Archive for the ‘Jamf Pro’ Category

Identifying Self Service policies with blank descriptions

September 16, 2019 Leave a comment

As part of setting up Self Service policies in Jamf Pro, it’s nice to include a description for your customers of what they’re getting when they select a particular Self Service policy.

Screen Shot 2019 09 16 at 2 37 05 PM

However, sometimes folks forget to add these descriptions and it can be hard to figure this out later which ones were missed without manually checking each policy.

Screen Shot 2019 09 16 at 2 16 38 PM

To help with situations like this, I have a script which does the following:

  1. Checks all policies on a Jamf Pro server.
  2. Identifies which ones are Self Service policies which do not have descriptions
  3. Displays a list of the relevant policies

For more details, please see below the jump.

Read more…

Monitoring Jamf Infrastructure Managers on Red Hat Enterprise Linux

August 23, 2019 Leave a comment

A vital component of a Jamf Pro server setup is usually its LDAP connection to a directory service (usually an Active Directory server.) This connection allows the Jamf Pro server to not only leverage the directory service’s users and groups, but also automatically populate information about the owner of the device by doing a lookup in LDAP as part of a computer‘s or mobile device’s inventory update and assist with providing user-specific policies in Self Service.

As more folks move from using self-hosted Jamf Pro servers to now having Jamf host them in Jamf Cloud, this LDAP connection usually requires an LDAP proxy in order to securely connect a Jamf Cloud-hosted Jamf Pro instance to a company’s internally-hosted directory service. Jamf provides an LDAP proxy for this purpose in the form of the Jamf Infrastructure Manager (JIM). 

Because the LDAP connection is so vital, it’s just as vital that the JIM stay up and working all the time. To assist with this, I’ve written some scripts to assist with monitoring and reporting for a JIM running on Red Hat Enterprise Linux. For more details, please see below the jump.

Read more…

The Jamf Pro Push Proxy service, service token renewal and Jamf Nation credentials

August 18, 2019 Leave a comment

Jamf Pro has the ability to push notifications to devices with Self Service installed. This function is enabled using a Jamf-specific service known as the Jamf Push Proxy.

Screen Shot 2019 08 13 at 12 36 58 PM

Screen Shot 2019 08 13 at 12 37 15 PM

To enable this service to work with your Jamf Pro server, you need to set up a push proxy server token using the process shown below:

1. Log into your Jamf Pro server as an administrator.
2. Go to Settings > Global Management > Push Certificates.

Screen Shot 2019 08 13 at 12 08 21 PM

3. Click the New button.

Screen Shot 2019 08 13 at 12 07 46 PM

4. Select the Get proxy server token from Jamf Authorization Server option and click the Next button.

Screen Shot 2019 08 13 at 12 03 57 PM

5. Provide credentials for a Jamf Nation user account and click the Next button.

Screen Shot 2019 08 13 at 12 04 17 PM

6. If successful, you should be notified that the proxy server token has been uploaded to your Jamf Pro server. Click the Done button.

Screen Shot 2019 08 13 at 12 04 44 PM

7. The proxy server token should appear listed as Push Proxy Settings in the Push Certificates screen.

Screen Shot 2019 08 13 at 2 13 26 PM

Once the Push Proxy service has been enabled for your Jamf Pro server, you can use the notifications options in your Self Service policies to provide notifications in Self Service and Notification Center when desired.

Screen Shot 2019 08 13 at 12 37 37 PM

For more details, please see below the jump.

Read more…

Categories: Jamf Pro

Enabling debug logging for the JAMFSoftwareServer log on Jamf Pro limited access nodes

August 2, 2019 Leave a comment

As part of working on an issue with Jamf Support, I needed to enable debug logging for the JAMFSoftwareServer.log log file on my Jamf Pro server. This is normally a pretty straightforward process:

1. Log into your Jamf Pro server.

2. Go to Management Settings: Jamf Pro Information: Jamf Pro Server Logs.

Screen Shot 2019 08 02 at 10 30 49 AM

3. Click the Edit button.

Screen Shot 2019 08 02 at 10 38 29 AM

4. Check the checkbox for Enable Debug Mode.

Screen Shot 2019 08 02 at 10 38 20 AM

5. Click the Save button.

Screen Shot 2019 08 02 at 10 31 23 AM

6. Verify that the log has changed into debug mode.

Screen Shot 2019 08 02 at 10 31 35 AM

However, what do you do about Jamf Pro servers which are set to limited access? The admin console is disabled on limited access nodes, which means you can’t use the admin console’s functionality to enable debug logging. There is a way, but it means editing some Tomcat settings. For more details, please see below the jump.

Read more…

Checking the SSL certificate used by an Active Directory domain controller

March 19, 2019 2 comments

Yesterday, Jamf sent out the following notification in advance of the release of Jamf Pro 10.11.0:

One part of the message which caused some concern is this section:

Additionally, any LDAP server connections using LDAPS will require that the hostname of the LDAP server match the Common Name (CN) on the certificate that is uploaded to the Jamf Pro Server. A mismatch will prevent communication between the LDAP server and Jamf Pro Server.

What’s being referred to here is what’s known as an SSL hostname mismatch error, which is a sign that the SSL certificate being used to secure the connection isn’t configured correctly. But how can you tell with the SSL certificate used on an Active Directory domain controller? For more details, please see below the jump.

Read more…

Providing access to macOS software updates via Jamf Pro’s Self Service

February 5, 2019 10 comments

For a number of OS releases, Apple made both macOS software updates and Mac App Store (MAS) updates available via the MAS Updates page. I was able to use this to provide an easy way for customers to check for available software updates using Jamf Pro’s Self Service

As of macOS Mojave though, Apple moved macOS software updates to the Software Update preference pane in System Preferences.

Screen Shot 2019 02 05 at 10 56 41 AM

Opening the Software Update preference pane will automatically trigger a check for available macOS updates, so it’s possible to approximate the previous behavior by running the following command without root privileges:

open /System/Library/PreferencePanes/SoftwareUpdate.prefPane

When this command is run via the command line, the following actions take place:

  1. System Preferences launches
  2. The Software Update preference pane automatically loads
  3. The Mac automatically checks for macOS updates.

For folks using Jamf Pro, this command can be leveraged to provide a way for customers to easily check for macOS software updates on their own schedule. For more details, see below the jump.

Read more…

Backing up macOS management policies from Jamf Pro

December 21, 2018 1 comment

When working with computer management policies on Jamf Pro, especially more complex policies, I prefer to download then and back them up to GitHub or a similar internal source control tool. The reasons I do this are the following:

  1. I have an off-server backup for the policies
  2. I can track changes to the groups
  3. If needed, I can make a change to a policy and upload via the API instead of having to edit in the web console.

Up until recently, I didn’t have a good process for handling this but after some work, I was able to build a script which does the following:

  1. If any policies were previously downloaded, back up existing downloaded policies into a .zip file
  2. Download the policy information as XML
  3. Properly format the downloaded XML
  4. Identify the display name of the policy.
  5. Identify the category of the policy.
  6. Save the downloaded XML as Policy Name Here.xml to a specified download directory, based on the category that the policy is in.

The reason the script archives previously downloaded policies are the following:

  1. In case something goes wrong with the download, I still have the previously archived copy.
  2. The script can clear out the existing download directory and have only the latest version of the policy stored inside.

For more details, please see below the jump.

Read more…

%d bloggers like this: