Deleting all Jamf Pro policies in a specified category

June 8, 2020 Leave a comment

Every so often, I need to delete a bunch of Jamf Pro policies at once. One convenient way I’ve found to do this is to assign all the policies I want to delete to one category which doesn’t have any other policies assigned to it. Once assigned, I can then use the API to delete them all at once.

To assist with this task, I’ve been using a script written by Jeffrey Compton but over time I found that I wanted more functionality. To meet my own needs, I took Jeffery’s original idea and written my own script to target the policies in a particular Jamf Pro category. For more details, please see below the jump.

Read more…

Mad, bad and possibly dangerous – a cautionary tale of software installation

June 5, 2020 8 comments

In my career, I’ve run across a lot of terrible installers in a variety of forms. The one I ran across today though is noteworthy enough that I want to point it out because of the following reasons:

  1. It’s an installer application. I have opinions on those.
  2. It’s for a security product where, as part of the installation, you need to provide the username and password for an account on the Mac which has:
  • Administrator privileges
  • Secure Token

Note: I have no interest in talking to the vendor’s legal department, so I will not be identifying the vendor or product by name in this post. Instead, I will refer to the product and vendor in this post as “ComputerBoat” and leave discovery of the company’s identity to interested researchers.

For more details, please see below the jump.

Read more…

Slides from the “Introduction to MDM and Configuration Profiles” session at Penn State MacAdmins 2020

June 4, 2020 1 comment

For those who wanted a copy of my MDM and profiles talk from Penn State MacAdmins 2020, here are links to the slides in PDF and Keynote format.

Mac admin conferences in 2020

May 29, 2020 Leave a comment

With COVID-19’s disruption of travel and public gatherings, a number of Mac admin conferences have made the choice to move to an online format. This change has meant that a number of conferences which previously required paying for tickets and travel costs have now become either much cheaper or free.

For those interested, here is the current list of conferences being held online between June and October 2020:

Penn State MacAdmins
Link: https://macadmins.psu.edu/campfire-sessions-2020/
Dates: June 4, 11, 18, 30 and July 9, 16, 23, 30
Cost: Free

MacDevOps YVR
Link: https://mdoyvr.com
Dates: June 10 – 12
Cost: CAD $135 (USD $97.74 as of May 29, 2020)

Apple WWDC
Link: https://developer.apple.com/wwdc20/
Dates: June 22 – 26
Cost: Free

Jamf Nation User Conference
Link: https://www.jamf.com/events/jamf-nation-user-conference/2020/
Dates: September 29 – October 1
Cost: Free

MacSysAdmin
Link: https://www.macsysadmin.se
Dates: October 2020 (exact dates not yet posted.)
Cost: Not yet announced

Identifying and deleting Jamf Pro inventory records with duplicate serial numbers

May 26, 2020 2 comments

I recently saw an issue where several computers in Jamf Pro were showing up with the same serial number listed in their inventory records. This made it difficult to work with this serial number using the API because Jamf Pro Classic API calls may fail if we’re referencing the serial number in the API call and more than one inventory record exists with that serial number.

First off, how can this happen? Aren’t serial numbers supposed to be unique? They are, but there’s two instances where serial numbers may unfortunately be associated with more than one Mac.

Hardware repair:

When you send a Mac out for repair and the logic board is replaced as part of the repair, the Mac’s existing serial number is flashed onto the replacement logic board.

However, both the old and new logic boards have separate Unique Device Identifiers (UDID) associated with them. When enrolling a device into Jamf Pro, it is possible for a new inventory record to be set up if a device has:

  • The same serial number listed in as an existing inventory record
  • A UDID not found in other inventory records

Parallels macOS virtual machine:

macOS virtual machines set up by Parallels Desktop and other Parallels hypervisor products use the same serial number as the Mac which is running the Parallels hypervisor software. These VMs will likewise have separate Hardware UDIDs associated with them.

So what to do with these duplicate records? My recommendation is to delete them from your Jamf Pro server when you find them, especially if you do a lot of work using the API. To help with this task, a script has been developed to identify and delete unwanted duplicates. For more details, please see below the jump.

Read more…

Removing restart options from all Jamf Pro policies in a specified category

May 22, 2020 Leave a comment

As a follow-on to my previous post on removing the Restart Options section from Jamf Pro policies, I’ve written a script to target the policies in a particular Jamf Pro category. For more details, please see below the jump.

Read more…

Slides from the “SAP In The Haus” session at Futureproof IT 2020

May 18, 2020 Leave a comment

For those who wanted a copy of my talk at the Futureproof IT 2020 conference, here are links to the slides in PDF and Keynote format.

Removing the Restart Options section from Jamf Pro policies using the API

May 14, 2020 Leave a comment

As part of setting up new Jamf Pro policies, the Restart Options section is automatically added to newly-created policies.

Screen Shot 2020 05 14 at 5 41 49 PM

For policies which don’t need it though, this section should be removed as a best practice to avoid accidental triggering of a restart where one isn’t needed or wanted. In some cases, the options provided by this section are never needed and it may be useful to be able to remove the Restart Options section from all of your current Jamf Pro policies.

In those cases, depending on how many policies you have, it can be tedious to have to do them one at a time using the admin console. However, with the right API calls in a script, it’s straightforward to perform these tasks using the Jamf Pro API. For more information, please see below the jump.

Read more…

Enabling Safari to successfully connect after changing a self-signed certificate

April 19, 2020 1 comment

Every so often, I need to use Safari to access something which is using a self-signed certificate. When I do so, Safari now walks you through the following procedure:

  1. Warns you something’s not right and give you the option of either going back or seeing the details.
  2. If you choose to see the details, Safari will let you view the certificate.

Screen Shot 2020 04 18 at 11 27 14 PM

Safari will also give you the option of proceeding anyway.

Screen Shot 2020 04 18 at 11 27 32 PM

If you choose to proceed anyway, Safari will store the self-signed certificate in your login keychain and mark it as trusted.

Screen Shot 2020 04 19 at 2 07 29 PM

With this certificate now marked as trusted, Safari will allow you to visit the website.

Screen Shot 2020 04 18 at 11 27 43 PM

However, what happens when the SSL certificate changes but keeps the same subject name? At this point, connections from Safari to the site will fail with an error message similar to the one described below:

Safari Can’t Open the Page
Safari can’t open the page because Safari can’t establish a secure connection to the server “server.name.here”.

Screen Shot 2020 04 18 at 11 23 11 PM

The reason that this message appears is because Safari is using HTTP Strict Transport Security, otherwise known as HSTS. One of the requirements of HSTS as implemented by Safari is that if the security of the connection cannot be ensured, Safari must terminate the connection and should not allow the user to access the web application.

Since the self-signed certificate stored in your login keychain and the SSL certificate being received don’t match each other, that tells Safari that the certificate being received can’t be trusted. The result is Safari immediately terminates the connection and displays an error message like the one shown above.

However, what if the certificate changing is known behavior and you know that proceeding is safe? It’s possible to re-set Safari’s behavior, but it’s not intuitive. For more details, please see below the jump.

Read more…

Upgrading from ESXi 6.7 to ESXi 7.0 via SSH and esxcli

April 19, 2020 Leave a comment

Following VMware’s release of ESXi 7.0, I upgraded my ESXi 6.7 server to ESXi 7.0 using SSH and esxcli. For those interested, see below the jump for the details of the process I used.

Screen Shot 2020 04 18 at 1 31 21 PM

Read more…

Categories: VMware, VMware ESXi
%d bloggers like this: