performance issues seen with PI-004957, but this can get tedious if you have multiple devices to delete. To help with this, I’ve adapted an earlier script written by Randy Saeks to help automate the deletion process by using a list of Jamf IDs and the API to delete the relevant computers or mobile devices one by one. For more details, please see below the jump.

Read more…

Detecting if a logged-in user on a FileVault-encrypted Mac has a Secure Token associated with their account

May 10, 2018 1 comment

A challenge many Mac admins have been dealing with is the introduction of the Secure Token attribute, which is now required to be added to a user account before that account can be enabled for FileVault on an encrypted Apple File System (APFS) volume.

In my own shop, we wanted to be able to identify if the primary user of a Mac had a Secure Token associated with their account. The reason we did this was:

  1. We could alert the affected help desk staff.
  2. We could work with our users to rebuild their Macs on an agreed-upon schedule where their data was preserved.
  3. We could hopefully avoid working with our users on an emergency basis where their data could be lost.

To help with this, we developed a detection script. For more details, please see below the jump.

Read more…

Using QuickAdd-based user-initiated enrollment on macOS High Sierra with Jamf Pro 10.3

April 1, 2018 1 comment

Starting with Jamf Pro 10.3, user-initiated computer enrollment now has two modes:

  • macOS High Sierra: Uses an MDM profile to enroll the Mac, with the Jamf Pro agent being installed once MDM enrollment is complete.
  • macOS Sierra and earlier: Uses a QuickAdd installer package to enroll the Mac, with MDM enrollment and installation of the Jamf Pro agent being handled by the QuickAdd package.

However, it is still possible to get a QuickAdd installer package to enroll a Mac running macOS High Sierra. For more details, please see below the jump.

Read more…

User-initiated computer enrollment now using MDM profile enrollment in Jamf Pro 10.3

April 1, 2018 1 comment

One of the changes introduced in Jamf Pro 10.3 is that user-initiated computer enrollment now has two modes:

  • macOS High Sierra: Uses an MDM profile to enroll the Mac, with the Jamf Pro agent being installed once MDM enrollment is complete.
  • macOS Sierra and earlier: Uses a QuickAdd installer package to enroll the Mac, with MDM enrollment and installation of the Jamf Pro agent being handled by the QuickAdd package.

Why the difference?

Using the MDM enrollment method on macOS High Sierra will automatically enable User Approved MDM, which is necessary for full management privileges on the Mac in question. The reason is that since the user is installing the MDM profile, the user is also logically approving the MDM management and satisfying Apple’s conditions for enabling User Approved MDM.

For more details, please see below the jump.

Read more…

Backing up the contents of an AWS-hosted Jamf Pro cloud distribution point to a local directory

February 15, 2018 Leave a comment

As part of removing unused packages from a Jamf Pro cloud distribution point using @shea_craig‘s Spruce tool, I needed to first make a backup of the contents of the cloud distribution point to a local directory on my Mac. That way, in case I had made an error and deleted the wrong installer package, I had a copy of the package readily available and could re-add the package back to my Jamf Pro server.

The cloud distribution point in question is hosted out in Amazon Web Services’ (AWS) S3 service, so I decided to use AWS’s awscli command line tool‘s S3 functions to run a one-way synchronization process between the cloud distribution point in S3 and my local directory. For more details, please see below the jump.

Read more…

%d bloggers like this: