Archive
Updated Jamf Pro MDM lock script to add reporting feature
Previously, I’d written a script to manage sending device lock commands using the Jamf Pro Classic API. After writing it, I thought that it would be a good idea if the script could also generate a report that could be handed off to others so I forked the script and updated it to generate a report in .tsv format. Since others might prefer the original script without the automatically generated report, I left that one alone and have made the forked copy into its own script. For more details, please see below the jump.
Using the Jamf Pro API to send device lock commands via MDM to multiple Macs
Most Mac admins have had this conversation at one point or another over the course of their careers:
“$Very Important Person left their Mac behind in a cab! What do we do?”
“OK, no worries. We can send a command to lock the computer or have it erase itself. Do you want it locked or wiped?”
At that point, the admin pulls up their MDM admin console and depending on what the response was (lock or wipe), send out the appropriate MDM command accompanied by a PIN code. Once received, the Mac will then turn itself into a paperweight which does or doesn’t erase itself.
Doing these one at a time is a pretty straightforward process. For example, here’s how it looks in Jamf Pro to send a device lock command via MDM:
1. Log into Jamf Pro using an account which can send lock commands via MDM.
2. Go to the appropriate computer inventory record.
3. Select the Management tab.
4. In the Management Commands section of the Management tab, click the Lock Computer button.
5. Enter the PIN code which will later be used to unlock the Mac. If desired, you can also enter a message which will appear on the lock screen.
6. Click the Lock Computer button.
7. Click the OK button in the confirmation window.
Once the device lock command has been sent, the Lock Computer button’s text should temporarily change to Command Sent.
For a small number of machines (10 or less), the method outlined above works fine. But once you get beyond that number, this process gets time-consuming and unwieldy. Fortunately, there is also a way to use the Jamf Pro Classic API to send device lock commands. For more details, please see below the jump.
Using curl for telnet testing on macOS High Sierra and later
As part of introducing macOS High Sierra, Apple removed the telnet tool from macOS. This was part of Apple’s overall effort to improve security, as telnet does not use encryption and its traffic can be intercepted and read. However, telnet did (and does) serve a useful function as a quick way to check if it is possible to connect to a remote server on a particular port.
While there are alternative tools available for this task (like netcat), it’s also possible to still create a telnet connection on macOS using another tool: curl
For more details, please see below the jump.
AutoPkg repo and logfile cleanup scripts for use with autopkg-conductor
As part of running autopkg-conductor over a long period of time, you may see a large percentage of disk space used on the Mac where you’re running AutoPkg and autopkg-conductor. This is because AutoPkg doesn’t remove older files from ~/Library/AutoPkg/Cache and autopkg-conductor does not remove older logfiles from ~/Library/Logs. To assist with this issue, I’ve written a couple of scripts. For more details, please see below the jump.
Using Signing Manager with autopkg-conductor
I’ve recently been working with Twocanoes Software’s Signing Manager in combination with my autopkg-conductor tool for managing AutoPkg runs. I’m happy to report it’s possible, but you may need to make some adjustments to how autopkg-conductor is being launched. For more details, please see below the jump.
Using Markdown comments to add search keywords to Self Service descriptions
For those using Jamf Pro’s Self Service, one of the handier features can be the Search function built into the app. This search is able to examine Self Service policies and use the information in the policy and Self Service description to populate its search results. For the most part, just the displayed information in the policy should allow Self Service’s search to display relevant policies.
However, you may have a need to force the search process to include policies that would otherwise fall outside of the search parameters. For those who need this ability, thanks to Self Service’s support of Markdown it’s possible to invisibly add search keywords to a Self Service policy description. For more details, please see below the jump.
Jamf Pro server installer for macOS being retired
As part of the release notes for Jamf Pro 10.28, there is this note in the Deprecations and Removals section:
Support ending for the Jamf Pro Server Installer for macOS — Support for using the Jamf Pro Installer for macOS will be discontinued in a future release. Mac computers with Apple silicon are not supported by the Jamf Pro Installer for macOS. If you want to migrate your Jamf Pro server from macOS to Jamf Cloud, contact Jamf Support. If you want to keep your server on premise, you can migrate your Jamf Pro server from macOS to one of the following servers: Red Hat Enterprise Linux, Ubuntu, or Windows. For more information, see the Migrating to Another Server Knowledge Base article.
For those folks who are running on-premise Jamf Pro servers on Macs, it looks like it’s time to contact Jamf Support and plan a migration if you haven’t already. As of March 17th, 2021, Jamf’s published support for running Jamf Pro includes the following OS, database and Java versions:
| Recommended Configuration: | |
| Operating Systems: | |
| Windows Server 2019 | |
| Ubuntu Server 20.04 LTS | |
| Red Hat Enterprise Linux 7.x | |
| macOS 10.15.5 | |
| Database software versions: | |
| MySQL 8.0 – InnoDB | |
| Amazon Aurora (MySQL 5.7 compatible) | |
| MySQL 5.7.8 or later – InnoDB | |
| Java version: | |
| OpenJDK 11 | |
| Minimum Supported: | |
| Operating Systems: | |
| Windows Server 2016 | |
| Windows Server 2012 R2 | |
| Ubuntu Server 18.04 LTS | |
| macOS 10.14.5 | |
| Database software versions: | |
| MySQL 5.7.8 – InnoDB | |
| MySQL 5.7.8 on Amazon RDS – InnoDB | |
| Java version: | |
| Oracle Java 11 |
Using Twocanoes’ Signing Manager to sign AutoPkg-built installer packages
As part of many application or package building workflows, there is a requirement to sign the end result to guarantee that the app or package has not been tampered with. With the advent of Apple’s notarization process, this has become even more important because an app or installer package must be signed before it can be notarized.
However, in order to sign apps or packages, you must have the signing certificate available. This has often meant putting copies of Apple signing certificates, complete with the certificate’s private key, onto the Mac or Macs used to build the application and/or installer package. This has security concerns because if the signing certificate’s private key is compromised, you must now revoke the existing certificate, get a new one from Apple and re-sign everything that used that now-revoked signing certificate.
To assist with the security concerns, Twocanoes Software has developed Signing Manager. This tool provides a way to centralize hosting of signing certificates and make their signing capabilities securely available to Macs which need them. In my own case, I’m investigating Signing Manager in the context of signing AutoPkg-built installer packages. For more details, please see below the jump.
Selectively removing the drop shadow from screenshots on macOS Big Sur
One of my personal preferences with macOS is removing the drop shadow from screenshots. On macOS Catalina and earlier, I was able to to turn off drop shadows on screenshots by running the following commands:
defaults write com.apple.screencapture disable-shadow -bool true killall SystemUIServer
This appears to not work on fresh installs of macOS Big Sur, though it appears to still work on Big Sur Macs who had the setting applied prior to upgrading to Big Sur. However, when using keyboard shortcuts to make screenshots, it looks like there’s a way to selectively add or remove the drop shadow at the time of making the screenshot. For more details, please see below the jump.
Listing the full OS installers available from Apple’s Software Update feed on macOS Big Sur
One of the changes in macOS Big Sur is that the softwareupdate command has been updated with new functionality.
| usage: softwareupdate <cmd> [<args> …] | |
| ** Manage Updates: | |
| -l | –list List all appropriate update labels (options: –no-scan, –product-types) | |
| -d | –download Download Only | |
| -i | –install Install | |
| <label> … specific updates | |
| -a | –all All appropriate updates | |
| -R | –restart Automatically restart (or shut down) if required to complete installation. | |
| -r | –recommended Only recommended updates | |
| –list-full-installers List the available macOS Installers | |
| –fetch-full-installer Install the latest recommended macOS Installer | |
| –full-installer-version The version of macOS to install. Ex: –full-installer-version 10.15 | |
| –install-rosetta Install Rosetta 2 | |
| –background Trigger a background scan and update operation | |
| ** Other Tools: | |
| –dump-state Log the internal state of the SU daemon to /var/log/install.log | |
| –evaluate-products Evaluate a list of product keys specified by the –products option | |
| –history Show the install history. By default, only displays updates installed by softwareupdate. | |
| –all Include all processes in history (including App installs) | |
| ** Options: | |
| –no-scan Do not scan when listing or installing updates (use available updates previously scanned) | |
| –product-types <type> Limit a scan to a particular product type only – ignoring all others | |
| Ex: –product-types macOS || –product-types macOS,Safari | |
| –products A comma-separated (no spaces) list of product keys to operate on. | |
| –force Force an operation to complete. Use with –background to trigger a background scan regardless of "Automatically check" pref | |
| –agree-to-license Agree to the software license agreement without user interaction. | |
| –verbose Enable verbose output | |
| –help Print this help |
Among the changes is the ability to scan Apple’s Software Update feed and display a list of the currently available full OS installers. To access this list, run the command below with root privileges:
softwareupdate --list-full-installers
The list you receive will be dependent on whether or not your Mac can run a particular OS version. As an example, here’s the list you would receive inside of a VMware VM as of March 3rd, 2021.
Once you have the right macOS installer identified, you can use the softwareupdate tool to download it.
One thing to be aware of is that multiple versions of a macOS full installer may show up in the Software Update feed. As an example of this, the list above includes multiple entries for macOS 10.15.6 and 10.15.7. These installers would be for hardware-specific builds of that macOS version’s full installer. Unfortunately, it’s not easy to tell the various installers apart using the softwareupdate command because the build number is not included.
If you do need to be able to download an installer with a specific build number, I recommend using the installinstallmacos.py tool. This tool also references the Apple Software Update feed, so the information you get back should be similar but also include the relevant build numbers for the macOS full installers.
Recent Comments