Instructions on code signing the scripts, LaunchAgents, LaunchDaemons and other custom code you deploy to your endpoints.| MacBlog
How to enable and enforce your custom scripts in macOS Ventura using the new service management Configuration Profile payload.| MacBlog
How to properly create a Configuration Profile to manage FileVault Recovery Key Escrow for Mac OS X 10.13 and above.| MacBlog
GitHub is a popular channel for software distribution, and AutoPkg simplifies the task of packaging GitHub-released apps. AutoPkg's GitHubReleasesInfoProvider processor is the standard method for identifying the latest version of software released using GitHub's Releases feature, but it has one key requirement - a binary asset must be attached to the release. However, not all software adheres to this convention. Some repositories might only contain simple shell scripts or other non-binary ass...| MacBlog
Part of my job is to test (and re-test) first-time setup workflows for new and repurposed Macs. I recently needed to analyze the flow of network traffic during initial MDM enrollment to confirm an on-premise network was permitting all required traffic. The tcpdump tool – included with macOS – is a powerful utility that allows you to record all network traffic passing through any interface on the Mac. It requires elevated privileges to run, however. This presents a problem, since we do not...| MacBlog
I recently presented at the monthly University of Utah Mac Admin Meeting about two of my custom AutoPkg processors: DatetimeOutputter and AppIconExtractor. Here are links to a recording of the presentation and the associated slides: Solving problems with custom AutoPkg processors Slides (PDF)| MacBlog
I recently needed to use the date and time of an AutoPkg run from within the context of a recipe. While AutoPkg itself is aware of the date and time of a run, that information is not accessible to other processors within the recipe. To fill this need, I wrote a new AutoPkg processor: DatetimeOutputter. DatetimeOutputter helps you reference the current date and time as a variable within your AutoPkg recipes. Additionally, it can calculate future and past dates to enhance advanced workflows. Curr...| MacBlog
Adding your organization's common tools or newly-installed items to a user's Dock can minimize confusion for your colleagues, and is a common task for Mac admins. For those managing their fleet with Jamf Pro, the jamf binary includes a modifyDock command which allows you to apply certain Dock modifications. It isn't a fully-featured Dock management tool, but it does include enough functionality to add new items to a user's Dock. I was recently working on a project where I needed to conditiona...| MacBlog
I'm a stickler for including icons for all policies available in Jamf Pro's Self Service app. They help users find items in Self Service, and generally make the app easier to use. However, I don't like manually extracting icons from apps. It's easy enough with a tool like SAP's Icons app, but if I'm automating package and policy creation with AutoPkg, I should similarly be able to automate icon creation, right? I created the AppIconExtractor AutoPkg processor to fully automate this task. At i...| MacBlog
Hannes Juutilainen's VirusTotalAnalyzer is a fantastic AutoPkg postprocessor. It automatically queries VirusTotal to analyze items downloaded by AutoPkg and detect potential malware. VirusTotalAnalyzer was designed to run as a postprocessor. AutoPkg postprocessors allow you to add extra "steps" to an AutoPkg recipe at runtime without modifying the recipe itself. By this convention, VirusTotalAnalyzer scans files after all other recipe steps have completed. This means a recipe cannot condition...| MacBlog
Quick follow-up to my earlier guide on using JavaScript for Automation. There must be something in the air that put the topic of JXA on the minds of the Apple community. Armin Briegel shared a great roundup of recent JXA work, and the #scripting channel on the MacAdmins Slack team is full of folks discussing new and old discoveries. Here are a handful of additional tips. Executable JXA scripts You can run JXA directly by including the JavaScript language flag in a script's shebang, like this: ...| MacBlog
JSON – JavaScript Object Notation – is the lingua franca for shipping data between systems. Everything from software APIs to web services commonly supports, and typically defaults to, outputting data in JSON format. Because of its ubiquity, you're bound to run into a need to manipulate a chunk of JSON in the course of managing your fleet. For example, you might run a shell script on your Macs that instructs them to read data from an external system via its API using curl. That external sys...| MacBlog
Apple recently introduced iCloud Private Relay as an additional benefit for iCloud+ subscribers. The feature routes Safari web browsing (and some other insecure Internet traffic) through a semi-anonymizing service to reduce third parties' ability to profile and track individual users. However, it may be necessary in some environments to disable iCloud Private Relay. The feature may interfere with management controls, prevent required traffic auditing, or complicate troubleshooting procedures....| MacBlog
Many scripted macOS workflows require determining the username of the currently logged-in user. Whether you wish to execute a command as that user via su or you just want to log the username during your script's execution, you may need to query macOS for this information. This is a solved problem, and Armin Briegel's excellent article on Getting the current user in macOS outlines the best method. In addition to determining the logged-in user's username, you may also need their user ID number,...| MacBlog
A couple of years ago, I shared a method to set a Mac's hostname via a Google Sheet. It's worked well at my organization (as well as many others!) and helped us keep our computer names consistent. We've since moved to using Snipe-IT for asset management. Snipe is a fantastic open-source tool that simplifies inventory tracking for our whole IT shop. It also includes a robust API that allows us to integrate with external systems and processes. I'm now using the Snipe API to script our computer ...| MacBlog
macOS Big Sur includes a new screen during Setup Assistant: Accessibility. It prompts users to explore the accessibility features of macOS to adapt their computer to their vision, motor, hearing, and cognitive needs. You might want to disable or skip this setup screen. Don't. The first time you boot a Mac, it runs through a process known as Setup Assistant. This lets your users configure some basic options before they begin using the computer. With each new macOS release, Apple adds additional...| MacBlog
Although Slack has seemingly taken over the world of workplace chat, my organization is a G Suite shop and we use Hangouts Chat for a majority of our internal communication. It's included as a "core" G Suite app, so why not use the product we already have, right? I wanted a way to post notifications to Hangouts Chat rooms when autopkg downloads new software, or makes changes to our Jamf Pro server via JSSImporter. No solution existed. Building on the excellent Slack-centric work of both Grah...| MacBlog
Taking a cue from iOS, Mac OS X 10.8 "Mountain Lion" introduced new systems to help users manage access requests to potentially sensitive and private personal information. When an app required access to a user's Contacts, for instance, a consent prompt appeared on screen asking the user to allow or disallow this access. Broadly, this system is known as TCC or transparency, consent and control. With each version of macOS, Apple broadens the scope of privacy controls. The upcoming release of ma...| MacBlog
Apple has made it clear; MDM is the future. As the preferred method of device management moves more and more to Configuration Profiles, administrators must turn their focus toward digital security. Signing configuration profiles provides assurance of their origin, and an assertion their contents have not been modified in transit. A profile signed with a trusted signing certificate appears in System Preferences > Profiles with a green "Verified" label. If the profile is signed by a certificate...| MacBlog
I recently ran into a snag with our Device Enrollment Program (DEP) workflow. Users were not being prompted to enable Location Services to automatically set the time zone, nor was the explicit Time Zone selection screen displayed during Setup Assistant. The result was that devices wound up configured with the default Cupertino, CA location, and a Pacific time zone. We're on the East coast – so we'd have to script a change of settings, or worse, have the user manually modify them. As it turn...| MacBlog
In a post-imaging, DEP-only world, maintaining your organization's computer naming convention can be a challenge. We can ease the pain with a little bit of Python, some clever interaction with the jamf binary, and a remotely-hosted Google Sheet. The problem With DEP enrollments, your Macs are assigned a default computer hostname in the format <user's first name>'s <Mac model>. DEP provides no facility to set computer names, and Jamf Pro's PreStage Enrollments are similarly limited. You wind u...| MacBlog
So you've trained your users to use Jamf Pro's Self Service to install third-party software, but how can we encourage users to self-manage macOS operating system updates? Let's create a user-centric, Self Service workflow for checking the status of available software updates. Background In my shop we support users at all positions of the "technical literacy" spectrum. Some users may not have familiarity with the Mac App Store or installing operating system updates. We want to provide a "singl...| MacBlog
Sqwarq's DetectX is an amazing shareware security tool that checks your Mac for malware, keyloggers, adware and potentially unwanted programs. Recent updates to DetectX add the ability for administrators to initiate a scheduled scan from a management platform. Neat! Let's integrate it with Jamf Pro to scan and report on your fleet. Developer Phil Stokes is currently working on a Swift re-write of the app named, appropriately, DetectX Swift. To quote Phil, DetectX Swift is an on-demand securit...| MacBlog
For maintaining a consistent, repeatable and intuitive administrative workflow, you need a naming scheme for objects in your Jamf Pro Server. Here's my take on a good strategy. As I add more policies, Smart Groups, configuration profiles and packages to my Jamf Pro Server, a consistent naming scheme provides clarity. If a quick glance tells me most of what I need to know about an object, my tasks become quicker and less error-prone. Focus on Function and Semantics The name of any JPS object s...| MacBlog