Archive
Creating Jamf Pro QuickAdd installer packages which do not install the Jamf Pro management user account
Jamf Pro-managed Macs usually have a management account on the Mac, which is normally created as part of the Mac’s enrollment in the Jamf Pro service. This may cause issues in some Mac environments, where the creation of local user accounts is tightly controlled to help minimize opportunities for malicious third parties to compromise unused accounts.
To help protect against the Jamf Pro management account being compromised, Jamf has added some protections. These protections include including the ability to set a random password for the account on a per-machine basis and the ability to rotate the password on a regular basis.
Depending on your needs though, it is also possible avoid setting up the Jamf Pro management account on Macs. The reason for this is that the Jamf Pro agent by and large does not need the Jamf Pro management account in order to work properly.
As of Jamf Pro 9.99.0, the Jamf Pro management account is used for the following:
- To provide SSH connectivity for Jamf’s Remote application
- To provide the option of enabling the management user account for FileVault 2
If you are not using Jamf’s Remote application for remote screen sharing, or enabling the Jamf Pro management account for FileVault 2, it is not necessary to install the Jamf Pro management account on Jamf Pro-managed Macs at all. For more details, see below the jump.
Application blacklisting using management profiles
When deploying Macs for use in classrooms or for training, there is occasionally a requirement that certain applications must be blocked from running. Usually, this is to make sure that the student or test taker using the Mac is not able to use the blocked applications because it would distract them or otherwise cause problems.
On iOS, there is a way to do this via the blacklistedAppBundleIDs key available in the Restrictions payload. However, this key is not available on macOS and Macs will ignore the blacklist.
On macOS, there is the ability to set an application whitelist via Profile Manager but not a blacklist.
However, the profile specification does include the ability to configure an application blacklist using the pathBlackList key in the settings managed by the com.apple.applicationaccess.new payload.
For more details, see below the jump.
Identifying which Active Directory account is logged into Enterprise Connect
As more Mac environments move away from binding Macs to Active Directory and using AD mobile accounts, and towards using local accounts in combination of tools like NoMAD and Apple’s Enterprise Connect, it’s become more challenging to identify which people are logged into which computers. While mobile Active Directory accounts will use the username and password of the person’s AD account, there is no such certainty with local user accounts.
Fortunately, my colleague Joe Chilcote recently let me know that it’s possible to query the logged-in user’s login keychain and get the username of the Active Directory account which is logged into Enterprise Connect. This can be accomplished by running the following command as the logged-in user:
/usr/bin/security find-generic-password -l "Enterprise Connect" $HOME/Library/Keychains/login.keychain | awk -F "=" '/acct/ {print $2}' | tr -d "\""
That should produce output similar to that shown below:
computername:~ username$ /usr/bin/security find-generic-password -l "Enterprise Connect" $HOME/Library/Keychains/login.keychain | awk -F "=" '/acct/ {print $2}' | tr -d "\""
AD_username_here
computername:~ username$
It’s also possible to leverage this technique to update the User and Location section of a particular computer managed by a Jamf Pro server. For more information, see below the jump.
Building VMs on ESXi using esxi_macos_vm_creation.sh
As part of my testing workflow, I’ve been using VMs running on a ESXi server running ESXi 6.5. To help me quickly build those VMs, I have been using a script named esxi_macos_vm_creation.sh for building VMs. This script is forked from Tamas Piros’s auto-create script for standing up Linux VMs on free ESXi:
https://github.com/tpiros/auto-create
My fork of the auto-create script is designed to create and configure virtual machines with Apple operating systems as the guest OS, hosted on a VMware ESXi server running on Apple hardware. The script assumes that the virtual machines are built using copied VMDK disk files, where the VMDK files are generated by AutoDMG and vfuse. For more details, see below the jump.
Expanding partition size in an ESXi-hosted macOS VM
As part of working on a project recently, I ran into an unexpected problem with ESXi-hosted Mac VMs. For these VMs, I was creating VMDK files from AutoDMG-generated disk images, using vfuse to convert the disk image into a VM with ESXi-compatible VMDK disk image files.
My workflow looked like this:
1. Create disk image using AutoDMG.
2. Use vfuse to create VMDK files using a command similar to the one shown below:
sudo vfuse -i /path/to/autodmg_created_disk_image_here --esx
3. Upload the VMDK files to a convenient location on my ESXi server
4. Set up a new VM, using copies of uploaded VMDK files for the VM boot disk.
5. Resize the new VM to the desired size using VMware’s vmkfstools utility.
6. Start up the VM.
After logging in, I ran the following command to enable macOS to recognize and use the unallocated space from the VM resizing:
diskutil resizeVolume / R
Normally, this command is able to do a live re-sizing of the boot partition to use all available unallocated space. However, this time the re-sizing process failed and the following error was displayed:
How to fix this? For more details, see below the jump.
Creating macOS installer disk images for VMware Fusion and ESXi with create_macos_vm_install_dmg
I’ve had a tool available for a while named create_vmware_osx_install_dmg, but it looks like it has reached the end of the road with macOS 10.12.3. The reason for this is because macOS 10.12.4 has introduced a change that prevents the addition of third-party packages to the OS installer. create_vmware_osx_install_dmg uses the addition of a third-party installer package, so unfortunately this tool cannot be used to generate 10.12.4 or later OS installers.
That said, I still want to be able to create macOS installer disk images for VMware Fusion and ESXi, so I’ve forked create_vmware_osx_install_dmg into a new script named create_macos_vm_install_dmg. create_macos_vm_install_dmg will generate stock OS installer disk images for the following OS versions:
- Mac OS X 10.7.x
- OS X 10.8.x
- OS X 10.9.x
- OS X 10.10.x
- OS X 10.11.x
- OS X 10.12.x
This script does not use a third-party package, so it is able to build a macOS 10.12.4 installer disk image. For more details, see below the jump.
Third-party installer packages may not be installable by the macOS 10.12.4 OS installer
With the release of macOS 10.12.4, it appears that Apple has made a change to the OS installer that blocks the installation of third-party packages which have been added to the OS installer. In my testing, I’ve verified the following tools are affected:
Note: There may be others, this list is what I’ve tested.
In each case, the OS install process proceeds without issues until the OS installer tries to install the third party installer package. At that point, the installation process fails and displays the message shown below:
The package "Package Name Goes Here" is not signed. Quit the installer to restart your computer and try again.
The error message displayed is misleading however, as this message may also appear if the package has been signed with a Developer ID Installer certificate.
In testing done by myself and others, we have found that there is one circumstance where you can still add a third-party installer package:
- If you are building a NetInstall NetBoot set using System Image Utility
- If the package is signed with a Developer ID Installer certificate.
Otherwise, the only installer packages I’ve seen which install correctly are packages which have been signed by Apple itself.
For more details, see below the jump.
Recent Comments