Apple Client Management with JAMF
Andrew D Huston
Client Infrastructure Group, Information Services, Kent State University
Intro
2011 Kent State University President's Excellence in Action Award Winner for Customer Service
Apple Devices Purchased Per Year
Apple Management Vendors
Why JAMF?
Why not these guys?
Let the Technology Speak for Itself!
I'll let the technology speak for itself, but here's a clue!
History
How Does JAMF Compare to Managing Windows?
Windows management functions set against the Jamf Casper Suite:
- Remote Desktop
- Group Policy Management
- Disk Encryption Management
KSU JAMF Infrastructure
Technology Overview
Applications and what they do:

JAMF Agent
  The jamf agent collects inventory data and restricts software on managed computers. It is installed and updated on managed computers automatically, in the following location: /usr/sbin/jamfagent

JAMF Binary
  Most tasks in the Casper Suite are executed using the jamf command-line application (also known as the jamf binary). Although you are free to use this application at will, it is installed, updated, and run on managed computers automatically. It is stored in the following location on managed computers: /usr/sbin/jamf

JAMF Software Server (JSS)
  The JSS is a web application that functions as the administrative core of the Casper Suite. It allows you to perform inventory and remote management and configuration tasks on managed computers and mobile devices. All other administrative applications in the Casper Suite communicate with the JSS.

Casper Remote
  Casper Remote allows you to immediately perform remote management tasks on computers, such as installing packages, running scripts, and binding to directory services. While policies allow you to automate these tasks so that they run on a schedule, Casper Remote allows you to perform them immediately over a Secure Shell (SSH) connection.

Composer
  Composer allows you to build packages (PKG or DMG) of software, applications, preference files, or documents. Composer also allows you to build a DMG of an operating system.

Self Service
  Self Service for Mac OS X allows users to browse and run policies, install configuration profiles, Mac App Store apps and ebooks, access webpages, and utilize plug-ins developed with the Self Service API. Users can point and click their way through Self Service using an intuitive interface similar to iTunes.
  Self Service for iOS allows you to distribute configuration profiles, apps, and ebooks to iOS devices for users to install. Users tap Self Service to browse and install items using an interface similar to the App Store.

Recon
  Recon allows you to enroll OS X computers. Enrollment is the process of adding computers to the JSS. When OS X computers are enrolled, inventory information for the computers is submitted to the JSS, and the computers are managed.
Sites and JSS Site Access
Sites are organizational components that allow the central administrator to control which items each JSS user (Site Administrator) can manage.
- Sites on the JSS are modeled after our departmental OU structure in Active Directory.
- Each Site on the JSS has a site administrator Active Directory group associated with it.
- 108 Sites on our JSS.

Everyone can:
- Enroll computers and mobile devices with the JSS
- Execute Policies in Self Service

A member of a JAMF Admin Group can also:
- Manage computers with Managed Preferences, Configuration Profiles, and Policies
- Manage mobile devices with Configuration Profiles
- Create Policies to distribute software packages
- Use Casper Remote
- View inventory
- Create Smart and Static Groups
- Send remote commands
- Create inventory reports
- Map and unmap printers
- Create and view software license records
- Restrict software from running on a computer
Managing Mac OS X
Enrolling a Computer with the JSS
Two-step process:
1. Download the QuickAdd package for the site you want to enroll the computer in.
2. Install the Site QuickAdd package on the computer you want to enroll.

What happens during enrollment:
1. The Jamf Agent is downloaded from the JSS and installed.
2. The management account is created.
3. The Mobile Device Management profile containing the Trust Certificate and the Default Configuration Profiles are installed:
   - Software Update Server is set
   - A password is required to wake the computer from screen saver or sleep
   - A pre-boot/login message is set on the login window
4. The Jamf Agent runs scripts that are scoped to enrollment:
   - Password policy is set to at least 8 characters, 1 number, 1 mixed-case letter, and must be different from the last 3 passwords used
   - Firewall is enabled
5. Software packages are downloaded from the Distribution Point and installed:
   - CocoaDialog
   - Pashua
   - Self Service
6. Inventory is submitted to the JSS.
Managing Settings
Architecture:
- Settings for Mac OS X are contained in files called Property Lists, or plists. plists are XML-based files containing keys that can be modified.
- They store such things as dock position, screen saver, software settings, printer settings, etc.
- plist files that are managed are stored in /Library/Managed Preferences.
- global.plist contains the software developer's default settings and default Mac OS X settings.

Managed Preferences:
- Introduced in Mac OS X Server 10.2 Jaguar with the inclusion of Open Directory as the replacement for the legacy Macintosh Manager platform used to manage Classic Mac OSes and Mac OS X 10.0 and 10.1.
- Also called MCX settings or Managed Client for OS X.
- Applied at login.
- As of 10.9 Apple has begun moving away from Managed Preferences toward Configuration Profiles.

Configuration Profiles:
- Used on both Mac OS X and iOS.
- Most of the functionality provided by Managed Preferences can be provided by a Configuration Profile.
- Applied immediately.
- Sent over the Apple Push Notification Service.

Defaults command via a script:
- Direct access to manipulate the XML keys in a plist.
- This is not managing the plist, but directly modifying it.

Local MCX:
- Some plists can be modified and then distributed using a package that installs them in the /Library/Managed Preferences folder.
Monolithic Imaging Methodology
Create an image:
1. Install Operating System
2. Install OS Updates
3. Install Software Applications
4. Install Printers
5. Configure Accounts
6. Configure Settings
7. Capture a Hard Drive Image
8. Deploy to Like Machines

Pros:
- Easy to do

Cons:
- Hardware specific
- Time consuming
- New updates mean building new images
- Multiple images would have to be built for customizations or special OS builds
Thin Imaging or Package-Based Imaging Methodology
New computers already come with an OS, iLife, and iWork installed. Why take up so much time reinstalling these things? Most of the time spent during imaging is because of iLife. Installing OS X is fairly easy, and free on the App Store.
- Hardware independent
- Software is installed during image time
- Uses a Policy in Self Service to deploy all standard KSU software:
  - Mac OS X Updates
  - Microsoft Office 2011
  - iLife (if it's not already installed)
  - iWork (if it's not already installed)
  - Google Chrome
  - Firefox
  - Adobe Reader
  - Adobe Flash
  - Flip4Mac
  - QuickTime Components
  - Microsoft SCEP
  - Silverlight
  - Shockwave (10.9 and prior)
  - VLC Player
Thin Imaging
Policies, Self Service, and Casper Remote
Management actions:
- Run scripts and terminal commands
- Manage accounts
- Distribute software and software updates
- Map and unmap printers
- Enable FileVault 2 encryption
- Set firmware passwords
- Update inventory
- Perform maintenance tasks

Policies: Allow you to automate management actions so that they run on a schedule. When you create a policy, you specify the tasks you want to automate, when the policy should run (called the "trigger"), how often it should run (called the "execution frequency"), and the users and computers for which it should run (called the "scope"). You can also make policies available in Self Service for users to run on their computers.

Self Service: Allows users to browse and run policies, install configuration profiles, Mac App Store apps and ebooks, access webpages, and utilize plug-ins developed with the Self Service API. Users can point and click their way through Self Service using an intuitive interface similar to iTunes.

Casper Remote: Allows you to immediately perform remote management tasks on computers, such as installing packages, running scripts, and binding to directory services. While policies allow you to automate these tasks so that they run on a schedule, Casper Remote allows you to perform them immediately over a Secure Shell (SSH) connection. It also allows you to provide remote assistance through the use of screen sharing.
Packaging Mac OS X Applications
Composer allows you to build packages of software, applications, preference files, or documents. A package is a self-contained group of files that can be deployed to remote computers or installed as part of the imaging process.

Capture options:
- Normal snapshots: capture any new files on the drive.
- New and modified snapshots: capture any new files on the drive, as well as any files that have been modified.
- Monitor the file system: Composer uses the File System Events (FSEvents) framework to monitor any changes that are made to the file system during the installation process, then creates a package source based on those changes.
- Use pre-installed software: you can use software that is pre-installed on your computer to create a package source based on package manifests. This method allows you to create package sources without monitoring the installation process.
- Use user environment settings: package manifests can also be used to capture settings configured on your computer, such as Dashboard, Display, and Global Preference settings.
- Drag contents from the Finder: a simple drag-and-drop process allows you to create a package source from files already installed on your computer.
Enabling Full Disk Encryption
FileVault 1 or Legacy FileVault:
- First introduced with Mac OS X 10.3 Panther
- Encrypts the user's home directory
- Files stored outside the user's home directory are not encrypted

FileVault 2:
- First introduced with Mac OS X 10.7
- Full disk encryption
- XTS-AES 128 encryption
- FIPS 140-2 compliant

Encryption keys:
- Store locally: take a screenshot of the encryption key
- Store with Apple: retrieved by calling Apple; the user must know their security questions
- Jamf: allows you to enable FileVault 2, captures the encryption key and stores it under the computer record for retrieval later, and lets compliance information be reported on
Managing iOS Devices
Enrolling an iOS Device with the JSS
Ways of enrolling an iOS device:
- User-initiated Enrollment: You can allow users to enroll mobile devices by having them log in to an enrollment portal where they follow the onscreen instructions to install the necessary profile and certificates. You can provide this URL by sending it in an email or SMS invitation from the JSS, or through any other means that fit your environment.
- Apple Configurator Enrollment: You can enroll mobile devices with the JSS by connecting them to a computer via USB and using Apple Configurator, an enrollment URL, and an anchor certificate that you download from the JSS.

What happens during enrollment:
1. The MDM Profile is downloaded and installed.
2. The Trust Profile containing the CA certificate is downloaded and installed, establishing trust between the certificate authority and the mobile device.
3. The Device Certificate is downloaded and installed, verifying the identity of the managed mobile device each time it communicates with the JSS.
4. The Self Service mobile app is downloaded from the App Store and installed.
5. The default configuration profile is downloaded and installed:
   a. Sets the password requirement on the iOS device to require at least 6 alphanumeric characters, sets the lock time to immediately after the grace period, and wipes the device after 10 failed password attempts.
6. Inventory is submitted back to the JSS.
Distributing Software, Managing Settings, and Remote Commands
Distributing software:
- Install automatically / prompt users to install
- Make available in Self Service

Managing settings:
- iOS configuration profiles are XML files (.mobileconfig) that provide an easy way to define settings and restrictions for mobile devices.
- There are two ways to distribute an iOS configuration profile: install it automatically (requires no interaction from the user), or make it available in Self Service.
- You can also specify the mobile devices and users to which the profile should be applied (called the "scope").

Remote commands:
- Update inventory
- Lock a device
- Clear the passcode on a device
- Clear the restrictions on a device (only for supervised devices with iOS 8 or later)
- Unmanage a device
- Wipe a device
- Send a blank push notification
- For a personally owned device, wipe institutional data and unmanage the device
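As an added illustration (not from the presentation or from Jamf), the following Python builds a .mobileconfig of the kind described here and on the Managing Settings slide, carrying the passcode rules the iOS enrollment slide gives for the default profile, and checks an existing profile against those rules before it is scoped to devices. The payload type and key names are Apple's passcode payload; the PayloadIdentifier values are placeholders.

```python
import plistlib
import uuid

# Constructed example (not from the slides or Jamf): the iOS passcode payload
# (PayloadType com.apple.mobiledevice.passwordpolicy) encoding the rules the
# enrollment slide lists for the default profile. Identifiers are placeholders.
PASSCODE_PAYLOAD = {
    "PayloadType": "com.apple.mobiledevice.passwordpolicy",
    "PayloadIdentifier": "edu.example.jss.passcode",  # placeholder
    "PayloadUUID": str(uuid.uuid4()).upper(),
    "PayloadVersion": 1,
    "PayloadDisplayName": "Passcode",
    "minLength": 6,               # at least 6 characters
    "requireAlphanumeric": True,  # letters and numbers required
    "maxGracePeriod": 0,          # lock immediately, no grace period
    "maxFailedAttempts": 10,      # wipe after 10 failed attempts
}

def build_profile(payloads, name="Default iOS Profile"):
    """Wrap payloads in the top-level Configuration container and return
    the .mobileconfig as XML plist bytes, ready to upload to the JSS."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadDisplayName": name,
        "PayloadIdentifier": "edu.example.jss.default",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

def passcode_findings(mobileconfig, min_length=6, max_failed=10):
    """List every passcode rule that is missing or weaker than required; [] means compliant."""
    profile = plistlib.loads(mobileconfig)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.mobiledevice.passwordpolicy"]
    if not payloads:
        return ["no passcode payload in profile"]
    findings = []
    for p in payloads:
        if p.get("minLength", 0) < min_length:
            findings.append(f"minLength {p.get('minLength')} is below {min_length}")
        if not p.get("requireAlphanumeric", False):
            findings.append("requireAlphanumeric is not set")
        if not 0 < p.get("maxFailedAttempts", 0) <= max_failed:
            findings.append(f"maxFailedAttempts is not within 1..{max_failed}")
        if p.get("maxGracePeriod") != 0:
            findings.append("maxGracePeriod does not lock immediately")
    return findings
```

Running passcode_findings over a profile exported from the JSS is a quick way to confirm that a site administrator's copy of the default profile has not been weakened before it is pushed.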
Reporting
Inventory & Reporting
Inventory is collected every 24 hours.

Inventory information collected:
- Local user accounts, with the option to include home directory sizes and/or hidden system accounts
- Printers
- Active services
- Last backup date/time for managed mobile devices that are synced to computers
- User and location from an LDAP directory service (only available if an LDAP server is set up in the JSS)
- Package receipts
- Available software updates
- Application Usage information
- Fonts
- Plug-ins

Extension Attributes:
- Allow you to run a script that populates the extension attribute each time a computer submits inventory to the JSS
- Fillable information using predefined drop-down boxes

Advanced Searches allow you to generate a report on the environment based on a specified set of criteria. Example: computers running a particular version of Adobe Photoshop, computers that do not have FileVault 2 enabled, or mobile devices running a specific version of iOS.

Export the results as a report:
- Comma-separated values file (.csv)
- Tab-delimited text file (.txt)
- XML file
JAMF RESTful API
Allows you to query inventory information directly from the MySQL database outside of the JSS interface.

A PowerShell server runs a script that:
1. Queries the JSS for the current list of computers enrolled with the JSS using the JAMF API
2. Queries the JSS using the JSS ID of each computer to get a detailed list of information on that computer using the JAMF API
3. Parses the detailed information on each computer and correlates it into a set of data that can be output to a Google Sheet
4. Calls a custom Google Apps Script API to deposit the information into a predefined report in Google Sheets

Google Sheets are set up to format the data into meaningful reports.
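The two-step API query described above, as an added Python example rather than the PowerShell script in use at KSU: it fetches the computer list, then each computer's detailed record, and correlates the results into report rows (here the FileVault 2 status used in the Inventory slide's example search). The URL paths are the Classic JSS API; the sample XML responses are constructed, as is the read-only API account assumption.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample responses (not real JSS output) in the shape of the Classic
# API: GET /JSSResource/computers, then GET /JSSResource/computers/id/<id>.
SAMPLE_LIST = b"""<computers><size>2</size>
<computer><id>101</id><name>lab-mac-01</name></computer>
<computer><id>102</id><name>lab-mac-02</name></computer></computers>"""
SAMPLE_DETAIL = {
    101: b"""<computer><general><id>101</id><name>lab-mac-01</name>
<serial_number>C02CONSTRUCTED1</serial_number></general>
<hardware><os_version>10.9.5</os_version></hardware><storage><device>
<partition><filevault2_status>Encrypted</filevault2_status></partition>
</device></storage></computer>""",
    102: b"""<computer><general><id>102</id><name>lab-mac-02</name>
<serial_number>C02CONSTRUCTED2</serial_number></general>
<hardware><os_version>10.8.5</os_version></hardware><storage><device>
<partition><filevault2_status>Not Encrypted</filevault2_status></partition>
</device></storage></computer>""",
}

def jss_get(url, user, password):
    """Fetch one Classic API resource over HTTPS with Basic auth (use a read-only JSS account)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Accept": "application/xml", "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()

def computer_ids(list_xml):
    """Step 1: JSS IDs of every enrolled computer from the list response."""
    return [int(c.findtext("id")) for c in ET.fromstring(list_xml).iter("computer")]

def summarize(detail_xml):
    """Step 2: flatten one detailed computer record into a report row."""
    root = ET.fromstring(detail_xml)
    statuses = [p.findtext("filevault2_status") for p in root.iter("partition")]
    return {
        "id": int(root.findtext("general/id")),
        "name": root.findtext("general/name"),
        "serial": root.findtext("general/serial_number"),
        "os_version": root.findtext("hardware/os_version"),
        "filevault2": bool(statuses) and all(s == "Encrypted" for s in statuses),
    }

def build_report(fetch_list, fetch_detail):
    """Step 3: correlate both queries into rows ready for a spreadsheet export."""
    return [summarize(fetch_detail(i)) for i in computer_ids(fetch_list())]
```

Offline, build_report(lambda: SAMPLE_LIST, SAMPLE_DETAIL.__getitem__) yields the rows; against a live JSS, pass functions that call jss_get on https://<jss>/JSSResource/computers and .../computers/id/<id>.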
Example Reports Using the JAMF API
Q&A
Thanks for Attending