Archive for the ‘Mobile Device Management’ Category

Preparing installer packages for installation using MDM commands

October 24, 2023

An issue that some Mac admins have had to deal with is that their system management tool is using MDM commands to install installer packages. This usually applies if the system management tool does not have an agent installed on the managed Macs and instead is using only MDM for management.

In those cases, installer packages must have the following attributes for a successful installation via MDM command:

  1. Be signed with an Apple Developer ID Installer certificate
  2. Be a distribution installer package

Criterion #2 refers to the fact that there are two kinds of modern installer packages for macOS:

  • Component packages: these are the standard type of installer package, which contain an archive of files to install and the information on where the files should be installed.
  • Distribution packages: These packages can contain one or more component packages, and may also include additional resources to customize and control the user interface shown in the Installer application.

Both component and distribution packages use the same icon by default, so you can’t tell the difference by looking at an installer package. However, you can use the xar command line tool to look inside an installer package and list the files stored in it. This helps because every distribution package has a file inside named Distribution, and component packages do not.

To check an installer package to see if it is a distribution package, use the command shown below:

xar -tf /path/to/pkg_name_goes_here.pkg | grep -o Distribution

If it’s a distribution package, you should get output similar to this:

username@computername ~ % xar -tf /path/to/pkg_name_goes_here.pkg | grep -o Distribution
Distribution
username@computername ~ %

If it’s not a distribution package, you should get output similar to this:

username@computername ~ % xar -tf /path/to/pkg_name_goes_here.pkg | grep -o Distribution
username@computername ~ %

If it is not a distribution package, you can use the productbuild command line tool to convert the installer package into a distribution package. To convert a component installer package to a distribution installer package, use the command shown below:

/usr/bin/productbuild --package /path/to/package_being_converted_to_distribution.pkg /path/to/new_distribution_package.pkg

In this case, package_being_converted_to_distribution.pkg is the name of the package that you want to convert to a distribution package and new_distribution_package.pkg is the name you want to give to the newly-created distribution package.

Note: If you convert a signed installer package, the new distribution package will not be signed. If a signature is required, sign the distribution package after it has been created.
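The check-and-convert procedure above, wrapped into a script, as an added example that is not part of the original post. It assumes macOS with Apple’s xar, productbuild, productsign and pkgutil tools; the package paths and the “Developer ID Installer: …” signing identity are placeholders. It goes slightly beyond the post in two ways: the match on Distribution is anchored to the whole filename rather than a substring, and the converted package is re-signed with productsign, since the post notes that productbuild drops the original signature. The classify_listing function takes a listing on stdin, so the kind check can be exercised without a real package.

```shell
#!/bin/sh
# Added example, not from the original post. Paths and the signing identity
# are placeholders; xar, productbuild, productsign and pkgutil are macOS tools.
set -eu

# classify_listing: read an `xar -tf` listing on stdin and print
# "distribution" or "component". Only a whole-line match on "Distribution"
# counts, so an entry that merely contains that word is not mistaken for
# the distribution definition file.
classify_listing() {
    if grep -qx 'Distribution'; then
        echo distribution
    else
        echo component
    fi
}

# pkg_kind: classify an on-disk package by listing its xar archive (macOS only).
pkg_kind() {
    xar -tf "$1" | classify_listing
}

# ensure_distribution_pkg SRC DST IDENTITY
# Produce DST as a signed distribution package built from SRC. A component
# package is wrapped with productbuild; because productbuild output is
# unsigned, the result is then signed with productsign using IDENTITY, e.g.
# "Developer ID Installer: Example Corp (TEAMID)" (placeholder value).
ensure_distribution_pkg() {
    src=$1; dst=$2; identity=$3
    case "$(pkg_kind "$src")" in
        distribution)
            # Already a distribution package: keep it as-is.
            cp "$src" "$dst"
            ;;
        component)
            tmp="${dst%.pkg}-unsigned.pkg"
            /usr/bin/productbuild --package "$src" "$tmp"
            /usr/bin/productsign --sign "$identity" "$tmp" "$dst"
            rm -f "$tmp"
            ;;
    esac
    # Verify the final package carries a Developer ID Installer signature;
    # a non-zero exit here means it is not ready for an MDM install command.
    /usr/sbin/pkgutil --check-signature "$dst" | grep -q 'Developer ID Installer'
}

# Usage when run directly:
#   sh prepare_pkg.sh in.pkg out.pkg "Developer ID Installer: Example Corp (TEAMID)"
if [ "$#" -eq 3 ]; then
    ensure_distribution_pkg "$1" "$2" "$3"
    echo "$2 is a signed distribution package"
fi
```

If the source is already a distribution package but unsigned, the copy is kept and the final pkgutil check fails, which is the signal that it still needs signing before an MDM command will install it.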

Thanks to the folks in the #packaging channel of the Mac Admins Slack who assisted with providing information for this post.

Session videos and slides available from MacSysAdmin 2023

October 17, 2023

The documentation from MacSysAdmin 2023 is available, with the session slides and videos being accessible from the link below:

http://documentation.macsysadmin.se

The video of my session is available for download from here:

I’d also like to thank Patrik Jerneheim again for inviting me to speak at this year’s MacSysAdmin.

Slides from the “Introduction to Declarative MDM” session at MacSysAdmin 2023

October 3, 2023

For those who wanted a copy of my declarative device management talk at MacSysAdmin 2023, here are links to the slides in PDF and Keynote format.

Slides from the “Introduction to Declarative MDM” session at Penn State MacAdmins 2023

July 20, 2023

For those who wanted a copy of my declarative device management talk at Penn State MacAdmins 2023, here are links to the slides in PDF and Keynote format.

Migrating an APNS certificate from one Apple ID to another Apple ID

April 11, 2023

As part of a recent change, I needed to migrate an APNS certificate from being associated with one Apple ID to being associated with another Apple ID. Apple has a knowledge base article which provides contact information for this, available via the link below:

https://support.apple.com/HT208643

For those folks with AppleCare support plans, you can also submit a ticket to AppleCare. That’s the route I took. Regardless of which support avenue you pursue, Apple will request the following information from you.

  • APNS Certificate Subject DN
  • APNS Certificate CN
  • APNS Certificate Serial Number
  • APNS Certificate Expiration Date
  • The Apple ID you want to migrate from
  • The Apple ID you want to migrate to

For more information, please see below the jump:

Read more…

Session videos from Jamf Nation User Conference 2022 now available

December 1, 2022

Jamf has posted the session videos for Jamf Nation User Conference 2022, including the video for my Running Jamf Pro at Scale, from SAP with ❤️ session.

For those interested, all of the JNUC 2022 session videos are available on YouTube. For convenience, I’ve linked my session here.

Enabling full disk access for SSH on macOS Big Sur using a management profile

September 29, 2021

When connecting via SSH to a remote Mac running macOS Big Sur, Apple’s user-level privacy controls apply. You can access data in the home folder of the account you’re using to connect, but you can’t access or alter protected data in other accounts’ home folders.

For most use cases, this is fine. However, there may be circumstances when full disk access for SSH connections is desired. To accommodate this, Apple added an Allow full disk access for remote users checkbox in the Remote Login settings of System Preferences’ Sharing preference pane.

This setting can normally only be enabled by the logged-in user sitting at that Mac. However, there is a way to manage this with a configuration profile. For more details, please see below the jump.

Read more…

Updated Jamf Pro MDM lock script to add reporting feature

June 1, 2021

Previously, I’d written a script to manage sending device lock commands using the Jamf Pro Classic API. After writing it, I thought it would be a good idea if the script could also generate a report that could be handed off to others, so I forked the script and updated it to generate a report in .tsv format. Since others might prefer the original script without the automatically generated report, I left that one alone and have made the forked copy into its own script. For more details, please see below the jump.

Read more…

Using the Jamf Pro API to send device lock commands via MDM to multiple Macs

May 28, 2021

Most Mac admins have had this conversation at one point or another over the course of their careers:

“$Very Important Person left their Mac behind in a cab! What do we do?”
“OK, no worries. We can send a command to lock the computer or have it erase itself. Do you want it locked or wiped?”

At that point, the admin pulls up their MDM admin console and, depending on what the response was (lock or wipe), sends out the appropriate MDM command accompanied by a PIN code. Once received, the Mac will then turn itself into a paperweight which does or doesn’t erase itself.

Doing these one at a time is a pretty straightforward process. For example, here’s how it looks in Jamf Pro to send a device lock command via MDM:

1. Log into Jamf Pro using an account which can send lock commands via MDM.
2. Go to the appropriate computer inventory record.
3. Select the Management tab.
4. In the Management Commands section of the Management tab, click the Lock Computer button.
5. Enter the PIN code which will later be used to unlock the Mac. If desired, you can also enter a message which will appear on the lock screen.
6. Click the Lock Computer button.
7. Click the OK button in the confirmation window.

Once the device lock command has been sent, the Lock Computer button’s text should temporarily change to Command Sent.

For a small number of machines (10 or less), the method outlined above works fine. But once you get beyond that number, this process gets time-consuming and unwieldy. Fortunately, there is also a way to use the Jamf Pro Classic API to send device lock commands. For more details, please see below the jump.

Read more…

Using an Activation Lock bypass code from Jamf Pro to clear Activation Lock on a Mac

June 19, 2020

As part of macOS Catalina, Apple introduced Activation Lock for Macs. As on iOS, Activation Lock is an anti-theft feature designed to prevent activation of a Mac if it’s lost or stolen.

Activation Lock on Macs does have some requirements in order for it to work. The Mac must:

  • Run macOS Catalina or later
  • Use the Apple T2 Security chip
  • Have two-factor authentication enabled on the Apple ID used to enable Activation Lock
  • Have Secure Boot enabled with the Full Security setting and Disallow booting from external media selected

Once these requirements are satisfied, Activation Lock is automatically enabled when Apple’s Find My service is enabled.

However, having Activation Lock turn on when Find My is enabled can lead to situations where it’s enabled by an employee on company-owned equipment. When this happens, companies, schools or institutions need a way to bypass Activation Lock without needing to know anything about the Apple ID used by the employee.

To provide this bypass, Apple has made it possible for companies, schools and institutions to use their MDM solution to clear Activation Lock. For more details, please see below the jump:

Read more…