Apple Client Management with JAMF. Andrew D Huston, Client Infrastructure Group, Information Services, Kent State University



Intro
2011 Kent State University President's Excellence in Action Award Winner for Customer Service

Apple Devices Purchased Per Year

Apple Management Vendors

Why JAMF?

Why not these guys?

Let the Technology Speak for Itself!
I'll let the technology speak for itself, but here's a clue!

History

How Does JAMF Compare to Managing Windows?
Windows tooling compared: Remote Desktop, Group Policy Management, Disk Encryption Management
Mac equivalent: Jamf Casper Suite

KSU JAMF Infrastructure

Technology Overview

Technology Overview

Application: JAMF Agent
Description: The jamf agent collects inventory data and restricts software on managed computers. The jamf agent is installed and updated on managed computers automatically. It is installed in the following location: /usr/sbin/jamfagent

Application: JAMF Binary
Description: Most tasks in the Casper Suite are executed using the jamf command-line application (also known as the jamf binary). Although you are free to use this application at will, it is installed, updated, and run on managed computers automatically. It is stored in the following location on managed computers: /usr/sbin/jamf

Application: JAMF Software Server (JSS)
Description: The JAMF Software Server (JSS) is a web application that functions as the administrative core of the Casper Suite. The JSS allows you to perform inventory and remote management and configuration tasks on managed computers and mobile devices. All other administrative applications in the Casper Suite communicate with the JSS.

Application: Casper Remote
Description: The Casper Remote application allows you to immediately perform remote management tasks on computers, such as installing packages, running scripts, and binding to directory services. While policies allow you to automate these tasks so that they run on a schedule, Casper Remote allows you to perform them immediately over a Secure Shell (SSH) connection.

Application: Composer
Description: The Composer application allows you to build packages (PKG or DMG) of software, applications, preference files, or documents. Composer also allows you to build a DMG of an operating system.

Application: Self Service
Description: The Self Service application for Mac OS X allows users to browse and run policies, install configuration profiles, Mac App Store apps and ebooks, access webpages, and utilize plug-ins developed with the Self Service API. Users can point and click their way through Self Service using an intuitive interface similar to iTunes. Self Service for iOS allows you to distribute configuration profiles, apps, and ebooks to iOS devices for users to install. Users tap Self Service to browse and install items using an interface similar to the App Store.

Application: Recon
Description: The Recon application allows you to enroll OS X computers. Enrollment is the process of adding computers to the JSS. When OS X computers are enrolled, inventory information for the computers is submitted to the JSS, and the computers are managed.

Sites and JSS Site Access
Sites are organizational components that allow the central administrator to control which items each JSS user (Site Administrator) can manage.
- Sites on the JSS are modeled after our departmental OU structure in Active Directory
- Each Site on the JSS has a site administrator Active Directory group associated with it
- 108 Sites on our JSS

Everyone can:
- Enroll computers and mobile devices with the JSS
- Execute Policies in Self Service

A member of a JAMF Admin Group can:
- Manage computers with Managed Preferences, Configuration Profiles, and Policies
- Manage mobile devices with Configuration Profiles
- Create Policies to Distribute Software Packages
- Use Casper Remote
- View Inventory
- Create Smart and Static Groups
- Send Remote Commands
- Create Inventory Reports
- Map and Unmap Printers
- Create and View Software License Records
- Restrict Software From Running on a Computer

Managing Mac OS X

Enrolling a Computer with the JSS
2 Step Process:
1. Download the QuickAdd package for the site you want to enroll the computer in.
2. Install the Site QuickAdd Package on the computer you want to enroll.

What happens during enrollment:
1. The Jamf Agent is downloaded from the JSS and is installed
2. Management account is created
3. The Mobile Device Management profile containing the Trust Certificate and the Default Configuration Profiles are installed:
   - Software Update Server is set
   - A password is required to wake the computer from screen saver or sleep
   - A pre-boot/login message is set on the login window
4. The Jamf Agent runs scripts that are scoped to enrollment:
   - Password Policy is set to at least 8 characters, 1 number, 1 mixed-case letter, and must be different from the last 3 passwords used
   - Firewall is enabled
5. Software packages are downloaded from the Distribution Point and installed:
   - CocoaDialog
   - Pashua
   - Self Service
6. Inventory is submitted to the JSS.

Managing Settings
Architecture:
- Settings for Mac OS X are contained in files called Property Lists or plists.
- plists are XML-based files containing keys that can be modified.
- They store such things as dock position, screen saver, software settings, printer settings, etc.
- plist files that are managed are stored in /Library/Managed Preferences
- global.plist contains the software developer's default settings and default Mac OS X settings.

Managed Preferences:
- Introduced in Mac OS X Server 10.2 Jaguar with the inclusion of Open Directory as the replacement for the legacy Macintosh Manager platform used to manage Classic Mac OSes and Mac OS X 10.0 and 10.1.
- Also called MCX settings or Managed Client for OS X
- Applied at login
- As of 10.9 Apple has begun moving away from Managed Preferences toward Configuration Profiles

Configuration Profiles:
- Used on both Mac OS X and iOS.
- Most of the functionality provided by Managed Preferences can be provided by a Configuration Profile
- Applied immediately
- Sent over Apple Push Notification Service

Defaults command via a script:
- Direct access to manipulate the XML keys in a plist
- This is not managing the plist, but directly modifying it

Local MCX:
- Some plists can be modified, then distributed using a package that installs them in the /Library/Managed Preferences folder

Monolithic Imaging Methodology
Create an Image:
1. Install Operating System
2. Install OS Updates
3. Install Software Applications
4. Install Printers
5. Configure Accounts
6. Configure Settings
7. Capture a Hard Drive Image
8. Deploy to Like Machines

PROS:
- Easy to do

CONS:
- Hardware specific
- Time consuming
- New updates mean building new images
- Multiple images would have to be built for customizations or special OS builds

Thin Imaging or Package Based Imaging Methodology
New computers already come with an OS, iLife and iWork installed. Why take up so much time reinstalling these things? Most of the time spent during imaging is because of iLife. Installing OS X is fairly easy, and free on the App Store.
- Hardware independent
- Software is installed during image time
- Uses a Policy in Self Service to deploy all standard KSU Software:
  - Mac OS X Updates
  - Microsoft Office 2011
  - iLife (if it's not already installed)
  - iWork (if it's not already installed)
  - Google Chrome
  - Firefox
  - Adobe Reader
  - Adobe Flash
  - Flip4Mac
  - QuickTime Components
  - Microsoft SCEP
  - Silverlight
  - Shockwave (10.9 and prior)
  - VLC Player

Thin Imaging

Policies, Self Service, and Casper Remote
Management Actions:
- Run scripts and terminal commands
- Manage accounts
- Distribute software and software updates
- Map and unmap printers
- Enable FileVault 2 encryption
- Set firmware passwords
- Update inventory
- Perform maintenance tasks

Policies: Allow you to automate management actions so that they run on a schedule. When you create a policy, you specify the tasks you want to automate, when the policy should run (called the trigger), how often it should run (called the execution frequency), and the users and computers for which it should run (called the scope). You can also make policies available in Self Service for users to run on their computers.

Self Service: Allows users to browse and run policies, install configuration profiles, Mac App Store apps and ebooks, access webpages, and utilize plug-ins developed with the Self Service API. Users can point and click their way through Self Service using an intuitive interface similar to iTunes.

Casper Remote: Allows you to immediately perform remote management tasks on computers, such as installing packages, running scripts, and binding to directory services. While policies allow you to automate these tasks so that they run on a schedule, Casper Remote allows you to perform them immediately over a Secure Shell (SSH) connection. Also allows you to provide remote assistance through the use of screen sharing.

Packaging Mac OS X Applications
Composer allows you to build packages of software, applications, preference files, or documents. A package is a self-contained group of files that can be deployed to remote computers or installed as part of the imaging process.

Capture Options:
- Normal snapshots - These snapshots capture any new files on the drive.
- New and modified snapshots - These snapshots capture any new files on the drive, as well as any files that have been modified.
- Monitor the file system - Composer uses the File System Events (FSEvents) framework to monitor any changes that are made to the file system during the installation process. Next, Composer creates a package source based on the changes.
- Use pre-installed software - You can use software that is pre-installed on your computer to create a package source based on package manifests. This method allows you to create package sources without monitoring the installation process.
- Use user environment settings - Package manifests can also be used to capture settings configured on your computer, such as Dashboard, Display, and Global Preference settings.
- Drag contents from the Finder - A simple drag-and-drop process allows you to create a package source from files already installed on your computer.

Enabling Full Disk Encryption
FileVault 1 or Legacy FileVault:
- First introduced with Mac OS X 10.3 Panther
- Encrypts the user's home directory
- Files stored outside the user's home directory are not encrypted

FileVault 2:
- First introduced with Mac OS X 10.7
- Full Disk Encryption
- XTS-AES 128 encryption
- FIPS 140-2 compliant

Encryption Keys:
- Store locally: take a screenshot of the encryption key
- Store with Apple: retrieved by calling Apple; the user must know their security questions
- Jamf: allows you to enable FileVault 2, captures the encryption key and stores it under the computer record for retrieval later, and compliance information can be reported on

Managing ios Devices

Enrolling an iOS Device with the JSS
Ways of enrolling an iOS device:
- User-initiated Enrollment: You can allow users to enroll mobile devices by having them log in to an enrollment portal where they follow the onscreen instructions to install the necessary profile and certificates. You can provide this URL by sending it in an email or SMS invitation from the JSS, or through any other means that fit your environment.
- Apple Configurator Enrollment: You can enroll mobile devices with the JSS by connecting them to a computer via USB and using Apple Configurator, an enrollment URL, and an anchor certificate that you download from the JSS.

What happens during enrollment:
1. The MDM Profile is downloaded and installed
2. The Trust Profile containing the CA certificate is downloaded and installed, establishing a trust between the certificate authority and the mobile device
3. The Device Certificate is downloaded and installed, verifying the identity of the managed mobile device each time it communicates with the JSS
4. The Self Service mobile app is downloaded from the App Store and installed
5. The default configuration profile is downloaded and installed
   a. Sets the password requirement on the iOS device to require at least 6 alphanumeric characters, sets the lock time to immediately after the grace period, and wipes the device after 10 failed password attempts
6. Inventory is submitted back to the JSS

Distributing Software, Managing Settings, and Remote Commands
Distributing Software:
- Install Automatically/Prompt Users to Install
- Make Available in Self Service

Managing Settings:
iOS configuration profiles are XML files (.mobileconfig) that provide an easy way to define settings and restrictions for mobile devices. There are two different ways to distribute an iOS configuration profile:
- Install it automatically (requires no interaction from the user)
- Make it available in Self Service
You can also specify the mobile devices and users to which the profile should be applied (called the scope).

Remote Commands:
- Update inventory
- Lock a device
- Clear the passcode on a device
- Clear the restrictions on a device (only for supervised devices with iOS 8 or later)
- Unmanage a device
- Wipe a device
- Send a blank push notification
- For a personally owned device, wipe institutional data and unmanage the device
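The settings slides above describe plists as the XML container for Mac settings and .mobileconfig files as the XML container for iOS settings, and the enrollment slide states the default passcode policy the JSS pushes. The following is an added example, not code from the presentation or from JAMF: it builds a passcode-policy .mobileconfig with Python's plistlib, then parses it back and checks it against that stated policy (at least 6 alphanumeric characters, wipe after 10 failed attempts, lock immediately). The payload keys are Apple's com.apple.mobiledevice.passwordpolicy keys; the organization name, identifiers and UUIDs are constructed placeholders, and mapping "lock immediately after the grace period" to maxGracePeriod 0 is an assumption.

```python
"""Added example (not from the presentation): build an iOS passcode-policy
configuration profile (.mobileconfig) with plistlib, then parse it back and
check it against the enrollment policy on the slides. Keys are Apple's
com.apple.mobiledevice.passwordpolicy payload keys; identifiers, UUIDs
and the organization name are constructed placeholders."""
import plistlib
import uuid

PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"

# The slide's policy: at least 6 alphanumeric characters, wipe after 10 failed
# attempts, lock immediately after the grace period. Mapping "immediately" to
# maxGracePeriod 0 is an assumption.
REQUIRED = {
    "minLength": 6,
    "requireAlphanumeric": True,
    "maxFailedAttempts": 10,
    "maxGracePeriod": 0,
}


def build_passcode_profile(org="Example University",
                           identifier="edu.example.passcode"):
    """Return the profile dict that plistlib serialises to a .mobileconfig."""
    payload = dict(REQUIRED)
    payload.update({
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".policy",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode Policy",
    })
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Default Passcode Policy",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }


def to_mobileconfig(profile):
    """Serialise to the XML plist bytes the JSS would push to the device."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def passcode_findings(mobileconfig_bytes):
    """Parse a .mobileconfig and return a list of policy gaps (empty means
    the profile meets the slide's policy). Covers the cases a reviewer
    checks: no passcode payload, a missing key, or a weaker value."""
    profile = plistlib.loads(mobileconfig_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PAYLOAD_TYPE]
    if not payloads:
        return ["no passcode policy payload present"]
    findings = []
    for p in payloads:
        if p.get("minLength", 0) < REQUIRED["minLength"]:
            findings.append("minLength %r is below %d"
                            % (p.get("minLength"), REQUIRED["minLength"]))
        if not p.get("requireAlphanumeric", False):
            findings.append("requireAlphanumeric is not set")
        attempts = p.get("maxFailedAttempts")
        if attempts is None or attempts > REQUIRED["maxFailedAttempts"]:
            findings.append("maxFailedAttempts %r allows more than %d tries"
                            % (attempts, REQUIRED["maxFailedAttempts"]))
        if p.get("maxGracePeriod") != REQUIRED["maxGracePeriod"]:
            findings.append("maxGracePeriod %r is not immediate"
                            % (p.get("maxGracePeriod"),))
    return findings


if __name__ == "__main__":
    blob = to_mobileconfig(build_passcode_profile())
    print(blob.decode())
    print("findings:", passcode_findings(blob))
```

Running the file prints the generated XML plist and an empty findings list; feeding passcode_findings a profile exported from the JSS is a quick way to confirm the default profile still carries the policy the slide describes before it is scoped to devices.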

Reporting

Inventory & Reporting
Inventory is collected every 24 hours.

Inventory Information Collected:
- Local user accounts, with the option to include home directory sizes and/or hidden system accounts
- Printers
- Active services
- Last backup date/time for managed mobile devices that are synced to computers
- User and location from an LDAP directory service (only available if an LDAP server is set up in the JSS)
- Package receipts
- Available software updates
- Application Usage information
- Fonts
- Plug-ins

Extension Attributes:
- Allow you to run a script that populates the extension attribute each time a computer submits inventory to the JSS
- Fillable information using predefined drop-down boxes

Advanced Searches allow you to generate a report on the environment based on a specified set of criteria. Example: computers running a particular version of Adobe Photoshop, computers that do not have FileVault 2 enabled, or mobile devices running a specific version of iOS.

Export the results as a report:
- Comma-separated values file (.csv)
- Tab-delimited text file (.txt)
- XML file

JAMF Restful API
Allows you to query inventory information directly from the MySQL database outside of the JSS interface.

A PowerShell server runs a script that:
1. Queries the JSS for the current list of computers enrolled with the JSS using the JAMF API
2. Queries the JSS using the JSS ID of each computer to get a detailed list of information on that computer using the JAMF API
3. Parses the detailed information on each computer and correlates it into a set of data that can be output to a Google Sheet
4. Calls a custom Google Apps Script API to deposit the information into a predefined report in Google Sheets

Google Sheets are set up to format the data into meaningful reports.
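The four-step pipeline just described, together with the "computers that do not have FileVault 2 enabled" advanced search from the reporting slide, as an added example in Python rather than the presenter's PowerShell script (this is not KSU's or JAMF's code). It lists enrolled computers, fetches each record by its JSS ID, correlates the fields into rows and emits a CSV report with a FileVault 2 column. The paths /JSSResource/computers and /JSSResource/computers/id/{id} are the JSS Classic API's; the JSON field layout assumed below (general, hardware, location, hardware.storage[].partition.filevault_status) is an assumption drawn from that API, and the sample responses are constructed so the code runs offline through an injected fetch function. Step 4's Google Sheets hand-off is replaced with a .csv export, which the reporting slide also lists.

```python
"""Added example (not the presentation's PowerShell script): the JSS Classic
API report pipeline in Python. Endpoint paths are the Classic API's; the JSON
field layout is an assumption and the sample records are constructed."""
import base64
import csv
import io
import json
import urllib.request

FIELDS = ["id", "name", "os_version", "department", "last_contact", "filevault2"]


def jss_fetcher(base_url, user, password):
    """Return fetch(path) -> dict using HTTP basic auth; base_url must be https
    so the credentials are never sent in the clear."""
    if not base_url.startswith("https://"):
        raise ValueError("JSS base URL must use https")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def fetch(path):
        req = urllib.request.Request(
            base_url.rstrip("/") + path,
            headers={"Accept": "application/json",
                     "Authorization": "Basic " + token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def filevault_state(hardware):
    """Derive one FileVault 2 state from the per-partition statuses (assumed
    layout: hardware.storage[].partition.filevault_status)."""
    statuses = [s.get("partition", {}).get("filevault_status", "")
                for s in hardware.get("storage", [])]
    if not statuses:
        return "unknown"
    return "yes" if all(s == "Encrypted" for s in statuses) else "no"


def collect_computer_rows(fetch):
    """Steps 1-3 of the slide: list computers, fetch each by JSS ID, correlate."""
    rows = []
    for stub in fetch("/JSSResource/computers")["computers"]:
        rec = fetch(f"/JSSResource/computers/id/{stub['id']}")["computer"]
        general = rec.get("general", {})
        hardware = rec.get("hardware", {})
        location = rec.get("location", {})
        rows.append({
            "id": general.get("id", stub["id"]),
            "name": general.get("name", stub.get("name", "")),
            "os_version": hardware.get("os_version", ""),
            "department": location.get("department", ""),
            "last_contact": general.get("last_contact_time", ""),
            "filevault2": filevault_state(hardware),
        })
    return rows


def not_filevault_enabled(rows):
    """The 'computers that do not have FileVault 2 enabled' report; an unknown
    state is reported too, so a machine never silently passes."""
    return [r["name"] for r in rows if r["filevault2"] != "yes"]


def to_csv(rows):
    """Step 4's hand-off, written as a .csv export instead of a Sheets call."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample responses standing in for a live JSS.
SAMPLE = {
    "/JSSResource/computers": {"computers": [
        {"id": 1, "name": "lab-mac-01"}, {"id": 2, "name": "lab-mac-02"},
        {"id": 3, "name": "lab-mac-03"}]},
    "/JSSResource/computers/id/1": {"computer": {
        "general": {"id": 1, "name": "lab-mac-01", "last_contact_time": "2015-06-01 08:00:00"},
        "hardware": {"os_version": "10.10.3", "storage": [{"partition": {"filevault_status": "Encrypted"}}]},
        "location": {"department": "Library"}}},
    "/JSSResource/computers/id/2": {"computer": {
        "general": {"id": 2, "name": "lab-mac-02", "last_contact_time": "2015-06-01 09:15:00"},
        "hardware": {"os_version": "10.9.5", "storage": [{"partition": {"filevault_status": "Not Encrypted"}}]},
        "location": {"department": "Library"}}},
    "/JSSResource/computers/id/3": {"computer": {
        "general": {"id": 3, "name": "lab-mac-03"},
        "hardware": {"os_version": "10.10.3"},
        "location": {}}},
}


def sample_fetch(path):
    return SAMPLE[path]


if __name__ == "__main__":
    print(to_csv(collect_computer_rows(sample_fetch)))
```

Against a real server, replace sample_fetch with jss_fetcher("https://jss.example.edu:8443", user, password) using a read-only JSS API account; the https check in jss_fetcher exists because the same basic-auth header would otherwise expose that account's credentials on the wire.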

Example Reports Using the JAMF API

Q&A

Thanks for Attending