Archive

Archive for the ‘Jamf Pro’ Category

Slides from the “Running Jamf Pro at Scale, from SAP with ❤️” session at Jamf Nation User Conference 2022

September 28, 2022 Leave a comment

For those who wanted a copy of my scaling talk at Jamf Nation User Conference 2022, here are links to the slides in PDF and Keynote format.

PDF: https://tinyurl.com/jnuc2022pdf
Keynote: https://tinyurl.com/jnuc2022key

Microsoft Defender tamper protection status detection for Jamf Pro

September 13, 2022 Leave a comment

As a follow-up to my earlier post about working with Microsoft Defender’s tamper protection, I’ve written an Extension Attribute for Jamf Pro which detects and reports on Defender’s tamper protection status. For more details, please see below the jump.

Read more…

Categories: Jamf Pro, Scripting

Jamf Pro 10.41.0 and SSL verification alerts

September 12, 2022 2 comments

Following an upgrade to Jamf Pro 10.41.0, you may notice that you have an alert showing in the Jamf Pro admin console.

Screen Shot 2022 09 12 at 10 39 33 AM

When you click on the alert, you will see the following alert notification.

Verification of SSL certificates is disabled.

There will be a link to enable SSL certificate verification.

Screen Shot 2022 09 12 at 10 39 51 AM

If you click that link, it’ll take you to Management Settings: Computer Management – Management Framework: Security.

Screen Shot 2022 09 09 at 10 15 26 AM

So now what? For more details, please see below the jump.

Read more…

Jamf Pro Server software no longer supported on macOS as of Jamf Pro 10.37.0

February 21, 2022 2 comments

To follow up on my earlier posts on the Jamf Pro Server Installer for macOS being retired, Jamf has added the following to the Deprecations and Removals section of the Jamf Pro 10.36.0 release notes:

Support Ending for Hosting Jamf Pro Server on macOS—Starting with the release of Jamf Pro 10.37.0, hosting the Jamf Pro server on macOS will no longer be supported. Mac computers with Apple silicon are not supported by the Jamf Pro Installer for macOS. In addition, the Jamf Pro Installer for macOS will not be available to download. The Jamf Pro utilities that were included in the Jamf Pro Installer for macOS—Composer, Jamf Admin, Jamf Recon, and Jamf Remote—will be made available as a separate download.

If you want to migrate your Jamf Pro server from macOS to Jamf Cloud, contact Jamf Support. If you want to keep your server on premise, you can migrate your Jamf Pro server to one of the following servers: Red Hat Enterprise Linux, Ubuntu, or Windows. For more information, see the Migrating to Another Server article.

Screen Shot 2022 02 21 at 9 28 09 AM

For those folks who are running on-premise Jamf Pro servers on Macs, I strongly recommend contacting Jamf Support right now and plan a migration if you haven’t already. As of February 21st, 2022, Jamf’s published support for running Jamf Pro includes the following OS, database and Java versions:


Recommended Configuration:
Operating Systems:
Windows Server 2019
Ubuntu Server 20.04 LTS
Red Hat Enterprise Linux 7.x
Database software versions:
MySQL 8.0.27 – InnoDB
Amazon Aurora (MySQL 5.7 compatible)
MySQL 5.7.36 or later – InnoDB
Java version:
OpenJDK 11
Minimum Supported:
Operating Systems:
Windows Server 2016
Windows Server 2012 R2
Ubuntu Server 18.04 LTS
macOS 10.15 (Support for the Jamf Pro Installer for macOS and hosting Jamf Pro server on macOS will be discontinued with the release of Jamf Pro 10.37.0.)
macOS 10.14 (Support for the Jamf Pro Installer for macOS and hosting Jamf Pro server on macOS will be discontinued with the release of Jamf Pro 10.37.0.)
Database software versions:
MySQL 5.7.36 – InnoDB
MySQL 5.7.8 on Amazon RDS – InnoDB
Java version:
Oracle Java 11

view raw

gistfile1.txt

hosted with ❤ by GitHub

Categories: Jamf Pro, macOS

Jamf Pro server installer for macOS retirement planned for March 2022

January 14, 2022 1 comment

To follow up on my earlier post on the Jamf Pro Server Installer for macOS being retired, Jamf has added the following to the Deprecations and Removals section of the Jamf Pro 10.35.0 release notes:

Support ending for the Jamf Pro Server Installer for macOS—Support for using the Jamf Pro Installer for macOS will be discontinued in a future release (estimated removal date: March 2022). Mac computers with Apple silicon are not supported by the Jamf Pro Installer for macOS. If you want to migrate your Jamf Pro server from macOS to Jamf Cloud, contact Jamf Support via Jamf Account. If you want to keep your server on premise, you can migrate your Jamf Pro server from macOS to one of the following servers: Red Hat Enterprise Linux, Ubuntu, or Windows. For more information, see the Migrating to Another Server article.

Screen Shot 2022 01 14 at 10 23 54 AM

 

For those folks who are running on-premise Jamf Pro servers on Macs, I strongly recommend contacting Jamf Support and plan a migration if you haven’t already. As of January 14th, 2022, Jamf’s published support for running Jamf Pro includes the following OS, database and Java versions:


Recommended Configuration:
Operating Systems:
Windows Server 2019
Ubuntu Server 20.04 LTS
Red Hat Enterprise Linux 7.x
Database software versions:
MySQL 8.0 – InnoDB
Amazon Aurora (MySQL 5.7 compatible)
MySQL 5.7.13 or later – InnoDB
Java version:
OpenJDK 11
Minimum Supported:
Operating Systems:
Windows Server 2016
Windows Server 2012 R2
Ubuntu Server 18.04 LTS
macOS 10.15
macOS 10.14
Database software versions:
MySQL 5.7.13 – InnoDB
MySQL 5.7.13 on Amazon RDS – InnoDB
Java version:
Oracle Java 11

view raw

gistfile1.txt

hosted with ❤ by GitHub

Categories: Jamf Pro, macOS

Backing up Self Service icon graphic files from Jamf Pro

January 12, 2022 Leave a comment

While working with Self Service policies on Jamf Pro, I prefer to download the graphic files used for the Self Service icons and back them up to GitHub or a similar internal source control tool. The reasons I do this are the following:

  1. I have an off-server backup for the graphic files.
  2. I can track changes to the Self Service policy icons.

To help me manage this, I have a script which does the following:

  1. Use the Jamf Pro Classic API to identify which policies are Self Service policies with icons.
  2. Download each Self Service icon’s graphic file using the URI for each file.
  3. Save the downloaded graphics file to a specified download directory, using a filename format like shown below:

policy_name_here-jamf_pro_policy_id_here-graphics_file_name_here

As part of the download process, any spaces are removed from the graphic file’s file names and the policy names. Any colons ( : ) are likewise replaced with dashes ( ) to prevent problems for the macOS filesystem.

For more details, please see below the jump.

Read more…

Identifying Intel Macs with Secure Enclave using Jamf Pro

January 7, 2022 2 comments

Identifying Intel Macs with Secure Enclave using Jamf Pro

As part of a recent task, I needed to identify using Jamf Pro which Macs in our environment have Secure Enclave and which Macs do not. For Intel Macs, having Secure Enclave means that you have one of the following Macs:

Macs with the Apple T1 Security Chip

  • MacBook Pro (13-inch with Touch Bar, Late 2016)
  • MacBook Pro (15-inch with Touch Bar, Late 2016)
  • MacBook Pro (13-inch with Touch Bar, Mid-2017)
  • MacBook Pro (15-inch with Touch Bar, Mid-2017)

Macs with the Apple T2 Security Chip

  • iMac (Retina 5K, 27-inch, 2020)
  • iMac Pro
  • Mac Pro (2019)
  • Mac Pro (Rack, 2019)
  • Mac mini (2018)
  • MacBook Air (Retina, 13-inch, 2020)
  • MacBook Air (Retina, 13-inch, 2019)
  • MacBook Air (Retina, 13-inch, 2018)
  • MacBook Pro (13-inch, 2020, Two Thunderbolt 3 ports)
  • MacBook Pro (13-inch, 2020, Four Thunderbolt 3 ports)
  • MacBook Pro (16-inch, 2019)
  • MacBook Pro (13-inch, 2019, Two Thunderbolt 3 ports)
  • MacBook Pro (15-inch, 2019)
  • MacBook Pro (13-inch, 2019, Four Thunderbolt 3 ports)
  • MacBook Pro (15-inch, 2018)
  • MacBook Pro (13-inch, 2018, Four Thunderbolt 3 ports)

Jamf Pro doesn’t have a specific “this Mac has Secure Enclave” inventory identifier, so I decided to use Apple’s documentation on which Intel Mac models have Secure Enclave to build Jamf Pro smart groups with model identifiers. With Apple’s move to Apple Silicon processors, this list of models should not be added to in the future.

For Intel Macs equipped with T1 chips, here are the relevant model identifiers:


MacBookPro13,2
MacBookPro13,3
MacBookPro14,2
MacBookPro14,3

view raw

gistfile1.txt

hosted with ❤ by GitHub

For Intel Macs equipped with T2 chips, here are the relevant model identifiers:


iMac20,1
iMacPro1,1
MacPro7,1
Macmini8,1
MacBookAir8,1
MacBookAir8,2
MacBookAir9,1
MacBookPro15,1
MacBookPro15,2
MacBookPro15,3
MacBookPro15,4
MacBookPro16,1
MacBookPro16,2
MacBookPro16,3
MacBookPro16,4

view raw

gistfile1.txt

hosted with ❤ by GitHub

For more details, please see below the jump.

Read more…

Updated script for obtaining, checking and renewing Bearer Tokens for the Classic and Jamf Pro APIs

January 5, 2022 8 comments

Following my earlier posts on obtaining, checking and renewing Bearer Tokens for the Jamf Pro API and the deprecation of Basic Authentication for the Jamf Pro Classic API, @bryson3gps reached out to let me know there was a simpler way to get the Bearer Token which didn’t require the prior encoding of the username and password credentials in base64 format.

The command shown below will handle obtaining the token using Basic Authentication on macOS Monterey and later:


curl -X POST -u username:password -s https://server.name.here/api/v1/auth/token | plutil -extract token raw –

view raw

gistfile1.txt

hosted with ❤ by GitHub

The command shown below will handle obtaining the token using Basic Authentication on macOS Big Sur and earlier:


curl -X POST -u username:password -s https://server.name.here/api/v1/auth/token | python -c 'import sys, json; print json.load(sys.stdin)["token"]'

view raw

gistfile1.txt

hosted with ❤ by GitHub

This allows the following functions to be collapsed into one command:

  • Encoding the username and password in base64 format
  • Obtaining a Bearer Token using Basic Authentication
  • Storing the Bearer Token (if command is used in a variable.)

He also pointed out that I was using an incorrect API call for the validation check which uses HTTP status codes. What I had:


/usr/bin/curl –write-out %{http_code} –silent –output /dev/null "${jamfpro_url}/api/v1/auth/keep-alive" –request POST –header "Authorization: Bearer ${api_token}"

view raw

gistfile1.txt

hosted with ❤ by GitHub

While this worked, it was using the keepalive endpoint with a POST request, which is used to invalidate tokens and issue new ones. I’ve updated to use this instead:


/usr/bin/curl –write-out %{http_code} –silent –output /dev/null "${jamfpro_url}/api/v1/auth" –request GET –header "Authorization: Bearer ${api_token}"

view raw

gistfile1.txt

hosted with ❤ by GitHub

This API call sends a GET request to the auth endpoint, which returns all the authorization details associated with the current Bearer Token. This will work for the validation check and won’t trigger accidental invalidation of the existing Bearer Token.

With this in mind, the process of obtaining Bearer Tokens is now simplified. This affects the deprecation of the Classic API for Jamf Pro 10.35.0 and later by changing the workflow from this:

Screen shot 2022 01 04 at 5 09 20 pm

To this:

Screen Shot 2022 01 05 at 9 43 06 AM

I’ve incorporated these changes into an updated script with functions for obtaining, checking and renewing Bearer Tokens for the Classic (for Jamf Pro 10.35.0 and later) and Jamf Pro APIs. For more details, please see below the jump.

Read more…

Basic Authentication deprecated for the Jamf Pro Classic API

January 4, 2022 7 comments

As part of the release of Jamf Pro 10.35, the following note was added to the Deprecations and Removals section of the Jamf Pro 10.35.0 Release Notes:

Basic authentication — Jamf will discontinue support for Basic authentication in the Classic API in a future release of Jamf Pro (estimated removal date: August-December 2022) for enhanced security. Jamf will provide additional information at a later date. To disable Basic authentication before support is removed, contact Jamf Support via Jamf Account.

Screen Shot 2022 01 04 at 11 54 23 AM

To help folks prepare for this change, as of Jamf Pro 10.35.0, both Basic Authentication and using Bearer Tokens generated by the Jamf Pro API can be used for Jamf Pro Classic API authentication. This is noted in the New Features and Enhancements section of the Jamf Pro 10.35.0 release notes:

You can now use the Classic API to authenticate using Basic authentication or a Bearer Token retrieved through the /v1/auth/token Jamf Pro API endpoint for enhanced security. For information on Bearer Token authentication, see the Jamf developer resources: https://developer.jamf.com/jamf-pro/docs/classic-api-authentication-changes

Screen Shot 2022 01 04 at 11 54 52 AM

For more details, please see below the jump.

Read more…

Preventing user and location inventory information from being changed by the jamf binary’s recon verb

December 27, 2021 Leave a comment

You can allow or prevent local administrators on the computer from changing User and Location inventory information in Jamf Pro with the jamf binary by using the Allow local administrators to use the jamf binary recon verb to change User and Location inventory information in Jamf Pro checkbox. This is a feature which first appeared in Jamf Pro 10.20.x, but may not be well known.

Screen Shot 2020 03 17 at 10 54 47 AM

This setting is enabled by default and can be configured by navigating to Settings > Computer Management > Inventory Collection in Jamf Pro.

Screen Shot 2021 12 27 at 11 42 08 AM

Screen Shot 2021 12 27 at 11 43 13 AM

What this setting affects are the following options associated with the jamf binary’s recon verb:


-endUsername
-realname
-email
-position
-building
-department
-phone
-room

view raw

gistfile1.txt

hosted with ❤ by GitHub

Screen Shot 2021 12 27 at 12 10 53 PM

Why disable this setting? If you have workflows which leverage the user and location information stored in Jamf Pro, being able to change this setting from a managed Mac using the jamf binary’s recon verb may have security implications. In particular, PKI certificate authorities set up in Jamf Pro may use the user and location information stored in Jamf Pro to issue certificates to managed Macs.

Screen Shot 2021 12 27 at 11 39 03 AM

In the context of certificates used for authentication, being able to change the user and location stored in Jamf Pro from the managed Mac’s end may mean that an enduser with the ability to run the jamf binary’s recon verb may be able to get authentication certificates for someone other than themselves assigned to their Mac.

Screen Shot 2021 12 27 at 12 12 47 PM

If you do not have any workflows that use the recon verb’s options specified above, my advice is that you disable this setting and remove the ability of managed Macs to change the user and location information stored in Jamf Pro using the jamf binary’s recon verb.

Screen Shot 2021 12 27 at 12 02 48 PM

%d bloggers like this: